Trusted configuration
This section describes the actions the Security Administrator must take to help ensure that the computer system is configured for a secure mode of operation. The contents of this section specify the configuration of the evaluated product. Any deviation from the specified configuration will not be consistent with that of the evaluated product and may result in partitions that do not provide strict separation.
Subsequent sections in this document detail the security related characteristics of the evaluated product as well as security configurations that were not included in the evaluation. These details are provided to explain and highlight the differences between the various security settings. Nevertheless, to insure strict separation of Isolated logical partitions, only the configuration specified in this section should be used.
The Licensed Internal Code level of the evaluated configuration is specified in a Common Criteria related document called the Security Target. The installed LIC level for a HMC/CPC can be determined via the View Console Information/System Information task available in the HMC Management/Change Management Task List of the HMC/SE. A User ID with its authority based on the default SERVICE User ID must be used to display the complete configuration information.
- The hardware and any networks used to connect the hardware must be physically secure. Access to I/O devices must be restricted to authorized personnel. The Hardware Management Console must be physically protected from access other than by authorized system administrators.
- The network used for HMC/SE communications should be physically separate from the logical partition data networks.
- Any FTP Servers utilized for Firmware Management must be physically secure, restricted to authorized personnel and specify a secure network protocol of FTPS or SFTP.
- Devices must be configured so that no device is accessible by any partition other than the partition to be isolated (although they may be accessible by more than one channel path).
- Each I/O (physical) control unit must be allocated to only one Isolated logical partition in the current configuration.
- The Security Administrator must not reconfigure a channel path owned by an Isolated partition unless all attached devices and control units are attached to that path only.
- The Security Administrator should ensure that all devices and control units on a reconfigurable
path owned by an Isolated partition are reset before the path is allocated to another
partition.Note: This reallocation is NOT permitted for any devices/control units which retain customer data after being reset, unless the reallocation is permitted by the customer's security practices.
- No channel paths may be shared between an Isolated partition and any other partition(s).
- Logically partitioned (LPAR) mode must be selected as the mode of operation for the CPC.
- Dynamic I/O Configuration changes must be disabled.
- For Isolated partitions, Workload Manager must be disabled so that CPU and I/O resources are not managed across partitions.
- An Isolated partition must not be configured to enable hipersockets (Internal Queued Direct I/O).
- An Isolated partition must not be configured to enable SMC-L virtual network connections (internal). No Function Identifier (FID) of Type ISM should be specified in the IOCDS.
- Partitions must be prevented from receiving performance data from resources that are not allocated to them (Global Performance Data Control Authority must be disabled).
- At most one partition can have I/O Configuration Control Authority (for example, no more than one partition must be able to update any IOCDS) and this partition must be administered by a trustworthy administrator (i.e. the administrator of this partition is considered to be the Security Administrator). I/O Configuration Control should be enabled for a single, specific logical partition only during the short period of time when it is permitted to write a new IOCDS.
- The Security Administrator must ensure that write access is disabled for each IOCDS, unless that IOCDS is to be updated (the current IOCDS must not be updated).
- The Security Administrator must verify any changed IOCDS after a power-on reset with that IOCDS, before any partitions have been activated (the Security Administrator may determine whether the IOCDS has been changed by inspecting the date of the IOCDS).
- No partition should have Cross-partition Control Authority (for example; No partition should be able to reset or deactivate another partition).
- No Isolated partitions may have coupling facility channels which would allow communication to a Coupling Facility partition.
- The 'Use dynamically changed address' and 'Use dynamically changed parameter' checkboxes must not be selected in the Image or Load profile.
- The Hardware Management Console's Customizable Data Replication service should be disabled.
- Product Engineering (PE) access to the HMC/SE should normally be disabled but can be permitted for brief periods to allow PE diagnostic work.
- No Enterprise Directory Server (LDAP) Definitions should be created on the Hardware Management Console or the Support Element.
- The Hardware Management Console and the Support Element API setting for the Simple Network Management Protocol (SNMP) API should be disabled.
- The Hardware Management Console service for the Web Services Application Programming Interface should be disabled.
- The System BCPii Permissions must be disabled to prevent BCPii commands from being received.
- All partitions must have their BCPii Permissions disabled to prevent BCPii commands from being sent and received.