SPARC and Netra SPARC T4 Series Servers Security
Understanding Security Principles
Use the following notes before and during the installation and configuration of a server and related equipment.
Physical hardware can be secured fairly simply: limit access to the hardware and record serial numbers.
Restrict access
Install servers and related equipment in a locked, restricted-access room.
If equipment is installed in a rack with a locking door, always lock the rack door until you have to service the components within the rack.
Hot-plug and hot-swap devices are easily removed, so restricting access to them is especially important.
Store spare field-replaceable units (FRUs) or customer-replaceable units (CRUs) in a locked cabinet. Restrict access to the locked cabinet to authorized personnel.
Record serial numbers
Security-mark all significant items of computer hardware such as FRUs. Use special ultraviolet pens or embossed labels.
Keep a record of the serial numbers of all your hardware.
Keep hardware activation keys and licenses in a secure location that is easily accessible to the system manager in system emergencies. The printed documents might be your only proof of ownership.
Most hardware security is implemented through software measures.
When a new system is installed, change all default passwords. Most types of equipment use default passwords, such as changeme, that are widely known and would allow unauthorized access to the equipment. Also, devices such as network switches can have multiple user accounts by default. Be sure to change all account passwords.
Limit use of the root superuser account. Oracle Integrated Lights Out Manager (Oracle ILOM) accounts such as ilom-operator and ilom-admin should be used instead whenever possible.
Use a dedicated network for service processors to separate them from the general network.
Protect access to USB consoles. Devices such as system controllers, power distribution units (PDUs), and network switches can have USB connections, which can provide more powerful access than SSH connections.
Refer to the documentation that came with your software to enable any security features available for the software.
A server can boot securely with WAN Boot or iSCSI Boot.
For an Oracle Solaris 10 release, refer to the Oracle Solaris Installation Guide: Network-Based Installations book.
For an Oracle Solaris 11 release, refer to the Installing Oracle Solaris 11 Systems book for WAN Boot information and the System Administration Guide: Basic Administration book for iSCSI boot information.
The Oracle Solaris Security Guidelines document provides information on:
How to harden Oracle Solaris
How to use Oracle Solaris security features when configuring your systems
How to operate securely when you add applications and users to a system
How to protect network-based applications
Oracle Solaris Security Guidelines documents can be found at:
Ordinary user accounts cannot edit the OpenBoot PROM (OBP) or other Oracle firmware. The Oracle Solaris Operating System uses a controlled firmware update process to prevent unauthorized firmware modifications. Only the superuser can use the update process.
For information about setting OBP security variables, refer to the OpenBoot 4.x Command Reference Manual at:
Oracle Integrated Lights Out Manager (Oracle ILOM) is system management firmware that is preinstalled on some SPARC and Netra SPARC servers. Oracle ILOM enables you to actively manage and monitor components installed in your system. The way you use Oracle ILOM affects the security of your system. To understand more about using this firmware when setting up passwords, managing users, and applying security-related features, including Secure Shell (SSH), Secure Sockets Layer (SSL), and RADIUS authentication, refer to Oracle ILOM documentation: