on 08-16-2013 6:29 PM
We are trying to enable HTTPS on our Netweaver 7.3 AS Java system. We've followed the guide here:
http://help.sap.com/saphelp_nw73/helpdata/en/4a/015cc68d863132e10000000a421937/content.htm
Per the guide we created the following entry in our instance profile and restarted the system:
icm/server_port_0 = PROT=HTTPS, PORT=51701, VCLIENT=0
The system, after being restarted, doesn't have a new ICM port open, let alone HTTPS working on it. We use telnet (from localhost) to try the port and we get connection refused. No firewalls are involved in this situation.
We've tried different parameters, such as:
icm/server_port_00 = PROT=HTTPS, PORT=51701, VCLIENT=0
To take SSL out of the equation we even tried parameters such as:
icm/server_port_00 = PROT=HTTP, PORT=51701
and
icm/server_port_0 = PROT=HTTP, PORT=51701
None of these profile parameters produce any live TCP ports/newly active services.
Please advise.
Hi Philip
Kindly refer to the SAP notes for ICM parameters:
Note 737625 - Parameter recommendations for the ICM
Note 1853021 - Processing HTTPS request in Single Sign-On context
Thanks
Ram
Hello Phillip,
The parameter icm/server_port_00 is not valid. It must have only one digit if it is under 10.
You also must start it at 0, and it must be sequential (e.g., if you set icm/server_port_0, 1 and 3, the port 3 will be ignored).
Do you see any error in the ICM trace file (dev_icm) when you have the parameter set like below?
icm/server_port_0 = PROT=HTTPS, PORT=51701
The error entries would mention something like "could not start service". Can you please post the error here?
Regards,
Isaías
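A small profile check for the index rules stated in the reply above, added here as an example (it is not from the thread or from SAP). The function names and the `implicit` argument are hypothetical; `implicit` is an assumption for systems where defaults already occupy the low indexes, as other replies in this thread describe for AS Java.

```python
import re

PARAM = re.compile(r"^\s*icm/server_port_(\d+)\s*=\s*(.+?)\s*$")

# Constructed sample profile: the "0, 1 and 3" case from the reply.
SAMPLE = """\
# instance profile excerpt (constructed)
icm/server_port_0 = PROT=HTTP, PORT=51700
icm/server_port_1 = PROT=HTTPS, PORT=51701, VCLIENT=0
icm/server_port_3 = PROT=HTTP, PORT=51703
"""

def parse_ports(profile_text):
    """Return {index_as_written: {OPTION: value}} for each icm/server_port_<n> line."""
    ports = {}
    for line in profile_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # profile comment
        m = PARAM.match(line)
        if m:
            pairs = (p.strip().split("=", 1) for p in m.group(2).split(",") if "=" in p)
            ports[m.group(1)] = {k.strip().upper(): v.strip() for k, v in pairs}
    return ports

def lint_ports(profile_text, implicit=()):
    """Report names with a leading zero and indexes that follow a gap.

    implicit: indexes assumed to be defined by defaults (hypothetical argument).
    """
    ports = parse_ports(profile_text)
    findings = []
    padded = [i for i in ports if len(i) > 1 and i.startswith("0")]
    for idx in padded:
        findings.append(f"icm/server_port_{idx}: leading zero, use a single digit below 10")
    defined = {int(i) for i in ports if i not in padded} | set(implicit)
    expected = 0
    for n in sorted(defined):
        if n == expected:
            expected += 1
        else:
            findings.append(f"icm/server_port_{n}: index {expected} is missing, "
                            "so this entry is ignored")
    return findings
```
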
You sir, get the gold star.
Summary: We were using cryptolib 5.5.5 p130. We did not have a valid ticket file (which I found out when reading the dev_icm). As a solution I updated our sapcryptolib to > p133, which doesn't require a ticket anymore. We're now at p136.
Once I did this and restarted the system:
[Thr 18] Started service PORT=51701,PROT=HTTPS,TIMEOUT=60,PROCTIMEOUT=60,VCLIENT=1
Hi Phillip,
AS Java already has a whole range of default ports defined (see http://help.sap.com/saphelp_nw73/helpdata/en/a2/f9d7fed2adc340ab462ae159d19509/frameset.htm), even when you don't see the parameters in the profile. icm/server_port_0 usually defines the HTTP port (e.g. 51700 for instance 17). icm/server_port_1 usually defines the HTTPS port.
That the HTTPS port does not come up probably has a reason such as missing SAPCRYPTOLIB or PSE stores. I suggest removing your parameter, restarting the instance, and then checking the ICM trace file dev_icm and searching for 51701. You should find an error explaining why the port cannot be started.
Regards,
Tobias
I removed all icm/server_port_xx parameters.
pd3adm> grep -i https dev_icm
pd3adm> grep -i crypto dev_icm
pd3adm> grep -i ssl dev_icm
pd3adm> grep 517 dev_icm
[Thr 18] Started service PORT=51700,PROT=HTTP,TIMEOUT=60,PROCTIMEOUT=600
[Thr 18] Started service PORT=51704,PROT=P4,TIMEOUT=60,PROCTIMEOUT=60
[Thr 18] Started service PORT=51707,PROT=IIOP,TIMEOUT=60,PROCTIMEOUT=60
[Thr 18] Started service HOST=localhost,PORT=51708,PROT=TELNET,TIMEOUT=60,PROCTIMEOUT=60
[Thr 05] JNCMIP4MsPutLogon: set p4 logon port (port:51704) (lbcount: 1)
[Thr 05] JNCMIIIOPMsPutLogon: set iiop logon port (port:51707) (lbcount: 1)
[Thr 05] JNCMITelnetMsPutLogon: set telnet logon port (port:51708) (lbcount: 1)
[Thr 05] JNCMIHttpMsPutLogon: set http logon port (port:51700) (lbcount: 1)
That looks correct, it is the default setup. Now enter the following in the instance profile, restart and grep for the results again.
icm/server_port_4 = PROT=HTTP,PORT=5$(SAPSYSTEM)01,TIMEOUT=60,PROCTIMEOUT=600
If it comes up, you can go from there, meaning change it to HTTPS and figure out why it's not working.
Hi Philip,
Let's do this step by step.
Could you please check the SAPCRYPTOLIB installation?
Check whether you see in dev_icm the SAPCRYPTOLIB initialization. I don't have a NW 7.3 Java to give you an example, but it should look like:
"...
[Thr 3628] =================================================
[Thr 3628] = SSL Initialization platform tag=(NTAMD64)
[Thr 3628] = (720_REL,Aug 12 2013,mt,ascii-uc,SAP_UC/size_t/void* = 16/64/64)
[Thr 3628] profile param "ssl/ssl_lib" = "C:\usr\sap\XXX\DVEBMGS00\exe\sapcrypto.dll"
[Thr 3628] resulting Filename = "C:\usr\sap\XXX\DVEBMGS00\exe\sapcrypto.dll"
[Thr 3628] = found SAPCRYPTOLIB 5.5.5C pl36 (Jul 3 2013) MT,AESNI,NB
[Thr 3628] = current UserID: ZZZZZZZZ\SAPServiceXXX
[Thr 3628] = found SECUDIR environment variable
[Thr 3628] = using SECUDIR=C:\usr\sap\XXX\DVEBMGS00\sec
[Thr 3628] = Success SapCryptoLib SSL ready!
[Thr 3628] =================================================
..."
If you have more than one instance on the same server, then you can add the SECUDIR environment variable in the start profile, like:
"...
SETENV_01 = SECUDIR=$(DIR_INSTANCE)/sec
..."
You can check more about the SAPCRYPTOLIB installation here.
Let me know about how it goes for you.
Thanks,
Cris
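The dev_icm checks discussed in the replies above (the "Started service" lines and the SAPCRYPTOLIB initialization banner), combined into one script as an added example; it is not from the thread or from SAP. The function names are hypothetical, the sample traces are assembled from lines quoted in this thread, and the "could not start service" wording is only what one reply says the error would resemble.

```python
import re

STARTED = re.compile(r"Started service (\S+)")

# Constructed samples built from trace lines quoted in this thread (not a full dev_icm).
TRACE_DEFAULT = """\
[Thr 18] Started service PORT=51700,PROT=HTTP,TIMEOUT=60,PROCTIMEOUT=600
[Thr 18] Started service PORT=51704,PROT=P4,TIMEOUT=60,PROCTIMEOUT=60
[Thr 18] Started service PORT=51707,PROT=IIOP,TIMEOUT=60,PROCTIMEOUT=60
[Thr 18] Started service HOST=localhost,PORT=51708,PROT=TELNET,TIMEOUT=60,PROCTIMEOUT=60
"""
SSL_READY_LINE = "[Thr 3628] = Success SapCryptoLib SSL ready!\n"
TRACE_FIXED = TRACE_DEFAULT + SSL_READY_LINE + (
    "[Thr 18] Started service PORT=51701,PROT=HTTPS,TIMEOUT=60,PROCTIMEOUT=60,VCLIENT=1\n"
)

def started_services(trace_text):
    """Return one {KEY: value} dict per 'Started service' line."""
    services = []
    for line in trace_text.splitlines():
        m = STARTED.search(line)
        if m:
            services.append(dict(f.split("=", 1) for f in m.group(1).split(",") if "=" in f))
    return services

def https_status(trace_text):
    """Summarise whether an HTTPS service started and whether the SSL library loaded."""
    services = started_services(trace_text)
    https_ports = [s["PORT"] for s in services if s.get("PROT") == "HTTPS"]
    ssl_ready = "Success SapCryptoLib SSL ready!" in trace_text
    # Wording taken from the reply's description of the error, so treat it as a hint only.
    errors = [l.strip() for l in trace_text.splitlines()
              if "could not start service" in l.lower()]
    if https_ports:
        diagnosis = "HTTPS service started on port(s) " + ", ".join(https_ports)
    elif not ssl_ready:
        diagnosis = ("No HTTPS service and no successful SAPCRYPTOLIB initialization "
                     "in the trace: check the library, SECUDIR and the PSE files")
    else:
        diagnosis = ("SSL library is ready but no HTTPS service started: "
                     "check the icm/server_port_<n> definition")
    return {"https_ports": https_ports, "ssl_ready": ssl_ready, "errors": errors,
            "protocols": {s.get("PROT"): s.get("PORT") for s in services},
            "diagnosis": diagnosis}

if __name__ == "__main__":
    for name, trace in (("default", TRACE_DEFAULT), ("fixed", TRACE_FIXED)):
        print(name, "->", https_status(trace)["diagnosis"])
```
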
It's notable that we have no other existing icm/server_port_XX entries. Therefore the value of 00 or 0 is appropriate.
Noticing what just wrote (I didn't know that), try port_4 since there are 4 default ports in AS JAVA (0..3). See the attached link for details.
http://help.sap.com/saphelp_nw73ehp1/helpdata/en/48/3ae05299c172d0e10000000a42189c/frameset.htm