Ports and port restrictions

With the advent of new choices for the security of distributed data management (DDM) communications, the system administrator can restrict certain communications modes by blocking the ports they use. This topic discusses some of these considerations.

The DDM or DRDA TCP/IP server listens on port 446 (the well-known DRDA port), port 447 (the well-known DDM port), and port 448 (the well-known SSL port). The Db2® for i implementation of DDM does not distinguish between the two ports 446 and 447, however, so both DDM and DRDA access can be done on either port.

Following the convention recommended for IPSec, the DDM TCP/IP server uses its ports as follows:

  • 446 for clear text data streams
  • 447 for IPSec encrypted data streams (suggested)
  • 448 for SSL encrypted data streams (required)

You can block usage of one or more ports at the server by using the Configure TCP/IP (CFGTCP) command. To do this, choose the Work with TCP/IP port restrictions option of that command. You can add a restriction so that only a specific user profile other than the one that QRWTLSTN runs under (normally QUSER) can use a certain port, such as 446. Because the listener can then no longer bind to that port, this effectively blocks 446. If 447 were configured for use only with IPSec, then blocking 446 would allow only encrypted data streams to be used for DDM and DRDA access over native TCP/IP. You could block both 446 and 447 to restrict usage to SSL only. It might be impractical to follow these examples for performance or other reasons (such as the current limited availability of SSL-capable clients), but they are given to show the possible configurations.
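The sequence below is an added CL example, not taken from this IBM topic, showing the port-restriction procedure described above as commands rather than through the interactive CFGTCP menu. It assumes the DDM listener runs under QUSER and uses a placeholder profile name, DDMRSTRCT, chosen here; any profile other than the listener's own would serve.

```cl
/* Added example (not from the IBM topic): restrict the clear-text          */
/* DDM/DRDA port 446 to a dedicated, disabled user profile so that           */
/* QRWTLSTN (running under QUSER) can no longer bind it.                     */
/* The profile name DDMRSTRCT is an assumption for this example.             */

/* 1. Create a placeholder profile that can never sign on; it exists only   */
/*    to own the port restriction.                                           */
CRTUSRPRF USRPRF(DDMRSTRCT) PASSWORD(*NONE) STATUS(*DISABLED) +
          TEXT('Owns DDM/DRDA TCP port restrictions')

/* 2. Reserve TCP port 446 for that profile only. After this, only jobs     */
/*    running under DDMRSTRCT may use the port, so the listener is blocked. */
ADDTCPPORT PORT(446) PROTOCOL(*TCP) USRPRF(DDMRSTRCT)

/* To permit SSL (port 448) only, restrict the IPSec port as well:          */
/* ADDTCPPORT PORT(447) PROTOCOL(*TCP) USRPRF(DDMRSTRCT)                    */

/* 3. Restart the DDM server so the listener re-binds under the new rules. */
ENDTCPSVR SERVER(*DDM)
STRTCPSVR SERVER(*DDM)

/* To undo the restriction later:                                            */
/* RMVTCPPORT PORT(446) PROTOCOL(*TCP) USRPRF(DDMRSTRCT)                     */
```

After restarting the server, the CFGTCP port-restrictions option lists the entry, and NETSTAT OPTION(*CNN) should no longer show a Listen state for 446 while 448 (and 447, if left open) remain. Leave 448 unrestricted so that SSL-capable clients still have a path in.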