Its official I would like to sincerely thank Tim Gorman for nominating me to receive the Oracle ACE Associate award! I am honored to be part of the Oracle ACE community
Nabil Nawaz Oracle ACE profile
Thursday, January 15, 2015
OEM 12c Cloud Control Reset the Weblogic and Nodemanager password
Have you ever encountered a situation where you lost the nodemanager and weblogic password for your Oracle Enterprise Manager OEM12c environment? It is quite common especially if you start to support a new environment and the DBA may only know the sysman password but not the others and you may need these account passwords once you decide to patch OEM12c.
Please refer to this useful Oracle Support note that has detailed steps to do this.
These steps are detailed and long, please ensure you follow them carefully otherwise you may have issues in starting your OMS again.
12c Cloud Control: Steps for Modifying the Password for Weblogic and Nodemanager User Accounts in the Enterprise Manager Installation (Doc ID 1450798.1)
*****************************************************************************************************************
Changing the Weblogic Password When Existing Password is Unknown
1. Stop the OMS, Agent on the OMS machine and set the necessary environment variables:
Stop the OMS:
$ cd <OMS_HOME>/bin
$ emctl stop oms -all
Ensure the OMS has stopped completely and there is no java process running from OMS base location:
$ ps -ef | grep java
If any processes are listed, then kill them using: kill -9 <pid> command, after ensuring that the process is running from the OMS base installation.
Stop the Agent on the OMS machine:
$ cd <AGENT_HOME>/bin>
$ emctl stop agent
Set the necessary environment variables for the WLS domain:
$ export DOMAIN_HOME=<EM_INSTANCE_BASE>/user_projects/domains/GCDomain/bin
$ . ./setDomainEnv.sh
Note that you need to replace <EM_INSTANCE_BASE> with the full path to the gc_inst directory.
Note: In case of a multi-OMS setup, all the OMS and the corresponding monitoring agent must be stopped.
2. Rename the existing DefaultAuthenticatorInit.ldift file in the domain directory and create a new file:
$ cd $DOMAIN_HOME/security
$ mv DefaultAuthenticatorInit.ldift DefaultAuthenticatorInit.ldift_old
$ java weblogic.security.utils.AdminAccount weblogic <new_password> .
Note:
- Replace <new_password> with the new password that you wish to set for the weblogic user.
- The character '.' is mandatory at the end of above command.
- In case of a multi-OMS setup, the above step need to be performed on each OMS server and ensure that the same password is provided for the weblogic user on all the OMS machines.
3. Rename the ldap directory for the AdminServer and Managed Server:
$ cd $DOMAIN_HOME/servers/EMGC_ADMINSERVER/data
$ mv ldap ldap_old
$ cd $DOMAIN_HOME/servers/EMGC_OMS1/data
$ mv ldap ldap_old
In case of a multi-OMS setup, the ldap directory needs to be renamed only for the managed server
4. Rename the .lok file in tmp directory of Admin Server and Managed Server, if it exists:
$ cd $DOMAIN_HOME/servers/EMGC_ADMINSERVER/tmp
$ mv EMGC_ADMINSERVER.lok EMGC_ADMINSERVER.lok_old
$ cd $DOMAIN_HOME/servers/EMGC_OMS1/tmp
$ mv EMGC_OMS1.lok EMGC_OMS1.lok_old
In case of a multi-OMS setup, the tmp/*.lok file needs to be renamed only for the managed server.
5. Edit the Admin Server's $DOMAIN_HOME/servers/EMGC_ADMINSERVER/security/boot.properties file and specify the new password entered in step 2 in clear text, for the password field:
password=<new_password_in_clear_text>
username={AES}g6mxfhlx/JtaVKgqx9/pYb8bWaxitVXzbLMzwo9tOIs\=
For example:
password=oracle123
username={AES}g6mxfhlx/JtaVKgqx9/pYb8bWaxitVXzbLMzwo9tOIs\=
6. Modify the Managed Server's $DOMAIN_HOME/servers/EMGC_OMS1/data/nodemanager/boot.properties and specify the new password entered in step 2 in clear text, for the password field:
TrustKeyStore=DemoTrust
password=<new_password_in_clear_text>
username={AES}g6mxfhlx/JtaVKgqx9/pYb8bWaxitVXzbLMzwo9tOIs\=
For example:
TrustKeyStore=DemoTrust
password=oracle123
username={AES}g6mxfhlx/JtaVKgqx9/pYb8bWaxitVXzbLMzwo9tOIs\=
In case of a multi-OMS setup, the above step need to be performed on each OMS server.
7. As part of the 12c OMS installation, two weblogic users named: OracleSystemUser and weblogic_mntr are created. When the weblogic password is modified manually, these users are removed and it is important that these users are re-created manually by following the below steps:
In a terminal session, start the Admin server:
$ $DOMAIN_HOME/startWebLogic.sh
Wait till the status of Admin server is reported as 'RUNNING'. This session should be kept open till the below steps are completed.
Access the Admin Server Console using the URL: https://<omsmachine.domain>:<port>/console
(Default admin server console port is 7101). For the exact URL, refer to the details in the <OMS_HOME>/install/setupinfo.txt file.
Login with the weblogic user and provide the new password that was entered in Step 2.
In the Admin Server Console, navigate to Security Realms -> myrealm -> Users and Groups -> Groups.
Click on the 'New' button and enter the below details:
Name: OracleSystemGroup
Description: Oracle application software system group
Provider: <leave the default value: DefaultAuthenticator>
Click OK
Navigate to Security Realms -> myrealm -> Users and Groups -> Users. Click on the 'New' button and enter:
User: OracleSystemUser
Description: Oracle application software system user
Password: <provide same password as weblogic user>
Click OK.
Click on the username 'OracleSystemUser' and then click on 'Groups'. Select the previously created 'OracleSystemGroup' and click 'Save'.
In the Security Realms -> myrealm -> Users and Groups -> Users, click on the 'New' button again and enter:
User: weblogic_mntr
Description: Oracle application weblogic mntr user
Password: <provide same password as weblogic user>
Click OK.
Click on the username 'weblogic_mntr' and then click on 'Groups'. Select 'Administrators' and click 'Save'.
If the Admin Server Username specified during OEM installation is other than 'weblogic' (AS_USERNAME in emgc.properties) , then need to create a user with that username also and assign 'Administrator' group to it.
The password for nodemanager is needed in the the next step 9 when the new weblogic password is saved in the credential store. If the password for nodemanager account is also not known, then set a new password using the steps in the section: Changing the Nodemanager Password, at the end of this document and then continue with the steps below.
Navigate to GCDomain -> Security -> Embedded LDAP page, choose the 'Lock and Edit' option and select the flag 'Refresh Replica At Startup'.
Click 'Save' and then click on 'Activate Changes'.
Note: This step is needed to ensure that the LDAP data for the managed servers gets properly synchronized on startup.
Stop the Admin server by executing 'Ctrl+c' in the terminal session from which the Admin server was started at the beginning of this step.
9. Run the below command to save the new password to the EM Credential store:
cd <OMS_ORACLE_HOME>/bin
emctl secure create_admin_creds_wallet -admin_pwd <weblogic_pwd> -nodemgr_pwd <node_manager_pwd>
In case of multi-OMS setup the above step needs to be performed on each OMS server.
10. Start the OMS:
cd <OMS_HOME>/bin
emctl start oms
11. Login to Admin server console with username weblogic and the new password. Navigate to GCDomain -> Security -> Embedded LDAP page. Toggle the 'Lock and Edit option and unset the flag 'Refresh Replica At Startup'.
Click 'Save' and then click on 'Activate Changes'.
Note: The flag was used only for synchronizing the LDAP data in the managed servers at the time of startup after the password change but once this is accomplished, the option needs to be turned off as it imposes a cost on the startup operation.
12. Restart the OMS
cd <OMS_ORACLE_HOME>/bin
emctl stop oms -all
emctl start oms
13. EMGC_GCDomain is a monitored target in Enterprise Manager and the monitoring credentials of this target needs to be updated so as to continue monitoring this target:
Start the Agent on OMS Host
cd <AGENT_HOME>/bin
emctl start agent
Execute the below command to update the new password in monitoring configuration of weblogic target:
cd <OMS_HOME>/bin
emcli login -username=sysman
emcli modify_target -name="/EMGC_GCDomain/GCDomain" -type="weblogic_domain" -credentials="UserName:weblogic_mntr;password:<new password set in the admin server console>;" -on_agent
Note:
- You need to provide the user name as weblogic_mntr and its corresponding password as set in the Admin server console.
- The Monitoring password should be updated only after starting the Agent.
Back to Top
*****************************************************************************************************************
Changing the Weblogic Password When Existing Password is known
1. Access the Admin server console with the URL https://<omsmachine.domain>:<port>/console
(Default admin server console port is 7101). For the exact URL, refer to the details in the <OMS_HOME>/install/setupinfo.txt file.
2. Login to Admin server console as user weblogic and provide its password.
3. Navigate to Security Realms->myrealm->Users and Groups->choose weblogic->Passwords
weblogic_pwd
Provide the new password and save it.
5. The password for nodemanager is needed in the the below step 11 when the new weblogic password is saved in the credential store. If the password for nodemanager account also needs to be changed, then set a new password using the steps in the section: Changing the Nodemanager Password, at the end of this document and then continue with the steps below.
6. Click on 'Activate Changes' in the left panel.
7. Stop the OMS:
cd <OMS_HOME>/bin
emctl stop oms -all
8. Stop the Agent on OMS Host
cd <AGENT_HOME>/bin
emctl stop agent
9. Edit the Admin Server's $DOMAIN_HOME/servers/EMGC_ADMINSERVER/security/boot.properties file and specify the new password entered in the Admin server console in clear text, for the password field:
password=<new_password_in_clear_text>
username={AES}g6mxfhlx/JtaVKgqx9/pYb8bWaxitVXzbLMzwo9tOIs\=
For example:
password=oracle123
username={AES}g6mxfhlx/JtaVKgqx9/pYb8bWaxitVXzbLMzwo9tOIs\=
10. Modify the Managed Server's $DOMAIN_HOME/servers/EMGC_OMS1/data/nodemanager/boot.properties and specify the new password entered in step 2 in clear text, for the password field:
TrustKeyStore=DemoTrust
password=<new_password_in_clear_text>
username={AES}g6mxfhlx/JtaVKgqx9/pYb8bWaxitVXzbLMzwo9tOIs\=
For example:
TrustKeyStore=DemoTrust
password=oracle123
username={AES}g6mxfhlx/JtaVKgqx9/pYb8bWaxitVXzbLMzwo9tOIs\=
In case of a multi-OMS setup, the above step need to be performed on each OMS server.
11. Execute the below command to save the new passwords to the EM Credential store:
cd <OMS_ORACLE_HOME>/bin
emctl secure create_admin_creds_wallet -admin_pwd <weblogic_pwd> -nodemgr_pwd <node_manager_pwd>
In case of multi-OMS setup the above step needs to be performed on each OMS server.
12. Start the OMS:
cd <OMS_HOME>/bin
emctl start oms
13. EMGC_GCDomain is a monitored target in Enterprise Manager and the monitoring credentials of this target needs to be updated so as to continue monitoring this target:
Start the Agent on OMS Host
cd <AGENT_HOME>/bin
emctl start agent
Execute the below command to update the new password in monitoring configuration of weblogic target:
cd <OMS_HOME>/bin
emcli login -username=sysman
emcli modify_target -name="/EMGC_GCDomain/GCDomain" -type="weblogic_domain" -credentials="UserName:weblogic_mntr;password:<new password set in the admin server console>;" -on_agent
Note:
- You need to provide the user name as weblogic_mntr and its corresponding password as set in the Admin server console.
- The Monitoring password should be updated only after starting the Agent.
Back to Top
*********************************************************************************
Changing the Nodemanager Password
The nodemanager password can be modified by logging into the Admin server console as the weblogic user. If the password for the weblogic user is unknown, then follow the steps in the section: Changing the Weblogic Password When Existing Password is Unknown
1. Access the Admin Server Console using the URL: https://<omsmachine.domain>:<port>/console
(Default admin server console port is 7101). For the exact URL, refer to the details in the <OMS_HOME>/install/setupinfo.txt file.
2. Login with the weblogic user and navigate to GCDomain->Security-> expand the Advanced section:
nm_password
Enter the new password in the 'NodeManager Password' and 'Confirm NodeManager Password' fields and click on 'save' button. Click on 'Activate Changes' in the left panel.
NM_PASSWORD_2
3. On the OMS machine, edit the nm_password.properties file under <EM_INSTANCE_BASE/user_projects/domains/GCDomain/config/nodemanager and modify:
hashed=y4x2gnOpFlH9x9HUatIOVlV7nnU\=
TO
password=<new_nodemanager_password>
username=nodemanager
Provide the new password for the nodemanager in cleartext.Ensure there is no 'space' character at the end of each line.
In case of multi-OMS setup the above step needs to be performed on each OMS server.
4.If you are only changing the nodemanager password and not weblogic password, then execute the below commands to save the new passwords to the EM Credential store.If weblogic password is also being changed, then skip this and continue with the rest of steps for changing the weblogic password :
cd <OMS_ORACLE_HOME>/bin
emctl secure create_admin_creds_wallet -admin_pwd <weblogic_pwd> -nodemgr_pwd <node_manager_pwd>
Restart OMS
<OMS_HOME>/bin>./emctl stop oms -all
<OMS_HOME>/bin>./emctl start oms
In case of multi-OMS setup the above step needs to be performed on each OMS server.
Please refer to this useful Oracle Support note that has detailed steps to do this.
These steps are detailed and long, please ensure you follow them carefully otherwise you may have issues in starting your OMS again.
12c Cloud Control: Steps for Modifying the Password for Weblogic and Nodemanager User Accounts in the Enterprise Manager Installation (Doc ID 1450798.1)
*****************************************************************************************************************
Changing the Weblogic Password When Existing Password is Unknown
1. Stop the OMS, Agent on the OMS machine and set the necessary environment variables:
Stop the OMS:
$ cd <OMS_HOME>/bin
$ emctl stop oms -all
Ensure the OMS has stopped completely and there is no java process running from OMS base location:
$ ps -ef | grep java
If any processes are listed, then kill them using: kill -9 <pid> command, after ensuring that the process is running from the OMS base installation.
Stop the Agent on the OMS machine:
$ cd <AGENT_HOME>/bin>
$ emctl stop agent
Set the necessary environment variables for the WLS domain:
$ export DOMAIN_HOME=<EM_INSTANCE_BASE>/user_projects/domains/GCDomain/bin
$ . ./setDomainEnv.sh
Note that you need to replace <EM_INSTANCE_BASE> with the full path to the gc_inst directory.
Note: In case of a multi-OMS setup, all the OMS and the corresponding monitoring agent must be stopped.
2. Rename the existing DefaultAuthenticatorInit.ldift file in the domain directory and create a new file:
$ cd $DOMAIN_HOME/security
$ mv DefaultAuthenticatorInit.ldift DefaultAuthenticatorInit.ldift_old
$ java weblogic.security.utils.AdminAccount weblogic <new_password> .
Note:
- Replace <new_password> with the new password that you wish to set for the weblogic user.
- The character '.' is mandatory at the end of above command.
- In case of a multi-OMS setup, the above step need to be performed on each OMS server and ensure that the same password is provided for the weblogic user on all the OMS machines.
3. Rename the ldap directory for the AdminServer and Managed Server:
$ cd $DOMAIN_HOME/servers/EMGC_ADMINSERVER/data
$ mv ldap ldap_old
$ cd $DOMAIN_HOME/servers/EMGC_OMS1/data
$ mv ldap ldap_old
In case of a multi-OMS setup, the ldap directory needs to be renamed only for the managed server
4. Rename the .lok file in tmp directory of Admin Server and Managed Server, if it exists:
$ cd $DOMAIN_HOME/servers/EMGC_ADMINSERVER/tmp
$ mv EMGC_ADMINSERVER.lok EMGC_ADMINSERVER.lok_old
$ cd $DOMAIN_HOME/servers/EMGC_OMS1/tmp
$ mv EMGC_OMS1.lok EMGC_OMS1.lok_old
In case of a multi-OMS setup, the tmp/*.lok file needs to be renamed only for the managed server.
5. Edit the Admin Server's $DOMAIN_HOME/servers/EMGC_ADMINSERVER/security/boot.properties file and specify the new password entered in step 2 in clear text, for the password field:
password=<new_password_in_clear_text>
username={AES}g6mxfhlx/JtaVKgqx9/pYb8bWaxitVXzbLMzwo9tOIs\=
For example:
password=oracle123
username={AES}g6mxfhlx/JtaVKgqx9/pYb8bWaxitVXzbLMzwo9tOIs\=
6. Modify the Managed Server's $DOMAIN_HOME/servers/EMGC_OMS1/data/nodemanager/boot.properties and specify the new password entered in step 2 in clear text, for the password field:
TrustKeyStore=DemoTrust
password=<new_password_in_clear_text>
username={AES}g6mxfhlx/JtaVKgqx9/pYb8bWaxitVXzbLMzwo9tOIs\=
For example:
TrustKeyStore=DemoTrust
password=oracle123
username={AES}g6mxfhlx/JtaVKgqx9/pYb8bWaxitVXzbLMzwo9tOIs\=
In case of a multi-OMS setup, the above step need to be performed on each OMS server.
7. As part of the 12c OMS installation, two weblogic users named: OracleSystemUser and weblogic_mntr are created. When the weblogic password is modified manually, these users are removed and it is important that these users are re-created manually by following the below steps:
In a terminal session, start the Admin server:
$ $DOMAIN_HOME/startWebLogic.sh
Wait till the status of Admin server is reported as 'RUNNING'. This session should be kept open till the below steps are completed.
Access the Admin Server Console using the URL: https://<omsmachine.domain>:<port>/console
(Default admin server console port is 7101). For the exact URL, refer to the details in the <OMS_HOME>/install/setupinfo.txt file.
Login with the weblogic user and provide the new password that was entered in Step 2.
In the Admin Server Console, navigate to Security Realms -> myrealm -> Users and Groups -> Groups.
Click on the 'New' button and enter the below details:
Name: OracleSystemGroup
Description: Oracle application software system group
Provider: <leave the default value: DefaultAuthenticator>
Click OK
Navigate to Security Realms -> myrealm -> Users and Groups -> Users. Click on the 'New' button and enter:
User: OracleSystemUser
Description: Oracle application software system user
Password: <provide same password as weblogic user>
Click OK.
Click on the username 'OracleSystemUser' and then click on 'Groups'. Select the previously created 'OracleSystemGroup' and click 'Save'.
In the Security Realms -> myrealm -> Users and Groups -> Users, click on the 'New' button again and enter:
User: weblogic_mntr
Description: Oracle application weblogic mntr user
Password: <provide same password as weblogic user>
Click OK.
Click on the username 'weblogic_mntr' and then click on 'Groups'. Select 'Administrators' and click 'Save'.
If the Admin Server Username specified during OEM installation is other than 'weblogic' (AS_USERNAME in emgc.properties) , then need to create a user with that username also and assign 'Administrator' group to it.
The password for nodemanager is needed in the the next step 9 when the new weblogic password is saved in the credential store. If the password for nodemanager account is also not known, then set a new password using the steps in the section: Changing the Nodemanager Password, at the end of this document and then continue with the steps below.
Navigate to GCDomain -> Security -> Embedded LDAP page, choose the 'Lock and Edit' option and select the flag 'Refresh Replica At Startup'.
Click 'Save' and then click on 'Activate Changes'.
Note: This step is needed to ensure that the LDAP data for the managed servers gets properly synchronized on startup.
Stop the Admin server by executing 'Ctrl+c' in the terminal session from which the Admin server was started at the beginning of this step.
9. Run the below command to save the new password to the EM Credential store:
cd <OMS_ORACLE_HOME>/bin
emctl secure create_admin_creds_wallet -admin_pwd <weblogic_pwd> -nodemgr_pwd <node_manager_pwd>
In case of multi-OMS setup the above step needs to be performed on each OMS server.
10. Start the OMS:
cd <OMS_HOME>/bin
emctl start oms
11. Login to Admin server console with username weblogic and the new password. Navigate to GCDomain -> Security -> Embedded LDAP page. Toggle the 'Lock and Edit option and unset the flag 'Refresh Replica At Startup'.
Click 'Save' and then click on 'Activate Changes'.
Note: The flag was used only for synchronizing the LDAP data in the managed servers at the time of startup after the password change but once this is accomplished, the option needs to be turned off as it imposes a cost on the startup operation.
12. Restart the OMS
cd <OMS_ORACLE_HOME>/bin
emctl stop oms -all
emctl start oms
13. EMGC_GCDomain is a monitored target in Enterprise Manager and the monitoring credentials of this target needs to be updated so as to continue monitoring this target:
Start the Agent on OMS Host
cd <AGENT_HOME>/bin
emctl start agent
Execute the below command to update the new password in monitoring configuration of weblogic target:
cd <OMS_HOME>/bin
emcli login -username=sysman
emcli modify_target -name="/EMGC_GCDomain/GCDomain" -type="weblogic_domain" -credentials="UserName:weblogic_mntr;password:<new password set in the admin server console>;" -on_agent
Note:
- You need to provide the user name as weblogic_mntr and its corresponding password as set in the Admin server console.
- The Monitoring password should be updated only after starting the Agent.
Back to Top
*****************************************************************************************************************
Changing the Weblogic Password When Existing Password is known
1. Access the Admin server console with the URL https://<omsmachine.domain>:<port>/console
(Default admin server console port is 7101). For the exact URL, refer to the details in the <OMS_HOME>/install/setupinfo.txt file.
2. Login to Admin server console as user weblogic and provide its password.
3. Navigate to Security Realms->myrealm->Users and Groups->choose weblogic->Passwords
weblogic_pwd
Provide the new password and save it.
5. The password for nodemanager is needed in the the below step 11 when the new weblogic password is saved in the credential store. If the password for nodemanager account also needs to be changed, then set a new password using the steps in the section: Changing the Nodemanager Password, at the end of this document and then continue with the steps below.
6. Click on 'Activate Changes' in the left panel.
7. Stop the OMS:
cd <OMS_HOME>/bin
emctl stop oms -all
8. Stop the Agent on OMS Host
cd <AGENT_HOME>/bin
emctl stop agent
9. Edit the Admin Server's $DOMAIN_HOME/servers/EMGC_ADMINSERVER/security/boot.properties file and specify the new password entered in the Admin server console in clear text, for the password field:
password=<new_password_in_clear_text>
username={AES}g6mxfhlx/JtaVKgqx9/pYb8bWaxitVXzbLMzwo9tOIs\=
For example:
password=oracle123
username={AES}g6mxfhlx/JtaVKgqx9/pYb8bWaxitVXzbLMzwo9tOIs\=
10. Modify the Managed Server's $DOMAIN_HOME/servers/EMGC_OMS1/data/nodemanager/boot.properties and specify the new password entered in step 2 in clear text, for the password field:
TrustKeyStore=DemoTrust
password=<new_password_in_clear_text>
username={AES}g6mxfhlx/JtaVKgqx9/pYb8bWaxitVXzbLMzwo9tOIs\=
For example:
TrustKeyStore=DemoTrust
password=oracle123
username={AES}g6mxfhlx/JtaVKgqx9/pYb8bWaxitVXzbLMzwo9tOIs\=
In case of a multi-OMS setup, the above step need to be performed on each OMS server.
11. Execute the below command to save the new passwords to the EM Credential store:
cd <OMS_ORACLE_HOME>/bin
emctl secure create_admin_creds_wallet -admin_pwd <weblogic_pwd> -nodemgr_pwd <node_manager_pwd>
In case of multi-OMS setup the above step needs to be performed on each OMS server.
12. Start the OMS:
cd <OMS_HOME>/bin
emctl start oms
13. EMGC_GCDomain is a monitored target in Enterprise Manager and the monitoring credentials of this target needs to be updated so as to continue monitoring this target:
Start the Agent on OMS Host
cd <AGENT_HOME>/bin
emctl start agent
Execute the below command to update the new password in monitoring configuration of weblogic target:
cd <OMS_HOME>/bin
emcli login -username=sysman
emcli modify_target -name="/EMGC_GCDomain/GCDomain" -type="weblogic_domain" -credentials="UserName:weblogic_mntr;password:<new password set in the admin server console>;" -on_agent
Note:
- You need to provide the user name as weblogic_mntr and its corresponding password as set in the Admin server console.
- The Monitoring password should be updated only after starting the Agent.
Back to Top
*********************************************************************************
Changing the Nodemanager Password
The nodemanager password can be modified by logging into the Admin server console as the weblogic user. If the password for the weblogic user is unknown, then follow the steps in the section: Changing the Weblogic Password When Existing Password is Unknown
1. Access the Admin Server Console using the URL: https://<omsmachine.domain>:<port>/console
(Default admin server console port is 7101). For the exact URL, refer to the details in the <OMS_HOME>/install/setupinfo.txt file.
2. Login with the weblogic user and navigate to GCDomain->Security-> expand the Advanced section:
nm_password
Enter the new password in the 'NodeManager Password' and 'Confirm NodeManager Password' fields and click on 'save' button. Click on 'Activate Changes' in the left panel.
NM_PASSWORD_2
3. On the OMS machine, edit the nm_password.properties file under <EM_INSTANCE_BASE/user_projects/domains/GCDomain/config/nodemanager and modify:
hashed=y4x2gnOpFlH9x9HUatIOVlV7nnU\=
TO
password=<new_nodemanager_password>
username=nodemanager
Provide the new password for the nodemanager in cleartext.Ensure there is no 'space' character at the end of each line.
In case of multi-OMS setup the above step needs to be performed on each OMS server.
4.If you are only changing the nodemanager password and not weblogic password, then execute the below commands to save the new passwords to the EM Credential store.If weblogic password is also being changed, then skip this and continue with the rest of steps for changing the weblogic password :
cd <OMS_ORACLE_HOME>/bin
emctl secure create_admin_creds_wallet -admin_pwd <weblogic_pwd> -nodemgr_pwd <node_manager_pwd>
Restart OMS
<OMS_HOME>/bin>./emctl stop oms -all
<OMS_HOME>/bin>./emctl start oms
In case of multi-OMS setup the above step needs to be performed on each OMS server.
Tuesday, October 21, 2014
Oracle ASR snmp notification solution for Database Compute Nodes
Oracle ASR - Automatic Service
Request is a secure automatic service request generation and priority service
request handling for hardware faults on Oracle engineered systems such as
Exadata and the ZFS storage appliance. When a hardware fault is detected,
Oracle Auto Service Request opens a service request with Oracle automatically
and transports electronic fault telemetry to help
expedite
the diagnostic process. Oracle Support is notified promptly and parts are
dispatched upon receipt of the service request if required.
I was
working on setting up ASR on a couple of Exadata systems for a client and
noticed the asrexachk script did
not get any snmp notification from the Database compute nodes. The asrexachk script is designed to check and test ASR
configurations to make sure that the Engineered Systems can communicate to the
ASR Manager server.
Oracle
Support suggested that the correct route on the Exadata compute nodes may not
be taken by snmp to send a message via the UDP protocol on port 162 and that a
manual static route may need to be added to the Exadata database compute nodes,
The
following commands were given as a solution to run on all database compute
nodes.
First you
need to get the gateway IP address from the server.
$ grep -i gateway /etc/sysconfig/network-scripts/ifcfg-eth0
GATEWAY=<GATEWAY IP Address>
Then you can add the static route.
$ /sbin/route add -host <ASR Manager Server IP Address> gw <GATEWAY IP Address>
Run the tcpdump command from the ASR Manager server to see what notifications are sent in. You will see after the above route changes snmp trap notifications will start to come in from the DB nodes when an test notification is generated from the DB compute nodes.
[root@ASRMANAGER ~]# tcpdump -ni eth1
udp port 162
tcpdump: verbose
output suppressed, use -v or -vv for full protocol decode
listening on
eth1, link-type EN10MB (Ethernet), capture size 96 bytes
22:06:28.712136
IP <DB node IP address>.33020 > <ASR Manager Server IP Address>.snmptrap:
Trap(24) .1.3.6.1.6.3 10.43.47.133 coldStart 0 <--- SNMP
TRAP DB NODE
22:08:36.931920
IP <DB node IP address>.12984 > <ASR Manager Server IP Address>.snmptrap:
V2Trap(286) .1.3.6.1.2.1.1.3.0=206723517 [|snmp] <--- DB NODE
ASR SNMP TRAP
From the Database compute nodes you can run the snmptrap command to send to the ASR Manager server and you will see the above message.
[root@EXANODE1 ~]# snmptrap -v 1 -c public <ASR
Manager Server IP Address> .1.3.6.1.6.3 "" 0 0 coldStart.0
From the Database compute nodes you can run the exadata_mon_hw_asr.pl command to send to the ASR Manager server and you will see the above message.
[root@EXANODE1 ~]#
/opt/oracle.cellos/compmon/exadata_mon_hw_asr.pl -validate_snmp_subscriber
-type asr
Sending test trap
from <DB NODE 1 IP ADDRESS> to destination - <ASR Manager Server IP
Address>:162
Then
an email is sent as follows and it comes from no.reply@oracle.com and is with the subject - Oracle ASR: *Test* Service Request.
Serial#: XXXXXXXXX
Service Request test-create was successful.
Please use My Oracle Support https://support.oracle.com for assistance.
The below table is a reference guide for the ports requirements for the ASR Manager server and also the source, destination, protocol and description information.
Monday, October 13, 2014
Enterprise Manager 12c No Special Characters for SYSMAN account
While doing an upgrade of Oracle Enterprise Manager 12c from 12.1.0.1 to 12.1.0.4 I encountered an error which caused the upgrade to fail. Please keep in mind you cannot do a direct path upgrade from EM 12.1.0.1 to 12.1.0.4 you will first need to apply Bundle Patch (BP1) to the 12.1.0.1 binaries and then you can upgrade from 12.1.0.1 BP1 --> 12.1.0.2 or 12.1.0.3 and then finally you can upgrade to 12.1.0.4.
From the upgrade logs the error stack is below.
INFO: oracle.sysman.top.oms:MDS Schema Creation status: FAILURE
SEVERE: oracle.sysman.top.oms:MDS Schema Creation is failed
INFO: oracle.sysman.top.oms:_______________________________________________________________________
INFO: oracle.sysman.top.oms:Starting opss Schema Creation.
INFO: oracle.sysman.top.oms:Failed to create OPSS schema
INFO: oracle.sysman.top.oms:_______________________________________________________________________
INFO: oracle.sysman.top.oms:Starting APM Schema Creation.
INFO: oracle.sysman.top.oms:APM Component is already created
INFO: oracle.sysman.top.oms:The plug-in MDS Schema Configuration has failed its perform method
Cannot change password for sysman_mds java.sql.SQLSyntaxErrorException: ORA-00922: missing or invalid option
ERROR:MDS java.sql.SQLSyntaxErrorException: ORA-00922: missing or invalid option
java.sql.SQLSyntaxErrorException: ORA-00922: missing or invalid option
The Upgrade basically failed due to special character(s) in the SYSMAN password. Please make sure you do not have any special characters in the SYSMAN password such as *,#,!, etc Just use a good combination of alpha and number characters.
Since the upgrade failed I had to fallback and do the following to restart the upgrade all over again for this issue.
1.) Restore the database, inventory and OMS Middleware Home from backup.
2.) Startup database and listener
3.) Start the OMS
4.) Change the SYSMAN password that doesn't use special character(s), procedure below.
<OMS_HOME>/bin/emctl config oms -change_repos_pwd
Please note changing the SYSMAN password will change it on both the OMS and on the repository database.
From the upgrade logs the error stack is below.
INFO: oracle.sysman.top.oms:MDS Schema Creation status: FAILURE
SEVERE: oracle.sysman.top.oms:MDS Schema Creation is failed
INFO: oracle.sysman.top.oms:_______________________________________________________________________
INFO: oracle.sysman.top.oms:Starting opss Schema Creation.
INFO: oracle.sysman.top.oms:Failed to create OPSS schema
INFO: oracle.sysman.top.oms:_______________________________________________________________________
INFO: oracle.sysman.top.oms:Starting APM Schema Creation.
INFO: oracle.sysman.top.oms:APM Component is already created
INFO: oracle.sysman.top.oms:The plug-in MDS Schema Configuration has failed its perform method
Cannot change password for sysman_mds java.sql.SQLSyntaxErrorException: ORA-00922: missing or invalid option
ERROR:MDS java.sql.SQLSyntaxErrorException: ORA-00922: missing or invalid option
java.sql.SQLSyntaxErrorException: ORA-00922: missing or invalid option
The Upgrade basically failed due to special character(s) in the SYSMAN password. Please make sure you do not have any special characters in the SYSMAN password such as *,#,!, etc Just use a good combination of alpha and number characters.
Since the upgrade failed I had to fallback and do the following to restart the upgrade all over again for this issue.
1.) Restore the database, inventory and OMS Middleware Home from backup.
2.) Startup database and listener
3.) Start the OMS
4.) Change the SYSMAN password that doesn't use special character(s), procedure below.
<OMS_HOME>/bin/emctl config oms -change_repos_pwd
Please note changing the SYSMAN password will change it on both the OMS and on the repository database.
Enterprise Manager 12c Patching changes
Starting with Enterprise Manager 12.1.0.4.3 (PS3) all OMS bundle patches and plugins will be released as a single OMS-side "System" patch. The patch will be installed using the OPatchauto installation method. The EM 12.1.0.4.0 Agent and Agent-side Plug-in Bundle patches will continue to use Opatch.
More details at MOS: Enterprise Manager 12.1.0.4.0 (PS3) Master Bundle Patch List for Agent and Plug-ins (OMS and Agent side) (Doc ID 1900943.1)
More details at MOS: Enterprise Manager 12.1.0.4.0 (PS3) Master Bundle Patch List for Agent and Plug-ins (OMS and Agent side) (Doc ID 1900943.1)
Wednesday, October 1, 2014
Bash security alert on Exadata/Oracle Linux
There is a new security issue named "Bash
Shell Shock" also documented as CVE-2014-6271/CVE-2014-7169.
Shellshock is the nickname
for a flaw in Bourne Shell, or Bash, which is commonly used on Oracle
Enterprise Linux (OEL). The Bash Shell Shock vulnerability allows remote attackers to write to files or
possibly have unknown other impact.
On database nodes,
obtain and update updated bash package using the following version, or later:
bash-3.2-33.el5_11.4.x86_64
This package may be
obtained via public-yum.oracle.com.
To install this package
on DB nodes, the exadata-sun-computenode-exact RPM must be removed first. If
using Exadata DB server image version 11.2.3.3.0 or later, first run this
command: rpm -e exadata-sun-computenode-exact
Then, use this command
on all releases to install the updated rpm.
rpm -Uvh <new bash
rpm>
To install this package
on storage cells (supported as an exception for this CVE only), install using
"rpm -Uvh --nodeps <path to bash rpm>"
Stay up to date by regularly
check My Oracle Support(MOS) Note for the latest security finding.
Responses to common
Exadata security scan findings (Doc ID 1405320.1)
The following command can be used to see if you
are affected by the issue, if the command returns vulnerable then you are at
risk.
[root@localhost ~]# env 'x=() { :;}; echo
vulnerable' 'BASH_FUNC_x()=() { :;}; e
cho
vulnerable' bash -c "echo this is a test"
vulnerable
bash: BASH_FUNC_x(): line 0: syntax error near
unexpected token `)'
bash: BASH_FUNC_x(): line 0: `BASH_FUNC_x() () {
:;}; echo vulnerable'
bash: error importing function definition for
`BASH_FUNC_x'
this is a test
Below I have included the before and after
results of removing the Shell shock issue from a OEL server.
[root@localhost ~]# yum update bash
Loaded plugins: downloadonly, security
public_ol6_UEKR3_latest
| 1.2 kB 00:00
public_ol6_latest
| 1.4 kB
00:00
public_ol6_latest/primary
| 41 MB 00:37
public_ol6_latest
26205/26205
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package bash.x86_64 0:4.1.2-15.el6_4
will be updated
---> Package bash.x86_64 0:4.1.2-15.el6_5.2
will be an update
--> Finished Dependency Resolution
Dependencies Resolved
=====================================================================================================================================
Package
Arch
Version
Repository
Size
=====================================================================================================================================
Updating:
bash
x86_64
4.1.2-15.el6_5.2
public_ol6_latest
905 k
Transaction Summary
=====================================================================================================================================
Upgrade 1 Package(s)
Total download size: 905 k
Is this ok [y/N]: y
Downloading Packages:
bash-4.1.2-15.el6_5.2.x86_64.rpm
| 905 kB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Updating :
bash-4.1.2-15.el6_5.2.x86_64
1/2
Cleanup :
bash-4.1.2-15.el6_4.x86_64
2/2
Verifying :
bash-4.1.2-15.el6_5.2.x86_64
1/2
Verifying :
bash-4.1.2-15.el6_4.x86_64
2/2
Updated:
bash.x86_64 0:4.1.2-15.el6_5.2
Complete!
[root@localhost ~]# env 'x=() { :;}; echo
vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition
attempt
bash: error importing function definition for
`BASH_FUNC_x'
this is a test
[root@localhost ~]#
Wednesday, August 20, 2014
Speaking tomorrow at the St. Louis Oracle Users Group (SLOUG) about Database as a Service (DBaaS)
I will be speaking tomorrow at the St. Louis Oracle Users
Group (SLOUG) about Database as a Service (DBaaS) . Easily with just a click a
user can request a database. Learn how to deploy a Single and RAC 12c Database
within minutes from OEM 12c from start to finish.
Now you can automate from the cloud OEM12c creating a
clone of a production database delivered with Data Masking and
Security/Encryption with TDE!
Aug 21, 2014 @1PM Central Time.
Oracle Office St. Louis
424
South Woods Mill Road, suite 200
Chesterfield,
MO 63017
Subscribe to:
Posts (Atom)