Securing the SAP Host Agent
SAP Host Agent, also known as SAPHostControl, offers web methods as SOAP Web Services to perform certain tasks on a host (for example OS monitoring, SAP instance and DB discovery, inventory and management).
The last security issue regarding a web method in SAP Host Agent dates back to 2017. Almost all documentation and write-ups about web method protection focus on SAP Instance Agent (SAPStartSrv). Therefore, I decided to spend some time looking at this topic for SAP Host Agent while I was writing my blogpost about Protecting web methods offered by SAP Instance Agent.
2021-05-11: Adjusted the title to a more bold one.
2021-03-17: Added section for encrypted communication. Rephrased some sections to be more precise.
In the following I will play the question and answer game (as you may recognise from my other blogposts) to develop a basic understanding of the SAP Host Agent and its web methods.
SAP Host Agent / SAPHostControl
Where do we find SAP Host Agent?
SAP Host Agent can be found on any server which runs SAP components or is related to SAP systems, e.g., anyDB server.
What is SAP Host Agent technically?
SAP Host Agent is a SAPStartSrv in Host mode, also known as SAPHostControl. Typically it consists of the processes ‘sapstartsrv’ (running in the context of user sapadm), ‘saphostexec’ (running in the context of user root) and ‘saposcol’ (running in the context of user root).
It reads its parameters from the SAP Host Agent profile
Which ports are used by SAP Host Agent?
SAPStartSrv in Host mode binds 1128 (HTTP) and 1129 (HTTPS).
On which IP addresses are these ports accessible?
By default SAPStartSrv in Host mode binds its ports on all available NICs (indicated by 0.0.0.0):
~> sudo ss -tlpn | grep -e 112
LISTEN 0 20 0.0.0.0:1128 0.0.0.0:* users:(("sapstatsrv",pid=15692,fd=16))
LISTEN 0 20 0.0.0.0:1129 0.0.0.0:* users:(("sapstatsrv",pid=15692,fd=9))
This can be adjusted by the parameters ‘service/hostname’, ‘service/http/hostname’ and ‘service/https/hostname’ (in host_profile).
For example, ‘service/hostname’ and ‘service/http/hostname’ could be set to 127.0.0.1 and ‘service/https/hostname’ could be set to $(SAPLOCALHOST) to reduce the attack surface:
~> sudo ss -tlpn | grep -e 112
LISTEN 0 20 127.0.0.1:1128 0.0.0.0:* users:(("sapstatsrv",pid=26912,fd=11))
LISTEN 0 20 192.168.75.135:1129 0.0.0.0:* users:(("sapstatsrv",pid=26912,fd=9))
saphostexec will be addressed through sapstartsrv using local sockets.
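To check the binding described above on a fleet of hosts, here is an added example (my own illustration, not code shipped with SAP Host Agent) that parses `ss -tlpn` output and flags a Host Agent port bound to all interfaces. The sample output is constructed; the process names, PIDs and file descriptors in it are made up.

```python
import subprocess

# Constructed sample in the layout of `ss -tlpn` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      20     0.0.0.0:1128       0.0.0.0:*         users:(("sapstartsrv",pid=15692,fd=16))
LISTEN 0      20     [::]:1129          [::]:*            users:(("sapstartsrv",pid=15692,fd=9))
LISTEN 0      128    127.0.0.1:50013    0.0.0.0:*         users:(("sapstartsrv",pid=30111,fd=12))
"""
HOST_AGENT_PORTS = {1128: "http", 1129: "https"}  # SAPStartSrv in Host mode
ANY_ADDRESS = {"0.0.0.0", "[::]", "*", "::"}       # wildcard binds as printed by ss

def parse_listeners(ss_output: str) -> list[dict]:
    """Extract address, port and process of LISTEN rows; the header and other states are skipped."""
    rows = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # rpartition keeps IPv6 forms like [::] intact
        process = fields[5] if len(fields) > 5 else ""
        rows.append({"addr": addr, "port": int(port), "process": process})
    return rows

def exposed_host_agent_ports(ss_output: str) -> list[str]:
    """Report Host Agent ports that are reachable on every interface."""
    findings = []
    for row in parse_listeners(ss_output):
        proto = HOST_AGENT_PORTS.get(row["port"])
        if proto and row["addr"] in ANY_ADDRESS:
            findings.append(f"{proto} port {row['port']} bound to {row['addr']}")
    return findings

if __name__ == "__main__":
    # Live check on the local host (needs iproute2's ss); falls back to the sample when unavailable.
    try:
        output = subprocess.run(["ss", "-tlpn"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        output = SAMPLE_SS_OUTPUT
    for finding in exposed_host_agent_ports(output) or ["no Host Agent port bound to all interfaces"]:
        print(finding)
```

Run it as root (or with sudo) so that ss can show the owning process.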
Can access to these ports be secured by any ACLs?
Access to these ports can be controlled individually by an ACL defined in parameter ‘service/http/acl_file’ for http and ‘service/https/acl_file’ for https (in host_profile).
This should be considered if, for example, no proper network separation is in place.
What about encrypted communication?
As mentioned above, SAPStartSrv in Host mode is able to allocate an HTTPS port. For this, the relevant certificates have to be present in the SSL Server PSE specified by parameter ‘ssl/server_pse’.
As of SAP Host Agent 7.21 PL40 there is a feature for the automatic setup of a self-signed standard SSL Server PSE. This can be enabled by setting the parameter
saphostagent/ssl_setup = true.
Please note: The PSE generated during the automatic setup cannot be used for X.509 based logon. The automatic setup will only create a SAPSSLS.pse if there is none; it will not overwrite an existing one.
How to configure the protocols and cryptographic algorithms?
When it comes to encryption, SAP Host Agent relies on the CommonCryptoLib (CCL) bundled with it. SAP Host Agent 7.21 PL50, for example, ships with CCL 8.5.36.
For incoming connections the protocol (TLS 1.0, TLS 1.1, TLS 1.2) and the available cryptographic algorithms can be adjusted using profile parameter ‘ssl/ciphersuites’ (in host_profile).
For outgoing connections it is the profile parameter ‘ssl/client_ciphersuites’ (in host_profile).
Some of the tools shipped with SAP Host Agent do not rely on the host_profile and need the corresponding environment variables SAPSSL_CLIENT_CIPHERSUITES and SAPSSL_CIPHERSUITES set for the executing user. Since the user sapadm is typically a non-login user without a shell, those environment variables should be set through the host_profile using
Details about how to determine suitable values for those parameters can be found at my blogpost CommonCryptoLib: TLS protocol versions and cipher suites.
Which clients are accessing these ports?
Typical clients are saphostctrl, sapcontrol, SMD Agent, SDA (Simple Diagnostics Agent), SAP LaMa and SWDM. But there may also be custom developed scripts or 3rd party tools, e.g., for monitoring purposes or start/stop of systems. For testing or troubleshooting, Postman or SoapUI may also be used as a client.
Does SAP Host Agent also provide web methods?
saphostexec provides web methods which can be queried using for example /usr/sap/hostctrl/exe/saphostctrl. saphostexec of SAP Host Agent 7.21 PL50 provides 49 web methods.
A WSDL is available at https://<hostname>:1129/SAPHostControl/?wsdl
In addition to that, sapstartsrv of SAPHostControl also provides some web methods which can be queried using for example /usr/sap/hostctrl/exe/sapcontrol. sapstartsrv of SAP Host Agent 7.21 PL50 provides 9 web methods.
Some but not all of these web methods are included in the WSDL at https://<hostname>:1129/SAPControl/?wsdl.
Which web methods can be accessed without authentication?
All web methods provided by saphostexec are protected by default, except web method ‘Ping’.
For the web methods provided by sapstartsrv of SAPHostControl the protection depends on the setting of profile parameter ‘service/protectedwebmethods’ (in host_profile).
Per default the following applies:
Protection can be disabled for all these web methods by setting
service/protectedwebmethods = NONE
or extended to all web methods except ‘CheckHostAgent’, ‘RequestLogonFile’ and ‘WaitforServiceStarted’ by setting
service/protectedwebmethods = ALL
Please note: This seems to be undocumented!
Which authentication methods are supported in general?
OS level authentication using Unix domain sockets or Windows named pipes,
Local Logon ticket (requested by web method RequestLogonFile),
Username and password (make sure to always use https to prevent sending credentials over an unencrypted channel),
Client certificate (X.509).
Which users are allowed to authenticate?
SAPStartSrv in Host mode has no user store of its own. Authentication relies on the users configured for access:
The user sapadm is always allowed to authenticate.
Additional OS users may be defined by profile parameter ‘service/admin_users’.
OS user groups may also be defined by profile parameter ‘service/admin_groups’.
Besides authentication with OS users it is also possible to allow additional users to authenticate with X.509 client certificates. For this, the DN of their certificates has to be configured in profile parameter ‘service/sso_admin_user_<xx>’.
Please note: This parameter also supports wildcards ‘?’ or ‘*’, which have to be used carefully.
User and password based authentication can also be deactivated by profile parameter ‘saphostagent/authentication_method’.
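The profile parameters from the sections on port binding and ACLs, encrypted communication, ‘service/protectedwebmethods’ and the ‘service/sso_admin_user_<xx>’ wildcards can be audited together. The following is an added example of my own (not an SAP tool) that parses a host_profile and reports the weak settings discussed in this post; the two profile fragments are constructed, and the ACL file paths, the cipher suite string and the precedence of ‘service/http/hostname’ over ‘service/hostname’ are assumptions.

```python
import re
# Constructed host_profile fragments (not from a real system); ACL paths and cipher string are assumed.
WEAK_PROFILE = """\
service/protectedwebmethods = NONE
service/sso_admin_user_01 = CN=*, OU=Basis, O=Example
"""
HARDENED_PROFILE = """\
service/hostname = 127.0.0.1
service/https/hostname = $(SAPLOCALHOST)
service/http/acl_file = /usr/sap/hostctrl/exe/http_acl
service/https/acl_file = /usr/sap/hostctrl/exe/https_acl
service/protectedwebmethods = ALL
saphostagent/ssl_setup = true
ssl/ciphersuites = PFS:HIGH::EC_P256:EC_HIGH
service/sso_admin_user_01 = CN=lama-admin, OU=Basis, O=Example
"""

def parse_profile(text: str) -> dict[str, str]:
    """Parse `key = value` lines of a SAP profile (comment lines start with '#')."""
    params: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()  # a later definition overrides an earlier one
    return params

def check_host_profile(text: str) -> list[str]:
    p = parse_profile(text)
    findings: list[str] = []
    for proto in ("http", "https"):
        # Assumption: service/<proto>/hostname overrides service/hostname; unset means all NICs.
        bind = p.get(f"service/{proto}/hostname", p.get("service/hostname", "0.0.0.0"))
        if bind == "0.0.0.0":
            findings.append(f"{proto}: port bound to all interfaces")
        if f"service/{proto}/acl_file" not in p:
            findings.append(f"{proto}: no ACL file (service/{proto}/acl_file)")
    pwm = p.get("service/protectedwebmethods", "").upper()
    if pwm == "NONE":
        findings.append("sapstartsrv web methods unprotected (service/protectedwebmethods = NONE)")
    elif pwm != "ALL":
        findings.append("service/protectedwebmethods not set to ALL (default protection applies)")
    if "ssl/ciphersuites" not in p:
        findings.append("ssl/ciphersuites not set (CommonCryptoLib defaults apply)")
    if p.get("saphostagent/ssl_setup", "").lower() != "true":
        findings.append("saphostagent/ssl_setup not enabled; verify the PSE in ssl/server_pse")
    for key, value in p.items():
        if key.startswith("service/sso_admin_user_") and re.search(r"[?*]", value):
            findings.append(f"wildcard in {key}: {value}")
    return findings
```

Feed it the content of the real host_profile, e.g. `check_host_profile(open("/usr/sap/hostctrl/exe/host_profile").read())`, and treat every returned line as an item to review against your network and SSO design.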
What about authorizations?
Even if saphostexec opens up all web methods to authenticated users, most of them require additional, subsequent authentication. For example:
- Web method ‘GetDatabaseStatus’ needs DB credentials to be present in the SAP Secure Store (located in /usr/sap/hostctrl//exe/<SID>/security/rsecssfs).
- Some web methods are proxied to SAP Instance Agent and that's why they have to be started with an OS user that is able to authenticate against SAPStartSrv of SAP Instance Agent, e.g., an OS user defined in profile parameter ‘service/admin_users’ of SAP Instance Agent.
- Web method ‘ExecuteInstallationProcedure’ seems to have a hardcoded check (“The user daaadm is not authorized to process the operation ExecuteInstallationProcedure”).
- Web method ‘ExecuteOperation’ allows custom authentication to be assigned within every configured operation.
What about the file http.server.settings?
The SAP Host Agent provides a mini web server which is utilized by some tools like SUM, SDA Deployment, etc.
These tools can be configured using the
This config file allows to configure authentication for these web applications based on their URL prefix.
The ‘authentication’ directive controls which additional users are allowed to authenticate. This can be used for OS level authentication, username and password authentication, as well as X.509 client certificate authentication for additional users.
Examples can be found at SDA Deployment Using SSO – Additional Topics – Community Wiki (sap.com)
Go to blogpost Protecting web methods offered by SAP Instance Agent.