Processor Hardware Connection Security Considerations

IBM Z® System Automation supports TCP/IP and SA-BCPii as the transport protocols for Support Element connections and TCP/IP for Hardware Management Console connections.

IBM Z System Automation does not yet support TLS for any hardware automation connection. However, you can use the hybrid SNMP connection (ISQET32) or the INTERNAL connection. Because ISQET32 and INTERNAL communication is kept inside IBM Z hardware, which includes the IBM Z hardware network, there is no need for additional transport security, such as TLS, of the kind used to secure traffic in a public network environment. Be aware of the following security considerations for each connection type and processor type:

Connection type: Hybrid SNMP

Processor type: Mainframe
  • For ProcOps SNMP connections, only configure ISQET32 (hybrid SNMP) as the hostname. Do not define an HMC IP address or hostname.

            Processor Information
    ...

     At least one address must be specified:
       TCP/IP Address or Hostname or ISQET32 for BCPii redirection  . . .
     ISQET32
       Alternate Address or Hostname or ISQET32 for BCPii redirection . .

  • The new SNMPv3 TLS configuration option in the Customize API Settings task, which is introduced with IBM z16, is not supported by System Automation.
  • The current SNMPv3 support in ProcOps is not TLS-compliant.

            Processor Information
    ...

     The following specifications are for SNMP processors only:
       Community Name  . . . . . . . . . COMM
       ProcOps Target HW Name  . . . . . THW1
       SNMPv3  . . . . . . . . . . . . .                (YES NO)
       SNMPv3 User Name  . . . . . . . .
       SNMPv3 Password . . . . . . . . .

Processor type: ProcOps Service Machines (PSM)
  This connection type is not valid for PSM.

Connection type: INTERNAL

Processor type: Mainframe
  • INTERNAL connections are SA-BCPii connections to the processor's Support Element.
  • SA-BCPii connections do not require TLS level security. The connection end points are inside the IBM Z machines. The IBM Z CPC network used between multiple IBM Z systems is isolated from any customer network.

Processor type: ProcOps Service Machines (PSM)
  This connection type is not valid for PSM.

Connection type: TCP/IP

Processor type: Mainframe
  This connection type is not valid for the mainframe type of processor.

Processor type: ProcOps Service Machines (PSM)
  TCP/IP is the only valid connection option for PSM. But the underlying socket services do not exploit TLS.