SAP Basis Basics Part 21
Binding ports < 1024 on UNIX
With the Internet Communication Manager (ICM) / SAP Web Dispatcher you can also bind privileged ports on UNIX with port numbers 0 up to and including 1023 (“well known ports”). The external binding program icmbnd is also delivered.
In the standard case, the ICM / Web Dispatcher binds the ports itself. If configured ports are to be bound by icmbnd, use the EXTBIND=1 option in the parameter specification for icm/server_port_<xx> in the profile.
On a UNIX system, only users with superuser (“root”) privileges can bind ports < 1024. Therefore, either the ICM process must be granted these rights, or the port must be bound by an external program and the listen socket then transferred to the ICM.
For security reasons, the ICM should run with the standard permissions of the <sid>adm user of the SAP system. With these permissions, all ports > 1023 can be bound, provided they are not already bound by another program. In order to be able to bind ports < 1024, icmbnd is started directly by the ICM, the port is bound by icmbnd and the listen socket is passed on to the ICM. To do this, icmbnd must be given the following superuser permissions (root ownership plus the setuid bit):
chown root:sapsys icmbnd
chmod 4750 icmbnd
You can then use the ls -al command to see the permissions for icmbnd. They should look like this:
-rwsr-x--- 1 root sapsys 1048044 Mar 20 16:19 icmbnd
To prevent the ICM from trying to bind the port itself, specify an additional option when configuring the ports with icm/server_port_<xx>: EXTBIND=1
The format for this parameter therefore has the form:
PROT=<protocol>, PORT=<port / service> [, TIMEOUT=<keepalive timeout>, EXTBIND=1]
TIMEOUT and EXTBIND are optional.
From release 7.10 the icmbnd program is delivered under the name icmbnd.new. This prevents the root-owned icmbnd from being overwritten by a version without root rights every time a kernel patch is applied. When installing the kernel for the first time, icmbnd.new must be copied once to icmbnd and given the necessary (root) rights as described above.
The icmbnd with superuser permissions must be created on each application server in the local executable directory (DIR_EXECUTABLE), because the superuser permissions (root ownership and setuid bit) are lost when the executables are copied from the central executable directory to the local directory.
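The following audit script is an added example, not part of the original article or of SAP's delivery. It checks on one application server the two requirements described above: that icmbnd in DIR_EXECUTABLE is root:sapsys with mode 4750, and that every icm/server_port_<xx> entry for a port below 1024 carries EXTBIND=1. It assumes GNU coreutils stat (Linux) and takes the file and profile paths from the caller.

```shell
#!/bin/sh
# Added audit script (not from SAP or the original article). It checks the two things the
# text requires on every application server: icmbnd in DIR_EXECUTABLE is root:sapsys with
# mode 4750, and every icm/server_port_<xx> entry for a port < 1024 carries EXTBIND=1.
# Assumption: GNU coreutils stat (Linux); the profile path is supplied by the caller.

# Print the octal mode (including the setuid bit) of a file, e.g. 4750.
icmbnd_mode() { stat -c '%a' "$1"; }

# Return 0 only if FILE is root:sapsys with mode 4750; report each deviation otherwise.
check_icmbnd_perms() {
    file="$1" rc=0
    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    mode=$(icmbnd_mode "$file")
    owner=$(stat -c '%U:%G' "$file")
    [ "$mode" = "4750" ] || { echo "$file: mode $mode, expected 4750 (chmod 4750)"; rc=1; }
    [ "$owner" = "root:sapsys" ] || { echo "$file: owner $owner, expected root:sapsys"; rc=1; }
    return $rc
}

# Scan an instance profile: every icm/server_port_<xx> line whose PORT is a number
# below 1024 must contain EXTBIND=1, otherwise the ICM would try to bind it as <sid>adm.
# Lines that use a service name instead of a number are skipped (not resolved here).
check_profile_extbind() {
    awk '
        BEGIN { bad = 0 }
        /^[[:space:]]*icm\/server_port_[0-9]+[[:space:]]*=/ {
            u = toupper($0); port = ""
            if (match(u, /PORT=[[:space:]]*[0-9]+/)) {
                port = substr(u, RSTART, RLENGTH); sub(/PORT=[[:space:]]*/, "", port)
            }
            if (port != "" && port + 0 < 1024 && u !~ /EXTBIND=1/) {
                print "privileged port without EXTBIND=1: " $0; bad = 1
            }
        }
        END { exit bad }' "$1"
}

# Demo on a constructed profile (sample data, not from a real system).
demo_profile=$(mktemp)
cat > "$demo_profile" <<'EOF'
icm/server_port_0 = PROT=HTTP, PORT=80, EXTBIND=1
icm/server_port_1 = PROT=HTTPS, PORT=443
icm/server_port_2 = PROT=HTTP, PORT=8000
EOF
check_profile_extbind "$demo_profile" && echo "profile OK" || echo "profile needs EXTBIND=1"
rm -f "$demo_profile"
```

Run it as `check_icmbnd_perms /usr/sap/<SID>/<INSTANCE>/exe/icmbnd` and `check_profile_extbind <instance profile>` after every kernel patch, since a patch replaces the local executables.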