CHAPTER 2
Access Control
Access control is a way of granting access to the system functions or components only to those users who have been authenticated by the system and who have appropriate privileges. Access control depends on the proper configuration of the general security services provided by the server.
This chapter contains these sections:
The Service Processor is an appliance. In an appliance model, users or management agents can access the Service Processor and its components only through authorized user interfaces. Users and agents cannot access any of the underlying operating system interfaces, and users cannot install individual software components on the Service Processor.
These sections provide details on access control:
There are two entities on the system that you can log in to: the Service Processor and an Oracle Solaris domain.
You initially log in to the Service Processor using a serial connection from a terminal device. A terminal device can be an ASCII terminal, a workstation, or a PC. For details on serial port connections, see the Installation Guide for your server or the SPARC Enterprise M3000/M4000/M5000/M8000/M9000 Servers XSCF User’s Guide.
A unique login account with the user name of default exists on the Service Processor. This account is unique in the following ways:
After initial configuration, you can log in to the Service Processor using a serial connection or an Ethernet connection. You can redirect the XSCF console to a domain and get an Oracle Solaris console. You can also log in to a domain directly using an Ethernet connection to access the Oracle Solaris OS.
When a user logs in, the user establishes a session. Authentication and user privileges are valid only for that session. When the user logs out, that session ends. To log back in, the user must be authenticated once again, and will have the privileges in effect during the new session. See Privileges for information on privileges.
After multiple XSCF login failures, no further login attempts are allowed for a certain amount of time. To set the lockout period, use the setloginlockout(8) command. To view the lockout period, use the showloginlockout(8) command. For more information, see the setloginlockout(8) and showloginlockout(8) man pages.
A user account is a record of an individual user that can be verified through a user name and password.
When you initially log in to the system, add at least one user account with a minimum of one privilege, useradm. This user with useradm privileges can then create the rest of the user accounts. For a secure login method, enable the SSH service. See To Enable or Disable the Service Processor SSH Service and To Generate a Host Public Key for SSH Service for more information.
Note - You cannot use the following user account names, as they are reserved for system use: root, bin, daemon, adm, operator, nobody, sshd, rpc, rpcuser, ldap, apache, ntp, admin, and default.
XSCF supports multiple user accounts for logging in to the Service Processor. The user accounts are assigned privileges; each privilege allows the user to execute certain XSCF commands. By specifying privileges for each user, you can control which operations each XSCF user is allowed to perform. On its own, a user account has no privileges. To obtain permission to run XSCF commands and access system components, a user must have privileges.
You can set up the Service Processor to use an LDAP server for authentication instead. To use LDAP, the Service Processor must be set up as an LDAP client. For information about setting up the Service Processor to use the LDAP service, see LDAP Service. If you are using an LDAP server for authentication, the user name must not be in use, either locally or in LDAP.
User passwords are authenticated locally by default unless you are using an LDAP server for authentication.
Site-wide policies, such as password nomenclature or expiration dates, make passwords more difficult to guess. You can configure a password policy for the system using the setpasswordpolicy command. The setpasswordpolicy command describes the default values for a password policy.
If you have lost password access to your system, use the procedure To Log in Initially to the XSCF Console.
Privileges allow a user to perform a specific set of actions on a specific set of components. Those components can be physical components, domains, or physical components within a domain.
The system provides the predefined privileges shown in TABLE 2-1. These are the only privileges allowed in the server. You cannot define additional privileges.
The domainadm, domainmgr, and domainop privileges must include the domain number, numbers, or range of numbers to associate with a particular user account.
A user can have multiple privileges, and a user can have privileges on multiple domains.
User privileges are authenticated locally by default. You can set up the Service Processor to use an LDAP server for authentication instead. For information about setting up the Service Processor to use the LDAP service, see LDAP Service.
If no privileges are specified for a user, no local privilege data will exist for that user; however, the user’s privileges can be looked up in LDAP, if LDAP is being used. If a user’s privileges are set to none, that user does not have any privileges, regardless of privilege data in LDAP.
The Service Processor firmware can only be updated as an entire image, known as an XCP image. The image includes the XSCF firmware, OpenBoot PROM firmware, POST firmware, and miscellaneous files. Only valid images authorized by Oracle or Fujitsu can be installed.
The XCP image is installed in the Service Processor flash memory. You need platadm or fieldeng privilege to update an XCP image. More information on updating an XCP image is contained in the SPARC Enterprise M3000/M4000/M5000/M8000/M9000 Servers XSCF User’s Guide.
To save and restore XSCF configuration information, use the dumpconfig(8) and restoreconfig(8) commands in the XSCF shell. The commands permit you to specify the location where the information is to be stored and retrieved. For more information, see the SPARC Enterprise M3000/M4000/M5000/M8000/M9000 Servers XSCF User’s Guide and the dumpconfig(8) and restoreconfig(8) man pages.
Note - The XCP 1080 firmware is the first XCP release to support the dumpconfig(8) and restoreconfig(8) commands.
This section describes these procedures:
To Log in Initially to the XSCF Console
This procedure can be used for initial login or for lost password access.
1. Log in to the XSCF console with the default login name from a terminal device connected to the Service Processor. You must have physical access to the system.
You are prompted to toggle the Operator Panel MODE switch (keyswitch) on the front of the system. The location of the MODE switch on an entry-level server is shown in FIGURE 2-1, and the location on a midrange server is shown in FIGURE 2-2. On a high-end server the MODE switch is mounted horizontally rather than vertically, as shown in FIGURE 2-3. The MODE switch has two positions: Service and Locked.
Note - In the following illustrations, the three LEDs appear first, followed by the POWER button, then the MODE switch.
FIGURE 2-1 Location of the Operator Panel MODE Switch on an Entry-Level Server
FIGURE 2-2 Location of the Operator Panel MODE Switch on a Midrange Server
FIGURE 2-3 Operator Panel on a High-end Server
You must toggle the MODE switch within one minute of the login prompt or the login process times out.
2. Toggle the MODE switch using one of two methods, as follows:
When the toggling is successful, you are logged in to the Service Processor shell as the account default.
Because this account has useradm and platadm privileges, you can now configure the Service Processor or reset passwords.
When the shell session ends, the default account is disabled. When an account is disabled, it cannot be used to log in at the console. It is then not possible to log in using this account again except by following this same procedure.
Note - You can use the setupplatform(8) command rather than the following procedures to perform Service Processor installation tasks. For more information, see the setupplatform(8) man page.
To Configure an XSCF Password Policy
1. Log in to the XSCF console with useradm privileges.
2. Type the setpasswordpolicy command:
where option can be one or more of the options described in the setpasswordpolicy(8) man page.
Note - The password policy applies only to users added after the setpasswordpolicy(8) command has been executed.
3. Verify that the operation succeeded by typing the showpasswordpolicy command.
To Add an XSCF User Account
When you add a new user account, the account has no password, and cannot be used for logging in until the password is set or Secure Shell public key authentication is enabled for the user.
1. Log in to the XSCF console with useradm privileges.
2. Type the adduser command:
where user is the user name you want to add. (See the adduser(8) man page for rules about the user name.) If you do not specify a User ID (UID) number with the -u UID option, one is automatically assigned, starting from 100.
3. Verify that the operation succeeded by typing the showuser command.
To Create a Password for an XSCF User
Any XSCF user can set his or her own password. Only a user with useradm privileges can set another user’s password.
1. Log in to the XSCF console with useradm privileges.
2. Type the password command:
See the password(8) man page for rules about passwords. When typed without an argument, password sets the current user's password. To set someone else's password, include that person's user name, for example:
where user is the user name you want to set the password for. You are prompted to enter, and then reenter, the password.
To Assign Privileges to an XSCF User
1. Log in to the XSCF console with useradm privileges.
2. Type the setprivileges command:
where user is the user name to assign privileges for, and privileges is one or more privileges, separated by a space, to assign to this user. The domainadm, domainmgr, and domainop privileges must include the domain number, numbers, or range of numbers to associate with a particular user account; for example,
Valid privileges are listed in TABLE 2-1.
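The rules spread across the account procedures above (reserved names, domain-scoped privileges needing a domain list, privileges limited to the predefined set) are easy to get wrong when typing commands into the XSCF shell by hand. The following pre-flight check is an added example for an admin workstation, not Oracle or Fujitsu code; it assumes the privilege@domains form (for example domainadm@0-3) from setprivileges(8), which this chapter elides, and it knows only the privileges this chapter names, so TABLE 2-1 remains the authoritative list.

```shell
#!/bin/sh
# Pre-flight checks for an XSCF account plan. Run on an admin workstation
# before the adduser/password/setprivileges commands are typed into XSCF.
# Added example; not Oracle/Fujitsu code. The privilege@domains form
# (e.g. domainadm@0-3) is assumed from setprivileges(8).

# Reserved names listed in this chapter; the XSCF rejects them.
RESERVED="root bin daemon adm operator nobody sshd rpc rpcuser ldap apache ntp admin default"
# Privileges named in this chapter. TABLE 2-1 is the authoritative list.
PLAIN_PRIVS="platadm useradm fieldeng none"
DOMAIN_PRIVS="domainadm domainmgr domainop"

# xscf_check_user NAME -> 0 if NAME may be used, 1 if it is reserved.
xscf_check_user() {
    for r in $RESERVED; do
        [ "$1" = "$r" ] && { echo "error: '$1' is reserved" >&2; return 1; }
    done
    return 0
}

# xscf_check_privs "PRIV [PRIV...]" -> 0 if every privilege is known and
# every domain-scoped privilege carries a domain list such as 0,2-3.
xscf_check_privs() {
    for p in $1; do
        name=${p%%@*}; doms=${p#*@}
        [ "$doms" = "$p" ] && doms=""          # no '@' present
        case " $DOMAIN_PRIVS " in
            *" $name "*)
                # must start with a digit and contain only digits, commas, ranges
                case "$doms" in
                    ""|[!0-9]*|*[!0-9,-]*) echo "error: $p needs domain numbers" >&2; return 1 ;;
                esac ;;
            *)
                case " $PLAIN_PRIVS " in
                    *" $name "*) [ -z "$doms" ] || { echo "error: $p takes no domain" >&2; return 1; } ;;
                    *) echo "error: unknown privilege '$name'" >&2; return 1 ;;
                esac ;;
        esac
    done
    return 0
}

# xscf_plan NAME "PRIVS" -> prints the XSCF commands to type once the plan passes.
xscf_plan() {
    xscf_check_user "$1" && xscf_check_privs "$2" || return 1
    printf 'adduser %s\npassword %s\nsetprivileges %s %s\n' "$1" "$1" "$1" "$2"
}

# Constructed sample plan (hypothetical user, not from the chapter):
xscf_plan jsmith "useradm domainadm@0-1"
```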
To Display the Version of Installed Firmware
1. Log in to the XSCF console with platadm or fieldeng privileges.
The XCP version number is displayed. An example of the command output is:
For additional information on this chapter’s topics, see:
Copyright © 2011, Oracle and/or its affiliates. All rights reserved.