This discussion is archived
3 Replies Latest reply: Mar 1, 2012 6:28 PM by user704352

Password policy and OEM

steffi Newbie
So we have a password policy that automatically locks accounts on 3 attempts.

When OEM sends a saved preferred credential to a database, it looks like it has several attempts before it prompts you via the login panel for the credentials.

By the time you reach the login panel the account is already locked because it looks like OEM has had several attempts against the database already.

So what we have is a situation where our password policy is out of sync with what OEM v 10 expects.

The only way it works is if the DBA unlocks the account prior to my hitting login from the login screen.

This is all because I've had to change my password every 60 days and OEM has remembered my old password which now is no longer valid against the target database.

Thoughts?
  • 1. Re: Password policy and OEM
    EricvdS Expert
    Change the preferred credential if you have changed your password on the target db.
    Or let the dba create a new profile for your account (and other OEM users) with less strict settings on all target db's.

    Eric
  • 2. Re: Password policy and OEM
    steffi Newbie
    That latter suggestion violates the new policy so that's not happening.

    The point about it all is that you don't have a chance to change the preferred credential before your account is locked out.

    The whole problem seems to be that OEM assumes no DBA would be stupid enough to set up your account to automatically lock on 3 failed attempts.

    But for whatever reason when OEM tries the old preferred credential it eventually locks your account meaning that it's tried to use those old credentials more than once already before you get to even log in when prompted for your new credentials.

    Edited by: steffi on Feb 21, 2012 2:14 PM
  • 3. Re: Password policy and OEM
    user704352 Newbie
    If preferred credentials are specified, OEM uses those credentials and checks if the login can be performed with those credentials. But, if the saved preferred credentials are different from what the database is configured with, we will run into the max_failed_attempts use case.

    The same preferred credentials will be used by background jobs and so if the password is changed on the database without updating the preferred credentials, the account could be locked out quickly if there are any background jobs.

    Also, OEM provides command line scripts (emcli update_db_password) that can be used to update the password in the database as well as update the preferred credentials with the same password, which is the recommended way to change passwords when they are used in preferred credentials.
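
The lockout described in this thread can be confirmed from the database side. The queries below are an added example, not part of the original posts: they show which limits the account's profile enforces (Oracle's profile resource for the lockout threshold is FAILED_LOGIN_ATTEMPTS) and which host produced the failed logons. They assume session auditing is enabled and written to the database; `STEFFI_DBA` is a placeholder account name.

```sql
-- Added example, not from the thread. Run as a user with SELECT on the DBA_* views.
-- 'STEFFI_DBA' is a placeholder; substitute the account that keeps getting locked.

-- 1. Which lockout and expiry limits does the account's profile enforce?
--    A LIMIT of 'DEFAULT' means the value is inherited from the DEFAULT profile.
SELECT u.username,
       u.account_status,
       u.lock_date,
       u.profile,
       p.resource_name,
       p.limit
FROM   dba_users u
JOIN   dba_profiles p ON p.profile = u.profile
WHERE  u.username = 'STEFFI_DBA'
AND    p.resource_name IN ('FAILED_LOGIN_ATTEMPTS',
                           'PASSWORD_LOCK_TIME',
                           'PASSWORD_LIFE_TIME');

-- 2. Where did the failed logons in the last 24 hours come from?
--    Assumes AUDIT SESSION is in effect and the audit trail goes to the database.
--    RETURNCODE 1017 = ORA-01017 (invalid username/password)
--    RETURNCODE 28000 = ORA-28000 (the account is locked)
SELECT userhost,
       os_username,
       terminal,
       returncode,
       COUNT(*)       AS attempts,
       MIN(timestamp) AS first_seen,
       MAX(timestamp) AS last_seen
FROM   dba_audit_session
WHERE  username = 'STEFFI_DBA'
AND    returncode IN (1017, 28000)
AND    timestamp > SYSDATE - 1
GROUP  BY userhost, os_username, terminal, returncode
ORDER  BY first_seen;
```

A burst of 1017 rows from the OEM management or agent host, followed by 28000 rows, matches the stale preferred credential being replayed before the interactive login is reached.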
