The FUJITSU Server BS2000 SE Series unites the existing server lines S servers and SQ servers in the server line SE servers.
Depending on requirements, the SE server contains all the system components needed for operation as an overall application:

• Server Unit /390 for BS2000 guest systems

• Server Unit x86 with BS2000, Linux or Windows guest systems

• Application Units x86 for operating Native or hypervisor systems (e.g. Linux, Windows, VMware, OVM, etc.)

• Shareable tape and disk periphery

• A high-speed, server-internal infrastructure to connect the components with each other and with the customer's IP and FC networks.

The SE server offers the following advantages:

• Cross-system administration with state-of-the-art, browser-based GUI (SE Manager) as a single point of operation

• Centralized system monitoring of all components

• End-to-end redundancy concept

• Joint service process

• All options for consolidation through virtualization

• SE components and infrastructure are preconfigured and supplied to customers ready to use

SE servers consequently enable flexible and application-specific implementation which fulfills high SLAs through the use of high-end components and an end-to-end redundancy concept, and nevertheless permits cost-effective operation of the overall system with few resources thanks to its uniformity.

Intel x86-based server systems with their VMware, Linux or Windows system platforms also profit from the concepts for stable system operation tested on the mainframe:

• Selection of high-quality server components

• Redundant hardware components

• Prepared operating concepts which also include high availability

• Comprehensive tests before release

• Comprehensive service concept.

The management interface which is uniform for all SE servers, the SE Manager, permits a view of all the system components involved and, from this higher-level perspective, enables the resources to be optimized through efficient distribution of the application to the systems which are currently utilized least.

It is possible to combine two SE servers in a management cluster to a management entity and therefore utilize the advantages of the SE Manager for two SE servers at the same time. Every Management Unit can be used to control all components of the cluster, thus enhancing protection against failure. Within an SU Cluster, a live migration can be performed to migrate BS2000 systems without interruption.

SE servers consequently permit particularly stable system operation which includes not only the mainframe platforms which have to date been known to be particularly failsafe, but also other Server Units and the infrastructure and peripherals employed by the SE server. This can be achieved with fewer resources for administration and system operation than for separate operation of different IT systems.

The base systems of the Management Unit, HNC and Server Unit x86 (M2000, HNC and X2000) are systems which satisfy stringent security requirements. The statically implemented security of hardened systems is concerned here which is not significantly influenced by administration measures.

The base systems of these units (M2000, HNC and X2000), which are based on SUSE Linux Enterprise Server (SLES) 11, can be described as hardened for the following reasons:

• Only signed software components which are absolutely essential for operation are installed.

• Nonprivileged accounts are used for administration and operator access. These are equipped with clearly defined (and restricted) functions and access rights as part of a differentiated role strategy. No access to the system is possible outside this role strategy. Rights cannot be escalated; access to the root account is locked.

• The role and user strategies enable personalized accounts to be configured and passwords and password attributes to be managed.

• The data traffic between the administration PC and Management Unit, HNC and Server Unit x86 is encrypted.

• All ports which are not used are closed.
  Services are started only when they are actually used.

The configuration of the base systems is based on the recommendations of the Center for Internet Security (CIS, http://www.cisecurity.org). Deviations from these recommendations result only from the functions required for operation. These deviations do not, however, lead to security holes.

This Security Manual describes mainly the security and hardening measures at the level of the base operating system M2000 of the externally accessible Management Unit on the basis of the functions of the operating and service strategy. HNC and Server Unit x86 are protected to the outside and are therefore not described in detail. Where necessary, differences that need to be taken into account for the Application Units are examined.

Security-relevant aspects of BS2000 or other operating systems and applications which are operated using the systems are not examined.