Security of your Operations Console configuration

Operations Console security consists of service device authentication, user authentication, data privacy, and data integrity.

User authentication security is required to sign on to the console display.

The Operations Console client code requires less user interaction than previous releases when you are connecting a local console on a network configuration. By default, you do not need to maintain the access password unless you need to remain in a manually maintained environment. The system can also maintain the service tools device IDs. See the Operations Console simplification topic for more details. The system requires the same process to successfully connect, but part of this can be performed by Operations Console.

The following list gives you an overview of your Operations Console LAN security as shown in Figure 1.

  1. A user enters the correct password.
  2. Operations Console sends the service tools device ID (QCONSOLE) and its encrypted password to the system.
  3. The system checks the two values. If they match, the system updates both the device and DST with a newly encrypted password.
  4. The connection process then validates the service tools user ID and password before sending the system console display to the PC.
Figure 1. Operations Console LAN security

The IBM® i console security consists of:

Service device authentication
This security assures that one physical device is the console. Operations Console local console on a network uses a version of Secure Sockets Layer (SSL) that supports device and user authentication, but without using certificates.
Device authentication

The device authentication is based on a service tools device ID. By default, the system administers service tools device IDs. The initial value for the number of automatically created service tools device IDs is set to 10. With the default service tools device ID QCONSOLE, 11 PCs can be connected to a system at the same time, each with a unique service tools device ID. If you set this value to zero, you will have to administer the service tools device IDs manually. Service tools device IDs are administered manually in dedicated service tools (DST) and system service tools (SST). They consist of a service tools device ID and a service tools device ID password. The default service tools device ID is QCONSOLE and the default password is QCONSOLE. An Operations Console local console on a network encrypts and changes the password during each successful connection. You must use the default password to initially set up your system if you use a local console on a network (LAN).

Note: Automatically created device IDs do not automatically have the Remote Control Panel (RCP) privilege granted. This privilege can be changed with an option in the DST environment on the DST Service tools security data menu. The default service tools device ID QCONSOLE has the RCP privilege granted by default.

The device authentication requires a unique service tools device ID for each PC that is configured with a local console on a network (LAN) connection.

When using a local console on a network (LAN), the configuration wizard determines if the system is capable of automatically creating a service tools device ID. If it is, the system skips the process for the user to create a service tools device ID. If you need to manually assign a user-created service tools device ID to a new configuration without turning off the autocreate function, simply disconnect the PC from the network while you create the configuration so that Operations Console cannot validate the function. You will then be prompted for the user-created service tools device ID. By default, the initial service tools device ID password is set to the name of the service tools device ID in uppercase.

Note: The access password protects the service tools device ID information (service tools device ID and password) on the PC. By default, Operations Console manages the access password for you. During the configuration process, you are not presented a window in which to assign an access password. However, should you elect to manually administer this password, you can change it using the Properties and the Access Password tab.

When establishing a network connection, the Operations Console no longer prompts you for the access password to access the encrypted service tools device ID and password unless you have manually set it after the configuration was created. However, you are prompted for a valid service tools user ID and password.

User authentication
This security provides assurance as to who is using the service device. All problems related to user authentication are the same regardless of console type. For more information, see the Service tools topic.
Data privacy
This security provides confidence that the console data can only be read by the intended recipient. If the physical connection is secure as discussed under service device authentication, the console data remains protected. To protect the data, ensure that only authorized people enter the computer room.

Operations Console local console on a network uses a secure network connection.

Data integrity
This security provides confidence that the console data has not changed en route to the recipient. If the physical connection is secure, the console data remains protected. An Operations Console local console on a network uses a secure network connection.
Data encryption
Enhanced authentication and data encryption provide network security for console procedures. Operations Console local console on a network uses a version of SSL which supports device and user authentication but without using certificates.

Administration

Operations Console administration allows system administrators to control access to console functions, including the remote control panel. When using Operations Console local console on a network, device and user authentication are controlled through the service tools device ID.

Important: Consider the following situations when administering Operations Console local console over a network:
  • For the remote control panel, mode selections require security authorization for the user that authenticates the connection, such as that provided by QSECOFR. Mode selections include Manual, Normal, Auto, and Secure. Auto and Secure are only available on systems with a keystick. Also, when connecting the remote control panel using a network, the service tools device ID must have authority to the control panel data on the system or on the partition that the remote control panel connects to.
  • When a mismatch occurs in the service tools device ID password between the system and the Operations Console PC, you might need to resynchronize the password on the system. A mismatch occurs if one of the following conditions happens:
    • Your PC fails.
    • You decide to exchange the PC for a different one.
    • You upgrade the system and Autocreate service tools device IDs on the system is set to zero, or you are using Licensed Internal Code earlier than IBM i 7.1.
    For more information, see Operations Console simplification.
  • Because QCONSOLE is a default service tools device ID, if you choose not to use this device ID, it is suggested that you temporarily configure a connection using this ID to successfully connect. Then, delete the configuration but do not reset the device ID on the system. This prevents unauthorized access from someone using the known default service tools device ID. If you need to use this device ID later, you can reset it then using the control panel or menus.
  • If you implement a network security tool that probes ports for intrusion protection, be aware that Operations Console uses ports 449, 2300, 2323, 3001, and 3002 for normal operations. If your tool probes any of these ports, it might cause loss of the console, which might result in an IPL to recover. Exclude these ports from intrusion protection tests.
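To make the rotating device-ID password (steps 2 and 3 of the overview above) and the password-mismatch case concrete, here is an added Python model. It is not IBM code and not the actual Operations Console wire protocol; the hashing and the generated passwords are constructed stand-ins. It shows why a replacement PC that still holds the default password fails to connect until the device ID is reset on the system.

```python
import hashlib
import secrets

DEFAULT_DEVICE_ID = "QCONSOLE"


def _digest(password: str) -> str:
    # Constructed stand-in for the system's stored form; not IBM's format.
    return hashlib.sha256(password.encode()).hexdigest()


class SystemSide:
    """Models the DST table of service tools device IDs (simplified)."""

    def __init__(self) -> None:
        self.devices: dict[str, str] = {}

    def reset_device_id(self, device_id: str) -> None:
        # Per the page, the initial password is the device ID in uppercase.
        self.devices[device_id] = _digest(device_id.upper())

    def authenticate(self, device_id: str, password: str):
        stored = self.devices.get(device_id)
        if stored is None or not secrets.compare_digest(stored, _digest(password)):
            return None  # mismatch: connection refused
        # Successful connection: rotate the password on the system side and
        # hand the new value back so the PC side can store it too.
        new_password = secrets.token_hex(8)
        self.devices[device_id] = _digest(new_password)
        return new_password


class ConsolePC:
    """Models the encrypted device ID and password held on the console PC."""

    def __init__(self, device_id: str, password: str) -> None:
        self.device_id, self.password = device_id, password

    def connect(self, system: SystemSide) -> bool:
        new_password = system.authenticate(self.device_id, self.password)
        if new_password is None:
            return False
        self.password = new_password  # keep both sides in step
        return True


def scenario() -> tuple[bool, bool, bool, bool]:
    system = SystemSide()
    system.reset_device_id(DEFAULT_DEVICE_ID)
    pc1 = ConsolePC(DEFAULT_DEVICE_ID, "QCONSOLE")
    first, second = pc1.connect(system), pc1.connect(system)
    pc2 = ConsolePC(DEFAULT_DEVICE_ID, "QCONSOLE")  # replacement PC, stale password
    mismatch = pc2.connect(system)
    system.reset_device_id(DEFAULT_DEVICE_ID)       # resynchronize on the system
    return first, second, mismatch, pc2.connect(system)
```

The returned tuple is (True, True, False, True): two rotations succeed, the replacement PC is refused, and it connects only after the device ID is reset.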

Console control features

Beginning with version 6.1.1, the Console Information Status screen is bypassed by default. This setting reduces the number of screens displayed before the IBM i screen is displayed. As with takeover when the IBM i screen is resumed, a user can take over from whoever last signed on to the IBM i. If IBM i Operations Console detects the same user (that is, the same PC IP address, the same device ID, and the same user ID) and the setting is Skipped, the normal Takeover Sign on screen is also skipped. If this feature is not desired, it can be disabled by setting the option to Show.


Protection tips

When using an Operations Console local console on a network, it is suggested that you complete the following tasks:

  1. If you changed the value of Autocreate service tools device IDs on the system to 0, do the following:

    Create an additional service tools device ID for each PC that will be used as a console with console and control panel attributes.

    For more information, see Operations Console simplification.

  2. Add one or two additional backup device IDs for use in an emergency. This is not necessary if you use the option Autocreate service tools device IDs and its value is not zero.
  3. Choose nontrivial access passwords. This is not necessary if you let the Operations Console manage this password.
  4. Change your password for the following DST user IDs: QSECOFR, 22222222, and QSRV.
    Note: Do not change the password for user 11111111. This is the only user that is included in the system without an expired password. If you experience a problem with authentication using another user ID, you can attempt to authenticate with 11111111/11111111.
  5. Add backup service tools user IDs with enough authority to enable or disable user and service tools device IDs.