Sorry I don't know except that all HMC's are now at the same microcode level. As it's the weekend I will try to find out next week. That's when we are going to try again actually in the data centre to avoid any firewall issues.
We didn't actually fix the firewall issue - that's still outstanding. We decided to work on that in parallel since we cannot see the Z14 HMC from the zBC12 HMC even in the same room on the same LAN segment. To clarify the situation. We are replacing an existing zBC12 with a z14 ZR1. All our HMC's, both in this location and in our primary DC are supposed to be at the same driver level and credentials sync from a master. Our tech folks plan was to use the zBC12 HMC to access the new z14 HMC so that they could populate all the details from the zBC12 to the Z14 (LPAR definitions, logon credentials, IOCDS etc.). So far that is not working. I am intrigued and somewhat concerned about your Top Gun's comment that a zBC12 HMC cannot see a Z14 HMC. If that is the case then we are barking up the wrong tree :-( Then sneakernet my well be the only way to copy the configuration across. The goal is to get the z14 up using the same IOCDS (well similar) to that on the zBC12 as it will be patched into the same DS8870 and want to get it IPL'ed and workload tested. I didn't see the new IP pors that need to be accessed through the firewall but we are asking for all the ports based on this document to be open. https://www-01.ibm.com/support/docview.wss?uid=isg229b0fe89af786b2885258194006dd308&aid=1 Still if we can't see the HMC on the same subnet and VLAN in the same room, then firewall rule are not really relevant. On Sat, Mar 23, 2019 at 7:27 PM Mike Smith <mike.sm...@nasrp.com> wrote: > What is the feature Code of the HMC on the zBC12? That will determine the > maximum driver level that can be applied, but I doubt that it's the same > driver level as the z14. In prior conversations with our Top Gun I was > led to believe that an HMC associated with a zBC12 will not see the HMC on > a z14. Of course, I could be wrong, but the only way it might work > would be if you got an extra HMC FC0082 or FC0083 with the z14 and replaced > the old zBC12 HMC. > > The earlier notes mentioned that you resolved the firewall issues so you > must have found the documentation relating to the additional ports that > need to be opened for a z14. Did you also see the information about the > new IP addresses that need to be accessed through your firewall so the z14 > can contact the new "Enhanced" Support Center? > > Regards, > > Mike > > -----Original Message----- > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On > Behalf Of Laurence Chiu > Sent: Thursday, March 21, 2019 11:46 AM > To: IBM-MAIN@LISTSERV.UA.EDU > Subject: Re: Remote access to Z14 ZR1 Support Element via HMC question > > Thanks > > We did do a major HMC firmware upgrade across the complex recently and that > issue was checked during our diagnostic call but all HMCs are on the same > level. > > Hopefully it's the domain issue else will be at our wits end. For some > reason our support organisation does not want to copy the zBC12 > configuration information across to the new z14 using a USB drive but > really want the HMC for the zBC12 to connect to the z14 so the > configuration information is already loaded. > > On Thu, Mar 21, 2019, 8:07 PM Parwez <parwez_ha...@hotmail.com> wrote: > > > While I can't answer your specific Q. A general point - a HMC with > 'lower' > > level of HMC code can't control/access System requiring a 'higher' level > > of HMC code. A HMC with higher level code e.g the z14 ZR1 HMC can > > access/control Systems all the way back to z10 EC and BC. If your zBC12 > HMC > > is at level 2.12.1 then this could be the issue. If your zBC12 HMC > hardware > > is of the right spec, then there is nothing to stop you upgrading it to > the > > same level code as the z14 ZR1 HMC. > > > > Regards > > Parwez > > > > ________________________________ > > From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf > > of Laurence Chiu <lch...@gmail.com> > > Sent: 21 March 2019 06:07 > > To: IBM-MAIN@LISTSERV.UA.EDU > > Subject: Re: Remote access to Z14 ZR1 Support Element via HMC question > > > > OK an update. We haven't solved the remote access issue yet but the guys > > wanted to do use the zBC12 HMC to discover the Z14 HMC. But despite all > > networking being fine (all the HMC's and the SE's are in the same LAN > > segment) the zBC12 HMC could not see the Z14 HMC. Yet if they logged onto > > the Z14 HMC it could see the Z14 SE fine. I asked the question (since one > > of my colleagues has done this before) since the new machine is a drop-in > > replacement using the same DS8K SAN, why don't they just copy the config > > from the zBC12 HMC to a USB drive and load it onto the Z14. I was told > that > > wasn't standard practice, even though it would work. > > > > Further diagnosis reveals a potential issue with the domain settings on > the > > new HMC's and SE's not matching those on the existing ones. The new > HMC's > > were setup with domain defaults I am told and they are probably not what > > the old HMC's were setup with. Something along the lines of " The > “Current > > domain name” is displayed on the window. If NOT SET is displayed, it > > indicates that default domain security is in effect for this console." > This > > is from the > > Hardware Management Console Operations Guide - Version 2.14.0 > > > > > http://www-01.ibm.com/support/docview.wss?uid=isg23e9d1b6de8c163f985258195006801cc > > pages 712 onwards > > > > Now if the existing HMC's have an actual domain name setting in them, > then > > it make sense they cannot connect to a HMC with default domain security > > since there is a mismatch. > > > > That apparently is our next diagnostic step. Just wonder if other folks > > on this list have ever encountered problems similar to this? Thanks > > > > On Thu, Mar 21, 2019 at 2:55 PM Laurence Chiu <lch...@gmail.com> wrote: > > > > > Thanks > > > > > > Looking at this list and the firewall requests that have been raised, > it > > > seems we're covered. > > > > > > Interesting as noted we have a zBC12 in the same room and there is no > > > problem accessing it and the new HMC'S for the z14 are in the same > subnet > > > so should be covered by the same firewall rules. > > > > > > However nobody can tell if they've ever tried to access the SE on the > > > zBC12 remotely because as another poster said, if your configuration is > > > stable then there is little need to do that. > > > > > > That could certainly point to a firewall rule that's never been tested. > > > > > > Again back to my original point, why can't the support element > > > configuration be done locally why we try to figure out the network > issues > > > for remote access > > > > > > > > > > > > On Thu, Mar 21, 2019, 3:10 AM Edgington, Jerry < > > > jerry.edging...@westernsouthernlife.com> wrote: > > > > > >> Dana, > > >> > > >> Here is my "cheat sheet" for HMC ports and direction. However, I > don't > > >> know if they have changed for z14 ZR1, but they work for z13s. > > >> > > >> ○ HMC inbound IP ports from internal network > > >> § Type Source Port Usage > > >> ICMP 8 Establish communication with > > >> resources managed by HMC > > >> TCP 58787 - 58788 Automatic discovery of > > >> zServers > > >> UDP 58788 Automatic discovery of > zServers > > >> UDP 9900 HMC to HMC auto discovery > > >> TCP 55555 SSL communication from servers > > >> TCP 9920 SSL HMC and zServers > > >> TCP 443 Remote user access to HMC > > >> TCP 9950-9959 Proxy Single Object > > >> Operations to server > > >> TCP 9960 Java applet-based tasks (not > > >> required since v2.12.1) > > >> UDP 161 SMNP automation of the HMC > > >> TCP 161 SMNP automation of the HMC > > >> TCP 3161 SMNP automation of the HMC > > >> TCP 6794 SSL automation traffic, > > including > > >> HMC Mobile app > > >> TCP 61612 Web Services API message > broker, > > >> flowing STOMP > > >> TCP 61617 Web Services API message > broker, > > >> flowing OpenWire > > >> UDP 123 Set the time of the servers > > >> UDP 520 Communications with routers > from > > >> HMC > > >> TCP 22 Remote access by Product > > >> Engineering > > >> TCP 21 Inbound FTP requests > > >> TCP 3900-3909 AMM for zBX > > >> > > >> > > >> ○ HMC outbound IP ports to network to internal network > > >> Type Source Port Usage > > >> ICMP 8 Establish communication with > > >> resources managed by HMC > > >> UDP 9900 HMC to HMC auto discovery > > >> TCP 58787 - 58788 Automatic discovery of > > >> zServers > > >> UDP 58788 Automatic discovery of > zServers > > >> TCP 55555 SSL communication from servers > > >> TCP 9920 SSL HMC and zServers > > >> TCP 443 Single Object Operations to > > >> server console > > >> TCP 9960 Java applet-based tasks (not > > >> required since v2.12.1) > > >> TCP 25345 Single Object Operations to > > >> server console > > >> TCP X LDAP port to authenticate > Users > > >> TCP 443 Call home requests RSF, and > HMC > > >> mobile app > > >> TCP 3900 AAM for zBX > > >> TCP 21 Load system software or > utility > > >> programs > > >> TCP 22 SSH > > >> UDP 123 Connect to NTP server > > >> TCP 25 SMTP for email > > >> > > >> ○ SE inbound IP ports from internal network > > >> § Type Source Port Usage > > >> ICMP 8 Establish communication with > > >> resources managed by HMC > > >> TCP 58787 Automatic discovery of > zServers > > >> UDP 58787 Automatic discovery of > zServers > > >> TCP 55555 SSL communication from servers > > >> TCP 9920 SSL HMC and zServers > > >> TCP 443 Call home requests RSF, and > HMC > > >> mobile app > > >> TCP 9950-9959 Manage DataPower XI50z > > >> from HMC > > >> TCP 9960 Java applet-based tasks (not > > >> required since v2.12.1) > > >> UDP 161 SMNP automation of the HMC > > >> TCP 161 SMNP automation of the HMC > > >> TCP 3161 SMNP automation of the HMC > > >> UDP 123 Set the time of the servers > > >> UDP 520 Communications with routers > from > > >> HMC > > >> TCP 22 Remote access by Product > > >> Engineering > > >> TCP 21 Inbound FTP requests > > >> TCP 3900-3909 AMM for zBX > > >> > > >> ○ SE outbound IP ports to internal networks > > >> § Type Source Port Usage > > >> ICMP 8 Establish communication with > > >> resources managed by HMC > > >> UDP 9900 HMC to HMC auto discovery > > >> TCP 58787 Automatic discovery of > zServers > > >> UDP 58787 Automatic discovery of > zServers > > >> TCP 55555 SSL communication from servers > > >> TCP 9920 SSL HMC and zServers > > >> TCP 443 Single Object Operations to > > >> server console > > >> TCP 9960 Java applet-based tasks (not > > >> required since v2.12.1) > > >> TCP 25345 Single Object Operations to > > >> server console > > >> TCP X LDAP port to authenticate > Users > > >> TCP 443 Call home requests RSF, and > HMC > > >> mobile app > > >> TCP 3900 AAM for zBX > > >> TCP 21 Load system software or > utility > > >> programs > > >> TCP 22 SSH > > >> UDP 520 Communications with routers > from > > >> HMC > > >> UDP 123 Set the time of the servers > > >> > > >> -----Original Message----- > > >> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] > > On > > >> Behalf Of Dana Mitchell > > >> Sent: Wednesday, March 20, 2019 10:06 AM > > >> To: IBM-MAIN@LISTSERV.UA.EDU > > >> Subject: Re: Remote access to Z14 ZR1 Support Element via HMC question > > >> > > >> As far as firewall rules go, we can access SOO remotely so I'm > looking > > >> back at some of my old firewall requests, and it looks like for a new > > HMC I > > >> requested ports 443,9960 and 2300 to be opened. But in the current > doc, > > >> port 2300 is not referenced, so I don't recall what that was for. > > >> > > >> Your other question about accessing the SE's, I would say that > wouldn't > > >> be neccessary very much at all once the machine is setup, perhaps for > > CHP > > >> problem determination type of thing, but I can't think of normal day > to > > day > > >> requirements. > > >> > > >> Dana > > >> > > >> On Wed, 20 Mar 2019 22:02:21 +1300, Laurence Chiu <lch...@gmail.com> > > >> wrote: > > >> > > >> > > > >> >Any thoughts from the group on this parallel approach. I have no idea > > >> >how often the SE needs to be accessed but this is a fairly static > > >> >environment so I would think not that often. > > >> > > > >> > > >> ---------------------------------------------------------------------- > > >> For IBM-MAIN subscribe / signoff / archive access instructions, send > > >> email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > > >> > > >> ---------------------------------------------------------------------- > > >> For IBM-MAIN subscribe / signoff / archive access instructions, > > >> send email to lists...@listserv.ua.edu with the message: INFO > IBM-MAIN > > >> > > > > > > > ---------------------------------------------------------------------- > > For IBM-MAIN subscribe / signoff / archive access instructions, > > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > > > > ---------------------------------------------------------------------- > > For IBM-MAIN subscribe / signoff / archive access instructions, > > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > > > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
