G Automating DBSNMP Password Management

You can automate password management for the monitoring-only users that were used to discover database instances in the Enterprise Manager Cloud Control console by using the Change the Password for the Database Monitoring User job type. Typically, this is the DBSNMP user.

When an Oracle database is installed, a DBSNMP user is provisioned out-of-the-box that is primarily used for monitoring that database from Enterprise Manager Cloud Control. The DBSNMP username and password are used both during discovery and for collecting metrics from the Enterprise Manager agent. DBSNMP is also used when collecting metrics that show up on the database home page in the Enterprise Manager console.

Password rotation is a normal part of the security policy for all users, and this typically applies to the DBSNMP user as well. This becomes a burden when dealing with hundreds or perhaps thousands of databases. This task usually involves changing the password for this database user and then updating all Enterprise Manager configurations that use this password for monitoring/administrating that database. Enterprise Manager can automate this task by allowing the Job system to perform this password change operation for DBSNMP, or any other dedicated database monitoring user within Enterprise Manager.

The Change the Password for the Database Monitoring User job type lets you schedule jobs on Oracle Database and Cluster Database instances and, when executed, updates the password of the monitoring user (the user used to discover the database instance in Enterprise Manager, typically DBSNMP). A new password can be user-specified or auto-generated by Enterprise Manager.

The user-defined password option typically makes sense for a one-time scheduled job, because running the job periodically with a manually specified password will not effectively change the password across job runs. Having Enterprise Manager auto-generate random passwords is more effective from a security standpoint.

IMPORTANT: The password change job should only be used for DBSNMP (or other monitoring users) configured with the Normal role and where Enterprise Manager is the only product/user attempting to access the actual database as this user. Once Enterprise Manager changes the password to a generated one, this auto-generated password will not be known to anyone but Enterprise Manager and its components, e.g., the agent. The password change job will not permit updating of a password for a SYSDBA or SYSOPER user. This job also does not support updating the password of the Enterprise Manager repository monitoring user or of a DataGuard standby instance. Also, no Global scoped named credentials, if any are defined for the monitoring user, will be updated.

Note:

It is recommended that the Enterprise Manager user running this job be the user that initially discovered these database targets; otherwise, the user needs to have at least the following Enterprise Manager target privileges on the database/cluster.
  • CONFIGURE_TARGET
  • CONNECT_TARGET
  • BLACKOUT_TARGET
  • EDIT_CREDENTIAL (monitoring and any saved named credentials)

This privilege is required because the job blacks out the targets and updates the credentials/monitoring configuration both on the target and in Enterprise Manager as well as updating any named credentials for this database user in Enterprise Manager.

Configuring and Scheduling the Job

  1. From the Enterprise menu, choose Job and then Activity. On the Activity page, click Create Job. The Select Job Type dialog displays.


    DBSNMP Change password job.

    Choose the Change the password of the Database Monitoring User job type and click Select.

  2. Define the job by specifying the required attributes (Job Name, Description, etc.) as well as selecting the list of targets on which to schedule/run the job.

    Note:

    Instead of selecting a list of targets, you could also create a dynamic group and select the group. When selecting a dynamic group, all instances of type Oracle Database and Cluster Database present in the group will have the monitoring user passwords updated when the job is executed.

    If a large number of targets is being selected, it is recommended to specify a number reasonable for your environment (around 3) so that these jobs are not all executed in parallel. Running large numbers of jobs in parallel will not only overload the job system, but also cause your targets to be in blackout concurrently.


    Create Job General Tab

  3. Specify a New Password if you do not want Enterprise Manager to auto-generate a password as shown below.
    Create Job Parameters Page

    Auto-Generate New Password must be set to No. Enter the new password. If the new password and confirmation do not match, an inline error message will appear and you will not be able to submit the job.


    Auto-Generate New Password

    As mentioned previously, if no parameters are specified in the Parameters tab, then a new password will be generated. Auto-generated passwords are only known to and managed by Enterprise Manager.

  4. Define a schedule for this job. This would typically be the interval after which the monitoring user password needs to be changed as per the password profile defined for the database.


    Set Job Schedule

    Click Submit.
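
To choose the interval in step 4, you can read the password lifetime that the database profile enforces for the monitoring user. The query below is an added example, not part of the Oracle documentation; it assumes the monitoring user is DBSNMP and that the session can read the DBA_USERS and DBA_PROFILES views.

```sql
-- Added example: resolve the effective PASSWORD_LIFE_TIME for the monitoring user.
-- Assumption: the monitoring user is DBSNMP; change the WHERE clause if yours differs.
SELECT u.username,
       u.account_status,                     -- OPEN, EXPIRED, EXPIRED(GRACE), LOCKED, ...
       u.profile,
       u.expiry_date,                        -- NULL when the password never expires
       ROUND(u.expiry_date - SYSDATE) AS days_until_expiry,
       CASE p.limit
         WHEN 'DEFAULT' THEN d.limit         -- profile defers to the DEFAULT profile
         ELSE p.limit
       END AS effective_password_life_time   -- number of days, or UNLIMITED
FROM   dba_users u
JOIN   dba_profiles p
       ON  p.profile       = u.profile
       AND p.resource_name = 'PASSWORD_LIFE_TIME'
JOIN   dba_profiles d
       ON  d.profile       = 'DEFAULT'
       AND d.resource_name = 'PASSWORD_LIFE_TIME'
WHERE  u.username = 'DBSNMP';
```

Schedule the job to repeat at an interval shorter than effective_password_life_time so the password is rotated before the account status becomes EXPIRED.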

Viewing the job run output (executions per target)

You can view the status/output of the password change job by clicking on the job name in the Job Activity table as shown below.


Job Run Output