Database Reference
In-Depth Information
To “
unexpire
” an account you simply have to renew its password. However, if you are logged on to the target as
SYS and you then change the DBSNMP password value to a new one, then the value will be out of sync. So it will be
useful to be able to renew the DBSNMP password value to be the same value, so that the password becomes usable,
i.e., unexpired, but does not become out of sync. But how to do this if you don't know the plaintext password? This is
a classic issue with centralized management systems; how do you keep the passwords synchronized while keeping
security at a satisfactory level? The solution to this issue is to ALTER the DBSNMP password to its current value using
“by values” thus unexpiring it but keeping the value synchronized.
You will know that the account password is expired by the
account_status
column in
dba_users
AKA
ASTATUS
in
SYS.USER$
. If that value is anything other than 0 (0 = Open) then that is why your EM console can't connect to the
target.
To unexpire the password for DBSNMP without knowing the original value, use this command:
ALTER USER DBSNMP IDENTIFIED BY VALUES '[HASH FROM SYS.USER$]';
Then the target will come back up on the EM console.
It is worth considering removing the default profile from DBSNMP to avoid accidental or deliberate malicious
lockouts. It would not be difficult for an attacker to lock out all DBSNMP acccounts in a network, thus removing all EM
connectivity. A new profile without lockout can be applied to DBSNMP, thus avoiding this issue.
Securing Network Communications
The EM system consists of a target DB connected via DBSNMP agent, which sends via http(s) to OMS (Oracle Management
Service), which inputs into the OMR (repository), which can then be queried and reported on by the EM web pages. SSL is
not required in order to encrypt over the network (see Figure
18-2
).
Target
OMS
Agent
OMR
EM
Target
Agent
Figure 18-2.
Enterprise Manager 12c network architecture
The network communications in the previous diagram should be encrypted through HTTPS. Let's investigate
that further.
