Enabling and Using SNOTE for Digitally Signed SAP Notes
Hello
My name is Basu Sharma.
In this blog post, I'll provide detailed information about enabling SNOTE for digitally signed SAP Notes and about the guided reports SAP has recently released to make this process easier for customers.
A security threat was identified in the upload of SAP Notes into a customer landscape: a Note file can be modified maliciously and then uploaded into the landscape without anyone noticing.
To prevent this, SAP now delivers all SAP Notes with a digital signature, which improves authenticity and security. The feature is enabled for both the upload and the download utility of SNOTE.
SAP communicated last year (2019) that it would introduce this process and that every customer should adopt it before 2020 began.
After January 8, 2020, if your system is not enabled for TCI (transport-based correction instructions), you may get the pop-up below while implementing Notes via SNOTE.
The following is the process for enabling the system for TCI:
Pre-Requisites:
SAP Note 2836302 provides automated guidance for implementing all the prerequisites listed below and for setting up the required RFC destinations.
Alternatively, you have implemented the following prerequisites individually:
- You have implemented the SAP Note 2408073 and SAP Note 2546220 for uploading digitally signed SAP Note and digital signature verification.
- You have implemented the SAP Note 2508268 for downloading digitally signed SAP Note.
OR
- You have implemented the SAP Note 2576306 (Recommended)
SAP Note 2576306 contains a Transport-Based Correction Instruction (TCI).
The individual steps to enable Note Assistant (transaction SNOTE) for digitally signed SAP Notes depend on the SAP_BASIS release and SP of the ABAP system.
Below are the individual steps according to your SAP_BASIS release:
SAP_BASIS Release | Starting 2020 | Preparation for 2020 |
Below 700 | Manual process to consume digitally signed SAP Notes | ABAP systems cannot be enabled to consume digitally signed SAP Notes automatically, hence the manual process needs to be followed* |
700 to 731 | SAPOSS/SAPSNOTE will work only with an S-user (recommended: Technical Communication User) | Implement SAP Note 2508268 or SAP Note 2576306 (TCI). Implement SAP Note 2928592 to enable the HTTP download procedure. Enable one of the following download procedures: download service application or HTTP protocol |
740 and above | SAPOSS/SAPSNOTE will not work. | Implement SAP Note 2508268 or SAP Note 2576306 (TCI). Enable one of the following download procedures: HTTPS protocol (the SAP kernel must be 7.42 PL400 or above) or download service application |
SAP Note 2508268 or 2576306 (TCI) brings different download procedures, which can be customized:
Download Procedure | Default Mechanism | Additional Information |
Use RFC protocol | Yes | |
Use HTTPS protocol | No | |
Use download service | No | |
Authorizations:
The user in the ABAP system using the Note Assistant tool to download or upload digitally signed SAP Note must have the following authorization objects:
- S_LOG_COM
The verification of the digital signature is performed by the Note Assistant tool using the SAPCAR utility, and executing the SAPCAR command during signature verification requires the above authorization object. Please refer to SAP Note 854060 for more details.
- S_DATASET
The download or upload of digitally signed SAP Note in Note Assistant writes the Note SAR file into the application server of the system. This requires the above authorization object.
- S_RFC_ADM
During the download of digitally signed SAP Notes in Note Assistant relevant RFC destinations are read. This requires the above authorization object.
- S_APPL_LOG
If the verification of digital signature for an SAP Note fails, the Note Assistant tool logs the security event in the application server using log object (CWBDS). To view the application logs, you should have the above authorization object.
Procedure:
SAP Note 2836302 brings a report (RCWB_TCI_DIGITSIGN_AUTOMATION) that provides guided steps to help you enable SNOTE for TCI and digitally signed SAP Notes. This report also guides you through the configuration steps based on your SAP_BASIS release.
Note: SAP Note 2836302 is not valid for SAP_BASIS 710, 711 and 730, as the TCI feature is not available in these releases. Instead, SNOTE must be enabled for digitally signed SAP Notes by implementing SAP Notes 2408073, 2546220 and 2508268 (as mentioned in the table above).
When executed, report RCWB_TCI_DIGITSIGN_AUTOMATION starts the step-by-step implementation of the various SAP Notes and TCI packages required for the enablement process. It also provides guidance in configuring the right download procedure to make the system ready for the SAP Support Backbone infrastructure change starting January 2020.
The client in which the report should be executed depends on whether the system is already enabled for TCI or not. You can check this by first executing the report in client 000. If steps 1 to 4 are 'Pending', the report must be executed in client 000. Otherwise the report can be executed in any other actively used client in the development landscape.
Note: This report cannot be executed in parallel by different users or in different sessions.
- Implementation:
When the report is executed, it performs a series of steps; the first of these is downloading all prerequisite Notes.
If the download of an SAP Note fails, the upload dialog box appears for each Note. You must download the SAP Note file from SAP ONE Support Launchpad and upload it here. The Note implementation brings the relevant pop-ups for each Note being implemented.
After the Support Backbone change, Notes downloaded manually are delivered as signed SAR archives, so the SAPCAR utility is needed to prepare them for upload. Below are the steps for implementing a Note manually:
- Download the SAP Note from the Support Launchpad.
- Save the SAR file to a temporary location.
- Using SAPCAR, extract the SAR file with the command SAPCAR -xvf 000xxxxxxx.SAR
- Unzip the enclosed ZIP file with any unzip program.
- There will now be three files: a .SAR, a .zip and a .txt.
- In SNOTE of the system, choose Goto -> Upload SAP Note.
- Select the 000xxxxxxx.txt file extracted above.
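The manual steps above are easy to get wrong when many prerequisite Notes have to be staged one after another. The script below is an added example (not SAP code and not part of the original post) that automates them: it runs the same SAPCAR -xvf command, unzips the enclosed ZIP, refuses ZIP entries that would write outside the working directory, and returns the 000xxxxxxx.txt file to select in SNOTE under Goto -> Upload SAP Note. It assumes SAPCAR is on the PATH or is passed as the third argument; the file names and the archive used in testing are constructed.

```python
"""Stage a manually downloaded, digitally signed SAP Note for upload in SNOTE.

Added example, not SAP-delivered code. It scripts the manual steps from the
post: extract the .SAR with SAPCAR, unzip the enclosed ZIP, pick the .txt
that SNOTE's 'Goto -> Upload SAP Note' expects. SAPCAR is assumed to be on
PATH or given as an argument.
"""
import os
import re
import subprocess
import sys
import zipfile

# Note files are named after the ten-digit Note number, e.g. 0002424539.txt
NOTE_FILE_RE = re.compile(r"^\d{10}\.txt$", re.IGNORECASE)


def extract_sar(sar_path, workdir, sapcar="SAPCAR"):
    """Run 'SAPCAR -xvf <file>' inside workdir (the command from the post).
    A non-zero exit status means the archive was not extracted cleanly and
    nothing from it should be uploaded."""
    result = subprocess.run([sapcar, "-xvf", os.path.abspath(sar_path)],
                            cwd=workdir, capture_output=True, text=True)
    if result.returncode != 0:
        raise RuntimeError("SAPCAR failed (%d): %s"
                           % (result.returncode, result.stderr.strip()))
    return result.stdout


def unpack_note_zip(workdir):
    """Unzip every .zip that SAPCAR left in workdir; return the member names."""
    extracted = []
    for name in sorted(os.listdir(workdir)):
        if not name.lower().endswith(".zip"):
            continue
        with zipfile.ZipFile(os.path.join(workdir, name)) as zf:
            for member in zf.namelist():
                # Refuse entries that would escape workdir (zip slip) before extracting.
                if os.path.isabs(member) or ".." in member.split("/"):
                    raise ValueError("unsafe member name in %s: %s" % (name, member))
            zf.extractall(workdir)
            extracted.extend(zf.namelist())
    return extracted


def find_upload_file(workdir):
    """Return the path of the 000xxxxxxx.txt to select in SNOTE, or None."""
    for name in sorted(os.listdir(workdir)):
        if NOTE_FILE_RE.match(name):
            return os.path.join(workdir, name)
    return None


def stage_note(sar_path, workdir, sapcar="SAPCAR"):
    """Full manual procedure: SAPCAR extraction, unzip, locate the .txt file."""
    os.makedirs(workdir, exist_ok=True)
    extract_sar(sar_path, workdir, sapcar)
    unpack_note_zip(workdir)
    txt = find_upload_file(workdir)
    if txt is None:
        raise FileNotFoundError("no 000xxxxxxx.txt found after extraction in " + workdir)
    return txt


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: stage_note.py <note.SAR> <workdir> [SAPCAR]")
    print("Upload this file in SNOTE:", stage_note(*sys.argv[1:4]))
```

The zip-slip check matters because the ZIP is opened on the application server's file system; a crafted archive must not be able to write outside the staging directory even if it gets that far. The SAPCAR step is kept as a subprocess call rather than reimplemented, since SAPCAR is the tool Note Assistant relies on.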
Configure ABAP Download Service (can be performed before executing the report RCWB_TCI_DIGITSIGN_AUTOMATION):
The ABAP download service allows you to download files directly into your Application Server ABAP system from any SAP destination addressed through a URL.
The most important use case for the ABAP download service is downloading from SAP file shares connected to the SAP Support Portal and the download of SAP Notes with all their dependencies and relevant SAP Notes transport-based correction instructions (TCIs). The downloading of files from SAP file shares is only possible after a successful login to the respective SAP Support Portal system with an S-user authorized for the file download.
To carry out the following configuration tasks and to use the ABAP download service, you require specific authorizations and roles.
Authorizations and Roles:
Role | Description |
SAP_BC_SDS_CONF_DISPLAY | Displaying the configuration |
SAP_BC_SDS_CONF_ADMIN | Maintaining the configuration |
SAP_BC_SDS_TASK_DISPLAY | Displaying the runs of the download task list in the SAP Task Manager |
SAP_BC_SDS_TASK_USER | Executing the ABAP download service |
Setup of the Connection to SAP Support Portal:
Call transaction SDS_CONFIGURATION in change mode.
Maintain the S-user name and password here, then choose OK and save.
Maintenance of Client Certificates:
To enable the ABAP download service to download software archives from SAP destinations, various root certificates must be registered in the SAP system.
To download the certificates (DigiCert Global Root CA and DigiCert Global Root G2), see SAP Notes 2620478 and 2554853.
Transaction STRUST is used to upload the certificates.
To import the certificates, call transaction STRUST and, under SSL client SSL Client (Standard), choose Import certificate.
On the File tab page, browse to the downloaded certificate files and import the certificates by choosing Continue and then Add to Certificate List.
Click Save.
Configure the HTTPS Service:
As the ABAP download service connects to the SAP Support Portal via the HTTPS protocol, this protocol needs to be enabled at the Application Server ABAP.
Ensure the following parameters are maintained in the system:
icm/server_port_2 PROT=HTTPS, PORT=44300, PROCTIMEOUT=300, TIMEOUT=300
ssl/client_ciphersuites with the value 918:PFS:HIGH::EC_P256:EC_HIGH (this parameter enables the download of Notes from https://apps.support.sap.com)
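A quick way to confirm both settings across a landscape is to read the instance profile and check for an HTTPS ICM port and the expected cipher-suite value. The checker below is an added example (not SAP code and not part of the original post): it parses "name = value" profile lines, finds every icm/server_port_<n> entry with PROT=HTTPS, and compares ssl/client_ciphersuites against the two values mentioned on this page (918:... from the post, 150:... from the comment thread). The sample profile text is constructed; the profile path in the usage line is a placeholder.

```python
"""Check an ABAP instance profile for the HTTPS settings the ABAP download
service needs: an icm/server_port_<n> entry with PROT=HTTPS and an
ssl/client_ciphersuites value equal to one of the values cited in the post.

Added example, not SAP-delivered code. Usage against a real profile:
    python check_profile.py /usr/sap/<SID>/SYS/profile/<SID>_D00_<host>
(the path is a placeholder; without an argument the constructed sample is checked).
"""
import re
import sys

RECOMMENDED_CIPHERSUITES = {
    "918:PFS:HIGH::EC_P256:EC_HIGH",  # value given in the blog post
    "150:PFS:HIGH::EC_P256:EC_HIGH",  # value discussed in the post's comment thread
}

# Constructed sample profile: one HTTP port, one HTTPS port, cipher suites set.
SAMPLE_PROFILE = """\
SAPSYSTEMNAME = ABC
INSTANCE_NAME = D00
icm/server_port_0 = PROT=HTTP, PORT=8000, PROCTIMEOUT=300, TIMEOUT=300
icm/server_port_2 = PROT=HTTPS, PORT=44300, PROCTIMEOUT=300, TIMEOUT=300
ssl/client_ciphersuites = 918:PFS:HIGH::EC_P256:EC_HIGH
"""


def parse_profile(text):
    """Return {parameter: value} for 'name = value' lines, ignoring comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def parse_port_spec(spec):
    """Turn 'PROT=HTTPS, PORT=44300, TIMEOUT=300' into {'PROT': 'HTTPS', ...}."""
    fields = {}
    for field in spec.split(","):
        if "=" in field:
            key, value = field.split("=", 1)
            fields[key.strip().upper()] = value.strip()
    return fields


def https_ports(params):
    """List of (parameter name, port) for every icm/server_port_<n> using HTTPS."""
    found = []
    for name, value in params.items():
        if re.fullmatch(r"icm/server_port_\d+", name):
            fields = parse_port_spec(value)
            if fields.get("PROT", "").upper() == "HTTPS":
                found.append((name, fields.get("PORT")))
    return found


def check_download_service_https(text):
    """Return a list of findings; an empty list means the profile passes."""
    params = parse_profile(text)
    findings = []
    if not https_ports(params):
        findings.append("no icm/server_port_<n> entry with PROT=HTTPS")
    suites = params.get("ssl/client_ciphersuites")
    if suites is None:
        findings.append("ssl/client_ciphersuites is not set")
    elif suites not in RECOMMENDED_CIPHERSUITES:
        findings.append("ssl/client_ciphersuites is %r, not one of the recommended values" % suites)
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            text = f.read()
    else:
        text = SAMPLE_PROFILE
    problems = check_download_service_https(text)
    for problem in problems:
        print("FAIL:", problem)
    print("OK" if not problems else "%d finding(s)" % len(problems))
```

The check is deliberately strict about the cipher-suite string: a value that merely starts with a matching number is reported, since a truncated value such as 150:PFS:HIGH would silently change which suites the client offers.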
Setting up the Target Directory:
Use transaction FILE to set up the target directory.
The logical file DOWNLOAD_SERVICE_DIR is defined and delivered by default. It points to the /usr/sap/trans/EPS/in directory in UNIX nomenclature. This path is specified in the definition of the logical path DOWNLOAD_SERVICE_PATH.
If the target directory fits your system, you can use the default logical file DOWNLOAD_SERVICE_DIR. You can also point the logical path DOWNLOAD_SERVICE_PATH to your own target directory, or you can create your own logical file paths, assignments of physical paths to logical paths, and logical file names.
- Call transaction FILE and select the DOWNLOAD_SERVICE_PATH entry in the Create a logical file path table.
- Go to Assignment of Physical Paths to Logical Path and adapt the physical path according to your target directory or operating system, respectively.
- Save your changes.
Maintain Execution Parameters:
The execution parameters are required for the file download.
Call transaction SDS_CONFIGURATION in change mode and maintain the values as below:
The block size and the number of aRFC processes can be changed.
To establish and configure the connection to the new SAP Support Backbone, we can use the task list SAP_BASIS_CONFIG_OSS_COMM.
Please follow SAP Note 2827658.
This Note needs to be implemented in the system. If you are not able to do so automatically, implement the Note manually (steps defined above).
Alternatively, create the RFC destinations manually in this step (of type H and G).
Create the RFC SAP-SUPPORT_PORTAL (type H) using transaction SM59.
Enter the S-user (technical user) and password, and keep SSL active.
Create the second RFC, SAP-SUPPORT_NOTE_DOWNLOAD (type G):
Define File type for downloading SAP Notes:
The RCWB_UNSIGNED_NOTE_CONFIG report can be used to define the type of file (unsigned or digitally signed):
- Download unsigned SAP Note:
If you choose this option, the system allows you to download unsigned SAP Notes when a digitally signed SAP Note is not available.
- Do not download unsigned SAP Note:
If you choose this option, the system allows you to download only digitally signed SAP Notes.
The fallback configuration report RCWB_UNSIGNED_NOTE_CONFIG used to make the download of an unsigned Note possible when the download of the signed SAP Note failed for whatever reason. Since after the SAP Support Backbone update the download of unsigned Notes is no longer possible, the report RCWB_UNSIGNED_NOTE_CONFIG has become obsolete.
Please implement SAP Note 2885888.
Now, let’s just jump back to the implementation part of the report i.e. RCWB_TCI_DIGITSIGN_AUTOMATION.
After the download of the prerequisite Notes (either manually or automatically), we perform the pending steps in the list.
Conclusion:
After executing all the above steps, the system is enabled for downloading and uploading digitally signed Notes.
Steps for further systems in the landscape:
For the subsequent systems, i.e. quality and production, it is very important that STEP 13 of the list is performed very carefully (please follow the guide attached to SAP Note 2836302).
This step gives the list of transport requests (TRs) that can be consolidated for import into the subsequent systems, and the manual steps to execute in the subsequent systems in case of missing TRs.
- Actions to be performed in subsequent systems:
- Consolidate all the transports you have created into a Workbench Request.
- Import the workbench request into the quality and production systems.
- Execute the report RCWB_TCI_DIGITSIGN_AUTOMATION in the quality and production systems.
References/Sources:
2836302 – Automated guided steps for enabling Note Assistant for TCI and Digitally Signed SAP Notes
2408073 – Handling of Digitally Signed notes in SAP Note Assistant
2537133 – FAQ – Digitally Signed SAP Notes
Troubleshooting
Please follow the Notes below if you face errors related to the SPAM queue or HTTPS errors during Note download:
2712875 – Error: “The TCI queue must be finished with the Note Assistant” while confirming import queue in SPAM
2448562 – Support Package Manager does not allow to confirm a queue with Transport based Correction Instructions (TCI)
2836005 – SNOTE: XML_FORMAT_ERROR dump occurs when downloading a note via HTTPS
Feel free to provide your feedback.
Regards
Basu Sharma
PS : If you like the blog, you can follow my profile for getting the insights on my further blog posts. 🙂
_______________________________________________
I blog this article to share information that is intended as a general resource and personal insights. Errors or omissions are not intentional. Opinions are my own and not the views of my employers (past, present or future) or any organization that I may be affiliated with. Content from third party websites, SAP and other sources reproduced in accordance with Fair Use criticism, comment, news reporting, teaching, scholarship, and research.
Thanks for your blog.
I have a question about the parameter ssl/client_ciphersuites. In our NetWeaver 7.4 system I added ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH, and I can download Notes successfully. What is the difference between the values 918 and 150?
Hello Clark
Following is the answer to your question regarding the value of the cipher suites:
The recommended ciphersuite parameter values enable TLSv1.2+TLSv1.1+TLSv1.0, support for Perfect Forward Secrecy (PFS) cipher suites, and blind sending of client certificates for outgoing SSL/TLS-protected communication, and disable RC4-based TLS cipher suites (which are class MEDIUM). Beginning with CommonCryptoLib 8.5.4, the cipher suite 3DES_EDE_CBC was demoted from class HIGH to class MEDIUM, and it will also be disabled by the above parameter values.
For NetWeaver systems the value 150 was recommended, and for Solution Manager specifically 918 was recommended. However, there is a bug in the STC01 task list SAP_BASIS_CONFIG_OSS_COMM, which I have mentioned in the blog. To avoid that bug, the value 918 is recommended here.
Hope I have answered your query.
Regards
Basu Sharma
Thanks for the blog,
Hi Basu,
I'm getting an error in step 12, Check download of Digitally Signed test Note 2424539. It asks me to enter logon data, and when I provide the credentials I get the same error:
HTTP Request failed for sap-support_portal with status code unauthorized.
Thanks
Karthik
Hello Karthik
Did you try implementing that note manually?
In addition, what is the result of the connection test for the RFCs you have created?
Regards
Basu Sharma
Hi Basu,
I'm getting an error in step 13, Check download of Digitally Signed test Note 2424539. It asks me to enter logon data, and when I provide the credentials I get the same error:
HTTP Request failed for sap-support_portal with status code unauthorized.
Thanks
Pankaj
Hi Basu,
thank you for your blog. I would like to ask you a question.
We have a SAP NetWeaver system with SAP_BASIS 730 SP11.
The following SAP Notes were implemented manually on the system:
SAP Note 2408073 - Handling of Digitally Signed notes in SAP Note Assistant
SAP Note 2546220 - [CVE-2017-16691] SNOTE: Digital signature verification along with note file extraction
SAP Note 2508268 - Download of Digitally Signed SAP Notes in SNOTE
2928592 - Download digitally signed SAP Notes using HTTP procedure in SAP_BASIS 700 to 731
RFCs SAP-SUPPORT_PORTAL, SAP-SUPPORT_NOTE_DOWNLOAD and SAP-SUPPORT_PARCELBOX were created;
the connection is working with the new technical user, and SAPOSS is using the same new technical user.
Report RCWB_SNOTE_DWNLD_PROC_CONFIG is set to HTTP protocol.
Report RCWB_UNSIGNED_NOTE_CONFIG is set to Do not download unsigned SAP Note.
When we want to download an SAP Note (not upload) we get this error:
From the logs (SLG1) the following is visible:
SMICM: HTTPS is set, certificates are uploaded.
What do you think about this issue?
Thank you very much for your help.
Best regards
Michaela Mamrillova
Hi Basu,
the problem was solved by restarting the ICM and recreating the RFC SAP-SUPPORT_PORTAL.
Best regards
Michaela Mamrillova
Hi, thanks for the blog.
We are running late in configuring digitally signed SAP Notes. We are on Basis 700 SP14, so it is quite far back.
So I guess we need to follow 2928592 - Download digitally signed SAP Notes using HTTP procedure in SAP_BASIS 700 to 731. But there are many prerequisite Notes with many manual pre- and post-activities.
Do we need to do the manual activities described in each prerequisite Note, or only those of the main Notes, with the rest of the prerequisite Notes picked up automatically from the server if we just upload them?