IBMi - AS400 connector uses non-SSL port 8476 with SSL/TLS enabled
Article ID: 244959

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

We have some users with a few devices in our production PAM that use unsecure ports (8470 - 8479). Last week a firewall change closed those ports. As a result, their AS/400 device can no longer rotate new credentials, and any time a check-in of the account is attempted it goes to an unverified state, because the network traffic is blocked. Below is more information and the users' concerns:

  1. The unsecure ports 8470 - 8476 are blocked.

  2. The alternate secure ports 9470 - 9476 should be used by all applications.

  3. When we first implemented PAM for the 400, they were using the unsecure ports, but I believe they changed over to use only secure ports.

  4. PAM is used for generating and providing passwords for class A systems. No unsecure ports should be used for this type of communication - communication that changes passwords, which would be sent / received over unsecured (hackable/viewable) ports.

  5. PCI guidelines require all unsecured ports to be shut down.

Next Steps:

  1. Broadcom should have an alternate method of communicating through the secured ports.
  2. Is there a ticket open with Broadcom to determine how the unsecured ports can be converted to use only the secured ports?

Is it possible to assign the secure ports to be used by PAM for these devices?

Environment

Release: Affects any PAM release as of July 2022

Component: PRIVILEGED ACCESS MANAGEMENT

Cause

There is a defect in the IBMi (formerly AS400) connector when the Unlock option is enabled in the target application:

With this option checked, PAM uses the non-SSL port (8476) to check the account lock status, irrespective of the SSL/TLS setting in the target application. When the firewall blocks that port, the lock-status check fails even though the credential update itself goes over the secure ports.

Resolution

If you don't need the Unlock feature, you can uncheck it as a workaround. PAM Engineering is aware of the problem and it is expected to be fixed in future releases.
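To confirm whether an environment shows the behaviour described under Cause, and to verify that the workaround removed it, it helps to look at firewall flow records for the PAM appliance. The following script is an added example and is not part of this article or of the PAM product; it parses a constructed, hypothetical key=value flow log (adapt `LINE_RE` to your firewall's export format), flags any PAM-to-IBM i flow on a plaintext host-server port, and reports PAM/IBM i pairs that used both TLS signon (9476) and plaintext signon (8476), which is the fingerprint of the unlock-check defect. The PAM and IBM i addresses are placeholders, and the per-service names are the standard IBM i host-server assignments (the article itself only names the port ranges and 8476).

```python
"""Audit firewall flow records for plaintext IBM i host-server traffic from PAM."""
import re
from collections import defaultdict

# Standard IBM i host-server ports: 8470-8476 plaintext, 9470-9476 TLS.
# The article names only the ranges and port 8476; the service names are the
# standard IBM assignments and are used here for readability.
PLAIN_PORTS = {
    8470: "as-central", 8471: "as-database", 8472: "as-dtaq", 8473: "as-file",
    8474: "as-netprt", 8475: "as-rmtcmd", 8476: "as-signon",
}
TLS_PORTS = {port + 1000: name + "-s" for port, name in PLAIN_PORTS.items()}

# Constructed sample records (hypothetical format and addresses).
SAMPLE_LOG = """\
2022-07-12T09:14:02Z src=10.0.5.20 dst=10.0.9.40 dport=9476 proto=tcp action=allow
2022-07-12T09:14:03Z src=10.0.5.20 dst=10.0.9.40 dport=8476 proto=tcp action=deny
2022-07-12T09:14:05Z src=10.0.5.20 dst=10.0.9.40 dport=9475 proto=tcp action=allow
2022-07-12T09:20:11Z src=10.0.7.8 dst=10.0.9.40 dport=8471 proto=tcp action=allow
2022-07-12T09:21:00Z src=10.0.5.20 dst=10.0.9.40 dport=22 proto=tcp action=allow
this line is malformed and must be skipped
"""
PAM_HOSTS = {"10.0.5.20"}   # placeholder PAM appliance address
IBMI_HOSTS = {"10.0.9.40"}  # placeholder IBM i target address

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)


def parse_records(text):
    """Yield one dict per well-formed record; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            yield rec


def plaintext_findings(text, pam_hosts, ibmi_hosts):
    """Flows from a PAM host to an IBM i host on a non-SSL host-server port.

    Each finding is (timestamp, src, dst, dport, service, firewall action).
    A 'deny' on 8476 is the symptom in the article: the lock-status check is
    blocked, so the check-in ends in an unverified state.
    """
    out = []
    for r in parse_records(text):
        if r["src"] in pam_hosts and r["dst"] in ibmi_hosts and r["dport"] in PLAIN_PORTS:
            out.append((r["ts"], r["src"], r["dst"], r["dport"],
                        PLAIN_PORTS[r["dport"]], r["action"]))
    return out


def mixed_mode_pairs(text, pam_hosts, ibmi_hosts):
    """(pam, ibmi) pairs that used TLS signon (9476) and plaintext signon (8476).

    That mix is the fingerprint of the defect: SSL/TLS is enabled on the
    target application, yet the unlock-status check still goes to 8476.
    After the Unlock option is unchecked, this list should be empty.
    """
    ports_seen = defaultdict(set)
    for r in parse_records(text):
        if r["src"] in pam_hosts and r["dst"] in ibmi_hosts:
            ports_seen[(r["src"], r["dst"])].add(r["dport"])
    return sorted(pair for pair, ports in ports_seen.items() if {8476, 9476} <= ports)


if __name__ == "__main__":
    for f in plaintext_findings(SAMPLE_LOG, PAM_HOSTS, IBMI_HOSTS):
        print("plaintext host-server flow:", f)
    for pair in mixed_mode_pairs(SAMPLE_LOG, PAM_HOSTS, IBMI_HOSTS):
        print("TLS configured but 8476 still used:", pair)
```

On the sample data the only flagged flow is the denied 8476 signon from the PAM host, and that PAM/IBM i pair is reported as mixed-mode; the 8471 flow from another client is ignored because it does not originate from a PAM host, which keeps the report focused on the connector rather than on every plaintext host-server user on the network.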