IBM i

 View Only
Expand all | Collapse all

TLS Port for Web Services Server

  • 1.  TLS Port for Web Services Server

    Posted Wed April 06, 2022 02:04 PM
    Where can I find recent information specific to what port to set as the TLS port in configuring TLS for a web services server?  I'm getting a Warning message ZUI_13321 about the port I've selected saying the port is in use.  Do we need to set a unique port for each web services server where we want to configure TLS?  How do I determine what port numbers that can be set there?

    ------------------------------
    Amy Vozza
    ------------------------------


  • 2.  RE: TLS Port for Web Services Server

    Posted Wed April 06, 2022 02:59 PM
    The netstat command can tell you about ports in use.
    Probably your https server (apache, the admin server, etc.) is using the default TLS port (443)

    ------------------------------
    Jack Woehr
    IBM Champion 2021 -2022
    ------------------------------



  • 3.  RE: TLS Port for Web Services Server

    Posted Wed April 06, 2022 03:26 PM
    Do we need to set a unique port for each web services server where we want to configure TLS?  If so, can I just designate any unused port for that?

    ------------------------------
    Amy Vozza
    ------------------------------



  • 4.  RE: TLS Port for Web Services Server

    Posted Thu April 07, 2022 02:37 AM
    Hi Amy

    Assuming you do only have one IP address enabled für you server you will definitely have to use a different port for each web services server. Otherwise you are not able to route the traffic to that server http(s)://<server-ip or server-dns>:<destination port>/...

    And yes you may use any unused port, best practice is to use anything free in the higher port number range eg. 60001 for customer workloads. To determine already used ports you may use netstat as posted by Jack or this sql services:

    SELECT CONNECTION_TYPE, LOCAL_PORT, PROTOCOL, LOCAL_PORT_NAME, COUNT(*) AS CONNECTIONS
    FROM QSYS2.NETSTAT_INFO
    GROUP BY CONNECTION_TYPE, LOCAL_PORT, PROTOCOL, LOCAL_PORT_NAME
    ORDER BY 1, 2


    ------------------------------
    Markus Neuhold
    ------------------------------



  • 5.  RE: TLS Port for Web Services Server

    Posted Thu April 07, 2022 11:26 AM
    Thanks for the information.  Knowing a range to look at is helpful.  That SQL makes it easier, too. 

    It sure would be awesome if the Configure TLS wizard brought up the next available port to use for that instead of us having to manually find one.

    ------------------------------
    Amy Vozza
    ------------------------------



  • 6.  RE: TLS Port for Web Services Server

    Posted Fri April 08, 2022 09:12 AM
    Available is in the eye of the beholder.  Some service using one of the ports in that range may be down at this time.  So netstat, or the sql service mentioned, will show it as available.
    However if you do want to have it generate based on the next available port then you can try submitting an idea at:  
    https://ideas.ibm.com


    ------------------------------
    Robert Berendt
    ------------------------------



  • 7.  RE: TLS Port for Web Services Server

    Posted Mon April 11, 2022 09:46 AM
    That's good to know.  Is there no easy way to know what port is actually available and not just down?  Thanks for the info about submitting ideas.

    ------------------------------
    Amy Vozza
    ------------------------------



  • 8.  RE: TLS Port for Web Services Server

    Posted Mon April 11, 2022 10:11 AM
    Knowing what ports may possibly be in use, but just not active at this time, would be difficult.  Not only are there config files for various IBM supplied websites, such as Navigator, but there are a myriad of other such files on your system.  For example a vendor package such as GoAnywhere.
    Just knowing the hoops one might have to jump through when changing IP addresses (such as a data center move) is tricky.
    Change IP Address - MidrangeWiki

    ------------------------------
    Robert Berendt
    ------------------------------



  • 9.  RE: TLS Port for Web Services Server

    IBM Champion
    Posted Tue April 12, 2022 03:30 PM

    Next to impossible really Rob.  For example I have 3 or 4 "play" HTTP configurations all of which use the same port. But at any given time any on of those or none will be active.  And of course these days not only is Apache is not the only game in town but there might be midcroservices running under something like ILEastic where the port used is declared in the code itself.  =node.js does the same thing.  

    A better bet might be to look to the firewall;l configuration - can't use a port that won't open!



    ------------------------------
    Jon Paris
    ------------------------------



  • 10.  RE: TLS Port for Web Services Server

    Posted Tue April 12, 2022 03:40 PM
    I can see some merit to that firewall rule.  Providing it is locked down that tight.
    Unbeknownst to me awhile back our network guy started some monitoring for certain IP addresses and ports.  And I'm sure he felt it was a reasonable amount of time.  And I bet there are those who would even agree.  Then he locked it down by anything not used in that time period.  Now it takes much wailing and gnashing of teeth to get a port opened up.  For example, ordering PTF's directly from IBM i.  Things like this which could easily fall outside of a time period many might find reasonable.

    ------------------------------
    Robert Berendt
    ------------------------------



  • 11.  RE: TLS Port for Web Services Server

    IBM Champion
    Posted Tue April 12, 2022 03:46 PM
    Just to add my voice and say the same thing that others have said...  It's really not possible.  

    A port number is just a (numeric) variable in a program.  There's no way the system could know every possible instance that a program would use a different port.  On my system I have thousands of one-off test programs that I've written over the past 20ish years that I keep as examples, and a lot of them listen on TCP ports because I do a lot of writing/teaching TCP/IP programming.   The system would have to analyze all of those programs and somehow know every possible port they could use -- and then because they were one-off programs, that port would never be used again.  It really wouldn't work.

    Likewise, third party applications often come with optional features that you don't use -- and many times these have network capabilities that use ports.  You wouldn't want the system telling you that all of these are being used when you never plan to use that particular feature.

    Your best bet would be to create documentation (Word doc, spreadsheet, Wiki, etc) or maybe a database where you document all of the applications you use and what ports they use.   Sorry -- I wish there were an easier way.  (This is a daily problem for me because I'm constantly working on network applications and need a free port to use!)

    ------------------------------
    Scott Klement
    Director
    Profound Logic Software
    Oak Creek WI
    ------------------------------



  • 12.  RE: TLS Port for Web Services Server

    Posted Wed April 13, 2022 10:50 AM
    The wizard for creating the web services server automatically lists ports to use.  So those ports are not necessarily available either?  I don't suppose there's a way for the system to 'reserve' ports or a range of ports for a purpose, or maybe that wouldn't be a good idea.

    ------------------------------
    Amy Vozza
    ------------------------------