HMC Connectivity Security

Edit: Link still works.

Originally posted July 14, 2015 on AIXchange

This white paper, published in April, examines HMC 830 connectivity security:

This document describes data that is exchanged between the Hardware Management Console (HMC) and the IBM Service Delivery Center (SDC). In addition it also covers the methods and protocols for this exchange. This includes the configuration of “Call Home” (Electronic Service Agent) on the HMC for automatic hardware error reporting. All the functionality that is described herein refers to Power Systems HMC version V6.1.0 and later as well as the HMC used for the IBM Storage System DS8000.

The document covers HMC connectivity methods, with the caveat that “starting in 2015, new products will no longer have outbound VPN connectivity capabilities.”

Before the HMC tries to connect to the IBM servers, it first establishes an encrypted VPN tunnel between the HMC and the IBM VPN server gateway. The HMC initiates this tunnel using Encapsulated Security Payload (ESP, Protocol 50) and User Datagram Protocol (UDP). After it is established, all further communications are handled through TCP sockets, which always originate from the HMC.

For the HMC to communicate successfully, the client’s external firewall must allow traffic for protocol ESP and port 500 UDP to flow freely in both directions. SNAT and masquerading rules to mask the HMC’s source IP address are both acceptable, but port 4500 UDP must be open in both directions instead of protocol ESP. The firewall may also limit the specific IP addresses to which the HMC can connect.

Although modem connectivity is still supported for some systems, its use is being deprecated and the support has been removed from POWER8. IBM recommends the usage of internet connectivity for faster service, due to the size of error data files that may be sent to IBM Support. …

Configuring the Electronic Service Agent tool on your HMC enables outbound communications to IBM Support only. Electronic Service Agent is secure, and does not allow inbound connectivity. However, HMC can configure customer controlled inbound communications. Inbound connectivity configurations allow an IBM Service Representative to connect from IBM directly to your HMC or the systems that the HMC manages. The following sections describe two different approaches to remote service. Both approaches allow only a one-time use after enabling.

Reasons for connecting to IBM
* Reporting a problem with the HMC or one of the systems it is managing back to IBM
* Downloading fixes for systems the HMC manages (Power HMC only)
* Reporting inventory and system configuration information back to IBM
* Sending extended error data for analysis by IBM
* Closing out a problem that was previously open
* Reporting heartbeat and status of monitored systems
* Sending performance and utilization data for system I/O, network, memory, and processors (Power HMC only)
* Transmission of live partition mobility (LPM) data (Power HMC only)
* Track maintenance statistics (Power HMC)
* Transmission of deconfigured resources (Power HMC only)
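To make the firewall prerequisites quoted above concrete, here is an added example (mine, not from the white paper or from IBM) that checks a firewall permit list against them: ESP and UDP/500 in both directions, or UDP/4500 in place of ESP when SNAT/masquerading hides the HMC, and no inbound-initiated TCP to the HMC since every later session originates there. The Rule schema and the two policy lists are constructed assumptions, and the destination names are placeholders rather than IBM's gateway addresses.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    """One permit rule on the client's external firewall (hypothetical schema)."""
    direction: str        # "out": HMC -> IBM, "in": IBM -> HMC
    proto: str            # "esp", "udp" or "tcp"
    port: Optional[int]   # destination port; None for ESP
    dst: str              # destination address, or "any"

def _permits(rules: List[Rule], direction: str, proto: str, port: Optional[int]) -> bool:
    return any(r.direction == direction and r.proto == proto and r.port == port
               for r in rules)

def check_call_home_policy(rules: List[Rule], nat_in_use: bool) -> List[str]:
    """Return findings; an empty list means the tunnel prerequisites are met."""
    findings = []
    for direction in ("out", "in"):
        # IKE on UDP/500 must flow both ways in every configuration
        if not _permits(rules, direction, "udp", 500):
            findings.append(f"UDP/500 not permitted {direction}bound")
        if nat_in_use:
            # behind SNAT/masquerading, UDP/4500 replaces raw ESP
            if not _permits(rules, direction, "udp", 4500):
                findings.append(f"UDP/4500 not permitted {direction}bound (required with SNAT)")
        elif not _permits(rules, direction, "esp", None):
            findings.append(f"ESP (protocol 50) not permitted {direction}bound")
    for r in rules:
        # post-tunnel traffic is TCP that always originates at the HMC, so an
        # inbound TCP permit exposes the HMC without helping call home
        if r.direction == "in" and r.proto == "tcp":
            findings.append(f"unneeded inbound TCP permit to HMC on port {r.port}")
        # the paper notes the firewall may restrict the addresses the HMC reaches
        if r.direction == "out" and r.dst == "any":
            findings.append(f"outbound {r.proto} permit not restricted to IBM gateway addresses")
    return findings

# Constructed sample policies; destination names are placeholders, not real addresses
DIRECT_POLICY = [
    Rule("out", "esp", None, "IBM_VPN_GATEWAY"), Rule("in", "esp", None, "HMC"),
    Rule("out", "udp", 500, "IBM_VPN_GATEWAY"), Rule("in", "udp", 500, "HMC"),
]
NAT_POLICY_WITH_GAPS = [
    Rule("out", "udp", 500, "any"), Rule("in", "udp", 500, "HMC"),
    Rule("out", "udp", 4500, "IBM_VPN_GATEWAY"),
    Rule("in", "tcp", 22, "HMC"),
]
```

Running `check_call_home_policy(NAT_POLICY_WITH_GAPS, nat_in_use=True)` reports the missing inbound UDP/4500 permit, the unrestricted outbound destination and the stray inbound TCP permit, while the direct policy passes cleanly.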

In addition, there’s a list of the data that is sent to IBM, including filenames and the information they contain:

When Electronic Service Agent on the HMC opens up a problem report for itself, or one of the systems that it manages, that report is called home to IBM. All the information in that report gets stored for up to 60 days after the closure of the problem. Problem data that is associated with that problem report is also called home and stored. That information and any other associated packages will be stored for up to three days and then deleted automatically. Support Engineers who are actively working on a problem may offload the data for debugging purposes and then delete it when finished. Hardware inventory reports and other various performance and utilization data may be stored for many years.

There are also sections that cover multiple HMCs and the IP addresses and ports that IBM uses for connectivity.

As always I recommend that you take the time to read the whole document.