<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
  PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="reference" />
<meta name="DC.Title" content="Secure your Operations Console configuration" />
<meta name="abstract" content="Operations Console security consists of service device authentication, user authentication, data privacy, and data integrity." />
<meta name="description" content="Operations Console security consists of service device authentication, user authentication, data privacy, and data integrity." />
<meta name="DC.Relation" scheme="URI" content="rzajrplanconfig.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="security" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Secure your Operations Console configuration</title>
</head>
<body id="security"><a name="security"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Secure your Operations Console configuration</h1>
<div><p>Operations Console security consists of service device authentication,
user authentication, data privacy, and data integrity.</p>
<div class="section"><p>Operations Console local console directly attached to the server
has implicit device authentication, data privacy, and data integrity due to
its point-to-point connection. User authentication security is required to
sign on to the console display. For information regarding service tools user
IDs and passwords, refer to Service tools user IDs and passwords.</p>
</div>
<div class="section"><p>The following figure is intended to give you an overview of your
Operations Console LAN security. The access password (1), if correct, induces
Operations Console to send (2) the service tools device ID (QCONSOLE) and
its encrypted password to the server. The server checks the two values (3),
and if they match, updates both the device and DST with a new encrypted password.
The connection process then validates the service tools user ID and password
before sending the system console display to the PC (4).</p>
</div>
<div class="section"><p><br /><img src="rzajr506.gif" alt="Operations Console LAN security" /><br /></p>
</div>
<div class="section"><p>The iSeries™ console
security consists of service device authentication, user authentication, data
privacy, data integrity, and data encryption:</p>
<dl><dt class="dlterm">Service device authentication</dt>
<dd>This security ensures that one physical device is the console. Operations Console
local console directly attached to the server is a physical connection similar
to a twinaxial console. The serial cable you use for Operations Console using
a direct connection may be physically secured similar to a twinaxial connection
to control access to the physical console device. Operations Console local
console on a network uses a version of Secure Sockets Layer (SSL) that supports
device and user authentication, but without using certificates.</dd>
<dt class="dlterm">Device authentication</dt>
<dd>The device authentication is based on a service tools device ID. Service
tools device IDs are administered in Dedicated Service Tools (DST) and System
Service Tools (SST). They consist of a service tools device ID and a service
tools device ID password. The iSeries is shipped with a default service
tools device ID of QCONSOLE with a default password of QCONSOLE. Operations
Console local console on a network encrypts and changes the password during
each successful connection. You must use the default password to initially
set up your server if using a local console on a network (LAN).<div class="important"><span class="importanttitle">Important:</span> The
device authentication requires a unique service tools device ID for each PC
that will be configured with a local console on a network (LAN) connection.</div>
<p>When
using Operations Console local console on a network, the configuration wizard
adds the necessary information to the PC. The configuration wizard asks for
the service tools device ID and an access password. The access password protects
the service tools device ID information (service tools device ID and password)
on the PC.</p>
<p>When establishing a network connection, the Operations Console
configuration wizard prompts you for the access password to access the encrypted
service tools device ID and password. The user will also be prompted for a
valid service tools user ID and password.</p>
<div class="note"><span class="notetitle">Note:</span> When using the graphical
control panel on systems with a keystick, on a logical partition, setting
the mode to secure may require you to use the LPAR menu on the primary to
select another mode.</div>
</dd>
<dt class="dlterm">User authentication</dt>
<dd>This security provides assurance as to who is using the service device.
All problems related to user authentication are the same regardless of console
type. For more information, see <a href="../rzamh/rzamh1.htm">Service tools</a>.</dd>
<dt class="dlterm">Data privacy</dt>
<dd>This security provides confidence that the console data can only be read
by the intended recipient. Operations Console local console directly attached
to the server uses a physical connection similar to a twinaxial console or
secure network connection for LAN connectivity to protect console data. Operations
Console using a direct connection has the same data privacy as a twinaxial
connection. If the physical connection is secure as discussed under service
device authentication, the console data remains protected. To protect the
data, ensure only authorized people enter the computer room. <p>Operations
Console local console on a network uses a secure network connection if the
appropriate cryptographic products are installed. The console session uses
the strongest encryption possible depending on the cryptographic products
installed on the iSeries and
the PC running Operations Console. If no cryptographic products are installed,
there will be no data encryption.</p>
</dd>
<dt class="dlterm">Data integrity</dt>
<dd>This security provides confidence that the console data has not changed
en route to the recipient. Operations Console local console directly attached
to the server has the same data integrity as a twinaxial connection. If the
physical connection is secure, the console data remains protected. Operations
Console local console on a network uses a secure network connection if the
appropriate cryptographic products are installed. The console session uses
the strongest encryption possible depending on the cryptographic products
installed on the iSeries and
the PC running Operations Console. If no cryptographic products are installed,
there will be no data encryption.</dd>
<dt class="dlterm">Data encryption</dt>
<dd>Enhanced authentication and data encryption provide network security for
console procedures. Operations Console local console on a network uses a version
of SSL which supports device and user authentication but without using certificates.</dd>
</dl>
</div>
<div class="section"><h4 class="sectiontitle">Administration</h4><p>Operations Console administration
allows system administrators to control access to console functions, including
the remote control panel and virtual control panel. When using Operations
Console local console on a network, device and user authentication are controlled
through the service tools device ID.</p>
</div>
<div class="section"><div class="important"><span class="importanttitle">Important:</span> Consider the following when administering
Operations Console local console over a network:<ul><li>For more information about service tools user IDs, see <a href="../rzamh/rzamh1.htm">Service tools</a>.</li>
<li>For the remote control panel, mode selections require security authorization
for the user that authenticates the connection, such as that provided by QSECOFR.
Mode selections include: Manual, Normal, Auto, Secure. Auto and Secure are
only available on servers with a keystick. Also, when connecting the remote
control panel using a network, the service tools device ID must have authority
to the control panel data on the system or the partition the remote control
panel connects to.</li>
<li>When a mismatch occurs in the service tools device password between the iSeries server
and the Operations Console PC, you need to resynchronize the password on both
the PC and the server. To do this, see <a href="rzajrresynchrpa.htm#resynchrpa">Resynchronize
the PC and service tools device ID password</a>. A mismatch will occur
if, for example, your PC fails, if you decide to exchange the PC for a different
one, or if you upgrade it.</li>
<li>Since QCONSOLE is a default service tools device ID, if you elect not
to use this device ID, it is <span class="uicontrol">highly recommended</span> that
you temporarily configure a connection using this ID and successfully connect.
Then, delete the configuration but DO NOT reset the device ID on the server.
This prevents unauthorized access by someone using the known default
service tools device ID. Should you have a need to use this device ID later,
it can be reset at that time using the control panel or menus.</li>
<li>If you implement a network security tool that probes ports for intrusion
protection, be aware that Operations Console uses ports 449, 2300, 2301, 2323,
3001, and 3002 for normal operations. In addition, port 2301, which is used
for the console on a partition running Linux, is also vulnerable to probes.
If your tool were to probe any of these ports, it may cause loss of the console,
which might result in an IPL to recover. These ports should be excluded from
intrusion protection tests.</li>
</ul>
</div>
</div>
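<div class="section"><p>One way to keep a probing tool's port list clear of the Operations Console ports
listed above, shown as an added example that is not IBM code. The function names and the
port-spec syntax (comma-separated ports and ranges such as 1-1024,3001) are assumptions;
adapt the output to your tool's own exclusion syntax.</p>

```python
# Ports this page lists for Operations Console (2301 also serves a Linux partition console)
CONSOLE_PORTS = {449, 2300, 2301, 2323, 3001, 3002}

def parse_spec(spec):
    """Parse a spec such as '1-1024,2300-2400,3001' into sorted (start, end) ranges."""
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        start, end = int(lo), int(hi or lo)
        if not 65535 >= end >= start >= 1:
            raise ValueError(f"bad port range: {part!r}")
        ranges.append((start, end))
    return sorted(ranges)

def exclude_console_ports(spec, excluded=CONSOLE_PORTS):
    """Return (safe_spec, removed): the spec with excluded ports cut out,
    and the list of excluded ports the original spec would have probed."""
    out, removed = [], []
    for start, end in parse_spec(spec):
        cur = start
        for port in sorted(p for p in excluded if end >= p >= start):
            removed.append(port)
            if port > cur:
                out.append((cur, port - 1))  # keep the gap before the console port
            cur = port + 1                   # resume just after it
        if end >= cur:
            out.append((cur, end))
    safe = ",".join(str(a) if a == b else f"{a}-{b}" for a, b in out)
    return safe, removed

def touches_console(spec):
    """True if the spec would probe any Operations Console port."""
    return bool(exclude_console_ports(spec)[1])
```

</div>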
<div class="section"><h4 class="sectiontitle">Protection tips</h4><p>When using Operations Console local
console on a network, IBM<sup>®</sup> recommends the following items:</p>
<ol><li>Create an additional service tools device ID for each PC that will be
used as a console with console and control panel attributes.</li>
<li>Add one or two additional backup device IDs for use in an emergency.</li>
<li>Install Cryptographic Access Provider programs on the iSeries server and
install Client Encryption on the Operations Console PC.</li>
<li>Choose nontrivial access passwords.</li>
<li>Protect the Operations Console PC in the same manner you would protect
a twinaxial console or an Operations Console with direct connectivity.</li>
<li>Change your password for the following DST user IDs: QSECOFR, 22222222,
and QSRV.</li>
<li>Add backup service tools user IDs with enough authority to enable or disable
user and service tools device IDs.</li>
</ol>
</div>
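<div class="section"><p>A toy model of the device ID handshake this page describes, added here as an
illustration and not taken from IBM code. It shows why connecting once with QCONSOLE retires
the known default, and why a server-side reset leaves the PC needing a resynchronization. The
class names, the random-token rotation and the PBKDF2 access-password gate are assumptions
standing in for a mechanism the page does not specify.</p>

```python
import hashlib, hmac, secrets

DEFAULT_ID = DEFAULT_PW = "QCONSOLE"  # shipped default named on the page

class Server:
    """Server side: current password for each service tools device ID."""
    def __init__(self):
        self.devices = {DEFAULT_ID: DEFAULT_PW}

    def set_device(self, device_id, password):
        # Hypothetical stand-in for creating or resetting a device ID in DST/SST.
        self.devices[device_id] = password

    def connect(self, device_id, password):
        current = self.devices.get(device_id)
        if current is None or not hmac.compare_digest(current, password):
            return None  # step 3 failed: PC and server are out of sync
        self.devices[device_id] = secrets.token_hex(16)  # rotate on success
        return self.devices[device_id]

class ConsolePC:
    """PC side: device ID and password, gated by the access password."""
    def __init__(self, device_id, device_pw, access_pw):
        self.device_id, self.device_pw = device_id, device_pw
        self.salt = secrets.token_bytes(16)
        self.verifier = self._kdf(access_pw)

    def _kdf(self, pw):
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), self.salt, 100_000)

    def connect(self, server, access_pw):
        if not hmac.compare_digest(self.verifier, self._kdf(access_pw)):
            return "access password rejected"  # step 1 failed, nothing is sent
        rotated = server.connect(self.device_id, self.device_pw)  # step 2
        if rotated is None:
            return "device password mismatch"
        self.device_pw = rotated  # both sides now hold the new value
        return "connected"

def demo():  # constructed scenario: consume the default, then two mismatch cases
    srv, pw = Server(), "constructed-access-pw"
    first = ConsolePC(DEFAULT_ID, DEFAULT_PW, pw)
    late = ConsolePC(DEFAULT_ID, DEFAULT_PW, pw)  # configured with the known default
    results = [first.connect(srv, "wrong"), first.connect(srv, pw)]
    results.append(late.connect(srv, pw))   # default already consumed
    results.append(first.connect(srv, pw))  # first PC still in sync
    srv.set_device(DEFAULT_ID, DEFAULT_PW)  # reset on the server only
    results.append(first.connect(srv, pw))  # PC holds a stale value: resync needed
    return results
```

</div>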
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzajrplanconfig.htm" title="In order to plan for your configuration, you should find out the specific connectivity types allowed by the various Operations Console configurations. The scenarios included offer specific configurations examples to help you select a console configuration most suited to your needs. If you plan ahead, you can include additional features in your configuration.">Plan for your configuration</a></div>
</div>
</div>
</body>
</html>