Appendix E. Identity Management Server Ports Considerations

E.1. Identity Management components and associated services

Table E.1, “Identity Management components and associated services” lists, for each Identity Management service, the ports it uses and which of them are reachable externally; ports bound only to the loopback addresses (127.0.0.1 and ::1) are listed for completeness and must not be opened on the firewall.

Table E.1. Identity Management components and associated services

Component: Identity Management framework*
  Service: Apache-based web service that also routes requests to the other services
  Ports through which access is allowed:
    port 443 (TCP/TCP6): HTTPS

Component: LDAP directory server*
  Service: 389-ds instance
  Ports through which access is allowed:
    port 389 (TCP/TCP6): normal LDAP traffic, secured with the StartTLS extension or with SASL GSSAPI
    port 636 (TCP/TCP6): LDAP over TLS (LDAPS)
    port 389 (UDP): Connectionless LDAP (CLDAP), used for integration with Active Directory services

Component: Kerberos Key Distribution Center*
  Service: krb5kdc
  Ports through which access is allowed:
    port 88 (TCP/TCP6 and UDP/UDP6): normal Kerberos traffic
    port 464 (TCP/TCP6 and UDP/UDP6): Kerberos password change protocol (kpasswd)

Component: Kerberos Administrator daemon*
  Service: kadmind
  Ports through which access is allowed:
    port 749 (TCP/TCP6): Kerberos remote administration protocol

Component: Custodia key management*
  Service: custodia
  Ports through which access is allowed:
    port 443 (TCP/TCP6): HTTPS, as part of the Identity Management framework

Component: The System Security Services Daemon*
  Service: sssd
  Ports through which access is allowed:
    port 443 (TCP/TCP6): HTTPS, as part of the Identity Management framework

Component: MS-KKDCP proxy**
  Service: proxy access to Kerberos over HTTPS
  Ports through which access is allowed:
    port 443 (TCP/TCP6): HTTPS, as part of the Identity Management framework

Component: Certificate Authority
  Service: Dogtag instance running on top of Tomcat
  Ports through which access is allowed:
    port 443 (TCP/TCP6): HTTPS, as part of the Identity Management framework
    port 80 (TCP/TCP6): HTTP; the Apache rules set for Identity Management forward these requests to port 8080 (TCP/TCP6). The information served this way is the OCSP responder and certificate status (the Certificate Revocation List)
    port 8443 (TCP/TCP6): HTTPS, for CA administration purposes
    ports 8005 and 8009 (TCP/TCP6): used internally on IPA masters by components of the Certificate Authority services (Tomcat's shutdown and AJP connector ports), bound only to the 127.0.0.1 and ::1 local interface addresses

Component: DNS
  Service: named
  Ports through which access is allowed:
    port 53 (TCP/TCP6 and UDP/UDP6): standard DNS resolver
    port 953 (TCP/TCP6): BIND remote control (rndc), bound only to the 127.0.0.1 and ::1 local interface addresses

Component: Active Directory integration
  Service: Samba services (smbd, winbindd)
  Ports through which access is allowed:
    port 135 (TCP/TCP6): DCE RPC end-point mapper (smbd daemon)
    port 138 (UDP): NetBIOS Datagram service (optional, requires the nmbd daemon to run)
    port 139 (TCP/TCP6): NetBIOS Session service (smbd daemon)
    port 445 (TCP/TCP6): SMB protocol over TCP/TCP6 (smbd daemon)
    ports 49152-65535 (TCP/TCP6): dynamically opened for DCE RPC end-point services

Component: Certificate Authority Vault
  Service: KRA component of the same Dogtag instance as the Certificate Authority
  Ports through which access is allowed: the same as for the Certificate Authority above:
    port 443 (TCP/TCP6): HTTPS, as part of the Identity Management framework
    port 80 (TCP/TCP6): HTTP, forwarded to port 8080 (TCP/TCP6) by the Apache rules, for the OCSP responder and certificate status (Certificate Revocation List)
    port 8443 (TCP/TCP6): HTTPS, for CA administration purposes
    ports 8005 and 8009 (TCP/TCP6): used internally on IPA masters, bound only to the 127.0.0.1 and ::1 local interface addresses

* Services marked with an asterisk are compulsory in every Identity Management deployment.
** The MS-KKDCP proxy component is optional but enabled by default.
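The table distinguishes ports that must be reachable (the compulsory services) from ports that must only ever be bound to loopback (8005, 8009, 953). The following script is an added example, not part of the Red Hat documentation or of the IdM tooling: it audits a server's listening sockets against those two expectations. It assumes the column layout of `ss -Hltun` (Netid, State, Recv-Q, Send-Q, Local Address:Port, Peer); the function name `audit_ports`, the two port lists and the sample socket listing are constructed for the example. The sample deliberately contains two problems: the Tomcat AJP port 8009 bound to all interfaces, and kadmind not listening on 749.

```shell
#!/bin/sh
# Added example: check listening sockets against the IdM port table.
# Real use:  ss -Hltun | audit_ports

# Compulsory services that must be reachable externally (proto:port).
REQUIRED_PUBLIC="tcp:443 tcp:389 tcp:636 udp:389 tcp:88 udp:88 tcp:464 udp:464 tcp:749"
# Ports the table says must stay on 127.0.0.1 / ::1 (only checked if present).
LOOPBACK_ONLY="tcp:8005 tcp:8009 tcp:953"

# Constructed sample in the shape of `ss -Hltun` output (not captured from a real host).
SAMPLE_SS='tcp   LISTEN 0 128        0.0.0.0:443    0.0.0.0:*
tcp   LISTEN 0 128           [::]:443       [::]:*
tcp   LISTEN 0 128        0.0.0.0:389    0.0.0.0:*
tcp   LISTEN 0 128        0.0.0.0:636    0.0.0.0:*
udp   UNCONN 0 0          0.0.0.0:389    0.0.0.0:*
tcp   LISTEN 0 128        0.0.0.0:88     0.0.0.0:*
udp   UNCONN 0 0          0.0.0.0:88     0.0.0.0:*
tcp   LISTEN 0 128        0.0.0.0:464    0.0.0.0:*
udp   UNCONN 0 0          0.0.0.0:464    0.0.0.0:*
tcp   LISTEN 0 128      127.0.0.1:8005   0.0.0.0:*
tcp   LISTEN 0 128        0.0.0.0:8009   0.0.0.0:*
tcp   LISTEN 0 128      127.0.0.1:953    0.0.0.0:*
tcp   LISTEN 0 128        0.0.0.0:22     0.0.0.0:*'

# audit_ports: reads ss output on stdin, prints one finding per line
# ("EXPOSED proto:port bound to addr" or "MISSING proto:port"),
# exits 0 when there are no findings and 1 otherwise.
audit_ports() {
    awk -v required="$REQUIRED_PUBLIC" -v loopback="$LOOPBACK_ONLY" '
    BEGIN {
        n = split(required, r, " "); for (i = 1; i <= n; i++) need[r[i]] = 1
        n = split(loopback, l, " "); for (i = 1; i <= n; i++) local_only[l[i]] = 1
    }
    $1 == "tcp" || $1 == "udp" {
        laddr = $5
        port = laddr; sub(/.*:/, "", port)        # text after the last colon
        addr = laddr; sub(/:[^:]*$/, "", addr)    # text before the last colon
        key = $1 ":" port
        seen[key] = 1
        # A loopback-only port bound to anything but 127.0.0.1 / [::1] is a finding.
        if ((key in local_only) && addr != "127.0.0.1" && addr != "[::1]") {
            print "EXPOSED " key " bound to " addr
            bad++
        }
    }
    END {
        for (k in need) if (!(k in seen)) { print "MISSING " k; bad++ }
        exit (bad > 0)
    }'
}

# Run against the constructed sample when executed directly.
if printf '%s\n' "$SAMPLE_SS" | audit_ports; then
    echo "OK: listening sockets match the expected IdM exposure"
fi
```

The audit is intentionally one-sided for the loopback-only list: an IdM replica without the CA or DNS role has no 8005, 8009 or 953 listener at all, so those ports are only reported when present on a non-loopback address. Optional components (Samba, the dynamic RPC range) are left out of the required list; extend `REQUIRED_PUBLIC` to match the roles installed on the host.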