F Service Processor Procedures

This section describes functions that you can perform on the Service Processor of your KMA. The Service Processor on a Sun Fire X2200 M2 system is an Embedded Lights Out Manager (ELOM). The Service Processor on a SPARC T7-1, Netra SPARC T4-1 system or Sun Fire X4170 M2 system is an Integrated Lights Out Manager (ILOM).

ILOM Procedures
ELOM Procedures
Attach a Keyboard and Monitor to the KMA

ILOM Procedures

"ILOM Upgrade Overview"
"Configure ILOM – SPARC T7-1, Netra SPARC T4-1 and Sun Fire X4170 M2 Servers"
"Verify ILOM and OBP or BIOS Levels"
"Upgrade the ILOM Server Firmware"
"Configure OpenBoot Firmware - SPARC KMAs Only"
"Launch the BIOS Setup Utility from the ILOM - Sun Fire X4170 M2 Only"
"ILOM Security Hardening"
"Configure OpenBoot Firmware - SPARC KMAs Only"
"Configure the BIOS - Sun Fire Servers Only"

ILOM Upgrade Overview

SPARC T7-1, Netra SPARC T4-1 and Sun Fire X4170 M2 server-based KMAs have been manufactured with the latest ILOM firmware level that was available at the time. From time to time, newer Sun Fire server firmware is released and upgrades are recommended.

Note:

Sun Fire X4170 M2 KMAs run ILOM 3.1 or later, while SPARC T7-1 and Netra SPARC T4-1 KMAs run ILOM 3.2 or later. ILOM 3.2 is included in server firmware 8.3 or later. You can view the current server firmware from the ILOM.

This information describes the procedures that should be used with the firmware upgrade procedures documented in the following guides:

For the Sun Fire X4170 M2 server: Oracle Integrated Lights Out Manager (ILOM) 3.1 Configuration and Maintenance Guide.
For the SPARC T7-1 and Netra SPARC T4-1 servers: Oracle ILOM Administrator's Guide for Configuration and Maintenance Firmware Release 3.2

Oracle recommends configuring specific, non-default, OpenBoot/BIOS settings that prevent changes to the BIOS that may compromise security. These settings are saved in the CMOS. In a default CMOS configuration, a remote user can use the ILOM to change BIOS settings and then start the KMA from a network device. To minimize this security risk, access to the BIOS settings must be limited. Following the procedures in this document will ensure that these settings are retained.

Note:

SPARC T7-1 and Netra SPARC T4-1 servers do not include a BIOS; there are no BIOS procedures for users to follow. Follow the OBP procedures, instead.

This appendix assumes familiarity with the Oracle Key Manager solution, in particular, the "Shut Down the KMA" procedure with the ILOM web-based interface and the BIOS Setup Utility.

Configure ILOM – SPARC T7-1, Netra SPARC T4-1 and Sun Fire X4170 M2 Servers

ILOM for the SPARC T7-1, Netra SPARC T4-1, and Sun Fire X4170 M2 servers contains a separate processor from the main server. As soon as power is applied—by plugging the server in to the power source—and after a one or two minute boot period, the ILOM provides a remote connection to the console.

Note:

This section has some basic ILOM commands to configure the server. Refer to the Integrated Lights Out Manager Administration Guide for more information.

Connect to the KMA through the Integrated Lights Out Manager using:

Network connection—NET MGT ILOM interface—(recommended). See "Launch the QuickStart from the ILOM Web Interface".

If using a KMA 2x:

Connect using a Keyboard and monitor attached to the KMA. See "Attach a Keyboard and Monitor to the KMA".
Note:
Disable popup blockers before continuing.

If the window appears, but a console window does not, the Web browser or Java version is incompatible. Upgrade to the latest versions of the browser and Java.

Configure ILOM for the KMA

Obtain the IP address for the ILOM.

Using Table F-1 as a reference, connect all cables as required.

Caution:

Do not connect the power cord. Wait until instructed in Step 8.

Table F-1 KMA Network Connections -SPARC T7-1, Netra SPARC T4-1, and Sun Fire X4170 M2 Servers

Port	Connects To	Description
SER MGT	Service Rep Laptop	Serial connection to the ILOM. The ILOM IP address is most easily configured using this connection.
NET MGT	Service Rep Laptop	Optional Ethernet connection to the ILOM. This port is not available until you configure the ILOM IP address.
NET 0	Management Network	Required connection to the Management Network (a switch) and to other KMAs in the cluster. The Management Network can be local, remote, or a combination of both. Customers are expected to provide the management network.
NET 2	Service Network	Required connection to the Service Network. This network connects the server to encryption agents, such as tape drives, either directly, or through Ethernet switches.
NET 3	Aggregate Network	Optional connection to the Aggregated Network and provides aggregation with NET 2.

Connect a null modem serial cable to the SER MGT port (callout 2 for the Sun Fire X4170 M2 server, callout 10 for the Netra SPARC T4-1 server). Connect the other end to a laptop PC serial port.

Figure F-1 SPARC T7-1 Server - Rear Panel

Description of ''Figure F-1 SPARC T7-1 Server - Rear Panel''

Legend:
1. NET3 (aggregated service network port)
2. SER MGT (serial management port for configuring ILOM)
3. NET0 (management network port)
4. NET2 (service network port)
5. NET MGT (ILOM)
On a SPARC T7-1 or Netra SPARC T4-1 server, enter the following commands to set the auto-boot property:

Note:
In the following example, there is a space after the question mark but not before it. These commands are case sensitive.
```
show /HOST/bootmodeset /HOST/bootmode script="setenv auto-boot? true"show /HOST/bootmode
```
Log off of the ILOM and exit.

Note:
This setting will be updated again, as described below in "ILOM Security Hardening".

Go to "Launch the QuickStart from the ILOM Web Interface" to continue the installation.

Figure F-2 Netra SPARC T4-1 Server Rear Panel

Description of ''Figure F-2 Netra SPARC T4-1 Server Rear Panel''

1 - Power supplies (PS1–PS0, top to bottom) (AC supplies shown)

2 - Power supply status LEDs: Green = OK (output), Amber = Service Action Required, Green = AC or DC (input power)

3 - Alarm port

4 - Expansion slot 0 (PCIe 2.0 x8 or XAUI)

5 - Expansion slot 3 (PCIe 2.0 x8)

6 - Expansion slot 1 (PCIe 2.0 x8 or XAUI)

7 - Expansion slot 4 (PCIe 2.0 x8)

8 - Expansion slot 2 (PCIe 2.0 x8)

9 - Service LEDs:
- Locator LED/Locator button: white
- Service Action Required LED: amber
- Main Power/OK LED: green
10 - SER MGT RJ-45 serial port

11 - NET MGT RJ-45 network port

12 - Network 10/100/1000 ports (NET0 to NET3) for host

13 - Physical Presence button access hole

14 - USB 2.0 ports (USB 0, USB 1)

15 - Video connector (HD-15)

16 - Grounding studs

Figure F-3 Sun Fire X4170 M2 Server Rear Panel

Description of ''Figure F-3 Sun Fire X4170 M2 Server Rear Panel''

1 - AC Power connectors

2 - Serial Management (SER MGT) RJ-45 serial port

3 - Service processor (NET MGT) port (also known as the ILOM and corresponds to LAN1 on the Sun Fire X2100 or X2200 servers)

4 - Ethernet ports (0, 1, 2, 3), labeled Net0 through Net3, from left to right

5 - USB ports (0, 1)

6 - Video connector (VGA)

Note:
A connection to the NET MGT interface is required to initially configure the server.
Start a HyperTerminal session on the laptop. This allows you to watch the boot process.
Verify the default settings are:
- 8-bits
- No Parity
- 1 stop-bit
- 9600 baud rate
- Disable both hardware (CTS/RTS) and software (XON/XOFF) flow control
Connect the server power cord to the power source.

Important: Do not power-on the server.

The ILOM starts as soon as power is connected, even if the server is powered-off. This is the reason for preparing and connecting the PC before applying power.
Once the boot completes, the ILOM login prompt will be displayed.
1. Press [Enter] a few times to get the ILOM login prompt.
2. Log in as the system root user. See "ILOM Security Hardening" for details about this user.
Configure the ILOM IP address.

Enter the following commands.

Note:

These commands are case sensitive.

show /SP/networkset /SP/network/ pendingipdiscovery=staticset /SP/network/ pendingipaddress=ipaddressset /SP/network/ pendingipnetmask=netmaskset /SP/network/ pendingipgateway=gatewayset /SP/network/ commitpending=true

On a SPARC T7-1 or Netra SPARC T4-1 server, enter the following commands to set the auto-boot property:

Note:
In the following example, there is a space after the question mark but not before it. These commands are case sensitive.
```
show /HOST/bootmodeset /HOST/bootmode script="setenv auto-boot? true"show /HOST/bootmode
```
Log off of the ILOM and exit.

Note:
This setting will be updated again, as described below in "ILOM Security Hardening".
Go to "Launch the QuickStart from the ILOM Web Interface" to continue the installation.

Verify ILOM and OBP or BIOS Levels

Log in to the ILOM and verify the type of KMA you have and the levels match the latest levels documented for your server type. These firmware versions can be used to determine what type of KMA server you're connected to through the ILOM. To check the firmware levels on the ILOM Web Based Interface, select System Information > Firmware.

Note:

SPARC T7-1 and Netra SPARC T4-1 servers do not have a BIOS; there are no BIOS procedures for users to follow. Follow the OpenBoot procedures, instead.

The expected ILOM and OpenBoot or BIOS firmware levels vary across OKM releases, as shown in the following table.

Table F-2 Server Firmware Levels

Server	Server Firmware	ILOM Firmware	OpenBoot PROM/BIOS Firmware	OKM Release
SPARC T7-1	9.8.5.c	4.0.2.2.c	04.42.4	3.3.2
Netra SPARC T4-1	8.4.2.d	3.2.1.7.f	4.35.5.a	3.0, 3.0.2^Foot 1
Sun Fire X4170 M2	1.7.2	3.1.2.20.b	08.14.01.03 (Sun Fire X4170 M2 only)	2.x, 3.0.2^Foot 2
Sun Fire X4170 M2	1.6.1	3.0.16.10.d	08.12.01.04	2.5.x
Sun Fire X4170 M2	1.3	3.0.14.11.a	08.06.01.08	2.3.1, 2.4, 2.5
Sun Fire X4170 M2	1.2	3.0.9.27	08.04.01.10	2.3

^Footnote 1Oracle recommends that customers with OKM 3.0 KMAs upgrade these servers to server firmware 8.4.2.d. Clear the web browser cache before upgrading the server firmware.For OKM 3.0.2 KMAs or Netra SPARC T4-1 KMAs that have been upgraded to OKM 3.1, customers may choose to upgrade these servers to server firmware 8.8.3.b.

^Footnote 2Oracle requires that customers who want to migrate their OKM 2.x KMAs to OKM 3.0.2 must first upgrade their server firmware to 1.7.2.

If the ILOM and OpenBoot/BIOS firmware levels are correct (for example, those for server firmware 1.6.1 with OKM 2.5.x), then you do not have to do anything. If not, proceed with the following instructions if the firmware is down level and you need to upgrade.

Follow this procedure to download SPARC T7-1, Netra SPARC T4-1 and Sun Fire X4170 M2 firmware from My Oracle Support:

Go to My Oracle Support at: http://support.oracle.com and sign in.
Click the Patches & Updates tab.
Click Product or Family (Advanced).
In the Start Typing... field, type in the product information (for example, "Netra" or "X4170"), and click Search to see the latest firmware for each release.

The firmware distribution is packaged as a zip file. After you download this file, extract it and then extract the firmware package.zip file that it contains (if any). The firmware package is in a pkg file. You upload this file during the upgrade procedure outlined below.

Upgrade the ILOM Server Firmware

The firmware update process takes several minutes to complete. During this time, do not perform any other ILOM tasks. When the firmware update process completes, the system will reboot.

Be sure you have met the initial requirements for the upgrade. Refer to "Before You Begin the Firmware Update" in the Oracle ILOM Administrator's Guide for Configuration and Maintenance.

Log in to the ILOM using the Web based interface. You must have administrator privileges to perform the firmware upgrades.
To avoid trouble with service processors that may be in an error state begin by resetting the service processor.
1. Click ILOM Administration > Maintenance > Reset SP and then click Reset SP.
2. Log out and then log back into the ILOM Web based interface. If necessary, the reset can be performed using the serial interface and CLI to the ILOM, then log back into the ILOM Web based interface.
Set the Session Time-out value to 3 hours (System Information tab, then Session Timeout tab).
Shut down the server.

For new installs, or FRU situations, before QuickStart you should power down using the ILOM Web Interface's Remote Control tab, select the Remote Power Control tab and then choose the Graceful Shutdown and Power Off action. Save this choice to have the server shut down.

For KMAs that have already been configured (QuickStart procedure), log in to the OKM Console as an Operator and select the Shutdown KMA menu option to shut down the KMA.

Note:
The process for upgrading the firmware is discussed in detail in "Update the Server SP or CMM Firmware Image" in the Oracle ILOM Administrator's Guide for Configuration and Maintenance.
Click ILOM Administration > Maintenance > Firmware Upgrade.
Click Enter Firmware Upgrade Mode, then click OK.
In the Firmware Upgrade page, either click Browse to specify the firmware to upload or enter a URL to upload the firmware.
Click Upload.
In the Firmware Verification page, enable the Preserve Configuration option.
Click Start.
Click OK to proceed through a series of prompts. The Update Status page is displayed.

The system automatically reboots when the Update Status is 100 percent complete.
If you want to verify that the updated firmware has been installed, click System Information > Firmware.

Setting the boot Mode for OpenBoot from the ILOM - SPARC KMAs Only

The following procedure can be used to boot into the OpenBoot firmware so that it can be secured. Securing the OpenBoot firmware can mitigate an attack where the KMA could be booted using an alternate device.

Log in to the ILOM web-based interface. Follow (or navigate) to:

Remote Control > Redirection and click Launch Redirection to launch the Remote Host Console. The Remote Host Console will be used subsequently once the KMA boots into the OpenBoot firmware.
Navigate to Host Management > Boot Mode. In the Script text box enter "setenv auto-boot? false" and click SAVE.
Navigate to Host Management > Power Control. Select Power On and click SAVE to boot up the host.
Switch to the Remote Host Console window and monitor the boot process, where it should stop at the OpenBoot firmware prompt.
Proceed to "Configure OpenBoot Firmware - SPARC KMAs Only" to verify and update OBP settings.

Launch the BIOS Setup Utility from the ILOM - Sun Fire X4170 M2 Only

Note:

Netra SPARC T4-1 servers do not include a BIOS; there are no BIOS procedures for users to follow.

Log in to the ILOM web-based interface. Navigate to Remote Control > Redirection and click Launch Redirection to launch the Remote Host Console.
Navigate to Host Management >Host Control for next boot device. Select BIOS and then click Save.
Navigate to Host Management > Power Control. Select Power On and click SAVE. To reboot the system, Remote Control > Remote Power Control.
In the Remote Host Console, monitor the normal boot messages. When the American Megatrends screen appears, press the F2 key to launch the BIOS Setup Utility.
Proceed to "Configure the BIOS - Sun Fire Servers Only" to verify and update BIOS settings.

Use "ILOM Security Hardening" when you want to harden the ILOM. The table below is organized as displayed in the ILOM Web Interface using ":" to delimit the tab names presented by the ILOM web interface.

ILOM Security Hardening

The Oracle ILOM Security Guide should be followed for security hardening of the ILOM; see https://docs.oracle.com/cd/E37444_01/html/E37451/index.html.

To further secure the KMA, customers may choose to update some ILOM settings. Table F-3 and Table F-4 list each navigation point in the ILOM web-based interface and identify any recommended changes in that screen. Table F-4 shows additional considerations for security hardening.

Use of ILOM FIPS mode is recommended and supported, with or without use of the HMP feature of OKM. Use of HMP enables IPMI 2.0 which does expose the ILOM to some types of attacks, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4786.

Configure ILOM FIPS Mode - SPARC KMAs Only

To configure the ILOM to operate in FIPS mode use the following procedure. Be sure you can physically access the ILOM as network connectivity to the ILOM management port will be removed:

To verify Oracle ILOM Remote Host Console client firmware, as instructed in the ILOM FIPS information section of the Security Guide or the Administrator's Guide for Configuration and Maintenance Firmware, use Help > About from the Remote Host Console.

When connected to a T7-1 ILOM you see that it supports the newer Remote Host Console client firmware, such as the Plus version:
Log in to the ILOM web-based interface. Navigate to ILOM Administration > Configuration Management. Perform a backup of the current configuration. This is necessary since the subsequent step for enabling FIPS resets the configuration. The backup will then be used to restore your configuration. Save the password that you assign to the ILOM backup for use during the subsequent restore operation.
Enable FIPS mode by navigating to ILOM Administration > Management Access then the FIPS tab, enable FIPS and click SAVE.
Navigate to ILOM Administration > Maintenance and the Reset SP tab. Click the Reset SP button. You will now lose network connectivity to the ILOM management port. Use a physical console connection to reconfigure the ILOM management connection, as described in "Configure ILOM for the KMA".
Locate the ILOM backup file saved from the first step of this procedure. Use an editor to change the XML backup files' setting of the FIPS mode from "disabled" to "enabled". The restore operation will fail without this update.
Once ILOM network connectivity is configured, log in to the ILOM web-based interface. You should now see that FIPS mode enabled by observing the yellow "F" badge in the upper-right corner of the web interface.

Navigate to ILOM Administration > Configuration Management. Perform a restore of the configuration using the ILOM backup.
Verify configuration settings were properly restored.

Table F-3 ILOM Configuration and Security Hardening for ILOM 3.1, 3.2, and 4.0

Navigation Point	Recommended Changes
Remote Control: Redirection	Launch Remote Host Console - This is the typical means for accessing the KMA console. Select the "Use serial redirection" option before launching the Remote Host Console. Once the console launches, the default Devices, Keyboard, and Video settings should be used.
Remote Control: KVMS	KVMS Settings - Use the default settings. Host Lock Settings - Leave this disabled.
Remote Control: Host Storage Device (SPARC T7-1 only)	change the Mode setting to "Disabled" to prevent booting from NFS, SAMBA or supplying a Solaris Miniroot package.
Host Management: Power Control	Reset - Whenever possible, it is preferable to use the corresponding OKM console option to reboot the KMA as this provides an OKM audit event. Graceful Reset - Whenever possible, it is preferable to use the corresponding OKM console option to reboot the KMA as this provides an OKM audit event. Immediate Power Off - Whenever possible, it is preferable to use the corresponding OKM console option to shut down the KMA as this provides an OKM audit event. Graceful Shutdown and Power Off - Whenever possible, it is preferable to use the corresponding OKM console option to shut down the KMA as this provides an OKM audit event. Power On - As needed. Power Cycle - As needed. In some cases, a power cycle is necessary for recovery of the hardware security module.
Host Management: Host Control	Use the default settings. For SPARC T7-1 the DIMM sparing feature is irrelevant due to the DIMM configuration. For ILOM 3.1 (4170 KMAs) see "ILOM Security Hardening" where this setting is manipulated.
Host Management: Keyswitch (ILOM 3.2 only)	The Keyswitch setting may be changed to "Locked" to prevent unauthorized updates to flash devices.
Host Management: TPM (ILOM 3.2 only)	Not yet tested by OKM.
Host Management: Verified Boot (SPARC T7-1 only)	The Boot Policy may be changed to "Warning" to enable boot verification. See Securing Systems and Attached Devices in Oracle Solaris 11.3 `https://docs.oracle.com/cd/E53394_01/html/E54828` for more information. The following messages may appear on the console on each verified startup, if an SCA 6000 card or nCipher nShield Solo module is installed. These messages can be safely ignored: WARNING: Signature verification of module/kernel/drv/sparcv9/mca failed. WARNING: Signature verification of module /kernel/drv/sparcv9/mcactl failed. WARNING: Signature verification of module /kernel/drv/sparcv9/nfp failed.
Host Management: Diagnostics	Use the default settings.
Host Management: Host Domain (ILOM 3.2 only)	Auto Boot should be enabled. Boot Guests may be changed to disabled since OKM does not support hosting guest virtual machines.
Host Management: Host Boot Mode (ILOM 3.2 only)	See "Setting the boot Mode for OpenBoot from the ILOM - SPARC KMAs Only". Use the default settings.
System Management: Policy	Use the default settings.
System Management:Diagnostics (SPARC T7-1 only)	You may change the "HW Change" setting to "Min" to save some time during cold boots.
System Management: Miniroot - (SPARC T7-1 only)	Use the default setting,
Power Management	Use defaults for all items.
ILOM Administration: Identification	SP Hostname - assign an appropriate host name per customer policy SP System Identifier - assign a meaningful name per customer policy SP System Contact - customer contact information SP System Location - physical rack or other description of location of this server The "Physical Presence Check" should be enabled (default setting) Customer FRU Data: optional but can be used to record existence of a hardware security module in this KMA.
ILOM Administration:Logs	No specific recommendations.
ILOM Administration: Management Access: Web Server	No specific changes are recommended for KMAs, although a security best practice is to change the default port number for HTTPS. Disable use of SSLv2 and SSLv3.
ILOM Administration: Management Access: SSL Certificate	The ILOM uses a default certificate but supports loading an alternate certificate with its corresponding private key for stronger authentication.
ILOM Administration: Management Access: SNMP	For "Settings" the use of SNMPv3 protocol is recommended (v1 and v2c can be disabled) and "Set Requests" can be disabled to prevent configuration changes from happening through SNMP. Refer to the Oracle ILOM Protocol Management Reference SNMP and IPMI document for details.
ILOM Administration: Management Access: SSH Server	No specific changes are recommended for KMAs.
ILOM Administration: Management Access: IPMI	This service should be disabled if there are no plans to use IPMI. Leaving this interface open exposes the KMA to attackers knowledgeable of the WS-Management protocols. If "Configure the Hardware Management Pack (HMP)" will be enabled in OKM then IPMI must also be enabled.
ILOM Administration: Management Access: CLI	Configure the session timeout as the default allows CLI sessions to remain open indefinitely.
ILOM Administration:Management Access:WS-MAN (ILOM 3.1 only)	The State setting can be disabled.
ILOM Administration: Management Access: Banner Messages	Changing the banner setting to contain the product name is recommended so that users of the ILOM are aware that the key management appliance is not a generic SPARC T7-1, Netra SPARC T4-1 or Sun Fire X4170 M2 server. Add a connect message. For example: "Oracle Key Manager ILOM Connect" Add a login message. For example: "Oracle Key Manager ILOM"
ILOM Administration:Management Access:FIPS(ILOM 3.2 only)	See "Configure ILOM FIPS Mode - SPARC KMAs Only".
ILOM Administration: User Management: Active Sessions	No KMA-specific changes are prescribed.
ILOM Administration: User Management: User Accounts	Use of user accounts and roles is recommended over the default root account. Refer to the "Setting Up and Maintaining User Accounts" section in the Oracle ILOM Administrator's Guide for Configuration and Maintenance document.
ILOM Administration: User Management: LDAP, LDAP/SSL, RADIUS, Active Directory	No KMA-specific changes are prescribed. These services can all remain disabled.
ILOM Administration: Connectivity: Network	No KMA-specific changes are prescribed. If HMP will be enabled then see the section "HMP Prerequisites" for the Local Host Interconnect settings.
ILOM Administration: Connectivity: DNS	No KMA-specific changes are prescribed.
ILOM Administration: Connectivity: Serial Port	No KMA-specific changes are prescribed.
ILOM Administration:Configuration Management	Backups of the ILOM configuration are recommended following this hardening procedure and whenever the configuration is changed.
ILOM Administration:Notifications	No specific OKM recommendations other than if HMP will be enabled then see the section "HMP Prerequisites" for the Alerts settings.
ILOM Administration: Date and Time: Clock	The ILOM SP clock is not synchronized with the host clock on the server. So that ILOM events can be correlated with server events, the ILOM date and time should be set manually to UTC/GMT time or configured to synchronize with external NTP servers — preferably the same NTP servers used for the KMA server during or after QuickStart.
ILOM Administration: Date and Time: Timezone	The ILOM time zone should be "GMT".
ILOM Administration:Maintenance	No specific OKM guidelines.

Table F-4 Other ILOM Considerations

Navigation Point	Consideration
Monitoring	The ILOM has a variety of monitoring features. It is recommended that users consider the most appropriate facility for monitoring alerts originating from the KMA ILOM service processor. ILOM System Monitoring with the KMA SNMP audit events are recommended for staying abreast of hardware and software events that may affect KMA availability. Use of HMP is also recommended.
OpenBoot/BIOS Firmware Upgrades	OpenBoot/BIOS firmware is upgraded whenever ILOM SP firmware is upgraded.
Interoperability with Oracle Management Tools and Third Party Tools	The following disclaimers are noted: The OKM has not been integrated with Oracle Enterprise Manager Ops Center, also known as Sun xVM Ops Center, although ILOM firmware upgrades and system monitoring could likely be performed with this tool. Interoperability testing with Sun Management Center has not been performed with OKM 3 KMAs that have the Oracle Hardware Management Pack enabled. The Sun Installation Assistant may not be used as a tool for updating ILOM or BIOS firmware on KMAs. Third Party System Management Tools listed at the following URL have not been tested with OKM: `http://www.oracle.com/technetwork/documentation/sys-mgmt-networking-190072.html`
ILOM Troubleshooting	Remote Host Console Hang – Should the Remote Host Console become non-responsive to keyboard input first try to Reset the SP. If this does not work, then a reboot of the Server can clear this condition. If you suspect ILOM configuration changes are causing problems, then ILOM settings can be restored to default values. For instructions, see the following: SPARC T7-1 and Netra SPARC T4-1 KMAs: "Reset the Oracle ILOM Configuration to Factory Defaults" section of the Oracle ILOM Administrator's Guide for Configuration and Maintenance, Firmware Release 3.2. Sun Fire X4170 M2 KMAs: "Troubleshooting the Server and Restoring ILOM Defaults" section of the Sun Fire X4170 M2 Server Service Manual.

Configure OpenBoot Firmware - SPARC KMAs Only

You should ensure that the OpenBoot firmware has specific settings defined to secure firmware variables. Boot into the OpenBoot firmware and check these settings under the following conditions:

When you deploy a KMA that is a SPARC T7-1 or Netra T4-1 server
Whenever you upgrade the ILOM firmware on the KMA

If you need to configure the OpenBoot firmware for a KMA, perform the procedure below. For more information, refer to the SPARC T7 Series Security Guide section on "Restricting Access(OpenBoot)" or to the OpenBoot™ 4.x Command Reference Manual, and the section on "Setting Security Variables". When you boot into the OpenBoot firmware, a password prompt may appear if you have a password already defined.

To display variables:

ok printenv
Set a security password to restrict the set of operations that users are allowed to perform:

ok password

Caution:
It is important to remember your security password and to set the security password before setting the security mode. If you forget this password, you cannot use your system; you must then use an ILOM account with sufficient privileges to reset the NVRAM.

You will then be prompted to supply a secure password. The security password you assign must be between zero and eight characters. Any characters after the eighth are ignored. You do not have to reset the system; the security feature takes effect as soon as you type the command.
Specify the security mode to either "command" or "full". Full security is the most restrictive and will require the password for any operation, including each time the system boots. For this reason the "command" mode is recommended.

ok.setenv security-mode command

ok
It is recommended that you also specify the number of password attempts:

ok setenv security-#badlogins 10
Now boot the system and verify that it boots correctly:

ok boot
Log in to the ILOM web-based interface. Navigate to Host Management>Boot Mode. In the Script text box enter "setenv auto-boot? true" and click SAVE. This configures the host to automatically boot off the default boot device without entering OpenBoot firmware each time it is booted.
Go to "Configure ILOM for the KMA" to continue the installation.

Configure the BIOS - Sun Fire Servers Only

You should ensure that the BIOS has specific settings defined to limit access to the KMA. Launch the BIOS Setup Utility and check these settings:

When you deploy a KMA that is a Sun Fire X4170 M2 server
Whenever you upgrade the ELOM or ILOM firmware on the KMA.

If you need to configure the BIOS for a KMA, perform the procedure below. For more information, refer to the Sun Fire X4170 M2 Server Service Manual, the Sun Fire X2100 M2 Server Product Notes, or the Sun Fire X2200 M2 Server Product Notes as appropriate for the server type of the KMA.

Launch the BIOS Setup Utility. If the password prompt appears, enter the BIOS password. If you do not know the password, you press Enter to access the BIOS Setup Utility with limited privileges.
In the Main menu, verify the UTC time.
In the Main menu, set the BIOS supervisor password.
In the Security Menu, verify user access.
In the Boot Menu, verify boot order.
In the Boot menu, select the "Boot Device Priority" using the up and down arrow keys, then press enter.

Look for the name of the KMA's single disk device, such as: HDD:P0-SEAGATE ST95000NSSUN500G102.All other devices listed should be individually selected using arrow keys and disabled.
In the Boot menu, select "Option ROM Enable" using the up and down arrow keys and hit enter.
In the Boot menu, Select each "Net Option ROM" device (there are 4 numbered Net0 to Net3) using the up and down arrow keys and press enter.
In the Boot menu, disable the ability to boot from this device by selecting "Disable" and pressing enter.
Optional: Disable PCI-E Option ROM for each of the 3 PCI-E slots to mitigate possibility of booting from PCI-E devices. The KMA does not ship with any PCI-E devices that support booting so there is marginal benefit from making this change.
Save the BIOS changes.
Navigate to the Exit menu.
Verify that the system boots correctly and that the supervisor password works for reentering the BIOS Setup Utility.
Go to"Configure ILOM for the KMA" for Sun Fire X4170 M2 KMAs and "Configure ELOM – Sun Fire X2100 M2 or X2200 M2 Servers" for Sun Fire X2100 M2 and X2200 M2 KMAs to continue the installation.

Refer to the Sun Fire X2100 M2 Server Product Notes, the Sun Fire X2200 M2 Server Product Notes for the ILOM, or the Sun Fire X4170 M2 and X4270 M2 Servers Installation Guide as appropriate for the server type of the KMA.

Note:
A connection to the NET MGT interface is required to initially configure the servers. Never use the manual procedure for clearing CMOS NVRAM after a KMA has been Quick Started because it resets the clock.

ELOM Procedures

"Configure ELOM – Sun Fire X2100 M2 or X2200 M2 Servers"
"Verify ELOM and BIOS Levels"
"Upgrade the ELOM Server Firmware"
"Launch the BIOS Setup Utility from the ELOM"

ELOM Upgrade Overview

Sun Fire X2100 M2 or X2200 M2 server-based KMAs were manufactured for earlier KMS releases with the latest BIOS and ELOM firmware levels that were available at the time. When they were manufactured, some BIOS settings were defined to limit access to them.

Newer Sun Fire X2100 M2 and X2200 M2 server firmware may have been released after a particular Sun Fire X2x00 M2 server-based KMA was manufactured. Table F-6 lists the latest server firmware available for these servers. Ensure that these KMAs run the latest firmware.

Note:

Sun Fire X2100 M2 and X2200 M2 servers are no longer being manufactured and are in sustaining mode. Newer server firmware for these servers is no longer being released.

This appendix describes the procedures that should be used with the firmware upgrades documented in Embedded Lights Out Manager (ELOM) Administration Guide for the Sun Fire X2200 M2 and Sun Fire X2100 M2 Servers.

KMAs have specific, non-default, BIOS settings that prevent changes to the BIOS that may compromise security. These settings are saved in the Complementary metal-oxide semiconductor (CMOS). In a default CMOS configuration, a remote user can use the ELOM to change BIOS settings and then boot the KMA from a network device. To minimize this security risk, access to the BIOS settings must be limited. Following the procedures in this document ensures that these settings are retained.

This appendix assumes familiarity with the Oracle Key Manager solution, in particular, the "Shut Down the KMA" procedure, and with the ELOM web-based interface and the BIOS Setup Utility.

Configure ELOM – Sun Fire X2100 M2 or X2200 M2 Servers

ELOM for Sun Fire X2100 M2 and X2200 M2 servers contains a separate processor from the main server. As soon as power is applied—by plugging the server in to the power source—and after a one or two minute boot period, the ELOM provides a remote connection to the console.

Note:

This section has some basic ELOM commands to configure the server. Refer to the Embedded Lights Out Manager Administration Guide for more information.

Connect to the KMA through the Embedded Lights Out Manager using either:

Network connection—NET MGT ELOM interface—(recommended). See "Launch the QuickStart from the ELOM Web Interface"
Keyboard and monitor attached to the KMA. See "Attach a Keyboard and Monitor to the KMA"

Note:

Pop-ups prevent windows from launching in the following procedures. Disable the popup blockers before continuing.

If the window appears, but a console window does not, the Web browser or Java version is incompatible. Upgrade to the latest versions of the browser and Java.

To configure the ELOM for the key management appliance (KMA):

Obtain the IP address for LAN 1:

Caution:
Do not connect the power cord. Wait until instructed in Step 0

Using Table F-5 as a reference, connect all cables as required.

Table F-5 KMA Network Connections - Sun Fire X2100 M2 and Sun Fire X2200 M2 Servers

Port	Connects To	Description
LAN 0	OKM GUI	Management Network. This is a required connection. Connects to the OKM GUI and to other KMAs in the cluster. This network can be local, remote, or a combination of both. Customers are expected to provide the management network.
LAN 1	Service Representative Laptop	Network connection for the ELOM service processor. You can configure the ELOM IP address most easily using a serial connection. Connect a DB9-to-DB9 serial null modem cable from a laptop PC serial port to the serial port on the server. This is a one-time connection for the initial configuration.
LAN 2	Service Network	This is normally a required connection for the tape drives. The tape drives are connected either directly or through Ethernet switches.
LAN 3	Aggregate Network	This is an optional connection to the Aggregated Network and provides aggregation with LAN 2.

Connect a null modem serial cable to the DB-9 connector (callout 7). Connect the other end to a laptop PC serial port.

Figure F-4 Sun Fire X2100 M2/X2200 M2 Appliance - Rear Panel

Description of ''Figure F-4 Sun Fire X2100 M2/X2200 M2 Appliance - Rear Panel ''

1 - Power connector

2 - Ethernet connectors (2) Upper = Management Network (LAN 0) Lower = ELOM (LAN 1)

3 - System Identification LED

4 - Fault LED

5 - Power LED

6 - Ethernet connections (2) Left = Service Network (LAN 2) Right = Aggregated Network (LAN 3)

7 - Serial port (DB9, RS232)

8 - PCIe slots Top = SCA 6000 card (not shown) Bottom = Blank (empty)

9 - VGA connector

10 - USB 2.0 ports (4)
Start a HyperTerminal session on the laptop. This allows you to watch the boot process.
Verify the default settings are:
- 8-bits
- No Parity
- 1 stop-bit
- 9600 baud rate
Disable both hardware (CTS/RTS) and software (XON/XOFF) flow control.
Connect the server power cord to the power source.

Important: Do not power-on the server.The ELOM starts as soon as power is connected, even if the server is powered-off. This is the reason for preparing and connecting the PC before applying power.
Once the boot completes, the ELOM login prompt will be displayed.
1. Press [Enter] a few times to get the ELOM login prompt.
2. Log in using: Userid = root, Password = changeme
Configure the ELOM IP address.

Enter the following commands.

Note:

These commands are case sensitive.

set /SP/AgentInfo DhcpConfigured=disableset /SP/AgentInfo IpAddress=ipaddressset /SP/AgentInfo NetMask=netmaskset /SP/AgentInfo Gateway=gatewayreset

An informational command you can use is: show /SP/SystemInfo/CtrlInfo.

Log off of the ELOM and exit.
Go to "Launch the QuickStart from the ELOM Web Interface" to continue the installation.

Verify ELOM and BIOS Levels

Log in to the ELOM and verify the type of KMA you have and that the levels match the latest levels documented for your server type. The various ELOM Service Processor and BIOS firmware levels are documented in the Server Product Notes for each server type. ELOM and BIOS firmware are packaged together as "server software."

The firmware versions shown in Table F-6 can be used to determine what type of KMA server you're connected to using the ELOM. To check the firmware levels on the ELOM Web-based interface, select System Information > Version > SP Board Information > Server Board Information.

Table F-6 ELOM/BIOS Firmware Levels

Server Type	Server Software	BIOS Level	ELOM Level	Product Notes
Sun Fire X2100 M2	1.8	3A21	3.24	Sun Fire X2100 M2 Product Notes
Sun Fire X2200 M2	2.2.1	3D16	3.23	Sun Fire X2200 M2 Product Notes

Note:

You can find Product Notes for the Sun Fire X2100 M2 server at http://docs.oracle.com/cd/E19121-01/sf.x2100m2/index.html and for the Sun Fire X2200 M2 server at http://docs.oracle.com/cd/E19121-01/sf.x2200m2/index.html. You can download server software from the My Oracle Support site at: http://support.oracle.com.

If firmware levels are correct, then there is nothing to do. Proceed with the following instructions if the firmware is down level, an upgrade is recommended.

Note:

The firmware file you need for the upgrade can be found at the above URL in the remoteflash_x.y.zip file, where x.y refers to the Tools and Drives release number as documented in the appropriate Product Notes.

Upgrade the ELOM Server Firmware

The following procedure takes about 10 minutes to complete and should be scheduled appropriately because the KMA being upgraded need to be disconnected from the cluster.

Log in to the ELOM using the Web-based interface. You must have administrator privileges to perform the firmware upgrades.
To avoid trouble with Service Processors that may be in an error state begin by resetting the service processor.
1. Click the "Maintenance" tab, then the "Reset SP" tab and then the "Reset SP" button.
2. Log out and then log back into the ELOM Web-based interface. If necessary, the reset can be performed using the serial interface and CLI to the ELOM, then log back into the ELOM Web based interface.
Disable Session Time-out (System Information tab > Session Time-Out tab).
For new installs, or FRU situations, before QuickStart you should power down using the ELOM Web Interface's Remote Control tab,
Select the Remote Power Control tab and then choose the action to Graceful Shutdown. Save this choice to have the server shutdown.
For KMAs that have already been configured (QuickStart procedure), log in to the OKM Console as an Operator and select the Shutdown KMA menu option to shut down the KMA.

Follow the ELOM Administration Guide procedures for the Web-based interface for Firmware Upgrade and Select Option B in Step 4.

Do not use the CLI procedures documented in the ELOM Administration Guide as Option A is used by default and your BIOS settings will revert to defaults, exposing the KMA to BIOS related attacks.

Note:
The following information has been extracted from the Server Product Notes. Failure to observe these warnings can corrupt the BIOS:

The SP/BIOS flash process includes a "Update Successful" message when the SP flash process ends. This message signals the end of the SP flash activity only. At this point in the process the BIOS is not flashed, and interrupting the process might corrupt the BIOS.

To avoid corrupting the BIOS review the flash sequence below:
- SP begins the flash process.
- SP completes the flash process.
- CLI returns an Update Successful message.
- The system reboots and the BIOS begins the flash process.
Log out from the ELOM and log back in and verify that the SP and BIOS firmware levels are at the correct level (System Information tab > Version tab).

BIOS settings revert to default values when the ELOM firmware is upgraded. You should limit access to the KMA by launching the BIOS Setup Utility and changing some BIOS settings. See "Launch the BIOS Setup Utility from the ELOM" and "ILOM Security Hardening".

Launch the BIOS Setup Utility from the ELOM

Remote Control tab > Remote Power Control tab >  
Boot option: BIOS Setup

Save this choice to have the server booted. During the boot, the normal boot message appears on the console followed by the launch of the BIOS Setup Utility. Proceed to "Configure the BIOS - Sun Fire Servers Only" to verify and update BIOS settings.

If the ability to change the supervisor password is displayed, then the BIOS default settings are in effect and you should follow the troubleshooting procedure below.

Attach a Keyboard and Monitor to the KMA

On KMS 2.x KMAs, an alternate method to the network connection is to use a keyboard connected to one of the USB ports and a monitor connected to the VGA connector. Then, follow the same procedure as described in "Launch the QuickStart from the ELOM Web Interface" or "Launch the QuickStart from the ILOM Web Interface", depending on the server you use.

F Service Processor Procedures

ILOM Procedures

Related Documentation for ILOM

ILOM Upgrade Overview

Configure ILOM – SPARC T7-1, Netra SPARC T4-1 and Sun Fire X4170 M2 Servers

Configure ILOM for the KMA

Verify ILOM and OBP or BIOS Levels

Upgrade the ILOM Server Firmware

Setting the boot Mode for OpenBoot from the ILOM - SPARC KMAs Only

Launch the BIOS Setup Utility from the ILOM - Sun Fire X4170 M2 Only

ILOM Security Hardening

Configure ILOM FIPS Mode - SPARC KMAs Only

Configure OpenBoot Firmware - SPARC KMAs Only

Configure the BIOS - Sun Fire Servers Only

ELOM Procedures

ELOM Upgrade Overview

Related Documentation for ELOM

Configure ELOM – Sun Fire X2100 M2 or X2200 M2 Servers

Verify ELOM and BIOS Levels

Upgrade the ELOM Server Firmware

Launch the BIOS Setup Utility from the ELOM

Attach a Keyboard and Monitor to the KMA