
Enabling SNOTE for downloading digitally signed SAP Notes using the download service procedure

SAP has updated its support backbone infrastructure to secure its critical infrastructure, so the time has come to migrate from the traditional RFC (SAPOSS) based upload and download of SAP Notes to the digitally enabled support backbone. This setup is also important for preparing the managed system configuration in Solution Manager. SAP has been recommending this move for quite some time.

There are many documents and posts that help customers enable the digitally secured backbone support. Many of the documents I went through achieve this setup using the HTTP(S) based procedure.

There are two procedures to enable the digitally secured framework for downloading SAP Notes.

  • HTTP(S) based procedure

Like the earlier RFC (SAPOSS, type R/3) procedure, this is also an RFC (HTTPS) based procedure, but it is secured by SSL certificates. As before, this secured connectivity works through the SAP router.

  • Download service application-based procedure

This secured procedure operates through an SAP NW AS ABAP system that is defined as the download service application. Multiple ABAP systems can connect to the download service system to enable digital backbone support. The download service application replaces the need for the SAP router.

In this blog, I explain the setup of the download service application-based procedure. I opted for it because of the following advantages of the download service procedure:

  1. While implementing transport-based correction instruction (TCI) notes or corrections, the package associated with the TCI is also downloaded automatically.
  2. The system downloads the prerequisite SAP Notes, whereas in the HTTP protocol-based option the prerequisite SAP Notes get downloaded during the implementation of the present SAP Note.
  3. Multiple ABAP systems can be connected to the one download service system via RFC (DS_CONFIG).

I have divided the setup task into the following broad parts:

  1. Prerequisites and checks
  2. Execution
  3. Configurations
  4. Confirmations

PREREQUISITES AND CHECKS

  1. NW AS ABAP for download service

This system is defined as the download service application. It can be the same system in which the Note Assistant will be used, or a separate system.

I have used the development system as the download service application and will connect the quality and production systems to it via RFC.

  2. Checks and preparations in development system

  • Check the SPAM version. It should be 71 or greater.
  • Download the packages from the notes below. Download the correct SAR files for your SAP_BASIS version.

Open the corrections of the notes below, select the correct SAP_BASIS and download the SAR file.

  1. Enabling note assistant for TCI – Note 1995550 and 2408383
  2. Digitally Signed SAP Notes Download Enablement – Note 2576306 (this is the TCI equivalent of notes 2408073, 2546220, 2508268)

Note: If the ABAP system has SAP_BASIS <= 700, implement the individual notes, as TCI will not work.

  • Create and activate the Technical Communication user. Follow KBA 2174416 and keep it ready.

EXECUTION

To reduce manual effort, SAP has automated these steps in a task list that enables the Note Assistant for TCI and subsequently consumes the packages that enable the download of notes.

  • Log in to the development system and implement SAP Note 2836302, which brings the report ‘RCWB_TCI_DIGITSIGN_AUTOMATION’ into your system.
  • Execute the report and provide the inputs for the tasks.

The report does the following:

  1. Implements any prerequisite notes.
  2. Takes the TCI package of Note 1995550 and implements the note last; takes the TCI rollback package of Note 2408383 and implements the note last.
  3. Takes the digitally signed note package of Note 2576306 and implements the note last.
  4. At step 10, implements Note 2721941 (which includes any corrections not included in the TCI) and validates the configurations done above.
  5. In step 11, performs the following validations:
       • The digital signature configuration table CWB_DWNLD_PROC is found and filled.
       • The RFC destinations are maintained correctly.
       • The SSL certificate is maintained correctly.
  6. Downloads a test SAP Note 2424539 (step 12); after that, all the notes and packages that need to be imported into subsequent systems can be captured in a transport request.

Note 1: Most of the corrections mentioned in steps 1-10 are valid for SAP_BASIS 752 or lower. For SAP_BASIS 753 or above, the corrections are already incorporated, and show completed when the report is executed.

Note 2: Steps 11 and onward check and validate the configurations. Wait for the completion of the Configuration step (described below) before executing them.

CONFIGURATION

  1. Implement note 2576306.

It brings the report RCWB_SNOTE_DWNLD_PROC_CONFIG, which is used to configure the download procedure.

Execute the report.

The same can be accessed through the IMG:

SPRO –> IMG –> SAP NetWeaver –> Application Server –> Basis Services –> SNOTE

  2. Select download service application.

In my case, the download service is installed in the same ABAP system where I am executing this configuration, so I gave the RFC destination as ‘NONE’.

Enter DS_CONFIG if the system is not the download service system. (In that case, the screen asks for the download service system details to create the RFC destination DS_CONFIG.)

  3. Configuration specific to download service application.

These configurations are specific to the download service application. If the AS ABAP acting as the download service application is different from the system where the digital backbone is required, perform the steps below in that AS ABAP.

1. Download the certificates below.

DigiCert Global Root CA https://dl.cacerts.digicert.com/DigiCertGlobalRootCA.crt

DigiCert Global Root G2 https://dl.cacerts.digicert.com/DigiCertGlobalRootG2.crt

Go to tcode STRUST and add the certificates to the certificate lists of the SSL client (anonymous) and SSL client (standard) PSEs.

2. Refer to Note 510007 for setting up SSL on Application Server ABAP (see Section 2 and Section 7 for details). Here, perform the steps below.

2.a. Check the CryptoLib version.

At least CommonCryptoLib 8.4.38 is required; at least 8.4.49 is recommended.

Log in as <sid>adm and go to the kernel directory.

Execute the command ./sapgenpse

2.b. Set the profile parameters.

ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH

ssl/client_ciphersuites = 918:PFS:HIGH::EC_P256:EC_HIGH (for Solution Manager)

2.c. Remove the parameters below from the instance and default profiles (if they exist).

ssf/name, ssf/ssfapi_lib, sec/libsapsecu, ssl/ssl_lib

Note: You might see a similar value as the kernel default for ssl/client_ciphersuites. I suggest setting the above value explicitly in the instance or default profile, as kernel default values may change with kernel updates.

3. Implement the corrections of TCI note 2554853.

4. Setup for SAP Support Portal

Execute tcode SDS_Configuration and maintain Technical Communication user and password.

Keep the Username Empty.

5. Go to tcode SMICM and ensure icm/server_port is set for HTTPS.

6. Set up the target directory for the download service.

Go to tcode FILE and select the DOWNLOAD_SERVICE_PATH. Now, select Assignment of Physical Paths to Logical Path.

We need to provide an operating system path that is accessible for storing the files.

Note that DOWNLOAD_SERVICE_DIR maps to the physical path for the download directory.
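
The checks from steps 2.a to 2.c and step 5 can be scripted and run against a copy of the profile before executing the validation steps. The following Python script is an added example, not code from SAP or from the original post. It assumes that the sapgenpse output contains a line of the form "CommonCryptoLib <major>.<minor>.<patch>" and that HTTPS is configured through an icm/server_port_<n> entry with PROT=HTTPS; the sample profile and version output are constructed.

```python
import re

MIN_CCL, REC_CCL = (8, 4, 38), (8, 4, 49)   # required / recommended, step 2.a
OBSOLETE = ("ssf/name", "ssf/ssfapi_lib", "sec/libsapsecu", "ssl/ssl_lib")  # step 2.c
EXPECTED_CIPHERS = {"150:PFS:HIGH::EC_P256:EC_HIGH",   # step 2.b
                    "918:PFS:HIGH::EC_P256:EC_HIGH"}   # step 2.b, Solution Manager

def parse_profile(text):
    """Return {parameter: value} from SAP profile text, skipping comment lines."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params

def ccl_version(sapgenpse_output):
    """Extract the CommonCryptoLib version as a tuple (output format is assumed)."""
    m = re.search(r"CommonCryptoLib\s+(\d+)\.(\d+)\.(\d+)", sapgenpse_output)
    return tuple(map(int, m.groups())) if m else None

def audit(profile_text, sapgenpse_output):
    """Return a list of findings; an empty list means every check passed."""
    findings, params = [], parse_profile(profile_text)
    version = ccl_version(sapgenpse_output)
    if version is None or version < MIN_CCL:
        findings.append("CommonCryptoLib missing or below required 8.4.38")
    elif version < REC_CCL:
        findings.append("CommonCryptoLib below recommended 8.4.49")
    if params.get("ssl/client_ciphersuites") not in EXPECTED_CIPHERS:
        findings.append("ssl/client_ciphersuites not set to the value from step 2.b")
    findings += [f"obsolete parameter present: {p}" for p in OBSOLETE if p in params]
    if not any(k.startswith("icm/server_port_") and "PROT=HTTPS" in v.upper()
               for k, v in params.items()):
        findings.append("no icm/server_port_<n> entry with PROT=HTTPS")
    return findings

# Constructed sample input, not taken from a real system.
SAMPLE_PROFILE = """\
# DEFAULT.PFL (constructed)
ssl/ssl_lib = /usr/sap/DEV/SYS/exe/run/libsapcrypto.so
icm/server_port_0 = PROT=HTTP,PORT=8000
ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH
"""
SAMPLE_SAPGENPSE = "Versions: SAPGENPSE 8.4.40\n  CommonCryptoLib 8.4.40"
if __name__ == "__main__":
    for finding in audit(SAMPLE_PROFILE, SAMPLE_SAPGENPSE):
        print("FINDING:", finding)
```

An empty result only confirms the profile and library prerequisites; the certificates in STRUST and the Technical Communication user still have to be checked in the system itself.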

CONFIRMATION

Go to table CWB_DWNLD_PROC and check the entry.

Now, go back to RCWB_TCI_DIGITSIGN_AUTOMATION and execute step 11 onward. It performs the checks and downloads the test note 2424539.

References:

  • 2836302 – Automated guided steps for enabling Note Assistant for TCI and Digitally Signed SAP Notes
  • 2576306 – Transport-Based Correction Instruction (TCI) for Download of Digitally Signed SAP Notes

I will appreciate any recommendation or query on this blog.

21 Comments
  • I had been looking for a doc related to backbone setup using the download service option for many days. Finally I got this one. This doc has all the necessary steps, which helped me to do the configuration easily.

    Good work Sumit… keep writing 🙂

  • Hi Sumit,

    thank you very much for this blog.

    I have entered the following path \\hostname\sapmnt\trans\EPS\in.

    But this is a Windows system and I can not change Syntax group to Windows NT. The green hook is grayed out.

    Which user (OS or SAP User) should enter here? We get this error message

    Thank you very much.

    Best regards

    • Hi Tatjana,

      Thanks for writing.

      You may refer to SAP Note 2830368 for Windows application server.

      In execution parameter tab, keep ‘USER’ option blank.

      (I had confronted this issue; giving any value instead of blank gave unexpected errors.)

      Sumit

  • Hi

    Thank you very much for your answer.

    When I try to change the SYNTAX GROUP by creating new entries, I get this error message:

    What am I doing wrong?
    Thank you very much.
    Best Regards
    • Hi Tatjana,

      You are doing it correctly. You just have to press “Enter” for the notifications for message no. SV019.

      Note: Please press Enter several times until it does not ask for a transport request to capture it (based on client setting) or does not get saved.

      Upon this you should be able to see Windows NT as Syntax Group.

    • Hi Daniel,

      SAP has not mentioned any preference about the two methods for downloading SAP notes – HTTP and Download Service. However, Download service method holds certain advantages as SAP mentions.

      1. While implementing transport-based correction instruction (TCI) notes or corrections, the package associated with the TCI is also downloaded automatically.
      2. The system downloads the prerequisite SAP Notes, whereas in the HTTP protocol-based option the prerequisite SAP Notes get downloaded during the implementation of the present SAP Note.
      3. Multiple ABAP systems can be connected to the one download service system via RFC (DS_CONFIG).

      Besides, if you have Solution Manager 7.2 SP 09 or higher in the landscape, which gives an option to automatically update CR content of SLD or LMDB, the download service method becomes an important prerequisite for the setup.

      Unlike the download service method, in which the download service system connects to SAP Portal, the HTTP based method connects each of the systems directly to SAP Portal, and hence each of the systems requires the certificates installed.

      However, the one disadvantage I see in DS method is the case if download service system goes down. In that case, no system in the landscape will be able to download the sap notes.

  • Hi Sumit,

    Great Blog!

    So in your quality and Production ABAP system you have executed from step 3 – Configuration specific to download service application. and have used RFC DS_Config between Development-Quality and Quality-production?

    Is my understanding correct?

    • Hi Vinit,

      Step 3 is for setting up the download service system (first time, e.g. in Dev), i.e. certificates, technical communication user and path (/usr/sap/trans/EPS/in) where SAR files for all the SAP Notes you will download will appear. You don’t have to repeat it and can access the system by RFC DS_CONFIG again.

      Corrections for TCI and digital download enablement, reports RCWB_TCI_DIGITSIGN_AUTOMATION and RCWB_SNOTE_DWNLD_PROC_CONFIG (think how else will you define download procedure as DS!) are required in subsequent systems too. Do import the transport for the corrections implemented in development.

      • Thanks for the response Sumit.

        However I am seeing below error in SMICM when I try to download the note using Download Service.

        [Thr 139798220568320] NiIGetNodeAddr: hostname ‘notesdownloads.sap.com’ = addr 155.56.46.215
        [Thr 139798220568320] IcmIConnConnect: Connect to host: notesdownloads.sap.com, service: 443, SAP_O_K(0)
        [Thr 139798220568320] in: hostname = “notesdownloads.sap.com”
        [Thr 139798220568320] in: parg = “notesdownloads.sap.com”
        [Thr 139798220568320] *** ERROR => SSL handshake with notesdownloads.sap.com:443 failed: SSSLRC_CONN_CLOSED (-10)
        [Thr 139798220568320] 7f2557a60e90 000192 74682532 306e6f74 6573646f 776e6c6f |th%20notesdownlo|

        I have already updated the SAP Root certificates to client standard and client anonymous in STRUST.

        Let me know if you have any idea on this.

        • Hi Vinit,

          Looks like the issue with SSL only.

          Ensure you are able to telnet the server notesdownloads.sap.com at port 443 (must connect, else it’s a firewall issue).

          If the above connects, check:

          • CryptoLib version.
          • Profile parameter ssl/client_ciphersuites

          Hope you are using Technical Communication user in SDS_configuration and not just S-user.

  • Hi Sumit,

    We had a problem on the DEV/QA system last week, where digitally signed SNOTE had been installed before.

    Is it possible to re-implement digitally signed SNOTE now?

    This is because a logical disk partition (file system) failed by accident and we do not have a valid backup; we can only restore/recover to the state before SNOTE was implemented.

    Please advise.

    Thank you

    Trilo

    • Hi Trilo,

      There is no reason why you can’t re-implement the notes again.

      Also, since you are restoring the backup at database, some of the steps you may not have to repeat (just validate and proceed).

  • Dear Sumit,

    Really, really fantastic blog. Really appreciable guidance.

    One question, hope you will reply.

    In my company we have SAP NetWeaver 7.02 version / ECC 6.0 EHP5. In this version, will the above-mentioned steps be the same as you have explained here?

    Thanks

    Kushal

    • Hi Kushal,

      Yes, this setup is true for SAP NW 7.02 too. However, to enable the Note Assistant for TCI (the first prerequisite, also known as bootstrapping), you need to download the SAR file from SAP Note 2444141 and not 1995550.

      • Dear Sumit,

        Seriously I am NOT understanding this NEW approach of connecting Online Support Service of SAP.

        As I have upgraded the SAP system to the following support package level, NOT a single SAP note correction related to TCI, I am able to apply.

        Component   Release      SP-Level   Support Package
        SAP_BASIS   702          0021       SAPKB70221
        SAP_ABA     702          0017       SAPKA70217
        PI_BASIS    702          0017       SAPK-70217INPIBASIS
        ST-PI       2008_1_700   0022       SAPKITLRDV
        ST-A/PI     01T_700      0003       SAPKITAB7X
        SAP_AP      700          0033       SAPKNA7033

        I have done all the steps which you have mentioned in the following steps of this document:

        1. Prerequisites and checks
        2. Execution
        3. Configurations
        4. Confirmations

        I am stuck:- (Now, go back to RCWB_TCI_DIGITSIGN_AUTOMATION and execute step 11 onward. It does the check and download the test note 2424539.) STEP.

        And finally sap note download in snote tcode is NOT happening and I am getting the following error:

        HTTP client: receive method failed with return code SY_SUBRC 1

        Please be kind enough to support me.

        Thanks

        Kushal

        • Hi Kushal,

          Bootstrap is already enabled for different releases at different SP levels.

          For SAP_BASIS 702 SP >= 20, this is enabled by default. Hence, steps 2-7 (in your case) of RCWB_TCI_DIGITSIGN_AUTOMATION will say “no action required”. Again, 2576306 - TCI for Download of Digitally Signed SAP Notes is already included in SP SAPKB70221, hence steps 8-9 will say “no action required”.

          Your issue looks primarily with configuration part.

          Step 10 implementation of composite notes 2869143 should be completed successfully.

          After the above composite notes get successfully implemented, ensure “download service” is defined as procedure, certificates are placed in STRUST SSL Client standard and anonymous, SDS_Configuration has technical communication user (avoid normal S-user).