
In this blog I want to show a few things about protected web methods. All in all, this article is the result of the personal notes I created over the last few years.
The first time I had some "fun" with protected web methods was in a customer project. I tried to update a normal JAVA instance on a Windows Server with SUM at the customer site, and I failed. That was very embarrassing, because the customer was sitting next to me.
The cause of, and the solution to, all the problems at that time was just one line in DEFAULT.PFL: exactly the difference between DEFAULT and SDEFAULT.
SAP has released more information on this topic over the last few years, so this is more a collection of sources and facts than a how-to. Most of it is based on the Start Stop wiki: https://wiki.scn.sap.com/wiki/display/SI/SAP+Start+Service
The web methods exist to control the web service interface of the sapstartsrv process. If you are not really familiar with sapstartsrv, you should become so! This knowledge is very important for this topic and for a lot of other topics in SAP Basis administration.
Wiki about starting and stopping instances: https://wiki.scn.sap.com/wiki/display/SL/Starting+and+stoping+the+instance+during+update+manually
Check the version:
https://wiki.scn.sap.com/wiki/display/SI/How+to+check+the+sapstartsrv+release+and+patch+level
Technical documentation:
Write your own instance controller:
https://wiki.scn.sap.com/wiki/display/ATopics/Scripting+SAP+MMC+Operations
With the web methods of the sapstartsrv process you can control your SAP instances. Web methods can be protected: a protected method is only executed after authentication as an admin user, so that an OS user, for example, cannot interact "accidentally" with the sapstartsrv process. The default admin user is <sid>adm. You can add more with the profile parameter service/admin_users, for example <daa>adm (the Diagnostics Agent user).
The web service of sapstartsrv (HTTP port 5<NR>13, HTTPS port 5<NR>14) is reachable over the network, and an unprotected web method can be called there without knowing any password. Through such methods you can do a lot of evil things to an instance as <sid>adm, even if you do not know the <sid>adm password. So SAP added another line of defence with the profile parameter service/protectedwebmethods.
Further information is in notes 927637 and 1439348 (the latter also covers SSO):
https://launchpad.support.sap.com/#/notes/927637
https://launchpad.support.sap.com/#/notes/1439348
You control the protection of the web methods with the profile parameter service/protectedwebmethods. Set it either to the older value DEFAULT or to the newer, stricter value SDEFAULT. I set it in DEFAULT.PFL, so it is valid for all instances of the system (a value in an instance profile overrides it for that instance). SDEFAULT is also the kernel default, so in a newer (ABAP) NetWeaver system you do not need to do anything.
The parameter is more important in JAVA, because there is no really good parameter default check there, as there is in ABAP.
The difference between DEFAULT and SDEFAULT is described in this wiki:
https://wiki.scn.sap.com/wiki/display/SI/Protected+web+methods+of+sapstartsrv
You can also exclude individual methods from protection; I describe that in the next topic.
I collected some scenarios with what I found to be the best solution.
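To make the parameter semantics tangible, here is an added example (my own code, not from the original post and not SAP's) that expands a service/protectedwebmethods value into the set of methods it protects and resolves which value wins for an instance when both DEFAULT.PFL and the instance profile set it. It assumes the documented syntax of a base keyword (NONE, DEFAULT, SDEFAULT or ALL) followed by optional +Method / -Method modifiers, and that the instance profile overrides DEFAULT.PFL. The method lists inside are a small illustrative subset, not the real DEFAULT/SDEFAULT lists; take those from the wiki. The two profiles at the bottom are constructed sample input.

```python
"""Resolve the effective set of protected sapstartsrv web methods (added example)."""
import re

# Illustrative subsets (assumption): the real DEFAULT and SDEFAULT lists are
# much longer; take them from the SCN wiki "Protected web methods of sapstartsrv".
DEFAULT_METHODS = frozenset({"Stop", "Shutdown", "RestartInstance", "SendSignal"})
SDEFAULT_METHODS = DEFAULT_METHODS | {
    "ReadLogFile", "ListLogFilesError", "ABAPReadSyslog",
    "J2EEGetProcessList", "J2EEGetProcessList2", "PerfRead", "MtGetTidByName",
}
# ALL protects every method the service offers; constructed subset as well.
ALL_METHODS = SDEFAULT_METHODS | {"GetProcessList", "GetVersionInfo", "ParameterValue"}

BASES = {
    "NONE": frozenset(),          # protection switched off completely
    "DEFAULT": DEFAULT_METHODS,   # older, smaller list
    "SDEFAULT": SDEFAULT_METHODS, # newer, stricter list (kernel default per the post)
    "ALL": ALL_METHODS,
}
KERNEL_DEFAULT = "SDEFAULT"
MODIFIER = re.compile(r"([+-])([A-Za-z0-9_]+)")


def parse_protectedwebmethods(value):
    """Split 'SDEFAULT -PerfRead +GetVersionInfo' into (base, added, removed)."""
    tokens = value.split()
    if not tokens or tokens[0].upper() not in BASES:
        raise ValueError(f"unknown base keyword in {value!r}")
    base = tokens[0].upper()
    added, removed = set(), set()
    for tok in tokens[1:]:
        m = MODIFIER.fullmatch(tok)
        if not m:
            raise ValueError(f"bad modifier {tok!r} (expected +Method or -Method)")
        (added if m.group(1) == "+" else removed).add(m.group(2))
    return base, added, removed


def effective_protected(value):
    """Expand a parameter value into the set of protected method names."""
    base, added, removed = parse_protectedwebmethods(value)
    return (set(BASES[base]) | added) - removed


def read_profile(text):
    """Minimal SAP profile parser: 'name = value' lines, '#' starts a comment."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            name, val = line.split("=", 1)
            params[name.strip()] = val.strip()
    return params


def resolve_for_instance(default_pfl, instance_profile):
    """Effective protected set for one instance: the instance profile beats
    DEFAULT.PFL, and an unset parameter falls back to the kernel default."""
    value = KERNEL_DEFAULT
    for text in (default_pfl, instance_profile):
        value = read_profile(text).get("service/protectedwebmethods", value)
    return effective_protected(value)


# Constructed sample profiles (not from a real system).
DEFAULT_PFL = """# constructed sample DEFAULT.PFL
SAPSYSTEMNAME = XYZ
service/protectedwebmethods = SDEFAULT
"""
JAVA_INSTANCE_PROFILE = """# constructed sample instance profile of a Java instance
service/protectedwebmethods = SDEFAULT -J2EEGetProcessList -PerfRead
"""

if __name__ == "__main__":
    for value in ("DEFAULT", "SDEFAULT",
                  "SDEFAULT -PerfRead -MtGetTidByName -J2EEGetProcessList", "NONE"):
        print(f"{value:58} -> {sorted(effective_protected(value))}")
    print("Java instance:", sorted(resolve_for_instance(DEFAULT_PFL, JAVA_INSTANCE_PROFILE)))
```

Run it as a script to see how each value expands. The useful part for daily work is resolve_for_instance: after editing DEFAULT.PFL, check that no instance profile still carries its own, weaker value, because that is the one sapstartsrv will use.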
After you have changed the parameter, you have to restart the sapstartsrv service. You can do this at any time; it restarts only sapstartsrv and has no effect on instance availability. <NR> is your instance number.
<sid>adm> sapcontrol -nr <NR> -function RestartService
This is described in notes 2348537 https://launchpad.support.sap.com/#/notes/2348537 and 2506964 https://launchpad.support.sap.com/#/notes/2506964
You need to exclude the following JAVA instance web methods from protection:
service/protectedwebmethods = SDEFAULT -J2EEGetProcessList2 -J2EEGetProcessList -ReadLogFile -ABAPReadSyslog -ListLogFilesError
Notes 2544271 https://launchpad.support.sap.com/#/notes/2544271 and 1883695 https://launchpad.support.sap.com/#/notes/1883695
service/protectedwebmethods = SDEFAULT -PerfRead -MtGetTidByName -J2EEGetProcessList
Notes 1563660 https://launchpad.support.sap.com/#/notes/1563660 and 1664214 https://launchpad.support.sap.com/#/notes/1664214
Cancel the whole update and change the parameter to one of
service/protectedwebmethods = DEFAULT
service/protectedwebmethods = NONE
Restart SUM from the beginning. Keep in mind that NONE switches the protection off completely, so set SDEFAULT again (and restart sapstartsrv) as soon as the update is finished.
Note 1939330 https://launchpad.support.sap.com/#/notes/1939330
Maintain the parameter service/admin_users
https://launchpad.support.sap.com/#/notes/927637
Parameters service/http/acl_file and service/https/acl_file
Create the ACL file with the syntax from note 1495075 https://launchpad.support.sap.com/#/notes/1495075
Most security audits will flag the service/admin_users and service/hostname parameters.
service/admin_users -> Just follow the recommendation in note 927637.
service/hostname -> That is a tricky case. You can set it to bind the sapstartsrv web service to one address, but then that can cause problems with SUM and the MMC, which connect to that web service.
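As an added example (my own code, neither from the original post nor from SAP), here is a small audit script that reads a profile as plain name = value text and reports the points mentioned above: the value of service/protectedwebmethods, any methods excluded from protection, extra admin users, and whether the web service is restricted at all by service/hostname or an ACL file. The two profiles at the bottom are constructed, the ACL file paths are made up, and the severities are my own choice; SDEFAULT is assumed as the kernel default when the parameter is absent, as the post states.

```python
"""Audit the sapstartsrv hardening parameters of one SAP profile (added example)."""


def read_profile(text):
    """Minimal SAP profile parser: 'name = value' lines, '#' starts a comment."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params


def audit_sapstartsrv(profile_text, kernel_default="SDEFAULT"):
    """Return a list of (severity, message) findings for the given profile text."""
    p = read_profile(profile_text)
    findings = []

    # 1. Protection of the web methods: NONE disables it, DEFAULT is the older list.
    tokens = p.get("service/protectedwebmethods", kernel_default).split()
    base = tokens[0].upper() if tokens else ""
    if base == "NONE":
        findings.append(("HIGH", "service/protectedwebmethods = NONE: "
                                 "all web methods callable without authentication"))
    elif base == "DEFAULT":
        findings.append(("MEDIUM", "service/protectedwebmethods = DEFAULT: "
                                   "SDEFAULT protects more methods"))
    elif base not in ("SDEFAULT", "ALL"):
        findings.append(("HIGH", "service/protectedwebmethods has unexpected value "
                                 + repr(" ".join(tokens))))
    excluded = [t[1:] for t in tokens[1:] if t.startswith("-")]
    if excluded:
        findings.append(("INFO", "methods excluded from protection: " + ", ".join(excluded)))

    # 2. Who may call protected methods besides <sid>adm.
    admins = p.get("service/admin_users", "")
    if admins:
        findings.append(("INFO", "service/admin_users grants sapstartsrv admin rights to: " + admins))

    # 3. Network exposure: neither an interface binding nor an ACL file configured.
    has_acl = bool(p.get("service/http/acl_file") or p.get("service/https/acl_file"))
    if not has_acl and "service/hostname" not in p:
        findings.append(("MEDIUM", "no service/hostname binding and no service/http(s)/acl_file: "
                                   "web service is not network-restricted"))
    return findings


# Constructed sample profiles (not from a real system).
WEAK_PROFILE = """# constructed: instance profile left behind after an update
SAPSYSTEMNAME = XYZ
service/protectedwebmethods = NONE
service/admin_users = daaadm
"""
HARDENED_PROFILE = """# constructed: Java instance with SDEFAULT plus one exclusion and ACL files
SAPSYSTEMNAME = XYZ
service/protectedwebmethods = SDEFAULT -J2EEGetProcessList
service/http/acl_file = /usr/sap/XYZ/SYS/global/sapstartsrv_http.acl
service/https/acl_file = /usr/sap/XYZ/SYS/global/sapstartsrv_https.acl
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(f"== {name} ==")
        for severity, message in audit_sapstartsrv(text):
            print(f"  [{severity}] {message}")
```

Point the script at every DEFAULT.PFL and instance profile of a system, not just one: the effective value for an instance comes from the last profile that sets it, so a NONE forgotten in an instance profile after an SUM run is exactly the kind of thing an auditor will find.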