POWER7 information

Setting the security mode for service processor

You can use the Advanced System Management Interface (ASMI) to set or display the security modes at which the service processor runs.

The security mode can be set from ASMI only if the system is not managed by a Hardware Management Console (HMC). For HMC-managed systems, the ASMI displays the security mode as a read-only value, which is the current security setting of the service processor.

To perform this operation, you must have one of the following authority levels:
  • Administrator
  • Authorized service provider

To set the security mode, complete the following steps:

Note: The following procedure applies only to the following systems running on the specified HMC versions.

For systems running on HMC version 7.30:

  • IBM® Power® 710 Express and IBM Power 730 Express (8231-E2B)
  • IBM Power 720 Express (8202-E4B)
  • IBM Power 740 Express (8205-E6B)
  • IBM Power 750 (8233-E8B)
  • IBM Power 755 (8236-E8C)
  • IBM Power 770 (9117-MMB)
  • IBM Power 780 (9179-MHB)

For systems running on HMC version 7.40:

  • IBM Power 710 Express (8231-E1C)
  • IBM Power 720 Express (8202-E4C)
  • IBM Power 730 Express (8231-E2C)
  • IBM Power 740 Express (8205-E6C)

For systems running on HMC version 7.60:

  • IBM Power 770 (9117-MMD)
  • IBM Power 780 (9179-MHD)
  • IBM Power ESE (8412-EAD)
  • IBM Power 795 (9119-FHB)

  1. On the ASMI Welcome pane, specify your user ID and password, and click Log In.
  2. In the navigation area, expand System Configuration > Security Configuration.
  3. Select one of the following security modes and click Save settings to update the security mode of the service processor.
    DEFAULT:
    This mode enables interoperability with an HMC that has no TLS support while providing a high security level. Choose this mode when the HMC has no TLS support and the CIM client and browsers are capable of communication over TLSv1.2 (currently, only Microsoft Internet Explorer 8.0 or later). SSLv3 is enabled only on the service processor communication interface with the HMC.
    ENABLED:
    This mode provides a basic security level and is suitable for interoperability with the HMC, CIM client, and browsers that do not support TLS. SSLv3 is enabled on all service processor communication interfaces.
    DISABLED:
    This mode uses TLSv1.2 to provide a very high security level. Choose this mode when the HMC, CIM client, and browsers are all capable of communication over TLSv1.2 (currently, only Microsoft Internet Explorer 8.0 or later). SSLv3 is disabled on all service processor communication interfaces.
    Notes:
    • Changing the SSL security mode is only allowed on the primary service processor.
    • A successful update of the security mode causes the ASMI connection to be reset, and the browser might not be able to confirm the successful completion of the operation. Reload the menu after 5 - 10 seconds to verify that the security mode has been changed.

Note: The following procedure applies only to the following systems running on the specified HMC versions.

For systems running on HMC version 7.31 or later:

  • IBM Power 775 Supercomputer (9125-F2C)

  1. On the ASMI Welcome pane, specify your user ID and password, and click Log In.
  2. In the navigation area, expand System Configuration > Security Configuration.
  3. Select one of the following security modes and click Save settings to update the security mode of the service processor.
    DEFAULT:
    This mode provides interoperability for various interfaces along with security. It allows SSLv3 and higher for the HMC interface, TLSv1.0 or higher for the ASMI, and TLSv1.2 for CIM client. This mode allows a connection from an HMC that does not support TLS.
    ENABLED:
    This mode provides a basic security level and is suitable for interoperability with the HMC, CIM client, and browsers that do not support TLS. SSLv3 is enabled on all service processor communication interfaces.
    DISABLED:
    This mode provides a high security level by disabling SSLv3 on all service processor communication interfaces. It uses TLSv1.2 for the HMC and CIM interfaces and TLSv1.0 or higher for the ASMI.
    Notes:
    • Changing the SSL security mode is only allowed on the primary service processor.
    • A successful update of the security mode causes the ASMI connection to be reset, and the browser might not be able to confirm the successful completion of the operation. Reload the menu after 5 - 10 seconds to verify that the security mode has been changed.

Note: The following procedure applies only to the following systems running on the specified HMC versions.

For systems running on HMC version 7.70 or later:

  • IBM Power 720 Express (8202-E4B, 8202-E4C, and 8202-E4D)
  • IBM Power 740 Express (8205-E6B, 8205-E6C, and 8205-E6D)
  • IBM Power 710 Express (8231-E1C, 8231-E1D, and 8268-E1D)
  • IBM Power 730 Express (8231-E2B, 8231-E2C, and 8231-E2D)
  • IBM Power 750 (8408-E8D)
  • IBM Power 760 (9109-RMD)
  • IBM Power 770 (9117-MMC)
  • IBM Power 780 (9179-MHC)

For systems running on HMC version 7.80 or later:

  • IBM Power 770 (9117-MMB and 9117-MMD)
  • IBM Power 780 (9179-MHB and 9179-MHD)
  • IBM Power ESE (8412-EAD)
  • IBM Power 795 (9119-FHB)

  1. On the ASMI Welcome pane, specify your user ID and password, and click Log In.
  2. In the navigation area, expand System Configuration > Security Configuration.
  3. Select one of the following security modes and click Save settings to update the security mode of the service processor.
    LEGACY:
    Supports connections to the service processor from earlier clients and from clients that connect by using any security mode. SSLv3 is enabled on all service processor communication interfaces.
    Note: This is the default security mode.
    NIST_COMPACT:
    Allows the service processor to run in the highest security mode. This setting might not allow some earlier clients to connect with the service processor. This mode enables interoperability with an HMC that has no TLS support while providing a high security level. Choose this mode when the HMC has no TLS support and the CIM client and browsers are capable of communication over TLSv1.2 (currently, only Microsoft Internet Explorer 8.0 or later). SSLv3 is enabled only on the service processor communication interface with the HMC.
    NIST_SP800_131A:
    This setting provides security strength in compliance with NIST SP800-131A recommendations. This mode uses TLSv1.2 to provide a very high security level. Choose this mode when the HMC, CIM client, and browsers are all capable of communication over TLSv1.2 (currently, only Microsoft Internet Explorer 8.0 or later). SSLv3 is disabled on all service processor communication interfaces.
    Note: Use this option when:
    • There is no HMC managing this service processor.
    • The HMC managing the service processor does not have NIST support. When a NIST-capable HMC is managing the service processor, this security mode setting is taken from the HMC. The current security mode configuration may be lost when a NIST-capable HMC connects to the HMC.
    Note: A successful update of the security mode causes the ASMI connection to be reset, and the browser might not be able to confirm the successful completion of the operation. Reload the menu after 5 - 10 seconds to verify that the security mode has been changed.
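
Beyond reloading the menu, the protocol versions that the browser-facing ASMI interface accepts can be checked from a workstation after the mode change. The following Python script is an added example, not IBM code; it assumes the ASMI answers on port 443 with a self-signed certificate, and the function names and the host argument are hypothetical.

```python
import socket
import ssl
import sys
import warnings

# Modes whose description on the page says SSLv3 stays enabled on every
# interface; under all other modes the browser-facing ASMI must refuse it.
SSLV3_ON_EVERYWHERE = {"ENABLED", "LEGACY"}
VERSIONS = ("SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2")

def probe(host, port, version, timeout=5.0):
    """True: handshake pinned to `version` completed. False: it did not.
    None: the local OpenSSL build cannot offer that version at all."""
    pinned = ssl.TLSVersion[version]
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # assumption: self-signed certificate on
    ctx.verify_mode = ssl.CERT_NONE  # the ASMI; this socket carries no data
    try:
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            ctx.set_ciphers("ALL:@SECLEVEL=0")  # let the client offer legacy suites
            ctx.options &= ~ssl.OP_NO_SSLv3     # Python disables SSLv3 by default
            ctx.minimum_version = pinned
            ctx.maximum_version = pinned
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except OSError:                  # includes ssl.SSLError and timeouts
        return False

def review(mode, results):
    """Compare per-version probe results with what the page states for `mode`."""
    if mode in SSLV3_ON_EVERYWHERE:
        return ["%s leaves SSLv3 enabled on all interfaces" % mode]
    findings = []
    if results.get("SSLv3") is True:
        findings.append("SSLv3 accepted although %s should refuse it here" % mode)
    elif results.get("SSLv3") is None:
        findings.append("SSLv3 could not be tested with this OpenSSL build")
    if results.get("TLSv1_2") is False:
        findings.append("TLSv1.2 handshake failed")
    return findings

if __name__ == "__main__":  # usage: script.py <asmi-host> <mode>
    seen = {v: probe(sys.argv[1], 443, v) for v in VERSIONS}  # 443 is assumed
    print(seen, *review(sys.argv[2], seen), sep="\n")
```

A False result for SSLv3, TLSv1 or TLSv1.1 can also come from the probing machine's own OpenSSL policy, so confirm a refusal from a client that is known to speak that version.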

Last updated: Mon, April 24, 2017