65 lines
4.6 KiB
HTML
65 lines
4.6 KiB
HTML
|
<?xml version="1.0" encoding="UTF-8"?>
|
||
|
<!DOCTYPE html
|
||
|
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
||
|
<html lang="en-us" xml:lang="en-us">
|
||
|
<head>
|
||
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
||
|
<meta name="security" content="public" />
|
||
|
<meta name="Robots" content="index,follow" />
|
||
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
||
|
<meta name="DC.Type" content="concept" />
|
||
|
<meta name="DC.Title" content="Ports and port restrictions for DDM/DRDA" />
|
||
|
<meta name="abstract" content="With the advent of new choices for security of distributed data management (DDM) communications, the iSeries server administrator can restrict certain communications modes by blocking the ports they use. This topic discusses some of these considerations." />
|
||
|
<meta name="description" content="With the advent of new choices for security of distributed data management (DDM) communications, the iSeries server administrator can restrict certain communications modes by blocking the ports they use. This topic discusses some of these considerations." />
|
||
|
<meta name="DC.Relation" scheme="URI" content="rbae5elementtcpip.htm" />
|
||
|
<meta name="copyright" content="(C) Copyright IBM Corporation 1999, 2006" />
|
||
|
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1999, 2006" />
|
||
|
<meta name="DC.Format" content="XHTML" />
|
||
|
<meta name="DC.Identifier" content="rbae5ports" />
|
||
|
<meta name="DC.Language" content="en-us" />
|
||
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
||
|
<!-- US Government Users Restricted Rights -->
|
||
|
<!-- Use, duplication or disclosure restricted by -->
|
||
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
||
|
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
||
|
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
||
|
<title>Ports and port restrictions for DDM/DRDA</title>
|
||
|
</head>
|
||
|
<body id="rbae5ports"><a name="rbae5ports"><!-- --></a>
|
||
|
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
||
|
<h1 class="topictitle1">Ports and port restrictions for DDM/DRDA</h1>
|
||
|
<div><p>With the advent of new choices for security of distributed data
|
||
|
management (DDM) communications, the <span class="keyword">iSeries™</span> server
|
||
|
administrator can restrict certain communications modes by blocking the ports
|
||
|
they use. This topic discusses some of these considerations.</p>
|
||
|
<p>The DDM or DRDA<sup>®</sup> TCP/IP
|
||
|
server listens on port 447 (the well-known DDM port) and 446 (the well-known DRDA port)
|
||
|
as well as 448 (the well-known SSL port). The <span class="keyword">DB2 Universal Database™ for iSeries</span> implementation
|
||
|
of DDM does not distinguish between the two ports 446 and 447, however, so
|
||
|
both DDM and DRDA access
|
||
|
can be done on either port.</p>
|
||
|
<p>Using the convention recommended for IPSec, the port usage for the DDM
|
||
|
TCP/IP server follows: </p>
|
||
|
<ul><li>446 for clear text datastreams</li>
|
||
|
<li>447 for IPSec encrypted datastreams (suggested)</li>
|
||
|
<li>448 for SSL encrypted datastreams (required)</li>
|
||
|
</ul>
|
||
|
<p>You can block usage of one or more ports at the server by using the <span class="cmdname">Configure
|
||
|
TCP/IP (CFGTCP)</span> command. To do this, choose the 'Work with TCP/IP
|
||
|
port restrictions' option of that command. You can add a restriction so that
|
||
|
only a specific user profile other than the one that QRWTLSTN runs under (normally
|
||
|
QUSER) can use a certain port, such as 446. That effectively blocks 446. If
|
||
|
447 were configured for use only with IPSec, then blocking 446 would allow
|
||
|
only encrypted datastreams to be used for DDM and DRDA access over native TCP/IP. You could
|
||
|
block both 447 and 448 to restrict usage only to SSL. It might be impractical
|
||
|
to follow these examples for performance or other reasons (such as current
|
||
|
limited availability of SSL-capable clients), but they are given to show the
|
||
|
possible configurations.</p>
|
||
|
</div>
|
||
|
<div>
|
||
|
<div class="familylinks">
|
||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="rbae5elementtcpip.htm" title="DDM and DRDA over native TCP/IP does not use i5/OS communications security services and concepts such as communications devices, modes, secure location attributes, and conversation security levels which are associated with Advanced Program-to-Program Communication (APPC). Therefore, security setup for TCP/IP is quite different.">Elements of security in a TCP/IP network</a></div>
|
||
|
</div>
|
||
|
</div>
|
||
|
</body>
|
||
|
</html>
|