Security of your Operations Console configuration

Operations Console security consists of user authentication, data privacy, and data integrity.

User authentication security is required to sign on to the console display.

The IBM® i console security consists of:

User authentication
This security provides assurance as to who is using the service device. All problems related to user authentication are the same regardless of console type. For more information, see the Service tools topic.
Data privacy
This security provides confidence that the console data can only be read by the intended recipient. If the physical connection is secure as discussed under service device authentication, the console data remains protected. To protect the data, ensure that only authorized people enter the computer room. An Operations Console local console on a network uses a secure network connection.

Data integrity
This security provides confidence that the console data has not changed en route to the recipient. If the physical connection is secure, the console data remains protected. An Operations Console local console on a network uses a secure network connection.
Data encryption
Enhanced authentication and data encryption provide network security for console procedures. 5250 Console on a network uses TLS.

Administration

Operations Console administration allows system administrators to control access to console functions, including the remote control panel.

Important: Consider the following situations when administering Operations Console local console over a network:
  • For the remote control panel, mode selections require security authorization for the user that authenticates the connection, such as that provided by QSECOFR. Mode selections include Manual and Normal. Also, when connecting the remote control panel using a network, the service tools user ID must have authority to the control panel data on the system or on the partition that the remote control panel connects to.
  • If you implement a network security tool that probes ports for intrusion protection, be aware that Operations Console uses ports 449, 2300, 2323, 3001, and 3002 for normal 5250. If your tool probes any of these ports, it might cause loss of the console, which might result in an IPL to recover. Exclude these ports from intrusion protection tests.
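
One way to apply the port exclusion above before a probe profile is deployed, as an added example that is not IBM code: it removes the Operations Console ports listed on this page from a port specification and reports which ones were present. The comma-and-range spec syntax, the function names, and the sample profile are assumptions made for illustration.

```python
# Added example (not IBM code): strip the Operations Console ports from a
# probe/scan port specification before it is pointed at an IBM i system.

# Ports this page lists as used by Operations Console.
CONSOLE_PORTS = frozenset({449, 2300, 2323, 3001, 3002})


def parse_port_spec(spec):
    """Expand a spec such as "1-1024,2300,3000-3005" into a set of ints."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, sep, hi = part.partition("-")
        start = int(lo)
        end = int(hi) if sep else start
        if not (1 <= start <= end <= 65535):
            raise ValueError(f"invalid port range: {part!r}")
        ports.update(range(start, end + 1))
    return ports


def format_port_spec(ports):
    """Collapse a set of ports back into a compact, sorted range spec."""
    runs = []
    for p in sorted(ports):
        if runs and p == runs[-1][1] + 1:
            runs[-1][1] = p          # extend the current contiguous run
        else:
            runs.append([p, p])      # start a new run
    return ",".join(str(a) if a == b else f"{a}-{b}" for a, b in runs)


def exclude_console_ports(spec):
    """Return (safe_spec, conflicts): spec minus console ports, and the ports removed."""
    requested = parse_port_spec(spec)
    conflicts = sorted(requested & CONSOLE_PORTS)
    return format_port_spec(requested - CONSOLE_PORTS), conflicts


if __name__ == "__main__":
    # Constructed sample profile that overlaps every console port.
    safe, hit = exclude_console_ports("1-1024,2300-2323,3000-3005")
    print("removed from profile:", hit)
    print("probe only:", safe)
```

A non-empty conflicts list means the original profile would have probed a console port and needs the exclusion applied.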

Console control features

If IBM i Operations Console detects the same user (that is, the same PC IP address and the same user ID) and the Skipped setting is enabled, the normal Takeover Sign on screen is also skipped. If this feature is not desired, disable it by setting the option to Show.

Protection tips

When using an Operations Console local console on a network, change the passwords for the following DST user IDs: QSECOFR, 11111111, 22222222, and QSRV.