
Steps to enable digitally signed SAP Notes on an SAP system

Introduction

SAP is making SAP Notes more secure by allowing only SAP Notes that are digitally signed.
SAP Notes files can be maliciously modified, and a customer can unknowingly upload the modified files into their ABAP systems. Digitally signed notes were introduced to protect SAP Notes files with increased authenticity and improved security.

The SAP Notes download and upload process changes from January 1st, 2020. The SAP system will not allow any unsigned note to be downloaded or uploaded. Downloading notes through the RFC procedure will no longer work on Basis release 7.4 and above. Basis releases 700-731 are an exception: there, the RFC user must be changed from OSS_RFC to the technical SUSER. To make your system more secure and protect it from malicious attacks, be prepared to implement digitally signed notes.

The steps below describe how to enable digitally signed notes in your ABAP system.

Steps involved:

Based on the Basis release of your system, perform the TCI implementation if it is not implemented yet. Notes for reference:

2576306
2546220
2408073
2508268
2537133

Once the TCI implementation is in place, refer to the SAP Notes below to enable digitally signed notes in your system:

https://launchpad.support.sap.com/#/notes/2836302

https://launchpad.support.sap.com/#/notes/2853813

https://launchpad.support.sap.com/#/notes/2738426

https://launchpad.support.sap.com/#/notes/2793641

 

The note delivers the following task for backbone support: SAP_BASIS_CONFIG_OSS_COMM

 

1-The SAP Cryptographic Library must be version 8.4.48 or higher.

2-Make sure the following parameter value is set in RZ11; a restart is required after setting this parameter:

ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH (note for reference: 510007)

3-The certificates below are added to SSL Client (Anonymous):

VeriSign Class 3 Public Primary Certification Authority – G5

DigiCert Global Root CA

DigiCert Global Root G2

Baltimore CyberTrust Root

4-Provide the credentials of the technical SUSER that was created for the SAP backbone connection. This task will create three RFC connections:

RC-404 is okay for this connection

 

The parcelbox connection should return RC-200.

Support_Portal connection test should return code 200.

Once the report has run successfully, it will show all items as green:

Run the report below in SE38, select the option not to download unsigned notes, and save it:

RCWB_UNSIGNED_NOTE_CONFIG

Run report RCWB_SNOTE_DWNLD_PROC_CONFIG, select HTTPS as the method, give below details and save it:

Test: download any SAP Note and check the note log; it should show the note as downloaded via HTTPS:
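A pre-flight check for prerequisites 1 to 3 above, written as an added example that is not part of the original article or of SAP's tooling. It assumes the operator supplies the profile text, the crypto library version string and the list of trusted certificate names; the function names and the sample inputs are hypothetical and constructed.

```python
import re

# Required values as stated in the article.
MIN_CRYPTOLIB = (8, 4, 48)
REQUIRED_CIPHERSUITES = "150:PFS:HIGH::EC_P256:EC_HIGH"
REQUIRED_ROOTS = [
    "VeriSign Class 3 Public Primary Certification Authority - G5",
    "DigiCert Global Root CA",
    "DigiCert Global Root G2",
    "Baltimore CyberTrust Root",
]

def parse_profile(text):
    """Parse 'name = value' lines; '#' lines are comments.
    Assumption: if a parameter appears twice, the last value is used."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params

def version_tuple(version):
    # Numeric compare: as strings, "8.4.5" would wrongly sort above "8.4.48".
    return tuple(int(part) for part in re.findall(r"\d+", version))

def norm(name):
    # Certificate names are often pasted with a typographic dash; fold to '-'.
    return re.sub(r"[\u2010-\u2015]", "-", name).strip().lower()

def preflight(profile_text, cryptolib_version, trusted_names):
    """Return a list of findings; an empty list means all three checks pass."""
    findings = []
    if version_tuple(cryptolib_version) < MIN_CRYPTOLIB:
        findings.append("crypto library %s is below 8.4.48" % cryptolib_version)
    value = parse_profile(profile_text).get("ssl/client_ciphersuites")
    if value != REQUIRED_CIPHERSUITES:
        findings.append("ssl/client_ciphersuites is %r" % value)
    have = {norm(n) for n in trusted_names}
    for root in REQUIRED_ROOTS:
        if norm(root) not in have:
            findings.append("missing trusted root: " + root)
    return findings

if __name__ == "__main__":
    # Constructed sample input, not taken from a real system.
    sample = "# instance profile (constructed)\nssl/client_ciphersuites = 135:PFS:HIGH\n"
    for finding in preflight(sample, "8.4.5", ["DigiCert Global Root CA"]):
        print(finding)
```
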

 

Conclusion

After following the above procedure and enabling the SAP support backbone in the ABAP system, the system will only allow digitally signed notes to be downloaded or uploaded, which protects the ABAP system from malicious attacks or entries.

Previously, notes were downloaded through an RFC call, which was less secure. Now the download passes a cryptographic check of the certificates, which ensures authenticity, and the call is made over HTTPS.
