SAP Host Agent, also known as SAPHostControl, offers web methods as SOAP web services to perform certain tasks on a host (for example OS monitoring, SAP instance and DB discovery, inventory and management).
The last security issue regarding a web method in SAP Host Agent dates back to 2017. Almost all documentation and write-ups about web method protection focus on SAP Instance Agent (SAPStartSrv). Therefore, I decided to spend some time looking at this topic for SAP Host Agent while I was writing my blogpost about Protecting web methods offered by SAP Instance Agent.
In the following I will play the question and answer game (as you may recognise from my other blogposts) to develop a basic understanding of the SAP Host Agent and its web methods.
SAP Host Agent can be found on any server which runs SAP components or is related to SAP systems, e.g., anyDB server.
SAP Host Agent is a SAPStartSrv in Host mode, also known as SAPHostControl. Typically it consists of three processes: sapstartsrv, running in the context of user sapadm; saphostexec, running in the context of user root; and saposcol, also running in the context of user root.
SAP Host Agent reads its parameters from the SAP Host Agent profile, which is stored on Linux as /usr/sap/hostctrl/exe/host_profile and on Windows as C:\Program Files\SAP\hostctrl\exe\host_profile.
Please note: The SAP Host Agent partly uses the same parameters as the SAP Instance Agent, while the SAP Instance Agent reads its parameters from the DEFAULT.PFL or instance profiles.
SAPStartSrv in Host mode binds ports 1128 (HTTP) and 1129 (HTTPS).
By default SAPStartSrv in Host mode binds its ports on all available NICs (indicated by 0.0.0.0):
```
~> sudo ss -tlpn | grep -e 112[89]
LISTEN 0 20 0.0.0.0:1128 0.0.0.0:* users:(("sapstatsrv",pid=15692,fd=16))
LISTEN 0 20 0.0.0.0:1129 0.0.0.0:* users:(("sapstatsrv",pid=15692,fd=9))
```
This can be adjusted with the parameters service/hostname, service/http/hostname and service/https/hostname.
For example, service/hostname and service/http/hostname could be set to 127.0.0.1 and service/https/hostname could be set to $(SAPLOCALHOST) to reduce the attack surface:
```
~> sudo ss -tlpn | grep -e 112[89]
LISTEN 0 20 127.0.0.1:1128 0.0.0.0:* users:(("sapstatsrv",pid=26912,fd=11))
LISTEN 0 20 192.168.75.135:1129 0.0.0.0:* users:(("sapstatsrv",pid=26912,fd=9))
```
saphostexec is addressed by sapstartsrv through local sockets, so it needs no network port of its own.
Access to these ports can be controlled individually by an ACL defined in parameter service/http/acl_file for HTTP and service/https/acl_file for HTTPS.
This should be considered if, for example, no proper network separation is in place.
As mentioned above, the SAPStartSrv in Host mode is able to allocate an HTTPS port. Therefore the relevant certificates have to be present in the SSL Server PSE specified by parameter ssl/server_pse.
As of SAP Host Agent 7.21 PL40, there is a feature for the automatic setup of a self-signed standard SSL Server PSE. This can be enabled by setting the parameter saphostagent/ssl_setup = true.
Please note: The PSE generated during the automatic setup cannot be used for X.509 based logon. The automatic setup will only create a SAPSSLS.pse if there is none; it will not overwrite an existing one.
When it comes to encryption, SAP Host Agent relies on the CommonCryptoLib (CCL) which is bundled with it. SAP Host Agent 7.21 PL50, for example, comes with CCL 8.5.36.
For incoming connections the protocol (TLS 1.0, TLS 1.1, TLS 1.2) and the available cryptographic algorithms can be adjusted using profile parameter ssl/ciphersuites.
For outgoing connections it is the profile parameter ssl/client_ciphersuites.
Some of the tools shipped with SAP Host Agent do not rely on the host_profile and need the corresponding environment variables SAPSSL_CLIENT_CIPHERSUITES and SAPSSL_CIPHERSUITES set for the executing user. Since the user sapadm is typically a non-login user without a shell, those environment variables should be set through the host_profile using SETENV_<xx>=<environment_variable>=<value>.
Details about how to determine suitable values for those parameters can be found at my blogpost CommonCryptoLib: TLS protocol versions and cipher suites.
Typical clients are saphostctrl, sapcontrol, SMD Agent, SDA (Simple Diagnostics Agent), SAP LaMa and SWDM. But there may also be custom developed scripts or 3rd party tools, e.g., for monitoring purposes or for start/stop of systems. For testing or troubleshooting, Postman or SoapUI may also be used as a client.
saphostexec provides web methods which can be queried using, for example, /usr/sap/hostctrl/exe/saphostctrl. saphostexec of SAP Host Agent 7.21 PL50 provides 49 web methods.
A WSDL is available at https://<hostname>:1129/SAPHostControl/?wsdl
In addition to that, sapstartsrv of SAPHostControl provides also some web methods which can be queried using, for example, /usr/sap/hostctrl/exe/sapcontrol. sapstartsrv of SAP Host Agent 7.21 PL50 provides 9 web methods.
Some but not all of these web methods are included in the WSDL at https://<hostname>:1129/SAPControl/?wsdl.
All web methods provided by saphostexec are protected by default, except web method 'Ping'.
For the web methods provided by sapstartsrv of SAPHostControl the protection depends on the setting of profile parameter service/protectedwebmethods.
Per default the following applies:

| Protected | Unprotected |
|---|---|
| AnalyseLogFiles | CheckHostAgent |
| ConfigureLogFileList | GetNetworkId |
| GetLogFileList | GetSecNetworkId |
| ListLogFiles | RequestLogonFile |
| StartService | WaitforServiceStarted |
| ReadLogFile | |
Protection can be disabled for all these web methods by setting service/protectedwebmethods = NONE, or it can be extended to all web methods, except CheckHostAgent, RequestLogonFile and WaitforServiceStarted (*), by setting service/protectedwebmethods = ALL.
(*) Please note: This exception seems to be undocumented!
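To make the hardening points from the sections above (listener binding and ACLs, TLS settings, the service/protectedwebmethods switch, and the wildcard DNs in service/sso_admin_user_<xx> discussed further below) checkable, here is a small audit script. It is an added example written for this post, not a tool shipped with SAP Host Agent; the parameter names are the ones quoted in the text, the fallback from service/http/hostname to service/hostname is an assumption, and both the host_profile excerpt and the `ss -tlpn` listing it consumes are constructed sample data.

```python
"""Audit an SAP Host Agent host_profile and an 'ss -tlpn' listing for the
hardening points discussed in the post. Added example code, not part of
SAP Host Agent. Profile parameter names are taken from the post; the
sample profile and socket listing below are constructed."""
import re
from typing import Dict, List, Set

# Constructed sample host_profile: mostly defaults, plus two deliberately
# weak settings (protection switched off, wildcard in a certificate DN).
SAMPLE_PROFILE = """\
SAPSYSTEMNAME = SAP
DIR_EXECUTABLE = /usr/sap/hostctrl/exe
service/protectedwebmethods = NONE
service/sso_admin_user_00 = CN=*, O=Example, C=DE
service/https/hostname = $(SAPLOCALHOST)
"""

# Constructed sample of 'ss -tlpn' output restricted to the agent's ports.
SAMPLE_SS = """\
LISTEN 0 20 0.0.0.0:1128 0.0.0.0:* users:(("sapstartsrv",pid=15692,fd=16))
LISTEN 0 20 192.168.75.135:1129 0.0.0.0:* users:(("sapstartsrv",pid=15692,fd=9))
"""

# Default protection of the sapstartsrv web methods, as listed in the post.
DEFAULT_PROTECTED = {"AnalyseLogFiles", "ConfigureLogFileList", "GetLogFileList",
                     "ListLogFiles", "StartService", "ReadLogFile"}
DEFAULT_UNPROTECTED = {"CheckHostAgent", "GetNetworkId", "GetSecNetworkId",
                       "RequestLogonFile", "WaitforServiceStarted"}
# Methods that stay unprotected even with ALL (the undocumented exception).
NEVER_PROTECTED = {"CheckHostAgent", "RequestLogonFile", "WaitforServiceStarted"}

PARAM_RE = re.compile(r"^\s*([^#=\s][^=]*?)\s*=\s*(.*?)\s*$")


def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines; '#' lines and blank lines are ignored."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        m = PARAM_RE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def protected_methods(setting: str) -> Set[str]:
    """Effective protected set for the values the post describes
    (DEFAULT, NONE, ALL); other syntaxes are not modelled here."""
    value = setting.strip().upper()
    if value == "NONE":
        return set()
    if value == "ALL":
        return (DEFAULT_PROTECTED | DEFAULT_UNPROTECTED) - NEVER_PROTECTED
    return set(DEFAULT_PROTECTED)


def audit_profile(params: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means no weak point found."""
    findings: List[str] = []
    # Assumption: the protocol-specific hostname parameter overrides
    # service/hostname; with neither set the port binds to 0.0.0.0.
    http_host = params.get("service/http/hostname", params.get("service/hostname", ""))
    if http_host in ("", "0.0.0.0"):
        findings.append("HTTP port 1128 binds to all interfaces; set service/http/hostname = 127.0.0.1")
    https_host = params.get("service/https/hostname", params.get("service/hostname", ""))
    if https_host in ("", "0.0.0.0"):
        findings.append("HTTPS port 1129 binds to all interfaces; set service/https/hostname")
    for p in ("service/http/acl_file", "service/https/acl_file"):
        if p not in params:
            findings.append(f"no ACL configured ({p} unset)")
    setting = params.get("service/protectedwebmethods", "DEFAULT")
    if setting.strip().upper() != "ALL":
        unprotected = (DEFAULT_PROTECTED | DEFAULT_UNPROTECTED) - protected_methods(setting)
        findings.append(f"service/protectedwebmethods = {setting}: unprotected sapstartsrv "
                        f"web methods: {', '.join(sorted(unprotected))}")
    for name, value in params.items():
        if name.startswith("service/sso_admin_user_") and re.search(r"[*?]", value):
            findings.append(f"{name} contains a wildcard DN: {value}")
    for p in ("ssl/ciphersuites", "ssl/client_ciphersuites"):
        if p not in params:
            findings.append(f"{p} unset; CCL defaults decide TLS versions and ciphers")
    # SETENV_<xx> = VAR=value: collect the exported variable names.
    env = {v.split("=", 1)[0] for k, v in params.items() if k.startswith("SETENV_")}
    for var in ("SAPSSL_CIPHERSUITES", "SAPSSL_CLIENT_CIPHERSUITES"):
        if var not in env:
            findings.append(f"{var} not exported via SETENV_<xx>; standalone tools use defaults")
    return findings


def audit_sockets(ss_output: str) -> List[str]:
    """Flag agent ports (1128/1129) that listen on a wildcard address."""
    findings: List[str] = []
    for line in ss_output.splitlines():
        m = re.search(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(112[89])\s", line)
        if m and m.group(1) in ("0.0.0.0", "*", "[::]"):
            findings.append(f"port {m.group(2)} listens on {m.group(1)} (all interfaces)")
    return findings


if __name__ == "__main__":
    for f in audit_profile(parse_profile(SAMPLE_PROFILE)) + audit_sockets(SAMPLE_SS):
        print("-", f)
```

Running it against the constructed sample reports the open HTTP listener, the missing ACLs, the NONE setting with the full list of web methods it leaves open, the wildcard DN and the missing cipher suite parameters; a profile that sets all of these comes back with an empty finding list, which is what a compliance check on a fleet of hosts would want to see.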
The following authentication methods are available:
- OS level authentication using Unix domain sockets or Windows named pipes,
- Local logon ticket (requested by web method RequestLogonFile),
- Username and password (make sure to always use HTTPS to prevent sending credentials over an unencrypted channel),
- Client certificate (X.509).
SAPStartSrv in Host mode has no own user store. The authentication relies on users configured for access.
The user sapadm is always allowed to authenticate.
Additional OS users may be defined by profile parameter service/admin_users.
OS user groups may also be defined by profile parameter service/admin_groups.
Besides authentication with OS users it is also possible to allow additional users to authenticate with X.509 client certificates. For this, the DN of their certificates has to be configured in profile parameter service/sso_admin_user_<xx>.
Please note: This parameter also supports the wildcards '?' and '*', which have to be used carefully.
There is also a possibility to deactivate username and password based authentication by profile parameter saphostagent/authentication_method.
Even if saphostexec opens up all web methods to authenticated users, most of them require additional subsequent authentication. For example
The SAP Host Agent provides a mini web server which is utilized by some tools like SUM, SDA Deployment, etc.
These tools can be configured on Linux in /usr/sap/hostctrl/exe/config.d/http.server.settings or on Windows in C:\Program Files\SAP\hostctrl\exe\config.d\http.server.settings.
This config file allows configuring authentication for these web applications based on their URL prefix.
The authentication directive controls which additional users are allowed to authenticate. This can be used for OS level authentication, username and password authentication, as well as X.509 client certificate authentication for additional users.
Examples can be found at SDA Deployment Using SSO - Additional Topics - Community Wiki (sap.com)
Go to blogpost Protecting web methods offered by SAP Instance Agent.