Oracle Integrated Lights Out Manager (ILOM) 3.1

Security Guide

Using Remote KVMS Securely

Oracle ILOM provides the ability to remotely redirect the keyboard, video, and mouse of the host server to a remote client, as well as to mount remote storage. These features are collectively called Remote KVMS. Remote KVMS allows you to see the graphical console of the host operating system on the server by running Java applications called Oracle ILOM Remote Console and CLI Storage Redirection on a client machine.

The Oracle ILOM Remote Console and CLI Storage Redirection applications use a series of network protocols to communicate remotely with Oracle ILOM. Using the Java application, you can also control the host keyboard and mouse and mount a local storage device (such as a CD or DVD drive) on the remote server.

KVMS Encryption

The following table describes, in more detail, the way in which Remote KVMS information is transmitted over the network.

Table 3-2 Remote KVMS Transmission

| KVMS Feature | Encrypted/Not Encrypted | Results |
|---|---|---|
| Mouse redirection | Encrypted | The coordinates of your mouse are securely sent over the network to Oracle ILOM. |
| Keyboard redirection | Encrypted | Any characters that you type on the client machine are transmitted to Oracle ILOM using an encrypted protocol. |
| Video redirection | Encrypted | The video data is transmitted using an encrypted protocol between the Java client and Oracle ILOM. |
| Storage redirection | Not Encrypted | Data read and written to a storage device is transmitted over the network to Oracle ILOM without encryption. |

Multiple User Sessions and Remote KVMS

Remote KVMS video redirects what you would see if you were looking at a physical monitor connected to that server. While it is possible to have multiple remote clients with KVMS sessions to Oracle ILOM, each session will display the exact same video since there is typically only one video output for a single server.

Likewise, anything that you type on the screen from one Remote KVMS session will be visible to other KVMS users connected to the same machine. Most importantly, if one user logs in to the host operating system inside of the Oracle ILOM Remote Console and CLI Storage Redirection applications as a privileged user, all other KVMS users will be able to share that authenticated session. Therefore, it is important to understand that the Remote KVMS feature allows for shared connections.

Using the Host Lock Feature to Prevent Unauthorized Use

The host console is considered a shared network resource when using Remote KVMS. If one user logs in to the host console and closes the Oracle ILOM Remote Console and CLI Storage Redirection applications without logging out of the host operating system, a second user who connects to the same console using Remote KVMS will be able to use the previously authenticated operating system session. For this reason, Oracle ILOM provides the ability to automatically lock the host operating system whenever a Remote KVMS session is disconnected. For maximum security, enable or configure this feature in Oracle ILOM.

For information about how to enable the host lock feature, see the Oracle ILOM 3.1 Configuration and Maintenance Guide.
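
As an added example (not part of Oracle's guide), the following Python audit reads saved output of `show /SP/services/kvms` and reports service processors on which a disconnected Remote KVMS session would leave the host operating system unlocked. The property names lockmode, custom_lock_key and servicestate are assumed from the ILOM CLI rather than taken from this page, and the captures and host names are constructed.

```python
import re

# Constructed captures of `show /SP/services/kvms` from three hypothetical
# service processors; host names and values are made up for the example.
SAMPLE_CAPTURES = {
    "sp-a.example.net": """ /SP/services/kvms
    Properties:
        lockmode = disabled
        servicestate = enabled""",
    "sp-b.example.net": """ /SP/services/kvms
    Properties:
        custom_lock_key = (none)
        lockmode = custom
        servicestate = enabled""",
    "sp-c.example.net": """ /SP/services/kvms
    Properties:
        lockmode = windows
        servicestate = enabled""",
}

PROP_RE = re.compile(r"^\s*(\w+)\s*=\s*(.*?)\s*$")

def parse_properties(show_output):
    """Collect the 'name = value' lines of a `show` listing into a dict."""
    matches = (PROP_RE.match(line) for line in show_output.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}

def host_lock_finding(show_output):
    """Return None when host lock is effective, otherwise a finding string."""
    props = parse_properties(show_output)
    if props.get("servicestate") == "disabled":
        return None  # Remote KVMS is off: no shared console session to lock
    mode = props.get("lockmode")
    if mode is None:
        return "lockmode not reported, check manually"
    if mode == "disabled":
        return "host lock disabled: OS session survives a KVMS disconnect"
    if mode == "custom" and props.get("custom_lock_key") in (None, "", "(none)"):
        return "lockmode=custom but no custom_lock_key is set"
    return None

def audit(captures):
    """Map each host with an ineffective host lock to its finding."""
    results = {host: host_lock_finding(text) for host, text in captures.items()}
    return {host: finding for host, finding in results.items() if finding}

if __name__ == "__main__":
    for host, finding in sorted(audit(SAMPLE_CAPTURES).items()):
        print(f"{host}: {finding}")
```

The custom case is flagged because a lock mode that depends on a key sequence cannot lock the host when no key is configured.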