Kerberos and Database control don't want to play
739010 Dec 4 2009 — edited Dec 4 2009
I've got a problem - it's been with Oracle support for over 2 weeks now and have had no reply.
Our infrastructure is 10.2.0.4 on Solaris. The requirement is having Kerberos enabled authentication for the database and management is via EM Database Control not Grid Control so each Database is managed individually and is self-contained.
Kerberos was installed and is working fine. You can get a ticket and login OK. What became obvious, however, is that by enabling Kerberos, Database Control partially breaks. I know you can't have Kerberos EM accounts set up but that's not what we need to do. The agent just cannot connect to the local database. I've done a bit of trouble-shooting and it's pretty obvious what the issue is but sorting it out is a bit of a problem.
Right, when you enable Kerberos, most of the settings are done in the sqlnet.ora file on the database server. The interesting setting here is the line :-
SQLNET.AUTHENTICATION_SERVICES= (BEQ,KERBEROS5)
Correct me if I'm right, but what this basically does is to say that any 'local' connections (e.g. sqlplus / as sysdba) just go in through the usual database/host group accounts (BEQ) whilst any other connections (sqlnet) go through Kerberos. This is where the problem looks as though it is. The EMAgent insists on using a full descriptor (host, port, sid etc..) and thus loops back through sqlnet and hits the Kerberos authentication brick wall and produces the standard Kerberos error :-
Thread-8 ERROR vpxoci: ORA-12638: Credential retrieval failed
vpxoci: Login 0xfdf08 failed, error=ORA-12638: Credential retrieval failed
TargetManager: Exception in computing dynamic properties of {db1.server1.acme.co.uk, oracle_database },SystemTablespaceNumber::ORA-12638: Credential retrieval failed
Thread-8 WARN vpxoci: OCI Error -- ErrorCode(12638): ORA-12638: Credential retrieval failed
The connect descriptor being used by the agent is :-
LOGIN = dbsnmp/<PW>@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=server1.acme.co.uk)(PORT=1521))(CONNECT_DATA=(SID=DB1)))
I've briefly edited the emoms.properties file to change the descriptor to IPC based and it still errors just the same. To duplicate this error we just created a normal database account "account1" identified internally and used these descriptors outside EM with sqlplus and it's just the same, so running :-
sqlplus account1/password@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=server1.acme.co.uk)(PORT=1521))(CONNECT_DATA=(SID=DB1)))
gives exactly the same credentials error and :-
# sqlplus account1/password
connects just fine. BTW, if you edit the original sqlnet.ora file and change (BEQ,KERBEROS5) to (BEQ) or even just remove the line, it all works fine but obviously disables Kerberos which isn't an option.
If someone has experienced this and knows a patch/fix or which configuration files to hand-edit I'd appreciate it.
Thks
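
A small triage helper for the situation described in the post, added here as an example and not part of the original post or of any Oracle tooling: it reads the SQLNET.AUTHENTICATION_SERVICES line from sqlnet.ora text and counts ORA-12638 lines in agent log text, naming the targets they mention. The function names are hypothetical, the sample inputs are constructed from the lines quoted above, and the parser assumes the parameter sits on a single line.

```python
import re
from collections import Counter

# Constructed sample inputs, modelled on the lines quoted in the post.
SQLNET_ORA = "# constructed sample\nSQLNET.AUTHENTICATION_SERVICES= (BEQ,KERBEROS5)\n"
AGENT_LOG = """\
Thread-8 ERROR vpxoci: ORA-12638: Credential retrieval failed
vpxoci: Login 0xfdf08 failed, error=ORA-12638: Credential retrieval failed
TargetManager: Exception in computing dynamic properties of {db1.server1.acme.co.uk, oracle_database },SystemTablespaceNumber::ORA-12638: Credential retrieval failed
Thread-8 WARN vpxoci: OCI Error -- ErrorCode(12638): ORA-12638: Credential retrieval failed
"""

PARAM = re.compile(r"\s*SQLNET\.AUTHENTICATION_SERVICES\s*=\s*\(?([^)]*)\)?", re.I)
TARGET = re.compile(r"\{\s*([^,}]+?)\s*,\s*([^}]+?)\s*\}")


def auth_services(sqlnet_text):
    """Return the adapters listed in SQLNET.AUTHENTICATION_SERVICES, upper-cased."""
    for line in sqlnet_text.splitlines():
        line = line.split("#", 1)[0]  # ignore comments, including commented-out settings
        m = PARAM.match(line)
        if m:
            return [s.strip().upper() for s in m.group(1).split(",") if s.strip()]
    return []  # parameter not set in this file


def credential_failures(log_text):
    """Count ORA-12638 lines and collect (target name, target type) pairs they mention."""
    count, targets = 0, Counter()
    for line in log_text.splitlines():
        if "ORA-12638" not in line:
            continue
        count += 1
        m = TARGET.search(line)  # only the TargetManager lines carry a {name, type} pair
        if m:
            targets[(m.group(1), m.group(2))] += 1
    return count, targets


def triage(sqlnet_text, log_text):
    """Summarise the configured adapters next to the credential failures in the log."""
    services = auth_services(sqlnet_text)
    count, targets = credential_failures(log_text)
    return {"services": services, "kerberos_listed": "KERBEROS5" in services,
            "ora_12638_lines": count, "targets": sorted(targets)}


if __name__ == "__main__":
    print(triage(SQLNET_ORA, AGENT_LOG))
```

Run it against the sqlnet.ora that the agent's Oracle home actually reads and the agent's own log text to see, side by side, which adapters are configured and which targets are failing with ORA-12638.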