Security warning entries in dev_icm_sec flooding the logfile

0 Kudos

Hi,

Our SAP Web Dispatcher writes many dev_icm_log-files. At the moment the counter at the end of the log-file-name is at 191 after about three weeks and I'm pretty sure we will be at 195 or 196 at the end of the day.

Most or nearly all of the entries in the log-file look like the following example and occur several times per minute (of course with different IP addresses).


***********************************************************************************
******                              SECURITY WARNING                         ******
***********************************************************************************
Wed Jul 21 10:50:35 2010
Error: Permission denied (-13), Permission denied: authorization failed for user >< [http_auth_mt.c 930]
[Thr 2471504800] CONNECTION (id=140/971368):
    used: 1, type: 1, role: 1, stateful: 0
    NI_HDL: 49, protocol: HTTP(1)
    local host:  1.2.3.4:8100 ()
    remote host: 1.2.3.5:46576 ()
    status: READ_REQUEST
    connect time: 21.07.2010 10:49:39
    MPI request:        <151a9a>   MPI response:        <151a9b>
    request_buf_size:   65468    response_buf_size:   0
    request_buf_used:   551      response_buf_used:   0
    request_buf_offset: 0        response_buf_offset: 0

***********************************************************************************

I tried to find a reason for these entries, but haven't been successful until now. It's only a warning, but if there is a solution I would solve the problem even if it is just to get a "clean" log-file.

The Web Dispatcher runs on Linux and shows this as version "SAP Web Dispatcher Version 7.00.11, multithreaded, ASCII, 32 BIT" with patch level 255.

The profile parameter for the icm security log is not changed from the default, which is:


icm/security_log  	LOGFILE=dev_icm_sec,MAXSIZEKB=500

Maybe you have a solution or even a hint how I can further analyse the problem. Grep-ing the log-files with thread or connection id unfortunately didn't help me. I also wasn't successful searching for SAP notes.

In connection with the dev_icm_sec log file I have another question where you maybe can help. I'm looking for a log rotation of this file or something like this. Using the day of the month in the name of the log-file doesn't seem to be a solution at the moment because we have more than one log-file per day. This maybe can be solved with no or a bigger MAXSIZEKB, but I would prefer something like ten files which are rotated.

Thanks in advance and best regards

Jan Hormann

Accepted Solutions (0)

Answers (1)

0 Kudos

Additional Information:

I forgot to add the information that I can find a corresponding entry in the dev_webdisp file every time I have an entry in the dev_icm_sec log-file.


[Thr 2471504800] Wed Jul 21 10:50:35 2010
[Thr 2471504800] *** ERROR => Permission denied: authorization failed for user >< {008cd268} [http_auth_mt.c 930]

cris_hansen
Advisor
0 Kudos

Hello Jan,

"Permission denied: authorization failed for user" means that someone (from IP 1.2.3.5) tried to access some content and is not authorized to do so (probably error 403 Access denied should be raised in the web browser).

You can try to find more information about this by setting a higher trace level in the Web Dispatcher - well, at least you will find the who/when/what/where...

I hope this helps.

Best regards,

Cristiano

PS: If you are using HTTPS, it might be useful to set icm/trace_secured_data = 1, so you will be able to log the HTTPS data.

0 Kudos

Hello Cristiano,

your hint was very helpful. I was completely focused on dev_icm_sec and had changed this trace to trace level 3, which seems not to have had the expected effect, so I didn't think about changing other trace levels to get more information. After your post I also changed the trace level for dev_webdisp and found requests with more information than before, which cause these messages in dev_webdisp and dev_icm_sec.

After "blocking" these requests / making changes so that these requests don't arrive at the Web Dispatcher, I get far fewer log entries.

I will observe it for a while, but it looks as if your hint helped me to solve this issue.

Thank you very much

Jan
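
A way to see which clients produce the entries before touching trace levels, as an added example that is not part of the original thread: it parses SECURITY WARNING blocks in the layout quoted in the question and counts them per remote address and per minute. The sample log is constructed (documentation-range addresses, one entry cut short on purpose), and the function names are hypothetical.

```python
import re
from collections import Counter
from datetime import datetime

BAR = "*" * 83
# Constructed sample entry, following the dev_icm_sec layout quoted in the question.
ENTRY = """{bar}
******                              SECURITY WARNING                         ******
{bar}
{ts}
Error: Permission denied (-13), Permission denied: authorization failed for user >< [http_auth_mt.c 930]
[Thr 2471504800] CONNECTION (id=140/971368):
    local host:  192.0.2.10:8100 ()
    remote host: {ip}:46576 ()
    status: READ_REQUEST

{bar}
"""
SAMPLE = "".join(ENTRY.format(bar=BAR, ts=f"Wed Jul 21 10:{t} 2010", ip=ip) for t, ip in [
    ("50:35", "192.0.2.55"), ("50:41", "192.0.2.55"),
    ("50:58", "192.0.2.77"), ("51:02", "192.0.2.55")])
# A fifth entry cut off inside its banner, to exercise the skip path below.
SAMPLE += ENTRY.format(bar=BAR, ts="Wed Jul 21 10:51:09 2010", ip="192.0.2.55")[:200]

TS = re.compile(r"^(\w{3} \w{3} [ \d]\d \d{2}:\d{2}:\d{2} \d{4})$", re.M)
ERR = re.compile(r"^Error: (.*?)\s*\[(\S+) (\d+)\]$", re.M)
REMOTE = re.compile(r"^\s*remote host:\s*(\S+):(\d+)", re.M)

def parse_entries(text):
    """Return one dict per complete SECURITY WARNING block."""
    entries = []
    for chunk in text.split("SECURITY WARNING")[1:]:
        ts, err, remote = TS.search(chunk), ERR.search(chunk), REMOTE.search(chunk)
        if not (ts and err and remote):
            continue  # truncated or differently shaped entry: skip rather than guess
        entries.append({
            "time": datetime.strptime(ts.group(1), "%a %b %d %H:%M:%S %Y"),
            "error": err.group(1),
            "source": f"{err.group(2)}:{err.group(3)}",  # trace location, e.g. file:line
            "remote_ip": remote.group(1),
        })
    return entries

def summarize(entries):
    """Count warnings per remote address and per minute."""
    by_ip = Counter(e["remote_ip"] for e in entries)
    by_minute = Counter(e["time"].strftime("%Y-%m-%d %H:%M") for e in entries)
    return by_ip, by_minute

if __name__ == "__main__":
    for ip, n in summarize(parse_entries(SAMPLE))[0].most_common():
        print(f"{n:6d}  {ip}")
```
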

Former Member
0 Kudos

Hello Jan

Could you please tell us the solution for this, as we have faced the same issue?

If you solved this issue, please help me to solve it.

It is a very, very urgent issue because a number of users are affected.

Thanks

Keshari