ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzajr_5.4.0.1/rzajrsecurity.htm

184 lines
12 KiB
HTML
Raw Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="reference" />
<meta name="DC.Title" content="Secure your Operations Console configuration" />
<meta name="abstract" content="Operations Console security consists of service device authentication, user authentication, data privacy, and data integrity." />
<meta name="description" content="Operations Console security consists of service device authentication, user authentication, data privacy, and data integrity." />
<meta name="DC.Relation" scheme="URI" content="rzajrplanconfig.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="security" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Secure your Operations Console configuration</title>
</head>
<body id="security"><a name="security"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Secure your Operations Console configuration</h1>
<div><p>Operations Console security consists of service device authentication,
user authentication, data privacy, and data integrity.</p>
<div class="section"><p>Operations Console local console directly attached to the server
has implicit device authentication, data privacy, and data integrity due to
its point-to-point connection. User authentication security is required to
sign on to the console display. For information regarding service tools user
IDs and passwords refer to link to Service tools user IDs and passwords</p>
</div>
<div class="section"><p>The following figure is intended to give you an overview of your
Operations Console LAN security. The access password (1), if correct, induces
Operations Console to send (2) the service tools device ID (QCONSOLE) and
its encrypted password to the server. The server checks the two values (3),
and if they match, updates both the device and DST with a new encrypted password.
The connection process then validates the service tools user ID and password
before sending the system console display to the PC (4). </p>
</div>
<div class="section"><p><br /><img src="rzajr506.gif" alt="Operations Console LAN security" /><br /></p>
</div>
<div class="section"><p>The iSeries™ console
security consists of service device authentication, user authentication, data
privacy, data integrity, and data encryption:</p>
<dl><dt class="dlterm">Service device authentication</dt>
<dd>This security assures one physical device is the console. Operations Console
local console directly attached to the server is a physical connection similar
to a twinaxial console. The serial cable you use for Operations Console using
a direct connection may be physically secured similar to a twinaxial connection
to control access to the physical console device. Operations Console local
console on a network uses a version of Secured Sockets Layer (SSL) that supports
device and user authentication, but without using certificates.</dd>
<dt class="dlterm">Device authentication</dt>
<dd>The device authentication is based on a service tools device ID. Service
tools device IDs are administered in Dedicated Service Tools (DST) and System
Service Tools (SST). They consist of a service tools device ID and a service
tools device ID password. The iSeries is shipped with a default service
tools device ID of QCONSOLE with a default password of QCONSOLE. Operations
Console local console on a network encrypts and changes the password during
each successful connection. You must use the default password to initially
set up your server if using a local console on a network (LAN).<div class="important"><span class="importanttitle">Important:</span> The
device authentication requires a unique service tools device ID for each PC
that will be configured with a local console on a network (LAN) connection.</div>
<p>When
using Operations Console local console on a network, the configuration wizard
adds the necessary information to the PC. The configuration wizard asks for
the service tools device ID, and an access password. The access password protects
the service tools device ID information (service tools device ID and password)
on the PC.</p>
<p>When establishing a network connection, the Operations Console
configuration wizard prompts you for the access password to access the encrypted
service tools device ID and password. The user will also be prompted for a
valid service tools user ID and password.</p>
<div class="note"><span class="notetitle">Note:</span> When using the graphical
control panel on systems with a keystick, on a logical partition, setting
the mode to secure may require you to use the LPAR menu on the primary to
select another mode.</div>
</dd>
<dt class="dlterm">User authentication</dt>
<dd>This security provides assurance as to who is using the service device.
All problems related to user authentication are the same regardless of console
type. For more information, see <a href="../rzamh/rzamh1.htm">Service tools</a>.</dd>
<dt class="dlterm">Data privacy</dt>
<dd>This security provides confidence that the console data can only be read
by the intended recipient. Operations Console local console directly attached
to the server uses a physical connection similar to a twinaxial console or
secure network connection for LAN connectivity to protect console data. Operations
Console using a direct connection has the same data privacy of a twinaxial
connection. If the physical connection is secure as discussed under service
device authentication, the console data remains protected. To protect the
data, ensure only authorized people enter the computer room. <p> Operations
Console local console on a network uses a secure network connection if the
appropriate cryptographic products are installed. The console session uses
the strongest encryption possible depending on the cryptographic products
installed on the iSeries and
the PC running Operations Console. If no cryptographic products are installed,
there will be no data encryption.</p>
</dd>
<dt class="dlterm">Data integrity</dt>
<dd>This security provides confidence that the console data has not changed
en route to the recipient. Operations Console local console directly attached
to the server has the same data integrity as a twinaxial connection. If the
physical connection is secure, the console data remains protected. Operations
Console local console on a network uses a secure network connection if the
appropriate cryptographic products are installed. The console session uses
the strongest encryption possible depending on the cryptographic products
installed on the iSeries and
the PC running Operations Console. If no cryptographic products are installed,
there will be no data encryption.</dd>
<dt class="dlterm">Data encryption</dt>
<dd>Enhanced authentication and data encryption provide network security for
console procedures. Operations Console local console on a network uses a version
of SSL which supports device and user authentication but without using certificates.</dd>
</dl>
</div>
<div class="section"><h4 class="sectiontitle">Administration</h4><p>Operations Console administration
allows system administrators to control access to console functions, including
the remote control panel and virtual control panel. When using Operations
Console local console on a network, device and user authentication are controlled
through the service tools device ID.</p>
</div>
<div class="section"><div class="important"><span class="importanttitle">Important:</span> Consider the following when administering
Operations Console local console over a network:<ul><li>For more information about service tools user IDs, see <a href="../rzamh/rzamh1.htm">Service tools</a>.</li>
<li>For the remote control panel, mode selections require security authorization
for the user that authenticates the connection, such as that provided by QSECOFR.
Mode selections include: Manual, Normal, Auto, Secure. Auto and Secure are
only available on servers with a keystick. Also, when connecting the remote
control panel using a network, the service tools device ID must have authority
to the control panel data on the system or the partition the remote control
panel connects to.</li>
<li>When a mismatch occurs in the service tools device password between the iSeries server
and the Operations Console PC, you need to resynchronize the password on both
the PC and the server. To do this, see <a href="rzajrresynchrpa.htm#resynchrpa">Resynchronize
the PC and service tools device ID password</a>. A mismatch will occur
if, for example, your PC fails, if you decide to exchange the PC for a different
one or if you upgrade it. </li>
<li>Since QCONSOLE is a default service tools device ID, if you elect not
to use this device ID it is <span class="uicontrol">highly recommended</span> that
you temporarily configure a connection using this ID and successfully connect.
Then, delete the configuration but DO NOT reset the device ID on the server.
This will prevent an unauthorized access from someone using the known default
service tools device ID. Should you have a need to use this device ID later,
it can be reset at that time using the control panel or menus.</li>
<li>If you implement a network security tool that probes ports for intrusion
protection be aware that Operations Console uses ports 449, 2300, 2301, 2323,
3001, and 3002 for normal operations. In addition, port 2301, which is used
for the console on a partition running Linux is also vulnerable to probes.
If your tool were to probe any of these ports it may cause loss of the console
which might result in an IPL to recover. These ports should be excluded from
intrusion protection tests. </li>
</ul>
</div>
</div>
<div class="section"><h4 class="sectiontitle">Protection tips</h4><p>When using Operations Console local
console on a network, IBM<sup>®</sup> recommends the following items:</p>
<ol><li>Create an additional service tools device ID for each PC that will be
used as a console with console and control panel attributes. </li>
<li>Add one or two additional backup device IDs for use in an emergency. </li>
<li>Install Cryptographic Access Provider programs on the iSeries server and
install Client Encryption on the Operations Console PC.</li>
<li>Choose nontrivial access passwords.</li>
<li>Protect the Operations Console PC in the same manner you would protect
a twinaxial console or an Operations Console with direct connectivity.</li>
<li>Change your password for the following DST user IDs: QSECOFR, 22222222,
and QSRV.</li>
<li>Add backup service tools user IDs with enough authority to enable or disable
user and service tools device IDs.</li>
</ol>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzajrplanconfig.htm" title="In order to plan for your configuration, you should find out the specific connectivity types allowed by the various Operations Console configurations. The scenarios included offer specific configurations examples to help you select a console configuration most suited to your needs. If you plan ahead, you can include additional features in your configuration.">Plan for your configuration</a></div>
</div>
</div>
</body>
</html>