Managing secure service accounts

About this task

The DS Service GUI is a management console (HMC) interface for use by IBM® Hardware Support. Access to the HMC is managed through the DS Service GUI. As an administrator you can manage users, user roles, and authentication methods. The recommended practice for account management is to create personal IDs to enable individual accountability. The DS Service GUI on the HMC also supports remote authentication and centralized user ID and password control through LDAP.

To add or manage users from the DS Service GUI, select HMC Management in the left-hand pane. Then select Manage User Profiles and Access. When creating additional users, use only the predefined roles esshmccustomer or esshmcserv as listed in Table 1. Do not create users with the user role esshmcpe; that role is reserved for IBM Support.

To configure remote authentication from the DS Service GUI, select HMC Management in the left-hand pane. Then select Configure LDAP.

There are three predefined users for Customer, Service, and Engineering as shown in Table 1.
Table 1.
| Predefined user | User role      | Access requirement |
|-----------------|----------------|--------------------|
| customer        | esshmccustomer | Requires a password for access regardless of authentication method. |
| CE              | esshmcserv     | Local access only. Requires an IBM Support Representative to be at the HMC. |
| PE              | esshmcpe       | Requires the IBM proprietary challenge/response key for remote access. |
The roles, access, and properties for each user ID are described in Table 2.
Table 2.
| Property | esshmccustomer | esshmcserv | esshmcpe |
|----------|----------------|------------|----------|
| Access | Administration | Service (IBM SSR) | Service (IBM Remote Support) |
| Default user ID | customer | IBM use only | IBM use only |
| Default password | cust0mer | IBM use only | IBM use only |
| Remove last user in this role | No | If the last user in this role is removed, the default user in this role will be created at the next HMC reboot. | If the last user in this role is removed, the default user in this role will be created at the next HMC reboot. This user should not be deleted. No users with this role should be made. |
| Backup and restore in the event of HMC rebuild | Yes | Yes | Yes |
| LDAP authentication | Yes | Yes | Yes; additionally, the default user with this role can log in only by using the IBM proprietary challenge/response process. |

Note: the user IDs root and hscroot are not login IDs and cannot be accessed externally. Follow these recommended practices to manage access to your service account in the DS Service GUI and remote access by IBM Hardware Support.

Procedure

Complete the following steps to achieve the level of secure access that is required for service accounts on your storage system.

  1. Assign one or more service administrators to manage service on your storage system.
  2. Access the DS Service GUI from a web browser on a system that has network access to the Hardware Management Console (HMC) at https://HMC_IP/service, where HMC_IP is the IP address or host name of the HMC. You can also access the DS Service GUI from the link on the login page of the DS8000® Storage Management GUI.
  3. Log in to the DS Service GUI by using the service administrator account. You will be required to change the password at the first login. The service administrator account is pre-configured with user ID (customer) and password (cust0mer). Create additional administrative users with the role esshmccustomer as needed for administration tasks.
  4. Add or modify other users for IBM Hardware Support as needed using the esshmcserv role. When creating new users with this role, the default user property does not allow remote access, requiring IBM Hardware Support to be at the console locally. This can be changed for each user under User Properties.
  5. Determine how you want IBM Remote Support to access your storage system and set remote service access controls accordingly. Before installation of the storage system, your IBM service representative consults with you about the types of remote service access available. Assist On-site (AOS) is the preferred method of secure remote service. AOS provides a mechanism to establish a secure network connection to IBM over the internet with SSL encryption. It can be configured so that the service administrator must approve remote service access and can monitor remote service activity. For more details, see information about remote support settings.
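The steps above are carried out in the DS Service GUI, but the resulting user list is worth re-checking periodically against the guidance given here: only the predefined roles esshmccustomer and esshmcserv should be assigned to new users, no extra users should carry esshmcpe, esshmcserv users normally keep remote access disabled, and administration should go through personal IDs rather than the shared customer ID. The following script is an added example and not IBM code; it assumes you have recorded the HMC user list by hand as a CSV with the columns user_id, role and remote_access (that export format, the column names, and the sample rows are all constructed assumptions, not something the DS Service GUI produces).

```python
"""Audit a hand-recorded HMC user inventory against the DS Service GUI
account guidance. Added example, not IBM code. The CSV layout
(user_id,role,remote_access) is an assumption for this example."""
import csv
import io

# Roles the guidance lets administrators assign to new users (Table 1).
ALLOWED_ROLES = {"esshmccustomer", "esshmcserv"}
# Role reserved for IBM Support: no additional users should carry it.
RESERVED_ROLE = "esshmcpe"
# Default IDs the HMC creates itself for each role (Table 1).
DEFAULT_IDS = {"customer", "CE", "PE"}

# Constructed sample inventory; not taken from a real HMC.
SAMPLE_INVENTORY = """user_id,role,remote_access
customer,esshmccustomer,no
alice.admin,esshmccustomer,no
CE,esshmcserv,no
ibm.ssr1,esshmcserv,yes
PE,esshmcpe,yes
contractor1,esshmcpe,yes
ops.team,esshmcops,no
"""


def audit_users(csv_text):
    """Return a list of (user_id, finding) tuples for rows that deviate
    from the guidance. An empty list means nothing was flagged."""
    findings = []
    personal_admins = 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        uid = row["user_id"].strip()
        role = row["role"].strip()
        remote = row["remote_access"].strip().lower() == "yes"

        # Only the default PE user may hold esshmcpe.
        if role == RESERVED_ROLE and uid not in DEFAULT_IDS:
            findings.append((uid, "esshmcpe assigned to a non-default user; "
                                  "that role is reserved for IBM Support"))
        # Anything outside the predefined roles is out of policy.
        elif role not in ALLOWED_ROLES and role != RESERVED_ROLE:
            findings.append((uid, f"role {role!r} is not a predefined role"))

        # New esshmcserv users default to local-only access; remote
        # access is a per-user change that should be deliberate.
        if role == "esshmcserv" and remote and uid not in DEFAULT_IDS:
            findings.append((uid, "esshmcserv user permits remote access; "
                                  "confirm this was intended"))

        if role == "esshmccustomer" and uid not in DEFAULT_IDS:
            personal_admins += 1

    # Individual accountability needs personal IDs, not only 'customer'.
    if personal_admins == 0:
        findings.append(("__policy__", "only the default customer ID holds "
                                       "the administration role; create "
                                       "personal IDs"))
    return findings


if __name__ == "__main__":
    for user_id, finding in audit_users(SAMPLE_INVENTORY):
        print(f"{user_id}: {finding}")
```

Run against the constructed sample, the script flags contractor1 (extra esshmcpe user), ops.team (undefined role) and ibm.ssr1 (esshmcserv with remote access enabled), while the default PE and CE users pass. The checks are intentionally read-only: the script reports deviations for an administrator to correct in the DS Service GUI and never modifies anything itself.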