Oracle Integrated Lights Out Manager (ILOM) 3.1

Security Guide

Configuring SNMP for Maximum Security

This section describes how to configure Simple Network Management Protocol (SNMP) for use with Oracle ILOM with maximum security. This section contains the following topics:

Differences Between SNMPv1/v2c and SNMPv3

SNMP Security Guidelines for Choosing Whether to Enable Sets

Understanding the Engine ID

Differences Between SNMPv1/v2c and SNMPv3

SNMP is a standard protocol used to monitor or manage a system. Oracle ILOM provides an SNMP solution for both monitoring and management, but it must be configured prior to use. It is important to understand the security implications of the various SNMP user-configurable options before configuring this service.

SNMPv1 and SNMPv2c provide no encryption and use community strings as a form of authentication. Community strings are sent in cleartext over the network and are usually shared across a group of individuals, rather than being private to an individual user. SNMPv3, conversely, uses encryption to provide a secure channel as well as individual usernames and passwords. SNMPv3 user passwords are localized so that they can be stored securely on management stations.

SNMPv1, SNMPv2c, and SNMPv3 are all supported by Oracle ILOM and can be enabled or disabled separately. In addition, “sets” can be enabled or disabled to provide an additional layer of security. This configurable option determines whether the SNMP service will allow settable SNMP MIB properties to be set. Disabling sets effectively makes the SNMP service useful for monitoring only.

By default, SNMPv1 and SNMPv2c are disabled. SNMPv3 is enabled by default, but requires creating one or more SNMP users prior to use. There are no preconfigured SNMPv3 users.

For information about how to enable or disable specific SNMP protocol versions and to create SNMPv3 users, see the Oracle ILOM 3.1 Protocol Management Reference Guide.

SNMP Security Guidelines for Choosing Whether to Enable Sets

For maximum SNMP security, use SNMPv1 and SNMPv2c only for monitoring and do not enable “sets” when these less secure protocols are enabled. SNMPv3 can be securely used with sets enabled as a means of configuring Oracle ILOM features using SNMP. Because SNMP can be used to configure other security features, such as adding web interface and command-line interface user accounts, ensure you choose strong SNMPv3 user passwords whenever sets are enabled.

Note - You can set a MIB object when: 1) the MIB object supports modification; 2) the MAX-ACCESS element for the MIB object is set to read-write; and 3) the user attempting to perform the set is authorized to do so.

Oracle's Sun MIBs that support configurable objects and where “sets” are applicable are as follows:

For other information about enabling SNMP management in Oracle ILOM or for a complete list of Oracle-supported SNMP MIBs, see the Oracle ILOM Protocol Management Reference for SNMP, IPMI, CIM and Ws-MAN.

Understanding the Engine ID

The SNMP Engine ID is intended to be an identifier that is unique to each Oracle ILOM system. Although the Engine ID can be changed, for security reasons, keep this identifier unique across the data center. Having two or more systems with the same Engine ID reduces some of the security advantages of the SNMPv3 protocol.
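Why SNMPv3 passwords can be stored safely on a management station in localized form, and why a shared Engine ID weakens that protection, follows directly from the SNMPv3 key derivation. The Python below is an added example, not code from the Oracle ILOM guide or the product: it implements the RFC 3414 password-to-key algorithm (Appendix A.2) and key localization (Kul = H(Ku || snmpEngineID || Ku), section 2.6) using only the standard library, then shows that the same user password gives identical localized keys on two systems that share an Engine ID and different keys when the IDs differ. The engine ID values ENGINE_SP1 and ENGINE_SP2 are constructed for the example and are not real ILOM values.

```python
import hashlib

# RFC 3414 A.2.1/A.2.2: the password is expanded cyclically to 1,048,576
# bytes and hashed once to produce the user key Ku.
EXPANDED_LEN = 1_048_576


def password_to_key(password: bytes, algo: str = "sha1") -> bytes:
    """Derive Ku from a user password (RFC 3414 Appendix A.2; MD5 or SHA-1)."""
    if not password:
        raise ValueError("SNMPv3 password must not be empty")
    reps = EXPANDED_LEN // len(password) + 1
    expanded = (password * reps)[:EXPANDED_LEN]
    return hashlib.new(algo, expanded).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "sha1") -> bytes:
    """Localize Ku to one SNMP engine: Kul = H(Ku || snmpEngineID || Ku) (RFC 3414 2.6)."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def localized_key(password: bytes, engine_id: bytes, algo: str = "sha1") -> bytes:
    """Convenience wrapper: password -> Ku -> Kul for the given engine ID."""
    return localize_key(password_to_key(password, algo), engine_id, algo)


def keys_collide(password: bytes, engine_a: bytes, engine_b: bytes,
                 algo: str = "sha1") -> bool:
    """True when two engines hold the same localized key for this password.

    A management station stores only Kul per engine. If two service
    processors share an engine ID, the key stored for one is valid on the
    other, which is what the advice to keep Engine IDs unique prevents.
    """
    return localized_key(password, engine_a, algo) == localized_key(password, engine_b, algo)


# Constructed engine IDs for the demonstration (not real ILOM values).
ENGINE_SP1 = bytes.fromhex("80001f8880aabbccdd01")
ENGINE_SP2 = bytes.fromhex("80001f8880aabbccdd02")

if __name__ == "__main__":
    pw = b"correct horse battery staple"
    print("Ku (kept by the operator):", password_to_key(pw).hex())
    print("Kul for SP1:", localized_key(pw, ENGINE_SP1).hex())
    print("Kul for SP2:", localized_key(pw, ENGINE_SP2).hex())
    print("SP1/SP2 share a key:", keys_collide(pw, ENGINE_SP1, ENGINE_SP2))
    print("SP1/clone share a key:", keys_collide(pw, ENGINE_SP1, ENGINE_SP1))
```

Because Kul depends on the engine ID, a localized key captured from one management station's configuration is useless against any system with a different Engine ID; the RFC 3414 Appendix A.3 test vectors (password "maplesyrup", engine ID 00…02) can be used to confirm the implementation.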

For more information about SNMP, see the Oracle ILOM 3.1 Protocol Management Reference Guide.
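A defender-side check that encodes the guidance in this section (no sets over SNMPv1/v2c, and no shared Engine IDs across the data center). The Python below is an added example and not part of the Oracle ILOM guide: it parses text in the shape of the ILOM CLI command show /SP/services/snmp captured from several service processors and reports the combinations the section warns about. The property names v1, v2c, v3, sets, servicestate and engineid are assumed to match the ILOM 3.1 CLI; the sample captures, host names and engine ID values are constructed for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample captures in the shape of "show /SP/services/snmp" from
# the ILOM CLI, one per service processor. Property names are assumed to
# match ILOM 3.1; the values, including engine IDs, are made up.
SAMPLE_OUTPUTS: Dict[str, str] = {
    "sp-01": """
 /SP/services/snmp
    Targets:
        communities
        mibs
        users

    Properties:
        engineid = 0x80001f8880aabbccdd01
        port = 161
        servicestate = enabled
        sets = disabled
        v1 = disabled
        v2c = disabled
        v3 = enabled
""",
    "sp-02": """
 /SP/services/snmp
    Properties:
        engineid = 0x80001f8880aabbccdd02
        port = 161
        servicestate = enabled
        sets = enabled
        v1 = disabled
        v2c = enabled
        v3 = enabled
""",
    "sp-03": """
 /SP/services/snmp
    Properties:
        engineid = 0x80001f8880aabbccdd02
        port = 161
        servicestate = enabled
        sets = enabled
        v1 = disabled
        v2c = disabled
        v3 = enabled
""",
}

Finding = Tuple[str, str, str]  # (device, severity, message)
PROP_RE = re.compile(r"^\s*(\w+)\s*=\s*(\S+)\s*$", re.MULTILINE)


def parse_snmp_properties(output: str) -> Dict[str, str]:
    """Return the 'name = value' properties from one show /SP/services/snmp capture."""
    return dict(PROP_RE.findall(output))


def audit_device(name: str, props: Dict[str, str]) -> List[Finding]:
    """Per-device guidance: SNMPv1/v2c is monitor-only at best; SNMPv3 may use sets."""
    findings: List[Finding] = []
    if props.get("servicestate") != "enabled":
        return findings  # SNMP off entirely: nothing to assess
    legacy = [v for v in ("v1", "v2c") if props.get(v) == "enabled"]
    if legacy and props.get("sets") == "enabled":
        findings.append((name, "HIGH",
            f"sets=enabled while {'/'.join(legacy)} enabled: a cleartext community string grants write access"))
    elif legacy:
        findings.append((name, "MEDIUM",
            f"{'/'.join(legacy)} enabled: community strings travel in cleartext; keep to monitoring or move to SNMPv3"))
    if props.get("v3") != "enabled":
        findings.append((name, "LOW", "SNMPv3 disabled: no authenticated, encrypted management path"))
    return findings


def audit_fleet(outputs: Dict[str, str]) -> List[Finding]:
    """Audit every capture, then add the fleet-wide duplicate Engine ID check."""
    findings: List[Finding] = []
    by_engine: Dict[str, List[str]] = defaultdict(list)
    for name, output in outputs.items():
        props = parse_snmp_properties(output)
        findings.extend(audit_device(name, props))
        by_engine[props.get("engineid", "")].append(name)
    for engine_id, names in by_engine.items():
        if len(names) > 1:
            findings.append(("fleet", "MEDIUM",
                f"engineid {engine_id} shared by {', '.join(sorted(names))}: localized SNMPv3 keys are interchangeable"))
    return findings


if __name__ == "__main__":
    for device, severity, message in audit_fleet(SAMPLE_OUTPUTS):
        print(f"{severity:6} {device:6} {message}")
```

With the constructed captures the audit reports sp-02 (SNMPv2c with sets enabled) and the Engine ID shared by sp-02 and sp-03; sp-03, which uses sets only over SNMPv3, passes the per-device check as the guideline allows.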