Oracle® ILOM Security Guide For Firmware Releases 3.x and 4.x

Updated: December 2019
 
 

Use IPMI TLS Service for Enhanced Authentication and Packet Encryption

Although Oracle ILOM supports both IPMI v1.5 and v2.0 for remote management, system administrators should always use the IPMI TLS service and the -I orcltls interface to securely manage Oracle servers. For further information about how to securely configure and establish an IPMI TLS management session with Oracle ILOM, see the following information.

Before You Begin

  • For enhanced security, use only the TLS service and the -I orcltls interface for all IPMI management sessions. For additional IPMI security guidelines, see Oracle ILOM IPMI Security Guidelines.


    Note -  The TLS service and interface from Oracle is supported in Oracle ILOM as of firmware version 3.2.8.
  • The Admin (a) role is required to modify IPMI properties in Oracle ILOM.

  • To use the TLS IPMItool interface, IPMItool users must use IPMItool v1.8.15.0 or later, which is available for download from Oracle Hardware Management Pack (version v2.4 for Linux or version 4.0 for Solaris).


    Note -  Before using IPMItool, you need to set up users with the appropriate roles and privileges (such as Administrator or Operator) for the management functions you want to perform. For more information about setting up user accounts, see Setting Up and Maintaining User Accounts in Oracle ILOM Administrator’s Guide for Configuration and Maintenance Firmware Release 4.0.x.

To implement a more secure IPMI TLS management session with Oracle ILOM, perform these steps:

  1. Disable the IPMI v2.0 Session Property in Oracle ILOM.

    For instance:

    1. In the Oracle ILOM web interface: click ILOM Administration -> Management Access -> IPMI.
    2. In the IPMI page, disable the IPMI v2.0 Sessions check box, and then click Save.

    For Oracle ILOM CLI instructions, see Set the IPMI State and Session Properties (CLI) in Oracle ILOM Protocol Management Reference for SNMP and IPMI Firmware Release 3.2.x.

  2. Download the TLS version of the IPMItool from the Oracle Hardware Management Pack (version 2.4 for Linux or version 4.0 for Oracle Solaris).

    For further download instructions, see IPMI TLS Service and Interface in Oracle ILOM Protocol Management Reference SNMP and IPMI Firmware Release 4.0.x.

  3. From the Oracle ILOM CLI, access the TLS IPMItool interface by typing:

    ipmitool -I orcltls

    Note that in cases where the -I option is not specified, the IPMItool utility will negotiate to the most secure interface available (in the following order):

    • TLS 1.2 (orcltls interface)

    • TLS 1.1 (orcltls interface)

    • TLS 1.0 (orcltls interface)

    For additional information about how to use the orcltls interface to manage and configure IPMI-enabled devices, refer to the following information:
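The three steps above leave one operational gap: nothing stops an administrator from typing -I lanplus out of habit, or from running an IPMItool build that predates the orcltls interface. The following POSIX sh wrapper is an added example written for this page; it is not code from the Oracle ILOM guide or from Oracle Hardware Management Pack. It assumes that `ipmitool -V` prints a line of the form "ipmitool version 1.8.18" (which current IPMItool releases do), and the IPMITOOL variable is an assumption of the example, present so the wrapper can be exercised without a BMC on the network. The -H and -U options it passes through are standard IPMItool options; the 192.0.2.10 address in the comments is a constructed documentation address.

```shell
#!/bin/sh
# Added example (not Oracle's code): enforce the guide's two IPMItool rules
# before any management session is opened:
#   - the installed IPMItool must be 1.8.15.0 or later, the first release
#     that ships the orcltls interface, and
#   - the only interface ever handed to ipmitool is -I orcltls; an explicit
#     -I lan (IPMI v1.5) or -I lanplus (IPMI v2.0 / RAKP) is refused instead
#     of silently opening a weaker session.
# IPMITOOL (assumption of this example) names the binary; default: ipmitool.

MIN_IPMITOOL_VERSION="1.8.15.0"

# version_ge A B: succeed when dotted version A is >= B, compared field by
# field as integers. Missing fields count as 0, so 1.8 compares as 1.8.0.0.
version_ge() {
    i=1
    while :; do
        fa=$(printf '%s' "$1" | cut -d. -f"$i" | tr -cd '0-9')
        fb=$(printf '%s' "$2" | cut -d. -f"$i" | tr -cd '0-9')
        [ -z "$fa" ] && [ -z "$fb" ] && return 0   # all fields equal
        fa=${fa:-0}; fb=${fb:-0}
        [ "$fa" -gt "$fb" ] && return 0
        [ "$fa" -lt "$fb" ] && return 1
        i=$((i + 1))
    done
}

# parse_ipmitool_version LINE: extract "1.8.18" from the first line that
# `ipmitool -V` prints ("ipmitool version 1.8.18"); empty on no match.
parse_ipmitool_version() {
    printf '%s\n' "$1" | awk '/^ipmitool version/ { print $3 }'
}

# check_ipmitool_version: fail unless the installed IPMItool is new enough
# to offer the orcltls interface at all.
check_ipmitool_version() {
    ver=$("${IPMITOOL:-ipmitool}" -V 2>/dev/null | head -n 1)
    ver=$(parse_ipmitool_version "$ver")
    if [ -z "$ver" ] || ! version_ge "$ver" "$MIN_IPMITOOL_VERSION"; then
        echo "ipmitool ${ver:-not found}: need $MIN_IPMITOOL_VERSION or later for -I orcltls" >&2
        return 1
    fi
}

# interface_allowed IFACE: only the TLS interface is acceptable.
interface_allowed() {
    case "$1" in
        orcltls) return 0 ;;
        *)       return 1 ;;
    esac
}

# secure_ipmitool ARGS...: run ipmitool with -I orcltls. Any explicit -I in
# ARGS is inspected first; the call is refused (exit 2) if it names another
# interface, and -I orcltls is prepended when the caller gave none.
secure_ipmitool() {
    prev=""
    has_iface=0
    for arg in "$@"; do
        if [ "$prev" = "-I" ]; then
            has_iface=1
            if ! interface_allowed "$arg"; then
                echo "refusing IPMI interface '$arg': use -I orcltls" >&2
                return 2
            fi
        fi
        prev="$arg"
    done
    if [ "$has_iface" -eq 1 ]; then
        "${IPMITOOL:-ipmitool}" "$@"
    else
        "${IPMITOOL:-ipmitool}" -I orcltls "$@"
    fi
}

# Typical use (constructed address):
#   check_ipmitool_version && secure_ipmitool -H 192.0.2.10 -U admin sdr
```

Source the file from a login script and alias ipmitool to secure_ipmitool so the interface choice is made once, centrally, rather than on every command line; with IPMI v2.0 sessions disabled on the service processor (step 1), a refused lanplus call and a failed TLS handshake are the only two outcomes a mistyped command can have.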

Related Information

Oracle ILOM IPMI Security Guidelines

To ensure that established IPMI system management sessions are secure and not vulnerable to cyber attacks, system administrators should:

  • Never establish IPMI remote management sessions using IPMI v2.0 (-I lanplus IPMItool interface) or IPMI v1.5 (-I lan IPMItool interface). Explicitly use the IPMI TLS service and the orcltls interface, available in Oracle ILOM firmware version 3.2.8 and later.


    Note -  The RAKP protocol support in the IPMI 2.0 specification requires sending a password hash to the client, which makes it easier for remote attackers to obtain access via a brute-force attack. For additional details about this vulnerability, see the published vulnerability summaries for CVE-2013-4037 and CVE-2013-4786 on the National Vulnerability Database web site.

    Note -  The Oracle ILOM IPMI Session property for v1.5 is disabled by default as of Oracle ILOM firmware 3.2.4. The Oracle ILOM IPMI Session property for v2.0 is enabled by default. For additional information about IPMI v2.0 support in Oracle ILOM, see Deprecation Notice for IPMI 2.0 Management Service in Oracle ILOM Feature Updates and Release Notes Firmware Release 3.2.x.
  • Change your IPMI password on a regular basis. Ensure that the lifecycle of Oracle ILOM user accounts is managed appropriately.

    For further details, see Securing Oracle ILOM User Access.

  • Restrict network access from the outside world. Use the dedicated Ethernet management channel to communicate with Oracle ILOM.

    For further details, see Securing the Physical Management Connection.

  • Work with your IT Security Officer to build a set of best practices and policies around server management and IPMI security.

IPMI 2.0 Authentication Cipher Suite Support

The authentication, confidentiality, and integrity checks in IPMI version 2.0 are supported through cipher suites. These cipher suites use the RMCP+ Authenticated Key-Exchange Protocol as described in the IPMI 2.0 specification.

Oracle ILOM supports the following cipher suite key algorithms for establishing secure IPMI 2.0 sessions between the client and the server.

  • Cipher Suite 2 – Cipher suite 2 uses both authentication and integrity algorithms.

  • Cipher Suite 3 – Cipher suite 3 uses all three algorithms for authentication, confidentiality, and integrity.


    Note - To ensure all IPMI 2.0 traffic is encrypted, Oracle ILOM does not implement support for IPMI 2.0 Cipher Type 0 (unencrypted mode of operation).