Named credentials in OEM12c

Jeroen Gouma 4
0 0
Read Time:3 Minute, 41 Second

In Oracle Enterprise Manager 12c (aka OEM) there is such a great facility called “Named Credentials”. This allows someone to create a pair of username/password which can be used afterwards without knowing the actual password. Named credentials can be defined on target (i.e. single database or host) or on global level (available on all targets of specified type).

This already works great for a single user (no need to remember all the different passwords, just key them in once and give them a useful name), but how about a bigger environment. If a password change is executed all administrators have to update their stored Named Credentials. If one is missed, his/her jobs will fail and irritation level will increase.

It would be nice to have 1 user who is responsible for setting up and maintaining the Named Credential, and all other admins just consuming them when needed. This functionality is out of the box available in the OEM console, so whats the worry…? No worries, but now we upscale a bit.

Imagine we have several administrators who only consume the Named Credentials. If a new colleague arrives, he has to be granted use ‘View’ rights on all (maybe a lot) Named Credentials. Same applies if a new Named Credential is added to the pool. It has to be granted to all admins. Or the other way around: the current admin leaves his job: all change rights on all Named Credentials have to be changed…. This calls for the usage of a group functionality.

This functionality is  not available in the GUI of OEM, neither explained in the manuals (at least I couldn’t find it).

Luckely we have EMCLI (Enterprise Manager Command Line Interface), giving a lot more functionality then the GUI does. And since it is command line, we can also script against it. Installation instructions for EMCLI can be found in your OEM instance: Navigate to Setup > Command Line Interface…

One small downside on this construction is the fact that the admins can not be ‘Super Administrator’ anymore, the will have be ‘demoted’ to ‘Admin’.

What we will do is:

  1. Create required accounts and roles in OEM
  2. Create a user who will be owner of all named credentials (it’s pure administrative)
  3. List all named credentials
  4. Grant access to the named credentials to the roles
  5. Grant the appropriate roles to the administrators

Login in the OEM console using an account with super administrator privileges (i.e. sysman).

  • Navigate to Setup > Security > Roles and click “Create”. Give this role the name “MY_SEC_ADMIN”, Click “Review” and then “Finish”
  • Navigate to Setup > Security > Roles and click “Create”. Give this role the name “MY_SEC_USER”, Click “Review” and then “Finish”
  • Navigate to Setup > Security > Roles and click “Create”. Give this role the name “MY_PUBLIC”, click “Next”, grant all privileges you might need  and continue until “Finish”
  • Navigate to Setup > Security > Administrators  and click “Create”. Give this user the name “Credential_owner”, select “Superadministrator”, click “Review” and then “Finish”

Logout from OEM console, and login again using the newly created account Credential_owner

  • Navigate to Setup > Security > Named Credentials
  • Create a new named credential

Next step is to start emcli and connect to your OEM instance:

C:\emcli>emcli setup -url= -autologin -username=Credential_owner
Oracle Enterprise Manager Cloud Control 12c Release 2.
Copyright (c) 1996, 2012 Oracle Corporation and/or its affiliates. All rights reserved.

Enter password

Emcli setup successful


Next step is to list all named credentials this user has access on:

C:\emcli> emcli list_named_credentials

For each named credential a line will be written with Credential Name, Credential Owner and some target info.

To grant read access to all users who are in the group “MY_SEC_USER” execute the following statement:

C:\emcli>emcli grant_privs -name=”MY_SEC_USER” -privilege=”GET_CREDENTIAL;CRED_NAME=<credential_name>:CRED_OWNER=Credential owner”

To grant full access to the users in the group “My_SEC_ADMIN”you can use the following:

C:\emcli>emcli grant_privs -name=”MY_SEC_USER” -privilege=”FULL_CREDENTIAL;CRED_NAME=<credential_name>:CRED_OWNER=Credential owner”

Of course there is a lot more that can be achieved on this subject. This post is just to get you started…

About Post Author

Jeroen Gouma

Jeroen is working as senior consultant at AMIS. During the last years he specialized in designing and building complex Cloud environments.
0 %
0 %
0 %
0 %
0 %
0 %

Average Rating

5 Star
4 Star
3 Star
2 Star
1 Star

4 thoughts on “Named credentials in OEM12c

  1. Is there a possibly to modify multiple privileges (wildcard) with emcli grant_privs in one command?

    1. Using a wildcard seems not te be working, although you can specify more then one privilige in a command:

      emcli grant_privs

  2. Is the ability to grant to a private role possible in the GUI or only via emcli ? I cannot seem to get the private role to list when I have “normal” users wanting to share creds using the UI. I would rather that they didnt know about emcli !

  3. Hi,

    I’ve tried this command to add this to a role and it does not work as you stated. Can you confirm ?
    oracle@chrbl274@oms12c:/export/home/oracle> emcli grant_privs -name=”SR_ENG_ROLE” -privilege=”GET_CREDENTIAL;CRED_NAME=ORACLE_C401:CRED_OWNER=SR_ENTERPRISE”

    Error: Invalid privilege: GET_CREDENTIAL privilege cannot be granted to a role

Comments are closed.

Next Post

AMIS "Enterprise to Mobility” Oracle ADF Conference May 21-23. Featuring Chris Muir & Frank Nimphius

AMIS is offering a unique 3 day conference (May 21-23) aimed at breaching the divide between traditional Oracle Fusion Middleware experts and the brave new world of enterprise mobility. The enterprise landscape is rapidly evolving to integrate mobile into the mix, and this presents many opportunities to update skills while also […]
Enterprise to mobility event AMIS
%d bloggers like this: