166 DS8000 Series: Concepts and Architecture
Security mechanism 3 - Login security
When the network connection and session are established, the IBM Service personnel will be
able to log into the S-HMC, without a secure password, for the purpose of collecting problem
determination and sending the problem determination to the IBM data collection site.
If problem analysis shows that additional actions are needed to further refine the problem
definition, the next level of IBM Service may have a requirement for a higher level of access
to the storage facility. If this is the case, all of the previous security measures will also apply,
but to obtain a higher level of authorization, the service organization will be required to log in
to secure userids on the S-HMC. These userids are protected by S-HMC user management.
S-HMC user management
The S-HMC’s user management is governed by the following rules:
The allowed number of users is pre-defined.
No additional users can be defined to the S-HMC.
The password to these predefined users can be changed by IBM support personnel.
Users with higher privileges are protected by a challenge/authentication scheme.
The root user ID is locked.
User login is only allowed from the private network, or from an IBM remote support service
connection.
User activity is logged.
The S-HMC has auditing capabilities.
The functionality of standard software components is restricted to provide added security
advantages when integrating the S-HMC into your private network. These restrictions are as
follows:
The S-HMC acts as a firewall or proxy for incoming traffic.
The S-HMC does not have any IP forwarding or gateway capabilities.
Many standard services such FTP and TELNET do not exist on the S-HMC.
Only Secure Shell (SSH) is permitted over the remote connection.
No TCP/IP connection from the outside is allowed into the S-HMC, except the VPN
connection.
In an Internet configuration, the following firewall ports need to be open: 500 udp, 500 esp
(VPN), and 4500 udp.
The allowed destination IP addresses will only be the IBM services support centers:
207.25.252.196, 129.42.160.16, and 207.25.252.198.
9.2.4 FTP Offload option
As an alternative to a VPN connection via the Internet, the S-HMC can be set up to use the
file transfer protocol (ftp) for sending error data to IBM. It is the customer's responsibility to
provide a secure path from the S-HMC to the destination server (testcase.software.ibm.com)
on the Internet. Usually this involves some kind of ftp proxy or relay firewall. The S-HMC
supports seven different types of ftp firewalls.
Connectivity via ftp is also required for downloading DS8000 code packages from an IBM
remote code repository on the Internet.