Thursday, January 15, 2015

OEM 12c Cloud Control Reset the Weblogic and Nodemanager password

Have you ever encountered a situation where you have lost the nodemanager and weblogic passwords for your Oracle Enterprise Manager OEM12c environment? It is quite common, especially when you start supporting a new environment: the DBA may only know the sysman password and not the others, and you will need these account passwords once you decide to patch OEM12c.


Please refer to this useful Oracle Support note, which has detailed steps for doing this.


The steps are detailed and long; please follow them carefully, otherwise you may have trouble starting your OMS again.

12c Cloud Control: Steps for Modifying the Password for Weblogic and Nodemanager User Accounts in the Enterprise Manager Installation (Doc ID 1450798.1)

*****************************************************************************************************************
Changing the Weblogic Password When Existing Password is Unknown

1. Stop the OMS, Agent on the OMS machine and set the necessary environment variables:

Stop the OMS:
$ cd <OMS_HOME>/bin
$ emctl stop oms -all

Ensure the OMS has stopped completely and that no java process is still running from the OMS base location:

$ ps -ef | grep java

If any such processes are listed, kill them with: kill -9 <pid>, after confirming from the process's command line that it was started from the OMS base installation (other JVMs on the host, such as a standalone agent, must be left alone).

Stop the Agent on the OMS machine:
$ cd <AGENT_HOME>/bin
$ emctl stop agent

Set the necessary environment variables for the WLS domain:
$ export DOMAIN_HOME=<EM_INSTANCE_BASE>/user_projects/domains/GCDomain
$ cd $DOMAIN_HOME/bin
$ . ./setDomainEnv.sh

Note that you need to replace <EM_INSTANCE_BASE> with the full path to the gc_inst directory. DOMAIN_HOME must point at the GCDomain directory itself, not at its bin subdirectory, because the paths used in the following steps are built from it.

Note: In case of a multi-OMS setup, all OMS instances and their corresponding monitoring agents must be stopped.
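
The process check in step 1 is where a blunt `ps -ef | grep java` followed by kill -9 can take out an unrelated JVM on the host. The following is an added example, not part of the Oracle note or of the original post: it narrows the match to java processes whose command line references the OMS base directory, sends TERM before KILL, and reads the ps listing from standard input so the filter can be checked against a captured listing. The base path, the -Dweblogic.Name properties in the sample listing and the 15 second grace period are assumptions, not values from the note.

```sh
#!/bin/sh
# Added example, not from the Oracle note: safer version of the
# "ps -ef | grep java, then kill -9" check in step 1.

# oms_java_pids OMS_BASE
# Reads `ps -eo pid,args` output on stdin and prints the PIDs of java
# processes whose command line references OMS_BASE. Other JVMs on the
# host (a standalone agent, an unrelated domain) are not matched.
oms_java_pids() {
  # The base path is passed through the environment rather than -v so
  # awk does not reinterpret backslashes in it.
  OMS_BASE="$1" awk '
    ($2 == "java" || $2 ~ /\/java$/) && index($0, ENVIRON["OMS_BASE"]) > 0 {
      print $1
    }
  '
}

# kill_oms_java OMS_BASE
# What step 1 asks for, but TERM first, KILL only for whatever survives
# the grace period (15 s is an assumption), and only for processes that
# oms_java_pids attributes to OMS_BASE.
kill_oms_java() {
  pids=$(ps -eo pid,args | oms_java_pids "$1")
  [ -n "$pids" ] || return 0
  kill -TERM $pids 2>/dev/null || true
  sleep 15
  pids=$(ps -eo pid,args | oms_java_pids "$1")
  [ -n "$pids" ] || return 0
  kill -KILL $pids
}

# Typical use on the OMS host, after `emctl stop oms -all`:
#   ps -eo pid,args | oms_java_pids /u01/app/oracle/Middleware
#   kill_oms_java /u01/app/oracle/Middleware
```

Run `ps -eo pid,args | oms_java_pids <OMS_BASE>` first and read the list before calling kill_oms_java; an empty result is the state step 1 wants.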

2. Rename the existing DefaultAuthenticatorInit.ldift file in the domain's security directory and create a new one:

$ cd $DOMAIN_HOME/security
$ mv DefaultAuthenticatorInit.ldift DefaultAuthenticatorInit.ldift_old
$ java weblogic.security.utils.AdminAccount weblogic <new_password> .


Note:

-  Replace <new_password> with the new password that you wish to set for the weblogic user.
-  The character '.' is mandatory at the end of the above command: it is the directory into which the new DefaultAuthenticatorInit.ldift is written (the current directory, $DOMAIN_HOME/security).
-  The password is passed on the command line, so it lands in the shell history and is visible in the process list while the command runs; clear the history entry afterwards.
-  In case of a multi-OMS setup, the above step needs to be performed on each OMS server, and the same password must be provided for the weblogic user on all the OMS machines.

3. Rename the ldap directory for the AdminServer and Managed Server:

$ cd $DOMAIN_HOME/servers/EMGC_ADMINSERVER/data
$ mv ldap ldap_old

$ cd $DOMAIN_HOME/servers/EMGC_OMS1/data
$ mv ldap ldap_old

In case of a multi-OMS setup, only the managed server's ldap directory needs to be renamed on the additional OMS hosts, since the Admin Server runs on the first OMS host only.

4. Rename the .lok file in tmp directory of Admin Server and Managed Server, if it exists:

$ cd $DOMAIN_HOME/servers/EMGC_ADMINSERVER/tmp
$ mv EMGC_ADMINSERVER.lok EMGC_ADMINSERVER.lok_old

$ cd $DOMAIN_HOME/servers/EMGC_OMS1/tmp
$ mv EMGC_OMS1.lok EMGC_OMS1.lok_old

In case of a multi-OMS setup, only the managed server's tmp/*.lok file needs to be renamed on the additional OMS hosts.
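
Steps 2 to 4 are the part of the procedure that is hardest to undo by hand if the domain fails to come up afterwards. The following is an added example, not code from the Oracle note or from the original post: a small set of shell functions that performs the renames of steps 2 to 4 for a given list of servers without ever overwriting an earlier _old copy, plus the matching restore. The directory layout is assumed from the paths shown in steps 2 to 4, DOMAIN_HOME as used here is the GCDomain directory, and the server names are the ones from the note (pass the managed server name of the host, e.g. a different EMGC_OMSn, on additional OMS hosts). The java weblogic.security.utils.AdminAccount command of step 2 is still run separately, after the renames.

```sh
#!/bin/sh
# Added example, not from the Oracle note: idempotent renames for
# steps 2 to 4, with a matching restore for rollback.

# rename_if_present PATH: move PATH to PATH_old; silently skip when PATH
# is absent (the .lok files of step 4 often are), refuse to clobber an
# existing PATH_old so an earlier backup is never lost.
rename_if_present() {
  [ -e "$1" ] || return 0
  if [ -e "$1_old" ]; then
    echo "refusing to overwrite $1_old" >&2
    return 1
  fi
  mv "$1" "$1_old"
}

# restore_if_present PATH: undo rename_if_present, with the same guard.
restore_if_present() {
  [ -e "$1_old" ] || return 0
  if [ -e "$1" ]; then
    echo "refusing to overwrite $1" >&2
    return 1
  fi
  mv "$1_old" "$1"
}

# ldap_reset_paths DOMAIN_HOME SERVER...: the paths steps 2 to 4 rename,
# one per line, for the servers running on this host.
ldap_reset_paths() {
  dom="$1"; shift
  echo "$dom/security/DefaultAuthenticatorInit.ldift"    # step 2
  for srv in "$@"; do
    echo "$dom/servers/$srv/data/ldap"                   # step 3
    echo "$dom/servers/$srv/tmp/$srv.lok"                # step 4
  done
}

# reset_embedded_ldap DOMAIN_HOME SERVER...: perform the renames.
# Fails on the first refused rename and leaves the rest untouched.
reset_embedded_ldap() {
  ldap_reset_paths "$@" | while IFS= read -r p; do
    rename_if_present "$p" || exit 1
  done
}

# restore_embedded_ldap DOMAIN_HOME SERVER...: put everything back.
restore_embedded_ldap() {
  ldap_reset_paths "$@" | while IFS= read -r p; do
    restore_if_present "$p" || exit 1
  done
}

# On the first OMS host (Admin Server and managed server):
#   reset_embedded_ldap "$DOMAIN_HOME" EMGC_ADMINSERVER EMGC_OMS1
# On an additional OMS host (managed server only):
#   reset_embedded_ldap "$DOMAIN_HOME" EMGC_OMS2
# If the domain will not start afterwards and you want the old state back:
#   restore_embedded_ldap "$DOMAIN_HOME" EMGC_ADMINSERVER EMGC_OMS1
```

A restore only makes sense before the new DefaultAuthenticatorInit.ldift has been loaded by a successful Admin Server start; once the users of step 7 have been re-created, the _old copies are history and can be removed.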

5. Edit the Admin Server's $DOMAIN_HOME/servers/EMGC_ADMINSERVER/security/boot.properties file and specify the new password entered in step 2 in clear text, for the password field. WebLogic re-encrypts the value on the next start of the server; until then the file holds the password in the clear, so keep it readable by the OMS software owner only:

password=<new_password_in_clear_text>
username={AES}g6mxfhlx/JtaVKgqx9/pYb8bWaxitVXzbLMzwo9tOIs\=
For example:

password=oracle123
username={AES}g6mxfhlx/JtaVKgqx9/pYb8bWaxitVXzbLMzwo9tOIs\=

6. Modify the Managed Server's $DOMAIN_HOME/servers/EMGC_OMS1/data/nodemanager/boot.properties and specify the new password entered in step 2 in clear text, for the password field:

TrustKeyStore=DemoTrust
password=<new_password_in_clear_text>
username={AES}g6mxfhlx/JtaVKgqx9/pYb8bWaxitVXzbLMzwo9tOIs\=
For example:

TrustKeyStore=DemoTrust
password=oracle123
username={AES}g6mxfhlx/JtaVKgqx9/pYb8bWaxitVXzbLMzwo9tOIs\=

In case of a multi-OMS setup, the above step needs to be performed on each OMS server.

7. As part of the 12c OMS installation, two weblogic users named OracleSystemUser and weblogic_mntr are created. Because the embedded LDAP data was reset when the weblogic password was changed manually (steps 2 and 3), these users no longer exist, and it is important that they are re-created manually by following the steps below:

In a terminal session, start the Admin server:
$ $DOMAIN_HOME/startWebLogic.sh

Wait until the Admin server reports its status as 'RUNNING'. Keep this session open until the steps below are completed.

Access the Admin Server Console using the URL:  https://<omsmachine.domain>:<port>/console
(Default admin server console port is 7101). For the exact URL, refer to the details in the <OMS_HOME>/install/setupinfo.txt file.

Login with the weblogic user and provide the new password that was entered in Step 2.
In the Admin Server Console, navigate to Security Realms -> myrealm -> Users and Groups -> Groups.

Click on the 'New' button and enter the below details:
Name: OracleSystemGroup
Description: Oracle application software system group
Provider: <leave the default value: DefaultAuthenticator>
Click OK

Navigate to Security Realms -> myrealm -> Users and Groups -> Users. Click on the 'New' button and enter:
User: OracleSystemUser
Description: Oracle application software system user
Password: <provide same password as weblogic user>
Click OK.

Click on the username 'OracleSystemUser' and then click on 'Groups'. Select the previously created 'OracleSystemGroup' and click 'Save'.

In the Security Realms -> myrealm -> Users and Groups -> Users, click on the 'New' button again and enter:
User: weblogic_mntr
Description: Oracle application weblogic mntr user
Password: <provide same password as weblogic user>
Click OK.

Click on the username 'weblogic_mntr' and then click on 'Groups'. Select 'Administrators' and click 'Save'.

If the Admin Server username specified during the OEM installation is other than 'weblogic' (AS_USERNAME in emgc.properties), then a user with that username also needs to be created and added to the 'Administrators' group.

The password for nodemanager is needed in step 9 below, when the new weblogic password is saved in the credential store. If the password for the nodemanager account is also not known, then set a new password using the steps in the section: Changing the Nodemanager Password, at the end of this document, and then continue with the steps below.

8. Navigate to GCDomain -> Security -> Embedded LDAP page, choose the 'Lock and Edit' option and select the flag 'Refresh Replica At Startup'.
Click 'Save' and then click on 'Activate Changes'.

Note: This step is needed to ensure that the LDAP data for the managed servers gets properly synchronized on startup.

Stop the Admin server by pressing 'Ctrl+c' in the terminal session from which the Admin server was started at the beginning of step 7.

9. Run the below command to save the new password to the EM Credential store:

cd <OMS_ORACLE_HOME>/bin
emctl secure create_admin_creds_wallet -admin_pwd <weblogic_pwd> -nodemgr_pwd <node_manager_pwd>

In case of multi-OMS setup the above step needs to be performed on each OMS server.

10. Start the OMS:

cd <OMS_HOME>/bin
emctl start oms

11. Login to the Admin server console with username weblogic and the new password. Navigate to GCDomain -> Security -> Embedded LDAP page. Choose the 'Lock and Edit' option and unset the flag 'Refresh Replica At Startup'.
Click 'Save' and then click on 'Activate Changes'.

Note: The flag was used only for synchronizing the LDAP data in the managed servers at the time of startup after the password change; once this is accomplished, the option needs to be turned off, as it imposes a cost on every startup.

12. Restart the OMS

cd <OMS_ORACLE_HOME>/bin
emctl stop oms -all
emctl start oms

13. EMGC_GCDomain is a monitored target in Enterprise Manager, and the monitoring credentials of this target need to be updated so that it continues to be monitored:

Start the Agent on OMS Host
cd <AGENT_HOME>/bin
emctl start agent

Execute the below command to update the new password in monitoring configuration of weblogic target:
cd <OMS_HOME>/bin

emcli login -username=sysman
emcli modify_target -name="/EMGC_GCDomain/GCDomain" -type="weblogic_domain" -credentials="UserName:weblogic_mntr;password:<new password set in the admin server console>;" -on_agent

Note:

-  You need to provide the user name as weblogic_mntr and its corresponding password as set in the Admin server console.
-  The Monitoring password should be updated only after starting the Agent.





*****************************************************************************************************************

Changing the Weblogic Password When Existing Password is known

1. Access the Admin server console with the URL https://<omsmachine.domain>:<port>/console
(Default admin server console port is 7101). For the exact URL, refer to the details in the <OMS_HOME>/install/setupinfo.txt file.

2. Login to Admin server console as user weblogic and provide its password.

3. Navigate to Security Realms -> myrealm -> Users and Groups -> choose weblogic -> Passwords

(screenshot: weblogic_pwd)

4. Provide the new password and save it.

5. The password for nodemanager is needed in step 11 below, when the new weblogic password is saved in the credential store. If the password for the nodemanager account also needs to be changed, then set a new password using the steps in the section: Changing the Nodemanager Password, at the end of this document, and then continue with the steps below.

6. Click on 'Activate Changes' in the left panel.

7. Stop the OMS:

cd <OMS_HOME>/bin
emctl stop oms -all

8. Stop the Agent on OMS Host

cd <AGENT_HOME>/bin
emctl stop agent

9. Edit the Admin Server's $DOMAIN_HOME/servers/EMGC_ADMINSERVER/security/boot.properties file and specify the new password entered in the Admin server console in clear text, for the password field:

password=<new_password_in_clear_text>
username={AES}g6mxfhlx/JtaVKgqx9/pYb8bWaxitVXzbLMzwo9tOIs\=
For example:

password=oracle123
username={AES}g6mxfhlx/JtaVKgqx9/pYb8bWaxitVXzbLMzwo9tOIs\=

10. Modify the Managed Server's $DOMAIN_HOME/servers/EMGC_OMS1/data/nodemanager/boot.properties and specify the new password entered in the Admin server console in clear text, for the password field:

TrustKeyStore=DemoTrust
password=<new_password_in_clear_text>
username={AES}g6mxfhlx/JtaVKgqx9/pYb8bWaxitVXzbLMzwo9tOIs\=
For example:

TrustKeyStore=DemoTrust
password=oracle123
username={AES}g6mxfhlx/JtaVKgqx9/pYb8bWaxitVXzbLMzwo9tOIs\=

In case of a multi-OMS setup, the above step needs to be performed on each OMS server.

11. Execute the below command to save the new passwords to the EM Credential store:

cd <OMS_ORACLE_HOME>/bin
emctl secure create_admin_creds_wallet -admin_pwd <weblogic_pwd> -nodemgr_pwd <node_manager_pwd>

In case of multi-OMS setup the above step needs to be performed on each OMS server.

12. Start the OMS:

cd <OMS_HOME>/bin
emctl start oms

13. EMGC_GCDomain is a monitored target in Enterprise Manager, and the monitoring credentials of this target need to be updated so that it continues to be monitored:

Start the Agent on OMS Host
cd <AGENT_HOME>/bin
emctl start agent

Execute the below command to update the new password in monitoring configuration of weblogic target:
cd <OMS_HOME>/bin

emcli login -username=sysman
emcli modify_target -name="/EMGC_GCDomain/GCDomain" -type="weblogic_domain" -credentials="UserName:weblogic_mntr;password:<new password set in the admin server console>;" -on_agent

Note:

-  You need to provide the user name as weblogic_mntr and its corresponding password as set in the Admin server console.
-  The Monitoring password should be updated only after starting the Agent.

*********************************************************************************

Changing the Nodemanager Password

The nodemanager password can be modified by logging into the Admin server console as the weblogic user. If the password for the weblogic user is unknown, then follow the steps in the section: Changing the Weblogic Password When Existing Password is Unknown

1. Access the Admin Server Console using the URL:  https://<omsmachine.domain>:<port>/console

(Default admin server console port is 7101). For the exact URL, refer to the details in the <OMS_HOME>/install/setupinfo.txt file.

2. Login with the weblogic user and navigate to GCDomain -> Security -> expand the Advanced section:

(screenshot: nm_password)

Enter the new password in the 'NodeManager Password' and 'Confirm NodeManager Password' fields and click on the 'Save' button. Click on 'Activate Changes' in the left panel.

(screenshot: NM_PASSWORD_2)

3. On the OMS machine, edit the nm_password.properties file under <EM_INSTANCE_BASE>/user_projects/domains/GCDomain/config/nodemanager and modify:

hashed=y4x2gnOpFlH9x9HUatIOVlV7nnU\=

TO

password=<new_nodemanager_password>
username=nodemanager

Provide the new password for the nodemanager in clear text. Ensure there is no space character at the end of any line; Node Manager re-hashes the value on its next start, and a trailing space would become part of the password.
In case of multi-OMS setup the above step needs to be performed on each OMS server.
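
Steps 5 and 6 of the first section (and 9 and 10 of the second) put the weblogic password into boot.properties in clear text, and step 3 above does the same for the nodemanager in nm_password.properties, with the warning about trailing spaces. The following is an added example, not code from the Oracle note or from the original post, that does the edit for either file in one place: it keeps every other line (the {AES} encrypted username line and TrustKeyStore), drops a stale hashed= line, strips trailing whitespace, adds username= when asked for and absent, keeps one untouched copy as FILE_old, and leaves the result readable by the owner only, since it is clear text until WebLogic re-encrypts it. The function and file names are mine; the sample file contents in the usage comment are constructed from the examples in the note.

```sh
#!/bin/sh
# Added example, not from the Oracle note: write a clear-text password
# into boot.properties or nm_password.properties safely.

# set_cleartext_password FILE NEW_PASSWORD [USERNAME]
set_cleartext_password() {
  file="$1"; tmp="$1.tmp.$$"
  # Keep one pristine copy, in the note's own _old naming, never overwritten.
  [ -e "${file}_old" ] || cp -p "$file" "${file}_old"
  (
    umask 077   # the rewritten file is never world-readable, even briefly
    # Values travel through the environment rather than awk -v so that
    # backslashes in a password are not reinterpreted.
    NEW_PW="$2" NEW_USER="${3:-}" awk '
      { sub(/[ \t]+$/, "") }                   # no trailing spaces (step 3)
      /^hashed=/   { next }                    # old hash is replaced by clear text
      /^password=/ { print "password=" ENVIRON["NEW_PW"]; seen_pw = 1; next }
      /^username=/ { seen_user = 1 }           # keep {AES}... or plain username
      { print }
      END {
        if (!seen_pw) print "password=" ENVIRON["NEW_PW"]
        if (ENVIRON["NEW_USER"] != "" && !seen_user) print "username=" ENVIRON["NEW_USER"]
      }
    ' "$file" > "$tmp"
  ) && mv "$tmp" "$file" && chmod 600 "$file"
}

# check_props_file FILE: the check worth running before starting the
# server; exactly one password= line and no trailing whitespace anywhere.
check_props_file() {
  [ "$(grep -c '^password=' "$1")" -eq 1 ] && ! grep -q '[[:space:]]$' "$1"
}

# Usage, with the paths from the note:
#   set_cleartext_password "$DOMAIN_HOME/servers/EMGC_ADMINSERVER/security/boot.properties" 'newpass'
#   set_cleartext_password "$DOMAIN_HOME/servers/EMGC_OMS1/data/nodemanager/boot.properties" 'newpass'
#   set_cleartext_password "$DOMAIN_HOME/config/nodemanager/nm_password.properties" 'nmpass' nodemanager
#   check_props_file "$DOMAIN_HOME/config/nodemanager/nm_password.properties"
```

The password still arrives as a shell argument, so type the call in an interactive session with history disabled (or clear the entry afterwards), the same caveat that applies to the AdminAccount command in step 2 of the first section.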

4. If you are only changing the nodemanager password and not the weblogic password, then execute the below commands to save the new passwords to the EM Credential store. If the weblogic password is also being changed, then skip this and continue with the rest of the steps for changing the weblogic password:

cd <OMS_ORACLE_HOME>/bin
emctl secure create_admin_creds_wallet -admin_pwd <weblogic_pwd> -nodemgr_pwd <node_manager_pwd>

Restart OMS
cd <OMS_HOME>/bin
emctl stop oms -all
emctl start oms

In case of multi-OMS setup the above step needs to be performed on each OMS server.

1 comment:

  1. Yes, I faced the situation of losing the nodemanager and weblogic password for my Oracle Enterprise Manager OEM12c. Thank you for your great post on how to deal with it.
