
HTTP Inbound Connections

former_member204161
Active Participant

Hi SAP Experts,

We are implementing security recommendations by converting all SAP URLs to HTTPS. We have many connections that are direct (not via integration platform) and do not have a complete picture of all applications calling SAP ECC (via message server).

Two queries related to this:

1. Can we activate any tracing to find what the inbound HTTP calls to SAP ERP are? I didn't find these logs by default in the ICM logs.

2. We want to convert all SICF services to HTTPS. By changing the root, we find that the child services do not get changed. Is there any way to mass change all services?

Thanks for your help!

Regards,

Shaswat

7 REPLIES

cris_hansen
Product and Topic Expert

Hello Shaswat,

You can use the ICM trace file (dev_icm) to get more details:
- increase the trace level to 2;
- set icm/trace_secured_data = 1.

AFAIK, there is no mass-update tool for SICF. But you should consider HTTPURLLOC instead.

Regards,
Cris


Will increasing the trace level capture the source of the request? I did not see that in SAP Help.

Regarding HTTPURLLOC, yes, it helps when a URL is to be generated by an ABAP program. Here my intent is to have the standard SAP services (as defined in SICF) require HTTPS by default. For example, all BSPs in the system to require secure HTTPS by changing the root node, but that does not work. I was expecting a change in the root SICF node to be inherited, but that doesn't seem to be the case.

Regards,

Shaswat

cris_hansen
Product and Topic Expert

Hi Shaswat,

The dev_icm will show you where the request is coming from. If you increase the trace level, you can see the HTTP header, so you will know the service being called.

Changes in the root element will only be inherited if "use Global Settings" is used in every single ICF service, which is not the case. An example:

Regards,

Cris

dasistdochscheisse
Active Participant

Can't that be done by redirecting the HTTP port to HTTPS in the instance profile?


Hi Ulf,

Thanks for your reply and good suggestion. It solves the problem only partially.

All the requests would get redirected to the HTTPS URL, but the SICF service itself continues to run in HTTP mode.

Will this work or be applicable if the target itself (the SICF service) does not require HTTPS?

Regards,

Shaswat


Hello shaswat.c,

There would be no issues if an incoming connection is HTTPS and the SICF service is not requiring HTTPS.

The request would continue to be processed through HTTPS.

Regards,

Isaías

Isaias_SAP
Product and Topic Expert

Hello Shaswat,

Another option is to use the ICM log file.

It would be much easier to analyze than an ICM level 2 trace :-).

You could use a custom log format with "%j":

Regards,

Isaías