In my previous post, I showed how to list all named credentials in Enterprise Manager Cloud Control. As you saw, it was not possible through the regular user interface, so we connected to the repository database to get the information. Now let's keep digging and see if we can retrieve the "encrypted information" saved in named credentials.

The username, password and role information of named credentials is stored in the em_nc_cred_columns table. When we examine it, we can see that it has a one-to-many relation with em_nc_creds through the cred_guid column, and that the sensitive values are stored in the cred_attr_value column. That column is encrypted using the em_crypto package. The encryption algorithm uses a secret key (the "emkey") which is stored in the "Admin Credentials Wallet", plus a per-row salt (random data added so that identical values do not encrypt to identical ciphertexts). The wallet file is located at $MIDDLEWARE_HOME/gc_inst/em/EMGC_OMS1/sysman/config/adminCredsWallet/cwallet.sso, and the salt can be found in the cred_salt column of the em_nc_cred_columns table. Here's what it looks like:

[screenshot: encrypted_credentials]

To decrypt the information, we need to call the decrypt function of the em_crypto package, but if we call it while the wallet has not been opened (that is, while the key is not available to the repository), we get the following error:

How can we read the secret key from that wallet? The easiest way is to make Enterprise Manager open the wallet itself and store the secret key in the repository database. So we issue the following command:

It asks for the SYSMAN password. If you enter the correct password, it reads the wallet file and stores the secret key in the repository database. Of course, this makes your system less secure: while the key sits in the repository, anyone who can query the SYSMAN schema can decrypt every named credential, so treat this as a temporary state. When you are done, the command "emctl config emkey -remove_from_repos" removes the key from the repository again.

OK, if you issued the above command and stored the secret key in the repository, you can use the following query to fetch the decrypted information:

Sample output:

[screenshot: decrypted_credentials]
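The following is an added example of such a decryption query, written for this page rather than taken from the original post (whose query survives only as a screenshot). It assumes that the emkey has already been copied into the repository with the emctl command described above, that em_nc_creds and em_nc_cred_columns join on cred_guid, and that sysman.em_crypto.decrypt takes the encrypted value and the salt as its two arguments and returns VARCHAR2; check the last two with DESC in SQL*Plus before relying on the output. The owner filter uses a SQL*Plus substitution variable so you can narrow the result to one owner instead of dumping every credential.

```sql
-- Added example (not the post's own query): decrypt EM12c named credentials
-- from the repository. Run as SYSMAN (or a user with SELECT on these
-- SYSMAN tables and EXECUTE on SYSMAN.EM_CRYPTO) AFTER the emkey has been
-- copied into the repository with emctl.
--
-- Assumptions to verify first:
--   DESC sysman.em_nc_creds          -- expect a CRED_GUID column (join key)
--   DESC sysman.em_nc_cred_columns   -- expect CRED_GUID, CRED_ATTR_NAME,
--                                    --        CRED_ATTR_VALUE, CRED_SALT
--   DESC sysman.em_crypto            -- expect DECRYPT(value, salt)

SET LINESIZE 200
SET VERIFY OFF
COLUMN cred_owner      FORMAT A16
COLUMN cred_name       FORMAT A28
COLUMN cred_attr_name  FORMAT A18
COLUMN cred_attr_value FORMAT A40

-- Step 1: see which attribute names exist before filtering on them. The
-- attribute names include both user name and password attributes, so a
-- LIKE '%user%' filter on cred_attr_name can match more than intended.
SELECT DISTINCT cred_attr_name
  FROM sysman.em_nc_cred_columns
 ORDER BY cred_attr_name;

-- Step 2: decrypt every attribute of the credentials owned by one EM user.
-- cred_attr_value is the ciphertext, cred_salt is the per-row salt that
-- em_crypto needs alongside the emkey to reverse the encryption.
SELECT c.cred_owner,
       c.cred_name,
       cc.cred_attr_name,
       sysman.em_crypto.decrypt(cc.cred_attr_value, cc.cred_salt) AS cred_attr_value
  FROM sysman.em_nc_creds        c
  JOIN sysman.em_nc_cred_columns cc
    ON cc.cred_guid = c.cred_guid          -- assumed join key, see DESC above
 WHERE c.cred_owner = UPPER('&cred_owner') -- e.g. SYSMAN; prompt from SQL*Plus
 ORDER BY c.cred_owner, c.cred_name, cc.cred_attr_name;

-- Step 3 (from the OMS host, not from SQL): put the key back into the wallet
-- only, so the repository no longer holds the material to decrypt anything:
--   emctl config emkey -remove_from_repos
```

If the decrypt call raises the same error shown above, the key is not in the repository (the emctl copy was skipped, or it has already been removed). Note that the first query deliberately lists attribute names rather than filtering with a wildcard, because a pattern such as '%user%' also matches password attributes whose names contain "user".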

6 Responses to “EM12c: How to Retrieve Passwords from the Named Credentials”

  1. Roy Niemann says:

    Stupid but serious question: Why would you want to be able to decrypt passwords. That in an of itself is insecure even if you’ve wrapped it properly. I’m just curious.

    • Gokhan Atil says:

      Roy, I personally do not want (and never needed) to decrypt others’ passwords but this article shows that it’s possible to decrypt passwords although they are secured by the application layer of EM12c.

  2. Hi Gokhan, very nice one.
    Real life use case – needed to extract SSH private key from OMS repository to test it from command line. Since it is also encrypted in similar way and DBA who created it was unreachable I had to decrypt it using your approach.
    Thanks a lot,
    Yakiv.

    • Gokhan Atil says:

      Hi Yakiv,

      I’m glad to hear that it helped you, and thanks for sharing your real life use case.

  3. Another real world example, we had a contractor install OEM and set this up but he didn’t leave the passwords behind for the various services. This made it easy to get a list so we can save and then secure back up. Thanks for posting this.

  4. Thanks. Like a lot of people I had to retrieve some passwords not left by a former colleague so this came in handy. I did need to modify ‘%user%’ in line 6 to ‘%username%’ to avoid catching the “userpassword” attribute as well.

Trackbacks/Pingbacks

  1. Log Buffer #409, A Carnival of the Vanities for DBAs | InsideMySQL - […] EM12c: How to Retrieve Passwords from the Named Credentials […]
  2. list database monitoring users | Laurent Schneider - […] To retrieve this information, you need some to hijack your database, read this : Gökhan Atil […]
