Protecting web methods offered by SAP Host Agent

SAP Host Agent, also known as SAPHostControl, offers web methods as SOAP Web Services to perform certain tasks on a host.

The last security issue regarding a web method in SAP Host Agent dates back to 2017. Almost all documentation and write-ups about web method protection focus on SAP Instance Agent (SAPStartSrv). Therefore, I decided to spend some time looking at this topic while I was writing my blog post about Protecting web methods offered by SAP Instance Agent.

In the following I will play the question and answer game (as you may recognise from my other blog posts) to develop a basic understanding of SAP Host Agent and its web methods.

SAP Host Agent / SAPHostControl

Where do we find SAP Host Agent?

SAP Host Agent can be found on any server which runs SAP components or is related to SAP systems, e.g., anyDB server.

What is SAP Host Agent technically?

SAP Host Agent is a SAPStartSrv in Host mode, also known as SAPHostControl.

It reads its parameters from the SAP Host Agent profile /usr/sap/hostctrl/exe/host_profile (Windows: C:\Program Files\SAP\hostctrl\exe).

Which ports are used by SAPHostCtrl?

SAPStartSrv in Host mode binds 1128 (HTTP) and 1129 (HTTPS).

On which ip addresses are these ports accessible?

By default SAPStartSrv in Host mode binds its ports on all available NICs, as the listening addresses in the following output show:

~> sudo ss -tlpn | grep -e 112[89]
LISTEN 0 20* users:(("sapstatsrv",pid=15692,fd=16))
LISTEN 0 20* users:(("sapstatsrv",pid=15692,fd=9))

This can be adjusted with the parameters ‘service/hostname’, ‘service/http/hostname’ and ‘service/https/hostname’ (in host_profile).

For example, ‘service/hostname’ and ‘service/http/hostname’ could be set to and ‘service/https/hostname’ could be set to $(SAPLOCALHOST) to reduce the attack surface.

~> sudo ss -tlpn | grep -e 112[89]
LISTEN 0 20* users:(("sapstatsrv",pid=26912,fd=11))
LISTEN 0 20* users:(("sapstatsrv",pid=26912,fd=9))

Who is accessing these ports?

Typical clients are saphostctrl, sapcontrol, SMD Agent, SDA (Simple Diagnostics Agent), SAP LaMa and SWDM. But there may also be custom-developed scripts or 3rd-party tools, e.g., for monitoring purposes or for starting/stopping systems. For testing or troubleshooting, Postman or SoapUI may also be used as a client.

Does SAP Host Agent also provide web methods?

SAP Host Agent 7.21 PL50 provides 49 web methods which can be queried by SAPHostCtrl (/usr/sap/hostctrl/exe/saphostctrl).

A WSDL is available at https://<hostname>:1129/SAPHostControl/?wsdl

Since SAP Host Agent is based on SAPStartSrv, it also has some web methods which can be queried with sapcontrol. SAP Host Agent 7.21 PL50 comes with sapcontrol (/usr/sap/hostctrl/exe/sapcontrol, sapcontrol 7.21 PL1214), which allows querying 9 additional web methods.

Some of these web methods are included in the WSDL at https://<hostname>:1129/SAPControl/?wsdl.

Which web methods can be accessed without authentication?

SAPHostCtrl web methods are protected by default, except the web method ‘Ping’.

For SAPStartSrv web methods, the protection depends on the setting of the profile parameter ‘service/protectedwebmethods’ (in host_profile).

By default the following applies:

Protected              Unprotected
AnalyseLogFiles        CheckHostAgent
ConfigureLogFileList   GetNetworkId
GetLogFileList         GetSecNetworkId
ListLogFiles           RequestLogonFile
StartService           WaitforServiceStarted

Protection can be disabled for all web methods by setting service/protectedwebmethods = NONE, or extended to all web methods except ‘CheckHostAgent’, ‘RequestLogonFile’ and ‘WaitforServiceStarted’ by setting service/protectedwebmethods = ALL.

Please note: This seems to be undocumented!
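To make the two exposure settings discussed above checkable, here is a small audit script I added for this post; it is not SAP code and not a full profile parser. It reads the relevant host_profile parameters, reports when the HTTP/HTTPS ports would bind on all interfaces, and computes which SAPStartSrv web methods remain callable without authentication for a given service/protectedwebmethods value. The default, ALL and NONE semantics follow the table above; two details are assumptions: that ‘service/hostname’ acts as the shared fallback for the per-protocol hostname parameters, and that the ‘+Method’/‘-Method’ modifier syntax known from SAP Instance Agent applies to the Host Agent profile as well. The sample profiles are constructed.

```python
"""Audit an SAP Host Agent host_profile for the exposure-related parameters
discussed above: the addresses the HTTP/HTTPS ports bind to and which
SAPStartSrv web methods stay callable without authentication.
Added example; not SAP code and not a complete profile parser."""

# Default protection of the SAPStartSrv web methods as listed above for
# SAP Host Agent 7.21 PL50.
DEFAULT_PROTECTED = {"AnalyseLogFiles", "ConfigureLogFileList", "GetLogFileList",
                     "ListLogFiles", "StartService"}
DEFAULT_UNPROTECTED = {"CheckHostAgent", "GetNetworkId", "GetSecNetworkId",
                       "RequestLogonFile", "WaitforServiceStarted"}
# Methods that stay unprotected even with service/protectedwebmethods = ALL.
ALWAYS_UNPROTECTED = {"CheckHostAgent", "RequestLogonFile", "WaitforServiceStarted"}
ALL_METHODS = DEFAULT_PROTECTED | DEFAULT_UNPROTECTED

BIND_PARAMS = {"HTTP (1128)": "service/http/hostname",
               "HTTPS (1129)": "service/https/hostname"}


def parse_profile(text):
    """Parse 'key = value' lines into a dict; '#' starts a comment.
    Later occurrences of a key overwrite earlier ones."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        params[key] = value
    return params


def protected_methods(setting):
    """Return the set of protected SAPStartSrv web methods for a given
    service/protectedwebmethods value.  NONE, ALL and DEFAULT follow the
    post; '+Method' / '-Method' modifiers after the base value follow the
    SAP Instance Agent syntax and are assumed to work the same here."""
    tokens = (setting or "DEFAULT").split()
    base = tokens[0].upper()
    if base == "NONE":
        protected = set()
    elif base == "ALL":
        protected = ALL_METHODS - ALWAYS_UNPROTECTED
    elif base == "DEFAULT":
        protected = set(DEFAULT_PROTECTED)
    else:
        raise ValueError(f"unknown service/protectedwebmethods value: {setting!r}")
    for modifier in tokens[1:]:
        if modifier.startswith("+"):
            protected.add(modifier[1:])
        elif modifier.startswith("-"):
            protected.discard(modifier[1:])
        else:
            raise ValueError(f"unexpected token {modifier!r}")
    # The three methods above cannot be protected via ALL; assumed to hold
    # for explicit '+' modifiers as well.
    return protected - ALWAYS_UNPROTECTED


def audit_host_profile(text):
    """Return a sorted list of findings (strings) for the given profile text."""
    params = parse_profile(text)
    findings = []
    for label, key in BIND_PARAMS.items():
        # Assumption: per-protocol parameter wins, service/hostname is the
        # shared fallback; with neither set the port listens on every NIC.
        bound_to = params.get(key) or params.get("service/hostname")
        if not bound_to:
            findings.append(f"{label} port listens on all interfaces: "
                            f"neither {key} nor service/hostname is set")
    exposed = ALL_METHODS - protected_methods(params.get("service/protectedwebmethods"))
    for method in sorted(exposed):
        findings.append(f"web method {method} is callable without authentication")
    return sorted(findings)


# Constructed sample profiles (only the parameters relevant here).
WEAK_PROFILE = """\
# weak: default bind addresses, protection switched off
service/protectedwebmethods = NONE
"""

HARDENED_PROFILE = """\
# hardened: both ports restricted via the shared parameter, ALL protection
service/hostname = $(SAPLOCALHOST)
service/protectedwebmethods = ALL
"""

if __name__ == "__main__":
    for name, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(f"== {name} profile ==")
        for finding in audit_host_profile(profile):
            print("  -", finding)
```

Running it against the two constructed profiles lists twelve findings for the weak one (two open ports plus all ten SAPStartSrv methods) and three for the hardened one, namely the methods that stay unprotected even with ALL. To audit a real host, feed the content of /usr/sap/hostctrl/exe/host_profile to audit_host_profile().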

Which authentication methods are supported in general?

OS level authentication using Unix domain sockets or Windows named pipes,

Local Logon ticket (requested by web method RequestLogonFile),

Username and password,

Client certificate (X.509).

Which users are allowed to authenticate?

SAPHostCtrl has no user store of its own. Authentication relies on the users configured for access.

The user sapadm is always allowed to authenticate.

Additional OS users may be defined by the profile parameter ‘service/admin_users’.

OS user groups may also be defined by the profile parameter ‘service/admin_groups’.

Besides authentication with OS users, it is also possible to allow additional users to authenticate with X.509 client certificates. For this, the DN of their certificate has to be configured in the profile parameter ‘service/sso_admin_user_<xx>’.

Please note: This parameter also supports the wildcards ‘?’ and ‘*’, which have to be used carefully.
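Why the wildcards deserve care is easiest to see with a concrete check, so here is an added example (my own code, not SAP's) that evaluates which ‘service/sso_admin_user_<xx>’ entries a presented certificate DN would match and flags patterns that are broader than they look. The matching semantics are an assumption: the DN is compared as one string, ‘?’ matches a single character, ‘*’ any run of characters including ‘,’ and ‘=’, and spaces after commas are ignored. The configuration entries and certificate subjects are constructed.

```python
"""Evaluate service/sso_admin_user_<xx> wildcard patterns against client
certificate DNs and flag over-broad patterns.  Added example, not SAP code.
Assumed semantics: whole-DN string comparison, '?' = one character,
'*' = any run of characters (including ',' and '='), spaces after commas
ignored."""
import re

# Constructed sample configuration (not taken from a real host_profile).
SSO_ADMIN_USERS = {
    "service/sso_admin_user_00": "CN=lama-admin, OU=Basis, O=Example Corp, C=DE",
    "service/sso_admin_user_01": "CN=mon-*, OU=Monitoring, O=Example Corp, C=DE",
    "service/sso_admin_user_02": "CN=*, O=Example Corp, C=DE",
}


def normalize_dn(dn):
    """Canonical form used for comparison: RDNs joined by ',' without padding."""
    return ",".join(part.strip() for part in dn.split(","))


def pattern_to_regex(pattern):
    """Translate a DN pattern with '?' / '*' wildcards into an anchored regex."""
    parts = []
    for ch in normalize_dn(pattern):
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def dn_matches(pattern, dn):
    """True if the presented DN is accepted by the configured pattern."""
    return pattern_to_regex(pattern).match(normalize_dn(dn)) is not None


def matching_entries(config, dn):
    """Profile parameter names whose pattern accepts the presented DN."""
    return sorted(key for key, pattern in config.items() if dn_matches(pattern, dn))


def risky_patterns(config):
    """Flag patterns where an RDN value consists of wildcards only (it then
    matches any value and, for '*', also any number of additional RDNs) or
    where no CN is pinned at all."""
    findings = []
    for key, pattern in config.items():
        rdns = normalize_dn(pattern).split(",")
        if not any(r.startswith("CN=") for r in rdns):
            findings.append((key, "no CN attribute in pattern"))
        for rdn in rdns:
            attr, _, value = rdn.partition("=")
            if value and not value.replace("*", "").replace("?", ""):
                findings.append((key, f"{attr} value is wildcard-only: {rdn}"))
    return findings


if __name__ == "__main__":
    presented = [  # constructed client certificate subjects
        "CN=lama-admin, OU=Basis, O=Example Corp, C=DE",
        "CN=mon-host1, OU=Monitoring, O=Example Corp, C=DE",
        "CN=intern, OU=Anything, O=Example Corp, C=DE",
    ]
    for dn in presented:
        print(dn, "->", matching_entries(SSO_ADMIN_USERS, dn) or "no match")
    for key, reason in risky_patterns(SSO_ADMIN_USERS):
        print("review", key, ":", reason)
```

The third entry, ‘CN=*, O=Example Corp, C=DE’, looks as if it pinned the organisation, but because ‘*’ also swallows ‘,’ and ‘=’ it accepts every subject issued under that O regardless of OU, including the constructed ‘CN=intern’ certificate; the check reports it as wildcard-only. A pattern like ‘CN=mon-*’ keeps a literal prefix and is not flagged.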

What about authorisations?

While SAPHostCtrl opens up all web methods to authenticated users, most web methods require a subsequent authentication. For example:

    • web method ‘GetDatabaseStatus’ needs DB credentials to be present in the SAP Secure Store (located in /usr/sap/hostctrl/exe/<SID>/security/rsecssfs).
    • some web methods are proxied to SAPStartSrv (SAP Instance Agent), and that is why they have to be started with an OS user which is also allowed to authenticate at SAPStartSrv (SAP Instance Agent).
    • web method ‘ExecuteOperation’ even allows assigning a custom authentication to every configured operation.

What about the file http.server.settings?

SAPHostCtrl provides a mini web server which is utilised by some tools like SUM, SDA Deployment, etc.

These tools can be configured using /usr/sap/hostctrl/exe/config.d/http.server.settings (Windows: C:\Program Files\SAP\hostctrl\exe\config.d\http.server.settings).

This config file allows configuring authentication for these web applications based on their URL prefix.

The ‘authentication’ directive controls which additional users are allowed to authenticate. It can be used for OS level authentication, username and password authentication, as well as X.509 client certificate authentication for additional users.

Examples can be found at SDA Deployment Using SSO – Additional Topics – Community Wiki (