The Onapsis Security Blog

The world of business-critical application security and compliance is dynamic, with new developments happening on a continuous basis. Read our blog posts for recommendations, insights and observations on the latest news for safeguarding your SAP® and Oracle® applications.

Research Labs Banner

Handling of Digitally Signed Notes

Starting in Q1 2019, unsigned SAP Notes will be discontinued. This means that now every SAP system should be able to load digitally signed notes. Before Q1 2019, it would have still been possible to download unsigned SAP notes. This may not have been the first time you’ve heard this, since SAP currently shows the following message when you open an ABAP Security Note:

In this blog post, we will talk about the necessary prerequisites in order to prepare your system to be able to upload digitally signed SAP Notes, the risks of not doing it, and discuss an example in order to understand how to implement a digitally signed note. 

Why digitally sign a document?

Digitally signing a document is a great way to verify its authenticity. It is usually used for software distribution, contracts and to avoid forgery. The authentication process consists of knowing who the owner is, but it is not the only attribute. The most important part of digitally signing a document is that it assures that there were no changes made since it was signed, so its integrity should not be compromised.

How to implement digitally signed notes in SAP

To implement digitally signed notes, here are some SAP Notes that must be installed as prerequisites. Go to transaction SNOTE and implement them in the following order (notes 1 and 2 are prerequisites for note 3: 

 

  1. #2546220 (“SNOTE: Digital signature verification along with note file extraction”) This note verifies that an SAP Note is digitally signed before extracting the SAR file.
  2. #2408073 (“Handling of Digitally Signed Notes in SAP Notes Assistant”). This note prepares your SAP system to upload digitally signed notes. With the SNOTE transaction, you will be able to upload a note with a digital signature. Take into account that this SAP note has manual activities that must be followed before implementing. Finally, there are also some post-implement manual steps to perform.
  3. Then implement #2508268 (“Download of Digitally Signed SAP Notes in SNOTE”) which allows the SAP Note Assistant (SNOTE transaction) to download digitally signed SAP Notes.

There’s another alternative to enable the implementation of digitally signed notes. In fact, SAP highly recommends implementing the following SAP note, instead of the previous three detailed above:

  1. #2576306 (“Transport-Based Correction Instruction (TCI) for Download of Digitally Signed SAP Notes”), it contains TCI and encompasses the other three mentioned notes. Please check if your software components allow implementation of this note, in the launchpad website. However, to implement it your SNOTE must be able to consume an SAP Note containing TCI. Please refer to note #2187425 for more information on this topic. 

Important: 

Remember, if your SAP_BASIS version is lower than 700, you will not be able to download or upload a digitally signed note. Therefore, you will have to upload an SAP Note through SNOTE transaction in TXT file format. To do it, please follow below steps:

  • First, download the digitally signed note from SAP support portal
  • Next, verify if it is digitally signed by using SAPCAR that extracts a zip file
  • Now you will get a zip file that you can de-compress to get a .txt file
  • Last but not least, upload the text file in the system using:
    • SNOTE transaction
    • Go to
    • Upload SAP Note 

If your version is 700 or higher, you can either implement the correction instructions (as mentioned previously) or update according support package.

What are the risks?

There are several risks if you upload an SAP Note that is not digitally signed. For example, when you are downloading a note with SNOTE transaction, it can be intercepted and modified when in transport from the support portal. If this happens, you may upload it to your system and get seriously compromised and even hurt in terms of performance and integrity. The most severe issues are that a customer may upload an SAP Note without knowing it was tampered with. Therefore, it would be harder to detect where the issue was generated by the malicious code, as you would be unable to track where it originated.

Installing a digitally signed note

The example below demonstrates how to implement an SAP digitally signed note, which was released in December’s SAP Patch Tuesday

The note for this example has no manual steps before nor after its implementation. Therefore, you should go to SNOTE transaction and download note #2698996. After that, select the implement button (F8) and follow the steps provided by SAP:

Click on the implement button or tick (✓) until it is implemented and change the processing status to finished. Then take a look at the log of installation to prove that this note was digitally signed. Here is a screenshot of how the log looks:

 

 

As the picture shows, the SAP digitally signed note was successfully implemented on our SAP system.

Is this note digitally signed? 

To confirm whether an SAP Note has been digitally signed or has not, you must follow this procedure. When an SAP Note is downloaded and implemented, it registers a log that can be seen by the user. In transaction SNOTE, please select the note you are interested in. Then select the log button on the top of the screen (or press Alt+Shift+F5). Just to make this idea clear, here is a screenshot of SNOTE where you need to select the log button:

There is a section called “Note Log” where you can see a few English/German words. If an SAP Note has been digitally signed, the log will show something like “digital signierter,” which means “digitally signed” in English. In the image shown below is an example:

Conclusion

At Onapsis, we are committed to providing our customers with the best recommendations and solutions for the security of their SAP systems. The ability to install digitally signed notes is beneficial because it assures integrity and authenticity of your systems. Also, as mentioned before, notes without a digital signature are now discontinued. For these reasons, if you are interested in installing new patches, features or software in general, you need to prepare your system in order to accept digitally signed notes. Do not hesitate to ask us for more information about how OSP can protect your business-critical applications.

References 

https://www.sap.com/documents/2018/02/4adcaa40-f37c-0010-82c7-eda71af51…

https://launchpad.support.sap.com/#/notes/2537133

Request a
Business Risk Illustration

Examine the security posture and risk exposure of your business-critical applications to determine the potential impact of a cyberattack on your organization.

Engage