Change Oracle default passwords for sys, system, dbsnmp and sysman

Jephe Wu -  http://linuxtechres.blogspot.com

Objective: change the Oracle default passwords for users such as sys, system, sysman and dbsnmp for auditing purposes
Environment: Oracle 11.1.0.6.0 64bit, RHEL 5.4 or Windows server


Steps:
1. Make sure dbconsole is stopped
Log in as oracle:
emctl stop dbconsole
emctl status dbconsole

2. Change the passwords for the above users from the sqlplus prompt

alter user sys identified by "passwordstring";
alter user system identified by "passwordstring";
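Note: changing the sys and system passwords is straightforward; nothing more is needed for those two accounts.

For sysman and dbsnmp, however, it is a bit more complicated, because Database Control keeps its own copy of these passwords (see steps 4 and 6).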
alter user sysman identified by "passwordstring";
alter user dbsnmp identified by "passwordstring";

3. Confirm that the passwords have been changed

sqlplus sys
sqlplus system
sqlplus dbsnmp
sqlplus sysman

If the sysman or dbsnmp account is locked, unlock it:
alter user sysman account unlock;


For the sysman user, the approach differs depending on whether the database version is below 10.2.0.4 or at/above 10.2.0.4.

4. Set a new repository password after changing the sysman password


4.1 From Oracle 10.2.0.4 onward, use the new 'setpasswd' method
[oracle@jephe]$ emctl setpasswd dbconsole
Oracle Enterprise Manager 11g Database Control Release 11.1.0.6.0
Copyright (c) 1996, 2007 Oracle Corporation.  All rights reserved.
https://jephe.domain.com:1158/em/console/aboutApplication
Please enter new repository password:
Repository password successfully updated.

4.2 If the database version is less than 10.2.0.4
  • Go to $ORACLE_HOME/host_sid/sysman/config
    1. Save the file emoms.properties to emoms.properties.orig
    2. Edit the file emoms.properties
      1. Search for the line beginning with:
        oracle.sysman.eml.mntr.emdRepPwd=
        Replace the encrypted value with the new password value
      2. Search for the line:
        oracle.sysman.eml.mntr.emdRepPwdEncrypted=TRUE
        Replace TRUE with FALSE


5. Start dbconsole and log in as sys or system to check that it can connect to the database instance

emctl start dbconsole
https://jephe.domain.com:1158/em/

5.1 After emctl start dbconsole, check that the password has been encrypted if the version is less than 10.2.0.4
  • Edit the file $ORACLE_HOME/host_sid/sysman/config/emoms.properties
    1. Search for the line beginning with:
      oracle.sysman.eml.mntr.emdRepPwd=
      Check that the password is encrypted
    2. Search for the line beginning with:
      oracle.sysman.eml.mntr.emdRepPwdEncrypted=
      Check that the value is TRUE

6. For the dbsnmp password change, the approach is the same for 10g and 11g databases.

On Unix - DB Control Release 11.2.x and higher

$ export ORACLE_SID=<database_sid>
$ export ORACLE_UNQNAME=<value of the DB_UNIQUE_NAME database parameter>
$ emctl stop dbconsole

SQL> alter user dbsnmp identified by <new dbsnmp password> ;
sqlplus dbsnmp  # double-check that you can log in


  1. Go to $ORACLE_HOME/host_sid/sysman/emd
    1. Save the file targets.xml to targets.xml.orig
    2. Edit the file targets.xml with your favorite text editor
      1. Search for the line:
        <property name="password" value="<encrypted_string>" encrypted="TRUE">
      2. Replace the encrypted value with the new password value
      3. Replace TRUE with FALSE
    3. Restart the standalone dbconsole
On Unix - DB Control Release 11.2.x and higher

$ export ORACLE_SID=<database_sid>
$ export ORACLE_UNQNAME=<value of the DB_UNIQUE_NAME database parameter>
$ emctl start dbconsole


Check that the password has been encrypted
Edit the file targets.xml
Search for the line: <property name="password" value="<encrypted_string>" encrypted="TRUE">
Check that the password VALUE is encrypted
Check that the value of ENCRYPTED is TRUE

Note: In the case of a RAC database, the dbsnmp password should be changed in targets.xml not only for the instance targets (oracle_database) but also for the rac_database target. The file targets.xml needs to be updated on all the RAC cluster nodes.
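
The checks in step 5.1 and at the end of step 6 can be scripted. The following is an added example, not part of the original post: it reads emoms.properties or targets.xml and reports any password entry whose encrypted flag is still FALSE, including the multiple entries a RAC targets.xml carries. The function names and sample file contents are constructed for illustration, and attribute names are matched case-insensitively as an assumption about the file layout.

```sh
#!/bin/sh
# Added example (not from the original post): after "emctl start dbconsole",
# confirm DB Control re-encrypted the password it was given in cleartext.

# check_em_file FILE: prints one status line per password entry found.
# Returns 0 = every entry flagged TRUE, 1 = at least one entry still FALSE,
#         2 = file unreadable or no password flag found.
check_em_file() {
    f=$1
    [ -r "$f" ] || { echo "UNREADABLE $f"; return 2; }
    case $f in
        *.properties)   # emoms.properties: the flag is on its own line
            flags=$(grep -i '^oracle\.sysman\.eml\.mntr\.emdRepPwdEncrypted=' "$f" |
                    sed 's/^[^=]*=//' | tr -d ' \r' | tr 'a-z' 'A-Z') ;;
        *)              # targets.xml: the flag is an attribute of the password property
            flags=$(grep -i 'name="password"' "$f" |
                    sed -n 's/.*[Ee][Nn][Cc][Rr][Yy][Pp][Tt][Ee][Dd]="\([^"]*\)".*/\1/p' |
                    tr 'a-z' 'A-Z') ;;
    esac
    [ -n "$flags" ] || { echo "NO_PASSWORD_FLAG $f"; return 2; }
    rc=0
    for flag in $flags; do   # RAC: several targets, so several entries
        if [ "$flag" = "TRUE" ]; then
            echo "ENCRYPTED $f"
        else
            echo "CLEARTEXT $f"; rc=1
        fi
    done
    return $rc
}

# Constructed sample files (assumed layout, not taken from a real host).
make_samples() {
    printf '%s\n' 'oracle.sysman.eml.mntr.emdRepPwd=0a1b2c3d' \
        'oracle.sysman.eml.mntr.emdRepPwdEncrypted=TRUE' > "$1/emoms.properties"
    printf '%s\n' '<Target TYPE="oracle_database" NAME="orcl1">' \
        '<Property NAME="password" VALUE="0a1b2c3d" ENCRYPTED="TRUE"/>' \
        '</Target>' '<Target TYPE="rac_database" NAME="orcl">' \
        '<Property NAME="password" VALUE="ExamplePw1" ENCRYPTED="FALSE"/>' \
        '</Target>' > "$1/targets.xml"
}

# Audit any files named on the command line.
for arg in "$@"; do check_em_file "$arg"; done
```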

Note:
a. Use the OEM interface to change user passwords.
If, when you try to access Enterprise Manager at https://jephe.domain.com:1158/em, it warns you that the sysman, mgmt_view and dbsnmp passwords are about to expire and asks you to change them, you can change them through the OEM interface. After that, a blank screen appears with 'done' at the bottom of the page; close the page, log in to the Oracle database server as oracle and stop dbconsole (emctl stop dbconsole), then run 'emctl setpasswd dbconsole' to change the repository password. Set the repository password to the same value as the sysman password.

References:
a. How To Change the Password of the Database User Sysman (DB Control Repository Schema) [ID 259379.1] 
b. How to Change DBSNMP Password in Database 10g and 11g Monitored by DB Control [ID 259387.1] 
c. http://thetendjee.wordpress.com/2006/07/19/changing-sysman-and-dbsnmp-passwords-it-aint-that-easy/