TCP/IP Connections and the KMA
If there is a firewall between the KMA and other OKM entities (such as OKM Manager, agents, and other KMAs in the same cluster), the firewall must allow the entities to establish TCP/IP connections with the KMA on specific ports.
- OKM Manager-to-KMA communication requires ports 3331, 3332, 3333, 3335.
- Agent-to-KMA communication requires ports 3331, 3332, 3334, 3335.
- KMA-to-KMA communication requires ports 3331, 3332, 3336.
Note:
For KMAs that use IPv6 addresses, configure IPv4-based edge firewalls to drop all outbound IPv4 protocol 41 packets (6in4/6to4 tunnels) and UDP port 3544 packets (Teredo), so that internet hosts cannot use IPv6-over-IPv4 tunnelled traffic to reach internal hosts and bypass the IPv4 policy.
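As an added example (not from the OKM documentation or product), the POSIX shell script below turns the per-entity port lists above into iptables rules for a firewall that forwards traffic between the OKM entities and a KMA, and adds the protocol 41 / UDP 3544 drops from the Note. The KMA address, source networks, outbound interface name, chain and rule shape are all assumptions; only the port numbers come from this page.

```shell
#!/bin/sh
# Added example, not part of the OKM product: generate iptables rules for a
# firewall between OKM entities and a KMA. All addresses and the interface
# name used here are assumptions; replace them with your own.

# Print the TCP ports an entity of the given role must reach on a KMA
# (values taken from the per-entity list on this page).
okm_ports_for() {
    case "$1" in
        manager) echo "3331 3332 3333 3335" ;;
        agent)   echo "3331 3332 3334 3335" ;;
        kma)     echo "3331 3332 3336" ;;
        *)       echo "unknown OKM role: $1" >&2; return 1 ;;
    esac
}

# Print one stateful FORWARD allow rule per port.
#   $1 = role (manager|agent|kma), $2 = source CIDR, $3 = KMA address
# Nothing outside the listed ports is opened; the chain policy (set to DROP
# in okm_ruleset) decides everything else.
okm_allow_rules() {
    role=$1; src=$2; kma=$3
    ports=$(okm_ports_for "$role") || return 1
    for p in $ports; do
        printf 'iptables -A FORWARD -p tcp -s %s -d %s --dport %s -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT\n' \
            "$src" "$kma" "$p"
    done
}

# The drops recommended in the Note above, applied to traffic leaving through
# the internet-facing interface ($1): IPv4 protocol 41 (6in4/6to4) and
# UDP 3544 (Teredo). They are explicit so they still hold if the chain policy
# is ever changed to ACCEPT.
ipv6_tunnel_drop_rules() {
    wan_if=$1
    printf 'iptables -A FORWARD -o %s -p 41 -j DROP\n' "$wan_if"
    printf 'iptables -A FORWARD -o %s -p udp --dport 3544 -j DROP\n' "$wan_if"
}

# Count the allow rules a role produces; useful when checking a ruleset
# against the page's lists (manager 4, agent 4, kma 3).
okm_rule_count() {
    okm_allow_rules "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Complete ruleset for one KMA: default DROP, return traffic for accepted
# connections, the three role allows, then the tunnel drops.
#   $1 = KMA address, $2 = outbound interface,
#   $3 = OKM Manager network, $4 = agent network, $5 = peer-KMA network
okm_ruleset() {
    kma=$1; wan_if=$2
    printf 'iptables -P FORWARD DROP\n'
    printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    okm_allow_rules manager "$3" "$kma"
    okm_allow_rules agent   "$4" "$kma"
    okm_allow_rules kma     "$5" "$kma"
    ipv6_tunnel_drop_rules "$wan_if"
}

# Example invocation with assumed addresses: prints the rules so they can be
# reviewed first, then applied with `... | sh` on the firewall host.
okm_ruleset 10.0.2.5 eth0 10.0.0.0/24 10.0.1.0/24 10.0.2.0/24
```

Review the printed rules before applying them: the script intentionally opens only the ports listed on this page, so a Manager that also needs port 443 for the OKM Console (see the Note further down) will need a separate rule.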
Refer to your firewall configuration documentation for details. The table below lists ports KMAs explicitly use or ports on which KMAs provide services.
Table 1-1 KMA Port Connections

Port Number | Protocol | Direction | Description |
---|---|---|---|
22 | TCP | Listening | SSH (only when Technical Support is enabled) |
123 | TCP/UDP | Listening | NTP |
3331 | TCP | Listening | OKM CA Service |
3332 | TCP | Listening | OKM Certificate Service |
3333 | TCP | Listening | OKM Management Service |
3334 | TCP | Listening | OKM Agent Service |
3335 | TCP | Listening | OKM Discovery Service |
3336 | TCP | Listening | OKM Replication Service |
The table below lists other ports a KMA uses only under specific configurations or software versions. "Listening" means the KMA accepts connections on that port; "Connecting" means the KMA initiates connections to that port on a remote host, so the firewall must allow the outbound connection rather than an inbound one.
Table 1-2 Other Services

Port Number | Protocol | Direction | Description |
---|---|---|---|
53 | TCP/UDP | Connecting | DNS (only when the KMA is configured to use DNS) |
68 | UDP | Connecting | DHCP (only when the KMA is configured to use DHCP) |
111 | TCP/UDP | Listening | RPC (KMAs respond to rpcinfo queries). This port is open to external requests only on KMS 2.1 and earlier |
161 | UDP | Connecting | SNMP (only when SNMP Managers are defined) |
161 | UDP | Listening | SNMP (only when Hardware Management Pack is enabled) |
514 | TCP | Connecting | Remote syslog (only when remote syslog servers are defined and configured to use unencrypted TCP) |
546 | UDP | Connecting | DHCPv6 (only when the KMA is configured to use DHCP and IPv6) |
4045 | TCP/UDP | Listening | NFS lock daemon (KMS 2.0 only) |
6514 | TLS over TCP | Connecting | Remote syslog (only when remote syslog servers are defined and configured to use TLS) |
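The listening ports in Tables 1-1 and 1-2 form a baseline a practitioner can check a KMA against. As an added example (not from the OKM documentation or product), the shell script below builds the expected listener list from that baseline, taking into account which conditional services (Technical Support SSH, Hardware Management Pack SNMP) are enabled, and reports any other listening port. The listener input is a constructed sample in a simplified "proto address:port" form, as produced for instance by `ss -tulnH | awk '{print $1, $5}'` on a Linux host; the assumption that the real listing is converted to that form is the script's only external dependency.

```shell
#!/bin/sh
# Added example, not part of the OKM product: flag listening ports on a KMA
# that are not in the baseline from Tables 1-1 and 1-2.

# Unconditional listeners from Table 1-1 (NTP and the six OKM services).
OKM_CORE_LISTENERS="123 3331 3332 3333 3334 3335 3336"

# Build the expected listener list.
#   $1 = "yes" if Technical Support is enabled (adds SSH, port 22)
#   $2 = "yes" if Hardware Management Pack is enabled (adds SNMP, port 161)
okm_expected_listeners() {
    list="$OKM_CORE_LISTENERS"
    [ "$1" = yes ] && list="$list 22"
    [ "$2" = yes ] && list="$list 161"
    echo "$list"
}

# Read "proto address:port" lines on stdin and print, sorted and on one line,
# every listening port that is not in the expected list ($1). The host part
# is stripped up to the last colon so IPv6 forms such as [::]:3336 work.
okm_unexpected_listeners() {
    awk -v expected="$1" '
        BEGIN { n = split(expected, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^(tcp|udp)/ {
            port = $2; sub(/.*:/, "", port)
            if (!(port in ok) && !seen[port]++) print port
        }' | sort -n | xargs
}

# Constructed sample listing (assumed, not captured from a real KMA). It
# includes two legacy ports from Table 1-2 that a current KMA should not
# expose: 111 (RPC, KMS 2.1 and earlier) and 4045 (NFS lock daemon, KMS 2.0).
SAMPLE_LISTENERS='udp 0.0.0.0:123
tcp 0.0.0.0:22
tcp 0.0.0.0:111
tcp 0.0.0.0:3331
tcp 0.0.0.0:3332
tcp 0.0.0.0:3333
tcp 0.0.0.0:3334
tcp 0.0.0.0:3335
tcp 0.0.0.0:3336
tcp [::]:3336
tcp 0.0.0.0:4045'

# Run the audit on the sample: $1/$2 as for okm_expected_listeners.
okm_audit_sample() {
    printf '%s\n' "$SAMPLE_LISTENERS" \
        | okm_unexpected_listeners "$(okm_expected_listeners "$1" "$2")"
}

# Example run: Technical Support enabled, Hardware Management Pack disabled.
# Expected to report the two legacy ports; 22 is accepted because SSH is on.
okm_audit_sample yes no
```

On a real host, replace the sample with live output (for example `ss -tulnH | awk '{print $1, $5}' | okm_unexpected_listeners "$(okm_expected_listeners yes no)"`). A port 22 or 161 listener reported while the corresponding feature is supposed to be off is the finding to chase first, since those are the two baseline ports whose presence depends on an administrative setting.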
Note:
Port 443 must be open to enable customers to access the Service Processor web interface and the OKM Console through the firewall. Refer to the Oracle Key Manager 3 Service Manual (internal only) to see ELOM and ILOM ports.
The table below lists the KMA ELOM/ILOM ports. These ports need to be opened on the firewall only if the ELOM/ILOM must be reachable from outside it; otherwise, leave them closed for the ELOM/ILOM IP address.
Table 1-3 ELOM/ILOM Ports

Port Number | Protocol | Direction | Description |
---|---|---|---|
22 | TCP | Listening | SSH (for the ELOM/ILOM command-line interface) |
53 | TCP/UDP | Connecting | DNS (only needed when DNS is configured) |
68 | UDP | Connecting | DHCP (only if the ELOM/ILOM obtains its address by DHCP). Note: DHCP on the ELOM/ILOM is supported, but no documentation for it is available. |
80 | TCP | Listening | HTTP (for the ELOM/ILOM web interface), only if HTTP is needed; otherwise, users can follow the instructions for connecting to the remote console at: ELOM: ILOM: |
161 | UDP | Listening/Connecting | SNMPv3 (configurable; this is the default port) |
443 | TCP/TLS | Listening | Embedded/Integrated Lights Out Manager DMTF Web Services for Management (WS-Man) over Transport Layer Security (TLS) |
623 | UDP | Listening | Intelligent Platform Management Interface (IPMI) |