Oracle Enterprise Manager (OEM) locking SYSMAN account
https://dba.stackexchange.com/questions/6758
-
16-10-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
Why does Oracle Enterprise Manager reset my SYSMAN account to LOCKED(TIMED) status?
I've tried rebuilding Enterprise Manager, and re-installation of Enterprise Manager, which always works, until the next reboot, and back to where we started...
Solution
Benoit, you actually had a partial answer, everything you said was correct, but after next reboot, the account locked. After several hours of more research, the following issue was discovered, with the appropriate resolution.
Enterprise Manager had the default SYSMAN password stored for its credentials, and was trying to lock in with that password in rapid succession (300 times a minute or so according to the Event Log). Hence, after several rapid tries with the same wrong password, Oracle locks the account.
Setting a new password in SQL*PLUS or SQL Developer doesn't reset the password used to login to Enterprise Manager, to reset the password in enterprise manager, you need to open a command prompt and do the following:
emctl config oms sso -remove
emctl stop oms
emctl start oms
During the above commands, it'll prompt you for the current SYSMAN password, which you can enter, and it should remove the SYSMAN password used by your Enterprise Manager Console, replacing it with the one you just entered.
OTHER TIPS
The status "LOCKED(TIMED)" means that the account has been locked because the password has expired and must be changed.
This has nothing to do with OEM. It is related to the profile assigned to your SYSMAN account.
You can run the following query (need read on DBA_* views) to check:
select
p.profile as "Profile",
p.limit as "Limit"
from
dba_profiles p,
dba_users u
where
u.USERNAME='SYSMAN'
and u.profile=p.profile
and p.resource_name='PASSWORD_LIFE_TIME'
;
It will give you the name of the profile and the amount of time (in days) after which the password must be changed.
You can remove the password life time with the following:
alter profile "<PROFILE NAME>" limit password_life_time unlimited;
EDIT: "Locked(TIMED)" means the account has been locked because a wrong password has been entered to many time. It the password would have expired, the status would be "EXPIRED(GRACE)".
If Grid Control doesn't have the good password, you can modify the configuration using the following documentation: http://download.oracle.com/docs/cd/E11857_01/em.111/e16790/repository.htm#i1029558 (for OEM 11gR1).
If you are using Oracle with EM Console on Windows, your SYSMAN account will get locked periodically. This happens due to unordered start of DB Instance, DB Listener and EM Console. Correct order should be:
- Listener
- DB Instance
- EM Console
In case if you have your SYSMAN account locked, do following:
To confirm the account is locked:
select account_status from dba_users where username='SYSMAN';
Shutdown EM Console service.
Unlock the SYSMAN account (if you don't know the password for SYSMAN, it may be good time to assign it yourself):
alter user SYSMAN [identified by PWD] account unlock;
Start regedit to put correct order of Oracle services startup.
- In regedit find
My Computer/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/*<OracleDB Instance Service name>* - Create new Multi-string value named "DependOnService" and put name of your the depends on.
Find
My Computer/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/*<EM Console Service name>*Create new Multi-string value named "DependOnService" and put name of your the EM Console serves.
NOTE: Exact names of Oracle services can be obtained from Windows Services Management Console.
You should reset SYSMAN password in EM Console files, the easiest way would be running following command:
emctl setpasswd dbconsole
*NOTE: Enter SYSMAN password (PWD) when prompted. You may also need to set ORACLE_SID before running emctl.*
Now start the EM Console service and see if it works. Reboot the server to make sure everything still operates normally.
