
Oracle® ILOM Security Guide For Firmware Releases 3.x and 4.x


Updated: December 2019

Management of Unwanted Services and Open Ports

All Oracle ILOM services can be optionally disabled, which closes the network ports those services listen on. Most services are enabled by default, but you might want to disable some features or change default settings to make the Oracle ILOM environment more secure. Any Oracle ILOM service can be disabled, but disabling it results in the loss of the features it provides. As a general rule, enable only those services that are absolutely necessary in the deployed environment. The loss of features must be weighed against the security benefit of having fewer network services enabled.

The following table describes the impact of enabling or disabling each service.

Table 6  Impact of Services When Enabled or Disabled

Each entry lists the service, what it is, and the result of enabling or disabling it.

HTTP
  Description: A non-encrypted protocol for accessing the Oracle ILOM web interface.
  Result of enabling/disabling: Enabling this service provides faster performance than encrypted HTTP (HTTPS). However, using this protocol might result in sensitive information being sent over the Internet without encryption.

HTTPS
  Description: An encrypted protocol for accessing the Oracle ILOM web interface.
  Result of enabling/disabling: Enabling this service provides secure communication between a web browser and Oracle ILOM. However, because it requires an open network port on Oracle ILOM, it increases exposure to attacks such as Denial of Service.

  Note -  If you need to disable the HTTPS service and your system supports the Oracle ILOM Remote System Console Plus, disabling the HTTPS service (port 443) is not enough. For systems supporting the Oracle ILOM Remote System Console Plus, both the HTTPS and KVMS services must be disabled. For systems supporting the Oracle ILOM Remote System Console, you can disable the HTTPS service (port 443) only.

Servicetag
  Description: An Oracle discovery protocol used to identify servers and facilitate service requests. The Servicetag property is enabled by default and is configurable from the Oracle ILOM CLI.
  Result of enabling/disabling: Disabling this service makes it impossible for Oracle Enterprise Manager Ops Center to discover Oracle ILOM, and prevents integration into other Oracle automatic service solutions.

  Note -  Sensitive Data Warning: When enabled, the Servicetag service uses the HTTP protocol by default, which is a clear-text protocol that does not encrypt sensitive data. To encrypt sensitive data when using the Oracle ILOM Servicetag service, configure the Servicetag CLI property with a passphrase and use HTTPS as the communication method.

IPMI
  Description: A standard management protocol.
  Result of enabling/disabling: Disabling this service might prevent Oracle Enterprise Manager Ops Center, as well as some Oracle management connectors to third-party software, from managing the system.

SNMP
  Description: A standard management protocol for monitoring the health of Oracle ILOM and for receiving trap notifications.
  Result of enabling/disabling: Disabling this service might prevent Oracle Enterprise Manager Ops Center, as well as some Oracle management connectors to third-party software, from managing the system.

KVMS
  Description: A set of protocols for providing remote keyboard, video, mouse, and storage.
  Result of enabling/disabling: Disabling this service makes the host console and remote storage functionality unavailable, which prevents use of the Oracle ILOM Remote System Console (or Oracle ILOM Remote System Console Plus) and the CLI Storage Redirection applications.

SSH
  Description: A secure protocol for accessing a remote shell.
  Result of enabling/disabling: Disabling this service disallows command-line access over the network and might prevent Oracle Enterprise Manager Ops Center from discovering Oracle ILOM.

SSO
  Description: A single sign-on feature that reduces the number of times a user has to enter a user name and password.
  Result of enabling/disabling: Disabling this service prevents launching KVMS, and drilling down from a chassis monitoring module (CMM) to a blade SP, without re-entering a password.
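The table above is, in effect, a set of dependency rules: each operational need keeps certain services enabled, and everything else can be switched off. The following script is an added example (not Oracle's code) that encodes those rules so that an administrator can state what a given service processor must do and get back the minimal set of services to keep, the set to disable, and the caveats from the notes (the Console Plus HTTPS/KVMS rule and the Servicetag clear-text warning). Port 443 comes from the page; the other port numbers are the standard ports for those protocols and are assumptions, as is the `set /SP/services/<name> servicestate=...` CLI template, which should be checked against the Configuring Services and Network Ports topic before use.

```python
"""Minimum-service planner for an Oracle ILOM service processor.

Added example based on the services table; it is not Oracle's code.
Given what an SP must do in its deployment, it reports which services to
keep enabled, which to disable, and which caveats from the notes apply.
"""

# All services from the table. Port 443 is stated in the HTTPS note; the
# other ports are the standard ports for those protocols (assumption).
# KVMS, SSO and Servicetag ports are not given in the text, so None is used.
SERVICE_PORTS = {
    "http": "80/tcp",
    "https": "443/tcp",
    "ssh": "22/tcp",
    "snmp": "161/udp",
    "ipmi": "623/udp",
    "servicetag": None,
    "kvms": None,
    "sso": None,
}

# Operational need -> services that must stay enabled, taken from the
# "Result of enabling/disabling" column. HTTP is never required, because
# HTTPS is the encrypted way to reach the web interface.
NEEDS = {
    "web_interface": {"https"},
    "cli_over_network": {"ssh"},
    "remote_console": {"https", "kvms"},        # Remote System Console (Plus), storage redirection
    "ops_center_discovery": {"servicetag", "ssh"},
    "ops_center_management": {"ipmi", "snmp"},
    "sso_kvms_and_cmm": {"sso"},                # launch KVMS / CMM-to-blade drill-down without re-auth
}

# Assumed CLI syntax; confirm the target path and property name in the
# "Configuring Services and Network Ports" topic before running anything.
CLI_TEMPLATE = "set /SP/services/{name} servicestate={state}"


def plan_services(needs, console_plus):
    """Return {'enable': [...], 'disable': [...], 'notes': [...]} for the SP.

    needs        -- iterable of NEEDS keys describing what this SP must do
    console_plus -- True if the platform ships Oracle ILOM Remote System Console Plus
    """
    unknown = set(needs) - NEEDS.keys()
    if unknown:
        raise ValueError(f"unknown need(s): {sorted(unknown)}")

    enable = set()
    for need in needs:
        enable |= NEEDS[need]

    notes = []
    # HTTPS note: on Console Plus platforms, closing port 443 alone does not
    # remove remote console access; KVMS must be disabled as well.
    if console_plus and "https" not in enable:
        notes.append("Console Plus platform with HTTPS disabled: KVMS must be disabled too "
                     "(disabling port 443 alone is not enough).")
    # Servicetag note: it talks clear-text HTTP by default.
    if "servicetag" in enable:
        notes.append("Servicetag stays enabled: configure a passphrase and use HTTPS, "
                     "otherwise it sends data in clear text.")

    disable = set(SERVICE_PORTS) - enable
    return {"enable": sorted(enable), "disable": sorted(disable), "notes": notes}


def closed_ports(plan):
    """Ports that stop listening once the plan is applied (where the port is known)."""
    return sorted(SERVICE_PORTS[n] for n in plan["disable"] if SERVICE_PORTS[n])


def cli_commands(plan):
    """Render the plan as ILOM CLI lines using the assumed CLI_TEMPLATE."""
    lines = [CLI_TEMPLATE.format(name=n, state="disabled") for n in plan["disable"]]
    lines += [CLI_TEMPLATE.format(name=n, state="enabled") for n in plan["enable"]]
    return lines


if __name__ == "__main__":
    # Constructed scenario: a blade managed and discovered by Ops Center,
    # administered over SSH, no web UI or remote console, Console Plus platform.
    p = plan_services(["ops_center_discovery", "ops_center_management", "cli_over_network"],
                      console_plus=True)
    print("keep enabled :", ", ".join(p["enable"]))
    print("disable      :", ", ".join(p["disable"]))
    print("ports closed :", ", ".join(closed_ports(p)))
    for note in p["notes"]:
        print("note         :", note)
    print("\n".join(cli_commands(p)))
```

The need-to-service map is deliberately the only place the table's rules live; adding a new deployment profile means adding one entry there, and the planner keeps the Console Plus and Servicetag caveats attached to whatever plan results.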

For information about enabling and disabling individual network services, see Configuring Services and Network Ports.