Technology Blogs by Members
Explore a vibrant mix of technical expertise, industry insights, and tech buzz in member blogs covering SAP products, technology, and events. Get in the mix!
Showing results for 
Search instead for 
Did you mean: 

In this blog I want to show some things about protected web methods. All in all this article is the result of all of my personal notes I created in the last years.

First time I had some "fun" with the protected web methods in a customer project. I tried to update a usual JAVA instance on a Windows Server with SUM at the customer place and I failed. That was very embarrassing, because the customer sit next to me :$ .

The cause and solution for all the problems at this time was just one line in the DEFAULT.PFL. Exactly the difference between DEFAULT and SDEFAULT.

SAP release some more Information about this topic in the last years, so this is more a collection of sources and facts, not a howto. Most of this is based on the Start Stop wiki

What we are dealing with


The webmethodes exist to control the webservice interface of the sapstrartsrv process. If you are not really familiar with sapstartsrv, then you should become it! This knowledge is very important for this topic and a lot of topics in SAP Basis administration.

wiki about start and stop instances:

Check the version:

Technical documentation:

Write your own instance controller:

web methods

with the webmethods of the sapstartsrv process you can control your SAP instances. The webmethods are protected. So an os user, for example, could not interact "accidentally" with sapstartsrv process.  Default admin user is <sid>adm. You can add more with the parameter  service/admin_users in profile, like <daa>adm.

With the <sid>adm user you can do a lot of evil things, even you don't know it's password. So SAP added another line of defence with the profile parameter service/protectedwebmethods.

Further information in note 927637 and 1439348 (also for sso)



You can control the protection of the web methods with the profile parameter service/protectedwebmethods. The parameter should be set to the old value DEFAULT or the new SDEFAULT. I set it in the DEFAULT.PFL, so it is valid for all instances. It's also kernel default, so in a newer (ABAP) Netweaver system you don't need to do anything.

More important is the parameter in JAVA, because there is not a really good parameter default check, as it is in ABAP.

The difference about DEFAULT and SDEFAULT is described in this wiki

You can also exclude protections, I describe it in the next topic.

Solutions for scenarios

I collected some scenarios with my best way solution.

After you have changed the parameter, you have to restart the sapstartsrv service. You can do this at any time, it has no effect on instance availability. NR is your instance number.

<sid>adm> sapcontrol -nr <NR> -function RestartService

Solman Monitoring cannot connect to service sapstartsrv

It is described in Note 2348537 2506964

You need to exclude JAVA instance webmethods from protection:

service/protectedwebmethods = SDEFAULT -J2EEGetProcessList2 -J2EEGetProcessList -ReadLogFile -ABAPReadSyslog -ListLogFilesError

JAVA NWA System Overview shows grey or red lights

Note 2544271 1883695

service/protectedwebmethods = SDEFAULT -PerfRead -MtGetTidByName -J2EEGetProcessList

SUM can't control sapcontrol

Note 1563660 1664214

Cancel the whole update and change the parameter to

service/protectedwebmethods = DEFAULT 

service/protectedwebmethods = NONE

Restart SUM from beginning.

Connection problems with DAA

Note 1939330

No authorization

Maintain parameter service/admin_users

Protect start/stop service with ACL

Parameter service/http/acl_file and service/https/acl_file

Create ACL file with syntax from note 1495075

Security Audits

Most security audits will note the admin_user and hostname parameters.

Service/admin_user -> Just follow the recommendation in note 927637

Service/hostnames -> That is a tricky case. You can set it, but then that could cause problems with SUM and MMC.

Labels in this area