Binding Ports Lower Than 1024 on UNIX

Use

With the Internet Communication Manager (ICM) / SAP Web dispatcher you can also bind ports with numbers from 0 up to and including 1023 (well-known ports) on Unix systems. The external binding program icmbnd, which is included in the standard delivery, is used for this.

Usually the ICM / Web dispatcher itself binds the ports. If you want to use icmbnd to bind configured ports, change the parameter specification for icm/server_port_<xx> in the profile (transaction RZ11).

icm/server_port_<xx> = PROT=<protocol>, PORT=<Port>, TIMEOUT=<timeout>, EXTBIND=1

Integration

On Unix systems only users with superuser authorizations can bind ports with numbers lower than 1024. For this reason either the ICM process must be provided with these authorizations, or the port must be bound by an external program and then the listen socket transferred to the ICM.

Features

For security reasons the ICM should run with the standard authorizations of the <sid>adm SAP System user. With these authorizations all ports higher than 1023 can be bound, provided they are not already bound by another program. To bind ports lower than 1024, the ICM starts icmbnd directly; icmbnd binds the port and forwards the listen socket to the ICM. icmbnd must have the following superuser authorizations:

chown root:sapsys icmbnd

chmod 4750 icmbnd            

With the command ls -al you can see the authorizations for icmbnd. They should look like:

-rwsr-x---   1 root     sapsys   1048044 Mar 20 16:19 icmbnd

Activating External Binding

To ensure that the ICM itself does not attempt to bind the port, specify the additional option EXTBIND=1 when you configure the port with icm/server_port_<xx>.

The format of this parameter is:

PROT=<protocol name>, PORT=<port or service name> [, TIMEOUT=<keep alive timeout>, EXTBIND=1]

TIMEOUT and EXTBIND are optional.

icm/server_port_1 = PROT=HTTP, PORT=8080, TIMEOUT=30, EXTBIND=1

Usually icmbnd is called directly from the ICM, though the program can also be called from external systems to make new ports known to the ICM. icmbnd can also be used to bind ports >= 1024, but then the startup time of the ICM is longer.

icmbnd is also available for Windows. As the user <sid>adm can bind any number of ports on this system, there is no need to use icmbnd there.
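The two settings described above (the icmbnd authorizations and the EXTBIND=1 option) can be checked together. The following is an added example, not SAP code: it parses icm/server_port_<xx> lines and reports ports below 1024 that lack EXTBIND=1, and compares a file mode and owner with chown root:sapsys / chmod 4750. The function names and the sample profile are constructed for illustration.

```python
import re
import stat

# Constructed sample profile lines (not taken from a real system).
SAMPLE_PROFILE = """\
icm/server_port_0 = PROT=HTTP, PORT=80, TIMEOUT=30, EXTBIND=1
icm/server_port_1 = PROT=HTTPS, PORT=443, TIMEOUT=30
icm/server_port_2 = PROT=HTTP, PORT=8080
icm/server_port_3 = PROT=SMTP, PORT=smtp, EXTBIND=1
icm/server_port_4 = PROT=HTTP, PORT=http
"""

PORT_LINE = re.compile(r"^\s*(icm/server_port_\d+)\s*=\s*(.+)$")

def parse_server_ports(profile_text):
    """Yield (parameter name, {OPTION: value}) for each icm/server_port_<xx> line."""
    for line in profile_text.splitlines():
        m = PORT_LINE.match(line)
        if not m:
            continue  # other parameters and commented-out lines are ignored
        opts = {}
        for item in m.group(2).split(","):
            key, _, value = item.partition("=")
            opts[key.strip().upper()] = value.strip()
        yield m.group(1), opts

def audit_ports(profile_text):
    """Return (name, finding) for ports the unprivileged ICM cannot bind itself."""
    findings = []
    for name, opts in parse_server_ports(profile_text):
        port = opts.get("PORT", "")
        if opts.get("EXTBIND") == "1":
            continue  # icmbnd binds this port, whatever its number
        if not port.isdigit():
            findings.append((name, f"PORT={port} is a service name; check whether it resolves below 1024"))
        elif int(port) < 1024:
            findings.append((name, f"PORT={port} is below 1024 but EXTBIND=1 is missing"))
    return findings

def audit_icmbnd_mode(st_mode, owner, group):
    """Compare icmbnd's mode and owner with chmod 4750 and chown root:sapsys."""
    mode = stat.S_IMODE(st_mode)
    problems = []
    if mode != 0o4750:
        problems.append(f"mode is {mode:04o}, expected 4750")
    if (owner, group) != ("root", "sapsys"):
        problems.append(f"owner is {owner}:{group}, expected root:sapsys")
    return problems
```

To check a real file, pass audit_icmbnd_mode the st_mode from os.stat() on the icmbnd path and resolve st_uid and st_gid with pwd.getpwuid() and grp.getgrgid().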

Binding Program icmbnd

icmbnd is the ICM help program for binding ports.

icmbnd -S <server port> -l <listen port> -p <protocol> [-k <keep alive> -t <trace level> -f <trace file>] -v[ersion]

icmbnd can, of course, also be used for connecting ports >= 1024. The startup time of the ICM will then be longer. icmbnd is also available for Windows. As the user <SID>adm can bind any number of ports on this system, there is no need to use icmbnd there.

So that the executable icmbnd can be found, one of the two parameters SAPSYSTEMNAME and exe/icmbnd (the file path for icmbnd is the same as for exe/icman) must be set in the profile. Alternatively, you can set the variable DIR_EXECUTABLE (see Example: Profile File of an SAP Web Dispatcher).

Parameters

This program has the following parameters:

| Parameter | Description | Optional/mandatory |
|---|---|---|
| -S <server port> | ICM administration port via which the listen socket of icmbnd is transferred to the ICM. | Mandatory |
| -l <listen port> | Port that is to be connected by icmbnd. This can be a port number or a port name (for example, HTTP, SMTP, NNTP). | Mandatory |
| -p <protocol> | Protocol specification for the port you want to bind (for example, HTTP, HTTPS, SMTP). | Mandatory |
| -k <keep alive> | Specification of the keep alive timeout (in seconds) for the port you want to bind. If this parameter is not specified, the ICM standard value is used. | Optional |
| -t <trace level> | Specification of trace level (1-3). The standard value is 1. | Optional |
| -f <trace file> | Name of the trace file to be used. Standard value is dev_icmbnd. | Optional |
| -v [version] | icmbnd outputs the current version information and then terminates. | Optional |

Error Messages

The following errors may occur and are logged by icmbnd:

- Missing argument for option <option>

  A required argument has not been entered in the command field.

- Illegal option <option>

  An invalid argument has been entered.

- Missing values for service, listen port or protocol

  One of the (mandatory) options -S, -l or -p has not been specified.

- IcmConnect to port %d failed (rc=%d)

  A connection to the ICM on the port given in argument -S <server port> could not be created. Check the specification of parameter -S <server port>.

- NiBuf2Listen failed(rc=%d)

  The listen port could not be bound. Either the authorizations for binding ports are missing or the port is already bound by another program.

- IcmBndSendHdl failed (rc = %d)

- NiSendHandle failed (rc = %d)

  The listen socket could not be transferred to the ICM (communication error).

See also:

For more information see the following pages:

chown, chmod, getuid, setreuid, seteuid, setfsuid