Client | IP address of the node where the source device is located. | 1024–65535 | DN | IP address of the node where the DN is located. | dataPortBase | TCP | [Function] Port for the client to send connection requests. [Description] The port number ranges from 1024 to 65529. The actual value is equal to the value of the GUC parameter port. [Enabled by default after installation] Yes | Yes | Method 1: username/password, based on SHA-256 or SM3 authentication. Method 2: username/password, based on MD5 authentication (This method is not supported by default. It is reserved for compatibility with open-source third-party tools and is not recommended.) Method 3: certificate authentication | SSL encryption | User plane | openGauss 1.0.0 | None | SQL |
Internal tool | IP address of the node where the cluster is located. | 1024–65535 | dataPortBase+1 | TCP | [Function] Port for the internal tool to send connection requests. [Description] The port number ranges from 1025 to 65530. The actual value is equal to the value of the GUC parameter port plus 1. [Enabled by default after installation] Yes | Yes | Method 1: username/password, based on SHA-256, SM3, or MD5 authentication (MD5 is not supported by default. It is reserved for compatibility with open-source third-party tools and is not recommended.) Method 2: Local trust authentication (only for initial users whose usernames are the same as that of the OS user who runs the database) | SSL encryption | Maintenance plane | openGauss 1.0.0 | None | Storage |
Primary and standby DNs | IP address of the node where the source device is located. | 1024–65535 | haPort | TCP | [Function] Port for replication between primary and standby DNs. The standby DN connects to the primary DN. [Description] The port number ranges from 1025 to 65530. The actual value is equal to the value of localport in the connection string of the GUC parameter replconninfo. The default value is the value of port plus 1, which is the same as the value of dataPortBase plus 1. [Enabled by default after installation] Yes | Yes | IP address authentication or IP address + Kerberos authentication | SSL encryption | Maintenance plane | openGauss 1.0.0 | None | Storage |
Client | IP address of the node where the source device is located. | 1024-65535 | TCP | [Function] Port for connecting to a DN to extract logical logs. [Description] The port number ranges from 1025 to 65530. The actual value is equal to the value of localport in the connection string of the GUC parameter replconninfo. The default value is the value of port plus 1, which is the same as the value of dataPortBase plus 1. [Enabled by default after installation] Yes | Yes | Username/Password, based on SHA-256, SM3, or MD5 authentication (MD5 is not supported by default. It is reserved for compatibility with open-source third-party tools and is not recommended.) | SSL encryption | User plane | openGauss 1.0.0 | None | Storage |
Standby DN | IP address of the node where the source device is located. | 1024–65535 | remote heartbeat port | TCP | [Function] Port for the heartbeat connection request between the primary and standby DNs. [Description] The port number ranges from 1029 to 65535. The actual value is equal to the value of remoteheartbeatport in the connection string of the GUC parameter replconninfo. The default value is the value of port plus 5. [Enabled by default after installation] Yes | Yes | IP address authentication | Data is not encrypted. | Maintenance plane | openGauss 1.0.0 | None | Storage |
Primary and standby DNs | IP address of the node where the source device is located. | 1024–65535 | dcf_config Port | TCP | [Function] Port for processing connection and message requests between the primary and standby DNs. [Description] The port number ranges from 1024 to 65535. The source port number is a random port number. The destination port is subject to the port number set in the configuration file. [Enabled by default after installation] Yes when the DCF mode is enabled. | Yes | IP address authentication + SSL certificate authentication | SSL encryption | Maintenance plane | openGauss 3.0.0 | None | DCF |
CM Agent/cm_ctl | IP address of the node where the source device is located. | 1024–65535 | CM Server | IP address of the node where the CM Server is located. | cmServerPortBase | TCP | [Function] Port for processing CM Agent and cm_ctl connection requests. [Description] The port number ranges from 1024 to 65534, and the default value is 5000. [Enabled by default after installation] Yes | Yes | IP address authentication, IP address + Kerberos authentication, or IP address authentication + SSL certificate authentication | SSL encryption | Maintenance plane | openGauss 3.0.0 | None | CM |
Kerberos client (DN/CM Agent) | IP address of the node where the source device is located. | 1024–65535 | Kerberos | IP address of the node where the Kerberos service is located. | 21732 | UDP | [Function] Port for listening on the Kerberos KDC service, which provides the authentication capability between nodes in a cluster. (This port is enabled after the Kerberos authentication is enabled.) [Description] The default value is 21732. [Enabled by default after installation] User-defined | No | User name+password or keytab file authentication | AES-256 algorithm is used for encryption. | Maintenance plane | openGauss 1.0.0 | None | Security |
CMServer | IP address of the node where the source device is located. | 1024–65535 | CM Server | IP address of the node where the CM Server is located. | cmServerPortHa cmServerPortBase+1 | TCP | [Function] Port for internal communication between CMSs. [Description] The port number ranges from 1024 to 65535. The source port number is a random port number. If the destination port number is not set in the XML file, the default port number is the value of cmServerPortBase plus 1. If the destination port number is set, the value is used. [Enabled by default after installation] Yes | Yes | IP address authentication or IP address authentication + SSL certificate authentication | SSL encryption | Maintenance plane | openGauss 3.0.0 | None | CM |
Prometheus server | IP address of the node where the source device is located. | 1024–65535 | Prometheus exporter | IP address of the node where the exporter is located. | Specified by the exporter parameter --web.listen-port. | HTTPS/HTTP | [Function] Port for the open-source monitoring system Prometheus to collect and process monitoring information. [Description] The default value is 9187 for openGauss-exporter and 8181 for reprocessing-exporter. [Enabled by default after installation] No. The port is user-defined. | Yes | Prometheus server supports SSL certificate authentication, but Prometheus exporter does not support certificate authentication. | SSL encryption | User plane | openGauss 3.0.0 | None | AI |
Server running the UWAL service | IP address configured by openGauss for UWAL | Random | Server running the UWAL service | IP address configured by openGauss for UWAL | The value ranges from 9000 to 65535 and defaults to 9999. | TCP | This port is used to listen to TCP connections. | Yes. The value is transferred through the UWAL interface when the UWAL service is running. | TLS | TLS_AES_128_GCM_SHA256 | Data plane | openGauss 5.1.1 | None | None |
Server running the UWAL service | IP address configured by openGauss for UWAL | Random | Server running the UWAL service | IP address configured by openGauss for UWAL | The value ranges from 9000 to 65535 and defaults to 9999. | RDMA | If the RDMA protocol is selected, two ports are required. One is the port number for TCP communication, which is transferred through the UWAL interface. The other is the port number for RDMA communication, which is the port number transferred through the WAL interface plus 1. | Yes. The value is transferred through the UWAL interface when the UWAL service is running. | TLS | EVP_aes_128_gcm | Data plane | openGauss 5.1.1 | None | None |
Server running the distributed lock service | IP address configured by openGauss for the distributed lock service | Random | RDMA/UB NIC | IP address configured by openGauss for the distributed lock service | The value ranges from 1024 to 65535 and defaults to 21616. | TCP | The default service port number of the DLock primary server for the client is 21616. If the configured port number is within the port range of new connections, the port number may be occupied. As a result, the server init/reinit operation fails. It is recommended that the port number be out of the port number range of new connections or the management service port number be configured in ip_local_reserved_ports. | Yes, which can be configured when the server is started. | SSL authentication. The earliest protocol version supported is TLS1_3_VERSION. | The cipher suite is TLS_AES_256_GCM_SHA384. | DLock management plane | openGauss 5.1.1 | None | Distributed service scenarios such as databases and big data. |
Server running the distributed lock service | IP address configured by openGauss for the distributed lock service | Random | RDMA/UB NIC | IP address configured by openGauss for the distributed lock service | Value ranges: 1024-65535 | TCP | DLock uses the URMA component as the underlying communication library. URMA applies for a listening port from the system to exchange information required for RDMA connection setup. | No, which is allocated by the system. | None | None | URMA management plane | openGauss 5.1.1 | None | In the RDMA scenario, this port is used to exchange information required for connection setup on the data plane. User data is not involved, and thus authentication and encryption are not required. Even if the connection is hijacked or forged, the security of the data plane is not affected. |
Server running the distributed lock service | N/A | N/A | RDMA/UB NIC | N/A | N/A | RoCE v2 | The RDMA scenario does not involve the concept of port. | N/A | N/A | The cipher suite is TLS_AES_256_GCM_SHA384. | Data plane | openGauss 5.1.1 | None | The DLock management plane is responsible for authentication, and the encryption and decryption keys are obtained through interaction with this plane. |
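
The DLock row above recommends keeping the listening port (default 21616) outside the port range of new connections, or listing it in ip_local_reserved_ports. A check for that, as an added example that is not openGauss code: the function names and the DLOCK_PORT variable are hypothetical, and the "port range of new connections" is taken to be the Linux sysctl net.ipv4.ip_local_port_range.

```shell
#!/bin/sh
# Added example, not openGauss code. Function names are hypothetical.

# in_reserved PORT LIST
# Succeeds if PORT is covered by LIST, written in the syntax of
# net.ipv4.ip_local_reserved_ports: comma-separated ports and lo-hi ranges.
in_reserved() {
    port=$1
    old_ifs=$IFS; IFS=,
    for item in $2; do
        IFS=$old_ifs
        lo=${item%-*}; hi=${item#*-}   # a single port gives lo == hi
        if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# port_status PORT RANGE_LO RANGE_HI RESERVED_LIST
# Prints one of:
#   outside-range   the kernel never hands PORT out as an ephemeral source port
#   reserved        PORT is inside the range but excluded via reserved ports
#   collision-risk  an outgoing connection may occupy PORT before the server binds
port_status() {
    if [ "$1" -lt "$2" ] || [ "$1" -gt "$3" ]; then
        echo outside-range
    elif in_reserved "$1" "$4"; then
        echo reserved
    else
        echo collision-risk
    fi
}

# Live check on this host. DLOCK_PORT is a hypothetical variable that
# defaults to the DLock port given in the table.
sysctl_dir=/proc/sys/net/ipv4
if [ -r "$sysctl_dir/ip_local_port_range" ] &&
   read -r range_lo range_hi < "$sysctl_dir/ip_local_port_range"; then
    reserved_list=$(cat "$sysctl_dir/ip_local_reserved_ports" 2>/dev/null || true)
    dlock_port=${DLOCK_PORT:-21616}
    echo "port $dlock_port: $(port_status "$dlock_port" "$range_lo" "$range_hi" "$reserved_list")"
fi
```

A result of collision-risk means the port should be moved outside the range or added to ip_local_reserved_ports before the server is started.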