Enable Note Assistant to Support Digitally Signed ...

PritiDhingra · ‎09-12-2017

SAP is making SAP Notes more secure by ensuring all SAP Notes are digitally signed. The SAP Notes files can get maliciously modified and the customer unknowingly can upload the maliciously modified SAP Notes files into their ABAP systems. Therefore, SAP plans to deliver all SAP Notes files with digital signature to protect SAP Notes files with increased authenticity and improved security. We strongly recommend customers to upload only digitally signed SAP Note files.

Post January 1, 2020, the download and upload process will stop working unless Note Assistant (SNOTE transaction) is enabled in ABAP systems to work with digitally signed SAP Notes.

We offer a guided approach which bundles all the actions required into an SAP Note 2836302, saving you considerable amount of time. Please refer the PDF attached to SAP Note 2836302.

Else, find the details of the individual steps that needs to be performed below:

1. All relevant SAP Notes are implemented in your ABAP systems.

To enable Note Assistant (SNOTE) for downloading and uploading digitally signed SAP Notes, please implement SAP Notes 2408073, 2546220 and 2508268.

An equivalent Transport-Based Correction Instruction (TCI) is available as SAP Note 2576306 containing the SAP Notes 2408073, 2546220 and 2508268. If the Note Assistant in your ABAP system is enabled for TCI, It is recommended to implement TCI SAP Note 2576306 instead of applying the above individual SAP Notes.

2. For SAP_BASIS Releases 740 and above, you have enabled one of the following procedures for SAP Notes download: HTTP protocol or Download service. RFC protocol for download will not be allowed for SAP_BASIS Releases 740 and above.

3. For SAP_BASIS Releases 700 to 731, generic user used in RFC destination is replaced with S-user (recommended Technical Communication User).

The digitally signed SAP Notes are available as SAR files. All SAP Notes downloaded through SAP ONE Support Launchpad are digitally signed SAR files.

The Note Assistant tool will use the SAPCAR utility on the application server to verify the digital signature of the uploaded SAP Note. Please ensure required patch level of SAPCAR executable is available on your system. If not, the digital signature verification fails and the files are not extracted. Once you have implemented the above SAP Notes, you may test the working of upload of digitally signed SAP Note feature by uploading a sample SAR file attached to the SAP Security Note 2408073. Further details about enabling Note Assistant to support digitally signed SAP Notes are described in the user guide attached to the SAP Security Note 2408073.

Refer to the table below for a quick check on what this means for you:

If your SAP_BASIS release is...	The impact for you starting 2020...	How you can be prepared...
700 or below	SAPOSS/SAPNOTE will not work. Manually upload SAP Note as .txt.	ABAP systems can not be enabled to consume digitally signed SAP Notes automatically, hence manual process needs to be followed.
700 to 731	SAPOSS/SAPSNOTE will work only with S-user (recommended Technical Communication User)	For continuing using RFC procedure for download, replace OSS_RFC user in SAPOSS/SAPSNOTE with S-user. Recommendation is to use Technical Communication User or Use Download Service as an alternative
740 and above	SAPOSS/SAPSNOTE will not work	Enable one of the following download procedures: HTTPS protocol (The SAP kernel must be 7.42 PL400 above) or Use Download Service as an alternative

Watch out the Note Assistant Page on SAP Support Portal, for the latest updates.

For more details please refer:

- SAP Note 2537133 for FAQs on Digitally Signed SAP Notes
- PDF attached to SAP Note 2836302
- Webinar replay
- Click here to view the presentation
- Guided answers to learn about mandatory steps
- Cheat Sheet for enabling SNOTE for Digitally Signed SAP Notes and for TCI
- Detailed information regarding impact of SAP Support Backbone update

LieveRavyts · ‎11-06-2017

SAP Note/KBA 2518518 has been removed ?

PritiDhingra · ‎11-08-2017

Hi Leive,

SAP Note 2518518 is no longer required , Manual steps are described in the same Note 2408073.

Best Regards,

Priti

wagener-mark · ‎03-21-2018

Hi,

we implemented the Download Service using TCI Note 0002576306. Report RCWB_UNSIGNED_NOTE_CONFIG was used to set "Do not download unsigned SAP Note"

Report RCWB_SNOTE_DWNLD_PROC_CONFIG was used to set "Download service Application" as download procedure. When testing corresponding RFC to notesdownloads.sap.com we get response 400 (Bad request).

Nevertheless, we receive the error message "E:SCWN:810 SAP_DOWNLOAD_SERVICE" when trying to download a note which needs the download service (e.g. 2538018).

Any suggestions?

Thanks,

Mark

PritiDhingra · ‎02-01-2019

Hi Mark,

Apologies for the delayed response. I hope issue is resolved by now, if not please raise a ticket on component BC-UPG-NA. It helps us analyse the issue more effectively.

Best Regards,

Priti

former_member592640 · ‎04-11-2019

Hi Priti,

To enable Note Assistant (SNOTE) for downloading and uploading digitally signed SAP Notes, we need to implement SAP Notes 2408073, 2546220 and 2508268.And 2554853 is required for Download system if we want to use Download Service applications.

After implementing above SAP notes, RCWB_SNOTE_DWNLD_PROC_CONFIG will enable 3 select procedure to Download SAP note -

1) Remote Functional Call (RFC) --> This option will use SAPOSS ABAP RFC connection with OSS_RFC user and will be used in case of fallback to Download of Unassigned SAP Notes ?

2) HTTP Protocol --> Both RFC connections will be generated automatically or we need to create both RFC manually ?
a) RFC Destination (H Type) for SAP Support Portal
b) RFC Destination (G Type) for SAP Note Download

3) Download Service Application --> Which one is better Option -> Option-2 (HTTP Protocol) or Option-3 (Download Service Application) for Digitally signed SAP Notes.

Gaurav

former_member358922 · ‎04-24-2019

The test of the .SAR file from note 2408073 works even though I haven't implemented notes 2408073, 2546220, or 2508268. Are we good?

jonjon · ‎05-02-2019

That would interest me too.

former_member399862 · ‎10-23-2019

Hi Priti,

Thanks a lot for providing the note 2836302. It would have made it much easier for us to setup up Support Backbone Update if we would have found that note and report earlier. We have found a lot of erros which have been fixed in the last weeks. So my question is if it makes sense to wait some more weeks in the hope that all fixes get also included into the report of note 2836302?

We have done nearly all configruation steps manuelly and now we use the report to detect if we have forgotten any task.

Thanks and Best Regards,

Daniel

rajagopalan123 · ‎11-12-2019

Hello Priti,

Thank you for this information. We have followed your Note 2836202 and completed the steps (screenshot attached). However, it is not clear if there is a test to confirm that Digital Notes are actually enabled. Is there a test or report that we can run to confirm this? Thank you!

Raja Gopalan

sujit_sharma · ‎11-13-2019

You can try downloading SAP Note 2424539 (test note) and then double click on the note number, open the "Note Log", now you should see the message that states that “Digitally signed SAP Note 0002424539 0007” note was downloaded or something similar as "S:SCWN:824 0002424539 0007"

If you get either of those messages, that indicates your configuration is correct.

Best regards,

Sujit

former_member437939 · ‎11-20-2019

Hi Priti,

Is there a sap note that is not digitally signed so we can make sure we can’t upload those notes into our system after the update?

Sorry another question, I see in the attachment they are suggesting we do a TOC for QA and Prod of the transport and bring it through, as we have only one transport is it necessary to do this or can we just bring the original transport through to QA and PROD?

mptgv2019 · ‎11-21-2019

it is necessary to implement the note 2576306 despite have the 2408073 2546220 and 2508268 already implemented?

pankaj_pabreja · ‎11-22-2019

Hi Ruben,

No, it should be either SAP TCI note 2576306 or 2408073 2546220 and 2508268.

Have you already applied notes 2408073 2546220 and 2508268 in your system?

mptgv2019 · ‎11-22-2019

Yeap, Just only applied 2408073 2546220 and 2508268.
But for 2576306 it s say Recommended by SAP, that was my concern.

pankaj_pabreja · ‎11-24-2019

Implementation of SAP note 2576306 is recommended by SAP as it is a TCI note which contains consolidated correction instructions of SAP notes 2408073 2546220 and 2508268.

The advantage of the TCI note 2576306 implementation is that you don't to have to perform any manual corrections mentioned in the SAP notes 2408073 2546220 and 2508268.

TCI note is a new way of delivering ABAP corrections by SAP.

As you have already implemented SAP notes 2408073 2546220 and 2508268 along with the manual corrections, there is no need to implement the TCI note 2576306

You can find further details about TCI in SAP Note 2187425

mptgv2019 · ‎12-02-2019

many thanks!

former_member189462 · ‎12-16-2019

Hello,

System: SAP ERP 6.0 EHP1

Release: 7.01 - SP 15

All tasks related to report RCWB_TCI_DIGITSIGN_AUTOMATION (2836302), were performed and set to completed as required:

A test was made using 0002424539_00.SAR and functionality worked ok. The NOTE log however shows as follows:

Post manual activities in note 2721941 were performed as indicated for the affected release:

Seems like the message being used from message class SCWN is 98 instead of 823.

Does someone faced a similar issue or do I miss something during configuration?

Thanks and best regard.

former_member189462 · ‎12-19-2019

Hello,

Any suggestion with regards to the above reported?

Thanks

former_member189462 · ‎12-19-2019

Please, disregard my previous message.

The reported behavior was observed while performing steps detailed in note 2424539:

"Upload this note into your system using SNOTE transaction -> Go to Menu item -> Upload SAP Note option. The digital signature verification should be successful and note is uploaded into the system".

Downloading the note corrections from SNOTE transaction--> Go to Menu Item --> Download SAP Note, shows NOTE log correctly.

Thanks