IBM. Integrating the Hardware Management Console s Broadband Remote Support Facility into your Enterprise. zenterprise System. SC Level 01b

Similar documents
Chapter 10 Troubleshooting

I. What is VPN? II. Types of VPN connection. There are two types of VPN connection:

Electronic Service Agent TM. Network and Transmission Security And Information Privacy

Setting up VPN Access for Remote Diagnostics Support

Connectivity Security White Paper. Electronic Service Agent for AIX and Virtual I/O Server (VIOS)

Chapter 12 Supporting Network Address Translation (NAT)

SOHO 6 Wireless Installation Procedure Windows 95/98/ME with Internet Explorer 5.x & 6.0

Step-by-Step Configuration

Cornerstones of Security

Linksys E2000 Wireless-N Router Configuration Guide

BASIC ANALYSIS OF TCP/IP NETWORKS

Cisco Expressway Basic Configuration

Computer Networks I Laboratory Exercise 1

H3C SSL VPN RADIUS Authentication Configuration Example

SonicWALL Global Management System Configuration Guide Standard Edition

Cleaning Encrypted Traffic

Using etoken for SSL Web Authentication. SSL V3.0 Overview

Intel Active Management Technology with System Defense Feature Quick Start Guide

Use Shrew Soft VPN Client to connect with IPSec VPN Server on RV130 and RV130W

Configuring Global Protect SSL VPN with a user-defined port

Creating a Gateway to Client VPN between Sidewinder G2 and a Mac OS X Client

Firewall VPN Router. Quick Installation Guide M73-APO09-380

Pre-lab and In-class Laboratory Exercise 10 (L10)

Multi-Homing Dual WAN Firewall Router

VPN. Date: 4/15/2004 By: Heena Patel

ERserver. iseries. Secure Sockets Layer (SSL)

SSL VPN. Virtual Appliance Installation Guide. Virtual Private Networks

Configuring a WatchGuard SOHO to SOHO IPSec Tunnel

F-Secure Messaging Security Gateway. Deployment Guide

1:1 NAT in ZeroShell. Requirements. Overview. Network Setup

Astaro User Portal: Getting Software and Certificates Astaro IPsec Client: Configuring the Client...14

Configuring a Check Point FireWall-1 to SOHO IPSec Tunnel

Power Systems. Installing and configuring the Hardware Management Console

Talk2M Free+ Remote-Access Connectivity Solution for ewon COSY devices. Getting Started Guide

Virtual Appliance Setup Guide

Deployment Guide: Transparent Mode

CCNA Discovery Networking for Homes and Small Businesses Student Packet Tracer Lab Manual

Chapter 3 Connecting the Router to the Internet

Configuring PA Firewalls for a Layer 3 Deployment

Steps for Basic Configuration

GlobalSCAPE DMZ Gateway, v1. User Guide

Broadband Phone Gateway BPG510 Technical Users Guide

Note: This case study utilizes Packet Tracer. Please see the Chapter 5 Packet Tracer file located in Supplemental Materials.

Appendix C Network Planning for Dual WAN Ports

Chapter 5 Customizing Your Network Settings

Networking Guide Redwood Manager 3.0 August 2013

ZULTYS. Optimum Business Trunking and the Zultys MX250 IP PBX Configuration Guide

JPMorgan Chase Treasury Workstation. Certification Setup Guide Version 2.0

SSL A discussion of the Secure Socket Layer

Bridgit Conferencing Software: Security, Firewalls, Bandwidth and Scalability

CREATING AN IKE IPSEC TUNNEL BETWEEN AN INTERNET SECURITY ROUTER AND A WINDOWS 2000/XP PC

Chapter 2 Preparing Your Network

Router Setup Manual. NETGEAR, Inc Great America Parkway Santa Clara, CA USA

Quick Start Guide. Cisco SPA232D Mobility Enhanced ATA

Sophos UTM. Remote Access via PPTP. Configuring UTM and Client

Chapter 17. Transport-Level Security

Astaro Security Gateway V8. Remote Access via SSL Configuring ASG and Client

Broadband Router ESG-103. User s Guide

Lab - Using Wireshark to View Network Traffic

ERserver. iseries. Remote Access Services: PPP connections

Decryption. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright Palo Alto Networks

ZyWALL 5. Internet Security Appliance. Quick Start Guide Version 3.62 (XD.0) May 2004

Comtrend 1 Port Router Installation Guide CT-5072T

UIP1868P User Interface Guide

Issue 1 April 2, 2009 Using the VT2442 Web User Interface

Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance

Barracuda Link Balancer Administrator s Guide

Chapter 4 Customizing Your Network Settings

USER GUIDE. Ethernet Configuration Guide (Lantronix) P/N: Rev 6

TLS and SRTP for Skype Connect. Technical Datasheet

Quick Start Guide. WRV210 Wireless-G VPN Router with RangeBooster. Cisco Small Business

Linksys Gateway SPA2100-SU Manual

Chapter 8 Advanced Configuration

Step By Step Guide: Demonstrate DirectAccess in a Test Lab

21.4 Network Address Translation (NAT) NAT concept

Configuring H.323 over Port Network Address Translation (PNAT) for Avaya IP Endpoints using the Avaya SG200 Security Gateway - Issue 1.

SSL SSL VPN

Application Notes for the Ingate SIParator with Avaya Converged Communication Server (CCS) - Issue 1.0

Application Note Startup Tool - Getting Started Guide

Network/VPN Overlap How-To with SonicOS 2.0 Enhanced Updated 9/26/03 SonicWALL,Inc.

Guideline for setting up a functional VPN

Security Secure Sockets Layer (SSL)

VoIPon Tel: +44 (0) Fax: +44 (0)

USB Ethernet Connectivity Kit

OBM (Out of Band Management) Overview

Preparing the Computers for TCP/IP Networking

How To Configure L2TP VPN Connection for MAC OS X client

Microsoft Dynamics GP Release

7. Configuring IPSec VPNs

Linux Network Security

Chapter 10. Network Security

IP Configuration Manual

: Interconnecting Cisco Networking Devices Part 1 v2.0 (ICND1)

Matrix Technical Support Mailer 167 NAVAN CNX200 PPTP VPN with Windows Client

< Introduction > This technical note explains how to connect New SVR Series to DSL Modem or DSL Router. Samsung Techwin Co., Ltd.

IBM i Version 7.3. Security Digital Certificate Manager IBM

1 Data information is sent onto the network cable using which of the following? A Communication protocol B Data packet

Copyright and Trademarks. How to Use this Guide. Phone Adapter with Router

Sophos UTM. Remote Access via SSL. Configuring UTM and Client

Chapter 3 LAN Configuration

Transcription:

IBM zenterprise System Integrating the Hardware Management Console s Broadband Remote Support Facility into your Enterprise SC28-6927-01

IBM zenterprise System Integrating the Hardware Management Console s Broadband Remote Support Facility into your Enterprise SC28-6927-01

ii Broadband RSF

Contents Integrating the HMC s Broadband Remote Support Facility into your Enterprise 1 Overview Security features on the HMC Data encryption using Secure Sockets Layer/Transport Layer Security Audit logs of outbound connections Isolation of Ethernet connections Hardware Management Console firewall Integrating HMC broadband into your Enterprise Outbound connections for service Integrating the customer s firewall Support for an HTTP proxy server 1 1 2 2 2 2 3 3 3 3 Resolving IP addresses of IBM Service Support System 4 IP Addresses for the IBM Service Support System 4 Checklist for setting up broadband RSF connectivity 4 Configuration example for broadband RSF 6 Configuring network settings on the HMC 6 Customizing outbound connectivity 13 Frequently asked questions (FAQ) 18 Appendix Secure Sockets Layer and Transport Layer Security 21 Secure Sockets Layer Transport Layer Security 21 22 iii

iv Broadband RSF

Integrating the HMC s Broadband Remote Support Facility into your Enterprise Overview There are number of options available to set up a broadband Hardware Management Console (HMC) connection that keeps your system secure and still satisfy your corporate security requirements This document describes the security features built into the Hardware Management Console to support broadband RSF, configuration options, and explain how to integrate security features in your Enterprise to work with broadband Remote Support Facility (RSF) There is also step-by-step instructions for setting up broadband RSF from the Hardware Management Console Note: With the introduction of zenterprise EC12, the Hardware Management Console Version 2120 no longer supports Dialup Remote Support Facility Using an internet (broadband) connection offers significant improvement over dialup: v Faster data transmission v Ability to transmit more data on an initial problem request potentially resulting in more rapid problem resolution v Improved transmission reliability v Reduced customer expenses (for example, the cost of a dedicated analog telephone line) v Capability to integrate with corporate firewall security policies The IBM Service Support System is migrating to a new infrastructure In HMC Version 2121, Problem Management (except Viewable Problems), Vital Product Data, and System Availability Data transmissions are now supported using the enhanced IBM Service Support System Note: Depending upon your current installation policies, there may be some changes required by your local networking team for your HMC to connect to the enhanced IBM Service Support System v Connectivity will be initiated to a new destination A new host name and set of IP addresses must be reachable from your system v Transmission using the enhanced IBM Service Support System requires a Domain Name Server (DNS) to be configured on your console, unless the connection is through an SSL proxy which has a DNS configured In HMC Version 2121, access to the traditional IBM Service Support System is still required While the Remote Support Facility still supports the use of the traditional IBM Service Support System as a backup for all requests, IBM recommends that you enable connectivity to the enhanced IBM Service Support System promptly If you do not, problem reporting may be delayed due to local firewall blockages Security features on the HMC Broadband support on the Hardware Management Console (HMC) was designed with the understanding that maintaining security of the system is a shared responsibility between IBM and the customer Following are built-in facilities on the Hardware Management Console: v Data encryption using SSL/TLS v Audit logs of outbound connections v Isolation of ethernet connections 1

v Hardware Management Console firewall Data encryption using Secure Sockets Layer/Transport Layer Security All data between the customer machine and IBM is encrypted using Transport Layer Security (TLS) sockets Secure Sockets Layer (SSL) technology ensures data confidentiality and integrity For more information on SSL/TLS protocol, see Secure Sockets Layer and Transport Layer Security, on page 21 Audit logs of outbound connections Audit logs are created for each outbound connection including the destination, common name of the certificate of the destination, and the cipher suite used for encryption Isolation of Ethernet connections There are multiple network interface cards available on the Hardware Management Console This allows you to isolate your support elements from any possible access on the enterprise LAN IBM recommends you use one of the Ethernet connections on each Hardware Management Console to connect to a private Ethernet LAN that communicates with your CPCs and support elements Another Ethernet connection on the Hardware Management Console should connect to the enterprise LAN or corporate firewall that will in turn connect to the Internet Figure 1 shows this type of configuration Figure 1 Separating Ethernet adapters In Figure 1, the Hardware Management Console uses a second network card to physically separate the local system network from the Internet-enabled network Hardware Management Console firewall The Hardware Management Console is always protected by an internal firewall that allows outbound SSL traffic to the IBM Service Support System The default is to block all inbound ports, which ensures that all service communication is initiated by the HMC The IBM Service Support System will never initiate an Internet connection Specific ports are only enabled as needed based on the IP addresses of the defined CPCs and enabled services (such as web browser access) 2 Broadband RSF

Integrating HMC broadband into your Enterprise Outbound connections for service A customer firewall that is connected to the Hardware Management Console must be configured to allow outbound connections to the IBM Service Support System All connections to the IBM Service Support System are outbound connections to port 443 The set of specific IP addresses to which your system requires outbound connectivity depend upon: v HMC version code (2120 or 2121) HMC version 2121 also utilizes the enhanced IBM Service Support system v Internet protocol (IPv4 and IPv6) For a list of these addresses, see IP Addresses for the IBM Service Support System on page 4 A list of these IP addresses is also available in the online help information on the Hardware Management Console To view the help, click Help on the Outbound Connectivity Settings window in the Customize Outbound Connectivity task Integrating the customer s firewall The customer s firewall may also take advantage of Source Network Address Translation (SNAT) and masquerading rules to conceal the Hardware Management Console s Internet address from the packets in the Internet The firewall may also limit the specific IP addresses to which the Hardware Management Console can connect Support for an HTTP proxy server A customer may additionally require all traffic to go through a proxy server In this case, the Hardware Management Console connects directly to the proxy server, which initiates all communications to the Internet (Figure 2) Figure 2 HMC broadband using an SSL proxy server To forward SSL sockets, the proxy server must support the basic proxy header functions (RFC 2616) and the CONNECT method Integrating the HMC s Broadband Remote Support Facility into your Enterprise 3

Optionally, basic proxy authentication (RFC 2617) may be configured so that the Hardware Management Console authenticates before attempting to forward sockets through the proxy server For the Hardware Management Console to communicate successfully, the HTTP proxy server or firewall must allow outbound connections to port 443 The proxy server may limit the specific IP addresses to which the Hardware Management Console can connect For a list of these required IP addresses, see IP Addresses for the IBM Service Support System Resolving IP addresses of IBM Service Support System If you select the Resolve IBM IP addresses on console option, the HTTP connect request will direct your SSL proxy to connect directly to the set IP address in the IP Addresses for the IBM Service Support System In this case, your HMC must be configured to have a DNS Note that the value selected in Protocol to Internet from the Customize Outbound Connectivity task must reflect the Internet Protocol used by the SSL proxy to connect to the internet Note: For example, the Hardware Management Console may connect to your SSL proxy using an IPv6 address, but the proxy may be configured to connect to the internet using IPv4 In this case, you would enter the IPv6 address of your SSL proxy server, but select IPv4 for Protocol to Internet from the Customize Outbound Connectivity task If you do not select the Resolve IBM IP addresses on console option, the connect request will direct your SSL proxy to connect to the host name, www-945ibmcom or esupportibmcom as required The actual outbound internet protocol will be determined by the proxy server and its DNS services IP Addresses for the IBM Service Support System A customer firewall between the Hardware Management Console and the Internet must be configured to allow outbound connections to the IBM Service Support System All connections to the IBM Service Support System are outbound connections to port 443 v Using IPv4 requires outbound connectivity to the following IP addresses: 1294226224 1294242224 1294250224 1294254189 (enhanced) 1294256189 (enhanced) 1294260189 (enhanced) v If you require access to the IBM Service Support System using the IPv6 internet, you must allow access to all of these additional addresses: 2620:0:6c0:1::1000 2620:0:6c2:1::1000 2620:0:6c4:1::1000 2620:0:6c4:200:129:42:54:189 (enhanced) 2620:0:6c0:200:1294256189 (enhanced) 2620:0:6c2:200:1294260189 (enhanced) Checklist for setting up broadband RSF connectivity The following set of checklists shows how the Hardware Management Console and Site Security Administrator teams might collaborate while configuring the HMC for broadband RSF Table 1 on page 5 is a planning checklist that the customer should complete before the site Security Administrator arrives 4 Broadband RSF

Table 1 Planning Checklist for setting up broadband RSF connectivity Step 1 2 Description Data Ensure that one of the HMC Ethernet adapters is configured to the enterprise LAN (see Isolation of Ethernet connections on page 2) Unless DHCP is used, record the IP address to configure Use DHCP? Yes or No If not: Record default gateway to corporate network Also, determine if you want to use RIP protocol for the dynamic routing path Please note that if you use RIP protocol, you may not need to specify a gateway address device in the User Interface Gateway Address: 3 Record version of Internet used (IPv4 or IPv6) Protocol to Internet: 4 Record the IBM Service Support System IP addresses that will be used (See IP Addresses for the IBM Service Support System on page 4) Port: 443 IP addresses: 5 Contact your site s security administrator to configure firewall permission to establish outbound connections to port 443 using the IP addresses from step 4 6 Contact your site s security administrator to determine Use HTTP proxy? Yes or No whether the HMC is required to connect to an HTTP proxy, and that the proxy conforms to the requirements described in Support for an HTTP proxy server on page 3 Status IP address: Network mask: Use RIP protocol? Yes or No Are you using an HTTP proxy? If yes, continue with steps 7-10 If not, go to directly to step 11 7 8 9 Determine whether the rules of the HTTP proxy configuration at the customer installation permit IP addresses to be used as the target of the mod_proxy 10 If IP addresses are not permitted, then the setting for Resolve IBM IP addresses on console must be set to False, and you should contact your network administrator to ensure that the proxy is configured to a valid Domain Name Server (DNS) Resolve IBM IP addresses on console: True or False 11 If an HTTP proxy is not required (see step 6) or if the setting for Resolve IBM IP addresses on console is True (see step 10), see your network administrator to obtain the IP addresses of one or more DNS servers to resolve internet addresses Record these addresses Primary DNS Server IP address: Record the Internet address and port number that will be used by the HMC to connect to the HTTP proxy IP address: Determine whether authentication is required to connect to the HTTP If so, record the user ID and password to be used by the HMC to connect to the proxy Use authentication? Yes or No Port: Connect User ID: Password: Secondary DNS Server IP address: The steps in Table 2 on page 6 should be completed during the HMC installation process Integrating the HMC s Broadband Remote Support Facility into your Enterprise 5

Table 2 Configuration Checklist for setting up broadband RSF connectivity Step Description 1 In the Customize Network Settings task on the HMC, click the LAN Adapters tab, and then click Details Configure the LAN Adapter using the data from Step 1 of Table 1 on page 5 2 Under the Name Servers tab, enter the DNS Server IP addresses from Step 11 of Table 1 on page 5 3 Under the Routing tab, add the data from Step 2 in Table 1 on page 5 4 Configure outbound connectivity on the HMC, using the data gathered from Steps 3, 6, 7, 8, and 10 from Table 1 on page 5 5 Test connectivity to the IBM Service Support System Data Status Configuration example for broadband RSF This section contains one example of how to modify a Hardware Management Console (already set up as a call home server using dial support) to use broadband The step numbers in Table 3 correspond to the step numbers in the checklist in Table 1 on page 5 Table 3 Configuration example for broadband RSF Step Configuration Question Configuration Answer 1 What is the IP address and network mask assigned for the HMC on the corporate network? Not DHCP IP address: 9601531 Network Mask: 2552552550 2 What is the IP address of the default gateway in the corporate network? Also, determine if you want to use RIP protocol for the dynamic routing path Gateway address: 96015254 Gateway device: eth0 3 Is the connection to the Internet IPV4 or IPv6? Protocol to internet: IPv4 6 Is the connection through an HTTP proxy server? Proxy? Yes 7 If so, what is its port and IP address? IP address: 96015251 Port: 8000 8 Does the HTTP proxy require authentication? If so, No authentication required what is the userid and password? 10 Should the proxy Connect be issued using IP addresses? Resolve IP addresses on console - True 11 What are the DNS addresses available at your installation? Primary address: 9031 Use RIP Protocol? No Secondary address: 90211 Note: Use the configuration answers from this configuration example table in the following procedures Configuring network settings on the HMC 1 Log on to the Hardware Management Console in ACSADMIN or SERVICE mode 2 If you are using the tree style interface: a In the navigation pane in the left portion of the window, click HMC Management b In the tasks pad in the bottom portion of the work pane, under Configuration, click Customize Network Settings 6 Broadband RSF

or If you are using the classic style interface: a Open Console Actions from the Views area b Open Hardware Management Console Settings from the Console Actions Work Area Integrating the HMC s Broadband Remote Support Facility into your Enterprise 7

c Open Customize Network Settings 3 The Customize Network Settings window is displayed 8 Broadband RSF

4 Click the LAN Adapters tab If there are more than one LAN adapters listed, click on the Ethernet LAN adapter that is connected to your corporate network (in this example, Ethernet eth0 00:14:5E:87:18:C2 (9601531)) 5 Click Details The LAN Adapter Details window is displayed 6 On the Basic Settings tab, select Specify an IP address Enter the static IP address 9601531 and the network mask 2552552550 (from step 1 in Table 3 on page 6) 7 Click OK to save the information 8 A Domain Name Service (DNS) must be configured on the HMC if: v The outbound connection is direct from the HMC to IBM, or v An SSL Proxy is defined, but IP address resolution is desired on the HMC Determine the appropriate Name Server(s) to use, and obtain them from your network administrator (from step 11 in Table 3 on page 6) A minimum of 1 address is valid, but 2 DNS server addresses are recommended, for reliability purposes Integrating the HMC s Broadband Remote Support Facility into your Enterprise 9

9 If you need to configure a Domain Name Server (see previous step), click the Name Services tab Select DNS enabled Add the IP addresses for the DNS servers to the search order Note: The first IP address entered will be the first one used in the search order Subsequent IP addresses will be used as secondary addresses The Domain Suffix Search Order may be specified, but no value is required for RSF name resolution 10 Click the Routing tab Enter the default gateway address 96015254 and the gateway device eth0 (from step 2 in Table 3 on page 6) In the example below, route daemon is not enabled 10 Broadband RSF

Note: Use the value in Step 2 of Table 3 on page 6 to determine whether or not to select Enable routed 11 Click OK to save the information 12 The Network Settings Update window is displayed 13 Click OK A Question pop-up window may display Verifying your network setup At this point, the Hardware Management Console network configuration is complete One way to verify that this is successful is to ping the default gateway Note: This may not be permitted in your installation If it is allowed: 1 If you are using the tree style interface: a In the navigation pane in the left portion of the window, click HMC Management b In the tasks pad in the top portion of the work pane, click Network Diagnostic Information or If you are using the classic style interface: a Open Console Actions from the Views area b Open Network Diagnostic Information from the Console Actions Work Area Integrating the HMC s Broadband Remote Support Facility into your Enterprise 11

2 The Network Diagnostic Information window is displayed 3 On the Ping tab window, enter 96015254 (the default gateway address from step 2 in Table 3 on page 6) and click Ping 96015254 4 If the ping completes successfully, the message 5 packets transmitted, 5 received, 0% packet loss is displayed Continue with Customizing outbound connectivity on page 13 12 Broadband RSF

5 If v v v v v v the ping does not complete successfully, here are some common things to check for: Ping not permitted to the gateway Wrong IP address or netmask setting in the Hardware Management Console Wrong default gateway IP address Properly seated Ethernet cable on the Hardware Management Console side or hub Wrong Ethernet media speed Try Auto-detection Ethernet adapter card not recognized by the Hardware Management Console Check resource name of Ethernet card (in this example eth0) by clicking the Interfaces tab 6 To validate the DNS set up, ping any external host name that supports the ping operation Customizing outbound connectivity 1 Log on to the Hardware Management Console in ENSADMIN, SYSPROG, or SERVICE mode 2 If you are using the tree style interface: a In the navigation pane in the left portion of the window, click Service Management b In the tasks pad in the bottom portion of the work pane, under Configuration, click Customize Outbound Connectivity or If you are using the classic style interface: a Open Console Actions from the Views area b Open Hardware Management Console Settings from the Console Actions Work Area Integrating the HMC s Broadband Remote Support Facility into your Enterprise 13

c Open Customize Outbound Connectivity 3 The Call-Home Server Consoles window is displayed 14 Broadband RSF

4 Click Configure The Outbound Connectivity Settings window is displayed 5 Ensure that the Enable the local console as a call-home server is selected 6 Verify if connection is through a proxy server v If yes (from step 6 in Table 3 on page 6), continue with step 7 v If no, go to step 12 7 In the Address field, enter the IP address 96015251 In the Port field, enter the port address 8000 (use values from step 7 in Table 3 on page 6) 8 Determine whether the rules of the HTTP proxy configuration at the customer installation permit IP addresses to be used as the target of the mod_proxy (from step 10 in Table 3 on page 6) If they are permitted, then select Resolve IBM IP addresses on console 9 Check if proxy authentication is required v If no, (from step 8 in Table 3 on page 6), go to step 12 Integrating the HMC s Broadband Remote Support Facility into your Enterprise 15

v If yes, continue with step 10 10 Select Use SSL Proxy Authentication Enter the user name and password 11 In the Internet Protocol list, select IPv4 (from step 3 in Table 3 on page 6) Most customers will connect to the IPv4 Internet only 12 Click Test The Test Internet window is displayed: 13 Click Start to verify that a broadband RSF connection can be made 14 A series of information messages display in the Test Status message box (shown in two parts, to include all information): 16 Broadband RSF

15 If the connection is successful, Test completed successfully is displayed Integrating the HMC s Broadband Remote Support Facility into your Enterprise 17

16 If the connection was not successful, record the error message and click Help The Test Internet help window is displayed Select Test Status A list of common error messages are displayed Follow the instructions on the window Frequently asked questions (FAQ) Following is a set of questions and answers regarding Remote Support Facility (RSF) security on Hardware Management Consoles (Version 2120 and 2121) Note: These FAQs are intended to address most security questions For additional information, have your IBM service representative document your question into a PMH record for Product Engineering to answer Does IBM initiate a connection into a customer system with Hardware Management Console? No Remote support connections for service are always initiated by the customer s Hardware Management Console to IBM An inbound connection is never initiated from the IBM Service Support System How are RSF connections made? Through Internet connection All communications are handled through TCP sockets initiated by the Hardware Management Console and use a high-grade SSL to encrypt the data that is transmitted The destination TCP/IP addresses are published to enable you to set up firewalls to allow connection The enhanced IBM Service Support System uses standard HTTPS protocols How does the IBM Service Support System validate the incoming connection? The IBM Service Support System validates that the incoming requesting system is known and authorized, or the connection is terminated There are two different validations for each incoming connection: v The Hardware Management Console validates the trusted host by a digital signature issued for the IBM Service Support System when initializing the SSL encrypted connection v IBM Service Support System also validates decrypted data from the Hardware Management Console and performs an entitlement check What data is transferred through the RSF connection? All data transferred is for service use only No customer data is transferred Is data transferred from IBM to the customer system encrypted? Yes All data transferred from IBM to the customer system is encrypted and checked prior to use What level of SSL encryption is used by the Hardware Management Console? All HMC communications with the IBM Service Support Systems are via SSL V3 / TLS 10 socket connections The cipher specification for each connection is available in the HMC Audit Log Are the RSF data exchange protocols published? No All the data exchange protocols are proprietary to IBM service and not published Does the Hardware Management Console have an internal firewall? 18 Broadband RSF

The Hardware Management Console enhancements included an always active internal firewall that has default policy of blocking all inbound ports Specific ports are only enabled as needed based on the IP addresses of the defined CPCs and enabled services (such as web browser access) Is there customer access to the underlying system of the Hardware Management Console? No The Hardware Management Console is a closed platform and only IBM can put code on the system What servers are supported on the new Hardware Management Console? Version 2121 supports: Server Machine Type G5, G6 9672 z900, z800 2064, 2066 z990, z890 2084, 2086 2094, 2096 z10 EC, z10 BC 2097, 2098 z196, z114 2817, 2818 zec12, zbc12 2827, 2828 z9 EC, z9 BC Can the Hardware Management Console connect using a NAT router to the Internet? Yes No Hardware Management Console configuration is required Does the Hardware Management Console support HTTP proxy or proxy in general? It requires the HTTP Proxy which must support the basic proxy header functions (RFC 2616) and the CONNECT method What operating system is used for the Hardware Management Console? An IBM proprietary imbedded operating system is used If I require additional information not covered in this section, how can I get more information? Request your IBM service representative to open a PMH record with your question Product Engineering will review your question and answer it Integrating the HMC s Broadband Remote Support Facility into your Enterprise 19

20 Broadband RSF

Appendix Secure Sockets Layer and Transport Layer Security Secure Sockets Layer The Secure Sockets Layer (SSL) is the industry standard for session encryption between clients and servers SSL uses asymmetric or public key cryptography to encrypt the session between a server and client The client and server applications negotiate a cipher suite and symmetric session key for use in that connection The key expires automatically and the SSL process creates a different key for each server connection and each client Consequently, even if unauthorized users intercept and decrypt a session key, they cannot use it to eavesdrop on later sessions Figure 3 shows an SSL encryption handshake sequence Server Client Handshake start 3 Check trust status of the certificate Secret key 6 Creates a secret key and encrypts it using the server s public key 1 Request secure connection (Client Hello) 2 Send server s certificate to client (Server Hello); optionally requests client certificate 4 Send available ciphers to the server; optionally sends client certificate to the server 5 Send chosen cipher to client 7 Send the encrypted secret key to the server Public Private Application Data Secure Data Flow Application Data 8 Decrypts secret key using server s private key Secret key 1 Client requests secure connection to the server (Client Hello) 2 Server sends server s certificate to the client (Server Hello) 3 Client checks trust status of the server s certificate Client checks if the server s domain name in server s certificate is included in the trusted domain list Server s public key is embedded in the server s certificate (green key) 4 Client sends available ciphers list to the server 5 Server sends chosen cipher to the client 6 Client creates a one-time secret key (yellow key ) for encrypted communication and encrypts the one-time secret key with server s public key that is embedded in the server s certificate 7 Client sends the encrypted one-time secret key to the server 8 Server decrypts secret key using server s private key (blue key) Figure 3 SSL encryption handshake sequence 21

Transport Layer Security Based on SSL Version 30, the specifications for Transport Layer Security (TLS) Version 10 are defined by the Internet Engineering Task Force in RFC 2246 TLS provides the following security improvements overs SSL Version 30: v Key-hashing for message authentication code TLS uses keyed-hash Message Authentication Code (HMAC), which ensures that a record cannot be altered while traveling over an open network, such as the Internet SSL Version 30 also provides keyed message authentication, but HMAC is considered more secure than the Message Authentication Code function that SSL Version 30 uses v Enhanced pseudo random function Pseudo Random Function (PRF) is used for generating key data In TLS, the PRF is defined with the HMAC The PRF uses two hash algorithms in a way that guarantees its security If either algorithm is exposed, then the data will remain secure as long as the second algorithm is not exposed v Improved finished message verification Both TLS Version 10 and SSL Version 30 provide a finished message to both end points that authenticates that the exchanged messages were not altered However, TLS bases this finished message on the PRF and HMAC values, which again is more secure than the SSL Version 30 v Consistent certificate handling Unlike the SSL Version 30, TLS attempts specify the type of certificate that must be exchanged between TLS implementations 22 Broadband RSF

Appendix Secure Sockets Layer and Transport Layer Security 23

IBM Printed in USA SC28-6927-01

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information