Sun Microsystems, Inc.  Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition

Asset ID: 1-77-2002410.1
Update Date: 2015-12-18

Solution Type  Sun Alert Sure

Solution  2002410.1 :   Oracle ILOM FIPS Mode May Fail on SPARC M5-32/M6-32 Servers With Sun System Firmware 9.3.0.c or Later  


Related Items
  • SPARC M5-32
  • Sun Software - Generic
  • SPARC M6-32
  • Sun Hardware - Generic
Related Categories
  • PLA-Support>Sun Systems>Sun_Other>Sun Collections>SN-OTH: Sun Alert




In this Document
Description
Occurrence
Symptoms
Workaround
Patches
History
References


Applies to:

SPARC M5-32
Sun Hardware - Generic
Sun Software - Generic
SPARC M6-32
SPARC
Information in this document applies to any platform.
_________________________________________

Date of Workaround Release: 22-Apr-2015

Date of Resolved Release: 18-Dec-2015
_________________________________________

Description

SPARC M5-32/M6-32 Servers with Sun System Firmware 9.3.0.c or later offer an option to use ILOM Federal Information Processing Standards (FIPS) mode. Enabling FIPS mode causes certain communications between the Service Processors (SPs) and Service Processor Proxies (SPPs) that manage the M5/M6-32 system to be impaired, resulting in a number of failures being reported, including on any attempt to change the Sun System Firmware level.

Occurrence

This issue can occur on the following platforms:

SPARC Platform:

  • SPARC M5-32 with Sun System Firmware 9.3.0.c (as delivered in patch 20034532) or 9.3.0.f (as delivered in patch 20229461)
  • SPARC M6-32 with Sun System Firmware 9.3.0.c (as delivered in patch 20034532) or 9.3.0.f (as delivered in patch 20229461)

Note 1: This issue only occurs when ILOM FIPS mode is enabled. To determine if FIPS is enabled, execute the following ILOM command from the active SP:

    -> show /SP/services/fips state

    /SP/services/fips
      Properties:
         state = enabled

Note 2: To determine the firmware version on the system, execute the following ILOM command from the active SP:

    -> show /System system_fw_version

     /System
      Properties:
         system_fw_version = Sun System Firmware 9.3.0.f 2015/01/13 20:12

Symptoms

If the described issue occurs, errors similar to the following will be seen when the Sun System Firmware is updated while FIPS mode is enabled:

    -> load -source http://x.x.x.x

    2015-04-06 13:03:48 Download firmware package...
    2015-04-06 13:06:26 Check firmware package...
    ...
    2015-04-06 13:08:23 SP /SYS/SPP0 firmware update started ...
    2015-04-06 13:08:29 SP /SYS/SPP1 firmware update started ...
    2015-04-06 13:10:25 SP /SYS/SPP1 firmware update failed
    /SYS/SPP1 ERR fips_md.c(146): OpenSSL internal error, assertion failed: Digest update previous FIPS forbidden algorithm error ignored
    2015-04-06 13:10:33 SP /SYS/SPP2 firmware update failed
    /SYS/SPP2 ERR fips_md.c(146): OpenSSL internal error, assertion failed: Digest update previous FIPS forbidden algorithm error ignored
    2015-04-06 13:10:34 SP /SYS/SPP3 firmware update failed
    /SYS/SPP3 ERR fips_md.c(146): OpenSSL internal error, assertion failed: Digest update previous FIPS forbidden algorithm error ignored

Additional functionality may also be affected.
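
The checks in Notes 1 and 2 and the failure signature above can be applied to captured ILOM output. The following Python is an added example, not part of the original alert or any Oracle tooling; the function names are hypothetical, the sample text is constructed from the output quoted in this alert, and only the two firmware levels named under Occurrence are matched.

```python
import re

# Constructed samples, taken from the ILOM output quoted in this alert.
FIPS_OUT = "/SP/services/fips\n  Properties:\n     state = enabled\n"
FW_OUT = ("/System\n  Properties:\n     system_fw_version = "
          "Sun System Firmware 9.3.0.f 2015/01/13 20:12\n")
LOAD_LOG = """\
2015-04-06 13:08:23 SP /SYS/SPP0 firmware update started ...
2015-04-06 13:08:29 SP /SYS/SPP1 firmware update started ...
2015-04-06 13:10:25 SP /SYS/SPP1 firmware update failed
/SYS/SPP1 ERR fips_md.c(146): OpenSSL internal error, assertion failed: Digest update previous FIPS forbidden algorithm error ignored
2015-04-06 13:10:33 SP /SYS/SPP2 firmware update failed
/SYS/SPP2 ERR fips_md.c(146): OpenSSL internal error, assertion failed: Digest update previous FIPS forbidden algorithm error ignored
"""

PROP = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$")
FAILED = re.compile(r"SP (/SYS/SPP\d+) firmware update failed")
FIPS_ERR = re.compile(r"^(/SYS/SPP\d+) ERR fips_md\.c\(\d+\):.*FIPS forbidden algorithm")
# Only the firmware levels this alert names explicitly (assumption: exact match).
AFFECTED_FW = {"9.3.0.c", "9.3.0.f"}

def ilom_property(show_output, name):
    """Return the value of property `name` from captured `show` output, or None."""
    for line in show_output.splitlines():
        m = PROP.match(line)
        if m and m.group(1) == name:
            return m.group(2)
    return None

def fips_update_failures(load_log):
    """SPPs whose update failed AND that logged the FIPS digest assertion."""
    failed, fips = set(), set()
    for line in load_log.splitlines():
        line = line.strip()
        if (m := FAILED.search(line)):
            failed.add(m.group(1))
        elif (m := FIPS_ERR.match(line)):
            fips.add(m.group(1))
    return sorted(failed & fips)

def triage(fips_out, fw_out, load_log=""):
    """Combine FIPS state, firmware level and update log into one verdict."""
    fw = ilom_property(fw_out, "system_fw_version") or ""
    m = re.search(r"Sun System Firmware (\S+)", fw)
    level = m.group(1) if m else None
    fips_on = ilom_property(fips_out, "state") == "enabled"
    return {"fw_level": level, "fips_enabled": fips_on,
            "matches_alert": fips_on and level in AFFECTED_FW,
            "spps_failed_fips": fips_update_failures(load_log)}
```

A firmware level outside the two named here yields `matches_alert` False and still has to be compared by hand against the fixed releases listed at the end of the Workaround section.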

Workaround

To work around this issue, do the following:

1. Gracefully power off all PDomains.

   For example:

   From the ILOM command shell:

    -> stop /System
    Are you sure you want to stop /System (y/n) ? y
    Stopping /System

2. Turn off FIPS mode.

   From the ILOM command shell, disable FIPS mode from the active SP:

    -> set /SP/services/fips/ state=disabled

Note: To verify which SP is the active SP, do the following:

    -> show /SP/redundancy status

3. Reset the standby SP.

   From the active SP (assuming SP0 is active):

    -> reset /SYS/SP1

   If the first attempt fails, retry with:

    -> reset -f /SYS/SP1

4. Reset all the SPs:

    -> reset /SP

Note: Enabling or disabling FIPS mode also resets all configuration data.

This behavior is expected, so that the FIPS mode change takes effect on the next SP reboot.

For more details, see: "Oracle ILOM Administrator's Guide for Configuration and Maintenance Firmware Release 3.2.x", which can be found at:

https://docs.oracle.com/cd/E37444_01/html/E37446/index.html

This issue is addressed in the following releases:

SPARC Platform

  • For BugID 20808972 - Firmware 9.4.2.D (as delivered in Patch 20214652 or later)
  • For BugID 20793932 - Firmware 9.5.1.C (as delivered in Patch 21911668 or later)

Patches

<SUNPATCH:21911668>
<SUNPATCH:20214652> 

History

22-Apr-2015: Document released, status Workaround
18-Dec-2015: Updated for FW releases, issue is Resolved

Internal Section: Comments:

Questions regarding this document should be addressed to
 sunalertpublication_us_grp@oracle.com and copy the
 responsible engineer listed below.

Internal Contributor/Submitter:  marcel.widjaja@oracle.com
Internal Eng Responsible Engineer: shankar.venkoba.rao@oracle.com
Internal Services Knowledge Engineer: Jeff.folla@oracle.com
Internal Eng Business Unit Group:  Systems RPE
Internal Associated SRs:
Internal Pending Patches:
Internal Resolution Patches:

References

<BUG:20808972> - SSH CLIENT FAILS TO DRILL DOWN IN FIPS MODE UNDER CERTAIN CONDITIONS.
<BUG:20793932> - FIPS CONFIGURATION MUST TAKE MULTI-SP SYSTEMS INTO ACCOUNT



Attachments
This solution has no attachment
  Copyright © 2018 Oracle, Inc.  All rights reserved.