Starting from Jan 1 2020, SAP has implemented the new Support Backbone infrastructure and hence, your ABAP systems must be prepared to get connected with the new SAP support backbone.
This is required for at least downloading the digitally signed SAP notes in the ABAP systems and maintaining the connectivity related to Early Watch reports of your SAP systems.
Pre-requisites and Preparation
1. Prepare ABAP systems SNOTE for Digitally Signed SAP Notes
Below is the step-by-step guide for enabling SNOTE for digitally signed SAP notes. It is recommended to go through the below blog before proceeding with the next steps.
2. Required Plug-in version of your SAP systems
a) If your SAP system doesn't directly connect to SAP Support Backbone
This will be your case mostly as almost every SAP system is generally connected to SAP Support backbone through SAP Solution manager to generate the Early Watch Alert reports. You can check in SDCCN of your ABAP system if there is a master BACK RFC pointing to any solution manager. Go to Settings->Task Specific->RFC destination
In this case, you don't have to worry about the ST-PI and ST-A/PI versions of your ABAP systems, however it is generally recommended to update them at the latest level. So I would suggest you to include the update of ST-PI and ST-A/PI in your plan if possible.
b) If your SAP system connects directly to SAP Support Backbone
If ST-PI 2008_1_7xx : At least SP20
If ST-PI 740: At least SP10
ST-A/PI : At least 01T* SP01
3. Technical Communication SUSER
You have already requested a technical communication SUSER to be maintained in the new RFCs. Check the Step 1 of this blog for requesting it.
Creating RFC Connections for New Support Backbone
1. For system with SAP_BASIS < 740
You just need to replace the users in the SAP OSS related RFCs with the technical communication SUSER requested in the pre-requisite steps. The RFCs in the systems could be SAPOSS, SAPNET_RFC, SAPNET_RTCC and SDCC_OSS.
2. For Systems with SAP_BASIS >= 740
If your system has SAP_BASIS release 740 Patch Level (SP00 to SP07) < SP08, follow the manual steps in the document attached to SAP Note 2827658.
Else if your system has SAP_BASIS release 7.40 >=SP08 // 7.50, 7.51, 752, 7.53 >=SP00 ,implement the TCI note 2827658 following the below steps to get the automated task list for RFC related steps.
You might need to plan for the system restart for completing some of the steps in the task list e.g change of parameter ssl/client_ciphersuites.
1. Check SPAM version:
It should be at least on patch level 71 for implementing the TCI note 2827658. I would recommend updating SPAM to the latest patch level available on SAP support portal.
2. Implement SAP TCI Note 2827658
a) Download the correction instructions of this note from SAP support portal
b) Upload the downloaded TCI correction through SNOTE
c) Download SAP Note 2827658 in SNOTE
d) Implement TCI Note 2827658 through SNOTE
Create a new transport request and lock this TCI note 2827658 in the transport request in your development system, which can then be transported to the QA and Prod systems.
You may get the system dump LOAD_PROGRAM_TABLE_MISMATCH while implementing this SAP note.
Resolution: Go to SE11 and check the database object and runtime object of the table mentioned in the above system dump in section Error Analysis. For example, in our case it was database table "PAT05"
If the database and runtime objects are found to be consistent, then re-implement the TCI note 2827658 through SNOTE, else follow SAP note 2559989 to resolve the inconsistency issues.
Release the transport request once the note is implemented.
3. Execute the automated Task List SAP_BASIS_CONFIG_OSS_COMM
Once the SAP note is implemented, you will get the task list SAP_BASIS_CONFIG_OSS_COMM in your SAP system to perform the automated tasks for setting up the new HTTP RFC connections for the new SAP support backbone.
Go to T-code STC01 , enter task list name and press the highlighted button to generate the task list.
Enter the parameters for HTTPS connection for new Support Backbone by clicking on below icon.
Enter the technical communication Suser and password as requested in pre-requisites
You can enter the Router string similar to the one mentioned in the old SAPOSS connection.
Click on Save and go back to task list.
Execute the task list.
The task list will be executed until one of the step fails. You can check the document against each step for details or can check the document attached to SAP Note 2827658 for each step details.
In the first step, it will check the SAPCRYPTOLIB version. If it is < 8.4.48, follow the steps mentioned in the document against this step.
It will then check the TLS version related profile parameters and will stop if it fails on this step.
The default value of the parameter ssl/client_ciphersuites is below. You can check it in RZ11 of your system.
Change it to the recommended value 150:PFS:HIGH::EC_P256:EC:HIGH in the default profile of the system.
Restart the SAP system.
Re-execute the task list using t-code STC02
Execute the task list, it will then stop at Check certificates for SSL client (STRUST).
If you check the documentation, you will need to download the below 4 certificates and install them in the SSL Client SSL Client (Standard) in STRUST of the system.
DigiCert Global Root CA
DigiCert Global Root G2
DigiCert High Assurance EV Root CA
VeriSign Class 3 Public Primary Certification Authority - G5
Open Strust and upload these certificates as below
Re-execute the task list
Once the task list is completed, the below HTTP RFC destinations are generated in your SAP system and tested as well.
SAP Support Portal (SAP-SUPPORT_PORTAL - Type H)
SAP Parcel Download (SAP-SUPPORT_PARCELBOX - Type G)
SAP Note Download (SAP-SUPPORT_NOTE_DOWNLOAD - Type G)
If the task list fails for your system on step test HTTPS connection, this could be due to the incorrect router string passed to RFC destinations by the task list due to the below restriction
For releases < 7.40 SP16 / < 7.50 SP6 the router string length is limited to 45 digits (i.e. when you enter in the UI of the task a router string longer than 45 digits, it is not completely passed to the destination). In this case either correct the router string in RFC destinations (sm59) manually (router string + host)
4. Save HTTP destinations for Note download procedure
Execute report RCWB_SNOTE_DWNLD_PROC_CONFIG from SE38/SA38 in your system as mentioned in SAP Note 2836996.
Select HTTP Protocol and RFC SAP-SUPPORT_PORTAL and SAP-SUPPORT_NOTE_DOWNLOAD as shown above and save it.
How to test Digitally Signed Notes download
Download test SAP Note 2755640 through SNOTE.
Check the logs of SAP note.
You should see the log as "Digitally signed SAP Note downloaded in version using HTTPS"
This will complete the steps required to enable the digitally signed SAP notes in your SAP ABAP systems.
Solution Manager Related Steps For SAP Support Backbone
Don't forget to complete the steps in your SAP Solution manager for the new support backbone as your SAP systems are mostly connected to Support backbone through SAP Solution manager. Follow the SAP Support Backbone Checklists for Solution manager to complete the connectivity for Solution manager related tasks including the service content updates, Early Watch Alert content, landscape synchronisation with SAP etc.