Oracle® Key Manager 3 Administration Guide
Release 3.0
E41579-02
D Service Processor Procedures

This appendix describes functions that you can perform on the Service Processor of your KMA. The Service Processor on a Sun Fire X2100 M2 or Sun Fire X2200 M2 system is an Embedded Lights Out Manager (ELOM). The Service Processor on a Netra SPARC T4-1 system or Sun Fire X4170 M2 system is an Integrated Lights Out Manager (ILOM).

The following Service Processor procedures and topics are addressed:

ELOM Procedures

The following sections discuss these procedures:

ELOM Upgrade Overview

Sun Fire X2100 M2 or X2200 M2 server-based KMAs were manufactured for earlier KMS releases with the latest BIOS and ELOM firmware levels that were available at the time. When they were manufactured, some BIOS settings were defined in order to limit access to them. From time to time, newer Sun Fire server firmware is released and upgrades are recommended.

This appendix describes the procedures that should be used in conjunction with the firmware upgrades documented in Embedded Lights Out Manager (ELOM) Administration Guide for the Sun Fire™ X2200 M2 and Sun Fire X2100 M2 Servers.

KMAs have specific, non-default, BIOS settings that prevent changes to the BIOS that may compromise security. These settings are saved in the Complementary metal-oxide semiconductor (CMOS). In a default CMOS configuration, a remote user can use the ELOM to change BIOS settings and then boot the KMA from a network device. To minimize this security risk, access to the BIOS settings must be limited. Following the procedures in this document ensures that these settings are retained.

This appendix assumes familiarity with the Oracle Key Manager solution, in particular, the "Shutting Down the KMA" procedure, and with the ELOM web-based interface and the BIOS Setup Utility.

Related Documentation

Embedded Lights Out Manager Administration Guide For the Sun Fire™ X2200 M2 and Sun Fire X2100 M2 Server

http://docs.oracle.com/cd/E19121-01/sf.x2200m2/819-6588-14/819-6588-14.pdf

Sun Fire™ X2200 M2 Server Product Notes

http://docs.oracle.com/cd/E19121-01/sf.x2200m2/819-6601-22/819-6601-22.pdf

Sun Fire™ X2100 M2 Server Product Notes

http://docs.oracle.com/cd/E19121-01/sf.x2100m2/819-6594-17/819-6594-17.pdf

Configuring ELOM – X2100 M2 or X2200 M2 Servers

ELOM for X2100 M2 and X2200 M2 servers contains a separate processor from the main server. As soon as power is applied—by plugging the server in to the power source—and after a one or two minute boot period, the ELOM provides a remote connection to the console.


Note:

This section has some basic ELOM commands to configure the server. Refer to the Embedded Lights Out Manager Administration Guide, PN: 819-6588-xx, for more information.

Connect to the KMA through the Embedded Lights Out Manager using either:


Note:

Pop-ups prevent windows from launching in the following procedures. Disable the popup blockers before continuing.

If the window appears, but a console window does not, the Web browser or Java version is incompatible. Upgrade to the latest versions of the browser and Java.

ELOM Configuration Process

To configure the ELOM for the key management appliance (KMA):

  1. Obtain the IP address for LAN 1.

    Important: Do not connect the power cord. Wait until instructed in Step 7.

  2. Using Table D-1 as a reference, connect all cables as required.

    Table D-1 KMA Network Connections - Sun Fire X2100 M2 and X2200 M2 Servers

    Port Description

    LAN 0

    This is a required connection.

    This network is called the Management Network and connects the Oracle Key Manager (OKM) graphical user interface (GUI) to the KMAs in the cluster. This network can be local, remote, or a combination of both.

    Note – Customers are expected to provide the management network.

    LAN 1*

    This is the network connection for the ELOM.

    LAN 2

    This is normally a required connection for the tape drives.

    This network is called the ”Service Network” and connects to the tape drives, either directly or through Ethernet switches to create the network.

    LAN 3

    This is an optional connection with the Oracle Key Manager.

    This is the "Aggregated Network" connection with NET 2 or LAN 2.

    Aggregation, or IEEE 802.1AX-2008, is a networking term that describes the use of multiple network cables and ports in parallel to increase the link speed and redundancy for higher availability.



    Note:

    The ELOM IP address is most easily configured using a serial connection. Connect a DB9-to-DB9 serial null modem cable from a laptop PC serial port to the serial port on the server. This is a one time connection for the initial configuration.

  3. Connect a null modem serial cable to the DB-9 connector (callout 7). Connect the other end to a laptop PC serial port.

    Figure D-1 X2100 M2/X2200 M2 Appliance - Rear Panel


    1 - Power connector

    2 - Ethernet connectors (2) Upper = Management Network (LAN 0) Lower = ELOM (LAN 1)

    3 - System Identification LED

    4 - Fault LED

    5 - Power LED

    6 - Ethernet connections (2) Left = Service Network (LAN 2) Right = Aggregated Network (LAN 3)

    7 - Serial port (DB9, RS232)

    8 - PCIe slots Top = SCA 6000 card (not shown) Bottom = Blank (empty)

    9 - VGA connector

    10 - USB 2.0 ports (4)

  4. Start a HyperTerminal session on the laptop. This allows you to watch the boot process.

  5. Verify the default settings are:

    • 8-bits

    • No Parity

    • 1 stop-bit

    • 9600 baud rate

  6. Disable both hardware (CTS/RTS) and software (XON/XOFF) flow control.

  7. Connect the server power cord to the power source.

    Important: Do not power-on the server. The ELOM starts as soon as power is connected, even if the server is powered-off. This is the reason for preparing and connecting the PC before applying power.

  8. Once the boot completes, the ELOM login prompt will be displayed.

    1. Press [Enter] a few times to get the ELOM login prompt.

    2. Log in using:

    • Userid = root

    • Password = changeme

  9. Using the following table as a reference, configure the ELOM IP address.

  10. Enter the following commands.


    Note:

    These commands are case sensitive.

    set /SP/AgentInfo DhcpConfigured=disable
    set /SP/AgentInfo IpAddress=ipaddress
    set /SP/AgentInfo NetMask=netmask
    set /SP/AgentInfo Gateway=gateway
    reset

    An informational command you can use is: show /SP/SystemInfo/CtrlInfo.

  11. Log off of the ELOM and exit.

  12. Go to "Using a Network Connection - ELOM" to continue the installation.

Verifying ELOM and BIOS Levels

Log in to the ELOM and verify the type of KMA you have and that the levels match the latest levels documented for your server type. The various ELOM Service Processor and BIOS firmware levels are documented in the Server Product Notes for each server type. ELOM and BIOS firmware are packaged together as ”server software.”

The firmware versions shown in Table D-2 can be used to determine what type of KMA server you're connected to using the ELOM. To check the firmware levels on the ELOM Web-based interface, select System Information > Version > SP Board Information > Server Board Information.

Table D-2 ELOM/BIOS Firmware Levels

Server Type  Server Software  BIOS Level  ELOM Level  Product Notes
X2100 M2     1.8              3A21        3.24        Sun Fire X2100 M2 Product Notes
X2200 M2     2.2.1            3D16        3.23        Sun Fire X2200 M2 Product Notes

Note: Product Notes can be found on http://docs.oracle.com/cd/E19121-01/index.html and server software can be downloaded from the My Oracle Support site (http://support.oracle.com).


If the firmware levels are correct, there is nothing to do. If the firmware is down-level, an upgrade is recommended; proceed with the following instructions.

TIP: The firmware file you need for the upgrade can be found at the above URL in the remoteflash_x.y.zip file, where x.y refers to the Tools and Drivers release number as documented in the appropriate Product Notes.

Upgrading the ELOM Server Firmware

The following procedure takes about 10 minutes to complete and should be scheduled appropriately because the KMA being upgraded needs to be disconnected from the cluster.

  1. Log in to the ELOM using the Web-based interface. You must have administrator privileges to perform the firmware upgrades.

  2. To avoid trouble with Service Processors that may be in an error state, begin by resetting the service processor.

    1. Click on the "Maintenance" tab, then the "Reset SP" tab and then the "Reset SP" button.

    2. Log out and then log back into the ELOM Web-based interface. If necessary, the reset can be performed using the serial interface and CLI to the ELOM; then log back into the ELOM Web-based interface.

  3. Disable Session Time-out (System Information tab > Session Time-Out tab).

  4. For new installs, or FRU situations, prior to QuickStart you should power down using the ELOM Web Interface's Remote Control tab.

  5. Select the Remote Power Control tab and then choose the Graceful Shutdown action. Save this choice to have the server shut down.

  6. For KMAs that have already been configured (QuickStart procedure), log into the OKM Console as an Operator and select the "Shutdown KMA" menu option to shut down the KMA.

    Follow the ELOM Administration Guide procedures for the Web-based interface for Firmware Upgrade and Select Option B in Step 4.

    Do not use the CLI procedures documented in the ELOM Administration Guide: Option A is used by default and your BIOS settings will revert to defaults, exposing the KMA to BIOS-related attacks.

    Important:

    The following has been extracted from the Server Product Notes. Failure to observe these warnings can corrupt the BIOS:

    The SP/BIOS flash process includes an "Update Successful" message when the SP flash process ends. This message signals the end of the SP flash activity only. At this point in the process the BIOS is not flashed, and interrupting the process might corrupt the BIOS.

    To avoid corrupting the BIOS, review the flash sequence below:

    • SP begins the flash process.

    • SP completes the flash process.

    • CLI returns an Update Successful message.

    • The system reboots and the BIOS begins the flash process.

  7. Log out of the ELOM, log back in, and verify that the SP and BIOS firmware levels are at the correct level (System Information tab > Version tab).

    BIOS settings revert to default values when the ELOM firmware is upgraded. You should limit access to the KMA by launching the BIOS Setup Utility and changing some of the BIOS settings. See "Launching the BIOS Setup Utility from the ELOM" and "ILOM Configuration and Security Hardening".

Launching the BIOS Setup Utility from the ELOM

  1. Log into the ELOM web-based interface and navigate as follows:

    Remote Control tab > Remote Power Control tab >  
    Boot option: BIOS Setup  
    
  2. Save this choice to have the server booted. During the boot, the normal boot message appears on the console followed by the launch of the BIOS Setup Utility. Proceed to "Configuring the BIOS - X4170 M2 Only" to verify and update BIOS settings.

If the BIOS Setup Utility offers the ability to change the supervisor password, the BIOS default settings are in effect and you should follow the troubleshooting procedure below.

ILOM Procedures

The following sections discuss these procedures:

ILOM Upgrade Overview

Netra SPARC T4-1 and Sun Fire X4170 M2 server-based KMAs have been manufactured with the latest ILOM firmware level that was available at the time. From time to time, newer Sun Fire server firmware is released and upgrades are recommended.


Note:

X4170 M2 KMAs run ILOM 3.0 or later, while Netra SPARC T4-1 KMAs run ILOM 3.2 or later. ILOM 3.2 is included in server firmware 8.3 or later. You can view the current server firmware from the ILOM. Check the server firmware level of an OKM 3.0 KMA when it is first delivered. If it is not at 8.3 or later, upgrade it to 8.3 before powering up the system.

This information describes the procedures that should be used in conjunction with the firmware upgrade procedures documented in:

  • For the X4170 M2 server: Oracle Integrated Lights Out Manager (ILOM) 3.0 Maintenance and Diagnostics – CLI and Web Guide.

  • For the Netra SPARC T4-1 server: Oracle ILOM Administrator's Guide for Configuration and Maintenance Firmware Release 3.2

The KMA has specific, non-default, BIOS settings that prevent changes to the BIOS that may compromise security. These settings are saved in the CMOS. In a default CMOS configuration, a remote user can use the ILOM to change BIOS settings and then boot the KMA from a network device. To minimize this security risk, access to the BIOS settings must be limited. Following the procedures in this document will ensure that these settings are retained.


Note:

Netra SPARC T4-1 servers do not include a BIOS; there are no BIOS procedures for users to follow.

This appendix assumes familiarity with the Oracle Key Manager solution, in particular, the "Shutting Down the KMA" procedure, and with the ILOM web-based interface and the BIOS Setup Utility.

Related Documentation

These documents pertain to ILOM versions required for the Netra SPARC T4-1 server (ILOM 3.2) or the Sun Fire X4170 M2 server (ILOM 3.0).

ILOM 3.0

Oracle Integrated Lights Out Manager (ILOM) 3.0 Maintenance and Diagnostics – CLI and Web Guide

http://docs.oracle.com/cd/E19860-01/E21449/E21449.pdf

ILOM 3.2

Oracle ILOM Administrator's Guide for Configuration and Maintenance Firmware Release 3.2

http://docs.oracle.com/cd/E37444_01/pdf/E37446.pdf

Oracle ILOM User's Guide for System Monitoring and Diagnostics Firmware Release 3.2.1

http://docs.oracle.com/cd/E37444_01/pdf/E37447.pdf

Oracle ILOM Quick Reference for CLI Commands Firmware Release 3.2.1

http://docs.oracle.com/cd/E37444_01/pdf/E37448.pdf

Netra SPARC T4-1

Oracle ILOM Feature Updates and Release Notes Firmware Release 3.2

http://docs.oracle.com/cd/E37444_01/pdf/E37450.pdf

Oracle Netra SPARC T4-1 Server Product Notes

http://docs.oracle.com/cd/E23203_01/pdf/E23208.pdf

Oracle Netra SPARC T4-1 Server Installation Guide

http://docs.oracle.com/cd/E23203_01/pdf/E23205.pdf

Sun Fire X4170 M2

Sun Fire™ X4170 M2 and X4270 M2 Servers Product Notes

http://docs.oracle.com/cd/E19762-01/E22382/E22382.pdf

Sun Fire™ X4170, X4270, and X4275 Servers Service Manual

http://docs.oracle.com/cd/E19477-01/820-5830-13/820-5830-13.pdf

Configuring ILOM – Netra SPARC T4-1 and X4170 M2 Servers

ILOM for the Netra SPARC T4-1 and X4170 M2 servers contains a separate processor from the main server. As soon as power is applied—by plugging the server in to the power source—and after a one or two minute boot period, the ILOM provides a remote connection to the console.


Note:

This section has some basic ILOM commands to configure the server. Refer to the Integrated Lights Out Manager Administration Guide, PN: 820-0280-12, for more information.

Connect to the KMA through the Integrated Lights Out Manager using either:

If the window appears, but a console window does not, the Web browser or Java version is incompatible. Upgrade to the latest versions of the browser and Java.

ILOM Configuration Process

To configure the ILOM for the key management appliance (KMA):

  1. Obtain the IP address for the ILOM.

  2. Using the following table, connect all cables as required. Important: Do not connect the power cord. Wait until instructed in Step 6.

    Table D-3 KMA Network Connections -- Netra SPARC T4-1 and Sun Fire X4170 M2 Servers

    Port Description

    SER MGT

    The SER MGT RJ-45 port provides a serial connection to the ILOM. The ILOM IP address is most easily configured using this serial connection.

    NET MGT

    The NET MGT RJ-45 port provides an optional Ethernet connection to the ILOM. This port is not available until you configure the ILOM IP address.

    NET 0

    The NET 0 RJ-45 port is a required connection to the Management Network. This network connects the server to the Oracle Key Manager GUI as well as to other KMAs in the cluster. The Management Network can be local, remote, or a combination of both.

    Note – Customers are expected to provide the management network.

    NET 2

    The NET 2 RJ-45 port is a required connection to the Service Network. This network connects the server to the tape drives, either directly or through Ethernet switches, to create the network.

    NET 3

    The NET 3 RJ-45 port is an optional connection to the Aggregated Network and provides aggregation with NET 2. Aggregation, or IEEE 802.1AX-2008, is a networking term that describes using multiple network cables and ports in parallel to increase the link speed and redundancy for higher availability.


  3. Connect a null modem serial cable to the SER MGT port (callout 2 for the Sun Fire X4170 M2 server, callout 10 for the Netra SPARC T4-1 server). Connect the other end to a laptop PC serial port.

    Figure D-2 X4170 M2 Server Rear Panel


    1 - AC Power connectors

    2 - Serial Management (SER MGT) RJ-45 serial port

    3 - Service processor (NET MGT) port (also known as the ILOM port; corresponds to LAN 1 on the Sun Fire X2100 M2 or X2200 M2 servers)

    4 - Ethernet ports (0, 1, 2, 3), labeled Net0 through Net3, from left to right

    5 - USB ports (0, 1)

    6 - Video connector (VGA)

    Figure D-3 Netra SPARC T4-1 Server Rear Panel


    1 - Power supplies (PS1 - PS0 top to bottom) (AC supplies shown)

    2 - Power supply status LEDs:

    • OK (output): green

    • Service Action Required: amber

    • AC or DC (input power): green

    3 - Alarm port

    4 - Expansion slot 0 (PCIe 2.0 x8 or XAUI)

    5 - Expansion slot 3 (PCIe 2.0 x8)

    6 - Expansion slot 1 (PCIe 2.0 x8 or XAUI)

    7 - Expansion slot 4 (PCIe 2.0 x8)

    8 - Expansion slot 2 (PCIe 2.0 x8)

    9 - Service LEDs:

    • Locator LED/Locator button: white

    • Service Action Required LED: amber

    • Main Power/OK LED: green

    10 - SER MGT RJ-45 serial port

    11 - NET MGT RJ-45 network port

    12 - Network 10/100/1000 ports (NET0 to NET3) for host

    13 - Physical Presence button access hole

    14 - USB 2.0 ports (USB 0, USB 1)

    15 - Video connector (HD-15)

    16 - Grounding studs


    Note:

    A connection to the NET MGT interface is required to initially configure the server.

  4. Start a HyperTerminal session on the laptop. This allows you to watch the boot process.

  5. Verify the default settings are:

    • 8-bits

    • No Parity

    • 1 stop-bit

    • 9600 baud rate

    • Disable both hardware (CTS/RTS) and software (XON/XOFF) flow control

  6. Connect the server power cord to the power source.

    Important: Do not power-on the server.

    The ILOM starts as soon as power is connected, even if the server is powered-off. This is the reason for preparing and connecting the PC before applying power.

  7. Once the boot completes, the ILOM login prompt will be displayed.

    1. Press [Enter] a few times to get the ILOM login prompt.

    2. Log in using:

    • Userid = root

    • Password = changeme

  8. Using Figure D-4, "ILOM Initial Configuration Settings" as a reference, configure the ILOM IP address.

    Figure D-4 ILOM Initial Configuration Settings

  9. Enter the following commands.


    Note:

    These commands are case sensitive.

    show /SP/network
    set /SP/network/ pendingipdiscovery=static
    set /SP/network/ pendingipaddress=ipaddress
    set /SP/network/ pendingipnetmask=netmask
    set /SP/network/ pendingipgateway=gateway
    set /SP/network/ commitpending=true
  10. On a Netra SPARC T4-1 server, enter the following commands to set the auto-boot property:


    Note:

    In the following example, there is a space after the question mark but not before it. These commands are case sensitive.

    show /HOST/bootmode
    set /HOST/bootmode script="setenv auto-boot? true"
    show /HOST/bootmode
  11. Log off of the ILOM and exit.

  12. Go to "Using a Network Connection - ILOM" to continue the installation.
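The address, netmask and gateway entered in step 10 of the ELOM procedure and step 9 of the ILOM procedure are applied as soon as "reset" or "commitpending=true" is entered; a gateway outside the subnet or an address that is the subnet's broadcast address leaves the service processor unreachable on LAN 1 or NET MGT until someone returns to the serial port. The following Python script is an added example, not Oracle's code: it checks that the three values are consistent with each other and only then renders the exact command sequences printed in those two steps. The sample addresses are constructed from the RFC 5737 documentation range.

```python
"""Validate a static address triple before typing the ELOM or ILOM network
commands from this appendix.  Added example, not Oracle's code.  The command
text mirrors the sequences printed in the configuration steps; the sample
addresses are constructed (RFC 5737 TEST-NET-1)."""
import ipaddress


def validate_static_config(ip, netmask, gateway):
    """Return (interface, gateway) after checking the triple is consistent.

    Raises ValueError for a malformed address or mask, an address that is the
    network or broadcast address, or a gateway outside the subnet.  A mistake
    here is committed by 'reset' / 'commitpending=true' and cuts off remote
    access to the service processor, so it is cheaper to catch it beforehand.
    """
    iface = ipaddress.IPv4Interface(f"{ip}/{netmask}")  # accepts dotted masks
    net = iface.network
    if iface.ip in (net.network_address, net.broadcast_address):
        raise ValueError(f"{iface.ip} is the network or broadcast address of {net}")
    gw = ipaddress.IPv4Address(gateway)
    if gw not in net:
        raise ValueError(f"gateway {gw} is not inside {net}")
    if gw == iface.ip:
        raise ValueError("gateway must differ from the service processor address")
    return iface, gw


def is_valid_static_config(ip, netmask, gateway):
    """Boolean wrapper around validate_static_config for scripted checks."""
    try:
        validate_static_config(ip, netmask, gateway)
        return True
    except ValueError:
        return False


def elom_commands(ip, netmask, gateway):
    """ELOM sequence (X2100 M2 / X2200 M2): set /SP/AgentInfo ..., then reset."""
    iface, gw = validate_static_config(ip, netmask, gateway)
    return [
        "set /SP/AgentInfo DhcpConfigured=disable",
        f"set /SP/AgentInfo IpAddress={iface.ip}",
        f"set /SP/AgentInfo NetMask={iface.netmask}",
        f"set /SP/AgentInfo Gateway={gw}",
        "reset",
    ]


def ilom_commands(ip, netmask, gateway):
    """ILOM sequence (Netra SPARC T4-1 / X4170 M2): stage the pending values,
    then commit them in one step."""
    iface, gw = validate_static_config(ip, netmask, gateway)
    return [
        "show /SP/network",
        "set /SP/network/ pendingipdiscovery=static",
        f"set /SP/network/ pendingipaddress={iface.ip}",
        f"set /SP/network/ pendingipnetmask={iface.netmask}",
        f"set /SP/network/ pendingipgateway={gw}",
        "set /SP/network/ commitpending=true",
    ]


if __name__ == "__main__":
    # Constructed sample values; replace with the addresses assigned to the KMA.
    for line in ilom_commands("192.0.2.10", "255.255.255.0", "192.0.2.1"):
        print(line)
```

The netmask may be given either in dotted form, as the procedure expects you to type it, or as a prefix length; both render as the dotted form in the generated commands.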

Verifying ILOM and BIOS Levels - X4170 M2 Only

Log in to the ILOM and verify the type of KMA you have and that the levels match the latest levels documented for your server type. These firmware versions can be used to determine what type of KMA server you're connected to through the ILOM. To check the firmware levels on the ILOM Web-based interface, select System Information > Overview.


Note:

Netra SPARC T4-1 servers do not have a BIOS; there are no BIOS procedures for users to follow.

The expected ILOM and BIOS firmware levels vary across OKM releases, as shown in the following table.

Table D-4 ILOM/BIOS Firmware Levels

Server Firmware             ILOM Firmware Level  BIOS Firmware Level  OKM Release
8.3.0.c (Netra SPARC T4-1)  3.2.1.1.c            NA                   3.0
1.7.1 (X4170 M2)            3.1.2.20.a           08.14.01.03          3.0
1.6.1                       3.0.16.10.d          08.12.01.04          2.5.x
1.3                         3.0.14.11.a          08.06.01.08          2.3.1, 2.4, 2.5
1.2                         3.0.9.27             08.04.01.10          2.3


If the ILOM and BIOS firmware levels are correct (for example, those listed for server firmware 1.6.1 with OKM 2.5.x), there is nothing to do. If the firmware is down-level, proceed with the following instructions to upgrade it.
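To make the level checks in "Verifying ELOM and BIOS Levels" and in this section repeatable, the following Python script is an added example (not Oracle's code) that compares the levels read from the System Information screen with the expected levels transcribed from Table D-2 and Table D-4. Numeric fields are compared as numbers, so a zero-padded BIOS level equals its unpadded form, and the letter suffixes are ordered as strings. The rows of Table D-4 below OKM 3.0 are recorded as X4170 M2 levels on the assumption that only that server carries a BIOS; the values in the demo at the bottom are constructed.

```python
"""Compare the ELOM/ILOM and BIOS levels reported by a service processor with
the expected levels from Table D-2 (ELOM servers) and Table D-4 (ILOM servers).
Added example, not Oracle's code.  The expected levels are transcribed from
those tables; the observed values passed to check_levels() are typed in from
the System Information screen (or constructed, in the demo at the bottom)."""
import re

# (server type, OKM release) -> expected ELOM/ILOM ("sp") and BIOS levels.
# Table D-2 does not tie the ELOM levels to an OKM release, hence "any".
# Assumption: the rows of Table D-4 below OKM 3.0 carry a BIOS level, and only
# the X4170 M2 has a BIOS, so they are recorded here as X4170 M2 levels.
EXPECTED_LEVELS = {
    ("X2100 M2", "any"): {"sp": "3.24", "bios": "3A21"},
    ("X2200 M2", "any"): {"sp": "3.23", "bios": "3D16"},
    ("Netra SPARC T4-1", "3.0"): {"sp": "3.2.1.1.c", "bios": None},  # no BIOS on SPARC
    ("X4170 M2", "3.0"): {"sp": "3.1.2.20.a", "bios": "08.14.01.03"},
    ("X4170 M2", "2.5.x"): {"sp": "3.0.16.10.d", "bios": "08.12.01.04"},
    ("X4170 M2", "2.3.1/2.4/2.5"): {"sp": "3.0.14.11.a", "bios": "08.06.01.08"},
    ("X4170 M2", "2.3"): {"sp": "3.0.9.27", "bios": "08.04.01.10"},
}

_TOKEN = re.compile(r"\d+|[A-Za-z]+")


def version_key(level):
    """Break a firmware level into comparable pieces.

    Numeric runs compare as integers, so the zero-padded BIOS levels
    ("08.12.01.04") equal their unpadded form; letter runs (the ".a"/".d"
    suffixes, the "A"/"D" inside ELOM BIOS levels) compare as strings.
    """
    return tuple((0, int(t)) if t.isdigit() else (1, t.lower())
                 for t in _TOKEN.findall(level))


def compare_levels(observed, expected):
    """-1 if observed is older than expected, 0 if equal, 1 if newer."""
    a, b = version_key(observed), version_key(expected)
    return (a > b) - (a < b)


def check_levels(server, okm_release, observed_sp, observed_bios=None):
    """Classify the observed SP and BIOS levels against the documented ones."""
    expected = EXPECTED_LEVELS[(server, okm_release)]
    findings = {}
    for name, got in (("sp", observed_sp), ("bios", observed_bios)):
        want = expected[name]
        if want is None:
            findings[name] = "not applicable"  # Netra SPARC T4-1: no BIOS
        elif got is None:
            findings[name] = "missing"
        else:
            c = compare_levels(got, want)
            findings[name] = ("ok" if c == 0 else
                              "down-level" if c < 0 else "newer than documented")
    return findings


def needs_upgrade(findings):
    """True when any component is down-level or could not be read."""
    return any(v in ("down-level", "missing") for v in findings.values())


if __name__ == "__main__":
    # Constructed sample: an X4170 M2 whose ILOM is still at the OKM 2.3.1 level.
    result = check_levels("X4170 M2", "2.5.x", "3.0.14.11.a", "08.12.01.04")
    print(result, "-> upgrade needed" if needs_upgrade(result) else "-> ok")
```

A result of "newer than documented" is not an error by itself; it usually means the Product Notes have moved on since this table was written and should be checked again.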

Follow this procedure to download both Netra SPARC T4-1 and Sun Fire X4170 M2 firmware from My Oracle Support:

  1. Go to My Oracle Support at: http://support.oracle.com and sign in.

  2. Click the Patches & Updates tab.

  3. Click Product or Family (Advanced).

  4. In the Start Typing... field, type in the product information (for example, "Netra" or "X4170"), and click Search to see the latest firmware for each release.

The firmware distribution is packaged as a .zip file. After you download this file, extract it and then extract the firmware package.zip file that it contains (if any). The firmware package is in a .pkg file. You upload this file during the upgrade procedure outlined below.

Upgrading the ILOM 3.0 Server Firmware

The following procedure takes about 10 minutes to complete and should be scheduled appropriately since the KMA being upgraded will be disconnected from the cluster.

  1. Log in to the ILOM using the Web-based interface. You must have administrator privileges to perform the firmware upgrades.

  2. To avoid trouble with service processors that may be in an error state, begin by resetting the service processor.

    1. Click on the "Maintenance" tab, then the "Reset SP" tab and then the "Reset SP" button.

    2. Log out and then log back into the ILOM Web-based interface. If necessary, the reset can be performed using the serial interface and CLI to the ILOM; then log back into the ILOM Web-based interface.

  3. Set the Session Time-out value to 3 hours (System Information tab, then Session Timeout tab).

  4. Shut down the server.

    1. For new installs, or FRU situations, prior to QuickStart you should power down using the ILOM Web Interface's Remote Control tab, select the Remote Power Control tab and then choose the Graceful Shutdown and Power Off action. Save this choice to have the server shut down.

    2. For KMAs that have already been configured (QuickStart procedure), log into the OKM Console as an Operator and select the "Shutdown KMA" menu option to shut down the KMA.

  5. Follow the procedures in the "Updating Firmware" chapter of the Oracle Integrated Lights Out Manager (ILOM) 3.0 Maintenance and Diagnostics – CLI and Web Guide. On Step 6, set the "Preserve Configuration" option to retain the network configuration and other ILOM settings, and clear the "Delay BIOS upgrade until next server poweroff" option.

  6. Log out of the ILOM and log back in. Verify that the SP and BIOS firmware levels are at the correct level (System Information tab, then Overview tab). If the BIOS level is still shown at the previous level, shut down the KMA as described in Step 4, and then power it up again by choosing the Power On action from the Remote Power Control tab.

  7. Check the BIOS firmware level again (System Information tab > Overview tab).

    BIOS settings revert to default values when the ILOM firmware is upgraded. You should limit access to the KMA by launching the BIOS Setup Utility and changing some of the BIOS settings. See "Launching the BIOS Setup Utility from the ILOM - X4170 M2 Only" and "ILOM Configuration and Security Hardening".

Upgrading the ILOM 3.2 Server Firmware

The firmware update process takes several minutes to complete. During this time, do not perform any other ILOM tasks. When the firmware update process completes, the system will reboot.

Be sure you have met the initial requirements for the upgrade. Refer to "Before You Begin the Firmware Update" in the Oracle ILOM Administrator's Guide for Configuration and Maintenance.

  1. Log into the ILOM using the Web based interface. You must have administrator privileges to perform the firmware upgrades.

  2. To avoid trouble with service processors that may be in an error state begin by resetting the service processor.

    1. Click ILOM Administration > Maintenance > Reset SP and then click the Reset SP button.

    2. Log out and then log back into the ILOM Web based interface. If necessary, the reset can be performed using the serial interface and CLI to the ILOM, then log back into the ILOM Web based interface.

  3. Set the Session Time-out value to 3 hours (System Information tab, then Session Timeout tab).

  4. Shut down the server.

    For new installs, or FRU situations, prior to QuickStart you should power down using the ILOM Web Interface's Remote Control tab, select the Remote Power Control tab and then choose the Graceful Shutdown and Power Off action. Save this choice to have the server shut down.

    For KMAs that have already been configured (QuickStart procedure), log into the OKM Console as an Operator and select the "Shutdown KMA" menu option to shut down the KMA.


    Note:

    The process for upgrading the firmware is discussed in detail in "Update the Server SP or CMM Firmware Image" in the Oracle ILOM Administrator's Guide for Configuration and Maintenance.

  5. Click ILOM Administration > Maintenance > Firmware Upgrade.

  6. Click the Enter Firmware Upgrade Mode button, then click OK in the upgrade confirmation dialog box to proceed.

  7. In the Firmware Upgrade page, either click Browse to specify the firmware to upload or enter a URL to upload the firmware.

  8. Click Upload.

  9. In the Firmware Verification page, enable the Preserve Configuration option.

  10. Click Start.

  11. Click OK to proceed through a series of prompts. The Update Status page is displayed.

    The system automatically reboots when the Update Status is 100 percent complete.

  12. If you want to verify that the updated firmware has been installed, click System Information > Firmware.

Launching the BIOS Setup Utility from the ILOM - X4170 M2 Only


Note:

Netra SPARC T4-1 servers do not include a BIOS; there are no BIOS procedures for users to follow.

  1. Log into the ILOM web-based interface. Follow (or navigate) to:

    Remote Control > Redirection 
    

    and click Launch Redirection to launch the Remote Console.

  2. Follow (or navigate) to

    Remote Control > Remote Power Control 
    

    select Power Up, and click SAVE to reboot the system.

  3. In the Remote Console, monitor normal boot messages. When the American Megatrends screen appears, press the F2 key to launch the BIOS Setup Utility.

    Use "ILOM Security Hardening" when you want to harden the ILOM. Its table is organized as the screens are displayed in the ILOM web interface, using ":" to delimit the tab names.

ILOM Security Hardening

To further secure the KMA, customers may choose to update some of the ILOM settings. Table D-5 lists each navigational point in the ILOM web-based interface and identifies any recommended changes in that screen. Table D-6 shows additional considerations for security hardening.
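The recommendations in Table D-5 are given per web-interface screen, which is convenient for a one-time pass but hard to re-check across a fleet of KMAs. The following Python script is an added example, not Oracle's code: it parses the output of the ILOM CLI "show" command for the services the table singles out (SNMP, IPMI, WS-Man, the clock and the CLI timeout), reports every property that deviates from the table's recommendation, and renders the "set" command that would correct it. The CLI target paths and property names in BASELINE are assumptions taken from the ILOM 3.0 CLI, since this appendix only names the web-interface screens, and SAMPLE_SHOW is constructed output in the layout the ILOM CLI prints.

```python
"""Audit ILOM 'show' output against the hardening recommendations of Table D-5
and print the 'set' commands that close each gap.  Added example, not Oracle's
code.  CLI target paths and property names in BASELINE are assumptions taken
from the ILOM 3.0 CLI; SAMPLE_SHOW is constructed output in the 'show' layout."""

# Desired state, mirroring Table D-5: SNMPv3 only with set requests disabled,
# IPMI off, WS-Man off, clock on NTP in GMT.  Paths are assumed ILOM 3.0 names.
BASELINE = {
    "/SP/services/snmp": {"v1": "disabled", "v2c": "disabled",
                          "v3": "enabled", "sets": "disabled"},
    "/SP/services/ipmi": {"servicestate": "disabled"},
    "/SP/services/wsman": {"state": "disabled"},
    "/SP/clock": {"timezone": "GMT", "usentpserver": "enabled"},
}

# Constructed capture of 'show <target>' for each baseline target plus /SP/cli.
SAMPLE_SHOW = """\
 /SP/services/snmp
    Targets:
        communities
        users

    Properties:
        port = 161
        servicestate = enabled
        sets = enabled
        v1 = enabled
        v2c = enabled
        v3 = enabled

    Commands:
        cd
        set
        show

 /SP/services/ipmi
    Properties:
        servicestate = enabled

 /SP/services/wsman
    Properties:
        port = 8889
        state = disabled

 /SP/clock
    Properties:
        datetime = Tue Jan  1 00:00:00 2013
        timezone = GMT
        usentpserver = disabled

 /SP/cli
    Properties:
        timeout = 0
"""


def parse_show(text):
    """Turn concatenated 'show' output into {target: {property: value}}.
    Only lines inside a 'Properties:' block are read; 'Targets:' and
    'Commands:' entries are skipped."""
    result, target, in_props = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/"):          # a new target header
            target, in_props = line, False
            result[target] = {}
        elif line == "Properties:":
            in_props = True
        elif line.endswith(":"):          # Targets:, Commands:
            in_props = False
        elif in_props and target and "=" in line:
            key, _, value = line.partition("=")
            result[target][key.strip()] = value.strip()
    return result


def audit(observed, baseline=BASELINE):
    """Return (findings, remediation): one (target, property, current, wanted)
    per deviation (property None when the target was not captured), and one
    'set' command per drifted target."""
    findings, commands = [], []
    for target, wanted in baseline.items():
        current = observed.get(target)
        if current is None:
            findings.append((target, None, "not in captured output", None))
            continue
        drift = {k: v for k, v in wanted.items() if current.get(k) != v}
        findings.extend((target, k, current.get(k), v) for k, v in drift.items())
        if drift:
            commands.append(f"set {target} " +
                            " ".join(f"{k}={v}" for k, v in drift.items()))
    return findings, commands


def cli_timeout_ok(observed, minimum_minutes=1):
    """Table D-5: the default CLI timeout (0) keeps sessions open indefinitely."""
    timeout = observed.get("/SP/cli", {}).get("timeout", "0")
    return timeout.isdigit() and int(timeout) >= minimum_minutes


if __name__ == "__main__":
    state = parse_show(SAMPLE_SHOW)
    findings, fixes = audit(state)
    for finding in findings:
        print("drift:", finding)
    for cmd in fixes:
        print("fix:  ", cmd)
    if not cli_timeout_ok(state):
        print("fix:   set /SP/cli timeout=<minutes>")
```

Run it against a real capture by pasting the output of the corresponding "show" commands in place of SAMPLE_SHOW; the rendered "set" lines are only a proposal to review before typing them into the ILOM, and the IPMI and WS-Man entries should be dropped from BASELINE where those services are in use.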

Table D-5 ILOM Configuration and Security Hardening

Navigational Point Recommended Changes

System Information: Overview

Nothing is prescribed as this is not a configuration screen.

System Information: Components

Nothing is prescribed as this is not a configuration screen.

System Information: Fault Management

Nothing is prescribed as this is not a configuration screen.

System Information: Identification Information

SP System Identifier – assign a meaningful name per customer policy.

SP Contact – customer contact information

SP Location – physical rack, or other, used to locate the server.

The "Physical Presence Check" should be enabled (default setting).

System Information: Banner Messages

Changing the banner settings to contain the product name is recommended so that users of the ILOM are aware that the key management appliance is not a generic Sun Fire X4170 M2 server.

Add a connect message, for example:

"Oracle Key Manager ILOM Connect"

Add a login message, for example:

"Oracle Key Manager ILOM"

System Information: Session Timeout

Nothing is prescribed as this setting is for the current session only.

System Information: Versions

Nothing is prescribed as this is not a configuration screen.

System Monitoring: Sensor Readings, Indicators and Event Logs

Nothing is prescribed as these are not configuration screens.

Power Management: Consumption

No specific changes are recommended for KMAs.

Power Management: Limit

The OKM has only been tested using the default power policy, so no specific changes are recommended for KMAs.

Power Management: Allocation

Nothing is prescribed as this is not a configuration screen.

Power Management: History

Nothing is prescribed as this is not a configuration screen.

Storage

Nothing is prescribed as this is not a configuration screen; the KMAs do not ship with RAID controllers.

Configuration: System Management Access: Web Server

No specific changes are recommended for KMAs, although a security best practice is to change the default port number for HTTPS.

Configuration: System Management Access: SSL Certificates

The ILOM uses a default certificate but supports loading an alternate certificate with its corresponding private key for stronger authentication.

Configuration: System Management Access: SNMP Management

For "Settings", the use of the SNMPv3 protocol is recommended (v1 and v2c can be disabled), and "Set Requests" can be disabled to prevent configuration changes from being made via SNMP.

Refer to the Oracle Integrated Lights Out Manager Management Protocols Reference Guide for details.

Configuration: System Management Access: SSH Server Settings

No specific changes are recommended for KMAs.

Configuration: System Management Access: IPMI

This service should be disabled if there are no plans to use IPMI. Leaving this interface open exposes the KMA to reboots (that is, denial of service) from attackers knowledgeable of IPMI.

Configuration: System Management Access: CLI

Configure the session timeout as the default allows CLI sessions to remain open indefinitely.

Configuration: System Management Access: WS-Man

This service can be disabled if there are no plans to use WS-Management and CIM. Leaving this interface open exposes the KMA to attackers knowledgeable of the WS-Management protocol.

Configuration: Alert Management

No KMA specific changes are prescribed.

Configuration: Network

No KMA specific changes are prescribed.

Note: The OKM has not been tested using ILOM sideband management. Configuration for sideband management is described in the Oracle ILOM 3.0 Supplement for X4170 M2 and X4270 M2 Servers.

Configuration: DNS

No KMA specific changes are prescribed.

Auto DNS using DHCP may be disabled if there are no plans to use it.

Configuration: Serial Port

No KMA specific changes are prescribed.

Configuration: Clock

The ILOM SP clock is not synchronized with the host clock on a Sun Fire X4170 M2 server. So that ILOM events can be correlated with server events, the ILOM date and time should be set manually to UTC/GMT time or configured to synchronize with external NTP servers, preferably the same NTP servers to be used for the KMA server during QuickStart. Refer to the Oracle Key Manager Administrator Guide.

Configuration: Timezone

The ILOM timezone should be "GMT".

Configuration: Syslog

ILOM syslog forwarding pertains to the forwarding of ILOM alerts and not to the syslog events of the KMA server. The syslog facility of the KMA (the "server" in the ILOM documentation) is not configurable. However, KMA syslog events may be viewed when examining a KMA system dump. Refer to the Oracle Key Manager Administrator Guide for information on retrieving KMA system dumps.

Configuration: SMTP Client

No KMA specific changes are prescribed.

Configuration: Policy

Both policies should keep their default setting, disabled.

User Management: Active Sessions

No KMA specific changes are prescribed; this is not a configuration screen.

User Management: User Accounts

Use of user accounts and roles is recommended over just the default root account. Refer to the "User Account Management" section in the Oracle ILOM 3.0 Concepts Guide.

User Management: LDAP, LDAP/SSL, RADIUS, Active Directory

No KMA specific changes are prescribed. These services can all remain disabled.

Remote Control: Redirection

Launch Remote Console – This is the typical means of accessing the KMA console. Once the console launches, the default Devices, Keyboard and Video settings should be used.

Storage Redirection – No KMA specific usage recommendations are prescribed.

Remote Control: KVMS

KVMS Settings – Use the default settings.

Host Lock Settings – Leave this disabled.

Remote Control: Remote Power Control

Reset – Whenever possible it is preferable to use the corresponding OKM Console option to reboot the KMA, as this provides an OKM audit entry.

Immediate Power Off – Avoid this whenever possible.

Graceful Shutdown and Power Off – Whenever possible it is preferable to use the corresponding OKM Console options to shut down the KMA, as this provides an OKM audit entry.

Power On – As needed.

Power Cycle – As needed. In some cases a Power Cycle is necessary for recovery of the KMA's SCA 6000 card.

Remote Control: Diagnostics

Run Diagnostics On Boot – Use the default (disabled) unless troubleshooting server hardware problems.

Generate NMI – Unnecessary, but should have no noticeable effect on the KMA.

Remote Control: Host Control

The setting for "Next Boot Device" should be "Default (Use BIOS Settings)". Other settings are not recommended for the KMA.

Maintenance: Firmware Upgrade

ILOM firmware should be kept up to date and updated as described in the Oracle ILOM 3.0 Concepts Guide, Oracle ILOM 3.0 Getting Started Guide, Oracle ILOM 3.0 CLI Procedures Guide or Oracle ILOM 3.0 Web Interface Procedures Guide. The KMA should be shut down prior to upgrading ILOM firmware as a precaution.

Customers should establish a policy for verifying ILOM firmware on a regular basis and upgrading during system maintenance windows.

Maintenance: Backup/Restore

ILOM 3.0 supports backup and restore of the ILOM configuration. A good best practice is to configure the ILOMs on all KMAs with similar settings and to create a backup once a suitable configuration has been obtained. Refer to the "Configuration Management Tasks" section in the Oracle ILOM 3.0 Concepts Guide.

Maintenance: Reset SP

Nothing is prescribed as this is not a configuration screen.

Maintenance: Configuration Management

Only use this as necessary to reset the ILOM to defaults. Refer to the "Reset to Defaults Feature" section in the Oracle ILOM 3.0 Concepts Guide.

Maintenance: Snapshot

Use the Snapshot facility as requested by Oracle service.
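The following is an added example, not part of the Oracle guide, that audits captured ILOM `show` output against the navigational-point recommendations above (IPMI, SNMP, WS-Man, CLI timeout, timezone). The target paths and property names are assumptions about the ILOM 3.0 CLI namespace, and the sample output is constructed.

```python
import re

# Recommendations from the ILOM navigational points above (IPMI, SNMP, WS-Man,
# CLI timeout, timezone).  Target paths and property names are assumptions about
# the ILOM 3.0 CLI namespace; they are not quoted from the guide.
EXPECTED = {
    ("/SP/services/ipmi", "servicestate"): "disabled",
    ("/SP/services/snmp", "v1"): "disabled",
    ("/SP/services/snmp", "v2c"): "disabled",
    ("/SP/services/snmp", "sets"): "disabled",
    ("/SP/services/wsman", "state"): "disabled",
    ("/SP/clock", "timezone"): "GMT",
}
TARGET_RE = re.compile(r"^\s*(/[\w/]*)\s*$")        # e.g. " /SP/services/ipmi"
PROP_RE = re.compile(r"^\s*(\w+)\s*=\s*(.*?)\s*$")  # e.g. "servicestate = enabled"

def parse_show_output(text):
    """Parse concatenated 'show <target>' output into {(target, prop): value}."""
    props, target = {}, None
    for line in text.splitlines():
        m = TARGET_RE.match(line)
        if m:                       # target header; following props belong to it
            target = m.group(1)
            continue
        m = PROP_RE.match(line)
        if m and target:
            props[(target, m.group(1))] = m.group(2)
    return props

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    props = parse_show_output(text)
    findings = []
    for (target, prop), want in EXPECTED.items():
        got = props.get((target, prop))
        if got is None:
            findings.append(f"{target} {prop}: not present in capture")
        elif got.lower() != want.lower():
            findings.append(f"{target} {prop}: is '{got}', expected '{want}'")
    timeout = props.get(("/SP/cli", "timeout"), "0")  # default 0 never expires
    if not timeout.isdigit() or int(timeout) == 0:
        findings.append(f"/SP/cli timeout: is '{timeout}', expected a non-zero value")
    return findings

SAMPLE = (  # constructed 'show' output, not a capture from a real KMA; two deviate
    " /SP/services/ipmi\n    Properties:\n        servicestate = enabled\n"
    " /SP/services/snmp\n        v1 = disabled\n        v2c = disabled\n"
    "        sets = disabled\n /SP/services/wsman\n        state = disabled\n"
    " /SP/cli\n        timeout = 0\n /SP/clock\n        timezone = GMT\n"
)
```

Running `audit(SAMPLE)` reports the enabled IPMI service and the zero CLI timeout; a capture with every setting as recommended yields an empty list.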


Table D-6 Other ILOM Considerations

Navigational Point Consideration

SSL v2, SSL v3 and TLS 1.0

It is currently not possible to disable use of SSLv2, so security scanning tools will report this vulnerability.

Monitoring

The ILOM has a variety of monitoring features. It is recommended that users consider the most appropriate facility for monitoring alerts originating from the KMA's ILOM service processor. Refer to the System Monitoring and Alert Management section in the Oracle ILOM 3.0 Concepts Guide. ILOM System Monitoring, in conjunction with the KMA's SNMP audit events, is recommended for staying abreast of hardware and software events that may affect KMA availability.

BIOS Upgrades

BIOS firmware is upgraded whenever ILOM SP firmware is upgraded. This applies to Sun Fire X4170 M2 servers only. Refer to the Sun Fire X4170 M2 Server Service Manual.

Interoperability with Oracle Management Tools and 3rd Party Tools

Both the Sun Fire 4170 M2 Installation Guide section on "Managing Your Server" and the "Overview" section in the Oracle ILOM 3.0 Concepts Guide mention integration with Oracle and 3rd party management tools. The following disclaimers are noted:

The OKM has not been integrated with Oracle Enterprise Manager Ops Center, a.k.a. Sun xVM Ops Center, although ILOM firmware upgrades and system monitoring could likely be performed via this tool.

Interoperability testing with Sun Management Center has not been performed. The Sun Server Hardware Management Pack is not supported nor is it pre-installed on the KMA. Consequently, the components provided through this tool are not available for system monitoring. This tool is also referenced in Oracle ILOM 3.0 Supplement for X4170 M2 and X4270 M2 Servers.

Sun Installation Assistant – The X4170 M2 server is not supported, nor tested, so may not be used as a tool for updating ILOM or BIOS firmware on KMAs.

3rd Party Tools listed at http://www.sun.com/systemmanagement/tools.jsp have not been tested with OKM.

ILOM Troubleshooting

Remote Console Hang – Should the remote console become non-responsive to keyboard input, first try to reset the SP. If this does not work, then a reboot of the server can clear this condition.

If you suspect ILOM configuration changes are causing problems, then ILOM settings can be restored to default values using the instructions in the Sun Fire X4170 M2 Server Service Manual; refer to "Troubleshooting the Server and Restoring ILOM Defaults".


Configuring the BIOS - X4170 M2 Only


Note:

Netra SPARC T4-1 servers do not include a BIOS; there are no BIOS procedures for users to follow.

You should ensure that the BIOS has specific settings defined in order to limit access to the KMA. Launch the BIOS Setup Utility and check these settings at the following times:

  • When you deploy a KMA that is a Sun Fire X4170 M2 server.

  • Whenever you upgrade the ELOM or ILOM firmware on the KMA.




If you need to configure the BIOS for a KMA, perform the procedure below. For more information, refer to the Sun Fire X4170 M2 Server Service Manual, the Sun Fire X2100 M2 Server Product Notes, or the Sun Fire X2200 M2 Server Product Notes as appropriate for the server type of the KMA.

When you launch the BIOS Setup Utility, a password prompt appears if you have a password already defined.

  1. If this prompt appears, you should enter the BIOS password if known.

  2. If you do not know the password, you can simply press the Enter key to enter the BIOS Setup Utility with limited privileges.

    If this prompt does not appear, then you see the Main menu of the BIOS Setup Utility.

    Verify BIOS settings as follows:

    • BIOS password: If prompted, the password should be "changeme". If not prompted for a password, then a password has not been set.

    • Confirm these items:

      • UTC time, Step 1 below.

      • User access, Step 3 below.

      • Boot order, Step 4 below.

      • Boot device priority, Step 5 below.

      • Network boot settings, Step 6 through Step 9.

If these are all correct, perform Step 2 and Step 11 through Step 14.

  1. Navigate to the Main menu.

  2. Set the BIOS supervisor password. Navigate to the Security menu.

  3. Navigate to the Security menu.

    If you did not enter a password at the password prompt, then the "Change Supervisor password" field does not appear.

  4. Navigate to the Boot menu.

  5. Select "Boot Device Priority" using the up and down arrow keys, then press Enter.

    Keep the KMA's single disk device enabled, such as:

    HDD:P0-SEAGATE ST95000NSSUN500G102.

    All other devices listed should be individually selected using the arrow keys and disabled.

  6. Navigate to the Boot menu.

  7. Select "Option ROM Enable" using the up and down arrow keys and press Enter.

  8. Select each "Net Option ROM" device (there are 4, numbered Net0 to Net3) using the up and down arrow keys and press Enter.

  9. Disable the ability to boot from this device by selecting "Disable" and pressing Enter.

  10. Optional: Disable PCI-E Option ROM for each of the 3 PCI-E slots to mitigate the possibility of booting from PCI-E devices. The KMA does not ship with any PCI-E devices that support booting, so there is marginal benefit from making this change.

  11. Save the BIOS changes.

  12. Navigate to the Exit menu.

  13. Verify that the system boots correctly and that the supervisor password works for reentering the BIOS Setup Utility.

  14. Go to "Using a Network Connection" to continue the installation.

    Refer to the Sun Fire X2100 M2 Server Product Notes, the Sun Fire X2200 M2 Server Product Notes for the ILOM, or the Sun Fire X4170 M2 and X4270 M2 Servers Installation Guide as appropriate for the server type of the KMA.


    Note:

    A connection to the LAN 1 NET MGT interface is required to initially configure the servers. Never use the manual procedure for clearing CMOS NVRAM after a KMA has been Quick Started because it resets the clock.

Keyboard and Monitor Attachment to the KMA

An alternate method to a network connection is to use a keyboard and monitor. The following graphics show these connections:

Follow the same procedure as described in "Using a Network Connection - ELOM" or "Using a Network Connection - ILOM", depending on the server you use.

Figure D-5 X2100 M2/ X2200 M2 — Rear Panel Connections


Figure D-6 X4170 M2 — Rear Panel Connections


Figure D-7 Netra SPARC T4-1 — Rear Panel Connections
