This document describes how to change the security credentials for various
components in an Exalogic machine. You can use the procedures in this document to
change all the security credentials from the settings that were initially configured by
the ECU. You can also use these procedures to change the security credentials for
specific Exalogic components at any time.
The target audience for this document consists of system administrators who are
familiar with the architecture and deployment of Exalogic and Exalogic Control, and
have experience in administering Linux systems, Oracle WebLogic Server, and
Exalogic Control (Oracle VM Manager and Enterprise Manager Ops Center).
This document contains the following sections:
Component Category
Component
User
Physical components
Compute nodes
root
Storage nodes
root
root
root
InfiniBand switches
root
ilom-admin
ilom-operator
admin
Component
User
root
Oracle VM Manager
Oracle Database
In EECS release 2.0.6.x.x, the Exalogic Control stack consists of two Proxy Controller vServers and an
Exalogic Control vServer, which hosts the Enterprise Controller, Oracle VM Manager, and Oracle Virtual
Assembly Builder components. The Exalogic Control vServer also hosts the Oracle Database instance that
is shared by EM Ops Center and Oracle VM Manager.
In EECS releases before 2.0.6.0.0, each component of the Exalogic Control stack (that is, Enterprise
Controller, Proxy Controllers, Oracle VM Manager, and Oracle Database) was hosted on a separate
vServer.
To change the security credentials for all the components in an Exalogic machine, do
the following:
1.
2.
Compute nodes
IB switches
Cisco switch
Storage nodes
Change the credentials for the Oracle Database component of the Exalogic
Control stack, as described in Section 3.
b.
c.
Change the credentials for the Enterprise Manager Ops Center components, as
described in Section 5.
2.
2.
Note:
Log in to the Exalogic Control Browser User Interface (BUI) as a user with the
Exalogic Systems Admin role or as root.
2.
3.
4.
5.
6. Enter the new password in the Password and Confirm Password fields.
7. Click Update.
8. Check for, and clear, the "Access point is blacklisted..." incident, as follows:
In the navigation pane on the left, select Message Center, then select the Incidents
tab, and check whether an incident with the following description is listed:
Management access point failed authentication during login to asset. Access
point is blacklisted from future connections to prevent security lockout.
This incident occurs if EM Ops Center accessed the asset after its credential was
changed on the asset but before the credential was updated in Exalogic Control.
If the incident exists, do the following:
a.
b. Click the Take Action(s) on Incident button in the toolbar above the list of
incidents.
The Take Action on Incident dialog box is displayed.
c. In the Suggested Actions list, select Clear blacklisting and continue using
current credential.
d.
2.
Changing the ILOM Password for a Compute Node Using the BUI
To change the ILOM password for a compute node using the BUI, complete the
following steps:
1.
2.
3.
4. In the Users panel, select the root account and click Edit.
5. In the resulting dialog box, enter the new password in the New Password and
Confirm New Password fields.
6. Click Save.
Changing the ILOM Password for a Compute Node Using the CLI
To change the ILOM password for a compute node using the CLI, complete the
following steps:
1.
2.
2.2.2 Synchronizing Compute Node ILOM Credentials with Enterprise Manager Ops Center
Note: This section is relevant only for Exalogic machines in a virtual
configuration.
Log in to the Exalogic Control BUI as a user with the Exalogic Systems Admin
role or as root.
2.
3.
4.
complete the following steps for the SSH and IPMI credentials of the compute
node ILOMs:
a.
b.
c. Enter the new password in the Password and Confirm Password fields.
d. Click Update.
5. Check for, and clear, the Access point is blacklisted incident, as described in
step 8 of Section 2.1.2.
2.
The IB switches are managed using the SSH and IPMI protocols. The instructions in
this section apply only to the SSH protocol.
2.
3.
4.
complete the following steps for the ilom-admin and ilom-operator users.
Note: The root password can be changed only through the Linux
passwd command.
a.
b.
c. Click Save.
2. Change the password for the ilom-admin user by running the following
command:
-> set /SP/users/ilom-admin password
Enter new password: ***********
Enter new password again: ***********
3. Repeat the previous step to change the password for the ilom-operator user.
4.
b.
Note:
Log in to the Exalogic Control BUI as a user with the Exalogic Systems Admin
role or as root.
2.
3.
4. Do the following for the SSH and IPMI credentials of the IB switches:
a. Select the credential for the IB switch for which you changed the password.
You can identify the IB switch credentials by the description, typically
Infiniband Switch in rack rack_name, as shown in Figure 3.
b.
c. Enter the new password for the ilom-admin user in the Password and
Confirm Password fields.
d. Click Update.
5. Check for, and clear, the Access point is blacklisted incident, as described in
step 8 of Section 2.1.2.
2.
2.
4.
For more guidelines, best practices, and procedures for securing the Cisco switch, see
the documentation provided by Cisco.
2.4.2 Synchronizing Cisco Switch Credentials with Enterprise Manager Ops Center
Note: This section is relevant only for Exalogic machines in a virtual
configuration.
To synchronize the Cisco switch credentials with Enterprise Manager Ops Center,
complete the following steps:
1. Log in to the Exalogic Control BUI as a user with the Exalogic Systems Admin
role or as root.
2.
3.
4.
5.
6. Enter the new telnet password in the Login Password and Confirm Login
fields.
Enter the new administration password in the Admin Password and Confirm
Admin fields.
7. Click Update.
8. Check for, and clear, the Access point is blacklisted incident, as described in
step 8 of Section 2.1.2.
Changing the passwords for the ZFS storage appliance involves the following tasks:
1.
2.
3.
Changing the root Password for a Storage Appliance Node Using the BUI
1. Log in as root to the BUI of the storage appliance.
https://storage_node_hostname:215
2.
3.
4. From the list of users displayed on the left, select Super-User, and click the Edit
entry icon.
5.
6. Click Apply.
Changing the root Password for a Storage Appliance Node Using the CLI
1. Log in as root (via SSH) to the storage appliance node.
2.
3. Run commit to apply the new password for the root user.
Changing the root Password for a Storage Appliance ILOM Using the BUI
1. Log in as root to the ILOM interface of the storage appliance.
https://storage_node_ilom
2.
3.
4. In the Users panel, select the root account and click Edit.
5. In the resulting dialog box, enter the new password in the New Password and
Confirm New Password fields.
6. Click Save.
Changing the root Password for a Storage Appliance ILOM Using the CLI
1. Log in as root (via SSH) to the storage appliance ILOM.
2.
Note:
After changing the passwords for the storage nodes, the passwords must be updated
in Enterprise Manager Ops Center.
1. Log in to the Exalogic Control BUI as a user with the Exalogic Systems Admin
role or as root.
2.
3.
4. Do the following for the IPMI and SSH credentials of both the storage nodes:
a.
Figure 5 Selecting IPMI and SSH Credentials for Storage Nodes in Exalogic Control
b.
c. Enter the new password in the Password and Confirm Password fields.
d. Click Update.
5. Update the storage administration credential for both the storage nodes.
You can identify this credential by the protocol name, Storage Administration,
which is displayed in the Protocol column.
a.
b.
c. Enter the new passwords in the Admin Password and Confirm Admin
Password fields.
d. Click Update.
6. Check for, and clear, the Access point is blacklisted incident, as described in
step 8 of Section 2.1.2.
2.
2.
3. Log in as admin.
4. Scroll down the page until you see the Admin/User fields.
5.
6. Click Submit.
Note:
To synchronize the PDU passwords with Enterprise Manager Ops Center, complete
the following steps:
1. Log in to the Exalogic Control BUI as a user with the Exalogic Systems Admin
role or as root.
2.
3.
4.
b.
c. Enter the new password in the Password and Confirm Password fields.
d. Click Update.
5. Check for, and clear, the Access point is blacklisted incident, as described in
step 8 of Section 2.1.2.
Note:
In the Exalogic rack, the Oracle Database component is shared between Oracle VM
Manager and Enterprise Manager Ops Center. Changing the passwords for the Oracle
Database component involves the following tasks:
1. Section 3.1, "Changing the root Password for the Oracle Database Component"
2. Section 3.2, "Changing Database Credentials for Enterprise Manager Ops Center
Users"
3.
3.1 Changing the root Password for the Oracle Database Component
To change the passwords for the root user of the database vServer, complete the
following steps:
1.
2.
Log in as root to the vServer that hosts the Oracle Database component of the
Exalogic Control stack:
2.
Log in as root to the vServer that hosts the Enterprise Controller components:
Create a temporary file containing the new password and secure it with 600
permissions.
Example:
# touch /tmp/password
# chmod 600 /tmp/password
# vi /tmp/password
newpassword
3. To change the database password for the emoc user, run the ecadm command with
the change-db-password subcommand and the -p password_file option. When
prompted, confirm restart of the Enterprise Controller.
Example:
# /opt/sun/xvmoc/bin/ecadm change-db-password -p /tmp/password
The Enterprise Controller will be restarted after the database password is
changed. Continue? (y/n)
y
To change the database password for the emoc_ro user, run the ecadm
change-db-password command with the --as_read_only_user option.
Example:
# /opt/sun/xvmoc/bin/ecadm change-db-password --as_read_only_user -p /tmp/password
The Enterprise Controller will be restarted after the database password is
changed. Continue? (y/n)
y
ecadm:
--- Changed database password, restarting.
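The password-file step above, as an added bash example that is not part of the Oracle guide: it creates the file that ecadm reads through -p with mktemp instead of the fixed name /tmp/password, checks its ownership and 600 mode, and removes it after use. The function names and the ecpw. file prefix are assumptions, and stat -c assumes GNU coreutils.

```bash
#!/bin/bash
# Added example (not from the Oracle guide). Function names are hypothetical.

# Read one line (the new password) and store it in a private temporary file.
# mktemp picks an unpredictable name and creates the file with mode 0600, so
# another local user cannot pre-create the path or read the content.
# Prints the path of the new file.
make_password_file() {
    local file pw
    file=$(umask 077; mktemp "${TMPDIR:-/tmp}/ecpw.XXXXXXXX") || return 1
    if [ -t 0 ]; then
        # Interactive: do not echo the password to the terminal.
        IFS= read -rs -p 'New password: ' pw || true
        echo >&2
    else
        # Piped input: accept a final line with or without a newline.
        IFS= read -r pw || true
    fi
    # Refuse to hand an empty password file to ecadm.
    [ -n "$pw" ] || { rm -f "$file"; return 1; }
    printf '%s\n' "$pw" > "$file"
    printf '%s\n' "$file"
}

# Succeed only if the path is a regular file (not a symlink), owned by the
# current user, with permissions exactly 600.
check_password_file() {
    local file=$1
    [ -f "$file" ] && [ ! -L "$file" ] && [ -O "$file" ] || return 1
    [ "$(stat -c '%a' "$file")" = "600" ]
}

# Delete the file after use. shred is best effort; fall back to rm.
remove_password_file() {
    shred -u "$1" 2>/dev/null || rm -f "$1"
}

# Typical use as root on the vServer that hosts the Enterprise Controller:
#   pwfile=$(make_password_file) || exit 1
#   trap 'remove_password_file "$pwfile"' EXIT
#   check_password_file "$pwfile" &&
#       /opt/sun/xvmoc/bin/ecadm change-db-password -p "$pwfile"
```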
5.
Section 3.3.1, "Changing Passwords for OVS, SYS, SYSTEM, SYSMAN, and DBSNMP
Users"
2. Section 3.3.2, "Changing the Password for the Oracle WebLogic Server Data Source
for Oracle VM Manager"
3.3.1 Changing Passwords for OVS, SYS, SYSTEM, SYSMAN, and DBSNMP Users
To change the password for the ovs user, complete the following steps:
1.
2.
Log in as root to the vServer that hosts the Oracle Database component of the
Exalogic Control stack:
Up to EECS 2.0.4.x.x
# export ORACLE_HOME=/u01/app/oracle/product/11.2.0/dbhome_1
# export ORACLE_SID=elctrldb
# cd /u01/app/oracle/product/11.2.0/dbhome_1/bin
# ./sqlplus sys/password@elctrldb as sysdba
SQL> alter user OVS identified by new_password;
SQL> alter user SYS identified by new_password;
SQL> alter user SYSTEM identified by new_password;
SQL> alter user SYSMAN identified by new_password;
SQL> alter user DBSNMP identified by new_password;
EECS 2.0.6.x.x
# export ORACLE_HOME=/u01/app/oracle/product/11.2.0.3/dbhome_1
# export ORACLE_SID=elctrldb
# cd /u01/app/oracle/product/11.2.0.3/dbhome_1/bin
# ./sqlplus sys/password@elctrldb as sysdba
SQL> alter user SYS identified by new_password;
SQL> alter user SYSTEM identified by new_password;
SQL> alter user SYSMAN identified by new_password;
SQL> alter user DBSNMP identified by new_password;
Note: In EECS 2.0.6, do not change the password for the OVS user.
For more information about changing Oracle Database user passwords, see "Finding
and Changing Default Passwords" in the Oracle Database 2 Day + Security Guide at
http://docs.oracle.com/cd/E11882_01/server.112/e10575/tdpsg_user_accounts.htm#BABJAEDF.
3.3.2 Changing the Password for the Oracle WebLogic Server Data Source for Oracle VM Manager
Note: Due to a known issue in Oracle VM, the procedure in this
section does not work for EECS 2.0.6.
To change the password for the Oracle WebLogic Server data source for Oracle VM
Manager, complete the following steps:
1.
2.
Example:
# /u01/app/oracle/ovm-manager-3/bin/ovm_admin --modifyds elctrldb db-vm 1521 OVS new_password
Note:
Changing the passwords for Oracle VM Manager involves the following tasks:
1. Section 4.1, "Changing the root Password for the Oracle VM Manager vServer"
(relevant only up to EECS 2.0.4.x.x)
2. Section 4.2, "Changing admin and weblogic Passwords for Oracle VM Manager"
3.
4.
4.1 Changing the root Password for the Oracle VM Manager vServer
Note: This section is applicable to only EECS 2.0.4.x.x and earlier
releases.
To change the passwords for the root user of the Oracle VM Manager vServer,
complete the following steps:
1.
2.
Note:
To change the password for the Oracle VM Manager admin and weblogic users,
complete the following steps:
1.
2.
3. Increase the number of unsuccessful login attempts that Oracle WebLogic Server
allows before the admin user is locked:
$ /u01/app/oracle/ovm-manager-3/bin/ovm_admin --lockusers tries
4.
$ cd /u01/app/oracle/ovm-manager-3/bin
5.
6. When prompted for the username, enter admin. At the subsequent prompts, enter
the current password and the new password.
Note: For information about the required password length and
allowed characters, see the Oracle VM documentation. At the time of
publication of this guide, the requirement was for a minimum of eight
characters with at least one non-alphabetic character.
8. Update the boot.properties file with the new password that you set for the
weblogic user:
a.
b.
new_password is the password that you set earlier for the weblogic user.
c.
Note:
Log in to the Exalogic Control BUI as a user with the Exalogic Systems Admin
role or as root.
2.
3.
4.
5.
6. Enter the new password in the Password and Confirm Password fields.
7. Click Update.
8. Revert the number of unsuccessful login attempts to the Oracle VM Manager that
Oracle WebLogic Server allows for the admin user, to the original value.
This step is necessary because, before changing the admin password, the number
of unsuccessful login attempts was increased, as described in Section 4.2,
"Changing admin and weblogic Passwords for Oracle VM Manager."
a.
b.
c.
9. Check for, and clear, the Access point is blacklisted incident, as described in
step 8 of Section 2.1.2.
Changing Passwords for Oracle VM Agents Using the OVMM Web Interface (in
EECS 2.0.4.x.x and Earlier Releases)
Changing Passwords for Oracle VM Agents Using the OVMM Web Interface (in
EECS 2.0.6.x.x)
Changing Passwords for Oracle VM Agents Using the CLI
Note: Oracle VM Manager allows you to change the password for
the Oracle VM agent running on each Oracle VM Server. However,
you must set the same password for Oracle VM agents running on all
Oracle VM Servers in the Exalogic machine.
Changing Passwords for Oracle VM Agents Using the OVMM Web Interface (in EECS 2.0.4.x.x and
Earlier Releases)
1. Log in as root to the Oracle VM Manager web console.
https://IP_address:7002/ovm/console/
3.
In the Server Pools tab in the management pane, select the server pool.
b.
c. Enter the current password (default: oracle), and then enter a new password
and confirm it.
Note: You must set the same Oracle VM agent password for all the
server pools in the Exalogic machine.
d. Click OK.
The new password is applied to the Oracle VM agents running on all the Oracle
VM Servers in the server pool.
Changing Passwords for Oracle VM Agents Using the OVMM Web Interface (in EECS 2.0.6.x.x)
1. Log in as root to the Oracle VM Manager web console.
https://IP_address:7002/ovm/console/
3.
4.
b. Right-click on the server pool. From the context menu, select Change Servers
Agent Password button.
c. Enter the old password (default: oracle), and then enter a new password and
confirm it.
Note: You must set the same Oracle VM agent password for all the
server pools in the Exalogic machine.
d. Click OK.
The new password is applied to the Oracle VM agents running on all the Oracle
VM Servers in the server pool.
Changing Passwords for Oracle VM Agents Using the CLI
To change the password for the Oracle VM Server agents, run the ovs-agent-passwd
command on all the Oracle VM Server nodes:
# ovs-agent-passwd username password
The username used by Oracle VM Manager to communicate with the agent is oracle.
Note: You must set the same password for all the Oracle VM Server
agents in the Exalogic machine.
Note:
Changing the passwords for Enterprise Manager Ops Center involves the following
tasks:
1.
2. Section 5.2, "Change Passwords for Other Enterprise Manager Ops Center Users"
2. Log in as root to the vServer that hosts the Enterprise Controller component of
EM Ops Center.
3.
5.2 Change Passwords for Other Enterprise Manager Ops Center Users
Repeat the procedure described in Section 5.1 to change the passwords for any
additional Enterprise Manager Ops Center users that may have been created, that is,
any users with the Exalogic Systems Admin, Cloud User, and Cloud Admin roles.
6 Documentation Accessibility
For information about Oracle's commitment to accessibility, visit the Oracle
Accessibility Program website at
http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc.
Access to Oracle Support
Oracle customers have access to electronic support through My Oracle Support. For
information, visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or
visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs if you are hearing
impaired.
Oracle Exalogic Elastic Cloud Credentials Management Guide, Release EL X2-2, X3-2 and X4-2
E38253-02
Copyright 2013, 2014, Oracle and/or its affiliates. All rights reserved.
This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected
by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate,
broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering,
disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.
The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them
to us in writing.
If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, the
following notice is applicable:
U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware,
and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition
Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs,
including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license
terms and license restrictions applicable to the programs. No other rights are granted to the U.S. Government.
This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use
in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in
dangerous applications, then you shall be responsible to take all appropriate failsafe, backup, redundancy, and other measures to ensure its safe
use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications.
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.
Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks
or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered
trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.
This software or hardware and documentation may provide access to or information on content, products, and services from third parties. Oracle
Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products,
and services. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of
third-party content, products, or services.