IBM Support

TCP/IP Port Restrictions

Troubleshooting


Problem

This document describes the function of TCP/IP Port Restrictions

Resolving The Problem


TCP/IP Port Restrictions are a method to reserve a specific port or port range to be used by a user, or
group of users. A common misunderstanding is that port restrictions define a user (or group of users) to
be denied access to an application. That is the exact opposite of the port restrictions' functionality. Generally
speaking, the port restrictions are used with custom applications as opposed to IBM applications.

This is due to IBM applications initializing and listening on their TCP/IP port with IBM profiles:
(QTCP, QUSER,QPGMR, and so on).

If a port restriction were put in place for an IBM application, and the user defined in the port restriction was an
end user versus the IBM profile needed to start the application, that application would fail to start.

The most common error seen in this example would be:

Message ID . . . . . . :   TCP7701       Severity . . . . . . . :   40      
Message type . . . . . :   Diagnostic                                        
Date sent  . . . . . . :   mm/dd/yy      Time sent  . . . . . . :   hh:mm:ss
                                                                             
Message . . . . :   XYZ server unable to establish connection.            
Cause . . . . . :   The XYZ server program could not establish the TCP port
  for the required connection.                                              
Technical description . . . . . . . . :   The XYZ server program issued the
  socket call bind, which failed with an errno value of 3401.              

Administrators have other options to secure TCP/IP applications. Those options include, but are not limited
to:

  1. The use of Application Administration (found within System i Navigator)
  2. Exit Point Programming
  3. Third-Party Security Applications

If port restrictions are incorrectly used, it may be necessary to remove the port restriction and restart the
given application.

For further information regarding TCP/IP Port Restrictions, see the System i Information Center at the
following URL:

http://publib.boulder.ibm.com/iseries/

[{"Product":{"code":"SWG60","label":"IBM i"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Component":"Communications-TCP","Platform":[{"code":"PF012","label":"IBM i"}],"Version":"Version Independent","Edition":"","Line of Business":{"code":"LOB08","label":"Cognitive Systems"}}]

Historical Number

557006157

Document Information

Modified date:
18 December 2019

UID

nas8N1012361