As organizations continue to scale their digital capabilities, the volume and complexity of applications are growing rapidly. This makes the reliability and resilience of the underlying IT infrastructure more critical than ever. Maintaining infrastructure currency—through timely updates, patching, and modernization—is essential to ensure optimal performance and prevent functional degradation.
Equally important is the security posture of the infrastructure. Outdated or unpatched systems are prime targets for cyber threats. Proactively identifying and addressing security vulnerabilities is not just a technical necessity but a strategic imperative. This translates to reduced risk exposure, improved compliance, and enhanced trust with stakeholders. A secure and up-to-date infrastructure is foundational to sustaining business continuity and enabling innovation at scale.
To address and alleviate these challenges, IBM Power11, together with AI-infused IBM Concert, enables Autonomous IT for critical patch management, reducing risk, ensuring uptime, and improving productivity for the IT operations team.
The entire lifecycle is fully automated: inventory discovery (Discover), advisory ingestion, risk assessment (Understand), recommendation (Recommend), remediation action generation, and execution of the action once approved (Act). IBM Concert takes care of parsing advisories, evaluating risks across your environment, and preparing precise remediation steps, all without manual intervention. You only need to review and approve the actions, and Concert will leverage the IBM Power11 platform’s extreme automation capabilities to perform updates without business disruption. Every step is tracked and auditable, offering complete visibility and traceability. Concert also integrates with existing change and incident management systems, ensuring that remediation aligns with enterprise processes and governance policies and enabling automated, compliant, and scalable risk mitigation.
Discover:
The IBM Power feature in IBM Concert provides a workflow that discovers your Hardware Management Console (HMC), Power System (System Firmware) and VIOS components and their release levels, and creates an inventory that can be viewed in the Concert UI. To enable communication between Concert and the target HMC, you need to create an authentication for the Power HMC.
You can create an authentication under the workflows by selecting config data as the type and providing the username and password of the HMC, which are securely stored in Concert.
Note: Please make sure to select the overridable flag when creating the authentication, so that you can update the credential at a later point of time, as needed.
Once the authentication is created, you can run the inventory workflow in Concert by providing the HMC authentication. The inventory workflow discovers the HMC details and the Power System and Virtual I/O Server (VIOS) inventory, along with their currently installed versions.
You can view the list of Systems, HMC and VIOS in the IBM Power menu in the Concert UI. You can schedule the inventory workflow to run at regular intervals, e.g., once every 24 hours.
Understand and Recommend:
Once the system inventory is discovered, the next step is to assess vulnerabilities and recommend actions. The inventory workflow also triggers an advisory flow, which looks at the current version of each platform component (HMC, System Firmware and VIOS) and identifies known CVEs in that version.
What makes this step powerful is our use of Watsonx.ai to extract and structure advisory data, especially when the inputs vary in format.
· For VIOS, advisories are available in machine-readable JSON format.
· For HMC and System Firmware, we leverage Watsonx.ai to interpret the PSIRT bulletins, extract the relevant vulnerability and remediation information, and convert it into structured JSON. This enables automation at scale and eliminates the need for manual parsing of security content, a non-trivial problem solved using GenAI.
Once advisories are in place, Concert performs an automated assessment to match them against your environment. It identifies which systems are affected and generates a precise set of remediation actions, such as firmware, HMC or VIOS updates, for each component.
Through IBM Concert's Power dashboard, you can:
· View total CVEs grouped by severity: Critical, High, Medium, and Low.
· See CVEs broken down per system and per HMC.
· Select a system to explore vulnerable components and the recommended actions.
· Click on any CVE to review in-depth details, including impacted components.
· For each action, view the version information, the components it applies to, and the CVEs it fixes.
Note: IBM Concert requires outbound connectivity to discover information about CVEs and the available updates to remediate them.
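The assessment and recommendation step described above, sketched as an added example that is not IBM Concert's code: it matches an inventory against structured advisories, totals CVEs by severity, and builds one unapproved update action per affected component. The record fields, the dotted version format, the CVE ids and the "affected when below `fixed_in`" rule are all constructed assumptions, not Concert's schema.

```python
from collections import Counter

# Constructed sample data (not real systems, levels or CVEs).
INVENTORY = [
    {"name": "vios1", "type": "VIOS", "version": "4.1.0.10"},
    {"name": "vios2", "type": "VIOS", "version": "4.1.1.0"},
    {"name": "sys-a-fw", "type": "FIRMWARE", "version": "1110.0"},
    {"name": "hmc1", "type": "HMC", "version": "11.1.0"},
]
ADVISORIES = [
    {"cve": "CVE-0000-0001", "severity": "Critical", "type": "VIOS", "fixed_in": "4.1.1.0"},
    {"cve": "CVE-0000-0002", "severity": "High", "type": "HMC", "fixed_in": "11.1.1"},
    {"cve": "CVE-0000-0003", "severity": "Medium", "type": "VIOS", "fixed_in": "4.1.1.5"},
    {"cve": "CVE-0000-0004", "severity": "Low", "type": "FIRMWARE", "fixed_in": "1100.5"},
]

def vkey(version):
    """Compare dotted versions numerically, so 4.1.0.10 sorts above 4.1.0.9."""
    return tuple(int(part) for part in version.split("."))

def assess(inventory, advisories):
    """Return (findings, actions) for components running below an advisory's fixed level."""
    findings, actions = [], {}
    for comp in inventory:
        hits = [a for a in advisories
                if a["type"] == comp["type"]
                and vkey(comp["version"]) < vkey(a["fixed_in"])]
        if not hits:
            continue
        findings += [(comp["name"], a["cve"], a["severity"]) for a in hits]
        # One action per component: the lowest level that clears every matched CVE.
        actions[comp["name"]] = {
            "type": comp["type"],
            "from": comp["version"],
            "to": max((a["fixed_in"] for a in hits), key=vkey),
            "fixes": sorted(a["cve"] for a in hits),
            "approved": False,  # nothing runs until a reviewer approves it
        }
    return findings, actions

def severity_totals(findings):
    """Count distinct CVEs per severity, as a dashboard summary would."""
    return Counter(sev for _, sev in {(cve, sev) for _, cve, sev in findings})

def approved_actions(actions):
    """Only actions a reviewer has explicitly approved are eligible to run."""
    return {name: a for name, a in actions.items() if a["approved"]}

if __name__ == "__main__":
    found, plan = assess(INVENTORY, ADVISORIES)
    print(dict(severity_totals(found)))
    for name, action in plan.items():
        print(name, action)
```

Comparing versions as integer tuples rather than strings matters here: a plain string comparison would rank "4.1.0.10" below "4.1.0.9" and misjudge which components are affected.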
Act:
You can review each action and approve the patch or update to be applied at a scheduled time. Once an action is approved, Concert automatically triggers the update at the scheduled time using the HMC platform update APIs. The HMC platform update workflow validates redundancy for VIOS updates, validates system readiness for updates, and downloads updates by connecting to the IBM website.
Note: You need to enable outbound connections from the HMC to the IBM website, since the platform update workflow connects to the IBM website to download updates.
For VIOS updates, the platform update workflow uses VIOS redundancy to perform a failover, so that the partitions on the system can continue running using the paths from the redundant VIOS. For a disruptive system firmware update, the platform update workflow moves partitions using Live Partition Mobility to another system, which you selected when reviewing and approving the update action, performs the update, and brings the partitions back, allowing the applications on the partitions to continue running during the update.
Summary:
In today’s rapidly evolving threat landscape, having the capability to empower organizations to discover vulnerabilities, gain actionable insights, and swiftly remediate risks is not just beneficial—it’s essential. By bridging the gap between visibility and action, IBM Concert and IBM Power11 together enable technical teams to proactively secure infrastructure while providing executives with the assurance of reduced risk exposure and improved compliance. By leveraging the platform capabilities of IBM Power11, this solution enables seamless maintenance, allowing for zero-planned downtime and saving significant operational effort for enterprises. Ultimately, the solution transforms vulnerability management from a reactive task into a strategic advantage, strengthening the organization’s overall security posture and resilience, while also enhancing business continuity.
Frequently Asked Questions:
Q: Where does the Concert application run? Is it available on-premises and/or delivered as SaaS?
A: Both options are available. IBM Concert runs on x86 with manage-to Power. A SaaS option is also available.
Q: Is the Concert Vulnerability Management for Power only available for Power11 and beyond?
A: Concert will provide visibility to CVEs for Power11 and Power10. Remediation triggered from Concert will only be available for Power11.
Q: Does Concert work for both Power Scale-out and Power Enterprise Systems?
A: Yes, the capabilities are applicable to all Power11 and Power10 system types.
Q: Does the AI enhanced support process require the HMC or will it be available for single partition servers with no HMC?
A: The IBM Concert support for the Power platform (System Firmware, HMC and VIOS) requires the HMC as a prerequisite. Both discovery and applying the remediation plan rely on HMC function.
Q: Do I need IBM Concert to perform platform and hardware maintenance?
A: No. IBM Concert is an optional product providing vulnerability management features specifically for Power11 and Power10. It also supports a range of other use cases (platform agnostic) including Certificate Management, Concert Workflows, Application Vulnerability Management, and Application Resilience Posture Assessment.
Q: How does the Automated Maintenance Framework on Power11 work if failover has to happen on Power10 or earlier versions of Power Servers?
A: Triggering remediation from Concert to the Power Server is a Power11 feature. The Power Automated Maintenance Framework is also a Power11 feature. Zero Planned Downtime can leverage Power10 capacity for LPM evacuation.
Q: In case of VIOS update, if there are dual VIOS each needing update, how does the Automated Maintenance Framework update work to save moving out the LPARs?
A: The Automated Maintenance Framework is smart enough to update the dual VIOS configuration in a rolling fashion, one VIOS at a time, without impacting the client workloads.
Q: A big challenge for our customer with this "Automated Platform Maintenance" could be that of the client’s IT-Operation processes. If an admin raises a maintenance action, they need to prepare for change requests with failback procedures etc. How do you suggest we can proceed with this in the current scheme of Operational Process?
A: Yes, we understand that clients have a process, and that these update/remediation plans need to go through an approval process before executing. IBM Concert allows for the plan to be exported and sent off for approval before applying. IBM Concert also has integration with popular tools such as ServiceNow, etc.
Learn More:
· Power Page
· Concert Page
· Announcement Page
By Hariganesh Muralidharan and Srinivasan Muthuswamy