Skip to end of metadata
Go to start of metadata


Cover security related topics of the SAP Start Service, the "sapstartsrv" process.


This WIKI page will list security related topics of the sapstartsrv process.

Protected webmethods

The parameter "service/protectedwebmethods" can be used to configure which webmethods are publicly available (meaning that no authentication is required) or that admin access / authentication is required.

The SAP Note 927637 explains how this parameter works.

The parameter accepts four keywords:

  • NONE        → all webmethods are not protected
  • ALL            → all webmethods are protected
  • DEFAULT   → some of the webmethods are protected and this was the default value of the parameter on older SAP kernel versions
  • SDEFAULT → more methods were added to the list of protected webmethods and this is the current default value of the parameter

This wiki page shows how to verify which methods are currently protected.

Restricting access to the sapstartsrv port(s)

The parameters "service/http/acl_file" and "service/https/acl_file" can be set pointing to a text file containing an Access Control List (ACL), limiting which IP addresses are allowed to connect to the sapstartsrv HTTP and HTTPS port, respectively.

The syntax of the ACL file is explained at the SAP Note 1495075.

Granting full access to additional users and groups

If a webmethod is not protected (see previous section), it can be called anonymously (without authentication).

Otherwise, you must provide the password of the "SIDadm" user ID (or of a local administrator, if SAP runs on Windows).

It is possible to grant access to additional users and groups by defining the parameters "service/admin_users" and/or "service/admin_groups".

A list of users/groups separated by spaces can be provided.

Configuring SSO

Admin users can also be defined with SSO (based on X.590 client certificate) by using the parameter "service/sso_admin_user_X" (where "X" is a sequential number starting in zero).

The parameter's documentation can be read at the transaction RZ11.

The sapstartsrv uses the SSL server certificate of the SAPSSLS.pse of the local instance.

Related Content

Related Documents

BC-CST wiki page: Protected web methods of sapstartsrv

Related SAP Notes/KBAs

SAP Note 927637: Web service authentication in sapstartsrv as of Release 7.00

SAP Note 1495075: Access control lists (ACL)

  • No labels