Purpose
To explain the difference between the two default options of the service/protectedwebmethods parameter.
Overview
The SAPControl Webservice interface of sapstartsrv differentiates between protected and unprotected Webservice methods. Protected methods are executed only after a successful user authentication; unprotected methods do not require it. By default, all methods that change the status of the instance or the system when called are protected.
The parameter service/protectedwebmethods determines what methods are protected. It can have two different _default_ values: DEFAULT or SDEFAULT.
DEFAULT
Old default: protect all actions that can alter the state of the instance.
It is active if service/protectedwebmethods = DEFAULT is set in the startup profile of the corresponding instance.
Protected web methods are (example of kernel 753):
Bootstrap
CheckPSE
CheckUpdateSystem
ConfigureLogFileList
CreatePSECredential
CreateSnapshot
DeletePSE
DeleteSnapshots
EnqRemoveLocks
EnqRemoveUserLocks
GetCallstack
GWCancelConnections
GWDeleteClients
GWDeleteConnections
HAFailoverToNode
HASetMaintenanceMode
InstanceStart
InstanceStop
J2EEControlCluster
J2EEControlComponents
J2EEControlProcess
J2EEDisableDbgSession
J2EEEnableDbgSession
OSExecute
RestartInstance
RestartSystem
SendSignal
SetProcessParameter
SetProcessParameter2
Shutdown
Start
StartBypassHA
StartSystem
Stop
StopBypassHA
StopService
StopSystem
StorePSE
UpdateInstancePSE
UpdateSCSInstance
UpdateSystem
UpdateSystemPKI
GetAgentConfig
GetListOfMaByCusGrp
GetMcInLocalMs
GetMtesByRequestTable
GetMtListByMtclass
InfoGetTree
MscCustomizeWrite
MscDeleteLines
MscReadCache
MsGetLocalMsInfo
MsGetMteclsInLocalMs
MtChangeStatus
MtCustomizeWrite
MtDbsetToWpsetByTid
MtDestroyMarkNTry
MteGetByToolRunstatus
MtGetAllToCust
MtGetAllToolsToSet
MtGetMteinfo
MtGetTidByName
MtRead
MtReset
PerfCustomizeWrite
PerfRead
PerfReadSmoothData
ReadDirectory
ReadFile
ReadProfileParameters
ReferenceRead
Register
RequestLogonFile
SnglmgsCustomizeWrite
SystemObjectSetValue
TextAttrRead
ToolGetEffective
ToolSet
ToolSetRuntimeStatus
TriggerDataCollection
Unregister
UtilAlChangeStatus
UtilMtGetAidByTid
UtilMtGetTreeLocal
UtilMtReadAll
UtilReadRawalertByAid
UtilSnglmsgReadRawdata
SDEFAULT
New default: protect almost everything, just allowing consoles to show the initial view.
It is active if service/protectedwebmethods = SDEFAULT is set in the startup profile of the corresponding instance.
Protected web methods are (example of kernel 753):
ABAPAcknowledgeAlerts
ABAPCheckRFCDestinations
ABAPGetComponentList
ABAPGetSystemWPTable
ABAPGetWPTable
ABAPReadRawSyslog
ABAPReadSyslog
AnalyseLogFiles
Bootstrap
CheckParameter
CheckPSE
CheckUpdateSystem
ConfigureLogFileList
CreatePSECredential
CreateSnapshot
DeletePSE
DeleteSnapshots
EnqGetLockTable
EnqGetStatistic
EnqRemoveLocks
EnqRemoveUserLocks
GetAccessPointList
GetAlerts
GetAlertTree
GetCallstack
GetEnvironment
GetLogFileList
GetProcessParameter
GetQueueStatistic
GetStartProfile
GetSystemUpdateList
GetTraceFile
GetVersionInfo
GWCancelConnections
GWDeleteClients
GWDeleteConnections
GWGetConnectionList
GWGetClientList
HACheckConfig
HACheckFailoverConfig
HACheckMaintenanceMode
HAFailoverToNode
HAGetFailoverConfig
HASetMaintenanceMode
ICMGetCacheEntries
ICMGetConnectionList
ICMGetProxyConnectionList
ICMGetThreadList
InstanceStart
InstanceStop
J2EEControlCluster
J2EEControlComponents
J2EEControlProcess
J2EEDisableDbgSession
J2EEEnableDbgSession
J2EEGetApplicationAliasList
J2EEGetCacheStatistic
J2EEGetCacheStatistic2
J2EEGetClusterMsgList
J2EEGetComponentList
J2EEGetEJBSessionList
J2EEGetProcessList
J2EEGetProcessList2
J2EEGetRemoteObjectList
J2EEGetSessionList
J2EEGetSharedTableInfo
J2EEGetThreadCallStack
J2EEGetThreadList
J2EEGetThreadList2
J2EEGetThreadTaskStack
J2EEGetVMGCHistory
J2EEGetVMGCHistory2
J2EEGetVMHeapInfo
J2EEGetWebSessionList
J2EEGetWebSessionList2
ListConfigFiles
ListDeveloperTraces
ListLogFiles
ListSnapshots
OSExecute
ParameterValue
ReadConfigFile
ReadDeveloperTrace
ReadLogFile
ReadSnapshot
RestartInstance
RestartService
RestartSystem
SendSignal
SetProcessParameter
SetProcessParameter2
ShmDetach
Shutdown
Start
StartBypassHA
StartSystem
Stop
StopBypassHA
StopService
StopSystem
StorePSE
UpdateInstancePSE
UpdateSCSInstance
UpdateSystem
UpdateSystemPKI
WebDispGetServerList
WebDispGetGroupList
WebDispGetVirtHostList
WebDispGetUrlPrefixList
GetAgentConfig
GetListOfMaByCusGrp
GetMcInLocalMs
GetMtesByRequestTable
GetMtListByMtclass
InfoGetTree
MscCustomizeWrite
MscDeleteLines
MscReadCache
MsGetLocalMsInfo
MsGetMteclsInLocalMs
MtChangeStatus
MtCustomizeWrite
MtDbsetToWpsetByTid
MtDestroyMarkNTry
MteGetByToolRunstatus
MtGetAllToCust
MtGetAllToolsToSet
MtGetMteinfo
MtGetTidByName
MtRead
MtReset
PerfCustomizeWrite
PerfRead
PerfReadSmoothData
ReadDirectory
ReadFile
ReadProfileParameters
ReferenceRead
Register
RequestLogonFile
SnglmgsCustomizeWrite
SystemObjectSetValue
TextAttrRead
ToolGetEffective
ToolSet
ToolSetRuntimeStatus
TriggerDataCollection
Unregister
UtilAlChangeStatus
UtilMtGetAidByTid
UtilMtGetTreeLocal
UtilMtReadAll
UtilReadRawalertByAid
UtilSnglmsgReadRawdata
Protected webmethods
DEFAULT vs. SDEFAULT
SDEFAULT | DEFAULT |
ABAPAcknowledgeAlerts | |
ABAPCheckRFCDestinations | |
ABAPGetComponentList | |
ABAPGetSystemWPTable | |
ABAPGetWPTable | |
ABAPReadRawSyslog | |
ABAPReadSyslog | |
AnalyseLogFiles | |
Bootstrap | Bootstrap |
CheckParameter | |
CheckPSE | CheckPSE |
CheckUpdateSystem | CheckUpdateSystem |
ConfigureLogFileList | ConfigureLogFileList |
CreatePSECredential | CreatePSECredential |
CreateSnapshot | CreateSnapshot |
DeletePSE | DeletePSE |
DeleteSnapshots | DeleteSnapshots |
EnqGetLockTable | |
EnqGetStatistic | |
EnqRemoveLocks | EnqRemoveLocks |
EnqRemoveUserLocks | EnqRemoveUserLocks |
GetAccessPointList | |
GetAgentConfig | GetAgentConfig |
GetAlerts | |
GetAlertTree | |
GetCallstack | GetCallstack |
GetEnvironment | |
GetListOfMaByCusGrp | GetListOfMaByCusGrp |
GetLogFileList | |
GetMcInLocalMs | GetMcInLocalMs |
GetMtesByRequestTable | GetMtesByRequestTable |
GetMtListByMtclass | GetMtListByMtclass |
GetProcessParameter | |
GetQueueStatistic | |
GetStartProfile | |
GetSystemUpdateList | |
GetTraceFile | |
GetVersionInfo | |
GWCancelConnections | GWCancelConnections |
GWDeleteClients | GWDeleteClients |
GWDeleteConnections | GWDeleteConnections |
GWGetClientList | |
GWGetConnectionList | |
HACheckConfig | |
HACheckFailoverConfig | |
HACheckMaintenanceMode | |
HAFailoverToNode | HAFailoverToNode |
HAGetFailoverConfig | |
HASetMaintenanceMode | HASetMaintenanceMode |
ICMGetCacheEntries | |
ICMGetConnectionList | |
ICMGetProxyConnectionList | |
ICMGetThreadList | |
InfoGetTree | InfoGetTree |
InstanceStart | InstanceStart |
InstanceStop | InstanceStop |
J2EEControlCluster | J2EEControlCluster |
J2EEControlComponents | J2EEControlComponents |
J2EEControlProcess | J2EEControlProcess |
J2EEDisableDbgSession | J2EEDisableDbgSession |
J2EEEnableDbgSession | J2EEEnableDbgSession |
J2EEGetApplicationAliasList | |
J2EEGetCacheStatistic | |
J2EEGetCacheStatistic2 | |
J2EEGetClusterMsgList | |
J2EEGetComponentList | |
J2EEGetEJBSessionList | |
J2EEGetProcessList | |
J2EEGetProcessList2 | |
J2EEGetRemoteObjectList | |
J2EEGetSessionList | |
J2EEGetSharedTableInfo | |
J2EEGetThreadCallStack | |
J2EEGetThreadList | |
J2EEGetThreadList2 | |
J2EEGetThreadTaskStack | |
J2EEGetVMGCHistory | |
J2EEGetVMGCHistory2 | |
J2EEGetVMHeapInfo | |
J2EEGetWebSessionList | |
J2EEGetWebSessionList2 | |
ListConfigFiles | |
ListDeveloperTraces | |
ListLogFiles | |
ListSnapshots | |
MscCustomizeWrite | MscCustomizeWrite |
MscDeleteLines | MscDeleteLines |
MscReadCache | MscReadCache |
MsGetLocalMsInfo | MsGetLocalMsInfo |
MsGetMteclsInLocalMs | MsGetMteclsInLocalMs |
MtChangeStatus | MtChangeStatus |
MtCustomizeWrite | MtCustomizeWrite |
MtDbsetToWpsetByTid | MtDbsetToWpsetByTid |
MtDestroyMarkNTry | MtDestroyMarkNTry |
MteGetByToolRunstatus | MteGetByToolRunstatus |
MtGetAllToCust | MtGetAllToCust |
MtGetAllToolsToSet | MtGetAllToolsToSet |
MtGetMteinfo | MtGetMteinfo |
MtGetTidByName | MtGetTidByName |
MtRead | MtRead |
MtReset | MtReset |
OSExecute | OSExecute |
ParameterValue | |
PerfCustomizeWrite | PerfCustomizeWrite |
PerfRead | PerfRead |
PerfReadSmoothData | PerfReadSmoothData |
ReadConfigFile | |
ReadDeveloperTrace | |
ReadDirectory | ReadDirectory |
ReadFile | ReadFile |
ReadLogFile | |
ReadProfileParameters | ReadProfileParameters |
ReadSnapshot | |
ReferenceRead | ReferenceRead |
Register | Register |
RequestLogonFile | RequestLogonFile |
RestartInstance | RestartInstance |
RestartService | |
RestartSystem | RestartSystem |
SendSignal | SendSignal |
SetProcessParameter | SetProcessParameter |
SetProcessParameter2 | SetProcessParameter2 |
ShmDetach | |
Shutdown | Shutdown |
SnglmgsCustomizeWrite | SnglmgsCustomizeWrite |
Start | Start |
StartBypassHA | StartBypassHA |
StartSystem | StartSystem |
Stop | Stop |
StopBypassHA | StopBypassHA |
StopService | StopService |
StopSystem | StopSystem |
StorePSE | StorePSE |
SystemObjectSetValue | SystemObjectSetValue |
TextAttrRead | TextAttrRead |
ToolGetEffective | ToolGetEffective |
ToolSet | ToolSet |
ToolSetRuntimeStatus | ToolSetRuntimeStatus |
TriggerDataCollection | TriggerDataCollection |
Unregister | Unregister |
UpdateInstancePSE | UpdateInstancePSE |
UpdateSCSInstance | UpdateSCSInstance |
UpdateSystem | UpdateSystem |
UpdateSystemPKI | UpdateSystemPKI |
UtilAlChangeStatus | UtilAlChangeStatus |
UtilMtGetAidByTid | UtilMtGetAidByTid |
UtilMtGetTreeLocal | UtilMtGetTreeLocal |
UtilMtReadAll | UtilMtReadAll |
UtilReadRawalertByAid | UtilReadRawalertByAid |
UtilSnglmsgReadRawdata | UtilSnglmsgReadRawdata |
WebDispGetGroupList | |
WebDispGetServerList | |
WebDispGetUrlPrefixList | |
WebDispGetVirtHostList | |
The way to check the current settings
The following instance property lists the protected web methods of the corresponding instance:
property: Protected Webmethods
propertytype: Attribute
value: <list of protected webmethods>
sapcontrol -nr <instance number> -function ParameterValue service/protectedwebmethods
displays the current parameter setting, e.g.:
05.12.2017 16:57:06
ParameterValue
OK
SDEFAULT
Not protected webmethods
You want to know which webmethods are then not protected? Execute the commands:
Commands:
- sapcontrol -nr <instance number> -function GetInstanceProperties | grep -i webmethods | grep -vi protected | tr ',' '\n' | tr -d ' ' | sort > all.txt
- sapcontrol -nr <instance number> -function GetInstanceProperties | grep -i webmethods | grep -i protected | tr ',' '\n' | tr -d ' ' | sort > protected.txt
- diff protected.txt all.txt -ywa | grep '>'
And the outcome is (in this example):
comm all.txt protected.txt -23
AccessCheck
GetInstanceProperties
GetNetworkId
GetProcessList
GetSecNetworkId
GetSystemInstanceList
The methods listed above (AccessCheck through GetSystemInstanceList) are the ones which are not protected.
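The same comparison as a single shell function, given here as an added example that is not part of the original page or of SAP's tooling. It assumes GetInstanceProperties prints one `property, propertytype, value` line per property and reads only the value field, so the property name and type never end up in the method lists; the sample output is constructed.

```shell
#!/bin/sh
# Added example (not SAP code). Assumed line format of GetInstanceProperties:
#   <property>, <propertytype>, <comma-separated value>

# methods_of PROPERTY: read GetInstanceProperties output on stdin and print
# the value of exactly that property, one method per line, sorted.
methods_of() {
    awk -F', ' -v prop="$1" '
        $1 == prop {
            # Strip "property, propertytype, " so only the value remains.
            sub(/^[^,]*, [^,]*, /, "")
            n = split($0, m, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t\r]/, "", m[i])
                if (m[i] != "") print m[i]
            }
        }' | LC_ALL=C sort -u
}

# unprotected_methods: read GetInstanceProperties output on stdin and print
# every method in "Webmethods" that is absent from "Protected Webmethods",
# i.e. the methods callable without authentication.
unprotected_methods() {
    in=$(mktemp) all=$(mktemp) prot=$(mktemp)
    cat > "$in"
    methods_of "Webmethods" < "$in" > "$all"
    methods_of "Protected Webmethods" < "$in" > "$prot"
    LC_ALL=C comm -23 "$all" "$prot"
    rm -f "$in" "$all" "$prot"
}

# Constructed sample output, shortened to a handful of methods.
sample_output() {
cat <<'EOF'
GetInstanceProperties
OK
property, propertytype, value
Webmethods, Attribute, AccessCheck,GetInstanceProperties,GetProcessList,Start,Stop,OSExecute
Protected Webmethods, Attribute, Start,Stop,OSExecute
EOF
}

# Demo on the sample; on a host, pipe the real command output in instead:
#   sapcontrol -nr <instance number> -function GetInstanceProperties | unprotected_methods
sample_output | unprotected_methods
```

Any method in the result that reads or changes instance state on your kernel is worth reviewing against the SDEFAULT list above.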
Related Documents
How to use the SAPControl Web Service Interface
Related SAP Notes/KBAs
SAP Note 1439348: Extended security settings for sapstartsrv
SAP Note 927637: Web service authentication in sapstartsrv as of Release 7.00
SAP Note 2493171: Information Disclosure in SAP NetWeaver Instance Agent Service
2 Comments
Adam Csaba Goetz
document updated
Vanderlei Vitorio Gomes
Hi,
concerning the point "Not protected webmethods": what is the reason for having methods included in SDEFAULT which are not present in the listed webmethods from function GetInstanceProperties?
In other words, if you type the following command, why do we have methods listed? (assuming the same commands mentioned above)
In my understanding SDEFAULT contains a bit fewer methods than all possible methods, therefore this "diff ... grep '<'" should return nothing, or?