I’m in the middle of moving GC to a new server (which for me means doing a fresh install as prior experiences showed me that was by far the quick and dirty way as opposed to fighting with cloning the thing). While doing so, I ran across a post-patch step of securing emkey.ora… What happens if you don’t remove it from the repository, I wondered.
Pythian has a great example showing what happens. If you have Grid Control set up to monitor Data Guard dbs, you may have just handed over the kingdom to anyone who gets into your OEM db. Granted, they would need enough access to run the queries, but all that means is that they managed to get onto a server as a user that can log in ‘/as sysdba’, and from there…
Okay. So after setting everything up, you run
emctl config emkey -remove_from_repos
and all is well, right?
Well, not exactly. The Oracle notes say to back up the file. They don’t say to back it up to a secure location and then purge it from the OMS home. I need to do some testing (which I don’t have time to do right now), but I’m wondering if the file has to stay in the OMS home. If so, how secure is it really?
The person either accessed the GC repository with the password to an account such as sys (which would allow them to run such queries), or they got onto the server and can connect ‘/as sysdba’. If the latter occurs and we’re supposed to keep emkey.ora in the OMS home, all they need to do is:
emctl config emkey -copy_to_repos
And we’re back where we started…
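If emkey.ora has to stay in the OMS home, one compensating control is to watch for the key being put back into the repository. The script below is an added example, not part of the original post: it scans Linux auditd EXECVE records for 'emctl config emkey' calls and flags -copy_to_repos. It assumes an auditd rule that logs execve on the OMS host; the log lines, paths and event ids are constructed samples.

```python
import os
import re

# Constructed sample auditd EXECVE records (not real logs; paths are made up).
# The third record carries a hex-encoded argument to exercise the decoder.
SAMPLE_LOG = """\
type=EXECVE msg=audit(1300000000.101:210): argc=4 a0="/u01/oms/bin/emctl" a1="config" a2="emkey" a3="-remove_from_repos"
type=EXECVE msg=audit(1300000500.442:305): argc=3 a0="emctl" a1="status" a2="emkey"
type=EXECVE msg=audit(1300000900.007:411): argc=4 a0="emctl" a1="config" a2="emkey" a3=2D636F70795F746F5F7265706F73
type=EXECVE msg=audit(1300000950.300:412): argc=2 a0="ls" a1="-l"
"""

EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
ARG_RE = re.compile(r'\ba(\d+)=("([^"]*)"|[0-9A-Fa-f]+)')

def parse_argv(line):
    """Rebuild argv from an EXECVE record; unquoted values are hex-encoded."""
    args = {}
    for idx, raw, quoted in ARG_RE.findall(line):
        if raw.startswith('"'):
            args[int(idx)] = quoted
        else:
            args[int(idx)] = bytes.fromhex(raw).decode("utf-8", "replace")
    return [args[i] for i in sorted(args)]

def emkey_events(log_text):
    """Return (timestamp, event_id, action) for each 'emctl config emkey' call."""
    hits = []
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if "type=EXECVE" not in line or not m:
            continue
        argv = parse_argv(line)
        if len(argv) < 4 or os.path.basename(argv[0]) != "emctl":
            continue
        if argv[1:3] == ["config", "emkey"]:
            hits.append((float(m.group(1)), int(m.group(2)), argv[3]))
    return hits

def key_exposed_in_repos(events):
    """True if the latest logged emkey action copied the key back to the repository."""
    return bool(events) and max(events)[2] == "-copy_to_repos"

if __name__ == "__main__":
    events = emkey_events(SAMPLE_LOG)
    for ts, eid, action in events:
        flag = "ALERT" if action == "-copy_to_repos" else "ok"
        print(f"{flag:5} event={eid} ts={ts} emctl config emkey {action}")
    print("key back in repository per audit trail:", key_exposed_in_repos(events))
```

The audit trail only shows that the command was run, not that it succeeded, so an alert here is a prompt to check the repository rather than proof of exposure.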