Modifying Default Management Access Configuration Properties
Network administrators can optionally accept or modify the default management access properties shipped with Oracle ILOM. To modify the default management access properties in Oracle ILOM, see the following tables:
Table 4-5 Web Server Configuration Properties

User Interface Configurable Target and User Role:

Property: Service State
Default Value: Enabled, HTTP Redirection Enabled
Values: Enabled, HTTP Redirection Enabled (default) | Enabled, HTTP Redirection Disabled | Disabled
Requirement: An SSL certificate is required for enabled HTTPS connections. You can choose to use the Oracle ILOM provided SSL certificate or upload a custom SSL certificate and a matching private key using the Management Access > SSL Certificate tab.
CLI Syntax for Secure Redirect and Service State: set /SP/services/web secureredirect=disabled|enabled servicestate=disabled|enabled

Property: HTTP Port
Default Value: 80
Values: 80 (default) | User_defined
When the Service State property is set to "Enabled, HTTP Redirection Enabled", Oracle ILOM communicates, by default, using HTTP over TCP port 80. If necessary, the default HTTP port number (80) can be modified.
CLI Syntax for HTTP Port: set /SP/services/web http_port=<n>

Property: HTTPS Port
Default Value: 443
Values: 443 (default) | User_defined
When the Service State property is set to either "Enabled, HTTP Redirection Enabled" or "Enabled, HTTP Redirection Disabled", Oracle ILOM communicates, by default, using HTTPS over TCP port 443. If necessary, the default HTTPS port number (443) can be modified.
Requirement: The Oracle ILOM web server HTTP and HTTPS ports must be different.
CLI Syntax for HTTPS Port: set /SP/services/web https_port=<n>

Property: TLS Minimum Version
Default Value: min
Values: 1.2 | 1.3 | min (default)
Specifies the minimum protocol version for Transport Layer Security (TLS), which provides communication security over the Internet. 1.2: TLSv1.2 is the minimum version. 1.3: TLSv1.3 is the minimum version. min: the lowest TLS version presently supported by the firmware is the minimum version (default). Because "min" follows whatever the installed firmware supports, set 1.2 (or 1.3, if every client supports it) explicitly when policy requires a fixed floor.
Note: Unlike the deprecated TLS property, it is not possible to disable web server connections using this property.
CLI Syntax for TLS Minimum Version: set /SP/services/web minimum_tls_version=1.2|1.3|min

Property: TLS Maximum Version
Default Value: max
Values: 1.2 | 1.3 | max (default)
Specifies the maximum protocol version for TLS, which provides communication security over the Internet. 1.2: TLSv1.2 is the maximum version. 1.3: TLSv1.3 is the maximum version. max: the highest TLS version presently supported by the firmware is the maximum version (default). The maximum version must not be lower than the minimum version.
Note: Unlike the deprecated TLS property, it is not possible to disable web server connections using this property.
CLI Syntax for TLS Maximum Version: set /SP/services/web maximum_tls_version=1.2|1.3|max

Property: Session Timeout
Default Value: 15 minutes
Values: 15 minutes (default) | User_defined
The Session Timeout property controls the amount of time before Oracle ILOM terminates an inactive web client session. The default Session Timeout is 15 minutes. The maximum Session Timeout is 12 hours (720 minutes).
Note: The session timeout property in the Oracle ILOM web interface can be set in any combination of hours or minutes. The Oracle ILOM CLI session timeout property must be specified in minutes.
CLI Syntax for Session Timeout: set /SP/services/web sessiontimeout=<n>

Property: Session Duration
Default Value: 24 hours (1440 minutes)
Values: 24 hours (default) | User_defined
The Session Duration property controls the amount of time that the client browser is allowed to keep the session cookie. The default Session Duration is 24 hours. The maximum Session Duration is 240 hours (14400 minutes).
Note: The session duration property in the Oracle ILOM web interface can be set in any combination of hours or minutes. The Oracle ILOM CLI session duration property must be specified in minutes.
CLI Syntax for Session Duration: set /SP/services/web sessionduration=<n>
Note: Setting the Session Duration to zero (0) in the Oracle ILOM CLI disables the Session Duration feature, so the session cookie lifetime is no longer bounded by this property.

Property: Allowed Services
Default Value: N/A
Values: Browser and REST (default) | Browser | REST
The Allowed Services property controls which web services are allowed to communicate with Oracle ILOM. The Browser and REST services are enabled by default. Disable whichever of the two your operations do not use.
CLI Syntax for Allowed Services: set /SP/services/web allowedservices=<browser|rest|browser,rest|rest,browser>

Property: Save
Default Value: N/A
Web interface: To apply changes made to properties within the Web Server Settings page, you must click Save.
Table 4-6 SSL Certificate and Private Key Configuration Properties for HTTPS Web Server

User Interface Configurable Target, User Role, SSL Certificate Requirement:

Property: Certificate File Status
Default Value: Using Default (no custom certificate or private key loaded)
Values: Default_Certificate | Custom_Certificate
The Certificate Status property is a read-only property. This property indicates which of the two types of SSL certificate is currently in use by the HTTPS web server.
Note: When the default SSL certificate is in use, users connecting to the Oracle ILOM web interface for the first time are notified of the default self-signed certificate and are prompted to accept its use. Users should always verify that the certificate fingerprint appearing in the warning message matches the certificate fingerprint issued by Oracle ILOM. For more information about validating the self-signed Default SSL certificate, see Resolving Warning Messages for Self-Signed SSL Certificate. The default self-signed SSL certificate ensures that all communication between a web browser client and the Oracle ILOM SP is encrypted; it cannot by itself prove to the browser that it is talking to the right SP, which is why the fingerprint check matters.
CLI Syntax to Show Certificate Status: show /SP/services/web/ssl

Property: Default SSL Certificate Key Size (/default_cert)
Default Value: 3072
Values: 2048 | 3072 (default) | 4096
Note: The Default SSL Certificate Key Size is available for configuration as of Oracle ILOM firmware version 3.2.8.
By default, the Oracle ILOM Default SSL Certificate is generated with a 3072-bit key size. Optionally, you can change the default key size (3072) to either 2048 or 4096.
Web interface: Click the Create Default Certificate Key Size list box and select the appropriate key size. Oracle ILOM will use the newly assigned key size the next time the Default SSL Certificate is generated.
Note: When the Oracle ILOM properties are reset to defaults, a new Oracle ILOM self-signed SSL Default Certificate is automatically generated.
CLI Syntax to Change Default SSL Certificate Key Size: set /SP/services/web/ssl/default_cert generate_new_cert_keysize=[2048|3072|4096]
The newly assigned key size applies the next time the Default SSL Certificate is generated.

Property: Create Default SSL Certificate (default_cert)
Default Value: N/A
Each Oracle ILOM SP ships with a unique self-signed Default SSL Certificate. The Default SSL Certificate is used by Oracle ILOM whenever a custom SSL Certificate is not configured. When necessary, system administrators can regenerate a new self-signed Default SSL Certificate. Each generated self-signed Default SSL Certificate has a unique fingerprint value. To verify that the Default SSL Certificate is valid, ensure that the fingerprint value shown on the self-signed Default SSL Certificate warning message matches the certificate fingerprint value issued by Oracle ILOM. For more information about validating the self-signed Default SSL certificate, see Resolving Warning Messages for Self-Signed SSL Certificate.
Note: The SSL Certificate fingerprint value issued by Oracle ILOM appears on the Oracle ILOM SSL Certificate web page (ILOM Administration > Management Access > SSL Certificates) and on the Oracle ILOM SSL Certificate CLI target.
Note: Oracle ILOM automatically regenerates a self-signed Default SSL Certificate when the Oracle ILOM properties are reset to defaults.
Web interface: To regenerate a new self-signed Default SSL Certificate from the web interface, click the Create button in the Default Certificate section of the Management Access > SSL Certificate page.
CLI Syntax to Create Default SSL Certificate: set /SP/services/web/ssl/default_cert generate_new_cert_action=true
When a new self-signed Default Certificate is generated, the Oracle ILOM web and KVMS console user connections are lost. When this occurs, log in to Oracle ILOM to confirm that a new Default SSL Certificate and fingerprint were generated, and record the new fingerprint so that users can verify it on their next connection. For detailed instructions for regenerating a Default SSL Certificate, see Regenerate Self-Signed Default SSL Certificate Issued By Oracle in Oracle ILOM Security Guide For Firmware Release 5.1.x.

Property: Custom Certificate Load
Default Value: N/A
Web interface: Click the Load Certificate button to upload the Custom Certificate file that is designated in the File Transfer Method properties.
Note: A valid custom certificate configuration requires the uploading of a custom certificate and a custom private key. Only then will the custom SSL certificate configuration apply and be persistent across system reboots and Backup and Restore operations.
CLI Syntax to Load Custom Certificate: set /SP/services/web/ssl/custom_certificate load_uri=file_transfer_method://host_address/file_path/custom_certificate_file_name
Where file_transfer_method can be: Browser | TFTP | FTP | SCP | HTTP | HTTPS | Paste
For a detailed description of each file transfer method (excluding Paste), see Supported File Transfer Methods. For additional information about using a custom signed SSL Certificate in Oracle ILOM, see Improve Security by Using a Trusted SSL Certificate and Private Key in Oracle ILOM Security Guide For Firmware Release 5.1.x.
Note: Oracle ILOM generates a warning message when a custom certificate and private key are not properly configured. For further details, see Resolving Warning Messages for Custom Certification Authority (CA) SSL Certificate.
Note: When using a certificate chain, ensure that the certificates in the certificate chain file are in the correct order. For more details, see "Certificate Chain Order" under Upload a Custom SSL Certificate and Private Key to Oracle ILOM in Oracle ILOM Security Guide For Firmware Release 5.1.x.

Property: Custom Certificate Remove
Default Value: N/A
Web interface: Click the Remove Certificate button to remove the Custom SSL Certificate file presently stored in Oracle ILOM. When prompted, click Yes to delete or No to cancel the action.
CLI Syntax to Remove Certificate: set /SP/services/web/ssl/custom_certificate clear_action=true
When prompted, type y.

Property: Custom Private Key
Default Value: N/A
Web interface: Click the Load Custom Private Key button to upload the Custom Private Key file that is designated in the File Transfer Method properties.
Note: A valid custom certificate configuration requires the uploading of a custom certificate and a custom private key. Only then will the custom SSL certificate configuration apply and be persistent across system reboots and Backup and Restore operations.
CLI Syntax to Load Custom Private Key: set /SP/services/web/ssl/custom_key load_uri=file_transfer_method://host_address/file_path/custom_key_file_name
Where file_transfer_method can be: Browser | TFTP | FTP | SCP | HTTP | HTTPS | Paste
The private key is a secret: transfer it with SCP or HTTPS, or paste it over the already-encrypted browser or SSH session, rather than with TFTP, FTP or HTTP, which carry the key across the network in cleartext.
For a detailed description of each file transfer method (excluding Paste), see Supported File Transfer Methods. For additional information about using a custom signed SSL Certificate in Oracle ILOM, see Improve Security by Using a Trusted SSL Certificate and Private Key in Oracle ILOM Security Guide For Firmware Release 5.1.x.

Property: Custom Private Key Remove
Default Value: N/A
Web interface: Click the Remove Custom Private Key button to remove the Custom Private Key file presently stored in Oracle ILOM. When prompted, click Yes to delete or No to cancel the action.
CLI Syntax to Remove Certificate Private Key: set /SP/services/web/ssl/custom_key clear_action=true
When prompted, type y.
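The fingerprint check that Table 4-6 asks users to perform by eye can be done from a workstation instead: fetch the certificate the SP presents on its HTTPS port, hash its DER encoding, and compare the result with the fingerprint copied from the Management Access > SSL Certificate page. The script below is an added example, not Oracle code or part of the ILOM documentation; it uses only the Python standard library. The embedded SAMPLE_PEM is a constructed stand-in (the fingerprint logic hashes the raw DER bytes, so it does not need a real certificate), and the host name in the usage line is hypothetical.

```python
"""Verify an Oracle ILOM web server certificate fingerprint out of band.

Added example, not Oracle code. Compares the SHA-256 (or SHA-1/MD5) digest
of the certificate the SP presents with the fingerprint ILOM reports.
"""
import base64
import hashlib
import hmac
import re
import ssl

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in: NOT a real certificate. Any base64 payload exercises
# the fingerprint logic because only the decoded bytes are hashed.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"constructed ILOM certificate stand-in").decode()
    + "-----END CERTIFICATE-----\n"
)


def pem_to_der(pem):
    """Return the DER bytes of the first certificate in a PEM string."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no certificate found in PEM input")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(pem, algorithm="sha256"):
    """Colon-separated upper-case hex digest, the form browsers and ILOM show."""
    digest = hashlib.new(algorithm, pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp):
    """Drop separators and case so 'ab:cd', 'AB CD' and 'abcd' compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def fingerprints_match(pem, expected):
    """True when the certificate's digest equals the fingerprint copied from ILOM.

    The digest algorithm is inferred from the fingerprint length so that a
    SHA-1 fingerprint from an older ILOM page still compares correctly.
    """
    expected = normalize(expected)
    algorithm = {64: "sha256", 40: "sha1", 32: "md5"}.get(len(expected))
    if algorithm is None:
        raise ValueError("expected fingerprint has an unrecognised length")
    return hmac.compare_digest(normalize(fingerprint(pem, algorithm)), expected)


def fetch_certificate(host, port=443):
    """Fetch the PEM certificate an ILOM SP presents on its HTTPS port.

    Deliberately performs no chain validation: until a custom certificate is
    loaded the SP's certificate is self-signed, and checking its fingerprint
    against the value ILOM displays is the validation step.
    """
    return ssl.get_server_certificate((host, port))


if __name__ == "__main__":
    import sys
    # Usage: python ilom_fp.py <sp-host> <fingerprint-from-ILOM-page>
    # (host name and file name are hypothetical)
    sp_host, expected_fp = sys.argv[1], sys.argv[2]
    print("MATCH" if fingerprints_match(fetch_certificate(sp_host), expected_fp)
          else "MISMATCH: do not accept this certificate")
```

Run it from a machine on the management network before clicking through the browser warning; a MISMATCH means either the SP regenerated its Default SSL Certificate (the fingerprint on the SSL Certificate page will have changed) or something between you and the SP is presenting a different certificate.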
Table 4-7 SSH Server Configuration Properties

User Interface Configurable Target and User Role:

Property: State
Default Value: Enabled
Values: Enabled (default) | Disabled
The SSH Server State property is enabled by default. When the SSH Server State property is enabled, the SSH server uses server-side keys to permit remote clients to securely connect to the Oracle ILOM SP using a command-line interface. When the SSH Server State property is disabled or the server is restarted, all CLI SP sessions running over SSH are automatically terminated.
Note: Oracle ILOM automatically generates the SSH server-side keys on the first boot of a factory default system.
Web interface: Changes to the SSH Server State in the web interface do not take effect in Oracle ILOM until you click Save.
Note: Changes to the SSH Server State property do not require you to restart the SSH server.
CLI Syntax for SSH Server State: set /SP/services/ssh state=enabled|disabled

Property: Restart Button
Default Value: N/A
Values: True | False
Restarting the SSH server will automatically (1) terminate all connected SP CLI sessions and (2) activate newly pending server-side key(s).
CLI Syntax for Restart: set /SP/services/ssh restart_sshd_action=true

Property: Generate RSA Key Button
Default Value: N/A
Provides the ability to generate a new RSA SSH key. The new key is pending until the SSH server is restarted. After that restart, every SSH client that cached the old host key will report a changed host key; publish the new key's fingerprint to operators so they can verify it rather than accept the change blindly.
CLI Syntax for Generate RSA Key: set /SP/services/ssh generate_new_key_type=rsa generate_new_key_action=true
Table 4-8 Server Certificate Configuration Properties for Outgoing HTTPS Connections

User Interface Configurable Target, User Role, Server Certificate Requirement:

Property: Strict Certificate Mode
Default Value: Disabled
Values: Enabled | Disabled (default)
The Strict Certificate Mode property controls whether Oracle ILOM validates the SSL server certificate presented by the remote host on outgoing HTTPS connections (for example, HTTPS file transfers to and from the SP) against the trusted server certificates stored in Oracle ILOM. Leave it disabled only while you load the trusted certificates; once they are in place, enable it so that an untrusted remote certificate fails the connection instead of being accepted silently.
Web interface: Select the Strict Certificate Mode check box to enable this feature or clear the check box to disable this feature.
CLI Syntax for Strict Certificate Mode: set /SP/preferences/servercerts strictcertmode=enabled|disabled

Property: Add SSL Certificates or Delete SSL Certificates
Default Value: N/A
System administrators can store up to five trusted SSL server certificates. Oracle ILOM uses these certificates to prevent man-in-the-middle attacks when uploading and downloading data to and from the Oracle ILOM SP using HTTPS.
Web interface: To add or remove a certificate, click the More Details ... link at the top of the Server Certificates page for instructions.
CLI Syntax to Load SSL Server Certificate: load_uri=file_transfer_method://host_address/file_path/PEM_file_name
Where file_transfer_method can be: Browser | TFTP | FTP | SCP | HTTP | HTTPS | Paste
For a detailed description of each file transfer method (excluding Paste), see Supported File Transfer Methods.
CLI Syntax to Delete SSL Server Certificate: set /SP/preferences/servercerts/<1-5> clear_action=true
Are you sure you want to clear /SP/preferences/servercerts/# (y/n)? Type: y
For additional information about using SSL Certificates in Oracle ILOM, see Improve Security by Using a Trusted SSL Certificate and Private Key in Oracle ILOM Security Guide For Firmware Release 5.1.x.

Property: Save
Default Value: N/A
Web interface: Click Save to save the changes made to the Server Certificate page.
Table 4-9 SNMP Configuration Properties

User Interface Configurable Target, User Role, and SNMP Requirement:

Property: State
Default Value: Enabled
Values: Enabled (default) | Disabled
The SNMP State property is enabled by default. When this property is enabled, and the properties for one or more user accounts or communities for SNMP are configured, the SNMP management service in Oracle ILOM is available for use. When the SNMP State property is disabled, the SNMP port is blocked, prohibiting all SNMP communication between Oracle ILOM and the network.
CLI Syntax for SNMP State: set /SP/services/snmp state=enabled|disabled

Property: Port
Default Value: 161
Values: 161 (default) | User_specified
Oracle ILOM, by default, uses UDP port 161 to transmit SNMP communication between an Oracle ILOM SP and the network. If necessary, the default port property number can be changed.
CLI Syntax for SNMP Port: set /SP/services/snmp port=<n>

Property: Engine ID (engineid=)
Default Value: Auto-set by SNMP agent
The Engine ID property is automatically set by the Oracle ILOM SNMP agent. This ID is unique to each Oracle ILOM SNMP-enabled system. Although the Engine ID is configurable, the ID should always remain unique across the data center for each Oracle ILOM system, because SNMPv3 derives per-user localized keys from it. Only experienced SNMP users who are familiar with SNMP v3 security should modify the SNMP Engine ID property.

Property: Protocols (v3)
Default Value: v3 Enabled
Values: Enabled (default) | Disabled
SNMP v3 is enabled by default, but requires creating one or more SNMP users prior to use. There are no preconfigured SNMPv3 users. SNMPv3 uses encryption to provide a secure channel, together with SNMP v3 user names and passwords that are stored securely on the SNMP management station. SNMP v3 is a configurable property for monitoring the health of a system. SNMP v2c is a non-configurable property that is only supported for trap alert notifications.
CLI Syntax to Modify Default Protocol: set /SP/services/snmp v3=enabled|disabled

Property: Save
Default Value: N/A
Web interface: To apply changes made to properties within the SNMP Management page, you must click Save.

Property: SNMP Users
Default Value: N/A
Fields: Username | Authentication Password | Permission | Authentication Protocol | Privacy Protocol
SNMP Users apply only to SNMP v3 to control user access and authorization levels in Oracle ILOM. When the Protocol property for SNMP v3 is enabled, the properties for SNMP users are configurable in Oracle ILOM.
CLI Syntax to Create SNMP Users:
create /SP/services/snmp/users/[new_username] authenticationprotocol=[MD5|SHA] authenticationpassword=[changeme] permission=[ro|rw] privacyprotocol=[AES|DES|none] privacypassword=[user_password]
show /SP/services/snmp/users
delete /SP/services/snmp/users/[username]
Note: Authentication Protocol MD5 and DES Privacy Protocol are not supported when FIPS compliance mode is enabled in Oracle ILOM. Prefer SHA with AES regardless of FIPS mode; MD5 and DES are kept only for older management stations.

Property: MIBs Download
Default Value: N/A
Oracle ILOM provides the ability to download SUN SNMP MIBs directly from the server SP.
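The `create` syntax above is easy to get wrong on a production SP: MD5 or DES are rejected once FIPS mode is on, SNMPv3 USM passwords must be at least 8 characters (an RFC 3414 requirement, not stated in the table), and the command line itself contains two secrets that should not end up in a change ticket. The following is an added example, not Oracle code, that validates an SNMPv3 user definition against those rules and emits the ILOM CLI `create` line, optionally with the passwords redacted. The user name, passwords and the "require privacy" policy in it are assumptions for illustration.

```python
"""Build and check an Oracle ILOM SNMPv3 user `create` command (added example)."""
import re

AUTH_PROTOCOLS = ("SHA", "MD5")          # values accepted by Table 4-9's syntax
PRIVACY_PROTOCOLS = ("AES", "DES", "none")
FIPS_DISALLOWED = {"MD5", "DES"}         # from the FIPS note in Table 4-9
MIN_PASSWORD_LENGTH = 8                  # RFC 3414 USM minimum password length
REQUIRE_PRIVACY = True                   # local policy (assumption): no authNoPriv users


def validate_snmpv3_user(username, auth_protocol, auth_password, permission="ro",
                         privacy_protocol="AES", privacy_password=None,
                         fips_enabled=False):
    """Return a list of problems; an empty list means the definition is acceptable."""
    problems = []
    if not re.fullmatch(r"\S+", username or ""):
        problems.append("username must be non-empty and contain no whitespace")
    if auth_protocol not in AUTH_PROTOCOLS:
        problems.append(f"authentication protocol must be one of {AUTH_PROTOCOLS}")
    if privacy_protocol not in PRIVACY_PROTOCOLS:
        problems.append(f"privacy protocol must be one of {PRIVACY_PROTOCOLS}")
    if permission not in ("ro", "rw"):
        problems.append("permission must be ro or rw")
    if len(auth_password or "") < MIN_PASSWORD_LENGTH:
        problems.append(f"authentication password shorter than {MIN_PASSWORD_LENGTH}")
    if privacy_protocol != "none" and len(privacy_password or "") < MIN_PASSWORD_LENGTH:
        problems.append(f"privacy password shorter than {MIN_PASSWORD_LENGTH}")
    if REQUIRE_PRIVACY and privacy_protocol == "none":
        problems.append("privacy protocol none: SNMP payloads would cross the network in cleartext")
    if fips_enabled and {auth_protocol, privacy_protocol} & FIPS_DISALLOWED:
        problems.append("MD5 and DES are not available while FIPS mode is enabled")
    return problems


def snmpv3_create_command(username, auth_protocol, auth_password, permission="ro",
                          privacy_protocol="AES", privacy_password=None,
                          fips_enabled=False, redact=False):
    """Return the ILOM CLI `create` line, or raise ValueError listing every problem.

    With redact=True the secrets are replaced by <redacted>, giving a line that
    is safe to paste into a change record.
    """
    problems = validate_snmpv3_user(username, auth_protocol, auth_password, permission,
                                    privacy_protocol, privacy_password, fips_enabled)
    if problems:
        raise ValueError("; ".join(problems))

    def secret(value):
        return "<redacted>" if redact else value

    parts = [
        f"create /SP/services/snmp/users/{username}",
        f"authenticationprotocol={auth_protocol}",
        f"authenticationpassword={secret(auth_password)}",
        f"permission={permission}",
        f"privacyprotocol={privacy_protocol}",
    ]
    if privacy_protocol != "none":
        parts.append(f"privacypassword={secret(privacy_password)}")
    return " ".join(parts)


if __name__ == "__main__":
    # Hypothetical monitoring user; passwords are placeholders.
    print(snmpv3_create_command("monitor", "SHA", "Str0ngAuthPw", "ro",
                                "AES", "Str0ngPrivPw", fips_enabled=True, redact=True))
```

Run it with `fips_enabled` set to the SP's actual FIPS state (Table 4-12) before a maintenance window; a definition that validates with FIPS off but not with FIPS on will stop working for the management station the day FIPS mode is enabled.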
Table 4-10 IPMI Service Configuration Properties

User Interface Configurable Target:

Property: State
Default Value: Enabled
Values: Enabled (default) | Disabled
As of Oracle ILOM firmware version 3.2.8, the State property for the IPMI service is enabled by default. When the IPMI State property is enabled, Oracle ILOM permits remote IPMItool clients to connect to the Oracle ILOM SP using a command-line interface. When the IPMI State property is disabled, all IPMItool client sessions with the SP are automatically terminated.
Web interface: Changes to the IPMI State in the web interface do not take effect in Oracle ILOM until you click Save.
CLI Syntax for IPMI State: set /SP/services/ipmi state=enabled|disabled

Property: v2.0 Sessions
Default Value: Disabled
Values: Disabled (default) | Enabled
The v2.0 Sessions check box controls whether Oracle ILOM permits IPMI v2.0 connections.
Web interface: Select the v2.0 Sessions check box to permit IPMI v2.0 connections with Oracle ILOM. When IPMI 2.0 sessions are enabled, users of IPMItool specify the -I lanplus option. Note: IPMI v2.0 Sessions use the standard IPMI protocol and work with any IPMI client. Or clear the v2.0 Sessions check box to prevent (block) IPMI v2.0 sessions with Oracle ILOM. Leave this disabled unless a client that cannot use IPMI TLS genuinely needs it; the TLS Sessions interface below is the one Oracle recommends.
Note: Changes to the v2.0 Sessions property in the web interface do not take effect in Oracle ILOM until you click Save.
CLI Syntax for v2.0 Sessions: set /SP/services/ipmi v2_0_sessions=enabled|disabled

Property: TLS Sessions
Default Value: Enabled
Values: Enabled (default) | Disabled
As of Oracle ILOM firmware version 3.2.8, the TLS Sessions property is enabled by default. For increased security, always use the TLS service and interface.
Note: IPMI TLS is an Oracle improvement to IPMI security which requires a special version of the ipmitool client that supports TLS sessions. To access the IPMI TLS interface, IPMItool users can either specify the TLS interface option on the command line or use the Oracle-provided ipmitool build's documented configuration. For more information about using the TLS service and interface, see the related information in the Oracle ILOM documentation.

Property: (CLI only)
Default Value: Disabled
Values: Enabled | Disabled (default)
As of Oracle ILOM firmware version 5.1.3, this property is available in the Oracle ILOM CLI only.
Table 4-11 CLI Session Timeout and Custom Prompt Configuration Properties

User Interface Configurable Target:

Property: Session Timeout
Default Value: Enabled (12 hours)
Values: Enabled, minutes=n | Disabled
The CLI Session Timeout property determines how many minutes until an inactive CLI session is automatically logged out. As of Oracle ILOM firmware version 5.0.1, the CLI session timeout property is set by default to 12 hours (720 minutes). When necessary, you can modify the default CLI session timeout value by entering a value (in minutes) from 1 to 1440. Twelve hours is generous for an idle privileged session; most hardening baselines set it much lower.
Web interface: Changes to the CLI session timeout properties in the web interface do not take effect in Oracle ILOM until you click Save.
CLI Syntax for CLI Session Timeout: set /SP/cli timeout=enabled|disabled minutes=<value>

Property: Custom Prompt
Default Value: None (disabled)
Values: None (default) | ["Literal Text"] | "<HOSTNAME>" | "<IPADDRESS>"
To help identify a standalone system or a system within a rack or chassis, Administrators can customize the standard CLI prompt (->) by prepending either literal text, replacement tokens ("<HOSTNAME>" "<IPADDRESS>"), or a combination of literal text and replacement tokens. The Custom Prompt maximum length is 252 characters.
Web interface: Changes to the CLI Custom Prompt property in the web interface do not take effect in Oracle ILOM until you click Save. For the CLI syntax and examples, click the More details... link on the Management Access > CLI page.
Table 4-12 Federal Information Processing Standards (FIPS 140-2) Configuration Properties

User Interface Configurable Target and User Role:

Property: Status
Default Value: Disabled
The Status is a read-only property that indicates the current operational status of the FIPS service in Oracle ILOM (Enabled or Disabled). Because a change to the State property only takes effect after a reboot, Status and State can differ until the SP has rebooted.

Property: State
Default Value: Disabled
Values: Enabled | Disabled (default)
Modify the FIPS State property from the web interface or with the CLI syntax below.
Changes to the FIPS operational mode on the server will not take effect until the next Oracle ILOM reboot. At that time, the Oracle ILOM user-defined configuration settings are automatically reset to their factory default settings, so back up the configuration (and note which SNMPv3 users rely on MD5 or DES, which FIPS mode does not allow) before changing this property.
CLI Syntax for FIPS Mode: set /SP/services/fips state=enabled|disabled
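The tables above list the properties one at a time; in practice you want to check a fleet of SPs against them in one pass. The script below is an added example, not Oracle code: it parses the text that the ILOM CLI prints for `show /SP/services/web`, `show /SP/services/ipmi`, `show /SP/services/snmp`, `show /SP/cli` and `show /SP/services/fips` (Tables 4-5, 4-9, 4-10, 4-11 and 4-12), flags settings that contradict the guidance in those tables, and returns the `set` command from the tables that fixes each one. The property names and values are the ones the tables document; the surrounding layout of the sample output (target line, "Properties:" block) and the two policy thresholds are assumptions, and the sample is constructed with several deliberately weak values.

```python
"""Audit Oracle ILOM management-access settings from captured `show` output.

Added example, not Oracle code. Paste the output of the `show` commands for
the targets below into stdin, or run without input to audit the sample.
"""
import re

# Constructed sample output: property names/values follow the tables above;
# the layout is an assumption about how the ILOM CLI renders `show`.
SAMPLE_SHOW_OUTPUT = """\
 /SP/services/web
    Targets:
        ssl
    Properties:
        allowedservices = browser,rest
        http_port = 80
        https_port = 443
        maximum_tls_version = max
        minimum_tls_version = min
        secureredirect = enabled
        servicestate = enabled
        sessionduration = 0
        sessiontimeout = 120
    Commands:
        cd
        set
        show

 /SP/services/ipmi
    Properties:
        state = enabled
        v2_0_sessions = enabled

 /SP/services/snmp
    Properties:
        port = 161
        state = enabled
        v3 = disabled

 /SP/cli
    Properties:
        timeout = disabled
        minutes = 720

 /SP/services/fips
    Properties:
        state = disabled
"""

# Local policy thresholds (assumptions). 15 is also ILOM's own web default;
# ILOM's CLI default is 720, which Table 4-11 itself calls generous.
WEB_IDLE_MAX_MINUTES = 15
CLI_IDLE_MAX_MINUTES = 30

TARGET_RE = re.compile(r"^\s*(/\S+)\s*$")          # e.g. " /SP/services/web"
PROP_RE = re.compile(r"^\s+(\w+)\s*=\s*(.*?)\s*$")  # e.g. "   http_port = 80"


def parse_show_output(text):
    """Return {target: {property: value}} from one or more `show` listings."""
    targets, current = {}, None
    for line in text.splitlines():
        m = TARGET_RE.match(line)
        if m:
            current = targets.setdefault(m.group(1), {})
            continue
        m = PROP_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return targets


def audit(targets):
    """Return [(target, problem, fix_command)] for every weak setting found."""
    findings = []
    web = targets.get("/SP/services/web", {})
    if web and web.get("http_port") == web.get("https_port"):
        findings.append(("/SP/services/web", "HTTP and HTTPS ports must differ",
                         "set /SP/services/web http_port=80 https_port=443"))
    if web.get("minimum_tls_version") == "min":
        findings.append(("/SP/services/web", "TLS floor follows the firmware; pin it",
                         "set /SP/services/web minimum_tls_version=1.2"))
    if int(web.get("sessiontimeout", 0)) > WEB_IDLE_MAX_MINUTES:
        findings.append(("/SP/services/web", "web idle timeout longer than policy",
                         f"set /SP/services/web sessiontimeout={WEB_IDLE_MAX_MINUTES}"))
    if web.get("sessionduration") == "0":
        findings.append(("/SP/services/web", "session duration disabled (no cookie lifetime bound)",
                         "set /SP/services/web sessionduration=1440"))
    ipmi = targets.get("/SP/services/ipmi", {})
    if ipmi.get("state") == "enabled" and ipmi.get("v2_0_sessions") == "enabled":
        findings.append(("/SP/services/ipmi", "IPMI v2.0 (lanplus) sessions on; prefer IPMI TLS",
                         "set /SP/services/ipmi v2_0_sessions=disabled"))
    snmp = targets.get("/SP/services/snmp", {})
    if snmp.get("state") == "enabled" and snmp.get("v3") == "disabled":
        findings.append(("/SP/services/snmp", "SNMP on but SNMPv3 off: no authenticated polling",
                         "set /SP/services/snmp v3=enabled"))
    cli = targets.get("/SP/cli", {})
    if cli.get("timeout") == "disabled" or int(cli.get("minutes", 0)) > CLI_IDLE_MAX_MINUTES:
        findings.append(("/SP/cli", "CLI idle timeout disabled or longer than policy",
                         f"set /SP/cli timeout=enabled minutes={CLI_IDLE_MAX_MINUTES}"))
    if targets.get("/SP/services/fips", {}).get("state") == "disabled":
        findings.append(("/SP/services/fips", "FIPS mode off (enabling reboots SP, resets config)",
                         "set /SP/services/fips state=enabled"))
    return findings


def fix_commands(findings):
    """Deduplicated `set` commands, in audit order, ready to paste into the CLI."""
    return list(dict.fromkeys(fix for _, _, fix in findings))


if __name__ == "__main__":
    import sys
    text = SAMPLE_SHOW_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for target, problem, fix in audit(parse_show_output(text)):
        print(f"{target}: {problem}\n    {fix}")
```

Review the emitted `set` lines before pasting them: the FIPS fix in particular is not a quiet change, since the SP reboots and resets its configuration to defaults, and the web-server commands need a Save or an equivalent CLI commit on the SP you are hardening.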
Table 4-13 Servicetag Service Configuration Properties

User Interface Configurable Target and User Role:

Property: State
Default Value: Enabled
Values: Enabled (default) | Disabled
The Servicetag service is enabled by default.
CLI Syntax for Servicetag State: set /SP/services/servicetag state=disabled|enabled

Property: Passphrase
Default Value: user-defined
To encrypt the service tag data, set a passphrase. The passphrase length must be between 5 and 16 characters.
Note: The matching service tag value should be entered in the Oracle Service Solution program such as ASR or the original Java Service Tag program.
CLI Syntax for Passphrase: set /SP/services/servicetag passphrase=<value>