Port 3661: can-ferret-ssl — IBM Tivoli's Monitoring Window

What Port 3661 Is

Port 3661 is officially registered with IANA under the service name can-ferret-ssl. That name belongs to two related entries:

• IBM Tivoli Directory Service using SSL
• Candle Directory Services using SSL

Both refer to the same lineage. Candle Corporation was an enterprise performance monitoring company whose software was absorbed into IBM's Tivoli product suite. Their SSL directory services ran on port 3661. IBM registered the port in January 2003 and kept the "can-ferret" name — short for Candle Ferret — even as the Candle brand disappeared.¹

In practice, port 3661 is most commonly encountered as the default HTTPS service console port for IBM Tivoli Monitoring (ITM) agents. Every agent that gets installed on a monitored system opens this port, alongside its HTTP counterpart on port 1920. The service console provides a web interface for checking agent status and configuration.²

The Name

"Can-ferret-ssl" sounds like a joke, but it isn't. "Can" is short for Candle, "ferret" was the internal codename for the directory lookup service, and "ssl" means what it always means. The name got frozen in the IANA registry before anyone thought to tidy it up, and there it stays — a small fossil of a corporate acquisition.

The Range

Port 3661 sits in the registered port range (1024–49151). These ports are assigned by IANA to specific services, but unlike well-known ports (0–1023), they don't require root or administrator privileges to open. Any process can bind to them.

This matters because IBM Tivoli agents open 3661 on every system they're installed on — and that list includes a lot of servers in enterprise environments. Security scanners routinely flag it, not because it's inherently dangerous, but because it's an unexpected open port that many administrators don't realize their monitoring agent is opening.³

Security Considerations

IBM has documented that ports 1920 and 3661 are opened by default by ITM agents and can appear in vulnerability scans. The agent service console is protected by SSL, but organizations with strict port policies sometimes want it disabled or moved.

IBM provides guidance for closing port 3661 or reconfiguring it to use ephemeral ports instead. If you're seeing it open on a system and don't recognize it, check whether IBM Tivoli Monitoring or any Candle-era software is installed.

How to Check What's Listening

Linux/macOS:

# See what's using port 3661
sudo ss -tlnp | grep 3661
# or
sudo lsof -i :3661

Windows:

netstat -ano | findstr :3661
# Then look up the PID:
tasklist /fi "PID eq <pid>"

If you see a Tivoli monitoring process, it's expected. If you see something else, investigate.