
The DBSNMP Account and User

I talk a lot about Enterprise Manager 12c, from the OMS all the way to the EM CLI and the Agent, but I was discussing some interesting history with the account used by the OEM Management Agent: the DBSNMP account.

The DBSNMP account originated to support Oracle SNMP (Simple Network Management Protocol). Back in the Oracle 7-8i days, this account was vulnerable to all kinds of nasty issues, and there were steps that administrators needed to take to secure it: from making the snmp_rw.ora file (residing in the $ORACLE_HOME/rdbms/admin directory) inaccessible except to the ORACLE OS user, to stopping the listener and the “Intelligent Agent” of the time in order to update passwords and lock everything else down, not to mention how many patches have been released to assist.

DBSNMP was *the* account used by Oracle’s Intelligent Agent, which connected automatically to remote servers and provided information to earlier incarnations of Enterprise Manager. The DBSNMP account is still used by OEM, via the Management Agent, for instance/node target discovery and for connectivity by the OMS to the target instance/node.

The DBSNMP user was one of those accounts that was granted the SELECT ANY DICTIONARY privilege and was set during many installations of Oracle’s RDBMS to be locked upon completion of the installation process. These days, forward thinking on the administrator’s part should ensure that this account is configured with a secure password, unlocked, and assigned a proper profile (vs. DEFAULT) that doesn’t lock and expire the account after 90 days. If you have to ask why, consider how many times I’ve had folks ask me why a target was unreachable and I found the DBSNMP account locked.

The user is created as part of the catalog.sql call and the unique script that creates it in the Oracle home is $ORACLE_HOME/rdbms/admin/catsnmp.sql.

The schema for the DBSNMP user contains a number of tables that, by category, are interesting and often unexpected:

DBSNMP.MGMT_SNAPSHOT_xxx:  Tables containing all snapshot information

DBSNMP.MGMT_BASELINE_xxx:  Tables containing information regarding baselines.

DBSNMP.MGMT_CAPTURE_xxx:  Tables containing statistical information captured.

DBSNMP.MGMT_RESPONSE_xxx:  Tables contain info regarding instance bounce

DBSNMP.MGMT_LATEST_xxx:  Each table houses the information for the metric named in the table.

DBSNMP.MGMT_HISTORY_xxx:  Historical information for the type of table named.

The privileges granted to the DBSNMP account are:

PRIVILEGE
--------------------------------------------------------------------------------
CREATE PROCEDURE
UNLIMITED TABLESPACE
SELECT ANY DICTIONARY
CREATE TABLE
OEM_MONITOR
EXECUTE on SYS.DBMS_SERVER_ALERT
EXECUTE on SYS.DBMS_MANAGEMENT_PACKS
SELECT on APPQOSSYS.WLM_CLASSIFIER_PLAN
SELECT on APPQOSSYS.WLM_METRICS_STREAM
SELECT on APPQOSSYS.WLM_MPA_STREAM
SELECT on APPQOSSYS.WLM_VIOLATION_STREAM
EXECUTE on SYSMAN.MGMT_EMREP_OOB_MONITORING

DB Console to EM Express

With the DB Console gone, what does this mean for the new, evolved Enterprise Manager Database Express? EM Express is still dependent upon the DBSNMP user, and finding out whether you have it installed and configured in DB12c is just a quick query away:

 select dbms_xdb_config.gethttpsport() from dual;

If it comes back without a value or error, nope, you need to run through the steps here to get it set up.

So always remember to keep the following as part of your checklist or, even better, set it up in a template (the less manual, the less human error!):

  • Ensure the account is unlocked
  • Set the password to something unique and different from SYS, SYSTEM, etc.
  • Update the profile to one that DOES NOT expire after a set number of days, or you must manage it proactively to avoid agent-unreachable issues with targets.
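
The checklist above as a SQL*Plus script, added here as an example and not part of the original post. The profile name MONITORING_SVC and the substitution variable new_pw are assumptions; run it as a DBA user.

```sql
-- 1. Audit: is DBSNMP locked or expired, and which profile governs it?
SELECT username, account_status, lock_date, expiry_date, profile
FROM   dba_users
WHERE  username = 'DBSNMP';

-- 2. Audit: password limits of that profile (DEFAULT commonly expires passwords).
SELECT profile, resource_name, limit
FROM   dba_profiles
WHERE  profile = (SELECT profile FROM dba_users WHERE username = 'DBSNMP')
AND    resource_type = 'PASSWORD'
ORDER  BY resource_name;

-- 3. Audit: compare actual grants with the privilege list shown earlier on this page.
SELECT privilege AS granted, 'SYSTEM' AS kind
FROM   dba_sys_privs  WHERE grantee = 'DBSNMP'
UNION ALL
SELECT granted_role, 'ROLE'
FROM   dba_role_privs WHERE grantee = 'DBSNMP'
UNION ALL
SELECT privilege || ' on ' || owner || '.' || table_name, 'OBJECT'
FROM   dba_tab_privs  WHERE grantee = 'DBSNMP'
ORDER  BY 2, 1;

-- 4. Remediate: a dedicated profile whose password never expires.
--    MONITORING_SVC is a hypothetical name; limits not listed here
--    inherit their values from the DEFAULT profile.
CREATE PROFILE monitoring_svc LIMIT
  PASSWORD_LIFE_TIME UNLIMITED;

ALTER USER dbsnmp PROFILE monitoring_svc;

-- 5. Remediate: set a unique password (prompted and hidden, so it is not
--    stored in the script) and unlock the account in one statement.
ACCEPT new_pw CHAR PROMPT 'New DBSNMP password: ' HIDE
ALTER USER dbsnmp IDENTIFIED BY "&new_pw" ACCOUNT UNLOCK;
UNDEFINE new_pw

-- 6. Verify: expect ACCOUNT_STATUS = OPEN and PROFILE = MONITORING_SVC.
SELECT username, account_status, expiry_date, profile
FROM   dba_users
WHERE  username = 'DBSNMP';
```

After changing the password, update the monitoring credentials stored for the target in Enterprise Manager as well, or the agent will keep trying the old password.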


Kellyn

http://about.me/dbakevlar