Managing secure service accounts
Follow these recommended practices to manage access to your service account in
the DS Service GUI and remote access by IBM Hardware Support.
Procedure
Complete the following steps to achieve the level of secure access that is required
for service accounts on your storage system.
1.
Assign one or more service administrators to manage service on your storage
system.
2.
Access the DS Service GUI from a web browser on a system that has network
access to the Hardware Management Console (HMC) at
https://HMC_IP/
service
, where HMC_IP is the IP address or host name of the HMC. You can
also access the DS Service GUI from the link on the login page of the DS8000
Storage Management GUI.
3.
Log in to the DS Service GUI by using the service administrator account and
change the password for that account.
The service administrator account is pre-configured with user ID (
customer
)
and password (
cust0mer
).
4.
Determine how you want IBM Hardware Support to access your storage
system and set remote service access controls accordingly.
Before installation of the storage system, your IBM service representative
consults with you about the types of remote service access available. IBM
recommends Assist On-site (AOS) as a secure remote service method. AOS
provides a mechanism to establish a secure network connection to IBM over the
internet with SSL encryption. It can be configured so that the service
administrator must approve remote service access and can monitor remote
service activity.
Planning for NIST SP 800-131A security conformance
The National Institute of Standards and Technology (NIST) SP 800-131A is a United
States standard that provides guidance for protecting data by using cryptographic
algorithms that have key strengths of 112 bits.
NIST SP 800-131A defines which cryptographic algorithms are valid and which
cryptographic algorithm parameter values are required to achieve a specific
security strength in a specific time period. Starting in 2014, a minimum security
strength of 112 bits is required when new data is processed or created. Existing
data processed with a security strength of 80 bits should remain secure until
around 2031, subject to additional NIST standards with guidelines for managing
secure data.
In general, storage systems allow the use of 112-bit security strengths if the other
unit that is attached to the network connection supports 112-bit security strength. If
security levels are set to conform with NIST SP 800-131A guidelines, the DS8880
storage system requires 112-bit security strength on all SSL/TLS connections, other
than remote support network connections.
On network connections that use SSL/TLS protocols, 112-bit security has the
following requirements:
v
The client and server must negotiate the use of TLS 1.2.
186
DS8880 Introduction and Planning Guide
Summary of Contents for DS8880 Series
Page 1: ...IBM DS8880 Version 8 Release 5 Introduction and Planning Guide GC27 8525 16 IBM...
Page 12: ...xii DS8880 Introduction and Planning Guide...
Page 52: ...40 DS8880 Introduction and Planning Guide...
Page 68: ...56 DS8880 Introduction and Planning Guide...
Page 138: ...126 DS8880 Introduction and Planning Guide...
Page 184: ...172 DS8880 Introduction and Planning Guide...
Page 190: ...178 DS8880 Introduction and Planning Guide...
Page 194: ...182 DS8880 Introduction and Planning Guide...
Page 200: ...188 DS8880 Introduction and Planning Guide...
Page 206: ...194 DS8880 Introduction and Planning Guide...
Page 208: ...196 DS8880 Introduction and Planning Guide...
Page 216: ...204 DS8880 Introduction and Planning Guide...
Page 220: ...208 DS8880 Introduction and Planning Guide...
Page 222: ...210 DS8880 Introduction and Planning Guide...
Page 243: ......
Page 244: ...IBM Printed in USA GC27 8525 16...