Chapter 16. IBM Remote Support Manager for Storage
501
Draft Document for Review March 28, 2011 12:24 pm
The person identified as the primary contact for the RSM for Storage system is notified by
e-mail whenever a change in the remote access settings occurs, and all state changes are
also written to the security log.
The user ID reserved for remote access (rservice) is only valid when Remote Access is
enabled. Attempts to log in using the root, admin, or lservice user IDs are rejected.
The initial login password is changed daily at midnight UTC. IBM Service has an internal
tool that provides the current password for RSM for Storage systems.
After validation of the initial login password, remote users are presented with a challenge
string, which also requires access to an internal IBM tool in order to obtain the correct
response. The response also includes an IBM employee user name that is recorded in the
RSM for Storage security log.
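The remote login flow above combines three controls: a login that is only accepted for the rservice ID while Remote Access is enabled, a password that is valid for one UTC day only, and a challenge whose response binds an IBM employee name that ends up in the security log. The following is an added model of those properties written for this page; it is not IBM's internal tool or algorithm (which the text does not publish). The HMAC-based derivation of the daily password and of the challenge response, the shared secret, the employee name and the log line format are all assumptions made for the example.

```python
"""Illustrative model of the rservice remote login flow.

Added example only: not IBM's code. The daily password and the challenge
response are derived here with HMAC-SHA256 over a constructed shared secret;
the real RSM/IBM tool may work differently. What the model preserves is the
behaviour the text describes: rservice only, Remote Access must be enabled,
password changes at midnight UTC, response carries an employee name that is
written to the security log, and a challenge is usable once.
"""
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timezone
from typing import List, Optional

# Constructed secret shared by the RSM host and the (modelled) IBM tool.
SHARED_SECRET = b"example-only-not-a-real-rsm-secret"


def daily_password(secret: bytes, now: datetime) -> str:
    """Password for the UTC day containing `now`; it changes at 00:00 UTC."""
    day = now.astimezone(timezone.utc).strftime("%Y-%m-%d")
    digest = hmac.new(secret, day.encode(), hashlib.sha256).digest()
    return base64.b32encode(digest[:10]).decode()   # 80 bits -> 16 chars, no padding


def expected_tag(secret: bytes, challenge: str, employee: str) -> str:
    """Tag that proves the responder holds the secret and names the employee."""
    msg = f"{challenge}|{employee}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


def ibm_tool_response(secret: bytes, challenge: str, employee: str) -> str:
    """What the (modelled) internal IBM tool hands the engineer for a challenge."""
    return f"{employee}:{expected_tag(secret, challenge, employee)}"


class RsmRemoteLogin:
    def __init__(self, secret: bytes, remote_access_enabled: bool):
        self.secret = secret
        self.remote_access_enabled = remote_access_enabled
        self.security_log: List[str] = []
        self._pending_challenge: Optional[str] = None

    def _log(self, now: datetime, msg: str) -> None:
        self.security_log.append(f"{now.isoformat()} {msg}")

    def step1_password(self, user: str, password: str, now: datetime) -> Optional[str]:
        """Validate the daily password; return a fresh challenge or None on rejection."""
        if user != "rservice":
            self._log(now, f"rejected remote login for {user}: only rservice may log in remotely")
            return None
        if not self.remote_access_enabled:
            self._log(now, "rejected rservice login: Remote Access is disabled")
            return None
        if not hmac.compare_digest(password, daily_password(self.secret, now)):
            self._log(now, "rejected rservice login: bad daily password")
            return None
        self._pending_challenge = secrets.token_hex(8)   # fresh per login attempt
        return self._pending_challenge

    def step2_response(self, response: str, now: datetime) -> bool:
        """Check '<employee>:<tag>' against the pending challenge; log the employee."""
        if self._pending_challenge is None or ":" not in response:
            return False
        employee, tag = response.split(":", 1)
        expected = expected_tag(self.secret, self._pending_challenge, employee)
        self._pending_challenge = None   # a challenge is usable exactly once
        ok = hmac.compare_digest(tag, expected)
        self._log(now, f"rservice challenge {'accepted' if ok else 'rejected'} employee={employee}")
        return ok
```

The employee name is not trusted on its own: it is authenticated because the tag covers both the challenge and the name under the secret that only the IBM-side tool holds, and the name is logged whether or not the response verifies, so a failed attempt still leaves a record.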
User ID
During installation, the RSM software creates three user IDs:
admin: This is the administrative user that can perform management and configuration
tasks.
lservice: This is the local service user intended for use by IBM Service when on site. This
user ID has restrictions regarding the directories it can access. This is to prevent any
configuration change that might affect the security of the system.
rservice: This is the remote service (IBM Service) user that is used exclusively for remote
access to the system and only valid when Remote Access is enabled. This user ID also
does not have the ability to change any of the RSM security features.
Passwords for the user IDs admin and lservice for the RSM for Storage browser user interface
can be changed by the Linux root user using the command rsm-passwd admin or
rsm-passwd lservice. We suggest setting a different password for each user ID.
For the remote user (rservice), the password is automatically generated by RSM and it is
changed daily at midnight UTC. IBM Service has an internal tool that provides the current
password, so you do not need to provide the current RSM password to IBM Service.
The Switch User (su) command is disabled to prevent a normal user from attempting to
become "root" and have unrestricted access to the system. The RSM for Storage software
makes other changes in program and directory permissions to limit what programs and files
these users can access.
Internal firewall
RSM for Storage includes an internal firewall to limit the scope of access that users of the
RSM system, in particular the remote user, have to your network; without it, a remote user
would have unrestricted access to your network. The RSM software configures this firewall
automatically, as shown in Figure 16-6 on page 502. When no alerts are active, the firewall
only allows incoming SNMP traps and outbound SMTP e-mail. When an alert occurs, a rule is
automatically added to the firewall to allow access to the configured controllers for the
storage subsystem reporting the problem. There may be times when you want to allow IBM
Service to access a device to troubleshoot a problem (such as a performance issue) for a
subsystem that is not reporting a failure. You can manually enable "service access" for any
configured storage subsystem. Service Access settings have a configurable timeout of 12 to
96 hours, after which the firewall rules for that access are removed.
Note: Because RSM relies on the disabled su command and the restricted program and
directory permissions described above to contain its users, do not create additional users
on this system.
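The firewall behaviour described above is a default-deny policy with two kinds of temporary exceptions: alert-driven rules that exist while the alert is open, and manually enabled service-access rules that expire after a 12 to 96 hour timeout. The following added model (written for this page, not IBM's firewall code or its iptables rule set) shows how those rules are evaluated against a connection attempt and removed on expiry. The subsystem name, controller addresses, rule table and the use of port 162 for SNMP traps and port 25 for SMTP are assumptions for the example.

```python
"""Model of the RSM for Storage internal-firewall policy.

Added example only: not IBM's implementation. It reproduces the behaviour the
text describes: nothing is allowed by default except inbound SNMP traps and
outbound SMTP; an alert opens access to the affected subsystem's controllers
until the alert is closed; "service access" opens the same access for a
timeout that must lie between 12 and 96 hours and is removed when it lapses.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

SNMP_TRAP_PORT = 162          # inbound traps from the managed subsystems (assumed standard port)
SMTP_PORT = 25                # outbound alert e-mail (assumed standard port)
MIN_SERVICE_HOURS = 12        # limits stated in the text
MAX_SERVICE_HOURS = 96


@dataclass
class AccessRule:
    subsystem: str
    controller_ips: Tuple[str, ...]
    reason: str                   # "alert" or "service access"
    expires: Optional[datetime]   # None: lives until the alert is closed


@dataclass
class RsmFirewall:
    # constructed inventory: subsystem name -> its controller management addresses
    subsystems: Dict[str, Tuple[str, ...]]
    rules: List[AccessRule] = field(default_factory=list)

    def _active_rules(self, now: datetime) -> List[AccessRule]:
        """Purge lapsed rules on every lookup so an expired rule can never match."""
        self.rules = [r for r in self.rules if r.expires is None or r.expires > now]
        return self.rules

    def on_alert(self, subsystem: str) -> AccessRule:
        """Alert received: open access to the reporting subsystem's controllers."""
        rule = AccessRule(subsystem, self.subsystems[subsystem], "alert", None)
        self.rules.append(rule)
        return rule

    def on_alert_closed(self, subsystem: str) -> None:
        """Alert closed: drop only the alert-driven rule, leave any service access in place."""
        self.rules = [r for r in self.rules
                      if not (r.subsystem == subsystem and r.reason == "alert")]

    def enable_service_access(self, subsystem: str, hours: int, now: datetime) -> AccessRule:
        """Operator-enabled access for a subsystem that is not reporting a failure."""
        if not MIN_SERVICE_HOURS <= hours <= MAX_SERVICE_HOURS:
            raise ValueError(
                f"service access timeout must be {MIN_SERVICE_HOURS}-{MAX_SERVICE_HOURS} hours")
        rule = AccessRule(subsystem, self.subsystems[subsystem], "service access",
                          now + timedelta(hours=hours))
        self.rules.append(rule)
        return rule

    def allows(self, direction: str, peer_ip: str, port: int, now: datetime) -> bool:
        """Default-deny decision for one connection ('in' or 'out') at time `now`."""
        if direction == "in":
            return port == SNMP_TRAP_PORT            # only traps come in
        if direction == "out":
            if port == SMTP_PORT:
                return True                          # alert e-mail always allowed out
            return any(peer_ip in r.controller_ips for r in self._active_rules(now))
        return False

    def open_targets(self, now: datetime) -> List[str]:
        """Addresses currently reachable from the RSM host, for review or audit."""
        return sorted({ip for r in self._active_rules(now) for ip in r.controller_ips})
```

A practical check the model makes explicit: an alert rule has no timeout, so an alert that is never closed keeps the path open indefinitely, while a service-access rule always lapses on its own. Reviewing what open_targets() returns against the list of subsystems with open alerts is the kind of check an operator would run when auditing the RSM host.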