Technology Blogs by Members
bennen

In this blog I want to show some things about protected web methods. All in all, this article is the result of the personal notes I have made over the last years.


The first time I had some "fun" with the protected web methods was in a customer project. I tried to update a usual JAVA instance on a Windows Server with SUM at the customer's site and I failed. That was very embarrassing, because the customer sat next to me :$ .


The cause of and solution for all the problems at that time was just one line in the DEFAULT.PFL: exactly the difference between DEFAULT and SDEFAULT.


SAP has released more information about this topic in the last years, so this is more a collection of sources and facts than a how-to. Most of this is based on the Start Stop wiki https://wiki.scn.sap.com/wiki/display/SI/SAP+Start+Service



What we are dealing with


Sapstartsrv


The web methods exist to control the web service interface of the sapstartsrv process. If you are not really familiar with sapstartsrv, then you should become familiar with it! This knowledge is very important for this topic and for a lot of other topics in SAP Basis administration.


Wiki about starting and stopping instances: https://wiki.scn.sap.com/wiki/display/SL/Starting+and+stoping+the+instance+during+update+manually


Check the version:


https://wiki.scn.sap.com/wiki/display/SI/How+to+check+the+sapstartsrv+release+and+patch+level


Technical documentation:


http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/60e24f7b-1ba1-2b10-c0a0-e514b8556...


Write your own instance controller:


https://wiki.scn.sap.com/wiki/display/ATopics/Scripting+SAP+MMC+Operations



web methods


With the web methods of the sapstartsrv process you can control your SAP instances. The web methods are protected, so an OS user, for example, cannot interact "accidentally" with the sapstartsrv process. The default admin user is <sid>adm. You can add more users, such as <daa>adm, with the profile parameter service/admin_users.


With the <sid>adm user you can do a lot of evil things, even if you don't know its password. So SAP added another line of defence with the profile parameter service/protectedwebmethods.


Further information is in notes 927637 and 1439348 (also for SSO):


https://launchpad.support.sap.com/#/notes/927637


https://launchpad.support.sap.com/#/notes/1439348



Parameter


service/protectedwebmethods


You can control the protection of the web methods with the profile parameter service/protectedwebmethods. The parameter should be set to the old value DEFAULT or the new SDEFAULT. I set it in the DEFAULT.PFL, so it is valid for all instances. It is also the kernel default, so in a newer (ABAP) NetWeaver system you don't need to do anything.



The parameter is more important in JAVA, because there is no really good check of the parameter default there, as there is in ABAP.


The difference between DEFAULT and SDEFAULT is described in this wiki:


https://wiki.scn.sap.com/wiki/display/SI/Protected+web+methods+of+sapstartsrv


You can also exclude individual web methods from protection; I describe that in the next topic.



Solutions for scenarios


I collected some scenarios, each with the solution that worked best for me.


After you have changed the parameter, you have to restart the sapstartsrv service. You can do this at any time; it has no effect on instance availability. NR is your instance number.



<sid>adm> sapcontrol -nr <NR> -function RestartService

Solman Monitoring cannot connect to service sapstartsrv


It is described in Note 2348537 https://launchpad.support.sap.com/#/notes/2348537 and 2506964 https://launchpad.support.sap.com/#/notes/2506964


You need to exclude JAVA instance webmethods from protection:



service/protectedwebmethods = SDEFAULT -J2EEGetProcessList2 -J2EEGetProcessList -ReadLogFile -ABAPReadSyslog -ListLogFilesError

JAVA NWA System Overview shows grey or red lights


Note 2544271 https://launchpad.support.sap.com/#/notes/2544271 and 1883695 https://launchpad.support.sap.com/#/notes/1883695



service/protectedwebmethods = SDEFAULT -PerfRead -MtGetTidByName -J2EEGetProcessList

SUM can't control sapcontrol


Note 1563660 https://launchpad.support.sap.com/#/notes/1563660 and 1664214 https://launchpad.support.sap.com/#/notes/1664214


Cancel the whole update and change the parameter to



service/protectedwebmethods = DEFAULT 

service/protectedwebmethods = NONE

Restart SUM from the beginning.
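
As an added example (not from the original post and not SAP code): a small Python check that reads profile text and reports which service/protectedwebmethods value is in effect and which methods the `-Method` entries take out of protection, for instance to spot a setting left behind after one of the scenarios above. It assumes that the instance profile overrides DEFAULT.PFL and that a later line in one file overrides an earlier one; it only knows the base values used on this page, and the sample profiles are constructed.

```python
PARAM = "service/protectedwebmethods"
KNOWN_BASES = {"SDEFAULT", "DEFAULT", "NONE"}  # only the values used on this page

# Constructed sample profiles (not taken from a real system).
SAMPLE_DEFAULT_PFL = """\
# DEFAULT.PFL
SAPSYSTEMNAME = J01
service/protectedwebmethods = SDEFAULT
"""
SAMPLE_INSTANCE_SOLMAN = """\
service/protectedwebmethods = SDEFAULT -J2EEGetProcessList2 -J2EEGetProcessList -ReadLogFile
"""
SAMPLE_INSTANCE_SUM = """\
service/protectedwebmethods = DEFAULT
service/protectedwebmethods = NONE
"""

def read_param(profile_text, name=PARAM):
    """Return the last value assigned to `name` in one profile text, or None."""
    value = None
    for line in profile_text.splitlines():
        key, sep, val = line.strip().partition("=")
        if sep and not key.startswith("#") and key.strip() == name:
            value = val.strip()  # assumption: a later line overrides an earlier one
    return value

def audit(default_pfl, instance_profile):
    """Resolve the effective setting and list what it leaves unprotected."""
    inst = read_param(instance_profile)  # assumption: instance profile wins
    value = inst if inst is not None else read_param(default_pfl)
    if value is None:
        return {"source": "kernel default", "base": None, "excluded": [], "findings": []}
    base, *rest = value.split() or [""]
    excluded = [t[1:] for t in rest if t.startswith("-") and len(t) > 1]
    findings = [f"unparsed token {t!r}" for t in rest if not (t.startswith("-") and len(t) > 1)]
    if base not in KNOWN_BASES:
        findings.append(f"unrecognized base value {base!r}")
    elif base == "NONE":
        findings.append("NONE in effect: web method protection is switched off")
    elif base == "DEFAULT":
        findings.append("old DEFAULT set in effect instead of SDEFAULT")
    findings += [f"{m} is excluded from protection" for m in excluded]
    source = "instance profile" if inst is not None else "DEFAULT.PFL"
    return {"source": source, "base": base, "excluded": excluded, "findings": findings}

if __name__ == "__main__":
    for name, prof in [("solman", SAMPLE_INSTANCE_SOLMAN), ("sum", SAMPLE_INSTANCE_SUM), ("none", "")]:
        print(name, audit(SAMPLE_DEFAULT_PFL, prof))
```
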



Connection problems with DAA


Note 1939330 https://launchpad.support.sap.com/#/notes/1939330



No authorization


Maintain the parameter service/admin_users:


https://launchpad.support.sap.com/#/notes/927637



Protect start/stop service with ACL


Use the parameters service/http/acl_file and service/https/acl_file.


Create the ACL file with the syntax from note 1495075 https://launchpad.support.sap.com/#/notes/1495075



Security Audits


Most security audits will note the service/admin_users and service/hostnames parameters.


service/admin_users -> Just follow the recommendation in note 927637.


service/hostnames -> That is a tricky case. You can set it, but that could then cause problems with SUM and MMC.
