Binding Ports Lower Than 1024 on UNIX

Use

With the Internet Communication Manager (ICM) you can also bind ports with numbers from 0 up to and including 1023 (well-known ports) on Unix systems. The external binding program icmbnd, which is included in the standard delivery, is used for this.

Usually the ICM itself binds the ports. If you want to use icmbnd to bind configured ports, change the parameter specification for icm/server_port_<xx> in the profile (transaction RZ11).

icm/server_port_<xx> = PROT=<protocol>, PORT=<Port>, TIMEOUT=<timeout>, EXTBIND=1

Integration

On Unix systems only users with superuser authorizations can bind ports with numbers lower than 1024. For this reason either the ICM process must be provided with these authorizations, or the port must be bound by an external program and then the listen socket transferred to the ICM.

Prerequisites

For Release 6.10 you need a kernel patch level higher than 37. You can find out the patch level of your kernel at operating system level using dw -V or icman -V.

Functions

For security reasons the ICM should run with the standard authorizations of the <sid>adm SAP System user. With these authorizations all ports higher than 1023 can be bound, provided they are not already bound by another program. To bind ports lower than 1024, the ICM starts icmbnd directly; icmbnd binds the port and forwards the listen socket to the ICM. For this, icmbnd must be owned by root and have the setuid bit set (mode 4755), so that it runs with superuser authorizations:

chown root icmbnd

chmod 4755 icmbnd

Activating External Binding

To ensure the ICM itself does not attempt to bind the port, you specify an additional option when you are configuring ports with icm/server_port_<xx>: EXTBIND=1

The format of this parameter is:

PROT=<protocol name>, PORT=<port or service name> [, TIMEOUT=<keep alive timeout>, EXTBIND=1]

TIMEOUT and EXTBIND are optional.

Example

icm/server_port_1 = PROT=HTTP, PORT=8080, TIMEOUT=30, EXTBIND=1
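
The following check is an added example, not part of the SAP documentation or of any SAP tool. It parses icm/server_port_<xx> lines in the format shown above, reports ports lower than 1024 that are configured without EXTBIND=1, and compares the owner and mode of icmbnd with the chown/chmod settings given under Functions. The profile lines, the service-name map, the function names and the stat values are constructed assumptions.

```python
import re
import stat

# Constructed sample profile lines (not taken from a real system).
SAMPLE_PROFILE = """\
icm/server_port_0 = PROT=HTTP, PORT=8080, TIMEOUT=30
icm/server_port_1 = PROT=HTTP, PORT=80, TIMEOUT=30, EXTBIND=1
icm/server_port_2 = PROT=HTTPS, PORT=443
icm/server_port_3 = PROT=SMTP, PORT=SMTP, TIMEOUT=60
"""

WELL_KNOWN = {"http": 80, "https": 443, "smtp": 25, "nntp": 119}  # assumed inline service map
LINE_RE = re.compile(r"^\s*(icm/server_port_\d+)\s*=\s*(.+)$")

def parse_ports(profile_text):
    """Return {parameter: {OPTION: value}} for each icm/server_port_<xx> line."""
    ports = {}
    for line in profile_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pairs = (kv.split("=", 1) for kv in m.group(2).split(",") if "=" in kv)
            ports[m.group(1)] = {k.strip().upper(): v.strip() for k, v in pairs}
    return ports

def audit_ports(profile_text):
    """Flag ports below 1024 that the ICM would try to bind itself."""
    findings = []
    for name, opts in sorted(parse_ports(profile_text).items()):
        raw = opts.get("PORT", "")
        # PORT is a number or a service name; unknown names resolve to None.
        port = int(raw) if raw.isdigit() else WELL_KNOWN.get(raw.lower())
        if port is None:
            findings.append((name, "PORT not resolved, check manually"))
        elif port < 1024 and opts.get("EXTBIND") != "1":
            findings.append((name, f"port {port} < 1024 without EXTBIND=1"))
    return findings

def audit_icmbnd(st_uid, st_mode):
    """Compare os.stat() values of icmbnd with chown root / chmod 4755."""
    findings = []
    if st_uid != 0:
        findings.append("owner is not root")
    mode = stat.S_IMODE(st_mode)
    if mode != 0o4755:
        findings.append(f"mode is {mode:o}, expected 4755")
    return findings

if __name__ == "__main__":
    print(audit_ports(SAMPLE_PROFILE))
    print(audit_icmbnd(1001, 0o100755))  # constructed stat values
```

On a real system, pass the contents of the instance profile to audit_ports and the st_uid and st_mode values from os.stat() on the icmbnd executable to audit_icmbnd.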

 


Binding Program icmbnd

icmbnd is the ICM help program for binding ports.

Parameters

This program has the following parameters:

| Parameter | Description | Optional/mandatory |
|---|---|---|
| -S <server port> | ICM administration port via which the listen socket of icmbnd is transferred to the ICM. | Mandatory |
| -l <listen port> | Port that is to be bound by icmbnd. This can be a port number or a port name (for example, HTTP, SMTP, NNTP). | Mandatory |
| -p <protocol> | Protocol specification for the port you want to bind (for example, HTTP, HTTPS, SMTP). | Mandatory |
| -k <keep alive> | Specification of the keep alive timeout (in seconds) for the port you want to bind. If this parameter is not specified, the ICM standard value is used. | Optional |
| -t <trace level> | Specification of trace level (1-3). Standard value is 1. | Optional |
| -f <trace file> | Name of the trace file to be used. Standard value is dev_icmbnd. | Optional |

Error Messages

The following errors may occur and are logged by icmbnd:

A required argument has not been entered in the command field.

An invalid argument has been entered.

One of the (mandatory) options -S, -l or -p has not been specified.

A connection to the ICM on the port given in argument -S <server port> could not be created. Check the specification of parameter -S <server port>.

The listen port could not be bound. Either the authorizations for binding ports are missing or the port is already bound by another program.

The listen socket could not be transferred to the ICM (communication error).

See also:

For more information see the following pages:

chown, chmod, getuid, setreuid, seteuid, setfsuid

 

 

 
