Managing secure service accounts
Follow these recommended practices to manage access to your service account in
the DS Service GUI and remote access by IBM Hardware Support.
Procedure
Complete the following steps to achieve the level of secure access that is required
for service accounts on your storage system.
1. Assign one or more service administrators to manage service on your storage
   system.
2. Access the DS Service GUI from a web browser on a system that has network
   access to the Hardware Management Console (HMC) at https://HMC_IP/service,
   where HMC_IP is the IP address or host name of the HMC. You can also access
   the DS Service GUI from the link on the login page of the DS8000 Storage
   Management GUI.
3. Log in to the DS Service GUI by using the service administrator account and
   change the password for that account.
   The service administrator account is pre-configured with user ID (customer)
   and password (cust0mer).
4. Determine how you want IBM Hardware Support to access your storage
   system and set remote service access controls accordingly.
   Before installation of the storage system, your IBM service representative
   consults with you about the types of remote service access available. IBM
   recommends Assist On-site (AOS) as a secure remote service method. AOS
   provides a mechanism to establish a secure network connection to IBM over the
   internet with SSL encryption. It can be configured so that the service
   administrator must approve remote service access and can monitor remote
   service activity.
Planning for NIST SP 800-131A security conformance
The National Institute of Standards and Technology (NIST) SP 800-131A is a United
States standard that provides guidance for protecting data by using cryptographic
algorithms that have key strengths of 112 bits.
NIST SP 800-131A defines which cryptographic algorithms are valid and which
cryptographic algorithm parameter values are required to achieve a specific
security strength in a specific time period. Starting in 2014, a minimum security
strength of 112 bits is required when new data is processed or created. Existing
data processed with a security strength of 80 bits should remain secure until
around 2031, subject to additional NIST standards with guidelines for managing
secure data.
In general, storage systems allow the use of 112-bit security strengths if the other
unit that is attached to the network connection supports 112-bit security strength. If
security levels are set to conform with NIST SP 800-131A guidelines, the DS8880
storage system requires 112-bit security strength on all SSL/TLS connections, other
than remote support network connections.
On network connections that use SSL/TLS protocols, 112-bit security has the
following requirements:
- The client and server must negotiate the use of TLS 1.2.
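The following client-side check is an added example, not code from IBM or from this guide. It pins a Python client to TLS 1.2 and compares the negotiated cipher against the 112-bit minimum stated above. The function names, the sample sessions, and the CA file name hmc-ca.pem are assumptions made for illustration.

```python
import socket
import ssl

MIN_STRENGTH_BITS = 112        # minimum security strength stated in this section
REQUIRED_PROTOCOL = "TLSv1.2"  # protocol this section says must be negotiated


def tls12_only_context(cafile=None):
    """Client context pinned to TLS 1.2, with certificate verification left on."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe(host, port=443, cafile=None, timeout=5.0):
    """Handshake with host:port; return (protocol, cipher_name, secret_bits)."""
    ctx = tls12_only_context(cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _proto, bits = tls.cipher()
            return tls.version(), name, bits


def assess(protocol, cipher_name, secret_bits):
    """Return a list of findings; an empty list means the session conforms."""
    findings = []
    if protocol != REQUIRED_PROTOCOL:
        findings.append(f"negotiated {protocol}, expected {REQUIRED_PROTOCOL}")
    if secret_bits < MIN_STRENGTH_BITS:
        findings.append(
            f"{cipher_name} gives {secret_bits}-bit strength, "
            f"below {MIN_STRENGTH_BITS}"
        )
    return findings


# Constructed sample sessions (not captured from a real system).
SAMPLES = [
    ("TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384", 256),
    ("TLSv1", "AES128-SHA", 128),
    ("TLSv1.2", "DES-CBC-SHA", 56),
]

if __name__ == "__main__":
    for session in SAMPLES:
        print(session, "->", assess(*session) or "conforms")
    # Live check (hypothetical CA file name):
    #   print(assess(*probe("HMC_IP", cafile="hmc-ca.pem")))
```

The secret_bits value describes only the negotiated symmetric cipher; certificate key sizes and signature hashes have to be checked separately.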
DS8882F Introduction and Planning Guide
Page 164: ...IBM Printed in USA GC27 9259 00...