Sun Flash Accelerator F80 PCIe Card Security Guide


Updated: December 2016
 
 

Maintaining a Secure Environment

After the initial installation and setup of the Sun Flash Accelerator F80 PCIe Card, use Oracle hardware and software security features to continue controlling hardware and tracking system assets.

The following sections are included:

Asset Tracking

Use serial numbers to track inventory. Oracle embeds serial numbers in firmware on option cards and system motherboards. You can read these serial numbers through local area network connections.

You can also use wireless radio frequency identification (RFID) readers to further simplify asset tracking. Refer to an Oracle white paper, How to Track Your Oracle Sun System Assets by Using RFID.

Firmware Updates

Keep firmware versions current on your equipment.

  • Check regularly for updates.

  • All operating systems in general, and Oracle Solaris in particular, require you to log in with root credentials to administer the cards and to upgrade the drivers or firmware.

  • Always install the latest released version of the firmware.

Software Updates

Keep your software versions current on your equipment.

  • Software updates for Oracle Solaris drivers are available through Oracle Solaris patches and updates.

  • Software updates for drivers for other operating systems may be available from http://www.avagotech.com.

  • Refer to the product notes provided with your Sun Flash Accelerator F80 PCIe Card for late-breaking news, information about software update requirements, or other security information.

  • Always install the latest released version of the software.

  • Install any necessary security patches for your software.

  • Devices also contain firmware and might require firmware updates.

Log Security

Inspect and maintain your log files on a regular schedule.

  • Review logs for possible incidents and archive them in accordance with a security policy.

  • Periodically retire log files when they exceed a reasonable size. Maintain copies of the retired files for possible future reference or statistical analysis.

Module Security

The software and firmware modules are:


Note -  The term WarpDrive in the text refers to the Sun Flash Accelerator F80 PCIe Card.

MSM Application Security

MegaRAID Storage Manager (MSM) is a software application that provides a graphical user interface to configure and interact with the WarpDrive firmware through the driver. MSM also monitors and maintains storage configurations on the LSI® MegaRAID, SAS, and WarpDrive controllers.

The security considerations for MSM modules in a Sun Flash Accelerator F80 PCIe Card are:

  • MegaRAID Storage Manager compatibility: Linux 64-bit, Solaris x86.

  • Refer to the user guide provided by LSI, the online help built into MSM, and the readme file provided with the installer. Go to http://www.avagotech.com.

  • Users are required to authenticate before any access is allowed.

    • If a user is authenticated as root, all hardware access is allowed.

    • If authenticated as user, only view-only privilege is allowed.

  • Normally, log files have write permission, binary files have execution permission, and other files are read-only.

  • Only one user has administrative privilege at a time. Other users have view-only privilege. A built-in Java random number generator is used to generate a session ID at the time of client-server authentication.

  • The client and the server are implemented in Java. The client and server use TCP/IP to communicate with each other. The server communicates with the library using JNI.

  • MSM interacts with the Internet but does not support IPv6.

  • MSM uses SSL to communicate between client and server.

  • The firewall settings of your system depend upon the type of installation performed.

    • Under all installations except local, the firewall will need to be configured to control access to the MSM Client and Server.

    • The local installation will use the localhost IP.

  • Root user access is needed to configure or modify settings. To limit access by potential attackers, follow these guidelines:

    • Choose a secure password.

    • Use different passwords for all systems that are running MSM components, both client and server.

  • Optionally, LDAP can be used to authenticate access to the servers.

  • The MegaRAID Storage Manager (MSM) can be installed in the following ways:

    • Complete: All components are installed.

    • Client: Only components required to remotely view and configure servers are installed. Ports 3071 and 5571 need to be opened.

    • Server: Only components required for remote server management are installed.

      Besides a unicast address, the MSM server also uses the multicast IP address 229.111.112.12 as well as TCP/UDP ports 3071 and 5571.

      For SNMP, ports 161 and 162 need to be opened. If LDAP is configured, port 389 needs to be opened.

    • StandAlone: Only components required for local server management are installed.

    • Local: Only components required for local server configuration are installed.
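
The port list above can be checked against what a host actually exposes. The following is an added example, not part of the Oracle guide or the MSM software: it filters `ss -H -tuln` output for the ports named in this guide (3071, 5571, 161, 162) and reports any that are bound to a non-loopback address. The function names and the sample socket lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report listeners on the MSM/SNMP ports named in this guide
# that are bound to a non-loopback address.
# Live use (Linux, iproute2):  ss -H -tuln | msm_exposed_listeners

# Reads `ss -H -tuln` lines on stdin; optional $1 = space-separated port list.
msm_exposed_listeners() {
    awk -v ports="${1:-3071 5571 161 162}" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) watch[p[i]] = 1 }
    {
        local_ep = $5                       # "Local Address:Port" column
        idx = match(local_ep, /:[0-9]+$/)   # last colon splits address and port
        if (!idx) next
        addr = substr(local_ep, 1, idx - 1)
        port = substr(local_ep, idx + 1)
        if (!(port in watch)) next          # not a port this guide lists
        if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only: not exposed
        print $1 "/" port " bound to " addr
    }'
}

# Constructed sample of `ss -H -tuln` output (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
udp   UNCONN 0      0            0.0.0.0:161        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:162        0.0.0.0:*
tcp   LISTEN 0      50                 *:3071             *:*
tcp   LISTEN 0      50         127.0.0.1:5571       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
EOF
}

sample_ss_output | msm_exposed_listeners
```

On a Local installation, which uses the localhost IP, the function should print nothing; on the other installation types, each printed line is a listener that the firewall rules need to cover.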

Diagnostic Services Security

Diagnostic Services is a service daemon application that listens for WarpDrive associated trigger events issued by the driver. Diagnostic Services collects diagnostic information from the WarpDrive when a reported event occurs, or when requested by a user.

The security considerations for Diagnostic Services modules in a Sun Flash Accelerator F80 PCIe Card are:

  • The Diagnostic Services daemon uses the storelib library API to configure trigger events of interest and to get event notification.

  • Diagnostic Services event and log information is obtained exclusively via the storelib library API and saved in log files.

  • Diagnostic Services uses UDP port 162.

  • A sample user event script file is installed by default but not used unless it is configured for debugging purposes.

  • Diagnostic Services configuration and log files are read-only for everyone and have write permission for root user. Binary files are read-only for everyone, but have write and execution permission for a root user.

  • Diagnostic Services, if configured, may send SNMP trap messages when events occur. A pipe is used internally for monitoring.

Linux Diagnostic Driver Security

The Linux Diagnostic Driver is the MPT2SAS SAS2 6 Gb driver that can automatically post a Host Trace Buffer (2 MB) at startup, implement diagnostic service triggers, and support multiple functions using the management interface application. Based on the trigger attributes, the driver monitors errors and adds a new diagnostic service event for future reference.

The security considerations for the Linux Diagnostic Driver in a Sun Flash Accelerator F80 PCIe Card are:

  • The Linux Diagnostic Driver runs in kernel space. If the OS is virtualized, the driver runs in the parent.

  • The Linux Diagnostic Driver captures the trace buffer from the firmware when a set of triggering events occurs. These trigger events are specified by the system administrator and are fed to the driver through the Sysfs interface in the kernel.

  • Only a root user with permission can write to the Linux Diagnostic Driver Sysfs attribute files.

  • Linux Diagnostic Driver SAS2 generation products support EEDP (End-to-end data protection).

  • The Linux Diagnostic Driver is between the hardware, firmware, and the operating system mid-layer. The Linux Diagnostic Driver uses established industry SAS2 and SATA protocols and LSI message-passing technology on the bottom end, and OS calls on the top end to handle storage data flow.

  • The Linux Diagnostic Driver source is Open Source, and vetted by the Linux kernel community.

  • The Linux Diagnostic Driver has full access to all the hardware it is managing, as well as access to all the kernel structures needed for it to function. The Linux Diagnostic Driver has full access to all the kernel interfaces used to manage SCSI IOs.

SNMP Security

The SNMP agent enables you to manage and monitor LSI SAS controllers using Simple Network Management Protocol (SNMP). The controller family supported by SNMP is LSI MR, IR, IR2, and WarpDrive. You can use a MIB browser, or create your own, to monitor and configure the topology exposed by the LSI SNMP agent.

The security considerations for SNMP modules in a Sun Flash Accelerator F80 PCIe Card are:

  • The SNMP subagent uses Simple Network Management Protocol to provide information about the monitoring system to an SNMP client.

  • The SNMP client could be any MIB Browser that supports SNMPv1.

  • The MR/IR SNMP sub-agent retrieves information from storelib libraries using the storelib API. Storelib makes IOCTLs (input-output control) to the driver to get that information.

  • SNMP log files have write permission, binary files have execution permission, other files are read-only.

  • Authentication using a Net-SNMP supported authentication mechanism is required for any SNMP access.

WarpDrive Controller Firmware Security

The WarpDrive Controller firmware runs on the WarpDrive controller board. It offers a 6 Gbps or legacy 3 Gbps transfer rate to SATA solid state drives (DFFs) connected to the WarpDrive controller board. Host connectivity to the WarpDrive controller is supported through a PCIe 2.0 connection.

The security considerations for WarpDrive Controller firmware in a Sun Flash Accelerator F80 PCIe Card are:

  • WarpDrive Controller firmware executes on the processor located on the controller board.

  • The WarpDrive OS drivers are above the WarpDrive Controller firmware and communicate through PCIe, using the MPI (message passing interface).

  • The WarpDrive Controller firmware interacts with the SSD drive modules below it, using the SAS/SATA interface.

  • Only WarpDrive Controller firmware images with the correct signature and checksum are allowed to be uploaded to the board.

SSDFW Security

The SSDFW firmware module provides firmware for the SF-2500 Flash Storage Processor family.

The security considerations for SSDFW modules in a Sun Flash Accelerator F80 PCIe Card are:

  • The SSDFW firmware module connects to the NAND Flash interface on one side and the SATA AHCI interface on the other side.

  • The host side communication connects through the SATA interface, defined in the Serial ATA specification and the ATA Command Set (ACS-2) Specification.

  • The SSDFW firmware module has admin permission by default.

  • Log files are encrypted. Logging is supported via a serial port.

  • The SSDFW module is embedded firmware residing in the SF-2500 Flash Storage Processor ASIC.

  • The SSDFW firmware module stores system data (such as a drive state) and user data and places it in non-volatile NAND media. All system data is encrypted with a drive unique key.

  • System and user passwords are used to obtain privileges.

  • The SSDFW firmware is embedded within the LSI-ASD sub-system.

  • AES-128 or AES-256 is used to encrypt data (plaintext). A SHA engine authenticates the firmware. Keys and counter values are encrypted before being stored into flash memory.

DDCLI Security

DDCLI is a user application. DDCLI is a standalone CLI that allows you to monitor any WarpDrive connected to the system. Important information on various components of WarpDrive can be retrieved using the ddcli utility.

The security considerations for the DDCLI application in a Sun Flash Accelerator F80 PCIe Card are:

  • DDCLI is initially shipped without executable permission. The root user will need to add this permission.

  • The file, ddcli, will need its permissions changed so that it can be executed. To minimize security issues, set the permissions to 0744. It should be owned by root. This will allow everyone to see it, but only root users can execute it.

  • A library that supports MPT (message processing technology) APIs is statically linked with DDCLI. That library sends an IOCTL to the driver to get the required information.

  • The DDCLI application is a binary file with executable permission.
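
The ownership and mode recommended above for ddcli (0744, owned by root) can be verified after installation and again after each update. The following is an added example, not part of the Oracle guide or the DDCLI package: the function name `audit_exec` is hypothetical, the path to ddcli is supplied by the caller because this guide does not state it, and GNU `stat` (Linux) is assumed.

```shell
#!/bin/sh
# Added example: audit a root-only utility such as ddcli against the guide's
# recommendation (mode 0744, owned by root). Assumes GNU stat (Linux).

# audit_exec PATH [MODE] [OWNER]
# Prints one finding per line; returns 0 when compliant, 1 otherwise.
audit_exec() {
    ae_path="$1"; ae_want_mode="${2:-744}"; ae_want_owner="${3:-root}"
    ae_rc=0

    if [ -L "$ae_path" ]; then
        echo "FINDING: $ae_path is a symlink; audit the real file instead"
        return 1
    fi
    if [ ! -f "$ae_path" ]; then
        echo "FINDING: $ae_path is missing or not a regular file"
        return 1
    fi

    # GNU stat: %a = octal permission bits, %U = owner name
    ae_mode=$(stat -c '%a' "$ae_path")
    ae_owner=$(stat -c '%U' "$ae_path")

    if [ "$ae_owner" != "$ae_want_owner" ]; then
        echo "FINDING: $ae_path owned by $ae_owner, expected $ae_want_owner (fix: chown $ae_want_owner $ae_path)"
        ae_rc=1
    fi
    if [ "$ae_mode" != "$ae_want_mode" ]; then
        echo "FINDING: $ae_path mode $ae_mode, expected $ae_want_mode (fix: chmod $ae_want_mode $ae_path)"
        ae_rc=1
    fi
    # Group/other write or execute bits let non-root users alter or run the tool.
    if [ $(( 0$ae_mode & 033 )) -ne 0 ]; then
        echo "FINDING: $ae_path grants write or execute to group or other"
        ae_rc=1
    fi
    return $ae_rc
}

# Stand-alone use: sh audit_exec.sh /path/to/ddcli
if [ "$#" -gt 0 ]; then audit_exec "$@"; fi
```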