Purpose

To explain the difference between the two options of the service/protectedwebmethods parameter.

Overview

The SAPControl Webservice interface of sapstartsrv differentiates between protected and unprotected Webservice methods. Protected methods are executed only after a successful user authentication; unprotected methods do not require it. By default, all methods that change the status of the instance or the system when called are protected.

The parameter service/protectedwebmethods determines which methods are protected. It can have two different default values: DEFAULT or SDEFAULT.

DEFAULT

Old default: protect all actions that can alter the state of the instance.
It is active if service/protectedwebmethods = DEFAULT is set in the startup profile of the corresponding instance.
Protected web methods are (example from kernel 753):

 

    • Bootstrap
      CheckPSE
      CheckUpdateSystem
      ConfigureLogFileList
      CreatePSECredential
      CreateSnapshot
      DeletePSE
      DeleteSnapshots
      EnqRemoveLocks
      EnqRemoveUserLocks
      GetCallstack
      GWCancelConnections
      GWDeleteClients
      GWDeleteConnections
      HAFailoverToNode
      HASetMaintenanceMode
      InstanceStart
      InstanceStop
      J2EEControlCluster
      J2EEControlComponents
      J2EEControlProcess
      J2EEDisableDbgSession
      J2EEEnableDbgSession
      OSExecute
      RestartInstance
      RestartSystem
      SendSignal
      SetProcessParameter
      SetProcessParameter2
      Shutdown
      Start
      StartBypassHA
      StartSystem
      Stop
      StopBypassHA
      StopService
      StopSystem
      StorePSE
      UpdateInstancePSE
      UpdateSCSInstance
      UpdateSystem
      UpdateSystemPKI
      GetAgentConfig
      GetListOfMaByCusGrp
      GetMcInLocalMs
      GetMtesByRequestTable
      GetMtListByMtclass
      InfoGetTree
      MscCustomizeWrite
      MscDeleteLines
      MscReadCache
      MsGetLocalMsInfo
      MsGetMteclsInLocalMs
      MtChangeStatus
      MtCustomizeWrite
      MtDbsetToWpsetByTid
      MtDestroyMarkNTry
      MteGetByToolRunstatus
      MtGetAllToCust
      MtGetAllToolsToSet
      MtGetMteinfo
      MtGetTidByName
      MtRead
      MtReset
      PerfCustomizeWrite
      PerfRead
      PerfReadSmoothData
      ReadDirectory
      ReadFile
      ReadProfileParameters
      ReferenceRead
      Register
      RequestLogonFile
      SnglmgsCustomizeWrite
      SystemObjectSetValue
      TextAttrRead
      ToolGetEffective
      ToolSet
      ToolSetRuntimeStatus
      TriggerDataCollection
      Unregister
      UtilAlChangeStatus
      UtilMtGetAidByTid
      UtilMtGetTreeLocal
      UtilMtReadAll
      UtilReadRawalertByAid
      UtilSnglmsgReadRawdata

 

SDEFAULT

New default: protect almost everything, just allowing consoles to show the initial view.
It is active if service/protectedwebmethods = SDEFAULT is set in the startup profile of the corresponding instance.
Protected web methods are (example from kernel 753):

    • ABAPAcknowledgeAlerts
      ABAPCheckRFCDestinations
      ABAPGetComponentList
      ABAPGetSystemWPTable
      ABAPGetWPTable
      ABAPReadRawSyslog
      ABAPReadSyslog
      AnalyseLogFiles
      Bootstrap
      CheckParameter
      CheckPSE
      CheckUpdateSystem
      ConfigureLogFileList
      CreatePSECredential
      CreateSnapshot
      DeletePSE
      DeleteSnapshots
      EnqGetLockTable
      EnqGetStatistic
      EnqRemoveLocks
      EnqRemoveUserLocks
      GetAccessPointList
      GetAlerts
      GetAlertTree
      GetCallstack
      GetEnvironment
      GetLogFileList
      GetProcessParameter
      GetQueueStatistic
      GetStartProfile
      GetSystemUpdateList
      GetTraceFile
      GetVersionInfo
      GWCancelConnections
      GWDeleteClients
      GWDeleteConnections
      GWGetConnectionList
      GWGetClientList
      HACheckConfig
      HACheckFailoverConfig
      HACheckMaintenanceMode
      HAFailoverToNode
      HAGetFailoverConfig
      HASetMaintenanceMode
      ICMGetCacheEntries
      ICMGetConnectionList
      ICMGetProxyConnectionList
      ICMGetThreadList
      InstanceStart
      InstanceStop
      J2EEControlCluster
      J2EEControlComponents
      J2EEControlProcess
      J2EEDisableDbgSession
      J2EEEnableDbgSession
      J2EEGetApplicationAliasList
      J2EEGetCacheStatistic
      J2EEGetCacheStatistic2
      J2EEGetClusterMsgList
      J2EEGetComponentList
      J2EEGetEJBSessionList
      J2EEGetProcessList
      J2EEGetProcessList2
      J2EEGetRemoteObjectList
      J2EEGetSessionList
      J2EEGetSharedTableInfo
      J2EEGetThreadCallStack
      J2EEGetThreadList
      J2EEGetThreadList2
      J2EEGetThreadTaskStack
      J2EEGetVMGCHistory
      J2EEGetVMGCHistory2
      J2EEGetVMHeapInfo
      J2EEGetWebSessionList
      J2EEGetWebSessionList2
      ListConfigFiles
      ListDeveloperTraces
      ListLogFiles
      ListSnapshots
      OSExecute
      ParameterValue
      ReadConfigFile
      ReadDeveloperTrace
      ReadLogFile
      ReadSnapshot
      RestartInstance
      RestartService
      RestartSystem
      SendSignal
      SetProcessParameter
      SetProcessParameter2
      ShmDetach
      Shutdown
      Start
      StartBypassHA
      StartSystem
      Stop
      StopBypassHA
      StopService
      StopSystem
      StorePSE
      UpdateInstancePSE
      UpdateSCSInstance
      UpdateSystem
      UpdateSystemPKI
      WebDispGetServerList
      WebDispGetGroupList
      WebDispGetVirtHostList
      WebDispGetUrlPrefixList
      GetAgentConfig
      GetListOfMaByCusGrp
      GetMcInLocalMs
      GetMtesByRequestTable
      GetMtListByMtclass
      InfoGetTree
      MscCustomizeWrite
      MscDeleteLines
      MscReadCache
      MsGetLocalMsInfo
      MsGetMteclsInLocalMs
      MtChangeStatus
      MtCustomizeWrite
      MtDbsetToWpsetByTid
      MtDestroyMarkNTry
      MteGetByToolRunstatus
      MtGetAllToCust
      MtGetAllToolsToSet
      MtGetMteinfo
      MtGetTidByName
      MtRead
      MtReset
      PerfCustomizeWrite
      PerfRead
      PerfReadSmoothData
      ReadDirectory
      ReadFile
      ReadProfileParameters
      ReferenceRead
      Register
      RequestLogonFile
      SnglmgsCustomizeWrite
      SystemObjectSetValue
      TextAttrRead
      ToolGetEffective
      ToolSet
      ToolSetRuntimeStatus
      TriggerDataCollection
      Unregister
      UtilAlChangeStatus
      UtilMtGetAidByTid
      UtilMtGetTreeLocal
      UtilMtReadAll
      UtilReadRawalertByAid
      UtilSnglmsgReadRawdata

Protected webmethods
DEFAULT vs. SDEFAULT

DEFAULT | SDEFAULT
- | ABAPAcknowledgeAlerts
- | ABAPCheckRFCDestinations
- | ABAPGetComponentList
- | ABAPGetSystemWPTable
- | ABAPGetWPTable
- | ABAPReadRawSyslog
- | ABAPReadSyslog
- | AnalyseLogFiles
Bootstrap | Bootstrap
- | CheckParameter
CheckPSE | CheckPSE
CheckUpdateSystem | CheckUpdateSystem
ConfigureLogFileList | ConfigureLogFileList
CreatePSECredential | CreatePSECredential
CreateSnapshot | CreateSnapshot
DeletePSE | DeletePSE
DeleteSnapshots | DeleteSnapshots
- | EnqGetLockTable
- | EnqGetStatistic
EnqRemoveLocks | EnqRemoveLocks
EnqRemoveUserLocks | EnqRemoveUserLocks
- | GetAccessPointList
GetAgentConfig | GetAgentConfig
- | GetAlerts
- | GetAlertTree
GetCallstack | GetCallstack
- | GetEnvironment
GetListOfMaByCusGrp | GetListOfMaByCusGrp
- | GetLogFileList
GetMcInLocalMs | GetMcInLocalMs
GetMtesByRequestTable | GetMtesByRequestTable
GetMtListByMtclass | GetMtListByMtclass
- | GetProcessParameter
- | GetQueueStatistic
- | GetStartProfile
- | GetSystemUpdateList
- | GetTraceFile
- | GetVersionInfo
GWCancelConnections | GWCancelConnections
GWDeleteClients | GWDeleteClients
GWDeleteConnections | GWDeleteConnections
- | GWGetClientList
- | GWGetConnectionList
- | HACheckConfig
- | HACheckFailoverConfig
- | HACheckMaintenanceMode
HAFailoverToNode | HAFailoverToNode
- | HAGetFailoverConfig
HASetMaintenanceMode | HASetMaintenanceMode
- | ICMGetCacheEntries
- | ICMGetConnectionList
- | ICMGetProxyConnectionList
- | ICMGetThreadList
InfoGetTree | InfoGetTree
InstanceStart | InstanceStart
InstanceStop | InstanceStop
J2EEControlCluster | J2EEControlCluster
J2EEControlComponents | J2EEControlComponents
J2EEControlProcess | J2EEControlProcess
J2EEDisableDbgSession | J2EEDisableDbgSession
J2EEEnableDbgSession | J2EEEnableDbgSession
- | J2EEGetApplicationAliasList
- | J2EEGetCacheStatistic
- | J2EEGetCacheStatistic2
- | J2EEGetClusterMsgList
- | J2EEGetComponentList
- | J2EEGetEJBSessionList
- | J2EEGetProcessList
- | J2EEGetProcessList2
- | J2EEGetRemoteObjectList
- | J2EEGetSessionList
- | J2EEGetSharedTableInfo
- | J2EEGetThreadCallStack
- | J2EEGetThreadList
- | J2EEGetThreadList2
- | J2EEGetThreadTaskStack
- | J2EEGetVMGCHistory
- | J2EEGetVMGCHistory2
- | J2EEGetVMHeapInfo
- | J2EEGetWebSessionList
- | J2EEGetWebSessionList2
- | ListConfigFiles
- | ListDeveloperTraces
- | ListLogFiles
- | ListSnapshots
MscCustomizeWrite | MscCustomizeWrite
MscDeleteLines | MscDeleteLines
MscReadCache | MscReadCache
MsGetLocalMsInfo | MsGetLocalMsInfo
MsGetMteclsInLocalMs | MsGetMteclsInLocalMs
MtChangeStatus | MtChangeStatus
MtCustomizeWrite | MtCustomizeWrite
MtDbsetToWpsetByTid | MtDbsetToWpsetByTid
MtDestroyMarkNTry | MtDestroyMarkNTry
MteGetByToolRunstatus | MteGetByToolRunstatus
MtGetAllToCust | MtGetAllToCust
MtGetAllToolsToSet | MtGetAllToolsToSet
MtGetMteinfo | MtGetMteinfo
MtGetTidByName | MtGetTidByName
MtRead | MtRead
MtReset | MtReset
OSExecute | OSExecute
- | ParameterValue
PerfCustomizeWrite | PerfCustomizeWrite
PerfRead | PerfRead
PerfReadSmoothData | PerfReadSmoothData
- | ReadConfigFile
- | ReadDeveloperTrace
ReadDirectory | ReadDirectory
ReadFile | ReadFile
- | ReadLogFile
ReadProfileParameters | ReadProfileParameters
- | ReadSnapshot
ReferenceRead | ReferenceRead
Register | Register
RequestLogonFile | RequestLogonFile
RestartInstance | RestartInstance
- | RestartService
RestartSystem | RestartSystem
SendSignal | SendSignal
SetProcessParameter | SetProcessParameter
SetProcessParameter2 | SetProcessParameter2
- | ShmDetach
Shutdown | Shutdown
SnglmgsCustomizeWrite | SnglmgsCustomizeWrite
Start | Start
StartBypassHA | StartBypassHA
StartSystem | StartSystem
Stop | Stop
StopBypassHA | StopBypassHA
StopService | StopService
StopSystem | StopSystem
StorePSE | StorePSE
SystemObjectSetValue | SystemObjectSetValue
TextAttrRead | TextAttrRead
ToolGetEffective | ToolGetEffective
ToolSet | ToolSet
ToolSetRuntimeStatus | ToolSetRuntimeStatus
TriggerDataCollection | TriggerDataCollection
Unregister | Unregister
UpdateInstancePSE | UpdateInstancePSE
UpdateSCSInstance | UpdateSCSInstance
UpdateSystem | UpdateSystem
UpdateSystemPKI | UpdateSystemPKI
UtilAlChangeStatus | UtilAlChangeStatus
UtilMtGetAidByTid | UtilMtGetAidByTid
UtilMtGetTreeLocal | UtilMtGetTreeLocal
UtilMtReadAll | UtilMtReadAll
UtilReadRawalertByAid | UtilReadRawalertByAid
UtilSnglmsgReadRawdata | UtilSnglmsgReadRawdata
- | WebDispGetGroupList
- | WebDispGetServerList
- | WebDispGetUrlPrefixList
- | WebDispGetVirtHostList

The way to check the current settings

The following property lists the protected web methods of the corresponding instance:

property: Protected Webmethods
propertytype: Attribute
value: <list of protected webmethods>

sapcontrol -nr <instance number> -function ParameterValue service/protectedwebmethods
displays the current parameter setting, e.g.:

05.12.2017 16:57:06
ParameterValue
OK

SDEFAULT

Not protected webmethods

To find out which webmethods are not protected, execute the following commands:

  1. sapcontrol -nr <instance number> -function GetInstanceProperties | grep -i webmethods | grep -vi protected | tr ',' '\n' | tr -d ' ' | sort > all.txt
  2. sapcontrol -nr <instance number> -function GetInstanceProperties | grep -i webmethods | grep -i protected | tr ',' '\n' | tr -d ' ' | sort > protected.txt
  3. diff -ywa protected.txt all.txt | grep '>'

And the outcome is (in this example):

comm -23 all.txt protected.txt

AccessCheck
GetInstanceProperties
GetNetworkId
GetProcessList
GetSecNetworkId
GetSystemInstanceList

The methods listed above are the ones which are not protected.
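
The same comparison as an added example (not part of the original page): a shell audit that extracts both properties by exact name, computes the unprotected set, and flags anything beyond the six methods listed above. It assumes the one-line-per-property `name, type, value` layout that the grep/tr pipeline above relies on; the sample output and the function names are constructed.

```shell
#!/bin/sh
# Added example: list SAPControl web methods callable without authentication.
# Baseline from the page: the six methods left unprotected in its SDEFAULT example.
EXPECTED_UNPROTECTED="AccessCheck GetInstanceProperties GetNetworkId
GetProcessList GetSecNetworkId GetSystemInstanceList"

# Constructed sample output (assumed "name, type, value" layout, shortened lists).
SAMPLE='05.12.2017 16:57:06
GetInstanceProperties
OK
property, propertytype, value
SAPSYSTEM, Attribute, 00
Webmethods, Attribute, AccessCheck,GetInstanceProperties,GetProcessList,GetVersionInfo,ReadLogFile,Start,Stop
Protected Webmethods, Attribute, Start,Stop,OSExecute'

# property_values OUTPUT NAME: values of the exactly named property, one per line.
# Matching the whole name keeps "Webmethods" and "Protected Webmethods" apart and
# keeps the name and type columns out of the result.
property_values() {
    printf '%s\n' "$1" | awk -F', *' -v name="$2" '
        { gsub(/\r/, "") }
        $1 == name { for (i = 3; i <= NF; i++) if ($i != "") print $i }
    ' | LC_ALL=C sort -u
}

# unprotected_methods OUTPUT: Webmethods minus Protected Webmethods.
unprotected_methods() {
    all=$(property_values "$1" "Webmethods")
    prot=$(property_values "$1" "Protected Webmethods")
    [ -n "$all" ] || return 0   # property missing: nothing to report
    # -x matches whole lines only, so "Start" does not hide "StartSystem".
    printf '%s\n' "$all" | grep -vxF -e "$prot" || true
}

# unexpected_unprotected OUTPUT: unprotected methods outside the baseline.
# A non-empty result means more is exposed than in the page's SDEFAULT example.
unexpected_unprotected() {
    base=$(printf '%s\n' $EXPECTED_UNPROTECTED)
    unprotected_methods "$1" | grep -vxF -e "$base" || true
}

echo "Unprotected web methods:"
unprotected_methods "$SAMPLE"
echo "Not in the SDEFAULT baseline (review these):"
unexpected_unprotected "$SAMPLE"
```

Against a live instance, pass `"$(sapcontrol -nr <instance number> -function GetInstanceProperties)"` in place of `"$SAMPLE"`.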

Related Documents

How to use the SAPControl Web Service Interface

Related SAP Notes/KBAs

SAP Note 1439348: Extended security settings for sapstartsrv
SAP Note 927637: Web service authentication in sapstartsrv as of Release 7.00
SAP Note 2493171: Information Disclosure in SAP NetWeaver Instance Agent Service

 

2 Comments

  1. Hi,

    Concerning the point "Not protected webmethods": what is the reason for having methods included in SDEFAULT which are not present in the listed webmethods from function GetInstanceProperties?

    In other words, if you type the following command, why do we have methods listed? (assuming the same commands mentioned above)

    1. diff protected.txt all.txt -ywa | grep '<'

    In my understanding SDEFAULT contains a bit fewer methods than all possible methods, therefore this "diff ... grep '<'" should return nothing, or?