On Thursday, 05/26/2011 at 03:12 EDT, Rob van der Heij <rvdh...@gmail.com> 
wrote:

> Neither may be parts of IBM. At least two installations told me that
> "IBM requires" that the original HMC user/pw combinations remain in
> place for the (different) IBM support person to be able to support
> them. I suppose that when the customer was more persuasive they could
> convince their support person of something else.

The bogosity index is extremely high on this one.  Each person who 
accesses the HMC should be given their own ID.  No sharing.  Multiple CEs? 
 Multiple IDs.  Best Practice is to change all of the passwords to the 
default user IDs or delete them.  Kind of like when you install RACF, the 
instructions tell you to remove authority from IBMUSER and REVOKE it.

In fact, PCI requires you to change all vendor-supplied/default 
security-related settings, including passwords, encryption keys, and SNMP 
community strings.

> Some Large shops have a separate LAN for delicate stuff and implement
> access control with RSA gear. That includes a process to expire access
> when people change roles, etc. This is where you find their HMC as
> well the local consoles for the LPARs. You can't seriously tell them
> to move some of that back into the public LAN and do local password
> management again.

Local password management?  I'm not following you on this.  My client has 
all 'normal' HMC IDs authenticated with the corporate directory server 
(Active Directory).

Leave the HMC behind the RSA gear.  It's not like general users of the 
operating systems are going to need HMC IDs.

Alan Altmark

z/VM and Linux on System z Consultant
IBM System Lab Services and Training 
ibm.com/systems/services/labservices 
office: 607.429.3323
mobile: 607.321.7556
alan_altm...@us.ibm.com
IBM Endicott
