Introducing SAP Management Console: Concepts and General Considerations
The SAP Management Console (SAP MC) provides a common framework for centralized system management. It allows you to monitor and perform basic administration tasks on the SAP system centrally, which simplifies system administration.
This tool allows a user to perform several actions, such as the following:
- Start, Stop and register systems and instances
- Monitoring the application server
- See logs and traces files
- Enabling debugging
- Create, read, list and delete system snapshots.
- Launch deployed applications
- Display profile parameters values
- Execute OS commands
These functions can also be (and are) used by: SAPControl, SAP monitoring tools, SAP Solution Manager, among others.
Architecture
The SAP MC is a tool that uses the service ‘SAP Start Service’. This service is present in ABAP, JAVA and HANA stacks, and there is one ‘SAP Start Service’ per instance. This is an example of its location in a basic ABAP system:
Usages of the SAP MC
The SAP MC can be used through Web User Interface or with the WebService:
- Web User Interface: accessing through any browser that supports Java applet (Internet Explorer or Firefox ESR) in:
http://<sap_host>:<5xx13>
https://<sap_host>:<5xx14>
Where <xx> must be replaced for the instance number of your SAP system - Calling the SAP MC webmethods through SOAP Protocol.
Accessing to the SAP Management Console
Web User Interface
By accessing the Web User Interface through the previous mentioned links, this is the expected view:
By selecting the corresponding system ID (SID), and then the instance, a login window will prompt (remember that the username and password of the SAP MC are the same as the OS):
After logging in, all the previous detailed actions will be available to execute. In addition, specific ‘methods’ can also be executed in the SAP MC panel:
- Start, Stop or Restart the instance
- Display of logs and trace files
- Values of profile parameters, etc.
Also, more systems can be added in the same console, facilitating the administration of these from the same place.
WebService (SOAP protocol)
The SAP MC has a WebService with several webmethods that allows you to perform administrative tasks. These webmethods can be consumed through SOAP Protocol. There are many different SOAP tools available, you can consume the WebService of the SAP MC with any of those.
- The WSDL interface definition can be obtained directly from the web service in:
- http://<sap_host>:<5xx13>/?wsdl (NOT RECOMMENDED)
- https://<sap_host>:<<5xx14>/?wsdl (RECOMMENDED)
A set of webmethods in the SAP MC, such as Start, Stop or GetInstanceProperties, will be available to execute.
SAP MC Security Considerations
Web User Interface
An important security issue that should be always considered, is that SSL should always be enabled in the system and access the Management Console through HTTPS.
Accessing the SAP MC through HTTP(S), could lead into a potential Man In The Middle attack, stealing the credentials that you are using to interact with the SAP MC. It’s important to take into consideration that the credentials used to authenticate against the SAP MC are the system OS credentials, and the impact that it could have if stolen.
To securely manage access to this service, the following parameters need to be configured:
- service/http/acl_file
- service/https/acl_file
These parameters should be configured with the location of the ACL file. This file must contain the connection rules permitting and denying the access.
Localhost must always be added. If not, ‘sapcontrol’ command will fail. Below are some recommendations to keep in mind:
- Before configuring this parameter, perform all the necessary tests to avoid possible connection problems in a productive system with the monitoring systems.
- Set this parameter in the default profile, to protect all instances in the system.
- Be careful when allowing large ranges of IPs, as permission may be given to unwanted hosts.
WebService | SOAP: Protecting the Webmethods
All the webmethods of the SAP MC should be protected. If they aren’t protected, an attacker could perform administrative tasks, without any kind of authentication, being able to Start, Stop and even modify parameter values of your system, and fully compromise it.
The protection of the webmethods can be configured with the parameter ‘service/protectedwebmethods’. This parameter can be configured either with a separated list of webmethods (like ‘Start Stop etc’) or one of the four default sets [ ALL | SDEFAULT | DEFAULT | NONE ].
Also, it can be configured with a concatenation of possible values, mixing default sets with custom methods, for example:
- service/protectedwebmethods = SDEFAULT +Start +Stop -GetInstanceProperties (where the plus and minus signs means to add or remove a specific method of the default set used)
Additional examples
- service/protectedwebmethods = SDEFAULT +Start +Stop -GetInstanceProperties
- All methods defined in SDEFAULT, adding Start and Stop, and removing GetInstanceProperties.
- It’s always recommended to protect almost all, using SDEFAULT (service/protectedwebmethods=SDEFAULT).
- In releases >= 738 access to almost all methods of the Web service is protected by default (service/protectedwebmethods=SDEFAULT).
- In early releases only access to critical methods altering the instance state was protected by default (service/protectedwebmethods=DEFAULT).
At Onapsis, we are committed to providing our customers with the best recommendations and solutions for the security of their SAP systems. The Onapsis Platform has several modules to check all these critical configurations. Adequate protection of your SAP’s Management Console is important to protect the integrity of your system.
More Resources
-
The Log4j Vulnerability and The Impact on Business-Critical SAP Applications
-
The Elephant Beetle in the Room: Older, Unpatched SAP Vulnerabilities Are Still A Threat
