Run SAP Cloud Connector on port 443
SAP Cloud Connector (SCC) runs on port 8443 out of the box. SCC users often prefer to run it on the standard HTTPS port 443. On Windows, this port can easily be set directly during installation, but on Linux it is a bit tricky.
The SCC contains a shell script allowing you to change the port in the configuration file:
<scc_installation_dir>/changeport.sh <port>
This script only modifies the configuration files; it does not check whether the change may cause any problems. On Unix, the use of ports below 1024 is allowed only for the root user. The SCC process runs as the sccadmin user, so starting the SCC fails. In this case you see the following error message in the SCC log:
Failed to initialize end point associated with ProtocolHandler ["http-bio-443"]
java.net.BindException: errno: 13 (Permission denied), error: Bind failed (port 443 to address 0.0.0.0) <null>:443
Running the SCC as the root user would do the job, but using the root user for the SCC is not really fun for security reasons. Fortunately, there are other possible solutions, such as the tool Authbind, which I tested successfully. It overrides the standard bind() function in the C library and lets you define a user and then enable this user to bind a privileged port. Unfortunately, there is no rpm package with Authbind available for SLES or for RedHat, so I had to download Authbind from the Debian distribution. The first steps are therefore the download and installation of Authbind from this distribution.
Note 1: Everything below can be done by the root user – use sudo su or log in as root.
Note 2: The steps here are shell commands. Commands starting with [[ … ]] begin with a test that checks whether the command should be executed.
Note 3: Please read Note 1 and Note 2.
1. Check if authbind is already installed: which authbind
2. Change to a temporary directory: cd /tmp
3. Download authbind: wget http://ftp.debian.org/debian/pool/main/a/authbind/authbind_2.1.1.tar.gz
(If required, set the proxy for wget: export http_proxy=http://<proxy in your network>)
4. Install authbind with the following commands (you may execute the command sequence at once):
tar zxvf authbind_2.1.1.tar.gz && cd authbind-2.1.1 && make && make install && cd .. && rm -rf authbind-2.1.1
Now you have finished the installation of Authbind, and the next step is to enable the user sccadmin to use port 443.
5. Allow sccadmin to bind port 443:
touch /etc/authbind/byport/443; chmod 500 /etc/authbind/byport/443; chown sccadmin /etc/authbind/byport/443
5. Finally, it is important that the script that starts the SCC uses Authbind. To achieve this, you need to adapt the shell script that starts the SCC process:
[[ ! $(grep authbind /opt/sap/scc/daemon.sh) ]] && sed -i 's|javaCommandLine=\"|javaCommandLine=\"exec /usr/local/bin/authbind --deep |' /opt/sap/scc/daemon.sh
Note: This shell command modifies /opt/sap/scc/daemon.sh and changes javaCommandLine so that the java process is started by authbind. The sed expression uses | as its delimiter because the replacement text contains slashes.
6. Authbind recommends setting the java.net.preferIPv4Stack option in the server configuration. Add this option to the configuration file:
[[ ! $(grep preferIPv4Stack /opt/sap/scc/props.ini) ]] && sed -i '12 a\-Djava\.net\.preferIPv4Stack=true' /opt/sap/scc/props.ini
Note: This shell command adds '-Djava.net.preferIPv4Stack=true' to /opt/sap/scc/props.ini.
7. Reinstall the service script: /opt/sap/scc/daemon.sh reinstall
8. Restart the SCC process: service scc_daemon restart
Enjoy.
Though I got it running on SLES and RedHat, you may run into trouble in your specific environment. I therefore recommend that you try out the whole process in a test environment first, so that you can check whether the procedure described above works in your environment. Only after that should you use it on a productive system.
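A check you can run after step 8 and again after every SCC upgrade, since an upgrade may replace daemon.sh or props.ini. This is an added example, not part of the original procedure or of the SCC: the function name audit_scc_authbind and the optional root prefix (for checking a copy of the files) are assumptions, while the paths, the account and the file mode are the ones used in the steps above.

```shell
#!/bin/bash
# Added example: audit the authbind setup created in steps 5 and 6.
# Usage: audit_scc_authbind <port> <owner> [root-prefix]
# The root prefix is an assumption of this example, for auditing a copy.
# Requires GNU stat (standard on SLES and Red Hat).

audit_scc_authbind() {
    local port="$1" owner="$2" root="${3:-}"
    local rule="$root/etc/authbind/byport/$port"
    local daemon="$root/opt/sap/scc/daemon.sh"
    local props="$root/opt/sap/scc/props.ini"
    local rc=0 mode who

    if [ ! -f "$rule" ]; then
        echo "FAIL: $rule is missing"; rc=1
    else
        who=$(stat -c '%U' "$rule")
        mode=$(stat -c '%a' "$rule")
        [ "$who" = "$owner" ] || { echo "FAIL: $rule owned by $who, expected $owner"; rc=1; }
        # authbind authorises every account that may execute this file, so
        # group/other bits would let more users than intended bind the port.
        case "$mode" in
            [57]00) ;;
            *) echo "FAIL: $rule has mode $mode, expected 500"; rc=1 ;;
        esac
    fi

    # Step 5: java must be started through authbind --deep.
    grep -q 'javaCommandLine="exec /usr/local/bin/authbind --deep ' "$daemon" 2>/dev/null \
        || { echo "FAIL: $daemon does not start java through authbind --deep"; rc=1; }

    # Step 6: the IPv4 option must be present in props.ini.
    grep -q -- '-Djava.net.preferIPv4Stack=true' "$props" 2>/dev/null \
        || { echo "FAIL: $props lacks -Djava.net.preferIPv4Stack=true"; rc=1; }

    [ "$rc" -eq 0 ] && echo "OK: authbind setup for port $port looks complete"
    return "$rc"
}
```

On the SCC host, source the file as root and call: audit_scc_authbind 443 sccadmin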
Hello Ilja Farber,
Your document is so helpful, but I have two questions:
Where should I add the command line in step 5 (start the SCC uses Authbind)? Is the shell script daemon.sh or rcscc_daemon?
What is the server configuration in step 6? Where is it located?
Thank you so much,
Má
Hello Ma,
Just copy the whole command to the shell. It replaces javaCommand in daemon.sh using the 'sed' command. The check [[ ! $(grep authbind /opt/sap/scc/daemon.sh) ]] prevents changes if authbind is already used in the SCC start script.
Good luck 😉
Hi,
The command no longer works on SCC 2.15.0.
[[ ! $(grep authbind /opt/sap/scc/daemon.sh) ]] && sed -i ‘s/javaCommandLine=\”/javaCommandLine=\”exec /usr/local/bin/authbind –deep /’ /opt/sap/scc/daemon.sh
Could you provide more details on how exactly the command does not work? Actually, 2.15 or 2.16 still has daemon.sh and it still contains "javaCommandLine=".
Hi,
I got it working finally. Seems the sed command you provided doesn't work on openSUSE 15.4. Also, you need to enclose the command in code quotes, otherwise the blog adds a second hyphen before "deep".
Here is the fully working sed command:
Can you update the blog with this info?
Actually, 2 hyphens before deep are intended; compare the man page for authbind (https://manpages.debian.org/testing/authbind/authbind.1.en.html).
I changed the command's format to ensure the 2 hyphens are not displayed as a single long hyphen.