|
|
| Line 1: |
Line 1: |
| − | ==Background==
| + | http://www.idevelopment.info/data/Oracle/DBA_tips/Database_Administration/DBA_26.shtml |
| − | As you may know, Oracle Intelligent Agent communicates with Oracle Enterprise Manager to pass on information about components such as the database, the listener, and the server itself. To get data about the database, it needs to connect to the database using some userid. By default, the userid used is DBSNMP.
| |
| | | | |
| − | When the database is created, the password of dbsnmp is also set to dbsnmp. This user has some powerful privileges, such as UNLIMITED TABLESPACE, SELECT ANY DICTIONARY (which allows the user to select from dynamic performance views and data dictionary views), and ANALYZE ANY DICTIONARY (which allows analyze of the system objects). Many intruders use this user and password for back-door entry into the database. Needless to say, this is a huge security hole.
| + | http://www.oracle.com/technology/pub/articles/project_lockdown/phase1.html#1.9 |
| − | | |
| − | ==Strategy==
| |
| − | You have to change the password of this user to something other than dbsnmp. However, you can't just change the password at the database level, because that password is also stored in the agent configuration files. You need to update the configuration files to use the new password as well. Here's the procedure for Oracle Database 10g.
| |
| − | First change the password of the user DBSNMP to something else, e.g. TopSecret:
| |
| − | SQL> alter user dbsnmp identified by topsecret;
| |
| − | Go to the directory where the Oracle Agent Home is installed (not ORACLE_HOME), e.g. /u01/app/oracle/10.1/gridc.
| |
| − | Go to directory <hostname>/sysman/emd , where <hostname> is the name of the host or server. For instance, if the name of the server is prolin1, then the directory should be prolin1/sysman/emd.
| |
| − | Here you will find a file named targets.xml. Copy it under a new name (e.g. targets.xml.old).
| |
| − | Open the file targets.xml and search for the word "dbsnmp"; it should be similar to
| |
| − | <Target TYPE="oracle_database" NAME="PROPRD1_prolin1">
| |
| − | <Property NAME="MachineName" VALUE="192.168.101"/>
| |
| − | <Property NAME="OracleHome" VALUE="/u01/app/oracle/10.1/db1"/>
| |
| − | <Property NAME="Port" VALUE="1521"/>
| |
| − | <Property NAME="Role" VALUE="NORMAL"/>
| |
| − | <Property NAME="SID" VALUE="PROPRD1"/>
| |
| − | <Property NAME="ServiceName" VALUE="PROPRD"/>
| |
| − | <Property NAME="UserName" VALUE="dbsnmp"/>
| |
| − | <Property NAME="password" VALUE="3797cf30e7c4a9c6" ENCRYPTED="TRUE"/>
| |
| − | <CompositeMembership>
| |
| − | <MemberOf TYPE="rac_database" NAME="PROPRD" ASSOCIATION="cluster_member"/>
| |
| − | </CompositeMembership>
| |
| − | </Target>
| |
| − | | |
| − | Note the line:
| |
| − | <Property NAME="password" VALUE="3797cf30e7c4a9c6" ENCRYPTED="TRUE"/>
| |
| − | This is where you will set the value of the password. Replace the above with:
| |
| − | | |
| − | <Property NAME="password" VALUE="topsecret" ENCRYPTED="FALSE"/>
| |
| − | Note that you changed the value of ENCRYPTED to FALSE.
| |
| − | | |
| − | If this is a RAC database, this line will occur twice in the file. Make sure you change both occurrences. Search the file for the word "password" to locate these two instances.
| |
| − | | |
| − | Now stop the agent by issuing:
| |
| − | /u01/app/oracle/10.1/gridc/bin/emctl stop agent
| |
| − | Restart the agent:
| |
| − | /u01/app/oracle/10.1/gridc/bin/emctl stop agent | |
| − | When you restart the agent, the cleartext password in the configuration file is encrypted. If you check the above line in the targets.xml file again, you will see something similar to:
| |
| − | <Property NAME="password" VALUE="3797cf30e7c4a9c6" ENCRYPTED="TRUE"/>
| |
| − | Note how the cleartext value has been converted to encrypted value.
| |
| − | | |
| − | Now the agent is configured with the new password.
| |
| − | | |
| − | If you use the stand-alone Database Console instead of Grid Control, then the procedure is similar—except that in Step 2, you would go to ORACLE_HOME, not where the Agent Home is located.
| |
| − | Implications
| |
| − | There are no user implications here.
| |
| − | | |
| − | ==Action Plan==
| |
| − | | |
| − | Change the password of the user DBSNMP.
| |
| − | Update the agent files to reflect the new password.
| |
