
Introduction to HMC!!

Hardware Management Console is a technology invented by IBM for the purpose of providing a standard interface to configuring and operating partitioned (also known as an LPAR or virtualized system) and SMP systems such as IBM System i or IBM System p series.

The HMC is a Linux kernel using Busybox to provide the base utilities and X Window using the Fluxbox window manager to provide graphical logins. The HMC also utilizes Java applications to provide additional functionality. The IBM Hardware Management Console provides systems administrators a tool for planning, deploying, and managing IBM System p and IBM System i servers.

Functions performed by the HMC include:

Creating and maintaining a multiple partition environment
Displaying a virtual operating system session terminal for each partition
Displaying a virtual operator panel of contents for each partition
Detecting, reporting, and storing changes in hardware conditions
Powering managed systems on and off
Acting as a service focal point
Activating CoD

HMC maximums

At the time of writing, the following are general support considerations with respect to the HMC:

A maximum of 48 non-590/595 servers are supported
A maximum of 32 590/595 servers are supported
For all systems the maximum number of LPARs is 254
In an HMC managed enterprise, a maximum of 2 HMCs can manage a server at one time

How to reset "hscroot" password?

Instructions for hscroot password reset:

1 Power off the HMC.

2 Power on the HMC, and as soon as the Loading grub message is displayed quickly press the F1 key to get into grub. The Grub menu will show one line with the text hmc.


3 On the Grub menu, select e for edit. The next GRUB screen is displayed with two lines:

root (hd0,0)
kernel (hd0,1)/boot/bzImage ro root=/dev/hda2 vga=0x317 apm=power-off

Note: The root device can vary by model: hda2 for C03, C04 and CR2; hdc2 for CR3.

4 Move the cursor down to the line starting with kernel. Select e for edit.

Move the cursor to the right and append the following to the end of the string:

V5.1.0 to V6.1.1: init=/bin/bash
V6.1.2 and later: init=/bin/rcpwsh

The final string will vary slightly by version and model:

kernel (hd0,1)/boot/bzImage ro root=/dev/hda2 vga=0x317 apm=power-off init=/bin/rcpwsh

Press the Enter key to save the changes.

5 Press b to boot the changed selection.

This will boot to a bash shell: (none):/#.

6 Verify root is mounted read/write. Type the following command:

mount -o remount,rw /dev/hda2 /

Note: The root device can vary by model: hda2 C03, C04; hdc2 for CR2,CR3; sda2 for CR4.

7 Reset root and hscroot passwords. Run the following commands to reset the passwords. The command will prompt the user to enter the new password and a confirmation password. Any warning concerning the password being too simplistic can be ignored.

Reset root:

/usr/bin/passwd

Reset hscroot:

/usr/bin/passwd hscroot


8 Reboot the HMC (left Ctrl + left Alt + Del).

9 Log on as hscroot.

10 Immediately after logon, use the Web-based System Manager (HMC GUI) or the chhmcusr.

HMC useful key combinations

CTRL-ALT-F1: Switch to the Linux command line; no login possible. If you then press CTRL-ALT-DEL the system will reboot.
CTRL-ALT-F2: Takes you back to the X server window.
CTRL-ALT-BACKSPACE: Kills off the X server and starts a new, fresh one, so you can log in again.

HMC Commands

1. HMC Version

hscroot@hmc> lshmc -V
Version: 3
Release: 3.2
HMC Build level 20040827.1

power4 HMCs could never show a version higher than 3.x; HMC versions 4.x and higher are only for power5 systems. Power6 systems need HMC version 7.x.

2. Network configuration of the HMC

hscroot@hmc> lshmc -n

3. Reboot the HMC

power4 + power5:

hscroot@hmc> hmcshutdown -t now -r


4. How to change the HMC password (of user hscroot)

power4 + power5:

hscroot@hmc> chhmcusr -u hscroot -t passwd
Enter the new password:
Retype the new password:

5. Show Available Filesystem Space

power5:

hscroot@hmc> monhmc -r disk -n 0
Filesystem  1K-blocks     Used Available Use% Mounted on
/dev/sda2    16121184  4958484  10343788  33% /
udev           517300      156    517144   1% /dev
/dev/sda3     6040320  1341736   4391744  24% /var
/dev/sda7     8056524   154132   7493140   3% /dump
/dev/sda8    38669964   203056  36502564   1% /extra

It's just the same output as you would expect from the UNIX command df.

LPAR Management: Status Information

1. LPAR Status

That's how you get an overview of all systems controlled by your HMC: power4:

hscroot@hmc> lslpars

power5:

hscroot@hmc> lssyscfg -r sys -F name:serial_num:state
pserver1:656D24A:Operating
pserver2:656FFFF:Operating

The format string 'lpar_id:name:serial_num:state' also tells you the serial number of the systems. You can omit the field 'serial_num' if you don't need to know it. For every system from the list above you get the LPAR overview as shown below:

hscroot@hmc> lssyscfg -m pserver -r lpar -F name:state


Example:

hscroot@hmc> lssyscfg -m pserver1 -r lpar -F name:state
mylpar1:Running
mylpar2:Running
mylpar3:Not Activated

Don't know where to start? Find the managed system an LPAR belongs to with a loop over all managed systems:

hscroot@hmc> for m in $(lssyscfg -r sys -F name); do echo $m ; lssyscfg -r lpar -m $m -F name:state ; done

2. Show Status and LED/LCD Display of an LPAR

power4:

hscroot@hmc> lssyscfg -r lpar -m pserver -n mylpar

power5:

hscroot@hmc> lsrefcode -m pserver -r lpar --filter "lpar_names=mylpar" -F lpar_name:refcode

You can even see the history of LED codes. Just use -n <NUM> for the last NUM codes. For example, if you want to see the last 5 LED codes of an LPAR, type:

hscroot@hmc> lsrefcode -m pserver -r lpar --filter "lpar_names=mylpar" -n 5 -F lpar_name:refcode
mylpar:
mylpar:0c33
mylpar:
mylpar:0539
mylpar:0538

... and for the status LEDs:

hscroot@hmc> lsled -m pserver -r sa -t virtuallpar --filter "lpar_names=mylpar"

3. Show Status and LED/LCD Display of a Systems Running in FullPartitionMode


power4:

hscroot@hmc> lssyscfg -r sys -n pserver

4. Overview LPAR IDs

power5:

hscroot@hmc> lssyscfg -r lpar -m pserver -F lpar_id:name:serial_num:state | sort -n
1:vioserver1:Running
2:vioserver2:Running
3:mylpar1:Not Activated
4:mylpar2:Running
5:mylpar3:Running
6:mylpar4:Running
7:mylpar5:Running
8:mylpar6:Running
9:mylpar7:Running
10:mylpar8:Not Activated

5. Overview Connection State

Are all service processors connected to my HMC? power5:

hscroot@hmc> lssysconn -r all -F type_model_serial_num:ipaddr:state | sort
9117-570*65AE18C:172.16.255.253:Connected
9117-570*65AE18C:172.16.254.255:Connected
9117-570*65AE2AC:172.16.255.254:Connected
9117-570*65AE2AC:172.16.254.254:Connected
9117-570*650D70D:172.16.255.252:Connected
9117-570*650D70D:172.16.253.255:Connected
9117-570*650D71D:172.16.254.253:Connected
9117-570*650D71D:172.16.255.251:Connected
9131-52A*065F7BB:172.16.253.254:Connected
9131-52A*065F8BA:172.16.254.252:Connected

The link to the name of the managed system is the serial number, not the IP address! The IP addresses listed above are assigned to the service processors' private NICs and managed by the integrated DHCP server of the HMC.

6. Show a List of All I/O Adapters


The command below will show a list of all adapters physically plugged into a Managed System: power5:

hscroot@hmc> lshwres -r io -m pserver --rsubtype slot -F lpar_name:drc_name:description
null:U78C0.001.DBJC357-P2-C8-T5:Universal Serial Bus UHC Spec
mylpar1:U78C0.001.DBJC357-P2-C1:Fibre Channel Serial Bus
null:U78C0.001.DBJC357-P2-C2:Fibre Channel Serial Bus
vios2:U78C0.001.DBJC357-P2-T3:RAID Controller
vios2:U78C0.001.DBJC357-P2-C8-T7:Generic XT-Compatable Serial Controller
vios2:U78C0.001.DBJC357-P2-C5:Fibre Channel Serial Bus
vios2:U78C0.001.DBJC357-P2-C6:Ethernet controller
vios2:U78C0.001.DBJC357-P2-C9-T2:PCI-E SAS Controller
vios2:U78C0.001.DBJC357-P2-C9-T1:PCI-E SAS Controller
null:U78C0.001.DBJC373-P2-C8-T5:Universal Serial Bus UHC Spec
mylpar1:U78C0.001.DBJC373-P2-C1:Fibre Channel Serial Bus
null:U78C0.001.DBJC373-P2-C2:Fibre Channel Serial Bus
vios1:U78C0.001.DBJC373-P2-T3:RAID Controller
vios1:U78C0.001.DBJC373-P2-C8-T7:Generic XT-Compatable Serial Controller
vios1:U78C0.001.DBJC373-P2-C5:Fibre Channel Serial Bus
vios1:U78C0.001.DBJC373-P2-C6:Ethernet controller
vios1:U78C0.001.DBJC373-P2-C9-T2:PCI-E SAS Controller
vios1:U78C0.001.DBJC373-P2-C9-T1:PCI-E SAS Controller

A leading "null" in the lpar_name field indicates that the adapter is not assigned to an LPAR. To show a list of all I/O adapters owned by a specific LPAR use the "--filter" modifier: power5:

hscroot@hmc> lshwres -r io -m pserver --rsubtype slot -F lpar_name:drc_name:description --filter "lpar_names=mylpar1"
mylpar1:U78C0.001.DBJC357-P2-C1:Fibre Channel Serial Bus
mylpar1:U78C0.001.DBJC373-P2-C1:Fibre Channel Serial Bus

7. Overview DLPAR status

power5:

hscroot@hmc> lspartition -dlpar
<#0> Partition:<6*9117-MMB*656D24A, mylpar1.unixwerk.de, 111.111.15.66>
       Active:<0>, OS:<AIX, 5.3, 5300-09-08-1036>, DCaps:<0x0>, CmdCaps:<0x0, 0x0>, PinnedMem:<512>
<#1> Partition:<2*9117-MMB*656D24A, vios1.unixwerk.de, 111.111.15.65>
       Active:<1>, OS:<AIX, 6.1, 6100-06-00-0000>, DCaps:<0x4f9f>, CmdCaps:<0x1b, 0x1b>, PinnedMem:<520>
<#2> Partition:<1*9117-MMB*656D24A, vios2.unixwerk.de, 111.111.15.64>
       Active:<1>, OS:<AIX, 6.1, 6100-06-00-0000>, DCaps:<0x4f9f>, CmdCaps:<0x1b, 0x1b>, PinnedMem:<518>
<#3> Partition:<3*9117-570*656FFFF, mylpar2.unixwerk.de, 111.111.226.4>
       Active:<1>, OS:<AIX, 5.3, 5300-09-04-0920>, DCaps:<0x2f>, CmdCaps:<0xb, 0xb>, PinnedMem:<1707>
<#4> Partition:<1*9117-570*656FFFF, mylpar3.unixwerk.de, 111.111.226.2>
       Active:<1>, OS:<AIX, 5.3, 5300-09-04-0920>, DCaps:<0x2f>, CmdCaps:<0xb, 0xb>, PinnedMem:<884>
<#5> Partition:<1*9133-55A*650D71D, mylpar7.unixwerk.de, 111.111.0.26>
       Active:<1>, OS:<AIX, 5.3, 5300-09-03-0918>, DCaps:<0x2f>, CmdCaps:<0xb, 0xb>, PinnedMem:<406>
<#6> Partition:<4*9117-570*656FFFF, mylpar4.unixwerk.de, 111.111.226.5>
       Active:<1>, OS:<AIX, 5.3, 5300-09-04-0920>, DCaps:<0x2f>, CmdCaps:<0xb, 0xb>, PinnedMem:<967>

A value of <1> for Active: should be fine. Active:<0> (as for mylpar1 above) means the HMC has no working RMC connection to that partition, so DLPAR operations on it will fail until RMC is up again.
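The two listings above (connection state in section 5 and DLPAR status in section 7) are easy to eyeball on a small estate but not on 40 managed systems. The script below is an added example, not part of the original cheat sheet, that turns both outputs into findings: service processor links whose state is not Connected, and partitions the HMC cannot reach over RMC. It assumes the field layouts shown above (`lssysconn -r all -F type_model_serial_num:ipaddr:state` and the `Partition:<...>` / `Active:<n>` records of `lspartition -dlpar`); the sample text it runs on is constructed, with made-up serial numbers and addresses, so it executes offline. On a real HMC you would pipe the command output into the functions instead.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet: filters over HMC status
# output. Both functions read the command output on stdin.
#
# Assumed input formats (as in the listings above, not verified beyond them):
#   lssysconn -r all -F type_model_serial_num:ipaddr:state
#     -> one "type_model_serial_num:ipaddr:state" line per connection
#   lspartition -dlpar
#     -> "<#n> Partition:<id*type-model*serial, hostname, ip>" followed by
#        "Active:<0|1>, OS:<...>, ..." on the same or the next line

# Constructed sample (serial numbers, addresses and states are made up).
SAMPLE_LSSYSCONN='9117-570*65AE18C:172.16.255.253:Connected
9117-570*65AE18C:172.16.254.255:Connected
9117-570*650D70D:172.16.255.252:No Connection
9131-52A*065F7BB:172.16.253.254:Connected
9131-52A*065F8BA:172.16.254.252:Incomplete'

# Constructed sample in the lspartition -dlpar layout (hostnames made up).
SAMPLE_LSPARTITION='<#0> Partition:<6*9117-MMB*1234567, lpar1.example.com, 192.0.2.66>
       Active:<0>, OS:<AIX, 5.3, 5300-09-08-1036>, DCaps:<0x0>, CmdCaps:<0x0, 0x0>, PinnedMem:<512>
<#1> Partition:<2*9117-MMB*1234567, vios1.example.com, 192.0.2.65>
       Active:<1>, OS:<AIX, 6.1, 6100-06-00-0000>, DCaps:<0x4f9f>, CmdCaps:<0x1b, 0x1b>, PinnedMem:<520>
<#2> Partition:<3*9117-570*7654321, lpar2.example.com, 192.0.2.4>
       Active:<0>, OS:<AIX, 5.3, 5300-09-04-0920>, DCaps:<0x2f>, CmdCaps:<0xb, 0xb>, PinnedMem:<1707>'

# Print "system ip state" for every service processor link whose state is
# not "Connected". No output means every link is up.
unconnected_links() {
    awk -F: '$3 != "Connected" { print $1, $2, $3 }'
}

# Print the hostname of every partition reported with Active:<0>, i.e. the
# HMC has no RMC connection to it and DLPAR operations on it would fail.
rmc_inactive_partitions() {
    awk '
        /Partition:</ {
            # keep only the text inside Partition:<...>, then take the
            # second comma-separated field, which is the hostname
            s = $0; sub(/.*Partition:</, "", s); sub(/>.*/, "", s)
            n = split(s, f, /, */); host = (n >= 2) ? f[2] : s
        }
        /Active:</ {
            a = $0; sub(/.*Active:</, "", a); sub(/>.*/, "", a)
            if (a == "0") print host
        }'
}

# Demo on the constructed samples; on an HMC pipe the real commands instead,
# e.g.  lssysconn -r all -F type_model_serial_num:ipaddr:state | unconnected_links
if [ "${1:-}" = "--demo" ]; then
    echo "Service processor links not in state Connected:"
    printf '%s\n' "$SAMPLE_LSSYSCONN" | unconnected_links
    echo "Partitions without an active RMC connection:"
    printf '%s\n' "$SAMPLE_LSPARTITION" | rmc_inactive_partitions
fi
```

Both filters are plain awk, so they run unchanged in the restricted hscroot shell on the HMC or on any workstation you copy the output to. The partition parser matches the `Partition:<` and `Active:<` markers independently, so it copes with the record being printed on one line or on two.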

LPAR Management: Operations

1. Soft Reset of an LPAR

power4:

hscroot@hmc> chsysstate -m pserver -r lpar -n mylpar -o reset

power5:

hscroot@hmc> chsysstate -r lpar -m pserver -o shutdown -n mylpar

2. Soft Reset of a System Running in FullPartitionMode

power4:

hscroot@hmc> chsysstate -n pserver -r sys -o reset

3. Hard Reset of an LPAR

power4:

hscroot@hmc> chsysstate -m pserver -r lpar -n mylpar -o off

power5:

hscroot@hmc> chsysstate -r lpar -m pseries -o shutdown -n mylpar --immed


4. Hard Reset of a System Running in FullPartitionMode

power4:

hscroot@hmc> chsysstate -n pserver -r sys -o off

5. Virtual Console

That's how you get a connection to an LPAR's serial console: power4 + power5:

hscroot@hmc> mkvterm -m pserver -p mylpar

If your system is running in FullSystemPartition mode you connect with a command like this: power4:

hscroot@hmc> mkvterm -m pserver

You can escape from the console connection by typing ~~. (tilde twice, followed by a dot). If you cannot connect to the serial console and you get an error message instead:

All available virtual terminal sessions have been opened and are in use. To force a new open session, perform a Close Terminal Session operation which frees up the session.

there is still another active connection to this console. You can close this connection with: power4 + power5:

hscroot@hmc> rmvterm -m pserver -p mylpar

If you're not sure which managed system belongs to an LPAR you could walk through the vtmenu:

hscroot@hmc> vtmenu
Retrieving name of managed system(s) . . .

----------------------------------------------------------
Managed Systems:
----------------------------------------------------------
 1) pserver1
 2) pserver2
 3) pserver3

Enter Number of Managed System. (q to quit): 1

----------------------------------------------------------
Partitions On Managed System: pserver1
----------------------------------------------------------
 1) mylpar1 Running
 2) mylpar2 Running
 3) mylpar3 Running
 4) mylpar4 Running
 5) mylpar5 Running

Enter Number of Running Partition (q to quit):

Just enter a number and you will be connected to the console of the corresponding LPAR.

6. Activation of an LPAR

power4:

hscroot@hmc> chsysstate -r lpar -m pserver -o on [ -f myprofile ] -n mylpar

power5:

hscroot@hmc> chsysstate -r lpar -m pserver -o on -f myprofile -n mylpar

7. How to Power on a System Running in FullPartitionMode

power4:

hscroot@hmc> chsysstate -o on -r sys -n pserver -c full

8. Bring the key switch to position NORMAL

This might be necessary on some power5 HMCs when an LPAR does not properly boot after issuing the power on command above. You might see a message like this:

0514-440 cfgcon: failed to create log file: check path name, permissions, and available space

When seeing this you can only access diag mode or boot the LPAR in single-user mode. This command sets the key switch back to the normal position: power5:

hscroot@hmc> chsysstate -r lpar -o chkey -k norm -n mylpar -m pserver


LPAR Configuration

1. Change an LPAR's Name

Let's say we have these five LPARs defined on a managed system:

hscroot@hmc> lssyscfg -r lpar -m pserver -F lpar_id:name:state
1:vios1:Running
2:vios2:Running
3:barney:Running
4:mylpar2:Running
5:mylpar3:Running

Now we want to change the name of LPAR 3 from barney to mylpar1: power5:

hscroot@hmc> chsyscfg -r lpar -m pserver -i "name=barney,new_name=mylpar1"

We check and see that the name of LPAR 3 has indeed changed to mylpar1:

hscroot@hmc> lssyscfg -r lpar -m pserver -F lpar_id:name:state
1:vios1:Running
2:vios2:Running
3:mylpar1:Running
4:mylpar2:Running
5:mylpar3:Running

2. Rename a Managed System

This would change the name of the managed system pserver to pserver1: power5:

hscroot@hmc> chsyscfg -r sys -m pserver -i "new_name=pserver1"

3. DLPAR: Increase the Number of Processing Units of an LPAR

To assign 8 additional processing units to an LPAR run the following command: power5:


hscroot@hmc> chhwres -r proc -m pserver -o a -p mylpar --procunits 8

HMC command quick reference

lshmc -v
    Shows vital product data, such as the serial number.

lshmc -V
    Shows the release of the HMC.

lshmc -n
    Shows network information of the HMC.

hmcshutdown -r -t now
    Reboot the HMC.

lssysconn -r all
    Show the connected managed systems.

chhmcusr -u hscpe -t passwd -v abc1234
    Change the password of user hscpe.

lshmcusr
    List the users of the HMC.

ls -al /var/hsc/log/hmclogger.log
ls -al /var/hsc/log/cimserver.log
    Interesting log files of the HMC.

monhmc -r disk
    Look at the filesystems of the HMC. Try using "proc", "mem" and "swap" as well.

vtmenu
    Open a virtual console from the HMC. Exit by typing "~." (tilde dot) or "~~." (tilde tilde dot).

rmvterm -m SYSTEM-9117-570-SN10XXXXX -p name
    Forces the closure of a virtual terminal session.

chsysstate -m SYSTEM-9131-52A-SN10XXXXX -r lpar -o on -n name -f default_profile
chsysstate -m SYSTEM-9131-52A-SN10XXXXX -r lpar -o shutdown -n name --immed
    Change the state of a partition.

lssyscfg -r prof -m SYSTEM-9117-570-SN10XXXXX
    List partition profiles for a managed system.

lspartition

Securing the HMC


This article is a cookbook tool to help you secure the Hardware Management Console (HMC). It provides detailed instructions for what should be done, and what could be done, in a straightforward manner.

The HMC plays a central role in the IBM virtualization strategy. It controls hardware, configures logical partitions (LPAR), and assigns both physical and virtual devices. It is vital to systems management in a virtualized environment. IBM created and designed the HMC as a closed system to perform only those functions specifically assigned to it. The Licensed Internal Code of the HMC is based on an open operating system that has been customized to enhance security. You should do additional customization to complete the securing process.

In this article, you'll learn the steps that should be taken during installation of the HMC. Optional measures that might be implemented later, if desired, are also included. The author wraps up with some maintenance guidelines for ensuring that a secure system stays secure.

Assumptions

The how-to steps in this article assume you are at the HMC console using the Web-based System Manager, which is the graphical user interface (GUI). Whenever the command-line interface is required, it is noted. Some of the configuration can be performed remotely, but some must be done at the console. While some initial configuration can be performed using the Setup Wizard, the methods described in this article focus on using the configuration menus of the HMC.

During installation

This section covers the steps you should take during installation of the HMC.

Install in a secure location

Whenever possible, an HMC should be installed in a secured area, such as a data center. The HMC should be close enough to the POWER5 servers it manages to allow a customer engineer easy access to all systems. If the HMC cannot be installed in a secured area, consider creating a power-on password, as described in the Optional steps section.

Change the default passwords

The default super administrative user on the HMC is hscroot. The initial password is set at the factory to abc123. The default root password is passw0rd. The first step is to change the hscroot and root passwords to a combination of seven letters and numbers. Follow these steps to change HMC user passwords:

1. In the Navigation area, expand the HMC Management folder.
2. Click the HMC users icon.
3. In the Content area, click Manage HMC Users and Access. The User Profiles window should open.
4. Highlight the user ID you wish to change, click User at the top left on the menu, then select Modify from the pull-down menu.
5. On the Modify User menu, enter the new password and confirm it by entering it a second time.
6. Click OK.

Create users with the appropriate roles

The hscroot user cannot be removed from the system, but the user ID should not be shared among administrators. Each administrator should have a unique user ID and password that has the appropriate task and resource roles, including a hscroot equivalent if necessary. Tasks are functions that a user can perform, and the managed resource role defines where those tasks might be carried out. Predefined task roles include:

Super administrator
Service representative
Operator
Product engineer
Viewer

By default, these roles apply to all resources managed by the HMC. You can create customized HMC roles by modifying those that are predefined and limit them to specific resources. In addition to creating IDs for systems administrators, it is a good practice during installation to create the hscpe user with the product engineer role. To create a user:

1. In the Navigation area of Web-based System Manager, expand the HMC Management folder and click the Users icon.
2. In the Content area, click Manage HMC Users and Access. The User Profiles window should open.
3. Click User > Add. Fill in the appropriate fields (tasks and roles) and click OK.
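The guidance above (hscroot is never shared, every administrator has a personal ID with a fitting task role, hscpe exists for the product engineer) can be checked from the command line rather than by clicking through the User Profiles window. The script below is an added example, not part of the original article. It assumes, as a labelled assumption, that `lshmcusr -F name:taskrole` prints one `name:taskrole` line per user and that the super administrator role is reported as `hmcsuperadmin`; the user list it runs on is constructed, so it executes offline.

```shell
#!/bin/sh
# Added example, not part of the original article: review the HMC user list
# against the practices described above.
#
# Assumptions (not taken from the article):
#   - the list comes from   lshmcusr -F name:taskrole   as "name:taskrole"
#     lines, one user per line;
#   - the super administrator task role is reported as "hmcsuperadmin".

# Constructed sample user list (made up; not output from a real HMC).
SAMPLE_LSHMCUSR='hscroot:hmcsuperadmin
hscpe:hmcpe
alice:hmcsuperadmin
bob:hmcoperator
monitor:hmcviewer'

# Print the names of all users holding the super administrator role, so the
# list can be reviewed against who actually needs it.
super_admins() {
    awk -F: '$2 == "hmcsuperadmin" { print $1 }'
}

# Exit 0 when at least one super administrator other than hscroot exists,
# i.e. administrators have personal IDs and need not share hscroot; exit 1
# when hscroot is the only super administrator account.
has_personal_super_admin() {
    awk -F: '$2 == "hmcsuperadmin" && $1 != "hscroot" { found = 1 }
             END { exit(found ? 0 : 1) }'
}

# Exit 0 when the hscpe user (product engineer) has been created.
has_hscpe_user() {
    awk -F: '$1 == "hscpe" { found = 1 } END { exit(found ? 0 : 1) }'
}

# Demo on the constructed list; on an HMC use:
#   lshmcusr -F name:taskrole | super_admins
if [ "${1:-}" = "--demo" ]; then
    echo "Super administrators:"
    printf '%s\n' "$SAMPLE_LSHMCUSR" | super_admins
    if printf '%s\n' "$SAMPLE_LSHMCUSR" | has_personal_super_admin; then
        echo "OK: administrators have personal super administrator IDs"
    else
        echo "WARNING: hscroot is the only super administrator; it is probably being shared"
    fi
    if printf '%s\n' "$SAMPLE_LSHMCUSR" | has_hscpe_user; then
        echo "OK: hscpe user exists"
    else
        echo "WARNING: no hscpe user defined"
    fi
fi
```

The exit-status functions are written so they can sit directly in an `if` in a periodic audit script; the list of super administrators is printed rather than judged, because how many of them are appropriate is a decision for the site, not for the script.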

Enable remote command-line access

Command-line access to the HMC is only available using Secure Shell (SSH). By default, the HMC does not permit remote command-line access. This is generally not the desired setting. Allowing remote command-line access requires two steps:

1. Enable remote access on the HMC Configuration menu.
2. Open port 22 on the appropriate network adapter's firewall.


You must have either the super administrator or service representative role to control this setting. To enable remote command-line access:

1. In the Navigation area, click the HMC Management icon.
2. In the Content area, double-click the HMC Configuration icon.
3. In the Contents area, click Enable/Disable Remote Command Execution.
4. Check the box Enable remote command execution.
5. Click OK.

To configure a firewall to allow Web-based System Manager and SSH traffic:

1. In the Navigation area, click the HMC Management icon.
2. In the Content pane, click Customize Network Settings.
3. Click the LAN Adapters tab.
4. Select the adapter that you want to work with (probably eth1) and click Details.
5. Click the Firewall tab.
6. Using one of the following methods, you can allow any IP address using a particular application through the firewall, or you can specify one or more IP addresses:

   o Allow any IP address using a particular application through the firewall:
     1. From the top box on the left, highlight the application.
     2. Click Allow Incoming on the right. The application displays in the bottom box to signify that it has been selected.

   o Specify which IP addresses to allow through the firewall:
     1. From the top box on the left, highlight an application.
     2. Click Allow Incoming by IP Address on the right.
     3. On the Hosts Allowed window, enter the IP address and the network mask.
     4. Click Add and then click OK.

7. Click OK.

Any change to the network settings requires that the HMC be rebooted. It is usually best to make these firewall changes during the initial network configuration.

Disable remote virtual terminals

By default, the HMC does not allow remote Web-based System Manager users to open a virtual terminal on an LPAR. Many customers do want to enable this, but it does present a security risk. Why? Because the virtual terminal program launched by the Web-based System Manager client does not use encrypted traffic, even if the Web-based System Manager client itself uses Secure Socket Layer (SSL) encryption. (Go to the Require Web-based System Manager clients to use SSL encryption section for a discussion of secure Web-based System Manager.) Logins, passwords, and confidential data entered or displayed in the virtual terminal window are transmitted in plain text over the network. If this issue raises concerns in your environment, you should not allow it. A secure alternative would be to use a separate program, such as SSH, to access the LPAR. Another option is to log in to the HMC using SSH and run the mkvterm or vtmenu commands. These commands give you access to the partitions, and their network packets are encrypted from end to end.

To configure remote virtual terminal access:

1. In the Navigation area, click HMC Configuration.
2. In the Contents pane, click Enable or Disable Remote Virtual Terminal.
3. In the pop-up window, check the box to enable remote virtual terminal connections. To continue the default policy of not allowing remote virtual terminal connections, make sure the box is not checked.
4. Click OK.

Use a private network to manage servers

Using a private network in which the HMC acts as a Dynamic Host Configuration Protocol (DHCP) server for all managed systems is preferred. If the system managed by an HMC has a Bulk Power Controller, the HMC must use a private network. The private network is non-routable. It consists of just one HMC and one port on each service processor being managed. (With dual HMCs, you can have two private networks per service processor, each on a separate IP network connecting to one of the two HMCs.) Administrators can select one of 20 possible IP subnet address ranges from the pull-down menu on the DHCP or private network configuration screen. Avoid selecting an IP address range that is adjacent to the address of another network adapter in the HMC.

To configure the HMC as a DHCP server:

1. In the Navigation area, expand the HMC that you want to work with. HMCs are listed by hostname or IP address.
2. Expand HMC Management.
3. Click HMC Configuration.
4. In the Contents pane, click Customize network settings.
5. Click the LAN Adapters tab.
6. Select the adapter that you want to work with and click Details.
7. Click the LAN Adapter tab.
8. In the DHCP Server section, check Enable DHCP Server to enable the HMC as a DHCP server.
9. Enter the address range of the DHCP server.
10. Click OK.

Use an open network for LPAR monitoring and remote access

Configure a second adapter, for example eth1, to allow remote administrative access to the HMC and to monitor LPAR on managed systems. Remember to open the network firewall ports on this adapter for Web-based System Manager and SSH, as described above. As part of the HMC service strategy, the HMC monitors the state of managed partitions over the open network using the Resource Monitoring and Control (RMC) protocol, which uses port 657. RMC is also required for dynamic logical partitioning (DLPAR).

To configure a LAN adapter on an open network:

1. From the Navigation window, select HMC Management.
2. In the Contents window, select HMC Configuration.
3. Select the Customize Network Settings task.
4. On the Customize Network Settings menu, click the LAN Adapters tab.
5. Highlight the adapter you wish to configure, such as eth1, and click the Details tab.
6. On the LAN Adapter Details menu, select the Open radio button.
7. Select the correct Media Speed to pick the correct speed and duplex connection.
8. Click the Partition communication box to automatically set up RMC for managed LPAR.
9. Fill in the correct Transmission Control Protocol/Internet Protocol (TCP/IP) interface address and subnet mask.
10. Click the Firewall tab and follow the steps listed above for allowing Web-based System Manager and SSH through the firewall, either by application or application and IP address.
11. From the Customize Network Settings menu, select the Name Services and Routing menus and fill in Domain Name Service and routing IP addresses, as required by your network administrator.
12. Reboot the HMC after all network changes have been made.

Change the passwords on the service processor

The first time an HMC connects to a managed server, you can either set the service processor's HMC Access password or enter the password that was set previously. The service processor uses this password to authenticate and authorize management operations initiated by the HMC. While setting the HMC Access password, you can also set the service processor's administrator and general passwords. The default administrator user ID is admin and the password is admin. The default general user ID is general and the password is general. All passwords should be changed during system installation. Keep these and all passwords in a secure and accessible location.

To set the HMC Access password during initial installation over a private network:

1. In the Server and Partition: Server Management window, you will see the new managed server appear as an IP address with a message that says Authentication Pending.
2. Set the managed system password. This sets the HMC Access password on the service processor. (On the service processor's menus, this is simply called the HMC password.)
3. By opening the Admin and General tabs, you can set the passwords for the general and admin users.

The service processor has both an ASCII interface and a GUI. The latter is HTTPS-based and called the Advanced System Management Interface. To set or change passwords on the service processor using the Advanced System Management Interface, follow these steps:

1. Connect an Ethernet cable from a laptop to the HMC1 port on the managed system's service processor.
2. Configure the laptop's IP address to 192.168.2.146.
3. In the laptop's browser, open URL https://192.168.2.147.
4. On the Advanced System Management Interface Welcome pane, enter the admin user ID and password.
5. In the Navigation area, expand Login Profile.
6. Select Change Password.
7. Specify the required information (the HMC user and password) and then click Continue.

The changes made to the Advanced System Management Interface password take place immediately.

Set up secure call-home communications

Customers can configure their servers to notify IBM Service when hardware problems occur. On IBM System p™, four outbound connection methods exist:

Local modem
Internet
Internet virtual private network (VPN)
Pass-through systems (another HMC)

The Internet option employs SSL and only allows outbound traffic. Both the modem and Internet VPN options use Internet Protocol Security (IPSec) to create a secure connection. All options transmit only service-related data to IBM. The modem and Internet VPN options can be configured for inbound traffic, if desired. As of HMC V6.1, the Internet option also supports proxy servers.


To set up secure outbound communication using the Internet method:

1. The HMC must have a Local Area Network (LAN) adapter that is connected to a network with Internet access.
2. The LAN adapter must be configured with a default gateway that provides access to the Internet.
3. If a firewall is in place between the HMC and the Internet, it must allow outgoing TCP/IP connections on port 443 from the HMC to each of the following IP addresses:
   o 129.42.160.48 and 207.25.252.200 (IBM Service to the system authentication server)
   o 129.42.160.49 and 207.25.252.204 (HMC access to IBM Service for North or South America)
   o 129.42.160.50 and 207.25.252.205 (HMC access to IBM Service for all other regions)

   You only need to specify the IP addresses necessary to set up access to the system authentication server and those appropriate for your region.

4. From the Service Applications folder, select Remote Support.
5. Select the Customize Outbound Connectivity task.
6. On the Customize Outbound Connectivity menu, select Internet.
7. Check the box that says Enable local system as a call-home server.
8. Check the box that reads Allow an existing Internet connection for service.
9. If an Internet proxy is used, fill in the necessary information on the menu.
10. Select Test to verify that outbound connectivity is successful.

Optional steps

This section discusses optional measures you can implement after installation, if you so choose.

Require Web-based System Manager clients to use SSL encryption

You can require that all remote access to the HMC use SSL encryption. To do so, you need to configure System Manager Security on the HMC and require remote Web-based System Manager clients to use the SSL-encrypted version. The administrator must perform these configuration steps from the HMC console.

The steps required to set up System Manager Security are:

1. Configure Certificate Authority on the HMC.
2. Generate private and public key ring files.
3. Install the private key ring file on the HMC.
4. Select the security connection mode for your HMC; for example, SSL encryption required for all remote clients.
5. Copy the public key ring file to a formatted diskette.
6. Distribute the public key ring file to remote Web-based System Manager clients.

To configure Certificate Authority on your HMC:

1. Expand the System Manager Security folder on the desktop and then select Certificate Authority in the navigation area.
2. Select the Configure this system as a System Manager Certificate Authority task.
3. The Define Internal Certificate Authority wizard opens. Click Next.
4. The wizard prompts you for an organization name. Enter an appropriate name and click Next.
5. The wizard displays the expiration date for the certificate that you are going to create. Verify the date (the default expiration period is four years in the future) and then click Next.
6. The wizard prompts you to enter a password for the Certificate Authority's key ring file. Type the appropriate password twice and click Next.
7. The wizard shows an information message that says Certificate Authority has been configured. Select Finish.

To configure private and public key ring files:

1. Expand the System Manager Security folder. Select the Certificate Authority application in the navigation area.
2. Select the Generate Servers' Private Key Ring Files task.
3. A window opens prompting you for the password entered in step 6 of the Certificate Authority configuration above.
4. A window appears labeled Certificate Servers Private Key Ring Files. Verify that the HMC host name that appears in the box at the upper left is correct and then click Add.
5. Check the box Encrypt the server private key files at the bottom of the screen. The system will prompt you for the Certificate Authority key ring file password that was created in step 6 above. Enter the password twice.
6. Fill in the organization name in the appropriate box and click OK.
7. An information window is displayed when the key generation has been completed. Click OK to close the information window.

To copy the public key ring file to a diskette (the public and private key ring files were created in the previous step):

1. Expand the System Manager Security folder and select the Certificate Authority application in the navigation area.
2. Select the Copy this Certificate Authority's Public Key Ring File to diskette task.
3. The Copy Certificate Authority Public Key to Diskette window opens.
   o If you are going to use the diskette to distribute the public key ring file for remote Web-based System Manager clients on HMC or AIX® systems, insert the diskette media in the drive. The media does not have to be formatted.
   o If you are going to use the diskette to distribute the public key ring file for use on Windows-based PC clients, use a formatted diskette.
4. When you have inserted the diskette, choose the appropriate selection (for "HMC or AIX Client" or for "PC client") and then click OK.
5. An information window is displayed when the copy has been completed. Click OK to close the information window.

If you selected "HMC or AIX Client," the diskette contains only one file, SM.pubkr, in TAR format. If you selected "PC Client," the diskette contains only one file, SM.pubkr, in DOS format. Do not copy this file to a network-accessible place, such as an FTP server. If a malicious user steals the file, the security mechanism provided by the HMC does not block access from this rogue user.

To install the private key ring file for this server:

1. Expand the System Manager Security folder, and then select the Server Security application in the Navigation area.
2. Select the Install the private key ring file for this server task. The Install Private Key Ring File window opens.
   o If you have just generated the pair of private key ring files on your HMC, select the Directory option and then click OK.
   o If the private key ring file is stored in a TAR archive on the HMC, select the TAR file option. Click OK and specify the file name and location.
   o If you have the backup diskette media that stores the server private key ring files, select the TAR diskette option and click OK. (You can back up the server private key file using the "Copy Servers' Private Key Ring Files to diskette" task provided in the Certificate Authority application.)
3. A window opens that prompts you to enter the password that was used for creating the private key on the HMC. Enter the password and click OK.
4. The information window is displayed once the task has completed. Click OK to close.

Install the Web-based System Manager client on the remote workstation first; the security image can then be installed.

1. From the remote client, open a browser to the following URL: http://<HMC_fully_qualified_hostname>/remote_client.html.
2. Enter a valid user ID and password.
3. Follow the steps to install the client using either the Install Shield or Java™ Web Start method.
4. To install the SSL security package for Web-based System Manager, open a browser to the following URL: http://<HMC_fully_qualified_hostname>/remote_client_security.html.
5. Follow the instructions, using either the Install Shield or Java Web Start method.

Afterward, distribute the Certificate Authority's public key to your Windows®, Linux®, or AIX remote clients. Use command-line or standalone tools to copy the Certificate Authority's public key from removable media to the code base directory of the remote client. The Certificate Authority's public key file must be copied in binary format. The code base directory locations are:

o On a Windows client: Program files\websm\codebase
o On an AIX client: /usr/websm/codebase
o On a Linux client: /opt/websm/codebase

To configure this system as a Secure System Manager Server:

1. Expand the System Manager Security folder, then select the Server Security application in the Navigation window.
2. Select the Configure this system as a Secure System Manager Server task.
3. The Configure System Manager Security wizard opens. Click Next.
4. The wizard prompts you to select either of the following options:
   o Always use a secure connection. Select this option if you wish to disallow non-SSL connections from remote Web-based System Manager clients to the HMC.
   o Allow the user to choose secure or unsecured connections. This leaves it to the remote user to decide how to connect to the HMC, and that might not be something the systems administrator is willing to allow.
5. Select the appropriate security option from those just described and select Next.
6. An information window is displayed. Click OK to close it.

Assign a power-on password

If you have an HMC that is not in a secure area, such as a data center, you might consider giving it a power-on password. This would prevent someone from inserting a bootable diskette or CD and pressing the power button to reboot into standalone mode. The power-on password would need to be entered before the HMC could finish the Initial Program Load (IPL). It would also be required if an attempt was made during IPL to press F1 and launch the setup menu.

There is some risk associated with this. If a password is set and forgotten, it requires a service call to replace the HMC planar or battery, which can result in a system outage. Therefore, it is imperative that any power-on or administrator password be stored in a secure and readily accessible location.

To configure a power-on password:

1. Boot the server.
2. When prompted with the option, press F to enter the configuration utility. (The utility name might vary depending on the HMC model and BIOS level.)
3. Look for either a System Security or Passwords submenu.
4. Follow the prompts to create and save a power-on password.

Disable remote Web-based System Manager access

It is possible to disallow remote access to the HMC, meaning that systems administrators would be forced to go to the system console to perform their work. This usually isn't desirable, but it is another security option.

To disable remote Web-based System Manager access:

1. Edit the open network (typically eth1) Firewall tab to disallow Web-based System Manager through the firewall.
2. From the command-line interface, enter chhmc -c websm -s disable.

Long-term management

This section covers some maintenance guidelines to help you keep your system secure.

Monitor for security updates

Make sure you keep track of new releases, updates, and emergency fixes. You can do this in two ways:

o Use the technical support subscription service to receive e-mails when updates become available on the Web.
o Monitor the Web manually on a regular basis at the Hardware Management Console site.

You can sign up for e-mail notification from a tool under Additional Resources on this HMC Web site. The subscription Web page has a Bulletins tab. Clicking that tab lets you search for specific information by topic and month. For example, you can search HMC updates under All Topics, Corrective service, or Security fixes.

Audit using lssvcevents and syslogd

A systems administrator can monitor activities on an HMC, such as changes to partition profiles or other important actions, from either the graphical or the command-line interface.

To monitor entries from the GUI:

1. In the Navigation area, click HMC Management.
2. In the Content window, double-click HMC Configuration.
3. Select the View Console Events task.
4. The View Console Events window opens with events listed by date, time, and event.
5. The View pull-down menu at the top left of the screen lets you select a different time range, or view events in order of occurrence or in reverse order of occurrence.

To view the console events from the command line:

1. Log in to the HMC with SSH using a valid user ID with the system administrator role.
2. Enter the command lssvcevents -t console to view console events.
3. Enter lssvcevents --help to see a description of other flags available to help you narrow a search by topic and date.

You'll find that there are better ways to target the search when you use the command line: you can filter events for specific types of entries, and you can search within specified date ranges more efficiently.

To enable syslogd and send entries to a remote server:

1. Log in to the HMC with SSH.
2. From the command line, enter:

   chhmc -c syslog -s add -h remotehost.company.com

3. On remotehost.company.com, the syslogd daemon must be running and set up to receive messages over the network. On most Linux systems, this can be done by adding the -r option to SYSLOGD_OPTIONS in the /etc/sysconfig/syslog file. In AIX, the /etc/syslog.conf file would be edited by un-commenting the appropriate lines at the bottom of the file, such as:

   *.debug /tmp/syslog.out rotate size 100k files 4
   *.crit /dev/console

4. Then, the systems administrator would enter:

   # touch /tmp/syslog.out
   # refresh -s syslogd
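The receiving side of step 3, as an added example that is not from the page or from IBM: a small Python UDP receiver that parses the BSD syslog datagrams syslogd forwards to port 514 and appends only those from the HMC's own address to the log file, since syslogd started with -r accepts datagrams from any sender. The HMC address passed to serve(), the output path, and the sample message in the comments are assumptions.

```python
import re
import socket
from dataclasses import dataclass
from typing import Iterable, Optional

# BSD syslog (RFC 3164) datagram as syslogd sends it over UDP port 514:
#   <PRI>Mmm dd hh:mm:ss host tag[pid]: message   (PRI = facility*8 + severity)
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\s\[]+)(?:\[\d+\])?:? ?(?P<msg>.*)$"
)
SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")

@dataclass
class SyslogEvent:
    facility: int
    severity: str
    timestamp: str
    host: str
    tag: str
    message: str

def parse_syslog(line: str) -> Optional[SyslogEvent]:
    """Parse one BSD syslog line; return None if it is not well formed.
    Constructed example input: '<37>Mar 10 13:04:25 hmc1 sshd[1234]: Failed ...'
    -> facility 4 (auth), severity 'notice', host 'hmc1', tag 'sshd'."""
    m = _SYSLOG_RE.match(line)
    if m is None or int(m.group("pri")) > 191:  # largest valid PRI is 23*8+7
        return None
    pri = int(m.group("pri"))
    return SyslogEvent(pri // 8, SEVERITIES[pri % 8], m.group("ts"),
                       m.group("host"), m.group("tag"), m.group("msg"))

def serve(allowed_senders: Iterable[str], port: int = 514,
          out_path: str = "/tmp/syslog.out") -> None:
    """Append events from the HMC address(es) to out_path; drop all others."""
    allowed = set(allowed_senders)  # e.g. ["192.0.2.5"], an assumed HMC address
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))  # binding UDP 514 needs root on most systems
    with open(out_path, "a") as out:
        while True:
            data, (src_ip, _) = sock.recvfrom(8192)
            if src_ip not in allowed:
                continue  # syslogd -r accepts from any sender; this does not
            ev = parse_syslog(data.decode("utf-8", "replace"))
            if ev is not None:
                out.write(f"{ev.timestamp} {ev.host} {ev.tag} "
                          f"[{ev.severity}] {ev.message}\n")
                out.flush()
```

Run serve(["<HMC address>"]) as root on the remote host after adding the HMC with the chhmc command above; the existing syslogd must not already be bound to port 514.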

Maintain HMC code at an appropriate level

There is a close relationship between the HMC and server firmware. The HMC is used to manage system firmware. New system firmware, such as that issued for a new server, might require that an HMC be updated or upgraded to a particular level. Fortunately, HMC code can support multiple system firmware levels, so it is not necessary to update all servers to the latest level found on the newest server.

There is a code matrix that shows the system firmware levels supported by various current HMC levels. The matrix is at POWER5 code matrix. Under Supported code combinations, you'll see charts for servers based on model. There are two classifications: high-end servers and everything else. The chart is color coded:

o Everything in gray is no longer receiving maintenance updates.
o Everything in yellow is supported, but at a reduced level.
o Everything in green is considered the maximum stability level.
o Everything in blue represents the latest code level.

From an HMC and system firmware management perspective, you need to be able to support the firmware on the newest server you have received and keep all others in the green or yellow boxes. Fortunately, updating HMC code is less disruptive because it doesn't impact running production servers. An HMC can be rebooted without affecting the LPARs it manages.

Summary

IBM has designed the HMC to be a special-purpose server. The code that runs the HMC eliminates many services you would expect to find in an open operating system, such as telnet access, sendmail, and so forth. The HMC uses a restricted shell that limits access to the commands its developers provided for the functions required of the HMC.

You must install and manage a new HMC correctly to make sure prudent safeguards are in place. This includes changing passwords and maintaining them over time and being sensitive to network connectivity. The HMC has several mechanisms to help control remote access, including requiring SSL encryption for all remote access.

It is possible, but usually not desirable, to manage an HMC from the console only. For full DLPAR and Service Focal Point function, only one port needs to be open between the HMC and the LPARs it manages, port 657. The HMC can be configured to notify IBM Service over a secure Internet connection when a hardware error has occurred or a problem appears imminent.

Maintaining the HMC, including monitoring for security updates and other corrective service, is a customer responsibility that is made easier with several tools that IBM has made available.

HMC Upgrade

The following are the step-by-step instructions to upgrade the HMC: