Default open ports

The following ports are open by default on IBM® StoredIQ®.

SSH port 22

By default, port 22 is open on all IBM StoredIQ hosts. The port is used for Secure Shell (SSH) communication and allows remote administration access to the VM. In general, traffic is encrypted and logins use password authentication. To add a layer of security, you can establish key-based authentication for passwordless SSH logins to any of the IBM StoredIQ nodes in your environment as described in Configuring SSH key-based authentication.

Default open ports on the AppStack

Port number Protocol
22 tcp
80 tcp
443 tcp

Default open ports on the IBM StoredIQ data server

Port number Protocol Service
22 tcp PROD-ssh
80 tcp PROD-web
443 tcp PROD-https (UI and Web Services APIs)
11103, 11104 tcp PROD-transport (IBM StoredIQ transport services; communication between the gateway and the data server)

Enable or disable ports or services on the IBM StoredIQ data server

To manage ports, you can use the /usr/local/storediq/bin/util/port_handler.pyc script with the appropriate parameter:

    python /usr/local/storediq/bin/util/port_handler.pyc -parameter

-s
    To list the current rules in iptables
-l
    To list the supported services
-d port_number|'port_range'
    To delete a port or a range of port numbers from iptables, for example:
    python /usr/local/storediq/bin/util/port_handler.pyc -d '21200:21299'
-e 'service_name'
    To enable a specific service, for example, to enable HTTPS services:
    python /usr/local/storediq/bin/util/port_handler.pyc -e 'PROD-https'
-d 'service_name'
    To disable a specific service, for example, to disable HTTPS services:
    python /usr/local/storediq/bin/util/port_handler.pyc -d 'PROD-https'

Default open ports on the nodes in the Elasticsearch cluster

Port number Protocol Service
21 tcp ftp
22 tcp sshd
80 tcp
443 tcp
8888 tcp SimpleHTTPServer (used for copying the siq-elasticsearch.yml configuration file from the Elasticsearch node to the data server)
9200 tcp6 docker-proxy (listening for REST requests)
9300 tcp6 docker-proxy (internode communication)

You can restrict access to port 9200 by enabling stunnel with HTTPS or by setting up a firewall. For more information, see Securing Elasticsearch cluster communication or Restricting access to port 9200 on Elasticsearch nodes.

Default open ports on the IBM StoredIQ gateway

Port number Protocol Service
22 tcp PROD-ssh
80 tcp PROD-web
443 tcp PROD-https (UI and Web Services APIs)
5432 tcp PROD-postgres
5434, 8765, 7766, 11102, 11103, 11104 tcp PROD-transport (IBM StoredIQ transport services; communication between the gateway and the data server)

Supported chain and rules on the IBM StoredIQ gateway

In iptables, the following firewall and chain rules are defined:

            'PROD-transport':['5434','8765','7766','11102','11103','11104'],
            'PROD-https':['443'],
            'PROD-ssh':['22'],
            'PROD-web':['80'],
            'PROD-postgres':['5432']
'desktop' service:
            'PROD-broker':['21000'],
            'PROD-collectionsvc':['21300:21399'],
            'PROD-desktopupgrade':['21004'],
            'PROD-objlistmgr':['21100:21199'],
            'PROD-objlistsvc':['21200:21299'],
            'PROD-registration':['21001'],
            'PROD-session':['21002'],
            'PROD-task':['21003'],
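
To check a host against the chain map above, the following added example (not IBM code and not part of port_handler.pyc) classifies every non-loopback listening port as a documented service or as undocumented. It assumes listener data in the format printed by ss -ltn; the function names are hypothetical and the sample input is constructed.

```python
# Service-to-port map copied from the chain rules listed on this page.
SERVICES = {
    "PROD-transport": ["5434", "8765", "7766", "11102", "11103", "11104"],
    "PROD-https": ["443"], "PROD-ssh": ["22"], "PROD-web": ["80"],
    "PROD-postgres": ["5432"], "PROD-broker": ["21000"],
    "PROD-collectionsvc": ["21300:21399"], "PROD-desktopupgrade": ["21004"],
    "PROD-objlistmgr": ["21100:21199"], "PROD-objlistsvc": ["21200:21299"],
    "PROD-registration": ["21001"], "PROD-session": ["21002"],
    "PROD-task": ["21003"],
}

def service_for(port):
    """Return the documented service that owns a port, or None."""
    for name, specs in SERVICES.items():
        for spec in specs:
            low, _, high = spec.partition(":")  # 'a:b' is an inclusive range
            if int(low) <= port <= int(high or low):
                return name
    return None

def listening_ports(ss_output):
    """Collect ports from LISTEN lines of `ss -ltn` output, skipping loopback."""
    ports = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header or non-listener line
        addr, _, port = fields[3].rpartition(":")
        if addr.startswith("127.") or addr == "[::1]":
            continue  # not reachable from the network
        ports.add(int(port))
    return ports

def audit(ss_output):
    """Map each exposed port to its service; None marks an undocumented port."""
    return {p: service_for(p) for p in sorted(listening_ports(ss_output))}

# Constructed sample, not captured from a real StoredIQ host.
SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:443        0.0.0.0:*
LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*
LISTEN 0      64     [::]:21250         [::]:*
LISTEN 0      5      0.0.0.0:8888       0.0.0.0:*
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A port that maps to None has a listener but no entry in the documented chains, so it is a candidate for review before any firewall rule is changed.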

Open ports for desktop client access to the data server

To open ports for desktop client access to the data server on OVA deployed systems, follow these steps:
  1. Log in to the data server as root and run this command:
    python /usr/local/storediq/bin/util/port_handler.pyc -e desktop
  2. Run this command: iptables -L INPUT

    In the output of the command, check the list position of the rule that is named PROD-reject, for example, the 6th position on the list.

  3. Run this command: iptables -A INPUT -j PROD-reject
  4. Run this command: iptables -D INPUT list_position

    list_position is the position number of the PROD-reject rule that you determined in step 2.

  5. Run the following command:
    python /usr/local/storediq/bin/util/port_handler.pyc -e desktop
Tip: These steps are required only on an IBM StoredIQ OVA deployed system. The correct ports are open on an upgraded system.