SAP Note 1439348 - Extended security settings for sapstartsrv

Component : Startup Service - Host Agent

Solution : https://service.sap.com/sap/support/notes/1439348 (SAP Service marketplace login required)

Summary :
The SAPControl Webservice interface of sapstartsrv allows certain methods to be executed without user authentication, primarily those that do not alter system or instance status; this includes methods that return system configuration and status information. However, these methods can expose details that are potentially useful for identifying vulnerable system configurations. To mitigate this risk, the set of protected methods can be extended with the settings described in Note 927637. The default settings protect critical functions (e.g., start/stop), and additional protective measures become available after implementing specific kernel or sapstartsrv patches. The note also addresses Single Sign-On (SSO) using X.509 certificates, along with restricting network access via ACL files to minimize operational risks.

Key words :
solution protecting additional webservice methods note 927637 describes, sap mmc sdn home page https, windows sapcontrol commandline webservice client supports, sap mmc msi installation package, default profile service/protectedwebmethods = sdefault and restart, profile parameters service/http/acl_file, protect additional webservice methods, -critical internal infrastructure methods, pure network routing measures

Related Notes :

1552929
927637 Web service authentication in sapstartsrv as of Release 7.00