SPARC SuperCluster T4-4 Security Guide
Understanding Security Principles
Use the following notes before and during the installation and configuration of a server and related equipment.
Physical hardware can be secured fairly simply: limit access to the hardware and record serial numbers.
Restrict access
Install servers and related equipment in a locked, restricted access room.
If equipment is installed in a rack with a locking door, always lock the rack door until you have to service the components within the rack.
Hot-plug or hot-swap devices can be removed easily, so they especially require restricted access.
Store spare field-replaceable units (FRUs) or customer-replaceable units (CRUs) in a locked cabinet. Restrict access to the locked cabinet to authorized personnel.
Record serial numbers
Security-mark all significant items of computer hardware such as FRUs. Use special ultraviolet pens or embossed labels.
Keep a record of the serial numbers of all your hardware.
Keep hardware activation keys and licenses in a secure location that is easily accessible to the system manager in system emergencies. The printed documents might be your only proof of ownership.
Most hardware security is implemented through software measures.
When a new system is installed, change all default passwords. Most types of equipment use default passwords, such as changeme, that are widely known and would allow unauthorized access to the equipment. Also, devices such as network switches can have multiple user accounts by default. Be sure to change all account passwords.
Limit use of the root superuser account. Oracle Integrated Lights Out Manager (Oracle ILOM) accounts such as ilom-operator and ilom-admin should be used instead whenever possible.
Use a dedicated network for service processors to separate them from the general network.
During the Oracle Solaris installation process, you will be prompted to create a user account and password, as well as a root password for the system. As part of this process, the root user is a role that you assume. If you want to change the settings for this account, you can remove the root user account and give the root role to a less privileged user.
Protect access to USB consoles. Devices such as system controllers, power distribution units (PDUs), and network switches can have USB connections, which can provide more powerful access than SSH connections.
Refer to the documentation that came with your software to enable any security features available for the software.
A server can boot securely with WAN Boot or iSCSI Boot. For information, refer to the Oracle Solaris Installation Guide: Network-Based Installations book for your Oracle Solaris release.
The Oracle Solaris Security Guidelines document provides information on:
How to harden Oracle Solaris
How to use Oracle Solaris security features when configuring your systems
How to operate securely when you add applications and users to a system
How to protect network-based applications
Oracle Solaris Security Guidelines documents can be found at:
Ordinary user accounts cannot edit the OpenBoot PROM (OBP) or other Oracle firmware. The Oracle Solaris Operating System uses a controlled firmware update process to prevent unauthorized firmware modifications. Only the superuser can use the update process.
For information on setting OBP security variables, refer to the OpenBoot 4.x Command Reference Manual at:
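The root-role setup described earlier on this page and the OBP security variables can both be verified from a script. The following is an added example, not part of the Oracle guide: it parses the output of the Solaris commands userattr and eeprom and the /etc/user_attr file, using a constructed user_attr sample (the accounts jdoe, ops and guest are hypothetical) so the logic runs on any POSIX sh; the live checks run only where the Solaris commands exist.

```shell
#!/bin/sh
# Added example (not from the Oracle guide). Audits two settings this page
# describes for Oracle Solaris on SPARC:
#   1. root is a role, not a login account  (`userattr type root` prints "role")
#   2. OpenBoot PROM security-mode is set   (`eeprom security-mode` is not "none")
# Parsers take the command output as an argument so they can be exercised
# with constructed sample output; run_live_audit calls the real commands.

# root_is_role OUTPUT: succeed only if OUTPUT (from `userattr type root`) is "role".
root_is_role() {
    [ "$(printf '%s' "$1" | tr -d ' \t\r\n')" = "role" ]
}

# obp_secure OUTPUT: succeed if OUTPUT (from `eeprom security-mode`) names the
# "command" or "full" mode; "none", empty or unexpected values fail closed.
obp_secure() {
    case "$(printf '%s' "$1" | sed -n 's/^security-mode=//p' | tr -d ' \t\r')" in
        command|full) return 0 ;;
        *)            return 1 ;;
    esac
}

# root_role_holders USER_ATTR_TEXT: print the accounts whose /etc/user_attr
# entry (user:qualifier:res1:res2:attr) lists root among their roles.
root_role_holders() {
    printf '%s\n' "$1" |
        awk -F: '(";" $5 ";") ~ /;roles=([^;]*,)?root(,|;)/ { print $1 }'
}

# Constructed sample of /etc/user_attr (hypothetical accounts, not a real
# system): root converted to a role, jdoe and ops granted it, guest with none.
SAMPLE_USER_ATTR='root::::type=role;auths=solaris.*;profiles=All
jdoe::::type=normal;roles=root;profiles=Basic Solaris User
ops::::type=normal;roles=backup,root;profiles=Basic Solaris User
guest::::type=normal;profiles=Basic Solaris User'

# run_live_audit: run the checks on this host when the Solaris commands exist.
run_live_audit() {
    if command -v userattr >/dev/null 2>&1; then
        root_is_role "$(userattr type root 2>/dev/null)" &&
            echo "PASS root is a role" ||
            echo "FAIL root is a login account (convert: usermod -K type=role root)"
        echo "accounts that can assume root:"; root_role_holders "$(cat /etc/user_attr)"
    fi
    if command -v eeprom >/dev/null 2>&1; then
        obp_secure "$(eeprom security-mode 2>/dev/null)" &&
            echo "PASS OBP security-mode is set" ||
            echo "FAIL OBP security-mode is none (set with: eeprom security-mode=command)"
    fi
    return 0
}
```

Grant the role to an administrator with usermod -R root username; the awk filter then lists that account, which is the list to review when access is audited.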
Oracle Integrated Lights Out Manager (Oracle ILOM) is system management firmware that is preinstalled on some SPARC servers. Oracle ILOM enables you to actively manage and monitor components installed in your system. The way you use Oracle ILOM affects the security of your system. To understand more about using this firmware when setting up passwords, managing users, and applying security-related features, including Secure Shell (SSH), Secure Sockets Layer (SSL), and RADIUS authentication, refer to the Oracle ILOM documentation: