Enabling SNOTE for downloading digitally signed SAP Notes using the download service procedure
SAP has updated its support backbone infrastructure to secure it, so the time has come to migrate from the traditional RFC (SAPOSS) based SAP Notes upload and download procedure to the digitally enabled backbone support. This setup is also important for preparing the managed system configurations in Solution Manager. SAP has been recommending this move for quite some time.
There are many documents and posts released to assist customers in enabling the digitally secured backbone support. Many of the documents I went through achieve this setup using the HTTP(S) based procedure.
There are two procedures to enable the digitally secured framework for downloading SAP Notes.
- HTTP(S) based procedure
Like the earlier RFC (SAPOSS type R/3) procedure, this procedure is also RFC (HTTPS) based, but it is secured by SSL certificates. This secured connectivity works through SAP router, as was the case earlier.
- Download service application-based procedure
This secured connectivity operates through an SAP NW AS ABAP which is defined as the download service application. Multiple ABAP systems can connect to the download service system to enable digital backbone support. The download service application replaces the need for the SAP router.
In this blog, I explain the setup of the download service application-based procedure. I opted for it because of the following advantages of the download service procedure:
- While implementing transport-based correction instruction (TCI) notes or corrections, the package associated with the TCI is also downloaded automatically.
- The system downloads the prerequisite SAP Notes, whereas in the HTTP protocol-based option the prerequisite SAP Notes get downloaded during the implementation of the present SAP Note.
- We don’t need SAP router (string) in this setup and multiple ABAP systems can be connected to the one download service system via RFC (DS_CONFIG).
I have divided the setup task into broad parts as
- Prerequisites and checks
PREREQUISITES AND CHECKS
1. NW AS ABAP for download service
This is required to define it as the download service application. This can be the same system in which the Note Assistant will be used, or a separate system.
I have used the development system for the download service application and will connect the quality and production systems to it via RFC.
2. Checks and preparations in development system
- Check the SPAM version. It should be 71 or greater.
- Download the packages from the notes below. Download the correct SAR files for your SAP_BASIS version.
Open the corrections of the notes below, select the correct SAP_BASIS and download the SAR file.
- Enabling Note Assistant for TCI – Notes 1995550 and 2408383
- Digitally Signed SAP Notes Download Enablement – Note 2576306 (this is the TCI equivalent of notes 2408073, 2546220, 2508268)
Note: If the ABAP system has SAP_BASIS <= 700, implement the individual notes, as TCI will not work.
3. Creating H and G type destinations automatically (used if you opt for the HTTP based procedure) – Note 282765
- Creation and activation of Technical communication user. Follow the KBA 2174416 and keep it ready.
To reduce the manual effort, SAP has automated these steps in a task list that enables the Note Assistant for TCI and subsequently consumes the packages to enable the download of notes.
- Log in to the development system and implement SAP Note 2836302, which brings the report ‘RCWB_TCI_DIGITSIGN_AUTOMATION’ to your system.
- Execute the report and provide the inputs for the tasks.
The report does the following:
- Implements any prerequisite notes.
- Takes the TCI packages of Note 1995550 and implements the note last; takes the TCI rollback package of Note 2408383 and implements the note last.
- Takes the digitally signed note package of Note 2576306 and implements the note last.
- At step 10, Note 2721941 is implemented (which includes any corrections not included in TCI) and configurations done above are validated.
- In step 11, it does the following validations:
- The Digital Signature configuration table CWB_DWNLD_PROC is found and filled.
- The RFC destinations are maintained correctly.
- The SSL certificate is maintained correctly.
- A test SAP Note 2424539 is downloaded (step 12), and then all the notes and packages that need to be imported into subsequent systems can be captured in a transport request.
Note 1: Most of the corrections mentioned in steps 1-10 are valid for SAP_BASIS 752 or lower. For SAP_BASIS 753 or above, the corrections are already incorporated and show as completed when the report is executed.
Note 2: Steps 11 and onward check and validate the configuration. Wait for the completion of the configuration step (as below) before executing them.
- Implement note 2576306.
It brings the report RCWB_SNOTE_DWNLD_PROC_CONFIG, which is used to configure the download procedure.
Execute the report.
The same can be accessed through the IMG:
SPRO –> IMG–> SAP NetWeaver –> Application Server –> Basis Services –> SNOTE
2. Select download service application.
In my case, the download service is installed in the same ABAP system where I am executing this configuration, so I gave the RFC destination as ‘NONE’.
Enter DS_CONFIG if the system is not the download service system. (In that case, the screen asks for the download service system details in order to create the RFC destination DS_CONFIG.)
3. Configuration specific to download service application.
These configurations are specific to the download service application. If the AS ABAP acting as the download service application is different from the system where the digital backbone is required, perform the steps below in that AS ABAP.
1. Download the certificates below
DigiCert Global Root CA https://dl.cacerts.digicert.com/DigiCertGlobalRootCA.crt
DigiCert Global Root G2 https://dl.cacerts.digicert.com/DigiCertGlobalRootG2.crt
Go to tcode STRUST and add the certificates to the certificate list of the SSL client (anonymous) and SSL client (standard) PSEs.
- Refer to Note 510007 for setting up SSL on Application Server ABAP (Section 2 and Section 7 for details). Here, perform the steps below.
2.a. Check the CryptoLib version.
Required is at least CommonCryptoLib 8.4.38. Recommended is at least 8.4.49.
Log in as <sid>adm and go to the kernel directory.
Execute the command ./sapgenpse
2.b. Set the profile parameters
ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH
ssl/client_ciphersuites = 918:PFS:HIGH::EC_P256:EC_HIGH (For Solution Manager)
2.c. Remove the parameters below from the instance and default profiles (if they exist)
ssf/name, ssf/ssfapi_lib, sec/libsapsecu, ssl/ssl_lib
Note: You might see a similar value as the kernel default for ssl/client_ciphersuites. I would suggest setting the above value explicitly in the instance or default profile, as kernel default values may change with kernel updates.
3. Implement the corrections of TCI note 2554853.
4. Setup for SAP Support Portal
Execute tcode SDS_Configuration and maintain Technical Communication user and password.
Keep the Username Empty.
5. Go to tcode SMICM and ensure icm/server_port is set for HTTPS.
6. Setup the target directory for download service.
Go to tcode FILE and select the DOWNLOAD_SERVICE_PATH. Now, select Assignment of Physical Paths to Logical Path.
We need to provide an operating system path that is accessible for storing the files.
Note that DOWNLOAD_SERVICE_DIR maps to the physical path for the download directory.
Go to table CWB_DWNLD_PROC and check the entry.
Now, go back to RCWB_TCI_DIGITSIGN_AUTOMATION and execute step 11 onward. It performs the checks and downloads the test note 2424539.
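Steps 2.a to 2.c above can be checked from the <sid>adm shell before the instance is restarted. The script below is an added example, not part of the original post and not SAP tooling: the function names and the sample profile are constructed, and it assumes the CommonCryptoLib version has been read by hand from the sapgenpse output and that the profile uses plain `key = value` lines.

```shell
# Added example (not SAP code): audits steps 2.a-2.c against a profile file.

# ver_ge A B: succeeds when dotted version A >= B, compared numerically.
ver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++)
            if (x[i] + 0 != y[i] + 0) exit (x[i] + 0 < y[i] + 0)
        exit 0
    }'
}

# ccl_status VERSION: classify a CommonCryptoLib version per step 2.a.
ccl_status() {
    if ver_ge "$1" 8.4.49; then echo recommended
    elif ver_ge "$1" 8.4.38; then echo minimum
    else echo too_old; fi
}

# profile_get FILE KEY: value of the last uncommented "KEY = value" line.
profile_get() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        {
            eq = index($0, "="); if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == k) found = val
        }
        END { if (found != "") print found }' "$1"
}

# audit_profile FILE EXPECTED_CIPHERSUITES: print parameters needing attention.
audit_profile() {
    findings=""
    actual=$(profile_get "$1" ssl/client_ciphersuites)
    if [ "$actual" != "$2" ]; then findings="ssl/client_ciphersuites"; fi
    for p in ssf/name ssf/ssfapi_lib sec/libsapsecu ssl/ssl_lib; do
        if [ -n "$(profile_get "$1" "$p")" ]; then findings="$findings $p"; fi
    done
    echo $findings
}

# Demo on a constructed profile (sample values, not from a real system).
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'ssl/ssl_lib = /constructed/libsapcrypto.so' \
    'ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH' > "$sample"
echo "findings: $(audit_profile "$sample" '150:PFS:HIGH::EC_P256:EC_HIGH')"
rm -f "$sample"
```

An empty result from `audit_profile` means the cipher suite value is set explicitly in that profile and none of the four legacy parameters remain; a parameter left at kernel default is reported, in line with the note in step 2.c.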
- 2836302 – Automated guided steps for enabling Note Assistant for TCI and Digitally Signed SAP Notes
- 2576306 – Transport-Based Correction Instruction (TCI) for Download of Digitally Signed SAP Notes
I will appreciate any recommendation or query on this blog.