Connecting securely to our systems is more important now than ever before and this is just as true for IBM i as any other platform. As I’m sure you know you can encrypt your connections to IBM i at no extra cost and there have been many articles written on how to set this up.
What is not so widely written about is how to tell what connections to your system are NOT ENCRYPTED.
Using an IBM i service to list Non-Encrypted links:
In this example I have created a simple piece of SQL that uses and IBM i Service to list all the encrypted ports on my system, so anything else must therefore be unencrypted.
select *
from qsys2.netstat_job_info
where local_port not in
(9470, 9471, 9472, 9473, 9474, 9475, 9476, 448, 2005, 2010, 5544, 5566, 5577, 992, 22, 9480, 942)
and Local_Address <> (‘127.0.0.1’)
and Local_Address not like (‘::%’)
and Local_Address <> (‘0.0.0.0’)
ProTip: If you have a custom job that runs encrypted on your system you simply add it to the list of ports in the “where local_port not in” clause.
It’s amazing just how many new connection types can sneak on to your system, and not all of them are encrypted! I ran this on one of my test servers and was quickly reminded that someone had started up the ftp service and not locked it some to encrypted only.
If you want to know more about what ports are open on your server, then I’d start here on the IBM website but remember as you add new workloads (especially ones you’ve created yourself) then you will need to add these ports in to your audit.
https://www.ibm.com/support/pages/tcpip-ports-required-ibm-i-access-and-related-functions
i-UG goes Hybrid
We are returning to the Mount Hotel in my home town of Wolverhampton for another Hybrid event on the 18th March, we hope to see you there.
For more details check out www.i-ug.co.uk
Leave a Reply