share in pittsburgh – session 15591 pittsburgh...hmc data replication (cont.) configuration task...
TRANSCRIPT
© 2014 IBM Corporation
SHARE in Pittsburgh – Session 15591 Top 10 Things You Should Be Doing On Your HMC But You're NOT
You Probably AreTuesday, August 5th 2014
Jason StapelsHMC Development
2 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
Agenda
● Setting up HMC for Remote Use● Securing User IDs● Create Custom Users and Roles● Custom Authentication Settings● Communicating with other Users● Using HMC Data Replication● HMC Certificate Management● Monitor System Events● Absolute Capping● Custom Groups
3 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
Setting up the HMC for Remote Use
4 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
Setting up HMC for Remote Use
● Enables access from anywhere on the Local Area Network● Work with your Network Administrator to allow port 443 (HTTPS) and
optionally port 9960 (Applets)
● Could also allow remote access using an existing business VPN
● Allows the HMC to be physically secured● Lock it in a restricted area and ask people to login remotely
● Multiple users can access the HMC at the same time● HMC is design to handle concurrent users
● Read “IBM System z HMC Security” technical note for more details● https://www.ibm.com/servers/resourcelink/lib03011.nsf/pages/zHmcSecurity/$file/zHMCSecurity.pdf
5 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
Setting up HMC for Remote Use (cont.)
● Enable locally through the Customize Console Services task
6 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
Setting up HMC for Remote Use (cont.)
● Then, enable specific users for remote access● Use the ACSADMIN user if you don't have one already
● Use the User Profiles task● Select the profile and then select Modify from the menu
7 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
Setting up HMC for Remote Use (cont.)
● Click the User Properties... button
8 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
Setting up HMC for Remote Use (cont.)
● Then check the Allow remote access via web checkbox
9 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
Setting up HMC for Remote Use (cont.)
● Or through the Manage Users Wizard
10 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
Securing User IDs
11 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
Securing User IDs
● Best Practices● Do not share HMC user IDs among multiple people
● Make sure each user ID is permitted access only to the tasks and managed resources needed to perform job responsibilities (see slides)
● Define password rules that adhere to the guidelines for the customer enterprise and make sure each user ID is configured to use these password rules (see slides)
● Use data replication to ensure that User Profile information (user Ids, roles, password rules, etc) are automatically synchronized among all HMCs installed in the enterprise (see slides)
● Disable the default user IDs● Even better DELETE them
● At a minimum change the default passwords for these accounts
12 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
Securing User Ids (cont.)
● Use the User Profiles task to modify existing profiles● Check the Disable user field
Or just deletethe user
13 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
Create Custom Users and Roles
14 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
Create Custom Users and Roles
● Creating a custom user profile for each person that uses the HMC allows for the following benefits:
● Specific access to the required objects for each user
● Specific access to the required tasks for each user
● More granularity in the audit logs, know exactly which person performed specific actions
● No more sharing of user credentials and passwords
● Each user will have a unique saved sessions on disconnects
15 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
Create Custom Users and Roles (cont.)
● User management tasks● User Profiles
● Customize User Controls
● Password Profiles
● User Settings
● Manage Users Wizard● Incorporates user management tasks in a guided step-by-step process
16 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
Create Custom Users and Roles (cont.)
● A guided step-by-step process● Incorporates User Options, Roles, Controls, Authentication, and More
17 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
Create Custom Users and Roles (cont.)
● Limit access to specific objects● Create a custom role with specific objects a user should have access to
Select and existingrole to filter
Available Objects
Next, select the objectthe role should have
access to and press theAdd button
18 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
Create Custom Users and Roles (cont.)
● Limit access to specific tasks● Create a task role with specific tasks a user should have access to
Select and existingrole to filter
Available Tasks
Next, select the taskthe role should have
access to and press theAdd button
19 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
Create Custom Users and Roles (cont.)
● Assign custom roles to user profiles● The user profile will be limited to the specific objects and tasks
Select the custom resourceand task roles the usershould have access to
Select the custom resourceand task roles the usershould have access to
20 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
Custom Authentication Settings
21 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
Custom Authentication Settings
● Users can be configured for either local authentication or LDAP ● Local Authentication
● Governed by Password Profiles
● Allows HMC users to meet corporate password rules
● Lightweight Directory Access Protocol (LDAP)● Provided by many enterprise directory servers
● IBM Security Directory Server
● Microsoft Active Directory
● Apple Workgroup Manager
● Allows HMC users to hook into existing corporate authentication
● Single password across all HMCs and corporate network
22 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
Custom Authentication Settings (cont.)
● Use the Password Profiles task
23 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
Custom Authentication Settings (cont.)
● Custom password rules are defined through various profiles that are managed through the Password Profiles task
24 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
Custom Authentication Settings (cont.)
● LDAP servers are configured through the Manage Enterprise Directory Server Definitions task
25 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
Custom Authentication Settings (cont.)
● Specify host name and other connection properties
● Enter a distinguished name (DN) pattern to match (as shown)
● Or search a directory entry on a DN tree through a property filter
26 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
Custom Authentication Settings (cont.)
● Configure the authentication type to the User Profile
Set AuthenticationType Set Password ProfileOr LDAP Server
27 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
Communicating with Other Users
28 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
Communicating With Other Users
● Console Messenger task allows sending broadcast messages or start one-on-one chat sessions with other users
● Must be enabled on the console and for the user
29 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
Console Messenger
All HMCs with console messenger enabled and with the same security domain are listed.
30 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
Users and Tasks
● Can also be initiated fromthe User and Tasks task
31 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
Two-Way Communication
Instant Status
32 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
HMC Data Replication
33 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
HMC Data Replication
● An HMC task and underlying communication framework● Allows the exchange of configuration data between linked
machines:
● A convenient way to keep multiple HMC synchronized● Can be disabled to prevent this exchange● Exchanges of data (inbound and outbound) are logged
● Acceptable Status Settings● Associated Activation Profiles● Customer Information Data● Group Data
● Monitor System Events Data● Object Locking Data● Outbound Connectivity Data● User Profile Data
34 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
HMC Data Replication (cont.)
● Enabled via Configure Data Replication task● Occurs from the slave machine● Master must be runnable/reachable● Master need not be enabled for exchange
35 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
HMC Data Replication (cont.)
● Configuration task allows you to● Search for/select masters
● Select which data types to replicate
● Establish 'local' modification warnings● Warns task user, on the slave, that their changes may interfere with data that is
being replicated
● It may cause a data item to become 'ahead' of the master
36 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
HMC Data Replication (cont.)
MasterName
Requested DataTypes From The
Master
Warn Users WhenThey Change SelectedData on Local Machine
Used to Force UpdatesIf Slave Gets 'Ahead'
Of Master
37 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
HMC Data Replication (cont.)
Typical Master/Slave
Master HMC
Slave HMCSlave HMC Slave HMC
38 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
HMC Data Replication (cont.)
Redundant Masters
Master HMC
Slave HMCSlave HMC Slave HMC
Master HMC
Changes made on either master:● Propagate to all slaves● And the peer master
39 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
HMC Data Replication (cont.)
Redundant Masters (Outage)
Master HMC
Slave HMCSlave HMC Slave HMC
DOWN
40 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
HMC Certificate Management
41 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
HMC Certificate Management
● Self-signed certificate created at the time of HMC installation● Not used until remote communications enabled
● Recommend replacing the self-signed certificate with one signed by a Certificate Authority (CA)
● If the remote users using a network which potentially isn't secure
● If the self-signed certificate is not replaced and a user adds the certificate as an exception, there is a risk of the HMC being “spoofed” and capturing HMC credentials
● If your company does not have its own CA, you can purchase a certificate from a commercial CA that is already in your browser
● Check your browser for a list of CA certificates already installed and trusted
42 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
HMC Certificate Management (cont.)
● Use the New Certificate action in the Certificate Management task to change the current certificate
43 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
HMC Certificate Management (cont.)
● Select Signed by a Certificate Authority
44 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
HMC Certificate Management (cont.)
● Fill in the specifics for the HMC (e.g. your organization and company)
● The IP address (v4 and/or v6) and the TCP/IP host name of the HMC is included automatically in the certificate
● You will be guided to write the Certificate Signing Request (CSR) to the USB Flash Drive (UFD)
45 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
HMC Certificate Management (cont.)
● After generating a new certificate using the CSR, use Import Server Certificate to load the new certificate
● Load the new certificate using removable media ● The new certificate will now be used for new HMC connections
46 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
Monitor System Events
47 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
Monitor System Events
● Allows you to receive an email when a particular event happens for objects that you're interested in
● Supported event types● State Changes
● Hardware Message
● Operating System Messages
● Security Log
● Performance Index
● Availability Status
● Uses an SMTP server to send out email● It's recommended that you use a private SMTP server designated just for the
HMCs use
48 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
Monitor System Events (cont.)
● Launch Monitor System Events task● Configure SMTP settings
49 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
Monitor System Events (cont.)
● Manage existing monitors or click the Add button to create a new monitor
50 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
Monitor System Events (cont.)
● Enter in a name for the monitor● Choose the event type● Select event targets
and details● Limit to a particular
schedule● Enter in one or more
email addresses to benotified when the monitoris triggered
51 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
Monitor System Events (cont.)
● Email contains events summary since last email
52 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
Absolute Capping
53 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
Absolute Capping
● Introduced to ensure software licensing Terms and Conditions related to capacity are always met (ie. Software Pricing)
● A method to define an absolute cap for a given partition● If specified, always works independently of any other capping
● Defines an absolute number of processors to cap the partition's activity to
● Specified to hundredths of a processor (eg. 4.56 processors) worth of capacity
● Value not tied to the LICCC processors maximum● A value from 0.01 to 255 valid
● Activation profiles more portable as you migrate to higher machine capacity or newer systems
● If you specify a value above current machine maximum or number of processors defined for an LPAR (Image), absolute capping will be ignored but other capping means will still be honored
54 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
Absolute Capping (cont.)
● Support added for:● Activation Profiles
● Customize Activation Profiles● Classic editor
● Profile wizard
● Change LPAR Controls Task
● Change LPAR Weights Scheduled Operation
● APIs● SNMP APIs
● CIMMOM APIs
● WebServices APIs
55 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
Absolute Capping (cont.)
● Existing ways to cap the utilization of a partition● Dedicated processors
● Active manipulation of LPAR weights (i.e. WLM)
● capping via LPAR weights
● Limit number of shared logical processors to physical capping requirement (may actually cause LPAR to have under-defined logical processors as compared to the partition's weight)
56 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
Absolute Capping (cont.)
● Potential drawbacks with methods mentioned● Dedicated processors
● Not very granular, may want to cap less than one processor's worth of capacity
● May not be possible if there aren't enough engines
● Loses processor utilization efficiency of non dedicated processors
● Existing non dedicated processor capping is based off of the weight of all active partitions
● Customers may fail to compute the capacity correctly
● Configuration change (processors add) may lead to more capacity being allocated than desired
● If partitions are deactivated, other active partitions capping increases● If only one shared active partition left, result => no capping (100 % of shared pool)
57 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
Absolute Capping (cont.)
May be combined withtraditional capping orWLM, but not both
58 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
Absolute Capping (cont.)
Click on link to makeChanges to the Absolute
Capping setting
59 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
Custom Groups
60 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
Custom Groups
● A custom group is a set of objects that have been grouped based on a specific set of criteria:
● Group based on a name pattern
● Group based on an object type
● Group based on a specific selection of objects
● A convenient way to work with only the objects that you care about● Set your group up based on a location or a environment type● Easily run tasks against the custom group
61 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
Custom Groups
● Quickly access from the Tree Navigation pane
● Use the Grouping task to configure
Accessed from theDaily Tasks
62 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
Custom Groups (cont.)
● Creating a new custom group based on name filters● Be sure to use the FULL object name
Use the Object's FullName When CreatingA Resource Pattern
63 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
Custom Groups (cont.)
● Or create a group from a selection of objects
Select Objects ThenLaunch Grouping Task
From Daily Actions
64 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
Japanese
Thank YouEnglish
MerciFrench
Russian
DankeGerman
GrazieItalian
GraciasSpanish
ObrigadoPortuguese
Arabic
Simplified Chinese
Traditional Chinese
Hindi
Tamil
Thai
Korean
KiitosFinnish
Dank U wel Dutch
TakkNorwegian
Swedish
Tack
65 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
Q&A
66 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
SHARE in Pittsburgh – Session 15591
67 © 2014 IBM Corporation
IBM® System z Hardware Management Console (HMC) 2.12.1
SHARE in Pittsburgh – Session 15591
Please see http://www.ibm.com/legal/copytrade.shtml for copyright and trademark information.
The following are trademarks of the International Business Machines Corporation in the United States and/or other countries.
The following are trademarks or registered trademarks of other companies.
* Registered trademarks of IBM Corporation
* All other products may be trademarks or registered trademarks of their respective companies.
Java and all Java-related trademarks and logos are trademarks of Sun Microsystems, Inc., in the United States and other countries
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corporation.
Red Hat, the Red Hat "Shadow Man" logo, and all Red Hat-based trademarks and logos are trademarks or registered trademarks of Red Hat, Inc., in the United States and other countries.
SET and Secure Electronic Transaction are trademarks owned by SET Secure Electronic Transaction LLC.
Notes: Performance is in Internal Throughput Rate (ITR) ratio based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput that any user will experience will vary depending upon considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve throughput improvements equivalent to the performance ratios stated here. IBM hardware products are manufactured from new parts, or new and serviceable used parts. Regardless, our warranty terms apply.All customer examples cited or described in this presentation are presented as illustrations of the manner in which some customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics will vary depending on individual customer configurations and conditions.This publication was produced in the United States. IBM may not offer the products, services or features discussed in this document in other countries, and the information may be subject to change without notice. Consult your local IBM business contact for information on the product or services available in your area.All statements regarding IBM's future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.Information about non-IBM products is obtained from the manufacturers of those products or their published announcements. IBM has not tested those products and cannot confirm the performance, compatibility, or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.Prices subject to change without notice. Contact your IBM representative or Business Partner for the most current pricing in your geography.
APPN*CICS*DB2*DB2 Connecte-business logo*Enterprise Storage Server*ESCON*FICONFICON ExpressGDPS*Geographically Dispersed Parallel SysplexHiperSocketsHyperSwapIBMIBM eServerIBM ^*
IBM logo*IMSInfoprint*Language Environment*MQSeries*Multiprise*NetView*On demand business logoOS/2*OS/390*Parallel Sysplex*POWERPR/SMProcessor Resource/Systems ManagerpSeries*RACF*
Resource LinkRMFS/390*S/390 Parallel Enterprise ServerSysplex Timer*TotalStorage*VM/ESA*VSE/ESAVTAM*WebSphere*z/Architecturez/OS*z/VM*zSeries*zSeries Entry License Charge