
SAP Host Agent - service/protectedwebmethods

former_member204618
Active Contributor
0 Kudos

Hi All,

I've read a lot of notes and threads but I am at a loss with this problem.

Having read blog sapstartsrv service parameters - Basis Corner - SCN Wiki and the notes mentioned therein I set the host_profile parameter to


service/protectedwebmethods = NONE

For testing purposes so we could call method GetDatabaseStatus amongst others without requiring username and password.

I also tried with

service/protectedwebmethods = DEFAULT -GetDatabaseStatus

But nothing I try seems to stop it asking for username and password, and yes I restarted the host agent each time the parameter was changed.  I thought the whole point of the parameter was to allow or disallow protected methods.

This doesn't seem to function as far as I can tell.

I am running the latest version of SAP Host Agent 720 PL206.

I've tried this on Windows and on HPUX but they both do the same thing.

Am I missing something here?

Thanks

Craig

Accepted Solutions (0)

Answers (2)


Private_Member_27907
Participant
0 Kudos

Hi Craig,

Maybe this SAP document is interesting for you: "How to use the SAPControl Web Service Interface"

  • "ALL" protects all methods.
  • "SDEFAULT" protects almost all methods, but still permits an initial display of a system in SAP MMC/MC without authentication.
  • "DEFAULT" protects all methods that change the state of the system (but permits, for example, access to traces without authentication).
  • "NONE" does not protect any methods.

Recommended setting is "SDEFAULT".


"SDEFAULT -GetVersionInfo", for example, protects most methods, but permits the querying of version information without authentication.


"DEFAULT +GetVersionInfo", for example, protects only methods that change the state of the system and also the querying of version information.

Check this blog for more info about that parameter.

Regards

former_member204618
Active Contributor
0 Kudos

Hi Tomás

Perhaps you have misunderstood, I have tried using those settings but nothing seems to change.  Even setting it to NONE doesn't do what it's supposed to do, as in no protected web methods hence no requesting for authentication!!!

Like I said it doesn't do what it's supposed to do for some reason.

I set it to DEFAULT -GetDatabaseStatus but I am still prompted for the username and password.


cd /usr/sap/hostctrl/exe

./saphostctrl -host myhost -function GetDatabaseStatus -dbname SID -dbtype ora

Error: HTTP error, HTTP/1.1 401 Unauthorized

Even trying the above command using NONE results in the same error.

What can be causing this?

Thanks

Craig

alwina_enns
Employee
0 Kudos

Hello Craig,

Under which user do you execute the command above? What is the content of the host_profile? What are the permissions and owner of the executable sapuxuserchk for the SAPHOSTAGENT on unix?

Regards,
Alwina

former_member204618
Active Contributor
0 Kudos

Hi Alwina,

Perhaps I've missed something here but what difference does it make who the user is?  The whole point in removing the Protection on the method is to not care which user is calling the method, is it not?

Anyway here is the detail you requested.


SAPSYSTEMNAME = SAP

SAPSYSTEM = 99

service/protectedwebmethods = NONE

service/porttypes = SAPHostControl SAPOscol SAPCCMS

service/trace = 3

DIR_LIBRARY = C:\Program Files\SAP\hostctrl\exe

DIR_EXECUTABLE = C:\Program Files\SAP\hostctrl\exe

DIR_PROFILE = C:\Program Files\SAP\hostctrl\exe

DIR_GLOBAL = C:\Program Files\SAP\hostctrl\exe

DIR_INSTANCE = C:\Program Files\SAP\hostctrl\exe

DIR_HOME = C:\Program Files\SAP\hostctrl\work

I am on a HPUX system calling the

./saphostctrl -host myhost -function GetDatabaseStatus -dbname SID -dbtype ora


The myhost is running on Windows.


Cheers

Craig


alwina_enns
Employee
0 Kudos

Hello Craig,

I have asked about the user, because on our test system service/protectedwebmethods is not set in host_profile and I get results for your command on unix when I'm logged on as <sid>adm user. We have a Linux server. If you try to execute this command under an administrator, do you still get this authorization error?

With the profile like in your answer above it should work. What do you see in the sapstartsrv.log trace when you try to ask the status of the database? Is SSL configured for your SAPHOSTAGENT?

Regards,
Alwina

former_member204618
Active Contributor
0 Kudos

Hi Alwina,

Because I enabled tracing level 3 I get the following in the sapstartsrv.log :-


[Thr 11176] Start executing Webmethod GetDatabaseStatus

[Thr 11176] Operation GetDatabaseStatus; Socket type Network Socket; Remote IP 10.10.9.180; Remote port 59336; Username Not Available

[Thr 11176] KeyValueList-> BEGIN

[Thr 11176]                 Database/Name:SMS

[Thr 11176]                 Database/Type:ora

[Thr 11176] KeyValueList-> END

[Thr 11176] No username set for DefaultOperationCredentialAuthenticator

[Thr 11176] NiILocalCheck: SiBind failed (sirc=7;10049-WSAEADDRNOTAVAIL: Can't assign requested address 10.10.9.180)

[Thr 11176] NiLocalCheck: address 10.10.9.180 is not local

[Thr 11176] Authenticate: LocalConnection not-allowed for GetDatabaseStatus

[Thr 11176] Unauthorized (user authentication required)

[Thr 11176] *** ERROR => Webmethod GetDatabaseStatus failed: Unauthorized: User authentication required [saphostcontr 1836]

[Thr 11176] NiIPeek: peek for hdl 18 timed out (r; 0ms)

[Thr 11176] NiIPeek: peek successful for hdl 18 (w)

[Thr 11176] HostControl_SendHeader: HTTP/1.1 401 Unauthorized : null

[Thr 11176] HostControl_SendHeader: WWW-Authenticate : Basic realm="gSOAP Web Service"

[Thr 11176] HostControl_SendHeader: Server : gSOAP/2.7

[Thr 11176] HostControl_SendHeader: Send Additional Header -> No GSOAPHTTPRequest found

[Thr 11176] HostControl_SendHeader: Send Additional Header -> No GSOAPHTTPRequest found

[Thr 11176] HostControl_SendHeader: Connection : close

[Thr 11176] HostControl_SendHeader: Send Additional Header -> No GSOAPHTTPRequest found

[Thr 11176] NiIWrite: hdl 18 sent data (wrt=803,pac=1,RAW_IO)

[Thr 11176] NiIShutdownHandle: shutdown -w of hdl 18

[Thr 11176] NiICloseHandle: shutdown and close hdl 18/sock 792

No we don't use SSL, and the command is being run as the sidadm user on the HPUX box.

Thanks

Craig

alwina_enns
Employee
0 Kudos

Hello Craig,

Do you know which user is expected here:

[Thr 11176] Operation GetDatabaseStatus; Socket type Network Socket; Remote IP 10.10.9.180; Remote port 59336; Username Not Available

Are you trying to access the saphostagent from a remote host or locally? Does this command work if you execute it locally?

Regards,
Alwina

former_member204618
Active Contributor
0 Kudos

Hi Alwina,

I am trying to access the web service from the saphostagent remotely and yes I know what user would work if I passed it in and indeed does work if I pass in the option -user <username> <password>

Yes the command works locally without specifying the -user option.

Cheers

Craig

Former Member
0 Kudos

Hi Craig,

Sorry to say this, but I did not understand what you were trying to do and why you are working on these parameters. Could you please provide more details on what you are trying to achieve and the error you are facing? This would help us to understand the issue and help you.

Regards,

Pradeep

former_member204618
Active Contributor
0 Kudos

Hi Pradeep

I am trying to allow SAP Management Console and other things like sapcontrol from another machine the ability to check status without having to authenticate.

We would also like to use these web services in a dashboard again without requiring user authentication especially since it's only information we are displaying.

Thanks

Craig

former_member185954
Active Contributor
0 Kudos

Hello Craig,

Maybe there is an ACL restricting your IP address:

1495075 - Access control lists (ACL)


Regards,

Siddhesh

former_member204618
Active Contributor
0 Kudos

Hi Siddhesh,

This isn't applicable; I am not trying to access a SAP system. I am trying to access the saphostagent.

Thanks

Craig

former_member185954
Active Contributor
0 Kudos

Hello Craig,

From your trace file, I see the following entries.


[Thr 11176] NiLocalCheck: address 10.10.9.180 is not local

[Thr 11176] Authenticate: LocalConnection not-allowed for GetDatabaseStatus

[Thr 11176] Unauthorized (user authentication required)

I think it is applicable, check point 9 on the Wiki page that you shared.

It looks like the IP address isn't authorised to perform any Webmethods and hence is asked for userid/password.

Try adding your IP in the ACL file; the following is from the wiki page you shared.


service/http/acl_file, service/https/acl_file
form: <permit deny> <ip-address[/mask]> [tracelevel] [# comment] (e.g. permit 10.1.2.0/24    # permit client network)
function: to filter the access to a server port

Hope it works out.

Regards,

Siddhesh

former_member204618
Active Contributor
0 Kudos

Hi Siddhesh,

I didn't have any ACL active either on the SAP System or specified in the saphostagent profile.

So I added one to the saphostagent host_profile


SAPSYSTEMNAME = SAP

SAPSYSTEM = 99

service/protectedwebmethods = NONE

service/porttypes = SAPHostControl SAPOscol SAPCCMS

service/trace = 3

service/http/acl_file = C:\Program Files\SAP\hostctrl\work\acl_file

DIR_LIBRARY = C:\Program Files\SAP\hostctrl\exe

DIR_EXECUTABLE = C:\Program Files\SAP\hostctrl\exe

DIR_PROFILE = C:\Program Files\SAP\hostctrl\exe

DIR_GLOBAL = C:\Program Files\SAP\hostctrl\exe

DIR_INSTANCE = C:\Program Files\SAP\hostctrl\exe

DIR_HOME = C:\Program Files\SAP\hostctrl\work


Using network access control list for http: C:\Program Files\SAP\hostctrl\work\acl_file

[Thr 11256] NiIAclAppendRule: parse ACL line 'permit 172.30.7.0/24 # permit client network'

[Thr 11256] NiIAclAppendRule: remove comment '# permit client network'

[Thr 11256] NiStrToAddrMask: '10.10.9.0/24' -> 10.10.9.0/24 (1/0)

[Thr 11256] NiIAclAppendRule: read permission 'permit', address '10.10.9.0/24'

[Thr 11256] NiIAclAppendRule: parse ACL line 'permit 10.10.9.180 # permit server network'

[Thr 11256] NiIAclAppendRule: remove comment '# permit server network'

[Thr 11256] NiStrToAddrMask: '10.10.9.180' -> 10.10.9.180/32 (0/0)

[Thr 11256] NiIAclAppendRule: read permission 'permit', address '10.10.9.180'

[Thr 11256] NiIAclAppendRule: parse ACL line 'permit 10.0.0.0/8 1 # screening rule (learning mode, trace-level 1)'

[Thr 11256] NiIAclAppendRule: remove comment '# screening rule (learning mode, trace-level 1)'

[Thr 11256] NiStrToAddrMask: '10.0.0.0/8' -> 10.0.0.0/8 (1/0)

[Thr 11256] NiIAclAppendRule: read permission 'permit', address '10.0.0.0/8'

[Thr 11256] NiIAclAppendRule: read tracelevel '1'

[Thr 11256] NiIAclAppendRule: parse ACL line 'deny 0.0.0.0/0 # deny the rest'

[Thr 11256] NiIAclAppendRule: remove comment '# deny the rest'

[Thr 11256] NiStrToAddrMask: '0.0.0.0/0' -> 0.0.0.0/0 (1/0)

[Thr 11256] NiIAclAppendRule: read permission 'deny', address '0.0.0.0/0'

But same problem :-


[Thr 11256] Thu Mar 26 14:56:45 2015

[Thr 11256] NiIPeekListen: peek successful for hdl 1

[Thr 11256] NiIAccept: hdl 1 accepted connection

[Thr 11256] NiICreateHandle: hdl 9 state NI_INITIAL_CON

[Thr 11256] NiAcl::checkAddress: 10.10.9.180 -> permit 10.10.9.0/24 (count=1,rule=1,line=1)

[Thr 11256] NiIInitSocket: set default settings for hdl 9/sock 760 (I4; ST)

[Thr 11256] NiIBlockMode: set blockmode for hdl 9 FALSE

[Thr 11256] NiIAccept: state of hdl 9 NI_ACCEPTED

[Thr 11256] NiIAccept: hdl 1 accepted hdl 9 from 10.10.9.180:53090

[Thr 11256] NiIAccept: hdl 9 took local address 180.10.5.10:1128

[Thr 11256] NiIBlockMode: set blockmode for hdl 9 TRUE

[Thr 10660] NiIRead: hdl 9 received data (rcd=862,pac=1,RAW_IO)

[Thr 10660] HTTP Parse - Start

[Thr 10660] - Parsing buffer 'POST / HTTP/1.1'

[Thr 10660] HTTPMessage::AddBodyContent: Allocate in 0x00000000075996D0 8192 bytes (left=8192)

[Thr 10660] HTTPMessage::AddBodyContent: Copy in 0x00000000075996D0 697 bytes (Size = 8192, Left=7495)

[Thr 10660] Trying to lock HTTPHandlerManager::GetInstance

[Thr 10660] Successfully locked HTTPHandlerManager::GetInstance

[Thr 10660] Successfully unlocked HTTPHandlerManager::GetInstance

[Thr 10660] Trying to lock HTTPHandlerManager

[Thr 10660] Successfully locked HTTPHandlerManager

[Thr 10660] Successfully unlocked HTTPHandlerManager

[Thr 10660] Start executing Webmethod GetDatabaseStatus

[Thr 10660] Operation GetDatabaseStatus; Socket type Network Socket; Remote IP 10.10.9.180; Remote port 53090; Username Not Available

[Thr 10660] KeyValueList-> BEGIN

[Thr 10660]                 Database/Name:SMS

[Thr 10660]                 Database/Type:ora

[Thr 10660] KeyValueList-> END

[Thr 10660] No username set for DefaultOperationCredentialAuthenticator

[Thr 10660] NiILocalCheck: SiBind failed (sirc=7;10049-WSAEADDRNOTAVAIL: Can't assign requested address 10.10.9.180)

[Thr 10660] NiLocalCheck: address 10.10.9.180 is not local

[Thr 10660] Authenticate: LocalConnection not-allowed for GetDatabaseStatus

[Thr 10660] Unauthorized (user authentication required)

[Thr 10660] *** ERROR => Webmethod GetDatabaseStatus failed: Unauthorized: User authentication required [saphostcontr 1836]

[Thr 10660] NiIPeek: peek for hdl 9 timed out (r; 0ms)

[Thr 10660] NiIPeek: peek successful for hdl 9 (w)

[Thr 10660] HostControl_SendHeader: HTTP/1.1 401 Unauthorized : null

[Thr 10660] HostControl_SendHeader: WWW-Authenticate : Basic realm="gSOAP Web Service"

[Thr 10660] HostControl_SendHeader: Server : gSOAP/2.7

[Thr 10660] HostControl_SendHeader: Send Additional Header -> No GSOAPHTTPRequest found

[Thr 10660] HostControl_SendHeader: Send Additional Header -> No GSOAPHTTPRequest found

[Thr 10660] HostControl_SendHeader: Connection : close

[Thr 10660] HostControl_SendHeader: Send Additional Header -> No GSOAPHTTPRequest found

[Thr 10660] NiIWrite: hdl 9 sent data (wrt=803,pac=1,RAW_IO)

[Thr 10660] NiIShutdownHandle: shutdown -w of hdl 9

[Thr 10660] NiICloseHandle: shutdown and close hdl 9/sock 760
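
The level-3 traces posted in this thread record two separate decisions for the same client: the network ACL check (`NiAcl::checkAddress`) and the web method authentication (`NiLocalCheck` / `Authenticate`). The following is an added example, not part of any post and not SAP tooling: a small Python parser that correlates both per call and reports which layer produced the 401. The function name `summarize_calls` and the record fields are hypothetical; the sample lines are copied from the excerpts above.

```python
import re

# Constructed sample: lines copied from the level-3 sapstartsrv.log excerpts in this thread.
SAMPLE_TRACE = """\
[Thr 11256] NiAcl::checkAddress: 10.10.9.180 -> permit 10.10.9.0/24 (count=1,rule=1,line=1)
[Thr 10660] Start executing Webmethod GetDatabaseStatus
[Thr 10660] Operation GetDatabaseStatus; Socket type Network Socket; Remote IP 10.10.9.180; Remote port 53090; Username Not Available
[Thr 10660] No username set for DefaultOperationCredentialAuthenticator
[Thr 10660] NiLocalCheck: address 10.10.9.180 is not local
[Thr 10660] Authenticate: LocalConnection not-allowed for GetDatabaseStatus
[Thr 10660] *** ERROR => Webmethod GetDatabaseStatus failed: Unauthorized: User authentication required [saphostcontr 1836]
"""

LINE = re.compile(r"^\[?Thr (\d+)\] (.*)$")
ACL = re.compile(r"NiAcl::checkAddress: (\S+) -> (permit|deny) (\S+)")
OPERATION = re.compile(r"Operation (\w+); Socket type ([^;]+); Remote IP ([^;]+); "
                       r"Remote port (\d+); Username (.+)$")
NOT_LOCAL = re.compile(r"NiLocalCheck: address (\S+) is not local")
FAILED = re.compile(r"\*\*\* ERROR => Webmethod (\w+) failed: (.+?) \[")


def summarize_calls(trace):
    """Return one record per web method call, noting which layer rejected it."""
    acl_by_ip, open_calls, calls = {}, {}, []
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        thread, msg = m.groups()
        if a := ACL.search(msg):
            # The ACL is checked on the accepting thread, so key it by address.
            acl_by_ip[a.group(1)] = f"{a.group(2)} {a.group(3)}"
        elif o := OPERATION.search(msg):
            call = {"method": o.group(1), "remote_ip": o.group(3),
                    "username": o.group(5), "acl": acl_by_ip.get(o.group(3)),
                    "local": None, "error": None, "rejected_by": None}
            open_calls[thread] = call
            calls.append(call)
        elif thread in open_calls:
            call = open_calls[thread]
            if NOT_LOCAL.search(msg):
                call["local"] = False  # the agent treated the caller as remote
            elif f := FAILED.search(msg):
                call["error"] = f.group(2)
                call["rejected_by"] = ("authentication"
                                       if "Unauthorized" in f.group(2) else "other")
    return calls
```

On the sample, the single record shows `acl` as `permit 10.10.9.0/24` and `rejected_by` as `authentication`, i.e. the ACL let the connection through and the rejection came from the later authentication step.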