Network security

To be useful, the HMC must be attached to a network so that it can manage the system resources that are associated with it. In some cases, for an HMC located close to the systems it is managing, this network is a dedicated network that is fully contained on a single raised floor. However, when a customer has multiple data centers or attaches the HMC to its corporate intranet to allow for remote access, network security is of utmost importance.

Because the HMC can be a multihomed computer (that is, it has multiple network interfaces), it can be connected to a dedicated network that contains the system resources and the corporate intranet at the same time. In fact, this configuration is a prevalent customer configuration because it provides a level of physical separation for the system resources, while simultaneously allowing for the use of advanced HMC capabilities, such as remote access and Internet connectivity for remote support.

The HMC Licensed Internal Code includes a full-function firewall that controls network access to the HMC. By default, the HMC allows almost no inbound network traffic. HMC-to-SE communications ports are opened as Systems and zBX Nodes are defined to the HMC. Also, as different features of the HMC are enabled (for example, remote access, SNMP-based automation, or Web Services automation), more inbound network traffic is allowed. The following table shows the TCP/IP ports that the HMC uses for inbound network traffic.

Note: There is no ability for the customer to control the internal firewall, other than through enabling and disabling HMC/SE features.
Table 1. Hardware Management Console inbound traffic from customer networks

| Protocol | Port | Usage |
|---|---|---|
| TCP | 67, 69, 4011 | Manage Console Recovery task. These ports are used to allow the HMC to become a Boot Server for a selected Recovery Image when the Boot Server is successfully started on the Manage Console Recovery task. |
| UDP | 67, 68, 69, 4011 | Manage Console Recovery task (same usage as the TCP ports above). |
| ICMP | Type 8 | Establish communications with system resources that are managed by the HMC. |
| TCP | 58787 - 58788 | Automatic discovery of the mainframes. |
| UDP | 58788 | Automatic discovery of the mainframes. |
| TCP | 4455 | Automatic discovery of Director/Timer consoles. Note: This is not supported in HMC version 2.13.0 or higher. |
| UDP | 9900 | Hardware Management Console to Hardware Management Console automatic discovery. |
| UDP | 9901 | Hardware Management Console to Hardware Management Console automatic discovery over an IPv6 connection. |
| TCP | 9901 | Hardware Management Console to Hardware Management Console automatic discovery over an IPv6 connection. |
| TCP | 55555 | SSL encrypted communications from the mainframes. The internal firewall allows inbound traffic only from the mainframes that are defined to the HMC. |
| TCP | 9920 | SSL encrypted communications from HMCs and the mainframes. |
| TCP | 443 | Remote user access to the HMC. Inbound traffic for this port is only allowed by the internal firewall if Remote operation is Enabled for the HMC by using the Customize Console Services task. |
| TCP | 9950 - 9959 | Proxy Single Object Operations sessions to the mainframe. |
| TCP | 9960 | Remote user applet-based tasks. Inbound traffic for this port is only allowed by the internal firewall if Remote operation is Enabled for the HMC by using the Customize Console Services task. Note: This is not supported in HMC version 2.16.0 or higher. |
| UDP | 161 | SNMP automation of the HMC. Inbound traffic for this port is only allowed by the internal firewall when SNMP automation is enabled by using the Customize API Settings task. |
| TCP | 161, 3161, 10161 | SNMP automation of the HMC. Inbound traffic for these ports is only allowed by the internal firewall when SNMP automation is enabled by using the Customize API Settings task. |
| TCP | 5988, 5989 | CIM automation of the HMC. Inbound traffic for these ports is only allowed by the internal firewall when CIM automation is enabled by using the Customize API Settings task. Note: This is not supported in HMC version 2.14.0 or higher. |
| UDP | 427 | CIM automation of the HMC (same conditions as the TCP ports above). Note: This is not supported in HMC version 2.14.0 or higher. |
| TCP | 6794 | Web Services SSL encrypted automation traffic. Inbound traffic for this port is only allowed by the internal firewall when Web Services automation is enabled by using the Customize API Settings task. |
| TCP | 61612 | Connecting to the Web Services API message broker and flowing Streaming Text Oriented Messaging Protocol (STOMP) over the connection when the Web Services API is enabled by using the Customize API Settings task. |
| TCP | 61617 | Connecting to the Web Services API message broker and flowing OpenWire over the connection when the Web Services API is enabled by using the Customize API Settings task. |
| UDP | 123 | Set the time of the mainframes. |
| UDP | 520 | Interactions with routers; only used on the Hardware Management Console if routed is enabled on the Routing tab of the Customize Network Settings task. |
| TCP | 22 | Remote access by Product Engineering; only allowed by the internal firewall if remote product engineering access is configured by using the Customize Product Engineering Access task. Also, on an alternate HMC within an ensemble, allows the primary HMC to establish a connection with the alternate HMC for replicating configuration information. |
| TCP | 21 | Inbound FTP requests. This port is only enabled when Electronic Service Agent or the Enable FTP Access to Mass Storage Media task is being used. FTP is an unencrypted protocol; for maximum security these tasks must not be used on the HMC. |
| TCP | 3900 - 3909 | Running the Remote Control Applet of the Advanced Management Module (AMM) within a z BladeCenter Extension (zBX). Note: This is not supported in HMC version 2.15.0 or higher. |
Table 2. Support Element inbound traffic from customer networks

| Protocol | Port | Usage |
|---|---|---|
| ICMP | Type 8 | Establish communications with Hardware Management Consoles (HMCs) managing the server. |
| TCP/UDP | 58787 | Automatic discovery of system resources by HMCs. |
| TCP | 55555 | SSL encrypted communications from Hardware Management Consoles. |
| TCP | 9920 | SSL encrypted communications from Hardware Management Consoles. |
| TCP | 443 | Remote user access to the Support Element. Inbound traffic for this port is only allowed by the internal firewall if the Single Object Operations task is performed to the Support Element from the HMC. |
| UDP | 161 | SNMP automation. Inbound traffic for this port is only allowed by the internal firewall when SNMP automation is enabled by using the Customize API Settings task. |
| TCP | 161, 3161, 10161 | SNMP automation. Inbound traffic for these ports is only allowed by the internal firewall when SNMP automation is enabled by using the Customize API Settings task. |
| UDP | 520 | Interactions with routers; only used on the Support Element if routed is enabled on the Routing tab of the Customize Network Settings task. |
| TCP | 22 | Remote access by Product Engineering; only allowed by the internal firewall if remote product engineering access is configured by using the Customize Product Engineering Access task. |

In addition to accepting these inbound requests, the HMC also initiates requests to the system resources that it is managing and to other HMCs. As a security best practice, outbound connections not listed in Table 3 should be blocked in environments where the HMC is attached to the corporate intranet. Blocking outbound connections to any IP addresses other than those associated with the servers listed in Table 3 provides additional security.

The following table shows the types of outbound network traffic that is initiated by the HMC.

Table 3. HMC outbound traffic to customer networks

| Protocol | Port | Usage |
|---|---|---|
| TCP | 67, 69, 4011 | Manage Console Recovery task. These ports are used to allow the HMC to become a Boot Server for a selected Recovery Image when the Boot Server is successfully started on the Manage Console Recovery task. |
| UDP | 67, 68, 69, 4011 | Manage Console Recovery task (same usage as the TCP ports above). |
| ICMP | Type 8 | Establish communications with system resources that are managed by the HMC. |
| UDP | 9900 | HMC-to-HMC automatic discovery. |
| UDP | 9901 | Hardware Management Console to Hardware Management Console automatic discovery over an IPv6 connection. |
| TCP | 9901 | Hardware Management Console to Hardware Management Console automatic discovery over an IPv6 connection. |
| TCP | 58787 | Automatic discovery of and establishing communications with the mainframes. |
| UDP | 58787 | Automatic discovery of and establishing communications with the mainframes. |
| TCP | 55555 | SSL encrypted communications to the mainframes. The internal firewall allows only inbound traffic from the mainframes that are defined to the HMC. |
| TCP | 9920 | SSL encrypted communications to Hardware Management Consoles and mainframes. |
| TCP | 443 | Single Object Operations to the mainframe console. |
| TCP | 9960 | Applet-based tasks during a Single Object Operations session for the mainframe console. Note: This is not supported in HMC version 2.16.0 or higher. |
| TCP | 4455 | Communications with Director/Timer consoles being managed by the HMC. Note: This is not supported in HMC version 2.13.0 or higher. |
| UDP | 161 | Communications with IBM Fiber Saver managed by the HMC. Note: This is not supported in HMC version 2.13.0 or higher. |
| TCP | x | User authentication that uses an LDAP server, where x is the port that the LDAP server is running on. |
| TCP | x | User authentication that uses an MFA server, where x is the port that the MFA server is running on. |
| TCP | x | Fibre Channel Endpoint Security that uses a Key Manager, where x is the port that the key manager is running on. |
| TCP | 443 | Call-home requests as part of the Remote Support Facility (RSF). |
| TCP | 3900 | Running the Remote Control Applet of the Advanced Management Module (AMM) within a z BladeCenter Extension (zBX). Note: This is not supported in HMC version 2.15.0 or higher. |
| TCP | 21 | Load system software or utility programs. |
| TCP | 22 | Retrieve the SSH public key of hosts, by using the Manage SSH Keys task, for securing SSH File Transfer Protocol (SFTP) connections to FTP servers. Also used for the SFTP connections themselves. In addition, on a primary HMC within an ensemble, allows the primary HMC to establish a connection with the alternate HMC for replicating configuration information. |
| UDP | 123 | Connecting to a Network Time Protocol (NTP) server. |
| TCP | 25 | Send email events to a Simple Mail Transfer Protocol (SMTP) server for delivery, by using the Monitor System Events task, when the HMC is configured to do so. (This might be a port other than 25, but 25 is the default SMTP port that most SMTP servers use.) |
| UDP | x | Sending SNMP traps to a remote server using a user-specified UDP port. |
| TCP | x | Sending SNMP traps to a remote server using a user-specified TCP port. |
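The egress recommendation above can be checked mechanically: the following added example (not IBM code) audits outbound flow records from an HMC against the fixed-port entries of Table 3 and a list of associated servers, flagging anything that should have been blocked. The flow lines, the peer networks and the site values chosen for the Table 3 "x" ports (LDAP, MFA, SNMP trap receiver) are constructed assumptions.

```python
# Added example (not IBM code): audit outbound HMC flow records against the
# Table 3 allowlist. Flow lines, peer networks and the site values for the
# Table 3 "x" ports (LDAP, MFA, SNMP trap receiver) are constructed assumptions.
from ipaddress import ip_address, ip_network

# Fixed-port Table 3 entries as (protocol, destination port); entries the page
# marks as unsupported on current HMC versions (4455, 3900, UDP 161) are omitted.
HMC_OUTBOUND = {
    ("tcp", 67), ("tcp", 69), ("tcp", 4011),               # Manage Console Recovery
    ("udp", 67), ("udp", 68), ("udp", 69), ("udp", 4011),
    ("udp", 9900), ("udp", 9901), ("tcp", 9901),           # HMC-to-HMC discovery
    ("tcp", 58787), ("udp", 58787),                        # mainframe discovery
    ("tcp", 55555), ("tcp", 9920), ("tcp", 443),           # SSL to CPCs/HMCs, SOO, RSF
    ("tcp", 21), ("tcp", 22), ("udp", 123), ("tcp", 25),   # FTP/SFTP, NTP, SMTP
}
# Site-specific "x" ports from Table 3 (assumed values for this example).
SITE_PORTS = {("tcp", 636): "LDAP", ("tcp", 8443): "MFA", ("udp", 162): "SNMP trap"}
# Servers the HMC is expected to reach (constructed ranges): managed CPCs,
# the alternate HMC and the site NTP/LDAP/MFA hosts.
ALLOWED_PEERS = [ip_network("10.10.20.0/24"), ip_network("192.0.2.25/32")]

def audit_flow(proto, dst_ip, dst_port):
    """Return None when the flow is expected, otherwise a reason to block it."""
    proto = proto.lower()
    if proto == "icmp":
        port_ok = dst_port == 8                         # ICMP Type 8 (echo request)
    else:
        port_ok = (proto, dst_port) in HMC_OUTBOUND or (proto, dst_port) in SITE_PORTS
    if not port_ok:
        return f"{proto}/{dst_port} is not in the Table 3 allowlist"
    if not any(ip_address(dst_ip) in net for net in ALLOWED_PEERS):
        return f"{dst_ip} is not an associated server"
    return None

def audit(records):
    """Parse 'proto src dst dport' lines; return (line, reason) for each violation."""
    findings = []
    for line in records:
        proto, _src, dst, dport = line.split()
        reason = audit_flow(proto, dst, int(dport))
        if reason:
            findings.append((line, reason))
    return findings

SAMPLE_FLOWS = [  # constructed flow log: proto src dst dport (ICMP type in dport)
    "tcp 10.10.20.5 10.10.20.11 55555",   # SSL to a managed CPC: expected
    "udp 10.10.20.5 192.0.2.25 123",      # NTP to the site time server: expected
    "tcp 10.10.20.5 10.10.20.40 636",     # LDAP on the assumed site port: expected
    "icmp 10.10.20.5 10.10.20.11 8",      # echo request to a managed CPC: expected
    "tcp 10.10.20.5 10.10.20.11 3389",    # port not in Table 3: flag
    "tcp 10.10.20.5 198.51.100.9 443",    # 443 allowed but the peer is unknown: flag
]
```

Running `audit(SAMPLE_FLOWS)` reports only the last two flows; the same allowlist can be turned into the deny-by-default egress rules on the perimeter firewall the text recommends.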
Table 4. Support Element outbound traffic to customer networks

| Protocol | Port | Usage |
|---|---|---|
| ICMP | Type 8 | Establish communications with Hardware Management Consoles (HMCs) managing the Support Element. |
| UDP | 9900 | Hardware Management Console to Hardware Management Console automatic discovery. |
| TCP | 58787 | Automatic discovery of system resources by HMCs. |
| UDP | 58787 | Automatic discovery of system resources by HMCs. |
| TCP | 55555 | SSL encrypted communications from Hardware Management Consoles. |
| TCP | 9920 | SSL encrypted communications from Hardware Management Consoles. |
| TCP | x | User authentication using an LDAP server, where x is the port that the LDAP server is running on. |
| TCP | 21 | Load system software or utility programs. |
| TCP | 22 | Retrieve the SSH public key of hosts, using the Manage SSH Keys task, for securing SFTP connections to FTP servers. Also used for the SFTP connections themselves. |
| UDP | 520 | Interactions with routers; only used on the Support Element if routed is enabled in the Customize Network Settings task. |
| UDP | 123 | Connecting to a Network Time Protocol (NTP) server. |
| UDP | x | Sending SNMP traps to a remote server using a user-specified UDP port. |
| TCP | x | Sending SNMP traps to a remote server using a user-specified TCP port. |
Table 5. Z System outbound traffic to customer networks

| Protocol | Port | Usage |
|---|---|---|
| UDP | 123 | Connections to Network Time Protocol (NTP) servers. |
| UDP | 319, 320 | Connections to Precision Time Protocol (PTP) servers. |