system software, ibm power event

© 2012 IBM Corporation IBM System Software Hindsgavl – 2 May 2012 Jan Kristian Nielsen - Client Architect

Upload: ibm-danmark

Post on 22-May-2015


DESCRIPTION

IBM Power - System software. With IBM Power System Software you can optimize and simplify the operation of your IT. Hear, among other things, about our effective new software module, IBM PowerSC (Security and Compliance). Jan Kristian Nielsen, Client Architect, IBM

TRANSCRIPT

Page 1: System Software, IBM Power Event

© 2012 IBM Corporation

IBM System Software

Hindsgavl – 2 May 2012

Jan Kristian Nielsen - Client Architect

Page 2: System Software, IBM Power Event

© 2009 IBM Corporation

IBM System Software Hierarchy

Hardware

Hypervisor (Firmware)

PowerSC

PowerVM

VMControl

IBM Systems Director

IBM Tivoli

Enterprise-wide

Single System

PowerHA

Operating Systems

Page 3: System Software, IBM Power Event


System Management

Page 4: System Software, IBM Power Event

IBM Systems Director 6.3

• Simplify platform management across server and storage infrastructure

• Focus on health, status, automation

• Manage physical and virtual resources

• Common navigation, look and feel

• Enable upward integration to enterprise service management

Page 5: System Software, IBM Power Event

IBM® Systems Director provides platform lifecycle management

• Consolidation of Platform Management Tools

– Single consistent cross-platform management tool

– Simplified tasks via Web based interface

– Manage many systems from one console

• Physical and Virtual Management

– Discovery and Inventory of physical and virtual resources

– Configuration and provisioning of platform resources

– Status, Health, and Monitoring of platform resources

– Visualization of server resource topologies

– Move virtual servers between systems without disruption to running workloads

• Platform Update Management

– Simplified consistent cross-platform tools to acquire, distribute and install firmware, driver and OS updates

Page 6: System Software, IBM Power Event

What can IBM® Systems Director manage?

• Blade and Modular System resources:

– BladeCenter, Blade servers (x, Power, Cell), I/O modules

– System x servers

– VMware ESX, VMware 3i, MSVS, Xen

– Windows, Linux

• POWER System resources:

– HMC, IVM, Virtual I/O Server, System i/p Servers

– AIX, POWER Linux, IBM i

• Mainframe System resources:

– Linux on zSeries

– z/VM

• HP, Dell, and other OEM x86 systems

• SNMP-based devices:

– Network, storage, power distribution units, etc.

• CIM-based devices

– CIM = Common Information Model

• Storage resources (SMI-S)

– LSI (IRC), DS3000, DS4000, DS6000, RSSM

– SAS Switch (NSSM, RSSM), Brocade FC Switch, Qlogic FC Switch

Page 7: System Software, IBM Power Event

IBM Systems Director - End-to-End Management

[Diagram. Labels recovered from the figure:]

• Enterprise Service Management; Integrated Service Management; Other Systems Management Software

• IBM® Systems Director Editions

• Advanced Managers & Priced Plug-Ins

• Base Systems Director Managers & Hardware Platform Managers

• VMControl; Network Control; Storage Control; WPAR Manager; Active Energy Manager; VMControl Image Manager; Transition Mgr for HP SIM; BOFM; Service & Support Manager; Additional Plug-Ins

• Automation; Status; Configuration; Discovery; Update; Remote Access; Virtualization; Core Director Services

• Configuration; System x & Blade Center; System z; Power Systems; Storage Configuration

• Resource Management; Managed virtual and physical environments

• Hardware; IBM and non-IBM hardware

Page 8: System Software, IBM Power Event

IBM Systems Director topology

• Three-tier architecture

• Thousands of managed end-points

• Upward Integration modules supporting:

– IBM Tivoli, Computer Associates, Hewlett Packard, Microsoft

[Diagram labels:]

IBM Systems Director Agents

Managed Systems (All IBM Server platforms, Desktops, Laptops, SNMP devices, CIM devices)

Management Interface

Web-based Interface

IBM System Director Server

Deploying agents:

• Common Agent

• Platform Agent

• (No Agent)

Database (Local or Remote) – Apache Derby (local default), SQL, DB2 or Oracle

Page 9: System Software, IBM Power Event

IBM Tivoli and Systems Director

Together deliver a comprehensive, ultra-scalable end-to-end systems and service management solution

[Diagram layers: Hardware; Operating System; Middleware; Network; Physical/Virtual Resources and Applications. Axis label: Functionality]

IBM Systems Director

“Care and feeding” of platform hardware

• Tell me what I have

• Let me configure, install and tweak it

• Tell me if it’s working

• Let me update it

IBM Tivoli

Integrated visibility, control & automation across business and technology assets

• See the business with real-time dashboards

• Govern the business with integrated asset control solutions

• Optimize the business with automated solutions

Page 10: System Software, IBM Power Event


PowerSC

Page 11: System Software, IBM Power Event


IBM Power Systems

Power is Performance Redefined

PowerSC

SECURITY AND COMPLIANCE

The Foundation of Trust for AIX

Illustration by Chris Short

Page 12: System Software, IBM Power Event


1. Trusted Boot: How can I be sure that a VM’s OS has booted in a known-trusted state?

2. Trusted Execution: How can I be sure that the application binaries are safe to run?

3. Trusted Logging: How can I be sure that audit files are safe from malicious modification?

4. Compliance Automation: How can I raise alerts when security policies are violated?

5. Trusted Network Connect: How do I ensure that a new system is trustworthy when it attempts to join a secure network?

Security Concerns in a virtualized environment

[Diagram labels: vTrusted Platform Module; VM1 to VM4, each with App and OS; Trusted Logging; SVM; Hardened VIOS; TNC; PowerSC Platform Management; Hypervisor]

Page 13: System Software, IBM Power Event


PowerSC Answers These Questions

1. Trusted Boot: How can I be sure that a VM’s OS has booted in a known-trusted state?

2. Trusted Execution: How can I be sure that the application binaries are safe to run?

3. Trusted Logging: How can I be sure that audit files are safe from malicious modification?

4. Compliance Automation: How can I be sure data security standards are being followed?

5. Trusted Network Connect: How do I ensure that a new system is trustworthy when it attempts to join a secure network?

Page 14: System Software, IBM Power Event


PowerSC – Trusted Boot and Trusted Execution

Challenge: Ensure that every virtual machine image in your datacenter hasn’t been altered either by accident or maliciously.

PowerSC Solution: Trusted Boot forms the core root of trust for the image, i.e. a foundation for trust. Each stage of the boot process measures the next, starting at the firmware.

• PowerSC offers the only solution on the market to form a chain of trust for VMs all the way from boot to application!

• Improve QoS by reducing the risk of accidental or malicious image tampering

• Reduce the time it takes to ensure that every VM in your datacenter is running authorized and trusted software.

How PowerSC works:

1. Measure the boot process and securely store the results in a Virtual Trusted Platform Module (vTPM)

2. Provide a sealed set of measurements to the requestor

3. Verify these measurements against a reference manifest

[Diagram labels, top to bottom: Applications; O/S; Kernel; BIOS]
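The three steps under "How PowerSC works", as an added Python example that is not IBM's or PowerSC's code. It assumes a simulated vTPM register, SHA-256 as the hash, and an HMAC standing in for the vTPM's signature over the measurements; the stage names and images are constructed.

```python
import hashlib
import hmac

STAGES = ["firmware", "kernel", "os", "applications"]  # boot order, firmware first

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new register value = H(old value || measurement)."""
    return hashlib.sha256(pcr + measurement).digest()

def measure_boot(images: dict) -> tuple:
    """Step 1: hash each stage in boot order and fold it into the register."""
    pcr, log = bytes(32), []
    for stage in STAGES:
        digest = hashlib.sha256(images[stage]).digest()
        log.append((stage, digest))
        pcr = extend(pcr, digest)
    return pcr, log

def quote(pcr: bytes, nonce: bytes, key: bytes) -> bytes:
    """Step 2: bind the register to the requestor's nonce (HMAC is a stand-in)."""
    return hmac.new(key, nonce + pcr, hashlib.sha256).digest()

def verify(log, pcr, tag, nonce, key, manifest) -> list:
    """Step 3: check the quote, replay the log, compare with the manifest."""
    failures = []
    if not hmac.compare_digest(tag, quote(pcr, nonce, key)):
        failures.append("quote: bad tag or stale nonce")
    replayed = bytes(32)
    for stage, digest in log:
        replayed = extend(replayed, digest)
        if manifest.get(stage) != digest:
            failures.append(f"{stage}: not in reference manifest")
    if replayed != pcr:
        failures.append("log does not replay to the quoted PCR")
    return failures

# Constructed sample images; real measurements cover the actual boot components.
GOOD = {s: f"{s}-image-v1".encode() for s in STAGES}
MANIFEST = {s: hashlib.sha256(GOOD[s]).digest() for s in STAGES}
KEY, NONCE = b"demo-attestation-key", b"verifier-nonce-01"

def attest(images: dict) -> list:
    """Run all three steps for one boot and return the verifier's findings."""
    pcr, log = measure_boot(images)
    return verify(log, pcr, quote(pcr, NONCE, KEY), NONCE, KEY, MANIFEST)
```

An empty list from `attest` means the boot matched the manifest; a rewritten event log is caught because it no longer replays to the quoted register value.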

Page 15: System Software, IBM Power Event


PowerSC Moves to “Known Good Model”

Only Allow Known Trusted Software to Run

• Security Vulnerability Detection tends to work on a “Known Bad Model”. This reactive model blocks intrusions based on historical break-ins.

• PowerSC Trusted Boot employs a more efficient “Known Good Model” which only allows trusted images to run.

Power Systems are “hermetically sealed” with tight interlocks between the hardware, virtualization and software.

Page 16: System Software, IBM Power Event


“But I’ve already written Scripts to check Security and Compliance”

A: Home Grown scripts are expensive to maintain and error prone:

• Who certifies to auditors that these scripts match security standards?

• Are scripts secure against modification or tampering?

• What is the cost of maintenance of scripts?

• Who monitors data security standards and ensures that the scripts are updated?

• Is there a standard set of scripts in the company or does every group roll their own?

• What happens when the author of the scripts leaves the company?

• Do all administrators understand what the scripts do and what the expected results are?

Page 17: System Software, IBM Power Event


PowerSC – Security Compliance Automation

Challenge: Demonstrate compliance to Regulatory standards by setting security configurations on systems in a uniform manner.

PowerSC solution: Compare settings across all of the systems in the datacenter against prebuilt profiles, e.g. Payment Card Industry (PCI), DoD STIG and COBIT.

• Lower Administration costs by setting security configs in a repeatable manner

• Lower Admin costs by automating compliance reporting

• Automatic remediation of servers that are out of compliance

How PowerSC works:

• A single dashboard monitors compliance and generates audit reports.

• Sets and checks compliance for systems based on prebuilt security profiles

Page 18: System Software, IBM Power Event


PowerSC – Trusted Network Connect

Challenge: Ensure that images are trusted and at the proper patch level when they connect to the network.

PowerSC Solution: Trusted Network Connect and Patch Management detects noncompliant virtual machines during activation and alerts administrators immediately.

• Reduce business risk by active notification of down level systems via email and SMS.

• Lower admin costs by automatically spotting non compliant systems within the virtual data center and cloud environments

• Lower costs of demonstrating compliance. Monitoring at virtual machine activation proves compliance to patch policy

[Diagram label: Out of compliance]

How PowerSC works:

• An image that does not meet trusted measurements and patch levels will trigger an alert to the administrator.

Page 19: System Software, IBM Power Event


PowerSC – Trusted Logging

Challenge: Prevent malicious users from “covering their tracks.”

PowerSC Solution: Move log events to a secure external VM via the hypervisor. Centralized logging ensures that even when virtual machines are discarded, the audit logs remain in the central location for audit purposes.

• Discourage malicious activity by ensuring individual accountability; trace actions to authenticated individuals.

• Reduce the time it takes to identify tampering and/or unauthorized changes

• Reduce the time it takes to demonstrate Security Compliance by maintaining strict control over audit logs.

How PowerSC works:

• Trusted Logging provides tamperproof secure centralized protection for AIX audit and system logs and is integrated with PowerVM virtualization.

• Access to the Secure VM is limited to a few privileged super users

• Guest VM logs can be managed and backed up from a single location within each physical server.

• Log scraping agents and reporting agents can be removed from guest OS.

Page 20: System Software, IBM Power Event

PowerSC Editions: Security and Compliance Options

• PowerSC Express

– Basic compliance for AIX

• PowerSC Standard

– Security and compliance for virtual & cloud environments

PowerSC Editions | Express | Standard

Security and Compliance Automation | ✓ | ✓

Trusted Logging | | ✓

Trusted Boot** | | ✓

Trusted Network Connect and Patch Management | | ✓

** Requires POWER7 System with eFW7.4

Page 21: System Software, IBM Power Event


http://www.ibm.com/systems/power/software/security/

Learn more about PowerSC on the Web


Page 22: System Software, IBM Power Event

Performance Advisors

Page 23: System Software, IBM Power Event

Performance Advisors

• Run advisors on test or production systems.

• Advisors will evaluate the environment for performance optimization opportunities

– Gives guidance on how to make the necessary changes.

• Three advisors available:

– Java

– VIOS & Virtual Ethernet

– Virtualization

• “Built in Smarts” to detect some of the most common problems that are encountered

• Available on Developer Works

– FREE OF CHARGE

• Link: https://www.ibm.com/developerworks/wikis/display/WikiPtype/Other+Performance+Tools

Page 24: System Software, IBM Power Event

Introducing the VIOS Advisor

• What is it?

The VIOS advisor is a standalone application that polls key performance metrics for minutes or hours, before analyzing the results to produce a report that summarizes the health of the environment and proposes potential actions that can be taken to address performance inhibitors.

• How does it work?

STEP 1) Download VIOS Advisor

STEP 2) Run Executable

– Only a single executable is required to run within the VIOS

– The VIOS Advisor can monitor from 5 min and up to 24 hours

STEP 3) View XML File

– Open up .xml file using your favorite web-browser to get an easy to interpret report summarizing your VIOS status.

https://www.ibm.com/developerworks/wikis/display/WikiPtype/VIOS+Advisor

Page 25: System Software, IBM Power Event


https://www.ibm.com/developerworks/wikis/display/WikiPtype/VIOS+Advisor

Get a comprehensive summary of your VIOS’ health on a single page.

Screenshot: 1 Overview

Page 26: System Software, IBM Power Event

Components Monitored by VIOS Advisor

Component: CPU

Monitors:

• CPU Capacity

• Shared Processing Capacity VIOS

– Uncapped Processor Weight Capacity

– Virtual Processor Count

– SMT (simultaneous multithreading) Mode

– Shared Pool Utilization

• Dedicated Processing Capacity VIOS

– Dedicated Processor Donation

Addresses these common issues: VIOS undersized due to insufficient CPU allocation. Shared processing pool is over utilized.

Component: Memory

Monitors:

• Memory Sizing

• VMM Paging Rate

• Swap Space

• Pinned Memory

Addresses these common issues: Informs when memory allocated to the VIOS could contribute or is causing negative performance impacts.

Component: FC Adapters

Monitors:

• Adapter Saturation

• Idle adapters

• Port Speeds

Addresses these common issues: Detects oversaturation of fibre-channel adapters, especially in NPIV (N-Port ID Virtualization) environments

Component: Drive Performance

Monitors:

• Latencies

• Drive Saturation

Addresses these common issues: Identifies overstressed drives.

Page 27: System Software, IBM Power Event


END
