1. Security Guide
  2. Secure Installation of the SL150

2 Secure Installation of the SL150

Make key configuration changes during installation to secure the library.

Set User Roles and Assign the Admin Password

User accounts should be limited to operator role level instead of granting all users the Admin role level. Proper use of the service user role should be practiced. Create, enable, or disable the service user role accounts as needed. Service roles have greater privilege than operator to the point of nearly the same authorization as the admin role.

At first power-on, a setup wizard automatically runs on the local operator panel to obtain basic configuration information. The installer uses a standard login account in the first step of the setup wizard routine. Initial setup includes administrator account username and password, network settings, and other basic settings. The library will not become operational until you complete the setup wizard and enter a new password for the admin account.

After completing the setup wizard powering on the library, you can make additional modifications to the library configuration through the browser user interface (BUI) for all library settings. Refer to the SL150 Library Guide for more information.

If a history of user activity is needed for investigative purposes, the "Activity Log" may be reviewed and exported for further analysis. The Activity Log on the user interface can show user logins, Host or UI initiated actions for traceability.

Configure the Firewall and Place the Library on a Secure Network

You should configure the firewall to allow traffic on ports used by the SL150 library (see SL150 Network Ports). Block any unused ports.

Although the library provides an internal firewall to protect itself, this should not be the only line of security to protect the library. It is recommended the library is in a physically secured data center on a secured network only allowing access from servers utilizing its functionality. These servers and applications running on them should also be secured.

All tape library products are designed and documented for use within a controlled server environment with no general network or user access. This provides the best functionality and protection from compromise, both from the internet in general and from the internal entity operating the library.

Enforce Password Management

Basic password management rules, such as password length, history, and complexity must be applied to all passwords. SL150 passwords must be between 8 to 128 characters and contain at least one numeric or special character. The default password must be changed during installation and may not be reused.

Note:

The number of characters shown masked in the GUI are not indicative of the exact number of entered characters.

Related Topics

SL150 Network Ports

Configure the firewall to allow traffic on these ports and block any unused ports.

Table 2-1 SL150 Network Ports

Port Type Description

22

TCP

SSH CLI access –inbound stateful

For development test and debug only, not available in the field

25

TCP

SMTP without authentication

67

DHCP

client - outbound

68

DHCP

client - inbound

80

HTTP

WebLogic port for remote user interface

123

NTP

Network Time Protocol (if enabled)

161

UDP

SNMP library agent requests - inbound stateful

162

UDP

SNMP library traps and inform notifications - outbound stateless for traps, outbound stateful for inform

465

TCP

SMTP with SSL or TLS authentication

443

HTTPS

WebLogic port for remote user interface for HTTPS

546

DHCPv6

IPv6 DHCP client - outbound

547

DHCPv6

IPv6 DHCP client - inbound

33200-33500

TRACEROUTE

Software development use

Valid port number selection for library use are either reserved or recommended per the above table list. Legitimate port numbers commence at the numeric number 1, as zero is not a legitimate port number.

When configuring SNMP, using SNMPv3 is strongly recommended over SNMPv2c for its confidentiality, integrity, and authentication capabilities.

From within the library User Interface, disable SNMP when not using this feature to further increase security robustness. By default, SNMP is disabled.

When configuring SMTP, using TLS authentication is strongly recommended over both SSL or the no-authentication option.

Clearing Customer Data on the Library

You can return the library to factory default state to clear any customer data.

If the customer needs to decommission a library, a procedure is provided which removes all customer configuration information and all log files, and returns the library to a factory default state. See the SL150 Library Guide for instructions.

Checklist for Secure Deployment of the SL150

Use this security checklist to help secure the library.

  1. Enforce password management for all user accounts.

  2. Enforce access controls, both physical proximity and through interfaces such as SCSI, UI, SNMP and so on.

  3. Restrict network access.

    1. A firewall should be implemented.

    2. The firewall must not be compromised.

    3. System access should be monitored.

    4. Network IP addresses should be checked.

    5. Services may have tools that need proper password or access controls monitored (for example, SDP-2 to allow automatic downloading of log information or other access)

  4. Contact your Oracle Services, Oracle Tape Library Engineering, or account representative if you come across vulnerability in Oracle Tape Libraries.

  5. SMTP should use TLS instead of lesser protocols like SSL or none.

  6. SNMP, when enabled, should be set up with V3 level instead of V2C or lesser capabilities.

  7. With version 3.50 firmware the library managed encryption (LME) port 2 may be configured to allow a private network to the OKM cluster. Refer to the user documentation for more information on the LME feature.