Enabling and Using SNOTE for Digitally Signed SAP Notes

Hello

My name is Basu Sharma.

In this blog post, I’ll be providing the detailed information about the enablement of SNOTE for digitally signed SAP Notes and the recent guided reports which have been released to make this process easy for the customers

A Security threat has been recognized during the upload of SAP Note into the customer’s landscape. The SAP note can be modified maliciously which can get uploaded into the landscape unknowingly.

To prevent this, SAP delivers all SAP Notes with digital signature with increased authenticity & security. This feature is enabled for both upload & download utility of SNOTE.

It was communicated last year(2019) that SAP is going to introduce this process and each customer should adopt it before 2020 commence.

Post January 8, 2020 if your system is not enabled for TCI(transport correction instructions), you might get the below pop up while implementing the notes(via SNOTE)

Following is the process we need to follow for enabling our system with regards to TCI:

 

Pre-Requisites:

SAP Note 2836302 provides automated guidance in implementing all the prerequisites mentioned below and the required RFC destination set up.

Or, you have implemented the following prerequisites individually.

1. You have implemented the SAP Note 2408073 and SAP Note 2546220 for uploading digitally signed SAP Note and digital signature verification.
2. You have implemented the SAP Note 2508268 for downloading digitally signed SAP Note.

OR

1. You have implemented the SAP Note 2576306 (Recommended)

The SAP Note 2576306 contains Transport-Based Correction Instruction (TCI)

The individual steps to enable Note Assistant (SNOTE transaction) for Digitally Signed SAP Notes involves the following based on the SAP_BASIS release and SP of the ABAP system.

Below is the individual steps according to your SAP_BASIS release:

SAP_BASIS Release	Starting 2020	Preparation for 2020
Below 700	Manual process to consume digitally signed SAP Notes	ABAP systems cannot be enabled to consume digitally signed SAP Notes automatically, hence manual process needs to be followed*
700 to 731	SAPOSS/SAPSNOTE will work only with S-user (recommended Technical Communication User)	Implement SAP Note 2508268 or SAP Note 2576306 (TCI) Implement SAP Note 2928592 to enable HTTP procedure of download Enable one of the following download procedures. Download Service application or HTTP protocol
740 and above	SAPOSS/SAPSNOTE will not work.	Implement SAP Note 2508268 or SAP Note 2576306 (TCI) Enable one of the following download procedures. HTTPS protocol (The SAP Kernel must be 7.42 PL400 above) or Download service application

SAP Notes 2508268 or 2576306 (TCI) bring different procedures for downloading which is customizable.

Download Procedure	Default Mechanism	Additional Information
Use RFC protocol	Yes	Available from SAP_BASIS release 700 onwards and is existing from before. Downloads by default the digitally signed SAP Notes. Will continue to be available for SAP_BASIS releases 700 to 731 even after 2019. But, the user within the RFC destinations SAPOSS/SAPSNOTE have to be replaced with S-user (recommended is technical communication S-user) From January 2020 this procedure will not work for SAP_BASIS release 740 and above. From November 30, 2020, this procedure will not work for SAP_BASIS 700 to 731. Alternative is to use HTTP procedure or Download Service application. Please refer to SAP Note 2508268 or 2576306 (TCI) for SAP_BASIS 740 and above and, SAP Note 2928592 for SAP_BASIS 700 to 731 for details
Use HTTPS protocol	No	Available from SAP_BASIS release 700 and above. Can be customized. Please refer to SAP Note 2508268 or 2576306 (TCI) for SAP_BASIS 740 and above and, SAP Note 2928592 for SAP_BASIS 700 to 731 for details
Use download service	No	Available from SAP_BASIS release 700 and above. Can be customized. Please refer to SAP Note 2508268 or 2576306 (TCI) for details. Download service is coupled with SAP Solution Manager 7.2. It is also available with the SAP Solution Manager 7.1 but from higher support packages of SAP_BASIS releases (for example SAP_BASIS release 702, support package 17 onwards). Basically, any ABAP system having download service can be used as download system and linked to the managed system (where SAP Note is to be downloaded) through RFC connection.

Authorizations:

The user in the ABAP system using the Note Assistant tool to download or upload digitally signed SAP Note must have the following authorization objects:

• S_LOG_COM

The verification of digital signature is performed by the Note Assistant tool using the SAPCAR utility and for executing SAPCAR command during signature verification the above authorization object is needed.Please refer to SAP Note 854060 for more details.

• S_DATASET

The download or upload of digitally signed SAP Note in Note Assistant writes the Note SAR file into the application server of the system. This requires the above authorization object.

• S_RFC_ADM

During the download of digitally signed SAP Notes in Note Assistant relevant RFC destinations are read. This requires the above authorization object.

• S_APPL_LOG

If the verification of digital signature for an SAP Note fails, the Note Assistant tool logs the security event in the application server using log object (CWBDS). To view the application logs, you should have the above authorization object.

Procedure:

SAP Note 2836302 brings a report (RCWB_TCI_DIGITSIGN_AUTOMATION) that provides guided steps to help you enable SNOTE for TCI and Digitally signed SAP Notes. This report also guides you with the configuration steps based on your SAP_BASIS release

Note : The SAP Note 2836302 is not valid for SAP_BASIS 710, 711 and 730 as TCI feature is not available in these releases. Instead the SNOTE must be enabled for digitally signed SAP Notes by implementing SAP Notes 2408073, 2546220 and 2508268.(as mentioned above in the table)

Report RCWB_TCI_DIGITSIGN_AUTOMATION on execution will start step by step implementation of various SAP Notes and TCI packages required for the enablement process. It also provides guidance in configuring the right download procedure to make the system ready for SAP Support Backbone infrastructure change starting January 2020.

Client in which report should be executed depends on whether the system is already enabled for TCI or not. You may check this by first executing the report in client 000. If the steps 1 to 4 is ‘Pending’ it means the report must be executed in client 000. Otherwise the report can be executed in any other actively used client in the development landscape.

Note : This report cannot be executed parallelly by different users or in different sessions.

• Implementation:

Post execution of this report, a series of steps need to be performed amongst which the first step report performs is downloading of all pre-requisite notes.

If the download of SAP Note fails the upload dialog box will appear for each Note. You must download the SAP Note file from SAP One Support Launchpad and upload it here. The Note implementation brings the relevant pop-ups for each Note being implemented.

To download the notes manually, post backbone changes, we need to use the SAPCAR utility. Below are the steps we need to follow for implementing the notes manually:

• Download the SAP note from Support Launch Pad

• Save the SAR file to a temporary location.

 

• Using SAPCAR, extract the SAR file with the command SAPCAR -xvf 000xxxxxxx.SAR
• Unzip the enclosed ZIP file with any unzip program
• There will now be 3 files, a .SAR, .zip and .txt
• In SNOTE of the system, choose  Goto-> Upload SAP Note
• Select the 000xxxxxxx.txt file extracted above.

Configure ABAP Download Service: (Can be performed before execution of the report – RCWB_TCI_DIGITSIGN_AUTOMATION)

The ABAP download service allows you to download files directly into your Application Server ABAP system from any SAP destination addressed through a URL.

The most important use case for the ABAP download service is downloading from SAP file shares connected to the SAP Support Portal and the download of SAP Notes with all their dependencies and relevant SAP Notes transport-based correction instructions (TCIs). The downloading of files from SAP file shares is only possible after a successful login to the respective SAP Support Portal system with an S-user authorized for the file download.

To carry out the following configuration tasks and to use the ABAP download service, you require specific authorizations and roles.

Authorizations and Roles
Roles	Description
SAP_BC_SDS_CONF_DISPLAY	Displaying the configuration
SAP_BC_SDS_CONF_ADMIN	Maintaining the configuration
SAP_BC_SDS_TASK_DISPLAY	Displaying the runs of the download task list in the SAP Task Manager
SAP_BC_SDS_TASK_USER	Executing the ABAP download service

Setup of the Connection to SAP Support Portal:

Call the transaction SDS_Configuration in  change mode

Maintain S-User name & Password here. Then click Ok & Save.

Maintenance of Client Certificates:

To enable the ABAP download service to download software archives from SAP destinations, various root certificates must be registered in the SAP system.

To download the certificates( DigiCert Global Root CA & DigiCert Global Root G2 ) see SAP Note 2620478 & 2554853.

Transaction STRUST will be used to upload the certificates

To import certificates, call transaction STRUST and, under SSL client SSL Client (Standard), choose Import certificate.

On the File tab page, browse to the downloaded certificate files and import the certificates by choosing Continue  Add to Certificate List.

Click Save.

Configure the HTTPS Service:

As the ABAP download service connects to the SAP Support Portal via the HTTPS protocol, this protocol needs to be enabled at the Application Server ABAP.

Ensure we have below parameters maintained the system

 

icm/server_port_2 PROT=HTTPS, PORT=44300, PROCTIMEOUT=300, TIMEOUT=300

ssl/client_ciphersuites with the value 918:PFS:HIGH::EC_P256:EC_HIGH.(this parameter will enable to download the notes from (https://apps.support.sap.com)

Setting up the Target Directory:

Use Transaction File to setup the target directory.

The logical file DOWNLOAD_SERVICE_DIR is defined and delivered by default. It points to the /usr/sap/trans/EPS/in directory in UNIX nomenclature. This path is specified in the definition of the logical path DOWNLOAD_SERVICE_PATH.

If the target directory fits your system, you can use the default logical file DOWNLOAD_SERVICE_DIR. You can also adjust the directory to which the logical path DOWNLOAD_SERVICE_PATH is pointing to your target directory, or you can create your own logical file paths, assignments of physical paths to logical paths and logical file names.

• Call transaction FILE and select the DOWNLOAD_SERVICE_PATH entry in the Create a logical file path table.
• Go to Assignment of Physical Paths to Logical Path and adapt the physical path according to your target directory or operating system, respectively.
• Save your changes

Maintain Execution Parameters:

The execution parameters required for the file download.

Call transaction SDS_CONFIGURATION in change mode and maintain the values as below:

Block size & no of aRFC processes can be changed

To establish & Configure the connection to New SAP Support Backbone, we can use a task list i.e. SAP_BASIS_CONFIG_OSS_COMM

Please follow the SAP Note : 2827658.

We need to implement this note in the system. If you are not able to do so, then please implement the note manually(steps already defined above).

Otherwise, please create the RFC’s manually in the step(of type H & G).

Create RFC SAP-SUPPORT_PORTAL(of type H) using transaction SM59

Enter S-User(technical user) & password. Second keep the SSL active

 

Create second RFC SAP-SUPPORT_NOTE_DOWNLOAD(type G):

Define File type for downloading SAP Notes:

The RCWB_UNSIGNED_NOTE_CONFIG report can be used to define type of file(unsigned or digitally signed).

Download unsigned SAP Note

If you choose this option, the system allows you to download unsigned SAP Notes if digitally signed SAP Note is not available.

• Do not download unsigned SAP Note:

If you choose this option, the system allows you to download only digitally signed SAP Notes

However, the fallback configuration report RCWB_UNSIGNED_NOTE_CONFIG made download of unsigned note possible when the download of signed SAP Note failed for whatever reason. Since after the SAP Support Backbone update the download of unsigned note is not possible, the report RCWB_UNSIGNED_NOTE_CONFIG becomes obsolete.

Please implement the note : 2885888

Now, let’s just jump back to the implementation part of the report i.e. RCWB_TCI_DIGITSIGN_AUTOMATION.

Post download of pre-requisite notes(either manually or automatically), we will perform the pending steps in the list.

Conclusion:

Post execution of all the above steps, we have made our system enabled for downloading & uploading the digitally signed notes.

Steps for further systems in the landscape:

For subsequent systems i.e. Quality & Production it is very import that we perform STEP 13 of the list very cautiously.(please follow the guide attached to SAP Note : 2836302)

This step will give us the list of TR’s that can be consolidated for import into subsequent systems & manual step to executed in subsequent systems in case of missing TR’s.

• Actions to be performed in subsequent systems:
• Consolidate all the transports you have created into a Workbench Request.
• Import the workbench request into the quality and production systems.
• Execute the report RCWB_TCI_DIGITSIGN_AUTOMATION in the quality and production systems.

References/Sources:

2836302 – Automated guided steps for enabling Note Assistant for TCI and Digitally Signed SAP Notes

2408073 – Handling of Digitally Signed notes in SAP Note Assistant

2537133 – FAQ – Digitally Signed SAP Notes

 

https://help.sap.com/viewer/9d6aa238582042678952ab3b4aa5cc71/7.5.9/en-US/8dc5621ba47b445e8ac5431fee7e5104.html

Troubleshooting

Please follow the below notes if you face errors related to SPAM queue & HTTPS error during note download:

2712875 – Error: “The TCI queue must be finished with the Note Assistant” while confirming import queue in SPAM

2448562 – Support Package Manager does not allow to confirm a queue with Transport based Correction Instructions (TCI)

2836005 – SNOTE: XML_FORMAT_ERROR dump occurs when downloading a note via HTTPS

 

Feel free to provide your feedback.

Regards

Basu Sharma

PS : If you like the blog, you can follow my profile for getting the insights on my further blog posts. 🙂

_______________________________________________

I blog this article to share information that is intended as a general resource and personal insights. Errors or omissions are not intentional. Opinions are my own and not the views of my employers (past, present or future) or any organization that I may be affiliated with. Content from third party websites, SAP and other sources reproduced in accordance with Fair Use criticism, comment, news reporting, teaching, scholarship, and research.