SAP is making SAP Notes more secure by ensuring all SAP Notes are digitally signed. The SAP Notes files can get maliciously modified and the customer unknowingly can upload the maliciously modified SAP Notes files into their ABAP systems. Therefore, SAP plans to deliver all SAP Notes files with digital signature to protect SAP Notes files with increased authenticity and improved security. We strongly recommend customers to
upload only digitally signed SAP Note files.
Post January 1, 2020, the download and upload process will stop working unless Note Assistant (SNOTE transaction) is enabled in ABAP systems to work with digitally signed SAP Notes.
We offer a guided approach which bundles all the actions required into an SAP Note 2836302, saving you considerable amount of time. Please refer the PDF attached to SAP Note 2836302.
Else, find the details of the individual steps that needs to be performed below:
1. All relevant SAP Notes are implemented in your ABAP systems.
- To enable Note Assistant (SNOTE) for downloading and uploading digitally signed SAP Notes, please implement SAP Notes 2408073, 2546220 and 2508268.
- An equivalent Transport-Based Correction Instruction (TCI) is available as SAP Note 2576306 containing the SAP Notes 2408073, 2546220 and 2508268. If the Note Assistant in your ABAP system is enabled for TCI, It is recommended to implement TCI SAP Note 2576306 instead of applying the above individual SAP Notes.
2. For SAP_BASIS Releases 740 and above, you have enabled one of the following procedures for SAP Notes download:
HTTP protocol or
Download service.
RFC protocol for download will not be allowed for SAP_BASIS Releases 740 and above.
3. For SAP_BASIS Releases 700 to 731, generic user used in RFC destination is replaced with S-user (recommended Technical Communication User).
The digitally signed SAP Notes are available as SAR files.
All SAP Notes downloaded through SAP ONE Support Launchpad are digitally signed SAR files.
The Note Assistant tool will use the SAPCAR utility on the application server to verify the digital signature of the uploaded SAP Note. Please ensure required patch level of SAPCAR executable is available on your system. If not, the digital signature verification fails and the files are not extracted. Once you have implemented the above SAP Notes, you may test the working of upload of digitally signed SAP Note feature by uploading a sample SAR file attached to the SAP Security Note
2408073. Further details about enabling Note Assistant to support digitally signed SAP Notes are described in the user guide attached to the SAP Security Note
2408073.
Refer to the table below for a quick check on what this means for you:
If your SAP_BASIS release is... |
The impact for you starting 2020... |
How you can be prepared... |
700 or below |
SAPOSS/SAPNOTE will not work. Manually upload SAP Note as .txt. |
ABAP systems can not be enabled to consume digitally signed SAP Notes automatically, hence manual process needs to be followed. |
700 to 731 |
SAPOSS/SAPSNOTE will work only with S-user (recommended Technical Communication User) |
- For continuing using RFC procedure for download, replace OSS_RFC user in SAPOSS/SAPSNOTE with S-user. Recommendation is to use Technical Communication User
or
- Use Download Service as an alternative
|
740 and above |
SAPOSS/SAPSNOTE will not work |
Enable one of the following download procedures:
- HTTPS protocol (The SAP kernel must be 7.42 PL400 above)
or
- Use Download Service as an alternative
|
Watch out the
Note Assistant Page on SAP Support Portal, for the latest updates.
For more details please refer:
