January 2018 Newsletter

Greetings iTech Fan!

It’s the new year, with all new possibilities.  We wish you a very Happy New Year. I think everyone in the world decided that they wanted to get off of IBM i 7.1 before April 30, 2018 when support ends, and called us. We have been doing about 10 OS upgrades a week now for some time, and the schedule doesn’t look like that will slow down anytime soon. The good news is we are continuing to add to our staff, to be able to support our customers. If you are still on IBM i 7.1 you might want to reach out to us to upgrade you to 7.2 or 7.3 before April 30, 2018 so you don’t have to pay the extra Software Maintenance (SWMA) fee that you will encounter.  Figure it this way, for what you will be paying in additional SWMA if you stay on 7.1, we can do the OS upgrade so it is essentially a savings.  That’s right, having iTech upgrade you from 7.1 to 7.2 or 7.3, would be cheaper than paying the additional charge for IBM i 7.1 SWMA.  Plus you have at your fingertips all the new features and functions that have been added in recent releases. What are you waiting for?

We are expanding our remote systems administration offerings by adding security monitoring as an additional service.  There has been so many security issues in the news lately, are you sure that your machine hasn’t been affected?  Perhaps you should schedule a security health check to make sure that everything is in order. In addition, we offer an ongoing security monitoring service to keep you secure.  The more connected your computers become the more opportunities exist for exploitation. This access can allow people from both inside and outside of your company to access data or perform a function that they should not be doing. If this is something you are concerned about, and really everyone should be, then contact our sales team.  They can setup a presentation to discuss how we can help you meet your security goals.  Or better yet, talk to our sales group  by calling 1-203-744-7854 press 3 for sales.

This newsletter has 6 articles. The first article is on our first set of IBM i Security Roadshows we are doing in the northeast US. The second article by Steve on Meltdown and Spectre. The third article is by Yvonne on 2018 Deadlines for PCI DSS Compliance and how iTech Solutions can help you. The fourth article is by Phil on General Data Protection Regulation.  The fifth article lists some of the upcoming events in which iTech Solutions will be participating. The last article is for your reference with updated PTF information. Please note that for all 7.1 customers that are on the Quarterly or Semi-annual iTech Solutions PTF maintenance plan, we will be installing the latest PTFs as you are most likely now on Technology Refresh 11. For the 7.2 customers, we will be installing 7.2 Technology Refresh 7, and 7.3 will be Technology Refresh 3.

iTech Solutions Introduces New IBM i Security Framework and Monitoring Service at regional Seminar Series.  

DANBURY, CT — iTech Solutions Group, LLC. Introduces new IBM i Security Monitoring Service

At an upcoming regional seminar series, iTech Solutions Group will unveil a service unlike anything else in the industry. This new framework covers in detail all the mandatory and advisory security controls needed, with a dominant focus on the IBM i Server. This new Framework provides a security baseline for the community.. To complement this, iTech has built an onboarding methodology centered on best practice IBM iSecurity Controls Policies, which sets out the terms under which your system will be protected. The methodology also describes the procedures governing how you will achieve compliance and ongoing change control.

The seminar schedule dates are:
February 5 – Providence, RI
February 6 – Framingham, MA
February 7 – Waitsfield, VT
February 8 – Manchester, NH
February 12 – Westbury, LI
February 13 – Norwalk, CT
February 14 – New York City
February 15 – Fairfield, NJ

Pete Massiello, President and CEO of iTech Solutions Group, said “One of the key principles of the new service is to create momentum to drive improvements in security and risk management. Using this service will allow clients to drive their business forwards without worrying about a lack of inside skills, multiple tool configurations and increasingly more stringent legislation. This service is 100% designed to support clients’ current cyber-risk management processes and enhance where appropriate.”

Key Features of the new iTech IBM i Security Service:

    • Monitor the system security: To identify any security breaches and threats and unwanted/unauthorized access or access attempts.
    • Fully control and apply all the security needs and recommendations: To have full control on all security areas and to be able to close any breaches or potential threats from inside and outside the system.
    • Control access to the server: Especially through TCP/IP connections (ODBC, .NET, DDM, FTP…etc).
    • Event Monitoring: Monitor any critical system aspects that may lead to major system crash or performance degradation and send direct alerts to concerned people via SMS and e-mail to be able to take quick actions in order not to affect business continuity.
    • Reporting: Customizable, user-friendly reports bringing all security events to the forefront
    • Capability to close all major audit findings related to security and system monitoring on IBM i.
    • Compliance Reporting: Compliance policies configured and violations reported.

According to Phil Pearson, Chief Information Security Officer, “iTech is hosting customer security workshop sessions entitled Taking Back Control of your IBM i in order to guide and support IBM i customers in understanding how to better improve their security posture and help prepare for compliance and audit reporting”. To register for an upcoming seminar, please refer to the Events section of the website at: https://www.itechsol.com/events/. We are looking forward to seeing you at one of our events, please register for a session near you.

Spectre and Meltdown – What Do You Do?

Spectre And Meltdown Threats

The Spectre (Variant 1 & 2) and Meltdown (Variant 3) threats that target speculative execution on all CPU’s will affect IBM Power7, Power7+, Power8 and Power9 systems and IBM has stated that it will have firmware patches for Power Systems available but does not state if its patches will cover all three variants of the vulnerabilities. IBM has not issued fixes for Power6, Power6+, and Power7 systems.

What is not known at this time is what kind of performance impact the fixes for Spectre and Meltdown will have. It will probably depend on the nature of the CPU architecture, the way the memories are isolated and checked to keep users out of kernel space, and the way the applications make use of speculative execution.

It is possible that systems that are CPU or memory bound are going to thrash after the fixes are applied. Our advice is to benchmark the throughput of your system for some period of time before applying the patches, apply the patches and then run the tests again so that you fully understand and can document the impact.

As of January 13th, IBM has released operating system patches for IBM i 7.1, 7.2 and 7.3 to compliment the firmware patches for POWER7+ and POWER8 processors already released. Both the IBM i and firmware patches must be applied in order to mitigate the Spectre and Meltdown vulnerabilities. These PTFs:  MF64553 (7.1), MF64552 (7.2), and MF64551 (7.3) were added to the latest Group Security and HIPER Group PTF packages as of January 26th.

In addition, IBM has released additional operating system patches for IBM i 7.1, 7.2 and 7.3 on January 26th, MF64571, MF64565, and MF64568 respectively.

Our opinion at iTech is that most customers will eventually receive these patches by way of updating their HIPER and/or Security PTFs. It’s inevitable. After patching, IBM i customers with excess capacity should not see much in the way of any performance degradation. It’s likely to be noticeable at all. However, overloaded systems that are already taxed for performance may experience adverse effects by applying these fixes. If you’re unsure how taxed your system is then please contact us for a performance assessment before applying any of these PTFs.

Please keep watching the PSIRT blog for further developments.

https://www.ibm.com/blogs/psirt

The good news is that you have to be an authorized user in order exploit these vulnerabilities. Security from the IBM i level to your firewall is more important than ever. While there has been no documented case of someone breaching IBM i security without a user ID and password, there are many ways to gain access to an IBM i partition if adequate security measures are not followed. Hardening IBM i isn’t just moving from QSECURITY level 30 to 40. A properly hardened system should include, but certainly not limited to, the following basic measures:

Password level security – Ensure your system can use up to 128 characters for a password. The default 10 character limit of QPWDLVL 0 is not good enough.

NetServer – Ensure that no guest account exists for IBM NetServer. This will allow anyone access to your IBM i partition file shares without a user ID and password. This, combined with sharing the root (/) of your IFS can be extremely dangerous. Furthermore, if you’re on 7.1 or older version of IBM i then you are using the SMB1 protocol for file sharing. SMB1 has been deemed insecure for many years now.

Encryption – If you communicate to and from your IBM i in plain text then the length of your password does not matter. There is no excuse to encrypt your IBM i communication for any service accessed over the network which passes user IDs, passwords or other confidential information.

PTF and operating system currency –Technology that has not been patched or updated runs the risk of being compromised. This is especially true if you use open technology such as Java, OpenSSL and Apache. Java 6 and Apache 2.2 went out of support two weeks ago…have you removed Java 6 yet? Have you upgraded to 7.2 to move to Apache 2.4?

The Spectre and Meltdown vulnerabilities are perhaps the biggest security problems in the history of modern computing, but if you’re not covering the basics you may have bigger and more pressing security problems to worry about.

If you need a hand with keeping updated on PTFs, or want someone to handle the entire PTF process for you, then contact iTech Solutions.

2018 Deadlines for PCI DSS Compliance and how iTech Solutions can help you.

Important PCI Data Security Standard requirements have been introduced in PCI DSS v3.2 and they become effective February 1st, 2018. Notably, they are now mandatory while prior to this compliance was simply considered Best Practice.

Many customers are asking us what this is going to mean to them. An example is in order to safeguard payment data organizations must disable Secure Sockets Layer/Early Transport Layer Security (SSL/early TLS) protocols and upgrade to TLS 1.2 by July 1st, 2018.

As always iTech Solutions is your trusted business partner and here to help your organization navigate the new requirements. We recommend disabling SSL entirely and migrating to a more modern encryption protocol. At this time the minimum is TLS v1.1 however we strongly encourage TLS v1.2 where feasible. In fact, not all implementation of TLS v1.1 are considered secure, as NIST has formally recognized. Understanding these versions and how to configure them is key to securing transmissions.

The specific legislation is as follows.

As of PCI DSS v3.1 SSL and early TLS are not considered strong cryptography nor secure protocols. The PCI DSS requirements directly at issue are:

  • Requirement 2.2.3 Implement additional security features for any required services, protocols, or daemons that are considered to be insecure.
  • Requirement 2.3 Encrypt all non-console administrative access using strong cryptography.
  • Requirement 4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.

It is important that the SSL protocol (all versions) cannot be fixed to be considered secure. There are no known methods to remediate vulnerabilities such as the POODLE attack vector. This has resulted in SSL and early TLS no longer being sufficient enough to meet the need of organizations implementing strong cryptography to protect payment data over public or untrusted communication channels.

This is where iTech can support your company and your need for a modern security practice responsive to all the threats impinging upon businesses today. Our new services encompass monitoring and intrusion detection. First, it is important to set up your system securely however it is then important to maintain the security of your infrastructure. This is more difficult than the initial configuration and is where we excel. In order to ensure your security controls remain effective and adequate continuous monitoring is needed and is in fact mandatory in all regulations/laws impacting information technology. It isn’t enough to identify a potential vulnerability. Once weakness is found there must be a control in place to prevent it from being exploited which then must be continuously monitored for effectiveness.

“Defense in Depth”

One type of monitoring or a single approach to security exposure isn’t sufficient. Our practice encompasses five types of oversight to ensure a comprehensive best practice. Further each of these controls are configured to cover preventive, detective, and corrective needs.

  1. First, we will analyze your system proactively for known vulnerabilities. For IBM i, a good example of vulnerability analysis includes a regular security posture assessments.  In the case of PCI this involves ensuring that each of the requirements are implemented and are being maintained.  This will be evaluated continuously and if violated we can alert the customer  (Detective, Corrective control)
  2. The second type is intrusion-detection monitoring. This is what we call active monitoring.  iTech’s service has the ability to detect when the system is under attack at the IP stack level. iTech’s monitoring service is primed for identifying intrusion-detection events, for example; iTech will alert you when the system is experiencing a denial-of-service attack. In addition, we monitor IBM i message queues such as QSYSMSG for messages about invalid sign-on attempts. If an agreed threshold such as more than, 50 invalid sign-on attempts occur in one minute. iTech will let you know, or even do something about it! This is common in brute force attacks (Detective Control)
  3. The third type of monitoring is the attitude of “The best form of attack is defense” more commonly known as proactive monitoring.  In regards to each clients need we tailor our monitoring to align with the clients policies.   iTech will then set up the security and subsequent monitoring, watching for when these rules are violated. When this happens and it will, we put into plan the remediation agreed within the rules agreed.  For example, remote access is only allowed from specific IP address and only at certain times of the day, or FTP is denied by default but can be used under specific conditions.  (Preventative/Corrective Control)
  4. Exit programs are used by iTech to provide another layer of defense. They not only allow us the ability to control access to objects, but for in depth monitoring and logging the activity that occurs for IBM i servers such as FTP, Distributed Data Management (DDM), and so on. (Preventative Control)
  5. PCI DSS Requirement 10.6.1 mandates, you proactively monitor security logs for the occurrence of security events by requiring “daily” reviews of logs for critical system components. iTech will provide the required reports and analysis where agreed.  (Detective and Corrective Control)

The whole point to monitoring is to facilitate timely response to potentially malicious activities before they become a big problem. How (and how quickly) an organization responds to a confirmed malicious event may be the difference between a minor security event and a major breach of cardholder data. Organizations must be prepared for such instances, and have appropriate response procedures and countermeasures prepared—in advance—to respond in a timely and efficient manner.   It is therefore understood that monitoring becomes the fundamental foundation in the act of defense against the criminals.  Let us show you how we can help you monitor your environment, contact iTech Solutions.

 

GDPR: What American business’s Need to Know.

The General Data Protection Regulation (GDPR) epitomizes what it means to live by democratic laws.  For all the best intentions (or not in some cases) it is clear the way in which data is handled, processed, and shared has failed us. The GDPR standard is about to dramatically impact data management around the world.

For American companies’ annual regulatory compliance audits have been a part of doing business for all of the 21st century. Most American organizations in the USA have been subjected to a plethora of annualized inspections throughout their lifetime. Below is an example of the regulatory requirements and standards we are familiar with:

Sarbanes Oxley (publicly held companies)

SAS 70/SSAE16/SSAE18 (companies that have customers who need proof of IT Security levels)

ISO 27001/ISO 27002 (for Information Security standardization)

NIST-800-53r4 (for a higher level of Information Security control than ISO)

NIST CSF (Cyber Security Framework – for companies that want to go beyond penetration testing to show level of control towards cyber security risk)

PCI DSS (intense control valuation for merchants/service providers who process, store and/or transmit payment card data).

HIPPA Health Insurance Portability and Accountability Requires the protection and confidential handling of protected health information (PHI). This act goes back to 1996.

GDPR – what impact will this legislation have on American Business?

The General Data Protection Regulation has a much wider scope than the EU-US Privacy Shield, which only protects the flow of personal data in transatlantic data exchanges. US companies within the scope of GDPR should assume they will have to comply with the regulation´s requirements.

What is it, when, and how do I comply?

GDPR will be the global law of the land starting in May 2018. This will require any company doing business with European Union (EU)-based residents to maintain strict data protection protocols. The standard will have a significant impact on business and redefines the entire practice of data security. The GDPR requires organizations to keep accurate and up-to-date records that are continually monitored and validated to be in compliance with GDPR standards.

The processes for collecting data must be relevant to how the data will be used by the company (for example, consumer shopping data but not medical history data for e-commerce companies.) Companies should be willing and able to explain exactly what data has been collected and why. Security practices must demonstrate a clear ability to safeguard against loss, damage, and destruction; data should not be held longer than is necessary.

What are the penalties and fines?

The new enforcement procedures and fines associated with the GDPR compliance are perhaps what have most US corporate leaders sitting up and paying close attention. The hefty penalties associated with the non-compliance of GDPR could quickly reach millions of dollars. Companies that do not comply will fall into one of two categories with the higher level possibly costing as much as 20 million Euros or 4% of the company’s net income. Any company failing to comply with the regulation will be subject to a 4 percent forfeiture of its annual revenues.

Under GDPR there’s no distinction between a company headquartered in London UK, Berlin Germany, or New York USA.  The law instead focuses on personally identifiable information (PII) and where the person associated with the data resides. Anybody that has any kind of PII data on a European customer will have to comply.

It doesn’t matter how big or how small, if you have a breach, you’re legally liable. How that will happen is hard to say. All USA companies are subjected by state law to notify the data subject (individuals) if their data has been breached (timescales vary from state to state although GDPR is 72 hours.). This public acknowledgement could lead to a knock on the door by the EU office of compliance. The same organization will also proactively asking for everybody’s compliance plans after May. They’ll create an inventory of companies doing business in their geographies and they have already started to question larger enterprises.

American companies that don’t comply shouldn’t expect the US government to shield them when the GDPR-backed EU states attempt to collect forfeited revenue. “The US government is compelled to make sure those judgements are enforced. How this is enforced is yet to be seen, but the government in the EU will have to fight and the US will have to comply. “

What You will Need to do to Comply

As the regulation requires companies need to put someone in charge of managing the compliance process. This person, whom the GDPR law dubs the “Data Protection Officer (DPO),” will be the point person responsible for managing the DATA PROTECTION team through the ways in which your company has been securing its data. This person will also be responsible for pulling together the disparate lines of business within your company to produce a methodology for getting and staying GDPR-compliant.

Compliance

To stay compliant, you’ll need to employ at least one encryption method for your data and servers, any resources such as network attached storage, disks, and drives. Corporations will need to provide satisfactory network access and secure communications. You’ll need to strictly manage user access and carefully select who can access what, when, and how. In addition, a full auditing methodology should be strictly adhered to when accessing PII as well as for transactions that include PII data. Companies will need to cut out any practices that access or process data for unauthorized purposes, continuously monitor and verify data to ensure relevance, and completely and irreversibly purge customer data when asked to do so. Organizations will be required to conduct full risk assessments and work with partners, especially those connected via application programming interfaces (APIs), to ensure ongoing compliance.

You will need to redesign how you serve consent and disclosure forms to your customers. This will include obtaining agreement for every single use-case that you have developed for your customer’s data. Your customers will need to be able to select those that they agree with and decline those they do not like, and you need to be able to be able to store your customer’s preferences in your databases.

You will need to plan, practice, and update your breach response. Should your organization’s data be breached you’ll need to notify your associated GDPR supervisor immediately to describe the breach and its consequences in full. Then you’ll need to communicate the ramifications of the breach to impacted customers.

Good News

While this feels like a hard-line position it ultimately makes good business sense to safeguard data and be responsible stewards of customer information. In addition to being information technology professionals we are also all consumers and it is likely most of us have been the victims of what feels like an endless stream of data breaches.  Customers are the reason most of us are in business and they deserve to know we are looking after them.

Closer to home, companies doing business in New York under the New York Department of Financial Services’ Cyber Security Requirements are covered to a certain extent. This regulation requires New York-based businesses to implement and maintain a written policy or policies, approved by a Senior Officer or the Covered Entity’s board of directors. The regulation which began in earnest in 2017 requires a Security leader (CISO or equivalent) and a Cyber Security practice that is dedicated to managing and monitoring for security related events.

Like all new regulations this will take a bit of time for you and your teams to understand in detail. The new “privacy equivalent of SOX” is going to have a significant impact on US companies that sell products or services to EU customers. It is wise to start preparing the work now and for some of you totally re-architecting your data handling practice. Those that embrace this change could find this leading to your company building a sustainable competitive advantage in the market. Thus avoiding the reputational damage that could happen if your company is found to be non-compliant.

It’s a lot to take in, we are here to help you contact your iTech rep.

 

Events

 

February 5 – February 15

Take Back Control of your IBM i Security. Attend one of our free seminars to learn how to take back control of your IBM i Security. Learn the current risks, what you need to be looking for, and how to prevent, manage, and monitor the security of your IBM i.

You can register via the Hyperlinks which are after the city. Those cities without Hyperlinks, we are working on locations.

February 5 – Providence, RI – Providence Marriott
February 6 – Framingham, MA – Framingham Sheraton
February 7 – Waitsfield, VT – Cabot Creamery
February 8 – Manchester, NH – The Backyard Brewery (Formerly Yard Restaurant)

February 12 – Westbury, LI – Westbury Manor
February 13 – Norwalk, CT – Norwalk Inn
February 14 – New York City – IBM 590 Madison Ave.
February 15 – Fairfield, NJ – Crowne Plaza Fairfield

February 21, 2018 – The New England Midrange Users Group (NEMUG)

Hear Pete Massiello speak on What you need to know to successfuly upgrade to IBM i 7.3

March 13 – 15 2018 – Wisconsin Midrange Computer Professional Association – Lake Lawn Resort, Delavan, WI

Visit the iTech Solutions booth in the Expo and learn how we can help you get the most out of your Power Systems running IBM i.

Pete will be presenting:

  • The Wednesday Keynote
  • What you need to know to successfully upgrade to IBM i 7.3

Yvonne will be presenting on:

  • Modernization Testing
  • Basics of Testing for Programmers

April 23 – 25, 2018 – Northeast User Group Conference, Sheraton Framingham, MA

Visit the iTech Solutions booth in the Expo and learn how we can help you get the most out of your Power Systems running IBM i. In addition, hear Steve Pitcher and Pete Massiello speak on Various System Administration topics.

Monday April 30 to Friday May 4, IBM Technical University Hilton Orlando Resort, Orlando, FL

  • What you need to know when upgrading to IBM i 7.2 & 7.3
  • Tip and Tricks to Improve System Performance & Save Disk Space
  • Cool Things in IBM Navigator for IBM i to Help you be a Rock Star Administrator
  • Step by step guide to IBM i Hosting IBM i.

May 20 – 23, 2018 – COMMON Annual Conference & Expo, POWER-UP18 at Marriott River Center, San Antonio, TX

Visit the iTech Solutions booth in the Expo and learn how we can help you get the most out of your Power Systems running IBM i. In addition hear Pete Massiello, Yvonne Enselman, and Steve Pitcher speak on a variety of IBM i System administration topics.

Sept 27, 2018 – VTMUG Technical Conference – Double Tree Hotel Burlington, VT

Visit Laurie & Paul at our booth and learn how iTech Solutions can help you with your IBM i. Pete Massiello will be speaking on various Systems Management sessions to be determined.

Oct 15 – 17, 2018 – COMMON Fall Conference & Expo, Pittsburgh Marriott City Center, Pittsburgh, PA     Booth #20

Visit the iTech Solutions booth in the Expo and learn how we can help you get the most out of your Power Systems running IBM i. In addition hear Pete Massiello, Yvonne Enselman, and Steve Pitcher speak on a variety of IBM i System administration topics.

Oct 15 – 18, 2018 – Jack Henry Annual Conference – Gaylord Texan Hotel, Grapevine, TX

Visit the iTech Solutions booth in the Expo and learn how we can help you get the most out of your Power Systems running IBM i

 

Release levels and PTFs

People are always asking me how often they should be performing PTF maintenance, and when is the right time to upgrade their operating system. I updated this article from last month with the current levels of PTFs. Let’s look at PTFs. First, PTFs are Program Temporary Fixes that are created by IBM to fix a problem that has occurred or to possibly prevent a problem from occurring. In addition, some times PTFs add new functionality, security, or improve performance. Therefore, I am always dumbfounded as to why customers do not perform PTF maintenance on their machine at least quarterly. If IBM has come out with a fix for your disk drives, why do you want to wait for your disk drive to fail with that problem, only to be told that there is a fix for that problem, and if you had applied the PTF beforehand, you would have averted the problem. Therefore, I think a quarterly PTF maintenance strategy is a smart move. Many of our customers are on our quarterly PTF maintenance program, and that provides them with the peace of mind of knowing their system is up to date on PTFs. Below is a table of the major group PTFs for the last few releases. This is what we are installing for our customers on iTech Solutions Quarterly Maintenance program.

7.3 7.2 7.1 6.1 V5R4
Cumul Pack 17283 17290 17192 15063 12094
Tech. Refresh  3 7 11
Grp Hipers 50 113 214 210 204
DB Group 8 20 43 33 33
Java Group 7 15 30 41 34
Print Group 3 13 31 49
Backup/Recov. 16 38 71 61 57
Blade/IXA/IXS 1 16 30 15
HTTP 13 26 52 46 36
TCP/IP 3 10 17 22
Security 21 56 76 60  33
High Availability 5 8 15  5
Hardware 13 30 40  17
Open Source 6 6 6

The easiest way to check your levels is to issue the command WRKPTFGRP. They should all have a status of installed, and you should be up to the latest for all the above, based upon your release. Now there are more groups than the ones listed above, but these are the general ones that most people require. We can help you know which group PTFs you should be installing on your machine based upon your licensed programs. Here is a nice tidbit. The Cumulative PTF package number is broken down as YDDD, where Y is the year and DDD is the day it was released. Therefore, if we look at the cumulative package for V7R1, the ID is 16120. We can determine that it was created on the 120th day of 2016, which is April 29th, 2016. Look at your machine and this will give you a quick indication of just how far out of date in PTFs you may be.

HMCs

If you have a Hardware Management Console (HMC,) you should be running:

Model Release Service Pack End of Service
HMC (CR7 & above) V8R8.7
  1. SP1 MH01725
Not Announced
HMC V8R8.6
  1. MH01655
  2. SP2 MH01690
  3. MH01742
10/31/2018
HMC V8R8.5
  1. MH01617
  2. SP3 MH01689 (must be installed from classic GUI or command line)
  3. MH01721
  4. MH01730 (can be installed on any SP, required for upgrade to 8.8.6 or 8.8.7).
05/31/2018
HMC V8R8.4
  1. MH01560 (must be installed from command line using UPDHMC)
  2. SP3 MH01652 (must be installed from command line using UPDHMC)
  3. MH01730
  4. MH01729 (must be installed from classic GUI or from command line; can be installed on any SP, required for upgrade to 8.8.6)
11/30/2017
HMC V8R8.3
  1. SP3 MH01619
  2. MH01717
07/31/2017
HMC  V8R8.2
  1. SP3 MH01583
  2. MH01688
10/31/2017
HMC (CR4 last release) V7R7.9
  1. SP3 MH01546
  2. MH01587
  3. MH01687
12/30/2016
HMC V7R7.8
  1. SP1 MH01397
  2. SP2 MH01432
  3. MH01570
10/31/2015
or V7R7.7
  1. SP3 MH01379
  2. SP4 MH01415
  3. MH01516
02/28/2015
HMC C03 V7R3.5
  1. SP4 MH01277
05/31/2014

If we have a model listed above in the HMC column that is the highest level of firmware that model of the HMC can be upgraded to.

  • Note that release 8.8.x does not support any POWER5 servers.
  • Version 7.7.9 is not supported as of 12/30/2016 and cannot be installed on HMC models C03, C04 or CR2.
  • If an HMC is used to manage any POWER7 processor based server, the HMC must be a model CR3 or later model rack-mount HMC or C05 or later desk side HMC.
  • HMC V8R8.1 is supported on rack-mount models CR5, CR6, CR7 and CR8; and on desktop model C08. These listed models meet or exceed the V8R8.1 minimum memory requirement of 2GB however 4GB is recommended.
  • If you want to manage a POWER8 machine, you need to be on at least HMC 8.8.1

Some notes on the new HMC release V8R8.6 that just came out:

  • Will be the last release to support POWER6.
  • Will be the last release to allow ‘classic’ UI login.
  • Will be the last release that supports the model CR5, CR6 and C08.
  • The HMC must be at version V8 R8.4.0 or later to be upgraded to HMC V8 R8.6.0. This requirement is enforced during installation.

If you have a Flexible Service Processor (FSP) your firmware should be:

Machine Processor Model Version End of Service
Power5 or 5+ 520, 515, 525, 550, 570 SF240_418_382 11/30/2012
Power6 940x, M15, M25, M50 EL350_176_038 01/31/2017
8203-E4A, 8204-E8A, 8204-E4A EL350_176_038 01/31/2017
MMA, 560, 570 EM350_176_038 01/31/2017
9119-FHA EH350_176_038 01/31/2017
Power7 8231-E1B, 8202-E4B, 8231-E2B, 8205-E6B, 8233-E8B, 8236-E8C AL730_154_035 08/09/2017
9117-MMB, 9179-MHB AM780_091_040 (last release)
8231-E1C, 8202-E4C, 8205-E6C AL740_163_042
9117-MMC, 9179-MHC AM770-119_032 (last release)
Power7+ 8231-E1D, 8202-E4D, 8231-E2D, 8205-E6D AL770_119_032

AL770_120_032  **Includes Meltdown and Spectre Fixes **

8408-E8D, 9109-RMD AM770_119_032

AM770_120_032  **Includes Meltdown and Spectre Fixes **

9117-MMD, 9179-MHD AM780_091_040

AM780_094_040  **Includes Meltdown and Spectre Fixes **

Power8 8408-E8E, 8284-21A,  8284-22A, 8286-41A, or 8286-42A SV860_127_056 (If HMC requires HMC 8.8.6+)

SV860_138_056  **Includes Meltdown and Spectre Fixes ** (If HMC requires HMC 8.8.6+)

9119-MHE or 9119-MME SC860_127_056

SC860_138_056  **Includes Meltdown and Spectre Fixes **

If you need help with upgrading your HMC or FSP just give us a call. We will be happy to perform the function for you or assist you in doing it. Contact Pete Massiello.

Leave a Reply

Your email address will not be published. Required fields are marked *

*