Remove OEM 13c Management Repository


Removing the SYSMAN schema and other OEM-related objects from a database consisted of disabling constraints and running a series of DDL scripts in earlier versions of OEM.  Always use RepManager to perform this cleanup for OEM 13c.

RepManager ‘-drop’ command drops the SYSMAN, SYSMAN_MDS, SYSMAN_OPSS, SYSMAN_RO, and SYSMAN_BIPLATFORM schemas and removes their artifacts, including tablespaces and datafiles.


Note:  The following run-time example has been simplified from actual stdout and uses a reference to $MW_HOME (more...)

Add a CA Cert to OEM Admin Server

Outbound CA Certificates

Certificate files from certifying authorities are widely used for authentication.  Someone in your company is responsible for issuing and managing those certificates.

Outward bound communication, like connections to an LDAP server, may require a CA cert to authenticate your connection.

Working with keytool

Certificate files are very simple text files that contain strings of nonsense text.

You can only read and edit the cacerts file using keytool (available on all hosts).  It (more...)

Resolve PDP Error for Named Credentials


Some of our named credentials use a privileged account to perform root actions via sudo. That account is not the same as the OEM agent binary owner and does not belong to the binary owner’s o/s groups for security reasons.

Sometime that causes problems, like this:

PDP execution may have failed 3430 Insecure operation – please consult your administrator pbrun8.5.1-01[112628]: 3201.07 Exec of /usr/bin/pb_sudo failed: Operation not permitted

The Powerbroker error is (more...)

Catalog your Named Credentials

You can catalog your named credentials quickly and easily with EM CLI.

emcli login -username=SYSMAN

emcli sync

[ $NCCATALOG ] && rm -f ${NCCATALOG}
touch ${NCCATALOG}

for thisNC in `emcli list_named_credentials | awk '{ print $1 }' | grep -v "Credential"`; do
emcli get_named_credential -cred_name=${thisNC} >>${NCCATALOG}



Your results will look like this:

Credential Name:CRED_SYSDBA
Credential Owner:SYSMAN
Credential Type:DBCreds
Credential Target Type:oracle_database
Credential Username:sys
Credential Scope:global
Credential Guid:<string>
Credential Stripe:TARGETS

You Can Not Outsmart a SYSMAN Password Change

There are no circumstances where manually changing the passwords for the SYSMAN-named database accounts will end happily.  Never attempt to change the passwords for SYSMAN, SYSMAN_APM, SYSMAN_BIPLATFORM, SYSMAN_MDS, SYSMAN_OPSS, or SYSMAN_RO from within the database.

OEM security is managed by the WebLogic admin server.  The database passwords are only part of the puzzle.  Your WLS relies on wallets and other encrypted files to keep it all straight.  When you do the password change in the (more...)

I’m Not Waiting – Collect my Metric Extensions Now!

We use OEM to populate other system management systems at our company by providing configuration and metric data of all kinds.  When we get requests that require data that OEM doesn’t collect out of the box, we build metric extensions.

If you’ve worked with 12c metric extensions you know that the agents appear to perform these special metric collections whenever OEM feels like it.  At least that’s the way it seems.

I need to be (more...)

Plugin versions on agent does not support target type rac_database

I wasn’t able to promote database targets after I applied the July bundle patch.  I quickly opened an SR and received the following excellent, if scary, advice.   The solution, as you’ll see, involves directly manipulating data in the SYSMAN schema.

The Error Message

“Plugin versions on agent does not support target type rac_database”.

In this case the agents appeared to have a later release of the database plugin than the management (more...)

Turn OEM Job Output into Lists


We have an OEM job that we run after each system-wide Unix password change to verify success on all hosts.

The OEM Job is run against Dynamic Groups of hosts.  In this example I’ve limited it to the group DBHosts.


The job consists of a very simple call for id


The Credentials for the job contain the new password, of course.

The job quickly tries to connect to each host with that named named (more...)

SELinux blocked my .Xauthority

I was attempting to install an OEM management server on a new host in the lab using runInstaller.  Of course the installer is an X-windows app so I need to configure port forwarding to get the display back to MacBook.

I added the new host and its bastion to my ~/.ssh/config file to set up port forwarding:

ConnectTimeout 60
StrictHostKeyChecking ask
ProxyCommand none
UserKnownHostsFile ~/.ssh/known_Hosts
User oracle

Host newlaboms. (more...)

User Defined Target Properties

We can create our own target property classifications using EM CLI.  In this example we’ll create a new property named “Product Type”.  In my shop we’ll use that property to identify Oracle RAC and single instance databases, but also noSQL targets that we’re adding to our EM environment.  That custom property will then be used to define Administrative Groups and we’ll map specific Monitoring Templates to each of those groups.

Here’s the syntax for creating (more...)