IBM i

Expand all | Collapse all

Finding Non-Encrypted Connections to your IBM i

  • 1.  Finding Non-Encrypted Connections to your IBM i

    Posted Thu February 04, 2021 11:04 AM
    Morning All

    I was inspired by Mr Forstie and thought I'd scratch my one itch and use an IBM i Service to answer a question that the command line would not give me!

    Using an IBM i service to list Non-Encrypted links:


    Connecting securely to our systems is more important now than ever before and this is just as true for IBM i as any other platform.  As I'm sure you know you can encrypt your connections to IBM i at no extra cost and there have been many articles written on how to set this up.

    What is not so widely written about is how to tell what connections to your system are NOT ENCRYPTED.   


    In this example I have created a simple piece of SQL that uses and IBM i Service to list all the encrypted ports on my system, so anything else must therefore be unencrypted.

    select *

      from qsys2.netstat_job_info

      where local_port not in

            (9470, 9471, 9472, 9473, 9474, 9475, 9476, 448, 2005, 2010, 5544, 5566, 5577, 992, 22, 9480, 942)

            and Local_Address <> ('127.0.0.1')

            and Local_Address not like ('::%')

            and Local_Address <> ('0.0.0.0')


    If you have a custom job that runs encrypted on your system you simply add it to the list of ports in the "where local_port not in" clause. 

    It's amazing just how many new connection types can sneak on to your system, and not all of them are encrypted!  I ran this on one of my test servers and was quickly reminded that someone had started up the ftp service and not locked it some to encrypted only.

    If you want to know more about what ports are open on your server, then I'd start here on the IBM website but remember as you add new workloads (especially ones you've created yourself) then you will need to add these ports in to your audit.

    https://www.ibm.com/support/pages/tcpip-ports-required-ibm-i-access-and-related-functions


    There is loads more you could add to this statement to customise it for your environment and I'd love to know what you would suggest?

    Cheers Steve

    ------------------------------
    Steve Bradshaw Friendly Techie Bloke
    ------------------------------


  • 2.  RE: Finding Non-Encrypted Connections to your IBM i

    IBM Select
    Posted Fri February 05, 2021 09:00 AM
    Thank you very much for that!

    ------------------------------
    James Sparkman
    ------------------------------