ibm-information-center/dist/eclipse/plugins/i5OS.ic.ddp_5.4.0.1/rbal1ports.htm

69 lines
4.8 KiB
HTML

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Ports and port restrictions for DDM/DRDA" />
<meta name="abstract" content="With the advent of new choices for the security of distributed data management (DDM) communications, the iSeries server administrator can restrict certain communications modes by blocking the ports they use. This topic discusses some of these considerations." />
<meta name="description" content="With the advent of new choices for the security of distributed data management (DDM) communications, the iSeries server administrator can restrict certain communications modes by blocking the ports they use. This topic discusses some of these considerations." />
<meta name="DC.Relation" scheme="URI" content="rbal1elementsusetcp.htm" />
<meta name="DC.Relation" scheme="URI" content="../cl/cfgtcp.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rbal1ports" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Ports and port restrictions for DDM/DRDA</title>
</head>
<body id="rbal1ports"><a name="rbal1ports"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Ports and port restrictions for DDM/DRDA</h1>
<div><p>With the advent of new choices for the security of distributed
data management (DDM) communications, the <span class="keyword">iSeries™</span> server
administrator can restrict certain communications modes by blocking the ports
they use. This topic discusses some of these considerations.</p>
<p>The DDM or DRDA<sup>®</sup> TCP/IP
server listens on port 447 (the well-known DDM port) and 446 (the well-known DRDA port)
as well as 448 (the well-known SSL port). The <span class="keyword">DB2 Universal Database™ for iSeries</span> implementation
of DDM does not distinguish between the two ports 446 and 447, however, so
both DDM and DRDA access
can be done on either port.</p>
<p>Using the convention recommended for IPSec, the port usage for the DDM
TCP/IP server follows: </p>
<ul><li>446 for clear text data streams</li>
<li>447 for IPSec encrypted data streams (suggested)</li>
<li>448 for SSL encrypted data streams (required)</li>
</ul>
<p>You can block usage of one or more ports at the server by using the <span class="cmdname">Configure
TCP/IP (CFGTCP)</span> command. To do this, choose the <tt>Work with TCP/IP
port restrictions</tt> option of that command. You can add a restriction so
that only a specific user profile other than the one that QRWTLSTN runs under
(normally QUSER) can use a certain port, such as 446. That effectively blocks
446. If 447 were configured for use only with IPSec, then blocking 446 would
allow only encrypted data streams to be used for DDM and DRDA access over
native TCP/IP. You could block both 447 and 448 to restrict usage only to
SSL. It might be impractical to follow these examples for performance or other
reasons (such as current limited availability of SSL-capable clients), but
they are given to show the possible configurations.</p>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rbal1elementsusetcp.htm" title="DDM and DRDA over native TCP/IP does not use i5/OS communications security services and concepts such as communications devices, modes, secure location attributes, and conversation security levels which are associated with Advanced Program-to-Program Communication (APPC). Therefore, security setup for TCP/IP is quite different.">Elements of security in a TCP/IP network</a></div>
</div>
<div class="relref"><strong>Related reference</strong><br />
<div><a href="../cl/cfgtcp.htm">Configure TCP/IP (CFGTCP) command</a></div>
</div>
</div>
</body>
</html>