Run SAP Cloud Connector on port 443

SAP Cloud Connector (SCC) is running out of the box on port 8443. SCC Users often like to run SCC on port standard HTTPS port 443. This port can be easily set directly during installation, when you are using windows. But it is a bit tricky to do that on linux.

The SCC contains a shell script allowing you to change the port in the configuration file:

<scc_installation_dir>/changeport.sh  <port>

This script just modifies the configuration files without checking, if changing the configuration may cause any problems: On unix the usage of ports below 1024 is only allowed for the root user. The SCC process runs as the sccadmin user, and this way starting the SSC fails. In SCC log you see the error message in this case:

Failed to initialize end point associated with ProtocolHandler [“http-bio-443”]

java.net.BindException: errno: 13 (Permission denied), error: Bind failed (port 443 to address 0.0.0.0) <null>:443

Running the SCC as a root user would do the job, but using the root user for the SCC is not really fun due to security reasons. Fortunately, there are other possible solutions such as using the tool Authbind, which I tested successfully . It overrides the standard bind() function in the C-library and allows to define a user and then to enable this user to bind a privileged port. Unfortunately there is no rpm package with Authbind available for SLES or for RedHat. I had to download Authbind from Debian distribution. So the first steps are the download and the installation of Authbind from this distribution.

Note 1: Everything below can be done by root user – use sudo su or login as root.
Note 2: Steps here are shell commands. Commands starting with [[ … ]] are commands beginning with a test, checking if command should be executed
Note 3: Please read Note 1 and Note 2.

1. Check if authbind already installed: which authbind
2. Change to a temporary directory: cd /tmp

3. Download authbind: wget http://ftp.debian.org/debian/pool/main/a/authbind/authbind_2.1.1.tar.gz

(If it is required, set the proxy for wget: export HTTP_PROXY=http://<proxy in your network>

4. Install authbind with follow commands (you may execute the command sequence at once):

 tar zxvf authbind_2.1.1.tar.gz; cd authbind-2.1.1; make; make install; cd .. ; rm -rf authbind-2.1.1

Now you have finished the installation of Authbind and you should enable the user sccadmin to use the port 443.

5. Allow sccadmind to bind the port 443:

touch /etc/authbind/byport/443; chmod 500 /etc/authbind/byport/443; chown sccadmin /etc/authbind/byport/443

5. Finally it is important that the script that start the SCC uses Authbind. To achieve this, you need to adapt the shell script, which starts the SCC process:

[[ ! $(grep authbind /opt/sap/scc/daemon.sh) ]] && sed -i 's/javaCommandLine=\"/javaCommandLine=\"exec /usr/local/bin/authbind  --deep /' /opt/sap/scc/daemon.sh

Note: This shell command modifies /opt/sap/scc/daemon.sh and modifies the javaCommandLine, so that java process will be started by authbind.

6. Authbind recommends to set java.net.preferIPv4Stack option in server configuration. Add this option to configuration file:

[[ ! $(grep preferIPv4Stack /opt/sap/scc/props.ini) ]] && sed -i '12 a\-Djava\.net\.preferIPv4Stack=true' /opt/sap/scc/props.ini

Note: This shell command adds ‘-Djava.net.preferIPv4Stack=true‘ to /opt/sap/scc/props.ini.

7. reinstall the service script: /opt/sap/scc/daemon.sh reinstall

8. Restart SCC process by: service scc_daemon restart

Enjoy.

Though I got it running on SLES and RedHat, you may encounter troubles in your specific environment. So I would recommend  that you try out the whole process in a test environment so that you can check if the procedure described above works in your environment.  Only after this you should use it on a productive system.