7.5 Security for Administrative Services

The Orchestration Console and the zosadmin command line tool are clients to the MBean and RMI servers. Cloud Manager Orchestration does not provide encryption for these administrative services, so you should be careful to use them only in a secure environment.

When the user logs in using either zosadmin login or the Orchestration Console, the user’s password is sent to the server, and then the server issues a per-session credential to be used for further operations. The user’s cleartext password is never stored to disk; however, it is currently sent “over the wire” in plain text form. For this reason, the administrative clients should only be used in a secure, trusted environment.

The zosadmin client stores the session credential obtained from a zosadmin login request in a temporary file for use by subsequent operations. This credential cannot be used to obtain the user’s password, but it could be used to take over the user’s current session until it times out or expires. For this reason, the files in the user’s .novell/zoc/ directory should be configured to disallow access by other users.