APRM® Technical Alert

Product: APRM - V5R3M1 and later
OS Level: i5/OS - V5R3M0 and later
Date: December 10, 2008

Version 7.3.3 of the HMC code added some new security features that can affect APRM's ability to connect to the HMC.
With HMC version 7.3.3, IBM added two new controls: the HMC can forcibly end a user's session a predetermined time after signon, regardless of activity, and the protocol version(s) accepted for Secure Shell (SSH) connections can be restricted.
APRM must connect to the HMC via Secure Shell (SSH) from each i5/OS partition when APRM is started in that partition, and it must keep that connection open for as long as the partition continues to use APRM. Usually this is from shortly after IPL until the partition is either powered down or enters a restricted state. For this to work, the HMC must not terminate the session of the user that APRM connects as after some predetermined time has elapsed.
Current versions of APRM communicate using SSH protocol 1. There are two standard SSH protocols, protocol 1 and protocol 2, and HMC version 7.3.3 adds the ability to restrict access to either one. Protocol 1 is the older design and is generally regarded as cryptographically weaker than protocol 2, so allowing it should be treated as a concession made to keep APRM working, limited to the HMCs that APRM partitions actually connect to, and reverted once APRM no longer requires it. According to IBM's web site for the HMC, the default setting is to allow protocol 2 only, although an HMC upgraded from an earlier release does not appear to have that default enforced.
The HMC user that APRM uses should be given an INFINITE timeout so that it is never logged off automatically. At HMC release 7.3.3 this can be set only from the GUI, not from the command line: use the Manage User Profiles and Access dialog box, where a new popup window sets the timeout and remote-access properties for the user. Because that user's sessions will never be cut off by the HMC, create a dedicated HMC user for APRM rather than sharing an administrative account, and grant it no more authority than APRM needs.
The HMC should be configured to allow SSH access at both protocols 1 and 2. At HMC release 7.3.3 this can be done only from an HMC command line. The appropriate HMC command is:
chhmc --sshprotocol all
The HMC command that lists both whether SSH access is enabled at all and which protocol(s) the HMC accepts is:
lshmc -r
The desired response to that lshmc command is:
ssh=enable,sshprotocol=all
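As an added check, not part of the original alert or of APRM: the following POSIX shell script parses the output of lshmc -r and reports whether the HMC will accept APRM's protocol 1 connections, so the setting can be verified from a script after chhmc has been run. The attribute names ssh= and sshprotocol= come from the alert; the HMC host name and user name are placeholders, and the assumptions that lshmc -r may print other comma-separated key=value pairs on the same line and that chhmc --sshprotocol takes the values 1, 2 or all are ours.

```shell
#!/bin/sh
# Added example (not from the original alert): verify an HMC's SSH settings
# for APRM using only the lshmc command the alert cites.
# Assumption: lshmc -r prints one line of comma-separated key=value pairs,
# possibly including attributes other than ssh= and sshprotocol=.

# Return 0 if the lshmc -r output given in $1 permits SSH protocol 1
# (what current APRM needs), 1 otherwise. Prints the reason on failure.
hmc_ssh_ok() {
    out=$1
    ssh_state=
    proto=
    # Walk the comma-separated key=value pairs; unknown keys are ignored.
    old_ifs=$IFS
    IFS=,
    for pair in $out; do
        key=${pair%%=*}
        val=${pair#*=}
        case $key in
            ssh) ssh_state=$val ;;
            sshprotocol) proto=$val ;;
        esac
    done
    IFS=$old_ifs

    if [ "$ssh_state" != "enable" ]; then
        echo "SSH is not enabled on the HMC (ssh=${ssh_state:-missing})" >&2
        return 1
    fi
    # Assumption: chhmc --sshprotocol accepts 1, 2 or all, and lshmc echoes
    # that value back. Both "all" and "1" let APRM's protocol 1 client in.
    case $proto in
        all|1) return 0 ;;
        *) echo "HMC rejects SSH protocol 1 (sshprotocol=${proto:-missing})" >&2
           return 1 ;;
    esac
}

# Query a live HMC over SSH. $1 is the HMC host name and $2 the HMC user
# (placeholders); the user must be able to log in and run lshmc.
check_hmc() {
    hmc_host=$1
    hmc_user=$2
    out=$(ssh "$hmc_user@$hmc_host" lshmc -r) || return 1
    if hmc_ssh_ok "$out"; then
        echo "$hmc_host: ready for APRM (ssh=enable, sshprotocol permits 1)"
    else
        echo "$hmc_host: run 'chhmc --sshprotocol all' on the HMC" >&2
        return 1
    fi
}

# With two arguments, check a real HMC; with none, exercise the parser on
# constructed sample outputs.
if [ "$#" -eq 2 ]; then
    check_hmc "$1" "$2"
elif [ "$#" -eq 0 ]; then
    hmc_ssh_ok "ssh=enable,sshprotocol=all" && echo "sample 1: accepted"
    hmc_ssh_ok "ssh=enable,sshprotocol=2" 2>/dev/null || echo "sample 2: rejected, as expected"
fi
```

Run it as `sh check_hmc.sh hmc_host aprm_user` from a machine that can reach the HMC; a non-zero exit means the HMC still needs the chhmc change (or SSH is disabled outright), which makes it suitable as a pre-flight check before starting APRM in a partition.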
© Copyright 2008 Barsa Consulting Group, LLC. All rights reserved.