Network Connections and the KMA

If there is a firewall between the KMA and other OKM entities (such as OKM Manager, agents, and other KMAs in the same cluster), the firewall must allow the entities to establish TCP/IP connections with the KMA on specific ports.

Note:

For KMAs that use IPv6 addresses, configure IPv4-based edge firewalls to drop all outbound IPv4 protocol 41 packets and UDP port 3544 packets to prevent internet hosts from using any IPv6-over-IPv4 tunneled traffic to reach internal hosts.

Refer to your firewall configuration documentation for details. The table below lists ports KMAs explicitly use or ports on which KMAs provide services.

Table 1-1 KMA Port Connections

| Port Number | Protocol | Direction | Description |
|-------------|----------|-----------|-------------|
| 22 | TCP | Listening | SSH (only when Technical Support is enabled) |
| 123 | TCP/UDP | Listening | NTP |
| 3331 | TCP | Listening | OKM CA Service. Required for OKM Manager-to-KMA, Agent-to-KMA, and KMA-to-KMA communications. |
| 3332 | TCP | Listening | OKM Certificate Service. Required for OKM Manager-to-KMA, Agent-to-KMA, and KMA-to-KMA communications. |
| 3333 | TCP | Listening | OKM Management Service. Required for OKM Manager-to-KMA communications. |
| 3334 | TCP | Listening | OKM Agent Service. Required for Agent-to-KMA communications. |
| 3335 | TCP | Listening | OKM Discovery Service. Required for OKM Manager-to-KMA and Agent-to-KMA communications. |
| 3336 | TCP | Listening | OKM Replication Service. Required for KMA-to-KMA communications. |
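The port-to-entity mapping in Table 1-1 is what a firewall rule review has to satisfy. The following is an added example (not part of the OKM documentation or product) that encodes that mapping and probes a KMA from an OKM Manager, agent or peer KMA host to report which required ports the firewall is not passing; the host address, the role names and the function names are assumptions for illustration.

```python
import socket
from typing import Dict, Iterable, List

# KMA listening ports from Table 1-1, keyed by the entity that must reach them.
# Assumption: run from the connecting entity's side of the firewall.
KMA_PORTS_BY_ROLE = {
    "manager": {3331: "OKM CA Service", 3332: "OKM Certificate Service",
                3333: "OKM Management Service", 3335: "OKM Discovery Service"},
    "agent":   {3331: "OKM CA Service", 3332: "OKM Certificate Service",
                3334: "OKM Agent Service", 3335: "OKM Discovery Service"},
    "kma":     {3331: "OKM CA Service", 3332: "OKM Certificate Service",
                3336: "OKM Replication Service"},
}


def required_kma_ports(role: str, tech_support: bool = False) -> Dict[int, str]:
    """Return the KMA listening ports that `role` must be able to reach."""
    ports = dict(KMA_PORTS_BY_ROLE[role])  # KeyError for an unknown role
    if tech_support:
        # SSH is listed in Table 1-1 only while Technical Support is enabled.
        ports[22] = "SSH (Technical Support enabled)"
    return ports


def probe_tcp_ports(host: str, ports: Iterable[int],
                    timeout: float = 2.0) -> Dict[int, bool]:
    """TCP-connect to each port; True means the three-way handshake completed."""
    result: Dict[int, bool] = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                result[port] = True
        except OSError:  # refused, timed out, unreachable or filtered
            result[port] = False
    return result


def blocked_kma_ports(host: str, role: str, tech_support: bool = False,
                      timeout: float = 2.0) -> List[int]:
    """Ports from Table 1-1 that `role` cannot reach on the KMA at `host`."""
    required = required_kma_ports(role, tech_support)
    reachable = probe_tcp_ports(host, required, timeout)
    return sorted(p for p, ok in reachable.items() if not ok)


if __name__ == "__main__":
    import sys
    kma_host, role = sys.argv[1], sys.argv[2]  # e.g. 192.0.2.10 agent (placeholder)
    names = required_kma_ports(role)
    for port in blocked_kma_ports(kma_host, role):
        print(f"port {port}/tcp ({names[port]}) not reachable from this {role}")
```

An empty result means every service the entity depends on accepted a connection; a non-empty list names exactly the firewall rules still missing.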

The table below lists other services that use ports only when the corresponding feature is configured on the KMA.

Table 1-2 Other Services

| Port Number | Protocol | Direction | Description |
|-------------|----------|-----------|-------------|
| 53 | TCP/UDP | Connecting | DNS (only when KMA is configured to use DNS) |
| 68 | UDP | Connecting | DHCP (only when KMA is configured to use DHCP) |
| 161 | UDP | Connecting | SNMP (only when SNMP Managers are defined) |
| 161 | UDP | Listening | SNMP (only when Hardware Management Pack is enabled) |

Remote Syslog Server

If a remote syslog server is available in the customer's environment, the OKM administrator may choose to define an entry for this remote syslog server for KMAs in the OKM Cluster. This entry includes the network address and port number where the remote syslog service resides. If a remote syslog server is defined for a given KMA, the KMA connects to that network address and port number whenever it sends a message to that remote syslog server, so the firewall must also permit this outbound connection.

Integrated Lights Out Manager (ILOM) Ports

ILOM ports are enabled if access to the ILOM is required from outside the firewall; otherwise, they do not need to be enabled for the ILOM IP address. For information about ILOM ports and configuration, refer to Oracle's Integrated Lights Out Manager publications at https://docs.oracle.com/en/servers/management.html.