Re: OEM O/S Credentials Question

The best way I have found is to have the SA's create a service account and create a credential in EM that uses that service account to execute server side commands via the agent. Use sudo if you need to execute the commands as another user (i.e. oracle).

Let the SA's own the password for the service account but give them access to EM so when they change the password for the service account, they can update EM as well. This is usually best done by giving them an EMCLI installation and showing them how they can script a password change in EM. That way, they can automate the credential password change in EM and you never have to be involved.

This way you never have to know the password of the service account making the SA's happy and you always have access to execute server side commands via the agents without having to maintain passwords.

Seth Miller

On Thu, Nov 21, 2013 at 12:19 PM, Scott Canaan <srcdco_at_rit.edu> wrote:

> This is a follow up to my last question about discovery in OEM. We are
> running into a problem with trying to use the oracle O/S user as the SA’s
> have it configured to change the password every 20 minutes. When we asked
> to have the oracle user unlocked with a stable password, they balked. So
> my question to you is what O/S user do you use for your credentials? How
> do you deal with the SA’s when they complain about “security issues”?
>
>
>
> Thank you,
>
>
>
> Scott Canaan ’88 (srcdco_at_rit.edu)
>
> (585) 475-7886 – work (585) 339-8659 – cell
>
> “Life is like a sewer, what you get out of it depends on what you put into
> it.” – Tom Lehrer
>
>
>

--
http://www.freelists.org/webpage/oracle-l