
OEM12c Password Change for SYSMAN and Weblogic administration accounts


Having recently built an OEM12c VirtualBox install for a proof of concept (POC) at a customer site, an opportunity arose to reuse the same virtual machine. Alas, the SYSMAN and WebLogic administration passwords were unknown and had to be reset before reuse. This was expected to be an easy task, and the published My Oracle Support (Metalink) notes were followed to complete it. However, those notes and other published material were found to be missing some of the more critical steps, and to lack clarity and detail, which led to a complex and error-prone process that had to be retried many times. The purpose of this document is to give an administrator in a similar position a clear, step-by-step process that covers all of the steps, not just some of them, with worked examples to follow.
OEM12c SYSMAN Password Reset
The SYSMAN account is the highest-privilege account in OEM (Oracle Enterprise Manager), both for DB Console and for EM 12c. The Metalink note that can be used for reference on the process to reset the SYSMAN password is:
12C Cloud Control: Steps to Modify the SYSMAN Password at OMS and Repository [1365930.1]
The only prerequisite is to know the SYS password of the OEM repository database. This can be reset in SQL*Plus if required. After becoming the operating system owner of the Oracle database and setting the environment for that database, a simple command
# sqlplus / as sysdba
connects the administrator as SYS without a password, OS-authenticated through membership of the dba operating system group. To set an actual password if it is unknown, name the user explicitly:
SQL> alter user sys identified by xyz;
Take care when doing this if the database is not personally owned, or if Data Guard, RAC or similar is involved: the SYS password is also held in the password file (orapw<SID>), which Data Guard standbys and any RAC node that does not share it must be updated with, and any script or tool that connects as SYS over the network will fail until it is changed too.
Unlike OEM 11g, changing the SYSMAN password in 12c is a little easier because it is not done in two steps: a single emctl command changes the SYSMAN password in the OMS infrastructure and in the repository database at the same time, which is also why the SYS password has to be supplied to emctl. Firstly ensure the environment is set before going further. OMS_HOME should point to /u01/app/oracle/product/11.2.0/em12c/oms, or wherever the OMS is executed from, and $OMS_HOME/bin should be added to the PATH so that the commands can be run from any directory. Do not add the current directory (".") to the PATH: a writable directory on the PATH lets anyone who can drop a file named emctl or java into it run code as the oracle user. On Linux this is accomplished with an export command such as:
#export PATH=${PATH}:${OMS_HOME}/bin
1. After the environment is set, stop all OMSs from the operating system:
#emctl stop oms
2. Change the SYSMAN password:
#emctl config oms -change_repos_pwd -use_sys_pwd -sys_pwd <YOUR_SYS_DATABASE_PASSWORD> -new_pwd <YOUR_NEW_SYSMAN_PASSWORD>
Both passwords are passed on the command line, so they are visible to other users in the process list while the command runs and are written to the shell history. Run it from a session with history disabled (or clear the history afterwards), and do not simply reuse the SYS password as the new SYSMAN password.
3. Finally stop the Admin Server as well, then restart all OMSs:
#emctl stop oms -all
#emctl start oms
An example output:

# emctl config oms -change_repos_pwd -use_sys_pwd -sys_pwd Welcome1 -new_pwd Welcome1

Oracle Enterprise Manager Cloud Control 12c Release 12.1.0.1.0
Copyright (c) 1996, 2011 Oracle Corporation. All rights reserved.
Changing passwords in backend ...
Passwords changed in backend successfully.
Updating repository password in Credential Store...
Successfully updated Repository password in Credential Store.
Restart all the OMSs using 'emctl stop oms -all' and 'emctl start oms'.
Successfully changed repository password.

Steps for Modifying the Password for Weblogic and Node manager User Accounts in Oracle Enterprise Manager 12c
This section of the document provides detailed steps to reset or change the password for the weblogic and nodemanager user accounts in a 12c Enterprise Manager Cloud Control installation. It is based on the Metalink document 1450798.1, which was initially followed but found to be hard to follow and, more importantly, hard to get right. The note has been adapted here with clarifications to help other administrators wishing to implement a similar change.
Note:

- The note firstly recommends taking a backup of the entire <MW_HOME> directory and all its sub-directories before performing the steps listed in this document. This needs to be stressed further: ensure that all relevant operating system and database files are backed up.
This was achieved with the Linux tar command as below.

#cd /u01/app/oracle/product/11.2.0/gc_inst
#tar czvf user_projects.tar.gz ./user_projects

It should also be noted that the steps in this note change the credential store used by OEM12c as well as operating system level files. For this reason the repository database should be backed up too, along with the entire relevant operating system volume. Any small mistake could lead to issues and a restore being required, so significant care is needed.
- The steps listed here are similar to those in the WLS (WebLogic Server) document Note 1082299.1: How to Change the WebLogic Server Administrator Password, but they have been modified and extended to suit the 12c Enterprise Manager installation with a number of additional required steps.

- The steps in this document should be followed carefully and in the order listed, so as to avoid manual errors and misconfigurations. If anything is unclear or cannot be tested, involve Oracle Support first to ensure correctness.

- Some additional steps are required for the Oracle Enterprise Manager 12c BI Publisher after changing the weblogic password, if BI Publisher is integrated with Enterprise Manager. This is considered out of scope for this document.
For this POC environment it was very lucky that the system was a virtual machine: if large mistakes were made while defining and testing the process, the machine could simply be restored at the cost of time only. As with any complex administration task, care needs to be taken.
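The backup the note above insists on is easy to get wrong by hand (wrong directory, archive never read back). The following shell functions are an added example written for this page, not part of the original paper or of Oracle's notes. They take the instance base and a destination directory as arguments (the paths in the usage are assumptions, not the paper's), archive the user_projects tree with paths relative to the instance base, restrict the archive to the owner, and list it back before printing its path.

```shell
#!/bin/sh
# Added example (not from the original paper): back up the WebLogic domain tree
# before touching any security files, then verify the archive can be read back.
# Assumes a tar that understands -z (GNU, BSD or busybox). Paths are arguments.

# backup_user_projects INSTANCE_BASE DEST_DIR
#   Creates DEST_DIR/user_projects-<timestamp>.tar.gz from
#   INSTANCE_BASE/user_projects, makes it owner-readable only, checks that the
#   archive lists at least one member and prints the archive path on stdout.
backup_user_projects() {
    base="$1"; dest="$2"
    [ -d "$base/user_projects" ] || { echo "no user_projects under $base" >&2; return 1; }
    mkdir -p "$dest" || return 1
    ts=$(date +%Y%m%d%H%M%S)
    archive="$dest/user_projects-$ts.tar.gz"
    # -C keeps member paths relative, so the archive restores under any base.
    tar -C "$base" -czf "$archive" user_projects || return 1
    chmod 600 "$archive"
    # A backup that cannot be listed is no backup: read it back before moving on.
    n=$(tar -tzf "$archive" | wc -l | tr -d ' ')
    [ "$n" -gt 0 ] || { echo "archive $archive is empty" >&2; return 1; }
    echo "$archive"
}

# archive_has ARCHIVE MEMBER
#   Succeeds if MEMBER (relative path, e.g. user_projects/domains/GCDomain/...)
#   is present in ARCHIVE. Use it to spot-check the files the later steps rename.
archive_has() {
    tar -tzf "$1" | grep -qx "$2"
}
```

Run it as the oracle user before step 1, for example backup_user_projects /u01/app/oracle/product/11.2.0/gc_inst /u01/backups (the destination is an assumption), and keep the printed path: the restore is tar -C <instance base> -xzf <archive>. The archive covers only the instance's user_projects tree; the OMS home and the repository database still need their own backups, as the note says.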
Introduction
During the 12c OMS installation a 10.3.5 WLS (WebLogic Server) is also installed, and the initial passwords for the weblogic and nodemanager accounts are set depending on the installation type chosen:
If the simple installation type was chosen, the same password is set for all accounts: weblogic, nodemanager, the sysman user and the Agent registration. This is the default for a simple installation.
If the advanced installation type was chosen, the user is given the option to enter separate passwords for the weblogic and nodemanager accounts.
The weblogic account is used for creation and administration of the WebLogic domain GCDomain and its associated components: the Admin Server, the managed server and the node manager.
The nodemanager account is used to connect to the node manager process, which can then be used to start and stop the Admin Server or the managed server.
Changing the Weblogic Password When Existing Password is Unknown
1. Firstly stop the OMS and the Agent on the OMS machine, and set the necessary environment variables (the binary home and PATH variables):
Stop the OMS: The OMS home in this case was /u01/app/oracle/product/11.2.0/em12c
# cd <OMS_HOME>/bin
# emctl stop oms -all
Stop the Agent on the OMS machine: The AGENT home in this case was /u01/app/oracle/product/11.2.0/agent/core/12.1.0.3.0
# cd <AGENT_HOME>/bin
# emctl stop agent
After the above is completed, ensure the OMS has stopped completely and that no java processes are still running from the OMS base location as the oracle user:
# ps -ef | grep java
# ps -ef | grep web
If any processes are listed, confirm from their full command line (or /proc/<pid>/cwd) that they really run from the OMS base installation before killing them with kill <pid>; use kill -9 <pid> only if a process does not exit.
Now set the necessary environment variables for the WLS (WebLogic Server) domain with the script setDomainEnv.sh. It must be sourced (the leading '.') rather than executed, so that the variables stay in the current shell. For this installation the file was located in /u01/app/oracle/product/11.2.0/gc_inst/user_projects/domains/GCDomain/bin
# . ./setDomainEnv.sh
Note:
- In case of a multi-OMS setup, all the OMSs on all machines and the corresponding monitoring agents must be stopped.

2. Next rename the existing DefaultAuthenticatorInit.ldift file in the domain's security directory and create a new one with the java command below. For this installation the file was located in /u01/app/oracle/product/11.2.0/gc_inst/user_projects/domains/GCDomain/security
Note:
- The example below has ${DOMAIN_HOME} set to /u01/app/oracle/product/11.2.0/gc_inst/user_projects/domains/GCDomain
- The java command relies on the WebLogic classpath set by setDomainEnv.sh in step 1, so run it in the same shell.
#cd ${DOMAIN_HOME}/security
#mv DefaultAuthenticatorInit.ldift DefaultAuthenticatorInit.ldift_old
#java weblogic.security.utils.AdminAccount weblogic <new_password> .
Note:
- Replace <new_password> with the new password that you wish to set for the weblogic user. It is passed on the command line, so it will be visible in the process list and the shell history.
- The '.' at the end of the above command is mandatory: it is the directory into which the new DefaultAuthenticatorInit.ldift file is written, here the current directory.

- In a multi-OMS setup the above step needs to be performed on each OMS server, and the same password must be provided for the weblogic user on all the OMS machines.

3. Now rename the ldap directory for the Admin Server (EMGC_ADMINSERVER) and the Managed Server (EMGC_OMS1). For this installation these were located under /u01/app/oracle/product/11.2.0/gc_inst/user_projects/domains/GCDomain/servers
# cd ${DOMAIN_HOME}/servers/EMGC_ADMINSERVER/data
# mv ldap ldap_old

# cd ${DOMAIN_HOME}/servers/EMGC_OMS1/data
# mv ldap ldap_old
In the case of a multi-OMS setup the ldap directory only needs to be renamed for the managed server; however it is safer to do it for every server on each OMS, as the directories are recreated later.
4. If any lock files exist then rename them. The .lok file will exist in the tmp directory of the Admin Server and of the Managed Server. For this installation no files were found; the directories were:
/u01/app/oracle/product/11.2.0/gc_inst/user_projects/domains/GCDomain/servers/EMGC_ADMINSERVER/tmp and
/u01/app/oracle/product/11.2.0/gc_inst/user_projects/domains/GCDomain/servers/EMGC_OMS1/tmp
# cd ${DOMAIN_HOME}/servers/EMGC_ADMINSERVER/tmp
# mv EMGC_ADMINSERVER.lok EMGC_ADMINSERVER.lok_old
# cd ${DOMAIN_HOME}/servers/EMGC_OMS1/tmp
# mv EMGC_OMS1.lok EMGC_OMS1.lok_old
Again, in the case of a multi-OMS setup the tmp/*.lok file(s) only need to be renamed for the managed server. However, check all locations on each OMS to be sure, as a leftover lock file will prevent the restart later.
5. Next edit the Admin Server's boot properties file, ${DOMAIN_HOME}/servers/EMGC_ADMINSERVER/security/boot.properties (for this installation /u01/app/oracle/product/11.2.0/gc_inst/user_projects/domains/GCDomain/servers/EMGC_ADMINSERVER/security/boot.properties), and put the new password entered in step 2 in clear text into the password field ONLY.
Note:
- The password is the only entry that needs to be changed. The username is left encrypted, as it remains weblogic.
Before the edit both the password and the username are encrypted values. Remove the encrypted password value and replace it with the chosen clear-text password for the WebLogic admin user, so that the file looks similar to the below:

password=<new_password_in_clear_text>
username={AES}g6mxfhlx/JtaVKgqx9/pYb8bWaxitVXzbLMzwo9tOIs\=
TrustKeyStore=DemoTrust

6. After this modify the Managed Server's boot properties file, ${DOMAIN_HOME}/servers/EMGC_OMS1/data/nodemanager/boot.properties (for this installation /u01/app/oracle/product/11.2.0/gc_inst/user_projects/domains/GCDomain/servers/EMGC_OMS1/data/nodemanager/boot.properties), and as above put the password entered in step 2 in clear text into the password field. Again it is ONLY the password field that is adjusted; leave all other entries as they are.

password=<new_password_in_clear_text>
username={AES}g6mxfhlx/JtaVKgqx9/pYb8bWaxitVXzbLMzwo9tOIs\=

In case of a multi-OMS setup, the above step also needs to be performed on each OMS server. WebLogic re-encrypts the clear-text value the next time the server boots; until then the file holds the password in the open, so keep it readable by the oracle user only.
7. As part of the OEM 12c OMS installation, two WebLogic users named OracleSystemUser and weblogic_mntr and a WebLogic group OracleSystemGroup are created by the installer. When the weblogic password is modified manually these users are removed, and it is critical that they are re-created manually by following the steps below in the WebLogic console:
In a terminal session, firstly start the Admin Server:
# ${DOMAIN_HOME}/startWebLogic.sh

This was located in /u01/app/oracle/product/11.2.0/gc_inst/user_projects/domains/GCDomain and is also found in the ${DOMAIN_HOME}/bin directory. It is simply run with ./startWebLogic.sh as the oracle user. As the server starts a lot of information will scroll on the screen; wait until the status of the Admin Server is reported as 'RUNNING'. This session should be kept open until the steps below are completed.

Access the Admin Server console using the URL https://<omsmachine.domain>:<port>/console (the default Admin Server console port is 7101). For the exact URL, refer to the details in the ${OMS_HOME}/install/setupinfo.txt file. For this installation it was:
https://oel61b.au.oracle.com:7103/console/login/LoginForm.jsp
Login with the weblogic user and provide the new password that was entered in step 2.
In the Admin Server console, navigate to Security Realms -> myrealm -> Users and Groups -> Groups. Click on the 'New' button and enter the below details:
Name: OracleSystemGroup
Description: Oracle application software system group
Provider: <leave the default value: DefaultAuthenticator>
Click OK.
Navigate to Security Realms -> myrealm -> Users and Groups -> Users. Click on the 'New' button and enter:
User: OracleSystemUser
Description: Oracle application software system user
Password: <provide the same password as the weblogic user>
Click OK.

Click on the username 'OracleSystemUser' and then click on 'Groups'. Select the previously created 'OracleSystemGroup' and click 'Save'.
Note:
On the Groups page for a user, the available groups are shown in the top selection box labelled Parent Groups. After selecting the group, click the single arrow to the right of the available box to move the group from the available section to the chosen section underneath. Then press 'Save' to commit the group selection.

In Security Realms -> myrealm -> Users and Groups -> Users, click on the 'New' button again and enter:
User: weblogic_mntr
Description: Oracle application weblogic mntr user
Password: <provide the same password as the weblogic user>
Click OK.
Click on the username 'weblogic_mntr' and then click on 'Groups'. Select 'Administrators' and click 'Save'.

If the Admin Server username specified during the OEM installation is something other than 'weblogic' (AS_USERNAME in emgc.properties), then a user with that username must also be created and assigned to the 'Administrators' group.
The password for nodemanager is needed in step 9, when the new weblogic password is saved in the credential store. If the nodemanager password is also not known, set a new one using the steps in the section below:
Changing the Nodemanager Password
The nodemanager password can be modified by logging into the Admin Server console as the weblogic user.
1. Firstly access the Admin Server console using the URL:
https://<omsmachine.domain>:<port>/console
(The default Admin Server console port is 7101. For the exact URL, refer to the details in the ${OMS_HOME}/install/setupinfo.txt file.)
2. Login with the weblogic user and navigate to GCDomain -> Security -> expand the Advanced section. Before a change can be made, click 'Lock and Edit' if the console is not already in edit configuration mode.

Enter the new password in the 'NodeManager Password' and 'Confirm NodeManager Password' fields and click 'Save'. Then click 'Activate Changes' in the left panel.

3. On the OMS machine, edit the nm_password.properties file under <EM_INSTANCE_BASE>/user_projects/domains/GCDomain/config/nodemanager and modify it as below. For this install the location was:
/u01/app/oracle/product/11.2.0/gc_inst/user_projects/domains/GCDomain/config/nodemanager
To start with, the file contains only one entry, similar to the following:

#
#Sun Sep 15 23:09:09 EST 2013-11-20
hashed={Algorithm\=SHA-256}Tb0MrGyvTAiQLWU2vq01WjqSJTXtBiHbsiyHxZ6aHL8\=

Provide the new password for the node manager in clear text. Ensure there is no 'space' character at the end of any line. In case of a multi-OMS setup the above step needs to be performed on each OMS server.
The file will now look like the below with the new entries. Obviously the password will be whatever value was set earlier and not the xxxxxx shown. It is really important that the password= and username= entries are ADDED to the bottom of the file as below and that nothing else is removed or changed. Node Manager replaces the clear-text entries with a fresh hashed= line when it next starts, so do not leave the file world-readable in between.

#
#Sun Sep 15 23:09:09 EST 2013-11-20
hashed={Algorithm\=SHA-256}Tb0MrGyvTAiQLWU2vq01WjqSJTXtBiHbsiyHxZ6aHL8\=
password=xxxxxx
username=nodemanager
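Steps 5 and 6 of the weblogic change and step 3 of the node manager change all come down to editing a Java properties file so that only the password entry changes, with no trailing spaces and nothing else lost. The functions below are an added example for this page, not code from the original paper or from Oracle; the file paths are arguments and the file contents used to exercise them are constructed. The password is handed to awk through the environment rather than on its command line, so that characters such as '!', '$' and '&' are stored literally and the value does not show up in the process list.

```shell
#!/bin/sh
# Added example (not from the original paper): edit WebLogic boot.properties and
# nm_password.properties exactly as the steps require, changing only the
# password entry. Paths are arguments; the page's own paths are in the text.

# _keep_copy FILE: timestamped, owner-only copy of FILE taken before any edit.
_keep_copy() {
    bak="$1.$(date +%Y%m%d%H%M%S)"
    cp -p "$1" "$bak" && chmod 600 "$bak"
}

# set_boot_password FILE NEW_PASSWORD
#   Replaces the value of the existing password= line with NEW_PASSWORD in clear
#   text and leaves every other line (encrypted username=, TrustKeyStore=, ...)
#   untouched. Fails if FILE has no password= line, so a wrong path is noticed
#   instead of silently adding a second entry.
set_boot_password() {
    file="$1"; pw="$2"
    grep -q '^password=' "$file" || { echo "$file: no password= entry" >&2; return 1; }
    _keep_copy "$file" || return 1
    # ENVIRON avoids both shell word splitting and awk -v escape processing.
    PW="$pw" awk '
        /^password=/ { print "password=" ENVIRON["PW"]; next }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file" && chmod 600 "$file"
}

# set_nm_password FILE NEW_PASSWORD
#   Appends password= and username=nodemanager to nm_password.properties,
#   replacing any stale clear-text entries, and keeps the hashed= and comment
#   lines. Trailing blanks, which the step warns about, are stripped everywhere.
set_nm_password() {
    file="$1"; pw="$2"
    [ -f "$file" ] || { echo "$file: not found" >&2; return 1; }
    _keep_copy "$file" || return 1
    PW="$pw" awk '
        { sub(/[ \t]+$/, "") }                 # no trailing spaces on any line
        /^password=/ || /^username=/ { next }  # drop old clear-text entries
        { print }
        END { print "password=" ENVIRON["PW"]; print "username=nodemanager" }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file" && chmod 600 "$file"
}

# property FILE KEY: prints the value of the first KEY= line, for verification.
property() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}
```

Typical use after sourcing the file: set_boot_password "$DOMAIN_HOME/servers/EMGC_ADMINSERVER/security/boot.properties" 'Webl0gic!' and then property on the same file to confirm that username= is still the {AES} value. Quote the password in single quotes when typing it interactively, since that is where the shell would otherwise expand '!'.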

8. Back in the WebLogic Admin console, navigate to GCDomain -> Security -> Embedded LDAP, click 'Lock and Edit' and select the flag 'Refresh Replica At Startup'.

Then click 'Save' and then click on 'Activate Changes'.
Note:
- This step is needed to ensure that the LDAP data for the managed servers is properly synchronized on startup.
Finally stop the Admin Server with 'Ctrl+c' in the terminal session from which it was started at the beginning of step 7.
9. Run the below command to save the new passwords to the EM credential store. Before executing, ensure that OMS_HOME is defined and its bin directory is on the PATH, for example:
#export OMS_HOME=/u01/app/oracle/product/11.2.0/em12c/oms
#export PATH=$OMS_HOME/bin:$PATH

#cd ${OMS_HOME}/bin
#emctl secure create_admin_creds_wallet -admin_pwd <weblogic_pwd> -nodemgr_pwd <node_manager_pwd>
In the case of a multi-OMS setup the above step needs to be performed on each OMS server. As with the SYSMAN change, both passwords appear on the command line and so in the process list and shell history.
10. Now start the OMS:
#cd ${OMS_HOME}/bin
#emctl start oms
11. Log back into the WebLogic Admin Server console with username weblogic and the new password. Navigate to GCDomain -> Security -> Embedded LDAP, click 'Lock and Edit' and clear the flag 'Refresh Replica At Startup'.
Click 'Save' and then click on 'Activate Changes'.
Note:
- The flag was used only to synchronize the LDAP data of the managed servers at their first startup after the password change. Once that is accomplished the option needs to be turned off, as it adds cost to every startup. It was set in step 8, just before stopping the Admin Server.
12. Now restart the OMS as normal; this applies the change made in step 11.
#cd ${OMS_HOME}/bin
#emctl stop oms -all
#emctl start oms
13. The EMGC_GCDomain is a monitored target inside Enterprise Manager, and the monitoring credentials of this target need to be updated so that it continues to be monitored.
To do this, firstly ensure the agent is running on the OMS host:
#export AGENT_HOME=/u01/app/oracle/product/11.2.0/agent/core/12.1.0.3.0
#cd ${AGENT_HOME}/bin
#emctl start agent

Note:
- The emcli command line tool is used, after starting the agent, to update the password from a script.
- The username provided to emcli is weblogic_mntr, with the password set for it in the Admin Server console. As noted below, care is required with characters that are special to the shell.
- The monitoring password should be updated only after starting the Agent.
EMCLI:

To find out the whole current state of the targets in the OEM12c implementation without entering the console, the command line emcli interface was used.

Firstly the environment needs to be set with OMS_HOME defined as earlier and OMS_HOME/bin added to the PATH, so that the commands are available from any location. For example:

#export OMS_HOME=/u01/app/oracle/product/11.2.0/em12c/oms
#export PATH=$OMS_HOME/bin:$PATH

To use emcli the first command required in a session is a login, for which the username and password of a privileged account are needed. In this case sysman is used. EMCLI verb options take a leading hyphen; if -password is omitted emcli prompts for it, which keeps the password out of the shell history and the process list.

#emcli login -username=sysman -password=Welcome1
Note:
- The emcli session remains open until a logoff is issued or the session is terminated.
Next the emcli command get_targets is issued. This lists all targets with their internal name and target type.
#emcli get_targets
The screen shot taken at this time showed the targets in a DOWN state due to the incorrect password.

Note:
- When setting the password, take care with characters that are special to the shell, since the password is passed to emcli on a command line and the shell may alter it before emcli sees it. In this case the password contained a '!', which an interactive bash shell treats as history expansion. Bash does not apply history expansion inside a script, and the Korn shell does not perform it at all, so placing the commands in a Korn shell script avoided the problem and the script executed without error. The credentials value must also be quoted, because the ';' separating its fields would otherwise end the command. The script is shown below for reference; once executed in the test environment all targets were shown as status UP.

#!/bin/ksh
#
# Oracle OEM EMCLI script to modify target properties after the WebLogic password change
# for Application targets. Keep this file mode 700: it holds the SYSMAN and weblogic_mntr
# passwords in clear text.
#
# First set the environment correctly ("." is deliberately not on the PATH).
#
export OMS_HOME=/u01/app/oracle/product/11.2.0/em12c/oms
export PATH=$OMS_HOME/bin:$PATH
#
# Next log in to emcli (NOTE: change the password as needed below, or omit -password to be
# prompted for it instead of storing it here).
#
emcli login -username=sysman -password=Welcome1 || exit 1
#
# After login, modify all required targets. The list was obtained from emcli get_targets
# output. Each emcli command is one logical line; EMCLI verb options take a leading hyphen.
#
emcli modify_target -name=/EMGC_GCDomain/GCDomain -type=weblogic_domain \
  -credentials='Username:weblogic_mntr;password:Webl0gic!;' -on_agent
#
# Finally log off emcli.
#
emcli logoff
#EOF

After executing the above it will take a few minutes for the target state to update in the console. If emcli can be logged into again, the emcli get_targets command can be re-executed several times until the status changes from DOWN to UP. This can also be viewed in the console summary page in OEM12c if desired.
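Rather than re-running emcli get_targets by hand until DOWN turns into UP, the check can be polled. The functions below are an added example for this page, not part of the original paper or of EMCLI. The column layout they parse (Status ID, Status, Target Type, Target Name) and the sample output are constructed from the shape of 12c emcli output and should be checked against the header of a live run; a real run passes a function that calls emcli get_targets after emcli login instead of the sample.

```shell
#!/bin/sh
# Added example (not from the original paper): poll target status after the
# credential update until nothing is left DOWN, with a bounded number of tries.
# The get_targets column layout assumed here is: Status ID, Status, Target Type,
# Target Name (target names may contain spaces, so everything after column 3
# is the name).

# down_targets  (reads get_targets output on stdin)
#   Prints "type name" for every target whose Status column is not Up,
#   skipping the header line.
down_targets() {
    awk 'NR > 1 && $2 != "Up" {
        name = $4
        for (i = 5; i <= NF; i++) name = name " " $i
        printf "%s %s\n", $3, name
    }'
}

# wait_targets_up FETCH TRIES SLEEP_SECS
#   Calls FETCH (a function or command printing get_targets output) up to TRIES
#   times, SLEEP_SECS apart, until no target is down. Returns 0 when all are Up,
#   1 on timeout, listing the targets still down on stderr.
wait_targets_up() {
    fetch="$1"; tries="$2"; pause="$3"
    i=0
    while [ "$i" -lt "$tries" ]; do
        down=$("$fetch" | down_targets)
        [ -z "$down" ] && return 0
        i=$((i + 1))
        [ "$i" -lt "$tries" ] && sleep "$pause"
    done
    echo "still down after $tries checks:" >&2
    echo "$down" >&2
    return 1
}

# Constructed sample standing in for "emcli get_targets" output while offline.
sample_get_targets() {
    cat <<'EOF'
Status ID  Status  Target Type          Target Name
1          Up      host                 oel61b.au.oracle.com
1          Up      oracle_emd           oel61b.au.oracle.com:3872
0          Down    weblogic_domain      /EMGC_GCDomain/GCDomain
0          Down    weblogic_j2eeserver  /EMGC_GCDomain/GCDomain/EMGC_ADMINSERVER
EOF
}

# Live use: define a fetcher around emcli and poll, e.g. ten times a minute apart.
live_get_targets() { emcli get_targets; }
# wait_targets_up live_get_targets 10 60
```

Log in first with emcli login -username=sysman (prompted for the password), then wait_targets_up live_get_targets 10 60; a non-zero exit with a list on stderr means some target is still down after the ten checks and the credential change for that target should be re-examined rather than waited out.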
About the Author:
Andy Baker is an Oracle Database administrator with over 18 years of experience. This experience covers
Banking, Oil and Gas, Insurance and Telecoms for many major global organizations working all over the
world. A large amount of time was spent working in Oracle global support specializing in backup and
recovery. Today Andy works for Oracle Consulting Services as a Senior Principal consultant and is based
in Melbourne Australia.

Please feel free to contact Andy for further information or to discuss anything of interest in relation to
Oracle Database Administration or this paper.
