ICM: Binding ports < 1024 on UNIX


SAP notes

Refer to the following SAP notes:
  • 2354759 - Service not started in host <hostname/IP address>:<port> -- NIEMYHOST_VERIFY
  • 421359 - ICM: Binding ports < 1024 on UNIX

Cause

The SAP Web Dispatcher is configured to listen on port 443:
alemavt06:wd1adm 89> grep icm/server WD1_W03_alemavt06
icm/server_port_0 = PROT=HTTPS,PORT=443

When the SAP Web Dispatcher starts, the following error appears in the trace file:
alemavt06:wd1adm 73> tail -f dev_webdisp
...
[Thr 139928454227712] *** ERROR => NiIBindSocket: SiBind failed for hdl 25/sock 10
    (SI_EADDR_NAVAIL/13; I4; ST; 0.0.0.0:443) [nixxi.cpp    3831]
[Thr 139928454227712] *** ERROR => IcmBindService: You might not have the permissions to bind the service: alemavt06.alema.local:443 [icxxserv.c   3817]
[Thr 139928454227712] *** ERROR => IcmBindService: NiBuf2Listen failed for host alemavt06.alema.local:443 (rc=-16): NIEMYHOST_VERIFY [icxxserv.c   3822]
[Thr 139928454227712] *** WARNING => IcmAddService: Could not start service (rc=-1) PORT=443,PROT=HTTPS,TIMEOUT=60,PROCTIMEOUT=60,VCLIENT=1 [icxxserv.c   1311]
[Thr 139928454227712] IcmAddHiddenService: Hidden service WEBSOCKET started
[Thr 139928454227712] Started service PORT=8003,PROT=HTTP,TIMEOUT=60,PROCTIMEOUT=60

The SAP Web Dispatcher user cannot bind port 443 because on UNIX a process must have superuser privileges to bind ports below 1024.

Procedure


Log on as the root user.

Change to the SAP executable directory (CDEXE)
alemavt06:/usr/sap # cd /sapmnt/WD1/exe/uc/linuxx86_64

Check the existence of the binary "icmbnd.new"
alemavt06:/sapmnt/WD1/exe/uc/linuxx86_64 # ls -l | grep icmbnd
-rwxr-xr-x 1 wd1adm sapsys  2256990 Feb  6 20:28 icmbnd.new

Copy the binary from "icmbnd.new" to "icmbnd"
alemavt06:/sapmnt/WD1/exe/uc/linuxx86_64 # cp icmbnd.new icmbnd

Set the owner and permissions of "icmbnd" (owned by root with the setuid bit, executable only by root and the sapsys group)
alemavt06:/sapmnt/WD1/exe/uc/linuxx86_64 # chown root:sapsys icmbnd
alemavt06:/sapmnt/WD1/exe/uc/linuxx86_64 # chmod 4750 icmbnd

Check the new owner and permissions of "icmbnd"
alemavt06:/sapmnt/WD1/exe/uc/linuxx86_64 # ls -l | grep icmbnd
-rwsr-x--- 1 root   sapsys  2256990 Mar  6 13:59 icmbnd
-rwxr-xr-x 1 wd1adm sapsys  2256990 Feb  6 20:28 icmbnd.new

To prevent the ICM/SAP Web Dispatcher from attempting to bind the port itself, an additional option must be specified when the ports are configured with icm/server_port_: "EXTBIND=1".
alemavt06:wd1adm 91> grep icm/server WD1_W03_alemavt06
icm/server_port_0 = PROT=HTTPS,PORT=443, TIMEOUT=15, EXTBIND=1



Restart the SAP Web Dispatcher
alemavt06:wd1adm 92> stopsap ; startsap

Check the log
alemavt06:wd1adm 58> view dev_webdisp
...
[Thr 139773473732480] Started service PORT=443,PROT=HTTPS,TIMEOUT=15,PROCTIMEOUT=15,EXTBIND=1,VCLIENT=1
[Thr 139773473732480] SSL settings: verify_client: 1, cache_size: -1, cache_lifetime: -1, credfile: SAPSSLS.pse, ciphers: default
[Thr 139773235496704] IcmAddHiddenService: Hidden service WEBSOCKET started
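
The checks from the procedure above can be repeated after every kernel patch with a small script. This is an added example, not part of the original post or of SAP tooling: the function names check_icmbnd and check_profile are hypothetical, and the expected values (root, sapsys, mode 4750, EXTBIND=1) are the ones used in the steps above.

```shell
#!/bin/sh
# Added example: audit the icmbnd helper and the port configuration.
# Defaults (root, sapsys, mode 4750) are taken from the procedure above.

# check_icmbnd FILE [OWNER] [GROUP]: succeed only if FILE has exactly
# mode 4750 and the expected owner and group (uses GNU stat, as on Linux).
check_icmbnd() {
    file=$1; owner=${2:-root}; group=${3:-sapsys}
    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    actual=$(stat -c '%U:%G %a' "$file") || return 1
    if [ "$actual" != "$owner:$group 4750" ]; then
        echo "unexpected owner/mode on $file: $actual"
        return 1
    fi
}

# check_profile FILE: print every icm/server_port_ entry that uses a port
# below 1024 without EXTBIND=1; succeed only if there is none.
check_profile() {
    awk '
        /^[ \t]*icm\/server_port_/ {
            line = $0
            sub(/^[^=]*=/, "", line)       # keep only the option list
            gsub(/[ \t]/, "", line)        # options may be space-separated
            port = ""; extbind = 0
            n = split(line, opt, ",")
            for (i = 1; i <= n; i++) {
                if (opt[i] ~ /^PORT=[0-9]+$/) port = substr(opt[i], 6)
                if (opt[i] == "EXTBIND=1")    extbind = 1
            }
            if (port != "" && port + 0 < 1024 && !extbind) {
                print "port " port " needs EXTBIND=1: " $0
                bad = 1
            }
        }
        END { exit bad }
    ' "$1"
}
```

Source the file and call, for example, check_icmbnd /sapmnt/WD1/exe/uc/linuxx86_64/icmbnd and check_profile WD1_W03_alemavt06; both return a non-zero status when a finding is printed.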
