IBMi - AS400 connector uses non-SSL port 8476 with SSL/TLS enabled
search cancel

IBMi - AS400 connector uses non-SSL port 8476 with SSL/TLS enabled


Article ID: 244959


Updated On:


CA Privileged Access Manager (PAM)


We have some users that have a few devices in our production PAM that utilize some unsecure ports (8470 - 8479), and last week they had a change made to the firewall settings that closed those ports.  The result now is that their AS/400 device is no longer able to rotate new credentials, and any time the account attempts to be checked in it goes to an unverified state, due to the network traffic being closed.  Below is more info and the users concerns:

  1. The unsecure ports of 8470 -8476 are blocked.

  2. The alternate secure ports 9470 - 9476 should be used by all applications

  3. When we first implemented PAM for the 400, they were using the unsecure ports but I believe they changed over to use only secure ports

  4. PAM is used for generating and providing passwords for class A systems. No unsecure ports should be used for this type of communications - communications that are changing passwords that would be send / received using unsecured (hackable/viewable) ports.

  5. PCI guidelines require all unsecured ports to be shutdown

Next Steps:

  1. Broadcom should have an alternate method of communicating through the secured ports
  2. Is there a ticket open with Broadcom to determine how the unsecured ports can be converted to use only the secured ports

Is it possible to assign the secure ports to be used by PAM for these devices? 


Release : Affects any PAM release as of July 2022



There is a defect in the IBMi (formerly AS400) connector in the case where the unlock option is enabled in the target application:

With this option checked, PAM will use the non-SSL port to check on the account lock status irrespective of the SSL/TLS setting in the target application.


If you don't need the Unlock feature, you can uncheck it as a workaround. PAM Engineering is aware of the problem and it is expected to be fixed in future releases.