Profile parameter icm/server_port_0 being ignored

Former Member
0 Kudos

We are trying to enable HTTPS on our Netweaver 7.3 AS Java system.  We've followed the guide here:

http://help.sap.com/saphelp_nw73/helpdata/en/4a/015cc68d863132e10000000a421937/content.htm

Per the guide we created the following entry in our instance profile and restarted the system:

icm/server_port_0 = PROT=HTTPS, PORT=51701, VCLIENT=0

The system, after being restarted, doesn't have a new ICM port open, let alone HTTPS working on it.  We use telnet (from localhost) to try the port and we get connection refused.  No firewalls are involved in this situation.

We've tried different parameters, such as:

icm/server_port_00 = PROT=HTTPS, PORT=51701, VCLIENT=0

To take SSL out of the equation we even tried parameters such as:

icm/server_port_00 = PROT=HTTP, PORT=51701

and

icm/server_port_0 = PROT=HTTP, PORT=51701

None of these profile parameters produce any live TCP ports/newly active services.

Please advise.

Accepted Solutions (1)


Sriram2009
Active Contributor
0 Kudos
isaias_freitas
Advisor
0 Kudos

Hello Phillip,

The parameter icm/server_port_00 is not valid. It must have only one digit if it is under 10.

You also must start it at 0, and it must be sequential (e.g., if you set icm/server_port_0, 1 and 3, the port 3 will be ignored).

Do you see any error in the ICM trace file (dev_icm) when you have the parameter set like below?

icm/server_port_0 = PROT=HTTPS, PORT=51701

The error entries would mention something like "could not start service". Can you please post the error here?

Regards,

Isaías
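
The naming rules stated in the reply above (no leading zero on the index, start at 0, no gaps), written as a small profile check. This is an added example, not part of the original post and not SAP code; the function name, the sample profile and the implicit_defaults parameter (how many indices count as defined without appearing in the profile) are assumptions of the example.

```python
import re

# Matches lines such as "icm/server_port_0 = PROT=HTTPS, PORT=51701".
PARAM = re.compile(r"^\s*icm/server_port_(\d+)\s*=\s*(.*?)\s*$")

# Constructed sample profile; it is not taken from the poster's system.
SAMPLE_PROFILE = """\
icm/server_port_0 = PROT=HTTP, PORT=51700
icm/server_port_1 = PROT=HTTPS, PORT=51701, VCLIENT=0
icm/server_port_3 = PROT=HTTP, PORT=51703
icm/server_port_00 = PROT=HTTPS, PORT=51701, VCLIENT=0
"""


def lint_icm_ports(profile_text, implicit_defaults=0):
    """Return (active, findings) for icm/server_port_<n> profile entries.

    implicit_defaults is an assumption of this example: how many indices
    (0..n-1) count as already defined without appearing in the profile.
    """
    findings, entries = [], {}
    for lineno, line in enumerate(profile_text.splitlines(), 1):
        m = PARAM.match(line)  # comment lines start with '#' and never match
        if not m:
            continue
        raw, value = m.groups()
        if len(raw) > 1 and raw.startswith("0"):
            findings.append(f"line {lineno}: icm/server_port_{raw} has a leading zero")
            continue
        if int(raw) in entries:
            findings.append(f"line {lineno}: index {int(raw)} is defined more than once")
        pairs = (item.split("=", 1) for item in value.split(",") if "=" in item)
        entries[int(raw)] = {k.strip(): v.strip() for k, v in pairs}

    # Walk upward from 0; the first undefined index ends the usable sequence.
    defined = set(entries) | set(range(implicit_defaults))
    first_gap = 0
    while first_gap in defined:
        first_gap += 1
    active = {i: entries[i] for i in sorted(entries) if i < first_gap}
    for i in sorted(entries):
        if i > first_gap:
            findings.append(f"index {i}: ignored, index {first_gap} is not defined")
    return active, findings


if __name__ == "__main__":
    active, findings = lint_icm_ports(SAMPLE_PROFILE)
    print(active)
    print("\n".join(findings))
```
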

Former Member
0 Kudos

You sir, get the gold star.

Summary: We were using cryptolib 5.5.5 p130.  We did not have a valid ticket file (which I found out once reading the dev_icm).  As a solution I updated our sapcryptolib to > p133, which doesn't require a ticket anymore.  We're now at p136.

Once I did this and restarted the system:

[Thr 18] Started service PORT=51701,PROT=HTTPS,TIMEOUT=60,PROCTIMEOUT=60,VCLIENT=1

isaias_freitas
Advisor
0 Kudos

Hello Phillip,

I believe that the correct answer was sent by Tobias.

Cheers,

Isaías

Answers (2)


0 Kudos

Hi Phillip,

AS Java already has a whole range of default ports defined (see http://help.sap.com/saphelp_nw73/helpdata/en/a2/f9d7fed2adc340ab462ae159d19509/frameset.htm), even when you don't see the parameters in the profile. icm/server_port_0 usually defines the HTTP port (e.g. 51700 for instance 17). icm/server_port_1 usually defines the HTTPS port.

That the HTTPS port does not come up probably has a reason such as missing SAPCRYPTOLIB or PSE stores. I suggest removing your parameter, restarting the instance, and then checking the ICM trace file dev_icm and searching for 51701. You should find an error explaining why the port cannot be started.

Regards,

Tobias

Former Member
0 Kudos

I removed all icm/server_port_xx parameters.

pd3adm> grep -i https dev_icm

pd3adm> grep -i crypto dev_icm

pd3adm> grep -i ssl dev_icm

pd3adm> grep 517 dev_icm

[Thr 18] Started service PORT=51700,PROT=HTTP,TIMEOUT=60,PROCTIMEOUT=600

[Thr 18] Started service PORT=51704,PROT=P4,TIMEOUT=60,PROCTIMEOUT=60

[Thr 18] Started service PORT=51707,PROT=IIOP,TIMEOUT=60,PROCTIMEOUT=60

[Thr 18] Started service HOST=localhost,PORT=51708,PROT=TELNET,TIMEOUT=60,PROCTIMEOUT=60

[Thr 05] JNCMIP4MsPutLogon: set p4 logon port (port:51704) (lbcount: 1)

[Thr 05] JNCMIIIOPMsPutLogon: set iiop logon port (port:51707) (lbcount: 1)

[Thr 05] JNCMITelnetMsPutLogon: set telnet logon port (port:51708) (lbcount: 1)

[Thr 05] JNCMIHttpMsPutLogon: set http logon port (port:51700) (lbcount: 1)
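
The dev_icm check used in this thread (search the trace for the port), written as a parser that reports whether a port was started and with which protocol. This is an added example, not part of any post; the function names are assumptions, and the trace lines are the ones quoted in the thread.

```python
import re

# "Started service" lines as they appear in the dev_icm excerpts in this thread.
STARTED = re.compile(r"\[Thr \d+\]\s+Started service\s+(\S+)")

# Lines copied from the thread: the default setup, then the line seen after the fix.
TRACE_DEFAULT = """\
[Thr 18] Started service PORT=51700,PROT=HTTP,TIMEOUT=60,PROCTIMEOUT=600
[Thr 18] Started service PORT=51704,PROT=P4,TIMEOUT=60,PROCTIMEOUT=60
[Thr 18] Started service PORT=51707,PROT=IIOP,TIMEOUT=60,PROCTIMEOUT=60
[Thr 18] Started service HOST=localhost,PORT=51708,PROT=TELNET,TIMEOUT=60,PROCTIMEOUT=60
[Thr 05] JNCMIHttpMsPutLogon: set http logon port (port:51700) (lbcount: 1)
"""
TRACE_FIXED = TRACE_DEFAULT + (
    "[Thr 18] Started service PORT=51701,PROT=HTTPS,TIMEOUT=60,"
    "PROCTIMEOUT=60,VCLIENT=1\n"
)


def started_services(trace_text):
    """Map port -> field dict; a later line for the same port replaces an earlier one."""
    services = {}
    for line in trace_text.splitlines():
        m = STARTED.search(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group(1).split(",") if "=" in kv)
        if fields.get("PORT", "").isdigit():
            services[int(fields["PORT"])] = fields
    return services


def check_listener(trace_text, port, prot="HTTPS"):
    """Return 'ok', 'wrong-protocol:<PROT>' or 'not-started' for one port."""
    svc = started_services(trace_text).get(port)
    if svc is None:
        return "not-started"
    return "ok" if svc.get("PROT") == prot else f"wrong-protocol:{svc.get('PROT')}"


def non_tls_without_host(trace_text):
    """Ports whose service is not HTTPS and has no HOST= field in the trace."""
    return sorted(p for p, s in started_services(trace_text).items()
                  if s.get("PROT") != "HTTPS" and "HOST" not in s)


if __name__ == "__main__":
    print(check_listener(TRACE_DEFAULT, 51701), check_listener(TRACE_FIXED, 51701))
    print(non_tls_without_host(TRACE_FIXED))
```
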

Former Member
0 Kudos

That looks correct, it is the default setup. Now enter the following in the instance profile, restart and grep for the results again.

icm/server_port_4 = PROT=HTTP,PORT=5$(SAPSYSTEM)01,TIMEOUT=60,PROCTIMEOUT=600

If it comes up, you can go from there, meaning change it to HTTPS and figure out why it's not working.

cris_hansen
Advisor
0 Kudos

Hi Philip,

Let's do this step by step.

Could you please check the SAPCRYPTOLIB installation?

Check whether you see in dev_icm the SAPCRYPTOLIB initialization. I don't have a NW 7.3 Java to give you an example, but it should look like:

"...

[Thr 3628] =================================================

[Thr 3628] = SSL Initialization    platform tag=(NTAMD64)

[Thr 3628] =   (720_REL,Aug 12 2013,mt,ascii-uc,SAP_UC/size_t/void* = 16/64/64)

[Thr 3628]   profile param "ssl/ssl_lib" = "C:\usr\sap\XXX\DVEBMGS00\exe\sapcrypto.dll"

[Thr 3628]            resulting Filename = "C:\usr\sap\XXX\DVEBMGS00\exe\sapcrypto.dll"

[Thr 3628] =   found SAPCRYPTOLIB  5.5.5C pl36  (Jul  3 2013) MT,AESNI,NB

[Thr 3628] =   current UserID: ZZZZZZZZ\SAPServiceXXX

[Thr 3628] =   found SECUDIR environment variable

[Thr 3628] =   using SECUDIR=C:\usr\sap\XXX\DVEBMGS00\sec

[Thr 3628] = Success    SapCryptoLib SSL ready!

[Thr 3628] =================================================

..."

If you have more than one instance in the same server, then you can add the SECUDIR environment variable in the start profile, like:

"...

SETENV_01 = SECUDIR=$(DIR_INSTANCE)/sec

..."

You can check more about the SAPCRYPTOLIB installation here.

Let me know about how it goes for you.

Thanks,

Cris


Former Member
0 Kudos

It's notable that we have no other existing icm/server_port_XX entries.  Therefore the value of 00 or 0 is appropriate.

Former Member
0 Kudos

Can you try icm/server_port_4 or any value >= 4? There might be a reason for you not being able to change the default ports.

Former Member
0 Kudos

Just tried the line:

icm/server_port_5 = PROT=HTTPS, PORT=51791, VCLIENT=0

No joy

Former Member
0 Kudos

Use HTTP just to rule out profile (and SSL) problems. If port_5 comes up with HTTP then you can go from there. Maybe omit VCLIENT too.

Former Member
0 Kudos

Noticing what just wrote (I didn't know that), try port_4 since there are 4 default ports in AS JAVA (0..3). See the attached link for details.

http://help.sap.com/saphelp_nw73ehp1/helpdata/en/48/3ae05299c172d0e10000000a42189c/frameset.htm