Configuration security

Operations Console security consists of service tools device authentication, device authentication, user authentication, data privacy, and data integrity.

A local console that is directly attached has implicit device authentication, data privacy, and data integrity due to its point-to-point connection. User authentication security is required to sign on to the console display.

Enhanced authentication and data encryption provide network security for console procedures. Operations Console network connections use a version of Secure Sockets Layer (SSL) that supports device and user authentication without using certificates. By default, Operations Console uses the strongest encryption available for authentication and data.

The following figure gives you an overview of your Operations Console LAN security. The access password (1), if correct, induces Operations Console to send (2) the service tools device ID (QCONSOLE) and its encrypted password to the server. The server checks the two values (3), and if they match, the server calculates a new service tools device ID password and informs the client of the change. The connection process then validates the service tools user ID and password before sending the system console display to the PC (4).


Operations Console LAN security

The console security consists of service tools device authentication, device authentication, user authentication, data privacy, data integrity, and data encryption:

Data encryption
Enhanced authentication and data encryption provide network security for console procedures. A local console on a network (LAN) uses a version of SSL that supports device and user authentication but without using certificates.
Data integrity
This security provides confidence that the console data has not changed en route to the recipient. A local console that is directly attached has the same data integrity as a twinaxial connection. If the physical connection is secure, the console data remains protected.
Data privacy
This security provides confidence that the console data can be read only by the intended recipient. A local console that is directly attached uses a physical connection similar to a twinaxial console, or a secure network connection for LAN connectivity, to protect console data. Operations Console using a direct connection has the same data privacy as a twinaxial connection. If the physical connection is secure, as discussed under Service tools device authentication, the console data remains protected. To protect the data, ensure that only authorized people have access to the console.
Device authentication
The device authentication is based on a service tools device ID. Service tools device IDs are administered in dedicated service tools (DST) and system service tools (SST). These IDs consist of a service tools device ID and a service tools device ID password. The default service tools device ID is QCONSOLE with a default password of QCONSOLE. A local console on a network (LAN) encrypts and changes the password during each successful connection. You must use the default device ID QCONSOLE to install a new server if using a local console on a network (LAN).
Important: The device authentication requires a unique service tools device ID for each PC that is configured with a local console on a network (LAN).
When using a local console on a network (LAN), the configuration wizard adds the necessary information to the PC. The configuration wizard asks for the service tools device ID name and an access password. The initial service tools device ID password defaults to the name of the service tools device ID in uppercase.
Note: The access password protects the service tools device ID information (service tools device ID and password) on the PC.
When establishing a network connection, the Operations Console configuration wizard prompts you for the access password to access the encrypted service tools device ID and password. The user is also prompted for a valid service tools user ID and password.
Service tools device authentication
This security ensures that one physical device is the console. A local console that is directly attached is a physical connection similar to a twinaxial console. The serial cable you use for Operations Console with a direct connection can be physically secured, in the same way as a twinaxial connection, to control access to the physical console device.
User authentication
This security provides assurance as to who is using the service device. All problems related to user authentication are the same regardless of console type. For more information, see Service tools user IDs and passwords.
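The numbered exchange in the figure overview and the device authentication description above can be followed more easily as a small model. The following Python is an added example, not IBM's code or protocol: it models the PC keeping the service tools device ID password encrypted under the access password, the server checking the presented password and issuing a fresh one after every successful connection, and the user authentication step that follows. The key derivation, the XOR stand-in for encryption, the password hashing, the message shapes and the sample passwords are all assumptions. It also shows the password mismatch that arises when a PC is exchanged and its configuration is re-created from the defaults, and the resynchronization by resetting the device ID on the server.

```python
"""Constructed model of the Operations Console LAN device authentication
handshake. Not IBM's protocol: key derivation, XOR stand-in for encryption,
hashing and message shapes are assumptions made for illustration."""
import hashlib
import hmac
import secrets

DEFAULT_DEVICE_ID = "QCONSOLE"  # default ID; default password is the ID in uppercase


def _keystream(access_password: str, salt: bytes, length: int) -> bytes:
    # Key derived from the access password (PBKDF2 parameters are assumptions).
    return hashlib.pbkdf2_hmac("sha256", access_password.encode(), salt, 100_000, length)


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, key))


def _pw_hash(password: bytes, salt: bytes) -> bytes:
    # Server-side salted hash; the server never stores a plaintext device password.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


class ConsolePc:
    """PC side: device ID plus device password, encrypted under the access password."""

    def __init__(self, device_id: str, device_password: str, access_password: str):
        self.device_id = device_id
        self.salt = secrets.token_bytes(16)
        self._store(device_password, access_password)

    def _store(self, device_password: str, access_password: str) -> None:
        pt = device_password.encode()
        self.blob = _xor(pt, _keystream(access_password, self.salt, len(pt)))

    def _open(self, access_password: str) -> bytes:
        # A wrong access password yields garbage bytes, which the server will reject.
        return _xor(self.blob, _keystream(access_password, self.salt, len(self.blob)))

    def connect(self, server, access_password, user_id, user_password) -> str:
        presented = self._open(access_password)                 # (1) unlock, (2) send
        new_password = server.authenticate_device(self.device_id, presented)  # (3)
        if new_password is None:
            return "DEVICE_AUTH_FAILED"
        self._store(new_password, access_password)              # PC keeps the rotated password
        if not server.authenticate_user(user_id, user_password):  # (4) user check
            return "USER_AUTH_FAILED"
        return "CONSOLE_DISPLAY"


class Server:
    """Server side: service tools device IDs and user IDs, stored as salted hashes."""

    def __init__(self):
        self.devices = {}
        self.users = {}
        self.reset_device_id(DEFAULT_DEVICE_ID)

    def reset_device_id(self, device_id: str) -> None:
        # A reset (control panel or DST/SST) restores the password to the ID in uppercase.
        self._set_device_password(device_id, device_id.upper())

    def _set_device_password(self, device_id: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.devices[device_id] = (salt, _pw_hash(password.encode(), salt))

    def add_user(self, user_id: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[user_id] = (salt, _pw_hash(password.encode(), salt))

    def authenticate_device(self, device_id: str, presented: bytes):
        entry = self.devices.get(device_id)
        if entry is None:
            return None
        salt, expected = entry
        if not hmac.compare_digest(_pw_hash(presented, salt), expected):
            return None                      # no rotation on failure
        new_password = secrets.token_hex(16)  # fresh password after every success
        self._set_device_password(device_id, new_password)
        return new_password

    def authenticate_user(self, user_id: str, password: str) -> bool:
        entry = self.users.get(user_id)
        if entry is None:
            return False
        salt, expected = entry
        return hmac.compare_digest(_pw_hash(password.encode(), salt), expected)


def run_scenarios() -> dict:
    """Walks through normal use, a wrong access password, a wrong user password,
    an exchanged PC whose stored password is stale, and the resynchronization."""
    server = Server()
    server.add_user("QSECOFR", "changed-from-default")  # constructed sample password
    pc = ConsolePc(DEFAULT_DEVICE_ID, DEFAULT_DEVICE_ID, "access-pw-1")
    ok = ("access-pw-1", "QSECOFR", "changed-from-default")
    r = {}
    r["first"] = pc.connect(server, *ok)
    r["second"] = pc.connect(server, *ok)                   # rotated password still in sync
    r["wrong_access"] = pc.connect(server, "wrong", "QSECOFR", "changed-from-default")
    r["wrong_user"] = pc.connect(server, "access-pw-1", "QSECOFR", "bad")
    replacement = ConsolePc(DEFAULT_DEVICE_ID, DEFAULT_DEVICE_ID, "access-pw-1")
    r["stale_pc"] = replacement.connect(server, *ok)        # mismatch: server has rotated
    server.reset_device_id(DEFAULT_DEVICE_ID)               # resynchronize on the server
    r["after_resync"] = replacement.connect(server, *ok)
    r["old_pc_after_resync"] = pc.connect(server, *ok)      # the original PC is now stale
    return r
```

Two design points carry over to the real product as described on this page: the server rotates the password only after a successful check, so a failed attempt (wrong access password, stale PC) leaves both sides where they were, and because every successful connection moves the password away from the default, the QCONSOLE/QCONSOLE pair is usable only until the first successful connection or the next reset on the server.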

Security administration

Operations Console administration allows system administrators to control access to console functions, including the remote control panel and virtual control panel. When using a local console on a network (LAN), device and user authentication are controlled through the service tools device IDs and service tools user IDs.

Important: Consider the following when administering a local console on a network (LAN):
  • For more information about service tools user IDs, see Service tools user IDs and passwords.
  • For the remote control panel, mode selections require security authorization for the user that authenticates the connection, such as that provided by QSECOFR. Also, when connecting the remote control panel using a network, the service tools device ID must have authority to the control panel data on the system or the logical partition that the remote control panel connects to.
  • When a mismatch occurs in the service tools device ID password between the server and the Operations Console PC, resynchronize the password on both the PC and the server. However, the PC should auto-synchronize after the service tools device ID password is reset at the server on the next connection. For more information on resynchronizing the passwords, see Resynchronize the PC's and the server's service tools device ID passwords. A mismatch occurs, for example, if your PC is exchanged and you need to re-create your connection configuration.
  • Since QCONSOLE is a default service tools device ID, you can elect not to use this device ID.
    Important: To prevent unauthorized access, you can temporarily configure a connection using this ID and connect successfully. Then delete the configuration, but do not reset the device ID on the server. Because the successful connection changed the password away from its default, an unauthorized person can no longer use the known default service tools device ID. If you need to use this device ID later, you can reset it at that time using the control panel or menus.
  • If you implement a network security tool that probes ports for intrusion protection, be aware that Operations Console uses ports 449, 2300, 2301, 2323, 3001, and 3002 for normal operations. Port 2301 is used for the console on a logical partition running Linux® and is also vulnerable to probes. If your tool were to probe any of these ports, it might cause you to lose the console, which would require you to restart the server to recover the console. These ports should be excluded from intrusion protection tests.

Security protection tips

When using a local console on a network (LAN), review the following items:

  1. Create an additional backup service tools device ID for each PC that is used as a console with any required console and control panel attributes for use in an emergency.
  2. Choose a nontrivial access password.
  3. Protect the Operations Console PC in the same manner you would protect a twinaxial console or a local console directly attached.
  4. Change your password for the following DST user IDs: QSECOFR, 22222222, and QSRV.
  5. Add backup service tools user IDs with enough authority to enable or disable user and service tools device IDs.
