OEM12c Reset Admin Passwords


OEM12c Password Change for SYSMAN and Weblogic administration accounts

Having recently created an OEM12c VirtualBox install for a proof of concept (POC) at a customer site, another opportunity arose to reuse the same virtual machine. Alas, the SYSMAN and WEBLOGIC administration passwords were unknown and had to be reset before reuse. Initially this was expected to be an easy task, and some Metalink published notes were referenced to complete the operation. However, these notes and other published material were found to be missing some of the more critical steps; they were also lacking in clarity and detail, leading to a complex and error-prone process that had to be retried many times. The purpose of this document is to give an administrator in a similar position a clear step-by-step process that covers all of the steps, not just some of them, in detail and with examples to follow.

OEM12c SYSMAN Password Reset

The SYSMAN account (and its password) for DB Console and for EM 12c is the highest privilege account in OEM (Oracle Enterprise Manager). The Metalink note that can be used for reference on the process to reset the SYSMAN account is:

12C Cloud Control: Steps to Modify the SYSMAN Password at OMS and Repository [1365930.1]

The only pre-requisite is to know the SYS Oracle database password for the OEM repository. This can be reset in SQL*Plus if required. After becoming the operating system owner of the Oracle database and setting the environment to the database, a simple command:

# sqlplus / as sysdba

This allows the administrator to connect as SYS, OS-authenticated through the operating system group privileges. To set an actual password if it is unknown, a simple command:

SQLPLUS> alter user sys identified by xyz;

Please take care when doing this if the database is not personally owned, or if Data Guard, RAC etc. are involved, as changing the SYS password can have implications in other areas.

Unlike in OEM 11g, it is a little easier to change the SYSMAN password because it is not necessary to do the change in two steps. You use emctl to change the SYSMAN password for the OMS infrastructure and the database account at the same time. That is also why you are required to specify the SYS password when using emctl. Firstly, ensure your environment is set before going further: OMS_HOME should be set to /u01/app/oracle/product/11.2.0/em12c/oms, or wherever the OMS is being executed from. The PATH should also have $OMS_HOME/bin added to it, to allow the commands to be run from any directory. In Linux this is accomplished with export commands such as:

#export PATH=${PATH}:.:${OMS_HOME}/bin:

1. After the environment is set, simply stop all OMSs from the operating system:

#emctl stop oms

2. To change the SYSMAN password:

#emctl config oms -change_repos_pwd -use_sys_pwd -sys_pwd <sys password> -new_pwd <new SYSMAN password>

3. Finally, stop the Admin server and then restart all OMSs:

#emctl stop oms -all
#emctl start oms

An example output:

# emctl config oms -change_repos_pwd -use_sys_pwd -sys_pwd Welcome1 -new_pwd Welcome1
Oracle Enterprise Manager Cloud Control 12c Release 12.1.0.1.0
Copyright (c) 1996, 2011 Oracle Corporation. All rights reserved.
Changing passwords in backend ...
Passwords changed in backend successfully.
Updating repository password in Credential Store...
Successfully updated Repository password in Credential Store.
Restart all the OMSs using 'emctl stop oms -all' and 'emctl start oms'.
Successfully changed repository password.

Steps for Modifying the Password for Weblogic and Node Manager User Accounts in Oracle Enterprise Manager 12c

This section of the document provides detailed steps to reset/change the password for the weblogic and nodemanager user accounts in the 12c Enterprise Manager Cloud Control installation. This is based upon the Metalink Oracle document 1450798.1, which was initially followed but found to be hard to follow and, more importantly, hard to get right! The note has been adapted here with clarifications to help other administrators wishing to implement a similar change.

Note:

- The note firstly recommends taking a backup of the entire directory and all its sub-directories before performing the steps listed in this document. It is felt that this needs to be stressed further, and it should be ensured that all relevant operating system and database files are backed up. This was achieved by using the Linux tar command as below.

#cd /u01/app/oracle/product/11.2.0/gc_inst
#tar cvf user_project.tar ./user_projects
#gzip user_project.tar

It should also be noted that the steps in this note, as well as changing operating system level files, also change the credential store used by OEM12c. Due to this it is also recommended to back up the repository database as well as the entire relevant operating system volume. Any small mistake could lead to issues and a restore being required, so significant care is required.

- The steps listed in the document are similar to the ones in the WLS (Weblogic Server) document Note 1082299.1: How to Change the WebLogic Server Administrator Password, but they were modified and extended to suit the 12c Enterprise Manager installation with a lot of required additional steps.

- The steps in this document should be followed carefully and in the same order as listed, so as to avoid any manual errors and misconfigurations. If anything is not clear or cannot be tested, then Oracle Support should be involved first to ensure correctness.

- Some additional steps are required for the Oracle Enterprise Manager 12c BI Publisher after changing the weblogic password, if BI Publisher is integrated with Enterprise Manager. This is considered out of scope for this document.

For this POC environment it was very lucky that it was a virtual machine. It meant that if large mistakes were made while defining and testing the process, the machine could simply be restored, costing only time. As with any complex administration task, the required care needs to be taken.

Introduction

During the 12c OMS installation, a 10.3.5 WLS (Weblogic Server) is also installed, and the initial passwords for the weblogic and nodemanager accounts are set depending upon the installation type chosen:

If a simple installation type was chosen, then the same password is set for all accounts: Weblogic, node manager, sysman users and the Agent registration. This is the default when the simple installation is completed.

If an advanced installation type was chosen, then the user is given the option to enter respective passwords for the weblogic and nodemanager accounts.

The weblogic account is used for creation and administration of the WebLogic domain GCDomain and other associated components such as the admin server, the managed server, and the node manager. The nodemanager account is used to connect to the node manager process, which can then be used to start / stop the admin server or the managed server.

Changing the Weblogic Password When the Existing Password is Unknown

1. Firstly, stop the OMS and the Agent on the OMS machine, and set the necessary environment variables, these being the binary home and path variables:

Stop the OMS. The OMS home in this case was: /u01/app/oracle/product/11.2.0/em12c

# cd <OMS home>/bin
# emctl stop oms -all

Stop the Agent on the OMS machine. The AGENT home in this case was: /u01/app/oracle/product/11.2.0/agent/core/12.1.0.3.0

# cd <AGENT home>/bin
# emctl stop agent

After the above is completed, also ensure that the OMS has stopped completely and that there are no java processes running from the OMS base location as the oracle user:

# ps -ef | grep java

or

# ps eaf | grep web

If any processes are listed, then kill them using the kill -9 command, only after ensuring that the process is running from the OMS base installation.

Now set the necessary environment variables for the WLS (Weblogic system) domain; this is achieved with the script setDomainEnv.sh. For this installation the file was located in /u01/app/oracle/product/11.2.0/gc_inst/user_projects/domains/GCDomain/bin

# . ./setDomainEnv.sh

Note:

- In case of a multi-OMS setup, all the OMSs on all machines and the corresponding monitoring agents must be stopped.

2. Next, rename the existing DefaultAuthenticatorInit.ldift file in the domain directory and create a new file with the java command below. For this installation the file was located in /u01/app/oracle/product/11.2.0/gc_inst/user_projects/domains/GCDomain/security

Note:

- The below example has ${DOMAIN_HOME} set to /u01/app/oracle/product/11.2.0/gc_inst/user_projects/domains/GCDomain

#cd ${DOMAIN_HOME}/security
#mv DefaultAuthenticatorInit.ldift DefaultAuthenticatorInit.ldift_old
#java weblogic.security.utils.AdminAccount weblogic <password> .

Note:

- Replace <password> with the new password that you wish to set for the weblogic user.
- The character '.' is mandatory at the end of the above command. A new DefaultAuthenticatorInit file will be created, and the '.' is the current directory where it will be written.
- In case of a multi-OMS setup, the above step needs to be performed on each OMS server, and ensure that the same password is provided for the weblogic user on all the OMS machines.

3. Now rename the ldap directory for the Admin Server (EMGC_ADMINSERVER) and the Managed Server (EMGC_OMS1). For this installation this was located in /u01/app/oracle/product/11.2.0/gc_inst/user_projects/domains/GCDomain/servers

# cd ${DOMAIN_HOME}/servers/EMGC_ADMINSERVER/data
# mv ldap ldap_old
# cd ${DOMAIN_HOME}/servers/EMGC_OMS1/data
# mv ldap ldap_old

In the case of a multi-OMS setup, the ldap directory needs to be renamed only for the managed server; however, it is safer to do all of them on each OMS as they get recreated later.

4. If any lock files exist then rename them. The .lok file will exist in the tmp directory of the Admin Server and the Managed Server. For this installation there were no files found; however, the directories were:

/u01/app/oracle/product/11.2.0/gc_inst/user_projects/domains/GCDomain/servers/EMGC_ADMINSERVER/tmp and
/u01/app/oracle/product/11.2.0/gc_inst/user_projects/domains/GCDomain/servers/EMGC_OMS1/tmp

# cd ${DOMAIN_HOME}/servers/EMGC_ADMINSERVER/tmp
# mv EMGC_ADMINSERVER.lok EMGC_ADMINSERVER.lok_old
# cd ${DOMAIN_HOME}/servers/EMGC_OMS1/tmp
# mv EMGC_OMS1.lok EMGC_OMS1.lok_old

Again, in case of a multi-OMS setup, the tmp/*.lok file(s) need to be renamed only for the managed server. However, check all locations on each OMS to be sure, as a leftover lock file will prevent restarts later.

5. Next, edit the Admin Server's boot.properties file in the /u01/app/oracle/product/11.2.0/gc_inst/user_projects/domains/GCDomain/servers/EMGC_ADMINSERVER/security directory ($DOMAIN_HOME/servers/EMGC_ADMINSERVER/security/boot.properties) and specify the new password entered in step 2 in clear text, for the password field ONLY.

Note:

- The password is the only entry required to be changed. The username is left encrypted as it remains weblogic.

The file looks similar to the below. (Beforehand both the password and username will be set to hash values; you remove the hash value for the password and replace it with the chosen clear text password for the Weblogic admin user.)

6. After this, modify the Managed Server's boot.properties file in ${DOMAIN_HOME}/servers/EMGC_OMS1/data/nodemanager/boot.properties and, as above, use the password entered in step 2 in clear text for the password field. As above, it is ONLY the password field that needs to be adjusted; leave all other entries the same. For this installation the file was located in: /u01/app/oracle/product/11.2.0/gc_inst/user_projects/domains/GCDomain/servers/EMGC_OMS1/data/nodemanager/boot.properties.

In case of a multi-OMS setup, the above step also needs to be performed on each OMS server.
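The edit in steps 5 and 6, as an added shell example that is not from the paper: it changes only the password= line of a boot.properties file, keeps the encrypted username= and any other key exactly as it was, writes a dated backup beside the file, and restricts the file to its owner while the clear-text value is in it. The sample file, its paths and its hash values are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the paper. Replace only the password field of a
# WebLogic boot.properties file (steps 5 and 6) and leave every other line,
# including the encrypted username=, exactly as it was.

# set_boot_password <boot.properties> <new clear-text password>
# Returns 0 on success, 1 if the file has no password= line, 2 on bad arguments.
set_boot_password() {
    file=$1
    newpwd=$2
    [ -f "$file" ] && [ -n "$newpwd" ] || return 2
    grep -q '^password=' "$file" || return 1
    # keep the original (still holding the old {AES} hash) beside the file
    cp -p "$file" "$file.bak_$(date +%Y%m%d%H%M%S)" || return 2
    # The new value is handed to awk through the environment, not via -v, so
    # backslashes and characters such as '!' or '$' are written literally.
    NEWPWD=$newpwd awk '
        /^password=/ { print "password=" ENVIRON["NEWPWD"]; next }
        { print }
    ' "$file" > "$file.tmp" || return 2
    mv "$file.tmp" "$file" || return 2
    # The password now sits in clear text until WebLogic re-encrypts it on the
    # next start, so make the file readable by the owning OS user only.
    chmod 600 "$file"
}

# changed_keys <original> <edited>
# Prints the property names whose lines differ between the two files; after a
# correct edit this prints exactly "password", confirming username= was untouched.
changed_keys() {
    awk -F= 'NR == FNR { orig[$1] = $0; next }
             !($1 in orig) || orig[$1] != $0 { print $1 }' "$1" "$2"
}

# make_sample_boot_properties <file>
# Writes a constructed boot.properties with the same three keys as the paper's
# Admin Server excerpt; the hash values here are made up for the example.
make_sample_boot_properties() {
    printf '%s\n' \
        'password={AES}SAMPLEoldPasswordHash\=' \
        'username={AES}SAMPLEusernameHash\=' \
        'TrustKeyStore=DemoTrust' > "$1"
}

# Stand-alone run: edit a sample file in a temporary directory and show the result.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_sample_boot_properties "$d/boot.properties"
    cp "$d/boot.properties" "$d/boot.properties.orig"
    set_boot_password "$d/boot.properties" 'Webl0gic!'
    echo "changed keys: $(changed_keys "$d/boot.properties.orig" "$d/boot.properties")"
    cat "$d/boot.properties"
    rm -rf "$d"
fi
```

Run it with --demo to see the edit applied to the constructed sample; on a real domain pass the ${DOMAIN_HOME} file paths from steps 5 and 6 instead.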

The two boot.properties files from this installation, as shown in the paper (step 5's Admin Server file first, then step 6's Managed Server file):

password=<clear-text weblogic password>
username={AES}g6mxfhlx/JtaVKgqx9/pYb8bWaxitVXzbLMzwo9tOIs\=
TrustKeyStore=DemoTrust

password=<clear-text weblogic password>
username={AES}g6mxfhlx/JtaVKgqx9/pYb8bWaxitVXzbLMzwo9tOIs\=

7. As part of the OEM 12c OMS installation, two weblogic users named OracleSystemUser and weblogic_mntr, and a Weblogic group OracleSystemGroup, are created by the installer. When the weblogic password is modified manually, these users are actually removed, and it is critical that they are re-created manually by following the below manual steps in the Weblogic console:

In a terminal session, firstly start the Admin server:

# ${DOMAIN_HOME}/startWebLogic.sh

This was located in /u01/app/oracle/product/11.2.0/gc_inst/user_projects/domains/GCDomain and is also found in the ${DOMAIN_HOME}/bin directory. It is simply run with ./startWebLogic.sh by the oracle user. As the server starts a lot of information will scroll on the screen; however, please wait until the status of the Admin server is reported as 'RUNNING'. This session should be kept open till the below steps are completed.

Access the Admin Server Console using the URL: https://<host>:<port>/console (the default admin server console port is 7101). For the exact URL, refer to the details in the ${OMS_HOME}/install/setupinfo.txt file. For this installation it was: https://oel61b.au.oracle.com:7103/console/login/LoginForm.jsp

Login with the weblogic user and provide the new password that was entered in Step 2.

In the Admin Server Console, navigate to Security Realms -> myrealm -> Users and Groups -> Groups. Click on the 'New' button and enter the below details:

Name: OracleSystemGroup
Description: Oracle application software system group
Provider:

Click OK.

Navigate to Security Realms -> myrealm -> Users and Groups -> Users. Click on the 'New' button and enter:

User: OracleSystemUser
Description: Oracle application software system user
Password:

Click OK.

Click on the username 'OracleSystemUser' and then click on 'Groups'. Select the previously created 'OracleSystemGroup' and click 'Save'.

Note:

- As per the screen shot below, when entering the group page for a particular user the available groups are shown in the top selection box labeled Parent Groups. After selecting the group it is required to click the single arrow on the right of the available box to move the group from the available section to the chosen section underneath. Then the save button can be pressed to commit the change of group selection.

In Security Realms -> myrealm -> Users and Groups -> Users, click on the 'New' button again and enter:

User: weblogic_mntr
Description: Oracle application weblogic mntr user
Password:

Click OK.

Click on the username 'weblogic_mntr' and then click on 'Groups'. Select 'Administrators' and click 'Save'.

If the Admin Server username specified during OEM installation is other than 'weblogic' (AS_USERNAME in emgc.properties), then a user with that username also needs to be created and assigned to the 'Administrators' group.

The password for nodemanager is needed in the next step, 9, when the new weblogic password is saved in the credential store. If the password for the nodemanager account is also not known, then set a new password using the steps in the section below:

Changing the Nodemanager Password

The nodemanager password can be modified by logging into the Admin server console as the weblogic user.

1. Firstly, access the Admin Server Console using the URL: https://<host>:<port>/console (the default admin server console port is 7101). For the exact URL, refer to the details in the ${OMS_HOME}/install/setupinfo.txt file.

2. Login with the weblogic user and navigate to GCDomain -> Security -> expand the Advanced section. As per the instructions, before you can make a change you have to click 'Lock and Edit' if not already in edit configuration mode within the console. Enter the new password in the 'NodeManager Password' and 'Confirm NodeManager Password' fields and click on the 'Save' button. Click on 'Activate Changes' in the left panel.

3. On the OMS machine, edit the nm_password.properties file under

8. Back in the Weblogic Admin console, navigate to the GCDomain -> Security -> Embedded LDAP page, choose the 'Lock and Edit' option and select the flag 'Refresh Replica At Startup'. Then click 'Save' and then click on 'Activate Changes'.

Note:

- This step is needed to ensure that the LDAP data for the managed servers gets properly synchronized on startup.

Finally, stop the Admin server by pressing 'Ctrl+c' in the terminal session from which the Admin server was started at the beginning of step 7.

9. Run the below command to save the new password to the EM Credential store. Before executing, please ensure that OMS_HOME is defined and also added to the PATH environment variable, for example as below:

#export OMS_HOME=/u01/app/oracle/product/11.2.0/em12c/oms
#export PATH=$OMS_HOME/bin:$PATH:.:
#cd ${OMS_HOME}/bin
#emctl secure create_admin_creds_wallet -admin_pwd <weblogic password> -nodemgr_pwd <nodemanager password>

In the case of a multi-OMS setup the above step needs to be performed on each OMS server.

10. Now, start the OMS:

#cd ${OMS_HOME}/bin
#emctl start oms

11. Log back into the Weblogic Admin server console with username weblogic and the new password. Navigate to the GCDomain -> Security -> Embedded LDAP page. Toggle off the 'Lock and Edit' option and unset the flag 'Refresh Replica At Startup'. Click 'Save' and then click on 'Activate Changes'.

Note:

- The flag was used only for synchronizing the LDAP data in the managed servers at the time of startup after the password change, but once this is accomplished the option needs to be turned off, as it imposes a cost on the startup operation. This was set in step 8 just before stopping the Weblogic server earlier.

12. Now, restart the OMS as normal; this implements the above switch-off step.

#cd ${OMS_HOME}/bin
#emctl stop oms -all
#emctl start oms

13. The EMGC_GCDomain is a monitored target inside Enterprise Manager, and the monitoring credentials of this target need to be updated so as to continue monitoring this target. To do this, firstly ensure the agent is running on the OMS host:

#export AGENT_HOME=/u01/app/oracle/product/11.2.0/agent/core/12.1.0.3.0
#cd ${AGENT_HOME}/bin
#emctl start agent

Note:

- The emcli command line tool is used, after starting the agent, to update the password in a script.
- You need to provide the user name weblogic_mntr and its corresponding password, as set in the Admin server console, to the emcli command. As below, care is required with reserved characters.
- The monitoring password should be updated only after starting the Agent.

EMCLI: To find out the whole current state of the targets in the OEM12c implementation without entering the console, the command line emcli interface was used. Firstly, the environment needs to be set with OMS_HOME defined as earlier. Next, OMS_HOME/bin is added to the PATH to ensure that the commands are available from all locations in the operating system. For example:

#export OMS_HOME=/u01/app/oracle/product/11.2.0/em12c/oms
#export PATH=$OMS_HOME/bin:$PATH:.:

To use emcli, the first command required in the session is a login command. To do this, a privileged account username and password are required. In this case sysman is utilized.

#emcli login username=sysman password=Welcome1

Note:

- The emcli session will remain open until a logoff is issued or the session is terminated.

Next the emcli command get_targets is issued. This gets a full list of targets, their internal names and the target type.

#emcli get_targets

The screen shot below shows the sample output at this time, with the targets in a DOWN state due to the incorrect password.

Note:

- When modifying the password, take care with special characters reserved by the operating system shell. As the password goes into emcli on the command line, escaping them can affect the final value. In this case the ! was chosen as part of the password. This is a reserved character in the bash Linux shell. To get around this easily, the required steps were placed into a Korn shell script, which does not have this limitation due to being a different shell type. The script could then be executed without error. The script is shown below for reference, and once it was executed in the test environment all targets were then shown with status UP.

#!/bin/ksh
#
# Oracle OEM EMCLI script to modify target properties for Weblogic change in passwords for
# Application targets.
#
# First set environment correctly.
#
export OMS_HOME=/u01/app/oracle/product/11.2.0/em12c/oms
export PATH=$OMS_HOME/bin:$PATH:.:
#
# Next login to emcli (NOTE: change password as needed below)
#
emcli login username=sysman password=Welcome1
#
# After login, can now modify all required targets. List obtained from emcli get_targets output.
# Each emcli command is one line. The credentials value is quoted so that the ';' separators
# inside it are passed to emcli rather than read by the shell as command terminators.
#
emcli modify_target name=/EMGC_GCDomain/GCDomain type=weblogic_domain credentials="Username:weblogic_mntr;password:Webl0gic!;" on_agent
#
# Finally logoff emcli
#
emcli logoff
#EOF

After executing the above it will take a few minutes for the targets' state to update in the console. If emcli can be logged into again, then the emcli get_targets command can be re-executed several times until the status changes, as below, from DOWN to UP. This can also be viewed in the console summary page in OEM12c if desired.
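The same step 13 update, as an added POSIX shell example that is not the paper's ksh script: no password is stored in the script, the SYSMAN password is entered at emcli's own prompt (emcli login prompts when -password is omitted), and the weblogic_mntr password is read with terminal echo off and handed to emcli as a single quoted argument, so a '!' in it survives regardless of shell (in a non-interactive bash script history expansion is off in any case). The OMS_HOME default, target name, target type and user are taken from the paper; emcli is called by its full path under ${OMS_HOME}/bin, which is assumed.

```shell
#!/bin/sh
# Added example, not the paper's ksh script. Updates the EMGC_GCDomain
# monitoring credentials (step 13) without any password written into the
# script. emcli options are given in the documented -option=value form.

# emcli_creds_arg <user> <password>
# Builds the -credentials option. The caller passes the result to emcli as ONE
# argument, so shell characters in the password ('!', '$', spaces) are never
# re-parsed by the shell.
emcli_creds_arg() {
    printf '%s' "-credentials=Username:$1;password:$2;"
}

# creds_password_ok <password>
# The option value uses ':' and ';' as field separators, so refuse a password
# that is empty or contains either, rather than guessing how emcli would split it.
creds_password_ok() {
    case "$1" in
        '' | *:* | *';'* ) return 1 ;;
    esac
    return 0
}

# read_secret <prompt>  -> sets SECRET, with terminal echo off (POSIX stty).
read_secret() {
    printf '%s: ' "$1" >&2
    stty -echo 2>/dev/null
    IFS= read -r SECRET
    stty echo 2>/dev/null
    printf '\n' >&2
}

update_domain_monitoring_creds() {
    OMS_HOME=${OMS_HOME:-/u01/app/oracle/product/11.2.0/em12c/oms}
    EMCLI=$OMS_HOME/bin/emcli          # full path: no reliance on '.' in PATH
    read_secret 'weblogic_mntr password'
    mntr_pwd=$SECRET; SECRET=
    creds_password_ok "$mntr_pwd" || {
        echo 'password must not be empty or contain : or ;' >&2; return 2; }
    # SYSMAN password is typed at emcli's prompt, so it never appears in argv.
    "$EMCLI" login -username=sysman || return 1
    "$EMCLI" modify_target -name=/EMGC_GCDomain/GCDomain -type=weblogic_domain \
        "$(emcli_creds_arg weblogic_mntr "$mntr_pwd")" -on_agent
    rc=$?
    mntr_pwd=
    "$EMCLI" logoff
    return $rc
}

# Run only when invoked with --run, so the functions can be sourced and tested.
if [ "${1:-}" = "--run" ]; then
    update_domain_monitoring_creds
fi
```

The credentials argument still passes through the process argument list for the duration of the emcli call, so run it as the oracle user on the OMS host rather than from a shared jump box.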

About the Author:

Andy Baker is an Oracle Database administrator with over 18 years of experience. This experience covers Banking, Oil and Gas, Insurance and Telecoms for many major global organizations, working all over the world. A large amount of time was spent working in Oracle global support specializing in backup and recovery. Today Andy works for Oracle Consulting Services as a Senior Principal consultant and is based in Melbourne, Australia. Please feel free to contact Andy for further information or to discuss anything of interest in relation to Oracle Database Administration or this paper.