
Oracle® ILOM Protocol Management Reference for SNMP and IPMI Firmware Release 3.2.x


Updated: January 2017
 
 

IPMI TLS Service and Interface

IPMI TLS is an Oracle improvement to IPMI security which requires a special version of the ipmitool client that supports TLS sessions. The IPMItool command option to access the TLS interface is:

ipmitool -I orcltls

Note that in cases where the -I option is not specified, the IPMItool utility will negotiate to the most secure interface available (in the following order):

  • TLS 1.2 (orcltls interface)

  • TLS 1.1 (orcltls interface)

  • TLS 1.0 (orcltls interface)

  • IPMI 2.0 (lanplus interface)

  • IPMI 1.5 (lan interface)

TLS Session Feature Summary

  • Secure Communication Protocol Data Transmission: A secure TLS/TCP socket connection is used (over Ethernet and LAN over USB) to transmit and receive data between the IPMI client and the server SP.

  • Negotiation of Highest Cipher Suite: IPMI/TLS client sessions negotiate to the highest cipher suite supported on the server SP.

  • Authentication: Uses local SP authorization to validate user credentials and to set client session privileges.

    Note -  LDAP, Active Directory, and RADIUS user authorization is currently not supported as of firmware Oracle ILOM 3.2.8.

  • Audit Log of IPMI Login Events: The Audit Log captures all IPMI login events (successful and failed attempts).

  • SSL Certificate Validation: Automatically validates the SSL client certificate against a list of trusted certificates stored in the user-specified directory (ipmitool --cert-dir option).

    Note that when the IPMI TLS interface (orcltls) is unable to validate the client certificate, the user is prompted to cross-check the certificate's authentic fingerprint with the SSL certificate authentic fingerprints stored in the local SP directory (/SP/services/https/ssl). If a match is not found, the user should respond No. Otherwise, if a match is found, the user should respond Yes to proceed.

    For information about how to disable the check option for certificate validation when the orcltls interface is specified, see Disable Default TLS Behavior for SSL Certificate Check.
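
The fingerprint cross-check described under SSL Certificate Validation can be scripted instead of compared by eye. The following Python sketch is an added example, not Oracle code: the function names are hypothetical, it assumes the displayed fingerprint is a hex digest (MD5, SHA-1 or SHA-256, inferred from its length) of the certificate's DER encoding, and the sample bytes are constructed.

```python
import hashlib
import hmac
import ssl

# Hex-digit count of a displayed fingerprint -> hash assumed to have produced it.
_ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def normalize_fingerprint(text):
    """Drop separators and case from a displayed fingerprint; return (algo, hex)."""
    cleaned = "".join(ch for ch in text if ch not in ": -\t\r\n").lower()
    if not cleaned or any(ch not in "0123456789abcdef" for ch in cleaned):
        raise ValueError("fingerprint is not hexadecimal")
    algo = _ALGO_BY_HEX_LEN.get(len(cleaned))
    if algo is None:
        raise ValueError("unexpected fingerprint length: %d hex digits" % len(cleaned))
    return algo, cleaned


def fingerprint_matches(cert, trusted_fingerprint):
    """True only if the certificate hashes to the trusted fingerprint.

    cert is DER bytes or a PEM string; the digest is taken over the DER bytes.
    """
    der = ssl.PEM_cert_to_DER_cert(cert) if isinstance(cert, str) else cert
    algo, expected = normalize_fingerprint(trusted_fingerprint)
    actual = hashlib.new(algo, der).hexdigest()
    return hmac.compare_digest(actual, expected)


def answer_for_prompt(cert, trusted_fingerprints):
    """Map the cross-check to the prompt: "Yes" on a match, otherwise "No".

    A malformed trusted entry raises ValueError instead of being skipped.
    """
    matched = [fp for fp in trusted_fingerprints if fingerprint_matches(cert, fp)]
    return "Yes" if matched else "No"


if __name__ == "__main__":
    # Constructed stand-in bytes, not a real certificate: only the digest matters here.
    sample_der = b"constructed stand-in for DER certificate bytes"
    digest = hashlib.sha256(sample_der).hexdigest().upper()
    recorded = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    print(answer_for_prompt(sample_der, [recorded]))           # trusted certificate
    print(answer_for_prompt(sample_der + b"\x00", [recorded]))  # altered certificate
```

The trusted fingerprints should be recorded from the SP over a channel other than the session being validated, so that a substituted certificate cannot also supply its own reference value.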

TLS IPMItool Interface Download Requirement

Prior to executing Oracle ILOM commands from the TLS ipmitool interface, you must download the Oracle TLS components (OS compliant driver and the orcltls IPMItool interface) from Oracle Hardware Management Pack. For instance, to download the Oracle TLS components from Oracle Hardware Management Pack, follow this process:

  1. On the managed device, download Oracle Hardware Management Pack (v2.4 or later for Linux or v4.0 or later for Oracle Solaris) from My Oracle Support.


    Note -  The Oracle TLS components (OS compliant driver and the orcltls IPMItool interface) are not available for download from the Oracle Hardware Management Pack for Windows.
  2. Launch the installer for the Hardware Management Component GUI by following the instructions in the Oracle Hardware Management Pack Installation Guide.

    The Oracle Hardware Management Pack documentation is available for download at: http://docs.oracle.com/en/servers/management.html

  3. After launching the installer for the Hardware Management Component GUI, choose the Custom Install.

  4. In the Custom Install Set menu, choose IPMItool.

  5. Continue to follow the instructions in the Oracle Hardware Management Pack Installation Guide to complete the installation.