Sun Microsystems, Inc.  Sun System Handbook - ISO 4.1 October 2012 Internal/Partner Edition

Asset ID: 1-71-1007592.1
Update Date:2012-07-30
Keywords:

Solution Type  Technical Instruction Sure

Solution  1007592.1 :   Protecting OpenBoot[TM] by Setting Security Parameters  


Related Items
  • Sun Fire V240 Server
  • Sun Fire V440 Server
  • Sun Fire V480 Server
  • Sun Fire V490 Server
  • Sun Fire V880 Server
  • Sun Fire V890 Server

Related Categories
  • PLA-Support>Sun Systems>SPARC>Usx/Blade/Netra>SN-SPARC: USx
  • .Old GCS Categories>Sun Microsystems>Servers>Entry-Level Servers

Previously Published As
210504


Description
This document describes the procedure used to password-protect a system's OpenBoot[TM] PROM (OBP).

It is recommended that all systems have their OBP protected. This ensures that unauthorized personnel cannot boot the system from an external device (hard disk or CD-ROM) and gain complete control over the system.

There are three levels of security in OBP as explained below. The default is 'none'.

  • none: No password required. All OpenBoot settings can be changed, and any OBP command executed.
  • command: All commands except 'boot' and 'go' require the password.
  • full: All OBP commands except 'go' require the password.


Steps to Follow
Use the following steps to set up OpenBoot security:

Setting the OpenBoot Password:

1. From Solaris[TM] Prompt:

# eeprom security-password
Changing PROM password:
New password:********
Retype new password:********
# 

2. From OpenBoot Prompt:

ok password
ok New password (only first 8 chars are used):********
ok Retype new password:********

Setting OpenBoot Security Level:

1. From Solaris Prompt:

The following line sets the security level to 'full'

# eeprom security-mode=full

2. From OpenBoot Prompt:

The following line sets security level to 'command'

ok setenv security-mode command

Resetting OpenBoot Number of Incorrect Password Attempts:

The security-#badlogins OBP parameter records the number of failed security password attempts.

When changing other OBP security parameters, it is good practice to reset security-#badlogins to zero, if it has not already been initialized, so that incorrect security password attempts can be detected.

1. From Solaris Prompt:

The following line resets the OBP parameter security-#badlogins

# eeprom security-#badlogins=0

2. From OpenBoot Prompt:

The following line resets the OBP parameter security-#badlogins

ok setenv security-#badlogins 0

Warning:

  • If the OBP password is forgotten and security mode is set to 'full', it can only be changed with the 'eeprom' command from the Solaris prompt as the root user.
  • If both OBP and root passwords are forgotten and security mode is 'full', the system PROM must be replaced, because you cannot boot from CD-ROM to recover the root password without the OBP password.

NOTE:

SPARC (R)
Information in this document is applicable for SPARC based systems, because they implement firmware password protection with eeprom using the security-mode, security-password and security-#badlogins properties.

IA
On IA based systems (where Solaris x86 can run), EEPROM storage is simulated using a file residing in the platform-specific boot area: /platform/platform-name/boot/solaris/bootenv.rc. Because IA based systems typically implement password protection in the system BIOS, there is no support for password protection in the eeprom program. While it is possible to set the security-mode, security-password, and security-#badlogins properties on IA based systems, these properties have no special meaning or behavior there.
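
The settings described above can be checked with a script. The following is an added example, not part of the original Sun document: a shell function that reads eeprom output and reports an unprotected security-mode, an uninitialized security-#badlogins, or recorded failed password attempts, and skips non-SPARC hosts where these properties have no effect. The function name audit_obp, its exit codes, and the sample input are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not Sun code): audit OBP security settings from `eeprom` output.
# Usage on a live host:  eeprom | audit_obp "$(uname -p)"
# Exit status: 0 = compliant, 1 = finding(s), 2 = not applicable (non-SPARC).

audit_obp() {
    arch=$1
    if [ "$arch" != "sparc" ]; then
        echo "N/A: security-* properties have no effect on $arch; rely on the BIOS password"
        return 2
    fi
    mode=""; bad=""
    # Assumption: eeprom prints one "name=value" line per set property.
    while IFS= read -r line; do
        case $line in
            security-mode=*)        mode=${line#*=} ;;
            security-\#badlogins=*) bad=${line#*=} ;;
        esac
    done
    rc=0
    case $mode in
        full|command) echo "OK: security-mode=$mode" ;;
        none|"")      echo "FINDING: security-mode=${mode:-unset}, OBP is not password protected"; rc=1 ;;
        *)            echo "FINDING: unrecognized security-mode '$mode'"; rc=1 ;;
    esac
    case $bad in
        ""|*[!0-9]*)  echo "FINDING: security-#badlogins not initialized, set it to 0"; rc=1 ;;
        0)            echo "OK: security-#badlogins=0" ;;
        *)            echo "FINDING: $bad failed OBP password attempt(s) recorded"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample input (not captured from a real system).
audit_obp sparc <<'EOF' || echo "audit exit status: $?"
security-mode=command
security-password: data not available.
security-#badlogins=3
EOF
```

A nonzero security-#badlogins on a host whose counter was previously reset to 0 indicates that someone entered a wrong OBP password since the reset.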



Product
N/A

OBP, security, password, OK, NVRAM
Previously Published As
77383

Change History
Date: 2004-09-13
User Name: 7058
Action: Approved
Comment: Fixed &andquot problem.
Doc OK to publish.
Version: 9
Date: 2004-09-10
User Name: 7058
Action: Accept
Comment:
Version: 0
Date: 2004-09-10


Attachments
This solution has no attachment
  Copyright © 2012 Sun Microsystems, Inc.  All rights reserved.