emcli is a utility for interacting with Oracle Cloud Control from the command line.
We configure autologin to conveniently use it in our automation scripts:
emcli setup -url="https://oms:7803/em" -username="test" -autologin
test is a Cloud Control account, which must exist prior to running the command above.
Now you can start using emcli. For example, you can list the registered targets:
emcli list -resource="Targets" -format="name:csv"
TARGET_NAME,TARGET_TYPE,TARGET_GUID,TYPE_VERSION,TYPE_QUALIFIER1,TYPE_QUALIFIER2,TYPE_QUALIFIER3,TYPE_QUALIFIER4,TYPE_QUALIFIER5,EMD_URL,TIMEZONE_REGION,DISPLAY_NAME,HOST_NAME,LAST_METRIC_LOAD_TIME,TYPE_DISPLAY_NAME,BROKEN_REASON,BROKEN_STR,OWNER,LAST_LOAD_TIME_UTC,CREATION_DATE
EM Console Service,oracle_em_service,54ABB160C4A4146A7F8167B56739216D,3.0, , , , , , ,Europe/Zurich,EM Console Service, ,2021-01-11 11:18:38.0,EM Service,0, ,SYSMAN,2021-01-11 10:18:38.0,2021-01-07 16:20:09.0
EM Jobs Service,oracle_em_service,F0E4D5A3A4489A66964A5F2894638605,3.0, , , , , , ,Europe/Zurich,EM Jobs Service, ,2021-03-03 12:01:25.0,EM Service,0, ,SYSMAN,2021-03-03 11:01:25.0,2021-01-07 16:19:55.0
...
The other day, emcli couldn’t log in to the database anymore:
emcli list -resource="Targets" -format="name:csv"
ORA-01017: invalid username/password; logon denied
The password of the test account hadn’t changed – I could still log in to both the database and Cloud Control.
The question arose: what credentials was emcli sending to the database? Even the emcli log with the highest logging level didn’t reveal anything. So I configured database auditing:
audit session
The following audit entry provided useful information:
SESSIONID:[7] "2287527" ENTRYID:[1] "1" STATEMENT:[1] "1" USERID:[9] "MGMT_VIEW" USERHOST:[14] "oms" TERMINAL:[7] "unknown" ACTION:[3] "100" RETURNCODE:[4] "1017" COMMENT$TEXT:[135] "Authenticated by: DATABASE;AUTHENTICATED IDENTITY: MGMT_VIEW; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=x.x.x.x)(PORT=35590))" OS$USERID:[6] "oracle" DBID:[10] "2187817836" CURRENT_USER:[9] "MGMT_VIEW"
First, it was the MGMT_VIEW account that couldn’t log in. Second, it wasn’t emcli that attempted to log in; it was the OMS.
In other words, emcli logs in to Cloud Control with its configured account. Then, OMS logs in with MGMT_VIEW to execute the query on emcli’s behalf.
In this case, a glance at dba_users.password_change_date revealed that someone had changed the password. This should never be done except with the following emctl command, which also corrected the problem.
emctl config oms -change_view_user_pwd -auto_generate
In summary, emcli uses the configured account just to initially connect to Cloud Control. Then, Cloud Control creates another session with a different account to execute emcli’s request. If the password of this intermediary account doesn’t match the password stored in the repository, ORA-01017 will be passed to emcli, but unfortunately, without any further information. Luckily, you can use database auditing to find out the affected user.
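To pick such entries out of a larger audit trail, the record format shown above can be parsed and filtered for rejected logons. The following is an added example, not part of the original post: the function names are hypothetical, the first sample record is the entry quoted above, and the second is constructed.

```python
import re
from collections import Counter

# Each field is  NAME:[declared_length] "value". The declared length is ignored
# on purpose: in redacted records (such as the one quoted in this post) it no
# longer matches the value, so a value ends at the quote before the next field.
FIELD = re.compile(r'([A-Z_$]+):\[\d+\] "(.*?)"(?= [A-Z_$]+:\[\d+\] "|\s*$)')

LOGON = "100"  # audit action code for LOGON


def parse_audit_record(line):
    """Return one audit record as a dict of field name -> value."""
    return dict(FIELD.findall(line))


def failed_logons(lines, returncode="1017"):
    """Count LOGONs rejected with ORA-<returncode> per (USERID, USERHOST)."""
    hits = Counter()
    for line in lines:
        rec = parse_audit_record(line)
        if rec.get("ACTION") == LOGON and rec.get("RETURNCODE") == returncode:
            hits[(rec.get("USERID"), rec.get("USERHOST"))] += 1
    return hits


SAMPLE = [
    # The audit entry quoted in this post (already redacted by the author).
    ('SESSIONID:[7] "2287527" ENTRYID:[1] "1" STATEMENT:[1] "1" '
     'USERID:[9] "MGMT_VIEW" USERHOST:[14] "oms" TERMINAL:[7] "unknown" '
     'ACTION:[3] "100" RETURNCODE:[4] "1017" COMMENT$TEXT:[135] '
     '"Authenticated by: DATABASE;AUTHENTICATED IDENTITY: MGMT_VIEW; Client '
     'address: (ADDRESS=(PROTOCOL=tcp)(HOST=x.x.x.x)(PORT=35590))" '
     'OS$USERID:[6] "oracle" DBID:[10] "2187817836" CURRENT_USER:[9] "MGMT_VIEW"'),
    # Constructed record: a successful logon, which must not be reported.
    ('SESSIONID:[7] "2287530" ENTRYID:[1] "1" USERID:[6] "SYSMAN" '
     'USERHOST:[3] "oms" ACTION:[3] "100" RETURNCODE:[1] "0"'),
]

if __name__ == "__main__":
    for (user, host), count in failed_logons(SAMPLE).items():
        print(f"{count} failed logon(s) as {user} from {host}")
```

A repeated failure for an internal account such as MGMT_VIEW coming from the OMS host points to a password mismatch between the database and the repository rather than to the account emcli was configured with.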