Inhalt SAP Hinweise - consolut€¦ · SAP P01 SAP Q01 SAP Support does NOT change at 01.01.2020 3...
Transcript of Inhalt SAP Hinweise - consolut€¦ · SAP P01 SAP Q01 SAP Support does NOT change at 01.01.2020 3...
1
2
3
4
5SNOTE Changes 2020
Discussion Different Scenarios
Setup Different Scenarios
Miscellaneous
Conclusion
Inhalt – SAP HinweiseC
SNOTE Changes 2020 - Warning
consolut 20 years - SAP SCP - SAP HANA + SAP Hinweise2
Since a few weeks, you do see this in EVERY Note in the Service Marketplace:
It seems to be a „major“ thing …
You need at least to be prepared ;-)
Aber: Immer erst mal die Kirche im Dorf lassen😉
01 SNOTE Changes 2020
SAP
P01SAP
Q01
SAP Support does NOT change at 01.01.2020
consolut 20 years - SAP SCP - SAP HANA + SAP Hinweise3
01 SNOTE Changes 2020
SAP Walldorf
Support
Router @
SAP
Router @
Customer
SAP
E01
Router
@
consolut
SAP –> Customer
direct
SAP -> Customer
via consolut
SAP
P01 SAP
Q01
SNOTE does change 01.01.2020
consolut 20 years - SAP SCP - SAP HANA + SAP Hinweise4
01 SNOTE Changes 2020
< 2020
OSS
O01 / O02
Router @
SAPRouter @
Customer
SAP
E01
Router @
consolut
Customer –> SAP
direct
Customer –> SAP
via consolut
Download
Server
> 2019
New Support
Infrastructure
• SNOTE Upload will still work – when you unpack
the notes-SAR-Files & ZIP-File yourself 😉
=> You always do have a workaround ☺
What happens at 01.01.2020?
consolut 20 years - SAP SCP - SAP HANA + SAP Hinweise5
• Digital signed Notes needed for SNOTE Download
• “Just” the OSS / O01 / O02 will disappear …
• Complete new “OSS-Servers” @ SAP 😉
=> first bigger change since 15+ years in the SAP Service
Infrastructure 😉
• Generic Users like OSS_RFC & ST14_RTCC &
SDCC_NEW are no longer valid
=> (technical) S-Users …
• SAPOSS-RFC-Access as of SAP_BASIS 7.40 no longer
allowed
01 SNOTE Changes 2020
Note Implementation w/o Digital Signment
consolut 20 years - SAP SCP - SAP HANA + SAP Hinweise6
• Practical Upload Test of a digitally signed note in an “old” & not patched system VGT
• We do download the note 2424539 in the SAP Service Marketplace
• We do uncar the note as follows:
SAPCAR -xvf 0002424539_00.SAR
• We do unzip the note with any ZIP tool and gain the file 0002424539.txt
• Now, we do upload this note in system VGT
• Finally, we do want to see the difference in the patched system I68
In emergency cases, we
do have a solution
already ;-)
01 SNOTE Changes 2020
Digitally Signed Notes
consolut 20 years - SAP SCP - SAP HANA + SAP Hinweise7
Motivation:
• SAP notes cannot be modified by accident or purpose
• SAP notes are always authentic
• All IT companies tend to publicize patches digitally signed
• SAP does this even when you are having typically a “secure connection” to the SAP server
01 SNOTE Changes 2020
Different Download Options (formerly “SAPOSS”)
consolut 20 years - SAP SCP - SAP HANA + SAP Hinweise8
SAP provides the following different options, to access the SAP Support environment:
• Remote Function Call (RFC)
• https Protocol
• NW Download Service
01 SNOTE Changes 2020
Remote Function Call (RFC)
consolut 20 years - SAP SCP - SAP HANA + SAP Hinweise9
Permanently possible up to 7.31 with (technical) S-User ONLY:
01 SNOTE Changes 2020
https Protocol
consolut 20 years - SAP SCP - SAP HANA + SAP Hinweise10
As of SAP_BASIS 7.40:
01 SNOTE Changes 2020
NW Download Service
consolut 20 years - SAP SCP - SAP HANA + SAP Hinweise11
• Download System as of 7.40
(perhaps even 7.02)
• Managed System as of 7.00
01 SNOTE Changes 2020
Conclusion
consolut 20 years - SAP SCP - SAP HANA + SAP Hinweise12
• SAP does change a lot in the internal infrastructure
• The changes are very useful for the future (e.g. authentication & encryption)
• Emergency fallback is no problem with manual unpacking of notes
01 SNOTE Changes 2020
1
2
3
4
5SNOTE Changes 2020
Discussion Different Scenarios
Setup Different Scenarios
Miscellaneous
Conclusion
Inhalt – SAP HinweiseC
General
consolut 20 years - SAP SCP - SAP HANA + SAP Hinweise14
All scenarios do require the „digitally signed notes“ support …
But then, you can freely choose between of the 3 options:
• Remote Function Call (RFC)
• https Protocol
• NW Download Service
02 Discussion Different Scenarios
Remote Function Call (RFC)
consolut 20 years - SAP SCP - SAP HANA + SAP Hinweise15
Pro:
• Easy to use as identical to the old version
• Only needed change: User e.g. SAPOSS OSS_RFC needs to be changed to technical S-User
• Easy RFC Connection – no https certificates required
Contra:
• Does work up to 7.31 only (as of 2020)
02 Discussion Different Scenarios
https Protocol
consolut 20 years - SAP SCP - SAP HANA + SAP Hinweise16
Pro:
• Solution for 7.40 and up
• https encrypts the complete way from the Support system at SAP to the SAP system of the customer (End-to-End)
Contra:
• Requires https certificates handling in each SID
• Web Access in each SID needed (if the https traffic will not be tunneled via SAProuter)
02 Discussion Different Scenarios
NW Download Service
consolut 20 years - SAP SCP - SAP HANA + SAP Hinweise17
Pro:
• The only option, where the TCIs of downloaded notes are downloaded as well ;-)
• Every System as of 7.40 (and perhaps 7.02 as well) can be used as download server with the latest Basis Patches
• Technical S-User only needed in Download System
• Solution for all SAP Systems as of 7.00 as „Managed System“
• Requires https certificates handling in Download System only
• Web Access needed in Download System only (if the https traffic will not be tunneled via SAProuter)
Contra:
• Nothing really found ;-)
02 Discussion Different Scenarios
Conclusion
consolut 20 years - SAP SCP - SAP HANA + SAP Hinweise18
• Digitally signed notes are always recommended to be setup, as the workaround results in always manual downloads, decompressing
and uploading – but definetely works for „old systems“, that more or less do need no more maintenance
• In general the „NW Download Service“ is the best option as it improves the functionality especially for „new notes“, that do need more
and more often TCI parts
• If the landscape does contain on 7.31 (and lower) systems only, the best option is, just to stay on the RFC option and switch the
users to technical S-Users
• SolMan 7.2 (7.40 based) is able to provide the SAP Download Service. But, this is not a feature of the SolMan, but just of the WebAS.
So, you can freely choose for the Dowload Server of your choice.
(SolMan 7.1 with Basis SP17 could provide the Download Service as well)
02 Discussion Different Scenarios
1
2
3
4
5SNOTE Changes 2020
Discussion Different Scenarios
Setup Different Scenarios
Miscellaneous
Conclusion
Inhalt – SAP HinweiseC
Setup Digitally Signed Notes
consolut 20 years - SAP SCP - SAP HANA + SAP Hinweise20
For digitally signed notes, we do need the following 3 or the one TCI note below:
• 2408073 - Handling of Digitally Signed notes in SAP Note Assistant
• 2508268 - Download of Digitally Signed SAP Notes in SNOTE
• 2546220 - [CVE-2017-16691] SNOTE: Digital signature verification along with note file extraction
OR
• 2576306 - Transport-Based Correction Instruction (TCI) for Download of Digitally Signed SAP Notes
As the notes do contain a lot of manual changes, we would recommend to use this as an argument to setup TCI in your landscape ;-)
More and more new notes to benefit or even require TCI to be setup …
Further information: https://support.sap.com/en/my-support/knowledge-base/note-assistant.html
• 2537133 - FAQ - Digitally Signed SAP Notes
03 Setup Different Scenarios
Useful Support Packs SAP_BASIS
consolut 20 years - SAP SCP - SAP HANA + SAP Hinweise21
Digitally signed notes are available in: TCI is available in:
If you you would install these Support Packs by X-Mas, you would be more or less done ;-)
03 Setup Different Scenarios
TCI for Dummies
consolut 20 years - SAP SCP - SAP HANA + SAP Hinweise22
What is „TCI“?
• TCI = Transport-based Correction Instructions
• SAP delivers more and more „features“ via notes => more dynpros, tables, data elements etc. are required
• „Small SPAM“ Support Pack
• Even the transaction SPAM is used, but in the working client
• Mostly even a rollback is possible
• But the greatest point is:
TCI will be used in DEV only and then transported ;-)))
=> no risk for any other SAP systems in your landscape!
03 Setup Different Scenarios
Setup Technical S-User I
consolut 20 years - SAP SCP - SAP HANA + SAP Hinweise23
2174416 - Creation and activation of users in the Technical Communication User application
2393376 - How to reset the password for a Technical Communication User
Here, the user can be requested and the password reset: (during activation)
https://apps.support.sap.com/technical-user
(unfortunately, no tile available for this one …)
Authorizations for technical S-Users:
• Nothing ;-)
=> ALL S-Users (even the non-technical ones) do have sufficient authorizations in order to download notes etc.
(as the old anonymes S-Users)
03 Setup Different Scenarios
Setup Technical S-User II
consolut 20 years - SAP SCP - SAP HANA + SAP Hinweise24
Passwords are quite tricky here:
• Uppercase ONLY
• ALWAYS 8 Characters
• 1 digit
• 1 special character
=> e.g. “KATZE=49”
03 Setup Different Scenarios
Selecting the Scenario
consolut 20 years - SAP SCP - SAP HANA + SAP Hinweise25
Report RCWB_SNOTE_DWNLD_PROC_CONFIG can switch easy:
Table CWB_DWNLD_PROC shows the current setting.
03 Setup Different Scenarios
Setup Remote Function Call (RFC)
consolut 20 years - SAP SCP - SAP HANA + SAP Hinweise26
• Just switch the user in SAPOSS
… to your new technical user ;-)
• Possible further RFC Connections to be changed:
• SAPNET_RFC
• SAPNET_RTCC
• SDCC_OSS
03 Setup Different Scenarios
Setup https I
consolut 20 years - SAP SCP - SAP HANA + SAP Hinweise27
The Setup in Detail:
• RZ10
ssl/client_ciphersuites = 918:PFS:HIGH::EC_P256:EC_HIGH
• Certificate Import to SSL-Client Standard
We can provide them:
03 Setup Different Scenarios
Setup https II
consolut 20 years - SAP SCP - SAP HANA + SAP Hinweise28
STC01 – Tasklist:
SAP_BASIS_CONFIG_OSS_COMM
(or better:
Report:
SOSS_UI_CREATE_RFC_NEW_OSS
in VERY latest patches only, note 2738426)
SAP-SUPPORT_NOTE_DOWNLOAD – G - notesdownloads.sap.com
03 Setup Different Scenarios
Setup https III
consolut 20 years - SAP SCP - SAP HANA + SAP Hinweise29
SAP-SUPPORT_PORTAL – H - apps.support.sap.com
Finally: Report RCWB_SNOTE_DWNLD_PROC_CONFIG
SAProuter does work even for https !!!
(“native routing” – available in newer
saprouters only)
e.g.:
/H/62.80.18.50/H/194.39.131.34/H/apps.support.sap.com
03 Setup Different Scenarios
NW Download Service - FILE
consolut 20 years - SAP SCP - SAP HANA + SAP Hinweise30
FILE - Check & Create this Entry
Check and edit the logical path DOWNLOAD_SERVICE_PATH properly for your OS:
(especially Windows NT is always missing!)
e.g. for Windows:
<P=DIR_EPS_ROOT>\in\<FILENAME>
03 Setup Different Scenarios
NW Download Service - SDS_CONFIGURATION
consolut 20 years - SAP SCP - SAP HANA + SAP Hinweise31
Transaction SDS_CONFIGURATION
03 Setup Different Scenarios
NW Download Service – STRUST & https
consolut 20 years - SAP SCP - SAP HANA + SAP Hinweise32
Transaction STRUST:
… similar to https above …
RZ10 - Client Cipher Suite
ssl/client_ciphersuites = 918:PFS:HIGH::EC_P256:EC_HIGH
SICF – Activate Service
<defaulthost>/sap/bc/rest
<defaulthost>/sap/bc/rest/SLProtocol
Test Download Service with „NONE” (local)
Report RCWB_SNOTE_DWNLD_PROC_CONFIG
03 Setup Different Scenarios
„consolut SAProuter+“
consolut 20 years - SAP SCP - SAP HANA + SAP Hinweise33
SAProuter @ consolut:
consolut always did provide a saprouter for all customers with
VPN from consolut to the customer for free
SAProuter & Download Service @ consolut:
This saprouter can now be used as connection to the SAP
Download Service ;-)
... for free … => Use w/o any Firewall Change ☺
/H/snc.consolut.com/H/saprfc.ustid.org/S/6207/W/UStIDDriv
er/H/localhost
03 Setup Different Scenarios
Practical Workshop „consolut SAProuter+“
consolut 20 years - SAP SCP - SAP HANA + SAP Hinweise34
What needs to be done in order to use any Download Service?
• Digitally signed notes need to be implemented beforehand
• Setup new SM59 RFC-Destination – e.g. SAP_DOWNLOAD_SERVER
Target Host: /H/snc.consolut.com/H/saprfc.ustid.org/S/6207/W/UStIDDriver/H/localhost
Instance: 00
Client: 100 - User: SAPDNLSRV – Pwd: EnjoyNotes;-)
• Activate via Report RCWB_SNOTE_DWNLD_PROC_CONFIG
• That‘s it ☺
• (This works the same way with „your local“ SAP Download Service)
03 Setup Different Scenarios
Conclusion
consolut 20 years - SAP SCP - SAP HANA + SAP Hinweise35
• Notes are to be implemented first (or Support Packs could be planned for this year)
• The connection setup to SAP is pretty easy in any case
• … especially with the „consolut SAProuter+“ Setup
03 Setup Different Scenarios
1
2
3
4
5SNOTE Changes 2020
Discussion Different Scenarios
Setup Different Scenarios
Miscellaneous
Conclusion
Inhalt – SAP HinweiseC
Notes „Special“ Secure …
consolut 20 years - SAP SCP - SAP HANA + SAP Hinweise37
• Report RCWB_UNSIGNED_NOTE_CONFIG can prevent downloading „unsigned“ notes
(but: SAP deliverts since 1 year no unsigned notes anymore …)
04 Miscellaneous
ST-PI & ST-A/PI?
consolut 20 years - SAP SCP - SAP HANA + SAP Hinweise38
• No problem ;-)
• The latest versions of these tools do support the switch of the backend systems as well …
04 Miscellaneous
1
2
3
4
5SNOTE Changes 2020
Discussion Different Scenarios
Setup Different Scenarios
Miscellaneous
Conclusion
Inhalt – SAP HinweiseC
More or less no longer needed SAP-System
consolut 20 years - SAP SCP - SAP HANA + SAP Hinweise40
Do nothing and in case, you do need a note, you can manually download it, unpack it and upload the TXT-file => no problem at all ,-)
(especially useful for 4.6C and 4.7 Systems)
05 Conclusion
SAP_BASIS >= 7.00 and <= 7.31
consolut 20 years - SAP SCP - SAP HANA + SAP Hinweise41
• Enable SNOTE for digitally signed notes
• … just change the user in the RFC destination
• Or: Setup to (central) Download Service as well, as then the TCIs are downloaded automatically as well 😉
05 Conclusion
SAP_BASIS >= 7.40
consolut 20 years - SAP SCP - SAP HANA + SAP Hinweise42
• Enable SNOTE for digitally signed notes
• Setup central Download Service
• Switch all Systems to this download service in order to avoid the many “unhandy” https-connections in different SAP-Systems with
their sapcryptolib settings and special certificates and benefit from the automatic TCI download.
• Or just switch from the consolut SAProuter to the “consolut SAProuter+” and stay with an RFC connection via the “Remote
Download Service” ☺
05 Conclusion
Consolut Setup Service Available
consolut 20 years - SAP SCP - SAP HANA + SAP Hinweise43
• Setup TCI (per Landscape/DEV-System) : 0,5 days (if required)
• Setup SNOTE for digitally signed notes (per landscape) : 0,5 days
• Setup Download Service in one System : included above
05 Conclusion
Questions ?
consolut 20 years - SAP SCP - SAP HANA + SAP Hinweise44
Volker Güldenpfennig
Volker Gueldenpfennig
Phone: +49 621 3383 331
05 Conclusion
VIELEN DANK!für Ihre Aufmerksamkeit.
consolut 20 years - SAP SCP - SAP HANA + SAP Hinweise45