This section describes security for the Oracle ZFS Storage Appliance administrative model.
This section describes Oracle ZFS Storage Appliance remote access security.
Browser User Interface
The Browser User Interface (BUI) is used for general administration of the appliance. You can use the BUI Services Screens to view and modify the remote access services and settings.
Administration is conducted over an HTTP secure (HTTPS) browser session. HTTPS sessions are encrypted with a self-signed certificate that is uniquely generated for each Oracle ZFS Storage Appliance at initial installation time. HTTPS sessions have a user-definable default session timeout of 15 minutes.
Command Line Interface
The Command Line Interface (CLI) can be used to perform most of the same administrative actions that can be performed in the BUI.
Secure Shell (SSH) lets users log in to the Oracle ZFS Storage Appliance over a Secure Sockets Layer (SSL) connection to the CLI. SSH can also be used as a means of executing automated scripts from a remote host, such as for retrieving daily logs or analytics statistics.
Administrative access is limited to the root user, local administrators defined with the relevant privileges, and those authorized through identity servers such as Lightweight Directory Access Protocol (LDAP) and Network Information Service (NIS).
In addition, the appliance can use Kerberos to authenticate users for administrative login using the BUI, CLI, and RESTful API, and for access to services, including NFS, HTTP, FTP, SFTP, and SSH. Kerberos can also be used to set security for individual shares that use the NFS protocol as described in NFS Authentication and Encryption Options.
The Oracle ZFS Storage Appliance RESTful API can be used to manage the Oracle ZFS Storage Appliance. The RESTful architecture is based on a layered client-server model that lets services be transparently redirected through standard hubs, routers, and other network systems without client configuration.
The Oracle ZFS Storage Appliance RESTful API uses the same authentication credentials as the BUI and CLI. All requests from external clients are individually authenticated using the appliance credentials and are conducted over an HTTPS connection on port 215. The RESTful API supports HTTPS sessions that have a user-definable default timeout of 15 minutes.
For information on managing the Oracle ZFS Storage Appliance with the RESTful API, see the Oracle ZFS Storage Appliance RESTful API Guide.
To take advantage of the latest security improvements, Oracle recommends keeping the system software up to date.
System updates are applied as whole binary replacements of the system software. Before the update, a snapshot is taken of the running system pool. This lets an administrator roll back to the previous version if needed.
A deferred update is a feature or piece of functionality that is part of a system update but is not activated when the system update is performed. The administrator decides when or if to apply deferred updates. Updates not applied during a system update are still available during successive system updates. You cannot select individual updates to apply; when you choose to apply deferred updates, you can apply all or none of the updates. After you apply an update, you cannot roll back to an earlier system software version.
If your system is registered for Phone Home support and it suffers a major fault, your system status is sent to My Oracle Support, where it is examined by engineering support personnel and a support bundle can be created. The system status information that is sent to My Oracle Support contains no user data; only configuration information is sent.
System configurations can be saved locally for later restoration. These backups contain no user data; only configuration settings are saved.