Bind ICM to port 443
To run SAP Portal on the standard web ports 80 and 443 you should use Web Dispatcher. In that case, WD runs on the privileged ports and SAP Portal / NetWeaver Java / ICM continue to run on their usual 5nnXX ports. Changing the ports directly on ICM of NetWeaver is something I cannot recommend, and you should not do it.
Configuration of ICM
To run NetWeaver on low ports, follow the procedure outlined in SAP Note 421359. ICMBND is the executable that will bind to port 443. This file does not exist. To create it, follow the steps outlined in the SAP Note as user root:
- cd /usr/sap/<SID>/J00/exe
- cp icmbnd.new icmbnd
- chown root:sapsys icmbnd
- chmod 4750 icmbnd
- ls -al icmbnd
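To check the result of these steps in a repeatable way rather than reading the `ls` output by eye, the following added example (not part of the original post or of the SAP Note) audits the helper against the owner, group and mode used above. The function names are hypothetical, and `audit_icmbnd` assumes GNU `stat` as found on Linux.

```shell
#!/bin/sh
# Added example: audit the setuid helper created by the steps above.
# Expected values (root, sapsys, 4750) are the ones used in the procedure.

# check_icmbnd_perms MODE OWNER GROUP
# Prints one finding per line; returns 0 only if nothing is wrong.
check_icmbnd_perms() {
    mode=$1; owner=$2; group=$3; rc=0
    while [ "${#mode}" -lt 4 ]; do mode="0$mode"; done   # "750" -> "0750"
    special=${mode%???}                 # setuid/setgid/sticky digit
    g=${mode#??}; g=${g%?}              # group digit
    o=${mode#???}                       # others digit

    [ "$owner" = root ]   || { echo "owner is $owner, expected root"; rc=1; }
    [ "$group" = sapsys ] || { echo "group is $group, expected sapsys"; rc=1; }
    [ "$special" = 4 ]    || { echo "special bits are $special, expected 4 (setuid only)"; rc=1; }
    [ "$o" = 0 ]          || { echo "others have access (digit $o), expected 0"; rc=1; }
    case $g in
        2|3|6|7) echo "group-writable (digit $g)"; rc=1 ;;
    esac
    [ "$mode" = 4750 ]    || { echo "mode is $mode, expected 4750"; rc=1; }
    return $rc
}

# audit_icmbnd PATH
# Reads the metadata of the real file and checks it.
# Assumption: GNU stat (Linux); other platforms need a different stat call.
audit_icmbnd() {
    if [ ! -f "$1" ] || [ -L "$1" ]; then
        echo "$1: not a regular file"
        return 2
    fi
    meta=$(stat -c '%a %U %G' "$1") || return 2
    # Intentional word splitting: meta is "MODE OWNER GROUP".
    set -- $meta
    check_icmbnd_perms "$1" "$2" "$3"
}

# Run against a path when one is given, e.g. /usr/sap/<SID>/J00/exe/icmbnd
if [ $# -gt 0 ]; then
    audit_icmbnd "$1"
fi
```

A non-zero exit status means at least one finding was printed, so the script can be used in a periodic check after kernel patches replace the executables.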
The setuid bit is now set. With this, the executable runs with root privileges and can listen on port 443. The instance profile must now be changed to include the new ICM parameters to bind to port 443 for HTTPS and to use the external program icmbnd for doing that.
Currently the port configuration may look like this:
After the change
Note: The parameter exe/icmbnd should not be needed as long as the binary resides in the normal place. I added it here to show how the parameter looks when configured.
Restart the SAP system: stopsap; startsap.
NetWeaver is now listening on port 443.
By default, NetWeaver first asks the client to provide a certificate and, if none is given, proceeds with the normal authentication defined in the logon profile.
This can be disabled by setting the parameter VCLIENT=0 in the instance profile: