IBM Data Retention Infrastructure (DRI)

System Connectivity and Security

IBM Data Retention Infrastructure (DRI) - System Connectivity and Security Version 3.21

© International Business Machines Corporation 2020

Stefan Lehmann [email protected] Tucson, Arizona


Table of Contents

1.0 Introduction
1.1 Current Device Support
1.2 Data Privacy
2.0 Connectivity
2.1 Outbound Connectivity
2.1.1 Call Home
2.1.2 Call Home via Electronic Customer Care (ECC)
2.1.3 ECuRep data offload
2.1.4 Blue Diamond data offload
2.1.5 DRI Call Home Database
2.1.6 Call Home Web
2.2 Remote Access Connectivity
2.2.1 Remote Access
2.2.2 Remote Access via Assist On-Site (AOS)
2.2.3 Remote Access via remote support center
3.0 Service Access Security
4.0 Machine specific information
4.1 TS3000 System Console (TSSC)
4.2 TS7700 virtual tape systems
4.3 TS4500 Tape Library
5.0 System functions
5.1 LDAP via Secure Authentication Service (SAS)
5.2 Direct LDAP using Microsoft Active Directory
5.3 RACF support with direct LDAP
5.4 System Managed Encryption
5.5 SNMP Audit Logging
5.6 RSYSLOG Audit Logging
Appendix A: TS7700 remote access via AOS
Appendix B: Legacy ECC
Appendix C: Remote Support Network Tables
Appendix D: Legacy Device Support
D.1 TS7600 ProtecTIER
D.2 TS3500 Tape Library
D.3 3592-C07 Control Unit
References
Trademarks


Changes

• Version 3.00 (09/19/2017)
  o Changed Font to IBM Plex
  o Change “remote support” to “remote access” for AOS and remote support center
  o Added SFTP option for ECuRep data offload
  o Certain remote support center server discontinued
  o Added Appendix F to summarize Remote Support network requirements

• Version 3.01 (10/06/2017)
  o Replace System z with IBM Z

• Version 3.02 (11/11/2017)
  o Added additional remote support center server
  o Added remote support center port 443 information
  o Fixed problem where PDF was no longer searchable

• Version 3.03 (05/07/2018)
  o Added ECuRep sftp server hostname
  o Added Blue Diamond data offload
  o Added AOTM support via port 443

• Version 3.10 (04/05/2019)
  o Added note for port 443 support for TSSC AOTM interface
  o Replaced TSSC “Grid” references with “AOTM” where appropriate
  o Replaced “Dial-Out” with “Call Home” and “Dial-In” with “Remote Access”
  o Corrected ECuRep upload server information
  o Removed Modem references (discontinued)
  o Removed AOS 3.3 references (discontinued)
  o Removed Appendix A: Direct attached Modem and WTI switch
  o Removed Appendix B: Legacy Support
  o Removed pre-V3.00 version history and added dates
  o Minor cleanup throughout the document

• Version 3.20 (05/20/2020)
  o Added Data Privacy statement
  o Added GDPR and HIPAA references
  o Added ECuRep and CSP references
  o Added TSSC vs IMC clarification
  o Updated ECuRep data offload server information
  o Added Rsyslog port 415 for TSSC and TS7700 and Rsyslog audit logging
  o Removed TSSC code dependencies prior to v8.5 (recommended level for ~2 years)
  o Added recommended code level references
  o Added SKLM TLS port 441 and KMIP TLS port 5696 for TS7700
  o Added Appendix D: Legacy Device Support
  o Moved TS7600 ProtecTIER to Appendix D
  o Moved Tape Controller 3592 Model C07 to Appendix D
  o Moved TS3500 to Appendix D
  o Minor cleanup throughout the document


• Version 3.21 (06/02/2020)
  o Corrected KMIP port reference in change history to 5696


1.0 Introduction

This document describes security aspects when deploying IBM Data Retention Infrastructure (DRI) storage systems into a client’s environment. The primary focus is on system Call Home as well as Remote Access capability. Additionally, it covers security aspects when connecting DRI storage systems to a client’s network infrastructure, such as access to the storage system’s web user interface (GUI) or notification methods such as SNMP traps and Rsyslog.

This document also describes the data that is exchanged between DRI storage systems and the IBM Service Delivery Center (SDC) and the methods and protocols for this exchange.

The DRI storage systems utilize external interfaces that are not directly associated with the data paths. Rather, these interfaces are associated with system control, service, and status information. These interfaces support client interaction and/or feedback as well as attachment to the IBM remote support infrastructure for product service and support. This document describes these interfaces and discusses related security considerations. The two main methods of data exchange for the purpose of remote support are Call Home and Remote Access connectivity.

1.1 Current Device Support

This document covers IBM security considerations associated with external interfaces for the following IBM products:

• IBM TS7700 virtualization engine
• IBM TS4500 Tape Library

These systems are hereafter collectively called “Attached Systems”.

• IBM TS3000 System Console (TSSC)

1.2 Data Privacy

We intend to protect your personal information and to maintain its integrity. IBM implements reasonable physical, administrative and technical safeguards to help us protect your personal information from unauthorized access, use and disclosure. For example, the products only provide IBM with data about the asset usage and configuration and do not reflect private use of the asset. When diagnostics are required to be sent to IBM, in the case of a problem submission, that data is routed directly to a secured infrastructure and only individuals with a need to know are given access while working to resolve your problem. When appropriate, we also require that our suppliers protect such information from unauthorized access, use and disclosure. Please visit the IBM Privacy Policy for additional information on this topic: https://www.ibm.com/privacy/details/us/en/


2.0 Connectivity

Attached Systems use various methods to communicate back to IBM to accommodate different client environments. This section outlines the different ways in which Attached Systems can be configured to communicate with IBM.

Figure 1 – Remote Support Diagram (TSSC/IMC Remote Support Diagram)

TSSC (TS3000 System Console) and IMC (Integrated Management Console) are different names for the same hardware and functional code, differing only in mechanical packaging. The TSSC is used for products such as the TS7700 and is provided via Feature Code as a 1U tray, whereas the TS4500 integrates the IMC as the local user interface as part of the overall solution. Any call home (ECC), remote access (AOS, remote support center) and other functionality can be utilized identically with either system.


2.1 Outbound Connectivity

Each Attached System is configured by the SSR to define how the outbound connectivity back to IBM will occur. Each Attached System uses its ability to connect to IBM for various situations including reporting problems, downloading system fixes, reporting inventory, and transmitting error-specific data. The types of data the Attached System sends to IBM are covered in more detail in the system-specific sections.

The Call Home feature sends service-related machine information from the Attached Systems to the Enhanced Customer Data Repository (ECuRep) and opens a problem ticket in the IBM Remote Technical Assistance Information Network (ReTAIN®) or, where applicable, a case in the Cognitive Support Platform (CSP). Call Home uses a secure broadband connection. DRI storage systems require the use of TSSC or IMC for remote support.

Call Home security properties for the Attached Systems are as follows:

1. Call Home is originated from the client location to the IBM connection point. The IBM service support systems (ReTAIN or CSP) do not initiate connections to the Attached Systems.
2. The data exchanged between the Attached Systems and ReTAIN or CSP is service-related data only.
3. On the first data exchange of each transmission, ReTAIN or CSP validate that the calling system is under warranty or entitled to service due to a maintenance agreement. If not, it will disconnect.

The Attached System will only provide service-related trace, log, configuration and dump files which contain information specific to machine functionality. No user data or content is included in the call home information. All data sent via Call Home or through manual data upload is stored in ECuRep and is exclusively accessible through this repository.

General Data Protection Regulation (GDPR) related Changes to ECuRep and Testcase FTP File Uploads: https://www.ibm.com/support/pages/gdpr-related-changes-ecurep-and-testcase-ftp-file-uploads

Enhanced Customer Data Repository (ECuRep) - Terms of use: https://www.ibm.com/support/pages/node/739407

To address the unique concerns of the Health Insurance Portability and Accountability Act (HIPAA), clients may sign up for Blue Diamond, in which case all data will be moved from ECuRep into Blue Diamond: https://msciftpgw.im-ies.ibm.com/EFTClient/Account/Login.htm


2.1.1 Call Home

Call Home is the process where the Attached System sends data files to IBM that provide helpful information to Service (SSR), Support Center and Development personnel. These data files are stored in ECuRep, where they are processed by the IBM DRI Call Home Database, which is used for data analysis and data mining. Call Home can be enabled or disabled by service tools or menu selections. Call Home primarily provides two different, but related, capabilities:

• Heartbeat Call Home
  o Sends system status (machine configuration & wellness check) on a periodic basis.
  o Ensures proper connectivity for potential problem call home events. The Call Home Database can send email notifications to registered IBM support personnel if a scheduled heartbeat call home does not occur.
  o Default setting is heartbeat call home every 7 days, while the recommendation is to use daily heartbeat. The time interval can be modified anywhere between 1 and 14 days.

• Error initiated Call Home
  o Collects data at the time of an error. Critical for root cause analysis.
  o Sends detailed information to IBM. No user data or content is included in the call home information.
  o Provides IBM Service with information to proactively prepare an action plan to handle the problem prior to the on-site call.

2.1.2 Call Home via Electronic Customer Care (ECC)

Note: All communication is initiated outbound only, with no need to allow inbound connections.

Figure 2 – ECC Connection


Electronic Customer Care (ECC) provides a method to connect IBM storage systems with IBM remote support. The package provides support for broadband Call Home connection. All information sent back to IBM is Transport Layer Security (TLS) encrypted.

Electronic Customer Care (ECC) is a family of services, featuring problem reporting via opening a Problem Management Record (PMR) or CSP Case, sending of data files and downloading of fixes. The ECC client provides a coordinated end-to-end electronic service between IBM's business operations, its partners and clients to perform electronic serviceability activities such as problem reporting, inventory reporting and fix automation. This becomes increasingly important as clients are running heterogeneous, disparate environments and are seeking a means to simplify the complexities of those environments.

NIST compliant Call Home and Fix Acquisition using ECC Edge

Note: NIST (National Institute of Standards and Technology) - https://www.nist.gov/

ECC Edge simplifies the client implementation effort and increases network security. Once enabled, it requires a smaller number of ECC hosts for proper operation compared to the older legacy ECC implementation, thus reducing the administrative overhead for client network configuration. It is recommended that clients open 129.42.0.0/18 for convenience, plus the additional 170.225.15.41 for large data upload. All data traffic is encrypted using TLS v1.2 and only NIST compliant encryption ciphers will be used.

Hostname                IP Address       Port         Description
esupport.ibm.com        129.42.56.189    443, 80 1)   ECC Edge transaction gateway
esupport.ibm.com        129.42.60.189    443, 80 1)   ECC Edge transaction gateway
esupport.ibm.com        129.42.54.189    443, 80 1)   ECC Edge transaction gateway
www6.software.ibm.com   170.225.15.41    443          File upload proxy for status reporting and problem reporting (larger ~50MB)

Table 1 – ECC Edge Port Information
1) Fix Acquisition through port 80 or 443 as configured per client preference

Note: All communication is initiated outbound only, with no need to allow inbound connections.

Note: For Legacy ECC support refer to “Appendix B: Legacy ECC”.

The TSSC provides the ability to use ECC with a Proxy Server or Direct Connection. Direct Connection implies that there is no HTTP proxy between the configured TSSC and the outside network to IBM. Selecting this method requires no further setup other than possibly adjusting client firewall rules in order to allow the outbound HTTPS traffic to the selected ECC server.


ECC provides support for client provided HTTP proxy. A client may require all traffic to go through a proxy server. In this case, the TSSC connects directly to the client proxy server, which initiates all communications to the Internet.

Figure 3 – ECC Connection with Proxy Server

“Connect through HTTP Proxy” implies there is a client HTTP Proxy server which the client requires all call home traffic to go through. When selecting this option, enter the Proxy IP Address and Proxy Port. If necessary, enter any required proxy server username and password. The client should supply these values.

Figure 4 – TSSC Screenshot for HTTP Proxy Setting for ECC


Proxy Server requirements

• The Proxy must not terminate the connection between the ECC client running on the TSSC and the ECC server located at IBM.
  o During the SSL/TLS handshake the ECC server presents a certificate, which the ECC client must trust or the SSL/TLS handshake will fail.
  o For the ECC client to trust the certificate, the root certificate (signer of the server certificate) must exist in the ECC client trust store.
  o If the client proxy terminates the connection, then the client proxy is presenting a certificate, not the IBM ECC server, and this certificate would have to be trusted by the client, yet it is not, as the client’s root certificate does not exist in the ECC client trust store (i.e. DisableServerCertValidation).

Note: Current TSSC code provides the ability to import a client provided certificate into the TSSC trust store in order to overcome this prior dependency.

• Proxy configuration rules may need to be modified to prevent internal functions from intercepting SSL in order to perform policy inspection, as this may result in a failure to properly communicate between the ECC client and the ECC server (i.e. disable-SSL-interception).
• Similarly, it may be required to bypass SSL acceleration for all referenced *.ibm.com websites.
• NTLM authentication (NTLMSSP) is not supported. Any NTLM proxy must utilize basic authentication in order to work properly with the ECC client.

Note: Microsoft no longer recommends NTLM in applications: https://msdn.microsoft.com/en-us/library/cc236715.aspx
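The proxy requirements above can be checked from the client network before the SSR enables ECC. The following is an added example (not IBM or TSSC code) that performs the same outbound exchange the ECC client needs, an HTTP CONNECT through the proxy followed by a TLS handshake inside the tunnel, and reports whether the certificate presented at the far end validates against a standard trust store. If the proxy terminates TLS and re-signs with the client's own CA, verification fails exactly as it does for the ECC client; passing that CA file as extra_ca_file mirrors the TSSC option of importing a client certificate into its trust store. The proxy address and the optional CA file are assumed arguments; esupport.ibm.com:443 is taken from Table 1, and only Basic proxy authentication is offered because NTLM is not supported.

```python
"""Probe whether an HTTP proxy passes the TLS session to the ECC server through
untouched, or terminates it with its own certificate.

Added example, not IBM or TSSC code. The proxy host/port and the optional
client root CA file are assumed inputs; the ECC host and port come from
Table 1 of the document.
"""
import base64
import socket
import ssl
import sys

ECC_HOST = "esupport.ibm.com"   # ECC Edge transaction gateway, Table 1
ECC_PORT = 443


def build_connect_request(host, port, username=None, password=None):
    """Build the CONNECT request. Only Basic proxy authentication is offered,
    matching the document's statement that NTLM is not supported."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if username is not None:
        token = base64.b64encode(f"{username}:{password or ''}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_connect_status(response):
    """Return the HTTP status code from the proxy's reply, or None if the
    reply does not start with a valid status line."""
    status_line = response.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return None
    try:
        return int(parts[1])
    except ValueError:
        return None


def tunnel_through_proxy(proxy_host, proxy_port, host, port,
                         username=None, password=None, timeout=10):
    """Open a TCP tunnel to host:port via the proxy and return the raw socket."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    sock.sendall(build_connect_request(host, port, username, password))
    reply = b""
    while b"\r\n\r\n" not in reply:          # read until end of response headers
        chunk = sock.recv(4096)
        if not chunk:
            break
        reply += chunk
    status = parse_connect_status(reply)
    if status != 200:
        sock.close()
        raise RuntimeError(f"proxy refused CONNECT to {host}:{port}: status {status}")
    return sock


def check_ecc_path(proxy_host, proxy_port, extra_ca_file=None,
                   username=None, password=None):
    """Return ("trusted", issuer) if the certificate seen through the tunnel
    validates against the trust store, else ("untrusted", reason)."""
    ctx = ssl.create_default_context()             # system roots + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # the document states TLS v1.2
    if extra_ca_file:
        # Equivalent of importing the client root into the TSSC trust store.
        ctx.load_verify_locations(cafile=extra_ca_file)
    raw = tunnel_through_proxy(proxy_host, proxy_port, ECC_HOST, ECC_PORT,
                               username, password)
    try:
        with ctx.wrap_socket(raw, server_hostname=ECC_HOST) as tls:
            issuer = dict(pair[0] for pair in tls.getpeercert()["issuer"])
            return ("trusted", f"{issuer.get('organizationName', '?')} / "
                               f"{issuer.get('commonName', '?')}")
    except ssl.SSLCertVerificationError as exc:
        # An intercepting proxy shows up here: the re-signed chain has no
        # trusted root, which is the failure the ECC client would also see.
        return ("untrusted", exc.verify_message)
    finally:
        raw.close()


if __name__ == "__main__":
    # usage: python ecc_proxy_check.py <proxy-host> <proxy-port> [client-root-ca.pem]
    proxy, port = sys.argv[1], int(sys.argv[2])
    ca = sys.argv[3] if len(sys.argv) > 3 else None
    print(check_ecc_path(proxy, port, extra_ca_file=ca))
```

Run it once without the CA file: "trusted" with an issuer that is not the client's own CA means the proxy is passing the TLS session through; "untrusted" with a chain error points at SSL interception or a missing root. A proxy that answers the CONNECT with 407 and demands NTLM rather than Basic is reported as a refused tunnel, which is the NTLM limitation noted above.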

2.1.3 ECuRep data offload

TSSC supports anonymous (S)FTP data offload into ECuRep. For the client or SSR to take advantage of the functionality, the client must allow outbound access to the related IBM server.

Note: ECuRep intends to disable anonymous data upload in 3Q2020, at which time the provided TSSC functionality will cease operation. Manual upload via web upload can be used instead, yet requires a client-specific IBM ID.

Hostname                   IP Address                     Port   Description
testcase.boulder.ibm.com   170.225.15.31                  22     ECuRep server – Americas (SFTP)
sftp.ap.ecurep.ibm.com     169.56.38.162, 169.56.38.163   22     ECuRep server – Asia Pacific (SFTP)
sftp.ecurep.ibm.com        192.109.81.25                  22     ECuRep server – Europe (SFTP)

Table 2 – ECuRep Port Information

Note: Refer to “Enhanced Customer Data Repository (ECuRep) - Send data (FTP)” for the latest reference: https://www.ibm.com/support/pages/enhanced-customer-data-repository-ecurep-send-data-ftp


2.1.4 Blue Diamond data offload

TSSC supports HTTPS data offload into Blue Diamond. For the client or SSR to take advantage of the functionality, the client must allow outbound access to the related IBM server.

Hostname                   IP Address       Port   Description
msciftpgw.im-ies.ibm.com   170.225.222.12   443    Blue Diamond server

Table 3 – Blue Diamond Port Information

2.1.5 DRI Call Home Database

The Attached System opens a problem management record (PMR) in ReTAIN, or alternatively a Case in CSP, which is used to manage the problem record between the various support levels to drive it to resolution. The ReTAIN or CSP record includes high level error information which provides the support team with the actions most commonly needed to resolve the problem. An expert system may automatically update the PMR or CSP Case with the recommended service actions based on the cause of the call home. Additional detailed information is then placed into ECuRep and processed by the DRI Call Home DB, which aids in further problem determination if needed, or can be mined to analyze trends and configuration information.

Figure 5 – Call Home and Data Retention


2.1.6 Call Home Web

Call Home Web is a web-based client user interface that has been created to allow clients to access call home data of their IBM systems through IBM Support, which can be accessed through the following web site: http://support.ibm.com

Figure 6 – Call Home Web in IBM Support

Once logged in, the client will be able to manage registered systems and view call home events.

Figure 7 – IBM Call Home Web


For any system, information such as the following may be reported.

Figure 8 – Call Home Web System Details

DRI storage systems do not support auto registration for Call Home Web. A manual bulk upload process is required. This can be done by providing a simple spreadsheet containing the following information:

Figure 9 – Boarding Spreadsheet

Columns marked in red are mandatory.

Machine Type: 4-digit IBM machine type of the system (required)
Model: 3-character IBM model of the system (optional)
Serial Number: 7-character IBM serial number of the system (required)
Country: 2-character country identifier (required)
IBM Customer Number: IBM Customer Number (required)
System Name: Customer provided reference of the system (optional). Note: This value can later be added/changed within Call Home Web.
Warranty or Contract: Indication if the system is under warranty or maintenance contract (optional)
Expiration Date: Expiration date of warranty or maintenance contract (optional)
Group(s): Customer provided group information of the system (optional). Note: This value can later be added/changed within Call Home Web, as desired by the client to logically group the systems.
Web Ids: Customer provided IBM ID that is used to log on to the Support Portal (required). Comma separated for multiple IDs.

To request a boarding spreadsheet, send an email to [email protected] with the subject “Request Call Home Web boarding spreadsheet”. For further details, including an instructional video, refer to the IBM Call Home assistance website: https://www.ibm.com/support/home/site-assistance

Call Home Web can be accessed through the IBM Technical Support app available for Android and iOS. Look for “IBM Technical Support” in the respective app store.


2.2 Remote Access Connectivity

Remote Access connectivity configuration allows IBM Service Representatives to connect directly to the Attached System. The external interfaces are collectively referred to as the Remote Support Facility (RSF). The RSF interface is dependent on the Attached System. Remote access is used by Service, Support Center and/or Development personnel to log on to the Attached System in order to provide real time support. DRI storage systems typically require using the TSSC or IMC for remote access. Once connected to the TSSC or IMC, all Attached Systems managed by the TSSC or IMC can be remotely serviced.

Remote Access security properties for the Attached Systems are as follows:

1. IBM remote access will only access log, configuration, trace and dump files which contain information specific to machine functionality.
2. Remote Access requires a non-fixed password authentication process for access into both the TSSC and any connected storage device.

AOS and remote support center service can be enabled or disabled by menu selections. Both remote access methods utilize a broadband internet connection.

2.2.1 Remote Access

Remote Access is the ability for the Service, Support Center and/or Development personnel to connect to the Attached System to gather service log information and provide real time support. This enables faster problem resolution of many issues on the Attached System.


2.2.2 Remote Access via Assist On-Site (AOS)

Note: All communication is initiated outbound only, with no need to allow inbound connections.

Figure 10 – AOS Connection with optional Proxy Server

AOS provides support for broadband Remote Access communication via TSSC/IMC. Support engineers can troubleshoot issues with a client’s machine during a remote access session.

Assist On-Site Security

Security and privacy are fundamental concerns when granting remote access to corporate IT assets. Assist On-Site uses the latest security technology to ensure that the data exchanged between IBM Support engineers and clients is completely secure. Identities are verified and protected with industry-standard authentication technology, and Assist On-Site sessions are kept secure and private with the use of randomly generated session keys and advanced encryption.

Assist On-Site allows IBM Support engineers to remotely access clients’ computers to identify and resolve technical issues in real time. Assist On-Site facilitates problem determination and remediation by providing a powerful suite of tools that enables IBM Support engineers to quickly complete root cause analysis and take appropriate corrective action.

Once a screen-sharing session has begun, the Support engineer is connected to the client’s computer (here TSSC/IMC) via a relay server. Large, randomly generated session keys are issued to both participants to ensure that only the designated parties are connected. During the session, all transferred information, including screen views, file-transfer data and identities, is encrypted. Encryption and decryption are from end to end, so data can’t be intercepted during transit and can only be viewed via the Assist On-Site console.

Assist On-Site sessions are protected by strong password authentication. Support engineers are authenticated using a challenge and response password exchange. Assist On-Site implements outbound connections, protected by TLS encryption over a port 443 session, to prevent intruder access to the information exchanged during all Assist On-Site sessions.


Chat, screen viewing, screen-sharing and file transfer data is encrypted end to end, and packets are never decrypted in transit by the communication servers. Assist On-Site works seamlessly with most firewalls. Usually, Assist On-Site connections are possible without any firewall reconfiguration. Assist On-Site requires access to outbound ports at both ends of a connection, so there is no need to open holes in firewalls. Assist On-Site will automatically choose the relay server which provides the best end-to-end performance. All relay servers are available from all geographies, with performance typically better from the relay server closest to the client system.

Hostname              IP Address       Port  Description
aos.uk.ihost.com      195.171.173.165  443   UK AOS Broker 1)
aoshats.us.ihost.com  72.15.223.62     443   US AOS Broker 1)

Table 4 – AOS 4.0 Port Information

1) IBM recommends the use of both AOS brokers for redundancy. A client may restrict the use to a specific broker as needed, requiring a manual change of the AOS configuration.

Note: All communication is initiated outbound only, with no need to allow inbound connections.

TSSC provides the ability to connect either with or without a Proxy server. “Connect Through HTTP Proxy” implies there is a client HTTP Proxy server through which the client requires all call home traffic to go. When selecting this option, enter the “Proxy IP Address” and “Proxy Port”. If necessary, enter any required proxy server username and password. The client should supply these values.

Figure 11 – TSSC Screenshot for HTTP Proxy Setting for AOS


Proxy Server requirements

• The Proxy must not terminate the connection between the AOS client running on TSSC and the AOS server located at IBM.
  o During the SSL handshake the AOS server presents a self-signed certificate, which the AOS client must trust or the SSL handshake will fail.
  o For the AOS client to trust the certificate, the root certificate (signer of the server certificate) must exist in the AOS client trust store.
  o If the client proxy terminates the connection, e.g. because self-signed certificates are disallowed by default, then the client proxy presents a certificate, not the IBM AOS server. That certificate would have to be trusted by the AOS client, which it is not, because the client’s root certificate does not exist in the AOS client trust store (i.e. DisableServerCertValidation).

Note: Current TSSC code provides the ability to import a client provided certificate into the TSSC trust store in order to overcome this prior dependency.

• Some proxies may encounter problems when attempting man-in-the-middle (MITM) detection, as the actual communication protocol is not standard HTTP(S) but a proprietary binary protocol (i.e. url.domain=aoshats.us.ihost.com detect_protocol (none)).

• Proxy configuration rules may need to be modified to prevent internal functions from intercepting SSL in order to perform policy inspection, as this may result in failure to properly communicate between AOS client and AOS server, because a proprietary binary protocol is used (i.e. disable-SSL-interception).

• Similarly, it may be required to bypass SSL acceleration for all referenced *.ihost.com websites.

• Blue Coat proxies identify AOS data traffic as “Remote Support Tool” and may disallow such data traffic. If the proxy performs web filtering based on vendor web filter categories for all URLs and the proxy policy is set to block that category, it has to be ensured that the AOS data traffic to the required target server is allowed by putting it on the authorized list (i.e. whitelist configuration).

• It may be required to override a default proxy policy for required authentication for outbound traffic (i.e. do-not-authenticate).

• It may be required to specifically allow the AOS URLs in the web access policy layer of the proxy if the proxy uses a default do-not-allow-access policy (i.e. allow-access).

• NTLM authentication (NTLMSSP) is not supported. Any NTLM proxy must utilize basic authentication in order to work properly with the AOS client. Note: Microsoft no longer recommends NTLM in applications: https://msdn.microsoft.com/en-us/library/cc236715.aspx
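To make the trust-store requirement above concrete, the following added Python model (not IBM code; certificates are reduced to subject, issuer and a constructed fingerprint, and no signatures are verified) walks a presented chain the way a TLS client does and shows why a proxy-terminated connection fails until the client's proxy root is imported into the TSSC trust store, as the note above describes.

```python
"""Trust decision of the AOS client for the certificate chain a proxy lets through.

Added illustration, not IBM code. A certificate is reduced to subject, issuer and a
constructed SHA-256 fingerprint; no signatures are checked, only the chain walk and
trust-store membership that decide whether the SSL handshake can succeed.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    fingerprint: str  # hex SHA-256; a real client hashes the DER encoding

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def make_cert(subject: str, issuer: str) -> Cert:
    # Constructed fingerprint so the example runs without real X.509 material.
    return Cert(subject, issuer, hashlib.sha256(f"{subject}|{issuer}".encode()).hexdigest())


def evaluate_chain(chain: List[Cert], trust_store: Set[str]) -> Tuple[bool, str]:
    """Walk leaf -> issuer -> ... -> self-signed root; accept only a root in the trust store."""
    if not chain:
        return False, "no certificate presented"
    by_subject = {c.subject: c for c in chain}
    cert, seen = chain[0], set()
    while not cert.self_signed:
        if cert.fingerprint in seen:
            return False, "issuer loop in presented chain"
        seen.add(cert.fingerprint)
        issuer = by_subject.get(cert.issuer)
        if issuer is None:
            return False, f"issuer '{cert.issuer}' of '{cert.subject}' not presented"
        cert = issuer
    if cert.fingerprint in trust_store:
        return True, f"root '{cert.subject}' is in the AOS client trust store"
    return False, f"root '{cert.subject}' is NOT in the AOS client trust store"


def import_client_certificate(trust_store: Set[str], root: Cert) -> Set[str]:
    """The TSSC option of importing a client-provided root into the trust store."""
    if not root.self_signed:
        raise ValueError("only a root (self-signed) certificate can be imported")
    return trust_store | {root.fingerprint}


# Constructed material. IBM_AOS_ROOT stands in for the private signer of the AOS
# server certificate, which the page describes as self-signed (not a public CA).
IBM_AOS_ROOT = make_cert("AOS Root (constructed)", "AOS Root (constructed)")
AOS_SERVER = make_cert("aoshats.us.ihost.com", IBM_AOS_ROOT.subject)
CORP_PROXY_CA = make_cert("Corp Proxy CA (constructed)", "Corp Proxy CA (constructed)")
# What the AOS client sees when the proxy terminates TLS and re-signs the server name.
PROXY_LEAF = make_cert("aoshats.us.ihost.com", CORP_PROXY_CA.subject)

AOS_TRUST_STORE = {IBM_AOS_ROOT.fingerprint}


def passthrough_result() -> Tuple[bool, str]:
    """Proxy does not terminate: the client sees the IBM chain."""
    return evaluate_chain([AOS_SERVER, IBM_AOS_ROOT], AOS_TRUST_STORE)


def terminated_result() -> Tuple[bool, str]:
    """Proxy terminates: the client sees the corporate proxy's chain."""
    return evaluate_chain([PROXY_LEAF, CORP_PROXY_CA], AOS_TRUST_STORE)


def terminated_after_import_result() -> Tuple[bool, str]:
    """Same terminated chain after the client's proxy root was imported into the TSSC."""
    store = import_client_certificate(AOS_TRUST_STORE, CORP_PROXY_CA)
    return evaluate_chain([PROXY_LEAF, CORP_PROXY_CA], store)


if __name__ == "__main__":
    for name, fn in [("pass-through", passthrough_result),
                     ("terminated", terminated_result),
                     ("terminated+import", terminated_after_import_result)]:
        ok, why = fn()
        print(f"{name:18} handshake {'succeeds' if ok else 'fails'}: {why}")
```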


Further details on AOS Connection (reference numbers below)

Figure 12 – AOS Connection with optional Proxy Server

1. AOS client sends a heartbeat every 2 minutes to the AOS server to check for an AOS connection request (outbound from the client firewall perspective). The heartbeat contains system credentials such as client name, client number, system machine type, model and serial number, hostname and access control list (ACL).

2. Remote support engineer uses the AOS console application to connect to the AOS server.

3. AOS server authenticates the remote support engineer and determines ACL and team assignment.

4. AOS support console requests the list of allowed AOS clients. This list is based on the ACL / Team assignment for this support engineer.

5. Support engineer creates a connection request to the AOS server through the AOS console.

6. With the next heartbeat the AOS client is notified about the connection request.

7. AOS client establishes the remote access connection to the AOS server using any of the listed connection options.

8. AOS server logs the established session and can record the screen session on support engineer request.

9. Local user may need to accept the session based on system configuration. This is a configurable item on the client. It’s recommended to not require local accept.

10. AOS client and AOS console switch into the configured session-mode:
    1. Shared Screen (default)
    2. Port Forwarding

11. Remote support engineer changes between Shared Screen and Port Forwarding as needed.

12. Support engineer performs maintenance activity.
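The flow above, simulated from the broker's side as an added example (not IBM code; engineers, teams, client records and timings are constructed). It shows what the outbound-only heartbeat design means for a defender: the client learns of a request only on its next poll, the broker lists only clients whose ACL matches the engineer's teams, and every request, denial and session lands in an audit trail.

```python
# Broker-side simulation of the AOS connection flow (steps 1 to 12 above). Added
# illustration, not IBM code; engineers, teams, clients and timings are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

HEARTBEAT_INTERVAL_S = 120  # step 1: the client polls every 2 minutes


@dataclass
class ClientRecord:
    """Identity carried by the heartbeat (step 1) and the ACL of teams allowed to connect."""
    client_name: str
    client_number: str
    acl: Set[str]
    require_local_accept: bool = False  # step 9; the page recommends not requiring it


@dataclass
class ConnectionRequest:
    request_id: int
    engineer: str
    client_number: str


@dataclass
class Session:
    request: ConnectionRequest
    state: str  # "awaiting-local-accept" or "active"


class AosBroker:
    def __init__(self, engineer_teams: Dict[str, Set[str]]):
        self.engineer_teams = engineer_teams  # step 3: team assignment per engineer
        self.clients: Dict[str, ClientRecord] = {}
        self.pending: Dict[str, List[ConnectionRequest]] = {}
        self.sessions: Dict[int, Session] = {}
        self.audit: List[str] = []
        self._next_id = 1

    def heartbeat(self, record: ClientRecord, now: int) -> Optional[ConnectionRequest]:
        """Steps 1 and 6: the client's outbound poll; a queued request rides back on it."""
        self.clients[record.client_number] = record
        queue = self.pending.get(record.client_number, [])
        req = queue.pop(0) if queue else None
        self.audit.append(f"t={now} HEARTBEAT {record.client_number} request={req is not None}")
        return req

    def allowed_clients(self, engineer: str) -> List[str]:
        """Steps 3 and 4: only clients whose ACL intersects the engineer's teams are listed."""
        teams = self.engineer_teams.get(engineer)
        if teams is None:
            raise PermissionError(f"unknown engineer {engineer}")
        return sorted(c.client_number for c in self.clients.values() if c.acl & teams)

    def request_connection(self, engineer: str, client_number: str, now: int) -> ConnectionRequest:
        """Step 5: queue a request; nothing reaches the client before its next heartbeat."""
        if client_number not in self.allowed_clients(engineer):
            self.audit.append(f"t={now} DENY {engineer} -> {client_number}")
            raise PermissionError(f"{engineer} is not in the ACL of {client_number}")
        req = ConnectionRequest(self._next_id, engineer, client_number)
        self._next_id += 1
        self.pending.setdefault(client_number, []).append(req)
        self.audit.append(f"t={now} REQUEST {req.request_id} {engineer} -> {client_number}")
        return req

    def client_connect(self, req: ConnectionRequest, now: int) -> Session:
        """Steps 7 to 9: the client opens its outbound session and the broker logs it."""
        needs_accept = self.clients[req.client_number].require_local_accept
        session = Session(req, "awaiting-local-accept" if needs_accept else "active")
        self.sessions[req.request_id] = session
        self.audit.append(f"t={now} SESSION {req.request_id} {session.state}")
        return session


def run_flow() -> dict:
    """Constructed walk-through: one engineer, two clients, one outside the engineer's teams."""
    broker = AosBroker({"engineer-a": {"tape-l2-emea"}})
    c1 = ClientRecord("Client One", "1000001", {"tape-l2-emea"})
    c2 = ClientRecord("Client Two", "1000002", {"tape-l2-amer"})
    broker.heartbeat(c1, 0)
    broker.heartbeat(c2, 0)
    visible = broker.allowed_clients("engineer-a")
    try:
        broker.request_connection("engineer-a", "1000002", 10)
        denied = False
    except PermissionError:
        denied = True
    req = broker.request_connection("engineer-a", "1000001", 10)
    delivered_at = None
    for t in (HEARTBEAT_INTERVAL_S, 2 * HEARTBEAT_INTERVAL_S):  # next polls at 120 s and 240 s
        if broker.heartbeat(c1, t) is req:
            delivered_at = t
            break
    session = broker.client_connect(req, delivered_at + 1)
    return {"visible": visible, "denied": denied, "delivered_at": delivered_at,
            "state": session.state, "audit": broker.audit}
```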


2.2.3 Remote Access via remote support center

Note: All communication is initiated outbound only, with no need to allow inbound connections.

As an alternative to AOS, a second remote access offering is provided through remote support center.

Figure 13 – remote support center connection with optional Proxy Server

To perform remote access through remote support center, the TSSC must be able to initiate an outbound SSH connection to IBM. If the TSSC does not have direct access to the internet (for example, due to a firewall), a remote support center proxy to facilitate the connection to IBM will be required. IBM remote support center uses the Secure Shell (SSH) protocol for transporting data. The encryption used by SSH provides confidentiality and integrity of the transferred data even over insecure mediums. The solution consists of three main components:

1. The remote support center remote access client installed on TSSC:
   • Software that is installed on the IBM system and handles remote access connectivity.
   • Relies on a single outgoing TCP connection (open port 22 SSH) and is not able to receive inbound connections of any kind.
   • Client has control of the access.

2. The front servers:
   • Serve as a hub at which the IBM systems and the remote-access back server connect.
   • The front servers are located in an IBM DMZ and receive and maintain connections from the IBM System remote support client and the back server.
   • Strictly inbound, do not initiate any outbound communication.
   • Are a pass-thru for the encrypted connection. Cannot be used to manipulate sensitive data.

3. Back servers:
   • Only IBM Authorized service personnel can access.
   • Authenticates the IBM service representative.
     o The IBM service representative connects to the back server by using a Secure Shell (SSH) client or an HTTPS connection with any browser.

Hostname                          IP Address      Port        Description
y03lcxapp002.ahe.boulder.ibm.com  204.146.30.139  22, 443 1)  remote support center front server
y01lcxapp002.ahe.pok.ibm.com      129.33.206.139  22, 443 1)  remote support center front server
y03s0008.ahe.boulder.ibm.com      204.146.30.157  22, 443 1)  remote support center front server
y01lcxahttp008.ahe.pok.ibm.com    129.33.207.37   22, 443 1)  remote support center front server

Table 5 – remote support center Port Information

1) Port 443 required for remote support center proxy only

Note: All communication is initiated outbound only, with no need to allow inbound connections.


3.0 Service Access Security

Figure 14 – Remote Access Security

Multiple service access levels are defined for the Attached Systems. Each authentication service access level ID has a different password. Authentication service passwords are static once installed on the Attached Systems. The use of the authentication service userids, Service and Enhanced, is limited: they only allow authorized service personnel to authenticate in order to gain access to the system. Service levels for the Attached Systems are:

1. Service Level user (IBM System Service Representative)

2. Enhanced Level user (IBM Product Field Engineer, IBM product development, IBM Support Center, IBM Field Specialist/TopGun)

Authorized service personnel must log on to an Attached System with one of these authentication IDs. Once they are logged on with the authentication ID, they are required to enter their IBM-granted service personnel authentication ID. They are then presented with a randomly generated authentication access code, which needs to be authenticated against an IBM internal and secured authentication server. The access code must be entered either locally or remotely so that a temporary password is granted. The temporary password is valid for 24 hours.

For TSSC/IMC, Service Level and Enhanced Level authenticated userid logons are placed into a command line session. For TS7700, Service Level authenticated userid logons are automatically placed into a Service Menu session. Command line access is not allowed. Any attempt to break out of the Service menus results in being disconnected. These service access levels are enforced by the TSSC and/or the Attached System. LDAP can also be used to provide another level of security for service personnel.

Local service personnel must authenticate locally on TS7700 to be allowed logon authority for any of the Attached Systems unless otherwise noted. An encrypted challenge password is displayed locally on the LED display of the Attached Systems. The challenge password in conjunction with the service level password is required to log in locally. Local security is the client’s responsibility.


Once logged in with one of the service level passwords, they are locked into the authentication Service menu. They must provide an authentication ID and select remote or local authentication. When remote is selected, an encrypted message is presented. To decrypt the message, they must log into one of the decryption sites within IBM. Once decrypted, the IBM service representative must log on with their own authorized ID and the decrypted password. The remote session is valid for 24 hours. To reactivate it, they must re-authenticate with the decryption server. The authenticated userid and password are propagated to all Attached Systems. Once the IBM service representative authenticates through the TSSC, they may log on to any of the Attached Systems using their ID and temporary password within a 24-hour period. Non-IBM authorized personnel are not granted access to the decryption sites and do not have remote access to the Attached Systems.
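The service access flow described in this section, modelled in Python as an added example (not IBM code). The static service-level IDs, the personal ID, the random access code, the 24-hour temporary password and its propagation to the Attached Systems follow the text; the HMAC derivation of the temporary password and the key shared with the server are assumptions standing in for the mechanism the page does not disclose.

```python
"""Model of the service access flow: static service-level ID, personal ID, random access
code validated by an IBM-internal server, temporary 24-hour password propagated to all
Attached Systems. Added illustration, not IBM code; the HMAC derivation and the shared key
are assumptions standing in for the undisclosed mechanism.
"""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta
from typing import Dict, Set, Tuple

SERVICE_LEVEL_IDS = {"Service", "Enhanced"}  # static per-system IDs named on the page
VALIDITY = timedelta(hours=24)               # temporary password lifetime from the page


def derive_temp_password(key: bytes, personal_id: str, access_code: str) -> str:
    # Assumed mechanism: keyed hash of personal ID and access code (not the real algorithm).
    msg = f"{personal_id}:{access_code}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


class AuthServer:
    """Stands in for the IBM internal authentication (decryption) server."""

    def __init__(self, authorized_personal_ids: Set[str], key: bytes):
        self.authorized = authorized_personal_ids
        self.key = key

    def redeem(self, personal_id: str, access_code: str) -> str:
        if personal_id not in self.authorized:
            raise PermissionError(f"{personal_id} is not authorized service personnel")
        return derive_temp_password(self.key, personal_id, access_code)


class AttachedSystem:
    """A TSSC or an Attached System such as a TS7700 (constructed model)."""

    def __init__(self, name: str, key: bytes):
        self.name = name
        self.key = key
        self.pending: Dict[str, str] = {}                # personal_id -> issued access code
        self.temp: Dict[str, Tuple[str, datetime]] = {}  # personal_id -> (password, expiry)

    def service_logon(self, service_id: str) -> str:
        """First step: one of the static service-level IDs, landing in the authentication menu."""
        if service_id not in SERVICE_LEVEL_IDS:
            raise PermissionError("not a service-level ID")
        return "authentication-menu"

    def challenge(self, personal_id: str) -> str:
        """Second step: a randomly generated access code for this personal ID."""
        code = secrets.token_hex(8)
        self.pending[personal_id] = code
        return code

    def install_temp_password(self, personal_id: str, password: str, now: datetime) -> datetime:
        """Accept the server-validated password and start the 24-hour window."""
        code = self.pending.pop(personal_id, None)
        expected = derive_temp_password(self.key, personal_id, code or "")
        if code is None or not hmac.compare_digest(password, expected):
            raise PermissionError("access code not validated")
        expiry = now + VALIDITY
        self.temp[personal_id] = (password, expiry)
        return expiry

    def propagate(self, personal_id: str, other: "AttachedSystem") -> None:
        """The TSSC propagates the authenticated userid and password to all Attached Systems."""
        other.temp[personal_id] = self.temp[personal_id]

    def logon(self, personal_id: str, password: str, now: datetime) -> bool:
        entry = self.temp.get(personal_id)
        if entry is None or now >= entry[1]:
            return False  # unknown or expired: re-authentication with the server is required
        return hmac.compare_digest(password, entry[0])


def run_flow(now: datetime = datetime(2020, 6, 1, 12, 0)) -> dict:
    """Constructed walk-through across a TSSC and one attached TS7700."""
    key = b"constructed-shared-key"
    server = AuthServer({"ibm-sre-1"}, key)
    tssc = AttachedSystem("TSSC", key)
    ts7700 = AttachedSystem("TS7700", key)
    menu = tssc.service_logon("Service")
    code = tssc.challenge("ibm-sre-1")
    try:
        server.redeem("not-authorized", code)
        outsider_rejected = False
    except PermissionError:
        outsider_rejected = True
    password = server.redeem("ibm-sre-1", code)
    tssc.install_temp_password("ibm-sre-1", password, now)
    tssc.propagate("ibm-sre-1", ts7700)
    return {
        "menu": menu,
        "outsider_rejected": outsider_rejected,
        "ts7700_after_1h": ts7700.logon("ibm-sre-1", password, now + timedelta(hours=1)),
        "ts7700_after_25h": ts7700.logon("ibm-sre-1", password, now + timedelta(hours=25)),
        "wrong_password": tssc.logon("ibm-sre-1", "0000000000000000", now + timedelta(hours=1)),
    }
```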


4.0 Machine specific information

4.1 TS3000 System Console (TSSC)

Figure 15 – TSSC Connectivity

TSSC/IMC code level recommendation: https://www.ibm.com/support/pages/tssc-imc-ts3000-code-update-recommendation

The TSSC utilizes ECC and AOS/remote support center to provide broadband connectivity for both Call Home and/or Remote Access. The TSSC has Ethernet connectivity to all Attached Systems via a private internal network. Both Call Home (ECC) and Remote Access (AOS, remote support center) utilize outbound traffic only, which is limited to HTTPS (ECC), SSH (remote support center) and a proprietary protocol (AOS) as well as DNS (optional). All service-related data is encrypted. All other protocols, such as SNMP and LDAP, are used by TSSC for service functionality independent from ECC and AOS.


The following table provides information on what ports need to be opened for connection to the client network.

Port      Function        Direction from TSSC  Protocol
          PING            Outbound             ICMP
22        SSH             Outbound             TCP
53        DNS             Bi-directional       UDP
80        HTTP            Bi-directional 1)    TCP
162       SNMP Trap       Outbound             UDP
389       LDAP            Outbound             TCP
415       RSYSLOG         Outbound             TCP / UDP
443       HTTPS           Bi-directional 1)    TCP
636       LDAP with TLS   Outbound             TCP
16311 3)  LDAP using SAS  Outbound             TCP

Table 6 – TSSC External Port Information 2)

1) Bi-directional in case of client web access, otherwise Outbound only
2) For AOTM Port Information refer to section “4.2 TS7700 virtual tape systems”
3) SSPC support has been deprecated

The Call Home and Remote Access services need to be configured and started locally on the TSSC. The AOS service also provides an “Unattended Mode” functionality that allows remote access without the need for someone to locally confirm the remote takeover of the TSSC. If the “Unattended Mode” option is not enabled, then a local service user must be present to allow takeover of the TSSC. Either client or SSR may start and stop the AOS service. For more information refer to section “2.2.2 Remote Access via Assist On-Site (AOS)”. Similarly, remote support center requires manual start and stop by a local user.

TSSC provides embedded security features such as a built-in firewall and the ability to send SNMP traps or Rsyslog messages when a user logs in or out of the system. The TSSC can also send SNMP traps for failed call home attempts.
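A defender can turn Table 6 into a detection rule for the TSSC's external interface. The following added example (not IBM code; the log format, addresses and sample records are constructed) checks connection records against the table and flags an inbound connection where the table lists outbound only, a port the table does not list, and continued use of the deprecated LDAP-via-SAS port.

```python
"""Checks TSSC connection records against Table 6 (added illustration, not IBM code).

The log format and all addresses are constructed for the example; adapt LINE_RE to the
firewall or flow source actually in use.
"""
import re
from typing import Dict, List, Optional, Tuple

# Table 6: (protocol, port) -> direction as seen from the TSSC. "bi-if-web" marks the
# rows with note 1): bi-directional only in case of client web access, else outbound.
TSSC_PORTS: Dict[Tuple[str, Optional[int]], str] = {
    ("icmp", None): "out", ("tcp", 22): "out", ("udp", 53): "bi",
    ("tcp", 80): "bi-if-web", ("udp", 162): "out", ("tcp", 389): "out",
    ("tcp", 415): "out", ("udp", 415): "out", ("tcp", 443): "bi-if-web",
    ("tcp", 636): "out", ("tcp", 16311): "out",
}
DEPRECATED = {("tcp", 16311)}  # note 3): SSPC (LDAP via SAS) support has been deprecated

LINE_RE = re.compile(
    r"^(?P<ts>\S+) dir=(?P<dir>in|out) proto=(?P<proto>tcp|udp|icmp) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+)(?: dport=(?P<dport>\d+))?$"
)


def parse_line(line: str) -> Optional[dict]:
    """One constructed record -> dict, or None when the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    return rec


def classify(rec: dict, client_web_access: bool) -> str:
    """'allowed', 'allowed-deprecated', 'unexpected-inbound' or 'unexpected-port'."""
    key = (rec["proto"], None if rec["proto"] == "icmp" else rec["dport"])
    direction = TSSC_PORTS.get(key)
    if direction is None:
        return "unexpected-port"
    inbound_ok = direction == "bi" or (direction == "bi-if-web" and client_web_access)
    if rec["dir"] == "in" and not inbound_ok:
        return "unexpected-inbound"
    return "allowed-deprecated" if key in DEPRECATED else "allowed"


def audit(lines: List[str], client_web_access: bool = False) -> List[Tuple[int, str, str]]:
    """Findings as (line number, verdict, line) for everything that is not plainly allowed."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            findings.append((n, "unparsed", line))
            continue
        verdict = classify(rec, client_web_access)
        if verdict != "allowed":
            findings.append((n, verdict, line))
    return findings


# Constructed sample: 192.0.2.10 plays the TSSC, the rest of 192.0.2.0/24 the client network.
SAMPLE_LOG = [
    "2020-06-01T10:00:01Z dir=out proto=tcp src=192.0.2.10 dst=192.0.2.20 dport=22",
    "2020-06-01T10:00:02Z dir=out proto=udp src=192.0.2.10 dst=192.0.2.53 dport=53",
    "2020-06-01T10:00:03Z dir=out proto=icmp src=192.0.2.10 dst=192.0.2.20",
    "2020-06-01T10:00:04Z dir=in proto=tcp src=192.0.2.77 dst=192.0.2.10 dport=443",
    "2020-06-01T10:00:05Z dir=out proto=tcp src=192.0.2.10 dst=192.0.2.30 dport=16311",
    "2020-06-01T10:00:06Z dir=in proto=tcp src=192.0.2.77 dst=192.0.2.10 dport=22",
    "2020-06-01T10:00:07Z dir=out proto=tcp src=192.0.2.10 dst=192.0.2.40 dport=23",
    "2020-06-01T10:00:08Z dir=in proto=udp src=192.0.2.53 dst=192.0.2.10 dport=53",
]

if __name__ == "__main__":
    # With client web access disabled, inbound 443 is reported as well.
    for n, verdict, line in audit(SAMPLE_LOG, client_web_access=False):
        print(f"line {n}: {verdict:20} {line}")
```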

Figure 16 – TSSC SNMP Trap Alerting

Figure 17 – TSSC Rsyslog configuration


4.2 TS7700 virtual tape systems

TS7700 code level recommendation: https://www.ibm.com/support/pages/ts7700-code-update-recommendation

The TS7700 virtual tape systems provide two Ethernet connections to the client’s network for access to the TS7700 Management Interface, and to allow the storage system to communicate with SNMP servers, encryption key managers and LDAP servers. The client is to supply three IP addresses for the TS7700 Management Interface. Two of these IP addresses are physical addresses and one of them is a virtual address. If one of the two physical Ethernet connections goes down, the virtual address will use the alternate physical Ethernet connection. The client should use the virtual IP address for communication with the TS7700 Management Interface. The TS7700 virtual tape systems use the following ports for client connection:

Port      Function            Direction from TS7700  Protocol
          PING                Outbound               ICMP
53        DNS                 Bi-directional         UDP
80        HTTP                Inbound                TCP
123       NTP                 Bi-directional         UDP
162       SNMP Trap           Outbound               UDP
389       LDAP                Outbound               TCP
415       RSYSLOG             Outbound               TCP
441       SKLM TLS (R5.0)     Outbound               TCP
443       HTTPS               Inbound                TCP
636       LDAP with TLS       Outbound               TCP
3801      TKLM/ISKLM Server   Outbound               TCP
5696      KMIP TLS (R5.0)     Outbound               TCP
16311 1)  LDAP using SAS      Outbound               TCP

Table 7 – TS7700 Management Interface Port Information

1) SSPC support has been deprecated

The TS7700 management interface (MI) is a web-based user interface to the TS7700 for client information and management. The MI is used to manage user access to the TS7700. The following user security policy settings are available:

• Disable account expiration
  o User accounts will not expire.

• Enable account expiration
  o Allow accounts to expire after a set number of days from when their passwords are set.

• Disable account lockout
  o User accounts will not be locked when using an incorrect password.

• Enable account lockout
  o The account is allowed a certain number of failed logon attempts before the user is locked out of logging into the management interface.


TS7700 Grid

A TS7700 cluster connects with two or four 1Gb/s or 10Gb/s Ethernet links to its peer clusters. The client must supply TCP/IP addresses for each Ethernet link defined for Grid communication. These TCP/IP addresses must be unique across this network and reachable by all TCP/IP addresses configured for the Grid across the Distributed Library WAN. The Grid network allows these addresses to be connected to one another by opening the following TCP/IP ports, which the TS7700 virtual tape systems use for Grid connection:

Port      Function                                         Direction from TS7700  Protocol
          Ping                                             Bi-directional         ICMP
9         Discard Service (for bandwidth measuring tools)  Bi-directional         TCP
20/21 1)  FTP (File Transfer Protocol)                     Bi-directional         TCP
22 1)     SSH                                              Bi-directional         TCP
80        HTTP                                             Bi-directional         TCP
123       NTP (Network Time Protocol)                      Bi-directional         UDP
350       Distributed Library file transfer                Bi-directional         TCP
443       HTTPS                                            Bi-directional         TCP
1415      Websphere Message Queues                         Bi-directional         TCP
1416      Websphere Message Queue                          Bi-directional         TCP

Table 8 – TS7700 Grid Port Information

1) used by PFE/Development during remote access (recommended)

Note: TS7700 clusters within a Grid only communicate with other clusters of the same Grid via their Grid connections.

Autonomic Ownership Takeover Manager (AOTM)

The TSSC provides Autonomic Ownership Takeover Manager (AOTM) functionality and connectivity to a remote TS7700 cluster. AOTM allows the System Console to create a temporary alternative communication path around a failing communication path in a TS7700 virtual tape systems Grid configuration to determine the health of the remote system. AOTM is done automatically by a TSSC, without a request being made by an operator. AOTM utilizes port 80 or 443, one of which is required for AOTM to function. In addition, ICMP pings are desirable for easier service (i.e. it is easy to ping remote systems and verify they are responding). However, only port 80 or 443 is required for AOTM to function.

Note: AOTM initially attempts to use port 80 yet transparently fails over to port 443 as required.


Figure 18 – Autonomic Ownership Takeover Manager configuration for four clusters in a hybrid Grid

TSSC will connect to the AOTM Network with an additional connection:

Port      Function  Direction from TSSC  Protocol
          PING 1)   Bi-directional       ICMP
20/21 1)  FTP       Bi-directional       TCP
22 1)     SSH       Bi-directional       TCP
80        HTTP      Bi-directional       TCP
443       HTTPS     Bi-directional       TCP
9666      COMM      Bi-directional       TCP

Table 9 – TSSC AOTM Port Information

1) used by PFE/Development during remote access (recommended)

Note: TSSCs within a Grid only communicate with other TSSCs of the same Grid via the AOTM interface.

Note: While it is recommended to use different sub-networks for External and AOTM adapter connections, it is supported for them to be connected to the same subnet. If the client’s network is configured such that AOTM and External adapters are on the same network, verify that the HTTP firewall entries are the same for both the AOTM and External Interface of the TSSC as shown below. Also, ensure the client network firewall settings match the TSSC for the same connections within the client network.

Figure 19 – Example of consistent firewall settings for External and Grid interfaces


4.3 TS4500 Tape Library

TS4500 code level recommendation: https://www.ibm.com/support/pages/ibm-ts4500-code-update-recommendation

The TS4500 Tape Library provides up to two Ethernet connections per library frame to the client’s network for access to the TS4500 Library Web Specialist. The client is to supply one IP address per desired TS4500 Web Specialist connection. The TS4500 Tape Library uses the following ports:

Port     Function                       Direction from TS4500  Protocol
         PING                           Bi-directional         ICMP
25       SMTP                           Outbound               TCP
53       DNS                            Outbound               UDP
67/68    DHCP                           Outbound               UDP
80       HTTP                           Bi-directional         TCP
123      NTP                            Outbound               UDP
161/162  SNMP                           Bi-directional         TCP
389      LDAP                           Outbound               TCP
443      HTTPS                          Bi-directional         TCP
514      SYSLOG                         Outbound               UDP
543      KERBEROS                       Inbound                TCP
636      LDAP with SSL                  Outbound               TCP
1527     SQL query for TSR              Inbound                TCP
3801     TKLM/ISKLM Server (LME Only)   Outbound               TCP

Table 10 – TS4500 Port Information

The TS4500 Tape Library utilizes an Integrated Management Console (IMC), which provides the same functionality for call home and remote access as the TSSC. All TSSC specific dependencies apply. Refer to section “4.1 TS3000 System Console (TSSC)” for details.


5.0 System functions

5.1 LDAP via Secure Authentication Service (SAS)

Note: LDAP via Secure Authentication Service has been deprecated.

The option for Lightweight Directory Access Protocol (LDAP) access control is available on TS7700 virtual tape systems, TS3500 Tape Library and TSSC using the System Storage™ Productivity Center (SSPC), a server operating with the Tivoli® Storage Productivity Center (TPC) software. Remote authentication is supported using the Tivoli Secure Authentication Service (SAS) client and server, and the WebSphere® Federated Repositories. The TS7700, TS3500 or TSSC must connect to an SSPC appliance or a server using TPC. The SAS client is integrated into the Attached Systems firmware, while the SAS server and the WebSphere Federated Repositories are integrated into TPC 4.1 and higher. TPC is available as a software-only package or as an integrated solution on the SSPC appliance.

When SAS is enabled, the Attached System passes user authentication requests to the SAS server on the SSPC or TPC, where they are forwarded to the client’s Lightweight Directory Access Protocol (LDAP) or Microsoft® Active Directory (AD) server. The LDAP or AD server then authenticates the user’s ID and password; if they are valid, one or more user groups are assigned. The Attached System then assigns the user a role based on the LDAP or AD group. This central repository allows you to accomplish the following security tasks from a single interface, without logging in to multiple machines:

• Add or remove a user
• Reset or change a password
• Assign, change, or delete the role of a user

A central repository can also simplify the process of responding to new security requirements. For instance, rules for passwords can be changed in one location without reconfiguring multiple, affected machines. By comparison, when local authentication is employed, each individual machine maintains an internal database of user IDs, with corresponding passwords and roles.

5.2 Direct LDAP using Microsoft Active Directory

TS4500, TS7700 and TSSC/IMC support direct LDAP in combination with Microsoft Active Directory or any other LDAP server such as OpenLDAP or IBM Tivoli Directory Server, in addition to the original LDAP support using SAS. Refer to the whitepaper “TS7700 virtual tape systems LDAP security” for additional details for TS7700.


5.3 RACF support with direct LDAP

TS7700, TS4500 and TSSC added support for RACF utilizing direct LDAP, in addition to the original LDAP support using SAS and direct LDAP with Microsoft Active Directory and others. Refer to the whitepaper “TS7700 virtual tape systems LDAP security” for additional details for TS7700.

5.4 System Managed Encryption

The TS3500 and TS4500 Tape Library along with TS7700 virtual tape systems and/or TS1120 C07 tape controller allow System-Managed Tape Encryption on IBM Z. The solution utilizes switches between the internal LAN network connected to the controller and the client’s LAN network. The network provides access to the client’s External Key Manager (EKM), Tivoli Key Lifecycle Manager (TKLM), or IBM Security Key Lifecycle Manager (ISKLM).

5.5 SNMP Audit Logging

This topic describes the Simple Network Management Protocol (SNMP) audit logging, which provides logging information about specific TS7700 and TS3500 user actions. The TS7700 and TS3500 provide various interfaces, other than the host application, that allow a user to change configuration settings, move cartridges within or out of the library and perform other actions. In order to provide additional capabilities for monitoring these actions, the TS7700 and TS3500 provide notifications, in the form of SNMP traps, which provide a log of when certain activities are performed. SNMP audit logging sends the log information as SNMP traps over a TCP/IP connection to an SNMP server, just as SNMP traps are sent for warning notifications. By default, SNMP audit logging is disabled.

5.6 RSYSLOG Audit Logging

As a modern alternative to SNMP audit logging, TS7700, TS4500 and TSSC/IMC have added support for audit logging by allowing certain internal system logs to be synchronized to a client provided Rsyslog server. Details can be found in the product specific Customer Knowledge Center.


Appendix A: TS7700 remote access via AOS

Note: Apart from using a different remote access tool, the process is the same when utilizing remote support center.

1. Remote support engineer receives system generated PMR (Problem Management Record). Based on PMR information remote support engineer determines if remote access is required. Remote support engineer requests approval from client for remote access.

2. Remote support engineer launches AOS “Controller” application.

3. Remote support engineer logs into application using personal user ID. IBM password restrictions apply. IBM Security and Use Standards for IBM Employees (ITCS300) apply.


4. Remote support engineer identifies client system for remote login, and initiates connection request.

5. Remote support engineer logs into TSSC as required.


6. Remote support engineer issues “Connect to Tape system”.

7. Remote support engineer selects system for connection, provides generic user ID, and starts login sequence for storage system.


8. Remote support engineer enters personal user ID and selects remote authentication.

Note: This personal user ID is separate from the AOS personal user ID.

Note: Local authentication is restricted to onsite service personnel (enforced).

9. Storage system presents authentication key.

10. Remote support engineer launches “RMSS Product Access” dB using personal user ID and password, to compute personalized access password.


Note: The “RMSS Product Access” dB is a secured IBM internal application. Access is restricted and controlled following ITCS 104.

Note: This personal user ID is separate from the previous AOS and authentication personal user IDs.

11. Remote support engineer logs into storage system using personal user ID provided in step 8 and authenticated password from step 10.

Note: The temporary account for the remote support engineer is valid for 24 hours.

Note: Login to TSSC as shown in step 5 may be performed following the same authentication steps as shown in steps 8 to 11.


Appendix B: Legacy ECC

The following table provides information on which ports need to be opened for connection to the client network.

| Hostname | IP Address | Port | Description |
|---|---|---|---|
| eccgw01.boulder.ibm.com | 207.25.252.197 | 443 | ECC transaction gateway |
| eccgw02.rochester.ibm.com | 129.42.160.51 | 443 | ECC transaction gateway |
| www.ecurep.ibm.com | 192.109.81.20 | 443 | File upload for status reporting and problem reporting |
| www6.software.ibm.com | 170.225.15.41 | 443 | File upload proxy for status reporting and problem reporting |
| www-945.ibm.com | 129.42.26.224 | 443 | Problem reporting server v4 |
| www-945.ibm.com | 129.42.42.224 | 443 | Problem reporting server v4 |
| www-945.ibm.com | 129.42.50.224 | 443 | Problem reporting server v4 |
| www.ibm.com | 129.42.56.216 1) | 443 | Service provider file (CCF) download |
| www.ibm.com | 129.42.54.216 1) | 443 | Service provider file (CCF) download |
| www.ibm.com | 129.42.60.216 1) | 443 | Service provider file (CCF) download |
| www-03.ibm.com | 204.146.30.17 | 443 | Service provider file (CCF) download |

Table 11 – ECC Port Information

1) Use of IP addresses for www.ibm.com is discouraged; DNS lookup is highly recommended.

Note: Clients are encouraged to migrate to ECC Edge.

Note: All communication is initiated outbound only, with no need to allow inbound connections.

Fix Download

In addition to the above list of servers for proper call home functionality, additional servers are required to enable fix download capability. This is used by TSSC to automatically download updated service documentation, storage device code images (e.g. 3592 and LTO tape drive code) and service tool updates.

| Hostname | IP Address | Port | Description |
|---|---|---|---|
| download3.boulder.ibm.com | 170.225.15.76 | 80 | Fix Download |
| download3.mul.ie.ibm.com | 129.35.224.114 | 80 | Fix Download |
| download4.boulder.ibm.com | 170.225.15.107 | 80 | Fix Download |
| download4.mul.ie.ibm.com | 129.35.224.107 | 80 | Fix Download |
| delivery04-bld.dhe.ibm.com | 170.225.15.104, 129.35.224.104 | 80 | Fix Download |
| delivery04-mul.dhe.ibm.com | 129.35.224.115, 170.225.15.115 | 80 | Fix Download |
| delivery04.dhe.ibm.com | 129.35.224.105, 170.225.15.105 | 80 | Fix Download |

Table 12 – ECC Fix Download Port Information

Note: All communication is initiated outbound only, with no need to allow inbound connections.

Note: Because allowing the rather large number of hostnames and IP addresses needed for call home and fix download functionality through the external network connection takes considerable effort, it is recommended to utilize ECC Edge.


Appendix C: Remote Support Network Tables

| Hostname | IP Address | Port | Description |
|---|---|---|---|
| esupport.ibm.com | 129.42.56.189 | 443, 80 1) | ECC Edge transaction gateway |
| esupport.ibm.com | 129.42.60.189 | 443, 80 1) | ECC Edge transaction gateway |
| esupport.ibm.com | 129.42.54.189 | 443, 80 1) | ECC Edge transaction gateway |
| www6.software.ibm.com | 170.225.15.41 | 443 | File upload proxy for status reporting and problem reporting (larger, ~50MB) |

Table 1 – ECC Edge Port Information

1) Fix Acquisition through port 80 or 443 as configured per client preference.

Note: All communication is initiated outbound only, with no need to allow inbound connections.

Note: For Legacy ECC support refer to “Appendix B: Legacy ECC”.

| Hostname | IP Address | Port | Description |
|---|---|---|---|
| testcase.boulder.ibm.com | 170.225.15.31 | 22 | ECuRep server – Americas (SFTP) |
| sftp.ap.ecurep.ibm.com | 169.56.38.162, 169.56.38.163 | 22 | ECuRep server – Asia Pacific (SFTP) |
| sftp.ecurep.ibm.com | 192.109.81.25 | 22 | ECuRep server – Europe (SFTP) |

Table 2 – ECuRep Port Information

| Hostname | IP Address | Port | Description |
|---|---|---|---|
| msciftpgw.im-ies.ibm.com | 170.225.222.12 | 443 | Blue Diamond server |

Table 3 – Blue Diamond Port Information

| Hostname | IP Address | Port | Description |
|---|---|---|---|
| aos.uk.ihost.com | 195.171.173.165 | 443 | UK AOS Broker 1) |
| aoshats.us.ihost.com | 72.15.223.62 | 443 | US AOS Broker 1) |

Table 4 – AOS 4.0 Port Information

1) IBM recommends the use of both AOS brokers for redundancy. A client may restrict the use to a specific broker as needed, requiring a manual change of the AOS configuration.

Note: All communication is initiated outbound only, with no need to allow inbound connections.

| Hostname | IP Address | Port | Description |
|---|---|---|---|
| y03lcxapp002.ahe.boulder.ibm.com | 204.146.30.139 | 22, 443 1) | remote support center front server |
| y01lcxapp002.ahe.pok.ibm.com | 129.33.206.139 | 22, 443 1) | remote support center front server |
| y03s0008.ahe.boulder.ibm.com | 204.146.30.157 | 22, 443 1) | remote support center front server |
| y01lcxahttp008.ahe.pok.ibm.com | 129.33.207.37 | 22, 443 1) | remote support center front server |

Table 5 – remote support center Port Information

1) Port 443 required for remote support center proxy only.

Note: All communication is initiated outbound only, with no need to allow inbound connections.
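An added example (not IBM code) of how a client firewall or log-review team can turn the Appendix B and C tables into an egress policy and check connection records against it: every support host is outbound-only and published with a fixed port set, and footnote 1) of Table 11 (resolve www.ibm.com by DNS rather than pinning its addresses) becomes a warning. Only a subset of the published rows is loaded, the flow records are constructed sample data, and the verdict names are this example's own.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    host: str
    ips: frozenset          # addresses published for the host in the tables
    ports: frozenset        # TCP ports the document lists for it
    dns_only: bool = False  # footnote 1) of Table 11: use DNS, do not pin IPs

# Subset of Tables 11, 1, 2, 4 and 5 (Appendix B and C) as published.
POLICY = (
    Rule("esupport.ibm.com",
         frozenset({"129.42.56.189", "129.42.60.189", "129.42.54.189"}), frozenset({443, 80})),
    Rule("www6.software.ibm.com", frozenset({"170.225.15.41"}), frozenset({443})),
    Rule("sftp.ecurep.ibm.com", frozenset({"192.109.81.25"}), frozenset({22})),
    Rule("aos.uk.ihost.com", frozenset({"195.171.173.165"}), frozenset({443})),
    Rule("y03lcxapp002.ahe.boulder.ibm.com", frozenset({"204.146.30.139"}), frozenset({22, 443})),
    Rule("www.ibm.com",
         frozenset({"129.42.56.216", "129.42.54.216", "129.42.60.216"}), frozenset({443}), dns_only=True),
)

def evaluate(flow, policy=POLICY):
    """Classify one flow record {direction, dst, port[, proto]} as allow / warn / deny."""
    if flow["direction"] != "out":
        return "deny", "inbound: all support communication is initiated outbound only"
    if flow.get("proto", "tcp") != "tcp":
        return "deny", "only TCP ports are published for the support hosts"
    dst = flow["dst"]
    for rule in policy:
        by_ip = dst in rule.ips
        if dst != rule.host and not by_ip:
            continue
        if flow["port"] not in rule.ports:
            return "deny", f"port {flow['port']} is not published for {rule.host}"
        if by_ip and rule.dns_only:
            return "warn", f"{rule.host} reached by literal IP; DNS lookup is recommended"
        return "allow", rule.host
    return "deny", "destination is not a published support host"

def audit(flows, policy=POLICY):
    """Count verdicts over a batch of flow records (e.g. a firewall log export)."""
    counts = {"allow": 0, "warn": 0, "deny": 0}
    for f in flows:
        counts[evaluate(f, policy)[0]] += 1
    return counts

# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    {"direction": "out", "dst": "esupport.ibm.com", "port": 443},
    {"direction": "out", "dst": "129.42.60.189", "port": 80},
    {"direction": "in", "dst": "esupport.ibm.com", "port": 443},
    {"direction": "out", "dst": "sftp.ecurep.ibm.com", "port": 443},
    {"direction": "out", "dst": "129.42.56.216", "port": 443},
    {"direction": "out", "dst": "203.0.113.9", "port": 443},
]
```

Running `audit(SAMPLE_FLOWS)` yields two allows, one warning and three denials; the inbound attempt and the wrong-port ECuRep connection are the two that a client's change review should catch.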


Appendix D: Legacy Device Support

D.1 TS7600 ProtecTIER

The TS7600 ProtecTIER deduplication systems can be accessed using the ProtecTIER Manager application. The TS7600 uses the following ports for client connection:

| Port | Function | Direction from TS7600 | Protocol |
|---|---|---|---|
| 20/21 | FTP | Bi-directional | TCP |
| 22 | SSH | Bi-directional | TCP |
| 25 | SMTP | Outbound | TCP |
| 123 | NTP | Outbound | UDP |
| 161/162 | SNMP | Bi-directional | UDP |
| 3501, 3502, 3503, 3506 | PT Manager | Bi-directional | TCP |
| 6202 | Replication Manager | Bi-directional | TCP |

Table 13 – TS7600 Management Port Information

The TS7600 uses the following ports for client connection:

| Port | Function | Direction from TS7600 | Protocol |
|---|---|---|---|
| 6520, 6530, 6540, 6550, 6560 | Replication | Bi-directional | TCP |

Table 14 – TS7600 Replication Port Information

TS7650 remote access is secured by TSSC login security as described in section “3.0 Service access security”, whereas TS7610/TS7620 do not allow direct remote access. Local service personnel use default user IDs and passwords for service access; these are client changeable. TS7650G model DD6 no longer supports TSSC. Instead it utilizes embedded ECC for call home and AOS for remote access.

Note: TS7650G model DD6 does not provide support for a client web proxy when using ECC.


D.2 TS3500 Tape Library

The TS3500 Tape Library provides up to one Ethernet connection per library frame to the client’s network for access to the TS3500 Library Web Specialist. The client is to supply one IP address per desired TS3500 Web Specialist connection. The TS3500 Tape Library uses the following ports:

| Port | Function | Direction from TS3500 | Protocol |
|---|---|---|---|
| – | PING | Bi-directional | ICMP |
| 67/68 | DHCP | Outbound | UDP |
| 80 | HTTP | Bi-directional | TCP |
| 161/162 | SNMP | Bi-directional | TCP |
| 443 | HTTPS | Bi-directional | TCP |
| 3801 | TKLM/ISKLM Server (LME Only) | Outbound | TCP |
| 16311 | LDAP using SAS | Outbound | TCP |

Table 15 – TS3500 Port Information

D.3 3592-C07 Control Unit

The 3592-C07 Tape Control Unit requires the use of TSSC for call home capability. Refer to section “4.1 TS3000 System Console (TSSC)” for additional port information. The 3592-C07 Tape Control Unit uses the following ports for client connection:

| Port | Function | Direction from TS7700 | Protocol |
|---|---|---|---|
| – | PING | Outbound | ICMP |
| 80 | HTTP | Inbound | TCP |
| 443 | HTTPS | Inbound | TCP |
| 3801 | TKLM/ISKLM Server | Outbound | TCP |

Table 16 – 3592-C07 Management Interface Port Information


References

IBM TS3000 System Console (TSSC)

IBM TS4500 Knowledge Center: http://www.ibm.com/support/knowledgecenter/STQRQ9/com.ibm.storage.ts4500.doc/ts4500_ichome.html

IBM TS7700 Knowledge Center: https://www.ibm.com/support/knowledgecenter/STFS69_5.0.0/hydra_c_ichome.html

IBM Security Key Lifecycle Manager Knowledge Center: http://www.ibm.com/support/knowledgecenter/SSWPVP/welcome

IBM XIV Remote Support Proxy overview: http://www.ibm.com/support/knowledgecenter/STJTAG/com.ibm.help.xiv_rsp12.doc/xiv_rspoverview.html


Disclaimers

Copyright © 2020 by International Business Machines Corporation.

The information provided by this media supports the products and services described with consideration for the conditions described herein. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries to: IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, NY 10504-1785, U.S.A.

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk. IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only. This information is for planning purposes only. The information herein is subject to change before the products described become available.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

Trademarks

The following are trademarks or registered trademarks of International Business Machines in the United States, other countries, or both. IBM®, System StorageTM, TotalStorage®, DFSMS/MVS, S/390, z/OS, zSeries, RETAIN®, Virtualization engine®, OS/2®, AIX®,

Other company, product, or service names may be the trademarks or service marks of others.