Meet changing database password policies using Enterprise Manager

February 9, 2023 | 4 minute read
Desiree Abrokwa
Product Manager, Enterprise and Cloud Manageability

This blog assumes the user is familiar with Enterprise Manager and Enterprise Manager Target Credentials.

Enterprise Manager (EM) 13.5 supports the automatic changing of database passwords. This is supported by two types of jobs: one for the database monitoring credentials and another for other database users. These jobs can be used to change the password in EM and the target database. The new password can be user-specified or auto-generated based on the existing password. With password policies changing to meet stricter security requirements, it is imperative that passwords always remain compliant. In EM 13.5 Release Update 12 (RU12), we now support password policy changes with a new reference password feature.

 

Implementing password policy changes with Enterprise Manager

Let’s say your password policy changed from a minimum password length of 8 characters to 12 characters. You need to make sure that all your database monitoring credentials are compliant with this new policy change. Now with EM 13.5 RU12 you can use the “Change the Password for the Database Monitoring User” job and provide a reference password that has 12 characters. This would then auto-generate a new password of 12 characters that now complies with your updated policy.

 

Using the Database Monitoring user password rotation job

The database password rotation jobs change passwords in EM and in target databases. There are two job types: “Change the Password for the Database Monitoring User” and “Change the Password for a Database User”. The first job type changes the database monitoring credentials and the second changes passwords for other database users. The reference password feature is available for both job types. This blog reviews the steps for using the reference password feature in the “Change the Password for the Database Monitoring User” job.

To begin, the following EM privileges are required to use this job:

  1. CONNECT_TARGET
  2. CONFIGURE_TARGET
  3. EDIT_CREDENTIAL
  4. CREATE_JOB

The first two target privileges are for the database targets that the job executes on. The third privilege is used to edit any Named Credentials that reference the database monitoring user. 

Database Monitoring User password rotation steps:

  1. On the EM menu, navigate to the Job tab and then to Activity
  2. From the Activity page, click on the "Create Job" button
  3. Select “Change the Password for the Database Monitoring User”
Figure 1: The job type selected in Oracle Enterprise Manager

 

  4. Specify a job name and select targets whose monitoring credentials you need to update:
Figure 2: General tab after selecting the job

 

  • Targets can be individual databases or a group containing databases. 

 

  5. Define the job parameters for changing the password:
Figure 3: Parameters tab for the job with all Auto-Generate new password options

 

Figure 4: Parameters tab after selecting Auto-Generate New Password: Yes (Based on reference password)

 

  • You are given the option to specify your own password or auto-generate a new password. Auto-generated passwords are only known to and managed by Enterprise Manager.
  • Enter the following information in the job parameters to auto-generate a password:
    • Auto-Generate New Password: Yes (Based on Reference Password)
    • Reference Password if Auto-Generated: [Enter Your Reference Password]
      • Note: Ensure your reference password is compliant with your current password policies for EM to auto-generate a new compliant password.
    • Confirm your Reference Password
    • Leave the rest of the fields blank

 

  6. Define a job schedule for the job:
Figure 5: Schedule tab after selecting the new job type

 

  • To align with your enterprise's password rotation policy, you can specify a repeating schedule for this job. Schedule this job to run before the monitoring user password expires as per the password profile defined for the database user. 
  • Click submit to schedule the job. The database password changes after the job is successfully executed. It updates the password of the user in the database, agent monitoring credentials, and the target-scoped named credentials.
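
To choose a compliant reference password and a schedule that runs before expiry, it helps to read the password profile that applies to the monitoring user on each target database. The query below is an added example, not part of the original post or of Enterprise Manager. It assumes the monitoring user is named DBSNMP (adjust to your environment) and that you can query the DBA_USERS and DBA_PROFILES dictionary views.

```sql
-- Added example: show the password limits that apply to the monitoring user.
-- Assumption: the monitoring user is DBSNMP; change the literal if yours differs.
SELECT u.username,
       u.account_status,
       u.profile,
       u.expiry_date,
       -- NULL when the profile imposes no expiry
       TRUNC(u.expiry_date - SYSDATE) AS days_until_expiry,
       p.resource_name,
       -- A limit of 'DEFAULT' means the value is inherited from the DEFAULT profile
       CASE
         WHEN p.limit = 'DEFAULT' THEN d.limit
         ELSE p.limit
       END AS effective_limit
FROM   dba_users u
JOIN   dba_profiles p
       ON  p.profile = u.profile
       AND p.resource_type = 'PASSWORD'
LEFT JOIN dba_profiles d
       ON  d.profile = 'DEFAULT'
       AND d.resource_name = p.resource_name
WHERE  u.username = 'DBSNMP'
AND    p.resource_name IN ('PASSWORD_LIFE_TIME',
                           'PASSWORD_GRACE_TIME',
                           'PASSWORD_VERIFY_FUNCTION')
ORDER  BY p.resource_name;
```

The repeat interval of the job should be shorter than the effective PASSWORD_LIFE_TIME (in days), and the reference password should satisfy the function named in PASSWORD_VERIFY_FUNCTION.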

 

Conclusion

Take advantage of EM’s password rotation jobs to simplify the task of changing passwords across your fleet of databases and meet ever-changing database password security requirements. Get started now with this enhanced feature!

For more information and a detailed step-by-step guideline on how to use these jobs, see this documentation.

 

Desiree is a Product Manager in the Enterprise and Cloud Manageability organization at Oracle Corporation. She currently focuses on the monitoring space of Enterprise Manager. She has a Bachelor of Science degree in Computer Science from the University of Maryland, College Park.