Enabling SNOTE for downloading digitally signed SAP Notes using the download service procedure
SAP has updated its support backbone infrastructure to secure its critical infrastructure, so the time has come to migrate from the traditional RFC (SAPOSS) based SAP Notes upload and download procedure to the digitally enabled support backbone. This setup is also important for preparing the managed system configurations in Solution Manager. SAP has been recommending this move for quite some time.
Many documents and posts have been released to help customers enable the digitally secured backbone support. Many of the documents I went through achieve this setup using the HTTP(S) based procedure.
There are two procedures to enable the digitally secured framework for downloading SAP Notes.
- HTTP(S) based procedure
Like the earlier RFC (SAPOSS, type R/3) procedure, this procedure is also RFC based (HTTPS), but it is secured by SSL certificates. This secured connectivity works through SAP router, as was the case earlier.
- Download service application-based procedure
In this secured procedure, connectivity operates through an SAP NW AS ABAP that is defined as the download service application. Multiple ABAP systems can connect to the download service system to enable digital backbone support. The download service application replaces the need for the SAP router.
In this blog, I explain the setup of the download service application-based procedure. I opted for it because of the following advantages of the download service procedure:
- While implementing transport-based correction instruction (TCI) notes or corrections, the package associated with the TCI is also downloaded automatically.
- The system downloads the prerequisite SAP Notes, whereas in the HTTP protocol-based option the prerequisite SAP Notes get downloaded during the implementation of the present SAP Note.
- Multiple ABAP systems can be connected to one download service system via RFC (DS_CONFIG).
I have divided the setup task into broad parts as
- Prerequisites and checks
PREREQUISITES AND CHECKS
- NW AS ABAP for download service
This system is required so that it can be defined as the download service application. It can be the same system in which the note assistant will be used or a separate system.
I have used the development system as the download service application and will connect the quality and production systems to it via RFC.
2. Checks and preparations in development system
- Check the SPAM version. It should be 71 or greater.
- Download the packages from the notes below. Download the correct SAR files for your SAP_BASIS version.
Open the corrections of the notes below, select the correct SAP_BASIS release and download the SAR file.
- Enabling note assistant for TCI – Note 1995550 and 2408383
- Digitally Signed SAP Notes Download Enablement – Note 2576306 (this is the TCI equivalent of notes 2408073, 2546220, 2508268)
Note: If the ABAP system has SAP_BASIS <=700, implement the individual notes, as TCI will not work.
- Creation and activation of the Technical Communication user. Follow KBA 2174416 and keep the user ready.
To reduce the manual effort, SAP has automated these steps in a task list that enables the note assistant for TCI and subsequently consumes the packages to enable the download of notes.
- Log in to the development system and implement SAP Note 2836302, which brings the report ‘RCWB_TCI_DIGITSIGN_AUTOMATION’ into your system.
- Execute the report and provide the inputs for the tasks.
The report does the following:
- Implements any prerequisite notes.
- Takes the TCI packages of Note 1995550 and implements the note last; takes the TCI rollback package of Note 2408383 and implements the note last.
- Takes the digitally signed note package of Note 2576306 and implements the note last.
- At step 10, Note 2721941 is implemented (which includes any corrections not included in the TCI) and the configurations done above are validated.
- In step 11, it does the following validations:
- The Digital Signature configuration table CWB_DWNLD_PROC is found and filled.
- The RFC destinations are maintained correctly.
- The SSL certificate is maintained correctly.
- A test SAP Note 2424539 is downloaded (step 12), and then all the notes and packages required to be imported in subsequent systems can be captured in a transport request.
Note 1: Most of the corrections mentioned in steps 1-10 are valid for SAP_BASIS 752 or lower. For SAP_BASIS 753 or above, the corrections are already incorporated and show as completed when the report is executed.
Note 2: Steps 11 onward check and validate the configurations. Wait for the completion of the configuration step (as below) before executing them.
- Implement note 2576306.
It brings the report RCWB_SNOTE_DWNLD_PROC_CONFIG, which is used to configure the download procedure.
Execute the report.
The same can be accessed through the IMG:
SPRO –> IMG –> SAP NetWeaver –> Application Server –> Basis Services –> SNOTE
2. Select download service application.
In my case, the download service is installed in the same ABAP system where I am executing this configuration, so I gave the RFC destination as ‘NONE’.
Enter DS_CONFIG if the system is not the download service system. (In that case, the screen asks for the download service system details in order to create the RFC destination DS_CONFIG.)
3. Configuration specific to download service application.
These configurations are specific to the download service application. If the download service application is an AS ABAP different from the system where the digital backbone is required, perform the steps below in that AS ABAP.
1. Download the certificates below
DigiCert Global Root CA https://dl.cacerts.digicert.com/DigiCertGlobalRootCA.crt
DigiCert Global Root G2 https://dl.cacerts.digicert.com/DigiCertGlobalRootG2.crt
Go to tcode STRUST and add the certificates to the certificate list of the SSL client (anonymous) and SSL client (standard) PSEs.
- Refer to Note 510007 for setting up SSL on Application Server ABAP (see Section 2 and Section 7 for details). Here, perform the steps below.
2.a. Check the CryptoLib version.
Required is at least CommonCryptoLib 8.4.38. Recommended is at least 8.4.49.
Log in as <sid>adm and go to the kernel directory.
Execute the command ./sapgenpse
2.b. Set the profile parameters
ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH
ssl/client_ciphersuites = 918:PFS:HIGH::EC_P256:EC_HIGH (For Solution Manager)
2.c. Remove the parameters below from the instance and default profiles (if they exist)
ssf/name, ssf/ssfapi_lib, sec/libsapsecu, ssl/ssl_lib
Note: You might see a similar value as the kernel default for ssl/client_ciphersuites. I suggest setting the above value in the instance or default profile, as kernel default values may change with kernel updates.
3. Implement the corrections of TCI note 2554853.
4. Setup for SAP Support Portal
Execute tcode SDS_Configuration and maintain Technical Communication user and password.
Keep the Username Empty.
5. Go to tcode SMICM and ensure icm/server_port is set for HTTPS.
6. Setup the target directory for download service.
Go to tcode FILE and select the DOWNLOAD_SERVICE_PATH. Now, select Assignment of Physical Paths to Logical Path.
We need to give an operating system path that is accessible for storing the files.
Note that DOWNLOAD_SERVICE_DIR maps to the physical path for the download directory.
Go to table CWB_DWNLD_PROC and check the entry.
Now, go back to RCWB_TCI_DIGITSIGN_AUTOMATION and execute step 11 onward. It performs the checks and downloads the test note 2424539.
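The operating-system checks from steps 2.a to 2.c above can be scripted. The following is an added example, not part of the original blog or of SAP's tooling: it classifies a CommonCryptoLib version against the two thresholds given in step 2.a and audits a profile file for the ssl/client_ciphersuites value and the parameters step 2.c says to remove. The function names and the sample profile are constructed for illustration.

```shell
# Added example; function names and the sample profile are constructed, not SAP tooling.

# version_ge A B: succeed when dotted version A >= B (numeric compare, field by field).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0 }'
}
# ccl_status VERSION: classify against step 2.a (8.4.38 required, 8.4.49 recommended).
ccl_status() {
    if version_ge "$1" 8.4.49; then echo recommended
    elif version_ge "$1" 8.4.38; then echo minimum
    else echo too_old; fi
}
# profile_value FILE PARAM: print the last non-comment value assigned to PARAM.
profile_value() {
    awk -v p="$2" '/^[ \t]*#/ { next }
        { i = index($0, "="); if (!i) next
          k = substr($0, 1, i - 1); v = substr($0, i + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
          if (k == p) val = v }
        END { if (val != "") print val }' "$1"
}
# audit_profile FILE [solman]: one finding per line; returns 1 if any change is needed.
audit_profile() {
    want="150:PFS:HIGH::EC_P256:EC_HIGH"
    [ "${2:-}" = solman ] && want="918:PFS:HIGH::EC_P256:EC_HIGH"
    rc=0
    have=$(profile_value "$1" ssl/client_ciphersuites)
    if [ -z "$have" ]; then echo "SET ssl/client_ciphersuites = $want"; rc=1
    elif [ "$have" != "$want" ]; then echo "CHANGE ssl/client_ciphersuites ($have)"; rc=1
    else echo "OK ssl/client_ciphersuites"; fi
    for p in ssf/name ssf/ssfapi_lib sec/libsapsecu ssl/ssl_lib; do
        [ -n "$(profile_value "$1" "$p")" ] && { echo "REMOVE $p"; rc=1; }
    done
    return $rc
}
# Constructed sample instance profile (values are illustrative, not from a real system).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
icm/server_port_1 = PROT=HTTPS,PORT=44300
ssl/client_ciphersuites = 135:PFS:HIGH::EC_P256:EC_HIGH
ssl/ssl_lib = /usr/sap/XXX/custom/libsapcrypto.so
EOF
echo "CommonCryptoLib 8.4.40: $(ccl_status 8.4.40)"
audit_profile "$SAMPLE" || echo "profile needs changes"; rm -f "$SAMPLE"
```

Run it against a copy of the instance and default profiles; pass `solman` as the second argument to `audit_profile` to check for the Solution Manager value.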
- 2836302 – Automated guided steps for enabling Note Assistant for TCI and Digitally Signed SAP Notes
- 2576306 – Transport-Based Correction Instruction (TCI) for Download of Digitally Signed SAP Notes
I would appreciate any recommendations or queries on this blog.
I was looking for some doc related to backbone setup using the download service option for many days. Finally I got this one. This doc has all the necessary steps, which helped me to do the configuration easily.
Good work Sumit...keep writing 🙂
thank you very much for this blog.
I have entered the following path \\hostname\sapmnt\trans\EPS\in.
But this is a Windows system and I cannot change Syntax group to Windows NT. The green hook is grayed out.
Which user (OS or SAP User) should enter here? We get this error message
Thank you very much.
Thanks for writing.
You may refer to SAP Note 2830368 for Windows application servers.
In the execution parameter tab, keep the 'USER' option blank.
(I had confronted this issue; giving any value instead of blank gave unexpected errors.)
Thank you very much for your answer.
When I try to change the SYNTAX GROUP by creating a new entry, I get this error message:
You are doing it correctly. You just have to press "Enter" for the notifications for message no. SV019.
Note: Please press Enter several times until it no longer asks for a transport request to capture it (based on client setting) or gets saved.
After this you should be able to see Windows NT as Syntax Group.
Thank you very very much !!!!
Glad to help.
Please don't hesitate if you face any other issue.
Does anyone know if SAP prefers one of the two methods for downloading SAP Notes?
Regards + Thanks
SAP has not mentioned any preference between the two methods for downloading SAP Notes – HTTP and Download Service. However, the download service method holds certain advantages, as SAP mentions.
Besides, if you have Solution Manager 7.2 SP 09 or higher in the landscape, which gives an option to automatically update the CR content of SLD or LMDB, the download service method becomes an important prerequisite for the setup.
Unlike the download service method, in which the download service system connects to the SAP Portal, the HTTP based method connects each of the systems directly to the SAP Portal, and hence each of the systems requires the certificates installed.
However, the one disadvantage I see in the DS method is the case where the download service system goes down. In that case, no system in the landscape will be able to download SAP Notes.
So in your quality and production ABAP systems you have executed from step 3 - Configuration specific to download service application - and have used RFC DS_CONFIG between Development-Quality and Quality-Production?
Is my understanding correct?
Step 3 is for setting up the download service system (the first time, e.g. in Dev), i.e. certificates, technical communication user and path (/usr/sap/trans/EPS/in) where the SAR files for all the SAP Notes you download will appear. You don’t have to repeat it and can access the system by RFC DS_CONFIG again.
Corrections for TCI and digital download enablement, and the reports RCWB_TCI_DIGITSIGN_AUTOMATION and RCWB_SNOTE_DWNLD_PROC_CONFIG (think how else will you define the download procedure as DS!), are required in subsequent systems too. Do import the transport for the corrections implemented in development.
Thanks for the response Sumit.
However I am seeing below error in SMICM when I try to download the note using Download Service.
[Thr 139798220568320] NiIGetNodeAddr: hostname 'notesdownloads.sap.com' = addr 22.214.171.124
[Thr 139798220568320] IcmIConnConnect: Connect to host: notesdownloads.sap.com, service: 443, SAP_O_K(0)
[Thr 139798220568320] in: hostname = "notesdownloads.sap.com"
[Thr 139798220568320] in: parg = "notesdownloads.sap.com"
[Thr 139798220568320] *** ERROR => SSL handshake with notesdownloads.sap.com:443 failed: SSSLRC_CONN_CLOSED (-10)
[Thr 139798220568320] 7f2557a60e90 000192 74682532 306e6f74 6573646f 776e6c6f |th%20notesdownlo|
I have already updated the SAP Root certificates to client standard and client anonymous in STRUST.
Let me know if you have any idea on this.
Looks like the issue is with SSL only.
Ensure you are able to telnet to the server notesdownloads.sap.com at port 443 (it must connect, else it's a firewall issue).
If above connects, Check :
Hope you are using the Technical Communication user in SDS_configuration and not just an S-user.
We had a problem last week on a DEV/QA system on which digitally signed SNOTE had been installed before.
Is it possible to re-implement digitally signed SNOTE now?
By accident a logical disk partition (file system) failed and we do not have a valid backup; we can only restore/recover to a point before SNOTE was implemented.
There is no reason why you can’t re-implement the notes again.
Also, since you are restoring the backup at the database level, you may not have to repeat some of the steps (just validate and proceed).
Really, really fantastic blog. Really appreciable guidance.
One question, hope you will reply.
In my company we have SAP NetWeaver 7.02 / ECC 6.0 EHP5. In this version, will the above mentioned steps be the same as you have explained here?
Yes, this setup is true for SAP NW 7.02 too. However, to enable the Note Assistant for TCI (the first prerequisite, also known as bootstrapping), you need to download the SAR file from SAP Note 2444141 and not 1995550.
Seriously I am NOT understanding this NEW approach of connecting Online Support Service of SAP.
As I have upgraded the SAP system to the following support package level, I am NOT able to apply a single SAP Note correction related to TCI.
I have done all the steps which you have mentioned in the following steps of this document:
I am stuck:- (Now, go back to RCWB_TCI_DIGITSIGN_AUTOMATION and execute step 11 onward. It does the check and download the test note 2424539.) STEP.
And finally, SAP Note download in the SNOTE tcode is NOT happening and I am getting the following error:
HTTP client: receive method failed with return code SY_SUBRC 1
Please be kind enough to support me.
Bootstrap is already enabled for different releases at different SP levels.
For SAP_BASIS 702 SP >= 20, this is enabled by default. Hence, steps 2-7 (in your case) of RCWB_TCI_DIGITSIGN_AUTOMATION will say “no action required”. Again, 2576306 - TCI for Download of Digitally Signed SAP Notes is already included in SP SAPKB70221, hence steps 8-9 will say “no action required”.
Your issue looks to be primarily with the configuration part.
Step 10, implementation of composite notes 2869143, should be completed successfully.
After the above composite notes get successfully implemented, ensure “download service” is defined as the procedure, certificates are placed in STRUST SSL Client standard and anonymous, and SDS_Configuration has the technical communication user (avoid a normal S-user).
How can I get the tcode SDS_CONFIGURATION and DOWNLOAD_SERVICE_PATH in the tcode FILE?
I have a NW 7.02 and executed almost all the steps of the report RCWB_TCI_DIGITSIGN_AUTOMATION.
SDS_CONFIGURATION is quite an old tcode. Aren't you getting it?
I don't have a system at NW 7.02 to reproduce this issue.
Could you please try the report SDS_CONFIGURATION_MAINT for the same?
If you have correctly applied TCI 2554853 for SAP_BASIS 702, the FILE tcode - Logical file path must have been populated with the entry DOWNLOAD_SERVICE_PATH.
I've checked two systems (NW 7.31_SP09 and NW 7.02_SP15) and neither has SDS_CONFIGURATION or SDS_CONFIGURATION_MAINT.
For that reason I'm thinking of discarding the download service option for downloading notes and choosing the HTTP option, but I would like to know in which note/SP/TCI the tcode SDS_CONFIGURATION is included.
Inclusion of a personal email address is a violation of rules of engagement: https://community.sap.com/resources/rules-of-engagement. I have removed.
Hi Sumit Jaiswal
Thanks for this article.
When the QA and Prod systems connect to the download service in the DEV system, do I need to implement
SAP Note 2836302, which brings the report
‘RCWB_TCI_DIGITSIGN_AUTOMATION’, in the QA and Prod systems too?
Using this download service, do I need to set up SSL in the Dev system only?
The report RCWB_TCI_DIGITSIGN_AUTOMATION automates the steps to consume TCI and then apply the TCI based packages of 2576306.
From step 11, the report just validates the configurations. You may transport the TCI from DEV (your DS system) to subsequent systems if you opt to validate the configurations using RCWB_TCI_DIGITSIGN_AUTOMATION.
This is optional in subsequent systems. In subsequent systems (QAS and PRD), you must have RCWB_SNOTE_DWNLD_PROC_CONFIG to select 'Download service Application' with the RFC pointing to your download service system, i.e. DEV in your case.
Hi Sumit Jaiswal
Previously I implemented Note 2923799 and chose the RFC connection using RCWB_SNOTE_DWNLD_PROC_CONFIG.
Can I use a connection using SAPOSS with the Technical user?
Or do I have to use HTTPS or download service?
From Jan 2020, RFC SAPOSS calls into the SAP Support Backbone infrastructure are not allowed.
You need to set up either HTTPS or download service to connect to the Support Portal and download the notes.
Hi Sumit Jaiswal
Here is my system detail:
I didn’t understand note 510007 in step 2.
Should I remove the parameters ssf/name, ssf/ssfapi_lib, sec/libsapsecu, ssl/ssl_lib?
Current in RZ10:
No, it's fine. Removal is required if there were custom values.
Hi Sumit Jaiswal
When we use the download service do I also have to create SAP-SUPPORT_PORTAL and
Thanks for the reply
I'm trying to configure TCI, but the next pop up window appears in the step:
RFC connections are working fine.
Pop up Snote
The SDS_configuration transaction code does not exist for version EHP6 FOR SAP ERP 6.0 / NW 731 to add the S-User.