Learn more about how to enhance the security of your HMC based on your corporate security
standards.
The default configuration of HMC provides ample security for most enterprise users. With the
Hardware Management Console (HMC) Version 8.4.0, or later, you can further enhance the security of
the HMC based on your corporate security standards. To enhance the security of
HMC, you must set the HMC to minimum of Level 1 security. You may
choose to go to Level 2 and Level 3 security depending on your environment and the corporate
security requirements.
Note: Before changing the security level, ensure that you check with your
corporate security compliance team.
To secure the
HMC, do the following procedure:
Level 1 security
- Change the default hscroot predefined password. For more information
about password policy, see Enhanced password policy
.
- If the HMC is not in a physically secure environment, set the grub
password by running the following command: chhmc -c grubpasswd -s enable --passwd <new
grub password>
- If you have configured Integrated Management Module (IMM) on HMC, set a strong IMM password.
- Set strong password for admin users and general users on all servers.
- Update the HMC with all the released security fixes. For more details about the security fixes,
see IBM® Fix Central.
Level 2 security (Optional)
If you have multiple users, complete the following steps
to enhance the security:
- Create account for each user on the HMC and assign the required roles and resources to users
that are created. For more information about the various roles in HMC, see HMC tasks, user roles, IDs, and
associated commands.
Note: Ensure that you assign only the required resources and roles for users that are created on the
HMC. You can also create custom roles, if necessary.
- Enable user data replication between Hardware Management Consoles. The user data replication
can be done in Master-slave mode or Peer-Peer mode. For more information on user data replication,
see
Manage Data Replication.
- Import a certificate signed by the Certificate Authority.
Level 3 security (Optional)
If you have multiple Hardware Management Consoles and
system administrators, complete the following steps to enhance the security:
- Use centralized authentication such as LDAP or Kerberos. For more information about how to
configure LDAP, see How to Configure LDAP on HMC.
- Enable user data replication between Hardware Management Consoles.
- Ensure that HMC is in NIST SP 800-131A mode so that the HMC uses only strong ciphers.
- Block ports that are not required in the firewall. For HMC ports that can be used, see the
following table:
Table 1. Port used by the user for interaction with HMC| Port |
Description |
Type |
Protocol version (Default mode) |
Protocol Version (NIST Mode) |
|---|
| 22 |
Open SSH |
TCP |
SSH v2.0 |
SSH v2.0 |
| 123 |
NTP |
UDP |
NTP |
NTP |
| 161 |
SNMP Agent |
UDP |
SNMP v3 |
SNMP v3 |
| 162 |
SNMP Trap |
UDP |
SNMP v3 |
SNMP v3 |
| 427 |
SLP |
UDP |
NA |
NA |
| 443 |
HMC GUI and REST API |
TCP |
https (TLS 1.2, 1.1) |
https (TLS 1.2) |
| 657 |
RMC |
TCP |
RSCT (Plain text + hash and sign) |
RSCT (Plain text + hash and sign) |
| 2300 |
5250 Terminal for IBM i |
TCP |
Plain text |
Plain text |
| 2301 |
5250 Secure terminal for IBM i |
TCP |
TLS 1.2 |
TLS 1.2 |
| 5989 |
CIM (legacy, removed) |
TCP |
Non-functional |
Non-functional |
| 9900 |
FCS: HMC-HMC discovery |
UDP |
FCS |
FCS |
| 9920 |
FCS: HMC-HMC communication |
TCP |
https (TLS 1.2) |
https (TLS 1.2) |
| 9960 |
VTerm applet in GUI |
TCP |
https (TLS 1.2, 1.1) |
https (TLS 1.2) |
| 12443 |
HMC REST API (legacy port) |
TCP |
https (TLS 1.2, 1.1, 1.0 for HMC Version 8.6.0, and before) |
https (TLS 1.2) |
| 12347 |
RSCT Peer Domain |
UDP |
RSCT (Plain text + hash and sign) |
RSCT (Plain text + hash and sign) |
| 12348 |
RSCT Peer Domain |
UDP |
RSCT (Plain text + hash and sign) |
RSCT (Plain text + hash and sign) |
Note: You must use only ssh (port 22), https (port 443 and port 12443), and VTerm (port 9960) that
are exposed to an intranet. Remaining ports must be used in private or isolated network. You can use
a separate Ethernet port and VLAN for the Resource Monitoring and Control (RMC) (port 657), FCS
(port 9900 and port 9920), and RSCT Peer Domain ( port 12347 and port 12348).
