
Extended Security Settings for sapstartsrv - Common Indication

Common Indication occurs due to an Error in the Extended Security settings for sapstartsrv

Hello Experts,

What is the common indication that occurs due to an error in the extended security settings for sapstartsrv?

How can I get these inconsistencies eliminated or resolved?


Comments

  • 09 May 2016 1:32 pm Abhijeet Mudgal Helpful Answer

    The common indication that occurs due to an error in the extended security settings for sapstartsrv is that it allows the user to read the system information without requesting user authorization.

  • 09 May 2016 1:34 pm Rohit Mahajan Helpful Answer

    The user can follow the below given steps in order to eliminate the inconsistency or get the issue resolved.

    • Protecting additional Webservice methods: 927637 designates the choices that can be used to protect additional Webservice methods. As of 8.00, a more preventive default setting will be used. In this, the methods that remain unprotected are:
      • A few non-critical internal infrastructure methods
      • Methods that allow SAP MMC/MC to display an initial view
      • The general status of an SAP landscape

    All additional information requires authentication. There can be compatibility problems with Webservice clients in releases that have already been delivered. They may not react appropriately to the changes, and may assume the default setting implicitly. Therefore, the default setting should not be changed. To activate the new default configuration, after implementing a current sapstartsrv or kernel patch (640 patch 337, 700 patch 263, 701 patch 101, 710 patch 208, 711 patch 93, 720 patch 45), set the following in the default profile:

  • 09 May 2016 1:35 pm Abhijeet Mudgal Helpful Answer
    • Update all SAP MMC installations for a seamless changeover. Please note that only an existing SAP MMC (720 patch level 59 changelist 1179176) works appropriately if the changed default configuration is activated.
    • service/protectedwebmethods = SDEFAULT
    • Restart all sapstartsrv to activate the changes.
    • Set up SSO: The sapstartsrv supports single sign-on (SSO) that is based on the X.509 certificate from 720 and 640 patch 337, 700 patch 263, 701 patch 101, 710 patch 208, 711 patch 93. This prevents frequent entering of passwords and therefore helps in the daily work, particularly during the management of larger system landscapes. The criteria for this are that:
      • SAP SSL is configured on all instances of a system
      • The Webservice client can send a suitable client certificate for authentication.

    If HTTPS is activated in the "Security" properties of the MMC configuration, then 7.20 SAP MMC supports it. SAP MMC sends an (optional) client certificate to the sapstartsrv server if there is a suitable certificate available in the Windows My Certificate Store of the user. If the option "-prot WINHTTPS" is used, the Windows sapcontrol command line webservice client supports this. To set the subject DN of permitted administrators, you can use the profile parameter service/sso_admin_user_ in the default profile. In this, * and ? can be used as wildcards to specify a group of users, for example:

    • service/sso_admin_user_0 = CN=D??????, O=SAP-AG, C=DE
    • service/sso_admin_user_1 = CN=C??????, O=SAP-AG, C=DE
  • 09 May 2016 1:35 pm Abhijeet Mudgal Helpful Answer
    • After the configuration has been changed, all affected sapstartsrv must be restarted to activate the changes.
    • Restrict network access: Restricting the remote access via the network to ports 5XX13 / 5XX14 of the sapstartsrv agents to the lowest level required for the process is another option that is available.
    • Restricting the network access allows only the sapstartsrv instances of a system to communicate with each other, and the Webservice clients in use (SAP MMC, SAP MC, ...) from the computers from which they run (for example, an administrator's desktop PC).
    • Additionally, the existing sapstartsrv (as of 720 patch 45) offers the option to specify network ACL lists by using the profile parameters service/http/acl_file and service/https/acl_file. After the profile parameters are set or the ACL lists are changed, the affected sapstartsrv must be restarted to activate the changes.
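As an added illustration of the hardening steps listed in the answers above (not code from the thread or from SAP), the following script parses a default profile in `key = value` form, reports which of the three settings (service/protectedwebmethods = SDEFAULT, service/sso_admin_user_<n>, service/http(s)/acl_file) are missing, and checks a certificate subject DN against the sso_admin_user wildcard patterns. The sample profile is constructed, and the wildcard semantics (shell-style `*` and `?`, matched against the whole DN) are an assumption, since the thread only states that they are wildcards.

```python
"""Audit a sapstartsrv default profile for the hardening steps in the thread."""
import fnmatch
import re

# Constructed sample profile for illustration; not taken from a real system.
SAMPLE_PROFILE = """\
# constructed sample default profile
SAPSYSTEMNAME = XYZ
service/protectedwebmethods = DEFAULT
service/sso_admin_user_0 = CN=D??????, O=SAP-AG, C=DE
service/sso_admin_user_1 = CN=C??????, O=SAP-AG, C=DE
"""


def parse_profile(text):
    """Parse 'key = value' lines; '#' starts a comment, blank lines are skipped."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        params[key] = value
    return params


def audit_profile(params):
    """Return findings for each hardening step from the thread that is not applied."""
    findings = []
    if params.get("service/protectedwebmethods") != "SDEFAULT":
        findings.append("service/protectedwebmethods is not SDEFAULT: "
                        "web methods beyond the minimal set stay unauthenticated")
    if not any(k.startswith("service/sso_admin_user_") for k in params):
        findings.append("no service/sso_admin_user_<n> entries: "
                        "certificate SSO administrators are not restricted")
    for key in ("service/http/acl_file", "service/https/acl_file"):
        if key not in params:
            findings.append(f"{key} not set: no network ACL for the sapstartsrv web service")
    return findings


def sso_admin_allowed(params, subject_dn):
    """Check a client certificate subject DN against the sso_admin_user_<n> patterns.

    Assumption: '*' and '?' behave like shell wildcards and the pattern must
    match the whole DN string (case-sensitively)."""
    patterns = [v for k, v in params.items()
                if re.fullmatch(r"service/sso_admin_user_\d+", k)]
    return any(fnmatch.fnmatchcase(subject_dn, p) for p in patterns)
```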