EM12c: How to Retrieve Passwords from the Named Credentials

In my previous post, I showed how to list all named credentials in Enterprise Manager Cloud Control. As you saw, it was not possible through the regular user interface, so we connected to the repository database to get the information. Now let’s keep digging and see if we can retrieve the “encrypted information” saved in named credentials.

The username, password and role information of named credentials are stored in the em_nc_cred_columns table. When we examine it, we can see that there’s a one-to-many relation with em_nc_creds using the target_guid column, and the sensitive information is stored in the cred_attr_value column. That column is encrypted using the em_crypto package. The encryption algorithm uses a secret key, which is stored in the “Admin Credentials Wallet”, and a salt (random data for additional security). The wallet file is located in $MIDDLEWARE_HOME/gc_inst/em/EMGC_OMS1/sysman/config/adminCredsWallet/cwallet.sso, and the salt data can be found in the cred_salt column of the em_nc_cred_columns table. Here’s what it looks like:

[Screenshot: encrypted_credentials]

To decrypt the information, we need to call the decrypt function in the em_crypto package, but if we call it without opening the wallet, we get the following error:

How can we read the secret key from that wallet? The easiest way is to make Enterprise Manager open the wallet and store the secret key in the repository database. So we issue the following command:

It asks for the SYSMAN password. If you enter the correct password, it reads the wallet file and stores the secret key in the repository database. Of course, this makes your system insecure: anyone with access to the repository can now decrypt every stored credential. If you issue the command “emctl config emkey -remove_from_repos”, you can remove the key from the repository again.
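As an added defender-side check (not part of the original post), here is a small POSIX shell script that classifies the output of `emctl status emkey` so you can confirm the key was actually removed from the repository after you are done. The two message texts it matches and the `OMS_HOME` variable are assumptions; adjust them to what your emctl version prints.

```shell
#!/bin/sh
# Added example, not from the original post: classify "emctl status emkey"
# output so a DBA can verify the EMKey is no longer stored in the repository.
# The message texts matched below are assumptions about what emctl prints.

emkey_verdict() {
  # $1 is the captured output of "emctl status emkey". Prints a verdict and
  # returns 0 (secure), 1 (key still in repository) or 2 (unrecognised output).
  # The insecure pattern is tested first because both messages contain
  # "configured properly".
  case "$1" in
    *"remove_from_repos"*|*"not secure"*)
      echo "INSECURE: EMKey is stored in the repository; run 'emctl config emkey -remove_from_repos'"
      return 1 ;;
    *"configured properly"*)
      echo "OK: EMKey is read from the Admin Credentials Wallet only"
      return 0 ;;
    *)
      echo "UNKNOWN: unrecognised emctl output, check manually"
      return 2 ;;
  esac
}

emkey_check_live() {
  # Runs the real command when OMS_HOME (assumed variable) points at an OMS
  # install; otherwise skips so the script stays usable offline.
  [ -x "${OMS_HOME:-/nonexistent}/bin/emctl" ] || { echo "SKIP: OMS_HOME not set"; return 2; }
  out=$("$OMS_HOME/bin/emctl" status emkey 2>&1)
  emkey_verdict "$out"
}

# Constructed sample outputs for offline use (not real captures).
SAMPLE_SECURE='Oracle Enterprise Manager Cloud Control 12c
The EMKey is configured properly.'
SAMPLE_INSECURE='Oracle Enterprise Manager Cloud Control 12c
The EMKey is configured properly, but is not secure. Secure the EMKey by running "emctl config emkey -remove_from_repos".'

emkey_verdict "$SAMPLE_SECURE"
emkey_verdict "$SAMPLE_INSECURE" || true
```

Run `emkey_check_live` from a cron job or post-change checklist and alert on a non-zero return so a key copied for a one-off task does not stay in the repository.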

OK, if you issued the above command and stored the secret key in the repository, you can use the following query to fetch the decrypted information:

Sample output:

[Screenshot: decrypted_credentials]


Gokhan Atil is a database administrator who has hands-on experience with both RDBMS and NoSQL databases (Oracle, PostgreSQL, Microsoft SQL Server, Sybase IQ, MySQL, Cassandra, MongoDB and Elasticsearch) and a strong background in software development. He is an Oracle Certified Professional (OCP) and was named an Oracle ACE (in 2011) and Oracle ACE Director (in 2016) for his continuous contributions to the Oracle user community.

8 Comments

  1. Pingback: Log Buffer #409, A Carnival of the Vanities for DBAs | InsideMySQL

  2. Roy Niemann

    Stupid but serious question: Why would you want to be able to decrypt passwords? That in and of itself is insecure even if you’ve wrapped it properly. I’m just curious.

    • Gokhan Atil

      Roy, I personally do not want (and never needed) to decrypt others’ passwords, but this article shows that it’s possible to decrypt passwords although they are secured by the application layer of EM12c.

  3. Pingback: list database monitoring users | Laurent Schneider

  4. Yakiv

    Hi Gokhan, very nice one.
    Real-life use case: I needed to extract an SSH private key from the OMS repository to test it from the command line. Since it is also encrypted in a similar way and the DBA who created it was unreachable, I had to decrypt it using your approach.
    Thanks a lot,
    Yakiv.

    • Gokhan Atil

      Hi Yakiv,

      I’m glad to hear that it helped you, and thanks for sharing your real-life use case.

  5. Yas V

    Another real-world example: we had a contractor install OEM and set this up, but he didn’t leave the passwords behind for the various services. This made it easy to get a list so we can save them and then secure them back up. Thanks for posting this.

  6. Tom

    Thanks. Like a lot of people, I had to retrieve some passwords not left by a former colleague, so this came in handy. I did need to modify ‘%user%’ in line 6 to ‘%username%’ to avoid catching the “userpassword” attribute as well.
