Port 448: DDM-SSL — The Secure Door to IBM's Distributed Databases

Port 448 is the SSL-encrypted channel for IBM's Distributed Data Management (DDM) and Distributed Relational Database Architecture (DRDA) protocols. When IBM i systems (formerly AS/400, iSeries) need to access remote databases securely, they connect through this port.

What Runs on Port 448

DDM-SSL (DDM-Remote DB Access Using Secure Sockets) uses port 448 for both TCP and UDP.¹ It's the secure version of database communication protocols that run on ports 446 and 447.

When an IBM i system initiates a DRDA or DDM connection that requires SSL/TLS encryption, it connects to port 448 instead of the unencrypted alternatives.²

The DDM/DRDA Story

Distributed Data Management Architecture (DDM) was IBM's open architecture for accessing data on remote computers, formally published in 1986.³ It was designed to let application programs access files on remote systems transparently—the program doesn't need to know whether a file is local or thousands of miles away.

In 1990, IBM extended DDM to create DRDA (Distributed Relational Database Architecture), which brought SQL and relational database access to the architecture.³ Both protocols allowed AS/400 systems to share data across networks, but they had a problem: everything traveled in plaintext.

Port 448 exists because someone at IBM understood that sending database queries, authentication tokens, and result sets across networks without encryption was dangerous.

The Port Trilogy: 446, 447, 448

IBM's database communication uses three well-known ports:⁴

• Port 446: Traditional DRDA port
• Port 447: Traditional DDM port
• Port 448: SSL/TLS encrypted port for both

Here's the strange part: IBM i systems don't functionally distinguish between ports 446 and 447. Both DDM and DRDA traffic can flow through either port.⁴ But port 448 remains distinct—it's the one that encrypts everything.

When you configure an IBM i relational database entry for a secure connection, you set it to *SSL and specify port 448.⁵

How It Works

The DRDA SSL daemon listens on port 448.⁵ When a client system needs secure database access:

1. Create a relational database entry configured for SSL
2. Set the port to 448
3. The connection is established with full SSL/TLS encryption
4. Database operations proceed exactly like ports 446/447, but encrypted

The protocol handles authentication, SQL queries, record-level access, and result sets—all wrapped in SSL.

Who Created It

Steven Ritland, working at IBM (srr@vnet.ibm.com), registered port 448 with IANA for DDM-SSL.⁶ The registration formalized what IBM systems needed: a dedicated port for encrypted database access.

Security Considerations

Use Port 448, Not 446 or 447: If you're running DDM or DRDA over the Internet or untrusted networks, port 448 is not optional. Ports 446 and 447 send everything in plaintext—credentials, queries, data.⁷

Firewall Configuration: Port 448 needs to be open for IBM i database communication, but only expose it to systems that need it. Database ports are high-value targets.⁸

Certificate Management: SSL on port 448 requires proper certificate configuration on both the application requester and application server systems.⁵

Related Ports

• Port 446: DRDA (unencrypted)
• Port 447: DDM (unencrypted)
• Port 50000: DB2 default port (different IBM database product)

Checking Port 448

To see if something is listening on port 448:

# Linux/Mac
sudo lsof -i :448
netstat -an | grep 448

# Windows
netstat -an | findstr :448

# Check if port 448 is open on a remote system
telnet hostname 448
nc -zv hostname 448

On IBM i systems, check the DDM/DRDA SSL server status:

NETSTAT *CNN
WRKTCPSTS