ibm-information-center/dist/eclipse/plugins/i5OS.ic.ddm_5.4.0.1/rbae5ports.htm
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Ports and port restrictions for DDM/DRDA" />
<meta name="abstract" content="With the advent of new choices for security of distributed data management (DDM) communications, the iSeries server administrator can restrict certain communications modes by blocking the ports they use. This topic discusses some of these considerations." />
<meta name="description" content="With the advent of new choices for security of distributed data management (DDM) communications, the iSeries server administrator can restrict certain communications modes by blocking the ports they use. This topic discusses some of these considerations." />
<meta name="DC.Relation" scheme="URI" content="rbae5elementtcpip.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1999, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1999, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rbae5ports" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Ports and port restrictions for DDM/DRDA</title>
</head>
<body id="rbae5ports"><a name="rbae5ports"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Ports and port restrictions for DDM/DRDA</h1>
<div><p>With the advent of new choices for security of distributed data
management (DDM) communications, the <span class="keyword">iSeries™</span> server
administrator can restrict certain communications modes by blocking the ports
they use. This topic discusses some of these considerations.</p>
<p>The DDM or DRDA<sup>®</sup> TCP/IP
server listens on port 447 (the well-known DDM port) and 446 (the well-known DRDA port)
as well as 448 (the well-known SSL port). The <span class="keyword">DB2 Universal Database™ for iSeries</span> implementation
of DDM does not distinguish between the two ports 446 and 447, however, so
both DDM and DRDA access
can be done on either port.</p>
<p>Using the convention recommended for IPSec, the port usage for the DDM
TCP/IP server follows: </p>
<ul><li>446 for clear text datastreams</li>
<li>447 for IPSec encrypted datastreams (suggested)</li>
<li>448 for SSL encrypted datastreams (required)</li>
</ul>
<p>You can block usage of one or more ports at the server by using the <span class="cmdname">Configure
TCP/IP (CFGTCP)</span> command. To do this, choose the 'Work with TCP/IP
port restrictions' option of that command. You can add a restriction so that
only a specific user profile other than the one that QRWTLSTN runs under (normally
QUSER) can use a certain port, such as 446. That effectively blocks 446. If
447 were configured for use only with IPSec, then blocking 446 would allow
only encrypted datastreams to be used for DDM and DRDA access over native TCP/IP. You could
block both 447 and 448 to restrict usage only to SSL. It might be impractical
to follow these examples for performance or other reasons (such as current
limited availability of SSL-capable clients), but they are given to show the
possible configurations.</p>
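<p>The two configurations described in the paragraph above, written out as the CL commands behind the CFGTCP 'Work with TCP/IP port restrictions' option. This is an added example, not part of the IBM topic; the profile name DDMBLOCK is a placeholder for any profile other than the one QRWTLSTN runs under (normally QUSER), and the SSL-only variant follows the port list above (446 and 447 restricted so that only 448 remains).</p>

```cl
/* Added example, not from the IBM topic. DDMBLOCK is a placeholder    */
/* profile name; the restriction only has to name a profile other than */
/* the one QRWTLSTN runs under (normally QUSER).                        */

/* Holder profile: disabled, no password, so no job can ever run under */
/* it and the restricted port stays unusable by anyone.                */
CRTUSRPRF USRPRF(DDMBLOCK) PASSWORD(*NONE) STATUS(*DISABLED) +
          TEXT('Holder profile for DDM/DRDA port restrictions')

/* Configuration 1: IPSec only. Restrict the clear-text port 446 to   */
/* DDMBLOCK; QUSER (and so QRWTLSTN) can then bind only 447 and 448.  */
ADDTCPPORT PORT(446) PROTOCOL(*TCP) USRPRF(DDMBLOCK)

/* Configuration 2: SSL only. Per the port list above, also restrict  */
/* 447 so that 448 is the only DDM/DRDA port left to QUSER.           */
ADDTCPPORT PORT(447) PROTOCOL(*TCP) USRPRF(DDMBLOCK)

/* Restrictions take effect when the listener next binds its ports.   */
ENDTCPSVR SERVER(*DDM)
STRTCPSVR SERVER(*DDM)

/* Verify: only the intended ports should show a *LISTEN entry for    */
/* QUSER in the TCP/IP connection status display.                     */
WRKTCPSTS OPTION(*CNN)

/* To return to the default (all three ports open):                    */
/* RMVTCPPORT PORT(446) PROTOCOL(*TCP) USRPRF(DDMBLOCK)                */
/* RMVTCPPORT PORT(447) PROTOCOL(*TCP) USRPRF(DDMBLOCK)                */
```

<p>Port restrictions only govern which profile may bind a port on the server; whether traffic on 447 is actually encrypted still depends on the IPSec policy configured for that port.</p>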
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rbae5elementtcpip.htm" title="DDM and DRDA over native TCP/IP does not use i5/OS communications security services and concepts such as communications devices, modes, secure location attributes, and conversation security levels which are associated with Advanced Program-to-Program Communication (APPC). Therefore, security setup for TCP/IP is quite different.">Elements of security in a TCP/IP network</a></div>
</div>
</div>
</body>
</html>