Regenerate Self-Signed Default SSL Certificate Issued By Oracle

As of firmware version 3.2.8, each Oracle ILOM ships with a unique self-signed Default SSL Certificate. The Default SSL Certificate is used by Oracle ILOM whenever a Custom SSL Certificate is not configured.

The unique Default SSL Certificate is initially generated at the factory with a unique host certificate fingerprint value. Oracle ILOM automatically regenerates a new version of the Default SSL Certificate and fingerprint whenever its configuration properties are reset to defaults. System administrators can, at any time, choose to replace the existing Default SSL Certificate and fingerprint with a newer version. For instructions on regenerating the Default SSL Certificate and fingerprint in Oracle ILOM, see the following information.

Before You Begin

  • Admin (a) role is required to regenerate the Default SSL Certificate.
  • By default, the Oracle ILOM Default SSL Certificate is generated with a 3072-bit key size. Optionally, you can change the default key size (3072) to either 2048 or 4096.
  • All Oracle ILOM web interface and KVMS console user connections are immediately disconnected upon regenerating a new Default SSL Certificate.
  • When the Default (self-signed) SSL Certificate is used in Oracle ILOM, additional certificate checks will take place to protect Oracle ILOM from man-in-the-middle attacks. For instance:
    • Oracle ILOM remote KVMS console users will be prompted to manually validate the self-signed SSL certificate prior to gaining access to the Oracle ILOM Remote System Console / Remote System Console Plus. To manually validate the self-signed SSL certificate, the user must ensure that the host fingerprint value on the Check Certificate Warning dialog box matches the host fingerprint value issued by Oracle. For additional information about validating the host fingerprint value assigned to the self-signed Default SSL Certificate, see Resolving Warning Messages for Self-Signed SSL Certificate.

      Note:

      The host fingerprint value issued by Oracle appears on the Management Access > SSL Certificate web page and the Default Certificate CLI target (SP/services/https/ssl/default_cert).
    • A Video Redirection Error dialog box appears when a change to the original Default SSL Certificate and fingerprint is detected. In this case, the user can either edit the local host fingerprint file with the last fingerprint value issued by Oracle or remove the host fingerprint file from the local user directory. Otherwise, the user will be prevented from gaining access to the Oracle ILOM Remote System Console / Remote System Console Plus. For additional information about resolving the Video Redirection Error, see Resolving Warning Messages for Self-Signed SSL Certificate.

      Note:

      The Certificate Checks described above will not occur when a custom signed SSL Certificate is configured in Oracle ILOM. For instructions on how to obtain and upload a custom signed SSL Certificate, see these topics: Obtain a Custom SSL Certificate and Private Key Using OpenSSL Toolkit and Upload a Custom SSL Certificate and Private Key to Oracle ILOM.
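
The fingerprint comparison described above can also be scripted from an administrator workstation, for example after regenerating the certificate. The following is an added example, not Oracle code: it assumes the published fingerprint is a SHA-1 or SHA-256 digest of the DER-encoded certificate (this page does not state the digest), and all function names are illustrative.

```python
import hashlib
import hmac
import socket
import ssl
import sys

# Assumption: the digest is inferred from the length of the published value.
DIGEST_BY_HEX_LEN = {40: "sha1", 64: "sha256"}


def normalize(fp: str) -> str:
    """Strip separators and whitespace, lowercase: 'AB:CD' -> 'abcd'."""
    hexchars = "".join(c for c in fp if c not in ": -\t\r\n").lower()
    if not hexchars or any(c not in "0123456789abcdef" for c in hexchars):
        raise ValueError("fingerprint is not hexadecimal")
    return hexchars


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated, upper-case digest of the DER-encoded certificate."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches(der: bytes, published: str) -> bool:
    """True if the certificate hashes to the fingerprint copied from ILOM."""
    want = normalize(published)
    algo = DIGEST_BY_HEX_LEN.get(len(want))
    if algo is None:
        raise ValueError("unexpected fingerprint length")
    return hmac.compare_digest(normalize(fingerprint(der, algo)), want)


def fetch_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the certificate the host presents, without trusting it yet."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # self-signed: trust rests on the fingerprint
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # Usage: script.py <ilom-host> <fingerprint copied from the SSL Certificate page>
    der = fetch_der(sys.argv[1])
    print(fingerprint(der))
    sys.exit(0 if matches(der, sys.argv[2]) else 1)
```

A non-zero exit status means the certificate presented on the network does not hash to the value shown on the SSL Certificate page or under the default_cert CLI target.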

To regenerate the Default (self-signed) SSL Certificate in Oracle ILOM, follow these steps:

  1. In the Oracle ILOM web interface, click ILOM Administration > Management Access > SSL Certificate.

    The SSL Certificate page appears.

  2. In the Default Certificate section of the SSL Certificate page, perform the following steps:
    1. (Optional) To modify the Default SSL Certificate Key Size (3072), click the Key Size list box and select the appropriate key size.
    2. To regenerate the Default SSL Certificate and the host fingerprint value, click Create.

      A message appears confirming that you want to regenerate a new Default SSL Certificate and fingerprint.

  3. In the Confirmation Message dialog box, click OK to proceed.
  4. View the Create SSL Certificate Results field to track the creation status.

    For instance, one or more of the following status messages might appear:

    • Running — This status message appears when Oracle ILOM is in the process of creating a new Default SSL Certificate and fingerprint.

      Upon creating the new Default SSL Certificate and fingerprint, all Oracle ILOM web interface and KVMS console user connections will be disconnected. KVMS and web interface users can immediately log in to Oracle ILOM after being disconnected.

    • New Cert Has Been Created — This status message appears after a new Default SSL Certificate was generated by a user.

    • Certificate Creation Failed — This status message appears when Oracle ILOM was unable to process the request to create a new Default SSL Certificate and fingerprint.

    • (None) — This status message appears when the last Default SSL Certificate was generated by Oracle ILOM, or when a user changed the Default SSL Certificate key size in the ILOM CLI but did not regenerate the Default SSL Certificate.

Related Information