1. Oracle ILOM Security Guide For Firmware Release 5.1.x
  2. Oracle ILOM Deployment Practices for Increasing Security
  3. Securing Oracle ILOM User Access
  4. Security Guidelines for Managing User Accounts and Passwords
  5. Guidelines for Password Management

Guidelines for Password Management

Password Management Guideline Description

Change the Default root Password ( changeme) Immediately After Initial Login

To enable first-time login and access to Oracle ILOM, a local Administrator root account is provided with the system. To build a secure environment, you must change the provided Administrator password (changeme) after your initial login to Oracle ILOM.

Gaining unauthorized access to the Administrator root account gives a user unrestricted access to all features of Oracle ILOM. Therefore, it is essential to specify a strong, secure password.

Change All Oracle ILOM Account Passwords on a Regular Basis

To prevent malicious activity and ensure that passwords remain in accordance with current password policies, you should change all Oracle ILOM passwords on a regular basis.

Enforce Common Practices for Creating Strong Complex Passwords

Enforce the following common practices for creating strong complex passwords:

  • Do not create a password that is shorter than 16 characters in length.

  • Do not create a password that contains the user name, employee name, or family member names.

  • Do not select passwords that are easy to guess.

  • Do not create passwords that contain a consecutive string of numbers, such as 12345.

  • Do not create passwords that contain a word or string that is easily discoverable by a simple Internet search.

  • Do not allow users to reuse the same password across multiple systems.

  • Do not allow users to reuse older passwords.

  • For Increased security, you should always mask new password entries in the CLI by using the following syntax:

    set SP/users/root password=[do not type password, press Enter]

    - or-

    set SP/users/newuser password=[do not type password, press Enter]

    The CLI will prompt for the new password value, masking the password from view.

Set Password Policy Restrictions for Local Users

(Available as of firmware 3.2.5 and later)

Enforce a password policy for all local user accounts. For more details, see Set Password Policy Restrictions and Account Locking Properties for All Local Users

Consult Your IT Security Officer for Password Management Policies

Consult your IT Security Officer to ensure that your company's password management requirements and policies are being met.