Step by Step guide on SAP Support Backbone Update and Enabling Note Assistant for Digitally Signed SAP Notes
As you are already aware by now, SAP has updated the support backbone infrastructure, to ensure that its critical infrastructure is up to date and secure, and will switch off the legacy infrastructure on January 1st, 2020.
Due to the increasing demand placed on the support backbone, SAP has updated the infrastructure to continue to provide us with the support we require. As part of this process, the way in which systems connect to SAP has been redesigned to include the following changes:
- The HTTPS protocol is now used instead of RFC.
- A technical communication user handles the data transfer instead of generic users.
- There is no generic inbound interface.
- Applications send data asynchronously unless the data is sent manually.
You have probably seen warning messages in SAP systems, the SNOTE transaction, EWA reports and the SAP Notes download sections of SAP Service Marketplace, asking you to update your systems for the SAP Support Backbone update.
This blog explains in detail the actions that must be configured in all SAP ABAP systems before January 2020 to ensure smooth connectivity to the SAP Support Backbone.
It is advisable to go through the whole blog before starting the implementation, and to open the SAP Notes and guides referred to in this blog, as SAP updates the notes on a regular basis.
- What is SAP’s Support Backbone?
- Configurations and Implementations of Snotes for TCI Enablement based on system releases
- Setup of connections (either RFC, HTTP or Download Service) to SAP Support Backbone based on system versions
- Enable Note Assistant for digitally signed SAP Notes
- Define the right procedure to download SAP Notes based on system releases
- Define the file type for downloading SAP Notes
- SDCCN, ANST, RFC Configuration changes
- Reference links and SAP notes
What is SAP’s Support Backbone?
SAP’s Support Backbone is the central infrastructure located at SAP to provide technical support to our customers.
The SAP Support Backbone has been updated.
The legacy infrastructure remains in place to allow a safe transition for customers.
You need to switch the communication of SAP Solution Manager and Focused Run to the new infrastructure before January 2020 to ensure continuous connectivity.
To get a list of all systems in your landscape which are not yet ready and need to be switched to the new support backbone connectivity refer link
It will take you to the Early Watch Alert Work space and pre-selects the filter for “Backbone Connectivity”. As a result, you get a list of all systems (at least those who send EarlyWatch Alert reports to SAP) which are not ready yet and need to be connected to the updated support backbone infrastructure.
You then can drill down further to understand which action needs to be taken:
Refer below landing page for details on support backbone connectivity update. Landing Page for Support Backbone Connectivity Update
Note: This list will show all the systems which are not ready to connect to the updated support backbone. If you would like to see systems which are ready (green alerts), remove the filtering category and search for the text string “HTTPS -> SAP”. If this produces too many results, you can also use the search term “backbone”.
Impact of SAP Support Backbone Update and Required actions
As a result of the update, the following systems actions are mandatory:
SAP Solution Manager systems
When you switch to the new communication channels to enable the exchange of data with the updated SAP Support Backbone the following is required:
Scenario 1: You are on SAP Solution Manager 7.2
Upgrade to SAP Solution Manager SP07 or higher (*Upgrade to SP08 or higher is recommended)
Scenario 2: You are on SAP Solution Manager 7.1
Upgrade to the latest SAP Solution Manager 7.2 support package
Please note: For SAP partners (PartnerEdge Sell, VAR, CCC, PCOE), SP08 or higher is required.
Focused Run for SAP Solution Manager systems
The new communication channels in Focused Run 2.0 enable the exchange of data with the updated SAP Support Backbone. All Focused Run customers need to upgrade to Focused Run 2.0. Focused Run 1.0 systems will not be able to communicate with the SAP Support Backbone after January 1st, 2020.
Information on upgrading Focused Run can be found in the Focused Run Expert Portal.
Remark: Focused Run 1.0 will enter its Customer-Specific Maintenance phase on November 23rd 2019.
ABAP systems with direct connectivity to the support backbone
All customers with ABAP based SAP systems need to react to the SAP Support Backbone update to ensure connectivity of their SAP systems to the SAP Support Backbone.
1. Enabling Note Assistant for Transport Based Correction Instructions
2. Enabling Note Assistant for Digitally Signed SAP Notes
3. Setting up connections to SAP Support Backbone
4. Defining Procedure and File Types to Consume Digitally Signed SAP Notes
5. SDCCN direct connectivity/ Indirect connectivity update, ANST update, SAP RFC destinations update
Step by Step process to prepare managed system to support SAP Support Backbone Update
Preparation and Prerequisite:
1. Request a Technical Communication User
Connections using generic users will not work anymore after January 1st, 2020. For this purpose, customers need to ensure that all connections use a technical communication user in all systems which have connectivity to SAP (this includes all systems directly sending EWA data to SAP and all systems where SAP Note Assistant is being used on).
We must request a technical communication user for the systems (refer to SAP Note 2174416). (You cannot convert a regular S-user into a technical communication user.) The technical communication user is required, for example, to download digitally signed SAP Notes from Note Assistant (transaction SNOTE). Technical communication users cannot be used to log on in dialog mode, and their passwords do not expire.
After you have requested a technical communication user, it is generally available within 24 hours.
Hint: If preparing an SAP Solution Manager system for the support backbone update, this step is automatically covered there and can be skipped in all managed systems.
Technical communication users can be requested via this app.
2. If the system to be prepared for SAP’s Support Backbone Update is not directly connected to the backbone, no further action is required.
For all other systems, including SAP Solution Manager systems, Focused Run systems, and ABAP systems, with direct connectivity to the support backbone, you have to be on the following plug-in levels:
ST-PI 2008_1_7xx SP20 and higher, or ST-PI 740 SP10 and higher
ST-A/PI 01T* SP01 and higher
3. It is strongly recommended that you upgrade your SAP Solution Manager systems to Release 7.2, Support Package Stack 8 or higher.
1. Enabling Note Assistant for Transport Based Correction Instructions
It is strongly recommended that you enable Note Assistant to work with transport-based correction instructions (TCIs). However, to ensure that your systems can continue to communicate with the support backbone, it is sufficient that they can work with digitally signed SAP Notes.
The TCI is a new way to deliver ABAP correction instructions to customers in a flexible manner. A TCI bundles a stack of correction instructions in one transport request that can be installed using the SNOTE transaction.
The TCI reduces the installation time because it requires no pre or post installation steps.
SAP Note : 2187425 – Information about SAP Note Transport based Correction Instructions (TCI)
TCI enablement in SNOTE is available in the following Support Packages of the respective SAP_BASIS releases. If a system is on any of the following SPs or higher, implementing the bootstrap note is not needed:
2.2 Implement the list of notes given below, based on the SAP_BASIS release of your system. Doing this enables SNOTE for TCI.
Procedure for Implementing the Bootstrap SAP Note
Download the Bootstrap TCI:
In our scenario below we are in Basis level 740
a) Search and open the relevant bootstrap SAP Note xxxxxxx from SAP One Support Launchpad. For more information on relevant bootstrap SAP Notes, refer to the above TCI notes table.
b) Choose Correction Instructions and select SAP_BASIS Software Component.
c) On the Correction Instruction view, select the relevant software component version (on the left side) and choose Download (on the right side). Save the SAR file into your directory.
d) Log on into client 000 of the ABAP system you want to install the TCI.
e) Upload the bootstrap TCI SAP Note to the system: Call transaction SPAM, then choose Support Package > Load Packages > From Front End and navigate to the directory, into which you downloaded the SAR file (for example, K70003CPSAPBASIS.SAR).
a) In transaction SPAM, display the new support packages.
b) From the OCS Package Directory: New Packages view, select the respective bootstrap TCI SAP Note.
c) To define the TCI queue, click the Calculate Queue button.
Note: If you receive the following message “Not allowed Support Package is already applied,” the import of TCI is not required as the required changes are already available in the system.
d) Import the TCI queue: Click the Import queue button to import the TCI queue and complete the steps.
Continue to import and complete
e) Confirming the queue: Once the queue is imported, you are prompted with the next action: go to the SAP Note Assistant (transaction SNOTE), download the bootstrap note (even if the note is already available, download it again) and implement it, so that the status of the SAP Note is Completely Implemented. Doing this will automatically confirm the SPAM queue.
Note: If your system is not connected to the Online Service System (OSS) confirming the queue is not possible. In this case, you first download the SAP Note from the SAP Support Portal and upload SAP Note xxxxxxx (for example, SAP Note 2446868 for 700 release) using the Note Assistant tool and then confirm the queue.
Verify the SAP Note Status: Verify if the status of the SAP Note xxxxxxx (for example, SAP Note 2446868 for 700 release) is set to Completely Implemented.
Preparing Note Assistant (transaction SNOTE) in this way is also called bootstrapping.
Once the SNOTE is bootstrapped, any SAP Note containing TCI can be implemented in the same way as implementing any other SAP Note.
Note: If you are on SPAM version 70 and above: the bootstrap note is transportable, you need not apply the bootstrap note in each system. You can apply the bootstrap note 1995550 in Dev system and you can move the TR to Quality and Production.
Please follow the sequence below:
- Create 1st TR and capture all prerequisite notes & release the TR.
- Create 2nd TR for locking bootstrap note & release the TR.
- Create 3rd TR for implementing digitally signed note TCI (*which will be explained in next section below) and finally release the 3rd TR.
Move these TRs in sequence to Quality and Production.
2. Enabling Note Assistant for Digitally Signed SAP notes
SAP recognizes a security threat during upload of SAP Note into customer landscape. The SAP Note can get modified maliciously and the customer can upload unknowingly the maliciously modified SAP Note into their landscape.
Therefore, SAP delivers all SAP Notes having ABAP corrections with digital signature to protect SAP Notes with increased authenticity and improved security.
SAP strongly recommends uploading or downloading only digitally signed SAP Notes. The digital signature verification feature is enabled for both uploading and downloading of SAP Notes.
The SNOTE is enabled to work with Digitally Signed SAP Notes from the following SPs of their respective releases of SAP_BASIS software component.
Note: All higher releases (753 and above) have the enablement from SP00 itself.
For the releases listed in the table above, if you are on lower SPs, perform the following steps:
- You have to implement the SAP Note 2408073 and SAP Note 2546220 for uploading digitally signed SAP Note and digital signature verification.
- You have to implement the SAP Note 2508268 for downloading digitally signed SAP Note.
1. Implement TCI NOTE “2576306 – Transport-Based Correction Instruction (TCI) for Download of Digitally Signed SAP Notes” containing the SAP Notes 2408073, 2546220 and 2508268
While uploading the TCI package if there is a failure in signature verification please refer to the SAP Note 2520826 for solution.
“SAP recommends Implementing SAP Note 2576306 instead of applying the above individual SAP Notes.”
Follow the steps below to implement the SAP Note with the corresponding TCI in your development system, using the Note Assistant via transaction SNOTE.
Note: Warnings about objects without directory entry can be ignored, since TCIs can contain deletions.
Import the adjustment transport into your productive system – to implement the TCI in productive system.
Procedure for implementing an SAP Note containing TCI
Download the SAP Note (which is also a TCI note)
Download the TCI package:
a) Search and open the relevant SAP Note xxxxxxx in SAP ONE Support Launchpad
b) Choose Correction Instructions and select the relevant software component.
c) On the Correction Instruction view, select the relevant software component version (on the left side) and choose Download (on the right side). Save the SAR file into your system.
d) Log on into client 000 of the ABAP system you want to install the TCI.
e) Upload the TCI SAR file in the Note Assistant, Choose Goto > Upload TCI
Note: Alternatively, you can upload the TCI SAR archive (for example, K700005CPSAPBASIS.SAR) through Support Package Manager or SAINT from front end to your development system
To do so, call transaction SPAM or SAINT in client 000 and choose Support Package > Load Packages > From Front End in transaction SPAM or Installation Package > Load Package > From Front End in transaction SAINT.
Note: If Upload TCI is not available in the SNOTE transaction, execute report RSLANG20 (refer to SAP Notes 110910 and 48624). After this step, launch SNOTE and choose Goto > Upload TCI
Implement the SAP Note xxxxxxx as any other SAP Note in Note Assistant
Copy the corrections to Transport request and proceed
Download TCI correction for rollback
Upload rollback TCI in SNOTE and extract it.
Continue to implement the TCI note 2576306
If you get error message: 2258238 snote data not available, apply Snote 2258238 and continue to implement 2576306
Now all the required TCI notes are applied in the ABAP development system and copied in transport request, which can be moved to production system.
If the verification of digital signature for an SAP Note fails, the Note Assistant tool logs the security event in the application server using log object (CWBDS). To view the application logs, you should have authorization to the S_APPL_LOG authorization object.
3. Setting up connections to SAP Support Backbone
The tables below provide an overview of the RFC connections that were previously used to connect to the support backbone, along with the new HTTPS connections.
Note: For SAP Solution Manager, some destinations are created as part of task list SAP_SUPPORT_HUB_CONFIG.
Once the prerequisite step of implementing 2576306 – Transport-Based Correction Instruction (TCI) for Download of Digitally Signed SAP Notes is completed, follow below connection setup based on your system version
1> RFC procedure for SAP_BASIS release 700 to 731 only
- SAP ABAP systems on lower SAP releases (lower than SAP Kernel 7.42 Patch Level 400) that download SAP Notes or use the software components ST-PI and ST-A/PI will still use the RFC connection SAPOSS or SAPSNOTE, but changes to that RFC connection (SAPOSS or SAPSNOTE) are mandatory!
- This is the default procedure for all releases of SAP_BASIS until end of 2019.
- From January 1st 2020 the following will be enforced:
> This procedure will be the default option for SAP_BASIS releases 700 to 731 only.
> As system kernel version is below 742, we can use SAPOSS connection but we need to make below changes.
> Generic user (OSS_RFC) will not be allowed in RFC destinations SAPOSS/SAPSNOTE.
> Only customer S user (recommended is Technical Communication User) will be allowed.
> SAPRouter string to the SAP Service and Support target system of the SAP infrastructure can be:
target host: /H/X1/S/S1/H/X2/S/3299/H/oss001.wdf.sap.corp with
X1 = IP address of saprouter on SAP customer side
X2 = IP address of sapservX
S1 = TCP port of SAPRouter on customer side
Possible settings for sapservX could be:
sapserv1 (22.214.171.124) Internet VPN connection
sapserv2 (126.96.36.199) Internet SNC connection
sapserv3 (188.8.131.52) SAP customers from Germany will typically use this setting
sapserv4 (184.108.40.206) SAP customers from the US region will typically use this setting
sapserv5 (220.127.116.11) SAP customers from Japan will typically use this setting
sapserv7 (18.104.22.168) SAP customers from region APJ (Asia Pacific), including New Zealand and Australia, will typically use this setting
sapserv9 (22.214.171.124) SAP customers from region APJ (Asia Pacific), including New Zealand and Australia, will typically use this setting
sapserv10 (126.96.36.199) SAP customers from China will typically use this setting
> There is no change in logon group, you can use 1_PUBLIC, 2_JAPANESE, EWA
> It is mandatory to use “oss001.wdf.sap.corp”, Load Balancing and a Technical Communication User in your RFC connection to SAP Backbone.
RFC destinations SAPOSS/SAPSNOTE will not work in ABAP systems on SAP_BASIS release 740 and above. Instead HTTPS communication should be used.
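The requirements listed above for SAPOSS/SAPSNOTE on SAP_BASIS 700 to 731, written as a check over a destination's settings; this is an added example, not SAP code or part of the original blog. The dict layout, the sample destinations, their addresses and the S-user are constructed for illustration.

```python
import re

# Requirements taken from the list above; the dict layout of a destination
# is a hypothetical export format, not something SM59 produces.
REQUIRED_TARGET = "oss001.wdf.sap.corp"
SAPSERV_SERVICE = "3299"
ALLOWED_GROUPS = {"1_PUBLIC", "2_JAPANESE", "EWA"}
GENERIC_USER = "OSS_RFC"

# One hop of a SAProuter string: /H/<host>[/S/<service>][/W/<password>]
_HOP = re.compile(r"/H/([^/]+)(?:/S/([^/]+))?(?:/W/([^/]+))?")


def parse_route(route):
    """Split a SAProuter string into (host, service, has_password) hops."""
    hops, pos = [], 0
    while pos < len(route):
        match = _HOP.match(route, pos)
        if match is None:
            raise ValueError(
                f"malformed route string at offset {pos}: {route[pos:]!r}")
        hops.append((match.group(1), match.group(2),
                     match.group(3) is not None))
        pos = match.end()
    if not hops:
        raise ValueError("empty route string")
    return hops


def audit_destination(dest):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if dest.get("user", "").upper() == GENERIC_USER:
        findings.append("generic user OSS_RFC is no longer allowed")
    if not dest.get("load_balancing"):
        findings.append("load balancing is not enabled")
    if dest.get("logon_group") not in ALLOWED_GROUPS:
        findings.append(
            f"unexpected logon group {dest.get('logon_group')!r}")
    try:
        hops = parse_route(dest.get("target_host", ""))
    except ValueError as exc:
        findings.append(str(exc))
        return findings
    final_host = hops[-1][0]
    if final_host.lower() != REQUIRED_TARGET:
        findings.append(
            f"final hop is {final_host!r}, expected {REQUIRED_TARGET!r}")
    # The hop in front of the target is sapservX, reached on service 3299.
    if len(hops) >= 2 and hops[-2][1] != SAPSERV_SERVICE:
        findings.append(
            f"sapservX hop uses service {hops[-2][1]!r}, "
            f"expected {SAPSERV_SERVICE!r}")
    for index, (host, _service, has_password) in enumerate(hops, start=1):
        if has_password:
            findings.append(
                f"hop {index} ({host}) carries a route password in clear text")
    return findings


# Constructed samples: documentation-range addresses and a made-up S-user.
LEGACY = {
    "user": "OSS_RFC",
    "load_balancing": False,
    "logon_group": "1_PUBLIC",
    "target_host": "/H/192.0.2.10/S/3299/H/198.51.100.7/S/3299/H/oss001",
}
UPDATED = {
    "user": "S0012345678",
    "load_balancing": True,
    "logon_group": "EWA",
    "target_host":
        "/H/192.0.2.10/S/3299/H/198.51.100.7/S/3299/H/oss001.wdf.sap.corp",
}

if __name__ == "__main__":
    for name, dest in (("LEGACY", LEGACY), ("UPDATED", UPDATED)):
        print(name, audit_destination(dest) or "ok")
```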
2> HTTPS procedure for SAP_BASIS release 740 and above
- For systems higher than 740, the mandatory protocol is HTTPS, so we need to configure RFC accordingly and make the relevant changes so that SAP Notes are downloaded using the HTTPS protocol instead of the RFC protocol, i.e. SAPOSS
- Destinations to SAP Support Portal and SAP Note Download need to be defined (SM59). Use an S-user (recommended: Technical Communication User) in the H and G type destinations
- HTTPS encryption and communication path needs to be configured
- By following recommended destination names, configuration can be reused in other scenarios
Either manual or automatic configuration of HTTP connection setup can be followed. For manual step follow “Digital Signature.pdf” attached to SAP Note 2576306
In our scenario we will see the automatic setup: “SNOTE 2738426 for Automated Configuration of new Support Backbone Communication”.
HTTPS prerequisites can be configured in ABAP Task Manager (STC01) by executing the automated task list SAP_BASIS_CONFIG_OSS_COMM. This task list contains common configuration steps for the ABAP task manager, and automatically creates the required connections to the support backbone.
The Technical Communication User and SAP Router string need to be prepared before execution.
Task 2: We need to set the parameter ssl/client_ciphersuites to a value that enables the highest TLS protocol version with BEST-OPTION.
Check the parameter: if it already exists with the required value, no change is required; if not, set the value of ssl/client_ciphersuites.
Before configuration of the parameter: the value of ssl/client_ciphersuites is not set.
Added the profile parameter value: ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH
Restart the system after adding/changing parameter.
For more information, read SAP Note 510007 – Setting up SSL on Application Server ABAP
Task 3: Check certificate for SSL Client
Checked in transaction STRUST, no certificates exist.
Obtain certificates from certificate provider websites or use below link.
- VeriSign Class 3 Public Primary Certification Authority – G5
- DigiCert Global Root CA
- DigiCert Global Root G2
- Baltimore CyberTrust Root
Add the required certificates and save it.
Note: Import the client certificates into SSL Client (Standard) or SSL Client (Anonymous), but the corresponding option needs to be selected while running the task list, otherwise you will get an error while running the task list. I have imported all the above certificates into SSL Client (Standard).
Task 4: Create HTTP connection
Maintain the fields Technical Communication User, Password and Router String (optional, if required), press ‘Return’, ‘Save’ and ‘Back’
Task 5: Change the user in RFC connection SAPOSS with technical user
Task 6: Select Restart of ICM if required, optional
Execute the task list by pressing button ‘Start/Resume Task List run in Dialog (F8)’
Click on the detailed log icon of each task to see the results of the task execution
Checked in transaction SM59, new connection destinations are created by the execution of above tasks list.
The following RFC destinations created by the digitally signed notes process are working fine (test is good):
SAP-SUPPORT_PORTAL (Status HTTP response is 200)
SAP-SUPPORT_PARCELBOX (Status HTTP response is 200)
SAP-SUPPORT_NOTE_DOWNLOAD (Status HTTP response is 404)
3> Download Service application for SAP_Basis Release 700 onwards
- Available for SAP_BASIS release 700 onwards
- Any ABAP system having download service can be used as download system.
The SAP NetWeaver download service allows you to download files directly into your SAP NetWeaver Application Server ABAP system from any SAP destination addressed through a URL.
The most important use case for the SAP NetWeaver download service is downloading from SAP file shares connected to the SAP Support Portal and the download of SAP Notes with all their dependencies and relevant SAP Notes transport-based correction instructions (TCIs).
The downloading of files from SAP file shares is only possible after a successful login to the respective SAP Support Portal system with an S-user authorized for the file download.
With below scenario we will explain what to configure to use download service. We have taken download system as our Solution Manager 7.2 system in our scenario.
Implement SAP note 2554853 SAP Netweaver Download service for SAP Notes
The following information describes how to configure the SAP NetWeaver download service to your needs.
Authorizations and Roles:
To carry out the following configuration tasks and to use the SAP NetWeaver download service, you require specific authorizations and roles.
Configuring the SAP NetWeaver download service involves the following steps:
Step 1: You set up the connection to the SAP Support Portal:
1. You maintain the S-user configuration using the transaction SDS_CONFIGURATION.
2. You configure the client certificates.
The following root certificates must be registered for the SSL client SSL Client (Standard) in the SAP NetWeaver system:
- For access to https://smpdl.sap-ag.de or https://service.sap.com: VeriSign Class 3 Public Primary Certification Authority – G5
- For access to https://smpdla.sap.com: Baltimore CyberTrust Root
- For access to https://*.softwaredownloads.sap.com or https://*.notesdownloads.sap.com: VeriSign Class 3 Public Primary Certification Authority – G5 and GeoTrust Global CA
- For access to https://apps.support.sap.com: Symantec Class 3 Secure Server CA - G4
- To import certificates, call transaction STRUST and, under SSL client SSL Client (Standard), choose Import certificate.
- On the File tab page, browse to the downloaded certificate files and import the certificates by choosing .
- Save your changes.
The Certificate List is now updated with the new certificates.
If the SAP NetWeaver download service fails during the download from these locations, see SAP Note 2456654 .
If errors occur, restart the ICM Monitor using transaction SMICM. This restarts ICM services and reloads all certificates in your system.
3. You adapt the proxy settings.
1. Adapting settings for a global proxy server
- Call transaction SM59 and choose Extras > HTTP Proxy Configuration.
- On the Global Settings tab page, make sure that a proxy server exists and specify destinations that should not be accessed using the proxy server.
- On the HTTPS Protocol tab page, enter the connection information for the proxy server and choose OK.
No proxy settings are active in our environment. If you have a proxy active, please make the corrections and save.
2. Adapting settings for a local proxy server
- Call transaction SDS_CONFIGURATION in change mode.
- On the Proxy Settings tab page, enter the connection information for the proxy server and choose OK
If you have proxy settings available enter them and save.
4. You configure the HTTPS service.
1. Check if the HTTPS service is configured.
Call transaction SMICM (ICM Monitor) and choose Goto > Services.
Check if an entry for the HTTPS protocol exists and is set to active.
2. If no active entry exists, choose one of the following options:
Create a non-permanent entry that is valid until the next restart.
To create a new entry, choose Service > Create, enter the required information for an HTTPS protocol and choose Create Service.
To activate an existing but inactive HTTPS entry, select the entry and choose Service > Activate.
Create a permanent entry.
Call transaction RZ10.
Choose the default or instance profile entry and create a new parameter entry icm/server_port_<number> by choosing Extended maintenance > Change > Parameter > Create.
Example: icm/server_port_2 PROT=HTTPS, PORT=44300, PROCTIMEOUT=300, TIMEOUT=300
3. To enable the download of SAP Notes from https://apps.support.sap.com, call transaction RZ10 and create the profile parameter ssl/client_ciphersuites with the value 918:PFS:HIGH::EC_P256:EC_HIGH.
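A check for the two profile settings this guide touches, ssl/client_ciphersuites (Task 2 and step 3 above) and the icm/server_port_<number> HTTPS entry; this is an added example, not SAP code or part of the original blog. The flag table follows SAP Note 510007 and is an assumption to verify against the note, and both sample profiles are constructed.

```python
import re

# Meaning of the bits in the leading number, as described in SAP Note 510007.
# Reproduced here as an assumption of this example: verify against the note.
FLAG_BITS = {
    1: "BC",
    2: "BEST",
    4: "NO_GAP",
    16: "blind client certificate",
    32: "strict protocol version",
    64: "SSLv3",
    128: "TLSv1.0",
    256: "TLSv1.1",
    512: "TLSv1.2",
}
# Cipher specification shared by both values quoted on this page (150, 918).
PAGE_CIPHER_SPEC = "PFS:HIGH::EC_P256:EC_HIGH"


def parse_profile(text):
    """Read 'name = value' lines of a profile, skipping blanks and comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def decode_flags(number):
    """Return (names of the set bits, value of any bits not in FLAG_BITS)."""
    names = [label for bit, label in sorted(FLAG_BITS.items()) if number & bit]
    unknown = number & ~sum(FLAG_BITS)
    return names, unknown


def audit_profile(text):
    """Return a list of findings; an empty list means every check passed."""
    params = parse_profile(text)
    findings = []
    value = params.get("ssl/client_ciphersuites")
    if value is None:
        findings.append("ssl/client_ciphersuites is not set")
    else:
        number, _, spec = value.partition(":")
        if not number.isdigit():
            findings.append(f"leading flag value {number!r} is not a number")
        else:
            names, unknown = decode_flags(int(number))
            if "BEST" not in names:
                findings.append("BEST option (bit 2) is not set")
            if unknown:
                findings.append(f"unknown flag bits: {unknown}")
        # Catches a value pasted together with sentence punctuation.
        if spec != PAGE_CIPHER_SPEC:
            findings.append(
                f"cipher spec {spec!r} differs from {PAGE_CIPHER_SPEC!r}")
    https_ports = [
        name for name, val in params.items()
        if re.fullmatch(r"icm/server_port_\d+", name)
        and re.search(r"\bPROT\s*=\s*HTTPS\b", val, re.IGNORECASE)
    ]
    if not https_ports:
        findings.append("no icm/server_port_<number> entry with PROT=HTTPS")
    return findings


# Constructed sample profiles.
GOOD_PROFILE = """\
# constructed sample instance profile
ssl/client_ciphersuites = 918:PFS:HIGH::EC_P256:EC_HIGH
icm/server_port_2 = PROT=HTTPS, PORT=44300, PROCTIMEOUT=300, TIMEOUT=300
"""
BAD_PROFILE = """\
# constructed sample: value pasted with a trailing comma, HTTP port only
ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH,
icm/server_port_0 = PROT=HTTP, PORT=8000
"""

if __name__ == "__main__":
    for label, number in (("150", 150), ("918", 918)):
        print(label, decode_flags(number)[0])
    print("good:", audit_profile(GOOD_PROFILE) or "ok")
    print("bad:", audit_profile(BAD_PROFILE))
```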
Step 2: You set up the download directory.
The logical file DOWNLOAD_SERVICE_DIR is defined and delivered by default. It points to the /usr/sap/trans/EPS/in directory in UNIX nomenclature. This path is specified in the definition of the logical path DOWNLOAD_SERVICE_PATH.
If the target directory fits your system, you can use the default logical file DOWNLOAD_SERVICE_DIR. You can also adjust the directory to which the logical path DOWNLOAD_SERVICE_PATH is pointing to your target directory, or you can create your own logical file paths, assignments of physical paths to logical paths and logical file names.
Adjusting the physical path assignment of the default logical path
1. Call transaction FILE and select the DOWNLOAD_SERVICE_PATH entry in the Create a logical file path table.
2. Go to Assignment of Physical Paths to Logical Path and adapt the physical path according to your target directory or operating system, respectively.
3. Save your changes.
Defining a new logical file
1. Call transaction FILE, choose New Entries, and specify a logical file path.
2. Under Assignment of Physical Paths to Logical Path, assign a physical path.
3. Go to Logical File Name Definition, Cross-Client, double-click your logical file, assign your new logical file path to it, and save your changes
Step 3. You maintain execution parameters using the transaction SDS_CONFIGURATION.
1. Creating a user-specific execution parameter
On the Execution Parameters tab page, choose Create Entry.
In the upcoming dialog box, for all fields the hard-coded system defaults are set. Enter here the respective values for your configuration. If you want to create a system default execution parameter, enter all values except the user name.
2. Changing an existing execution parameter
On the Execution Parameters tab page, select the entry that you want to change and choose Change Entry.
Enter your changes.
You can change all parameters but the user name.
Confirm your changes by choosing Continue and then Save.
3. Deleting an execution parameter
On the Execution Parameters tab page, select the entry that you want to delete and choose Delete Entry.
The entry is removed from the Execution Parameters table.
Step 4. You set up the SL protocol service.
You only need to perform this step if the following situations apply:
The release version of your SAP NetWeaver Application Server ABAP is 7.4 or higher.
The SL protocol is used.
Call transaction SICF.
Set the Hierarchy Type to SERVICE and choose Execute.
Expand the nodes under default_host and navigate to the following service trees:
SL protocol: <defaulthost>/sap/bc/rest/SLProtocol
REST protocol: <defaulthost>/sap/bc/rest
Ensure that the services are active.
Once the connection to the SAP support backbone is decided and configured, we can use it to consume digitally signed SAP Notes by customizing in report RCWB_SNOTE_DWNLD_PROC_CONFIG.
4. Defining Procedure and File Types to Consume Digitally Signed SAP Notes
Following are the two modes through which you can consume the digitally signed SAP Notes:
- How to Upload Digitally Signed SAP Notes Using SNOTE Transaction
- How to Download Digitally Signed SAP Notes Using SNOTE Transaction
1. How to Upload Digitally Signed SAP Notes Using SNOTE Transaction
Digitally signed SAP Notes are available from SAP ONE Support Launchpad. You can upload the digitally signed SAP Notes into the SNOTE transaction as follows:
- Download the digitally signed SAP Note from SAP ONE Support Launchpad
- Run the SNOTE transaction
- From the menu bar, choose Goto -> Upload SAP Note
2. How to Download Digitally Signed SAP Notes Using SNOTE Transaction
Based on your SAP NetWeaver version, you have the following ways to download SAP Notes into your system.
Download Procedures for NetWeaver 700 to 731:
- Download service
- RFC (Enabled by default)
Download Procedures for NetWeaver 740 and later:
- Download service
- RFC (Enabled by default until end of 2019)
To directly download the digitally signed SAP Notes using SNOTE transaction, proceed as follows:
Depending upon the settings defined in the Customization, the digitally signed SAP Notes are downloaded.
1. Defining Procedure for Downloading SAP Note (RCWB_SNOTE_DWNLD_PROC_CONFIG)
2. Defining File Type for Downloading SAP Note (RCWB_UNSIGNED_NOTE_CONFIG)
Defining Procedure for Downloading SAP Note (RCWB_SNOTE_DWNLD_PROC_CONFIG)
With the introduction of digitally signed SAP Notes, various procedures or modes are offered for downloading the SAP Notes. You use this report to define a procedure based on your requirement for downloading the SAP Note.
The report RCWB_SNOTE_DWNLD_PROC_CONFIG is used for customizing the different procedures.
If you are on the SPS level where the feature is delivered or implemented the TCI 2576306, this activity can be performed through IMG customization (IMG > SAP NetWeaver Implementation Guide > Application server > Basis Services > SNOTE )
This is a one time set up. If required, you can change the settings in this report at any given point in time.
RFC procedure for download of digitally signed SAP Note
If you choose this option, the system uses RFC destination SAPOSS or SAPSNOTE, whichever is applicable, to download the digitally signed SAP Note.
By default, the system uses the RFC option when no other option is selected.
->Starting 1st January 2020, downloading SAP Note using RFC procedure will no longer be supported for NetWeaver 740 and higher. You need to choose a download procedure between Download Service Application or HTTP Protocol.
HTTPS procedure for download of digitally signed SAP Note
If you choose below option, the system uses the HTTPS protocol to download the digitally signed SAP Note.
When you run this report RCWB_SNOTE_DWNLD_PROC_CONFIG using the transaction SE38, following are the various procedures offered in the report to download the SAP Note. Select HTTPS and save configuration.
Try to download one SNOTE and check the logs.
Logs will now contain Digitally Signed SAP note is downloaded using HTTPS as below.
Note: When using this option we faced a situation where no proper messages were displayed, like below. To solve it, follow the manual action in SNOTE 2508268.
After maintaining above message numbers with text we were able to read the SNOTE log texts properly.
Download of digitally signed SAP Note using Download Service application
If you choose this option, the system uses the Download Service application to download the digitally signed SAP Note.
The download service can be present in the same system that you are using to download the digitally signed SAP Note or in another system. For example, the SAP Solution Manager can be used as the download service system. Ensure that you have established the RFC connection, of type 3, to the download service system.
Advantage: Associated Transport-based Correction Instruction (TCI) packages and prerequisite SAP Notes are downloaded automatically.
For example, assume you have an SAP Note that has around 20 prerequisite SAP Notes. When you try to download the SAP Note, the 20 prerequisite SAP Notes are also downloaded automatically. With the other two options (RFC and HTTP protocol), the prerequisite SAP Notes are downloaded only during the implementation of that SAP Note.
In report RCWB_SNOTE_DWNLD_PROC_CONFIG, choose Download Service.
For the Download Service System, set the RFC destination to NONE and click Save.
Try to download one SAP Note and check the logs.
The logs will now state that the digitally signed SAP Note was downloaded using the Download Service.
Note: Refer to the SAP Notes below if you face any issues while downloading an SAP Note with the download service.
2803658 – After configuring the Netweaver Download Service for SAP Notes, attempting to download a note gives Error I:SCWNL810 NONE.
2608378 – Download fails when downloading a high number of Notes
2618713 – Timeout during download of SAP Notes via SAP Download Service
Defining File Type for Downloading SAP Note (RCWB_UNSIGNED_NOTE_CONFIG)
Report RCWB_UNSIGNED_NOTE_CONFIG was used to set the option “Do not download unsigned SAP Note”.
With this option chosen, any SAP Note that is not digitally signed and that you try to upload in future will not be allowed to be implemented in the system.
5. SDCCN direct connectivity/ Indirect connectivity update, ANST update, SAP RFC update
SDCCN Configuration Update:
After you have upgraded to the latest version of ST-A/PI, you must specify new HTTP connections in Service Data Control Center.
SDCCN offers an automatic option to migrate the tasks.
Click Migrate Tasks, then validate that the RFC destinations in the task-specific settings in SDCCN have been migrated.
To make the configuration changes in SDCCN manually instead:
Go to Settings -> Task-specific.
Add destination SAP-SUPPORT_PORTAL and remove destination SDCC_OSS.
Delete all tasks that have the target SAP (O02).
Create the tasks again. The new tasks will use new destination SAP-SUPPORT_PORTAL or SAP-SUPPORT_PARCELBOX depending on the task type.
ANST Configuration Update:
In the ANST transaction settings, change the RFC destination from SAPOSS to SAP-SUPPORT_PORTAL if the SAPOSS connection throws an error while downloading SAP Notes using the ANST transaction.
Update of RFC connection to SAP Support Backbone:
In a SAP ABAP system the following RFC connections to SAP Service and Support backbone infrastructure can exist:
- SM_SP_<customer number>
If you connect to the SAP Support Backbone infrastructure with an RFC connection not listed here, identify and check that RFC connection. To identify such an RFC connection to OSS, consider checking table RFCDES with transaction SE16 in your ABAP system.
- RFC connection SAPOSS or SAPSNOTE to the SAP Service and Support backbone infrastructure needs to be updated before January 2020; other RFC connections similar to SAPOSS or SAPSNOTE are normally no longer necessary.
- It is mandatory to replace the existing generic users (like OSS_RFC) in an RFC connection like SAPOSS or SAPSNOTE with a Technical Communication User.
- Please check the settings of RFC connection SAPOSS (or SAPSNOTE) and change them if necessary.
- You can still use logon group 1_PUBLIC, EWA or 2_JAPANESE.
- The servers behind the 3 logon groups are configured identically. Japanese customers of SAP SE can still use logon group 2_JAPANESE. Other customers can use either logon group 1_PUBLIC or EWA.
- You can still use target system “OSS”.
- You can still use message server “oss001.wdf.sap.corp”. Please do NOT change the “oss001.wdf.sap.corp” setting!
- Please use Load Balancing and set the flag to “yes”. It is mandatory to use flag “yes”.
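The checklist above can be checked mechanically once the SM59 values of each destination are written down. The following Python script is an added example, not part of the original blog or an SAP tool; the record field names, the placeholder user and the ZOSS_OLD destination are constructed, and the generic-user list holds only the OSS_RFC user named above.

```python
# Added example: checks SM59 values (constructed records) against the checklist.
ALLOWED_LOGON_GROUPS = {"1_PUBLIC", "EWA", "2_JAPANESE"}
TARGET_SYSTEM = "OSS"
MESSAGE_SERVER = "oss001.wdf.sap.corp"
# The page names OSS_RFC as a generic user; add any others you still use.
GENERIC_USERS = {"OSS_RFC"}
BACKBONE_DESTINATIONS = {"SAPOSS", "SAPSNOTE"}


def audit_destination(dest):
    """Return the checklist violations for one destination record."""
    findings = []
    user = dest.get("user", "").strip().upper()
    if not user:
        findings.append("no logon user maintained")
    elif user in GENERIC_USERS:
        findings.append(f"generic user {user}: use a Technical Communication User")
    group = dest.get("logon_group", "").strip().upper()
    if group not in ALLOWED_LOGON_GROUPS:
        findings.append(f"logon group {group or '<empty>'} is not allowed")
    if dest.get("target_system", "").strip().upper() != TARGET_SYSTEM:
        findings.append("target system is not OSS")
    if dest.get("message_server", "").strip().lower() != MESSAGE_SERVER:
        findings.append("message server is not oss001.wdf.sap.corp")
    if dest.get("load_balancing") is not True:
        findings.append("load balancing is not set to yes")
    return findings


def audit(destinations):
    """Map each destination name to its findings (empty list = compliant)."""
    report = {}
    for dest in destinations:
        name = dest["name"].strip().upper()
        findings = audit_destination(dest)
        if name not in BACKBONE_DESTINATIONS:
            findings.insert(0, "not SAPOSS/SAPSNOTE: check if still needed")
        report[name] = findings
    return report


# Constructed sample, as the values might be copied from SM59 by hand.
GOOD = {"user": "TECH_USER_PLACEHOLDER", "logon_group": "EWA",
        "target_system": "OSS", "message_server": MESSAGE_SERVER,
        "load_balancing": True}
SAMPLE = [
    {**GOOD, "name": "SAPOSS", "user": "OSS_RFC", "load_balancing": False},
    {**GOOD, "name": "SAPSNOTE"},
    {**GOOD, "name": "ZOSS_OLD", "logon_group": ""},
]

if __name__ == "__main__":
    for dest_name, dest_findings in audit(SAMPLE).items():
        print(dest_name, "OK" if not dest_findings else "; ".join(dest_findings))
```

An empty findings list means the destination matches every item of the checklist; destinations other than SAPOSS and SAPSNOTE are always flagged for a manual decision on whether they are still needed.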
Reference Links and SAP Notes:
2537133 – FAQ – Digitally Signed SAP Notes
Cheat Sheet for enabling SNOTE for Digitally Signed SAP Notes and for TCI
2737826 – SAP Support Backbone Update / upcoming changes in SAP Service and Support Backbone interfaces (latest) in January 2020.
2740667 – RFC connection SAPOSS to SAP Service & Support backbone will change (latest) in January 2020
2836302 – Automated guided steps for enabling Note Assistant for TCI and Digitally Signed SAP Notes
2392726 – How to unlock a Support Hub User (Technical Communication User)
2508268 – Download of Digitally Signed SAP Notes in SNOTE
2732094 – ANST – Implementing SOAP Based ANST Note Search
2690656 – New communication channel to SAP Backbone for transaction SDCCN
2174416 – Creation and activation of users for the Support Hub Communication
2554853 – SAP NetWeaver download service for SAP Notes
2783798 – SNOTE log messages displayed improperly after enabling Digitally Signed SAP Notes
2603877 – Exception handling corrected in download of digitally signed SAP Note for callers other than SNOTE
«You would have been seeing warning messages in […] SAP Service marketplace notes download sections, to update your systems to support SAP Backbone update.»
Yeah, and closed – by now, like, many hundreds of times, I believe. They are so <expletive> annoying, and I have neither the roles and authorisations, nor the mandate to do what they implore me to do… Do you know how to turn them off, please?
If you are referring to the warning message in the SAP Service Marketplace notes download section, it will be available till January 2020, as it is an alert message to all customers to make the necessary changes beforehand. We cannot turn them off.
The warning message when you open SNOTE tcode in SAP systems should disappear after you apply the required corrections to enable digitally signed SAP notes, and make necessary changes as mentioned in the blog as per your system release.
Nice blog, however I would suggest you to correct the below sections in your blog
2.1 Update to Support Package Manager (SPAM) version 69 or higher.
Once the SNOTE is bootstrapped, any SAP Note containing TCI can be implemented in the same way as implementing any other SAP Note. The bootstrapping of SNOTE is not transportable. Whereas the implementation of SAP Note containing TCI, in SNOTE, is locked in Transport Request and is transportable.
If you are on SPAM version 70 and above: the bootstrap note is transportable, you need not apply the bootstrap note in each system.
I have done that and transported it from Dev to QA and prod, you can check the detailed steps here
I would also recommend to create separate TRs for below:
Move these TRs in sequence to QA and prod.
Thank you for the suggestion, and yes I have updated them.
Why is this step required in STC01, the second-to-last step (Old OSS Comm: Configuration of SAPOSS Connection (OSS1))? You said we need to maintain the technical user in the old SAPOSS RFC... Is it mandatory to maintain the technical user ID? And can we delete the SAPOSS RFC? We are on SAP NetWeaver 7.5 SPS12, please respond.
Hi! Thanks a lot for this detailed procedure, I really appreciate it.
I have a question here: if I am running SAP_BASIS 740 SP19, I know that I need to implement notes 2536585, 2606986, 2615270 & 2569813 (if valid). Do I also need to implement the bootstrap for note 1995550? I am confused because I read that the bootstrap is not needed for 740 SP16 and above, so does this mean that I only need to implement the notes I listed above?
If your Basis release is above 740, you don't need to maintain the S-user in SAPOSS, and moreover your note download will work with an HTTPS connection, not through RFC, after implementing the digitally signed note.
The note below has been released for bootstrapping the system for TCI and digitally signed enablement. With this note, customers can perform TCI and digitally signed enablement in a guided way.
2836302 - Automated guided steps for enabling Note Assistant for TCI and Digitally Signed SAP Note
In our Solution Manager system, when we run the Task List SAP_SUPPORT_HUB_CONFIG from transaction STC01, in step 7 "Check connectivity and credentials to SAP Support Portal" we are getting connected OK, but get an error "SAP service point ping error : 401 unauthorized".
The "Checklist for Support Backbone Update" document states to check if the Technical User is locked, which we have, and it's not locked - it has a tick against "Active for Data Transfer".
We have reset the password in the SAP Portal https://launchpad.support.sap.com/#techuser and updated the same password in SM59 RFC SAP-SUPPORT_PORTAL
But despite all the above we still get the error in STC01 task list
SAP_SUPPORT_HUB_CONFIG - step 7 "Check connectivity and credentials to SAP Support Portal"
Please can you advise
I resolved my issue by just requesting a different technical user. Not sure why the existing one wouldn't work, but the new one worked fine.
I have configured the ABAP Download Service on the Solution Manager (7.2 SPS09).
I have configured one satellite system - NetWeaver 7.31 to use the download service.
I created an RFC type 3 connection to the Solman for this.
When I try to download an SAP note, it simply says - Download Service could not download the SAP note.
Well, what a descriptive error message !!!!!! What am I missing ? Am I missing something in the configuration ?
How to diagnose that ?!? How can I check the Download service ?
I dug through the whole internet - not a word about that !!!
OK, nobody replies, but I will continue to write...
I have a NetWeaver 7.4 SP07 system.
I am now trying to implement this bunch of notes. Note 2576306 has 8 (!!!!!!) PAGES of manual prerequisites !!!!!!!!!!!!!!!
Other notes had 3, so it makes together 11 (!!!!!!!) pages of manual operation !!!!!!!!!!!!!!
Then I had some activation errors and it took a short while to fix them.
Now I am SHOCKED to determine, that there are about 12 (!!!!!!!!!!!) pages of manual POST-PROCESSING steps... I already spent 5 hours doing this and I expect it to take AT LEAST 4 hours more !!!!!
And we have 3 more NetWeaver 7.4 based landscapes !!!!!!!!! WHO can ever manage to do that !!!!!!!!! THIS IS OUTRAGEOUS and the MOTHER OF ALL BAD IDEAS of SAP to force us to do that and this in such a short time till 1-Jan-2020 !!!!!!!!!!
PLEASE advise whether there is an easier way to do this, because I am at the end of my
I found an easier way to complete this activity: use the PDF attached to KBA 2836302.
Step 1 - Implement note 2836302 in the Development system. It will bring report RCWB_TCI_DIGITSIGN_AUTOMATION.
Step 2 - Execute the report in client 000 to check the steps that need to be performed based on the NW version.
After execution, the report gives you insight into the activities that need to be performed in the system.
MANY THANKS !!!!!!!
Your reply was a GAME CHANGER !!!!!! WHY is not EVERY guide beginning with - Implement SAP note 2836302 ?!? I had it a WAAAAY easier from then on, with only minimal manual corrections !!!
Wondering how is that even possible... Do you know if the report RCWB_TCI_DIGITSIGN_AUTOMATION is doing most of the manual actions automatically ?
However, I had one bigger obstacle - in the first system where I tried to directly implement the notes, the SAP note says that it Cannot be implemented. I found some solutions, including implementing note 1995550, however it could still not be implemented and I had to create all the new RFC destinations by hand. However, now everything is working just fine !!!
THANK YOU SOOOOOO MUCH !!!!!!!!!!!
Dear Praveena Subramani,
Thank you so much for such detailed documentation. Really appreciate it.
Great article. However, I am having issues and I am stuck on step
2> HTTPS procedure for SAP_BASIS release 740 and above on Task 4: Create HTTP connection
I am on Basis Release 7.40 SP Level 0013 and Kernel 742 Sup. PKG 400
On step where I need to define SAP Router string, it always fails, and on my SAPRouter I get:
checkRoute: native routing denied (0)
It seems that SAPRouter would not allow that destination port for final location is HTTPS default port 443.
How can I solve this issue?
Excellent article, Praveena. Many thanks for sharing with the community.
wonderful document.. and I am now confident and able to finish Backbone installation. Kudos !!! to Praveena
I am facing the below issue while configuring the HTTPS destination for SAP Note download in SAP_BASIS release 722.
*** WARNING => Connection request from (35/43/1) to host: notesdownload.sap.com, service: 443 failed (NIEHOST_UNKNOWN)
Please advise on this
Thanks for that great Wiki (much more helpful than hundreds of sapnotes)
@ TASK-3 STRUST (STC01 is asking for this cert)
where to download => DigiCert High Assurance EV Root CA
o.k. i think, i found the answer
https://launchpad.support.sap.com/#/notes/2827658 (+ have a look at this append .docx in this note)
obviously this Link to download
I have a question for my understanding. After the SAP Backbone conversion, the SAPOSS RFC should be deleted. Which RFC is used by the saprouter (via VPN connection)?
One question on the ANST configuration (we are on S/4Hana-1909-02 with NW-7.54_SP02)
I found these 2 SAP Notes to configure the new ANST web service within SOAMANAGER + https URL
corresponding to your blog - and info to ANST, there is still in ANST => settings => the RFC-usage of the new RFC "SAP-SUPPORT_PORTAL"
in our ANST settings there is still the old RFC "SAPSNOTE" in that ANST-setup ??
what is the right one to use?
it is worth mentioning:
2786930 - SNOTE: Download Service not available in destination
Download Service Application DOES NOT work through saprouter!
ANST configuration - (we are now on S/4Hana-2020-03 with NW-7.55_SP03)
and ANST is not working again -
SOAMANAGER configuration had been setup already, but PING => error:
Error when calling the request for conservation from the web service of ANST.
SRT: Processing error in Internet CommunicationFramework: ("SSL handshake with apps.support.sap.com:443 failed: SSSLERR_CLIENT_
SSL_read SSL API errorFailed to verify peer certificate.
i will check sapnote 2730525 => https://launchpad.support.sap.com/#/notes/2730525 (in Vers. 9)
and (we have had this before) - certificate has to be renewed.
obviously there was a new DigiCert Global Root CA certificate needed (since october 2021)
=> CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US
needed to be added twice in SSL-client anonym + in SSL client standard
now in oct. 2022, certificate apps.support.sap.com is ending,
and wonder why, is not needed anymore - wrongly installed certificates
( Examples for **frequently** misplaced CA-signed TLS server certificates, short-lived CA-signed end-entity certificates that should *never* be used as trust anchors for an SSL/TLS-protected communication scenario: )
see sapnote-2890773 => https://launchpad.support.sap.com/#/notes/2890773
We are configuring EWA on the DEV system. SOLMAN is on a different machine from DEV. We could not find SAP-SUPPORT_PORTAL in DEV, but in SOLMAN SAP-SUPPORT_PORTAL is working fine. How do we solve the issue?