Saturday, September 3, 2011

Securing the HMC

This article is a cookbook tool to help you secure the Hardware Management Console (HMC). It provides detailed instructions for what should be done, and what could be done, in a straightforward manner.
The HMC plays a central role in the IBM virtualization strategy. It controls hardware, configures logical partitions (LPAR), and assigns both physical and virtual devices. It is vital to systems management in a virtualized environment. IBM created and designed the HMC as a closed system to perform only those functions specifically assigned to it. The Licensed Internal Code of the HMC is based on an open operating system that has been customized to enhance security. You should do additional customization to complete the securing process.
In this article, you'll learn the steps that should be taken during installation of the HMC. Optional measures that might be implemented later, if desired, are also included. The author wraps up with some maintenance guidelines for ensuring that a secure system stays secure.
The how-to steps in this article assume you are at the HMC console using the Web-based System Manager, which is the graphical user interface (GUI). Whenever the command-line interface is required, it is noted. Some of the configuration can be performed remotely, but some must be done at the console. While some initial configuration can be performed using the Setup Wizard, the methods described in this article focus on using the configuration menus of the HMC.
This section covers the steps you should take during installation of the HMC.
Whenever possible, an HMC should be installed in a secured area, such as a data center. The HMC should be close enough to the POWER5 servers it manages to allow a customer engineer easy access to all systems. If the HMC cannot be installed in a secured area, consider creating a power-on password, as described in the Optional steps section.
The default super administrative user on the HMC is hscroot. The initial password is set at the factory to abc123. The default root password is passw0rd. The first step is to change hscroot and root passwords to a combination of seven letters and numbers.
Follow these steps to change HMC user passwords:
  1. In the Navigation area, expand the HMC Management folder.
  2. Click the HMC users icon.
  3. In the Content area, click Manage HMC Users and Access. The User Profiles window should open.
  4. Highlight the user ID you wish to change, click User at the top left on the menu, then select Modify from the pull-down menu.
  5. On the Modify User menu, enter the new password and confirm it by entering a second time.
  6. Click OK.
The hscroot user cannot be removed from the system, but the user ID should not be shared among administrators. Each administrator should have a unique user ID and password that has the appropriate task and resource roles, including a hscroot equivalent if necessary.
Tasks are functions that a user can perform, and the managed resource role defines where those tasks might be carried out. Predefined task roles include:
  • Super administrator
  • Service representative
  • Operator
  • Product engineer
  • Viewer
By default, these roles apply to all resources managed by the HMC. You can create customized HMC roles by modifying those that are predefined and limit them to specific resources.
In addition to creating IDs for systems administrators, it is a good practice during installation to create the hscpe user with the product engineer role. To create a user:
  1. In the Navigation area of Web-based System Manager, expand the HMC Management folder and click the Users icon.
  2. In the Content area, click Manage HMC Users and Access. The User Profiles window should open.
  3. Click User > Add. Fill in the appropriate fields (tasks and roles) and click OK.
Command-line access to the HMC is only available using Secure Shell (SSH). By default, the HMC does not permit remote command-line access. This is generally not the desired setting. Allowing remote command-line access requires two steps:
  1. Enable remote access on the HMC Configuration menu.
  2. Open port 22 on the appropriate network adapter's firewall.
You must have either the super administrator or service representative role to control this setting. To enable remote command-line access:
  1. In the Navigation area, click the HMC Management icon.
  2. In the Content area, double-click the HMC Configuration icon.
  3. In the Contents area, click Enable/Disable Remote Command Execution.
  4. Check the box Enable remote command execution.
  5. Click OK.
To configure a firewall to allow Web-based System Manager and SSH traffic:
  1. In the Navigation area, click the HMC Management icon.
  2. In the Content pane, click Customize Network Settings.
  3. Click the LAN Adapters tab.
  4. Select the adapter that you want to work with (probably eth1) and click Details.
  5. Click the Firewall tab.
  6. Using one of the following methods, you can allow any IP address using a particular application through the firewall, or you can specify one or more IP addresses:
    • Allow any IP address using a particular application through the firewall:
      1. From the top box on the left, highlight the application.
      2. Click Allow Incoming on the right. The application displays in the bottom box to signify that it has been selected.
    • Specify which IP addresses to allow through the firewall:
      1. From the top box on the left, highlight an application.
      2. Click Allow Incoming by IP Address on the right.
      3. On the Hosts Allowed window, enter the IP address and the network mask.
      4. Click Add and then click OK.
  7. Click OK.
Any change to the network settings requires that the HMC be rebooted. It is usually best to make these firewall changes during the initial network configuration.
By default, the HMC does not allow remote Web-based System Manager users to open a virtual terminal on an LPAR. Many customers do want to enable this, but it does present a security risk. Why? Because the virtual terminal program launched by the Web-based System Manager client does not use encrypted traffic, even if the Web-based System Manager client itself uses Secure Socket Layer (SSL) encryption. (Go to the Require Web-based System Manager clients to use SSL encryption section for a discussion of secure Web-based System Manager.) Logins, passwords, and confidential data entered or displayed in the virtual terminal window are transmitted in plain text over the network.
If this issue raises concerns in your environment, you should not allow it. A secure alternative would be to use a separate program, such as SSH, to access the LPAR. Another option is to log in to the HMC using SSH and run the mkvterm or vtmenu commands. These commands give you access to the partitions, and their network packets are encrypted from end to end.
To configure remote virtual terminal access:
  1. In the Navigation area, click HMC Configuration.
  2. In the Contents pane, click Enable or Disable Remote Virtual Terminal.
  3. In the pop-up window, check the box to enable remote virtual terminal connections. To continue the default policy of not allowing remote virtual terminal connections, make sure the box is not checked.
  4. Click OK.
Using a private network in which the HMC acts as a Dynamic Host Configuration Protocol (DHCP) server for all managed systems is preferred. If the system managed by an HMC has a Bulk Power Controller, the HMC must use a private network. The private network is non-routable. It consists of just one HMC and one port on each service processor being managed. (With dual HMCs, you can have two private networks per service processor, each on a separate IP network connecting to one of the two HMCs.) Administrators can select one of 20 possible IP subnet address ranges from the pull-down menu on the DHCP or private network configuration screen. Avoid selecting an IP address range that is adjacent to the address of another network adapter in the HMC.
To configure the HMC as a DHCP server:
  1. In the Navigation area, expand the HMC that you want to work with. HMCs are listed by hostname or IP address.
  2. Expand HMC Management.
  3. Click HMC Configuration.
  4. In the Contents pane, click Customize network settings.
  5. Click the LAN Adapters tab.
  6. Select the adapter that you want to work with and click Details.
  7. Click the LAN Adapter tab.
  8. In the DHCP Server section, check Enable DHCP Server to enable the HMC as a DHCP server.
  9. Enter the address range of the DHCP server.
  10. Click OK.
Configure a second adapter, for example eth1, to allow remote administrative access to the HMC and to monitor LPAR on managed systems. Remember to open the network firewall ports on this adapter for Web-based System Manager and SSH, as described above. As part of the HMC service strategy, the HMC monitors the state of managed partitions over the open network using the Resource Monitoring and Control (RMC) protocol, which uses port 657. RMC is also required for dynamic logical partitioning (DLPAR).
To configure a LAN adapter on an open network:
  1. From the Navigation window, select HMC Management.
  2. In the Contents window, select HMC Configuration.
  3. Select the Customize Network Settings task.
  4. On the Customize Network Settings menu, click the LAN Adapters tab.
  5. Highlight the adapter you wish to configure, such as eth1, and click the Details tab.
  6. On the LAN Adapter Details menu, select the Open radio button.
  7. Select the correct Media Speed to pick the correct speed and duplex connection.
  8. Click the Partition communication box to automatically set up RMC for managed LPAR.
  9. Fill in the correct Transmission Control Protocol/Internet Protocol (TCP/IP) interface address and subnet mask.
  10. Click the Firewall tab and follow the steps listed above for allowing Web-based System Manager and SSH through the firewall, either by application or application and IP address.
  11. From the Customize Network Settings menu, select Name Services and Routing menus and fill in Domain Name Service and routing IP addresses, as required by your network administrator.
  12. Reboot the HMC after all network changes have been made.
The first time an HMC connects to a managed server, you can either set the service processor's HMC Access password or enter the password that was set previously. The service processor uses this password to authenticate and authorize management operations initiated by the HMC. While setting the HMC Access password, you can also set the service processor's administrator and general passwords. The default administrator user ID is admin and the password is admin. The default general user ID is general and the password is general. All passwords should be changed during system installation. Keep these and all passwords in a secure and accessible location.
To set the HMC Access password during initial installation over a private network:
  1. In the Server and Partition: Server Management window, you will see the new managed server appear as an IP address with a message that says Authentication Pending.
  2. Set the managed system password. This sets the HMC Access password on the service processor. (On the service processor's menus, this is simply called the HMC password.)
  3. By opening the Admin and General tabs, you can set the passwords for the general and admin users.
The service processor has both an ASCII interface and a GUI. The latter is HTTPS-based and called the Advanced System Management Interface. To set or change passwords on the service processor using the Advanced System Management Interface, follow these steps:
  1. Connect an Ethernet cable from a laptop to the HMC1 port on the managed system's service processor.
  2. Configure the laptop's IP address to 192.168.2.146.
  3. In the laptop's browser, open URL https://192.168.2.147.
  4. On the Advanced System Management Interface Welcome pane, enter the admin user ID and password.
  5. In the Navigation area, expand Login Profile.
  6. Select Change Password.
  7. Specify the required information (the HMC user and password) and then click Continue.
The changes made to the Advanced System Management Interface password take place immediately.
Customers can configure their servers to notify IBM Service when hardware problems occur. On IBM System p™, four outbound connection methods exist:
  • Local modem
  • Internet
  • Internet virtual private network (VPN)
  • Pass-through systems (another HMC)
The Internet option employs SSL and only allows outbound traffic. Both the modem and Internet VPN options use Internet Protocol Security (IPSec) to create a secure connection. All options transmit only service-related data to IBM. The modem and Internet VPN options can be configured for inbound traffic, if desired. As of HMC V6.1, the Internet option also supports proxy servers.
To set up secure outbound communication using the Internet method:
  1. The HMC must have a Local Area Network (LAN) adapter that is connected to a network with Internet access.
  2. The LAN adapter must be configured with a default gateway that provides access to the Internet.
  3. If a firewall is in place between the HMC and the Internet, it must allow outgoing TCP/IP connections on port 443 from the HMC to each of the following IP addresses:
    • 129.42.160.48 and 207.25.252.200 (IBM Service to the system authentication server)
    • 129.42.160.49 and 207.25.252.204 (HMC access to IBM Service for North or South America)
    • 129.42.160.50 and 207.25.252.205 (HMC access to IBM Service for all other regions)
    You only need to specify the IP addresses necessary to set up access to the system authentication server and those appropriate for your region.
  4. From the Service Applications folder, select Remote Support.
  5. Select the Customize Outbound Connectivity task.
  6. On the Customize Outbound Connectivity menu, select Internet.
  7. Check the box that says Enable local system as a call-home server.
  8. Check the box that reads Allow an existing Internet connection for service.
  9. If an Internet proxy is used, fill in the necessary information on the menu.
  10. Select Test to verify that outbound connectivity is successful.
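One way to check a perimeter firewall's rule set against step 3 before running the Test task, as an added example that is not part of the original article or any IBM tool. The destination addresses and port come from the list above; the rule dictionary format, the function names, and the HMC address 10.20.0.5 are assumptions made for illustration.

```python
import ipaddress

# Port and destinations copied from step 3 of the article.
CALL_HOME_PORT = 443
AUTH_SERVERS = ("129.42.160.48", "207.25.252.200")
REGION_SERVERS = {
    "americas": ("129.42.160.49", "207.25.252.204"),  # North or South America
    "other": ("129.42.160.50", "207.25.252.205"),     # all other regions
}


def required_destinations(region):
    """Authentication servers plus the service servers for one region."""
    return {ipaddress.ip_address(a) for a in AUTH_SERVERS + REGION_SERVERS[region]}


def audit_call_home_rules(rules, hmc_ip, region):
    """Return findings for a list of rules in a hypothetical dict format:
    {"direction": "out"|"in", "src": CIDR, "dst": CIDR, "port": int}."""
    hmc = ipaddress.ip_address(hmc_ip)
    required = required_destinations(region)
    covered = set()
    findings = []
    for n, rule in enumerate(rules, start=1):
        src = ipaddress.ip_network(rule["src"])
        dst = ipaddress.ip_network(rule["dst"])
        if rule["direction"] == "in":
            # The Internet method only needs outbound connections.
            if hmc in dst:
                findings.append(
                    f"rule {n}: inbound to HMC; the Internet method is outbound only")
            continue
        if hmc not in src:
            continue  # rule does not apply to traffic leaving the HMC
        hits = {ip for ip in required if ip in dst}
        if rule["port"] == CALL_HOME_PORT:
            covered |= hits
        else:
            findings.append(
                f"rule {n}: port {rule['port']} is not needed for call-home")
        # A destination network larger than the servers it covers is too broad.
        if dst.num_addresses > len(hits):
            findings.append(
                f"rule {n}: {dst} allows destinations beyond the call-home servers")
    for ip in sorted(required - covered):
        findings.append(
            f"missing: no rule allows {hmc_ip} -> {ip}:{CALL_HOME_PORT}")
    return findings


# Constructed sample rule set (not from a real firewall).
SAMPLE_RULES = [
    {"direction": "out", "src": "10.20.0.5/32", "dst": "129.42.160.48/32", "port": 443},
    {"direction": "out", "src": "10.20.0.5/32", "dst": "207.25.252.200/32", "port": 443},
    {"direction": "out", "src": "10.20.0.5/32", "dst": "129.42.160.49/32", "port": 443},
    {"direction": "out", "src": "10.20.0.0/24", "dst": "0.0.0.0/0", "port": 80},
    {"direction": "in", "src": "0.0.0.0/0", "dst": "10.20.0.5/32", "port": 443},
]

if __name__ == "__main__":
    for finding in audit_call_home_rules(SAMPLE_RULES, "10.20.0.5", "americas"):
        print(finding)
```

The sample set is flagged for a broad port-80 rule, an inbound rule, and one Americas server that no rule reaches.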

This section discusses optional measures you can implement after installation, if you so choose.
You can require that all remote access to the HMC use SSL encryption. To do so, you need to configure System Manager Security on the HMC and require remote Web-based System Manager clients to use the SSL-encrypted version. The administrator must perform these configuration steps from the HMC console.
The steps required to set up System Manager Security are:
  1. Configure Certificate Authority on the HMC.
  2. Generate private and public key ring files.
  3. Install the private key ring file on the HMC.
  4. Select the security connection mode for your HMC; for example, SSL encryption required for all remote clients.
  5. Copy the public key ring file to a formatted diskette.
  6. Distribute the public key ring file to remote Web-based System Manager clients.
To configure Certificate Authority on your HMC:
  1. Expand the System Manager Security folder on the desktop and then select Certificate Authority in the navigation area.
  2. Select Configure this system as a System Manager Certificate Authority task.
  3. The Define Internal Certificate Authority wizard opens. Click Next.
  4. The wizard prompts you for an organization name. Enter an appropriate name and click Next.
  5. The wizard displays the expiration date for the certificate that you are going to create. Verify the date (the default expiration period is four years in the future) and then click Next.
  6. The wizard prompts you to enter a password for the Certificate Authority's key ring file. Type the appropriate password twice and click Next.
  7. The wizard shows an information message that says Certificate Authority has been configured. Select Finish.
To configure private and public key ring files:
  1. Expand the System Manager Security folder. Select the Certificate Authority application in the navigation area.
  2. Select the Generate Servers' Private Key Ring Files task.
  3. A window opens prompting you for the password entered in step 6 above.
  4. A window appears labeled Certificate Servers Private Key Ring Files. Verify that the HMC host name that appears in the box at the upper left is correct and then click Add.
  5. Check the box Encrypt the server private key files at the bottom of the screen. The system will prompt you for the Certificate Authority key ring file password that was created in step 6 above. Enter the password twice.
  6. Fill in the organization name in the appropriate box and click OK.
  7. An information window is displayed when the key generation has been completed. Click OK to close the information window.
To copy the public key ring file to a diskette: (The public and private key ring files were created in the previous step.)
  1. Expand the System Manager Security folder and select the Certificate Authority application in the navigation area.
  2. Select the Copy this Certificate Authority's Public Key Ring File to diskette task.
  3. The Copy Certificate Authority Public Key to Diskette window opens.
    • If you are going to use the diskette to distribute the public key ring file for remote Web-based System Manager clients on HMC or AIX® systems, insert the diskette media in the drive. The media does not have to be formatted.
    • If you are going to use the diskette to distribute the public key ring file for use on Windows-based PC clients, use a formatted diskette.
  4. When you have inserted the diskette, choose the appropriate selection (for "HMC or AIX Client" or for "PC client") and then click OK.
  5. An information window is displayed when the copy has been completed. Click OK to close the information window.
If you selected "HMC or AIX Client," the diskette contains only one file, SM.pubkr, in TAR format. If you selected "PC Client," the diskette contains only one file, SM.pubkr, in DOS format. Do not copy this file to a network accessible place, such as an FTP server. If a malicious user steals the file, the security mechanism provided by the HMC does not block access from this rogue user.
To install the private key ring file for this server:
  1. Expand the System Manager Security folder, and then select the Server Security application in the Navigation area.
  2. Select the Install the private key ring file for this server task. The Install Private Key Ring File window opens.
    • If you have just generated the pair of private key ring files on your HMC, select the Directory option and then click OK.
    • If the private key ring file is stored in a TAR archive on the HMC, select the TAR file option. Click OK and specify the file name and location.
    • If you have the backup diskette media that stores the server private key ring files, select the TAR diskette option and click OK.
      (You can back up the server private key file using the "Copy Servers' Private Key Ring Files to diskette" task provided in the Certificate Authority application.)
  3. A window opens that prompts you to enter the password that was used for creating the private key on the HMC. Enter the password and click OK.
  4. The information window is displayed once the task has completed. Click OK to close.
Install the Web-based System Manager client on the remote workstation first, and then the security image can be installed.
  1. From the remote client, open a browser to the following URL: http://<HMC_fully_qualified_hostname>/remote_client.html.
  2. Enter a valid user ID and password.
  3. Follow the steps to install the client using either the Install Shield or Java™ Web Start method.
  4. To install the SSL security package for Web-based System Manager, open a browser to the following URL: http://<HMC_fully_qualified_hostname>/remote_client_security.html.
  5. Follow the instructions, using either the Install Shield or Java Web Start method.
Afterward, distribute the Certificate Authority's public key to your Windows®, Linux®, or AIX remote clients. Use command-line or standalone tools to copy the Certificate Authority's public key from removable media to the code base directory of the remote client. The Certificate Authority's public key file must be copied in binary format. The code base directory locations are:
  • On a Windows client: Program files\websm\codebase
  • On an AIX client: /usr/websm/codebase
  • On a Linux client: /opt/websm/codebase
To configure this system as a Secure System Manager Server:
  1. Expand the System Manager Security folder, then select the Server Security application in the Navigation window.
  2. Select the Configure this system as a Secure System Manager Server task.
  3. The Configure System Manager Security wizard opens. Click Next.
  4. The wizard prompts you to select either of the following options:
    • Always use a secure connection. Select this option if you wish to disallow non-SSL connections from remote Web-based System Manager clients to the HMC.
    • Allow the user to choose secure or unsecured connections. This leaves it to the remote user to decide how to connect to the HMC, and that might not be something the systems administrator is willing to allow.
  5. Select the appropriate security option from those just described and select Next.
  6. An information window is displayed. Click OK to close it.
If you have an HMC that is not in a secure area, such as a data center, you might consider giving it a power-on password. This would prevent someone from inserting a bootable diskette or CD and pressing the power button to reboot into standalone mode. The power-on password would need to be entered before the HMC could finish the Initial Program Load (IPL). It would also be required if an attempt was made during IPL to press F1 and launch the setup menu.
There is some risk associated with this. If a password is set and forgotten, it requires a service call to replace the HMC planar or battery -- this can result in a system outage. Therefore, it is imperative that any power-on or administrator password be stored in a secure and readily accessible location.
To configure a power-on password:
  1. Boot the server.
  2. When prompted with the option, press F to enter the configuration utility. (The utility name might vary depending on the HMC model and BIOS level.)
  3. Look for either a System Security or Passwords submenu.
  4. Follow the prompts to create and save a power-on password.
It is possible to disallow remote access to the HMC, meaning that systems administrators would be forced to go to the system console to perform their work. This usually isn't desirable, but it is another security option.
To disable remote Web-based System Manager access:
  1. Edit the open network (typically eth1) Firewall tab to disallow Web-based System Manager through the firewall.
  2. From the command-line interface, enter chhmc -c websm -s disable.

This section covers some maintenance guidelines to help you keep your system secure.
Make sure you keep track of new releases, updates, and emergency fixes. You can do this in two ways:
  • Use the technical support subscription service to receive e-mails when updates become available on the Web.
  • Monitor the Web manually on a regular basis at the Hardware Management Console site.
You can sign up for e-mail notification from a tool under Additional Resources on this HMC Web site.
The subscription Web page has a Bulletins tab. Clicking that tab lets you search for specific information by topic and month. For example, you can search HMC updates under All Topics, Corrective service, or Security fixes.
A systems administrator can monitor activities on an HMC, such as changes to partition profiles or other important actions, from either the graphical or the command-line interface.
To monitor entries from the GUI:
  1. In the Navigation area, click HMC Management.
  2. In the Content window, double-click HMC Configuration.
  3. Select the View Console Events task.
  4. The View Console Events window opens with events listed by date, time, and event.
  5. The View pull-down menu at the top left of the screen lets you select a different time range, or view events in order of occurrence or in reverse order of occurrence.
To view the console events from the command line:
  1. Log in to the HMC with SSH using a valid user ID with the system administrator role.
  2. Enter the command lssvcevents -t console to view console events.
  3. Enter lssvcevents --help to see a description of other flags available to help you narrow a search by topic and date.
You'll find that there are better ways to target the search when you use the command line. You can filter events for specific types of entries, and you can search within specified date ranges more efficiently using the command-line interface.
To enable syslogd and send entries to a remote server:
  1. Log in to the HMC with SSH.
  2. From the command line, enter:
    chhmc -c syslog -s add -h remotehost.company.com
  3. On remotehost.company.com, the syslogd daemon must be running and set up to receive messages over the network. On most Linux systems, this can be done by adding the -r option to the SYSLOGD_OPTIONS in the /etc/sysconfig/syslog file. In AIX, the /etc/syslog.conf file would be edited by un-commenting the appropriate lines at the bottom of the file, such as:
    *.debug /tmp/syslog.out rotate size 100k files 4
    *.crit /dev/console

    Then, the systems administrator would enter:
    # touch /tmp/syslog.out
    # refresh -s syslogd
There is a close relationship between HMC and server firmware. The HMC is used to manage system firmware. New system firmware, such as that issued for a new server, might require an HMC be updated or upgraded to a particular level. Fortunately, HMC code can support multiple system firmware levels, so it is not necessary to update all servers to the latest level found on the newest server.
There is a code matrix that shows the system firmware levels supported by various current HMC levels. The matrix is at POWER5 code matrix. Under Supported code combinations, you'll see charts for servers based on model. There are two classifications: high-end servers and everything else. The chart is color coded.
  • Everything in gray is no longer receiving maintenance updates.
  • Everything in yellow is supported, but at a reduced level.
  • Everything green is considered the maximum stability level.
  • Everything blue represents the latest code level.
From an HMC and system firmware management perspective, you need to be able to support the firmware on the newest server you have received and keep all others in the green or yellow boxes. Fortunately, updating HMC code is less disruptive because it doesn't impact running production servers. An HMC can be rebooted without affecting the LPAR it manages.
IBM has designed the HMC to be a special-purpose server. The code that runs the HMC eliminates many services you would expect to find in an open operating system, such as telnet access, sendmail, and so forth. The HMC uses a restricted shell to restrict access to those commands designed by developers to further the functions required of the HMC.
You must install and manage a new HMC correctly to make sure prudent safeguards are in place. This includes changing passwords and maintaining them over time and being sensitive to network connectivity. The HMC has several mechanisms to help control remote access, including requiring SSL encryption for all remote access.
It is possible, but usually not desirable, to manage an HMC from the console only. For full DLPAR and Service Focal Point function, only one port needs to be open between the HMC and the LPAR it manages, port 657. The HMC can be configured to notify IBM Service over a secure Internet connection when a hardware error has occurred or a problem appears imminent.
Maintaining the HMC, including monitoring for security updates and other corrective service, is a customer responsibility that is made easier with several tools that IBM has made available.
