In recent years, organizations have recognized the importance of locking privileged credentials such as the SYS user to enhance overall security. However, this practice has posed challenges for Enterprise Manager administrators who require access to the SYS account for critical activities such as patching, plug-in deployment, and installations. This blog reviews how EM has evolved to support a more secure and compliant process for patching and plug-in deployment activities. We will review new capabilities such as:
- The removal of the dependency on the SYS user, which allows administrators to use an admin user for these tasks and makes it easier for organizations to meet their security and compliance policies.
- How to gain insights into the updated lifecycle management process, regardless of experience with Enterprise Manager
- Understand how these changes can benefit your organization and enhance your overall Enterprise Manager experience.
Patching: Applying Release Update (RU) using non-SYS user
Starting with EM 13.5 Release Update 15 (RU15), applying an RU on OMS does not require a SYS user password. Administrators can apply the RU on Oracle Management Server (OMS) using a non-SYS user and complete the patching process. Below are the steps to apply an RU on OMS using non-SYS users in the repository database.
Note: If your organization does not have restrictions on using the SYS user account and password, then you can perform the patching as usual. Otherwise, follow the instructions in this blog to apply an RU on the OMS using a non-SYS user if there are restrictions on using a SYS user account.
Applying RUs on OMS using non-SYS user
The omspatcher framework supports the orchestration of applying RU on OMS using non-SYS users for both the Traditional Method (Offline Patching) and Rapid Platform Update (RPU) Method (Online Patching).
Let’s see how to create the non-SYS user in the repository before proceeding with applying an RU on OMS.
Pre-requisite Steps:
- Applying an RU using non-SYS users is supported from RU15 onwards, so ensure the corresponding omspatcher version is downloaded from MOS as per the patch readme file.
- Once the omspatcher zip file is downloaded, update the omspatcher directory in the OMS home and ensure the version number is the same as updated in the patch readme file.
- When creating the non-SYS user, the name must always take the form SYSMAN_<username>. The ‘SYSMAN’ prefix and the <username> can be in upper or lower case, for example sysman_john or SYSMAN_ADMIN.
Creating a non-SYS user in the repository database:
The script ‘createLCMUser.pl’ in the omspatcher tool is used to create the non-SYS user in the repository database. Below are the steps to create the user.
- Navigate to the $OMS_HOME/OMSPatcher/createLcmUserUtl directory and locate the ‘createLCMUser.pl’ file.
- Invoke the Perl file ‘createLCMUser.pl’ by providing the OMS Oracle home (-oh) as the mandatory parameter.
- Reference the command and example below.
- [<oms home>/OMSPatcher/createLcmUserUtl]$ perl createLCMUser.pl -oh <OMS home location>
- Example: /u01/app/oracle/mw135/OMSPatcher/createLcmUserUtl> perl createLCMUser.pl -oh /u01/app/oracle/mw135
- The non-SYS user creation is supported in interactive and silent modes. Based on your preference you can either use interactive or silent mode to create the non-SYS user in the repository database.
Note: The script ‘createLCMUser.pl’ requires a repository database SYS user account password for creating the non-SYS user in the repository database. This is a one-time activity and once the non-SYS user is created in the repository database, that user can be used for applying the RUs on OMS.
Interactive Mode:
In this mode, the script ‘createLCMUser.pl’ will prompt for the database username, database user password, and SYS password. Here the EM administrator can provide the database username of their choice by prefixing it with ‘SYSMAN_*’.
For example, the EM administrator can provide the username as ‘sysman_john’ or ‘SYSMAN_ADMIN’ and a password according to the password policy defined for EM. Reference here.

In the below example, we create the ‘SYSMAN_ADMIN’ user in the repository database using the createLCMUser.pl script.
Silent Mode:
In this mode, the property file is used to pass the database username, database user password and SYS password using the silent option. Below is the example command and property file to create the non-SYS user in silent mode.
$OMS_HOME/OMSPatcher/createLcmUserUtl > perl createLCMUser.pl -oh <OMS home location> -silent -property_file <propertyfile path>
- -property_file is a file path where all user inputs are provided. Below is the example property file.
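Because the silent-mode property file holds the SYS password, it is worth checking the file's permissions and the user name before the run. The script below is an added example, not part of omspatcher or the original post; the function names and the character set allowed after the SYSMAN_ prefix are assumptions, and only the paths and options come from the steps above.

```shell
#!/bin/sh
# Added example: pre-flight checks before a silent-mode createLCMUser.pl run.
# Function names are hypothetical; paths and options are taken from the post.

# The post requires the SYSMAN_ prefix (upper or lower case) plus a user name.
# Assumption: the remainder is limited to letters, digits and underscores.
valid_lcm_username() {
    upper=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    case "$upper" in
        SYSMAN_?*) ;;
        *) return 1 ;;
    esac
    case "$upper" in
        *[!A-Z0-9_]*) return 1 ;;
    esac
    return 0
}

# The property file carries the SYS password, so it must be a regular file
# (not a symlink) with no group or other permission bits set.
property_file_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    perms=$(ls -ld -- "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Usage: lcm_preflight <OMS home> <user name> <property file>
# Prints the silent-mode command from the post when every check passes.
lcm_preflight() {
    util_dir="$1/OMSPatcher/createLcmUserUtl"
    [ -f "$util_dir/createLCMUser.pl" ] || {
        echo "createLCMUser.pl not found under $util_dir" >&2; return 2; }
    valid_lcm_username "$2" || {
        echo "user name must be SYSMAN_<username>: $2" >&2; return 3; }
    property_file_is_private "$3" || {
        echo "property file must not be group/other accessible: $3" >&2; return 4; }
    echo "cd $util_dir && perl createLCMUser.pl -oh $1 -silent -property_file $3"
}

# Run the checks when called with the three arguments.
if [ "$#" -eq 3 ]; then
    lcm_preflight "$@"
fi
```

Remove the property file once the user has been created, since creating the non-SYS user is a one-time activity and the file is not needed for later RUs.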

Applying an RU on OMS using a non-SYS user
Once the above steps have been completed and the non-SYS user (for example, sysman_john or SYSMAN_ADMIN) is created in the repository database, you are ready to patch the OMS using the non-SYS user. Patching OMS using a non-SYS user is no different from the normal patching process: provide the non-SYS user and its password to patch the OMS. Below is the traditional patching flow. When ‘omspatcher apply’ is invoked, it will ask for the database username and password. Here, provide the SYSMAN_<username> user that was created in the repository database for patching.

Note: If your organization does not have restrictions on using the SYS user account and password, then at the prompt highlighted in the screenshot below, input the ‘DB user name’ as ‘SYS’ and enter the password for the ‘SYS’ account. The screenshot below shows SYS user-based patching, which is the normal patching flow.

Important Things to Remember
- Only one non-SYS user can be created in the repository database for EM.
- Never delete the non-SYS user from the repository database. Deleting the non-SYS user from the repository can cause issues and disrupt the patching and plug-in deployment processes.
- Switching to the ‘SYS’ user is not allowed once the non-SYS user is used for activities in EM such as Patching, Plug-in deploy/un-deploy.
- EM doesn’t support a mixed mode of applying one RU using a non-SYS user and another RU using a SYS user. The same applies to the plug-in deploy and un-deploy operations. If your EM 13.5 was installed fresh or upgraded with a SYS user and you have since applied an RU (for example, RU15 or later) using a non-SYS user, then you cannot switch back to the SYS user for applying later RUs (for example, RU17) on OMS. You should continue the patching with the non-SYS user only.
How to use the non-SYS user to perform Plug-in Deployment and Un-deployment on OMS from Console.
In Enterprise Manager plug-in deployment and un-deployment, the use of the SYS user account password is required from the console or emcli. As organizations are locking down SYS users, it’s difficult for EM administrators to get the SYS password and use it for plug-in deployment and the un-deployment process. EM 13.5 Release Update 15 (RU15) and later supports plug-in deployment or un-deployment on OMS without the need for a SYS user password. As an administrator, you can deploy or un-deploy plug-ins on OMS using non-SYS users.
To use the non-SYS user for plug-in deployment or un-deployment, you need to first create the user in the repository database. If the non-SYS user exists in the repository database that you created as part of the patching process, then you can use the same non-SYS user to perform plug-in deployment or un-deployment operations on OMS. Otherwise, create the non-SYS user in the repository database by following the steps updated in the “Creating a non-SYS user in the repository database” section of this blog.
Assuming you have created the non-SYS user or are using an existing non-SYS user that was created as part of the patching process; we will see the changes made to the plug-in deployment or un-deployment screen that accepts the non-SYS user.
Follow the normal plug-in deployment or the un-deployment procedure by downloading the plug-in from self-update and applying it on OMS. The plug-in deploy screen executes the prerequisite checks. The next screen asks for repository details. Provide the non-SYS user credentials and store them as named credentials in EM. Reference below:

If you are looking for command-line options to deploy or un-deploy a plug-in, emcli accepts the non-SYS user credentials through the parameters ‘-dbUser’ and ‘-dbPassword’. Refer to the plug-in documentation for the command reference.
Conclusion
EM has evolved to support a more secure and compliant process by removing the dependency on the SYS user and allowing administrators to use a non-SYS user for key admin tasks. These changes have made it easier for organizations to meet their security and compliance policies and provide valuable insights for both experienced and new EM users. Overall, these changes benefit organizations by enhancing their EM experience and ensuring a more secure and compliant process for patching and plug-in deployment activities.
Additional Resources
Patching with Non-SYS User (Admin User)
Deploying & un-deploying plug-ins to Oracle Management Service