Everyone can access SAP host agent and trigger operations from remote locations by default.

When SAP Host Agent is installed, it is set up to accept connections from any host. As long as the authentication is valid, the host agent performs the triggered operation. This carries a high risk that parties who are not supposed to trigger operations that way can do so. Encrypting the connection does not prevent them from connecting.
There are two ways to secure connections to the SAP host agent. The first way is to bind the sapstartsrv service of the host agent to a specific IP address or hostname. Using an IP address is the recommended way, because a hostname can be switched to another IP address.

Option 1 binds host agent communication to a specific IP address or hostname. If your managed host has multiple network interfaces, for example a dedicated backup LAN, storage LAN and client LAN, but the host agent should only be triggered through the client network, option 1 is the right configuration. To bind the IP address or hostname, use the profile parameter service/hostname.
Specify the following value in the host_profile of the SAP Host Agent:
service/hostname = <host_name> or
service/hostname = <IP_Address>
After you have applied the profile parameter, restart the SAP Host Agent by executing the following command: /usr/sap/hostctrl/saphostexec -restart
SAP Host Agent should now bind only to the specified IP address.
You can verify the result on the command line level by using netstat.
On Linux, you can check this as follows:
Command: /usr/sap/hostctrl/exe# netstat -tlnp | grep 1128
Output: tcp 0 0 127.0.0.1:1128 0.0.0.0:* LISTEN 8013/sapstartsrv
You can see that only 127.0.0.1 is bound.

Option 2 works the other way around: you create an access control list (ACL) within the host agent profile. Based on this list, each host agent refuses or grants the connection. If you use this option, make sure to add all your SAP Landscape Management installations, for example the productive SAP Landscape Management, the standby SAP Landscape Management and maybe also your development SAP Landscape Management. Solution Manager might also be added to that ACL.
Specify the following value in the host_profile of the SAP Host Agent:
service/http/acl_file = <Path_to_an_ACL_file> or
service/https/acl_file = <Path_to_an_ACL_file> if you use HTTPS.
You can also set both values.
Example:
permit 10.1.2.0/24 # permit client network
permit 192.168.7.7 # permit server
permit 10.0.0.0/8 1 # screening rule (learning mode, trace-level 1)
deny 0.0.0.0/0 # deny the rest
Restart the SAP Host Agent by executing the following command:
/usr/sap/hostctrl/saphostexec -restart
The ACL file should be configured as specified in SAP Note 1495075. Information is published on the SAP site.
SAP Host Agent will still bind to all available addresses, but as soon as a client tries to connect, it is either refused or accepted according to the ACL file configuration.
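
Before restarting the host agent with a new ACL, it helps to check which management hosts it would admit. The following is an added example, not SAP code: it parses lines shaped like the ACL example above and reports required hosts that would be refused and rules that can never match. It assumes rules are evaluated top-down with the first match deciding and unmatched clients refused (confirm against SAP Note 1495075); the host names and addresses in REQUIRED are hypothetical.

```python
import ipaddress

# Constructed sample: the ACL shown on this page.
SAMPLE_ACL = """\
permit 10.1.2.0/24 # permit client network
permit 192.168.7.7 # permit server
permit 10.0.0.0/8 1 # screening rule (learning mode, trace-level 1)
deny 0.0.0.0/0 # deny the rest
"""
# Hypothetical management hosts that must reach the host agent.
REQUIRED = {"lama-prod": "10.1.2.15", "lama-standby": "192.168.7.7",
            "solman": "172.16.5.20"}

def parse_acl(text):
    """Parse lines shaped like the page's example: action, address[/mask], optional trace level."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue  # blank or comment-only line
        if fields[0] not in ("permit", "deny") or not 2 <= len(fields) <= 3:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        net = ipaddress.ip_network(fields[1], strict=False)
        rules.append((fields[0], net, lineno))
    return rules

def decide(rules, client):
    """Assumed semantics: first matching rule decides, no match is a deny."""
    addr = ipaddress.ip_address(client)
    for action, net, lineno in rules:
        if addr.version == net.version and addr in net:
            return action, lineno
    return "deny", None

def audit(rules, required):
    """List required hosts that are refused and rules that can never match."""
    findings = []
    for name, ip in required.items():
        action, lineno = decide(rules, ip)
        if action != "permit":
            findings.append(f"{name} ({ip}) refused by line {lineno}")
    for i, (_, net, lineno) in enumerate(rules):
        for _, earlier, earlier_line in rules[:i]:
            if net.version == earlier.version and net.subnet_of(earlier):
                findings.append(f"line {lineno} shadowed by line {earlier_line}")
                break
    return findings

if __name__ == "__main__":
    for finding in audit(parse_acl(SAMPLE_ACL), REQUIRED):
        print(finding)
```

With the sample ACL, the hypothetical Solution Manager address is refused by the final deny rule, which is the kind of omission the ACL paragraph above warns about.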