Oracle Integrated Lights Out Manager (ILOM) 3.1
This section describes how best to configure Simple Network Management Protocol (SNMP) for use with Oracle ILOM for maximum security. This section contains the following topics:
SNMP is a standard protocol used to monitor or manage a system. Oracle ILOM provides an SNMP solution for both monitoring and management, but it must be configured prior to use. It is important to understand the security implications of the various SNMP user-configurable options before configuring this service.
SNMPv1 and SNMPv2c provide no encryption and use community strings as a form of authentication. Community strings are sent in cleartext over the network and are usually shared across a group of individuals, rather than being private to an individual user. SNMPv3, conversely, uses encryption to provide a secure channel as well as individual usernames and passwords. SNMPv3 user passwords are localized so that they can be stored securely on management stations.
SNMPv1, SNMPv2c, and SNMPv3 are all supported by Oracle ILOM and can be enabled or disabled separately. In addition, “sets” can be enabled or disabled to provide an additional layer of security. This configurable option determines whether the SNMP service will allow settable SNMP MIB properties to be set. Disabling sets effectively makes the SNMP service useful for monitoring only.
By default, SNMPv1 and SNMPv2c are disabled. SNMPv3 is enabled by default, but requires creating one or more SNMP users prior to use. There are no preconfigured SNMPv3 users.
For information about how to enable or disable specific SNMP protocol versions and to create SNMPv3 users, see the Oracle ILOM 3.1 Protocol Management Reference Guide.
For maximum SNMP security, use SNMPv1 and SNMPv2c only for monitoring and do not enable “sets” when these less secure protocols are enabled. SNMPv3 can be securely used with sets enabled as a means of configuring Oracle ILOM features using SNMP. Because SNMP can be used to configure other security features, such as adding web interface and command-line interface user accounts, ensure you choose strong SNMPv3 user passwords whenever sets are enabled.
Note - You can set a MIB object when: 1) the MIB object supports modification; 2) the MAX-ACCESS element for the MIB object is set to read-write; and 3) the user attempting to perform the set is authorized to do so.
Oracle's Sun MIBs that support configurable objects and where “sets” are applicable are as follows:
SUN-HW-CTRL-MIB – This MIB is used to configure hardware policies, such as power management policies.
SUN-ILOM-CONTROL-MIB – This MIB is used to configure Oracle ILOM features, such as creating users and configuring services.
For other information about enabling SNMP management in Oracle ILOM or for a complete list of Oracle-supported SNMP MIBs, see the Oracle ILOM Protocol Management Reference for SNMP, IPMI, CIM and Ws-MAN.
The SNMP Engine ID is intended to be an identifier that is unique to each Oracle ILOM system. Although the Engine ID can be changed, for security reasons, keep this identifier unique across the data center. Having two or more systems with the same Engine ID reduces some of the security advantages of the SNMPv3 protocol.
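The following added example (not Oracle code) illustrates both the password localization mentioned earlier and the Engine ID guidance above. It implements the standard SNMPv3 USM key localization from RFC 3414 and shows that systems sharing an Engine ID end up with the same localized key for the same password. The host names and inventory are constructed, the password and first Engine ID are the RFC 3414 test vector, and SHA-1 is chosen only for illustration, since this page does not say which hash a given Oracle ILOM user is configured with.

```python
import hashlib
from collections import defaultdict

def password_to_key(password: bytes, hash_name: str = "sha1") -> bytes:
    """RFC 3414 A.2: digest of the first 1,048,576 bytes of the repeated password."""
    if not password:
        raise ValueError("password must not be empty")
    total = 1048576
    stream = (password * (total // len(password) + 1))[:total]
    return hashlib.new(hash_name, stream).digest()

def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku), a key bound to one engine."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()

def shared_engine_ids(inventory: dict) -> dict:
    """Return {engine_id_hex: [hosts]} for each Engine ID used by more than one host."""
    by_id = defaultdict(list)
    for host, engine_id in inventory.items():
        by_id[engine_id.hex()].append(host)
    return {eid: sorted(hosts) for eid, hosts in by_id.items() if len(hosts) > 1}

def localized_keys(password: bytes, inventory: dict) -> dict:
    """Localized key (hex) that each host would hold for the same user password."""
    ku = password_to_key(password)
    return {host: localize_key(ku, eid).hex() for host, eid in inventory.items()}

# Constructed inventory: hypothetical host names, made-up Engine IDs.
INVENTORY = {
    "ilom-rack1.example": bytes.fromhex("000000000000000000000002"),
    "ilom-rack2.example": bytes.fromhex("000000000000000000000003"),
    "ilom-rack3.example": bytes.fromhex("000000000000000000000002"),  # duplicate
}

if __name__ == "__main__":
    for host, key in localized_keys(b"maplesyrup", INVENTORY).items():
        print(f"{host:22} {key}")
    # Hosts listed here share a localized key whenever a user has the same password.
    print("shared Engine IDs:", shared_engine_ids(INVENTORY))
```

With unique Engine IDs, a localized key taken from one management station entry is only valid for one system; the two hosts flagged by `shared_engine_ids` lose that isolation.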
For more information about SNMP, see the Oracle ILOM 3.1 Protocol Management Reference Guide.