Port 1128: SAP Host Agent — The enterprise monitoring port that never sleeps

Port 1128 is where SAP systems listen for management commands. It's the HTTP endpoint for SAP Host Agent, a SOAP web service that monitors operating systems, discovers databases, and controls SAP instances across enterprise environments.

What Runs on Port 1128

SAP Host Agent uses port 1128 for unencrypted SOAP over HTTP communication.¹ The service runs on every SAP system and exposes web methods for lifecycle management tasks—OS monitoring, database discovery, instance control, and system provisioning.

Port 1129 carries the same traffic over HTTPS when encryption is required.²

The service exposes a WSDL (Web Services Description Language) file at http://<hostname>:1128/SAPHostControl/?wsdl that describes all available operations. Modern versions provide 49+ web methods that can be queried using the saphostctrl command-line tool.³

How It Works

SAP Host Agent is started by SAPStartSrv in Host mode, which binds to port 1128 and begins listening for SOAP requests. The service accepts commands like:

• Ping — Check if the agent is responding (unprotected by default)
• GetDatabaseStatus — Query database health and availability
• ListInstances — Discover SAP instances running on the host
• GetSystemInstanceList — Retrieve detailed instance information
• OSExecute — Run operating system commands (protected)

Most methods require authentication. The Ping method is intentionally left unprotected so monitoring systems can perform basic health checks without credentials.⁴

Client programs that interact with port 1128 include:

• saphostctrl (command-line client)
• sapcontrol (SAP control interface)
• SAP Solution Manager Diagnostics Agent
• SAP Landscape Management (LaMa)
• SAP Software Delivery Manager (SWDM)

The Evolution

SAP Host Agent replaced an earlier tool called SAPOSCOL (SAP Operating System Collector)—one of the most literally-named programs in enterprise software history.⁵ SAPOSCOL collected OS statistics for reporting and monitoring. The Host Agent does everything SAPOSCOL did, plus database monitoring, instance management, and provisioning.

The old collector hasn't disappeared. It still runs—but now it's managed by the Host Agent that replaced it. This is characteristic of enterprise systems: new layers wrap old layers, everything keeps running, nothing is ever truly removed.

Security Considerations

By default, SAPStartSrv binds port 1128 to all available network interfaces (0.0.0.0), making it accessible from any network the host is connected to.⁶

Known vulnerabilities:

• Unprotected Ping method reveals system information without authentication
• Some web methods have had privilege escalation vulnerabilities⁷
• SOAP over HTTP (port 1128) transmits credentials and data unencrypted

Best practices:

• Use port 1129 (HTTPS) instead of 1128 when possible
• Restrict network access to port 1128 using firewalls
• Monitor access logs for unauthorized queries
• Keep SAP Host Agent updated to patch known vulnerabilities
• Protect sensitive web methods with strong authentication

The service has been a target for security researchers because it exposes powerful OS-level operations over a network interface. SAP has progressively tightened default protections in newer versions.

Checking What's Listening

To see if SAP Host Agent is running on port 1128:

Linux/macOS:

lsof -i :1128
netstat -an | grep 1128
curl http://localhost:1128/SAPHostControl/?wsdl

Windows:

netstat -ano | findstr :1128

If you see SAPStartSrv or saphostctrl in the process list, SAP Host Agent is running. Accessing the WSDL URL will return XML describing the service interface if it's accessible.

Related Ports

• Port 1129 — SAP Host Agent over HTTPS (encrypted version of 1128)
• Port 3200-3299 — SAProuter (SAP's network routing service)
• Port 5##13 — SAP instance message server (## = instance number)
• Port 5##14 — SAP instance gateway service

Why This Port Matters

Port 1128 is how SAP administrators know what's happening inside their systems. When a database goes down at 3am, when an instance needs to be restarted, when system health needs to be checked before a deployment—those questions get answered through port 1128.

In enterprises running SAP, this port is never quiet. Monitoring systems ping it constantly. Management tools query it for inventory. Automation scripts call its methods to orchestrate deployments. It's the nervous system of SAP infrastructure—the channel through which administrators sense and control their systems.

The port carries SOAP, which feels almost quaint now. REST and gRPC have taken over most new development. But SAP systems run for decades. Port 1128 speaks SOAP because that's what was modern when the Host Agent was designed, and changing it would mean updating thousands of enterprise systems simultaneously. So SOAP it remains.