Oracle Integrated Lights Out Manager (ILOM) 3.1

Security Guide


Enabling or Disabling Unwanted Services to Control Open Ports

Every Oracle ILOM service can be disabled, which closes the network port that service listens on. Most services are enabled by default, but you might want to disable some of them or change default settings to make the Oracle ILOM environment more secure. Disabling a service always removes the functionality it provides, so as a general rule enable only the services that are absolutely necessary in the deployed environment, weighing the loss of features against the security benefit of exposing fewer network services.

The following table describes the impact of enabling or disabling each service.

Table 2-4 Services When Disabled

| Service | Description | Result of Enabling/Disabling |
|---|---|---|
| HTTP | A non-encrypted protocol for accessing the Oracle ILOM web interface | Enabling this service provides faster performance than encrypted HTTP (HTTPS). However, using this protocol might result in sensitive information being sent over the internet without encryption. |
| HTTPS | An encrypted protocol for accessing the Oracle ILOM web interface | Enabling this service provides secure communication between a web browser and Oracle ILOM. However, because it requires an open network port on Oracle ILOM, it increases exposure to attacks such as denial of service. |
| ServiceTag | An Oracle discovery protocol used to identify servers and facilitate service requests | Disabling this service makes it impossible for Oracle Enterprise Manager Ops Center to discover Oracle ILOM, and prevents integration into other Oracle automatic service solutions. |
| IPMI | A standard management protocol | Disabling this service might prevent Oracle Enterprise Manager Ops Center, as well as some Oracle management connectors to third-party software, from managing the system. |
| SNMP | A standard management protocol for monitoring the health of Oracle ILOM and for trap notifications | Disabling this service might prevent Oracle Enterprise Manager Ops Center, as well as some Oracle management connectors to third-party software, from managing the system. |
| KVMS | A set of protocols for providing remote keyboard, video, mouse, and storage | Disabling this service makes the host console and remote storage functionality unavailable, which prevents use of the Oracle ILOM Remote Console and CLI Storage Redirection applications. |
| Ws-Man | A standard web-services protocol for managing a system | Disabling this service prevents the protocol from being used to manage Oracle ILOM. |
| SSH | A secure protocol for accessing a remote shell | Disabling this service disallows command-line access over the network and might prevent Oracle Enterprise Manager Ops Center from discovering Oracle ILOM. |
| SSO | A single sign-on feature that reduces the number of times a user has to enter a user name and password | Disabling this service prevents launching KVMS, and drilling down from a CMM to a blade SP, without re-entering a password. |

For information about enabling and disabling individual services, see the Oracle ILOM 3.1 Configuration and Maintenance Guide.
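As an added example (not code from the Oracle guide), the following Python audit parses captured output of the ILOM CLI's `show /SP/services/<service>` targets and compares the set of enabled services with the minimum set needed for the management capabilities you actually rely on, using the dependencies listed in Table 2-4. The output layout and the `servicestate`/`state` property names are assumptions about the CLI; confirm them against the Configuration and Maintenance Guide before relying on the parser.

```python
import re

# Constructed sample of concatenated "show /SP/services/<svc>" output
# (assumed format: a target line followed by a Properties block).
SAMPLE_SHOW_OUTPUT = """
 /SP/services/http
    Properties:
        port = 80
        servicestate = enabled

 /SP/services/https
    Properties:
        port = 443
        servicestate = enabled

 /SP/services/ipmi
    Properties:
        servicestate = enabled

 /SP/services/snmp
    Properties:
        servicestate = enabled

 /SP/services/ssh
    Properties:
        state = enabled

 /SP/services/kvms
    Properties:
        servicestate = disabled
"""

# Services each management capability depends on, taken from Table 2-4.
CAPABILITY_NEEDS = {
    "web_ui": {"https"},                 # HTTPS suffices; HTTP is never required
    "ops_center": {"servicetag", "ipmi", "snmp", "ssh"},
    "remote_console": {"kvms"},
    "cli_over_network": {"ssh"},
}
CLEARTEXT = {"http"}  # enabled services that expose data without encryption

def parse_service_states(text):
    """Return {service: 'enabled'|'disabled'} parsed from show output."""
    states, current = {}, None
    for line in text.splitlines():
        target = re.match(r"\s*/SP/services/(\w+)\s*$", line)
        if target:
            current = target.group(1)
            continue
        prop = re.match(r"\s*(?:servicestate|state)\s*=\s*(\w+)", line)
        if prop and current:
            states[current] = prop.group(1)
    return states

def audit(states, required_caps):
    """List services to disable, cleartext services, and required ones missing."""
    needed = set().union(*(CAPABILITY_NEEDS[c] for c in required_caps))
    enabled = {svc for svc, val in states.items() if val == "enabled"}
    return {"disable": sorted(enabled - needed),
            "cleartext": sorted(enabled & CLEARTEXT),
            "missing": sorted(needed - enabled)}
```

Feed it the real `show` output for each service target and the capabilities your environment uses; everything under `disable` is a port you can close without losing a feature you depend on.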