4.1 Securing the Hardware

After installation of Oracle Exadata Database Machine, the hardware should be secured.

Hardware can be secured by restricting access to the hardware and recording the serial numbers. Oracle recommends the following practices to restrict access:

• Install Oracle Exadata Database Machine and related equipment in a locked, restricted-access room.

• Lock the rack door unless service is required on components within the rack.

• Restrict access to hot-pluggable or hot-swappable devices because the components can be easily removed by design. See

• Store spare field-replaceable units (FRUs) or customer-replaceable units (CRUs) in a locked cabinet. Restrict access to the locked cabinet to authorized personnel.

• Limit SSH listener ports to the management and private networks.

• Use SSH protocol 2 (SSH-2) and FIPS 140-2 approved ciphers.

• Limit SSH allowed authentication mechanisms. Inherently insecure methods are disabled.

• Mark all significant items of computer hardware, such as FRUs.

• Keep hardware activation keys and licenses in a secure location that is easily accessible to the system managers in the case of a system emergency.

• Record the serial numbers of the components in Oracle Exadata Database Machine, and keep a record in a secure place. All components in Oracle Exadata Database Machine have a serial number.

• Getting the Rack Serial Number
  Use the ipmitool utility to get the serial number for the rack.
• Getting the Serial Numbers for Rack Components
  The CheckHWnFWProfile command can be used to display the serial number of most of the system components.
• Getting the Rack Serial Number for a Cisco 9336C or 9348 Switch
  Use the show license host-id command on the switch to get the serial number.
• Getting the Rack Serial Number for a Sun Datacenter InfiniBand Switch 36
  Use the showfruinfo command on the switch to get the serial number.
• Getting the Serial Number for a Cisco 4948 Ethernet Switch
  Use the sh inventory command on the switch to get the serial number.

4.1.1 Getting the Rack Serial Number

Use the ipmitool utility to get the serial number for the rack.

When interacting with Oracle Support Services, the CSI number for a rack is based on the rack serial number.

1. Log in to one of the servers in the rack as the root user.
2. Use ipmitool to get the serial number for the rack.

   # ipmitool sunoem cli "show /SP system_identifier"
   Connected. Use ^D to exit.
   -> show /SP system_identifier
   
    /SP
       Properties:
           system_identifier = Exadata Database Machine X2-8xxxxAKyyyy
   
   
   -> Session closed
   Disconnected

4.1.2 Getting the Serial Numbers for Rack Components

The CheckHWnFWProfile command can be used to display the serial number of most of the system components.

1. Log in to one of the servers in the rack as the root user.
2. On each server in the rack, use CheckHWnFWProfile with the -S option to display the serial number of the components for that server.

   # /opt/oracle.SupportTools/CheckHWnFWProfile -S > /tmp/CheckHWnFWProfile_hostname.txt

   The result is specific to each server, so the command must be performed on every node. The following is a partial example of the output:

   Server_Model=ORACLE_SERVER_X8-2L
   ====START SERIAL NUMBERS====
   ==Motherboard, from dmidecode==
   --System serial--
   1904XCA000
   --Motherboard serial--
   469996N+0000RD01RN
   --Chassis serial--
   1900XCA000
   --Rack serial--
   AK00400000
   ==Infiniband HCA==
   ID:      CX354A - ConnectX-3 QSFP
   PN:      7046442
   EC:      XX
   SN:      465000K-1800000000
   V0:      PCIe Gen3 x8
   ==Motherboard, RAM etc from ipmitool==
   FRU Device Description : Builtin FRU Device (LUN 0 ID 0)
   ...
    Product Name          : ILOM
    Product Version       : 4.0.4.38.a
   
   FRU Device Description : BMC
   ...
    Product Name          : ILOM
     Product Version       : 4.0.4.38.a
   
   FRU Device Description : /SYS (LUN 0 ID 3)
   ...
    Product Part Number   : 8200669
    Product Serial        : 1900XCA000
   
   FRU Device Description : DBP (LUN 0 ID 210)
    
    Board Part Number     : 7341141
    Board Extra           : Rev 09
   
   FRU Device Description : HDD0 (LUN 0 ID 47)
    Device not present (Requested sensor, data, or record not found)
   
   FRU Device Description : HDD1 (LUN 0 ID 48)
    Device not present (Requested sensor, data, or record not found)
   
   ...
   
   FRU Device Description : MB (LUN 0 ID 4)
    Board Mfg Date        : Sun Jan 20 16:57:00 2019
    Board Mfg             : Oracle Corporation
   ...
   
   FRU Device Description : MB/BIOS (LUN 0 ID 5)
   ...
   
   FRU Device Description : MB/CPLD (LUN 0 ID 8)
    Product Manufacturer  : Oracle Corporation
    Product Name          : Power Control FPGA
    Product Version       : FW:3.9
   
   FRU Device Description : M2R0/SSD0 (LUN 0 ID 211)
    Device not present (Requested sensor, data, or record not found)
   
   FRU Device Description : M2R1/SSD0 (LUN 0 ID 212)
    Device not present (Requested sensor, data, or record not found)
   
   FRU Device Description : MB/NET0 (LUN 0 ID 43)
    Product Manufacturer  : INTEL
    Product Name          : 1G Ethernet Controller
   ...
   
   FRU Device Description : MB/P0 (LUN 0 ID 16)
    Product Manufacturer  : Intel
    Product Name          : Intel(R) Xeon(R) Gold 5218 CPU @ 2.30GHz
   ...
   
   FRU Device Description : MB/P0/D0 (LUN 0 ID 24)
    Product Manufacturer  : Samsung
    Product Name          : 16384MB DDR4 SDRAM DIMM
   ...
   
   FRU Device Description : MB/P0/D1 (LUN 0 ID 25)
    Device not present (Requested sensor, data, or record not found)
   
   FRU Device Description : MB/P0/D2 (LUN 0 ID 26)
    Product Manufacturer  : Samsung
    Product Name          : 16384MB DDR4 SDRAM DIMM
   ...
   
   
   FRU Device Description : MB/P1 (LUN 0 ID 17)
    Product Manufacturer  : Intel
    Product Name          : Intel(R) Xeon(R) Gold 5218 CPU @ 2.30GHz
   ...
   
   FRU Device Description : MB/P1/D0 (LUN 0 ID 36)
    Product Manufacturer  : Samsung
    Product Name          : 16384MB DDR4 SDRAM DIMM
   ...
   FRU Device Description : PS0 (LUN 0 ID 63)
   ...
   FRU Device Description : PS1 (LUN 0 ID 64)
   ...
   FRU Device Description : SP/NET0 (LUN 0 ID 1)
   ...
   FRU Device Description : SP/NET1 (LUN 0 ID 2)
   ...
   FRU Device Description : /UUID (LUN 0 ID 6)
   ...
   FRU Device Description : TOP_LEVEL_CH (LUN 0 ID 251)
    Chassis Type          : Rack Mount Chassis
    Chassis Part Number   : 8200669
    Chassis Serial        : 1900XCA0000
    Chassis Extra         : chassis_name:ORACLE SERVER X8-2L
   
   FRU Device Description : TOP_LEVEL_PROD (LUN 0 ID 250)
    Product Manufacturer  : Oracle Corporation
    Product Name          : Exadata X8-2
    Product Part Number   : Exadata X8-2
    Product Serial        : AK00430000
   
   ====END SERIAL NUMBERS====
   

4.1.3 Getting the Rack Serial Number for a Cisco 9336C or 9348 Switch

Use the show license host-id command on the switch to get the serial number.

1. Connect to the switch from a server with SSH equivalency configured, or log in as the admin user.
2. Obtain the serial number for the switch by entering the show license host-id command.

   The host ID is also referred to as the device serial number.

   # switch# show license host-id
   License hostid: VDH=FLA12345678

   Use the entire ID that appears after the equal sign (=). In this example, the host ID is FLA12345678.

4.1.4 Getting the Rack Serial Number for a Sun Datacenter InfiniBand Switch 36

Use the showfruinfo command on the switch to get the serial number.

1. Log in to the switch as root.

   $ ssh root@switch_name

2. Use the showfruinfo command to view the serial number for the switch.

   root@ib-switch-> showfruinfo 
   Sun_Man1R:
   UNIX_Timestamp32 : Fri Mar 19 16:29:59 2010
   Sun_Fru_Description : ASSY,NM2-GW
   Vendor_ID_Code : 11 E1
   Vendor_ID_Code_Source : 01
   Vendor_Name_And_Site_Location : 4577 CELESTICA CORP. SAN JOSE CA US
   Sun_Part_Number : 5111402
   Sun_Serial_Number : 0110SJC-1010NG0040
   Serial_Number_Format : 4V3F1-2Y2W2X4S
   Initial_HW_Dash_Level : 03
   Initial_HW_Rev_Level : 50
   Sun_Fru_Shortname : NM2 gateway
   Sun_Hazard_Class_Code : Y
   Sun_SpecPartNo : 885-1655-01 
   Sun_FRU_LabelR:
   Sun_Serial_Number : AK000XXXX2
   FRU_Part_Dash_Number : 541-4188-01

4.1.5 Getting the Serial Number for a Cisco 4948 Ethernet Switch

Use the sh inventory command on the switch to get the serial number.

1. Log in to the Cisco Ethernet switch.
2. Obtain the serial number for the switch and its components by entering the sh inventory command.

   # Switch# sh inventory
   NAME: "Switch System", DESCR: "Cisco Systems, Inc. WS-C4948 1 slot switch "
   PID:                   , VID:      , SN: FOX0000G0B6
   NAME:  "Linecard(slot 1)", DESCR: "10/100/1000BaseT (RJ45), 1000BaseX (SFP) 
    Supervisor with 48 10/100/1000BASE-T ports and 4 1000BASE-"
   PID: WS-C4948          , VID: V09  , SN: FOX0000G0B6
   NAME: "Power Supply 1", DESCR: "Power Supply ( AC 300W )"
   PID: PWR-C49-300AC     , VID:      , SN: QCS0000B1XR
   NAME: "Power Supply 2", DESCR: "Power Supply ( AC 300W )"
   PID: PWR-C49-300AC     , VID:      , SN: QCS0000B1X5