Protected web methods
In this blog I want to show some things about protected web methods. All in all, this article is the result of the personal notes I have made over the last years.
The first time I had some “fun” with the protected web methods was in a customer project. I tried to update a usual JAVA instance on a Windows Server with SUM at the customer's site and I failed. That was very embarrassing, because the customer sat next to me :$ .
The cause of and solution to all the problems at that time was just one line in the DEFAULT.PFL: exactly the difference between DEFAULT and SDEFAULT.
SAP has released more information about this topic in the last years, so this is more a collection of sources and facts than a how-to. Most of this is based on the Start Stop wiki https://wiki.scn.sap.com/wiki/display/SI/SAP+Start+Service
What we are dealing with
The web methods exist to control the web service interface of the sapstartsrv process. If you are not really familiar with sapstartsrv, you should become familiar with it! This knowledge is very important for this topic and for a lot of other topics in SAP Basis administration.
Wiki about starting and stopping instances: https://wiki.scn.sap.com/wiki/display/SL/Starting+and+stoping+the+instance+during+update+manually
Check the version:
Write your own instance controller:
With the web methods of the sapstartsrv process you can control your SAP instances. The web methods are protected, so an OS user, for example, cannot interact “accidentally” with the sapstartsrv process. The default admin user is <sid>adm. You can add more users with the profile parameter service/admin_users, for example <daa>adm.
With the <sid>adm user you can do a lot of evil things, even if you don’t know its password. So SAP added another line of defence with the profile parameter service/protectedwebmethods.
Further information is in notes 927637 and 1439348 (also for SSO).
You can control the protection of the web methods with the profile parameter service/protectedwebmethods. The parameter should be set to the old value DEFAULT or the new SDEFAULT. I set it in the DEFAULT.PFL, so it is valid for all instances. It is also the kernel default, so in a newer (ABAP) NetWeaver system you don’t need to do anything.
The parameter is more important in JAVA, because there is no really good check of parameter defaults there, as there is in ABAP.
The difference between DEFAULT and SDEFAULT is described in this wiki
You can also exclude web methods from protection; I describe this in the next topic.
Solutions for scenarios
I collected some scenarios, each with the solution that worked best for me.
After you have changed the parameter, you have to restart the sapstartsrv service. You can do this at any time; it has no effect on instance availability. NR is your instance number.
<sid>adm> sapcontrol -nr <NR> -function RestartService
Solman Monitoring cannot connect to service sapstartsrv
You need to exclude JAVA instance web methods from protection:
service/protectedwebmethods = SDEFAULT -J2EEGetProcessList2 -J2EEGetProcessList -ReadLogFile -ABAPReadSyslog -ListLogFilesError
JAVA NWA System Overview shows grey or red lights
service/protectedwebmethods = SDEFAULT -PerfRead -MtGetTidByName -J2EEGetProcessList
SUM can’t control sapcontrol
Cancel the whole update and change the parameter to
service/protectedwebmethods = DEFAULT
service/protectedwebmethods = NONE
Restart SUM from the beginning.
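After changes like the ones in the scenarios above, it is worth checking what a profile actually leaves unprotected. The following is an added example, not code from the original blog or from SAP: it parses a profile and reports the base value and every web method excluded from protection. The sample profile is constructed, and treating the last assignment as the effective one when the parameter appears more than once is an assumption.

```python
PARAM = "service/protectedwebmethods"
KNOWN_BASES = {"DEFAULT", "SDEFAULT", "NONE"}  # the values named on this page


def audit_profile(text):
    """Return (base, exclusions, findings) for PARAM in an SAP profile text."""
    values = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # skip blank lines and comments
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == PARAM:
            values.append(value.split())
    if not values:
        return None, [], ["not set in this profile: the kernel default applies"]
    findings = []
    if len(values) > 1:
        findings.append(f"set {len(values)} times: check which line is effective")
    tokens = values[-1]  # assumption: the last assignment is the effective one
    base = tokens[0] if tokens else ""
    exclusions = [t[1:] for t in tokens[1:] if t.startswith("-")]
    other = [t for t in tokens[1:] if not t.startswith("-")]
    if base == "NONE":
        findings.append("NONE: no web method is protected")
    elif base == "DEFAULT":
        findings.append("DEFAULT is the old value: SDEFAULT is the new one")
    elif base not in KNOWN_BASES:
        findings.append(f"unrecognised base value {base!r}")
    if exclusions:
        findings.append("unprotected by exclusion: " + ", ".join(exclusions))
    if other:
        findings.append("tokens not understood: " + ", ".join(other))
    return base, exclusions, findings


# Constructed sample profile, not taken from a real system.
SAMPLE_PROFILE = """\
# DEFAULT.PFL (constructed)
SAPSYSTEMNAME = J01
service/admin_users = daaadm
service/protectedwebmethods = SDEFAULT -PerfRead -MtGetTidByName -J2EEGetProcessList
"""

if __name__ == "__main__":
    base, excluded, findings = audit_profile(SAMPLE_PROFILE)
    print("base:", base)
    for finding in findings:
        print("finding:", finding)
```

Run it against DEFAULT.PFL and each instance profile after a SUM run or a monitoring fix, so that a temporary DEFAULT or NONE setting or a leftover exclusion does not stay in place unnoticed.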
Connection problems with DAA
Note 1939330 https://launchpad.support.sap.com/#/notes/1939330
Maintain parameter service/admin_users
Protect start/stop service with ACL
Parameter service/http/acl_file and service/https/acl_file
Create ACL file with syntax from note 1495075 https://launchpad.support.sap.com/#/notes/1495075
Most security audits will note the admin_users and hostnames parameters.
service/admin_users -> Just follow the recommendation in note 927637
service/hostnames -> That is a tricky case. You can set it, but that could cause problems with SUM and MMC.