Oracle Integrated Lights Out Manager (ILOM) 3.1

Security Guide


Configuring the Oracle ILOM Web Interface for Maximum Security

This section describes how to configure the Oracle ILOM web interface for maximum security. It covers SSL certificates, the web security settings, and the web interface session time-out.

Using SSL Certificates

Secure Sockets Layer (SSL) certificates are used both to encrypt communication over a network and to ensure the authenticity of a server or client. Oracle ILOM includes a self-signed SSL certificate that allows the HTTP over SSL protocol to be used out of the box, without the need to upload a certificate. When connecting to the Oracle ILOM web interface for the first time, the user is notified that a self-signed certificate is being used and is asked to accept its use. Using the certificate provided, all communication between the web browser and Oracle ILOM is fully encrypted.

However, it is also possible to upload a trusted certificate for improved security. A trusted certificate is one that has been issued by a trusted certificate authority. Using a trusted certificate from a known certificate authority ensures the authenticity of the Oracle ILOM web server. Using untrusted (self-signed) certificates opens up the possibility of a man-in-the-middle (MITM) attack, because the browser has no independent way to confirm that the certificate it is shown belongs to Oracle ILOM.

For more information about uploading a custom SSL certificate, see the Oracle ILOM 3.1 Configuration and Maintenance Guide.

Understanding Web Security Settings

The Oracle ILOM web interface provides several configurable security settings. By default, Oracle ILOM is configured to allow only the strongest Secure Sockets Layer encryption (SSLv3 and TLSv1) with the strongest ciphers. However, Oracle ILOM also supports SSLv2 as well as weaker ciphers. You might need to enable SSLv2 or “weak ciphers” to support older web browsers.

If possible, configure the web interface with the default secure settings. For more information about changing the HTTPS service settings, see the Oracle ILOM 3.1 Configuration and Maintenance Guide.

Configuring the Web Interface Session Time-Out

The Oracle ILOM web interface has a configurable session time-out. The session time-out determines how many minutes elapse before an inactive web session is automatically logged out. This feature reduces the risk of an unauthorized user finding an unattended computer with an authenticated session to Oracle ILOM.

The default time-out is 15 minutes, which is suitable for most users. Lowering the time-out means that the user might have to re-enter his or her user name and password more often, as sessions expire. However, it will shorten the amount of time during which authenticated sessions remain active.

For information about changing the web session time-out, see the Oracle ILOM 3.1 Configuration and Maintenance Guide.
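
The following added example, which is not from Oracle's documentation, parses a constructed sample of CLI output for the HTTPS service and reports settings that deviate from the secure defaults described in the two topics above (SSLv2 and weak ciphers off, session time-out no longer than the 15-minute default). The target path /SP/services/https and the property names are assumptions; confirm them in the Oracle ILOM 3.1 Configuration and Maintenance Guide.

```python
import re

# Constructed sample of CLI output for the HTTPS service. The target path and
# the property names are assumptions; confirm them in the Configuration guide.
SAMPLE_OUTPUT = """\
 /SP/services/https
    Properties:
        port = 443
        servicestate = enabled
        sessiontimeout = 60
        sslv2 = enabled
        sslv3 = enabled
        tlsv1 = enabled
        weak_ciphers = disabled
"""

DEFAULT_TIMEOUT_MIN = 15  # default web session time-out stated in this guide


def parse_properties(text):
    """Return {name: value} for every 'name = value' line in the CLI output."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$", line)
        if m:
            props[m.group(1).lower()] = m.group(2)
    return props


def audit_https(props, max_timeout=DEFAULT_TIMEOUT_MIN):
    """List deviations from the secure defaults described in this guide."""
    findings = []
    # A property that is absent is reported, never silently treated as safe.
    for name in ("sslv2", "weak_ciphers"):
        value = props.get(name)
        if value is None:
            findings.append(f"{name}: not reported, check manually")
        elif value.lower() != "disabled":
            findings.append(f"{name}: {value}, expected disabled")
    raw = props.get("sessiontimeout")
    if raw is None or not raw.isdigit():
        findings.append(f"sessiontimeout: unreadable value {raw!r}")
    elif int(raw) > max_timeout:
        findings.append(f"sessiontimeout: {raw} min, expected at most {max_timeout}")
    return findings


if __name__ == "__main__":
    for finding in audit_https(parse_properties(SAMPLE_OUTPUT)):
        print("FINDING", finding)
```

Pass a smaller max_timeout when site policy requires a time-out shorter than the default.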