Modifying Default Management Access Configuration Properties

Network administrators can optionally accept or modify the default management access properties shipped with Oracle ILOM. To modify the default management access properties in Oracle ILOM, see the following tables:

Table 4-5 Web Server Configuration Properties

User Interface Configurable Target and User Role:
  • CLI: /SP/services/web
  • Web: ILOM Administration > Management Access > Web Server
  • User Role: admin (a) (required for all property modifications)
Property Default Value Description

Service State

(servicestate=)

Enabled, HTTP Redirection Enabled

Enabled, HTTP Redirection Enabled (default) | Enabled, HTTP Redirection Disabled | Disabled

  • Enabled, HTTP Redirection Enabled (default) — Set this setting to: 1) enable HTTPS web server connections, and 2) automatically redirect HTTP requests to HTTPS.
  • Enabled, HTTP Redirection Disabled — Set this setting to: 1) enable HTTPS web server connections, and 2) disable HTTP redirection requests to HTTPS.
  • Disabled — Set this setting to disable the Service State for the Oracle ILOM web server. When disabled, all HTTPS web server connections are disabled, as well as all HTTP redirection requests to HTTPS.

Requirement: An SSL certificate is required for enabled HTTPS connections. You can choose to use the Oracle ILOM provided SSL certificate or upload a custom SSL certificate and a matching private key using the Management Access > SSL Certificate tab.

CLI Syntax for Secure Redirect and Service State:

set /SP/services/web secureredirect=disabled|enabled servicestate=disabled|enabled

HTTP Port

(http_port=)

80

80 | User_defined

When the Service State property is set to "Enabled, HTTP Redirection Enabled", Oracle ILOM communicates, by default, using HTTP over TCP port 80. If necessary, the default HTTP port number (80) can be modified.

CLI Syntax for HTTP Port:

set /SP/services/web http_port=<n>

HTTPS Port

(https_port=)

443

443 | User_defined

When the Service State property is set to either "Enabled, HTTP Redirection Enabled" or "Enabled, HTTP Redirection Disabled", Oracle ILOM communicates, by default, using HTTPS over TCP port 443. If necessary, the default HTTPS port number (443) can be modified.

Requirement: The Oracle ILOM web server HTTP and HTTPS ports must be different.

CLI Syntax for HTTPS Port:

set /SP/services/web https_port=<n>

TLS Minimum Version

(minimum_tls_version=)

min

1.2 | 1.3 | min (default)

Specifies the minimum protocol version for Transport Layer Security (TLS), which provides communication security over the Internet.

1.2 — TLSv1.2 is the minimum version.

1.3 — TLSv1.3 is the minimum version.

min — The lowest TLS version presently supported is the minimum version (default).

Guidelines:

  • If the minimum and maximum versions are set to the same value, other TLS versions are effectively disabled.

  • You cannot set a minimum value that is greater than the maximum value.

  • The min option provides flexibility for future upgrades.

Note. Unlike the deprecated TLS property, it is not possible to disable web server connections using this property.

CLI Syntax for TLS Minimum Version

set /SP/services/web minimum_tls_version=1.2|1.3|min

TLS Maximum Version

(maximum_tls_version=)

max

1.2 | 1.3 | max (default)

Specifies the maximum protocol version for TLS, which provides communication security over the Internet.

1.2 — TLSv1.2 is the maximum version.

1.3 — TLSv1.3 is the maximum version.

max — The highest TLS version presently supported is the maximum version (default).

Guidelines:

  • If the minimum and maximum versions are set to the same value, other TLS versions are effectively disabled.

  • You cannot set a maximum value that is less than the minimum value.

  • The max option provides flexibility for future upgrades.

Note. Unlike the deprecated TLS property, it is not possible to disable web server connections using this property.

CLI Syntax for TLS Maximum Version

set /SP/services/web maximum_tls_version=1.2|1.3|max

Session Timeout

(sessiontimeout=)

15 seconds

15 seconds | User_defined

The Session Timeout property controls the amount of time before Oracle ILOM terminates an inactive web client session. The default Session Timeout is 15 seconds. The maximum Session Timeout is 12 hours (720 minutes).

Note. The session timeout property in the Oracle ILOM web interface can be set in any combination of hours or minutes. The Oracle ILOM CLI session timeout property must be specified in minutes.

CLI Syntax for Session Timeout:

set /SP/services/web sessiontimeout=<n>

Session Duration

(sessionduration=)

24 Hours (14400 Minutes)

24 Hours (default) | User_defined

The Session Duration property controls the amount of time that the client browser is allowed to keep the session cookie. The default Session Duration is 24 hours. The maximum Session Duration is 240 hours (14400 minutes).

Note. The session duration property in the Oracle ILOM web interface can be set in any combination of hours or minutes. The Oracle ILOM CLI session timeout property must be specified in minutes.

CLI Syntax for Session Duration:

set /SP/services/web sessionduration=<n>

Note. Setting the Session Duration to zero (0) in the Oracle ILOM CLI disables the Session Duration feature.

Allowed Services

(allowedservices=)

N/A

Browser and REST (default) | Browser | REST

The Allowed Services property controls which web services are allowed to communicate with Oracle ILOM. The Browser and REST services are enabled by default.

CLI Syntax for Allowed Services:

set /SP/services/web allowedservices=<browser|rest|browser,rest|rest,browser>

Save

N/A

Web interface – To apply changes made to properties within the Web Server Settings page, you must click Save.
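The constraints in Table 4-5 (distinct HTTP and HTTPS ports, minimum TLS version not above the maximum, session limits in minutes, allowed services) can be checked before a change is typed into the CLI. The following Python is an added example, not Oracle code: `validate_web` and `render_set` are hypothetical helper names, and it assumes that `min` and `max` presently resolve to TLS 1.2 and 1.3, the only versions the table lists.

```python
# Added example (not Oracle code): pre-flight check for /SP/services/web changes.
# Assumption: "min"/"max" presently resolve to the lowest/highest versions the
# table lists (1.2 and 1.3); adjust TLS_ALIAS if your firmware differs.
TLS_RANK = {"1.2": 12, "1.3": 13}
TLS_ALIAS = {"min": "1.2", "max": "1.3"}
MAX_TIMEOUT_MIN = 720      # 12 hours, from the Session Timeout row
MAX_DURATION_MIN = 14400   # 240 hours, from the Session Duration row
KNOWN = {"servicestate", "secureredirect", "http_port", "https_port",
         "minimum_tls_version", "maximum_tls_version", "sessiontimeout",
         "sessionduration", "allowedservices"}


def _minutes(cfg, key, limit, errors):
    """Check an optional minutes property against the table's upper bound."""
    value = cfg.get(key)
    if value is None:
        return
    # The table states no lower bound; non-negative whole minutes are assumed.
    if not isinstance(value, int) or not 0 <= value <= limit:
        errors.append(f"{key} must be whole minutes in 0-{limit}, got {value!r}")


def validate_web(cfg):
    """Return (errors, notes) for a dict of proposed web server properties."""
    errors, notes = [], []
    for key in sorted(set(cfg) - KNOWN):
        errors.append(f"unknown property {key!r}")
    for key in ("servicestate", "secureredirect"):
        if cfg.get(key, "enabled") not in ("enabled", "disabled"):
            errors.append(f"{key} must be enabled or disabled")

    # Requirement: the HTTP and HTTPS ports must be different.
    http, https = cfg.get("http_port", 80), cfg.get("https_port", 443)
    for key, port in (("http_port", http), ("https_port", https)):
        if not isinstance(port, int) or not 1 <= port <= 65535:
            errors.append(f"{key} must be a TCP port number, got {port!r}")
    if http == https:
        errors.append("http_port and https_port must be different")

    # Guidelines: the minimum may not exceed the maximum; equal bounds leave
    # exactly one protocol version enabled.
    lo = cfg.get("minimum_tls_version", "min")
    hi = cfg.get("maximum_tls_version", "max")
    if lo not in ("1.2", "1.3", "min"):
        errors.append(f"minimum_tls_version must be 1.2, 1.3 or min, got {lo!r}")
    elif hi not in ("1.2", "1.3", "max"):
        errors.append(f"maximum_tls_version must be 1.2, 1.3 or max, got {hi!r}")
    else:
        lo_v, hi_v = TLS_ALIAS.get(lo, lo), TLS_ALIAS.get(hi, hi)
        if TLS_RANK[lo_v] > TLS_RANK[hi_v]:
            errors.append(f"minimum_tls_version {lo} exceeds maximum_tls_version {hi}")
        elif lo_v == hi_v:
            notes.append(f"only TLSv{lo_v} is presently enabled")

    _minutes(cfg, "sessiontimeout", MAX_TIMEOUT_MIN, errors)
    _minutes(cfg, "sessionduration", MAX_DURATION_MIN, errors)
    if cfg.get("sessionduration") == 0:
        notes.append("sessionduration=0 disables the Session Duration feature")

    services = str(cfg.get("allowedservices", "browser,rest")).split(",")
    if len(set(services)) != len(services) or not set(services) <= {"browser", "rest"}:
        errors.append("allowedservices must be browser, rest, or both")
    return errors, notes


def render_set(cfg):
    """Build the CLI `set` line, refusing any configuration that fails validation."""
    errors, _ = validate_web(cfg)
    if errors:
        raise ValueError("; ".join(errors))
    props = " ".join(f"{key}={value}" for key, value in cfg.items())
    return f"set /SP/services/web {props}"


if __name__ == "__main__":
    # Constructed sample: HTTPS only, TLS 1.3 or later, browser access only.
    proposed = {"secureredirect": "disabled", "servicestate": "enabled",
                "minimum_tls_version": "1.3", "maximum_tls_version": "max",
                "allowedservices": "browser"}
    print(validate_web(proposed)[1])
    print(render_set(proposed))
```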

Table 4-6 SSL Certificate and Private Key Configuration Properties for HTTPS Web Server

User Interface Configurable Target, User Role, SSL Certificate Requirement:
  • CLI: /SP/services/web/ssl
  • Web: ILOM Administration > Management Access > SSL Certificate > SSL Certificate Upload
  • User Role: admin(a) (required for all property modifications)
  • Requirement: A valid custom SSL configuration requires the uploading of both the custom certificate and a custom private key.
Property Default Value Description

Certificate File Status

(certstatus=)

Using Default (No custom certificate or private key loaded)

Default_Certificate | Custom_Certificate

The Certificate Status property is a read-only property. This property indicates which of the following types of SSL certificates is currently in use by the HTTPS web server:

  • Self-signed default SSL certificate and key provided with Oracle ILOM

    - or -

  • Custom trusted SSL certificate and private key provided by a trusted Certificate Authority

Note – When the default SSL certificate is in use, users connecting to the Oracle ILOM web interface for the first time are notified of the default self-signed certificate and are prompted to accept its use. Users should always verify that the certificate fingerprint appearing in the warning message matches the certificate fingerprint issued by Oracle. For more information about validating the self-signed Default SSL certificate, see Resolving Warning Messages for Self-Signed SSL Certificate.

The default self-signed SSL certificate ensures that all communication between a web browser client and the Oracle ILOM SP is fully encrypted.

CLI Syntax to Show Certificate Status:

show /SP/services/web/ssl

Default SSL Certificate Key Size

(/default_cert generate_new_cert_keysize=)

3072

2048 | 3072 (default) | 4096

Note. The Default SSL Certificate Key Size is available for configuration as of Oracle ILOM firmware version 3.2.8.

By default, the Oracle ILOM Default SSL Certificate is generated with a 3072-bit key size. Optionally, you can change the default key size (3072) to either 2048 or 4096.

Web interface – Click the Create Default Certificate Key Size list box and select the appropriate key size. Oracle ILOM will use the newly assigned key size the next time the Default SSL Certificate is generated.

Note. When the Oracle ILOM properties are reset to defaults, a new Oracle ILOM self-signed SSL Default Certificate is automatically generated.

CLI Syntax to Change Default SSL Certificate Key Size:

set /SP/services/web/ssl/default_cert generate_new_cert_keysize=[2048|3072|4096]

The newly assigned key size applies the next time the Default SSL Certificate is generated.

Create Default SSL Certificate

(/default_cert generate_new_cert_action=)

N/A

Each Oracle ILOM SP ships with a unique self-signed Default SSL Certificate. The Default SSL Certificate is used by Oracle ILOM whenever a custom SSL Certificate is not configured.

When necessary, system administrators can choose to regenerate a new self-signed Default SSL Certificate. Each generated self-signed Default SSL Certificate has a unique fingerprint value. To verify that the Default SSL Certificate is valid, ensure that the fingerprint value shown on the self-signed Default SSL Certificate warning message matches the certificate fingerprint value issued by Oracle ILOM. For more information about validating the self-signed Default SSL certificate, see Resolving Warning Messages for Self-Signed SSL Certificate.

Note. The SSL Certificate fingerprint value issued by Oracle ILOM appears on the Oracle ILOM SSL Certificate web page (ILOM Administration > Management Access > SSL Certificates) and the Oracle ILOM SSL Certificate CLI target (show /SP/services/web/ssl/default_cert fingerprint).

Note. Oracle ILOM automatically regenerates a self-signed Default SSL Certificate when the Oracle ILOM properties are reset to defaults.

Web interface – To regenerate a new self-signed Default SSL Certificate from the web interface, click the Create button in the Default Certificate section of the Management Access > SSL Certificate page.

CLI Syntax to Create Default SSL Certificate

set /SP/services/web/ssl/default_cert generate_new_cert_action=true

When a new self-signed Default Certificate is generated, the Oracle ILOM web and KVMS console user connections are lost. When this occurs, log in to Oracle ILOM to confirm that a new Default SSL Certificate and fingerprint were generated.

For detailed instructions for regenerating a Default SSL Certificate, see Regenerate Self-Signed Default SSL Certificate Issued By Oracle in Oracle ILOM Security Guide For Firmware Release 5.1.x.
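The fingerprint comparison described above can be done programmatically instead of by eye. The following Python is an added example, not Oracle code: it assumes the value read from `show /SP/services/web/ssl/default_cert fingerprint` over a trusted path (for example, the serial console) is a hex digest, optionally colon-separated, and it infers SHA-1 or SHA-256 from the length because the page does not name the digest. The function names are hypothetical.

```python
# Added example (not Oracle code): compare the certificate the SP presents with
# the fingerprint read out-of-band from the CLI.
import hashlib
import hmac
import ssl

# Assumption: the digest algorithm is inferred from the hex length, since the
# page does not state which one Oracle ILOM displays.
DIGEST_BY_HEX_LEN = {40: "sha1", 64: "sha256"}


def normalize_fingerprint(text):
    """Strip colons and whitespace, lowercase, and sanity-check a hex digest."""
    cleaned = "".join(ch for ch in text if ch not in ": \t\r\n").lower()
    if not cleaned or any(ch not in "0123456789abcdef" for ch in cleaned):
        raise ValueError("fingerprint is not hexadecimal")
    if len(cleaned) not in DIGEST_BY_HEX_LEN:
        raise ValueError(f"unexpected fingerprint length {len(cleaned)}")
    return cleaned


def fingerprint_matches(pem_cert, expected):
    """True if the digest of the DER-encoded certificate equals `expected`."""
    want = normalize_fingerprint(expected)
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    got = hashlib.new(DIGEST_BY_HEX_LEN[len(want)], der).hexdigest()
    return hmac.compare_digest(got, want)


def check_host(host, expected, port=443):
    """Fetch the presented certificate without trusting it, then compare."""
    pem = ssl.get_server_certificate((host, port))
    return fingerprint_matches(pem, expected)


if __name__ == "__main__":
    # Constructed stand-in bytes, not a real certificate: the digest is taken
    # over the raw DER bytes, so any byte string exercises the comparison.
    der = b"constructed stand-in for DER certificate bytes"
    pem = ssl.DER_cert_to_PEM_cert(der)
    digest = hashlib.sha256(der).hexdigest().upper()
    shown = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    print(fingerprint_matches(pem, shown))      # matching fingerprint
    print(fingerprint_matches(pem, "00" * 32))  # mismatch: do not accept
```

A mismatch after a regeneration or a reset to defaults is expected until the new fingerprint has been read from the CLI again; a mismatch at any other time should be treated as a possible interception.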

Custom Certificate Load

(/custom_certificate)

N/A

Web interface – Click the Load Certificate button to upload the Custom Certificate file that is designated in the File Transfer Method properties.

Note. A valid custom certificate configuration requires the uploading of a custom certificate and a custom private key. Only then will the custom SSL certificate configuration apply and be persistent across system reboots and Backup and Restore operations.

CLI Syntax to Load Custom Certificate:

load_uri=file_transfer_method://host_address/file_path/custom_certificate_filename

Where file_transfer_method can include: Browser|TFTP|FTP|SCP|HTTP|HTTPS|Paste

For a detailed description of each file transfer method (excluding Paste), see Supported File Transfer Methods.

For additional information about using a custom signed SSL Certificate in Oracle ILOM, see Improve Security by Using a Trusted SSL Certificate and Private Key in Oracle ILOM Security Guide For Firmware Release 5.1.x.

Note. Oracle ILOM generates a warning message when a custom certificate and private key are not properly configured. For further details, see Resolving Warning Messages for Custom Certification Authority (CA) SSL Certificate.

Note. When using a certificate chain, ensure that the certificates in the certificate chain file are in the correct order. For more details, see "Certificate Chain Order" under Upload a Custom SSL Certificate and Private Key to Oracle ILOM in Oracle ILOM Security Guide For Firmware Release 5.1.x.

Custom Certificate Remove

(/custom_certificate clear_action=true)

N/A

Web interface – Click the Remove Certificate button to remove the Custom SSL Certificate file presently stored in Oracle ILOM. When prompted, click Yes to delete or No to cancel the action.

CLI Syntax to Remove Certificate:

set /SP/services/web/ssl/custom_certificate clear_action=true

When prompted, type y to delete or n to cancel action.

Custom Private Key

(/custom_key)

N/A

Web interface – Click the Load Custom Private Key button to upload the Custom Private Key file that is designated in the File Transfer Method properties.

Note. A valid custom certificate configuration requires the uploading of a custom certificate and a custom private key. Only then will the custom SSL certificate configuration apply and be persistent across system reboots and Backup and Restore operations.

CLI Syntax to Load Custom Private Key:

load_uri=file_transfer_method://host_address/file_path/custom_key_filename

Where file_transfer_method can include: Browser|TFTP|FTP|SCP|HTTP|HTTPS|Paste

For a detailed description of each file transfer method (excluding Paste), see Supported File Transfer Methods.

For additional information about using a custom signed SSL Certificate in Oracle ILOM, see Improve Security by Using a Trusted SSL Certificate and Private Key in Oracle ILOM Security Guide For Firmware Release 5.1.x.

Custom Private Key Remove

(/custom_key clear_action=true)

N/A

Web interface – Click the Remove Custom Private Key button to remove the Custom Private Key file presently stored in Oracle ILOM. When prompted, click Yes to delete or No to cancel the action.

CLI Syntax to Remove Certificate Private Key:

set /SP/services/web/ssl/custom_key clear_action=true

When prompted, type y to delete or n to cancel the action.

Table 4-7 SSH Server Configuration Properties

User Interface Configurable Target and User Role:
  • CLI: /SP/services/ssh
  • Web: ILOM Administration > Management Access > SSH Server > SSH Server Settings
  • User Role: admin (a) (required for all property modifications)
Property Default Value Description

State

(state=)

Enabled

Enabled (default) | Disabled

The SSH Server State property is enabled by default.

When the SSH Server State property is enabled, the SSH server uses server-side keys to permit remote clients to securely connect to the Oracle ILOM SP using a command-line interface.

When the SSH Server State property is disabled or restarted, all CLI SP sessions running over SSH are automatically terminated.

Note. Oracle ILOM automatically generates the SSH server-side keys on the first boot of a factory default system.

Web interface: Changes to the SSH Server State in the web interface do not take effect in Oracle ILOM until you click Save.

Note. Changes to the SSH Server State property do not require you to restart the SSH server.

CLI Syntax for SSH Server State:

set /SP/services/ssh state=enabled|disabled

Restart Button

(restart_sshd_action=)

N/A

True | False

Restarting the SSH server will automatically: (1) terminate all connected SP CLI sessions, as well as (2) activate newly pending server-side key(s).

CLI Syntax for Restart:

set /SP/services/ssh restart_sshd_action=true

Generate RSA Key Button

(generate_new_key_type=rsa generate_new_key_action=true)

N/A

Provides the ability to generate a new RSA SSH key.

CLI Syntax for Generate RSA Key:

set /SP/services/ssh generate_new_key_type=rsa generate_new_key_action=true

Table 4-8 Server Certificate Configuration Properties for Outgoing HTTPS Connections

User Interface Configurable Target, User Role, Server Certificate Requirement:
  • CLI: /SP/preferences/servercerts
  • Web: ILOM Administration > Management Access > Server Certificate
  • User Role: admin(a) (required for all property modifications)
  • Requirement: The SSL server certificate files must be in PEM (Privacy Enhanced Mail) format, and they must not be encrypted with a passphrase. When uploading an SSL server certificate, the SSL certificate and key set must match.
Property Default Value Description

Strict Certificate Mode

(strictcertmode=)

Disabled

Enabled | Disabled (default)

The Strict Certificate Mode property controls whether Oracle ILOM checks the validity of the SSL server certificate when uploading the SSL server certificate to the server SP.

  • When disabled (default), Oracle ILOM is prevented from checking the validity of the SSL certificates.

  • When enabled, Oracle ILOM checks the validity of the SSL server certificate when operations such as the following are performed: 1) Backing up or restoring of BIOS configuration, 2) Downloading of the firmware image, 3) Updating the firmware image, 4) Downloading of SSL certificates (SSL certificates are only subject to certificate verification when Strict Certificate Mode is enabled), 5) Downloading of SSH keys and 6) Backing up or restoring Oracle ILOM configuration.

    Note. In cases where Oracle ILOM is not able to validate the authenticity of the SSL server certificate, an error message appears indicating the reason why the operation failed.

Web interface – Select the Strict Certificate Mode check box to enable this feature or clear the check box to disable this feature.

CLI Syntax for Strict Certificate Mode:

set /SP/preferences/servercerts strictcertmode=enabled|disabled

Add SSL Certificates

(/load_uri=)

- or -

Delete SSL Certificates

(/# clear_action=true)

N/A

System administrators can store up to five trusted SSL server certificates. Oracle ILOM uses these certificates to prevent man-in-the-middle attacks when uploading and downloading data to and from the Oracle ILOM SP using HTTPS.

Web interface – To add or remove a certificate, click the More Details ... link at the top of the Server Certificates page for instructions.

CLI Syntax to Load SSL Server Certificate

load_uri=file_transfer_method://host_address/file_path/PEM_filename

Where file_transfer_method can include: Browser|TFTP|FTP|SCP|HTTP|HTTPS|Paste

For a detailed description of each file transfer method (excluding Paste), see Supported File Transfer Methods.

CLI Syntax to Delete SSL Server Certificate

set /SP/preferences/servercerts/<1-5> clear_action=true

Are you sure you want to clear /SP/preferences/servercerts/# (y/n)?

Type: y

For additional information about using SSL Certificates in Oracle ILOM, see Improve Security by Using a Trusted SSL Certificate and Private Key in Oracle ILOM Security Guide For Firmware Release 5.1.x.

Save

N/A

Web interface – Click Save to save the changes made to the Server Certificate page.

Table 4-9 SNMP Configuration Properties

User Interface Configurable Target, User Role, and SNMP Requirement:
  • CLI: /SP/services/snmp
  • Web: ILOM Administration > Management Access > SNMP > SNMP Management
  • User Role: admin (a) (required for all property modifications)
  • Requirement: User accounts are required for SNMP v3 services.
  • Note. SNMP set operations and writeable SNMP MIBs are no longer supported in Oracle ILOM as of firmware version 4.0.x.
Property Default Value Description

State

(state=)

Enabled

Enabled (default) | Disabled

The SNMP State property is enabled by default. When this property is enabled, and the properties for one or more user accounts or communities for SNMP are configured, the SNMP management service in Oracle ILOM is available for use.

When the SNMP State property is disabled, the SNMP port is blocked, prohibiting all SNMP communication between Oracle ILOM and the network.

CLI Syntax for SNMP State:

set /SP/services/snmp state=enabled|disabled

Port

(port=)

161

161 | User_specified

Oracle ILOM, by default, uses UDP port 161 to transmit SNMP communication between an Oracle ILOM SP and the network. If necessary, the default port property number can be changed.

CLI Syntax for SNMP Port:

set /SP/services/snmp port=n

Engine ID (engineid=)

Auto-set by SNMP agent

The Engine ID property is automatically set by the Oracle ILOM SNMP agent.

This ID is unique to each Oracle ILOM SNMP-enabled system. Although the Engine ID is configurable, the ID should always remain unique across the data center for each Oracle ILOM system. Only experienced SNMP users who are familiar with SNMP v3 security should modify the SNMP Engine ID property.

Protocols

(v3)

v3 Enabled

Enabled (default) | Disabled

SNMP v3 is enabled by default, but requires creating one or more SNMP users prior to use. There are no preconfigured SNMPv3 users.

SNMPv3 uses encryption to provide a secure channel and the use of SNMP v3 user names and passwords that are stored securely on the SNMP management station.

SNMP v3 is a configurable property for monitoring the health of a system. SNMP v2c is a non-configurable property that is only supported for trap alert notifications.

CLI Syntax to Modify Default Protocol:

set /SP/services/snmp v3=enabled|disabled

Save

N/A

Web interface – To apply changes made to properties within the SNMP Management page, you must click Save.

SNMP Users

(/users)

N/A

Username | Authentication Password | Permission | Authentication Protocol | Privacy Protocol

SNMP Users apply only to SNMP v3 to control user access and authorization levels in Oracle ILOM. When the Protocol property for SNMP v3 is enabled, the properties for SNMP users are configurable in Oracle ILOM.

The following rules apply when configuring SNMP users:

  • User name – The SNMP user name can contain up to 32 characters in length and include any combination of alphanumeric characters (uppercase letters, lowercase letters, and numbers). The SNMP user name must not contain spaces.

  • Authentication or privacy password – The Authentication password can contain 8 to 12 characters in length and include any combination of alphanumeric characters (uppercase letters, lowercase letters, and numbers).

  • Privacy password – Enter the privacy password (required only if you selected DES or AES). The password is case-sensitive and must contain 8 characters in length with no colons or spaces.

  • Save (web interface only) – All changes made within the SNMP Add SNMP User dialog must be saved.

CLI Syntax to Create SNMP Users:

create /SP/services/snmp/users/[new_username] authenticationprotocol=[MD5|SHA] authenticationpassword=[changeme] permission=[ro|rw] privacyprotocol=[AES|DES|none] privacypassword=[user_password]

show /SP/services/snmp/users

delete /SP/services/snmp/users/[username]

Note. Authentication Protocol MD5 and DES Privacy Protocol are not supported when FIPS compliance mode is enabled in Oracle ILOM.

MIBs Download

(/mibs dump_uri=)

N/A

Oracle ILOM provides the ability to download SUN SNMP MIBs directly from the server SP.

Table 4-10 IPMI Service Configuration Properties

User Interface Configurable Target:
  • CLI: /SP/services/ipmi
  • Web: ILOM Administration > Management Access > IPMI > IPMI Settings
User Roles:
  • admin (a) – Required for IPMI specification configuration property modifications
  • Administrator or Operator – Required when using IPMI service (IPMItool) from the Oracle ILOM CLI.
Property Default Value Description

State

(state=)

Enabled

Enabled (default) | Disabled

As of Oracle ILOM firmware version 3.2.8, the State property for IPMI TLS service is enabled by default.

When the IPMI State property is enabled, Oracle ILOM permits remote IPMItool clients to securely connect to the Oracle ILOM SP using a command-line interface.

When the IPMI State property is disabled, all IPMItool clients connected to the SP through the Oracle ILOM CLI are automatically terminated.

Web interface: Changes to the IPMI State in the web interface do not take effect in Oracle ILOM until you click Save.

CLI Syntax for IPMI State:

set /SP/services/ipmi state=enabled|disabled

v2.0 Sessions

(v2_0_sessions=)

Disabled

Disabled (default) | Enabled

The v2.0 Sessions check box controls whether Oracle ILOM permits IPMI v2.0 connections.

Web interface: Select the v2.0 Sessions check box to permit IPMI v2.0 connections with Oracle ILOM. When IPMI 2.0 sessions are enabled, users of IPMItool specify the -I lanplus option.

Note. IPMI v2.0 Sessions use standard IPMI protocol and work with any IPMI client.

- or -

Clear the v2.0 Sessions check box to prevent (block) IPMI v2.0 sessions with Oracle ILOM.

Note. Changes to the IPMI State in the web interface do not take effect in Oracle ILOM until you click Save.

CLI Syntax for v2.0 Sessions:

set /SP/services/ipmi v2_0_sessions=enabled|disabled

TLS Sessions

(tls_sessions=)

Enabled

Enabled (default) | Disabled

As of Oracle ILOM firmware version 3.2.8, the TLS sessions (tls_sessions) property is enabled by default. To disable TLS sessions, you must disable the IPMI State property.

For increased security, always use the TLS service and interface.

Note. IPMI TLS is an Oracle improvement to IPMI security which requires a special version of the ipmitool client that supports TLS sessions.

To access the IPMI TLS interface, IPMItool users can either specify the -I orcltls option or not specify an option and IPMItool will automatically detect the most secure interface available.

restricted_host_mode=

(CLI only)

Disabled

Enabled | Disabled (default)

As of Oracle ILOM firmware version 5.1.3, the property restricted_host_mode is disabled by default. When enabled, it allows a limited set of IPMI commands from the host server over the Keyboard Controller Style (KCS) interface, which is especially beneficial to the Oracle Exadata Cloud Service platform. For a list of the IPMI commands allowed in restricted mode, contact your Oracle service representative.

Table 4-11 CLI Session Timeout and Custom Prompt Configuration Properties

User Interface Configurable Target:
  • CLI: /SP/cli
  • Web: ILOM Administration > Management Access > CLI
User Roles:
  • admin (a) – Required for IPMI specification configuration property modifications
  • Administrator or Operator – Required when using IPMI service (IPMItool) from the Oracle ILOM CLI.
Property Default Value Description

Session Timeout

(timeout=)

Enabled (12 hours)

Enabled, minutes=n | Disabled

The CLI Session Timeout property determines how many minutes until an inactive CLI session is automatically logged out.

As of Oracle ILOM firmware version 5.0.1, the CLI session timeout property is set by default to 12 hours (720 minutes). When necessary, you can modify the default CLI session timeout value by entering a value (in minutes) from 1 to 1440.

Web interface: Changes to the CLI session timeout properties in the web interface do not take effect in Oracle ILOM until you click Save.

CLI Syntax for CLI Session Timeout:

set /SP/cli timeout=enabled|disabled minutes=value

Custom Prompt

(prompt=)

None (disabled)

None (default) | ["Literal Text"] | "<HOSTNAME>" | "<IPADDRESS>"

To help identify a standalone system or a system within a rack or chassis, Administrators can customize the standard CLI prompt (->) by prepending either literal text, replacement tokens ("<HOSTNAME>" "<IPADDRESS>"), or a combination of literal text and replacement tokens. The Custom Prompt maximum length is 252 characters.

Web interface: Changes to the CLI Custom Prompt property in the web interface do not take effect in Oracle ILOM until you click Save. For further information, click the More details... link on the Management Access > CLI page.

CLI Syntax for Custom CLI Prompt:

Examples:

  • set /SP/cli prompt="Literal_Text"

  • set /SP/cli prompt="<HOSTNAME>"

  • set /SP/cli prompt="<IPADDRESS>"

  • set /SP/cli prompt=["Literal_Text"] "<HOSTNAME>"

  • set /SP/cli prompt=["Literal_Text"] "<HOSTNAME>" "<IPADDRESS>"

Table 4-12 Federal Information Processing Standards (FIPS 140-2) Configuration Properties

User Interface Configurable Target and User Role:
  • CLI: /SP/services/fips
  • Web: ILOM Administration > Management Access > FIPS
  • User Role: admin (a) (required for property modification)
Property Default Value Description

Status

(status=)

Disabled

The Status is a read-only property that indicates the current status for the FIPS service in Oracle ILOM. Possible status values are:

  • Disabled — The Status for Disabled appears on the Management Access > FIPS page when the following conditions are true:

    1. The FIPS operational mode on the system is disabled.
    2. The State property is set to disabled.
    3. The FIPS shield icon does not appear in the masthead area of the Oracle ILOM window.
  • Enabled — The Status for Enabled appears on the Management Access > FIPS page when the following conditions are true:

    1. The FIPS operational mode on the system is enabled.
    2. The State property is set to enabled.
    3. The FIPS shield icon appears in the masthead area of the Oracle ILOM window.
  • Disabled; enabled at next boot — The Status for Disabled; enabled at next boot appears on the Management Access > FIPS page when the following conditions are true:

    1. The FIPS operational mode on the system is disabled.
    2. The State property is set to enabled.
    3. The FIPS shield icon does not appear in the masthead area of the Oracle ILOM window.
  • Enabled; disabled at next boot — The Status for Enabled; disabled at next boot appears on the Management Access > FIPS page when the following conditions are true:
    1. The FIPS operational mode on the system is enabled.
    2. The State property is set to disabled.
    3. The FIPS shield icon appears in the masthead area of the Oracle ILOM window.

State

(state=disabled|enabled)

Disabled

Modify the FIPS State property, per the following instructions:

  • To disable FIPS mode (default) — Select the State check box to disable FIPS compliant mode.

  • To enable FIPS mode — Clear the State check box to enable FIPS compliant mode.

Changes to the FIPS operational mode on the server will not take effect until the next Oracle ILOM reboot. At that time, the Oracle ILOM user-defined configuration settings are automatically reset to their factory default settings.

CLI Syntax for FIPS Mode:

set /SP/services/fips state=enabled|disabled

Table 4-13 Servicetag Service Configuration Properties

User Interface Configurable Target and User Role:
  • CLI: /SP/services
  • User Role: admin (a) (required for all property modifications)
Property Default Value Description

servicetag=

Enabled

Enabled (default) | Disabled

The servicetag service is enabled by default. When enabled, the Oracle discovery protocol is used to identify servers and facilitate service requests. Disabling this service makes it impossible for Oracle Enterprise Manager Ops Center to discover Oracle ILOM, and prevents integration into other Oracle automatic service solutions.

Caution. The servicetag service uses HTTP by default as a communication method. To protect sensitive data, configure the servicetag property with a passphrase and use HTTPS as a communication method.

Note. The servicetag property is only configurable from the Oracle ILOM CLI.

CLI Syntax for Servicetag:

set /SP/services/servicetag=disabled|enabled

passphrase=

user-defined

To encrypt servicetag data, set a value for the servicetag passphrase property.

Note. The matching service tag value should be entered in the Oracle Service Solution program such as ASR or the original Java Service Tag program.

CLI Syntax for Passphrase:

set /SP/services/passphrase=<value>

The passphrase length must be between 5 and 16 characters.