Although Oracle ILOM supports both IPMI v1.5 and v2.0 for remote management, system administrators should always use the IPMI TLS service and the - I orcltls interface to securely manage Oracle servers. For further information about how to securely configure and establish an IMPI TLS management session with Oracle ILOM, see the following information.
Before You Begin
For enhanced security, use only the TLS service and the - I orcltls interface for all IPMI management sessions. For additional IPMI security guidelines, see Oracle ILOM IPMI Security Guidelines.
The Admin (a) role is required to modify IPMI properties in Oracle ILOM.
To use the TLS IPMItool interface, IPMItool users must use IPMItool v18.104.22.168 or later, which is available for download from Oracle Hardware Management Pack (version v2.4 for Linux or version 4.0 for Solaris).
To implement a more secure IPMI TLS management session with Oracle ILOM, perform these steps:
For Oracle ILOM CLI instructions, see Set the IPMI State and Session Properties (CLI) in Oracle ILOM Protocol Management Reference for SNMP and IPMI Firmware Release 3.2.x
For further download instructions, see IPMI TLS Service and Interface in Oracle ILOM Protocol Management Reference SNMP and IPMI Firmware Release 4.0.x.
ipmitool -I orcltls
Note that in cases where the -I option is not specified, the IPMItool utility will negotiate to the most secure interface available (in the following order):
TLS 1.2 (orcltls interface)
TLS 1.1 (orcltls interface)
TLS 1.0 (orcltls interface)
For additional information about how to use the orcltls interface to manage and configure IPMI-enabled devices, refer to following information:
To ensure that established IPMI system management sessions are secure and not vulnerable to cyber attacks, system administrators should:
Never establish IPMI remote management sessions using IPMI v2.0 (-I lanplus IPMItool interface) or IPMI version 1.5 (-I lan IPMItool interface). You should explicitly use the IPMI TLS service and orcltls interface as of Oracle ILOM firmware version 3.2.8 and later.
Change your IPMI password on a regular basis. Ensure the lifecyle of Oracle ILOM user accounts are managed appropriately.
For further details, see Securing Oracle ILOM User Access.
Restrict network access from the outside world. Use the dedicated Ethernet management channel to communicate with Oracle ILOM.
For further details, see Securing the Physical Management Connection.
Work with your IT Security Officer to build a set of best practices and policies around server management and IPMI security.
The authentication, confidentiality, and integrity checks in IPMI version 2.0 are supported through cipher suites. These cipher suites use the RMCP+ Authenticated Key-Exchange Protocol as described in the IPMI 2.0 specification.
Oracle ILOM supports the following cipher suite key algorithms for establishing secure IPMI 2.0 sessions between the client and the server.
Cipher Suite 2 – Cipher suite 2 uses both authentication and integrity algorithms.
Cipher Suite 3 – Cipher suite 3 uses all three algorithms for authentication, confidentiality, and integrity.