Port 1129: SAP Host Agent (Secure) — The encrypted management channel

Port 1129 is the HTTPS port for SAP Host Agent, a management tool that runs on every SAP system host. When SSL is configured, SAP Host Agent switches from port 1128 (HTTP) to port 1129 (HTTPS), encrypting all administrative communication.¹

What Runs on This Port

SAP Host Agent (also called SAPHostControl) uses port 1129 to provide secure SOAP web services for managing SAP systems. These services handle:

• Operating system monitoring
• SAP instance discovery and management
• Database discovery
• System inventory
• Host control operations

The agent exposes 42 web methods at https://<hostname>:1129/SAPHostControl/?wsdl and 91 web methods at https://<hostname>:1129/SAPControl/?wsdl.²

HTTP vs. HTTPS: Ports 1128 and 1129

Port 1128 sends SAP Host Agent traffic in plaintext. Port 1129 exists so that same traffic doesn't have to.

When you configure SSL for SAP Host Agent, the SAPStartSrv process binds to both ports by default:

• Port 1128: HTTP (unencrypted)
• Port 1129: HTTPS (encrypted with SSL/TLS)

The secure approach is to enable 1129 and disable 1128 entirely, forcing all administrative traffic through the encrypted channel.³

Why This Port Matters

SAP systems run critical business operations—financials, supply chain, human resources. The Host Agent provides administrative access to these systems. Traffic on port 1128 includes commands like starting and stopping SAP instances, reading system metrics, and querying databases.

Sending this traffic unencrypted means anyone on the network can read administrative commands and system details. Port 1129 encrypts the same operations, protecting both the data and the credentials used to authenticate.

Since SAP Host Agent 7.21 PL40, the agent can automatically generate a self-signed SSL certificate, making HTTPS configuration straightforward.²

Security Considerations

While port 1129 encrypts the connection, encryption alone doesn't prevent unauthorized access. SAP Host Agent supports access control lists (ACLs) that restrict which clients can connect:

• HTTP ACL: configured with service/http/acl_file
• HTTPS ACL: configured with service/https/acl_file

Even with SSL enabled on 1129, an improperly configured ACL can allow unauthorized connections.⁴

Organizations running SAP should:

1. Enable SSL and use port 1129
2. Disable port 1128 if unencrypted access isn't required
3. Configure ACLs to restrict access to trusted management tools
4. Use certificates signed by a trusted certificate authority rather than self-signed certificates in production

Checking What's Listening

On Linux or Unix systems:

# See if SAP Host Agent is listening on 1129
sudo netstat -tlnp | grep 1129

# Or with ss
sudo ss -tlnp | grep 1129

# Or with lsof
sudo lsof -i :1129

On Windows:

netstat -ano | findstr 1129

If you see a process listening on 1129, it's likely the SAP Host Agent with SSL enabled.

Related Ports

• Port 1128: SAP Host Agent (HTTP, unencrypted)
• Ports 5XX13-5XX14: SAP instance control ports (XX is the instance number)
• Port 3299: SAP System Management (SAP Management Console)