Obtaining SSL Certificates for TLS Access

In order to use TLS encryption when accessing an Oracle ILOM SP over a remote network connection, a client-side trusted certificate for that SP must be available on the host from which you run the commands. Note the following:

  • Ensure that you've installed the latest TLS and OpenSSL patches for your operating system (Oracle requires TLS 1.2 support at a minimum).

  • Oracle Hardware Management Pack commands that perform SSL certificate validation for a remote network connection to a service processor look for hashed symbolic links to client-side trusted certificates in certain directories, depending on the operating system.

    • For Linux, the expected directory for certificate hashed links is /etc/ssl/certs.

    • For Oracle Solaris, the expected directory for certificate hashed links is /etc/openssl/certs.

    If you opt to install certificates in some other directory, you will need to include a command line argument (as described in Command Options for Accessing Oracle ILOM Over a Remote Network Connection) that specifies the certificate directory when issuing Oracle Hardware Management Pack commands that perform client-side SSL certificate validation.

To obtain a client-side trusted certificate from a service processor and prepare it for validation, do the following:

  1. Obtain a PEM format certificate from the target Oracle ILOM SP. You can use one of the following methods:

    • Use a web browser to log in to the Oracle ILOM SP. If this is the first time you log in to the SP, the browser prompts you to accept a security exception, at which point you can view the certificate and export it in PEM format (.pem) to a directory.

      If you have already accepted the certificate from a previous browser login, you can export it in PEM format (.pem) from the browser's stored server certificates.

    • You can also run an OpenSSL command from the host to obtain the certificate. For example:

      # echo | openssl s_client -connect sp_ip:623 | sed -n "/--BEGIN/,/--END/ p" > path_to_cert/certname.pem

      Where sp_ip is the host name or IP address of the SP, path_to_cert is the directory path to where the certificate will be copied, and certname is the file name for the PEM format certificate.

      Note:

      To avoid the possibility of a man-in-the-middle attack, execute this command over a trusted channel, or verify the fingerprint of the retrieved certificate through an independent second channel before installing it. Any certificate retrieved this way is only as trustworthy as the path it travelled.

    • Or, set up your own certificate authority (CA) and sign a certificate to upload to Oracle ILOM. In that case the CA certificate is what you install on the host as the client-side trusted certificate. If you choose to create your own custom certificates, refer to the Oracle ILOM documentation for details.

  2. Change the ownership of the downloaded certificate file to root:root and its permissions to -rw-r--r-- (numeric mode 644).

  3. Create a hash symbolic link of your downloaded certificate.

    • For Red Hat and Oracle Linux 6 and 7, there is a script called cacertdir_rehash which is part of the authconfig package. You can use this script to create your hash symbolic link in the certificate directory. For example:

      # /usr/sbin/cacertdir_rehash /etc/ssl/certs

      Refer to the Red Hat and Oracle Linux documentation for more details.

    • For SLES Linux 12, there is a script called c_rehash which is part of the OpenSSL package. You can use this script to create your hash symbolic link in the certificate directory. For example:

      # /usr/bin/c_rehash /etc/ssl/certs

      Refer to the SLES Linux documentation for more details.

    • For Oracle Solaris 11, rehash the certificate directory (this will also create the hash symbolic link in the /etc/openssl/certs directory). For example:

      # /usr/sbin/svcadm refresh svc:/system/ca-certificates:default

      Refer to the Oracle Solaris 11 documentation for more details.

    • For Oracle Solaris 10, if you have installed the required patches, the /etc/openssl directory should be present. Follow these steps to prepare the directory, hash the certificate, and create the symbolic link:

      1. Create the certs directory under /etc/openssl if it does not already exist. Type:

        # mkdir -p /etc/openssl/certs

      2. Set the group ownership for the directory. Type:

        # chgrp sys /etc/openssl/certs

      3. Set permissions for the directory. Type:

        # chmod 0755 /etc/openssl/certs

      4. Create the hash name for your certificate. Type:

        # hashname=`openssl x509 -hash -noout -in path_to_cert/certname.pem`

        Where path_to_cert is the directory path to your downloaded certificate and certname is the file name for the PEM format certificate.

      5. Create the symbolic link for your certificate. Type:

        # ln -s "path_to_cert/certname.pem" "/etc/openssl/certs/$hashname.0"

        Note:

        The .0 extension is an example; if another certificate in the directory already has the same hash with the .0 extension, use the next available number (.1, .2, and so on) for your link.

        Refer to the Oracle Solaris 10 and OpenSSL documentation for more details.

  4. Ensure that the service processor Common Name (for example, ORACLESP-1000NML000) has been added to your network's domain name system (DNS). The name you use to reach the SP must match the Common Name found in the certificate file; otherwise host name verification of the connection fails even though the certificate itself is trusted.
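The procedure above, steps 1 through 4, as a POSIX shell script. This is an added example and is not part of the Oracle Hardware Management Pack documentation. It assumes a Linux host with OpenSSL 1.1 or later, the hypothetical host name sp.example.com, and a SHA-256 fingerprint that you have obtained from the SP through an independent, trusted channel as the note in step 1 requires. It goes slightly beyond the text by checking that fingerprint before anything is installed, by choosing the next free .N suffix automatically when another certificate already has the same subject hash, and by confirming afterwards that OpenSSL really finds the certificate through the hashed link.

```shell
#!/bin/sh
# Added example, not from the Oracle HMP documentation. Fetch an SP
# certificate, check its SHA-256 fingerprint against an out-of-band value,
# set root:root 0644, create the hashed symbolic link with the next free
# .N suffix, and confirm OpenSSL resolves the certificate via -CApath.
# sp.example.com and the fingerprint in the usage comment are placeholders.

# fetch_sp_cert HOST PORT OUTFILE: save the certificate the SP presents.
# Only the PEM block is kept; s_client's diagnostic output is dropped.
fetch_sp_cert() {
    echo | openssl s_client -connect "$1:$2" 2>/dev/null \
        | sed -n '/--BEGIN/,/--END/ p' > "$3"
    [ -s "$3" ]
}

# cert_fingerprint PEM: SHA-256 fingerprint as colon-separated hex.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

# cert_common_name PEM: the subject CN, which must resolve in DNS (step 4).
cert_common_name() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# check_cn_resolves PEM: succeed only if the CN has a DNS entry on this host.
check_cn_resolves() {
    getent hosts "$(cert_common_name "$1")" >/dev/null
}

# next_hash_suffix DIR HASH: first N for which DIR/HASH.N does not exist,
# so a second certificate with the same subject hash gets .1, then .2, ...
next_hash_suffix() {
    n=0
    while [ -e "$1/$2.$n" ]; do
        n=$((n + 1))
    done
    echo "$n"
}

# install_sp_cert PEM CERTDIR EXPECTED_FP: refuse on fingerprint mismatch,
# otherwise fix ownership and mode, link under the subject hash, and verify.
install_sp_cert() {
    pem=$1; certdir=$2; expected=$3
    actual=$(cert_fingerprint "$pem") || return 1
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch for $pem: got $actual, expected $expected" >&2
        return 1
    fi
    # chown needs root; the 0644 mode is applied either way
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$pem" || return 1
    fi
    chmod 0644 "$pem" || return 1
    subj_hash=$(openssl x509 -hash -noout -in "$pem") || return 1
    # link to an absolute path so the link stays valid from any directory
    abs=$(cd "$(dirname "$pem")" && pwd)/$(basename "$pem")
    ln -s "$abs" "$certdir/$subj_hash.$(next_hash_suffix "$certdir" "$subj_hash")" || return 1
    # the link is only useful if a CApath lookup restricted to this
    # directory actually finds the certificate
    openssl verify -no-CAfile -no-CApath -CApath "$certdir" "$pem" >/dev/null 2>&1
}

# Usage with placeholder values (fingerprint taken from a trusted channel):
#   fetch_sp_cert sp.example.com 623 /root/sp.pem
#   install_sp_cert /root/sp.pem /etc/ssl/certs "AB:CD:...:EF" \
#       && check_cn_resolves /root/sp.pem
```

The fingerprint comparison runs before the file is touched, so a certificate substituted on the wire is rejected without ever entering the trust directory. The final openssl verify call, limited to the target directory, confirms that the hashed link is what OpenSSL's directory lookup resolves, which is the lookup the Hardware Management Pack commands depend on when they validate the connection.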