Solving common problems while securing the HMC

Learn how to solve some problems that you might encounter when you secure the HMC.

How to secure the connection between the Hardware Management Console (HMC) and the system?

The HMC connects to the system through the Flexible Service Processor (FSP). A proprietary binary protocol, the Network Client protocol (NETC), is used to manage both the FSP and the Power® hypervisor. The following table lists the FSP ports that the HMC uses and the protocol version that each port accepts in the default security mode and in NIST SP 800-131A mode:
Table 1. Ports on the FSP that are used to interact with the HMC

Port on FSP | Description | Protocol version (default mode) | Protocol version (NIST mode)
443 | Advanced System Management Interface (ASMI) | HTTPS (TLS 1.2) | HTTPS (TLS 1.2)
30000 | NETC | NETC over TLS 1.2; falls back to SSLv3 to support older firmware | NETC over TLS 1.2 only
30001 | VTerm | NETC over TLS 1.2; falls back to SSLv3 to support older firmware | NETC over TLS 1.2 only

The SSLv3 fallback in the default mode is the reason to enable NIST mode on an HMC that manages only current firmware: in NIST mode the fallback is not offered, so the NETC and VTerm ports accept TLS 1.2 only.
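As an added example that is not part of the IBM page, the following shell script probes which TLS versions a port negotiates, so that you can confirm from the network side that a TLS 1.2-only configuration is in effect after switching to NIST mode. It assumes the openssl command-line tool on the host you run it from, and it assumes that ports 30000 and 30001 begin with a standard TLS handshake in the same way that port 443 does (only the handshake is tested, never the NETC protocol behind it). Modern OpenSSL builds cannot offer SSLv3 at all, so the script tests the TLS 1.0 and TLS 1.1 offers, which a TLS 1.2-only endpoint must also refuse.

```shell
#!/bin/sh
# Added example (not from the IBM page): probe which TLS versions an FSP or HMC
# port negotiates. Assumes the openssl CLI is installed on the management host
# and that the probed port starts with a standard TLS handshake (assumed for the
# NETC ports 30000/30001; true for 443).

# probe_tls HOST PORT PROTO_FLAG
# Returns 0 if the server completes a handshake with the given openssl protocol
# flag (-tls1, -tls1_1, -tls1_2, -tls1_3), 1 otherwise. A failure means "not
# negotiated": either the server refused that version, or this client's OpenSSL
# build/policy refuses to offer it. Re-run the same s_client command without the
# redirections to read the alert when a result looks surprising.
probe_tls() {
    host=$1; port=$2; flag=$3
    openssl s_client -connect "$host:$port" "$flag" </dev/null >/dev/null 2>&1
}

# negotiated_protocol HOST PORT
# Prints the protocol the server picks when the client offers everything it has
# (the "Protocol  : TLSv1.2" line of the s_client session summary).
negotiated_protocol() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null \
        | sed -n 's/^ *Protocol *: *//p' | head -n 1
}

# legacy_tls_accepted HOST PORT
# Returns 0 and prints the offending versions if the port still negotiates
# TLS 1.0 or TLS 1.1; returns 1 if both offers are refused.
legacy_tls_accepted() {
    found=1
    for flag in -tls1 -tls1_1; do
        if probe_tls "$1" "$2" "$flag"; then
            echo "$1:$2 accepts ${flag#-}"
            found=0
        fi
    done
    return $found
}

# Usage: sh probe_fsp_tls.sh <fsp-address>
# Walks the three FSP ports from Table 1. The address is supplied by the caller.
if [ -n "$1" ]; then
    for port in 443 30000 30001; do
        echo "$1:$port negotiates: $(negotiated_protocol "$1" "$port")"
        legacy_tls_accepted "$1" "$port" \
            || echo "$1:$port refuses TLS 1.0 and TLS 1.1 (expected in NIST mode)"
    done
fi
```

Run it once before and once after enabling NIST mode on the HMC; the NETC and VTerm ports should report TLSv1.2 both times, but the legacy offers must be refused afterwards.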

How to lock the HMC?

If you want to enhance the security of your infrastructure, you can use an Intrusion Prevention System (IPS) device or place all Hardware Management Consoles and IBM® Power systems servers behind a firewall. You can also disable network services on the HMC if you do not use it remotely or if you want to lock the HMC down. To disable network services on the HMC, complete the following steps:
  1. Disable remote command execution over SSH.
  2. Disable remote virtual terminal (VTerm) access.
  3. Disable remote web access (HMC graphical user interface and REST API).
  4. Block the remaining ports in the HMC firewall by using the HMC network settings for each configured Ethernet adapter.

How to set the HMC in NIST SP 800-131A compliance mode?

With HMC Version 8.1.0 or later, when you set the HMC in NIST SP 800-131A compliance mode, only the strong ciphers that NIST SP 800-131A lists are supported. You might not be able to connect to older Power systems servers, such as POWER5 servers, whose firmware does not support Transport Layer Security (TLS) 1.2. For more information about changing the security mode, see HMC V8R8 NIST mode.

How to view and change ciphers that are used by the HMC?

With HMC Version 8.1.0 or later, the HMC supports the more secure cipher sets that are defined in NIST SP 800-131A. The ciphers that are used in the default mode are strong. To see the encryption ciphers that the HMC uses, run the lshmcencr command. If your corporate standards require a different set of ciphers, run the chhmcencr command to modify them.

To list the encryption ciphers that the HMC uses to encrypt user passwords, run the following command:
lshmcencr -c passwd -t c
To list the encryption ciphers that the HMC web user interface and REST API can currently use, run the following command:
lshmcencr -c webui -t c
To list the encryption ciphers and MAC algorithms that the HMC SSH interface can currently use, run the following commands:
lshmcencr -c ssh -t c
lshmcencr -c sshmac -t c

How to check the strength of the certificate on the HMC?

The self-signed certificates that the HMC generates use a 2048-bit RSA key with a SHA-256 signature, which is strong. If you use CA-signed certificates, ensure that the key is not 1024-bit RSA, which is weak, and that the certificate is not signed with SHA-1. The HMC uses the following certificates:
  • Port 443 (HMC graphical user interface and REST API): this certificate can be replaced with a CA-signed certificate.
  • Port 9920 (HMC-to-HMC communication): this certificate cannot be replaced with your own certificate.
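The following shell functions, added here as an example rather than taken from the IBM page, extract the key size and signature algorithm from a certificate with the openssl command and apply the thresholds above (an RSA key of at least 2048 bits, no MD5 or SHA-1 signature). fetch_hmc_cert saves the certificate that a live HMC presents on port 443 or 9920 so that the same check can be applied to it; the host name and file names in the usage section are placeholders.

```shell
#!/bin/sh
# Added example (not from the IBM page): check the key size and signature
# algorithm of an X.509 certificate, from a PEM file or fetched live from an HMC.
# Assumes the openssl CLI on the management host.

# cert_key_bits PEMFILE: prints the public key size in bits (matches both the
# "RSA Public-Key: (2048 bit)" and the "Public-Key: (2048 bit)" spelling).
cert_key_bits() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# cert_sig_alg PEMFILE: prints the signature algorithm, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# cert_is_strong PEMFILE: returns 0 when the key is at least 2048 bits and the
# signature is not MD5 or SHA-1; prints each reason and returns 1 otherwise.
# The 2048-bit threshold is for RSA keys, which is what the HMC uses; an EC
# certificate would be reported as weak by this size test and needs its own rule.
cert_is_strong() {
    bits=$(cert_key_bits "$1"); alg=$(cert_sig_alg "$1"); rc=0
    if [ -z "$bits" ] || [ "$bits" -lt 2048 ]; then
        echo "weak key: ${bits:-unknown} bits (need at least 2048)"; rc=1
    fi
    case "$alg" in
        *md5*|*MD5*|*sha1*|*SHA1*) echo "weak signature: $alg"; rc=1 ;;
    esac
    return $rc
}

# fetch_hmc_cert HOST PORT OUTFILE: save the leaf certificate presented on
# HOST:PORT (443 for the GUI/REST API, 9920 for HMC-to-HMC traffic) as PEM.
fetch_hmc_cert() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# Usage: sh check_hmc_cert.sh <hmc-address>   (address supplied by the caller)
if [ -n "$1" ]; then
    for port in 443 9920; do
        fetch_hmc_cert "$1" "$port" "/tmp/hmc-$port.pem"
        echo "$1:$port key=$(cert_key_bits "/tmp/hmc-$port.pem") bits, sig=$(cert_sig_alg "/tmp/hmc-$port.pem")"
        cert_is_strong "/tmp/hmc-$port.pem" && echo "$1:$port certificate is strong"
    done
fi
```

Because the port 9920 certificate cannot be replaced, a finding there is information for the HMC upgrade plan rather than something you can fix with a CSR; a finding on port 443 is fixed by importing a stronger CA-signed certificate.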

How to choose between a self-signed certificate (default) or a CA signed certificate?

The HMC generates a self-signed certificate automatically during installation. You can instead generate a Certificate Signing Request (CSR) on the HMC, have a Certificate Authority issue a certificate for it, and import that certificate into the HMC. Ensure that the HMC also has a DNS name and that the name in the certificate matches it, so that clients can verify the host they connect to. For more details about managing certificates in the HMC, see Manage Certificates.

How to audit the HMC?

An audit of the Hardware Management Consoles focuses on the configured ciphers and on the activity of the various HMC users. Use the following commands to view the configured ciphers:
Table 2. Ciphers that are used by the HMC

Purpose | Command
Password encryption (global setting) | lshmcencr -c passwd -t c
Password encryption for each user | lshmcusr -F name:password_encryption
SSH ciphers | lshmcencr -c ssh -t c
SSH MAC algorithms | lshmcencr -c sshmac -t c
Ciphers that are used for the HMC graphical user interface and REST API | lshmcencr -c webui -t c
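As an added example that is not part of the IBM page, the following shell functions take the text printed by the lshmcencr and lshmcusr commands from Table 2 (and from the "How to view and change ciphers" section) and flag algorithms that current hardening guidance rejects: RC4/arcfour, 3DES, CBC modes, MD5 or SHA-1 based and truncated MACs, TLS cipher suites with RC4, DES, MD5, NULL, export or anonymous key exchange, and password hashes other than SHA-256/SHA-512. The output formats are assumptions: a comma-separated (or one-per-line) algorithm list for lshmcencr -t c, and one name:algorithm line per user for lshmcusr -F name:password_encryption. The sample values in the functions' comments are constructed, and audit_hmc assumes key-based SSH login as hscroot.

```shell
#!/bin/sh
# Added example (not from the IBM page): flag weak algorithms in captured HMC
# command output. Output formats are ASSUMED: comma-separated or one-per-line
# lists from "lshmcencr -c <ssh|sshmac|webui> -t c", and "user:algorithm" lines
# from "lshmcusr -F name:password_encryption".

# Conservative reject lists (extended regular expressions, matched case-insensitively).
WEAK_SSH_CIPHERS='arcfour|3des|blowfish|cast128|-cbc'
WEAK_SSH_MACS='md5|ripemd|hmac-sha1|umac-64|-96'
WEAK_TLS_CIPHERS='RC4|3DES|DES|MD5|NULL|EXP|ADH|AECDH|anon'

# weak_items LIST REGEX: prints each item of LIST (comma- or newline-separated)
# that matches REGEX. Returns 0 if anything was printed (a finding), 1 if clean.
weak_items() {
    echo "$1" | tr ',' '\n' | sed 's/^ *//;s/ *$//' | grep -E -i "$2"
}

# e.g. weak_ssh_ciphers 'aes128-ctr,3des-cbc' prints 3des-cbc
weak_ssh_ciphers()   { weak_items "$1" "$WEAK_SSH_CIPHERS"; }
# e.g. weak_ssh_macs 'hmac-sha2-256,hmac-md5' prints hmac-md5
weak_ssh_macs()      { weak_items "$1" "$WEAK_SSH_MACS"; }
# e.g. weak_webui_ciphers 'ECDHE-RSA-AES256-GCM-SHA384,RC4-SHA' prints RC4-SHA
weak_webui_ciphers() { weak_items "$1" "$WEAK_TLS_CIPHERS"; }

# weak_password_users TEXT: prints "user:algorithm" for every user whose stored
# password hash algorithm is not sha256 or sha512. Returns 1 when all are fine.
weak_password_users() {
    echo "$1" | grep -E -v -i ':sha(256|512)$' | grep ':'
}

# audit_hmc HMCHOST: capture the real command output over SSH (assumes key-based
# login as hscroot) and feed it to the checks above. Each check prints its
# findings, or a "clean" line when nothing matched.
audit_hmc() {
    h=$1
    weak_ssh_ciphers   "$(ssh "hscroot@$h" lshmcencr -c ssh -t c)"    || echo "ssh ciphers: clean"
    weak_ssh_macs      "$(ssh "hscroot@$h" lshmcencr -c sshmac -t c)" || echo "ssh macs: clean"
    weak_webui_ciphers "$(ssh "hscroot@$h" lshmcencr -c webui -t c)"  || echo "webui ciphers: clean"
    weak_password_users "$(ssh "hscroot@$h" lshmcusr -F name:password_encryption)" \
        || echo "password hashes: clean"
}

# Usage: sh audit_hmc_ciphers.sh <hmc-address>   (address supplied by the caller)
if [ -n "$1" ]; then
    audit_hmc "$1"
fi
```

Note that hmac-sha1 is flagged here as a hardening choice rather than a NIST SP 800-131A violation (that standard still accepts SHA-1 inside HMAC); adjust the reject lists to the policy you are auditing against, and remove any offending entry with chhmcencr.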
Use the following commands to view the logged-on users and the console and serviceable events that record their activity in the HMC:
Table 3. Commands to view logged-on users and console or serviceable events in the HMC

Information | Command
GUI users | lslogon -r webui -u
GUI tasks | lslogon -r webui -t
CLI users | lslogon -r ssh -u
CLI tasks | lslogon -r ssh -t
Operations on the HMC | lssvcevents -t console -d <number of days>
Operations on a managed system | lssvcevents -t hardware -m <managed system> -d <number of days>

Centralized monitoring of HMC events: if you have many Hardware Management Consoles, configure rsyslog on each HMC to forward its logs to a central log server, so that the usage data from all consoles is collected in one place.

How does IBM fix the HMC security vulnerabilities?

IBM has a security incident response process that is run by the IBM Product Security Incident Response Team (PSIRT), a global team that manages the receipt, investigation, and internal coordination of security vulnerability information that is related to IBM offerings. Open source and IBM components that are shipped with the HMC are actively monitored and analyzed. IBM provides interim fixes and security fixes for all supported releases of the HMC.

How to track new interim fixes on the HMC?

The security bulletin contains information about the vulnerability and interim fixes for supported HMC versions. To track interim fixes on the HMC, you can: