system software, ibm power event
DESCRIPTION
IBM Power - System software. With IBM Power System Software you can optimize and simplify the operation of your IT. Hear, among other things, about our effective new software module, IBM PowerSC (Security and Compliance). Jan Kristian Nielsen, Client Architect, IBM
TRANSCRIPT
© 2012 IBM Corporation
IBM System Software, Hindsgavl – 2 May 2012
Jan Kristian Nielsen - Client Architect, 2 May 2012
© 2009 IBM Corporation
IBM System Software Hierarchy
Diagram layers: Hardware; Hypervisor (Firmware); PowerSC; PowerVM; VMControl; IBM Systems Director; IBM Tivoli; PowerHA; Operating Systems. Scope labels: Single System, Enterprise-wide.
System Management
IBM Systems Director 6.3
• Simplify platform management across server and storage infrastructure
• Focus on health, status, automation
• Manage physical and virtual resources
• Common navigation, look and feel
• Enable upward integration to enterprise service management
IBM® Systems Director provides platform lifecycle management
• Consolidation of Platform Management Tools
 – Single consistent cross-platform management tool
 – Simplified tasks via Web based interface
 – Manage many systems from one console
• Physical and Virtual Management
 – Discovery and Inventory of physical and virtual resources
 – Configuration and provisioning of platform resources
 – Status, Health, and Monitoring of platform resources
 – Visualization of server resource topologies
 – Move virtual servers between systems without disruption to running workloads
• Platform Update Management
 – Simplified consistent cross-platform tools to acquire, distribute and install firmware, driver and OS updates
What can IBM® Systems Director manage?
• Blade and Modular System resources:
 – BladeCenter, Blade servers (x, Power, Cell), I/O modules
 – System x servers
 – VMware ESX, VMware 3i, MSVS, Xen
 – Windows, Linux
• POWER System resources:
 – HMC, IVM, Virtual I/O Server, System i/p Servers
 – AIX, POWER Linux, IBM i
• Mainframe System resources:
 – Linux on zSeries
 – z/VM
• HP, Dell, and other OEM x86 systems
• SNMP-based devices:
 – Network, storage, power distribution units, etc.
• CIM-based devices (CIM = Common Information Model)
• Storage resources (SMI-S):
 – LSI (IRC), DS3000, DS4000, DS6000, RSSM
 – SAS Switch (NSSM, RSSM), Brocade FC Switch, Qlogic FC Switch
IBM Systems Director - End-to-End Management
Diagram (architecture overview):
• IBM and non-IBM hardware (System x & BladeCenter, System z, Power Systems, Storage); managed virtual and physical environments
• Base Systems Director Managers & Hardware Platform Managers: Core Director Services (Discovery, Status, Configuration, Update, Automation, Remote Access, Virtualization); Resource Management; Storage Configuration
• Advanced Managers & Priced Plug-Ins ($$): VMControl, Network Control, Storage Control, WPAR Manager, Image Manager, Transition Mgr for HP SIM, BOFM, Service & Support Manager, Active Energy Manager, Additional Plug-Ins
• IBM® Systems Director Editions
• Enterprise Service Management / Integrated Service Management; Other Systems Management Software
IBM Systems Director topology
• Three-tier architecture
• Thousands of managed end-points
• Upward Integration modules supporting:
 – IBM Tivoli, Computer Associates, Hewlett Packard, Microsoft
Diagram (three tiers):
 – Management Interface: Web-based Interface
 – IBM Systems Director Server; Database (Local or Remote) – Apache Derby (local default), SQL, DB2 or Oracle
 – IBM Systems Director Agents on Managed Systems (All IBM Server platforms, Desktops, Laptops, SNMP devices, CIM devices); deploying agents: Common Agent, Platform Agent, (No Agent)
IBM Tivoli and Systems Director: Together deliver a comprehensive, ultra-scalable end-to-end systems and service management solution
Diagram (functionality by layer: Hardware, Operating System, Middleware, Physical/Virtual Resources and Applications, Network):
IBM Systems Director – “Care and feeding” of platform hardware
 – Tell me what I have
 – Let me configure, install and tweak it
 – Tell me if it’s working
 – Let me update it
IBM Tivoli – Integrated visibility, control & automation across business and technology assets
 – See the business with real-time dashboards
 – Govern the business with integrated asset control solutions
 – Optimize the business with automated solutions
PowerSC
IBM Power Systems
Power is Performance Redefined
PowerSC: Security and Compliance
The Foundation of Trust for AIX
Illustration by Chris Short
Security Concerns in a virtualized environment
1. Trusted Boot: How can I be sure that a VM’s OS has booted in a known-trusted state?
2. Trusted Execution: How can I be sure that the application binaries are safe to run?
3. Trusted Logging: How can I be sure that audit files are safe from malicious modification?
4. Compliance Automation: How can I raise alerts when security policies are violated?
5. Trusted Network Connect: How do I ensure that a new system is trustworthy when it attempts to join a secure network?
Diagram: VM1–VM4 (App on OS) on the Hypervisor with a vTrusted Platform Module; Trusted Logging SVM; Hardened VIOS; PowerSC Platform Management; TNC.
PowerSC Answers These Questions
1. Trusted Boot: How can I be sure that a VM’s OS has booted in a known-trusted state?
2. Trusted Execution: How can I be sure that the application binaries are safe to run?
3. Trusted Logging: How can I be sure that audit files are safe from malicious modification?
4. Compliance Automation: How can I be sure data security standards are being followed?
5. Trusted Network Connect: How do I ensure that a new system is trustworthy when it attempts to join a secure network?
PowerSC – Trusted Boot and Trusted Execution
Challenge: Ensure that every virtual machine image in your datacenter hasn’t been altered, either by accident or maliciously.
PowerSC Solution: Trusted Boot forms the core root of trust for the image, i.e. a foundation for trust. Each stage of the boot process measures the next, starting at the firmware.
• PowerSC offers the only solution on the market to form a chain of trust for VMs all the way from boot to application!
• Improve QoS by reducing the risk of accidental or malicious image tampering
• Reduce the time it takes to ensure that every VM in your datacenter is running authorized and trusted software.
How PowerSC works:
1. Measure the boot process and securely store the results in a Virtual Trusted Platform Module (vTPM)
2. Provide a sealed set of measurements to the requestor
3. Verify these measurements against a reference manifest
Diagram: measurement chain BIOS → Kernel → O/S → Applications
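The measure-then-verify chain described above, as an added illustration that is not PowerSC's own code: each stage hashes the next into a register modelled on a TPM PCR extend, and the result is compared with a reference manifest; the stage images and names are constructed sample values.

```python
"""Added example, not PowerSC code: a simulation of the measure-then-extend
chain on this slide. Each stage hashes the next into a register (modelled on
a TPM PCR extend) before passing control; the final value and per-stage log
are checked against a reference manifest built from known-good images.
All stage contents are constructed sample bytes."""
import hashlib

# Constructed stand-ins for each boot stage's image, in boot order.
KNOWN_GOOD_STAGES = {
    "bios": b"firmware image eFW7.4 (sample)",
    "kernel": b"aix kernel image (sample)",
    "os": b"os root filesystem (sample)",
    "applications": b"application binaries (sample)",
}

def extend(register: bytes, measurement: bytes) -> bytes:
    # PCR-style extend: new = H(old || measurement); stage order matters.
    return hashlib.sha256(register + measurement).digest()

def measure_boot(stages: dict) -> dict:
    """Return the per-stage measurement log and the final register value."""
    register = bytes(32)  # a TPM PCR starts at all zeros
    log = []
    for name, image in stages.items():
        digest = hashlib.sha256(image).digest()
        register = extend(register, digest)
        log.append((name, digest.hex()))
    return {"log": log, "register": register.hex()}

def reference_manifest(stages: dict) -> dict:
    # Expected log and register for the trusted images, computed offline.
    return measure_boot(stages)

def verify(report: dict, manifest: dict) -> tuple:
    """(True, None) if the chain matches, else (False, first bad stage)."""
    if report["register"] == manifest["register"]:
        return (True, None)
    for (name, got), (_, want) in zip(report["log"], manifest["log"]):
        if got != want:
            return (False, name)
    return (False, "unknown")

if __name__ == "__main__":
    manifest = reference_manifest(KNOWN_GOOD_STAGES)
    print(verify(measure_boot(KNOWN_GOOD_STAGES), manifest))
    tampered = dict(KNOWN_GOOD_STAGES, kernel=b"modified kernel (sample)")
    print(verify(measure_boot(tampered), manifest))
```

Because every later register value depends on every earlier measurement, a change to one stage alters the final value, and the per-stage log lets the verifier name the stage that diverged.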
PowerSC Moves to “Known Good Model”: Only Allow Known Trusted Software to Run
• Security Vulnerability Detection tends to work on a “Known Bad Model”. This reactive model blocks intrusions based on historical break-ins.
• PowerSC Trusted Boot employs a more efficient “Known Good Model” which only allows trusted images to run.
Power Systems are “hermetically sealed” with tight interlocks between the hardware, virtualization and software.
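The contrast between the two models above, as an added example that is not PowerSC's own code: a blocklist admits anything not seen in a past incident, while an allowlist built from a reference manifest refuses a freshly modified binary; the paths, binaries and hashes are constructed sample values.

```python
"""Added example, not PowerSC code: contrasts the two admission models on
this slide for application binaries. A blocklist (known bad) only rejects
hashes seen in past incidents; an allowlist (known good) rejects anything
not in the reference manifest, so a never-seen-before modified binary is
caught. All binaries and hashes are constructed sample values."""
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample binaries as shipped (the "known good" set).
TRUSTED_BINARIES = {
    "/usr/bin/ls": b"ls binary (sample)",
    "/usr/sbin/sshd": b"sshd binary (sample)",
}
# Reference manifest: path -> hash of the trusted content.
KNOWN_GOOD = {path: sha256(data) for path, data in TRUSTED_BINARIES.items()}
# Blocklist built from one past incident (a constructed sample hash).
KNOWN_BAD = {sha256(b"malware seen last year (sample)")}

def known_bad_model(path: str, content: bytes) -> bool:
    """Reactive model: run unless the hash matches a historical bad sample."""
    return sha256(content) not in KNOWN_BAD

def known_good_model(path: str, content: bytes) -> bool:
    """Trusted Execution model: run only if path and hash match the manifest."""
    return KNOWN_GOOD.get(path) == sha256(content)

def compare_models(path: str, content: bytes) -> dict:
    """Decision of each model for one binary: True means allowed to run."""
    return {"known_bad": known_bad_model(path, content),
            "known_good": known_good_model(path, content)}

if __name__ == "__main__":
    # Unmodified binary: both models allow it.
    print(compare_models("/usr/bin/ls", TRUSTED_BINARIES["/usr/bin/ls"]))
    # Freshly modified binary: never seen before, so the blocklist lets it run
    # while the allowlist refuses it.
    print(compare_models("/usr/bin/ls", b"ls binary, modified (sample)"))
    # Historical malware: both refuse it.
    print(compare_models("/tmp/x", b"malware seen last year (sample)"))
```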
“But I’ve already written scripts to check Security and Compliance”
A: Home-grown scripts are expensive to maintain and error prone:
• Who certifies to auditors that these scripts match security standards?
• Are scripts secure against modification or tampering?
• What is the cost of maintenance of scripts?
• Who monitors data security standards and ensures that the scripts are updated?
• Is there a standard set of scripts in the company or does every group roll their own?
• What happens when the author of the scripts leaves the company?
• Do all administrators understand what the scripts do and what the expected results are?
PowerSC – Security Compliance Automation
Challenge: Demonstrate compliance with regulatory standards by setting security configurations on systems in a uniform manner.
PowerSC solution: Compare settings across all of the systems in the datacenter against prebuilt profiles, e.g. Payment Card Industry (PCI), DoD STIG and COBIT.
• Lower administration costs by setting security configs in a repeatable manner
• Lower admin costs by automating compliance reporting
• Automatic remediation of servers that are out of compliance
How PowerSC works:
• A single dashboard monitors compliance and generates audit reports.
• Sets and checks compliance for systems based on prebuilt security profiles
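The check, report and remediate loop described above, as an added example that is not PowerSC's own code: a small constructed profile (not PCI, DoD STIG or COBIT content) is compared against constructed settings for three hosts, findings are reported per host, and out-of-compliance settings are set back to the profile's bound.

```python
"""Added example, not PowerSC code: the check / report / remediate loop this
slide describes, run over constructed settings for three systems. The
profile is a small constructed sample in the spirit of a security profile,
not PCI, DoD STIG or COBIT content."""
import copy
import operator

OPS = {"==": operator.eq, ">=": operator.ge, "<=": operator.le}

# Constructed sample profile: setting -> (comparison, required bound).
PROFILE = {
    "minlen": (">=", 8),           # minimum password length
    "maxage": ("<=", 90),          # maximum password age in days
    "telnet_enabled": ("==", False),
    "audit_enabled": ("==", True),
}

# Constructed current settings of three systems.
SYSTEMS = {
    "aix01": {"minlen": 8, "maxage": 90, "telnet_enabled": False, "audit_enabled": True},
    "aix02": {"minlen": 6, "maxage": 90, "telnet_enabled": True, "audit_enabled": True},
    "aix03": {"minlen": 12, "maxage": 365, "telnet_enabled": False, "audit_enabled": False},
}

def check(settings: dict, profile: dict) -> list:
    """Findings for one system as (setting, current value, requirement)."""
    findings = []
    for key, (op, bound) in profile.items():
        current = settings.get(key)  # a missing setting is a finding too
        if current is None or not OPS[op](current, bound):
            findings.append((key, current, f"{op} {bound}"))
    return findings

def report(systems: dict, profile: dict) -> dict:
    """Dashboard view: host -> findings; an empty list means compliant."""
    return {host: check(cfg, profile) for host, cfg in systems.items()}

def remediate(systems: dict, profile: dict) -> dict:
    """Copy of the systems with every finding set to the profile's bound."""
    fixed = copy.deepcopy(systems)
    for host, findings in report(systems, profile).items():
        for key, _current, _requirement in findings:
            fixed[host][key] = profile[key][1]
    return fixed

def compliant_hosts(systems: dict, profile: dict) -> list:
    return sorted(h for h, f in report(systems, profile).items() if not f)

if __name__ == "__main__":
    for host, findings in report(SYSTEMS, PROFILE).items():
        print(host, "compliant" if not findings else "OUT OF COMPLIANCE", findings)
    print(compliant_hosts(remediate(SYSTEMS, PROFILE), PROFILE))
```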
PowerSC – Trusted Network Connect
Challenge: Ensure that images are trusted and at the proper patch level when they connect to the network.
PowerSC Solution: Trusted Network Connect and Patch Management detects noncompliant virtual machines during activation and alerts administrators immediately.
• Reduce business risk by active notification of down-level systems via email and SMS.
• Lower admin costs by automatically spotting non-compliant systems within the virtual data center and cloud environments
• Lower costs of demonstrating compliance. Monitoring at virtual machine activation proves compliance with patch policy
How PowerSC works:
• An image that does not meet trusted measurements and patch levels will trigger an alert to the administrator.
Diagram: a VM flagged “Out of compliance” at activation.
PowerSC – Trusted Logging
Challenge: Prevent malicious users from “covering their tracks.”
PowerSC Solution: Move log events to a secure external VM via the hypervisor. Centralized logging ensures that even when virtual machines are discarded the audit logs remain in the central location for audit purposes.
• Discourage malicious activity by ensuring individual accountability; trace actions to authenticated individuals.
• Reduce the time it takes to identify tampering and/or unauthorized changes
• Reduce the time it takes to demonstrate Security Compliance by maintaining strict control over audit logs.
How PowerSC works:
• Trusted Logging provides tamperproof secure centralized protection for AIX audit and system logs and is integrated with PowerVM virtualization.
• Access to the Secure VM is limited to a few privileged super users
• Guest VM logs can be managed and backed up from a single location within each physical server.
• Log scraping agents and reporting agents can be removed from the guest OS.
PowerSC Editions: Security and Compliance Options
• PowerSC Express – Basic compliance for AIX
• PowerSC Standard – Security and compliance for virtual & cloud environments

PowerSC Editions                               Express   Standard
Security and Compliance Automation             Yes       Yes
Trusted Logging                                –         Yes
Trusted Boot **                                –         Yes
Trusted Network Connect and Patch Management   –         Yes
** Requires POWER7 System with eFW7.4
Learn more about PowerSC on the Web
http://www.ibm.com/systems/power/software/security/
Performance Advisors
• Run advisors on test or production systems.
• Advisors will evaluate the environment for performance optimization opportunities
 – Gives guidance on how to make the necessary changes.
• Three advisors available:
 – Java
 – VIOS & Virtual Ethernet
 – Virtualization
• “Built in Smarts” to detect some of the most common problems that are encountered
• Available on developerWorks
 – FREE OF CHARGE
• Link: https://www.ibm.com/developerworks/wikis/display/WikiPtype/Other+Performance+Tools
Introducing the VIOS Advisor
• What is it? The VIOS advisor is a standalone application that polls key performance metrics for minutes or hours, before analyzing the results to produce a report that summarizes the health of the environment and proposes potential actions that can be taken to address performance inhibitors.
• How does it work?
 STEP 1) Download VIOS Advisor (https://www.ibm.com/developerworks/wikis/display/WikiPtype/VIOS+Advisor)
 STEP 2) Run Executable in the VIOS Partition – only a single executable is required to run within the VIOS; the VIOS Advisor can monitor from 5 min and up to 24 hours
 STEP 3) View XML File – open up the .xml file using your favorite web browser to get an easy to interpret report summarizing your VIOS status.
Screenshot 1: Overview – Get a comprehensive summary of your VIOS’ health on a single page.
https://www.ibm.com/developerworks/wikis/display/WikiPtype/VIOS+Advisor
Components Monitored by VIOS Advisor

Component: Drive Performance
 Addresses these common issues: Identifies overstressed drives.
 Monitors: Latencies; Drive Saturation

Component: FC Adapters
 Addresses these common issues: Detects oversaturation of fibre-channel adapters, especially in NPIV (N-Port ID Virtualization) environments
 Monitors: Adapter Saturation; Idle adapters; Port Speeds

Component: Memory
 Addresses these common issues: Informs when memory allocated to the VIOS could contribute to or is causing negative performance impacts.
 Monitors: Memory Sizing; VMM Paging Rate; Swap Space; Pinned Memory

Component: CPU
 Addresses these common issues: VIOS undersized due to insufficient CPU allocation. Shared processing pool is over-utilized.
 Monitors: CPU Capacity; Shared Processing Capacity VIOS (Uncapped Processor Weight Capacity, Virtual Processor Count, SMT (simultaneous multithreading) Mode, Shared Pool Utilization); Dedicated Processing Capacity VIOS (Dedicated Processor Donation)
END