Hardware Management Console and Support Elements
The Hardware Management Console (HMC) supports many functions and tasks to extend the management capabilities of IBM z14 servers. When tasks are performed on the HMC, the commands are sent to one or more Support Elements (SEs), which then issue commands to their central processor complexes (CPCs).
 
Note: Throughout this chapter, “z14” refers to IBM z14 Model M0x (Machine Type 3906) unless otherwise specified.
11.1 Introduction to the HMC and SE
The HMC is a stand-alone computer that runs a set of management applications. The HMC is a closed system, which means that no other applications can be installed on it.
The HMC is used to set up, manage, monitor, and operate one or more CPCs. It manages IBM Z hardware, its logical partitions (LPARs), and provides support applications. At least one HMC is required to operate an IBM Z server. An HMC can manage multiple Z CPCs, and can be at a local or a remote site.
The SEs are two integrated servers in the A frame that are supplied together with the z14 server. One SE is the primary SE (active) and the other is the alternative SE (backup). As with the HMCs, the SEs are closed systems, and no other applications can be installed on them.
When tasks are performed at the HMC, the commands are routed to the active SE of the CPC. The SE then issues those commands to their CPC. One HMC can control up to 100 SEs and one SE can be controlled by up to 32 HMCs.
Some functions are available only on the SE. With Single Object Operations (SOOs), these functions can be used from the HMC. For more information, see “Single Object Operations” on page 427.
With Driver 27 (Version 2.13.1), the IBM Dynamic Partition Manager (DPM) was introduced for Linux-only CPCs with Fibre Channel Protocol (FCP) attached storage. DPM is a mode of operation that enables customers with little or no knowledge of IBM Z technology to set up the system efficiently and with ease. For more information, see IBM Knowledge Center.
At IBM Knowledge Center, click the search engine window and enter dpm.
The HMC Remote Support Facility (RSF) provides an important communication to a centralized IBM support network for hardware problem reporting and service. For more information, see 11.4, “Remote Support Facility” on page 425.
11.2 HMC and SE changes and new features
The initial release that is included with z14 servers is HMC application Version 2.14.0. Use the “What’s New” task to examine the new features that are available for each release. For more information about HMC and SE functions, use the HMC and SE console help system or see IBM Knowledge Center.
At IBM Knowledge Center, click IBM Z. Then, click z14.
11.2.1 Driver Level 36 HMC and SE new features
The following support has been added with Driver 36:
Dynamic I/O for Standalone CF CPCs (requires z/OS or z/VM support)
CTN Split and CTN merge
Coupling Facility Control Code 23 (enhancements and new features)
Various OSA-ICC 3270 enhancements:
 – IPv6 support
 – TLS level limits negotiation for secure OSA-ICC connections
 – Separate security certificates management (per PCHID)
Support Element remote logging from the HMC (Single Object Operations, SOO) enhancements
Help infrastructure updates
The content from the following publications is incorporated into the HMC and SE help system:
 – IBM Z Hardware Management Console Operations Guide Version 2.14.1
 – IBM Z Hardware Management Console Operations Guide for Ensembles Version 2.14.1
 – IBM Z Support Element Operations Guide Version 2.14.1
11.2.2 Driver Level 32 HMC and SE changes and features
The z14 HMC and SE with Driver Level 32 features the following enhancements and changes:
The Classic User Interface style is no longer supported. The z14 HMC and SE support only the Tree Style User Interface.
A new set of Enhanced Computing features is implemented for tampering protection. For more information, see 11.2.3, “Enhanced Computing and z14 HMC” on page 410.
Starting with Version 2.13.1, HMC tasks no longer include Java Applet-based implementations. Java Applets were used in the Operating System Messages, Integrated 3270 Console, Integrated ASCII Console, and Text Console tasks.
Version 2.14.0 implements a new IOCDS Source option in the Input/Output Configuration task. This option enables you to edit the IOCDS source directly on the HMC console. The alternative method, remote browsing on the Support Element, is still available.
Starting with z14, all FTP operations that originate from the SE are proxied through a managing HMC. This change allows the FTP SE-originated operations to follow our security recommendation.
In addition, all HMC/SE tasks that support FTP provide three options of FTP: FTP, FTPS, and SFTP. For more information, see 11.3.1, “Network planning for the HMC and SE” on page 419.
Secure console-to-console communication was established for z14 HMC consoles, which instituted new security standards (even on internal communication). For more information, see 11.3.1, “Network planning for the HMC and SE” on page 419.
Functional enhancements are included in SNMP/BCPii API interfaces, such as queries to Virtual Flash Memory or queries to Secure Service Container. The security of the BCPii interface was also enhanced. You can disable BCPii’s sending or receiving capability for each partition. The cross-partition authority setting on SE remains the same.
The Remote Browser IP Address Limiting function was implemented for security reasons. It allows you to specify a valid remote browser IP address or a valid mask for a group of IP addresses. The global settings to enable or disable remote access are still available.
Multi-factor authentication was implemented for the z14 HMC/SE/TKE. The feature enables you to log in with a higher security level by using two factors. The first factor is the traditional login and password; the second factor is a passcode that is generated on your smartphone. For more information, see 11.3.6, “HMC Multi-factor authentication” on page 424.
The HMC Global OSA/SF now provides a global view of all OSA PCHIDs and the monitoring and diagnostic information that was available in the Query Host command. For more information, see 11.3.4, “OSA Support Facility changes” on page 422.
Compliance mode for CCA PCI-HSM and EP11 and other certificates is now displayed on the SE. Setup and administration tasks are done on Trusted Key Entry (TKE). For more information, see 11.5.14, “Cryptographic support” on page 443.
Enhancements and changes were made for the Server Time Protocol (STP), which are described in 11.5.7, “Server Time Protocol support” on page 436.
A new Mobile application interface is provided for the HMC 2.14.0 and systems, including z14, z13/z13s, and zEC12/zBC12, which includes security technology. For more information, see 11.4.3, “HMC and SE remote operations” on page 426.
For more information, see the HMC and SE (Version 2.14.0) console help system or see IBM Knowledge Center. At IBM Knowledge Center, click IBM Z. Then, click z14.
11.2.3 Enhanced Computing and z14 HMC
Enhanced Computing is a set of security features that were implemented with z14 HMC Console to improve its resistance to security attacks. z14 HMC consoles, TKE devices, and SEs are firmware-compliant with NIST Computer Security Standard 800-147, which results in the following benefits:
Current IBM Z Firmware is protected during delivery by using Digital Signatures.
BIOS Secure boot function is used by SE/HMC/TKE.
Signature and hash verification of SE/HMC IBM Z firmware.
Non-stop monitoring and checking the integrity of files.
Code measurements are stored in Trusted Platform Module (TPM) on SE and HMC.
Provides security logs for internal analysis.
Trusted third-party validation (IBM Resource Link by using zRSF data).
Analyzes periodic call home measurement data.
Initiates challenge and response to verify authenticity of the data.
Display of local console data analysis, Resource Link analysis, and notification of lack of receiving console data (console locked or blocked network reporting of data).
Firmware tamper detection
z14 also offers an enhancement on the Support Element that provides notification if tampering with the booting of firmware on the server (CPC) is detected (see Figure 11-1 on page 411). This enhancement is designed to meet the BIOS Protection Guidelines that are recommended and published by the National Institute of Standards and Technology (NIST) in Special Publication 800-147B. If tampering is detected, the Support Element issues a customer alert by using a warning or a lock of the Support Element, depending on the configuration.
Figure 11-1 Enhanced computing
 
11.2.4 Rack-mounted HMC
Feature code FC 0083 provides a rack-mounted HMC.
The HMC is a 1U IBM server and includes an IBM 1U standard tray that features a monitor and a keyboard. The system unit and tray must be mounted in the rack in two adjacent 1U locations in the “ergonomic zone” between 21U and 26U in a standard 19-inch rack.
The customer must provide the rack. Three C13 power receptacles are required: Two for the system unit and one for the display and keyboard, as shown in Figure 11-2.
Figure 11-2 Rack-mounted HMC
11.2.5 New SEs
The SEs are no longer two notebook computers in one z14 server. Instead, two servers are now installed at the top of the A frame. They are managed by the keyboards, pointing devices, and displays that are mounted in the front and rear of the tray of the Z frame (where the SE notebooks were in previous IBM Z servers), as shown in Figure 11-3. The SEs include internal USB attached smart card readers to support Flash Express and Feature on Demand (FoD).
Figure 11-3 SEs location
11.2.6 New backup options for HMCs and primary SEs
This section describes the new backup options that are available for HMC Version 2.14.0.
Backup of primary SEs or HMCs to an FTP server
With Driver 32 or later, you can perform a backup of primary SEs or HMCs to a File Transfer Protocol (FTP) server. Starting with z14 systems, you have three FTP options: FTP, FTPS, or SFTP. For more information see 11.3.1, “Network planning for the HMC and SE” on page 419.
 
Note: If you do a backup to an FTP server for a z14 server, ensure that you set up a connection to the FTP server by using the Configure Backup Setting task. If a connection to the FTP server is not set up, a message appears that prompts you to configure the connection.
The FTP server must be supplied by the customer. You can enable a secure FTP connection to your server.
The information that is required to configure your backup FTP server is shown in Figure 11-4.
Figure 11-4 Configure Backup Settings
 
Note: Backup FTP site is a static setting for an HMC. If an alternative FTP site is needed to perform a backup, this process is done from another HMC.
Backing up HMCs
A backup of the HMC can be performed to the following media:
USB flash memory drive (UFD)
FTP server
UFD and FTP server
The destination options of the Backup Critical Console Data task are shown in Figure 11-5.
Figure 11-5 Backup Critical Console Data destinations
Optional 32 GB UFD FC 0848
Starting with the z13 server, a 32 GB UFD is available for backups. An 8 GB UFD is included by default with the system. SE and HMC backup files are larger in later IBM Z servers.
Backup of primary SEs
The backup for the primary SE of a z14 can be made to the following media:
Primary SE HDD and alternative SE HDD
Primary SE HDD and alternative SE HDD and FTP server
It is no longer possible to complete the primary SE backup to a UFD on a z14. The SE backup options for external media are listed in Table 11-1.
Table 11-1 SE Backup options
System Type      UFD Media   FTP Server
z14              No          Yes
z13/z13s         No          Yes
zBX 004          No          Yes
zEC12/zBC12      Yes         No
z196/z114        Yes         No
z10EC/z10BC      Yes         No
z9EC/z9BC        Yes         No
Examples of the different destination options of the SE Backup Critical Data for different CPC machine types are shown in Figure 11-5 on page 413.
For more information, see the HMC and SE console help system or IBM Knowledge Center.
At IBM Knowledge Center, click IBM Z. Then, click z13 or z14.
Scheduled operations for the backup of HMCs and SEs
The Scheduled Operation task with the new backup options for HMC is changed, as shown in Figure 11-6.
Figure 11-6 Scheduled Operation for HMC backup
The Scheduled Operation task with the new backup options for the SEs is changed, as shown in Figure 11-7.
Figure 11-7 Scheduled Operation for SEs backup
11.2.7 SE driver support with the HMC driver
 
HMC legacy systems support (Statement of Direction¹): IBM z14 is planned to be the last release that will allow HMC support across the prior four generations of server (N through N-4).
Future HMC releases are intended to be tested for support of the previous two generations (N through N-2). For example, the next HMC release would support the zNext generation, plus the z14 generation and the z13/z13s generation.
This change will improve the number and extent of new features and functions that can be pre-tested and maintained in a given release with IBM’s continued high-reliability qualification procedures.

¹ All statements regarding IBM plans, directions, and intent are subject to change or withdrawal without notice. Any reliance on these statements of general direction is at the relying party’s sole risk and will not create liability or obligation for IBM.
The driver of the HMC and SE is equivalent to a specific HMC and SE version, as shown in the following examples:
Driver 79 is equivalent to Version 2.10.2
Driver 86 is equivalent to Version 2.11.0
Driver 93 is equivalent to Version 2.11.1
Driver 15 is equivalent to Version 2.12.1
Driver 22 is equivalent to Version 2.13.0
Driver 27 is equivalent to Version 2.13.1
Driver 32 is equivalent to Version 2.14.0
Driver 36 is equivalent to Version 2.14.1
An HMC with Version 2.14.1 or Version 2.14.0 can support different IBM Z types. Some functions that are available on Version 2.14.1 and later are supported only when the HMC is connected to an IBM Z server with Version 2.14.1.
The SE drivers and versions that are supported by the z14 HMC Version 2.14.1 (Driver 36) and earlier versions are listed in Table 11-2.
Table 11-2 Summary of SE drivers
IBM Z family name   Machine type     SE driver   SE version         Ensemble node potential
z14 Model M0x       3906             32, 36      2.14.0, 2.14.1     Yes¹
z14 Model ZR1       3907             32, 36      2.14.0, 2.14.1     Yes¹
z13s                2965             27          2.13.1             Yes¹
z13                 2964             22, 27      2.13.0, 2.13.1     Yes¹
zBX Node            2548 Model 004   22          2.13.0             Required
zBC12               2828             15          2.12.1             Yes
zEC12               2827             15          2.12.1             Yes
z114                2818             93          2.11.1             Yes
z196                2817             93          2.11.1             Yes
z10 BC              2098             79          2.10.2             No
z10 EC              2097             79          2.10.2             No

¹ A CPC in DPM mode cannot be a member of an ensemble; however, the CPC can still be managed by the ensemble HMC.
 
Note: The z9 EC / z9 BC (Driver 67, SE version 2.9.2), the z900/z800 (Driver 3G, SE Version 1.7.3) and z990/z890 (Driver 55, SE Version 1.8.2) systems are no longer supported. If you are using these older systems, consider managing these systems by using separate HMCs that are running older drivers.
11.2.8 HMC feature codes
HMCs that are older than FC 0091 are not supported for z14 servers at Driver 32 or 36.
The following HMC feature codes are available:
FC 0082 M/T 2461-TW2
This feature is a tower model HMC that works with z14, z13, and z13s servers.
FC 0083 M/T 2461-SE1
This feature is the new rack-mounted HMC that works with z14, z13, and z13s servers.
The following previous HMCs can be carried forward (the carry-forward HMCs do not provide the Enhanced Computing features):
Tower FC 0092
Tower FC 0095
1U Rack FC 0094
1U Rack FC 0096
11.2.9 User interface
Starting with HMC Version 2.14.0, only the Tree Style User Interface (the default) is available. The Classic Style User Interface was discontinued.
11.2.10 Customize Product Engineering Access: Best practice
At times, the HMC or the SE must be accessed in a support role to perform problem determination.
The task to set the authorization for IBM Product Engineering access to the console is shown in Figure 11-8. When access is authorized, an IBM product engineer can use an exclusive user ID and reserved password to log on to the console that provides tasks for problem determination.
As shown in Figure 11-8, the task is available only to users with ACSADMIN authority. Consider the following points:
Customers must ensure that they have redundant administrator users for each console.
Customers must document contact information and procedures.
The “Welcome Text” task can be used to identify contact information so that IBM Service personnel know how to engage customer administrators if HMC/SE access is needed.
The options are disabled by default.
Figure 11-8 Customize Product Engineering Access tab
11.3 HMC and SE connectivity
The HMC has two Ethernet adapters that are supported by HMC Driver 22 or later for connectivity to up to two different Ethernet LANs.
The SEs on z14 M0x servers are connected to the System Control Hubs (SCH) to control the internal network. In previous IBM Z servers, the customer network was connected to the bulk power hub (BPH). Now, the SEs are directly connected to the customer network.
HMC-to-CPC communication is now possible only through an Ethernet switch that is connected to the J03 or J04 port on the SEs. Other IBM Z servers and HMCs also can be connected to the switch. To provide redundancy, install two Ethernet switches.
Only the switch (and not the HMC directly) can be connected to the SEs.
The connectivity between HMCs and the SEs is shown in Figure 11-9.
Figure 11-9 HMC and SE connectivity
The LAN ports for the SEs that are installed in the CPC are shown in Figure 11-10.
Figure 11-10 SE Physical connection
Various methods are available for setting up the network. It is your responsibility to plan and design the HMC and SE connectivity. Select the method that is based on your connectivity and security requirements.
 
Security: The configuration of network components, such as routers or firewall rules, is beyond the scope of this book. Whenever the networks are interconnected, security exposures can exist. For more information about HMC security, see Integrating the Hardware Management Console’s Broadband Remote Support Facility into your Enterprise, SC28-6951.
For more information about the HMC settings that are related to access and security, see the HMC and SE (v.2.14.1) console help system or see IBM Knowledge Center.
At IBM Knowledge Center, click IBM Z. Then, click z14.
11.3.1 Network planning for the HMC and SE
Plan the HMC and SE network connectivity carefully to allow for current and future use. Many of the IBM Z capabilities benefit from the various network connectivity options that are available. The following functions, which depend on the HMC connectivity, are available to the HMC:
Lightweight Directory Access Protocol (LDAP) support, which can be used for HMC user authentication
Network Time Protocol (NTP) client/server support
RSF through broadband
HMC access through a remote web browser
Enablement of the SNMP and CIM APIs to support automation or management applications, such as IBM Systems Director Active Energy Manager (AEM)
These examples are shown in Figure 11-11.
Figure 11-11 HMC connectivity
FTP, FTPS, and SFTP support
The FTP, FTPS, and SFTP protocols are now supported in the HMC/SE environment. All three protocols require login and password credentials.
FTPS is based on the Secure Sockets Layer (SSL) cryptographic protocol and requires certificates to authenticate servers. SFTP is based on the Secure Shell (SSH) cryptographic protocol and requires SSH keys to authenticate servers. The required certificates and key pairs are hosted on the z14 HMC console.
All three protocols are supported for tasks that previously used only FTP. Several tasks that previously used only removable media now use FTP connections on the z14 HMC console. The recommended network topology for the HMC, SE, and FTP server is shown in Figure 11-12.
Figure 11-12 Recommended Network Topology for HMC, SE, and FTP server
The following FTP server requirements must be met:
Must support “passive” data connections
Must be configured to allow the client to connect on an ephemeral port
The following FTPS server requirements must be met:
Must operate in “explicit” mode
Must allow the server to offer secure and unsecured connections
Must support “passive” data connections
Must support secure data connections
SFTP servers must support password-based authentication.
The FTP server choices for HMC are shown in Figure 11-13.
Figure 11-13 New FTP protocols drop-down list
FTP through HMC
It is highly recommended to keep IBM Z servers, HMC consoles, and SEs on an isolated network. This approach prevents SEs from making FTP connections to outside networks and applies to all supported FTP protocols: FTP, FTPS, and SFTP.
With the z14 HMC, all FTP connections that originate from SEs are routed through HMC consoles. Secure FTP server credentials must be imported to one or more managing HMC consoles.
The HMC console performs the FTP operation on the SE’s behalf and returns the results to the SE. The IBM Z platform must be managed by at least one HMC for FTP operations to work.
Secure console-to-console communication
Before z14, IBM Z HMC consoles used anonymous cipher suites to set up console-to-console communication. Anonymous cipher suites are part of the SSL/TLS protocol and can be used to create internal point-to-point connections. An anonymous cipher suite does not exchange certificates, so neither side is authenticated, which can be the source of a security breach.
Therefore, z14 HMC consoles abandon anonymous cipher suites and implement an industry standard-based, password-driven cryptographic system. The Domain Security Settings are used to provide authentication and high-quality encryption. Because of these changes, we now recommend that customers use unique Domain Security settings to provide maximum security. The new system provides greater security than anonymous cipher suites, even if the default settings are used.
To allow greater flexibility in password selection, the password limit was increased to 64 characters and special characters are allowed for z14 only installations. If communication with older systems is needed, the previous password limits must be followed (6 - 8 characters, only uppercase and number characters allowed).
For more information about HMC networks, see the following resources:
The HMC and SE (Version 2.14.0) console help system, or see IBM Knowledge Center.
At IBM Knowledge Center, click IBM Z. Then, click z14.
IBM z14 Installation Manual for Physical Planning, GC28-6965.
11.3.2 Hardware prerequisite changes
The following HMC changes are important for z14 servers:
IBM does not provide Ethernet switches with the system.
Ethernet switches
Ethernet switches for HMC and SE connectivity are provided by the customer. Existing supported switches can still be used.
Ethernet switches and hubs often include the following characteristics:
A total of 16 auto-negotiation ports
100/1000 Mbps data rate
Full or half duplex operation
Auto medium-dependent interface crossover (MDIX) on all ports
Port status LEDs
 
Note: The recommendation is to use 1000 Mbps/Full duplex.
RSF is broadband-only
RSF through a modem is not supported on the z14 HMC. Broadband is needed for hardware problem reporting and service. For more information, see 11.4, “Remote Support Facility” on page 425.
11.3.3 TCP/IP Version 6 on the HMC and SE
The HMC and SE can communicate by using IPv4, IPv6, or both. Assigning a static IP address to an SE is unnecessary if the SE communicates only with HMCs on the same subnet. The HMC and SE can use IPv6 link-local addresses to communicate with each other.
IPv6 link-local addresses feature the following characteristics:
Every IPv6 network interface is assigned a link-local IP address.
A link-local address is used on a single link (subnet) only and is never routed.
Two IPv6-capable hosts on a subnet can communicate by using link-local addresses, without having any other IP addresses assigned.
11.3.4 OSA Support Facility changes
After OSA/SF was moved from z/OS to the HMC/SE environment, it was noted that it was no longer easy to obtain a global view of all OSA PCHIDs and the monitoring and diagnostic information that was previously available in the Query Host command.
To address this issue, the following changes were made:
If a CPC is targeted, the initial panel provides a global view of all OSA PCHIDs.
The user can browse to various OSA Advanced Facilities subtasks from the initial panel, which makes the process of getting to them less cumbersome.
Currently, the View Port Parameters and Display OAT Entries actions support exporting the data of one OSA PCHID. A new action is added to the initial panel that exports the data for all OSA PCHIDs.
The initial panel was changed to display status information of all OSA PCHID (see Figure 11-14).
Figure 11-14 OSA Advanced Facilities panel
11.3.5 Assigning addresses to the HMC and SE
An HMC can have the following IP configurations:
Statically assigned IPv4 or statically assigned IPv6 addresses
Dynamic Host Configuration Protocol (DHCP)-assigned IPv4 or DHCP-assigned IPv6 addresses
Auto-configured IPv6:
 – Link-local is assigned to every network interface.
 – Router-advertised, which is broadcast from the router, can be combined with a Media Access Control (MAC) address to create a unique address.
 – Privacy extensions can be enabled for these addresses as a way to avoid the use of the MAC address as part of the address to ensure uniqueness.
An SE can have the following IP addresses:
Statically assigned IPv4 or statically assigned IPv6
Auto-configured IPv6 as link-local or router-advertised
IP addresses on the SE cannot be dynamically assigned through DHCP to ensure repeatable address assignments. Privacy extensions are not used.
The HMC uses IPv4 and IPv6 multicasting to automatically discover SEs. The HMC Network Diagnostic Information task can be used to identify the IP addresses (IPv4 and IPv6) that are being used by the HMC to communicate with the CPC SEs.
IPv6 addresses are easily identified. A fully qualified IPv6 address is 16 bytes long. It is written as eight 16-bit hexadecimal blocks that are separated by colons, as shown in the following example:
2001:0db8:0000:0000:0202:b3ff:fe1e:8329
Because many IPv6 addresses are not fully qualified, shorthand notation can be used. In shorthand notation, the leading zeros can be omitted, and a series of consecutive zeros can be replaced with a double colon. The address in the previous example also can be written in the following manner:
2001:db8::202:b3ff:fe1e:8329
If an IPv6 address is assigned to the HMC for remote operations that use a web browser, browse to it by specifying that address. The address must be surrounded with square brackets in the browser’s address field, as shown in the following example:
https://[fdab:1b89:fc07:1:201:6cff:fe72:ba7c]
The use of link-local addresses must be supported by your browser.
11.3.6 HMC Multi-factor authentication
Multi-factor authentication is an optional feature, which is configured on a per-user, per-template basis. It enhances the security of z14 systems by requiring not only something you know (the first factor), but also something you have, which means that only the person who owns a specific phone can log in.
Multi-factor authentication first factor is login and password; the second factor is a time-based, one-time password that is sent to your smartphone. This password is defined in RFC 6238 standard and uses a cryptographic hash function that combines a secret key with the current time to generate a one-time password.
The secret key is generated by HMC/SE/TKE while the user is performing first factor logon. The secret key is known only to HMC/SE/TKE and to the user’s smartphone. For that reason it needs to be protected as much as your first factor password.
Multi-factor authentication code (MFA code) that was generated as a second factor is time-sensitive. Therefore, it is important to remember that it should be used soon after it is generated.
The algorithm within the HMC that is responsible for MFA code generation changes the code every 30 seconds. However, to make things easier, the HMC and SE console accepts current, previous, and next MFA codes. It is also important to have HMC, SE, TKE, and smartphone clocks synced. If the clocks are not synced, the MFA logon attempt fails. Another important fact is that time zone differences are irrelevant because the MFA code algorithm uses UTC.
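The following example, added here and not taken from the HMC code or IBM documentation, implements the RFC 6238 time-based one-time password described above and a verifier that accepts the current, previous, and next 30-second codes. It assumes the RFC default of HMAC-SHA1 and 6-digit codes (the text does not state the HMC’s hash or code length) and uses the RFC 4226/6238 reference test key as a constructed secret, not a key from any HMC.

```python
import hashlib
import hmac
import struct

# Constructed secret: the RFC 4226/6238 reference test key, NOT a key from any HMC.
# A real HMC/SE/TKE generates its own secret during the first-factor logon.
RFC_TEST_SECRET = b"12345678901234567890"

TIME_STEP_SECONDS = 30   # the text states that the HMC changes the code every 30 seconds
DIGITS = 6               # assumption: 6-digit codes; the text does not state the length
ACCEPTED_WINDOW = 1      # the text states that current, previous, and next codes are accepted


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def time_step(unix_seconds: int, step: int = TIME_STEP_SECONDS) -> int:
    """Counter derived from the clock. Unix time is UTC, so time zones are irrelevant,
    but the HMC, SE, TKE, and smartphone clocks must agree to within the accepted window."""
    return int(unix_seconds) // step


def totp(secret: bytes, unix_seconds: int) -> str:
    """RFC 6238 TOTP: HOTP with the current time step as the counter (what the smartphone shows)."""
    return hotp(secret, time_step(unix_seconds))


def verify_mfa_code(secret: bytes, code: str, unix_seconds: int,
                    window: int = ACCEPTED_WINDOW) -> bool:
    """Verifier-side check mirroring the HMC behaviour described above: accept the code for the
    current step and for `window` steps before and after it, using a constant-time comparison."""
    current = time_step(unix_seconds)
    for step in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, step).encode(), code.encode()):
            return True
    return False


def seconds_until_code_changes(unix_seconds: int, step: int = TIME_STEP_SECONDS) -> int:
    """How long the code shown right now remains the 'current' code."""
    return step - (int(unix_seconds) % step)


if __name__ == "__main__":
    now = 59  # fixed instant from the RFC 6238 test vectors (step 1), for a repeatable run
    code = totp(RFC_TEST_SECRET, now)
    print(f"code at t={now}: {code}, changes in {seconds_until_code_changes(now)} s")
    # Smartphone clock 30 s ahead: its code is one step ahead and is still accepted.
    print("clock +30 s accepted:", verify_mfa_code(RFC_TEST_SECRET, totp(RFC_TEST_SECRET, now + 30), now))
    # Smartphone clock 2 minutes ahead: outside the +/-1 step window, so the logon fails.
    print("clock +120 s accepted:", verify_mfa_code(RFC_TEST_SECRET, totp(RFC_TEST_SECRET, now + 120), now))
```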
11.4 Remote Support Facility
The HMC RSF provides important communication to a centralized IBM support network for hardware problem reporting and service. The following types of communication are provided:
Problem reporting and repair data
Microcode Change Level (MCL) delivery
Hardware inventory data, which is also known as vital product data (VPD)
On-demand enablement
 
Consideration: RSF through a modem is not supported on the z14 HMC. Broadband connectivity is needed for hardware problem reporting and service.
11.4.1 Security characteristics
The following security characteristics are in effect:
RSF requests are always initiated from the HMC to IBM. An inbound connection is never started from the IBM Service Support System.
All data that is transferred between the HMC and the IBM Service Support System is encrypted with high-grade SSL/Transport Layer Security (TLS) encryption.
When starting the SSL/TLS-encrypted connection, the HMC validates the trusted host with the digital signature that is issued for the IBM Service Support System.
Data that is sent to the IBM Service Support System consists of hardware problems and configuration data.
 
More information: For more information about the benefits of Broadband RSF and the SSL/TLS-secured protocol, and a sample configuration for the Broadband RSF connection, see Integrating the HMC Broadband Remote Support Facility into Your Enterprise, SC28-6927.
11.4.2 RSF connections to IBM and Enhanced IBM Service Support System
If the HMC and SE are at Driver 22 or later, the driver uses a new remote infrastructure at IBM when the HMC connects through RSF for certain tasks. Check your network infrastructure settings to ensure that this new infrastructure works.
At the time of this writing, RSF still uses the “traditional” RETAIN connection. You must add access to the new Enhanced IBM Service Support System to your current RSF infrastructure (proxy, firewall, and so on).
To have the best availability and redundancy and to be prepared for the future, the HMC must access IBM through RSF over the internet. Transmission to the enhanced IBM Support System requires a domain name server (DNS). The DNS must be configured on the HMC if you are not using a proxy for RSF. If you are using a proxy for RSF, the proxy must provide the DNS.
Your network infrastructure must allow the HMC to access the following host names:
www-945.ibm.com on port 443
esupport.ibm.com on port 443
The following IP addresses (IPv4, IPv6, or both) can be used:
IBM Enhanced support facility:
 – IPV4:
 • 129.42.56.189
 • 129.42.60.189
 • 129.42.54.189
 – IPV6:
 • 2620:0:6c0:200:129:42:56:189
 • 2620:0:6c2:200:129:42:60:189
 • 2620:0:6c4:200:129:42:54:189
Legacy IBM support Facility:
 – IPV4:
 • 129.42.26.224
 • 129.42.42.224
 • 129.42.50.224
 – IPV6:
 • 2620:0:6c0:1::1000
 • 2620:0:6c2:1::1000
 • 2620:0:6c4:1::1000
 
Note: All other previous IP addresses are no longer supported.
11.4.3 HMC and SE remote operations
You can use the following methods to perform remote manual operations on the HMC:
Use of a remote HMC
A remote HMC is a physical HMC that is on a different subnet from the SE. This configuration prevents the SE from being automatically discovered with IP multicast.
A remote HMC requires TCP/IP connectivity to each SE to be managed. Therefore, any customer-installed firewalls between the remote HMC and its managed objects must permit communication between the HMC and the SE. For service and support, the remote HMC also requires connectivity to IBM, or to another HMC with connectivity to IBM through RSF. For more information, see 11.4, “Remote Support Facility” on page 425.
Use of a web browser to connect to an HMC
The z14 HMC application simultaneously supports one local user and any number of remote users. The user interface in the web browser is the same as on the local HMC and offers the same functions, with a few exceptions that are not available remotely.
Access by the UFD requires physical access to the HMC. Logon security for a web browser is provided by the local HMC user logon procedures. Certificates for secure communications are provided, and can be changed by the user. A remote browser session to the primary HMC that is managing an ensemble allows a user to perform ensemble-related actions, such as limiting remote web browser access.
You can now limit remote web browser access by specifying an IP address from the Customize Console Services task. To enable or disable the Remote operation service, click Change... in the Customize Console Services window, as shown in Figure 11-15.
Figure 11-15 Customizing HMC remote operation
Microsoft Internet Explorer, Mozilla Firefox, and Google Chrome were tested as remote browsers. For more information about web browser requirements, see the HMC and SE console help system or IBM Knowledge Center.
At IBM Knowledge Center, click IBM Z. Then, click z14.
Single Object Operations
It is not necessary to be physically close to a SE to use it. The HMC can be used to access the SE remotely by using the SOO task. The interface is the same as the interface that is used on the SE. For more information, see the HMC and SE console help system or IBM Knowledge Center.
At IBM Knowledge Center, click IBM Z. Then, click z14.
HMC mobile interface
The new mobile application interface allows HMC users to securely monitor and manage systems from anywhere. iOS and Android HMC applications are available to provide system and partition views, the ability to monitor status and Hardware and Operating System Messages, and the ability to receive mobile push notifications from the HMC by using the existing zRSF (IBM Z Remote Support Facility) connection.
A full set of granular security controls is provided, from the HMC console level down to the individual user, including monitor-only access, a mobile app password, and multi-factor authentication. This mobile interface is optional and is disabled by default.
11.5 HMC and SE key capabilities
The HMC and SE feature many capabilities. This section describes the key areas. For more information about these capabilities, see the HMC and SE (Version 2.14.0) console help system or IBM Knowledge Center.
At IBM Knowledge Center, click IBM Z. Then, click z14.
11.5.1 Central processor complex management
The HMC is the primary place for CPC control. For example, the input/output configuration data set (IOCDS) includes definitions of LPARs, channel subsystems, control units, and devices, and their accessibility from LPARs. An IOCDS can be created and put into production from the HMC.
The HMC is used to start the power-on reset (POR) of the server. During the POR, processor units (PUs) are characterized and placed into their respective pools, memory is put into a single storage pool, and the IOCDS is loaded and initialized into the hardware system area (HSA).
The hardware messages task displays hardware-related messages at the CPC, LPAR, or SE level. It also displays hardware messages that relate to the HMC.
11.5.2 LPAR management
Use the HMC to define LPAR properties, such as the number of processors of each type, how many are reserved, and how much memory is assigned to it. These parameters are defined in LPAR profiles and stored on the SE.
Processor Resource/Systems Manager (PR/SM) manages LPAR access to processors by using the initial weight of each partition; the weights prioritize partition access to shared processors.
You can use the Load task on the HMC to perform an IPL of an operating system. This task causes a program to be read from a designated device, and starts that program. You can perform the IPL of the operating system from storage, the HMC DVD-RAM drive, the USB flash memory drive (UFD), or an FTP server.
When an LPAR is active and an operating system is running in it, you can use the HMC to dynamically change certain LPAR parameters. The HMC provides an interface to change partition weights, add logical processors to partitions, and add memory.
LPAR weights can also be changed through a scheduled operation. Use the Customize Scheduled Operations task to define the weights that are set to LPARs at the scheduled time.
Channel paths can be dynamically configured on and off (as needed for each partition) from an HMC.
The Change LPAR Controls task for z14 servers can export the Change LPAR Controls table data to a comma-separated value (.csv)-formatted file. This support is available to a user when they are connected to the HMC remotely by a web browser.
Partition capping values can be scheduled and are specified on the Change LPAR Controls scheduled operation support. Viewing more information about a Change LPAR Controls scheduled operation is available on the SE.
Absolute physical HW LPAR capacity setting
Driver 15 introduced the capability to define (in the image profile for shared processors) the absolute processor capacity that the image is allowed to use (independent of the image weight or other cappings).
To apply absolute capping to the shared (non-dedicated) processors of an LPAR, select Absolute capping on the Image Profile Processor settings and specify the absolute number of processors at which to cap the LPAR’s activity. The absolute capping value can be “None” or a number of processors (0.01 - 255.0).
LPAR group absolute capping
LPAR group absolute capping is the next step in the partition capping options that are available on z14 and z13/z13s servers at Driver level 27 and later. Following on from LPAR absolute capping, LPAR group absolute capping uses a similar methodology to address the following use cases:
Customer licensing
Non-z/OS partitions where group soft capping is not an option
z/OS partitions where ISV does not support software capping
A group name, processor capping value, and partition membership are specified at the hardware console, along with the following properties:
Set an absolute capacity cap by CPU type on a group of LPARs.
Allows each of the partitions to use capacity up to their individual limits if the group's aggregate consumption does not exceed the group absolute capacity limit.
Includes updated SysEvent QVS support (used by vendors who implement software pricing).
Only shared partitions are managed in these groups.
Can specify caps for one or more processor types in the group.
Specified in absolute processor capacity (for example, 2.5 processors).
Use Change LPAR Group Controls (as with windows that are used for software group-defined capacity), as shown in Figure 11-16 (snapshot on a z13 server).
Figure 11-16 Change LPAR Group Controls: Group absolute capping
Absolute capping is specified as an absolute number of processors to which the group's activity is capped. The value is specified to hundredths of a processor (for example, 4.56 processors) worth of capacity.
The value is not tied to the Licensed Internal Code (LIC) configuration code (LICCC). Any value 0.01 - 255.00 can be specified. This configuration makes the profiles more portable and means that you do not have issues in the future when profiles are migrated to new machines.
Although the absolute cap can be specified to hundredths of a processor, the exact amount might not be that precise. The same factors that influence the “machine capacity” also influence the precision with which the absolute capping works.
11.5.3 Operating system communication
The Operating System Messages task displays messages from an LPAR. You also can enter operating system commands and interact with the system. This task is especially valuable for entering Coupling Facility Control Code (CFCC) commands.
The HMC also provides integrated 3270 and ASCII consoles. These consoles allow an operating system to be accessed without requiring other network connectivity or devices, such as TCP/IP or control units.
Updates to x3270 support
The Configure 3270 Emulators task on the HMC and TKE consoles was enhanced with Driver 15 to verify the authenticity of the certificate that is returned by the 3270 server when a secure and encrypted SSL connection is established to an IBM host. This 3270 Emulator with encrypted connection is also known as Secure 3270.
Use the Certificate Management task if the certificates that are returned by the 3270 server are not signed by a well-known trusted certificate authority (CA) certificate, such as VeriSign or Geotrust. An advanced action within the Certificate Management task, Manage Trusted Signing Certificates, is used to add trusted signing certificates.
For example, if the certificate that is associated with the 3270 server on the IBM host is signed and issued by a corporate certificate, it must be imported, as shown in Figure 11-17.
Figure 11-17 Manage Trusted Signing Certificates
The import from the remote server option can be used if the connection between the console and the IBM host can be trusted when the certificate is imported, as shown in Figure 11-18 on page 431. Otherwise, import the certificate by using removable media.
Figure 11-18 Import Remote Certificate example
A secure Telnet connection is established by adding the prefix L: to the IP address:port of the IBM host, as shown in Figure 11-19.
Figure 11-19 Configure 3270 Emulators
11.5.4 HMC and SE microcode
The microcode for the HMC, SE, and CPC is included in the driver or version. The HMC provides the management of the driver upgrade through Enhanced Driver Maintenance (EDM). EDM also provides the installation of the latest functions and the patches (MCLs) of the new driver.
When you perform a driver upgrade, always check the Driver (xx) Customer Exception Letter option in the Fixes section at the IBM Resource Link.
Microcode Change Level
Regular installation of Microcode Change Levels (MCLs) is key for reliability, availability, and serviceability (RAS), optimal performance, and new functions. Follow these practices:
Install MCLs on a quarterly basis at a minimum.
Review hiper MCLs continuously to decide whether to wait for the next scheduled fix application session or to schedule one earlier if the risk assessment warrants.
 
Tip: The IBM Resource Link (registration is required to access it) provides access to the system information for your IBM Z server according to the system availability data that is sent on a scheduled basis. It provides more information about the MCL status of your z14 servers. For more information about accessing the Resource Link, see the IBM Resource Link website.
At the Resource Link website, click Tools → Machine Information, choose your IBM Z server, and then, click EC/MCL.
Microcode terms
The microcode features the following characteristics:
The driver contains engineering change (EC) streams.
Each EC stream covers the code for a specific component of z14 servers. It includes a specific name and an ascending number.
An EC stream name together with a specific number identifies one MCL.
MCLs from the same EC stream must be installed in sequence.
MCLs can include installation dependencies on other MCLs.
Combined MCLs from one or more EC streams are in one bundle.
An MCL contains one or more Microcode Fixes (MCFs).
How the driver, bundle, EC stream, MCL, and MCFs interact with each other is shown in Figure 11-20.
Figure 11-20 Microcode terms and interaction
Microcode installation by MCL bundle target
A bundle is a set of MCLs that are grouped during testing and released as a group on the same date. You can install an MCL to a specific target bundle level. The System Information window is enhanced to show a summary bundle level for the activated level, as shown in Figure 11-21.
Figure 11-21 System Information: Bundle level
OSC Concurrent Patch
Concurrent patch for OSC channels is now supported.
 
11.5.5 Monitoring
This section describes monitoring considerations.
Monitor task group
The Monitor task group on the HMC and SE includes monitoring-related tasks for z14 servers, as shown in Figure 11-22.
Figure 11-22 HMC Monitor Task Group
The Monitors Dashboard task
The Monitors Dashboard task supersedes the System Activity Display (SAD). In the z14 server, the Monitors Dashboard task in the Monitor task group provides a tree-based view of resources.
Multiple graphical views exist for displaying data, including history charts. The Open Activity task (known as SAD) monitors processor and channel usage. It produces data that includes power monitoring information, power consumption, and the air input temperature for the server.
An example of the Monitors Dashboard task is shown in Figure 11-23.
Figure 11-23 Monitors Dashboard task
You can display more information for the following components (see Figure 11-24):
Power consumption
Environmentals
Aggregated processors
Processors (with SMT information)
System Assist Processors
Logical Partitions
Channels
Adapters: Crypto utilization percentage is displayed according to the physical channel ID (PCHID) number.
Figure 11-24 Monitors dashboard Detailed settings
Environmental Efficiency Statistics task
The Environmental Efficiency Statistics task is part of the Monitor task group. It provides historical power consumption and thermal information for the zEnterprise CPC, and is available on the HMC.
The data is presented in table format and graphical “histogram” format. The data also can be exported to a .csv-formatted file so that the data can be imported into a spreadsheet. For this task, you must use a web browser to connect to an HMC.
11.5.6 Capacity on-demand support
All capacity on demand (CoD) upgrades are performed by using the SE Perform a Model Conversion task. Use the task to retrieve and activate a permanent upgrade, and to retrieve, install, activate, and deactivate a temporary upgrade. The task shows a list of all installed or staged LICCC records to help you manage them. It also shows a history of recorded activities.
The HMC for IBM z14 servers features the following CoD capabilities:
SNMP API support:
 – API interfaces for granular activation and deactivation
 – API interfaces for enhanced CoD query information
 – API event notification for any CoD change activity on the system
 – CoD API interfaces, such as On/Off CoD and Capacity BackUp (CBU)
SE window features (accessed through HMC Single Object Operations):
 – Window controls for granular activation and deactivation
 – History window for all CoD actions
 – Description editing of CoD records
HMC/SE provides the following CoD information:
 – Millions of service units (MSU) and processor tokens
 – Last activation time
 – Pending resources that are shown by processor type instead of only a total count
 – Option to show more information about installed and staged permanent records
 – More information for the Attention state by providing seven more flags
HMC and SE are a part of the z/OS Capacity Provisioning environment. The Capacity Provisioning Manager (CPM) communicates with the HMC through IBM Z APIs, and enters CoD requests. For this reason, SNMP must be configured and enabled by using the Customize API Settings task on the HMC.
For more information about using and setting up CPM, see the following publications:
z/OS MVS™ Capacity Provisioning User’s Guide, SC33-8299
IBM Z System Capacity on Demand User’s Guide, SC28-6943
11.5.7 Server Time Protocol support
With the STP functions, the role of the HMC is extended to provide the user interface for managing the Coordinated Timing Network (CTN). Consider the following points:
z14 servers rely on STP for time synchronization, and continue to provide support of a pulse per second (PPS) port. STP with PPS maintains an accuracy of 10 microseconds as measured at the PPS input of the z14 server. If STP uses a Network Time Protocol (NTP) server without PPS, time accuracy of 100 milliseconds to the External Time Source (ETS) is maintained.
The z14 server cannot be in the same CTN with a z196 system or earlier systems, and cannot become a member of a mixed CTN.
An STP-only CTN can be managed by using different HMCs. However, the HMC must be at the same driver level as (or a later level than) any SE that is to be managed. Also, all SEs to be managed must be known (defined) to that HMC.
In an STP-only CTN, the HMC can be used to perform the following tasks:
Initialize or modify the CTN ID.
Initialize the time (manually or by contacting an NTP server).
Initialize the time zone offset, Daylight Saving Time offset, and leap second offset.
Assign the roles of preferred, backup, and current time servers, and arbiter.
Adjust time by up to plus or minus 60 seconds.
Schedule changes to the offsets listed. STP can automatically schedule Daylight Saving Time, based on the selected time zone.
Monitor the status of the CTN.
Monitor the status of the coupling links that are initialized for STP message exchanges.
For diagnostic purposes, the PPS port state on a z14 server can be displayed and fenced ports can be reset individually.
STP changes and enhancements
The STP-related functions were changed significantly and gained a new, intuitive GUI. Administrators of IBM Z are guided through a system time management workflow, which reduces the need to refer to external documentation.
The in-line definition of technical terms eliminates the need to look up documentation to determine definitions. Detailed instructions and guidelines are provided within the task workflow.
New tasks provide a visual representation of the STP topology. Current system time networks are shown in a topological display, and a preview of any configuration action is also shown in a topological display. These changes give administrators more confidence and help catch more errors before they are committed.
Attention: A Schedule leap second offset change to 26 seconds that is scheduled for 12/31/2014 is shown in Figure 11-25. This leap is not a real leap second that was released by the International Earth Rotation and Reference Systems Service. It was set temporarily only to show the panel appearance.
Figure 11-25 CTN topology visible on HMC Manage System Time window
 
Enhanced Console Assisted Recovery
Enhanced Console Assisted Recovery (ECAR) speeds up the process of BTS takeover by performing the following steps:
1. When the Primary Time Server (PTS/CTS) detects a checkstop condition, the CEC informs its SE and HMC.
2. The PTS SE recognizes the checkstop pending condition, and calls the PTS SE STP code.
3. The PTS SE sends an ECAR request through the HMC to the Backup Time Server (BTS) SE.
4. The BTS SE communicates with the BTS to start the takeover.
ECAR support is faster than the original CAR support because the console path changes from a 2-way path to a 1-way path. Also, almost no lag time is incurred between the system checkstop and the start of CAR processing. Because the request is generated from the PTS before system logging, it avoids the potential of recovery being held up.
Requirements
ECAR is available on z14 and z13/z13s servers on Driver 27 and later only. In a mixed environment with previous generation machines, you should define a z14, z13, or z13s server as the PTS and CTS.
For more information about planning and setup, see the following publications:
Server Time Protocol Planning Guide, SG24-7280
Server Time Protocol Implementation Guide, SG24-7281
Server Time Protocol Recovery Guide, SG24-7380
11.5.8 CTN Split and Merge
With HMC 2.14.1, STP management was enhanced with two new actions: CTN split and CTN merge.
CTN Split
The HMC menus for Server Time Protocol (STP) were enhanced to provide support when one or more systems must be split into a separate CTN without interruption in the clock source.
The task is available under the Advanced Actions option in the Manage System Time task. Several checks are performed to avoid potentially disruptive actions. If the targeted CTN has only members that hold STP roles, the task launch fails with an error message. If the targeted CTN has at least one system without any role, the task launches. An informational warning asks the user to acknowledge that sysplex workloads are divided appropriately.
Merging two CTNs
When two separate CTNs must be merged into a single CTN without interruption in the clock source, the system administrator must perform the “Join existing CTN” action, which is started from the Advanced Actions option.
 
Note: After joining the selected CTN, all systems within the current CTN are synchronized with the Current Time Server of the selected CTN. A coupling link must be in place connecting the CTS of the selected CTN and the CTS of the current CTN.
During the transition state, most of the STP actions for the two affected CTNs are disabled. After the merge is completed, STP actions are enabled again.
For more information about planning and understanding STP server roles, see the following publications:
Server Time Protocol Planning Guide, SG24-7280
Server Time Protocol Implementation Guide, SG24-7281
Server Time Protocol Recovery Guide, SG24-7380
 
11.5.9 NTP client and server support on the HMC
The NTP client support allows an STP-only CTN to use an NTP server as an ETS. This capability addresses the following requirements:
Clients who want time accuracy for the STP-only CTN
Clients who use a common time reference across heterogeneous systems
The NTP server becomes the single time source (the ETS) for STP and for other servers that are not IBM Z servers (such as AIX® and Microsoft Windows) that include NTP clients.
The HMC can act as an NTP server. With this support, the z14 server can receive the time from the HMC without accessing a LAN other than the HMC and SE network. When the HMC is used as an NTP server, it can be configured to receive the NTP source from the internet. For this type of configuration, a LAN that is separate from the HMC/SE LAN can be used.
HMC NTP broadband authentication support
HMC NTP authentication is available since HMC Driver 15. The SE NTP support is unchanged. To use this option on the SE, configure the HMC with this option as an NTP server for the SE.
Authentication support with a proxy
Some client configurations use a proxy for external access outside the corporate data center. NTP requests are User Datagram Protocol (UDP) socket packets and cannot pass through the proxy. The proxy must be configured as an NTP server to get to target servers on the web. Authentication can be set up on the client’s proxy to communicate with the target time sources.
Authentication support with a firewall
If you use a firewall, HMC NTP requests can pass through it. Use HMC authentication to ensure untampered time stamps.
NTP symmetric key and autokey authentication
With symmetric key and autokey authentication, the highest level of NTP security is available. HMC Level 2.12.0 and later provide windows that accept and generate key information to be configured into the HMC NTP configuration. They can also issue NTP commands.
The HMC offers the following symmetric key and autokey authentication and NTP commands:
Symmetric key (NTP V3-V4) authentication
Symmetric key authentication is described in RFC 1305, which was made available in NTP Version 3. Symmetric key encryption uses the same key for encryption and decryption. The parties that exchange data keep this key secret. Messages encrypted with a secret key can be decrypted only with the same secret key. Symmetric key authentication supports network address translation (NAT).
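The symmetric-key scheme above, as an added example that is not HMC code: a constructed NTPv4 server reply is protected by a key-ID plus digest MAC computed with a shared secret, then verified, including the failure modes an NTP client must catch (tampered timestamp, unknown key ID, missing MAC). The MAC layout (4-byte key ID, then MD5 or SHA-1 over the secret followed by the packet) follows the NTPv4 reference implementation; the key table and secrets are constructed samples, and extension fields are not handled.

```python
"""Added example: NTP symmetric-key authentication of a time packet."""
import hashlib
import hmac
import struct

NTP_EPOCH_OFFSET = 2_208_988_800   # seconds from 1900-01-01 to 1970-01-01
HEADER_LEN = 48

# Constructed key table: key ID -> shared secret (in ntpd this is ntp.keys)
KEYS = {
    7: b"constructed-shared-secret-7",
    42: b"another-constructed-secret-42",
}


def to_ntp_timestamp(unix_seconds):
    """Convert a Unix time to the 64-bit NTP timestamp (seconds, fraction)."""
    secs = int(unix_seconds) + NTP_EPOCH_OFFSET
    frac = int((unix_seconds - int(unix_seconds)) * (1 << 32))
    return struct.pack("!II", secs, frac)


def build_server_reply(transmit_unix, stratum=2):
    """Build a constructed NTPv4 mode-4 (server) header; the transmit
    timestamp is the value a client would trust, other fields are illustrative."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4        # LI=0, VN=4, mode=4 (server)
    poll, precision = 6, -20
    root_delay = root_dispersion = 0
    reference_id = b"PPS\x00"                   # illustrative reference ID
    return (struct.pack("!BBbbII4s", li_vn_mode, stratum, poll, precision,
                        root_delay, root_dispersion, reference_id)
            + to_ntp_timestamp(transmit_unix - 64)    # reference timestamp
            + to_ntp_timestamp(0)                     # origin timestamp
            + to_ntp_timestamp(transmit_unix - 0.01)  # receive timestamp
            + to_ntp_timestamp(transmit_unix))        # transmit timestamp


def sign(packet, key_id, algo="md5"):
    """Append the symmetric-key MAC: key ID, then digest(secret || packet)."""
    secret = KEYS[key_id]
    digest = hashlib.new(algo, secret + packet).digest()
    return packet + struct.pack("!I", key_id) + digest


def verify(message, keys=KEYS):
    """Return (ok, reason). Accepts MD5 (16-byte) or SHA-1 (20-byte) digests
    after the 48-byte header; anything else is treated as unauthenticated."""
    if len(message) < HEADER_LEN:
        return False, "short packet"
    algo = {20: "md5", 24: "sha1"}.get(len(message) - HEADER_LEN)
    if algo is None:
        return False, "unauthenticated or unsupported MAC"
    body, mac = message[:HEADER_LEN], message[HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    secret = keys.get(key_id)
    if secret is None:
        return False, "unknown key id %d" % key_id
    expected = hashlib.new(algo, secret + body).digest()
    if not hmac.compare_digest(expected, mac[4:]):
        return False, "digest mismatch"
    return True, "authenticated with key %d (%s)" % (key_id, algo)


def transmit_time(message):
    """Unix transmit time decoded from header bytes 40..47."""
    secs, frac = struct.unpack("!II", message[40:48])
    return secs - NTP_EPOCH_OFFSET + frac / (1 << 32)


def demo():
    """Good packet passes; tampering, unknown key and no MAC are rejected."""
    reply = build_server_reply(1_700_000_000.0)
    signed = sign(reply, 7)
    tampered = bytearray(signed)
    tampered[40] ^= 0x01              # flip one bit of the transmit timestamp
    wrong_key = signed[:48] + struct.pack("!I", 999) + signed[52:]
    return {
        "good": verify(signed)[0],
        "tampered": verify(bytes(tampered))[0],
        "unknown_key": verify(wrong_key)[0],
        "unauthenticated": verify(reply)[0],
    }


if __name__ == "__main__":
    print(demo())
```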
Symmetric key autokey (NTP V4) authentication
Autokey uses public key cryptography, as described in RFC 5906, which was made available in NTP Version 4. You can generate keys for the HMC NTP by clicking Generate Local Host Key in the Autokey Configuration window. This option issues the ntp-keygen command to generate the specific key and certificate for this system. Autokey authentication is not available through a NAT firewall.
Issue NTP commands
NTP command support is added to display the status of remote NTP servers and the current NTP server (HMC).
For more information about planning and setup for STP and NTP, see the following publications:
Server Time Protocol Planning Guide, SG24-7280
Server Time Protocol Implementation Guide, SG24-7281
Server Time Protocol Recovery Guide, SG24-7380
11.5.10 Security and user ID management
This section addresses security and user ID management considerations.
HMC and SE security audit improvements
With the Audit and Log Management task, audit reports can be generated, viewed, saved, and offloaded. The Customize Scheduled Operations task allows you to schedule audit report generation, saving, and offloading. The Monitor System Events task allows Security Logs to send email notifications by using the same type of filters and rules that are used for hardware and operating system messages.
With z14 servers, you can offload the following HMC and SE log files for customer audit:
Console event log
Console service history
Tasks performed log
Security logs
System log
Full log offload and delta log offload (since the last offload request) are provided. Offloading to removable media and to remote locations by FTP is available. The offloading can be manually started by the new Audit and Log Management task or scheduled by the Customize Scheduled Operations task. The data can be offloaded in the HTML and XML formats.
HMC user ID templates and LDAP user authentication
Lightweight Directory Access Protocol (LDAP) user authentication and HMC user ID templates enable the addition and removal of HMC users according to your own corporate security environment. These processes use an LDAP server as the central authority.
Each HMC user ID template defines the specific authorization levels for the tasks and objects for the user who is mapped to that template. The HMC user is mapped to a specific user ID template by user ID pattern matching. The system then obtains the name of the user ID template from content in the LDAP server schema data.
Default HMC user IDs
It is no longer possible to change the Managed Resource or Task Roles of the default user IDs operator, advanced, sysprog, acsadmin, and service.
If you want to change the roles for a default user ID, create your own version by copying a default user ID.
View-only user IDs and view-only access for HMC and SE
With HMC and SE user ID support, users can be created that include “view-only” access to selected tasks. Support for “view-only” user IDs is available for the following purposes:
Hardware messages
Operating system messages
Customize or delete activation profiles
Advanced facilities
Configure on and off
HMC and SE secure FTP support
You can use a secure FTP connection from an HMC/SE FTP client to a customer FTP server location. This configuration is implemented by using the Secure Shell (SSH) File Transfer Protocol, which is an extension of SSH. You can use the Manage SSH Keys console action, which is available to the HMC and SE, to import public keys that are associated with a host address.
The Secure FTP infrastructure allows HMC and SE applications to query whether a public key is associated with a host address and to use the Secure FTP interface with the appropriate public key for a host. Tasks that use FTP now provide a selection for the secure host connection.
When selected, the task verifies that a public key is associated with the specified host name. If a public key is not provided, a message window opens that points to the Manage SSH Keys task to enter a public key. The following tasks provide this support:
Import/Export IOCDS
Advanced Facilities FTP IBM Content Collector Load
Audit and Log Management (Scheduled Operations only)
FCP Configuration Import/Export
OSA view Port Parameter Export
OSA Integrated Console Configuration Import/Export
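The "is a public key on record for this host" check that the tasks above perform, as an added example done OpenSSH-style on a workstation (not HMC code). The lookup handles plain, `[host]:port` and hashed (`|1|salt|hash`) host entries, skips `@revoked` and `@cert-authority` entries, and reports the key's SHA256 fingerprint for out-of-band comparison with the FTP server owner. The known_hosts content, host names and key bytes are constructed samples.

```python
"""Added example: require a recorded SSH host key before an SFTP transfer."""
import base64
import hashlib
import hmac
import os
import re


def hash_hostname(host, salt=None):
    """Produce the hashed host form OpenSSH writes with HashKnownHosts."""
    salt = salt or os.urandom(20)
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


def _glob_match(pattern, name):
    """OpenSSH-style glob: only '*' and '?' are wildcards, '[' is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, name) is not None


def _host_field_matches(field, name):
    """Match one comma-separated host field; a negated pattern wins."""
    matched = False
    for pat in field.split(","):
        if pat.startswith("|1|"):
            _, _, salt_b64, mac_b64 = pat.split("|")
            mac = hmac.new(base64.b64decode(salt_b64), name.encode(),
                           hashlib.sha1).digest()
            if hmac.compare_digest(mac, base64.b64decode(mac_b64)):
                matched = True
        elif pat.startswith("!"):
            if _glob_match(pat[1:], name):
                return False
        elif _glob_match(pat, name):
            matched = True
    return matched


def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def lookup_host_key(known_hosts, host, port=22):
    """Return {'type', 'fingerprint'} for the first plain entry matching the
    host (or [host]:port for non-default ports), else None."""
    name = host if port == 22 else "[%s]:%d" % (host, port)
    for line in known_hosts.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):       # @revoked / @cert-authority
            continue                        # not handled in this example
        if len(fields) < 3:
            continue
        if _host_field_matches(fields[0], name):
            return {"type": fields[1], "fingerprint": fingerprint(fields[2])}
    return None


def transfer_allowed(known_hosts, host, port=22):
    """Mirror of the page's behaviour: proceed only if a key is on record."""
    return lookup_host_key(known_hosts, host, port) is not None


# Constructed public key blob (NOT a real key): SSH wire-format type string
# followed by 32 placeholder bytes, just enough to look like an ed25519 blob.
SAMPLE_KEY_B64 = base64.b64encode(
    b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))).decode()

SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts for the example",
    "ftp.example.test ssh-ed25519 " + SAMPLE_KEY_B64,
    "[sftp.example.test]:2222 ssh-ed25519 " + SAMPLE_KEY_B64,
    hash_hostname("audit.example.test", salt=bytes(20))
    + " ssh-ed25519 " + SAMPLE_KEY_B64,
])

if __name__ == "__main__":
    for h, p in [("ftp.example.test", 22), ("sftp.example.test", 2222),
                 ("audit.example.test", 22), ("unknown.example.test", 22)]:
        print(h, p, lookup_host_key(SAMPLE_KNOWN_HOSTS, h, p))
```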
11.5.11 HMC 2.14.1 Enhancements
HMC Version 2.14.1 introduces the following enhancements:
IPv6 Support for OSA-ICC 3270
In addition to the IPv4 protocol, HMC 2.14.1 adds IPv6 support for OSA-ICC 3270, for compliance with existing regulations that require all computer purchases to support IPv6.
TLS level negotiation limits for OSA-ICC 3270
The supported TLS protocol levels for the OSA-ICC 3270 client connection can now be specified. Supported protocol levels are TLS 1.0, TLS 1.1, and TLS 1.2. Consider the following points:
 – TLS 1.0: The OSA-ICC 3270 server permits TLS 1.0, TLS 1.1, and TLS 1.2 client connections.
 – TLS 1.1: The OSA-ICC 3270 server permits TLS 1.1 and TLS 1.2 client connections.
 – TLS 1.2: The OSA-ICC 3270 server permits only TLS 1.2 client connections.
TLS 1.2 was introduced for z13 Driver level 27 (HMC 2.13.1) for OSA-Express4S and OSA-Express5S.
Separate Security Certificates for OSA-ICC 3270
Separate and unique OSA-ICC 3270 certificates are now supported for clients who host workloads across multiple business units or data centers where cross-site coordination is required. Clients can avoid interruption of all the TLS connections at the same time when they must renew expired certificates. The certificate for the PCHID is independently managed with respect to expiry or renewal and other properties (such as self-signed or CA signed).
OSA-ICC continues to also support a single certificate for all OSA-ICC PCHIDs in the system.
SCSI load normal enhancements
Before z14 Driver 36, when performing a standard (CCW-type) load, the user can choose to clear memory or not clear memory (that is, “normal”). However, memory is always cleared during a SCSI load.
For z14 with HMC 2.14.1 and Driver level 36, SCSI load can be performed without clearing memory first (that is, “SCSI load normal”). When activated, an LPAR loads its operating system from a SCSI-capable DASD. If the LPAR was previously activated, the user can choose to clear the LPAR’s memory before reloading the OS (this process makes the load process take longer), or load the OS without clearing the memory (that is, SCSI load normal).
 
Notes: Memory is always cleared as part of activating an image before any load is performed. Therefore, not clearing the memory is not an option when activating with an image profile.
When managed by HMC version 2.14.1, a z14 Driver level 32 or older system cannot take advantage of the SCSI load normal option.
Support Element login enhancements for HMC connections
With HMC 2.14.1, the following behavior applies when an HMC user attempts to access an SE by using Single Object Operations (SOO) while an SOO session from another HMC already exists:
 – Access is still initially denied, but the denial panel now offers an option to disconnect the remote user ID.
 – When selecting this option, a confirmation panel is displayed, which requires the HMC user to confirm before proceeding with the disconnect.
 – If confirmed, the SOO session to the SE from the other HMC is ended and its associated user is disconnected. Establishment of the new SOO session proceeds immediately.
 – A security log entry is written on the SE to record information about the disconnected HMC or session and the disconnecting HMC or session.
 
Note: When the user is physically logged in (that is, by using the SE’s keyboard or display), sessions are not disconnected. Only the “Chat” option is available.
 
11.5.12 System Input/Output Configuration Analyzer on the SE and HMC
The System Input/Output Configuration Analyzer task supports the system I/O configuration function.
The information that is needed to manage a system’s I/O configuration must be obtained from many separate sources. The System Input/Output Configuration Analyzer task enables the system hardware administrator to access, from one location, the information from those sources. Managing I/O configurations then becomes easier, particularly across multiple servers.
The System Input/Output Configuration Analyzer task runs the following functions:
Analyzes the current active IOCDS on the SE.
Extracts information about the defined channels, partitions, link addresses, and control units.
Requests the channels’ node ID information. The Fibre Channel connection (FICON) channels support remote node ID information, which is also collected.
The System Input/Output Configuration Analyzer is a view-only tool. It does not offer any options other than viewing. By using the tool, data is formatted and displayed in five different views. The tool provides various sort options, and data can be exported to a UFD for later viewing.
The following views are available:
PCHID Control Unit View shows PCHIDs, channel subsystems (CSS), CHPIDs, and their control units.
PCHID Partition View shows PCHIDs, CSS, CHPIDs, and the partitions in which they exist.
Control Unit View shows the control units, their PCHIDs, and their link addresses in each CSS.
Link Load View shows the link address and the PCHIDs that use it.
Node ID View shows the Node ID data under the PCHIDs.
11.5.13 Automated operations
As an alternative to manual operations, an application can interact with the HMC and SE through an API. The interface allows a program to monitor and control the hardware components of the system in the same way a user performs these tasks. The HMC APIs provide monitoring and control functions through SNMP and the CIM. These APIs can get and set a managed object’s attributes, issue commands, receive asynchronous notifications, and generate SNMP traps.
The HMC supports the CIM as an extra systems management API. Its focus is on attribute query and operational management functions for IBM Z servers, such as CPCs, images, and activation profiles. z13 servers contain several enhancements to the CIM systems management API. The function is similar to the function that is provided by the SNMP API.
For more information about APIs, see IBM Z Application Programming Interfaces, SB10-7164.
11.5.14 Cryptographic support
This section describes the cryptographic management and control functions that are available in the HMC and the SE.
Cryptographic hardware
z14 servers include standard cryptographic hardware and optional cryptographic features for flexibility and growth capability.
The HMC/SE interface provides the following capabilities:
Defining the cryptographic controls
Dynamically adding a Crypto feature to a partition for the first time
Dynamically adding a Crypto feature to a partition that already uses Crypto
Dynamically removing a Crypto feature from a partition
The Crypto Express6S, a new Peripheral Component Interconnect Express (PCIe) cryptographic coprocessor, is an optional z14 exclusive feature. Crypto Express6S provides a secure programming and hardware environment on which crypto processes are run. Each Crypto Express6S adapter can be configured by the installation as a Secure IBM CCA coprocessor, a Secure IBM Enterprise Public Key Cryptography Standards (PKCS) #11 (EP11) coprocessor, or an accelerator.
When EP11 mode is selected, a unique Enterprise PKCS #11 firmware is loaded into the cryptographic coprocessor. It is separate from the Common Cryptographic Architecture (CCA) firmware that is loaded when a CCA coprocessor is selected. CCA firmware and PKCS #11 firmware cannot coexist in a card.
The Trusted Key Entry (TKE) Workstation with smart card reader feature is required to support the administration of the Crypto Express6S when configured as an Enterprise PKCS #11 coprocessor.
To support the new Crypto Express6S card, the Cryptographic Configuration window was changed to support the following card modes:
Accelerator mode (CEX6A)
CCA Coprocessor mode (CEX6C)
PKCS #11 Coprocessor mode (CEX6P)
An example of the Cryptographic Configuration window is shown in Figure 11-26.
Figure 11-26 Cryptographic Configuration window
The Usage Domain Zeroize task is provided to clear the appropriate partition crypto keys for a usage domain when you remove a crypto card from a partition. Crypto Express6/5S in EP11 mode is configured to the standby state after the zeroize process.
For more information, see IBM z13 Configuration Setup, SG24-8260.
Digitally signed firmware
Security and data integrity are critical concerns with firmware upgrades. A process is in place to digitally sign the firmware update files that are sent to the HMC, SE, and TKE: a hash algorithm generates a message digest of the update file, and that digest is then encrypted with a private key to produce a digital signature.
Verifying the digital signature during the upgrade process ensures that any changes that were made to the data are detected. It helps ensure that no malware can be installed on IBM Z products during firmware updates. It also enables the z14 Central Processor Assist for Cryptographic Function (CPACF) functions to comply with Federal Information Processing Standard (FIPS) 140-2 Level 1 for Cryptographic LIC changes. The enhancement follows the IBM Z focus on security for the HMC and the SE.
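The sign-then-verify flow described above, as an added Go example that is not IBM's own firmware signing code: the build side hashes the update file and signs the digest with a private key, and the receiving HMC, SE or TKE, holding only the public key, re-hashes what it actually received and checks the signature, so a single altered bit or a signature made under another key is rejected. The RSA PKCS#1 v1.5 padding, the 2048-bit key, the sample payload and the function names are assumptions, not details from the page.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignFirmware is the build-side step the text describes: hash the update file,
// then sign the digest with the vendor private key (RSA PKCS#1 v1.5 is an assumed choice).
func SignFirmware(priv *rsa.PrivateKey, firmware []byte) ([]byte, error) {
	digest := sha256.Sum256(firmware)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// VerifyFirmware is the install-side step: the HMC/SE/TKE holds only the public key,
// re-hashes the payload it actually received and checks the signature against that
// digest. Any change to the payload, or a signature made under another key, fails.
func VerifyFirmware(pub *rsa.PublicKey, firmware, sig []byte) bool {
	digest := sha256.Sum256(firmware)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Tamper returns a copy of firmware with one bit flipped, simulating an altered update.
func Tamper(firmware []byte) []byte {
	out := append([]byte(nil), firmware...)
	out[len(out)/2] ^= 0x01
	return out
}

func main() {
	vendorKey, err := rsa.GenerateKey(rand.Reader, 2048) // constructed vendor key
	if err != nil {
		panic(err)
	}
	firmware := []byte("constructed sample firmware image v1") // constructed payload
	sig, err := SignFirmware(vendorKey, firmware)
	if err != nil {
		panic(err)
	}
	pub := &vendorKey.PublicKey
	fmt.Println("genuine update accepted:", VerifyFirmware(pub, firmware, sig)) // true
	fmt.Println("tampered update accepted:", VerifyFirmware(pub, Tamper(firmware), sig)) // false
	other, _ := rsa.GenerateKey(rand.Reader, 2048) // a key that is not the vendor's
	fmt.Println("wrong-key signature accepted:", VerifyFirmware(&other.PublicKey, firmware, sig)) // false
}
```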
z14 Crypto Card CEX6S is compliant with CCA PCI HSM.
The following CCA compliance levels for Crypto Express6S are available on SE:
CCA: Non-compliant (default)
CCA: PCI-HSM 2016
The following EP11 compliance levels (Crypto Express5S and Crypto Express6S) are available:
FIPS 2009 (default)
FIPS 2011
BSI 2009
BSI 2011
11.5.15 Installation support for z/VM that uses the HMC
Starting with z/VM V5R4 and z10, Linux on Z can be installed in a z/VM virtual machine from HMC workstation media. This Linux on Z installation can use the communication path between the HMC and the SE. No external network or extra network setup is necessary for the installation.
11.5.16 Dynamic Partition Manager
DPM is an IBM Z mode of operation that provides a simplified approach to creating and managing virtualized environments, which lowers the barriers to its adoption for new and existing customers.
Enabling DPM is a disruptive action. The DPM mode of operation is selected by using a function that is called “Enable Dynamic Partition Manager”, which is under the SE CPC Configuration menu.
Enabling DPM with the SE interface is shown in Figure 11-27.
Figure 11-27 Enabling DPM (SE interface)
After the CPC is restarted and you log on to the HMC in which this CPC is defined, the HMC shows the welcome window that is shown in Figure 11-28.
Figure 11-28 HMC welcome window
New LPARs can be added by selecting Get Started. For more information, see IBM Knowledge Center.
At IBM Knowledge Center, click the search engine window and enter dpm.
 

1 For a customer-supplied switch, multicast must be enabled at the switch level.