How to Change OEM DBSNMP monitoring credentials using EMCLI Shell Script or Rundeck

When an Oracle database is installed, a DBSNMP user is provisioned out-of-the-box that is primarily used for monitoring that database from Enterprise Manager Cloud Control.

Password rotation is a normal part of the security policy for all users, and this typically applies to the DBSNMP user as well. This becomes a burden when dealing with hundreds or perhaps thousands of databases. This task usually involves changing the password for this database user and then updating all Enterprise Manager configurations that use this password for monitoring/administrating that database.

Now using below shell script you can configure a Rundeck job or Intergrate shell script with you security tools. Basically I have using EMCLI to change DBSNMP Password from Oracle Enterprise Manager [OEM] so it will submit a job to change database password.

Configure below shell script with Rundeck Job.
Create a Job in Rundeck with below fields or using below YAML to import into your Rundeck job

- defaultTab: nodes
  description: This will update the DBSNMP password in OEM & Database without blackouts
  executionEnabled: true
  id: 365624b5-7d04-47e6-a1ac-c1e710f295ff
  loglevel: INFO
  name: Change Oracle DBSNMP from OEM - Dev
  nodeFilterEditable: false
  options:
  - enforced: true
    name: Host
    required: true
    values:
    - dbadeedsoem
    valuesListDelimiter: ','
  - description: Enter the OEM Sysman Password
    hidden: true
    label: Enter the Sysman Password
    name: sysman_pwd
    secure: true
    storagePath: keys/rundeck/private.key/dev_sysman
    valueExposed: true
  - description: Enter the Database ServerName
    label: Select Database HostName
    name: Target_Name
    values:
    - dbadeeds01
    - dbadeeds02
    - dbadeeds03
    - dbadeeds04
    
    valuesListDelimiter: ','
  - label: Enter the Old Database DBSNMP Password
    name: Db_Old_Passwd
    secure: true
    valueExposed: true
  - description: Keep 15Digits with alphanumeric values
    label: Enter the New DBSNMP Password
    name: Db_New_Passwd
    required: true
    secure: true
    valueExposed: true
  - description: Like oracle_database or rac_database or pdb_database
    label: Enter the OEM Target Type
    name: Target_Type
    required: true
    values:
    - oracle_database
    - pdb_database
    - rac_database
    valuesListDelimiter: ','
  plugins:
    ExecutionLifecycle: null
  scheduleEnabled: true
  sequence:
    commands:
    - exec: ansible-playbook /u1/ansible/DatabaseAsCode/ora/roles/oradb-automation-master/chg_dbsnmp_emcli.yml
        -e "sysman_pwd=${option.sysman_pwd} target_name=${option.Target_Name} old_paswd=${option.Db_Old_Passwd}
        new_paswd=${option.Db_New_Passwd} target_type=${option.Target_Type}" --limit
        $RD_OPTION_HOST
    keepgoing: false
    strategy: node-first
  uuid: 365624b5-7d04-47e6-a1ac-c1e710f295ff

#!/bin/sh
## Date       : 11/19/2020
## Version    : v1
## Author     : Sandeep R Narani
## Purpose    : To Check & Change Oracle Database DBSNMP user password in RAC & Standalone Env
sysman_pwd=${1}
#dbname=${2}
dbhname=${2}
dboldpasswd=${3}
dbnewpasswd=${4}
target_type=${5} ### oracle_database or rac_database or pdb_database ###
###Keep you OMS URL here####
export EMCLI_PROD_OMS_URL=https://dbadeedsoem_url:7800/em
export EMCLI_USERNAME=sysman
### Hide you sysman password with base64 encryption format###
##export PPWD=`echo "sdhsdbcbkjsd" | openssl enc -base64 -d`
export EMCLI_AUTOLOGIN=true
export EMCLI_DIR=/u1/app/oracle/OEM13c/OMS/bin
export EMCLI_TRUSTALL=true
TIMESTAMP=`date +%Y%m%d%H%M`
hostn=`hostname`
$EMCLI_DIR/emcli login -username=sysman -password=${sysman_pwd}
$EMCLI_DIR/emcli sync -url=$EMCLI_PROD_OMS_URL -username=sysman -password=${sysman_pwd} -trustall
echo "Getting the exact target name ${dbhname} from OEM"
if [ `$EMCLI_DIR/emcli list -noheader -script -sql="SELECT a.target_name FROM sysman.mgmt\\$availability_current a, sysman.mgmt\\$target t WHERE a.target_name = t.target_name AND a.target_guid=t.target_guid AND a.availability_status = 'Target Up' AND t.target_type='${target_type}' and t.host_name like '${dbhname}%'"| wc -l` -gt 0 ]; then
 myTarget=`$EMCLI_DIR/emcli list -noheader -script -sql="SELECT a.target_name FROM sysman.mgmt\\$availability_current a, sysman.mgmt\\$target t WHERE a.target_name = t.target_name AND a.target_guid=t.target_guid AND a.availability_status = 'Target Up' AND t.target_type='${target_type}' AND t.host_name LIKE '${dbhname}%'"`
echo "${myTarget}"
for fdbname in ${myTarget};
 do 
 echo "Update the DBSNMP for $fdbname in ${dbhname} server"
 $EMCLI_DIR/emcli update_db_password -target_name="$fdbname" -user_name="dbsnmp" -change_all_references=yes -change_at_target=yes -old_password="${dboldpasswd}" -new_password="${dbnewpasswd}" -retype_new_password="${dbnewpasswd}"
done
else 
echo "Targets did not found in OMS"
exitCleanly
fi
$EMCLI_DIR/emcli logout

# Command Usage ./emagent_emcli.ksh

# [oracle:oem13c]/home/oracle/narans39$ ./dbsnmp_emcli.sh **** dbadeeds01 changechange123 newnewnewpwd123 oracle_database

# Synchronized successfully

# Getting the exact target name taudb from OEM

# dbaudb_dbadeeds01.systems.com

# Update the DBSNMP for dbaudb_dbadeeds01.systems.com

# Successfully submitted a job to change the password in Enterprise Manager and on the target database: “dbaudb_dbadeeds01.systems.com”

# Execute “emcli get_jobs -job_id=BA4A56C57AB83456E0536C0D670A828A” to check the status of the job.

# Search for job name “CHANGE_PWD_JOB_1612199034615” on the Jobs home page to check job execution details.

# Logout successful

Hopefully you like this !

DBADEEDS