
Oracle® ILOM Security Guide For Firmware Releases 3.x and 4.x


Updated: May 2019

Enable FIPS Mode at Deployment


Note - FIPS compliance mode in Oracle ILOM is represented by State and Status properties. The State property represents the configured mode in Oracle ILOM and the Status property represents the operational mode in Oracle ILOM. When the FIPS State property is changed, the change does not affect the operational mode (FIPS Status property) until the next Oracle ILOM reboot.

Before You Begin

  • The FIPS State and Status properties are shipped disabled by default.

  • When FIPS is enabled (configured and operational), some features in Oracle ILOM are not supported. For a list of unsupported features when FIPS is enabled, see Table 3, Un-supported Features in Oracle ILOM When FIPS Mode Is Enabled.

  • The Admin (a) role is required to modify the FIPS State property.

  • The configurable property for FIPS compliance is available in Oracle ILOM as of firmware 3.2.4 or later. Prior to firmware release 3.2.4, Oracle ILOM does not provide a configurable property for FIPS compliance.

  • All user-defined configuration settings are reset to their factory defaults upon modifying the FIPS mode State and Status properties in Oracle ILOM.

  1. In the Oracle ILOM web interface click ILOM Administration -> Management Access -> FIPS.
  2. In the FIPS page, perform the following:
    1. Select the FIPS State check box to enable the configured FIPS property.
    2. Click Save to apply the change.

    For additional configuration details, click the More details... link on the FIPS web page.

  3. To change the FIPS operational mode status in Oracle ILOM, perform the following steps to reboot Oracle ILOM.
    1. In the web interface, click ILOM Administration -> Maintenance -> SP Reset.
    2. In the SP Reset page, click the SP Reset button.

    Upon rebooting Oracle ILOM, the following occurs:

    • The last configured FIPS State (enabled) is applied on the system.

    • Any user-defined configuration settings previously configured in Oracle ILOM are reset to their factory default values.

    • The FIPS Status property is updated to reflect the current enabled operational state in Oracle ILOM.

      For a complete list and description of the FIPS Status messages, click the More details link on the FIPS page.

    • A FIPS shield icon appears in the masthead area of the web interface.

    • All non-supported FIPS features are either disabled or removed from the CLI and web interface.

      For a complete list and description of non-supported FIPS features, click the More details link on the FIPS page.

Related Information

Un-Supported Features When FIPS Mode Is Enabled

Upon enabling FIPS compliance in Oracle ILOM, the following non-compliant FIPS 140-2 features in Oracle ILOM are not supported.

Table 3  Un-supported Features in Oracle ILOM When FIPS Mode Is Enabled

  • Unsupported FIPS Mode Feature: IPMI 1.5

    Description: When FIPS mode is enabled and running on the system, the IPMI v1.5 configuration property is removed from the Oracle ILOM CLI and web interface. The IPMI TLS service and the IPMI v2.0 service support both FIPS compliant and non-compliant modes.

  • Unsupported FIPS Mode Feature: Firmware Compatibility for Oracle ILOM System Remote Console

    Description: FIPS mode in Oracle ILOM prevents earlier firmware versions of the Oracle ILOM Remote System Console from being compatible with later Oracle ILOM Remote System Console firmware versions.

    For instance, the Oracle ILOM Remote System Console client firmware version 3.2.4 is backward compatible with the Oracle ILOM Remote System Console firmware version 3.2.3 and earlier. However, the Oracle ILOM Remote System Console client firmware version 3.2.2 and earlier are not forward compatible with the Oracle ILOM Remote System Console firmware version 3.2.4 and later.

    Note - This firmware compatibility limitation does not apply to the Oracle ILOM Remote System Console Plus. The Oracle ILOM Remote System Console Plus is provided on newer service processor systems such as SPARC T5 and later systems, and Oracle Server x4-4, x4-8 and later systems. The Oracle ILOM Remote System Console is provided on older service processor systems such as SPARC T3 and T4 and Sun Server x4-2/2L/2B and earlier systems.

  • Unsupported FIPS Mode Feature: Lightweight Directory Access Protocol (LDAP)

    Description: When FIPS mode is enabled and running on the system, the LDAP configuration properties in Oracle ILOM are automatically removed from the Oracle ILOM CLI and web interface.

    Note - The following remote authentication services are supported in both FIPS compliant and non-compliant modes: Active Directory and LDAP/SSL.

  • Unsupported FIPS Mode Feature: Remote Authentication Dial-In User Service (RADIUS)

    Description: When FIPS mode is enabled and running on the system, the RADIUS configuration properties in Oracle ILOM are automatically removed from the Oracle ILOM CLI and web interface.

    Note - The following remote authentication services are supported in both FIPS compliant and non-compliant modes: Active Directory and LDAP/SSL.

  • Unsupported FIPS Mode Feature: Simple Network Management Protocol (SNMP) DES and MD5

    Description: When FIPS mode is enabled and running on the system, the SNMP configuration properties for the DES Privacy Protocol and the MD5 Authentication Protocol are not supported in the Oracle ILOM CLI or web interface.
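The guide's distinction between the configured FIPS State and the operational FIPS Status (which only catch up after an SP reset), together with the SNMP DES/MD5 row of Table 3, is the kind of thing an operator wants to verify across a fleet before and after deployment. The following is an added example, not code from the Oracle ILOM Security Guide or from Oracle: it parses the property listing that the ILOM CLI prints for a `show` command and reports whether a reboot is still pending and whether an SNMP v3 user is configured with protocols the guide lists as unsupported under FIPS. The CLI target path `/SP/services/fips`, its `state`/`status` property names, and the SNMP user property names `authenticationprotocol`/`privacyprotocol` are assumptions of this example; the sample output is constructed, not captured from a real service processor.

```python
"""Pre-/post-deployment FIPS mode check for Oracle ILOM CLI output.

Added example, not from the Oracle ILOM Security Guide. It assumes (not
confirmed by the page) that "show /SP/services/fips" lists "state" and
"status" properties and that SNMP v3 users list "authenticationprotocol"
and "privacyprotocol". All sample output below is constructed.
"""
import re

# Constructed sample: State has been enabled and saved (step 2), but the
# SP reset in step 3 has not happened yet, so Status still reads disabled.
FIPS_SHOW_OUTPUT = """
 /SP/services/fips
    Targets:

    Properties:
        state = enabled
        status = disabled

    Commands:
        cd
        set
        show
"""

# Constructed sample of an SNMP v3 user still using MD5/DES, which Table 3
# says are not supported once FIPS mode is operational.
SNMP_USER_OUTPUT = """
 /SP/services/snmp/users/monitor
    Properties:
        authenticationprotocol = MD5
        permission = ro
        privacyprotocol = DES
"""

# One "name = value" property per line; headings such as "Properties:"
# and the target path contain no "=" and are skipped.
PROP_RE = re.compile(r"^\s*(\w+)\s*=\s*(\S*)\s*$", re.MULTILINE)


def parse_properties(show_output):
    """Return the 'name = value' pairs of an ILOM show listing as a dict."""
    return {m.group(1).lower(): m.group(2) for m in PROP_RE.finditer(show_output)}


def fips_mode(show_output):
    """Classify the configured (State) versus operational (Status) FIPS mode.

    Returns one of:
      'operational'     - State and Status both enabled
      'reboot-pending'  - State enabled, Status disabled: SP reset still needed
      'disable-pending' - State disabled, Status enabled: SP reset still needed
      'disabled'        - neither enabled
    """
    props = parse_properties(show_output)
    state = props.get("state", "").lower() == "enabled"
    status = props.get("status", "").lower() == "enabled"
    if state and status:
        return "operational"
    if state and not status:
        return "reboot-pending"
    if status and not state:
        return "disable-pending"
    return "disabled"


def snmp_findings(user_output):
    """List SNMP v3 protocols on a user that Table 3 marks unsupported under FIPS."""
    props = parse_properties(user_output)
    findings = []
    if props.get("authenticationprotocol", "").upper() == "MD5":
        findings.append("MD5 authentication protocol")
    if props.get("privacyprotocol", "").upper() == "DES":
        findings.append("DES privacy protocol")
    return findings


def deployment_report(fips_output, snmp_user_outputs):
    """Combine both checks into one summary dict for a fleet inventory."""
    return {
        "fips_mode": fips_mode(fips_output),
        "snmp_unsupported": {
            parse_properties(o).get("permission", "?") + ":" + str(i): snmp_findings(o)
            for i, o in enumerate(snmp_user_outputs)
        },
    }


if __name__ == "__main__":
    print(deployment_report(FIPS_SHOW_OUTPUT, [SNMP_USER_OUTPUT]))
```

A `reboot-pending` result is the state the procedure above leaves the service processor in between step 2 and step 3; because the SP reset also returns user-defined settings to factory defaults, the SNMP findings are most useful when gathered before the reset, so the operator knows which monitoring users will need to be recreated with SHA/AES settings afterwards.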