Step by Step guide for SAP Support Backbone Update

Posted 2021-03-05 weikui

Prerequisites.

All customers with ABAP-based SAP systems needs to switch to the new infrastructure before January 2020 to ensure smooth connectivity.

 

Resolution for Solution Manager.

 

Look at this step-by-step guide by Praveena Subramani

 

https://blogs.sap.com/2019/11/14/step-by-step-guide-on-sap-support-backbone-update-and-enabling-note-assistant-for-digitally-signed-sap-notes/

 

Resolution for other ABAP systems.

Step-by-step guide.

0. Make a backup.

 

1.Technical communication user for the systems

We must request a technical communication user for the systems ( Refer SAP Note 2174416) . (You cannot convert a regular S-user into a technical communication user.) The technical communication user is required, for example, to download digitally signed SAP Notes from Note Assistant (transaction SNOTE). Technical communication users cannot be used to log on in dialog mode, and their passwords do not expire.

For this step, we need Handling of Technical Communication Users  here – https://apps.support.sap.com/technical-user/index.html

A user was successfully requested.

 

2.Required ST-PI and ST-A/PI Plug-In Versions for SAP NetWeaver

 

Prerequisites:

● ST-PI 2008_1_7xx SP20 and higher, or ST-PI 740 SP10 and higher

● ST-A/PI 01T* SP01 and higher

 

Check ST-PI and ST/PI version

 

 

 

 

Download and implement actual ST-PI and ST-A/PI version in SPAM transaction

 

 

 

 

 

 

 

3. Import certificates into STRUST transaction

 

3.1 Download attachments from Note #2631190

 

 

3.2.  Import certificates in STRUST transaction

 

 

 

4. Maintan ssl/client_ciphersuites parameter in RZ11 transaction.

 

Set ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH in SAP instance profile (Dialog instance, restart is required)

 

 

5.Update SAP Kernel to latest version including SAPCRYPTOLIB.

 

 

6.Enabling Note Assistant for TCI and Digitally Signed SAP Notes

 

6.1. Implement Note #2836302

https://launchpad.support.sap.com/#/notes/2836302

2836302 – Automated guided steps for enabling Note Assistant for TCI and Digitally Signed SAP Notes

 

 

Objects inside (DYNP -Web Dynpro, FUNC – Functions, REPS – Reports, etc)

 

 

7.Run Report – RCWB_TCI_DIGITSIGN_AUTOMATION (Automated guided steps for enabling Note Assistant for TCI and Digitally Signed SAP Notes)

 

 

    7.1. Implement Notes:  2508268, 2721941 (Step 10 of RCWB_TCI_DIGITSIGN_AUTOMATION Report)

 

 

 

   7.2. Configure Download Procedure for SNOTE

 

     Enable HTTP Protocol and RFC Destinations

 

• SAP-SUPPORT_PORTAL (Type H)
• SAP-SUPPORT_NOTE_DOWNLOAD (Type G)

 

7.3. Maintain Procedure Connectivity

 

Upload TCI Package  SAPK75000KCPSAPBASIS

 

 

7.4. Upload Note 2827658

 

 

7.5. Maintain Task List Run SAP_BASIS_CONFIG_OSS_COMM

 

 

 

Step – Create HTTPS Connections for SAP Service

 

 

7.6. Lock Procedure Configuration in Transport Request

 

 

8.Finally Check

 

Check download of Digitally Signed test Note 2424539

 

 

 

 

Troubleshooting

 

Problem.

 

Connect to <host> failed: NIEROUT_INTERN(-93)

 

Resolution.

 

Check note

https://launchpad.support.sap.com/#/notes/2631190

 

1) The used SAProuter string to access either target hosts servicepoint.sap.com, apps.support.sap.com or notesdownloads.sap.com is too long. In the SAP_BASIS release 740 the SAP router string will be truncated after 100 Bytes.

Example:  /H/<customer-saprouter_1>/S/sapdp99/H/<customer-saprouter_2>/S/sapdp99/H/<sapserver>/S/sapdp99/H/apps.support.sap.com/S/443   -> error

2) The Port Number 443 of Access URL was manually change to another number, e.g. icm http or https port.

3) The SAProuter string was copied from SAPOSS or SAP-OSS included host oss001.Therefore the target host is wrong, e.g. /H/<customer-saprouter_1>/S/sapdp99/H/<customer-saprouter_2>/S/sapdp99/H/<sapserver>/S/sapdp99/H/oss001apps.support.sap.com .

 

Problem resolution.

 

1) This issue has been fixed in software component SAP_BASIS release 740 SP18 or higher.

Reduce the total length of the SAP router string in task “Create Support Portal HTTP Destination (SM59)” by

a) using port numbers instead of service names (e.g. 3299 vs sapdp99)

b) using IP addresses or shorter host names (e.g. 10.10.10.1)

Example:

 /H/<customer-saprouter_1>/S/sapdp99/H/<customer-saprouter_2>/S/sapdp99/H/<sapserver>/S/sapdp99/H/apps.support.sap.com/S/443   -> error ( > 100 Bytes )

/H/<IP_customer-SR_1>/S/3299/H/<IP_customer-SR_2>/S/3299/H/<IP_sapserver>/S/3299/H/apps.support.sap.com/S/443   -> OK ( < 101 Bytes)

 

2) Change the Port Number / Service No. of Access URL back to 443.

3) Delete the string “oss001″in the SAProuter string.

 

In other words – check

Target host for RFC destinations:

 

SAP-SUPPORT_NOTE_DOWNLOAD

SAP-SUPPORT_PARCELBOX and SAP-SUPPORT_PORTAL

 

Conclusion.

SAP Support Backbone Update procedure provided.

 

Useful resources about this topic.

 

CONFIGURATION GUIDE:

https://help.sap.com/doc/feb605248d4c4fb0af6ffed96346f0be/latest/en-US/loio8528fcfcbef24e459448d8b9c57ee724.pdf

Cheat Sheet – Enabling SNOTE for Digitally Signed SAP Notes and for TCI:

https://support.sap.com/content/dam/support/en_us/library/ssp/my-support/knowledge-base/note-assistant/cheatsheet-for-digsignnotes_snote_tci.pdf

2836302 – Automated guided steps for enabling Note Assistant for TCI and Digitally Signed SAP Notes:

https://launchpad.support.sap.com/#/notes/2836302

Digital Signature.pdf attached to Note 2576306

https://launchpad.support.sap.com/#/notes/2576306

SAP Support Backbone Connectivity Troubleshooting

https://gad5158842f.us2.hana.ondemand.com/dtp/viewer/#/tree/1423/actions/17822