Basis Errors and Solutions

Symptom

Internet Communication Manager (ICM) 7.10 contains errors.

Other terms

icm, icman, sapwebdisp, HTTP, SMTP, Internet, HTTP request, 0d0a, \r\n, OOB, x-forwarded-for, ClientProtocol, watchdog, GET, POST, HEAD, PUT, SSL, dev_icm, dev_webdisp, soft cancel, cancel

Reason and Prerequisites
ICM Patch Collection (I)

contains the following changes:
Initial ICM version

ICM Patch Collection (II)

contains the following changes:
Fix for a crash of the ICM in function IcmConnDumpUsedSlotsFix for a crash in alloc/free functions when using IIOP

ICM Patch Collection (III)

contains the following changes:
Fix for transferring the client certificate with large POST requests

ICM Patch Collection (IV)

contains the following changes:
Fix for hanging Java deployment during update from Support Package 1 to Support Package 2This patch collection ensures that unanswered P4 requests are answered, even if the connection to the Java startup framewok has been interrupted.

ICM Patch Collection (V)

contains the following changes:
Monitoring connections could disappear in the ICM. Error trace in dev_icm: “IcmExtLogonAllocSlot: max number of conns reached”When you restart the ICM in a double stack system, the ICM can no longer connect to the Java server process.

ICM Patch Collection (VI)

contains the following changes:
Fix for monitoring (MMC, SAPMC) if a large number (several hundred) connections are open in ICM.Fix for monitoring (MMC, SAPMC) after restarting the instance

ICM Patch Collection (VII)

Minimum kernel patch level for NW 7.10 Support Package 3.

ICM Patch Collection (VIII)

contains the following changes:
The system now ignores a Java session ID (JSESSIONID) that has no values.The error that occurred with P4 connections using SSL has been corrected.

ICM Patch Collection (IX)

contains the following changes:
For large POST requests, the system may have written the HTTP response before the HTTP request was fully read. In the client (for example, browser), the network connection may have been terminated unexpectedly.
With this correction, the system will now read the entire HTTP request before it writes the HTTP response.Previously, when restarting the AS Java in a double-stack system, the ICM may have terminated.The previous limitation of the ICM URL prefix table to 250 elements was lifted. You can now create more than 250 URLs and external aliases in transaction SICF. The system issues the error in the ICM tracefile, with the following text:
*** ERROR => HttpSAPR3Handler: too many entries 250 – skip

ICM Patch Collection (X)

contains the following changes:
The ICM sometimes crashed after a memory bottleneck in the P4 communication. The trace file dev_w* contains the following entries:
[Thr 3104] Fri Oct 26 21:59:04 2007
[Thr 3104] *** ERROR => IcmJSessSendConnClosedMsg: FcaGetOutbuf failed: -4 [icxxjcom.c 5823]
[Thr 3104] *** ERROR => IcmJSessSendConnClosedMsg: FcaGetOutbuf failed: -4 [icxxjcom.c 5823]
[Thr 3104] *** ERROR => P4RecvRequest(-1/-1): IcmMplxAllocBuf failed 50 times – giving up: -3 [p4_plg.c 1455]
[Thr 3104] *** WARNING => P4PlugInReadHandler(id=-1/0): P4RecvRequest failed: -3 [p4_plg.c 1205]
[Thr 3104] *** ERROR => IcmMplxClose: duplicate free of connection (id=-1/0) [icxxmplx.c 2421]When you enter the HOST parameter in icm/HTTP/admin_ and icm/HTTP/auth_, at runtime, the system does not use the host name on which the connection was accepted. Instead, the system uses the host name that was entered in icm/server_port_ (or it uses the default host name). As a result, the system rejects requests and issues the error “forbidden (wrong server addr)”.If the host had defined several IP addresses or P4 ports, the 7.10 application server could not communicate with older J2EE servers (6.40, 6.45). The dev_icm trace file contains the following entries: “client with this banner already exists”
ICM Patch Collection (XI)

contains the following changes:
When you use the portal to change the external session ID (ESID), the application server retains six sessions in the default. You can now use the parameter icm/HTTP/esid_max_ctx to increase this value to a maximum of 16.An MPI memory leak that may have occurred in the following cases was corrected:you send client requests from the ABAP to the external serverthe ICM cannot open the connectionin the ABAP, the object CL_HTTP_CLIENT is reused (this only occurs in very rare cases)
The following entries in the trace file dev_icm may indicate a leak: *** WARNING => Connection request from (71/5145/0) to host: , service: failed (NIECONN_REFUSED)

ICM Patch Collection (XII)

contains the following changes:
Consistency checks for user entries in the Web Admin pages are improved.Fragmented HTTP POST requests for AS Java with the flag expect 100-continue may have resulted in invalid HTTP responses.”Accept header” of the HTTP requests may have been taken into account incorrectly. HTML error pages were sent to the client, even if they were not marked as allowed.

ICM Patch Collection (XIII)

contains the following changes:
The ICM SSL has not forwarded client certificates that were forwarded by a previous reverse proxy in HTTP header fields to the backend. This is an error. This error has been corrected.With this change, HTTP log are only written when the entire HTTP response is available. Previously, they were written as soon as the complete HTTP response header was available.
After this change, the content length of a HTTP response is logged, even if it is not explicitly specified in the header content length.
In addition, the response times logged in the HTTP log contain the entire processing time up to the complete response.When using P4, IIOP or the RMI log, the connection setup with partner could end in a timeout (for example, due to network problems, router problems or firewall problems). The network stack did not transmit this timeout to the ICM and therefore, it could not send a response to the Jave server node. The thread in the Java engine is locked as of that moment.When using specific IP addresses for the P4 log, the ICM sometimes sent an invalid handshake to the partner.

ICM Patch Collection (XIV)

contains the following changes:
The system did not correctly transfer a SSL client certificate (X.509) to the Java server if the client demanded a “100-continue” reply at the same time. A .NET-based client demands these replies by default.The length of the random value for the encryption of the user passwords was increased from 32 to 48 bit. The increases the probability that the same password was saved in different ways.

ICM Patch Collection (XV)

contains the following changes:
For some error situations in Web AS, the ICM only closed the network connection to the client. It now returns an error page (”500 Internal Server Error”).In rare cases, the ICM no longer sent a reply to the client (for example, the browser) when the processing in Web AS took a long time. From the client viewpoint, the ICM stalled during the the processing of a request.During the communication of P4 via SSL (P4SEC), wait situations occurred that that resulted in poor response times. We have improved this system behavior.The HTTP client sometimes stalled when large data sets were sent and the server had already sent a response at the start.

ICM patch Collection (XVI)

contains the following changes:
In high-load scenarios, errors occurred on z/OS.
The trace file dev_icm may contain the following error message:
“IcmQueueGetFirst: **** Queue empty ****”.

ICM Patch Collection (XVII)

contains the following changes:
Removing the restriction of 20 IP addresses when notifying the J2EE engine of the access points.
This restriction may cause deployment errors.
The trace file dev_icm may contain the following error message:
“*** ERROR => client with this banner already exists: …”
The HTTP parser was made more strict in order to close security gaps. See Note 1170848.

ICM Patch Collection (XVIII)

contains the following changes:
Accessing predefined variables in the modification handler (for example, $(HTTP_USER_AGENT)) did not always work. In addition, an error in the algorithm for checking regular expressions has been corrected.

ICM Patch Collection (XIX)

contains the following changes:
On certain platforms, the system reported the following exception when monitoring ICM connections in the SAP MC even though the ICM did not have any open connections at the time:
javax.xml.rpc.soap.SOAPFaultException: IcmMniGetConnList failed: No more memory.
This error has been corrected.Using icmbnd to bind ports lower than 1024 could have led to blocked threads because a mutex was not released.The latency periods during the processing of HTTP(S) requests have been reduced by activating a polling-free implementation for waiting on HTTP responses from Web AS ABAP and Web AS JAVA by default (see also Note 1307291).

ICM Patch Collection (XX)

contains the following changes:
The following error is corrected as of patch level 150: When using icmbnd on Unix, in the operating system, the length of the
list queue of the accept() call was restricted to 20, instead of the
value that was specified in the profile parameter icm/listen_queue_len (default 512) being used. The error could cause clients not to be able to connect to the Web Dispatcher in load situations.

ICM Patch Collection (XXI)

contains the following changes:
The HTTP modification handler (icm/HTTP/mod_) could correctly process only certificates with a maximum length of 1024 characters. This change will enable certificates of any length to be processed.

ICM Patch Collection (XXII)

contains the following changes:
A dynamic change to the service definition in transaction smicm resulted in the loss of the assigned SSL configuration.For the HTTP File Access Handler (icm/HTTP/file_access_), you can now also specify a maximum cache duration for the client/browser (with the argument MAXAGE=+.On some platforms, the following error message may be displayed in the ICM trace:
“IcmJSessGetServerList: no more memory for 0 entries”.
This error has been corrected.

ICM Patch Collection (XXIII)

contains the following changes:
For specific POST requests, HTTP 500 “Connection timed out” may have been issued if HyperText Transfer Protocol with SSL (HTTPS) was used.
This error occurred only if the POST request was smaller than 64k bytes.In certain cases, Web sessions were lost (leak) in Web AS Java.
Before this error occurred, the following error traces were displayed:
*** ERROR => IcmCreateFCAReq: server overload – already … requests in queue to server [icxxthr.c ...]
*** ERROR => HttpJ2EETriggerServer: request dispatching to server … failed: No more memory(-3) [http_j2ee2.c ...]

Solution

The patch collections are included in Release 7.10 as of the following kernel patch levels:
I: Kernel patch level 2
II: Kernel patch level 4
III: Kernel patch level 10
IV: Kernel patch level 10
V: Kernel patch level 12
VI: Kernel patch level 52
VII: Kernel patch level 60
VIII: Kernel patch level 64
IX: Kernel patch level 65
X: Kernel patch level 82
XI: Kernel patch level 84
XII: kernel patch level 88
XIII: kernel patch level 90
XIV: kernel patch level 94
XV: kernel patch level 102
XVI: kernel patch level 103
XVII: kernel patch level 108
XVIII: kernel patch level 126
XIX: kernel patch level 146
XX: kernel patch level 150
XXI: kernel patch level 152
XXII: kernel patch level 156