Network security
To be useful, the HMC must be attached to a network so that it can manage the system resources that are associated with it. In some cases, for an HMC located close to the systems it manages, this network is a dedicated network that is fully contained on a single raised floor. However, when a customer has multiple data centers or attaches the HMC to its corporate intranet to allow for remote access, network security is of utmost importance.
Because the HMC can be a multihomed computer (that is, it has multiple network interfaces), it can be connected to a dedicated network that contains the system resources and the corporate intranet at the same time. In fact, this configuration is a prevalent customer configuration because it provides a level of physical separation for the system resources, while simultaneously allowing for the use of advanced HMC capabilities, such as remote access and Internet connectivity for remote support.
The HMC Licensed Internal Code includes a full-function firewall that controls network access to the HMC. By default, the HMC allows almost no inbound network traffic. HMC-to-SE communication ports are opened as Systems and zBX Nodes are defined to the HMC. Also, as different features of the HMC are enabled (for example, remote access, SNMP-based automation, or Web Services automation), more inbound network traffic is allowed. The following table shows the TCP/IP ports that the HMC uses for inbound network traffic.
| TCP/IP Source Port | Usage |
|---|---|
| TCP 67, 69, 4011; UDP 67, 68, 69, 4011 | Manage Console Recovery task. These ports are used to allow the HMC to become a Boot Server for a selected Recovery Image when the Boot Server is successfully started in the Manage Console Recovery task. |
| ICMP Type 8 | Establish communications with system resources that are managed by the HMC. |
| TCP 58787 - 58788; UDP 58788 | Automatic discovery of the mainframes. |
| TCP 4455 | Automatic discovery of Director/Timer consoles. Note: This is not supported in HMC version 2.13.0 or higher. |
| UDP 9900 | Hardware Management Console to Hardware Management Console automatic discovery. |
| UDP 9901; TCP 9901 | Hardware Management Console to Hardware Management Console automatic discovery over an IPv6 connection. |
| TCP 55555 | SSL encrypted communications from the mainframes. The internal firewall allows inbound traffic only from the mainframes that are defined to the HMC. |
| TCP 9920 | SSL encrypted communications from HMCs and the mainframes. |
| TCP 443 | Remote user access to the HMC. Inbound traffic for this port is only allowed by the internal firewall if Remote operation is Enabled for the HMC by using the Customize Console Services task. |
| TCP 9950 - 9959 | Proxy Single Object Operations sessions to the mainframe. |
| TCP 9960 | Remote user applet-based tasks. Inbound traffic for this port is only allowed by the internal firewall if Remote operation is Enabled for the HMC by using the Customize Console Services task. Note: This is not supported in HMC version 2.16.0 or higher. |
| UDP 161; TCP 161, 3161, 10161 | SNMP automation of the HMC. Inbound traffic for these ports is only allowed by the internal firewall when SNMP automation is enabled by using the Customize API Settings task. |
| TCP 5988, 5989; UDP 427 | CIM automation of the HMC. Inbound traffic for these ports is only allowed by the internal firewall when CIM automation is enabled by using the Customize API Settings task. Note: This is not supported in HMC version 2.14.0 or higher. |
| TCP 6794 | Web Services SSL encrypted automation traffic. Inbound traffic for this port is only allowed by the internal firewall when Web Services automation is enabled by using the Customize API Settings task. |
| TCP 61612 | Connecting to the Web Services API message broker and flowing Streaming Text Oriented Messaging Protocol (STOMP) over the connection when the Web Services API is enabled by using the Customize API Settings task. |
| TCP 61617 | Connecting to the Web Services API message broker and flowing OpenWire over the connection when the Web Services API is enabled by using the Customize API Settings task. |
| UDP 123 | Set the time of the mainframes. |
| UDP 520 | Interactions with routers; only used on the Hardware Management Console if routed is enabled on the Routing tab of the Customize Network Settings task. |
| TCP 22 | Remote access by Product Engineering; only allowed by the internal firewall if remote product engineering access is configured by using the Customize Product Engineering Access task. Also, on an alternate HMC within an ensemble, allows the primary HMC to establish a connection with the alternate HMC for replicating configuration information. |
| TCP 21 | Inbound FTP requests. This port is only enabled when Electronic Service Agent or the Enable FTP Access to Mass Storage Media task is being used. FTP is an unencrypted protocol; for maximum security these tasks must not be used on the HMC. |
| TCP 3900 - 3909 | Running the Remote Control Applet of the Advanced Management Module (AMM) within a z BladeCenter Extension (zBX). Note: This is not supported in HMC version 2.15.0 or higher. |
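The inbound table is most useful as an audit baseline: every port beyond the always-open HMC-to-SE set should be explained by a console feature that someone deliberately enabled. The following script is an added example (not IBM's code and not part of the original page). It encodes the inbound port table above as data, derives which ports should be accepting connections for a given set of enabled console features and HMC version, and diffs that against the ports observed open from the corporate-intranet side of a multihomed HMC. The feature names, the `Rule` type, the `audit` function and the scan result in `demo()` are this example's own constructions; the ports, usages and version cut-offs are taken from the table.

```python
"""Audit an HMC's inbound exposure against the documented port table (added example, not IBM code)."""
from dataclasses import dataclass
from typing import Optional, Tuple

Version = Tuple[int, int, int]


@dataclass(frozen=True)
class Rule:
    proto: str                          # "tcp", "udp" or "icmp" (for icmp, port = ICMP type)
    ports: Tuple[int, ...]
    usage: str
    feature: Optional[str] = None       # console task/feature that opens it; None = open once systems are defined
    removed_in: Optional[Version] = None  # "not supported in HMC version X or higher"


def _rng(lo: int, hi: int) -> Tuple[int, ...]:
    return tuple(range(lo, hi + 1))


# The page's inbound table as data. Feature keys (e.g. "remote_operation") are this example's own names.
INBOUND = (
    Rule("tcp", (67, 69, 4011), "Manage Console Recovery boot server", "console_recovery"),
    Rule("udp", (67, 68, 69, 4011), "Manage Console Recovery boot server", "console_recovery"),
    Rule("icmp", (8,), "Reachability of managed system resources"),
    Rule("tcp", (58787, 58788), "Mainframe automatic discovery"),
    Rule("udp", (58788,), "Mainframe automatic discovery"),
    Rule("tcp", (4455,), "Director/Timer console discovery", removed_in=(2, 13, 0)),
    Rule("udp", (9900, 9901), "HMC-to-HMC discovery"),
    Rule("tcp", (9901,), "HMC-to-HMC discovery over IPv6"),
    Rule("tcp", (55555, 9920), "SSL communications from mainframes / HMCs"),
    Rule("tcp", (443,), "Remote user access", "remote_operation"),
    Rule("tcp", _rng(9950, 9959), "Proxy Single Object Operations"),
    Rule("tcp", (9960,), "Remote applet-based tasks", "remote_operation", (2, 16, 0)),
    Rule("udp", (161,), "SNMP automation", "snmp_automation"),
    Rule("tcp", (161, 3161, 10161), "SNMP automation", "snmp_automation"),
    Rule("tcp", (5988, 5989), "CIM automation", "cim_automation", (2, 14, 0)),
    Rule("udp", (427,), "CIM automation", "cim_automation", (2, 14, 0)),
    Rule("tcp", (6794, 61612, 61617), "Web Services API and message broker", "web_services"),
    Rule("udp", (123,), "Time setting for mainframes"),
    Rule("udp", (520,), "RIP (routed)", "routed"),
    Rule("tcp", (22,), "Product Engineering access", "product_engineering_access"),
    Rule("tcp", (21,), "FTP (unencrypted)", "ftp_access"),
    Rule("tcp", _rng(3900, 3909), "zBX AMM Remote Control Applet", removed_in=(2, 15, 0)),
)

# Ports whose enabling tasks the page says must not be used on a hardened HMC.
WEAK = {("tcp", 21)}


def expected_open(enabled, version: Version):
    """Set of (proto, port) the HMC firewall should accept for the enabled features on this version."""
    out = set()
    for r in INBOUND:
        if r.removed_in is not None and version >= r.removed_in:
            continue  # feature no longer exists on this code level, so its ports must not be open
        if r.feature is None or r.feature in enabled:
            out.update((r.proto, p) for p in r.ports)
    return out


def audit(enabled, version: Version, observed):
    """Compare an observed open-port set against the documented expectation."""
    expected = expected_open(enabled, version)
    return {
        # open, but no enabled feature on this version explains it: investigate
        "unexpected": sorted(observed - expected),
        # expected but not seen from this vantage point; often fine, e.g. 55555 is source-restricted
        "closed": sorted(expected - observed),
        # open and explicitly discouraged by the page (FTP)
        "weak": sorted(observed & WEAK),
    }


def demo():
    """Constructed scan result from the intranet side of an HMC (sample data, not a real console)."""
    observed = {("tcp", 443), ("tcp", 6794), ("tcp", 21), ("tcp", 5989), ("udp", 123)}
    return audit({"remote_operation", "web_services"}, (2, 15, 0), observed)


if __name__ == "__main__":
    for finding, ports in demo().items():
        print(finding, ports)
```

In the constructed scan, TCP 21 and TCP 5989 come back as unexpected: FTP because nobody enabled it on purpose, and the CIM port because CIM automation does not exist on 2.14.0 or higher, so its presence on a 2.15.0 console would indicate a scan of the wrong host or something other than the HMC firewall. The "closed" list is informational only; ports such as TCP 55555 are restricted by the internal firewall to defined mainframes and are not expected to answer a scan from the intranet.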
The following table shows the TCP/IP ports that the Support Element uses for inbound network traffic.
| TCP/IP Source Port | Usage |
|---|---|
| ICMP Type 8 | Establish communications with Hardware Management Consoles (HMCs) managing the server. |
| TCP/UDP 58787 | Automatic discovery of system resources by HMCs. |
| TCP 55555 | SSL encrypted communications from Hardware Management Consoles. |
| TCP 9920 | SSL encrypted communications from Hardware Management Consoles. |
| TCP 443 | Remote user access to the Support Element. Inbound traffic for this port is only allowed by the internal firewall if the Single Object Operations task is performed to the Support Element from the HMC. |
| UDP 161; TCP 161, 3161, 10161 | SNMP automation. Inbound traffic for these ports is only allowed by the internal firewall when SNMP automation is enabled by using the Customize API Settings task. |
| UDP 520 | Interactions with routers; only used on the Support Element if routed is enabled on the Routing tab of the Customize Network Settings task. |
| TCP 22 | Remote access by Product Engineering; only allowed by the internal firewall if remote product engineering access is configured by using the Customize Product Engineering Access task. |
The following table shows the types of outbound network traffic that is initiated by the HMC.
| TCP/IP Source Port | Usage |
|---|---|
| TCP 67, 69, 4011; UDP 67, 68, 69, 4011 | Manage Console Recovery task. These ports are used to allow the HMC to become a Boot Server for a selected Recovery Image when the Boot Server is successfully started in the Manage Console Recovery task. |
| ICMP Type 8 | Establish communications with system resources that are managed by the HMC. |
| UDP 9900 | HMC-to-HMC automatic discovery. |
| UDP 9901; TCP 9901 | Hardware Management Console to Hardware Management Console automatic discovery over an IPv6 connection. |
| TCP 58787; UDP 58787 | Automatic discovery of, and establishing communications with, the mainframes. |
| TCP 55555 | SSL encrypted communications to the mainframes. The internal firewall allows inbound traffic only from the mainframes that are defined to the HMC. |
| TCP 9920 | SSL encrypted communications to Hardware Management Consoles and mainframes. |
| TCP 443 | Single Object Operations to the mainframe console. |
| TCP 9960 | Applet-based tasks during a Single Object Operations session for the mainframe console. Note: This is not supported in HMC version 2.16.0 or higher. |
| TCP 4455 | Communications with Director/Timer consoles being managed by the HMC. Note: This is not supported in HMC version 2.13.0 or higher. |
| UDP 161 | Communications with IBM Fiber Saver managed by the HMC. Note: This is not supported in HMC version 2.13.0 or higher. |
| TCP x | User authentication that uses an LDAP server, where x is the port that the LDAP server is running on. |
| TCP x | User authentication that uses an MFA server, where x is the port that the MFA server is running on. |
| TCP x | Fibre Channel Endpoint Security that uses a Key Manager, where x is the port that the key manager is running on. |
| TCP 443 | Call-home requests as part of the Remote Support Facility (RSF). |
| TCP 3900 | Running the Remote Control Applet of the Advanced Management Module (AMM) within a z BladeCenter Extension (zBX). Note: This is not supported in HMC version 2.15.0 or higher. |
| TCP 21 | Load system software or utility programs. |
| TCP 22 | Retrieve the SSH public key of hosts, by using the Manage SSH Keys task, for securing SSH File Transfer Protocol (SFTP) connections to FTP servers. Also used for the SFTP connections themselves. In addition, on a primary HMC within an ensemble, allows the primary HMC to establish a connection with the alternate HMC for replicating configuration information. |
| UDP 123 | Connecting to a Network Time Protocol (NTP) server. |
| TCP 25 | Send email events to a Simple Mail Transfer Protocol (SMTP) server for delivery, by using the Monitor System Events task, when the HMC is configured to do so. (The port might be other than 25, but 25 is the default SMTP port that most SMTP servers use.) |
| UDP x; TCP x | Sending SNMP traps to a remote server using a user-specified UDP or TCP port. |
The following table shows the types of outbound network traffic that is initiated by the Support Element.
| TCP/IP Source Port | Usage |
|---|---|
| ICMP Type 8 | Establish communications with Hardware Management Consoles (HMCs) managing the Support Element. |
| UDP 9900 | Hardware Management Console to Hardware Management Console automatic discovery. |
| TCP 58787; UDP 58787 | Automatic discovery of system resources by HMCs. |
| TCP 55555 | SSL encrypted communications from Hardware Management Consoles. |
| TCP 9920 | SSL encrypted communications from Hardware Management Consoles. |
| TCP x | User authentication using an LDAP server, where x is the port that the LDAP server is running on. |
| TCP 21 | Load system software or utility programs. |
| TCP 22 | Retrieve the SSH public key of hosts, using the Manage SSH Keys task, for securing SFTP connections to FTP servers. Also used for the SFTP connections themselves. |
| UDP 520 | Interactions with routers; only used on the Support Element if routed is enabled in the Customize Network Settings task. |
| UDP 123 | Connecting to a Network Time Protocol (NTP) server. |
| UDP x; TCP x | Sending SNMP traps to a remote server using a user-specified UDP or TCP port. |
| TCP/IP Source Port | Usage |
|---|---|
| UDP 123 | Connections to Network Time Protocol (NTP) servers. |
| UDP 319, 320 | Connections to Precision Time Protocol (PTP) servers. |