Enable FIPS Mode at Deployment
Note - FIPS compliance mode in Oracle ILOM is
represented by State and Status properties. The State property represents
the configured mode in Oracle ILOM and the Status property represents
the operational mode in Oracle ILOM. When the FIPS State property
is changed, the change does not affect the operational mode (FIPS Status
property) until the next Oracle ILOM reboot.
Before You Begin
- The FIPS State and Status properties are shipped disabled by default.
- When FIPS is enabled (configured and operational), some features in Oracle ILOM are not supported. For a list of unsupported features when FIPS is enabled, see Table 3, Unsupported Features in Oracle ILOM When FIPS Mode Is Enabled.
- The Admin (a) role is required to modify the FIPS State property.
- The configurable property for FIPS compliance is available in Oracle ILOM as of firmware release 3.2.4. Prior to firmware release 3.2.4, Oracle ILOM does not provide a configurable property for FIPS compliance.
- All user-defined configuration settings are reset to their factory defaults upon modifying the FIPS mode State and Status properties in Oracle ILOM.
- In the Oracle ILOM web interface, click ILOM Administration -> Management Access -> FIPS.
- In the FIPS page, perform the following:
  - Select the FIPS State check box to enable the configured FIPS property.
  - Click Save to apply the change.
  For additional configuration details, click the More details... link on the FIPS web page.
- To change the FIPS operational mode status in Oracle ILOM, perform the following steps to reboot Oracle ILOM.
  - In the web interface, click ILOM Administration -> Maintenance -> SP Reset.
  - In the SP Reset page, click the SP Reset button.
  Upon rebooting Oracle ILOM, the following occurs:
  - The last configured FIPS State (enabled) is applied on the system.
  - Any user-defined configuration settings previously configured in Oracle ILOM are reset to their factory default values.
  - The FIPS Status property is updated to reflect the current enabled operational state in Oracle ILOM. For a complete list and description of the FIPS Status messages, click the More details link on the FIPS page.
  - A FIPS shield icon appears in the masthead area of the web interface.
  - All non-supported FIPS features are either disabled or removed from the CLI and web interface. For a complete list and description of non-supported FIPS features, click the More details link on the FIPS page.
Unsupported Features When FIPS Mode Is Enabled
Upon enabling FIPS compliance in Oracle ILOM, the following
non-compliant FIPS 140-2 features in Oracle ILOM are not supported.
Table 3 Unsupported Features in Oracle ILOM When FIPS Mode Is Enabled
| Unsupported Feature | Description |
|---|---|
| IPMI 1.5 | When FIPS mode is enabled and running on the system, the IPMI v1.5 configuration property is removed from the Oracle ILOM CLI and web interface. IPMI TLS service and the IPMI v2.0 service support both FIPS compliant and non-compliant modes. |
| Firmware Compatibility for Oracle ILOM System Remote Console | FIPS mode in Oracle ILOM prevents earlier firmware versions of the Oracle ILOM Remote System Console from being compatible with later Oracle ILOM Remote System Console firmware versions. For instance, the Oracle ILOM Remote System Console client firmware version 3.2.4 is backward compatible with the Oracle ILOM Remote System Console firmware version 3.2.3 and earlier. However, the Oracle ILOM Remote System Console client firmware version 3.2.2 and earlier are not forward compatible with the Oracle ILOM Remote System Console firmware version 3.2.4 and later. Note - This firmware compatibility limitation does not apply to the Oracle ILOM Remote System Console Plus. The Oracle ILOM Remote System Console Plus is provided on newer service processor systems such as SPARC T5 and later systems, and/or Oracle Server x4-4, x4-8 and later systems. The Oracle ILOM Remote System Console is provided on older service processor systems such as SPARC T3 and T4 and Sun Server x4-2/2L/2B and earlier systems. |
| Lightweight Directory Access Protocol (LDAP) | When FIPS mode is enabled and running on the system, the LDAP configuration properties in Oracle ILOM are automatically removed from the Oracle ILOM CLI and web interface. Note - The following remote authentication services are supported in both FIPS compliant and non-compliant modes: Active Directory and LDAP/SSL. |
| Remote Authentication Dial-In User Service (RADIUS) | When FIPS mode is enabled and running on the system, the RADIUS configuration properties in Oracle ILOM are automatically removed from the Oracle ILOM CLI and web interface. Note - The following remote authentication services are supported in both FIPS compliant and non-compliant modes: Active Directory and LDAP/SSL. |
| Simple Network Management Protocol (SNMP) DES and MD5 | When FIPS mode is enabled and running on the system, the SNMP configuration properties for DES Privacy Protocol and MD5 Authentication Protocol are not supported in the Oracle ILOM CLI or web interface. |
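
Added example (not Oracle code): a pre-change audit that applies the State/Status behavior, the firmware 3.2.4 requirement, and the Table 3 restrictions to an inventory of service processors before FIPS mode is enabled. The inventory layout, key names, and sample fleet are hypothetical and constructed for illustration; they are not Oracle ILOM property names.

```python
# Added example: audit service processors before enabling FIPS mode.
# Inventory layout and key names are hypothetical, not Oracle ILOM properties.

def parse_version(text):
    """'3.2.4' -> (3, 2, 4). Handles plain dotted numeric versions only."""
    return tuple(int(part) for part in text.split("."))

def fips_readiness(sp):
    """Return findings for one service processor record (a dict)."""
    if parse_version(sp["firmware"]) < (3, 2, 4):
        return ["firmware older than 3.2.4: no configurable FIPS property"]
    findings = []
    state, status = sp["fips_state"], sp["fips_status"]
    if state == "enabled" and status == "enabled":
        return findings  # configured and operational already
    if state == "enabled" and status == "disabled":
        findings.append("FIPS State enabled, Status disabled: SP reset pending")
    # Features from Table 3 that are removed once FIPS mode is operational.
    if sp.get("ipmi_v15"):
        findings.append("IPMI 1.5 in use: IPMI v2.0 and IPMI TLS remain available")
    for svc in ("ldap", "radius"):
        if sp.get(svc):
            findings.append(f"{svc.upper()} in use: Active Directory and LDAP/SSL remain available")
    for user in sp.get("snmp_users", []):
        if user["auth"] == "MD5" or user["priv"] == "DES":
            findings.append(f"SNMP user {user['name']}: MD5/DES not supported")
    if sp.get("custom_config"):
        findings.append("user-defined settings reset to factory defaults")
    return findings

SAMPLE_FLEET = [  # constructed sample data
    {"host": "sp-a", "firmware": "3.2.2"},
    {"host": "sp-b", "firmware": "3.2.4", "fips_state": "enabled",
     "fips_status": "disabled", "ldap": True, "custom_config": True,
     "snmp_users": [{"name": "mon", "auth": "MD5", "priv": "none"}]},
    {"host": "sp-c", "firmware": "3.2.6", "fips_state": "enabled",
     "fips_status": "enabled"},
]

def audit(fleet):
    """Map each host to its list of findings (empty list = nothing to fix)."""
    return {sp["host"]: fips_readiness(sp) for sp in fleet}

if __name__ == "__main__":
    for host, findings in audit(SAMPLE_FLEET).items():
        print(host, findings or ["no findings"])
```

Running the audit before the SP reset shows which hosts still depend on a feature that disappears once the FIPS Status property becomes enabled.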