Privileged credentials are the root account details used to perform privileged actions like executing root scripts.
Now we demonstrate how to setup Privilege Delegation through SUDO.
Read more of this content when you subscribe today.
This post demonstrates the installation of Oracle Enterprise Manager Cloud Control 13c Release 3 (13.3.0.0) on Oracle Linux 7 (x86_64).
Read more of this content when you subscribe today.
URL : https://oemnode1:7803/em
username: sysman
Password: you specified during your installation
[oracle@oemnode1 scripts]$ . oraenv ORACLE_SID = [OEMREP] ? AGENT [oracle@oemnode1 scripts]$ emctl status agent Oracle Enterprise Manager Cloud Control 13c Release 3 Copyright (c) 1996, 2018 Oracle Corporation. All rights reserved. --------------------------------------------------------------- Agent Version : 13.3.0.0.0 OMS Version : 13.3.0.0.0 Protocol Version : 12.1.0.1.0 Agent Home : /u01/app/oracle/Product/Agent/agent_inst Agent Log Directory : /u01/app/oracle/Product/Agent/agent_inst/sysman/log Agent Binaries : /u01/app/oracle/Product/Agent/agent_13.3.0.0.0 Core JAR Location : /u01/app/oracle/Product/Agent/agent_13.3.0.0.0/jlib Agent Process ID : 6463 Parent Process ID : 6403 Agent URL : https://oemnode1:3872/emd/main/ Local Agent URL in NAT : https://oemnode1:3872/emd/main/ Repository URL : https://oemnode1:4903/empbs/upload Started at : 2020-03-27 23:43:12 Started by user : oracle Operating System : Linux version 4.14.35-1902.10.7.el7uek.x86_64 (amd64) Number of Targets : 33 Last Reload : (none) Last successful upload : 2020-03-28 00:14:07 Last attempted upload : 2020-03-28 00:14:07 Total Megabytes of XML files uploaded so far : 1.72 Number of XML files pending upload : 0 Size of XML files pending upload(MB) : 0 Available disk space on upload filesystem : 13.15% Collection Status : Collections enabled Heartbeat Status : Ok Last attempted heartbeat to OMS : 2020-03-28 00:13:52 Last successful heartbeat to OMS : 2020-03-28 00:13:52 Next scheduled heartbeat to OMS : 2020-03-28 00:14:52 Agent is Running and Ready
[oracle@oemnode1 ~]$ . oraenv ORACLE_SID = [OMS] ? OMS [oracle@oemnode1 ~]$ emctl status oms -bip_only Oracle Enterprise Manager Cloud Control 13c Release 3 Copyright (c) 1996, 2018 Oracle Corporation. All rights reserved. BI Publisher Server is Up [oracle@oemnode1 ~]$ emctl status oms -details Oracle Enterprise Manager Cloud Control 13c Release 3 Copyright (c) 1996, 2018 Oracle Corporation. All rights reserved. Enter Enterprise Manager Root (SYSMAN) Password : Console Server Host : oemnode1 HTTP Console Port : 7788 HTTPS Console Port : 7803 HTTP Upload Port : 4889 HTTPS Upload Port : 4903 EM Instance Home : /u01/app/oracle/Product/gc_inst/em/EMGC_OMS1 OMS Log Directory Location : /u01/app/oracle/Product/gc_inst/em/EMGC_OMS1/sysman/log OMS is not configured with SLB or virtual hostname Agent Upload is locked. OMS Console is locked. Active CA ID: 1 Console URL: https://oemnode1:7803/em Upload URL: https://oemnode1:4903/empbs/upload WLS Domain Information Domain Name : GCDomain Admin Server Host : oemnode1 Admin Server HTTPS Port: 7102 Admin Server is RUNNING Oracle Management Server Information Managed Server Instance Name: EMGC_OMS1 Oracle Management Server Instance Host: oemnode1 WebTier is Up Oracle Management Server is Up JVMD Engine is Up BI Publisher Server Information BI Publisher Managed Server Name: BIP BI Publisher Server is Up BI Publisher HTTP Managed Server Port : 9701 BI Publisher HTTPS Managed Server Port : 9803 BI Publisher HTTP OHS Port : 9788 BI Publisher HTTPS OHS Port : 9851 BI Publisher is locked. BI Publisher Server named 'BIP' running at URL: https://oemnode1:9851/xmlpserver/servlet/home BI Publisher Server Logs: /u01/app/oracle/Product/gc_inst/user_projects/domains/GCDomain/servers/BIP/logs/ BI Publisher Log : /u01/app/oracle/Product/gc_inst/user_projects/domains/GCDomain/servers/BIP/logs/bipublisher/bipublisher.log [oracle@oemnode1 ~]$
[oracle@oemnode1 ~]$ emctl stop oms Oracle Enterprise Manager Cloud Control 13c Release 3 Copyright (c) 1996, 2018 Oracle Corporation. All rights reserved. Stopping Oracle Management Server... Oracle Management Server Successfully Stopped Oracle Management Server is Down JVMD Engine is Down [oracle@oemnode1 ~]$ emctl status oms Oracle Enterprise Manager Cloud Control 13c Release 3 Copyright (c) 1996, 2018 Oracle Corporation. All rights reserved. WebTier is Up Oracle Management Server is Down JVMD Engine is Down BI Publisher Server is Up [oracle@oemnode1 ~]$
[oracle@oemnode1 ~]$ emctl stop oms -all Oracle Enterprise Manager Cloud Control 13c Release 3 Copyright (c) 1996, 2018 Oracle Corporation. All rights reserved. Stopping Oracle Management Server... WebTier Successfully Stopped Oracle Management Server Successfully Stopped Oracle Management Server is Down JVMD Engine is Down Stopping BI Publisher Server... BI Publisher Server Successfully Stopped AdminServer Successfully Stopped BI Publisher Server is Down [oracle@oemnode1 ~]$
[oracle@oemnode1 ~]$ emctl status oms Oracle Enterprise Manager Cloud Control 13c Release 3 Copyright (c) 1996, 2018 Oracle Corporation. All rights reserved. WebTier is Up Oracle Management Server is Up JVMD Engine is Up BI Publisher Server is Up [oracle@oemnode1 ~]$
[oracle@oemnode1 ~]$ emctl status oms -details Oracle Enterprise Manager Cloud Control 13c Release 3 Copyright (c) 1996, 2018 Oracle Corporation. All rights reserved. Enter Enterprise Manager Root (SYSMAN) Password : Console Server Host : oemnode1 HTTP Console Port : 7788 HTTPS Console Port : 7803 HTTP Upload Port : 4889 HTTPS Upload Port : 4903 EM Instance Home : /u01/app/oracle/Product/gc_inst/em/EMGC_OMS1 OMS Log Directory Location : /u01/app/oracle/Product/gc_inst/em/EMGC_OMS1/sysman/log OMS is not configured with SLB or virtual hostname Agent Upload is locked. OMS Console is locked. Active CA ID: 1 Console URL: https://oemnode1:7803/em Upload URL: https://oemnode1:4903/empbs/upload WLS Domain Information Domain Name : GCDomain Admin Server Host : oemnode1 Admin Server HTTPS Port: 7102 Admin Server is RUNNING Oracle Management Server Information Managed Server Instance Name: EMGC_OMS1 Oracle Management Server Instance Host: oemnode1 WebTier is Up Oracle Management Server is Up JVMD Engine is Up BI Publisher Server Information BI Publisher Managed Server Name: BIP BI Publisher Server is Up BI Publisher HTTP Managed Server Port : 9701 BI Publisher HTTPS Managed Server Port : 9803 BI Publisher HTTP OHS Port : 9788 BI Publisher HTTPS OHS Port : 9851 BI Publisher is locked. BI Publisher Server named 'BIP' running at URL: https://oemnode1:9851/xmlpserver/servlet/home BI Publisher Server Logs: /u01/app/oracle/Product/gc_inst/user_projects/domains/GCDomain/servers/BIP/logs/ BI Publisher Log : /u01/app/oracle/Product/gc_inst/user_projects/domains/GCDomain/servers/BIP/logs/bipublisher/bipublisher.log
[oracle@oemnode1 ~]$ emctl stop agent
[oracle@oemnode1 ~]$ emctl start agent
[oracle@oemnode1 ~]$ emctl status agent
When starting up 13cR3 OMS server, the command hangs forever.
[oracle@oemnode1 ~]$ emctl start oms Oracle Enterprise Manager Cloud Control 13c Release 3 Copyright (c) 1996, 2018 Oracle Corporation. All rights reserved. Starting Oracle Management Server...
Read more of this content when you subscribe today.
While installing OEM 13c, the following warning might occur from checking OEM repository database:
“Oracle strongly recommends that you disable the password verification function in your database before proceeding any further”
Let’s check and disable password verification function if any.
SQL>select username, profile from dba_users where username like 'SYSMAN%';
USERNAME PROFILE
------------------------------ ------------------------------
SYSMAN_TYPES DEFAULT
SYSMAN_RO MGMT_INTERNAL_USER_PROFILE
SYSMAN_OPSS MGMT_INTERNAL_USER_PROFILE
SYSMAN_STB MGMT_INTERNAL_USER_PROFILE
SYSMAN_BIPLATFORM MGMT_INTERNAL_USER_PROFILE
SYSMAN MGMT_INTERNAL_USER_PROFILE
SYSMAN_MDS MGMT_INTERNAL_USER_PROFILE
7 rows selected.
SQL> select PROFILE,RESOURCE_NAME,LIMIT from dba_profiles
where PROFILE in ('DEFAULT','MGMT_INTERNAL_USER_PROFILE')
and RESOURCE_NAME='PASSWORD_VERIFY_FUNCTION';
PROFILE RESOURCE_NAME LIMIT
-------------------------- ------------------------ ---------------------
DEFAULT PASSWORD_VERIFY_FUNCTION NULL
MGMT_INTERNAL_USER_PROFILE PASSWORD_VERIFY_FUNCTION GMT_INTERNAL_PASS_VERIFY
SQL>
SQL> alter profile MGMT_INTERNAL_USER_PROFILE limit
PASSWORD_VERIFY_FUNCTION null;
Profile altered.
SQL> select PROFILE,RESOURCE_NAME,LIMIT
from dba_profiles
where PROFILE in ('DEFAULT','MGMT_INTERNAL_USER_PROFILE')
and RESOURCE_NAME='PASSWORD_VERIFY_FUNCTION';
PROFILE RESOURCE_NAME LIMIT
-------------------------- ------------------------ ------------------
DEFAULT PASSWORD_VERIFY_FUNCTION NULL
MGMT_INTERNAL_USER_PROFILE PASSWORD_VERIFY_FUNCTION NULL
SQL>
In order to create a named credential, you need to know:
Now we start to create a named credential for cluster database ( RACTEST ) user ( JAMES).
1) To get TARGET_TYPE from TARGET_NAME. Normally we know a couple of target_type from daily emcli practice.
$ emcli get_targets -targets="RACTEST:%" Status ID Status Target Type Target Name 1 Up rac_database RACTETS
2) To get the credential types (and their attributes) associated with “rac_database”.
$ emcli show_credential_type_info -target_type=rac_database
Target Type Cred Type Name Cred Type Column Name Key Column
rac_database DBCreds DBPassword No
DBRole No
DBUserName Yes
DBHostCreds HostPassword No
HostUserName Yes
DBKerberosCreds DBKerberosPassword No
DBKerberosUserName Yes
DBPkiCreds DBPkiUserWallet Yes
DBPkiUserWalletPassword No
DBPkiUserWalletType No
HostSSHCreds SSH_PUB_KEY No
SSH_PVT_KEY No
USERNAME Yes
We can see target type rac_database has four credential types. we will use credential type DBCreds in the following steps.
3) Create named credential for JAMES user of the RAC database.
$emcli create_named_credential -auth_target_type=rac_database \ -cred_scope=Instance -target_type=rac_database \ -target_name=RACTEST -cred_type=DBCreds -cred_name=NC_RACTEST_JAMES \ -attributes="DBUserName:JAMES;DBPassword:yourpasswd" -test Credential NC_RACTEST_JAMES created.
Here “-test” to test the credential before saving.
If you want to create a global named credential, just remove “cred_scope, target_type, target_name” parameters.
$emcli create_named_credential -auth_target_type=rac_database \ -cred_type=DBCreds -cred_name=NC_G_RACTEST_JAMES \ -attributes="DBUserName:JAMES;DBPassword:yourpasswd" Credential NC_G_RACTEST_JAMES created.
4) Test a named credential.
a) Instance named credential.
$ emcli test_named_credential -cred_names=NC_RACTEST_JAMES Credentials "NC_RACTEST_JAMES:SYSMAN" tested successfully
b) Global named credential. target_name and target_type are required for testing global named credential.
$ emcli test_named_credential -cred_names=NC_G_RACTEST_JAMES -target_name=RACTEST -target_type=rac_database Credentials "NC_G_RACTEST_JAMES:SYSMAN" tested successfully
c) Global named credential can be used for both rac cluster database or its instances, while instance credential can only work for the attached target.
$ emcli test_named_credential -cred_names=NC_G_RACTEST_JAMES \
-target_name=RACTEST_RACTEST1 -target_type=oracle_database
Credentials "NC_G_RACTEST_JAMES:SYSMAN" tested successfully
$ emcli test_named_credential -cred_names=NC_RACTEST_JAMES \
-target_name=RACTEST_RACTEST1 -target_type=oracle_database
Error: target_name and target_type options should be provided
only for Global credentials.
5) Modify named credentials. Here we assume user JAMES password has been changed, so the named credentials have to be modified accordingly.
— Global Named Credential.
$ emcli modify_named_credential -cred_name=NC_G_RACTEST_JAMES \
-attributes="DBUserName:JAMES;DBPassword:NewPasswd"
Credential updated.
$ emcli test_named_credential -cred_names=NC_G_RACTEST_JAMES
-target_name=RACTEST -target_type=rac_database
Credentials "NC_G_RACTEST_JAMES:SYSMAN" tested successfully
— Instance Named Credential
$ emcli modify_named_credential -cred_name=NC_RACTEST_JAMES -attributes="DBUserName:JAMES;DBPassword:NewPasswd" Credential updated. $ emcli test_named_credential -cred_names=NC_RACTEST_JAMES Credentials "NC_RACTEST_JAMES:SYSMAN" tested successfully
6) List named credentials.
$emcli list_named_credentials Credential Name Credential Owner Authenticating target type. Cred Type Name Target Name Target Username NC_G_RACTEST_JAMES SYSMAN oracle_database DBCreds JAMES NC_RACTEST_JAMES SYSMAN oracle_database DBCreds RACTEST JAMES ... .. .
7) Displays named credential details.
$ emcli get_named_credential -cred_name=NC_G_RACTEST_JAMES
Credential Name:NC_G_RACTEST_JAMES
Credential Owner:SYSMAN
Credential Type:DBCreds
Credential Target Type:oracle_database
Credential Username:JAMES
Credential Scope:global
Credential Guid:996809C30D3F08A6E0530BAB050AEA55
Credential Stripe:TARGETS
Credential Columns:
DBPassword=******
DBRole=normal
DBUserName=JAMES
$ emcli get_named_credential -cred_name=NC_RACTEST_JAMES
Credential Name:NC_RACTEST_JAMES
Credential Owner:SYSMAN
Credential Type:DBCreds
Credential Target Type:oracle_database
Credential Username:JAMES
Credential Scope:instance
Credential Guid:9967E027F13E4CC2E0530BAB050A9877
Credential Stripe:TARGETS
Instance Target Name:RACTEST
Instance Target Type:rac_database
Credential Columns:
DBPassword=******
DBRole=normal
DBUserName=JAMES
8)Deletes an existing named credential.
$ emcli delete_named_credential -cred_name=NC_G_RACTEST_JAMES
Credential deleted.
$ emcli delete_named_credential -cred_name=NC_RACTEST_JAMES \
-cred_owner=sysman
Credential deleted.
9)Help.
$emcli help create_named_credential
$ emcli help get_named_credential
Make DBA Life Easy 