Author: Sumit Jaiswal

Enabling SNOTE for downloading digitally signed SAP Notes using the download service procedure

As SAP has updated the support backbone infrastructure to ensure the security of its critical infrastructure, the time has arrived to migrate from the traditional RFC (SAPOSS) based SAP Notes upload and download procedure to the digitally enabled support backbone. This setup is also important for preparing the managed system configurations in Solution Manager. SAP has been recommending this move for quite some time.

Many documents and posts have been released to help customers enable the digitally secured backbone support. Many of the documents I went through achieve this setup using the HTTP(S)-based procedure.

There are two procedures to enable the digitally secured framework for downloading SAP Notes.

  • HTTP(S) based procedure

Like the earlier RFC (SAPOSS, type R/3) procedure, this is also an RFC-based procedure (HTTPS), but it is secured by SSL certificates. This secured connectivity works through the SAP router, as was the case earlier.

  • Download service application-based procedure

This secured connectivity operates through an SAP NW AS ABAP system that is defined as the download service application. Multiple ABAP systems can connect to the download service system to enable digital backbone support. The download service application replaces the need for the SAP router.

In this blog, I explain the setup of the download service application-based procedure. I opted for it because of the following advantages of the download service procedure:

  1. While implementing transport-based correction instruction (TCI) notes or corrections, the package associated with the TCI is also downloaded automatically.
  2. The system downloads the prerequisite SAP Notes, whereas in the HTTP protocol-based option the prerequisite SAP Notes get downloaded during the implementation of the present SAP Note.
  3. Multiple ABAP systems can be connected to the one download service system via RFC (DS_CONFIG).

I have divided the setup task into four broad parts:

  1. Prerequisites and checks
  2. Execution
  3. Configurations
  4. Confirmations

PREREQUISITES AND CHECKS

  1. NW AS ABAP for download service

This system is required so that it can be defined as the download service application. It can be the same system in which the Note Assistant will be used, or a separate system.

I have used the development system as the download service application and will connect the quality and production systems to it via RFC.

  2. Checks and preparations in development system

  • Check the SPAM version. It should be 71 or greater.
  • Download the packages from the notes below. Download the correct SAR files for your SAP_BASIS version.

Open the corrections of the notes below, select the correct SAP_BASIS and download the SAR file.

  1. Enabling note assistant for TCI – Note 1995550 and 2408383
  2. Digitally Signed SAP Notes Download Enablement – Note 2576306 (this is the TCI equivalent of notes 2408073, 2546220, 2508268)

Note: If the ABAP system has SAP_BASIS <= 700, implement the individual notes, as TCI will not work.

  • Create and activate the technical communication user. Follow KBA 2174416 and keep the user ready.

EXECUTION

To reduce manual effort, SAP has automated these steps in a task list that enables the Note Assistant for TCI and subsequently consumes the packages that enable the download of notes.

  • Log in to the development system and implement SAP Note 2836302, which brings the report ‘RCWB_TCI_DIGITSIGN_AUTOMATION’ into your system.
  • Execute the report and provide the inputs for the tasks.

The report does the following:

  1. Implements any prerequisite notes.
  2. Takes the TCI packages of Note 1995550 and implements the note last; takes the TCI rollback package of Note 2408383 and implements the note last.
  3. Takes the digitally signed note package of Note 2576306 and implements the note last.
  4. At step 10, Note 2721941 is implemented (it includes any corrections not included in the TCI) and the configurations done above are validated.
  5. In step 11, it performs the following validations:
     • The digital signature configuration table CWB_DWNLD_PROC is found and filled.
     • The RFC destinations are maintained correctly.
     • The SSL certificate is maintained correctly.
  6. A test SAP Note 2424539 is downloaded (step 12), and then all the notes and packages that need to be imported into subsequent systems can be captured in a transport request.

Note 1: Most of the corrections mentioned in steps 1-10 are valid for SAP_BASIS 752 or lower. For SAP_BASIS 753 or above, the corrections are already incorporated and are shown as completed when the report is executed.

Note 2: Steps 11 and further check and validate the configurations. Wait for the completion of the Configuration step (described below) before executing them.

CONFIGURATION

  1. Implement note 2576306.

It brings the report RCWB_SNOTE_DWNLD_PROC_CONFIG, which is used to configure the download procedure.

Execute the report.

The same can be accessed via the IMG:

SPRO –> IMG –> SAP NetWeaver –> Application Server –> Basis Services –> SNOTE

2. Select download service application.

In my case, the download service is installed in the same ABAP system where I am executing this configuration, so I gave the RFC destination as ‘NONE’.

Enter DS_CONFIG if the system is not the download service system. (In that case, the screen asks for the download service system details in order to create the RFC destination DS_CONFIG.)

3. Configuration specific to download service application.

These configurations are specific to the download service application. If the AS ABAP acting as the download service application is different from the system where the digital backbone is required, perform the steps below in that AS ABAP.

1. Download the certificates below:

DigiCert Global Root CA https://dl.cacerts.digicert.com/DigiCertGlobalRootCA.crt

DigiCert Global Root G2 https://dl.cacerts.digicert.com/DigiCertGlobalRootG2.crt

Go to tcode STRUST and add the certificates to the certificate list of the SSL client (anonymous) and SSL client (standard) PSEs.

2. Refer to Note 510007 for setting up SSL on Application Server ABAP (see Section 2 and Section 7 for details). Here, perform the steps below.

2.a. Check the CryptoLib version.

At least CommonCryptoLib 8.4.38 is required; at least 8.4.49 is recommended.

Log in as <sid>adm and go to the kernel directory.

Execute the command ./sapgenpse

2.b. Set the profile parameters

ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH

ssl/client_ciphersuites = 918:PFS:HIGH::EC_P256:EC_HIGH (For Solution Manager)

2.c. Remove the parameters below from the instance and default profiles (if they exist):

ssf/name, ssf/ssfapi_lib, sec/libsapsecu, ssl/ssl_lib

Note: You might see a similar value as the kernel default for ssl/client_ciphersuites. I suggest setting the above value explicitly in the instance or default profile, as kernel default values may change with kernel updates.

3. Implement the corrections of TCI note 2554853.

4. Setup for SAP Support Portal

Execute tcode SDS_Configuration and maintain the technical communication user and password.

Keep the Username empty.

5. Go to tcode SMICM and ensure icm/server_port is set for HTTPS.

6. Set up the target directory for the download service.

Go to tcode FILE and select DOWNLOAD_SERVICE_PATH. Then select Assignment of Physical Paths to Logical Path.

Provide an operating system path that is accessible for storing the downloaded files.

Note that DOWNLOAD_SERVICE_DIR maps to the physical path for the download directory.
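
The CryptoLib version and profile parameter checks from step 2 can be scripted so they are repeatable after kernel updates. The script below is an added example, not code from this post or from SAP; the function names, the layout of the sample sapgenpse output and the sample profile lines are constructed for illustration.

```sh
#!/bin/sh
# Added example, not SAP tooling: audits the step 2 settings from the post.
CCL_MIN=8.4.38   # minimum CommonCryptoLib named in the post
CCL_REC=8.4.49   # recommended CommonCryptoLib named in the post
# Value from the post; set CIPHERS_WANT to the 918:... variant on Solution Manager.
CIPHERS_WANT=${CIPHERS_WANT:-150:PFS:HIGH::EC_P256:EC_HIGH}
# Parameters the post says to remove from the instance and default profiles.
LEGACY_PARAMS="ssf/name ssf/ssfapi_lib sec/libsapsecu ssl/ssl_lib"

# ver_ge A B: true if dotted version A >= B, comparing three fields numerically.
ver_ge() {
  a=$1; b=$2
  for n in 1 2 3; do
    x=${a%%.*}; y=${b%%.*}
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
    case $a in *.*) a=${a#*.} ;; *) a=0 ;; esac
    case $b in *.*) b=${b#*.} ;; *) b=0 ;; esac
  done
  return 0
}

# ccl_version: reads sapgenpse output on stdin, prints the CommonCryptoLib x.y.z.
ccl_version() {
  sed -n 's/.*CommonCryptoLib[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
    head -n 1
}

# profile_get FILE PARAM: prints the last uncommented "PARAM = value"; fails if absent.
profile_get() {
  awk -v p="$2" '
    { i = index($0, "="); if (i == 0 || $0 ~ /^[ \t]*#/) next
      k = substr($0, 1, i - 1); val = substr($0, i + 1)
      gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (k == p) { v = val; found = 1 } }
    END { if (!found) exit 1; print v }' "$1"
}

# audit SAPGENPSE_OUTPUT PROFILE...: a later profile overrides an earlier one, so
# pass DEFAULT.PFL first and the instance profile last. Returns 1 on any FAIL.
audit() {
  gen=$1; shift; rc=0; ciphers=""
  ver=$(ccl_version < "$gen")
  if [ -z "$ver" ]; then echo "FAIL CommonCryptoLib version not found"; rc=1
  elif ! ver_ge "$ver" "$CCL_MIN"; then echo "FAIL CommonCryptoLib $ver < $CCL_MIN"; rc=1
  elif ! ver_ge "$ver" "$CCL_REC"; then echo "WARN CommonCryptoLib $ver < recommended $CCL_REC"
  else echo "OK   CommonCryptoLib $ver"; fi
  for f in "$@"; do
    if c=$(profile_get "$f" ssl/client_ciphersuites); then ciphers=$c; fi
    for p in $LEGACY_PARAMS; do
      if old=$(profile_get "$f" "$p"); then echo "FAIL $p = $old set in $f"; rc=1; fi
    done
  done
  if [ -z "$ciphers" ]; then echo "WARN ssl/client_ciphersuites not set, kernel default applies"
  elif [ "$ciphers" = "$CIPHERS_WANT" ]; then echo "OK   ssl/client_ciphersuites = $ciphers"
  else echo "FAIL ssl/client_ciphersuites = $ciphers, expected $CIPHERS_WANT"; rc=1; fi
  return $rc
}

# Demo on constructed input (not output from a real system).
tmp=$(mktemp -d)
printf '%s\n' ' Versions:   SAPGENPSE       8.4.45 (sample)' \
  '             CommonCryptoLib 8.4.45 (sample)' > "$tmp/sapgenpse.out"
printf '%s\n' '# sample profile' 'ssl/ssl_lib = /usr/sap/SID/exe/libsapcrypto.so' \
  'ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH' > "$tmp/DEFAULT.PFL"
audit "$tmp/sapgenpse.out" "$tmp/DEFAULT.PFL" || echo "audit reported failures"
rm -rf "$tmp"
```

On a real system, save the output of ./sapgenpse to a file and pass it together with the default and instance profile paths to audit.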

CONFIRMATION

Go to table CWB_DWNLD_PROC and check the entry.

Now, go back to RCWB_TCI_DIGITSIGN_AUTOMATION and execute step 11 onward. It performs the checks and downloads the test note 2424539.

 

References:

  • 2836302 – Automated guided steps for enabling Note Assistant for TCI and Digitally Signed SAP Notes
  • 2576306 – Transport-Based Correction Instruction (TCI) for Download of Digitally Signed SAP Notes

I will appreciate any recommendation or query on this blog.

      32 Comments
      Hareesh Rayi

      I was looking for some doc related to backbone setup using download service option for many days. Finally I got this one. This doc has all the necessary steps, which helped me to do the configuration easily.

      Good work Sumit...keep writing 🙂

      Sumit Jaiswal
      Blog Post Author

      Thanks.

      Tatjana Schumakowa

      Hi Sumit,

      thank you very much for this blog.

      I have entered the following path \\hostname\sapmnt\trans\EPS\in.

      But this is a Windows system and I cannot change the Syntax group to Windows NT. The green hook is grayed out.


       

      Which user (OS or SAP User) should be entered here? We get this error message

       

      Thank you very much.

      Best regards

      Sumit Jaiswal
      Blog Post Author

      Hi Tatjana,

      Thanks for writing.

      You may refer to SAP Note 2830368 for Windows application server.

      In execution parameter tab, keep 'USER' option blank.

      (I had confronted this issue; giving any value instead of blank gave unexpected errors.)

      Sumit

      Tatjana Schumakowa

      Hi

      Thank you very much for your answer.

      When I try to change the SYNTAX GROUP, by creating a new entries, then I get this error message:

      What am I doing wrong ?
      Thank you very much.
      Best Regards
      Sumit Jaiswal
      Blog Post Author

      Hi Tatjana,

      You are doing it correctly. You just have to press "Enter" for the notifications for message no. SV019.

      Note: Please press Enter several times until it does not ask for a transport request to capture it (based on client setting) or does not get saved.

      Upon this you should be able to see Windows NT as Syntax Group

       

      Tatjana Schumakowa

      Hi Sumit,

       

      Thank you very very much !!!!

      It works.

       

      Many Thanks

       

      Sumit Jaiswal
      Blog Post Author

      Glad to help.

      Please don't hesitate if you face any other issue.

      Daniel Masaladzic

      Hello everybody,

      does anyone know if SAP prefers one of the two methods for downloading SAP notes?

      Regards + Thanks

      Daniel

       

       

      Sumit Jaiswal
      Blog Post Author

      Hi Daniel,

      SAP has not mentioned any preference about the two methods for downloading SAP notes – HTTP and Download Service. However, Download service method holds certain advantages as SAP mentions.

      1. While implementing transport-based correction instruction (TCI) notes or corrections, the package associated with the TCI is also downloaded automatically.
      2.  The system downloads the prerequisite SAP Notes, whereas in the HTTP protocol-based option the prerequisite SAP Notes get downloaded during the implementation of the present SAP Note
      3. Multiple ABAP systems can be connected to the one download service system via RFC (DS_CONFIG).

      Besides, if you have Solution Manager 7.2 SP 09 or higher in the landscape, which gives an option to automatically update the CR content of SLD or LMDB, the download service method becomes an important prerequisite for the setup.

      Unlike the download service method, in which the download service system connects to the SAP Portal, the HTTP-based method connects each of the systems directly to the SAP Portal, and hence each of the systems requires the certificates installed.

      However, the one disadvantage I see in DS method is the case if download service system goes down. In that case, no system in the landscape will be able to download the sap notes.

      Vinit Vishal

      Hi Sumit,

       

      Great Blog!

      So in your quality and Production ABAP system you have executed from step 3 - Configuration specific to download service application. and have used RFC DS_Config between Development-Quality and Quality-production?

      Is my understanding correct?

       

      Sumit Jaiswal
      Blog Post Author

      Hi Vinit,

      Step 3 is for setting up the download service system (first time, e.g. in Dev), i.e. certificates, technical communication user and path (/usr/sap/trans/EPS/in) where SAR files for all the SAP Notes you will download will appear. You don’t have to repeat it and can access the system by RFC DS_CONFIG again.

      Corrections for TCI and digital download enablement, reports RCWB_TCI_DIGITSIGN_AUTOMATION and RCWB_SNOTE_DWNLD_PROC_CONFIG (think how else will you define download procedure as DS!) are required in subsequent systems too. Do import the transport for the corrections implemented in development.

      Vinit Vishal

      Thanks for the response Sumit.

      However I am seeing below error in SMICM when I try to download the note using Download Service.

      [Thr 139798220568320] NiIGetNodeAddr: hostname 'notesdownloads.sap.com' = addr 155.56.46.215
      [Thr 139798220568320] IcmIConnConnect: Connect to host: notesdownloads.sap.com, service: 443, SAP_O_K(0)
      [Thr 139798220568320] in: hostname = "notesdownloads.sap.com"
      [Thr 139798220568320] in: parg = "notesdownloads.sap.com"
      [Thr 139798220568320] *** ERROR => SSL handshake with notesdownloads.sap.com:443 failed: SSSLRC_CONN_CLOSED (-10)
      [Thr 139798220568320] 7f2557a60e90 000192 74682532 306e6f74 6573646f 776e6c6f |th%20notesdownlo|

      I have already updated the SAP Root certificates to client standard and client anonymous in STRUST.

      Let me know if you have any idea on this.

      Sumit Jaiswal
      Blog Post Author

      Hi Vinit,

      Looks like the issue is with SSL only.

      Ensure you are able to telnet to the server notesdownloads.sap.com at port 443 (it must connect, else it's a firewall issue).

      If the above connects, check:

      • CryptoLib version.
      • Profile parameter ssl/client_ciphersuites

      Hope you are using Technical Communication user in SDS_configuration and not just S-user.

      Tri Susilo

      Hi Sumit,

      We had a problem last week on the DEV/QA system, on which digitally signed SNOTE had been installed before.

      Is it possible to re-implement digitally signed SNOTE now?

      Because by accident a logical disk partition (file system) failed and we do not have a valid backup; we can only restore to a point before SNOTE was implemented.

      Please advise.

      Thank you

      Trilo

      Sumit Jaiswal
      Blog Post Author

      Hi Trilo,

      There is no reason why you can’t re-implement the notes again.

      Also, since you are restoring the backup at database, some of the steps you may not have to repeat (just validate and proceed).

      Kushal Sambhunath Banerjee

      Dear Sumit,

      Really, really fantastic blog. Really appreciable guidance.

      One question, hope you will reply.

      In my company we have SAP NetWeaver 7.02 version / ECC 6.0 EHP5. In this version, will the above-mentioned steps be the same as you have explained here …?

      Thanks

      Kushal

       

      Sumit Jaiswal
      Blog Post Author

      Hi Kushal,

      Yes, this setup is true for SAP NW 7.02 too. However, to enable the Note Assistant for TCI (the first prerequisite, also known as bootstrapping), you need to download the SAR file from SAP Note 2444141 and not 1995550.

      Kushal Sambhunath Banerjee

      Dear Sumit,

      Seriously I am NOT understanding this NEW approach of connecting Online Support Service of SAP.

      As I have upgraded the SAP system to the following support package level, NOT a single SAP note correction related to TCI, I am able to apply.

      Component   Release      SP-LEVEL   Support Package
      SAP_BASIS   702          0021       SAPKB70221
      SAP_ABA     702          0017       SAPKA70217
      PI_BASIS    702          0017       SAPK-70217INPIBASIS
      ST-PI       2008_1_700   0022       SAPKITLRDV
      ST-A/PI     01T_700      0003       SAPKITAB7X
      SAP_AP      700          0033       SAPKNA7033

      I have done all the steps which you have mentioned in the following steps of this document:

      1. Prerequisites and checks
      2. Execution
      3. Configurations
      4. Confirmations

      I am stuck:- (Now, go back to RCWB_TCI_DIGITSIGN_AUTOMATION and execute step 11 onward. It does the check and download the test note 2424539.) STEP.

      And finally sap note download in snote tcode is NOT happening and I am getting the following error:

      HTTP client: receive method failed with return cod e SY_SUBRC 1

      Please be kind enough to support me.

      Thanks

      Kushal

      Sumit Jaiswal
      Blog Post Author

      Hi Kushal,

      Bootstrap is already enabled for different releases at different SP levels.

      For SAP_BASIS 702 SP >= 20, this is enabled by default. Hence, steps 2-7 (in your case) of RCWB_TCI_DIGITSIGN_AUTOMATION will say “no action required”. Again, 2576306 (TCI for Download of Digitally Signed SAP Notes) is already included in SP SAPKB70221, hence steps 8-9 will say “no action required”.

      Your issue looks to be primarily with the configuration part.

      Step 10, implementation of composite notes 2869143, should be completed successfully.

      After the above composite notes get successfully implemented, ensure “download service” is defined as procedure, certificates are placed in STRUST SSL Client standard and anonymous, and SDS_Configuration has the technical communication user (avoid normal S-user).

       

      Sergio Torres

      Hello Sumit,

      How can I get the tcode SDS_CONFIGURATION and DOWNLOAD_SERVICE_PATH in the tcode FILE?

      I've a NW 7.02 and executed almost all the steps of the report RCWB_TCI_DIGITSIGN_AUTOMATION.

      Thanks

      Sumit Jaiswal
      Blog Post Author

      Hi Sergio,

      SDS_CONFIGURATION is quite an old tcode. Aren't you getting it?

      I don't have a system at NW 7.02 to reproduce this issue.

      Could you please try the report SDS_CONFIGURATION_MAINT for the same?

      If you have correctly applied TCI 2554853 for SAP_BASIS 702 , the FILE tcode - Logical file path must have populated with entry DOWNLOAD_SERVICE_PATH.

      Sergio Torres

      Hello Sumit,

      I've checked two systems (NW 7.31_SP09 and NW 7.02_SP15) and neither has SDS_CONFIGURATION or SDS_CONFIGURATION_MAINT.

      For that reason I'm thinking of discarding the download service option for downloading notes and choosing the HTTP option, but I would like to know in which note/SP/TCI the tcode SDS_CONFIGURATION is included.

       

      Jerry Janda

      Inclusion of a personal email address is a violation of rules of engagement: https://community.sap.com/resources/rules-of-engagement. I have removed.

      --Jerry

      Irfan M.

      Hi Sumit Jaiswal

       

      Thanks for this article.

       

      When the QA and Prod systems connect to the download service in the DEV system, do I need to implement SAP Note 2836302, which will bring the report ‘RCWB_TCI_DIGITSIGN_AUTOMATION’, in the QA and Prod systems too?

      Using this download service, do I just need to set up SSL in the Dev system only?

       

      Regards

      Irfan

      Sumit Jaiswal
      Blog Post Author

      Hi Irfan,

      Report RCWB_TCI_DIGITSIGN_AUTOMATION automates the steps to consume TCI and then apply the TCI-based packages of 2576306.

      From step 11, the report just validates the configurations. You may transport the TCI from DEV (your DS system) to subsequent systems if you opt to validate the configurations using RCWB_TCI_DIGITSIGN_AUTOMATION.

      This is optional in subsequent systems. In subsequent systems (QAS and PRD), you must have RCWB_SNOTE_DWNLD_PROC_CONFIG to select 'Download service Application' with the RFC pointing to your download service system, i.e. DEV in your case.

      Irfan M.

      Hi Sumit Jaiswal

       

      Previously I implemented Note 2923799 and chose the RFC connection using RCWB_SNOTE_DWNLD_PROC_CONFIG.

      Can I use the connection using SAPOSS with a technical user?

      Or do I have to use HTTPS or the download service?

       

      Regards

      Sumit Jaiswal
      Blog Post Author

      From Jan 2020, RFC SAPOSS calls into SAP Support Backbone infrastructure are not allowed.

      You need to set up either HTTPS or download service to connect to the Support Portal and download the notes.

      Irfan M.

      Hi Sumit Jaiswal

      Need help.

      Here is my system detail:

      System detail

      I didn’t understand note 510007 in step 2.

      Should I remove the parameters ssf/name, ssf/ssfapi_lib, sec/libsapsecu, ssl/ssl_lib?

      Current in RZ10:

      rz10 detail

       

      Regards

       

       

      Sumit Jaiswal
      Blog Post Author

      No, it's fine. Removal is required if there were custom values.

      Irfan M.

      Hi Sumit Jaiswal

       

      When we use the download service do I also have to create SAP-SUPPORT_PORTAL and

      SAP-SUPPORT_PARCELBOX?

      Thanks for the reply

       

      Regards

      Abraham Gonzalez

      Hello,

       

      I'm trying to configure TCI, but the next pop up window appears in the step:

      • Check download of Digitally Signed test Note 2424539

      RFC connections are working fine.

       


      Pop up Snote

       

      The SDS_configuration transaction code does not exist in version EHP6 FOR SAP ERP 6.0 / NW 731 to add the S-User.

       

      Best Regards,