Cover security-related topics of the SAP Start Service, the "sapstartsrv" process.
This wiki page lists security-related topics of the sapstartsrv process.
Protected web methods
The parameter "service/protectedwebmethods" configures which web methods of sapstartsrv are public (callable without any authentication) and which are protected (the caller must authenticate as an administrator before the method is executed).
SAP Note 927637 explains how this parameter works.
The parameter accepts four keywords:
- NONE → no web method is protected; every method can be called without authentication
- ALL → every web method is protected
- DEFAULT → a fixed subset of the web methods is protected; this was the default value of the parameter on older SAP kernel versions
- SDEFAULT → a larger list of web methods is protected; this is the default value of the parameter on current kernels
The BC-CST wiki page "Protected web methods of sapstartsrv" (linked below) shows how to verify which methods are currently protected.
Restricting access to the sapstartsrv port(s)
The parameters "service/http/acl_file" and "service/https/acl_file" can be set to point to a text file containing an Access Control List (ACL) that limits which IP addresses are allowed to connect to the sapstartsrv HTTP and HTTPS port, respectively.
The syntax of the ACL file is explained in SAP Note 1495075.
Granting full access to additional users and groups
If a web method is not protected (see the previous section), it can be called anonymously, i.e. without authentication.
Otherwise, the caller must authenticate with the password of the <sid>adm operating system user (or of a local administrator account, if the SAP system runs on Windows).
Access can be granted to additional operating system users and groups by defining the parameters "service/admin_users" and/or "service/admin_groups".
Each parameter takes a list of user or group names separated by spaces.
Administrators can also be authenticated by SSO (based on an X.509 client certificate) with the parameter "service/sso_admin_user_X", where "X" is a sequential number starting at zero; each such parameter identifies one client certificate that is granted admin access.
The documentation of these parameters can be displayed in transaction RZ11.
For its HTTPS port, sapstartsrv uses the SSL server certificate from the SAPSSLS.pse of the local instance.
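The following script is an added example for this wiki page and is not SAP code. It reads the "name = value" lines of an instance profile and reports the parameters discussed in the sections above (service/protectedwebmethods, service/http/acl_file, service/https/acl_file, service/admin_users, service/admin_groups and service/sso_admin_user_X), so that a weak setting such as NONE or a missing ACL file stands out. The two embedded profiles (a weak one and a hardened one for a fictitious system ABC, instance D00) are constructed samples, and the severity assigned to each finding is this script's own assumption, not an SAP rating.

```python
"""Audit the sapstartsrv security parameters of an SAP instance profile.

Added example for this wiki page, not SAP code. Profile samples below are
constructed; the severity thresholds are this script's own assumptions.
"""
import re

# Constructed sample: a weak instance profile (not taken from any real system).
WEAK_PROFILE = """\
SAPSYSTEMNAME = ABC
INSTANCE_NAME = D00
SAPSYSTEM = 00
# every web method can be called anonymously
service/protectedwebmethods = NONE
service/admin_users = abcadm opsuser
"""

# Constructed sample: the same instance with the settings described above.
HARDENED_PROFILE = """\
SAPSYSTEMNAME = ABC
INSTANCE_NAME = D00
SAPSYSTEM = 00
service/protectedwebmethods = SDEFAULT
service/http/acl_file = /usr/sap/ABC/D00/sec/sapstartsrv_acl.txt
service/https/acl_file = /usr/sap/ABC/D00/sec/sapstartsrv_acl.txt
service/admin_users = abcadm
service/admin_groups = sapsys
service/sso_admin_user_0 = CN=opsadmin, OU=Basis, O=Example, C=DE
"""

# "name = value"; the name may not contain '=', the value may (X.509 subjects do).
PARAM_RE = re.compile(r"^\s*([^#=\s][^=]*?)\s*=\s*(.*?)\s*$")


def parse_profile(text):
    """Return {parameter: value} for the assignment lines of a profile.
    Comment (#) and blank lines are skipped; a later definition of the same
    parameter overrides an earlier one, as the last definition wins in profiles."""
    params = {}
    for line in text.splitlines():
        m = PARAM_RE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def audit_sapstartsrv(params):
    """Return a list of (severity, message) findings for the sapstartsrv parameters."""
    findings = []

    # Only the leading keyword (NONE/DEFAULT/SDEFAULT/ALL) is evaluated here.
    words = params.get("service/protectedwebmethods", "").split()
    keyword = words[0].upper() if words else ""
    if keyword == "NONE":
        findings.append(("high", "service/protectedwebmethods = NONE: "
                         "every web method can be called without authentication"))
    elif keyword == "DEFAULT":
        findings.append(("medium", "service/protectedwebmethods = DEFAULT: "
                         "older, smaller protection list; SDEFAULT protects more methods"))
    elif keyword == "":
        findings.append(("info", "service/protectedwebmethods not set: the kernel "
                         "default applies; set it explicitly to make the intended value visible"))
    # SDEFAULT or ALL: nothing to report.

    # Without an ACL file, every host that can reach the port may connect.
    for proto in ("http", "https"):
        if not params.get("service/%s/acl_file" % proto):
            findings.append(("medium", "service/%s/acl_file not set: any host that can "
                             "reach the %s port may connect" % (proto, proto.upper())))

    # Extra administrators: worth a look, but not a problem as such.
    users = params.get("service/admin_users", "").split()
    groups = params.get("service/admin_groups", "").split()
    if users or groups:
        findings.append(("info", "additional administrators: users=%s groups=%s"
                         % (",".join(users) or "-", ",".join(groups) or "-")))

    # Certificate-based (SSO) administrators: one parameter per certificate.
    for key in sorted(k for k in params if re.fullmatch(r"service/sso_admin_user_\d+", k)):
        findings.append(("info", "%s grants admin access to X.509 subject '%s'"
                         % (key, params[key])))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print("== %s profile ==" % name)
        for severity, message in audit_sapstartsrv(parse_profile(text)):
            print("[%s] %s" % (severity, message))
```

The script inspects the profile file only. sapstartsrv reads its profile when it starts, so after changing one of these parameters the service must be restarted for the new value to take effect; the value the running service actually uses can be read with "sapcontrol -nr <instance number> -function ParameterValue service/protectedwebmethods", and comparing it with the file catches a profile that was edited but never activated.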
BC-CST wiki page: Protected web methods of sapstartsrv
Related SAP Notes/KBAs
SAP Note 927637: Web service authentication in sapstartsrv as of Release 7.00
SAP Note 1495075: Access control lists (ACL)