We have some users that have a few devices in our production PAM that utilize some unsecure ports (8470 - 8479), and last week they had a change made to the firewall settings that closed those ports. The result now is that their AS/400 device is no longer able to rotate new credentials, and any time a check-in of the account is attempted it goes to an unverified state, due to the network traffic being closed. Below is more info and the user's concerns:
The unsecure ports 8470 - 8476 are blocked.
The alternate secure ports 9470 - 9476 should be used by all applications.
When we first implemented PAM for the 400, they were using the unsecure ports, but I believe they changed over to use only secure ports.
PAM is used for generating and providing passwords for class A systems. No unsecure ports should be used for this type of communication - communications that are changing passwords that would be sent / received using unsecured (hackable/viewable) ports.
PCI guidelines require all unsecured ports to be shut down.
Next Steps:
Is it possible to assign the secure ports to be used by PAM for these devices?
Release : Affects any PAM release as of July 2022
Component : PRIVILEGED ACCESS MANAGEMENT
There is a defect in the IBM i (formerly AS/400) connector when the unlock option is enabled in the target application:
With this option checked, PAM uses the non-SSL port to check the account lock status, irrespective of the SSL/TLS setting in the target application. That is why the connector still tries the 8470 - 8476 range even though the target application is configured for SSL/TLS, and why the account goes unverified once the firewall blocks those ports.
If you don't need the Unlock feature, uncheck it as a workaround. PAM Engineering is aware of the problem, and a fix is expected in a future release.
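As an added example (not part of this article and not PAM product code), the following log check lets an administrator confirm from firewall connection logs that a PAM appliance is still reaching the plaintext IBM i host server ports while the TLS ports are allowed, which is the signature of the unlock-option behaviour described above. The log format, addresses and timestamps are constructed assumptions; the port-to-service mapping is the standard IBM i host server assignment.

```python
import re
from collections import defaultdict

# Standard IBM i host server ports in the plaintext range (8470-8476). The TLS
# range (9470-9476) carries the same services and is the one the firewall leaves open.
HOST_SERVERS = {
    8470: "as-central", 8471: "as-database", 8472: "as-dtaq", 8473: "as-file",
    8474: "as-netprt", 8475: "as-rmtcmd", 8476: "as-signon",
}
TLS_OFFSET = 1000  # 8470 -> 9470, 8476 -> 9476, and so on

# Constructed sample log: generic "src dst dport action" lines as a firewall might
# emit while the PAM appliance (10.0.0.5, assumed) talks to the IBM i host (10.0.0.40, assumed).
SAMPLE_LOG = """\
2022-07-14T10:01:02Z src=10.0.0.5 dst=10.0.0.40 dport=9476 action=ALLOW
2022-07-14T10:01:03Z src=10.0.0.5 dst=10.0.0.40 dport=9475 action=ALLOW
2022-07-14T10:01:04Z src=10.0.0.5 dst=10.0.0.40 dport=8476 action=DENY
2022-07-14T10:01:05Z src=10.0.0.5 dst=10.0.0.40 dport=8476 action=DENY
2022-07-14T10:02:00Z src=10.0.0.7 dst=10.0.0.40 dport=22 action=ALLOW
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)")

def plaintext_hostserver_attempts(log_text, pam_hosts):
    """Return {(src, dst, port, service): {"ALLOW": n, "DENY": n}} for every connection
    from a PAM appliance to a plaintext IBM i host server port. DENY counts here,
    with the matching TLS port allowed elsewhere in the log, mean PAM is still
    choosing the non-SSL port for the lock-status check."""
    hits = defaultdict(lambda: {"ALLOW": 0, "DENY": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, port, action = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        if src in pam_hosts and port in HOST_SERVERS:
            counts = hits[(src, dst, port, HOST_SERVERS[port])]
            counts[action] = counts.get(action, 0) + 1
    return dict(hits)

def report(log_text, pam_hosts):
    """One human-readable line per plaintext host server flow, naming the TLS port to use instead."""
    rows = []
    for (src, dst, port, svc), counts in sorted(plaintext_hostserver_attempts(log_text, pam_hosts).items()):
        rows.append(f"{src} -> {dst}:{port} ({svc}, plaintext) allow={counts['ALLOW']} "
                    f"deny={counts['DENY']}; TLS equivalent is port {port + TLS_OFFSET}")
    return rows

if __name__ == "__main__":
    for row in report(SAMPLE_LOG, {"10.0.0.5"}):
        print(row)
```

Run it against real firewall exports after adjusting LINE_RE to your log format; any row with a non-zero deny count for a PAM source is the flow that the Unlock workaround removes.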