Subject: Configuring Call Home on HMC 5.2 Using ssh Instead of VPN
Date: March 19, 2006
HMC V5.2, released in February, allows you to configure call-home to IBM Service using Secure Socket Layer connections. For many customers, this is preferable to using the Internet VPN option.
Here are instructions for configuring outbound communication using SSL:
- Go to the Remote Support menu under Service Applications.
- Select the Customize Outbound Connectivity task.
- Connectivity options include Modem, Internet, Internet VPN and Pass-Through Systems. (Pass-Through Systems are i5/OS partitions.) For SSL connectivity, select the Internet tab.
- A Note appears in bold face type suggesting going to the Help menu to see if additional firewall configuration is necessary. This refers to a firewall that exists between the HMC and the Internet. This is nearly always the case. If you follow the links for Internet connectivity in the Help text, you will arrive at a screen telling you to allow outbound communications on port 443 for the following IP addresses. You should have four IP addresses open, two for authentication and two for access to IBM Service by geography:
- 220.127.116.11 and 18.104.22.168 (IBM Service to System Authentication Server)
- 22.214.171.124 and 126.96.36.199 (Allow HMC access to IBM Service for North and South America)
- 188.8.131.52 and 184.108.40.206 (Allow HMC access to IBM Service for all other regions)
- At the top of this screen, you can check a box to make this HMC a call-home server for other HMCs on the same subnet. Notice the limitation that they must be on the same subnet.
- To enable call-home using SSL, check the box to Allow an Existing Internet Connection for Service.
- Use the Test button to make sure outbound connectivity is working. During the test, you will see detailed status information showing that sockets have been successfully opened on the remote IBM server.
This new functionality is for outbound communication only. If you desire inbound communication from IBM to your HMC and its managed servers, you would have to choose either modem or Internet VPN as your access method. Additional enhancements in call-home support can be expected in the future
Thanks to Ron Barker for this tip.
March 19, 2006