Secure your Operations Console configuration

Operations Console security consists of service device authentication, user authentication, data privacy, and data integrity.

Operations Console local console directly attached to the server has implicit device authentication, data privacy, and data integrity because of its point-to-point connection. User authentication is still required to sign on to the console display. For information about service tools user IDs and passwords, see Service tools user IDs and passwords.

The following figure gives an overview of Operations Console LAN security. If the access password (1) is correct, Operations Console sends (2) the service tools device ID (QCONSOLE) and its encrypted password to the server. The server checks the two values (3) and, if they match, updates both the device and DST with a new encrypted password. The connection process then validates the service tools user ID and password before sending the system console display to the PC (4).


Operations Console LAN security

The iSeries™ console security consists of service device authentication, user authentication, data privacy, data integrity, and data encryption:

Service device authentication
This security assures that one specific physical device is the console. Operations Console local console directly attached to the server is a physical connection similar to a twinaxial console. The serial cable you use for Operations Console with a direct connection can be physically secured in the same way as a twinaxial connection to control access to the physical console device. Operations Console local console on a network uses a version of Secure Sockets Layer (SSL) that supports device and user authentication, but without using certificates.
Device authentication
The device authentication is based on a service tools device ID. Service tools device IDs are administered in Dedicated Service Tools (DST) and System Service Tools (SST). They consist of a service tools device ID and a service tools device ID password. The iSeries is shipped with a default service tools device ID of QCONSOLE with a default password of QCONSOLE. Operations Console local console on a network encrypts and changes the password during each successful connection. You must use the default password to initially set up your server if using a local console on a network (LAN).
Important: The device authentication requires a unique service tools device ID for each PC that will be configured with a local console on a network (LAN) connection.

When using Operations Console local console on a network, the configuration wizard adds the necessary information to the PC. The configuration wizard asks for the service tools device ID, and an access password. The access password protects the service tools device ID information (service tools device ID and password) on the PC.

When establishing a network connection, Operations Console prompts you for the access password so that it can decrypt the stored service tools device ID and password. You are also prompted for a valid service tools user ID and password.

Note: When using the graphical control panel on systems with a keystick, on a logical partition, setting the mode to secure may require you to use the LPAR menu on the primary to select another mode.
User authentication
This security provides assurance as to who is using the service device. All problems related to user authentication are the same regardless of console type. For more information, see Service tools.
Data privacy
This security provides confidence that the console data can be read only by the intended recipient. Operations Console local console directly attached to the server relies on a physical connection similar to a twinaxial console to protect console data; a local console on a network relies on a secure network connection. Operations Console using a direct connection has the same data privacy as a twinaxial connection. If the physical connection is secure, as discussed under service device authentication, the console data remains protected. To protect the data, ensure that only authorized people enter the computer room.

Operations Console local console on a network uses a secure network connection if the appropriate cryptographic products are installed. The console session uses the strongest encryption possible depending on the cryptographic products installed on the iSeries and the PC running Operations Console. If no cryptographic products are installed, there will be no data encryption.

Data integrity
This security provides confidence that the console data has not been changed en route to the recipient. Operations Console local console directly attached to the server has the same data integrity as a twinaxial connection. If the physical connection is secure, the console data remains protected. Operations Console local console on a network uses a secure network connection if the appropriate cryptographic products are installed. The console session uses the strongest encryption possible, depending on the cryptographic products installed on the iSeries and on the PC running Operations Console. If no cryptographic products are installed, there is no data encryption.
Data encryption
Enhanced authentication and data encryption provide network security for console procedures. Operations Console local console on a network uses a version of SSL which supports device and user authentication but without using certificates.

Administration

Operations Console administration allows system administrators to control access to console functions, including the remote control panel and virtual control panel. When using Operations Console local console on a network, device and user authentication are controlled through the service tools device ID.

Important: Consider the following when administering Operations Console local console over a network:
  • For more information about service tools user IDs, see Service tools.
  • For the remote control panel, mode selections require security authorization for the user that authenticates the connection, such as that provided by QSECOFR. Mode selections include: Manual, Normal, Auto, Secure. Auto and Secure are only available on servers with a keystick. Also, when connecting the remote control panel using a network, the service tools device ID must have authority to the control panel data on the system or the partition the remote control panel connects to.
  • When a mismatch occurs in the service tools device password between the iSeries server and the Operations Console PC, you need to resynchronize the password on both the PC and the server. To do this, see Resynchronize the PC and service tools device ID password. A mismatch occurs if, for example, your PC fails, you exchange the PC for a different one, or you upgrade it.
  • Since QCONSOLE is a default service tools device ID, if you elect not to use this device ID it is highly recommended that you temporarily configure a connection using this ID and successfully connect. Then delete the configuration but DO NOT reset the device ID on the server. Because the successful connection replaced the default password, this prevents unauthorized access by someone using the known default service tools device ID. Should you need this device ID later, it can be reset at that time using the control panel or menus.
  • If you implement a network security tool that probes ports for intrusion protection, be aware that Operations Console uses ports 449, 2300, 2301, 2323, 3001, and 3002 for normal operations. In addition, port 2301, which is used for the console on a partition running Linux, is also vulnerable to probes. If your tool probes any of these ports, it may cause loss of the console, which might require an IPL to recover. Exclude these ports from intrusion protection tests.
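To make the connection flow in the figure concrete, and to show why the password mismatch (third bullet above) and the advice to connect once with QCONSOLE before abandoning it (fourth bullet) arise, the following is an added Python model of the exchange. It is illustrative code written for this page, not IBM's implementation: sealing the PC-side device password under the access password with a SHA-256 keystream plus an HMAC, and storing a PBKDF2 verifier on the server, are assumptions chosen for the model, and the access password and rotated passwords are constructed sample values.

```python
import copy
import hashlib
import hmac
import secrets

# Defaults the page states the server ships with.
DEFAULT_DEVICE_ID = "QCONSOLE"
DEFAULT_DEVICE_PASSWORD = "QCONSOLE"
PBKDF2_ITERATIONS = 50_000  # modest so the walkthrough runs quickly


def _derive(secret, salt):
    """Slow hash used for the server's stored verifier and the PC's sealing key (assumption)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERATIONS)


def _keystream(key, length):
    """Counter-mode keystream from SHA-256; an illustration, not the product's cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(data, key):
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


class ServiceToolsServer:
    """Model of the DST/SST store of service tools device IDs (step 3 in the figure)."""

    def __init__(self):
        self.devices = {}
        self.set_password(DEFAULT_DEVICE_ID, DEFAULT_DEVICE_PASSWORD)

    def set_password(self, device_id, password):
        salt = secrets.token_bytes(16)
        self.devices[device_id] = (salt, _derive(password, salt))

    def authenticate(self, device_id, password):
        """Check the ID/password pair; on a match rotate the password and return the new one."""
        record = self.devices.get(device_id)
        if record is None:
            return None
        salt, verifier = record
        if not hmac.compare_digest(verifier, _derive(password, salt)):
            return None
        new_password = secrets.token_urlsafe(16)
        self.set_password(device_id, new_password)  # server side now holds the new password
        return new_password

    def reset_device(self, device_id):
        """Operator resync action: put the device ID back to its default password."""
        self.set_password(device_id, DEFAULT_DEVICE_PASSWORD)


class ConsoleProfile:
    """Model of the PC-side configuration: device password sealed under the access password."""

    def __init__(self, access_password, device_id, device_password):
        self.device_id = device_id
        self.salt = secrets.token_bytes(16)
        self.seal(access_password, device_password)

    def seal(self, access_password, device_password):
        key = _derive(access_password, self.salt)
        self.ciphertext = _xor(device_password.encode(), key)
        self.tag = hmac.new(key, self.ciphertext, "sha256").digest()  # exposes a wrong access password

    def unseal(self, access_password):
        """Step 1: the access password unlocks the stored device password."""
        key = _derive(access_password, self.salt)
        expected = hmac.new(key, self.ciphertext, "sha256").digest()
        if not hmac.compare_digest(self.tag, expected):
            raise ValueError("access password incorrect")
        return _xor(self.ciphertext, key).decode()


def connect(profile, access_password, server):
    """Steps 1-3: unseal, present ID + password, and on success keep the rotated password on the PC."""
    device_password = profile.unseal(access_password)
    new_password = server.authenticate(profile.device_id, device_password)
    if new_password is None:
        return False  # password mismatch: PC and server must be resynchronized
    profile.seal(access_password, new_password)
    return True


def demo():
    """First connection, reuse of the default, a stale PC image, and a resync."""
    server = ServiceToolsServer()
    access_pw = "n0t-tr1vial"  # constructed access password
    pc = ConsoleProfile(access_pw, DEFAULT_DEVICE_ID, DEFAULT_DEVICE_PASSWORD)
    r = {"first_connect": connect(pc, access_pw, server)}
    # The known default no longer works once one successful connection has rotated it.
    r["default_reuse_after_connect"] = server.authenticate(DEFAULT_DEVICE_ID, DEFAULT_DEVICE_PASSWORD) is not None
    backup = copy.deepcopy(pc)  # image of the PC taken now and restored after the next connection
    r["second_connect"] = connect(pc, access_pw, server)
    r["stale_backup_connect"] = connect(backup, access_pw, server)  # holds an old password: mismatch
    server.reset_device(DEFAULT_DEVICE_ID)  # resync: reset on the server, reconfigure the PC
    resynced = ConsoleProfile(access_pw, DEFAULT_DEVICE_ID, DEFAULT_DEVICE_PASSWORD)
    r["after_resync"] = connect(resynced, access_pw, server)
    try:
        pc.unseal("wrong-access-password")
        r["wrong_access_password_rejected"] = False
    except ValueError:
        r["wrong_access_password_rejected"] = True
    return r


if __name__ == "__main__":
    print(demo())
```

The walkthrough shows the two points the bullets make: a restored PC image (or a replaced PC) carries a stale device password and fails until the device ID is reset on the server and the PC is reconfigured, and once QCONSOLE has connected successfully its shipped default password no longer authenticates anyone.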

Protection tips

When using Operations Console local console on a network, IBM® recommends the following items:

  1. Create an additional service tools device ID, with console and control panel attributes, for each PC that will be used as a console.
  2. Add one or two additional backup device IDs for use in an emergency.
  3. Install Cryptographic Access Provider programs on the iSeries server and install Client Encryption on the Operations Console PC.
  4. Choose nontrivial access passwords.
  5. Protect the Operations Console PC in the same manner you would protect a twinaxial console or an Operations Console with direct connectivity.
  6. Change your password for the following DST user IDs: QSECOFR, 22222222, and QSRV.
  7. Add backup service tools user IDs with enough authority to enable or disable user and service tools device IDs.