IBM s/390 manual Operating Systems Messages console, Security, Server memory

5.2 Operating Systems Messages console

Larger S/390 machines have an Operating Systems Messages console function that is provided through the Support Element (SE) or a Hardware Management Console (HMC). This console function is sometimes known as the “system console” or the “hardware system console.” OS/390 attempts to use it if all other MVS consoles fail.

FLEX-ES emulates this console through the CLI window--the window with the flexes prompt. Messages written from the S/390 to the Operating Systems Messages console appear after the flexes prompt. You need to press Enter (with the desktop focus in this window) to restore the flexes prompt. You can reply or enter commands through the Operating System Messages console by using the CLI command hwc:

5.3 Security

As we explained earlier, FLEX-ES is a layer of software that resides and operates between an OS/390 system and an underlying Linux system. All the security features and functions that come with an OS/390 system work as on any other S/390 platform. However, it is possible for a Linux user with sufficient privilege to gain access to the contents of an emulated DASD or central storage associated with an emulated CPU, and so forth.

A ThinkPad/EFS owner must plan and manage traditional Linux security functions for the underlying Linux system, as well as traditional S/390 security management. If the ThinkPad/EFS platform is used only for S/390 operation, this can be fairly simple.

A unique concern involves the OS/390 master console(s). These can be implemented through the Terminal Solicitor. This is convenient, but offers an opportunity for an unwanted person to connect as a master console. We suggest that you have a master console on the ThinkPad display and direct any other master consoles1 to specific IP addresses and not through the Terminal Solicitor. This is done by specifying an IP address in the FLEX-ES resources file, instead of a terminal name. This means, of course, that the client systems connecting to the emulated 3270 interfaces must have static IP addresses.

The FLEX-ES resource manager uses TCP/IP port 555 to talk with other instances of FLEX-ES resource managers. There may be a potential for problems if someone hacks this port. We are not aware of any instances of this, but it is a potential concern if you use an open network to link multiple FLEX-ES systems at this level. (Would you use an open network for shared DASD data flow on a “real” S/390? You need to look at this potential exposure from this viewpoint and not from a PC networking viewpoint.)

5.4 Server memory

The memsize + essize + cachesize*11 + DASD cache (described in “System definitions” on page 73 ) total values (when translated to bytes of storage) approximate the amount of Linux virtual storage needed to run an instance of S/390 emulation. If you emulate two S/390 systems (at the same time), you will need to add the values for each of the two emulated systems.2 You can emulate more S/390 instances, but each one will require more memory.

1We are using the term “master console” loosely here to mean any OS/390 operator console.

2Some of the DASD cache memory may be shared among multiple emulated S/390s.