Management of Unwanted Services and Open Ports
All Oracle ILOM services can be optionally disabled, which
closes the respective open network ports for those services.
While most services are enabled by default, you might want to
disable some features or change default settings to make the
Oracle ILOM environment more secure. Any Oracle ILOM service
can be disabled, but disabling a service results in the loss of
its features. As a general rule, enable only those services that
are absolutely necessary in the deployed environment. The loss of
features must be weighed against the security benefit of having
fewer network services enabled.

The following table describes the impact of enabling or disabling
each service.

Table 6 Impact of Services When Enabled or Disabled
| Service | Description | Impact When Enabled or Disabled |
|---|---|---|
| HTTP | A non-encrypted protocol for accessing the Oracle ILOM web interface | Enabling this service provides faster performance than encrypted HTTP (HTTPS). However, using this protocol might result in sensitive information being sent over the Internet without encryption. |
| HTTPS | An encrypted protocol for accessing the Oracle ILOM web interface | Enabling this service provides secure communication between a web browser and Oracle ILOM. However, because it requires having an open network port on Oracle ILOM, there is an increase in vulnerability to an attack, such as Denial of Service. Note: If you need to disable the HTTPS service and your system supports the Oracle ILOM Remote System Console Plus, disabling the HTTPS service (port 443) is not enough. For systems supporting the Oracle ILOM Remote System Console Plus, both the HTTPS and KVMS services must be disabled. For systems supporting the Oracle ILOM Remote System Console, you can disable the HTTPS service (port 443) only. |
| Servicetag | An Oracle discovery protocol used to identify servers and facilitate service requests | The Servicetag property is enabled by default and is configurable from the Oracle ILOM CLI. Disabling this service makes it impossible for Oracle Enterprise Manager Ops Center to discover Oracle ILOM, and prevents integration into other Oracle automatic service solutions. Note (Sensitive Data Warning): When enabled, the Servicetag service uses the HTTP protocol by default, which is a clear text protocol that does not encrypt sensitive data. To encrypt sensitive data when using the Oracle ILOM Servicetag service, configure the Servicetag CLI property with a passphrase and use HTTPS as a communication method. |
| IPMI | A standard management protocol | Disabling this service might prevent Oracle Enterprise Manager Ops Center, as well as some Oracle management connectors to third-party software, from managing the system. |
| SNMP | A standard management protocol for monitoring the health of Oracle ILOM and monitoring received trap notifications | Disabling this service might prevent Oracle Enterprise Manager Ops Center, as well as some Oracle management connectors to third-party software, from managing the system. |
| KVMS | A set of protocols for providing remote keyboard, video, mouse, and storage | Disabling this service makes the host console and remote storage functionality unavailable, preventing their use of the Oracle ILOM Remote System Console (or Oracle ILOM Remote System Console Plus) and CLI Storage Redirection applications. |
| SSH | A secure protocol for accessing a remote shell | Disabling this service disallows command-line access over the network and might prevent Oracle Enterprise Manager Ops Center from discovering Oracle ILOM. |
| SSO | A single sign-on feature that reduces the number of times a user has to enter a user name and password | Disabling this service prevents launching KVMS without having to re-enter a password and allows drill-down from a chassis monitoring module (CMM) to a blade SP without having to re-enter a password. |

For information about enabling and disabling individual network
services, see the topic Configuring Services and Network Ports.
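
The guidance in the table can be checked mechanically across an inventory of service processors. The following Python is an added example, not part of the Oracle documentation: it compares the services enabled on one service processor with the services the deployment needs, and applies the HTTP, Servicetag, and HTTPS/KVMS caveats from the table. The function name, finding codes, and sample input are hypothetical, and how the enabled set is collected from Oracle ILOM is assumed to happen elsewhere.

```python
# Added example: audits ILOM service states against the guidance in the table above.
# Service names are the table's; inputs, function names and finding codes are hypothetical.
SERVICES = {"HTTP", "HTTPS", "Servicetag", "IPMI", "SNMP", "KVMS", "SSH", "SSO"}


def audit(enabled, required, console_plus=False, servicetag_https=False):
    """Return sorted (service, finding) pairs for one service processor.

    enabled          -- services currently enabled
    required         -- services the deployment actually needs
    console_plus     -- system supports Oracle ILOM Remote System Console Plus
    servicetag_https -- Servicetag is set up with a passphrase and HTTPS
    """
    enabled, required = set(enabled), set(required)
    unknown = (enabled | required) - SERVICES
    if unknown:
        raise ValueError(f"unknown service name(s): {sorted(unknown)}")

    findings = set()
    # General rule: every enabled service that is not needed is an open port.
    findings |= {(s, "enabled-not-required") for s in enabled - required}
    # The reverse case is a functional problem (lost features), so report it too.
    findings |= {(s, "required-but-disabled") for s in required - enabled}
    # HTTP row: the web interface is reachable without encryption.
    if "HTTP" in enabled:
        findings.add(("HTTP", "cleartext-web-interface"))
    # Servicetag note: cleartext HTTP unless a passphrase and HTTPS are configured.
    if "Servicetag" in enabled and not servicetag_https:
        findings.add(("Servicetag", "cleartext-transport"))
    # HTTPS note: on Remote System Console Plus systems, disabling HTTPS
    # alone is not enough; KVMS must be disabled as well.
    if console_plus and "HTTPS" not in enabled and "KVMS" in enabled:
        findings.add(("KVMS", "must-disable-with-https"))
    return sorted(findings)


if __name__ == "__main__":
    # Constructed inventory entry, not output from a real system.
    sample = audit(
        enabled={"HTTP", "HTTPS", "Servicetag", "SSH", "KVMS", "SSO"},
        required={"HTTPS", "SSH", "SNMP"},
    )
    for service, finding in sample:
        print(f"{service:<11}{finding}")
```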