Author: Benjamin Nenninger

Protected web methods

In this blog post I want to show some things about protected web methods. All in all, this article is the result of the personal notes I have created over the last years.

The first time I had some “fun” with the protected web methods was in a customer project. I tried to update an ordinary JAVA instance on a Windows Server with SUM at the customer's site, and I failed. That was very embarrassing, because the customer sat next to me :$ .

The cause of, and the solution to, all the problems at that time was just one line in the DEFAULT.PFL: exactly the difference between DEFAULT and SDEFAULT.

SAP has released more information about this topic in the last years, so this is more a collection of sources and facts than a how-to. Most of it is based on the Start Stop wiki: https://wiki.scn.sap.com/wiki/display/SI/SAP+Start+Service

What we are dealing with

Sapstartsrv

The web methods exist to control the web service interface of the sapstartsrv process. If you are not really familiar with sapstartsrv, then you should get familiar with it! This knowledge is very important for this topic and for a lot of other topics in SAP Basis administration.

Wiki about starting and stopping instances: https://wiki.scn.sap.com/wiki/display/SL/Starting+and+stoping+the+instance+during+update+manually

Check the version:

https://wiki.scn.sap.com/wiki/display/SI/How+to+check+the+sapstartsrv+release+and+patch+level

Technical documentation:

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/60e24f7b-1ba1-2b10-c0a0-e514b855624b?QuickLink=index&overridelayout=true&35665408489838

Write your own instance controller:

https://wiki.scn.sap.com/wiki/display/ATopics/Scripting+SAP+MMC+Operations

Web methods

With the web methods of the sapstartsrv process you can control your SAP instances. The web methods are protected, so that an OS user, for example, cannot “accidentally” interact with the sapstartsrv process. The default admin user is <sid>adm. You can add more users, like <daa>adm, with the profile parameter service/admin_users.

With the <sid>adm user you can do a lot of evil things, even if you don’t know its password. So SAP added another line of defence with the profile parameter service/protectedwebmethods.

Further information is in notes 927637 and 1439348 (also for SSO):

https://launchpad.support.sap.com/#/notes/927637

https://launchpad.support.sap.com/#/notes/1439348

Parameter

service/protectedwebmethods

You can control the protection of the web methods with the profile parameter service/protectedwebmethods. The parameter should be set to the old value DEFAULT or the new SDEFAULT. I set it in the DEFAULT.PFL, so it is valid for all instances. It’s also the kernel default, so in a newer (ABAP) NetWeaver system you don’t need to do anything.

The parameter is more important in JAVA, because there is no really good parameter default check there, as there is in ABAP.

The difference between DEFAULT and SDEFAULT is described in this wiki:

https://wiki.scn.sap.com/wiki/display/SI/Protected+web+methods+of+sapstartsrv

You can also exclude individual web methods from protection; I describe this in the next topic.
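To see what a system actually ends up with, the following added example (not from the original post or from SAP) resolves service/protectedwebmethods across DEFAULT.PFL and an instance profile, where the instance profile takes precedence, and splits the value into base set and exclusions. The profile contents are constructed, the function names are hypothetical, and ALL and the + prefix are assumptions about the parameter syntax that this page does not show.

```python
PARAM = "service/protectedwebmethods"
BASE_SETS = ("ALL", "SDEFAULT", "DEFAULT", "NONE")  # ALL is an assumption, not on this page

def read_param(profile_text, name=PARAM):
    """Return the last value assigned to `name` in one profile text, or None."""
    value = None
    for raw in profile_text.splitlines():
        key, sep, val = raw.strip().partition("=")  # "# name = x" never matches name
        if sep and key.strip() == name:
            value = val.strip()
    return value

def effective_value(profiles):
    """profiles: (label, text) pairs, lowest precedence first (DEFAULT.PFL, then instance)."""
    found = (None, None)
    for label, text in profiles:
        val = read_param(text)
        if val is not None:
            found = (label, val)
    return found

def audit(value):
    """Split a parameter value into base set and +/- modifiers and list findings."""
    report = {"base": None, "unprotected": [], "protected": [], "findings": []}
    if value is None:
        report["findings"].append("not set in any profile: kernel default applies")
        return report
    for tok in value.split():
        if tok in BASE_SETS and report["base"] is None:
            report["base"] = tok
        elif tok[0] in "+-" and len(tok) > 1:  # "+" is an assumption, "-" is used on this page
            report["protected" if tok[0] == "+" else "unprotected"].append(tok[1:])
        else:
            report["findings"].append(f"unrecognised token: {tok}")
    if report["base"] is None:
        report["findings"].append("no base set (DEFAULT, SDEFAULT, ...) given")
    elif report["base"] == "NONE":
        report["findings"].append("NONE: no web method is protected")
    elif report["base"] == "DEFAULT":
        report["findings"].append("DEFAULT is the old value; SDEFAULT is the newer set")
    report["findings"] += [f"protection removed from {m}" for m in report["unprotected"]]
    return report

# Constructed sample profiles; the instance value is the Solman scenario line from this page.
DEFAULT_PFL = "SAPSYSTEMNAME = J01\nservice/protectedwebmethods = SDEFAULT\n"
INSTANCE_PFL = ("service/protectedwebmethods = SDEFAULT -J2EEGetProcessList2 "
                "-J2EEGetProcessList -ReadLogFile -ABAPReadSyslog -ListLogFilesError\n")

if __name__ == "__main__":
    print(audit(effective_value([("DEFAULT.PFL", DEFAULT_PFL), ("instance", INSTANCE_PFL)])[1]))
```

Run it against the real profile texts after every change, for example after an update for which the value was switched to DEFAULT or NONE.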

Solutions for scenarios

I have collected some scenarios, each with what I consider the best solution.

After you have changed the parameter, you have to restart the sapstartsrv service. You can do this at any time; it has no effect on instance availability. NR is your instance number.

<sid>adm> sapcontrol -nr <NR> -function RestartService

Solman Monitoring cannot connect to service sapstartsrv

It is described in notes 2348537 https://launchpad.support.sap.com/#/notes/2348537 and 2506964 https://launchpad.support.sap.com/#/notes/2506964

You need to exclude JAVA instance webmethods from protection:

service/protectedwebmethods = SDEFAULT -J2EEGetProcessList2 -J2EEGetProcessList -ReadLogFile -ABAPReadSyslog -ListLogFilesError

JAVA NWA System Overview shows grey or red lights

Notes 2544271 https://launchpad.support.sap.com/#/notes/2544271 and 1883695 https://launchpad.support.sap.com/#/notes/1883695

service/protectedwebmethods = SDEFAULT -PerfRead -MtGetTidByName -J2EEGetProcessList

SUM can’t control sapcontrol

Notes 1563660 https://launchpad.support.sap.com/#/notes/1563660 and 1664214 https://launchpad.support.sap.com/#/notes/1664214

Cancel the whole update and change the parameter to

service/protectedwebmethods = DEFAULT 

service/protectedwebmethods = NONE 

Restart SUM from the beginning.

Connection problems with DAA

Note 1939330 https://launchpad.support.sap.com/#/notes/1939330

No authorization

Maintain parameter service/admin_users

https://launchpad.support.sap.com/#/notes/927637

Protect start/stop service with ACL

Parameters service/http/acl_file and service/https/acl_file

Create the ACL file with the syntax from note 1495075 https://launchpad.support.sap.com/#/notes/1495075

Security Audits

Most security audits will note the admin_users and hostnames parameters.

service/admin_users -> Just follow the recommendation in note 927637

service/hostnames -> That is a tricky case. You can set it, but then that could cause problems with SUM and MMC.
