This appendix describes functions that you can perform on the Service Processor of your KMA. The Service Processor on a Sun Fire X2100 M2 or Sun Fire X2200 M2 system is an Embedded Lights Out Manager (ELOM). The Service Processor on a Netra SPARC T4-1 system or Sun Fire X4170 M2 system is an Integrated Lights Out Manager (ILOM).
The following Service Processor procedures and topics are addressed:
Configuring ELOM – X2100 M2 or X2200 M2 Servers ("Configuring ELOM – X2100 M2 or X2200 M2 Servers")
Verifying ELOM and BIOS levels ("Verifying ELOM and BIOS Levels")
Upgrading the ELOM server firmware ("Upgrading the ELOM Server Firmware")
Launching the BIOS Setup Utility from the ELOM ("Launching the BIOS Setup Utility from the ELOM")
Configuring ILOM – Netra SPARC T4-1 and X4170 M2 Servers ("Configuring ILOM – Netra SPARC T4-1 and X4170 M2 Servers")
Verifying ILOM and BIOS levels ("Verifying ILOM and BIOS Levels - X4170 M2 Only")
Upgrading the ILOM 3.0 server firmware ("Upgrading the ILOM 3.0 Server Firmware")
Upgrading the ILOM 3.2 server firmware ("Upgrading the ILOM 3.2 Server Firmware")
Launching the BIOS Setup Utility from the ILOM ("Launching the BIOS Setup Utility from the ILOM - X4170 M2 Only")
ILOM security hardening ("ILOM Security Hardening")
Configuring the BIOS ("Configuring the BIOS - X4170 M2 Only")
Keyboard and monitor attachment to the KMA ("Keyboard and Monitor Attachment to the KMA").
The following sections discuss these procedures:
Sun Fire X2100 M2 or X2200 M2 server-based KMAs were manufactured for earlier KMS releases with the latest BIOS and ELOM firmware levels that were available at the time. When they were manufactured, some BIOS settings were defined in order to limit access to them. From time to time, newer Sun Fire server firmware is released and upgrades are recommended.
This appendix describes the procedures that should be used in conjunction with the firmware upgrades documented in Embedded Lights Out Manager (ELOM) Administration Guide for the Sun Fire™ X2200 M2 and Sun Fire X2100 M2 Servers.
KMAs have specific, non-default, BIOS settings that prevent changes to the BIOS that may compromise security. These settings are saved in the Complementary metal-oxide semiconductor (CMOS). In a default CMOS configuration, a remote user can use the ELOM to change BIOS settings and then boot the KMA from a network device. To minimize this security risk, access to the BIOS settings must be limited. Following the procedures in this document ensures that these settings are retained.
This appendix assumes familiarity with the Oracle Key Manager solution, in particular, the "Shutting Down the KMA" procedure, and with the ELOM web-based interface and the BIOS Setup Utility.
Embedded Lights Out Manager Administration Guide For the Sun Fire™ X2200 M2 and Sun Fire X2100 M2 Server
http://docs.oracle.com/cd/E19121-01/sf.x2200m2/819-6588-14/819-6588-14.pdf
Sun Fire™ X2200 M2 Server Product Notes
http://docs.oracle.com/cd/E19121-01/sf.x2200m2/819-6601-22/819-6601-22.pdf
Sun Fire™ X2100 M2 Server Product Notes
http://docs.oracle.com/cd/E19121-01/sf.x2100m2/819-6594-17/819-6594-17.pdf
ELOM for X2100 M2 and X2200 M2 servers contains a separate processor from the main server. As soon as power is applied—by plugging the server into the power source—and after a one or two minute boot period, the ELOM provides a remote connection to the console.
Note: This section has some basic ELOM commands to configure the server. Refer to the Embedded Lights Out Manager Administration Guide, PN: 819-6588-xx, for more information.
Connect to the KMA through the Embedded Lights Out Manager using either:
Network connection—LAN 1 NET MGT ELOM interface—(recommended). See "Using a Network Connection - ELOM".
Keyboard and monitor attached to the KMA. See "Keyboard and Monitor Attachment to the KMA".
Note: Pop-up blockers prevent windows from launching in the following procedures. Disable the pop-up blockers before continuing.
If the window appears, but a console window does not, the Web browser or Java version is incompatible. Upgrade to the latest versions of the browser and Java.
To configure the ELOM for the key management appliance (KMA):
Obtain the IP address for LAN 1:
Important: Do not connect the power cord. Wait until instructed in Step 0
Using Table D-1 as a reference, connect all cables as required.
Table D-1 KMA Network Connections - Sun Fire X2100 M2 and X2200 M2 Servers

Port | Description |
---|---|
LAN 0 | This is a required connection. This network is called the ”Management Network” and connects the Oracle Key Manager (OKM) graphical user interface (GUI) to the KMAs in the cluster. This network can be local, remote, or a combination of both. Note – Customers are expected to provide the management network. |
LAN 1* | This is the network connection for the ELOM. |
LAN 2 | This is normally a required connection for the tape drives. This network is called the ”Service Network” and connects to the tape drives, either directly or through Ethernet switches to create the network. |
LAN 3 | This is an optional connection with the Oracle Key Manager. This is the ”Aggregated Network” connection, aggregated with NET 2 or LAN 2. Aggregation, or IEEE 802.1AX-2008, is a networking term that describes the use of multiple network cables and ports in parallel to increase the link speed and redundancy for higher availability. |
Note: The ELOM IP address is most easily configured using a serial connection. Connect a DB9-to-DB9 serial null modem cable from a laptop PC serial port to the serial port on the server. This is a one-time connection for the initial configuration.
Connect a null modem serial cable to the DB-9 connector (callout 7). Connect the other end to a laptop PC serial port.
1 - Power connector
2 - Ethernet connectors (2) Upper = Management Network (LAN 0) Lower = ELOM (LAN 1)
3 - System Identification LED
4 - Fault LED
5 - Power LED
6 - Ethernet connections (2) Left = Service Network (LAN 2) Right = Aggregated Network (LAN 3)
7 - Serial port (DB9, RS232)
8 - PCIe slots Top = SCA 6000 card (not shown) Bottom = Blank (empty)
9 - VGA connector
10 - USB 2.0 ports (4)
Start a HyperTerminal session on the laptop. This allows you to watch the boot process.
Verify the default settings are:
8-bits
No Parity
1 stop-bit
9600 baud rate
Disable both hardware (CTS/RTS) and software (XON/XOFF) flow control.
Connect the server power cord to the power source.
Important: Do not power-on the server. The ELOM starts as soon as power is connected, even if the server is powered-off. This is the reason for preparing and connecting the PC before applying power.
Once the boot completes, the ELOM login prompt will be displayed.
Press [Enter] a few times to get the ELOM login prompt.
Log in using:
Userid = root
Password = changeme
Using the following table as a reference, configure the ELOM IP address.
Enter the following commands, substituting your values for ipaddress, netmask, and gateway.
Note: These commands are case sensitive.
set /SP/AgentInfo DhcpConfigured=disable
set /SP/AgentInfo IpAddress=ipaddress
set /SP/AgentInfo NetMask=netmask
set /SP/AgentInfo Gateway=gateway
reset
An informational command you can use is: show /SP/SystemInfo/CtrlInfo.
Log off of the ELOM and exit.
Go to "Using a Network Connection - ELOM" to continue the installation.
Log in to the ELOM and verify the type of KMA you have and that the levels match the latest levels documented for your server type. The various ELOM Service Processor and BIOS firmware levels are documented in the Server Product Notes for each server type. ELOM and BIOS firmware are packaged together as ”server software.”
The firmware versions shown in Table D-2 can be used to determine what type of KMA server you're connected to using the ELOM. To check the firmware levels on the ELOM Web-based interface, select System Information > Version > SP Board Information > Server Board Information.
Table D-2 ELOM/BIOS Firmware Levels

Server Type | Server Software | BIOS Level | ELOM Level | Product Notes |
---|---|---|---|---|
X2100 M2 | 1.8 | 3A21 | 3.24 | Sun Fire X2100 M2 Product Notes |
X2200 M2 | 2.2.1 | 3D16 | 3.23 | Sun Fire X2200 M2 Product Notes |
Note: Product Notes can be found on http://docs.oracle.com/cd/E19121-01/index.html and server software can be downloaded from the My Oracle Support site (http://support.oracle.com).
If the firmware levels are correct, there is nothing to do. If the firmware is down-level, an upgrade is recommended; proceed with the following instructions.
TIP: The firmware file you need for the upgrade can be found at the above URL in the remoteflash_x.y.zip file, where x.y refers to the Tools and Drivers release number as documented in the appropriate Product Notes.
The following procedure takes about 10 minutes to complete and should be scheduled appropriately because the KMA being upgraded needs to be disconnected from the cluster.
Log in to the ELOM using the Web-based interface. You must have administrator privileges to perform the firmware upgrades.
To avoid trouble with Service Processors that may be in an error state, begin by resetting the service processor.
Click on the ”Maintenance” tab, then the ”Reset SP” tab and then the ”Reset SP” button.
Log out and then log back into the ELOM Web-based interface. If necessary, the reset can be performed using the serial interface and CLI to the ELOM, then log back into the ELOM Web based interface.
Disable Session Time-out (System Information tab > Session Time-Out tab).
For new installs, or FRU situations, prior to QuickStart you should power down using the ELOM Web Interface's Remote Control tab: select the Remote Power Control tab and then choose the Graceful Shutdown action. Save this choice to have the server shut down.
For KMAs that have already been configured (QuickStart procedure), log into the OKM Console as an Operator and select the "Shutdown KMA" menu option to shutdown the KMA.
Follow the ELOM Administration Guide procedures for the Web-based interface for Firmware Upgrade and select Option B in Step 4.
Do not use the CLI procedures documented in the ELOM Administration Guide: Option A is used by default, and your BIOS settings would revert to defaults, exposing the KMA to BIOS-related attacks.
Important: The following has been extracted from the Server Product Notes. Failure to observe these warnings can corrupt the BIOS:
The SP/BIOS flash process includes a ”Update Successful” message when the SP flash process ends. This message signals the end of the SP flash activity only. At this point in the process the BIOS is not flashed, and interrupting the process might corrupt the BIOS.
To avoid corrupting the BIOS review the flash sequence below:
SP begins the flash process.
SP completes the flash process.
CLI returns an Update Successful message.
The system reboots and the BIOS begins the flash process.
Log out of the ELOM, log back in, and verify that the SP and BIOS firmware levels are at the correct level (System Information tab > Version tab).
BIOS settings revert to default values when the ELOM firmware is upgraded. You should limit access to the KMA by launching the BIOS Setup Utility and changing some of the BIOS settings. See "Launching the BIOS Setup Utility from the ELOM" and "ILOM Configuration and Security Hardening".
Log into the ELOM web-based interface and navigate as follows:
Remote Control tab > Remote Power Control tab > Boot option: BIOS Setup
Save this choice to have the server booted. During the boot, the normal boot message appears on the console followed by the launch of the BIOS Setup Utility. Proceed to "Configuring the BIOS - X4170 M2 Only" to verify and update BIOS settings.
If the ability to change the supervisor password is displayed, as shown below, then the BIOS default settings are in effect and you should follow the troubleshooting procedure below.
The following sections discuss these procedures:
Netra SPARC T4-1 and Sun Fire X4170 M2 server-based KMAs have been manufactured with the latest ILOM firmware level that was available at the time. From time to time, newer Sun Fire server firmware is released and upgrades are recommended.
Note: X4170 M2 KMAs run ILOM 3.0 or later, while Netra SPARC T4-1 KMAs run ILOM 3.2 or later. ILOM 3.2 is included in server firmware 8.3 or later. You can view the current server firmware from the ILOM. Check the server firmware level of an OKM 3.0 KMA when it is first delivered. If it is not at 8.3 or later, upgrade it to 8.3 before powering up the system.
This information describes the procedures that should be used in conjunction with the firmware upgrade procedures documented in:
For the X4170 M2 server: Oracle Integrated Lights Out Manager (ILOM) 3.0 Maintenance and Diagnostics – CLI and Web Guide.
For the Netra SPARC T4-1 server: Oracle ILOM Administrator's Guide for Configuration and Maintenance Firmware Release 3.2
The KMA has specific, non-default, BIOS settings that prevent changes to the BIOS that may compromise security. These settings are saved in the CMOS. In a default CMOS configuration, a remote user can use the ILOM to change BIOS settings and then boot the KMA from a network device. To minimize this security risk, access to the BIOS settings must be limited. Following the procedures in this document will ensure that these settings are retained.
Note: Netra SPARC T4-1 servers do not include a BIOS; there are no BIOS procedures for users to follow.
This appendix assumes familiarity with the Oracle Key Manager solution, in particular, the "Shutting Down the KMA" procedure, and with the ILOM web-based interface and the BIOS Setup Utility.
These documents pertain to ILOM versions required for the Netra SPARC T4-1 server (ILOM 3.2) or the Sun Fire X4170 M2 server (ILOM 3.0).
Oracle Integrated Lights Out Manager (ILOM) 3.0 Maintenance and Diagnostics – CLI and Web Guide
Oracle ILOM Administrator's Guide for Configuration and Maintenance Firmware Release 3.2
http://docs.oracle.com/cd/E37444_01/pdf/E37446.pdf
Oracle ILOM User's Guide for System Monitoring and Diagnostics Firmware Release 3.2.1
http://docs.oracle.com/cd/E37444_01/pdf/E37447.pdf
Oracle ILOM Quick Reference for CLI Commands Firmware Release 3.2.1
Oracle ILOM Feature Updates and Release Notes Firmware Release 3.2
http://docs.oracle.com/cd/E37444_01/pdf/E37450.pdf
Oracle Netra SPARC T4-1 Server Product Notes
http://docs.oracle.com/cd/E23203_01/pdf/E23208.pdf
Oracle Netra SPARC T4-1 Server Installation Guide
Sun Fire™ X4170 M2 and X4270 M2 Servers Product Notes
http://docs.oracle.com/cd/E19762-01/E22382/E22382.pdf
Sun Fire™ X4170, X4270, and X4275 Servers Service Manual
http://docs.oracle.com/cd/E19477-01/820-5830-13/820-5830-13.pdf
ILOM for the Netra SPARC T4-1 and X4170 M2 servers contains a separate processor from the main server. As soon as power is applied—by plugging the server into the power source—and after a one or two minute boot period, the ILOM provides a remote connection to the console.
Note: This section has some basic ILOM commands to configure the server. Refer to the Integrated Lights Out Manager Administration Guide, PN: 820-0280-12, for more information.
Connect to the KMA through the Integrated Lights Out Manager using either:
Network connection—NET MGT ILOM interface—(recommended). See "Using a Network Connection - ILOM".
Keyboard and monitor attached to the KMA. See "Keyboard and Monitor Attachment to the KMA".
Note: Pop-up blockers prevent windows from launching in the following procedures. Disable the pop-up blockers before continuing.
If the window appears, but a console window does not, the Web browser or Java version is incompatible. Upgrade to the latest versions of the browser and Java.
To configure the ILOM for the key management appliance (KMA):
Obtain the IP address for the ILOM.
Using the following table, connect all cables as required. Important: Do not connect the power cord. Wait until instructed in Step 6.
Table D-3 KMA Network Connections -- Netra SPARC T4-1 and Sun Fire X4170 M2 Servers

Port | Description |
---|---|
SER MGT | The SER MGT RJ-45 port provides a serial connection to the ILOM. The ILOM IP address is most easily configured using this serial connection. |
NET MGT | The NET MGT RJ-45 port provides an optional Ethernet connection to the ILOM. This port is not available until you configure the ILOM IP address. |
NET 0 | The NET 0 RJ-45 port is a required connection to the Management Network. This network connects the server to the Oracle Key Manager GUI as well as to other KMAs in the cluster. The Management Network can be local, remote, or a combination of both. Note – Customers are expected to provide the management network. |
NET 2 | The NET 2 RJ-45 port is a required connection to the Service Network. This network connects the server to the tape drives, either directly or through Ethernet switches, to create the network. |
NET 3 | The NET 3 RJ-45 port is an optional connection to the Aggregated Network and provides aggregation with NET 2. Aggregation, or IEEE 802.1AX-2008, is a networking term that describes using multiple network cables and ports in parallel to increase the link speed and redundancy for higher availability. |
Connect a null modem serial cable to the SER MGT port (callout 2 for the Sun Fire X4170 M2 server, callout 10 for the Netra SPARC T4-1 server). Connect the other end to a laptop PC serial port.
1 - AC Power connectors
2 - Serial Management (SER MGT) RJ-45 serial port
3 - Service processor (NET MGT) port (also known as the ILOM and corresponds to LAN1 on the SunFire X2100 or X2200 servers)
4 - Ethernet ports (0, 1, 2, 3), labeled Net0 through Net3, from left to right
5 - USB ports (0, 1)
6 - Video connector (VGA)
1 - Power supplies (PS1 - PS0 top to bottom) (AC supplies shown)
2 - Power supply status LEDs:
OK (output): green
Service Action Required: amber
AC or DC (input power): green
3 - Alarm port
4 - Expansion slot 0 (PCIe 2.0 x8 or XAUI)
5 - Expansion slot 3 (PCIe 2.0 x8)
6 - Expansion slot 1 (PCIe 2.0 x8 or XAUI)
7 - Expansion slot 4 (PCIe 2.0 x8)
8 - Expansion slot 2 (PCIe 2.0 x8)
9 - Service LEDs:
Locator LED/Locator button: white
Service Action Required LED: amber
Main Power/OK LED: green
10 - SER MGT RJ-45 serial port
11 - NET MGT RJ-45 network port
12 - Network 10/100/1000 ports (NET0 to NET3) for host
13 - Physical Presence button access hole
14 - USB 2.0 ports (USB 0, USB 1)
15 - Video connector (HD-15)
16 - Grounding studs
Note: A connection to the NET MGT interface is required to initially configure the server.
Start a HyperTerminal session on the laptop. This allows you to watch the boot process.
Verify the default settings are:
8-bits
No Parity
1 stop-bit
9600 baud rate
Disable both hardware (CTS/RTS) and software (XON/XOFF) flow control.
Connect the server power cord to the power source.
Important: Do not power-on the server. The ILOM starts as soon as power is connected, even if the server is powered-off. This is the reason for preparing and connecting the PC before applying power.
Once the boot completes, the ILOM login prompt will be displayed.
Press [Enter] a few times to get the ILOM login prompt.
Log in using:
Userid = root
Password = changeme
Using Figure D-4, "ILOM Initial Configuration Settings" as a reference, configure the ILOM IP address.
Enter the following commands.
Note: These commands are case sensitive.
show /SP/network
set /SP/network/ pendingipdiscovery=static
set /SP/network/ pendingipaddress=ipaddress
set /SP/network/ pendingipnetmask=netmask
set /SP/network/ pendingipgateway=gateway
set /SP/network/ commitpending=true
On a Netra SPARC T4-1 server, enter the following commands to set the auto-boot property:
Note: In the following example, there is a space after the question mark but not before it. These commands are case sensitive.
show /HOST/bootmode
set /HOST/bootmode script="setenv auto-boot? true"
show /HOST/bootmode
Log off of the ILOM and exit.
Go to "Using a Network Connection - ILOM" to continue the installation.
Log into the ILOM and verify the type of KMA you have and the levels match the latest levels documented for your server type. These firmware versions can be used to determine what type of KMA server you're connected to through the ILOM. To check the firmware levels on the ILOM Web Based Interface, select System Information > Overview.
Note: Netra SPARC T4-1 servers do not have a BIOS; there are no BIOS procedures for users to follow.
The expected ILOM and BIOS firmware levels vary across OKM releases, as shown in the following table.
Table D-4 ILOM/BIOS Firmware Levels

Server Firmware | ILOM Firmware Level | BIOS Firmware Level | OKM Release |
---|---|---|---|
8.3.0.c (Netra SPARC T4-1); 1.7.1 (X4170 M2) | 3.2.1.1.c (Netra SPARC T4-1); 3.1.2.20.a (X4170 M2) | NA; 08.14.01.03 (X4170 M2 only) | 3.0 |
1.6.1 | 3.0.16.10.d | 08.12.01.04 | 2.5.x |
1.3 | 3.0.14.11.a | 08.06.01.08 | 2.3.1, 2.4, 2.5 |
1.2 | 3.0.9.27 | 08.04.01.10 | 2.3 |
If the ILOM and BIOS firmware levels are correct (for example, those for server firmware 1.6.1 with OKM 2.5.x), then you do not have to do anything. If the firmware is down-level and you need to upgrade, proceed with the following instructions.
Follow this procedure to download both Netra SPARC T4-1 and Sun Fire X4170 M2 firmware from My Oracle Support:
Go to My Oracle Support at: http://support.oracle.com and sign in.
Click the Patches & Updates tab.
Click Product or Family (Advanced).
In the Start Typing... field, type in the product information (for example, ”Netra” or "X4170"), and click Search to see the latest firmware for each release.
The firmware distribution is packaged as a .zip file. After you download this file, extract it and then extract the firmware package.zip file that it contains (if any). The firmware package is in a .pkg file. You upload this file during the upgrade procedure outlined below.
The following procedure takes about 10 minutes to complete and should be scheduled appropriately since the KMA being upgraded will be disconnected from the cluster.
Log into the ILOM using the Web based interface. You must have administrator privileges to perform the firmware upgrades.
To avoid trouble with service processors that may be in an error state, begin by resetting the service processor.
Click on the ”Maintenance” tab, then the ”Reset SP” tab and then the ”Reset SP” button.
Log out and then log back into the ILOM Web based interface. If necessary, the reset can be performed using the serial interface and CLI to the ILOM, then log back into the ILOM Web based interface.
Set the Session Time-out value to 3 hours (System Information tab, then Session Timeout tab).
Shut down the server.
For new installs, or FRU situations, prior to QuickStart you should power down using the ILOM Web Interface's Remote Control tab, select the Remote Power Control tab and then choose the Graceful Shutdown and Power Off action. Save this choice to have the server shut down.
For KMAs that have already been configured (QuickStart procedure), log into the OKM Console as an Operator and select the ”Shutdown KMA” menu option to shut down the KMA.
Follow the procedures in the ”Updating Firmware” chapter of the Oracle Integrated Lights Out Manager (ILOM) 3.0 Maintenance and Diagnostics – CLI and Web Guide. On Step 6, set the ”Preserve Configuration” option to retain the network configuration and other ILOM settings, and clear the ”Delay BIOS upgrade until next server poweroff” option.
Log out of the ILOM and log back in. Verify that the SP and BIOS firmware levels are at the correct level (System Information tab, then Overview tab). If the BIOS level is still shown at the previous level, shut down the KMA as described in Step 4, and then power it up again by choosing the Power On action from the Remote Power Control tab.
Check the BIOS firmware level again (System Information tab > Overview tab).
BIOS settings revert to default values when the ILOM firmware is upgraded. You should limit access to the KMA by launching the BIOS Setup Utility and changing some of the BIOS settings. See "Launching the BIOS Setup Utility from the ILOM - X4170 M2 Only" and "ILOM Configuration and Security Hardening".
The firmware update process takes several minutes to complete. During this time, do not perform any other ILOM tasks. When the firmware update process completes, the system will reboot.
Be sure you have met the initial requirements for the upgrade. Refer to ”Before You Begin the Firmware Update” in the Oracle ILOM Administrator's Guide for Configuration and Maintenance.
Log into the ILOM using the Web based interface. You must have administrator privileges to perform the firmware upgrades.
To avoid trouble with service processors that may be in an error state, begin by resetting the service processor.
Click ILOM Administration > Maintenance > Reset SP and then click the Reset SP button.
Log out and then log back into the ILOM Web based interface. If necessary, the reset can be performed using the serial interface and CLI to the ILOM, then log back into the ILOM Web based interface.
Set the Session Time-out value to 3 hours (System Information tab, then Session Timeout tab).
Shut down the server.
For new installs, or FRU situations, prior to QuickStart you should power down using the ILOM Web Interface's Remote Control tab, select the Remote Power Control tab and then choose the Graceful Shutdown and Power Off action. Save this choice to have the server shut down.
For KMAs that have already been configured (QuickStart procedure), log into the OKM Console as an Operator and select the ”Shutdown KMA” menu option to shut down the KMA.
Note: The process for upgrading the firmware is discussed in detail in ”Update the Server SP or CMM Firmware Image” in the Oracle ILOM Administrator's Guide for Configuration and Maintenance.
Click ILOM Administration > Maintenance > Firmware Upgrade.
Click the Enter Firmware Upgrade Mode button, then click OK in the upgrade confirmation dialog box to proceed.
In the Firmware Upgrade page, either click Browse to specify the firmware to upload or enter a URL to upload the firmware.
Click Upload.
In the Firmware Verification page, enable the Preserve Configuration option.
Click Start.
Click OK to proceed through a series of prompts. The Update Status page is displayed.
The system automatically reboots when the Update Status is 100 percent complete.
If you want to verify that the updated firmware has been installed, click System Information > Firmware.
Note: Netra SPARC T4-1 servers do not include a BIOS; there are no BIOS procedures for users to follow.
Log into the ILOM web-based interface. Follow (or navigate) to:
Remote Control > Redirection
and click Launch Redirection to launch the Remote Console.
Follow (or navigate) to
Remote Control > Remote Power Control
select Power Up, and click SAVE to reboot the system.
In the Remote Console, monitor normal boot messages. When the American Megatrends screen appears, press the F2 key to launch the BIOS Setup Utility.
Use "ILOM Security Hardening" when you want to harden the ILOM. The table below is organized as displayed in the ILOM Web Interface, using ”:” to delimit the tab names.
To further secure the KMA, customers may choose to update some of the ILOM settings. Table D-5 lists each navigational point in the ILOM web-based interface and identifies any recommended changes in that screen. Table D-6 shows additional considerations for security hardening.
Table D-5 ILOM Configuration and Security Hardening

Navigational Point | Recommended Changes |
---|---|
System Information: Overview | Nothing is prescribed as this is not a configuration screen. |
System Information: Components | Nothing is prescribed as this is not a configuration screen. |
System Information: Fault Management | Nothing is prescribed as this is not a configuration screen. |
System Information: Identification Information | SP System Identifier – assign a meaningful name per customer policy. SP Contact – customer contact information. SP Location – physical rack, or other, used to locate the server. The ”Physical Presence Check” should be enabled (default setting). |
System Information: Banner Messages | Changing the banner settings to contain the product name is recommended so that users of the ILOM are aware that the key management appliance is not a generic Sun Fire X4170 M2 server. Add a connect message, for example: ”Oracle Key Manager ILOM Connect”. Add a login message, for example: ”Oracle Key Manager ILOM”. |
System Information: Session Timeout | Nothing is prescribed as this setting is for the current session only. |
System Information: Versions | Nothing is prescribed as this is not a configuration screen. |
System Monitoring: Sensor Readings, Indicators and Event Logs | Nothing is prescribed as these are not configuration screens. |
Power Management: Consumption | No specific changes are recommended for KMAs. |
Power Management: Limit | The OKM has only been tested using the default power policy, so no specific changes are recommended for KMAs. |
Power Management: Allocation | Nothing is prescribed as this is not a configuration screen. |
Power Management: History | Nothing is prescribed as this is not a configuration screen. |
Storage | Nothing is prescribed as this is not a configuration screen; the KMAs do not ship with RAID controllers. |
Configuration: System Management Access: Web Server | No specific changes are recommended for KMAs, although a security best practice is to change the default port number for HTTPS. |
Configuration: System Management Access: SSL Certificates | The ILOM uses a default certificate but supports loading an alternate certificate with its corresponding private key for stronger authentication. |
Configuration: System Management Access: SNMP Management | For ”Settings”, the use of the SNMPv3 protocol is recommended (v1 and v2c can be disabled), and ”Set Requests” can be disabled to prevent configuration changes from happening via SNMP. Refer to the Oracle Integrated Lights Out Manager Management Protocols Reference Guide for details. |
Configuration: System Management Access: SSH Server Settings | No specific changes are recommended for KMAs. |
Configuration: System Management Access: IPMI | This service should be disabled if there are no plans to use IPMI. Leaving this interface open exposes the KMA to reboots, that is, denial of service, from attackers knowledgeable of IPMI. |
Configuration: System Management Access: CLI | Configure the session timeout, as the default allows CLI sessions to remain open indefinitely. |
Configuration: System Management Access: WS-Man | This service can be disabled if there are no plans to use WS-Management and CIM. Leaving this interface open exposes the KMA to attackers knowledgeable of the WS-Management protocol. |
Configuration: Alert Management | No KMA-specific changes are prescribed. |
Configuration: Network | No KMA-specific changes are prescribed. Note: The OKM has not been tested using ILOM sideband management. Configuration for sideband management is described in the Oracle ILOM 3.0 Supplement for X4170 M2 and X4270 M2 Servers. |
Configuration: DNS | No KMA-specific changes are prescribed. Auto DNS using DHCP may be disabled if there are no plans to use it. |
Configuration: Serial Port | No KMA-specific changes are prescribed. |
Configuration: Clock | The ILOM SP clock is not synchronized with the host clock on a Sun Fire X4170 M2 server. So that ILOM events can be correlated with server events, the ILOM date and time should be set manually to UTC/GMT time or configured to synchronize with external NTP servers, preferably the same NTP servers to be used for the KMA server during QuickStart. Refer to the Oracle Key Manager Administrator Guide. |
Configuration: Timezone | The ILOM timezone should be ”GMT”. |
Configuration: Syslog | ILOM syslog forwarding pertains to the forwarding of ILOM alerts and not to the syslog events of the KMA server. The syslog facility of the KMA (that is, the ”server” in the ILOM documentation) is not configurable. However, KMA syslog events may be viewed when examining a KMA system dump. Refer to the Oracle Key Manager Administrator Guide for information on retrieving KMA system dumps. |
Configuration: SMTP Client | No KMA-specific changes are prescribed. |
Configuration: Policy | Both policies should use the defaults (disabled). |
User Management: Active Sessions | No KMA-specific changes are prescribed; this is not a configuration screen. |
User Management: User Accounts | Use of user accounts and roles is recommended over just the default root account. Refer to the ”User Account Management” section in the Oracle ILOM 3.0 Concepts Guide. |
User Management: LDAP, LDAP/SSL, RADIUS, Active Directory | No KMA-specific changes are prescribed. These services can all remain disabled. |
Remote Control: Redirection | Launch Remote Console – This will be the typical means for accessing the KMA console. Once the console launches, the default Devices, Keyboard and Video settings should be used. Storage Redirection – No KMA-specific usage recommendations are prescribed. |
Remote Control: KVMS | KVMS Settings – use the default settings. Host Lock Settings – leave this disabled. |
Remote Control: Remote Power Control | Reset – Whenever possible, it is preferable to use the corresponding OKM Console option to reboot the KMA, as this provides an OKM audit entry. Immediate Power Off – Avoid this whenever possible. Graceful Shutdown and Power Off – Whenever possible, it is preferable to use the corresponding OKM Console option to shut down the KMA, as this provides an OKM audit entry. Power On – As needed. Power Cycle – As needed; in some cases a Power Cycle is necessary for recovery of the KMA's SCA 6000 card. |
Remote Control: Diagnostics | Run Diagnostics On Boot – use the default (disabled) unless troubleshooting server hardware problems. Generate NMI – unnecessary, but should have no noticeable effect on the KMA. |
Remote Control: Host Control | The setting for ”Next Boot Device” should be ”Default (Use BIOS Settings)”. Other settings are not recommended for the KMA. |
Maintenance: Firmware Upgrade | ILOM firmware should be kept up to date and updated as described in the Oracle ILOM 3.0 Concepts Guide, Oracle ILOM 3.0 Getting Started Guide, Oracle ILOM 3.0 CLI Procedures Guide or Oracle ILOM 3.0 Web Interface Procedures Guide. The KMA should be shut down prior to upgrading ILOM firmware as a precaution. Customers should establish a policy for verifying ILOM firmware on a regular basis and upgrading during system maintenance windows. |
Maintenance: Backup/Restore |
ILOM 3.0 supports backup and restore of the ILOM configuration. A good best practice is to configure the ILOMs on all KMAs with similar settings and to create a backup once a suitable configuration has been obtained. Refer to the ”Configuration Management Tasks” section in the Oracle ILOM 3.0 Concepts Guide. |
Maintenance: Reset SP |
Nothing is prescribed as this is not a configuration screen. |
Maintenance: Configuration Management |
Only use this as necessary to reset the ILOM to defaults. Refer to the ”Reset to Defaults Feature” section in the Oracle ILOM 3.0 Concepts Guide. |
Maintenance: Snapshot |
Use the Snapshot facility as requested by Oracle service. |
Table D-6 Other ILOM Considerations
Navigational Point | Consideration |
---|---|
SSL v2, SSL v3 and TLS 1.0 | It is currently not possible to disable use of SSLv2, so security scanning tools will report this vulnerability. |
Monitoring | The ILOM has a variety of monitoring features. It is recommended that users consider the most appropriate facility for monitoring alerts originating from the KMA's ILOM service processor. Refer to the System Monitoring and Alert Management section in the Oracle ILOM 3.0 Concepts Guide. ILOM System Monitoring, in conjunction with the KMA's SNMP audit events, is recommended for staying abreast of hardware and software events that may affect KMA availability. |
BIOS Upgrades | BIOS firmware is upgraded whenever ILOM SP firmware is upgraded. This applies to Sun Fire X4170 M2 servers only. Refer to the Sun Fire X4170 M2 Server Service Manual. |
Interoperability with Oracle Management Tools and 3rd Party Tools | Both the Sun Fire 4170 M2 Installation Guide section on "Managing Your Server" and the "Overview" section in the Oracle ILOM 3.0 Concepts Guide mention integration with Oracle and 3rd party management tools. The following disclaimers are noted. The OKM has not been integrated with Oracle Enterprise Manager Ops Center (a.k.a. Sun xVM Ops Center), although ILOM firmware upgrades and system monitoring could likely be performed via this tool. Interoperability testing with Sun Management Center has not been performed. The Sun Server Hardware Management Pack is not supported, nor is it pre-installed on the KMA; consequently, the components provided through this tool are not available for system monitoring. This tool is also referenced in the Oracle ILOM 3.0 Supplement for X4170 M2 and X4270 M2 Servers. Sun Installation Assistant: the X4170 M2 server is not supported, nor tested, so it may not be used as a tool for updating ILOM or BIOS firmware on KMAs. 3rd party tools listed at http://www.sun.com/systemmanagement/tools.jsp have not been tested with OKM. |
ILOM Troubleshooting | Remote Console Hang: Should the remote console become non-responsive to keyboard input, first try to reset the SP. If this does not work, a reboot of the server can clear this condition. If you suspect ILOM configuration changes are causing problems, ILOM settings can be restored to default values using the instructions in the Sun Fire X4170 M2 Server Service Manual; refer to "Troubleshooting the Server and Restoring ILOM Defaults". |
Note: Netra SPARC T4-1 servers do not include a BIOS; there are no BIOS procedures for users to follow. |
You should ensure that the BIOS has specific settings defined in order to limit access to the KMA. Launch the BIOS Setup Utility and check these settings at the following times:
When you deploy a KMA that is a Sun Fire X4170 M2 server.
Whenever you upgrade the ELOM or ILOM firmware on the KMA.
If you need to configure the BIOS for a KMA, perform the procedure below. For more information, refer to the Sun Fire X4170 M2 Server Service Manual, the Sun Fire X2100 M2 Server Product Notes, or the Sun Fire X2200 M2 Server Product Notes as appropriate for the server type of the KMA.
When you launch the BIOS Setup Utility, a password prompt appears if you have a password already defined.
If this prompt appears, you should enter the BIOS password if known.
If you do not know the password, you can simply press the Enter key to enter the BIOS Setup Utility with limited privileges.
If this prompt does not appear, then you see the Main menu of the BIOS Setup Utility.
Verify BIOS settings as follows:
BIOS password: If prompted, the password should be "changeme". If not prompted for a password, then a password has not been set.
Confirm these items:
If these are all correct, perform Step 2 and Step 11 through Step 14.
Navigate to the Main menu.
Set the BIOS supervisor password.
Navigate to the Security menu.
If you did not enter a password at the password prompt, then the "Change Supervisor password" field does not appear.
Navigate to the Boot menu.
Select the ”Boot Device Priority” using the up and down arrow keys, then press enter.
For the KMA's single disk device, such as:
HDD:P0-SEAGATE ST95000NSSUN500G102.
All other devices listed should be individually selected using arrow keys and disabled.
Navigate to the Boot menu.
Select "Option ROM Enable" using the up and down arrow keys and press Enter.
Select each "Net Option ROM" device (there are 4, numbered Net0 to Net3) using the up and down arrow keys and press Enter.
Disable the ability to boot from this device by selecting "Disable" and pressing Enter.
Optional: Disable the PCI-E Option ROM for each of the 3 PCI-E slots to mitigate the possibility of booting from PCI-E devices. The KMA does not ship with any PCI-E devices that support booting, so there is marginal benefit from making this change.
Save the BIOS changes.
Navigate to the Exit menu.
Verify that the system boots correctly and that the supervisor password works for reentering the BIOS Setup Utility.
Go to "Using a Network Connection" to continue the installation.
Refer to the Sun Fire X2100 M2 Server Product Notes, the Sun Fire X2200 M2 Server Product Notes for the ILOM, or the Sun Fire X4170 M2 and X4270 M2 Servers Installation Guide as appropriate for the server type of the KMA.
Note: A connection to the LAN 1 NET MGT interface is required to initially configure the servers. Never use the manual procedure for clearing CMOS NVRAM after a KMA has been Quick Started, because it resets the clock.
An alternate method to a network connection is to use a keyboard and monitor. The following graphics show these connections:
Figure D-5 — X2100 M2/X2200 M2
Figure D-6 — X4170 M2
Figure D-7 — Netra SPARC T4-1
Follow the same procedure as described in "Using a Network Connection - ELOM" or "Using a Network Connection - ILOM", depending on the server you use.