EM12c: How to Retrieve Passwords from the Named Credentials

In my previous post, I showed how to list all named credentials in Enterprise Manager Cloud Control. As you saw, it was not possible using the regular user interface, so we connected to the repository database to get the information. Now let’s keep digging and see if we can retrieve the “encrypted information” saved in named credentials.

The username, password and role information of named credentials is stored in the em_nc_cred_columns table. When we examine it, we can see that there’s a one-to-many relation with em_nc_creds using the target_guid column, and the sensitive information is stored in the cred_attr_value column. That column is encrypted using the em_crypto package. The encryption algorithm uses a secret key, which is stored in the “Admin Credentials Wallet”, and a salt (random data for additional security). The wallet file is located at $MIDDLEWARE_HOME/gc_inst/em/EMGC_OMS1/sysman/config/adminCredsWallet/cwallet.sso, and the salt data can be found in the cred_salt column of the em_nc_cred_columns table. Here’s what it looks like:

[Image: encrypted_credentials]

To decrypt the information, we need to call decrypt in the em_crypto package, but if we call it without opening the wallet, we get the following error:

EM12c: Using Metric Extensions to Generate Composite Alerts

There was a question on the OTN forums about how to generate alerts based on two different metrics. The user wants to get an alert only if the warning threshold is over 80% “AND” there is less than 20GB of free space in a tablespace. So he doesn’t want to get an alert if the tablespace is over 80% full but still has 100GB of free space. Of course, he can set different thresholds for each tablespace: he can set a percentage threshold for small tablespaces and a free space threshold for bigger ones. I do not know how many databases he monitors, but if he’s managing lots of DBs, this could be a time-consuming task.

So how can we solve it? EM12c doesn’t let you generate an alert based on two different metrics. For these situations, you can create metric extensions. All you need is to query mgmt$alert_current and see if two alerts occurred for the same target. Examine the following SQL:

Enterprise Management Agent Host Credentials for PAM and LDAP

We use LDAP users to install Oracle software. In my humble opinion, it’s not a good approach because if the server cannot communicate with the LDAP service, Oracle gets errors when spawning new processes. We have already started to switch our oracle users from LDAP authentication to local users, but this is not the subject of this blog post. Using LDAP for authentication also affects Enterprise Manager agents. When I try to create a named credential, the EM agent cannot verify the user/password, although I used the same user/password information to deploy the agents 🙂

[Image: pamerror]

Here’s the log generated by the agent:

Tips and Tricks for Installing Ops Center 12c R2 (PSU2)

In one of my old posts, I wrote a step-by-step guide to installing Ops Center on Linux. I still get questions about installation, mostly about installing the repository database. So I downloaded the latest patch set version to see if anything has changed about the installation, and decided to write tips and tricks to help Ops Center users. If you have read my previous blog, or you are already an Ops Center user, you may remember that Ops Center can create the required Oracle users and install Oracle Database by itself. You can see on the Ops Center web site that you need to follow My Oracle Support Document 1450669.1 to obtain Oracle Database 11g for Ops Center, and the MoS document says you need to download the 11.2.0.3 files and put them into the “/var/tmp/downloads” folder. I don’t know if these RPMs are still valid; the latest Ops Center seems to support 11.2.0.4. So I recommend you download Oracle 11.2.0.4 (patch 13390677). You need to put the zip files into the /var/tmp/downloads folder. After you have copied the files, the creation of users and the setup of the local repository database are totally automated by the Ops Center installer.

I always think that Ops Center is a very smart installer, and it can handle almost everything. On the other hand, instead of dealing with errors/warnings while installing, I recommend using OCDoctor, a small utility to check prerequisites. Download the latest OCDoctor zip file, extract it and run it: