This page gives an overview of the service/<parameter> profile parameters of sapstartsrv.
What parameters are available to influence the behaviour of SAP Start Service (the sapstartsrv process)?
Meaning of parameters
Additional OS user groups authorized for system administration (Unix only)
Specifies additional operating system user groups that are authorized to administer the system using the Web service interface of the start service. Specify the user groups separated by spaces.
Additional OS users authorized for system administration
Specifies additional operating system users that are authorized to administer the system using the Web service interface of the start service. Specify the user names separated by spaces.
Data collector command line
Data collector command that is executed by the start service during the generation of a snapshot. This allows the data collector to store additional artifacts in the snapshot for support purposes.
Data collector mandatory for snapshot creation
If this parameter is activated, the successful call of the data collector is mandatory when the start service generates a snapshot. If the data collector call fails, no snapshot is generated by the start service.
Maximum allowed runtime for data collector
Timeout for the call of a data collector when the start service is generating a snapshot. If the data collector does not exit itself before the timeout is reached, the start service terminates it.
Dynamic library for third party high availability (HA) software integration
Shared library that is to be loaded by the start service to permit integration into third-party HA software. The shared library must fulfill the SAP HA interface specification. This means that the start service of an instance that is under HA control can start or stop the instance correctly without, for example, triggering an undesired failover in the HA cluster.
Kill instance processes during start service stop (Microsoft Windows only)
If this parameter is activated, the start service does not stop the instance processes belonging to its instance in an orderly way using a SIGINT signal, but rather hard kills them. The parameter should not be activated in general, but can be useful in HA configuration.
Bind specific host name or IP address for HTTP/HTTPS Web service ports
Host name or IP address to which the start service is to bind its HTTP and HTTPS port. Normally all IP addresses (0.0.0.0) are bound. However, if the Web service interface is only to be accessible using a particular IP address, you can specify it here.
Access control list (ACL) file of sapstartsrv HTTP port
This parameter specifies the file that the start service uses as an access control list (ACL) for the access authorizations for connections over its HTTP port. If the profile parameter is set, the file must exist and its syntax must be correct. If the specified ACL file does not exist or contains errors, the start service ends immediately. The syntax of the ACL file is described in ACL Syntax.
Bind specific host name or IP address for HTTP Web service port
Host name or IP address to which the start service is to bind its HTTP port. Normally all IP addresses (0.0.0.0) are bound. However, if the Web service interface is only to be accessible using a particular IP address over HTTP, you can specify it here.
Access control list (ACL) file of sapstartsrv HTTPS port
This parameter specifies the file that the start service uses as an access control list (ACL) for the access authorizations for connections over its HTTPS port. If the profile parameter is set, the file must exist and its syntax must be correct. If the specified ACL file does not exist or contains errors, the start service ends immediately. The syntax of the ACL file is described in ACL Syntax.
Bind specific host name or IP address for HTTPS Web service port
Host name or IP address to which the start service is to bind its HTTPS port. Normally all IP addresses (0.0.0.0) are bound. However, if the Web service interface is only to be accessible using a particular IP address over HTTPS, you can specify it here.
Maximum number of snapshots to be archived
Maximum number of snapshots that the start service is to archive for each instance in the DIR_GLOBAL directory. If more snapshots are generated, the oldest is deleted in each case.
Disable automatic service restart after executable update (Microsoft Windows only)
If this parameter is activated, the start service no longer restarts itself when its executable has been updated (by sapcpe). The parameter should not be activated in general, but can be useful in HA configuration.
Enabled Web service ports
Web service port types that are activated in the start service. Specify the port types to be activated separated by spaces.
Protected Web service functions requiring user authorization
Protected methods of the Web service interface of the SAP start service. Calling these methods requires successful authentication and authorization. In the simple syntax, you specify all of the methods to be protected, separated by spaces. For example:
service/protectedwebmethods = Start Stop RestartService
In the advanced syntax, you can optionally add individual methods to or remove individual methods from one of four different predefined settings:
[ALL|SDEFAULT|DEFAULT|NONE] +|-<method1> +|-<method2> ... +|-<methodN>
The following values are possible:
ALL = All methods are protected.
SDEFAULT = Almost all methods are protected. However, an authentication-free initial display of a system in SAP MMC/MC is still allowed, for example.
DEFAULT = Protects all methods that change the status of the system. However, authentication-free access to traces is permitted.
NONE = No methods are protected.
We recommend the setting SDEFAULT. Examples of the advanced syntax:
SDEFAULT -GetVersionInfo = Protects most methods, but permits authentication-free querying of the version information.
DEFAULT +GetVersionInfo = Protects only the methods that change the status, and also the querying of the version information.
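The following added example (not SAP code and not part of the original page) parses a service/protectedwebmethods value in either syntax and lists what a configuration review would flag against the SDEFAULT recommendation. The function names and the ranking of the presets are assumptions derived from the descriptions above; the page does not list which methods each preset contains, so the check works on the preset and the +/- adjustments only.

```python
# Presets named on this page, ranked from least to most protective
# (ranking derived from the page's descriptions; an assumption of this example).
RANK = {"NONE": 0, "DEFAULT": 1, "SDEFAULT": 2, "ALL": 3}

def parse_protectedwebmethods(value):
    """Split a service/protectedwebmethods value into preset, added, removed."""
    tokens = value.split()
    if not tokens:
        raise ValueError("empty value")
    if tokens[0] not in RANK:
        # Simple syntax: a plain list of the methods to protect.
        if any(t[0] in "+-" for t in tokens):
            raise ValueError("+/- entries need a leading preset")
        return {"preset": None, "added": tokens, "removed": []}
    parsed = {"preset": tokens[0], "added": [], "removed": []}
    for tok in tokens[1:]:
        if len(tok) < 2 or tok[0] not in "+-":
            raise ValueError(f"expected +<method> or -<method>, got {tok!r}")
        parsed["added" if tok[0] == "+" else "removed"].append(tok[1:])
    return parsed

def review(value):
    """Return the findings a reviewer would raise for one parameter value."""
    p = parse_protectedwebmethods(value)
    findings = []
    if p["preset"] is None:
        findings.append(
            f"simple syntax: only {len(p['added'])} listed method(s) protected")
    elif RANK[p["preset"]] < RANK["SDEFAULT"]:
        findings.append(
            f"preset {p['preset']} protects less than recommended SDEFAULT")
    for method in p["removed"]:
        findings.append(f"{method} callable without authentication")
    return findings

if __name__ == "__main__":
    # Values taken from the examples on this page, plus the bare presets.
    for v in ("SDEFAULT", "SDEFAULT -GetVersionInfo", "DEFAULT +GetVersionInfo",
              "NONE", "Start Stop RestartService"):
        print(f"{v!r}: {review(v) or 'ok'}")
```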
Instance priority during system start/stop
Start priority of the instance during system start/stop. The start service usually determines the start priority automatically using the processes configured in an instance and can therefore start or stop an entire system in the correct sequence. Instances with the same start priority are started in parallel. Only once these are fully started is the process continued with the next priority level (in the case of a system stop, the same applies in the reverse sequence). To do this, the priorities are lexically compared and sorted. In exceptional cases or in the case of unknown process types that require a particular start/stop sequence, you can manually adjust the start priority.
Processes monitored using a status file
Specifies the process types that are to be monitored by the start service using a status file <processname>.status. Specify the individual process types separated by spaces. The process to be monitored is responsible for generating and updating the status file.
Start service trace level
Trace level of the start service (sapstartsrv.log trace). Since the start service periodically performs a number of monitoring operations that could potentially fail (which is not an error), the start service usually uses trace level 0 to avoid unnecessary and easily misunderstood error messages.
Set umask for all instance processes (UNIX only)
You can use service/umask to set a general file authorization mask. Specify the value in octal notation (see also the umask operating system command). It is set by the start service and sapstart at the beginning of startup, so that all processes of an instance are started with this umask. If the value is empty, the start service and sapstart do not change the umask, meaning that the umask values with which the processes were started are used for all processes of the instance (on UNIX, this is usually the root umask, since the start service is started as a daemon by root during the OS boot, or the <sid>adm umask, if the start service was started from a <sid>adm shell).
Additional users authenticated by client certificate authorized for system administration
When this parameter is set, a client certificate can be used to authenticate for execution of protected webmethods. Specifies additional users that are authenticated with X.509 certificates and that are authorized to administer the system using the Web service interface of the start service. This is a vector parameter in the format <parameter name>_<index>. The recognized index range starts at 0. Index gaps are not permitted. Set a parameter for each user, starting with service/sso_admin_user_0. Specify the subject DN of the respective client certificate as the parameter value. You can use the wildcards * and ?.
Prerequisites: SSL must be configured correctly on the instances of the systems with suitable server certificates, so that the start service can provide HTTPS communication (port 5XX14) and can validate the client certificates; a signed client certificate must be available; the issuer of the client certificate must be trusted at sapstartsrv.
service/sso_admin_user_0 = CN=D??????, O=SAP-AG, C=DE
service/sso_admin_user_1 = CN=C123456, O=SAP-AG, C=DE
authorizes, for example, various D users and the user C123456.
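The following added example (not SAP code and not part of the original page) audits the service/sso_admin_user_<index> entries of a profile: it reports index gaps and shows which wildcard patterns match a given certificate subject DN, which makes overly broad patterns visible. The sample profile is constructed, the function names are hypothetical, and the matching assumes a plain character-by-character comparison of the DN strings, which the page does not specify.

```python
import re

# Constructed sample profile: the first two lines are the page's example,
# the last line is made up to show an index gap and a broad wildcard.
SAMPLE_PROFILE = """\
service/sso_admin_user_0 = CN=D??????, O=SAP-AG, C=DE
service/sso_admin_user_1 = CN=C123456, O=SAP-AG, C=DE
service/sso_admin_user_3 = CN=*, O=SAP-AG, C=DE
"""

def read_sso_admin_users(profile_text):
    """Return {index: subject-DN pattern} for service/sso_admin_user_<index>."""
    users = {}
    for line in profile_text.splitlines():
        m = re.match(r"\s*service/sso_admin_user_(\d+)\s*=\s*(.*\S)", line)
        if m:
            users[int(m.group(1))] = m.group(2)
    return users

def missing_indices(users):
    """Indices must start at 0 without gaps; list the ones that are absent."""
    return [i for i in range(max(users, default=-1) + 1) if i not in users]

def dn_matches(pattern, subject_dn):
    """Wildcard match: * is any run of characters, ? exactly one character.
    Assumption: plain character-by-character comparison of the DN strings."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, subject_dn, re.DOTALL) is not None

def audit(profile_text, subject_dns):
    """Report index gaps and which entry patterns match each subject DN."""
    users = read_sso_admin_users(profile_text)
    grants = {dn: [i for i, p in sorted(users.items()) if dn_matches(p, dn)]
              for dn in subject_dns}
    return {"missing_indices": missing_indices(users), "grants": grants}

if __name__ == "__main__":
    # Constructed subject DNs for illustration.
    print(audit(SAMPLE_PROFILE, ["CN=D123456, O=SAP-AG, C=DE",
                                 "CN=C999999, O=SAP-AG, C=DE"]))
```

In the constructed profile, the `CN=*` entry matches every subject DN under `O=SAP-AG, C=DE`, and index 2 is reported as missing.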
Note: The parameters must be set in the profile that the corresponding sapstartsrv (instance, SAP Host Agent) was started with. Usually this is the start profile (up to release 710) or the instance profile (as of and including release 710). For SAP Host Agent this is the hostagent profile (under /usr/sap/hostcontrol). To activate the new parameter values, the sapstartsrv process must be restarted. Not all parameters are known by every release.
SAP Note 927637: Web service authentication in sapstartsrv as of Release 7.00
SAP Note 1495075: Access Control Lists (ACL)
SAP Note 1439348: Extended security settings for sapstartsrv
SAP Note 877795: Problems with sapstartsrv from Release 7.00 and 6.40 patch 169