Obtaining SSL Certificates for TLS Access

In order to use TLS encryption when accessing an Oracle ILOM SP over a remote network connection, a client-side trusted certificate for that SP must be available on the host from which you will be accessing it. Note the following:

  • Ensure that you've installed the latest TLS and OpenSSL patches for your operating system (Oracle requires TLS 1.2 support at a minimum).

  • Oracle Hardware Management Pack commands that perform SSL certificate validation for a remote network connection to a service processor look for client-side certificates in certain directories. For Oracle Solaris 11.4, a hashed symbolic link to the installed certificate should be in /etc/openssl/certs.

    If your certificate hashed symbolic link is in some other directory, you will need to include a command line argument (as described in Command Options for Accessing Oracle ILOM Over a Remote Network Connection) that specifies the directory when issuing Oracle Hardware Management Pack commands that perform client-side SSL certificate validation.

To obtain a client-side trusted certificate from a service processor and prepare it for validation, do the following:

  1. Obtain a PEM format certificate from the target Oracle ILOM SP. You can use one of the following methods:

    • This can be done at first login to the Oracle ILOM SP using a browser. The browser will prompt you for a security exception at which point you can view and export the certificate in PEM format (.pem) to a directory. For Oracle Solaris 11.4, the default system certificate directory is /etc/certs/CA.

    • Or, if you've already accepted the certificate from a previous browser login, you can export it from the browser's stored server certificates in PEM format (.pem) to a directory. For Oracle Solaris 11.4, the default system certificate directory is /etc/certs/CA.

    • You can also run an OpenSSL command from the host to obtain the certificate. For example:

      # echo | openssl s_client -connect sp_ip:623 | sed -n "/--BEGIN/,/--END/ p" > path_to_cert/certname.pem

      Where sp_ip is the host name or IP address of the SP, path_to_cert is the directory path to where the certificate will be copied, and certname is the file name for the PEM format certificate. For Oracle Solaris 11.4, the default system certificate directory is /etc/certs/CA.

      Note:

      This command trusts whatever certificate the SP presents at connection time, so it cannot by itself detect a man-in-the-middle. Run it over a trusted channel (for example, a dedicated management network), or verify the fingerprint of the downloaded certificate against a value obtained through an independent second channel before you install it.

    • Or, you can set up your own certification authority and sign a certificate to upload to Oracle ILOM. If you choose to create your own custom certificates, refer to the Oracle ILOM documentation for details.

  2. Change ownership of the certificate file you downloaded to root:root and file permissions to -rw-r--r-- (numeric value 644).

  3. Create a hash link of your downloaded certificate. This can be done by restarting the ca-certificates service. For example:

    # /usr/sbin/svcadm restart /system/ca-certificates

    The service adds the certificate to the /etc/certs/ca-certificates.crt file and adds a hashed symbolic link in the /etc/openssl/certs directory. Refer to your Oracle Solaris documentation for more details.

  4. Ensure that the service processor Common Name (for example, ORACLESP-1000NML000) has been added to the domain name system (DNS) for your network. This name should match the Common Name found in the certificate file.
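The steps above as one script, an added example that is not part of the Oracle documentation or Oracle Hardware Management Pack. It wraps each step in a shell function so the result can be checked before moving on: it pulls the certificate from port 623, compares its SHA-256 fingerprint with a value you obtained out of band (the independent second channel mentioned in the note to step 1), sets ownership and permissions, restarts the ca-certificates service, confirms that a hash link in /etc/openssl/certs really points at the installed certificate, and checks that the certificate's Common Name resolves in DNS. The names SP_HOST, EXPECTED_FP and the use of getent for the DNS check are assumptions for illustration; the svcadm and openssl invocations are standard.

```shell
#!/bin/sh
# Added example, not Oracle's code. Assumes sh, sed, openssl, getent and svcadm.
# SP_HOST and EXPECTED_FP are placeholders you replace with your own values.
SP_HOST="ORACLESP-1000NML000"          # assumption: SP's DNS name (matches its CN)
EXPECTED_FP="replace-with-fingerprint" # assumption: SHA-256 read from the ILOM console
CERT_DIR="/etc/certs/CA"               # Solaris 11.4 default system certificate dir
LINK_DIR="/etc/openssl/certs"          # where the service puts hashed symlinks

# Step 1: keep only the PEM body of openssl s_client output (reads stdin so it
# can also be run on a saved transcript).
extract_pem() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

fetch_sp_cert() {   # fetch_sp_cert HOST OUTFILE
    echo | openssl s_client -connect "$1:623" 2>/dev/null | extract_pem > "$2"
    [ -s "$2" ]
}

# SHA-256 fingerprint as upper-case hex without colons, so the comparison does
# not depend on how the out-of-band value was written down.
cert_fingerprint() {   # cert_fingerprint FILE
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2 | tr -d ': ' | tr 'a-f' 'A-F'
}

fingerprint_matches() {   # fingerprint_matches FILE EXPECTED
    want=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
    [ "$(cert_fingerprint "$1")" = "$want" ]
}

# Step 2: root-owned, mode 644.
secure_cert_file() {
    chown root:root "$1" && chmod 644 "$1"
}

# Step 3: let the Solaris service rebuild ca-certificates.crt and the hash links.
rebuild_hash_links() {
    /usr/sbin/svcadm restart svc:/system/ca-certificates
}

# Verify step 3: some LINKDIR/<subject_hash>.N entry must carry our certificate.
hash_link_present() {   # hash_link_present FILE LINKDIR
    h=$(openssl x509 -noout -subject_hash -in "$1")
    for l in "$2/$h".*; do
        [ -r "$l" ] && [ "$(cert_fingerprint "$l")" = "$(cert_fingerprint "$1")" ] && return 0
    done
    return 1
}

# Step 4: the certificate's Common Name must resolve in DNS.
cert_cn() {   # cert_cn FILE
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

cn_resolves() {   # cn_resolves FILE
    getent hosts "$(cert_cn "$1")" > /dev/null
}

main() {
    cert="$CERT_DIR/$SP_HOST.pem"
    fetch_sp_cert "$SP_HOST" "$cert"            || { echo "no certificate from $SP_HOST"; exit 1; }
    fingerprint_matches "$cert" "$EXPECTED_FP"  || { echo "fingerprint mismatch, not installing"; rm -f "$cert"; exit 1; }
    secure_cert_file "$cert"
    rebuild_hash_links
    hash_link_present "$cert" "$LINK_DIR"       || { echo "no hash link in $LINK_DIR"; exit 1; }
    cn_resolves "$cert"                         || { echo "CN $(cert_cn "$cert") does not resolve in DNS"; exit 1; }
    echo "installed $cert (CN=$(cert_cn "$cert"))"
}

[ "${1:-}" = "run" ] && main
```

Run it as `sh install-sp-cert.sh run` after filling in the placeholders. The script deletes the downloaded file on a fingerprint mismatch so a wrong certificate never reaches the ca-certificates service, and it checks the hash link by fingerprint rather than by file name because the service, not you, picks the link name.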