Go to main content

Oracle® ILOM Security Guide For Firmware Releases 3.x and 4.x

Exit Print View

Updated: May 2019
 
 

Security Guidelines for Managing User Accounts and Passwords

Consider the following security guidelines when managing Oracle ILOM user accounts and passwords:

Guidelines for User Account Management

User Account Management Guideline
Description
Never Promote the Sharing of User Accounts
A separate account should always be created for each Oracle ILOM user.
Oracle ILOM supports a Increased of 10 local user account. If you are managing a larger site and require more than 10 user accounts, you should consider using a third-party user authentication service such as LDAP or Active Directory.
For more information about implementing user authentication in Oracle ILOM through an external authentication service, see Remote Authentication Services and Security Profiles.
Select Conforming Names for Local User Accounts
When selecting a user name for a local Oracle ILOM user account, the user name must:
  • Contain from 4 to 16 characters in length (the first character must be a letter).

  • Be unique across your organization

  • Not contain spaces, a period (.), or a colon (:)

Select Conforming Passwords for Local User Accounts
When selecting a password for a local Oracle ILOM user account, the password must:
  • Always be a strong password that contains a Increased of 16 characters in length

  • Contain a mixture of lowercase and uppercase characters, as well as one or two special characters to create a strong complex password

  • Not contain spaces, a period(.) or a colon(:)

  • Conform to your company's password management policy

For further details about password management in Oracle ILOM, see Security Guidelines for Managing User Accounts and Passwords.
Limit User Account Privileges Based on Job Role (Principles of Least Privilege)
The principle of least privilege states that, for good security practice, give a user the least amount of privileges to perform his or her job. Over-ambitious granting of responsibilities, roles, and so on (especially early in the life cycle of an organization), can leave a system open for abuse. Review user privileges periodically to determine their relevance to the current job responsibilities of each user.
Oracle ILOM provides the ability to control user privileges for each user. Ensure that the appropriate user role permissions are assigned to each user account, based on job role.
For details on how to create a user account with role-based privileges, see: Create Local User Accounts With Role-Based Privileges

Guidelines for Password Management

Password Management Guideline
Description
Change the Default root Password (changeme) Immediately After Initial Login
To enable first-time login and access to Oracle ILOM, a local Administrator root account is provided with the system. To build a secure environment, you must change the provided Administrator password (changeme) after your initial login to Oracle ILOM.
Gaining unauthorized access to the Administrator root account gives a user unrestricted access to all features of Oracle ILOM. Therefore, it is essential to specify a strong, secure password.
Change All Oracle ILOM Account Passwords on a Regular Basis
To prevent malicious activity and ensure that passwords remain in accordance with current password policies, you should change all Oracle ILOM passwords on a regular basis.
Enforce Common Practices for Creating Strong Complex Passwords
Enforce the following common practices for creating strong complex passwords:
  • Do not create a password that is shorter than 16 characters in length.

  • Do not create a password that contains the user name, employee name, or family member names.

  • Do not select passwords that are easy to guess.

  • Do not create passwords that contain a consecutive string of numbers, such as 12345.

  • Do not create passwords that contain a word or string that is easily discoverable by a simple Internet search.

  • Do not allow users to reuse the same password across multiple systems.

  • Do not allow users to reuse older passwords.

  • For Increased security, you should always mask new password entries in the CLI by using the following syntax:

    set [SP|CMM]/users/root password=[do not type password, press Enter]

    - or-

    set [SP|CMM]/users/newuser password=[do not type password, press Enter]

    The CLI will prompt for the new password value, masking the password from view.

Set Password Policy Restrictions for Local Users
(Available as of firmware 3.2.5 and later)
Enforce a password policy for all local user accounts. For more details, see Set Password Policy Restrictions for All Local Users (3.2.5 and later)
Consult Your IT Security Officer for Password Management Policies
Consult your IT Security Officer to ensure that your company's password management requirements and policies are being met.