icm/server_port_<xx>

The SAP ICM server port or SAP Web Dispatcher server port is configured with profile parameter icm/server_port_<xx>. The following services are also configured with it: TIMEOUT, PROCTIMEOUT, EXTBIND, HOST, SSLCONFIG, VCLIENT, ACLFILE, MIN_RECEIVE_RATE, CHECK_RECEIVE_RATE_AFTER, and MAX_RECEIVE_TIMEOUT.

The parameter cannot be changed dynamically in transaction RZ11. However, the server ports can still be configured using the ICM monitor (transaction SMICM) or the Web administration interface and the tools of the SAP start service.

icm/server_port_<xx> is a generic profile parameter. Generic profile parameters are used to specify several items, for example, different ports on which a software component is to receive requests. The index <xx> stands for a number without a leading 0. The indexes do not need to be used in ascending order. For example, you are allowed to configure icm/server_port_2 only.

Syntax of the Character String

The character string has the following syntax:

PROT=<Protocol name>, PORT=<port or service name>[, TIMEOUT=<timeout>, PROCTIMEOUT=<proctimeout>, EXTBIND=1, HOST=<host name>, SSLCONFIG=ssl_config_<xx>, VCLIENT=<SSL client verification>, ACLFILE=<ACL file>, MIN_RECEIVE_RATE=<transfer rate in size and time>, CHECK_RECEIVE_RATE_AFTER=<time in seconds after which the request rate check is to start>, MAX_RECEIVE_TIMEOUT=<maximum time that a request is allowed to take>]

Supported Protocols

Protocols supported with AS ABAP:

HTTP, HTTPS, SMTP

Protocols supported for AS Java:

HTTP, HTTPS, P4, P4SEC, IIOP, IIOPSEC, TELNET

Protocols supported for ABAP and Java (DUAL):

HTTP, HTTPS, SMTP, P4, P4SEC, IIOP, IIOPSEC, TELNET

Protocols supported for SAP Web Dispatcher

HTTP, HTTPS

Tip

The WebSocket protocol is supported by default. This default setting can be deactivated with profile parameter icm/HTTP/support_websocket_upgrade=FALSE.

Note

You must also configure SSL support of the application server.

Default Values

Caution

You cannot see these default values in the profile. If you make changes in the profile, you have to overwrite the default values by setting the relevant parameters, or add further ports with the next available number.

If you want to deactivate one of the SAP predefined values of icm/server_port_<xx>, set an empty value in the profile:
Example icm/server_port_1 =“

If you want to set values that differ from the default values, you must always specify the protocol to be used (PROT) and the service name or port number (PORT); the other services (TIMEOUT, EXTBIND, and so on) are optional.

Unlike with the SAP Internet Communication Manager, there are no default values with the SAP Web Dispatcher.

Default Values AS ABAP

icm/server_port_0 = PROT=HTTP , PORT=0 , TIMEOUT=30 , PROCTIMEOUT=60

icm/server_port_1 = PROT=SMTP , PORT=0 , TIMEOUT=120 , PROCTIMEOUT=120

Outbound connections across HTTP and SMTP are possible with default values, but no ports for inbound connections are open.

Default Values AS Java

icm/server_port_0 = PROT=HTTP , PORT=5$(SAPSYSTEM)00, TIMEOUT=60 , PROCTIMEOUT=600

icm/server_port_1 = PROT=P4 , PORT=5$(SAPSYSTEM)04

icm/server_port_2 = PROT=IIOP, PORT=5$(SAPSYSTEM)07

icm/server_port_3 = PROT=TELNET , PORT=5$(SAPSYSTEM)08, HOST=localhost

Default Values with ABAP and Java (Dual)

icm/server_port_0 = PROT=HTTP , PORT=5$(SAPSYSTEM)00 , TIMEOUT=30 , PROCTIMEOUT=60

icm/server_port_1 = PROT=P4 , PORT=5$(SAPSYSTEM)04

icm/server_port_2 = PROT=IIOP, PORT=5$(SAPSYSTEM)07

icm/server_port_3 = PROT=TELNET , PORT=5$(SAPSYSTEM)08, HOST=localhost

icm/server_port_4 = PROT=SMTP , PORT=0 , TIMEOUT=120 , PROCTIMEOUT=120

Note

Note that the value 0 for PORT means that no port is opened for inbound connections for the specified protocol. For security reasons, ports for inbound connections must be explicitly configured.

Other Services

You can also define the following services:

Service Description
PORT

With option PORT you can specify the port by its number or service name. Precisely one service can be bound on any one port.

If another program already uses the port or service, the service cannot be started. It is not allowed for multiple services to be linked on one port.

TIMEOUT

The keep-alive timeout specifies how long the network connection remains open once the request has been successfully processed. This means that the TCP/IP connection may not have to be set up again for further requests that may arrive. Note that if you configure the timeout in parameter icm/server_port_<xx>, you override the specifications made in parameter icm/keep_alive_timeout.

PROCTIMEOUT

Processing timeout for communicating with the back end (work process). The processing timeout specifies the timeout between sending an HTTP request and receiving an HTTP response.

EXTBIND

To bind port numbers smaller than 1024 on UNIX, use option EXTBIND=1. The external binding program runs under the root user, and is authorized to bind these ports.

HOST

You can use the optional parameter HOST=<computer name or IP address> to specify that the port should not be bound to all host names (default), but only to the specified host. In this way the host with only one open port can be reached under various URLs.

SSLCONFIG

If you have used parameter icm/ssl_config_<xx> to define the SSL configuration, you have to set option SSLCONFIG to value ssl_config_<xx>.

Make sure that you set <xx> in accordance with parameter icm/ssl_config_<xx> - see example D.

VCLIENT

With optional parameter VCLIENT you can specify whether the client should have an X.509 certificate when you use SSL. There are three verification levels:

0: No certificate is required and the server does not ask for one.

1: The server asks the client to transfer a certificate. If the client does not send a certificate, authentication is carried out by another method, for example, HTTP BASIC authentication (see RFC 2617) (see default values).

2: The client must transfer a valid certificate to the server, otherwise access is denied. Note that this server-specific value overrides the value set with parameter icm/HTTPS/verify_client.

ACLFILE

Option ACLFILE specifies the file that is used as the access control list (ACL). If the profile parameter is set, the file must exist and its syntax be correct.

MIN_RECEIVE_RATE

Specifies the minimum data rate. The transfer rates are configured as pairs of from_size (in kbytes) and min_rate (in kbytes/sec). The first from_size parameter is set to "0". A maximum of three transfer rates can be configured. The transfer rates must be assigned in ascending order and be separated by semicolons. There is no default value.

CHECK_RECEIVE_RATE_AFTER

When a connection (e.g. TCP/IP connection) is first being established, it may be very slow to open. For this reason, the data rate check can only be started after a predefined time set in seconds. The default value is five seconds.

MAX_RECEIVE_TIMEOUT

The maximum time in seconds that a connection is allowed to remain open can be configured. There is no default value.

Note

Slowloris is a special type of denial-of-service (DoS) attack used for blocking the availability of a Web server or application server. It is generally difficult to fend off this type of attack. To keep the application server available even while it is under a Slowloris attack, the three subparameters below have been implemented in parameter icm/server_port_<xx>. You can use them to link specific conditions to the data rate of a request.

  • MIN_RECEIVE_RATE
  • CHECK_RECEIVE_RATE_AFTER
  • MAX_RECEIVE_TIMEOUT

Example

Below are four examples of the possible configuration:

Example A: PROT=HTTP, PORT=8080, TIMEOUT=15

Opens port 8080 for HTTP requests and closes the network connection after 15 seconds if there is no activity.

Example B: PROT=HTTP, PORT=80, TIMEOUT=45, EXTBIND=1, HOST=prd.sap.de

Opens port 80 for HTTP requests and closes the network connection after 45 seconds if there is no activity. Since port 80 under UNIX can only be bound by the user root, the external binding program is activated. The port is bound only to the host name prd.sap.de.

Example C: PROT=HTTPS, PORT=443, TIMEOUT=15, PROCTIMEOUT=45, VCLIENT=0

Opens port 443 for HTTPS requests and closes the network connection after 15 seconds if there is no activity. The timeout for processing in the back end is 45 seconds. The server does not ask the client to transfer a certificate.

Example D: PROT=HTTPS, PORT=8444, SSLCONFIG=ssl_config_0

Opens port 8444 for HTTPS requests and uses the SSL configuration defined in parameter icm/ssl_config_0.
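
The following is an added example, not SAP code and not part of the original page: a small Python auditor that parses icm/server_port_<xx> entries using the syntax described above and flags points this page raises (mandatory PROT and PORT, index without a leading 0, PORT=0, ACLFILE, and the slow-request subparameters). The cleartext-protocol policy, the ACL path, the MAX_RECEIVE_TIMEOUT value and the misspelled entry in the sample are constructed assumptions.

```python
import re

# Option names listed on this page for icm/server_port_<xx>.
KNOWN = {"PROT", "PORT", "TIMEOUT", "PROCTIMEOUT", "EXTBIND", "HOST",
         "SSLCONFIG", "VCLIENT", "ACLFILE", "MIN_RECEIVE_RATE",
         "CHECK_RECEIVE_RATE_AFTER", "MAX_RECEIVE_TIMEOUT"}
# Assumed review policy (not an SAP rule): protocols that carry no SSL.
CLEARTEXT = {"HTTP", "SMTP", "P4", "IIOP", "TELNET"}
ENTRY = re.compile(r"^\s*icm/server_port_(\d+)\s*=(.*)$")

def parse_options(value):
    """Turn 'PROT=HTTP, PORT=8080' into {'PROT': 'HTTP', 'PORT': '8080'}."""
    pairs = (item.partition("=") for item in value.split(",") if item.strip())
    return {key.strip().upper(): val.strip() for key, _, val in pairs}

def check_entry(index, opts):
    """Findings for one entry, following the rules stated on this page."""
    issues = []
    if len(index) > 1 and index.startswith("0"):
        issues.append("index has a leading 0")
    if not opts:
        return issues  # empty value: predefined port is deactivated
    issues += ["unknown option " + key for key in sorted(set(opts) - KNOWN)]
    if "PROT" not in opts or "PORT" not in opts:
        return issues + ["PROT and PORT are both mandatory"]
    if opts["PORT"] == "0":
        return issues  # PORT=0: no inbound port is opened
    if opts["PROT"].upper() in CLEARTEXT:
        issues.append("cleartext " + opts["PROT"].upper() + " accepts inbound connections")
    if "ACLFILE" not in opts:
        issues.append("no ACLFILE (access control list) set")
    if not {"MIN_RECEIVE_RATE", "MAX_RECEIVE_TIMEOUT"} & set(opts):
        issues.append("no MIN_RECEIVE_RATE or MAX_RECEIVE_TIMEOUT limit on slow requests")
    return issues

def audit_profile(text):
    """Return (parameter, finding) pairs for all server port entries in a profile."""
    findings = []
    for match in filter(None, map(ENTRY.match, text.splitlines())):
        name, opts = "icm/server_port_" + match.group(1), parse_options(match.group(2))
        findings += [(name, issue) for issue in check_entry(match.group(1), opts)]
    return findings

# Constructed sample profile; entries 0 and 2 build on examples A and D above.
SAMPLE = """\
icm/server_port_0 = PROT=HTTP, PORT=8080, TIMEOUT=15
icm/server_port_1 = PROT=SMTP, PORT=0, TIMEOUT=120, PROCTIMEOUT=120
icm/server_port_2 = PROT=HTTPS, PORT=8444, SSLCONFIG=ssl_config_0, ACLFILE=/constructed/acl.txt, MAX_RECEIVE_TIMEOUT=60
icm/server_port_03 = PORT=8081, TIMOUT=30
"""
```

Calling audit_profile(SAMPLE) reports the open HTTP port and the malformed entry, while the PORT=0 default and the HTTPS entry with an ACL file and a receive timeout produce no findings.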