Oracle ILOM 3.1 Documentation
Configuring LDAP/SSL
System administrators can optionally configure Oracle ILOM to use the LDAP/SSL directory service
to authenticate Oracle ILOM users, as well as define user authorization levels for
using features within Oracle ILOM.
The property for the LDAP/SSL service state, in Oracle ILOM, is disabled by
default. To enable the LDAP/SSL service state and configure Oracle ILOM as an
LDAP/SSL client, see the following tables:
Table 23 Enabling LDAP/SSL Authentication

State (state=)
Default value: Disabled
Possible values: Disabled | Enabled
To configure Oracle ILOM to use the LDAP/SSL authentication and authorization directory service, set the State property to enabled. When the State property is set to disabled, Oracle ILOM does not use the LDAP/SSL service for user authentication or authorization levels. When the State property is enabled and the Strict Certificate Mode property is disabled, Oracle ILOM performs only some validation of the LDAP/SSL server certificate over the secure channel at the time of user authentication. When the State property is enabled and the Strict Certificate Mode property is also enabled, Oracle ILOM fully verifies the digital signature of the LDAP/SSL server certificate over the secure channel at the time of user authentication.
CLI State Syntax: set /SP|CMM/clients/ldapssl/ state=disabled|enabled

Roles (defaultrole=)
Default value: None (server authorization)
Possible values: Administrator | Operator | Advanced | None (server authorization)
To define which features in Oracle ILOM are accessible to LDAP/SSL authenticated users, set the default Roles property to one of the four accepted values: Administrator (a|u|c|r|o), Operator (c|r|o), Advanced (a|u|c|r|o|s), or None (server authorization). When the default Roles property is set to an Oracle ILOM user role, authorization levels for using features within Oracle ILOM are dictated by the privileges granted by that user role. For a description of the privileges assigned, see the tables listed in the Related Information section for user role and user profile. When the default Roles property is set to None (server authorization) and Oracle ILOM is configured to use LDAP/SSL Groups, the authorization levels for using features within Oracle ILOM are dictated by the LDAP/SSL Group. For further LDAP/SSL configuration details, see the table that describes LDAP/SSL Groups (Table 25).
CLI Roles Syntax: set /SP|CMM/clients/ldapssl/ defaultrole=administrator|operator|a|u|c|r|o|s|none

Address (address=)
Default value: 0.0.0.0
Possible values: IP address | DNS host name (Active Directory Server)
To configure the network address for the LDAP/SSL server, populate the Address property with the LDAP/SSL server IP address or DNS host name. If a DNS host name is used, the DNS configuration properties in Oracle ILOM must be properly configured and operational.
CLI Address Syntax: set /SP|CMM/clients/ldapssl/ address=LDAP/SSL_server_ip_address|active_directory_server_dns_host_name

Port (port=)
Default value: 0 Auto-select
Possible values: 0 Auto-select | Non-standard TCP port
A standard TCP port is used by Oracle ILOM to communicate with the LDAP/SSL server. When the Port Auto-select property is enabled, the Port number is set to 0 by default. When the Port Auto-select property is disabled, the Port number property in the web interface becomes user-configurable. A configurable Port property is provided in the unlikely event that Oracle ILOM needs to use a non-standard TCP port.
CLI Port Syntax: set /SP|CMM/clients/ldapssl/ port=number

Timeout (timeout=)
Default value: 4 seconds
Possible values: 4 | user-specified
The Timeout property is set to 4 seconds by default. If necessary, adjust this value to fine-tune response time when the LDAP/SSL server is unreachable or not responding. The Timeout property designates the number of seconds to wait for an individual transaction to complete. The value does not represent the total time for all transactions to complete, since the number of transactions can differ depending on the configuration.
CLI Timeout Syntax: set /SP|CMM/clients/ldapssl/ timeout=number_of_seconds

Strict Certificate Mode (strictcertmode=)
Default value: Disabled
Possible values: Disabled | Enabled
When enabled, Oracle ILOM fully verifies the LDAP/SSL certificate signatures at the time of authentication over a secure channel. When disabled, Oracle ILOM provides only limited validation of the server certificate at the time of authentication over a secure channel.
Caution – The LDAP/SSL server certificate must be uploaded to Oracle ILOM prior to enabling the Strict Certificate Mode property.
CLI Strict Certificate Mode Syntax: set /SP|CMM/clients/ldapssl/ strictcertmode=disabled|enabled

Optional User Mapping (/optionalUsermapping)
Default value: Disabled
Possible values: Disabled | Enabled
The Optional User Mapping property is typically used when a uid was not used as part of the user domain login name. Set the Optional User Mapping property to enabled if there is a need to convert simple user login names to domain names for user authentication.
State – When enabled, alternative attributes are configurable for user credential authentication.
Attribute Information – Enter the attribute login information using the accepted input format (&(objectclass=person)(uid=<USERNAME>)). The Attribute Information enables the LDAP/SSL query to search user domain names based on the attribute login information provided.
Searchbase – Set the Searchbase property to the Distinguished Name of the search base object or to a branch in the LDAP tree where Oracle ILOM should look for LDAP user accounts. Input format: OU={organization},DC={company},DC={com}
Bind DN – Set the Bind DN property to the Distinguished Name (DN) of a read-only proxy user on the LDAP server. Oracle ILOM must have read-only access to your LDAP server to search and authenticate users. Input format: OU={organization},DC={company},DC={com}
Bind Password – Set the Bind Password property to the password of the read-only proxy user.
CLI Optional User Mapping Syntax: set /SP|CMM/clients/ldapssl/optionalUsermapping/ attributeInfo=<string> searchbase=<string> binddn=cn=proxyuser,ou=organization_name,dc=company,dc=com bindpw=password

Log Detail (logdetail=)
Default value: None
Possible values: None | High | Medium | Low | Trace
To specify the type of diagnostic information recorded in the Oracle ILOM event log for LDAP/SSL events, set the Log Detail property to one of the five accepted values (none, high, medium, low or trace).
CLI Log Detail Syntax: set /SP|CMM/clients/ldapssl/ logdetail=none|high|medium|low|trace

Save
Web interface – To apply changes made to properties within the LDAP/SSL Settings page, you must click Save.
Table 24 Uploading or Removing an LDAP/SSL Certificate File

Certificate File Status (certstatus=)
Default value: Read-only
Possible values: Certificate Present | Certificate Not Present
The Certificate File Status property indicates whether an LDAP/SSL certificate has been uploaded to Oracle ILOM.
CLI Certificate Status Syntax: show /SP|CMM/clients/ldapssl/cert

File Transfer Method
Default value: Browser (web interface only)
Possible values: Browser | TFTP | FTP | SCP | Paste
For a detailed description of each file transfer method, see File Transfer Methods.

Load Certificate (load_uri=)
Web interface – Click the Load Certificate button to upload the LDAP/SSL certificate file that is designated in the File Transfer Method property.
CLI Load Certificate Syntax: load_uri=file_transfer_method://host_address/file_path/filename

Remove Certificate (clear_action=true)
Web interface – Click the Remove Certificate button to remove the LDAP/SSL certificate file presently stored in Oracle ILOM. When prompted, click Yes to continue the action or No to cancel the action.
CLI Remove Certificate Syntax: set /SP|CMM/clients/ldapssl/cert clear_action=true -or- reset /SP|CMM/clients/ldapssl/cert
When prompted, type y to continue the action or n to cancel the action.
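The State, Strict Certificate Mode, Roles, Log Detail and Certificate File Status semantics in Tables 23 and 24 combine into a small number of configurations worth flagging on a fleet. The following Python script is an added example, not Oracle's code or output: it parses text shaped like the `show /SP/clients/ldapssl` and `show /SP/clients/ldapssl/cert` listings (the two listings embedded in it are constructed, and the Targets/Properties/Commands layout is an assumption about the CLI's output) and reports the weak combinations the tables describe: strictcertmode left disabled, strict mode enabled before the certificate was uploaded, the 0.0.0.0 default address, defaultrole=none with no group tables configured, a blanket Administrator default role, and logdetail=trace left on after troubleshooting. The hostname ldapssl.example.com is a placeholder.

```python
"""Posture check for an Oracle ILOM LDAP/SSL client configuration.

Added example (not Oracle's code). Input is text shaped like the output of
`show /SP/clients/ldapssl` and `show /SP/clients/ldapssl/cert`; the sample
listings below are constructed for this example.
"""
import re
from typing import Dict, List

# Constructed sample: a weak configuration as it might be left after testing.
SAMPLE_LDAPSSL = """\
 /SP/clients/ldapssl
    Targets:
        admingroups
        alternateservers
        cert
        customgroups
        operatorgroups
        optionalUsermapping
        userdomains

    Properties:
        address = ldapssl.example.com
        defaultrole = Administrator
        logdetail = trace
        port = 0
        state = enabled
        strictcertmode = disabled
        timeout = 4

    Commands:
        cd
        set
        show
"""

SAMPLE_CERT = """\
 /SP/clients/ldapssl/cert
    Properties:
        certstatus = certificate not present
        clear_action = (none)
"""

# The same device after hardening: strict mode on, certificate uploaded,
# roles delegated to the group tables, logging back to the default.
HARDENED_LDAPSSL = (SAMPLE_LDAPSSL
                    .replace("defaultrole = Administrator", "defaultrole = none")
                    .replace("logdetail = trace", "logdetail = none")
                    .replace("strictcertmode = disabled", "strictcertmode = enabled"))
HARDENED_CERT = SAMPLE_CERT.replace("certificate not present", "certificate present")

PROP_RE = re.compile(r"^\s*(\w+)\s*=\s*(.*?)\s*$")


def parse_show_output(text: str) -> Dict[str, str]:
    """Collect `name = value` pairs from the Properties: block; values are lower-cased."""
    props: Dict[str, str] = {}
    in_props = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith(":"):            # Targets: / Properties: / Commands:
            in_props = stripped == "Properties:"
            continue
        if in_props:
            m = PROP_RE.match(line)
            if m:
                props[m.group(1)] = m.group(2).lower()
    return props


def audit_ldapssl(props: Dict[str, str], cert: Dict[str, str],
                  groups_configured: bool) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    if props.get("state") != "enabled":
        return ["state is disabled: the LDAP/SSL client is not in use."]
    strict = props.get("strictcertmode") == "enabled"
    if not strict:
        findings.append("strictcertmode is disabled: the server certificate is only partially "
                        "validated, so a forged certificate on the path may not be rejected.")
    if strict and cert.get("certstatus") != "certificate present":
        findings.append("strictcertmode is enabled but no certificate is uploaded; the "
                        "documentation requires the upload before enabling strict mode.")
    if props.get("address", "") in ("", "0.0.0.0"):
        findings.append("address is the 0.0.0.0 default: no LDAP/SSL server is configured.")
    role = props.get("defaultrole", "none")
    if role == "none" and not groups_configured:
        findings.append("defaultrole is none (server authorization) but no Admin, Operator or "
                        "Custom group is configured, so authenticated users receive no roles.")
    if role == "administrator":
        findings.append("defaultrole is Administrator: every LDAP/SSL-authenticated user gets "
                        "a|u|c|r|o; consider none plus Admin/Operator/Custom groups.")
    if props.get("logdetail") == "trace":
        findings.append("logdetail is trace: meant for troubleshooting; reset it to none.")
    return findings


def audit_sample() -> List[str]:
    """Findings for the constructed weak configuration (three expected)."""
    return audit_ldapssl(parse_show_output(SAMPLE_LDAPSSL),
                         parse_show_output(SAMPLE_CERT), groups_configured=False)


def audit_hardened() -> List[str]:
    """Findings for the hardened configuration (none expected)."""
    return audit_ldapssl(parse_show_output(HARDENED_LDAPSSL),
                         parse_show_output(HARDENED_CERT), groups_configured=True)


if __name__ == "__main__":
    for label, found in (("weak", audit_sample()), ("hardened", audit_hardened())):
        print(f"{label}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

To run it against a real device, capture the two `show` listings over SSH and pass them to `parse_show_output`; the `groups_configured` flag should be derived from `show /SP/clients/ldapssl/admingroups` (and the operator and custom group targets), which this example leaves to the caller.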
Table 25 Optionally Configuring LDAP/SSL Groups

Admin Groups (/admingroups/1|2|3|4|5)
A system administrator can optionally configure Admin Group properties instead of the Role properties in Oracle ILOM to provide user authorization. Oracle ILOM supports the configuration of up to five Admin Groups. When Admin Group properties are enabled in Oracle ILOM, a user's group membership is checked for any matching groups defined in the admin table. If a match occurs, the user is granted Administrator-level access.
Note – Oracle ILOM grants a group member one or more authorization levels based on the matching groups (operator, administrator, or custom) found in each configured group table.
CLI Admin Group Syntax: set /SP|CMM/clients/ldapssl/admingroups/n name=string
Example Syntax:
set /SP/clients/ldapssl/admingroups/1/ name=CN=spSuperAdmin,OU=Groups,DC=sales,DC=oracle,DC=com
Set 'name' to 'CN=spSuperAdmin,OU=Groups,DC=sales,DC=oracle,DC=com'

Operator Groups (/operatorgroups/1|2|3|4|5)
A system administrator can optionally configure Operator Group properties instead of the Role properties in Oracle ILOM to provide user authorization. Oracle ILOM supports the configuration of up to five Operator Groups. When Operator Group properties are enabled in Oracle ILOM, a user's group membership is checked for any matching groups defined in the operator table. If a match occurs, the user is granted Operator-level access.
Note – Oracle ILOM grants a group member one or more authorization levels based on the matching groups (operator, administrator, or custom) found in each configured group table.
CLI Operator Group Syntax: set /SP|CMM/clients/ldapssl/operatorgroups/n name=string
Example Syntax:
set /SP/clients/ldapssl/operatorgroups/1 name=CN=spSuperOper,OU=Groups,DC=sales,DC=oracle,DC=com
Set 'name' to 'CN=spSuperOper,OU=Groups,DC=sales,DC=oracle,DC=com'

Custom Groups (/customgroups/1|2|3|4|5)
A system administrator can optionally configure up to five Custom Group properties in Oracle ILOM to provide user authorization. Oracle ILOM uses the Custom Group properties to determine the appropriate user roles to assign when authenticating users who are members of a Custom Group. When enabling the use of Custom Groups in Oracle ILOM, both the Roles property and the Custom Groups property must be configured. For further information about the configuration properties for Roles, see the Roles property in Enabling LDAP/SSL Authentication (Table 23).
Note – Oracle ILOM grants a group member one or more authorization levels based on the matching groups (operator, administrator, or custom) found in each configured group table.
CLI Custom Groups Syntax: set /SP|CMM/clients/ldapssl/customgroups/n name=string roles=administrator|operator|a|u|c|r|o|s
Example Syntax:
set /SP/clients/ldapssl/customgroups/1 name=CN=spSuperOper,OU=Groups,DC=sales,DC=oracle,DC=com roles=au
Set 'name' to 'CN=spSuperOper,OU=Groups,DC=sales,DC=oracle,DC=com'
Set 'roles' to 'au'

Save
Web interface – To apply changes made to properties in the Admin, Operator, or Custom Group dialogs, you must click Save.
Table 26 Configuring LDAP/SSL User Domains

User Domains (/userdomains/1|2|3|4|5)
A system administrator can optionally configure up to five User Domains. When one or more User Domains are defined, Oracle ILOM uses these properties in sequence until it is able to authenticate the LDAP/SSL user. Use the following possible values to populate the configuration properties for each User Domain in Oracle ILOM.
UID format: uid=<USERNAME>,ou=people,dc=company,dc=com
DN format: CN=<USERNAME>,CN=Users,DC=domain,DC=company,DC=com
Note – You can use <USERNAME> as a literal. When <USERNAME> is used as a literal, Oracle ILOM replaces <USERNAME> during user authentication with the login name entered.
You can optionally specify a specific searchbase by appending the <BASE:string> property after the user domain configuration. For syntax details, see Example 3 below.
CLI User Domains Syntax: set /SP|CMM/clients/ldapssl/userdomains/n domain=string
Example 1: domain=CN=<USERNAME>
set /SP/clients/ldapssl/userdomains/1 domain=CN=<USERNAME>,OU=Groups,DC=sales,DC=oracle,DC=com
Set 'domain' to 'CN=<USERNAME>,OU=Groups,DC=sales,DC=oracle,DC=com'
Example 2: domain=CN=spSuperAdmin
set /SP/clients/ldapssl/userdomains/1 domain=CN=spSuperAdmin,OU=Groups,DC=sales,DC=oracle,DC=com
Set 'domain' to 'CN=spSuperAdmin,OU=Groups,DC=sales,DC=oracle,DC=com'
Example 3: Searchbase syntax using <BASE:string>
set /SP/clients/ldapssl/userdomains/1 domain=uid=<USERNAME>,ou=people,dc=oracle,dc=com<BASE:ou=doc,dc=oracle,dc=com>

Save
Web interface – To apply changes made to properties in the LDAP/SSL User Domain dialog, you must click Save.
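Tables 25 and 26 together describe an authentication and authorization flow: User Domains are tried in sequence with the literal <USERNAME> replaced by the login name and an optional <BASE:...> suffix supplying the searchbase, and roles are then granted from whichever Admin, Operator and Custom group tables the user's groups match. The following Python model is an added example, not Oracle's code, and makes no LDAP connection: the directory, users, passwords, group names and the example.com domains are constructed, and the reading that a default Roles value other than None overrides the group tables is this model's interpretation of the Roles description in Table 23. The DN escaping step is an assumption about what any client substituting a login name into a DN must do; the page does not say how ILOM handles it.

```python
"""Model of LDAP/SSL User Domain resolution and group-to-role mapping.

Added example (not Oracle's code). Domains are tried in order, <USERNAME>
is replaced by the login name, <BASE:...> supplies a searchbase, and roles
are the union of the matching group tables when defaultrole is none. The
directory, credentials and group names below are constructed.
"""
import hmac
import re
from typing import List, Optional, Tuple

ROLE_ORDER = "aucros"                 # ILOM role letters in documented order
BASE_RE = re.compile(r"<BASE:(.*?)>$")


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for an attribute value placed into a DN (assumption:
    a client building the DN itself must do this, or a login name containing
    ',' could bind as a different DN)."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out


def expand_domain(template: str, username: str) -> Tuple[str, Optional[str]]:
    """Split off an optional <BASE:...> suffix, then substitute <USERNAME>."""
    base = None
    m = BASE_RE.search(template)
    if m:
        base, template = m.group(1), template[:m.start()]
    return template.replace("<USERNAME>", escape_dn_value(username)), base


def canonical_roles(letters: str) -> str:
    """Deduplicate role letters and order them a, u, c, r, o, s."""
    return "".join(ch for ch in ROLE_ORDER if ch in letters)


def expand_role(role: str) -> str:
    """Map the accepted role values (named roles or letters) to role letters."""
    named = {"administrator": "aucro", "operator": "cro", "advanced": "aucros", "none": ""}
    return canonical_roles(named.get(role.lower(), role.lower()))


# Constructed directory: lower-cased DN -> credentials and group membership.
DIRECTORY = {
    "uid=jsmith,ou=people,dc=example,dc=com": {
        "password": "constructed-pw",
        "groups": ["CN=spSuperOper,OU=Groups,DC=sales,DC=example,DC=com"]},
    "cn=aadmin,cn=users,dc=corp,dc=example,dc=com": {
        "password": "constructed-pw2",
        "groups": ["CN=spSuperAdmin,OU=Groups,DC=sales,DC=example,DC=com",
                   "CN=spConsole,OU=Groups,DC=sales,DC=example,DC=com"]},
}
# Constructed /userdomains/1..2, /admingroups/1, /operatorgroups/1, /customgroups/1.
USERDOMAINS = [
    "CN=<USERNAME>,CN=Users,DC=corp,DC=example,DC=com",
    "uid=<USERNAME>,ou=people,dc=example,dc=com<BASE:ou=people,dc=example,dc=com>",
]
ADMINGROUPS = ["CN=spSuperAdmin,OU=Groups,DC=sales,DC=example,DC=com"]
OPERATORGROUPS = ["CN=spSuperOper,OU=Groups,DC=sales,DC=example,DC=com"]
CUSTOMGROUPS = [("CN=spConsole,OU=Groups,DC=sales,DC=example,DC=com", "cr")]


def authenticate(username: str, password: str) -> Optional[Tuple[str, Optional[str], List[str]]]:
    """Try each User Domain in sequence; return (bound DN, searchbase, groups) on success."""
    for template in USERDOMAINS:
        dn, base = expand_domain(template, username)
        entry = DIRECTORY.get(dn.lower())
        if entry and hmac.compare_digest(entry["password"], password):
            return dn, base, entry["groups"]
    return None


def resolve_roles(member_of: List[str], defaultrole: str) -> str:
    """A defaultrole other than none dictates the roles; with none, union the
    roles of every group table entry the user matches."""
    if defaultrole.lower() != "none":
        return expand_role(defaultrole)
    mine = {g.lower() for g in member_of}
    granted = ""
    granted += "".join("aucro" for name in ADMINGROUPS if name.lower() in mine)
    granted += "".join("cro" for name in OPERATORGROUPS if name.lower() in mine)
    granted += "".join(expand_role(r) for name, r in CUSTOMGROUPS if name.lower() in mine)
    return canonical_roles(granted)


def login(username: str, password: str, defaultrole: str = "none") -> Optional[str]:
    """Full flow: authenticate through the User Domains, then derive the roles."""
    result = authenticate(username, password)
    if result is None:
        return None
    _dn, _base, groups = result
    return resolve_roles(groups, defaultrole)


if __name__ == "__main__":
    print(expand_domain(USERDOMAINS[1], "jsmith"))
    print("jsmith:", login("jsmith", "constructed-pw"))
    print("aadmin:", login("aadmin", "constructed-pw2"))
    print("crafted name:", login("jsmith,ou=people", "constructed-pw"))
```

The jsmith entry exists only under the second User Domain, so the first template is tried and fails before the uid-format one binds; aadmin matches both the Admin and the Custom table and ends up with the union a|u|c|r|o. A login name carrying a comma is escaped into a single attribute value and therefore resolves to no entry rather than to a different DN.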
Table 27 Optionally Configuring LDAP/SSL Alternate Servers

Alternate Servers (/alternateservers/1|2|3|4|5)
Oracle ILOM enables you to configure up to five LDAP/SSL alternate servers. Alternate servers provide authentication redundancy, as well as a choice of different LDAP/SSL servers to use when you need to isolate domains. Each LDAP/SSL alternate server uses the same user authorization rules and requirements as the primary LDAP/SSL server. For example, Oracle ILOM will use the user roles configured in the Roles property to authorize users. However, if the Roles property is not configured, Oracle ILOM will query the authentication server for the appropriate authorization roles. Each alternate server has its own properties for network address, port, and certificate status, and its own commands for uploading and removing a certificate. If an LDAP/SSL certificate is not supplied but is required, Oracle ILOM will use the top-level primary LDAP/SSL server certificate.
CLI Alternate Servers Address and Port Syntax: set /SP|CMM/clients/ldapssl/alternateservers/n address=string port=string
CLI Alternate Server Certificate Syntax:
show /SP|CMM/clients/ldapssl/alternateservers/n/cert
load_uri=file_transfer_method://host_address/file_path/filename
set /SP|CMM/clients/ldapssl/alternateservers/n/cert clear_action=true

Save
Web interface – To apply changes made to properties in the LDAP/SSL Alternate Servers dialog, you must click Save.
Table 28 Guidelines for Troubleshooting LDAP/SSL Authentication

Refer to the following guidelines when troubleshooting LDAP/SSL authentication and authorization attempts in Oracle ILOM.
To test LDAP/SSL authentication and set the Oracle ILOM event log to trace LDAP/SSL events, follow these steps:
1: Set the LDAP/SSL Log Detail property to trace.
2: Attempt an authentication to Oracle ILOM to generate events.
3: Review the Oracle ILOM event log file.
Ensure that the user groups and user domains configured on the LDAP/SSL server match the user groups and user domains configured in Oracle ILOM.
The Oracle ILOM LDAP/SSL client does not manage clock settings. The clock settings in Oracle ILOM are configurable manually or through an NTP server.
Note – When the clock setting in Oracle ILOM is configured using an NTP server, Oracle ILOM performs an ntpdate using the NTP server(s) before starting the NTP daemon.