Managing secure service accounts
About this task
The DS Service GUI is a management console (HMC) interface for use by IBM® Hardware Support. Access to the HMC is managed through the DS Service GUI. As an administrator, you can manage users, user roles, and authentication methods. The recommended practice for account management is to create personal IDs to enable individual accountability. The DS Service GUI on the HMC also supports remote authentication and centralized user ID and password control through LDAP.
To add or manage users from the DS Service GUI, select HMC Management in the left-hand pane. Then select Manage User Profiles and Access. When creating additional users, use only the predefined roles esshmccustomer or esshmcserv, as listed in Table 1. Do not create users with the user role esshmcpe, which is reserved for IBM Support.
To configure remote authentication from the DS Service GUI, select HMC Management in the left-hand pane. Then select Configure LDAP.
Predefined users | User role | Access requirement |
---|---|---|
customer | esshmccustomer | Requires a password for access regardless of authentication method. |
CE | esshmcserv | Local access only. Requires an IBM Support Representative to be at the HMC. |
PE | esshmcpe | Requires the IBM proprietary challenge/response key for remote access. |

Role | esshmccustomer | esshmcserv | esshmcpe |
---|---|---|---|
Access | Administration | Service (IBM SSR) | Service (IBM Remote Support) |
Default user ID | customer | IBM use only | IBM use only |
Default password | cust0mer | IBM use only | IBM use only |
Remove last user in this role | No | If the last user in this role is removed, the default user in this role will be created at the next HMC reboot. | If the last user in this role is removed, the default user in this role will be created at the next HMC reboot. This user should not be deleted. Do not create users with this role. |
Backup and restore in the event of HMC rebuild | Yes | Yes | Yes |
LDAP Authentication | Yes | Yes | Yes. Additionally, the default user with this role can log in only by using the IBM proprietary challenge/response process. |
Note: The user IDs root and hscroot are not login IDs and cannot be accessed externally.
Follow these recommended practices to manage access to your service account in the DS Service GUI and remote access by IBM Hardware Support.
Procedure
Complete the following steps to achieve the level of secure access that is required for service accounts on your storage system.