Enabling SNOTE to download digitally signed SAP Notes using the HTTP protocol
The process of downloading SAP Notes has changed since January 8, 2020. We can’t download or upload any note which is not digitally signed. More information on this can be found in the note Final Shutdown of RFC Connections From Customer Systems to SAP.
SAP identified a security threat in the upload and download of the SAP Notes that it delivers for ABAP corrections, and so introduced digital signatures to protect SAP Notes for increased authenticity and improved security. Digital signature verification prevents malware from intruding into a system. The feature applies to both uploading and downloading of SAP Notes and must be configured in the SAP system.
There are a couple of ways of doing it, and every process has its pros and cons. In this document I am following the Automated Configuration of new Support Backbone Communication using the HTTP protocol.
There are a few pre-steps that I did before the main configuration. The steps are not always interdependent, but I followed them in this order.
- Implemented SAP Note 2408073 and SAP Note 2546220 for uploading digitally signed SAP Notes and digital signature verification.
- Implemented SAP Note 2508268 for downloading digitally signed SAP Notes.
- Implemented SAP Note 2576306, Digitally Signed SAP Notes Download Enablement.
- For TCI, implemented the notes 2508268, 2408073, 2546220, 2836996.
- In transaction SMICM, ensured that icm/server_port is set for HTTPS.
- Set the values in the profile parameters:
  - ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH
- Removed the parameters ssf/name, ssf/ssfapi_lib, ssl/ssl_lib and sec/libsapsecu from the instance and default profiles.
- Set up the SAP Support Portal connection. In transaction SDS_Configuration, maintain the Technical Communication user and password.
- The username should be empty on both the S-User tab and the execution parameters tab.
- In the development system, implemented SAP Note 2836302, which brings the report RCWB_TCI_DIGITSIGN_AUTOMATION into the system. Execute the report and provide the inputs for the tasks. This step is mandatory and strongly recommended by SAP.
- Followed 2836302 – Automated guided steps for enabling Note Assistant for TCI and Digitally Signed SAP Notes for more details on TCI configuration.
- Implemented SAP Note 2576306 to bring the report RCWB_SNOTE_DWNLD_PROC_CONFIG into the system. This is required for further configuration at the end of the configuration process.
Step by Step configuration process
Now we will follow the mostly automated process for enabling HTTPS for SAP Note download and upload in the system, using the STC01 task list.
- Run transaction STC01 to open Task Manager for Technical Configuration
- Select task list ‘SAP_BASIS_CONFIG_OSS_COMM’ – New OSS Communication
- Press the button ‘Generate Task List Run (F8)’
All tasks should be green.
- During execution, the run might stop at this step
- We need to import trusted certificates for this step.
- For an up-to-date list of the required certificates, see SAP Note 2620478
- To download these certificates, use the links below:
- DigiCert Global Root CA https://dl.cacerts.digicert.com/DigiCertGlobalRootCA.crt
- DigiCert Global Root G2 https://dl.cacerts.digicert.com/DigiCertGlobalRootG2.crt
- Now, to add a trust anchor certificate to the PSE:
- Call transaction STRUST and double-click on SSL client (Standard) in the left tree view of PSEs (also called “SAPSSLC.pse”)
- From Menu, choose Certificate->Import. In the File tab enter the filename of the downloaded cert into the field File path, or use the selection help at the end of that field for an Open File popup window of the OS.
- When the proper trust anchor certificate appears in the certificate details view in the lower right area of transaction STRUST, press the Add to Certificate List button on the bottom.
- Save the changes to the PSE with Save button on the toolbar (floppy disk icon) or alternatively the key combination <Ctrl>-<S>
- Redo steps 1-4 for SSL client (Anonymous) PSE (also called “SAPSSLA.pse”)
- Now restart HTTPS. Go to SMICM
- Now go to transaction STC01 again and run the task list again
- Click the mentioned parameter option again and check
- Now click on Change Parameter for the OSS1 step in the task list, provide the Technical Communication User ID and password, and save.
- Now we can see that all the tasks executed successfully.
- Now you can see in SM59 that 3 RFCs are available, as below. Check that every RFC is working perfectly.
- When all are working fine, go to SE38 and run the report below
- Provide the H and G type RFCs here and save the configuration.
- Now go to SE38 again and run the report RCWB_UNSIGNED_NOTE_CONFIG. This confirms that only digitally signed Notes can be processed.
- Select this option and save. It means only digitally signed Notes will be downloaded.
- Save the configuration.
- Now download any Note from SNOTE and check that it arrives over HTTPS.
- Check the “Note log” in transaction SNOTE to confirm that a digitally signed SAP Note was downloaded; the following should be displayed:
The procedure is now successfully completed. From now on, all Notes will be processed using only the HTTPS protocol and not the old RFC process.
The other way of downloading SAP Notes securely is the download service procedure, but I found this process convenient and mostly automated, which helps with error-free processing.
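Anything added to the certificate list of SAPSSLC.pse or SAPSSLA.pse becomes a trust anchor for outbound HTTPS, so it is worth checking the downloaded .crt files before the STRUST import step. The Python sketch below is an added example, not part of the original procedure or of SAP tooling: it rejects files that are not a single complete certificate and prints the SHA-256 fingerprint to compare with the value the CA publishes. The function names are illustrative, and the embedded sample is a constructed stand-in rather than a real certificate.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def to_der(data: bytes) -> bytes:
    """Return the DER bytes of one certificate supplied as PEM or binary DER."""
    m = PEM_RE.search(data)
    der = base64.b64decode(b"".join(m.group(1).split())) if m else data
    # A certificate is one ASN.1 SEQUENCE whose declared length covers the whole
    # file; HTML error pages and truncated downloads fail here. Only the
    # two-byte length form (files of 256 to 65535 bytes) is accepted.
    if len(der) < 4 or der[0] != 0x30 or der[1] != 0x82:
        raise ValueError("not an X.509 certificate (no ASN.1 SEQUENCE header)")
    declared = int.from_bytes(der[2:4], "big") + 4
    if declared != len(der):
        raise ValueError(f"length mismatch: header {declared}, file {len(der)}")
    return der


def sha256_fingerprint(data: bytes) -> str:
    """Colon-separated upper-case SHA-256 fingerprint of the DER encoding."""
    digest = hashlib.sha256(to_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_published(data: bytes, published: str) -> bool:
    """Compare with a fingerprint copied from the CA's own published list."""
    def norm(s: str) -> str:
        return re.sub(r"[^0-9A-F]", "", s.upper())
    return norm(sha256_fingerprint(data)) == norm(published)


# Constructed stand-in (valid outer header, dummy body), not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # e.g. the two downloaded .crt files
        with open(path, "rb") as fh:
            print(path, sha256_fingerprint(fh.read()))
```

Run it with the downloaded files as arguments and import into STRUST only when each printed fingerprint matches the one on the CA's site.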
Any user comments and queries on this topic are much appreciated.