Prerequisites.
All customers with ABAP-based SAP systems needs to switch to the new infrastructure before January 2020 to ensure smooth connectivity.
Resolution for Solution Manager.
Look at this step-by-step guide by Praveena Subramani
Resolution for other ABAP systems.
Step-by-step guide.
0. Make a backup.
1.Technical communication user for the systems
We must request a technical communication user for the systems ( Refer SAP Note 2174416) . (You cannot convert a regular S-user into a technical communication user.) The technical communication user is required, for example, to download digitally signed SAP Notes from Note Assistant (transaction SNOTE). Technical communication users cannot be used to log on in dialog mode, and their passwords do not expire.
For this step, we need Handling of Technical Communication Users here – https://apps.support.sap.com/technical-user/index.html
A user was successfully requested.
2.Required ST-PI and ST-A/PI Plug-In Versions for SAP NetWeaver
Prerequisites:
● ST-PI 2008_1_7xx SP20 and higher, or ST-PI 740 SP10 and higher
● ST-A/PI 01T* SP01 and higher
Check ST-PI and ST/PI version
Download and implement actual ST-PI and ST-A/PI version in SPAM transaction
3. Import certificates into STRUST transaction
3.1 Download attachments from Note #2631190
3.2. Import certificates in STRUST transaction
4. Maintan ssl/client_ciphersuites parameter in RZ11 transaction.
Set ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH in SAP instance profile (Dialog instance, restart is required)
5.Update SAP Kernel to latest version including SAPCRYPTOLIB.
6.Enabling Note Assistant for TCI and Digitally Signed SAP Notes
6.1. Implement Note #2836302
2836302 – Automated guided steps for enabling Note Assistant for TCI and Digitally Signed SAP Notes
Objects inside (DYNP -Web Dynpro, FUNC – Functions, REPS – Reports, etc)
7.Run Report – RCWB_TCI_DIGITSIGN_AUTOMATION (Automated guided steps for enabling Note Assistant for TCI and Digitally Signed SAP Notes)
7.1. Implement Notes: 2508268, 2721941 (Step 10 of RCWB_TCI_DIGITSIGN_AUTOMATION Report)
7.2. Configure Download Procedure for SNOTE
Enable HTTP Protocol and RFC Destinations
-
SAP-SUPPORT_PORTAL (Type H)
-
SAP-SUPPORT_NOTE_DOWNLOAD (Type G)
7.3. Maintain Procedure Connectivity
Upload TCI Package SAPK75000KCPSAPBASIS
7.4. Upload Note 2827658
7.5. Maintain Task List Run SAP_BASIS_CONFIG_OSS_COMM
Step – Create HTTPS Connections for SAP Service
7.6. Lock Procedure Configuration in Transport Request
8.Finally Check
Check download of Digitally Signed test Note 2424539
Troubleshooting
Problem.
Connect to <host> failed: NIEROUT_INTERN(-93)
Resolution.
Check note
1) The used SAProuter string to access either target hosts servicepoint.sap.com, apps.support.sap.com or notesdownloads.sap.com is too long. In the SAP_BASIS release 740 the SAP router string will be truncated after 100 Bytes.
Example: /H/<customer-saprouter_1>/S/sapdp99/H/<customer-saprouter_2>/S/sapdp99/H/<sapserver>/S/sapdp99/H/apps.support.sap.com/S/443 -> error
2) The Port Number 443 of Access URL was manually change to another number, e.g. icm http or https port.
3) The SAProuter string was copied from SAPOSS or SAP-OSS included host oss001.Therefore the target host is wrong, e.g. /H/<customer-saprouter_1>/S/sapdp99/H/<customer-saprouter_2>/S/sapdp99/H/<sapserver>/S/sapdp99/H/oss001apps.support.sap.com .
Problem resolution.
1) This issue has been fixed in software component SAP_BASIS release 740 SP18 or higher.
Reduce the total length of the SAP router string in task “Create Support Portal HTTP Destination (SM59)” by
a) using port numbers instead of service names (e.g. 3299 vs sapdp99)
b) using IP addresses or shorter host names (e.g. 10.10.10.1)
Example:
/H/<customer-saprouter_1>/S/sapdp99/H/<customer-saprouter_2>/S/sapdp99/H/<sapserver>/S/sapdp99/H/apps.support.sap.com/S/443 -> error ( > 100 Bytes )
/H/<IP_customer-SR_1>/S/3299/H/<IP_customer-SR_2>/S/3299/H/<IP_sapserver>/S/3299/H/apps.support.sap.com/S/443 -> OK ( < 101 Bytes)
2) Change the Port Number / Service No. of Access URL back to 443.
3) Delete the string “oss001″in the SAProuter string.
In other words – check
Target host for RFC destinations:
SAP-SUPPORT_NOTE_DOWNLOAD
SAP-SUPPORT_PARCELBOX and SAP-SUPPORT_PORTAL
Conclusion.
SAP Support Backbone Update procedure provided.
Useful resources about this topic.
CONFIGURATION GUIDE:
Cheat Sheet – Enabling SNOTE for Digitally Signed SAP Notes and for TCI:
2836302 – Automated guided steps for enabling Note Assistant for TCI and Digitally Signed SAP Notes:
Digital Signature.pdf attached to Note 2576306
SAP Support Backbone Connectivity Troubleshooting