Securing the HMC

Learn how to enhance the security of your Hardware Management Console (HMC) based on your corporate security standards.

The default configuration of the HMC provides ample security for most enterprise users. With the Hardware Management Console (HMC) Version 8.4.0, or later, you can further enhance the security of the HMC based on your corporate security standards. To enhance the security of the HMC, you must set the HMC to at least Level 1 security. Depending on your environment and your corporate security requirements, you can also choose Level 2 or Level 3 security.
Note: Before changing the security level, check with your corporate security compliance team.

Level 1 security

To secure the HMC (level 1 security), complete the following steps:

  1. Change the predefined password for the default hscroot user. For more information about password policy, see Enhanced password policy.
  2. If the HMC is not in a physically secure environment, set the GRUB boot loader password by running the following command: chhmc -c grubpasswd -s enable --passwd <new grub password>
  3. If you have configured the Integrated Management Module (IMM) on the HMC, set a strong IMM password.
  4. Set a strong password for the admin user and general users on all servers.
  5. Update the HMC with the latest released security fixes. For more information about the security fixes, see IBM® Fix Central.

Level 2 security

If you have multiple users, complete the following steps to enhance the security for the HMC:

  1. Create an account for each user on the HMC and assign the required roles and resources to users. For more information about the various roles in the HMC, see HMC tasks, user roles, IDs, and associated commands.
    Note: Ensure that you assign only the required resources and roles to the users that are created on the HMC. If necessary, you can also create custom roles.
  2. Enable user data replication between different Hardware Management Consoles. The user data replication can be performed in Master-slave mode or Peer-Peer mode. For more information about user data replication, see Manage Data Replication.
  3. Import a certificate that is signed by the Certificate Authority.

Level 3 security

If you have multiple Hardware Management Consoles and system administrators, complete the following steps to enhance the security for the HMC:

  1. Use centralized authentication such as Lightweight Directory Access Protocol (LDAP) or Kerberos. For more information about configuring LDAP, see How to Configure LDAP on HMC.
  2. Enable user data replication between different Hardware Management Consoles.
  3. Ensure that the HMC is in NIST SP 800-131A mode so that the HMC uses only strong ciphers.
  4. In the firewall, block the ports that are not required. For information about the HMC ports that can be used, see the following table:
    Table 1. Ports used by the user for interaction with the HMC

    Port   Description                          Type     Protocol version (Default mode)    Protocol version (NIST mode)
    -----  -----------------------------------  -------  ---------------------------------  ---------------------------------
    22     Open SSH                             TCP      SSH v3                             SSH v3
    123    NTP                                  UDP      NTP                                NTP
    161    SNMP Agent                           UDP      SNMP v3                            SNMP v3
    162    SNMP Trap                            UDP      SNMP v3                            SNMP v3
    427    SLP                                  UDP      N/A                                N/A
    443    HMC GUI and REST API                 TCP      HTTPS (TLS 1.2)                    HTTPS (TLS 1.2)
    657    RMC                                  TCP/UDP  RSCT (Plain text + hash and sign)  RSCT (Plain text + hash and sign)
    2300   5250 Terminal for IBM i              TCP      Plain text                         Plain text
    2301   5250 Secure terminal for IBM i       TCP      TLS 1.2                            TLS 1.2
    5989   CIM (legacy port, non-functional)    TCP      Non-functional                     Non-functional
    9900   FCS: HMC-HMC discovery               UDP      FCS                                FCS
    9920   FCS: HMC-HMC communication           TCP      HTTPS (TLS 1.2)                    HTTPS (TLS 1.2)
    9960   VTerm applet in GUI                  TCP      HTTPS (TLS 1.2)                    HTTPS (TLS 1.2)
    12443  HMC REST API (legacy port)           TCP      HTTPS (TLS 1.2)                    HTTPS (TLS 1.2)
    12347  RSCT Peer Domain                     UDP      RSCT (Plain text + hash and sign)  RSCT (Plain text + hash and sign)
    12348  RSCT Peer Domain                     UDP      RSCT (Plain text + hash and sign)  RSCT (Plain text + hash and sign)
    Notes:
    • Only SSH (port 22), HTTPS (port 443 and port 12443), the 5250 secure terminal for IBM i (port 2301), and VTerm (port 9960) may be exposed to an intranet. All other ports must be used only in a private or isolated network. You can use a separate Ethernet port and VLAN for Resource Monitoring and Control (RMC) (port 657), FCS (port 9900 and port 9920), and the RSCT Peer Domain (port 12347 and port 12348).
    • Ports listed in the netstat command are used for internal processes only.
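The following Python script is an added example and is not part of the IBM documentation or of any HMC tooling. It encodes Table 1 and the first note above as an exposure policy and audits a list of ports that answered probes sent from each network zone, flagging ports that should not be reachable from the intranet and ports that are not in the table at all. The zone names ("intranet", "isolated"), the scan line format and the sample scan are assumptions constructed for the example.

```python
"""Audit which HMC ports are reachable from which network zone, using Table 1.

Added example: the scan format, zone names and the policy mapping are
assumptions derived from Table 1 and its notes, not IBM tooling.
"""
from dataclasses import dataclass

INTRANET_ZONE = "intranet"   # assumed name for the corporate intranet
ISOLATED_ZONE = "isolated"   # assumed name for the private/isolated network

# Exposure policy from Table 1 and its notes, keyed by (port, protocol):
#   intranet = may be exposed to the corporate intranet
#   isolated = must stay on the private/isolated network (separate port/VLAN)
# Port 657 appears twice because RMC uses both TCP and UDP.
HMC_PORTS = {
    (22, "tcp"):     ("Open SSH", INTRANET_ZONE),
    (123, "udp"):    ("NTP", ISOLATED_ZONE),
    (161, "udp"):    ("SNMP Agent", ISOLATED_ZONE),
    (162, "udp"):    ("SNMP Trap", ISOLATED_ZONE),
    (427, "udp"):    ("SLP", ISOLATED_ZONE),
    (443, "tcp"):    ("HMC GUI and REST API", INTRANET_ZONE),
    (657, "tcp"):    ("RMC", ISOLATED_ZONE),
    (657, "udp"):    ("RMC", ISOLATED_ZONE),
    (2300, "tcp"):   ("5250 Terminal for IBM i (plain text)", ISOLATED_ZONE),
    (2301, "tcp"):   ("5250 Secure terminal for IBM i", INTRANET_ZONE),
    (5989, "tcp"):   ("CIM (legacy port, non-functional)", ISOLATED_ZONE),
    (9900, "udp"):   ("FCS: HMC-HMC discovery", ISOLATED_ZONE),
    (9920, "tcp"):   ("FCS: HMC-HMC communication", ISOLATED_ZONE),
    (9960, "tcp"):   ("VTerm applet in GUI", INTRANET_ZONE),
    (12443, "tcp"):  ("HMC REST API (legacy port)", INTRANET_ZONE),
    (12347, "udp"):  ("RSCT Peer Domain", ISOLATED_ZONE),
    (12348, "udp"):  ("RSCT Peer Domain", ISOLATED_ZONE),
}


@dataclass(frozen=True)
class Finding:
    zone: str
    port: int
    proto: str
    service: str
    status: str   # "EXPOSED" (wrong zone) or "UNEXPECTED" (not in Table 1)
    advice: str


def audit(reachable):
    """Evaluate observed reachability against the policy.

    reachable: iterable of (zone, port, proto) tuples, each meaning the port
    answered a probe sent from that zone. Use observed reachability, not the
    local netstat listing: per the second note, netstat also shows listeners
    that serve internal processes only.
    """
    findings = []
    for zone, port, proto in reachable:
        key = (int(port), proto.lower())
        if key not in HMC_PORTS:
            findings.append(Finding(zone, key[0], key[1], "unknown", "UNEXPECTED",
                                    "not in Table 1; block unless a documented need exists"))
            continue
        service, allowed_zone = HMC_PORTS[key]
        if zone == INTRANET_ZONE and allowed_zone != INTRANET_ZONE:
            findings.append(Finding(zone, key[0], key[1], service, "EXPOSED",
                                    "restrict to the private/isolated network"))
    return findings


def parse_scan(text):
    """Parse constructed lines of the form '<zone> <port>/<proto>'; '#' starts a comment."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        zone, port_proto = line.split()
        port, proto = port_proto.split("/")
        rows.append((zone, int(port), proto))
    return rows


def audit_scan(text):
    """Convenience wrapper: parse a scan listing and audit it."""
    return audit(parse_scan(text))


# Constructed sample: ports that answered probes from each zone (not real data).
SAMPLE_SCAN = """\
# <zone probed from> <port>/<proto>
intranet 22/tcp
intranet 443/tcp
intranet 657/tcp
intranet 2300/tcp
intranet 8443/tcp
isolated 657/tcp
isolated 9920/tcp
isolated 12347/udp
"""

if __name__ == "__main__":
    for f in audit_scan(SAMPLE_SCAN):
        print(f"{f.status:10} {f.zone:9} {f.port}/{f.proto:4} {f.service}: {f.advice}")
```

On the sample input the audit reports RMC (657/tcp) and the plain-text 5250 terminal (2300/tcp) as exposed to the intranet and 8443/tcp as a port that Table 1 does not list, while the RMC, FCS and RSCT ports seen only from the isolated network pass. Feed it the results of probing the HMC's interfaces from each zone after changing firewall rules, and keep the policy table in sync with the version of Table 1 that applies to your HMC release.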