Sun SPARC Enterprise(R) M3000/M4000/M5000/M8000/M9000 Servers: How To Clear a Domain Firmware Password from XSCF

Asset ID:	1-71-1505700.1
Update Date:	2017-09-29
Keywords:

Solution Type Technical Instruction Sure

Solution 1505700.1 : Sun SPARC Enterprise(R) M3000/M4000/M5000/M8000/M9000 Servers: How To Clear a Domain Firmware Password from XSCF

Applies to:

Sun SPARC Enterprise M4000 Server - Version All Versions to All Versions [Release All Releases]
Sun SPARC Enterprise M5000 Server - Version All Versions to All Versions [Release All Releases]
Sun SPARC Enterprise M3000 Server - Version All Versions to All Versions [Release All Releases]
Sun SPARC Enterprise M8000 Server - Version All Versions to All Versions [Release All Releases]
Sun SPARC Enterprise M9000-64 Server - Version All Versions to All Versions [Release All Releases]
Information in this document applies to any platform.
Lost or unknown firmware passwords ( obp ) need to be cleared.

Goal

Erase domain OBP level firmware password on Mx000.

Solution

The OBP (OpenBoot Prom) firmware password is used to protect OBP settings for OPL domains and prevent unauthorized modification.

More information about security-mode in OBP is available in Document ID 1012605.1.

When OBP security-mode is enabled and password is set, OBP will request firmware password when trying to enter ok prompt.

Example:

Sun SPARC Enterprise M4000 Server, using Domain console
Copyright 2008 Sun Microsystems, Inc. All rights reserved.
Copyright 2008 Sun Microsystems, Inc. and Fujitsu Limited. All rights reserved.
OpenBoot 4.24.10, 16384 MB memory installed, Serial #88449104.
Ethernet address 0:21:28:45:a0:50, Host ID: 8545a050.

Aborting auto-boot sequence.
Type boot , go (continue), or login (command mode)
>
>
>
> login
Firmware Password:

Clearing the firmware password can be performed through the XSCF by using the "setdomparam" command.
This will actually reset the OBP security-setting and no more password will be requested.

This is documented into the "SPARC Enterprise M3000/M4000/M5000/M8000/M9000 Servers XSCF Reference Manual for XCP Version 1101" that is available here.

In the below example, "setdomparam" command is used set "none" for the security-mode OpenBoot PROM environment variable for domain ID 0:

XSCF> setdomparam -d 0 security-mode
DomainIDs of domains that will be affected:00
OpenBoot PROM variable security-mode will be set to none.
Continue? [y|n]:y

Once complete the domain obp security-mode is set to "none" and obp will no longer request the password.

Please note that setdomparam command will not work when the domain is powered on:

XSCF> setdomparam -y -d 0 security-mode
This operation cannot be done for the domain which is powered on.
Try again after powering off the domain.

it will need a powered-off domain:

XSCF> poweroff -y -d 0
DomainIDs to power off:00
Continue? [y|n] :y
00 :Powering off
...
wait until all domain components are powered off
...
XSCF> showdomainstatus -a
DID Domain Status
00 Powered Off
01 -
XSCF> setdomparam -y -d 0 security-mode
DomainIDs of domains that will be affected:00
OpenBoot PROM variable security-mode will be set to none.
Continue? [y|n] :y

so when domain is booted you may run the following:

bash-3.2# eeprom security-mode
security-mode=full
bash-3.2# eeprom security-mode=none
bash-3.2# eeprom security-mode
security-mode=none

References

<NOTE:1012605.1> - How to secure the OpenBoot Prom console.

Attachments

This solution has no attachment