We are in the process of patching an IBM Mainframe vulnerability (C-IBM-zSeries: SN-2023-058):
The SNMP interface of IBM Z and LinuxONE Hardware Management Console (HMC) and Support Element (SE) is vulnerable to man-in-the-middle attacks, and may compromise local sys tem security.
If SNMP APIs are enabled, IBM strongly recommends addressing this vulnerability by enabling TLS for SNMP.
Move all SNMP-based system management application traffic from old port 161 to the newly introduced port 10161
to leverage the TLS encrypted channel.SNMP over (D)TLS is an additional or alternate security mechanism to SNMP's User-Based Security Model (USM).
The main advantage of using SNMP over (D)TLS is the ability to integrate SNMP management into an organization's existing X. 509 public-key security infrastructure.
The Hardware Access Facility (HAF) has not been enabled in our AP servers - is there any remaining concern with switching the HMC SNMP port from 161 to 10161 from an AP perspective?
Release : 11.7
If HAF has not been configured in the AP server environment and the APCMOSI rexx program is not in use, then there is no impact to Automation Point associated with switching to port 10161 on the HMCs.
Please note that the APCMOSI rexx program would need to have been copied from the AP Sample rexx directory to the %AP_SITE%\site\myfiles\REXX directory in order for it to be in use in the environment.