IMPORTANT UPDATE 20190404: If you use, or have considered using, the EMCLI integration in this script, please take note of the comment posted by Christian Lehnert recently. Christian checked with Oracle ACS who reported that the repository views queried by the EMCLI integration in this script are licensed views and require the Lifecycle Management Pack. If you run the script without using the EMCLI integration, this code path is not reached, so you do not have any licensing implications. If however you do use the EMCLI integration by logging in to EMCLI before running the script, please take this information under advisement. I intend to modify the script going forward to avoid using these repository views, but that will have the side effect of dramatically slowing down the script in EMCLI mode as agent patch checks will have to rely on EM jobs instead of direct repository queries.
Oracle released Oracle Enterprise Manager 13cR2 at the beginning of October 2016. I have upgraded my production system to this new version, and here I provide a 13cR2-compatible version of my EM13c security checkup script. In addition to updating the script for EM13cR2, I have also updated it to take account of Oracle’s recommendation that single-instance non-RAC databases such as OEM repositories should now apply the DBBP Bundle Patch (previously known as the engineered systems bundle patch).
Latest Updates
Acknowledgements for previous release, November 28, 2017, version 2.21: This release includes many improvements provided by Jan Schnackenberg: combining the demo and self-signed certificate checks, adding a more robust multi-dot version string check, and many bugfixes that prevented the script from running correctly on AIX. This release includes the 20171031 bundle patches and latest OPatch, but please note the warning at the end of the script about open bugs with the latest OPatch release. You may wish NOT to install OPatch 13.9.2.1.0 or the DB plugin bundle patch that requires it. Further, due to some changes in the EMCLI implementation to use “emcli list” instead of “emcli execute_sql”, if you use the optional EMCLI integration your EMCLI user will now require the ACCESS_EMCLI_SQL_LIST_VERB privilege. I have updated the create_user_for_checksec13R2.sh script to include this privilege for newly created CHECKSEC user accounts.
Latest release, Oct 18, 2018, version 2.40: This release covers the Oct 16, 2018 critical patch updates.
Download the latest release from https://raw.githubusercontent.com/brianpardy/em13c/master/checksec13R2.sh
EMCLI
If you have used this script for a while, you can download the latest release and just run it. It will continue to work the way it always has. If you would like to enable additional, optional functionality, enable the checksec13R2.sh EMCLI integration by logging in to EMCLI with an OEM administrator account before running checksec13R2.sh. The script will use EMCLI and attempt to check for plugin bundle patches on ALL of your OEM agents, not only the chained agent as it used to. It will also use EMCLI to attempt to validate the Java versions on all of your agents. This functionality requires that the EMCLI user account has access to run the execute_sql and execute_hostcmd, and also requires that the EMCLI user account has preferred credentials set for the repository database (normal and sysdba), repository database host, and for every host with a management agent.
To simplify the process, I have created a script to create a CHECKSEC user account in your OEM environment. The script will prompt you for the named credentials that the new account should use to access your repository database and each host. If you run this script after logging in to EMCLI as SYSMAN, it will create the new OEM user, grant acccess to all specified credentials, and grant EM_ALL_OPERATOR and VIEW_ANY_TARGET privileges so that the new account will have all the access needed to run all the optional checksec13R2.sh checks. I have included sample output from the user creation script at the end of this post. You can download the user creation script at create_user_for_checksec13R2.sh.
Download
You can access my EM13c script repository at https://github.com/brianpardy/em13c. To directly access the EM13cR2 security checkup script, use https://raw.githubusercontent.com/brianpardy/em13c/master/checksec13R2.sh.
Example Output – checksec13R2.sh
Performing EM13c R2 security checkup version 2.7 on omshost.domain.com at Mon May 1 15:38:41 EDT 2017.
Gathering info…
EM13c config… OK
Repos DB… 12.1.0.2.0 OK
OPatch-OMS… OK
OPatch-Agent… OK
OPatch-Repos DB… OK
OMSPatcher-OMS… OK
EMCLI login… OK
EMCLI-Agent list… OK
EMCLI-Agent patches… OK
EMCLI-Agent homes… OK
Using port definitions from configuration files
/etc/oragchomelist
/oracle/oem/gc_inst1/em/EMGC_OMS1/emgc.properties
/oracle/oem/gc_inst1/em/EMGC_OMS1/embip.properties
/oracle/oem/agent13cR1/agent_13.2.0.0.0/../agent_inst/sysman/emd/targets.xml
Agent port found at omshost.domain.com:3872
BIPublisher port found at omshost.domain.com:9803
BIPublisherOHS port found at omshost.domain.com:9852
NodeManager port found at omshost.domain.com:7403
OMSconsole port found at omshost.domain.com:7802
OMSproxy port found at omshost.domain.com:7301
OMSupload port found at omshost.domain.com:4903
WLSadmin found at omshost.domain.com:7102
Repository DB version=12.1.0.2.0 SID=oemdb host=omshost.domain.com
Repository DB target name=oemdb.domain.com
Using OPENSSL=/usr/bin/openssl1 (has TLS1_2=2)
Repository DB on OMS server, will check patches/parameters in /oracle/oem/product/12.1.0/db
(1) Checking SSL/TLS configuration (see notes 2138391.1, 2212006.1)
(1a) Forbid SSLv2 connections
Confirming ssl2 disabled for Agent at omshost.domain.com:3872… OK
Confirming ssl2 disabled for BIPublisher at omshost.domain.com:9803… OK
Confirming ssl2 disabled for NodeManager at omshost.domain.com:7403… OK
Confirming ssl2 disabled for BIPublisherOHS at omshost.domain.com:9852… OK
Confirming ssl2 disabled for OMSconsole at omshost.domain.com:7802… OK
Confirming ssl2 disabled for OMSproxy at omshost.domain.com:7301… OK
Confirming ssl2 disabled for OMSupload at omshost.domain.com:4903… OK
Confirming ssl2 disabled for WLSadmin at omshost.domain.com:7102… OK
Checking SSLv2 on all agents
Confirming ssl2 disabled for Agent at host01.domain.com:3872… OK
Confirming ssl2 disabled for Agent at host02.domain.com:3872… OK
Confirming ssl2 disabled for Agent at host04.usa.domain.com:3872… OK
Confirming ssl2 disabled for Agent at host03.domain.com:3872… OK
Confirming ssl2 disabled for Agent at host05.domain.com:3872… OK
Confirming ssl2 disabled for Agent at host06.domain.com:1830… OK
Confirming ssl2 disabled for Agent at host07.domain.com:3872… OK
Confirming ssl2 disabled for Agent at host08.domain.com:3872… OK
Confirming ssl2 disabled for Agent at host09.domain.com:1830… OK
Confirming ssl2 disabled for Agent at host10.domain.com:3872… OK
Confirming ssl2 disabled for Agent at host11.domain.com:3872… OK
Confirming ssl2 disabled for Agent at host12.domain.com:3872… OK
Confirming ssl2 disabled for Agent at host13.domain.com:3872… OK
Confirming ssl2 disabled for Agent at host14.domain.com:3872… OK
Confirming ssl2 disabled for Agent at host15.domain.com:3872… OK
Confirming ssl2 disabled for Agent at host16.domain.com:3872… OK
Confirming ssl2 disabled for Agent at omshost.domain.com:3872… OK
Confirming ssl2 disabled for Agent at host17.domain.com:3872… OK
Confirming ssl2 disabled for Agent at host18.domain.com:3872… OK
(1b) Forbid SSLv3 connections
Confirming ssl3 disabled for Agent at omshost.domain.com:3872… OK
Confirming ssl3 disabled for BIPublisher at omshost.domain.com:9803… OK
Confirming ssl3 disabled for NodeManager at omshost.domain.com:7403… OK
Confirming ssl3 disabled for BIPublisherOHS at omshost.domain.com:9852… OK
Confirming ssl3 disabled for OMSconsole at omshost.domain.com:7802… OK
Confirming ssl3 disabled for OMSproxy at omshost.domain.com:7301… OK
Confirming ssl3 disabled for OMSupload at omshost.domain.com:4903… OK
Confirming ssl3 disabled for WLSadmin at omshost.domain.com:7102… OK
Checking SSLv3 on all agents
Confirming ssl3 disabled for Agent at host01.domain.com:3872… OK
Confirming ssl3 disabled for Agent at host02.domain.com:3872… OK
Confirming ssl3 disabled for Agent at host04.usa.domain.com:3872… OK
Confirming ssl3 disabled for Agent at host03.domain.com:3872… OK
Confirming ssl3 disabled for Agent at host05.domain.com:3872… OK
Confirming ssl3 disabled for Agent at host06.domain.com:1830… OK
Confirming ssl3 disabled for Agent at host07.domain.com:3872… OK
Confirming ssl3 disabled for Agent at host08.domain.com:3872… OK
Confirming ssl3 disabled for Agent at host09.domain.com:1830… OK
Confirming ssl3 disabled for Agent at host10.domain.com:3872… OK
Confirming ssl3 disabled for Agent at host11.domain.com:3872… OK
Confirming ssl3 disabled for Agent at host12.domain.com:3872… OK
Confirming ssl3 disabled for Agent at host13.domain.com:3872… OK
Confirming ssl3 disabled for Agent at host14.domain.com:3872… OK
Confirming ssl3 disabled for Agent at host15.domain.com:3872… OK
Confirming ssl3 disabled for Agent at host16.domain.com:3872… OK
Confirming ssl3 disabled for Agent at omshost.domain.com:3872… OK
Confirming ssl3 disabled for Agent at host17.domain.com:3872… OK
Confirming ssl3 disabled for Agent at host18.domain.com:3872… OK
(1c) Forbid TLSv1 connections
Confirming tls1 disabled for Agent at omshost.domain.com:3872… OK
Confirming tls1 disabled for BIPublisher at omshost.domain.com:9803… OK
Confirming tls1 disabled for NodeManager at omshost.domain.com:7403… OK
Confirming tls1 disabled for BIPublisherOHS at omshost.domain.com:9852… OK
Confirming tls1 disabled for OMSconsole at omshost.domain.com:7802… OK
Confirming tls1 disabled for OMSproxy at omshost.domain.com:7301… OK
Confirming tls1 disabled for OMSupload at omshost.domain.com:4903… OK
Confirming tls1 disabled for WLSadmin at omshost.domain.com:7102… OK
Checking TLSv1 on all agents
Confirming tls1 disabled for Agent at host01.domain.com:3872… OK
Confirming tls1 disabled for Agent at host02.domain.com:3872… OK
Confirming tls1 disabled for Agent at host04.usa.domain.com:3872… OK
Confirming tls1 disabled for Agent at host03.domain.com:3872… OK
Confirming tls1 disabled for Agent at host05.domain.com:3872… OK
Confirming tls1 disabled for Agent at host06.domain.com:1830… OK
Confirming tls1 disabled for Agent at host07.domain.com:3872… OK
Confirming tls1 disabled for Agent at host08.domain.com:3872… OK
Confirming tls1 disabled for Agent at host09.domain.com:1830… OK
Confirming tls1 disabled for Agent at host10.domain.com:3872… OK
Confirming tls1 disabled for Agent at host11.domain.com:3872… OK
Confirming tls1 disabled for Agent at host12.domain.com:3872… OK
Confirming tls1 disabled for Agent at host13.domain.com:3872… OK
Confirming tls1 disabled for Agent at host14.domain.com:3872… OK
Confirming tls1 disabled for Agent at host15.domain.com:3872… OK
Confirming tls1 disabled for Agent at host16.domain.com:3872… OK
Confirming tls1 disabled for Agent at omshost.domain.com:3872… OK
Confirming tls1 disabled for Agent at host17.domain.com:3872… OK
Confirming tls1 disabled for Agent at host18.domain.com:3872… OK
(1d) Forbid TLSv1.1 connections
Confirming tls1_1 disabled for Agent at omshost.domain.com:3872… OK
Confirming tls1_1 disabled for BIPublisher at omshost.domain.com:9803… OK
Confirming tls1_1 disabled for NodeManager at omshost.domain.com:7403… OK
Confirming tls1_1 disabled for BIPublisherOHS at omshost.domain.com:9852… OK
Confirming tls1_1 disabled for OMSconsole at omshost.domain.com:7802… OK
Confirming tls1_1 disabled for OMSproxy at omshost.domain.com:7301… OK
Confirming tls1_1 disabled for OMSupload at omshost.domain.com:4903… OK
Confirming tls1_1 disabled for WLSadmin at omshost.domain.com:7102… OK
Checking TLSv1.1 on all agents
Confirming tls1_1 disabled for Agent at host01.domain.com:3872… OK
Confirming tls1_1 disabled for Agent at host02.domain.com:3872… OK
Confirming tls1_1 disabled for Agent at host04.usa.domain.com:3872… OK
Confirming tls1_1 disabled for Agent at host03.domain.com:3872… OK
Confirming tls1_1 disabled for Agent at host05.domain.com:3872… OK
Confirming tls1_1 disabled for Agent at host06.domain.com:1830… OK
Confirming tls1_1 disabled for Agent at host07.domain.com:3872… OK
Confirming tls1_1 disabled for Agent at host08.domain.com:3872… OK
Confirming tls1_1 disabled for Agent at host09.domain.com:1830… OK
Confirming tls1_1 disabled for Agent at host10.domain.com:3872… OK
Confirming tls1_1 disabled for Agent at host11.domain.com:3872… OK
Confirming tls1_1 disabled for Agent at host12.domain.com:3872… OK
Confirming tls1_1 disabled for Agent at host13.domain.com:3872… OK
Confirming tls1_1 disabled for Agent at host14.domain.com:3872… OK
Confirming tls1_1 disabled for Agent at host15.domain.com:3872… OK
Confirming tls1_1 disabled for Agent at host16.domain.com:3872… OK
Confirming tls1_1 disabled for Agent at omshost.domain.com:3872… OK
Confirming tls1_1 disabled for Agent at host17.domain.com:3872… OK
Confirming tls1_1 disabled for Agent at host18.domain.com:3872… OK
(1e) Permit TLSv1.2 connections
Confirming tls1_2 available for Agent at omshost.domain.com:3872… OK
Confirming tls1_2 available for BIPublisher at omshost.domain.com:9803… OK
Confirming tls1_2 available for NodeManager at omshost.domain.com:7403… OK
Confirming tls1_2 available for BIPublisherOHS at omshost.domain.com:9852… OK
Confirming tls1_2 available for OMSconsole at omshost.domain.com:7802… OK
Confirming tls1_2 available for OMSproxy at omshost.domain.com:7301… OK
Confirming tls1_2 available for OMSupload at omshost.domain.com:4903… OK
Confirming tls1_2 available for WLSadmin at omshost.domain.com:7102… OK
Checking TLSv1.2 on all agents
Confirming tls1_2 available for Agent at host01.domain.com:3872… OK
Confirming tls1_2 available for Agent at host02.domain.com:3872… OK
Confirming tls1_2 available for Agent at host04.usa.domain.com:3872… OK
Confirming tls1_2 available for Agent at host03.domain.com:3872… OK
Confirming tls1_2 available for Agent at host05.domain.com:3872… OK
Confirming tls1_2 available for Agent at host06.domain.com:1830… OK
Confirming tls1_2 available for Agent at host07.domain.com:3872… OK
Confirming tls1_2 available for Agent at host08.domain.com:3872… OK
Confirming tls1_2 available for Agent at host09.domain.com:1830… OK
Confirming tls1_2 available for Agent at host10.domain.com:3872… OK
Confirming tls1_2 available for Agent at host11.domain.com:3872… OK
Confirming tls1_2 available for Agent at host12.domain.com:3872… OK
Confirming tls1_2 available for Agent at host13.domain.com:3872… OK
Confirming tls1_2 available for Agent at host14.domain.com:3872… OK
Confirming tls1_2 available for Agent at host15.domain.com:3872… OK
Confirming tls1_2 available for Agent at host16.domain.com:3872… OK
Confirming tls1_2 available for Agent at omshost.domain.com:3872… OK
Confirming tls1_2 available for Agent at host17.domain.com:3872… OK
Confirming tls1_2 available for Agent at host18.domain.com:3872… OK
(2) Checking supported ciphers at SSL/TLS endpoints (see notes 2138391.1, 1067411.1)
(2a) Checking LOW strength ciphers on Agent (omshost.domain.com:3872, protocol tls1_2)… OK
(2a) Checking MEDIUM strength ciphers on Agent (omshost.domain.com:3872)… OK
(2a) Checking HIGH strength ciphers on Agent (omshost.domain.com:3872)… OK
(2b) Checking LOW strength ciphers on BIPublisher (omshost.domain.com:9803, protocol tls1_2)… OK
(2b) Checking MEDIUM strength ciphers on BIPublisher (omshost.domain.com:9803)… OK
(2b) Checking HIGH strength ciphers on BIPublisher (omshost.domain.com:9803)… OK
(2c) Checking LOW strength ciphers on NodeManager (omshost.domain.com:7403, protocol tls1_2)… OK
(2c) Checking MEDIUM strength ciphers on NodeManager (omshost.domain.com:7403)… OK
(2c) Checking HIGH strength ciphers on NodeManager (omshost.domain.com:7403)… OK
(2d) Checking LOW strength ciphers on BIPublisherOHS (omshost.domain.com:9852, protocol tls1_2)… OK
(2d) Checking MEDIUM strength ciphers on BIPublisherOHS (omshost.domain.com:9852)… OK
(2d) Checking HIGH strength ciphers on BIPublisherOHS (omshost.domain.com:9852)… OK
(2e) Checking LOW strength ciphers on OMSconsole (omshost.domain.com:7802, protocol tls1_2)… OK
(2e) Checking MEDIUM strength ciphers on OMSconsole (omshost.domain.com:7802)… OK
(2e) Checking HIGH strength ciphers on OMSconsole (omshost.domain.com:7802)… OK
(2f) Checking LOW strength ciphers on OMSproxy (omshost.domain.com:7301, protocol tls1_2)… OK
(2f) Checking MEDIUM strength ciphers on OMSproxy (omshost.domain.com:7301)… OK
(2f) Checking HIGH strength ciphers on OMSproxy (omshost.domain.com:7301)… OK
(2g) Checking LOW strength ciphers on OMSupload (omshost.domain.com:4903, protocol tls1_2)… OK
(2g) Checking MEDIUM strength ciphers on OMSupload (omshost.domain.com:4903)… OK
(2g) Checking HIGH strength ciphers on OMSupload (omshost.domain.com:4903)… OK
(2h) Checking LOW strength ciphers on WLSadmin (omshost.domain.com:7102, protocol tls1_2)… OK
(2h) Checking MEDIUM strength ciphers on WLSadmin (omshost.domain.com:7102)… OK
(2h) Checking HIGH strength ciphers on WLSadmin (omshost.domain.com:7102)… OK
Checking supported ciphers on all agents
(2i) Checking LOW strength ciphers on Agent (host01.domain.com:3872, protocol tls1_2)… OK
(2i) Checking MEDIUM strength ciphers on Agent (host01.domain.com:3872)… OK
(2i) Checking HIGH strength ciphers on Agent (host01.domain.com:3872)… OK
(2i) Checking LOW strength ciphers on Agent (host02.domain.com:3872, protocol tls1_2)… OK
(2i) Checking MEDIUM strength ciphers on Agent (host02.domain.com:3872)… OK
(2i) Checking HIGH strength ciphers on Agent (host02.domain.com:3872)… OK
(2i) Checking LOW strength ciphers on Agent (host04.usa.domain.com:3872, protocol tls1_2)… OK
(2i) Checking MEDIUM strength ciphers on Agent (host04.usa.domain.com:3872)… OK
(2i) Checking HIGH strength ciphers on Agent (host04.usa.domain.com:3872)… OK
(2i) Checking LOW strength ciphers on Agent (host03.domain.com:3872, protocol tls1_2)… OK
(2i) Checking MEDIUM strength ciphers on Agent (host03.domain.com:3872)… OK
(2i) Checking HIGH strength ciphers on Agent (host03.domain.com:3872)… OK
(2i) Checking LOW strength ciphers on Agent (host05.domain.com:3872, protocol tls1_2)… OK
(2i) Checking MEDIUM strength ciphers on Agent (host05.domain.com:3872)… OK
(2i) Checking HIGH strength ciphers on Agent (host05.domain.com:3872)… OK
(2i) Checking LOW strength ciphers on Agent (host06.domain.com:1830, protocol tls1_2)… OK
(2i) Checking MEDIUM strength ciphers on Agent (host06.domain.com:1830)… OK
(2i) Checking HIGH strength ciphers on Agent (host06.domain.com:1830)… OK
(2i) Checking LOW strength ciphers on Agent (host07.domain.com:3872, protocol tls1_2)… OK
(2i) Checking MEDIUM strength ciphers on Agent (host07.domain.com:3872)… OK
(2i) Checking HIGH strength ciphers on Agent (host07.domain.com:3872)… OK
(2i) Checking LOW strength ciphers on Agent (host08.domain.com:3872, protocol tls1_2)… OK
(2i) Checking MEDIUM strength ciphers on Agent (host08.domain.com:3872)… OK
(2i) Checking HIGH strength ciphers on Agent (host08.domain.com:3872)… OK
(2i) Checking LOW strength ciphers on Agent (host09.domain.com:1830, protocol tls1_2)… OK
(2i) Checking MEDIUM strength ciphers on Agent (host09.domain.com:1830)… OK
(2i) Checking HIGH strength ciphers on Agent (host09.domain.com:1830)… OK
(2i) Checking LOW strength ciphers on Agent (host10.domain.com:3872, protocol tls1_2)… OK
(2i) Checking MEDIUM strength ciphers on Agent (host10.domain.com:3872)… OK
(2i) Checking HIGH strength ciphers on Agent (host10.domain.com:3872)… OK
(2i) Checking LOW strength ciphers on Agent (host11.domain.com:3872, protocol tls1_2)… OK
(2i) Checking MEDIUM strength ciphers on Agent (host11.domain.com:3872)… OK
(2i) Checking HIGH strength ciphers on Agent (host11.domain.com:3872)… OK
(2i) Checking LOW strength ciphers on Agent (host12.domain.com:3872, protocol tls1_2)… OK
(2i) Checking MEDIUM strength ciphers on Agent (host12.domain.com:3872)… OK
(2i) Checking HIGH strength ciphers on Agent (host12.domain.com:3872)… OK
(2i) Checking LOW strength ciphers on Agent (host13.domain.com:3872, protocol tls1_2)… OK
(2i) Checking MEDIUM strength ciphers on Agent (host13.domain.com:3872)… OK
(2i) Checking HIGH strength ciphers on Agent (host13.domain.com:3872)… OK
(2i) Checking LOW strength ciphers on Agent (host14.domain.com:3872, protocol tls1_2)… OK
(2i) Checking MEDIUM strength ciphers on Agent (host14.domain.com:3872)… OK
(2i) Checking HIGH strength ciphers on Agent (host14.domain.com:3872)… OK
(2i) Checking LOW strength ciphers on Agent (host15.domain.com:3872, protocol tls1_2)… OK
(2i) Checking MEDIUM strength ciphers on Agent (host15.domain.com:3872)… OK
(2i) Checking HIGH strength ciphers on Agent (host15.domain.com:3872)… OK
(2i) Checking LOW strength ciphers on Agent (host16.domain.com:3872, protocol tls1_2)… OK
(2i) Checking MEDIUM strength ciphers on Agent (host16.domain.com:3872)… OK
(2i) Checking HIGH strength ciphers on Agent (host16.domain.com:3872)… OK
(2i) Checking LOW strength ciphers on Agent (omshost.domain.com:3872, protocol tls1_2)… OK
(2i) Checking MEDIUM strength ciphers on Agent (omshost.domain.com:3872)… OK
(2i) Checking HIGH strength ciphers on Agent (omshost.domain.com:3872)… OK
(2i) Checking LOW strength ciphers on Agent (host17.domain.com:3872, protocol tls1_2)… OK
(2i) Checking MEDIUM strength ciphers on Agent (host17.domain.com:3872)… OK
(2i) Checking HIGH strength ciphers on Agent (host17.domain.com:3872)… OK
(2i) Checking LOW strength ciphers on Agent (host18.domain.com:3872, protocol tls1_2)… OK
(2i) Checking MEDIUM strength ciphers on Agent (host18.domain.com:3872)… OK
(2i) Checking HIGH strength ciphers on Agent (host18.domain.com:3872)… OK
(3) Checking self-signed and demonstration certificates at SSL/TLS endpoints (see notes 2202569.1, 1367988.1, 1914184.1, 2213661.1, 2220788.1, 123033.1, 1937457.1)
(3a) Checking for self-signed certificates on OMS components
Checking certificate at Agent (omshost.domain.com:3872, protocol tls1_2)… OK
Checking certificate at BIPublisherOHS (omshost.domain.com:9852, protocol tls1_2)… OK
Checking certificate at BIPublisher (omshost.domain.com:9803, protocol tls1_2)… OK
Checking certificate at NodeManager (omshost.domain.com:7403, protocol tls1_2)… OK
Checking certificate at OMSconsole (omshost.domain.com:7802, protocol tls1_2)… OK
Checking certificate at OMSproxy (omshost.domain.com:7301, protocol tls1_2)… OK
Checking certificate at OMSupload (omshost.domain.com:4903, protocol tls1_2)… OK
Checking certificate at WLSadmin (omshost.domain.com:7102, protocol tls1_2)… OK
(3b) Checking for demonstration certificates on OMS components
Checking demo certificate at Agent (omshost.domain.com:3872, protocol tls1_2)… OK
Checking demo certificate at BIPublisherOHS (omshost.domain.com:9852, protocol tls1_2)… OK
Checking demo certificate at BIPublisher (omshost.domain.com:9803, protocol tls1_2)… OK
Checking demo certificate at NodeManager (omshost.domain.com:7403, protocol tls1_2)… OK
Checking demo certificate at OMSconsole (omshost.domain.com:7802, protocol tls1_2)… OK
Checking demo certificate at OMSproxy (omshost.domain.com:7301, protocol tls1_2)… OK
Checking demo certificate at OMSupload (omshost.domain.com:4903, protocol tls1_2)… OK
Checking demo certificate at WLSadmin (omshost.domain.com:7102, protocol tls1_2)… OK
(3c) Checking for self-signed certificates on all agents
Checking certificate at Agent (host01.domain.com:3872, protocol tls1_2)… OK
Checking certificate at Agent (host02.domain.com:3872, protocol tls1_2)… OK
Checking certificate at Agent (host04.usa.domain.com:3872, protocol tls1_2)… OK
Checking certificate at Agent (host03.domain.com:3872, protocol tls1_2)… OK
Checking certificate at Agent (host05.domain.com:3872, protocol tls1_2)… OK
Checking certificate at Agent (host06.domain.com:1830, protocol tls1_2)… OK
Checking certificate at Agent (host07.domain.com:3872, protocol tls1_2)… OK
Checking certificate at Agent (host08.domain.com:3872, protocol tls1_2)… OK
Checking certificate at Agent (host09.domain.com:1830, protocol tls1_2)… OK
Checking certificate at Agent (host10.domain.com:3872, protocol tls1_2)… OK
Checking certificate at Agent (host11.domain.com:3872, protocol tls1_2)… OK
Checking certificate at Agent (host12.domain.com:3872, protocol tls1_2)… OK
Checking certificate at Agent (host13.domain.com:3872, protocol tls1_2)… OK
Checking certificate at Agent (host14.domain.com:3872, protocol tls1_2)… OK
Checking certificate at Agent (host15.domain.com:3872, protocol tls1_2)… OK
Checking certificate at Agent (host16.domain.com:3872, protocol tls1_2)… OK
Checking certificate at Agent (omshost.domain.com:3872, protocol tls1_2)… OK
Checking certificate at Agent (host17.domain.com:3872, protocol tls1_2)… OK
Checking certificate at Agent (host18.domain.com:3872, protocol tls1_2)… OK
(3d) Checking for demonstration certificates on all agents
Checking demo certificate at Agent (host01.domain.com:3872, protocol tls1_2)… OK
Checking demo certificate at Agent (host02.domain.com:3872, protocol tls1_2)… OK
Checking demo certificate at Agent (host04.usa.domain.com:3872, protocol tls1_2)… OK
Checking demo certificate at Agent (host03.domain.com:3872, protocol tls1_2)… OK
Checking demo certificate at Agent (host05.domain.com:3872, protocol tls1_2)… OK
Checking demo certificate at Agent (host06.domain.com:1830, protocol tls1_2)… OK
Checking demo certificate at Agent (host07.domain.com:3872, protocol tls1_2)… OK
Checking demo certificate at Agent (host08.domain.com:3872, protocol tls1_2)… OK
Checking demo certificate at Agent (host09.domain.com:1830, protocol tls1_2)… OK
Checking demo certificate at Agent (host10.domain.com:3872, protocol tls1_2)… OK
Checking demo certificate at Agent (host11.domain.com:3872, protocol tls1_2)… OK
Checking demo certificate at Agent (host12.domain.com:3872, protocol tls1_2)… OK
Checking demo certificate at Agent (host13.domain.com:3872, protocol tls1_2)… OK
Checking demo certificate at Agent (host14.domain.com:3872, protocol tls1_2)… OK
Checking demo certificate at Agent (host15.domain.com:3872, protocol tls1_2)… OK
Checking demo certificate at Agent (host16.domain.com:3872, protocol tls1_2)… OK
Checking demo certificate at Agent (omshost.domain.com:3872, protocol tls1_2)… OK
Checking demo certificate at Agent (host17.domain.com:3872, protocol tls1_2)… OK
Checking demo certificate at Agent (host18.domain.com:3872, protocol tls1_2)… OK
(4) Checking EM13c Oracle home patch levels against 30 Apr 2017 baseline (see notes 1664074.1, 2219797.1, 822485.1, 1470197.1)
(4a) OMS REPOSITORY DATABASE HOME (/oracle/oem/product/12.1.0/db) DATABASE BUNDLE PATCH: 12.1.0.2.170418 (APR2017) (25397136)… OK
(4a) OMS REPOSITORY DATABASE HOME (/oracle/oem/product/12.1.0/db) Database PSU 12.1.0.2.170418, Oracle JavaVM Component (APR2017) (25437695)… OK
(4a) OMS REPOSITORY DATABASE HOME (/oracle/oem/product/12.1.0/db) OCW Interim patch for 25481150 (25481150)… OK
(4a) OMS REPOSITORY DATABASE HOME (/oracle/oem/product/12.1.0/db) EM QUERY WITH SQL_ID 4RQ83FNXTF39U PERFORMS POORLY ON ORACLE 12C RELATIVE TO 11G (20243268)… OK
(4b) OMS REPOSITORY DATABASE HOME (/oracle/oem/product/12.1.0/db) sqlnet.ora SQLNET.ENCRYPTION_TYPES_SERVER parameter (76629.1, 2167682.1)… OK
(4b) OMS REPOSITORY DATABASE HOME (/oracle/oem/product/12.1.0/db) sqlnet.ora SQLNET.ENCRYPTION_SERVER parameter (76629.1, 2167682.1)… OK
(4b) OMS REPOSITORY DATABASE HOME (/oracle/oem/product/12.1.0/db) sqlnet.ora SQLNET.ENCRYPTION_TYPES_CLIENT parameter (76629.1, 2167682.1)… OK
(4b) OMS REPOSITORY DATABASE HOME (/oracle/oem/product/12.1.0/db) sqlnet.ora SQLNET.ENCRYPTION_CLIENT parameter (76629.1, 2167682.1)… OK
(4b) OMS REPOSITORY DATABASE HOME (/oracle/oem/product/12.1.0/db) sqlnet.ora SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER parameter (76629.1, 2167682.1)… OK
(4b) OMS REPOSITORY DATABASE HOME (/oracle/oem/product/12.1.0/db) sqlnet.ora SQLNET.CRYPTO_CHECKSUM_SERVER parameter (76629.1, 2167682.1)… OK
(4b) OMS REPOSITORY DATABASE HOME (/oracle/oem/product/12.1.0/db) sqlnet.ora SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT parameter (76629.1, 2167682.1)… OK
(4b) OMS REPOSITORY DATABASE HOME (/oracle/oem/product/12.1.0/db) sqlnet.ora SQLNET.CRYPTO_CHECKSUM_CLIENT parameter (76629.1, 2167682.1)… OK
(4b) OMS REPOSITORY DATABASE HOME (/oracle/oem/product/12.1.0/db) sqlnet.ora SSL_VERSION parameter (1545816.1)… OK
(4b) OMS REPOSITORY DATABASE HOME (/oracle/oem/product/12.1.0/db) sqlnet.ora SSL_CIPHER_SUITES parameter (1545816.1)… OK
(4b) OMS REPOSITORY DATABASE HOME (/oracle/oem/product/12.1.0/db) listener.ora SSL_VERSION parameter (1545816.1)… OK
(4b) OMS REPOSITORY DATABASE HOME (/oracle/oem/product/12.1.0/db) listener.ora SSL_CIPHER_SUITES parameter (1545816.1)… OK
(4b) OMS REPOSITORY DATABASE HOME (/oracle/oem/product/12.1.0/db) APEX version… OK
(4c) OMS HOME (/oracle/oem/Middleware13cR2) ENTERPRISE MANAGER BASE PLATFORM – OMS 13.2.0.0.170418 PSU (25387277)… OK
(4c) OMS HOME (/oracle/oem/Middleware13cR2) TRACKING BUG TO REGISTER META VERSION FROM PS4 AND 13.1 BUNDLE PATCHES IN 13.2 (SYSTEM PATCH) (23603592)… OK
(4c) OMS HOME (/oracle/oem/Middleware13cR2) MERGE REQUEST ON TOP OF 12.1.3.0.0 FOR BUGS 24571979 24335626 (25322055)… OK
(4c) OMS HOME (/oracle/oem/Middleware13cR2) MERGE REQUEST ON TOP OF 12.1.3.0.0 FOR BUGS 22557350 19901079 20222451 (24329181)… OK
(4c) OMS HOME (/oracle/oem/Middleware13cR2) MERGE REQUEST ON TOP OF 12.1.3.0.0 FOR BUGS 19485414 20022048 (21849941)… OK
(4c) OMS HOME (/oracle/oem/Middleware13cR2) OPSS BUNDLE PATCH 12.1.3.0.170418 (22748215)… OK
(4c) OMS HOME (/oracle/oem/Middleware13cR2) ENTERPRISE MANAGER FOR OMS PLUGINS 13.2.0.0.170430 (Not used for 13.2.2 plugins) (25841652)… OK
(4c) OMS HOME (/oracle/oem/Middleware13cR2) WLS PATCH SET UPDATE 12.1.3.0.170418 (25388793)… OK
(4c) OMS HOME (/oracle/oem/Middleware13cR2) TOPLINK SECURITY PATCH UPDATE CPUJUL2016 (24327938)… OK
Using EMCLI to check for agent bundle patch on all agents
(4d) Agent host01.domain.com:3872 EM-AGENT BUNDLE PATCH 13.2.0.0.170430 (25740081)… FAILED
(4d) Agent host02.domain.com:3872 EM-AGENT BUNDLE PATCH 13.2.0.0.170430 (25740081)… OK
(4d) Agent host04.usa.domain.com:3872 EM-AGENT BUNDLE PATCH 13.2.0.0.170430 (25740081)… OK
(4d) Agent host03.domain.com:3872 EM-AGENT BUNDLE PATCH 13.2.0.0.170430 (25740081)… OK
(4d) Agent host05.domain.com:3872 EM-AGENT BUNDLE PATCH 13.2.0.0.170430 (25740081)… OK
(4d) Agent host06.domain.com:1830 EM-AGENT BUNDLE PATCH 13.2.0.0.170430 (25740081)… OK
(4d) Agent host07.domain.com:3872 EM-AGENT BUNDLE PATCH 13.2.0.0.170430 (25740081)… OK
(4d) Agent host08.domain.com:3872 EM-AGENT BUNDLE PATCH 13.2.0.0.170430 (25740081)… OK
(4d) Agent host09.domain.com:1830 EM-AGENT BUNDLE PATCH 13.2.0.0.170430 (25740081)… OK
(4d) Agent host10.domain.com:3872 EM-AGENT BUNDLE PATCH 13.2.0.0.170430 (25740081)… OK
(4d) Agent host11.domain.com:3872 EM-AGENT BUNDLE PATCH 13.2.0.0.170430 (25740081)… OK
(4d) Agent host12.domain.com:3872 EM-AGENT BUNDLE PATCH 13.2.0.0.170430 (25740081)… OK
(4d) Agent host13.domain.com:3872 EM-AGENT BUNDLE PATCH 13.2.0.0.170430 (25740081)… OK
(4d) Agent host14.domain.com:3872 EM-AGENT BUNDLE PATCH 13.2.0.0.170430 (25740081)… OK
(4d) Agent host15.domain.com:3872 EM-AGENT BUNDLE PATCH 13.2.0.0.170430 (25740081)… FAILED
(4d) Agent host16.domain.com:3872 EM-AGENT BUNDLE PATCH 13.2.0.0.170430 (25740081)… OK
(4d) Agent omshost.domain.com:3872 EM-AGENT BUNDLE PATCH 13.2.0.0.170430 (25740081)… OK
(4d) Agent host17.domain.com:3872 EM-AGENT BUNDLE PATCH 13.2.0.0.170430 (25740081)… OK
(4d) Agent host18.domain.com:3872 EM-AGENT BUNDLE PATCH 13.2.0.0.170430 (25740081)… OK
(5) Checking EM13cR2 Java patch levels against 30 Apr 2017 baseline (see notes 1506916.1, 2241373.1, 2241358.1)
(5a) Common Java (/oracle/oem/Middleware13cR2/oracle_common/jdk) JAVA SE JDK VERSION 1.7.0_141 (13079846)… OK
Using EMCLI to check Java patch levels on all agents
(5b) Agent host01.domain.com:3872 Java VERSION 1.7.0_141… OK
(5b) Agent host02.domain.com:3872 Java VERSION 1.7.0_141… OK
(5b) Agent host04.usa.domain.com:3872 Java VERSION 1.7.0_141… OK
(5b) Agent host03.domain.com:3872 Java VERSION 1.7.0_141… OK
(5b) Agent host05.domain.com:3872 Java VERSION 1.7.0_141… OK
(5b) Agent host06.domain.com:1830 Java VERSION 1.7.0_141… OK
(5b) Agent host07.domain.com:3872 Java VERSION 1.7.0_141… OK
(5b) Agent host08.domain.com:3872 Java VERSION 1.7.0_141… OK
(5b) Agent host09.domain.com:1830 Java VERSION 1.7.0_141… OK
(5b) Agent host10.domain.com:3872 Java VERSION 1.7.0_141… OK
(5b) Agent host11.domain.com:3872 Java VERSION 1.7.0_141… OK
(5b) Agent host12.domain.com:3872 Java VERSION 1.7.0_141… OK
(5b) Agent host13.domain.com:3872 Java VERSION 1.7.0_141… OK
(5b) Agent host14.domain.com:3872 Java VERSION 1.7.0_141… OK
(5b) Agent host15.domain.com:3872 Java VERSION 1.7.0_141… OK
(5b) Agent host16.domain.com:3872 Java VERSION 1.7.0_141… OK
(5b) Agent omshost.domain.com:3872 Java VERSION 1.7.0_141… OK
(5b) Agent host17.domain.com:3872 Java VERSION 1.7.0_141… OK
(5b) Agent host18.domain.com:3872 Java VERSION 1.7.0_141… OK
(6) Checking EM13cR2 OPatch/OMSPatcher patch levels against 30 Apr 2017 requirements (see patch 25197714 README, patches 6880880 and 19999993)
(6a) OMS OPatch (/oracle/oem/Middleware13cR2/OPatch) VERSION 13.9.1.3.0 or newer… OK
(6b) OMSPatcher (/oracle/oem/Middleware13cR2/OPatch) VERSION 13.8.0.0.2 or newer… OK
Checking OPatch patch levels on all agents
(6c) Agent host01.domain.com:3872 ORACLE_HOME OPatch VERSION 13.9.1.3.0… OK
(6c) Agent host02.domain.com:3872 ORACLE_HOME OPatch VERSION 13.9.1.3.0… OK
(6c) Agent host04.usa.domain.com:3872 ORACLE_HOME OPatch VERSION 13.9.1.3.0… OK
(6c) Agent host03.domain.com:3872 ORACLE_HOME OPatch VERSION 13.9.1.3.0… OK
(6c) Agent host05.domain.com:3872 ORACLE_HOME OPatch VERSION 13.9.1.3.0… OK
(6c) Agent host06.domain.com:1830 ORACLE_HOME OPatch VERSION 13.9.1.3.0… OK
(6c) Agent host07.domain.com:3872 ORACLE_HOME OPatch VERSION 13.9.1.3.0… OK
(6c) Agent host08.domain.com:3872 ORACLE_HOME OPatch VERSION 13.9.1.3.0… OK
(6c) Agent host09.domain.com:1830 ORACLE_HOME OPatch VERSION 13.9.1.3.0… OK
(6c) Agent host10.domain.com:3872 ORACLE_HOME OPatch VERSION 13.9.1.3.0… OK
(6c) Agent host11.domain.com:3872 ORACLE_HOME OPatch VERSION 13.9.1.3.0… OK
(6c) Agent host12.domain.com:3872 ORACLE_HOME OPatch VERSION 13.9.1.3.0… OK
(6c) Agent host13.domain.com:3872 ORACLE_HOME OPatch VERSION 13.9.1.3.0… OK
(6c) Agent host14.domain.com:3872 ORACLE_HOME OPatch VERSION 13.9.1.3.0… OK
(6c) Agent host15.domain.com:3872 ORACLE_HOME OPatch VERSION 13.9.1.3.0… OK
(6c) Agent host16.domain.com:3872 ORACLE_HOME OPatch VERSION 13.9.1.3.0… OK
(6c) Agent omshost.domain.com:3872 ORACLE_HOME OPatch VERSION 13.9.1.3.0… OK
(6c) Agent host17.domain.com:3872 ORACLE_HOME OPatch VERSION 13.9.1.3.0… OK
(6c) Agent host18.domain.com:3872 ORACLE_HOME OPatch VERSION 13.9.1.3.0… OK
(7) Agent plugin bundle patch checks on all agents…
(7a) EM DB PLUGIN BUNDLE PATCH 13.2.1.0.170430 MONITORING @ host01.domain.com:3872 (25839989)… OK – plugin not installed
(7b) EM DB PLUGIN BUNDLE PATCH 13.2.1.0.161231 DISCOVERY @ host01.domain.com:3872 (25197692)… OK – plugin not installed
(7c) EM FMW PLUGIN BUNDLE PATCH 13.2.1.0.170430 MONITORING @ host01.domain.com:3872 (25839746)… OK – plugin not installed
(7d) EM FMW PLUGIN BUNDLE PATCH 13.2.1.0.170228 DISCOVERY @ host01.domain.com:3872 (25501430)… OK
(7e) EM SI PLUGIN BUNDLE PATCH 13.2.1.0.170331 MONITORING @ host01.domain.com:3872 (25682670)… OK – plugin not installed
(7f) EM-BEACON BUNDLE PATCH 13.2.0.0.161231 @ host01.domain.com:3872 (25162444)… OK – plugin not installed
(7g) EM EXADATA PLUGIN BUNDLE PATCH 13.2.1.0.170228 DISCOVERY @ host01.domain.com:3872 (25501436)… OK
(7h) EM EXADATA PLUGIN BUNDLE PATCH 13.2.1.0.170228 MONITORING @ host01.domain.com:3872 (25362875)… OK – plugin not installed
(7i) EM FUSION APPS PLUGIN BUNDLE PATCH 13.2.1.0.170228 MONITORING @ host01.domain.com:3872 (25522944)… OK – plugin not installed
(7j) EM FUSION APPS PLUGIN BUNDLE PATCH 13.2.1.0.170430 DISCOVERY @ host01.domain.com:3872 (25839874)… OK – plugin not installed
(7k) EM OVI PLUGIN BUNDLE PATCH 13.2.1.0.170228 MONITORING @ host01.domain.com:3872 (25501416)… OK – plugin not installed
(7l) EM OVI PLUGIN BUNDLE PATCH 13.2.1.0.170131 DISCOVERY @ host01.domain.com:3872 (25362898)… OK – plugin not installed
(7m) EM VIRTUALIZATION PLUGIN BUNDLE PATCH 13.2.1.0.170131 MONITORING @ host01.domain.com:3872 (25362890)… OK – plugin not installed
(7n) EM VIRTUALIZATION PLUGIN BUNDLE PATCH 13.2.1.0.161231 DISCOVERY @ host01.domain.com:3872 (25197712)… OK – plugin not installed
(8a) EM DB PLUGIN BUNDLE PATCH 13.2.1.0.170430 MONITORING @ host02.domain.com:3872 (25839989)… OK – plugin not installed
(8b) EM DB PLUGIN BUNDLE PATCH 13.2.1.0.161231 DISCOVERY @ host02.domain.com:3872 (25197692)… OK – plugin not installed
(8c) EM FMW PLUGIN BUNDLE PATCH 13.2.1.0.170430 MONITORING @ host02.domain.com:3872 (25839746)… OK – plugin not installed
(8d) EM FMW PLUGIN BUNDLE PATCH 13.2.1.0.170228 DISCOVERY @ host02.domain.com:3872 (25501430)… OK
(8e) EM SI PLUGIN BUNDLE PATCH 13.2.1.0.170331 MONITORING @ host02.domain.com:3872 (25682670)… OK – plugin not installed
(8f) EM-BEACON BUNDLE PATCH 13.2.0.0.161231 @ host02.domain.com:3872 (25162444)… OK – plugin not installed
(8g) EM EXADATA PLUGIN BUNDLE PATCH 13.2.1.0.170228 DISCOVERY @ host02.domain.com:3872 (25501436)… OK
(8h) EM EXADATA PLUGIN BUNDLE PATCH 13.2.1.0.170228 MONITORING @ host02.domain.com:3872 (25362875)… OK – plugin not installed
(8i) EM FUSION APPS PLUGIN BUNDLE PATCH 13.2.1.0.170228 MONITORING @ host02.domain.com:3872 (25522944)… OK – plugin not installed
(8j) EM FUSION APPS PLUGIN BUNDLE PATCH 13.2.1.0.170430 DISCOVERY @ host02.domain.com:3872 (25839874)… OK – plugin not installed
(8k) EM OVI PLUGIN BUNDLE PATCH 13.2.1.0.170228 MONITORING @ host02.domain.com:3872 (25501416)… OK – plugin not installed
(8l) EM OVI PLUGIN BUNDLE PATCH 13.2.1.0.170131 DISCOVERY @ host02.domain.com:3872 (25362898)… OK – plugin not installed
(8m) EM VIRTUALIZATION PLUGIN BUNDLE PATCH 13.2.1.0.170131 MONITORING @ host02.domain.com:3872 (25362890)… OK – plugin not installed
(8n) EM VIRTUALIZATION PLUGIN BUNDLE PATCH 13.2.1.0.161231 DISCOVERY @ host02.domain.com:3872 (25197712)… OK – plugin not installed
(9a) EM DB PLUGIN BUNDLE PATCH 13.2.1.0.170430 MONITORING @ host04.usa.domain.com:3872 (25839989)… OK – plugin not installed
(9b) EM DB PLUGIN BUNDLE PATCH 13.2.1.0.161231 DISCOVERY @ host04.usa.domain.com:3872 (25197692)… OK – plugin not installed
(9c) EM FMW PLUGIN BUNDLE PATCH 13.2.1.0.170430 MONITORING @ host04.usa.domain.com:3872 (25839746)… OK – plugin not installed
(9d) EM FMW PLUGIN BUNDLE PATCH 13.2.1.0.170228 DISCOVERY @ host04.usa.domain.com:3872 (25501430)… OK – plugin not installed
(9e) EM SI PLUGIN BUNDLE PATCH 13.2.1.0.170331 MONITORING @ host04.usa.domain.com:3872 (25682670)… OK – plugin not installed
(9f) EM-BEACON BUNDLE PATCH 13.2.0.0.161231 @ host04.usa.domain.com:3872 (25162444)… OK – plugin not installed
(9g) EM EXADATA PLUGIN BUNDLE PATCH 13.2.1.0.170228 DISCOVERY @ host04.usa.domain.com:3872 (25501436)… OK – plugin not installed
(9h) EM EXADATA PLUGIN BUNDLE PATCH 13.2.1.0.170228 MONITORING @ host04.usa.domain.com:3872 (25362875)… OK – plugin not installed
(9i) EM FUSION APPS PLUGIN BUNDLE PATCH 13.2.1.0.170228 MONITORING @ host04.usa.domain.com:3872 (25522944)… OK – plugin not installed
(9j) EM FUSION APPS PLUGIN BUNDLE PATCH 13.2.1.0.170430 DISCOVERY @ host04.usa.domain.com:3872 (25839874)… OK – plugin not installed
(9k) EM OVI PLUGIN BUNDLE PATCH 13.2.1.0.170228 MONITORING @ host04.usa.domain.com:3872 (25501416)… OK – plugin not installed
(9l) EM OVI PLUGIN BUNDLE PATCH 13.2.1.0.170131 DISCOVERY @ host04.usa.domain.com:3872 (25362898)… OK – plugin not installed
(9m) EM VIRTUALIZATION PLUGIN BUNDLE PATCH 13.2.1.0.170131 MONITORING @ host04.usa.domain.com:3872 (25362890)… OK – plugin not installed
(9n) EM VIRTUALIZATION PLUGIN BUNDLE PATCH 13.2.1.0.161231 DISCOVERY @ host04.usa.domain.com:3872 (25197712)… OK – plugin not installed
(10a) EM DB PLUGIN BUNDLE PATCH 13.2.1.0.170430 MONITORING @ host03.domain.com:3872 (25839989)… OK – plugin not installed
(10b) EM DB PLUGIN BUNDLE PATCH 13.2.1.0.161231 DISCOVERY @ host03.domain.com:3872 (25197692)… OK – plugin not installed
(10c) EM FMW PLUGIN BUNDLE PATCH 13.2.1.0.170430 MONITORING @ host03.domain.com:3872 (25839746)… OK – plugin not installed
(10d) EM FMW PLUGIN BUNDLE PATCH 13.2.1.0.170228 DISCOVERY @ host03.domain.com:3872 (25501430)… OK
(10e) EM SI PLUGIN BUNDLE PATCH 13.2.1.0.170331 MONITORING @ host03.domain.com:3872 (25682670)… OK – plugin not installed
(10f) EM-BEACON BUNDLE PATCH 13.2.0.0.161231 @ host03.domain.com:3872 (25162444)… OK – plugin not installed
(10g) EM EXADATA PLUGIN BUNDLE PATCH 13.2.1.0.170228 DISCOVERY @ host03.domain.com:3872 (25501436)… OK
(10h) EM EXADATA PLUGIN BUNDLE PATCH 13.2.1.0.170228 MONITORING @ host03.domain.com:3872 (25362875)… OK – plugin not installed
(10i) EM FUSION APPS PLUGIN BUNDLE PATCH 13.2.1.0.170228 MONITORING @ host03.domain.com:3872 (25522944)… OK – plugin not installed
(10j) EM FUSION APPS PLUGIN BUNDLE PATCH 13.2.1.0.170430 DISCOVERY @ host03.domain.com:3872 (25839874)… OK – plugin not installed
(10k) EM OVI PLUGIN BUNDLE PATCH 13.2.1.0.170228 MONITORING @ host03.domain.com:3872 (25501416)… OK – plugin not installed
(10l) EM OVI PLUGIN BUNDLE PATCH 13.2.1.0.170131 DISCOVERY @ host03.domain.com:3872 (25362898)… OK – plugin not installed
(10m) EM VIRTUALIZATION PLUGIN BUNDLE PATCH 13.2.1.0.170131 MONITORING @ host03.domain.com:3872 (25362890)… OK – plugin not installed
(10n) EM VIRTUALIZATION PLUGIN BUNDLE PATCH 13.2.1.0.161231 DISCOVERY @ host03.domain.com:3872 (25197712)… OK – plugin not installed
(11a) EM DB PLUGIN BUNDLE PATCH 13.2.1.0.170430 MONITORING @ host05.domain.com:3872 (25839989)… OK – plugin not installed
(11b) EM DB PLUGIN BUNDLE PATCH 13.2.1.0.161231 DISCOVERY @ host05.domain.com:3872 (25197692)… OK – plugin not installed
(11c) EM FMW PLUGIN BUNDLE PATCH 13.2.1.0.170430 MONITORING @ host05.domain.com:3872 (25839746)… OK – plugin not installed
(11d) EM FMW PLUGIN BUNDLE PATCH 13.2.1.0.170228 DISCOVERY @ host05.domain.com:3872 (25501430)… OK
(11e) EM SI PLUGIN BUNDLE PATCH 13.2.1.0.170331 MONITORING @ host05.domain.com:3872 (25682670)… OK – plugin not installed
(11f) EM-BEACON BUNDLE PATCH 13.2.0.0.161231 @ host05.domain.com:3872 (25162444)… OK – plugin not installed
(11g) EM EXADATA PLUGIN BUNDLE PATCH 13.2.1.0.170228 DISCOVERY @ host05.domain.com:3872 (25501436)… OK
(11h) EM EXADATA PLUGIN BUNDLE PATCH 13.2.1.0.170228 MONITORING @ host05.domain.com:3872 (25362875)… OK – plugin not installed
(11i) EM FUSION APPS PLUGIN BUNDLE PATCH 13.2.1.0.170228 MONITORING @ host05.domain.com:3872 (25522944)… OK – plugin not installed
(11j) EM FUSION APPS PLUGIN BUNDLE PATCH 13.2.1.0.170430 DISCOVERY @ host05.domain.com:3872 (25839874)… OK – plugin not installed
(11k) EM OVI PLUGIN BUNDLE PATCH 13.2.1.0.170228 MONITORING @ host05.domain.com:3872 (25501416)… OK – plugin not installed
(11l) EM OVI PLUGIN BUNDLE PATCH 13.2.1.0.170131 DISCOVERY @ host05.domain.com:3872 (25362898)… OK – plugin not installed
(11m) EM VIRTUALIZATION PLUGIN BUNDLE PATCH 13.2.1.0.170131 MONITORING @ host05.domain.com:3872 (25362890)… OK – plugin not installed
(11n) EM VIRTUALIZATION PLUGIN BUNDLE PATCH 13.2.1.0.161231 DISCOVERY @ host05.domain.com:3872 (25197712)… OK – plugin not installed
(12a) EM DB PLUGIN BUNDLE PATCH 13.2.1.0.170430 MONITORING @ host06.domain.com:1830 (25839989)… OK – plugin not installed
(12b) EM DB PLUGIN BUNDLE PATCH 13.2.1.0.161231 DISCOVERY @ host06.domain.com:1830 (25197692)… OK – plugin not installed
(12c) EM FMW PLUGIN BUNDLE PATCH 13.2.1.0.170430 MONITORING @ host06.domain.com:1830 (25839746)… OK – plugin not installed
(12d) EM FMW PLUGIN BUNDLE PATCH 13.2.1.0.170228 DISCOVERY @ host06.domain.com:1830 (25501430)… OK
(12e) EM SI PLUGIN BUNDLE PATCH 13.2.1.0.170331 MONITORING @ host06.domain.com:1830 (25682670)… OK – plugin not installed
(12f) EM-BEACON BUNDLE PATCH 13.2.0.0.161231 @ host06.domain.com:1830 (25162444)… OK – plugin not installed
(12g) EM EXADATA PLUGIN BUNDLE PATCH 13.2.1.0.170228 DISCOVERY @ host06.domain.com:1830 (25501436)… OK – plugin not installed
(12h) EM EXADATA PLUGIN BUNDLE PATCH 13.2.1.0.170228 MONITORING @ host06.domain.com:1830 (25362875)… OK – plugin not installed
(12i) EM FUSION APPS PLUGIN BUNDLE PATCH 13.2.1.0.170228 MONITORING @ host06.domain.com:1830 (25522944)… OK – plugin not installed
(12j) EM FUSION APPS PLUGIN BUNDLE PATCH 13.2.1.0.170430 DISCOVERY @ host06.domain.com:1830 (25839874)… OK – plugin not installed
(12k) EM OVI PLUGIN BUNDLE PATCH 13.2.1.0.170228 MONITORING @ host06.domain.com:1830 (25501416)… OK – plugin not installed
(12l) EM OVI PLUGIN BUNDLE PATCH 13.2.1.0.170131 DISCOVERY @ host06.domain.com:1830 (25362898)… OK – plugin not installed
(12m) EM VIRTUALIZATION PLUGIN BUNDLE PATCH 13.2.1.0.170131 MONITORING @ host06.domain.com:1830 (25362890)… OK – plugin not installed
(12n) EM VIRTUALIZATION PLUGIN BUNDLE PATCH 13.2.1.0.161231 DISCOVERY @ host06.domain.com:1830 (25197712)… OK – plugin not installed
(13a) EM DB PLUGIN BUNDLE PATCH 13.2.1.0.170430 MONITORING @ host07.domain.com:3872 (25839989)… OK – plugin not installed
(13b) EM DB PLUGIN BUNDLE PATCH 13.2.1.0.161231 DISCOVERY @ host07.domain.com:3872 (25197692)… OK – plugin not installed
(13c) EM FMW PLUGIN BUNDLE PATCH 13.2.1.0.170430 MONITORING @ host07.domain.com:3872 (25839746)… OK – plugin not installed
(13d) EM FMW PLUGIN BUNDLE PATCH 13.2.1.0.170228 DISCOVERY @ host07.domain.com:3872 (25501430)… OK
(13e) EM SI PLUGIN BUNDLE PATCH 13.2.1.0.170331 MONITORING @ host07.domain.com:3872 (25682670)… OK – plugin not installed
(13f) EM-BEACON BUNDLE PATCH 13.2.0.0.161231 @ host07.domain.com:3872 (25162444)… OK – plugin not installed
(13g) EM EXADATA PLUGIN BUNDLE PATCH 13.2.1.0.170228 DISCOVERY @ host07.domain.com:3872 (25501436)… OK
(13h) EM EXADATA PLUGIN BUNDLE PATCH 13.2.1.0.170228 MONITORING @ host07.domain.com:3872 (25362875)… OK – plugin not installed
(13i) EM FUSION APPS PLUGIN BUNDLE PATCH 13.2.1.0.170228 MONITORING @ host07.domain.com:3872 (25522944)… OK – plugin not installed
(13j) EM FUSION APPS PLUGIN BUNDLE PATCH 13.2.1.0.170430 DISCOVERY @ host07.domain.com:3872 (25839874)… OK – plugin not installed
(13k) EM OVI PLUGIN BUNDLE PATCH 13.2.1.0.170228 MONITORING @ host07.domain.com:3872 (25501416)… OK – plugin not installed
(13l) EM OVI PLUGIN BUNDLE PATCH 13.2.1.0.170131 DISCOVERY @ host07.domain.com:3872 (25362898)… OK – plugin not installed
(13m) EM VIRTUALIZATION PLUGIN BUNDLE PATCH 13.2.1.0.170131 MONITORING @ host07.domain.com:3872 (25362890)… OK – plugin not installed
(13n) EM VIRTUALIZATION PLUGIN BUNDLE PATCH 13.2.1.0.161231 DISCOVERY @ host07.domain.com:3872 (25197712)… OK – plugin not installed
(14a) EM DB PLUGIN BUNDLE PATCH 13.2.1.0.170430 MONITORING @ host08.domain.com:3872 (25839989)… OK – plugin not installed
(14b) EM DB PLUGIN BUNDLE PATCH 13.2.1.0.161231 DISCOVERY @ host08.domain.com:3872 (25197692)… OK – plugin not installed
(14c) EM FMW PLUGIN BUNDLE PATCH 13.2.1.0.170430 MONITORING @ host08.domain.com:3872 (25839746)… OK – plugin not installed
(14d) EM FMW PLUGIN BUNDLE PATCH 13.2.1.0.170228 DISCOVERY @ host08.domain.com:3872 (25501430)… OK
(14e) EM SI PLUGIN BUNDLE PATCH 13.2.1.0.170331 MONITORING @ host08.domain.com:3872 (25682670)… OK – plugin not installed
(14f) EM-BEACON BUNDLE PATCH 13.2.0.0.161231 @ host08.domain.com:3872 (25162444)… OK – plugin not installed
(14g) EM EXADATA PLUGIN BUNDLE PATCH 13.2.1.0.170228 DISCOVERY @ host08.domain.com:3872 (25501436)… OK
(14h) EM EXADATA PLUGIN BUNDLE PATCH 13.2.1.0.170228 MONITORING @ host08.domain.com:3872 (25362875)… OK – plugin not installed
(14i) EM FUSION APPS PLUGIN BUNDLE PATCH 13.2.1.0.170228 MONITORING @ host08.domain.com:3872 (25522944)… OK – plugin not installed
(14j) EM FUSION APPS PLUGIN BUNDLE PATCH 13.2.1.0.170430 DISCOVERY @ host08.domain.com:3872 (25839874)… OK – plugin not installed
(14k) EM OVI PLUGIN BUNDLE PATCH 13.2.1.0.170228 MONITORING @ host08.domain.com:3872 (25501416)… OK – plugin not installed
(14l) EM OVI PLUGIN BUNDLE PATCH 13.2.1.0.170131 DISCOVERY @ host08.domain.com:3872 (25362898)… OK – plugin not installed
(14m) EM VIRTUALIZATION PLUGIN BUNDLE PATCH 13.2.1.0.170131 MONITORING @ host08.domain.com:3872 (25362890)… OK – plugin not installed
(14n) EM VIRTUALIZATION PLUGIN BUNDLE PATCH 13.2.1.0.161231 DISCOVERY @ host08.domain.com:3872 (25197712)… OK – plugin not installed
(15a) EM DB PLUGIN BUNDLE PATCH 13.2.1.0.170430 MONITORING @ host09.domain.com:1830 (25839989)… OK – plugin not installed
(15b) EM DB PLUGIN BUNDLE PATCH 13.2.1.0.161231 DISCOVERY @ host09.domain.com:1830 (25197692)… OK – plugin not installed
(15c) EM FMW PLUGIN BUNDLE PATCH 13.2.1.0.170430 MONITORING @ host09.domain.com:1830 (25839746)… OK – plugin not installed
(15d) EM FMW PLUGIN BUNDLE PATCH 13.2.1.0.170228 DISCOVERY @ host09.domain.com:1830 (25501430)… OK
(15e) EM SI PLUGIN BUNDLE PATCH 13.2.1.0.170331 MONITORING @ host09.domain.com:1830 (25682670)… OK – plugin not installed
(15f) EM-BEACON BUNDLE PATCH 13.2.0.0.161231 @ host09.domain.com:1830 (25162444)… OK – plugin not installed
(15g) EM EXADATA PLUGIN BUNDLE PATCH 13.2.1.0.170228 DISCOVERY @ host09.domain.com:1830 (25501436)… OK
(15h) EM EXADATA PLUGIN BUNDLE PATCH 13.2.1.0.170228 MONITORING @ host09.domain.com:1830 (25362875)… OK – plugin not installed
(15i) EM FUSION APPS PLUGIN BUNDLE PATCH 13.2.1.0.170228 MONITORING @ host09.domain.com:1830 (25522944)… OK – plugin not installed
(15j) EM FUSION APPS PLUGIN BUNDLE PATCH 13.2.1.0.170430 DISCOVERY @ host09.domain.com:1830 (25839874)… OK – plugin not installed
(15k) EM OVI PLUGIN BUNDLE PATCH 13.2.1.0.170228 MONITORING @ host09.domain.com:1830 (25501416)… OK – plugin not installed
(15l) EM OVI PLUGIN BUNDLE PATCH 13.2.1.0.170131 DISCOVERY @ host09.domain.com:1830 (25362898)… OK – plugin not installed
(15m) EM VIRTUALIZATION PLUGIN BUNDLE PATCH 13.2.1.0.170131 MONITORING @ host09.domain.com:1830 (25362890)… OK – plugin not installed
(15n) EM VIRTUALIZATION PLUGIN BUNDLE PATCH 13.2.1.0.161231 DISCOVERY @ host09.domain.com:1830 (25197712)… OK – plugin not installed
(16a) EM DB PLUGIN BUNDLE PATCH 13.2.1.0.170430 MONITORING @ host10.domain.com:3872 (25839989)… OK – plugin not installed
(16b) EM DB PLUGIN BUNDLE PATCH 13.2.1.0.161231 DISCOVERY @ host10.domain.com:3872 (25197692)… OK – plugin not installed
(16c) EM FMW PLUGIN BUNDLE PATCH 13.2.1.0.170430 MONITORING @ host10.domain.com:3872 (25839746)… OK – plugin not installed
(16d) EM FMW PLUGIN BUNDLE PATCH 13.2.1.0.170228 DISCOVERY @ host10.domain.com:3872 (25501430)… OK
(16e) EM SI PLUGIN BUNDLE PATCH 13.2.1.0.170331 MONITORING @ host10.domain.com:3872 (25682670)… OK – plugin not installed
(16f) EM-BEACON BUNDLE PATCH 13.2.0.0.161231 @ host10.domain.com:3872 (25162444)… OK – plugin not installed
(16g) EM EXADATA PLUGIN BUNDLE PATCH 13.2.1.0.170228 DISCOVERY @ host10.domain.com:3872 (25501436)… OK
(16h) EM EXADATA PLUGIN BUNDLE PATCH 13.2.1.0.170228 MONITORING @ host10.domain.com:3872 (25362875)… OK – plugin not installed
(16i) EM FUSION APPS PLUGIN BUNDLE PATCH 13.2.1.0.170228 MONITORING @ host10.domain.com:3872 (25522944)… OK – plugin not installed
(16j) EM FUSION APPS PLUGIN BUNDLE PATCH 13.2.1.0.170430 DISCOVERY @ host10.domain.com:3872 (25839874)… OK – plugin not installed
(16k) EM OVI PLUGIN BUNDLE PATCH 13.2.1.0.170228 MONITORING @ host10.domain.com:3872 (25501416)… OK – plugin not installed
(16l) EM OVI PLUGIN BUNDLE PATCH 13.2.1.0.170131 DISCOVERY @ host10.domain.com:3872 (25362898)… OK – plugin not installed
(16m) EM VIRTUALIZATION PLUGIN BUNDLE PATCH 13.2.1.0.170131 MONITORING @ host10.domain.com:3872 (25362890)… OK – plugin not installed
(16n) EM VIRTUALIZATION PLUGIN BUNDLE PATCH 13.2.1.0.161231 DISCOVERY @ host10.domain.com:3872 (25197712)… OK – plugin not installed
(17a) EM DB PLUGIN BUNDLE PATCH 13.2.1.0.170430 MONITORING @ host11.domain.com:3872 (25839989)… OK – plugin not installed
(17b) EM DB PLUGIN BUNDLE PATCH 13.2.1.0.161231 DISCOVERY @ host11.domain.com:3872 (25197692)… OK – plugin not installed
(17c) EM FMW PLUGIN BUNDLE PATCH 13.2.1.0.170430 MONITORING @ host11.domain.com:3872 (25839746)… OK – plugin not installed
(17d) EM FMW PLUGIN BUNDLE PATCH 13.2.1.0.170228 DISCOVERY @ host11.domain.com:3872 (25501430)… OK
(17e) EM SI PLUGIN BUNDLE PATCH 13.2.1.0.170331 MONITORING @ host11.domain.com:3872 (25682670)… OK – plugin not installed
(17f) EM-BEACON BUNDLE PATCH 13.2.0.0.161231 @ host11.domain.com:3872 (25162444)… OK – plugin not installed
(17g) EM EXADATA PLUGIN BUNDLE PATCH 13.2.1.0.170228 DISCOVERY @ host11.domain.com:3872 (25501436)… OK
(17h) EM EXADATA PLUGIN BUNDLE PATCH 13.2.1.0.170228 MONITORING @ host11.domain.com:3872 (25362875)… OK – plugin not installed
(17i) EM FUSION APPS PLUGIN BUNDLE PATCH 13.2.1.0.170228 MONITORING @ host11.domain.com:3872 (25522944)… OK – plugin not installed
(17j) EM FUSION APPS PLUGIN BUNDLE PATCH 13.2.1.0.170430 DISCOVERY @ host11.domain.com:3872 (25839874)… OK – plugin not installed
(17k) EM OVI PLUGIN BUNDLE PATCH 13.2.1.0.170228 MONITORING @ host11.domain.com:3872 (25501416)… OK – plugin not installed
(17l) EM OVI PLUGIN BUNDLE PATCH 13.2.1.0.170131 DISCOVERY @ host11.domain.com:3872 (25362898)… OK – plugin not installed
(17m) EM VIRTUALIZATION PLUGIN BUNDLE PATCH 13.2.1.0.170131 MONITORING @ host11.domain.com:3872 (25362890)… OK – plugin not installed
(17n) EM VIRTUALIZATION PLUGIN BUNDLE PATCH 13.2.1.0.161231 DISCOVERY @ host11.domain.com:3872 (25197712)… OK – plugin not installed
(18a) EM DB PLUGIN BUNDLE PATCH 13.2.1.0.170430 MONITORING @ host12.domain.com:3872 (25839989)… OK – plugin not installed
(18b) EM DB PLUGIN BUNDLE PATCH 13.2.1.0.161231 DISCOVERY @ host12.domain.com:3872 (25197692)… OK – plugin not installed
(18c) EM FMW PLUGIN BUNDLE PATCH 13.2.1.0.170430 MONITORING @ host12.domain.com:3872 (25839746)… OK – plugin not installed
(18d) EM FMW PLUGIN BUNDLE PATCH 13.2.1.0.170228 DISCOVERY @ host12.domain.com:3872 (25501430)… OK
(18e) EM SI PLUGIN BUNDLE PATCH 13.2.1.0.170331 MONITORING @ host12.domain.com:3872 (25682670)… OK – plugin not installed
(18f) EM-BEACON BUNDLE PATCH 13.2.0.0.161231 @ host12.domain.com:3872 (25162444)… OK – plugin not installed
(18g) EM EXADATA PLUGIN BUNDLE PATCH 13.2.1.0.170228 DISCOVERY @ host12.domain.com:3872 (25501436)… OK
(18h) EM EXADATA PLUGIN BUNDLE PATCH 13.2.1.0.170228 MONITORING @ host12.domain.com:3872 (25362875)… OK – plugin not installed
(18i) EM FUSION APPS PLUGIN BUNDLE PATCH 13.2.1.0.170228 MONITORING @ host12.domain.com:3872 (25522944)… OK – plugin not installed
(18j) EM FUSION APPS PLUGIN BUNDLE PATCH 13.2.1.0.170430 DISCOVERY @ host12.domain.com:3872 (25839874)… OK – plugin not installed
(18k) EM OVI PLUGIN BUNDLE PATCH 13.2.1.0.170228 MONITORING @ host12.domain.com:3872 (25501416)… OK – plugin not installed
(18l) EM OVI PLUGIN BUNDLE PATCH 13.2.1.0.170131 DISCOVERY @ host12.domain.com:3872 (25362898)… OK – plugin not installed
(18m) EM VIRTUALIZATION PLUGIN BUNDLE PATCH 13.2.1.0.170131 MONITORING @ host12.domain.com:3872 (25362890)… OK – plugin not installed
(18n) EM VIRTUALIZATION PLUGIN BUNDLE PATCH 13.2.1.0.161231 DISCOVERY @ host12.domain.com:3872 (25197712)… OK – plugin not installed
(19a) EM DB PLUGIN BUNDLE PATCH 13.2.1.0.170430 MONITORING @ host13.domain.com:3872 (25839989)… OK – plugin not installed
(19b) EM DB PLUGIN BUNDLE PATCH 13.2.1.0.161231 DISCOVERY @ host13.domain.com:3872 (25197692)… OK – plugin not installed
(19c) EM FMW PLUGIN BUNDLE PATCH 13.2.1.0.170430 MONITORING @ host13.domain.com:3872 (25839746)… OK – plugin not installed
(19d) EM FMW PLUGIN BUNDLE PATCH 13.2.1.0.170228 DISCOVERY @ host13.domain.com:3872 (25501430)… OK
(19e) EM SI PLUGIN BUNDLE PATCH 13.2.1.0.170331 MONITORING @ host13.domain.com:3872 (25682670)… OK – plugin not installed
(19f) EM-BEACON BUNDLE PATCH 13.2.0.0.161231 @ host13.domain.com:3872 (25162444)… OK – plugin not installed
(19g) EM EXADATA PLUGIN BUNDLE PATCH 13.2.1.0.170228 DISCOVERY @ host13.domain.com:3872 (25501436)… OK
(19h) EM EXADATA PLUGIN BUNDLE PATCH 13.2.1.0.170228 MONITORING @ host13.domain.com:3872 (25362875)… OK – plugin not installed
(19i) EM FUSION APPS PLUGIN BUNDLE PATCH 13.2.1.0.170228 MONITORING @ host13.domain.com:3872 (25522944)… OK – plugin not installed
(19j) EM FUSION APPS PLUGIN BUNDLE PATCH 13.2.1.0.170430 DISCOVERY @ host13.domain.com:3872 (25839874)… OK – plugin not installed
(19k) EM OVI PLUGIN BUNDLE PATCH 13.2.1.0.170228 MONITORING @ host13.domain.com:3872 (25501416)… OK – plugin not installed
(19l) EM OVI PLUGIN BUNDLE PATCH 13.2.1.0.170131 DISCOVERY @ host13.domain.com:3872 (25362898)… OK – plugin not installed
(19m) EM VIRTUALIZATION PLUGIN BUNDLE PATCH 13.2.1.0.170131 MONITORING @ host13.domain.com:3872 (25362890)… OK – plugin not installed
(19n) EM VIRTUALIZATION PLUGIN BUNDLE PATCH 13.2.1.0.161231 DISCOVERY @ host13.domain.com:3872 (25197712)… OK – plugin not installed
(20a) EM DB PLUGIN BUNDLE PATCH 13.2.1.0.170430 MONITORING @ host14.domain.com:3872 (25839989)… OK – plugin not installed
(20b) EM DB PLUGIN BUNDLE PATCH 13.2.1.0.161231 DISCOVERY @ host14.domain.com:3872 (25197692)… OK – plugin not installed
(20c) EM FMW PLUGIN BUNDLE PATCH 13.2.1.0.170430 MONITORING @ host14.domain.com:3872 (25839746)… OK – plugin not installed
(20d) EM FMW PLUGIN BUNDLE PATCH 13.2.1.0.170228 DISCOVERY @ host14.domain.com:3872 (25501430)… OK
(20e) EM SI PLUGIN BUNDLE PATCH 13.2.1.0.170331 MONITORING @ host14.domain.com:3872 (25682670)… OK – plugin not installed
(20f) EM-BEACON BUNDLE PATCH 13.2.0.0.161231 @ host14.domain.com:3872 (25162444)… OK – plugin not installed
(20g) EM EXADATA PLUGIN BUNDLE PATCH 13.2.1.0.170228 DISCOVERY @ host14.domain.com:3872 (25501436)… OK
(20h) EM EXADATA PLUGIN BUNDLE PATCH 13.2.1.0.170228 MONITORING @ host14.domain.com:3872 (25362875)… OK – plugin not installed
(20i) EM FUSION APPS PLUGIN BUNDLE PATCH 13.2.1.0.170228 MONITORING @ host14.domain.com:3872 (25522944)… OK – plugin not installed
(20j) EM FUSION APPS PLUGIN BUNDLE PATCH 13.2.1.0.170430 DISCOVERY @ host14.domain.com:3872 (25839874)… OK – plugin not installed
(20k) EM OVI PLUGIN BUNDLE PATCH 13.2.1.0.170228 MONITORING @ host14.domain.com:3872 (25501416)… OK – plugin not installed
(20l) EM OVI PLUGIN BUNDLE PATCH 13.2.1.0.170131 DISCOVERY @ host14.domain.com:3872 (25362898)… OK – plugin not installed
(20m) EM VIRTUALIZATION PLUGIN BUNDLE PATCH 13.2.1.0.170131 MONITORING @ host14.domain.com:3872 (25362890)… OK – plugin not installed
(20n) EM VIRTUALIZATION PLUGIN BUNDLE PATCH 13.2.1.0.161231 DISCOVERY @ host14.domain.com:3872 (25197712)… OK – plugin not installed
(21a) EM DB PLUGIN BUNDLE PATCH 13.2.1.0.170430 MONITORING @ host15.domain.com:3872 (25839989)… OK – plugin not installed
(21b) EM DB PLUGIN BUNDLE PATCH 13.2.1.0.161231 DISCOVERY @ host15.domain.com:3872 (25197692)… OK – plugin not installed
(21c) EM FMW PLUGIN BUNDLE PATCH 13.2.1.0.170430 MONITORING @ host15.domain.com:3872 (25839746)… OK – plugin not installed
(21d) EM FMW PLUGIN BUNDLE PATCH 13.2.1.0.170228 DISCOVERY @ host15.domain.com:3872 (25501430)… OK
(21e) EM SI PLUGIN BUNDLE PATCH 13.2.1.0.170331 MONITORING @ host15.domain.com:3872 (25682670)… OK – plugin not installed
(21f) EM-BEACON BUNDLE PATCH 13.2.0.0.161231 @ host15.domain.com:3872 (25162444)… OK – plugin not installed
(21g) EM EXADATA PLUGIN BUNDLE PATCH 13.2.1.0.170228 DISCOVERY @ host15.domain.com:3872 (25501436)… OK
(21h) EM EXADATA PLUGIN BUNDLE PATCH 13.2.1.0.170228 MONITORING @ host15.domain.com:3872 (25362875)… OK – plugin not installed
(21i) EM FUSION APPS PLUGIN BUNDLE PATCH 13.2.1.0.170228 MONITORING @ host15.domain.com:3872 (25522944)… OK – plugin not installed
(21j) EM FUSION APPS PLUGIN BUNDLE PATCH 13.2.1.0.170430 DISCOVERY @ host15.domain.com:3872 (25839874)… OK – plugin not installed
(21k) EM OVI PLUGIN BUNDLE PATCH 13.2.1.0.170228 MONITORING @ host15.domain.com:3872 (25501416)… OK – plugin not installed
(21l) EM OVI PLUGIN BUNDLE PATCH 13.2.1.0.170131 DISCOVERY @ host15.domain.com:3872 (25362898)… OK – plugin not installed
(21m) EM VIRTUALIZATION PLUGIN BUNDLE PATCH 13.2.1.0.170131 MONITORING @ host15.domain.com:3872 (25362890)… OK – plugin not installed
(21n) EM VIRTUALIZATION PLUGIN BUNDLE PATCH 13.2.1.0.161231 DISCOVERY @ host15.domain.com:3872 (25197712)… OK – plugin not installed
(22a) EM DB PLUGIN BUNDLE PATCH 13.2.1.0.170430 MONITORING @ host16.domain.com:3872 (25839989)… OK – plugin not installed
(22b) EM DB PLUGIN BUNDLE PATCH 13.2.1.0.161231 DISCOVERY @ host16.domain.com:3872 (25197692)… OK – plugin not installed
(22c) EM FMW PLUGIN BUNDLE PATCH 13.2.1.0.170430 MONITORING @ host16.domain.com:3872 (25839746)… OK – plugin not installed
(22d) EM FMW PLUGIN BUNDLE PATCH 13.2.1.0.170228 DISCOVERY @ host16.domain.com:3872 (25501430)… OK
(22e) EM SI PLUGIN BUNDLE PATCH 13.2.1.0.170331 MONITORING @ host16.domain.com:3872 (25682670)… OK – plugin not installed
(22f) EM-BEACON BUNDLE PATCH 13.2.0.0.161231 @ host16.domain.com:3872 (25162444)… OK – plugin not installed
(22g) EM EXADATA PLUGIN BUNDLE PATCH 13.2.1.0.170228 DISCOVERY @ host16.domain.com:3872 (25501436)… OK
(22h) EM EXADATA PLUGIN BUNDLE PATCH 13.2.1.0.170228 MONITORING @ host16.domain.com:3872 (25362875)… OK – plugin not installed
(22i) EM FUSION APPS PLUGIN BUNDLE PATCH 13.2.1.0.170228 MONITORING @ host16.domain.com:3872 (25522944)… OK – plugin not installed
(22j) EM FUSION APPS PLUGIN BUNDLE PATCH 13.2.1.0.170430 DISCOVERY @ host16.domain.com:3872 (25839874)… OK – plugin not installed
(22k) EM OVI PLUGIN BUNDLE PATCH 13.2.1.0.170228 MONITORING @ host16.domain.com:3872 (25501416)… OK – plugin not installed
(22l) EM OVI PLUGIN BUNDLE PATCH 13.2.1.0.170131 DISCOVERY @ host16.domain.com:3872 (25362898)… OK – plugin not installed
(22m) EM VIRTUALIZATION PLUGIN BUNDLE PATCH 13.2.1.0.170131 MONITORING @ host16.domain.com:3872 (25362890)… OK – plugin not installed
(22n) EM VIRTUALIZATION PLUGIN BUNDLE PATCH 13.2.1.0.161231 DISCOVERY @ host16.domain.com:3872 (25197712)… OK – plugin not installed
(23a) EM DB PLUGIN BUNDLE PATCH 13.2.1.0.170430 MONITORING @ omshost.domain.com:3872 (25839989)… OK – plugin not installed
(23b) EM DB PLUGIN BUNDLE PATCH 13.2.1.0.161231 DISCOVERY @ omshost.domain.com:3872 (25197692)… OK – plugin not installed
(23c) EM FMW PLUGIN BUNDLE PATCH 13.2.1.0.170430 MONITORING @ omshost.domain.com:3872 (25839746)… OK – plugin not installed
(23d) EM FMW PLUGIN BUNDLE PATCH 13.2.1.0.170228 DISCOVERY @ omshost.domain.com:3872 (25501430)… OK – plugin not installed
(23e) EM SI PLUGIN BUNDLE PATCH 13.2.1.0.170331 MONITORING @ omshost.domain.com:3872 (25682670)… OK – plugin not installed
(23f) EM-BEACON BUNDLE PATCH 13.2.0.0.161231 @ omshost.domain.com:3872 (25162444)… OK
(23g) EM EXADATA PLUGIN BUNDLE PATCH 13.2.1.0.170228 DISCOVERY @ omshost.domain.com:3872 (25501436)… OK
(23h) EM EXADATA PLUGIN BUNDLE PATCH 13.2.1.0.170228 MONITORING @ omshost.domain.com:3872 (25362875)… OK – plugin not installed
(23i) EM FUSION APPS PLUGIN BUNDLE PATCH 13.2.1.0.170228 MONITORING @ omshost.domain.com:3872 (25522944)… OK – plugin not installed
(23j) EM FUSION APPS PLUGIN BUNDLE PATCH 13.2.1.0.170430 DISCOVERY @ omshost.domain.com:3872 (25839874)… OK – plugin not installed
(23k) EM OVI PLUGIN BUNDLE PATCH 13.2.1.0.170228 MONITORING @ omshost.domain.com:3872 (25501416)… OK – plugin not installed
(23l) EM OVI PLUGIN BUNDLE PATCH 13.2.1.0.170131 DISCOVERY @ omshost.domain.com:3872 (25362898)… OK – plugin not installed
(23m) EM VIRTUALIZATION PLUGIN BUNDLE PATCH 13.2.1.0.170131 MONITORING @ omshost.domain.com:3872 (25362890)… OK – plugin not installed
(23n) EM VIRTUALIZATION PLUGIN BUNDLE PATCH 13.2.1.0.161231 DISCOVERY @ omshost.domain.com:3872 (25197712)… OK – plugin not installed
(24a) EM DB PLUGIN BUNDLE PATCH 13.2.1.0.170430 MONITORING @ host17.domain.com:3872 (25839989)… OK – plugin not installed
(24b) EM DB PLUGIN BUNDLE PATCH 13.2.1.0.161231 DISCOVERY @ host17.domain.com:3872 (25197692)… OK – plugin not installed
(24c) EM FMW PLUGIN BUNDLE PATCH 13.2.1.0.170430 MONITORING @ host17.domain.com:3872 (25839746)… OK – plugin not installed
(24d) EM FMW PLUGIN BUNDLE PATCH 13.2.1.0.170228 DISCOVERY @ host17.domain.com:3872 (25501430)… OK
(24e) EM SI PLUGIN BUNDLE PATCH 13.2.1.0.170331 MONITORING @ host17.domain.com:3872 (25682670)… OK – plugin not installed
(24f) EM-BEACON BUNDLE PATCH 13.2.0.0.161231 @ host17.domain.com:3872 (25162444)… OK – plugin not installed
(24g) EM EXADATA PLUGIN BUNDLE PATCH 13.2.1.0.170228 DISCOVERY @ host17.domain.com:3872 (25501436)… OK
(24h) EM EXADATA PLUGIN BUNDLE PATCH 13.2.1.0.170228 MONITORING @ host17.domain.com:3872 (25362875)… OK – plugin not installed
(24i) EM FUSION APPS PLUGIN BUNDLE PATCH 13.2.1.0.170228 MONITORING @ host17.domain.com:3872 (25522944)… OK – plugin not installed
(24j) EM FUSION APPS PLUGIN BUNDLE PATCH 13.2.1.0.170430 DISCOVERY @ host17.domain.com:3872 (25839874)… OK – plugin not installed
(24k) EM OVI PLUGIN BUNDLE PATCH 13.2.1.0.170228 MONITORING @ host17.domain.com:3872 (25501416)… OK – plugin not installed
(24l) EM OVI PLUGIN BUNDLE PATCH 13.2.1.0.170131 DISCOVERY @ host17.domain.com:3872 (25362898)… OK – plugin not installed
(24m) EM VIRTUALIZATION PLUGIN BUNDLE PATCH 13.2.1.0.170131 MONITORING @ host17.domain.com:3872 (25362890)… OK – plugin not installed
(24n) EM VIRTUALIZATION PLUGIN BUNDLE PATCH 13.2.1.0.161231 DISCOVERY @ host17.domain.com:3872 (25197712)… OK – plugin not installed
(25a) EM DB PLUGIN BUNDLE PATCH 13.2.1.0.170430 MONITORING @ host18.domain.com:3872 (25839989)… OK – plugin not installed
(25b) EM DB PLUGIN BUNDLE PATCH 13.2.1.0.161231 DISCOVERY @ host18.domain.com:3872 (25197692)… OK – plugin not installed
(25c) EM FMW PLUGIN BUNDLE PATCH 13.2.1.0.170430 MONITORING @ host18.domain.com:3872 (25839746)… OK – plugin not installed
(25d) EM FMW PLUGIN BUNDLE PATCH 13.2.1.0.170228 DISCOVERY @ host18.domain.com:3872 (25501430)… OK
(25e) EM SI PLUGIN BUNDLE PATCH 13.2.1.0.170331 MONITORING @ host18.domain.com:3872 (25682670)… OK – plugin not installed
(25f) EM-BEACON BUNDLE PATCH 13.2.0.0.161231 @ host18.domain.com:3872 (25162444)… OK – plugin not installed
(25g) EM EXADATA PLUGIN BUNDLE PATCH 13.2.1.0.170228 DISCOVERY @ host18.domain.com:3872 (25501436)… OK
(25h) EM EXADATA PLUGIN BUNDLE PATCH 13.2.1.0.170228 MONITORING @ host18.domain.com:3872 (25362875)… OK – plugin not installed
(25i) EM FUSION APPS PLUGIN BUNDLE PATCH 13.2.1.0.170228 MONITORING @ host18.domain.com:3872 (25522944)… OK – plugin not installed
(25j) EM FUSION APPS PLUGIN BUNDLE PATCH 13.2.1.0.170430 DISCOVERY @ host18.domain.com:3872 (25839874)… OK – plugin not installed
(25k) EM OVI PLUGIN BUNDLE PATCH 13.2.1.0.170228 MONITORING @ host18.domain.com:3872 (25501416)… OK – plugin not installed
(25l) EM OVI PLUGIN BUNDLE PATCH 13.2.1.0.170131 DISCOVERY @ host18.domain.com:3872 (25362898)… OK – plugin not installed
(25m) EM VIRTUALIZATION PLUGIN BUNDLE PATCH 13.2.1.0.170131 MONITORING @ host18.domain.com:3872 (25362890)… OK – plugin not installed
(25n) EM VIRTUALIZATION PLUGIN BUNDLE PATCH 13.2.1.0.161231 DISCOVERY @ host18.domain.com:3872 (25197712)… OK – plugin not installed
Cleaning up temporary files… done
Failed test count: 2 – Review output
emcliagentbundlecheck:25740081 missing on host01.domain.com:3872
emcliagentbundlecheck:25740081 missing on host15.domain.com:3872
Visit https://pardydba.wordpress.com/2016/10/28/securing-oracle-enterprise-manager-13cr2/ for more information.
Download the latest release from https://raw.githubusercontent.com/brianpardy/em13c/master/checksec13R2.sh
Download the latest beta release from https://raw.githubusercontent.com/brianpardy/em13c/beta/checksec13R2.sh
Example Output – create_user_for_checksec13R2.sh
Welcome to ./create_user_for_checksec13R2.sh, version 1.0, released 20170314.
Download the latest release of this script at any time from:
https://raw.githubusercontent.com/brianpardy/em13c/master/create_user_for_checksec13R2.sh
This script exists to supplement checksec13R2.sh and enable additional checks. When run, this
script will create a user named CHECKSEC in your EM13cR2 environment and give that user a
random password, which gets printed to the screen at the end of the script. The script then
grants CHECKSEC VIEW_ANY_TARGET and EM_ALL_OPERATOR privilege, and then prompts you to supply
the names of credentials existing in your EM13cR2 environment. The script validates the names of
credentials supplied, grants VIEW access to CHECKSEC for each credential, and assigns those
credentials as preferred credentials for CHECKSEC for each relevant target.
Providing credentials for the repository database enables the following additional checks in
checksec13R2.sh:
* Check for presence/absence of plugin bundle patches on all agents
Providing host credentials for every monitored host running an agent enables the following
additional checks in checksec13R2.sh:
* Check for presence/absence of the latest Java version on all agents
Login to EMCLI as SYSMAN before running this script. If you already have an CHECKSEC account,
running this script will delete and recreate it with a new password.
Continue? [y/n]
Continuing…
Synchronized successfully
User “CHECKSEC” deleted successfully
User “CHECKSEC” created successfully
Created user CHECKSEC with password: [redacted]
Now CHECKSEC needs preferred credentials for the repository DB and repository DB host.
Your repository DB target name is oemdb.domain.com
Enter the credential name for the repository DB Normal Database Credentials: DB-OEMDB-SYSTEM
Enter the credential name for the repository DB SYSDBA Database Credentials: DB-OEMDB-SYS
Enter the credential name for the repository DB Database Host Credentials: HOST-OMSHOST-ORACLE
Validating that supplied credentials exist.
Credentials “DB-OEMDB-SYSTEM:SYSMAN” tested successfully
Credentials “DB-OEMDB-SYS:SYSMAN” tested successfully
Credentials “HOST-OMSHOST-ORACLE:SYSMAN” tested successfully
Granting CHECKSEC GET_CREDENTIAL access to supplied credentials.
Privileges granted to user/role “CHECKSEC” successfully
Confirmed supplied credentials exist and granted to CHECKSEC.
The next section asks you to supply credentials for the account used to run the Oracle Management Agent.
You will receive a separate prompt for each agent. Enter ‘done’ (without quotes) to skip this step.
If you provide these credentials, checksec13R2.sh can report on the Java version used by your agents.
Generating a list of all agent targets.
Now loop through all agent targets and provide named credentials for the agent user account on each host.
Enter the credential name to login as the agent user for host1.domain.com:3872: HOST-HOST1-ORAAGENT
Credentials “HOST-HOST1-ORAAGENT:SYSMAN” tested successfully
Privileges granted to user/role “CHECKSEC” successfully
Enter the credential name to login as the agent user for host2.domain.com:3872: HOST-HOST2-ORAAGENT
Credentials “HOST-HOST2-ORAAGENT:SYSMAN” tested successfully
Privileges granted to user/role “CHECKSEC” successfully
Enter the credential name to login as the agent user for host3.domain.com:3872: HOST-HOST3-ORAAGENT
Credentials “HOST-HOST3-ORAAGENT:SYSMAN” tested successfully
Privileges granted to user/role “CHECKSEC” successfully
Enter the credential name to login as the agent user for host4.domain.com:1830: HOST-HOST4-ORAAGENT
Credentials “HOST-HOST4-ORAAGENT:SYSMAN” tested successfully
Privileges granted to user/role “CHECKSEC” successfully
Enter the credential name to login as the agent user for host5.domain.com:3872: HOST-HOST5-ORAAGENT
Credentials “HOST-HOST5-ORAAGENT:SYSMAN” tested successfully
Privileges granted to user/role “CHECKSEC” successfully
Enter the credential name to login as the agent user for host6.domain.com:1830: HOST-HOST6-ORAAGENT
Credentials “HOST-HOST6-ORAAGENT:SYSMAN” tested successfully
Privileges granted to user/role “CHECKSEC” successfully
Enter the credential name to login as the agent user for host7.domain.com:3872: HOST-HOST7-ORAAGENT
Credentials “HOST-HOST7-ORAAGENT:SYSMAN” tested successfully
Privileges granted to user/role “CHECKSEC” successfully
Enter the credential name to login as the agent user for host8.domain.com:3872: HOST-HOST8-ORAAGENT
Credentials “HOST-HOST8-ORAAGENT:SYSMAN” tested successfully
Privileges granted to user/role “CHECKSEC” successfully
Enter the credential name to login as the agent user for host9.domain.com:1830: HOST-HOST9-ORAAGENT
Credentials “HOST-HOST9-ORAAGENT:SYSMAN” tested successfully
Privileges granted to user/role “CHECKSEC” successfully
Enter the credential name to login as the agent user for host10.domain.com:3872: HOST-HOST10-ORAAGENT
Credentials “HOST-HOST10-ORAAGENT:SYSMAN” tested successfully
Privileges granted to user/role “CHECKSEC” successfully
Enter the credential name to login as the agent user for host11.domain.com:3872: HOST-HOST11-ORAAGENT
Credentials “HOST-HOST11-ORAAGENT:SYSMAN” tested successfully
Privileges granted to user/role “CHECKSEC” successfully
Enter the credential name to login as the agent user for host12.domain.com:3872: HOST-HOST12-ORAAGENT
Credentials “HOST-HOST12-ORAAGENT:SYSMAN” tested successfully
Privileges granted to user/role “CHECKSEC” successfully
Enter the credential name to login as the agent user for host13.domain.com:3872: HOST-HOST13-ORAAGENT
Credentials “HOST-HOST13-ORAAGENT:SYSMAN” tested successfully
Privileges granted to user/role “CHECKSEC” successfully
Enter the credential name to login as the agent user for host14.domain.com:3872: HOST-HOST14-ORAAGENT
Credentials “HOST-HOST14-ORAAGENT:SYSMAN” tested successfully
Privileges granted to user/role “CHECKSEC” successfully
Enter the credential name to login as the agent user for host15.domain.com:3872: HOST-HOST15-ORAAGENT
Credentials “HOST-HOST15-ORAAGENT:SYSMAN” tested successfully
Privileges granted to user/role “CHECKSEC” successfully
Enter the credential name to login as the agent user for host16.domain.com:3872: HOST-HOST16-ORAAGENT
Credentials “HOST-HOST16-ORAAGENT:SYSMAN” tested successfully
Privileges granted to user/role “CHECKSEC” successfully
Enter the credential name to login as the agent user for omshost.domain.com:3872: HOST-OMSHOST-ORACLE
Credentials “HOST-OMSHOST-ORACLE:SYSMAN” tested successfully
Privileges granted to user/role “CHECKSEC” successfully
Enter the credential name to login as the agent user for host17.domain.com:3872: HOST-HOST17-ORAAGENT
Credentials “HOST-HOST17-ORAAGENT:SYSMAN” tested successfully
Privileges granted to user/role “CHECKSEC” successfully
Enter the credential name to login as the agent user for host18.domain.com:3872: HOST-HOST18-ORAAGENT
Credentials “HOST-HOST18-ORAAGENT:SYSMAN” tested successfully
Privileges granted to user/role “CHECKSEC” successfully
Logging out of EMCLI
Logout successful
Logging in to EMCLI as CHECKSEC
Login successful
Setting preferred credentials DB-OEMDB-SYSTEM for CHECKSEC on oemdb.domain.com
Successfully set preferred credentials for target oemdb.domain.com:oracle_database.
Setting preferred credentials DB-OEMDB-SYS for CHECKSEC on oemdb.domain.com
Successfully set preferred credentials for target oemdb.domain.com:oracle_database.
Setting preferred credentials HOST-OMSHOST-ORACLE for CHECKSEC on oemdb.domain.com
Successfully set preferred credentials for target oemdb.domain.com:oracle_database.
Now assigning preferred credentials for agent targets.
Setting preferred credentials for CHECKSEC on host1.domain.com:3872
Successfully set preferred credentials for target host1.domain.com:host.
Setting preferred credentials for CHECKSEC on host2.domain.com:3872
Successfully set preferred credentials for target host2.domain.com:host.
Setting preferred credentials for CHECKSEC on host3.domain.com:3872
Successfully set preferred credentials for target host3.domain.com:host.
Setting preferred credentials for CHECKSEC on host4.domain.com:1830
Successfully set preferred credentials for target host4.domain.com:host.
Setting preferred credentials for CHECKSEC on host5.domain.com:3872
Successfully set preferred credentials for target host5.domain.com:host.
Setting preferred credentials for CHECKSEC on host6.domain.com:1830
Successfully set preferred credentials for target host6.domain.com:host.
Setting preferred credentials for CHECKSEC on host7.domain.com:3872
Successfully set preferred credentials for target host7.domain.com:host.
Setting preferred credentials for CHECKSEC on host8.domain.com:3872
Successfully set preferred credentials for target host8.domain.com:host.
Setting preferred credentials for CHECKSEC on host9.domain.com:1830
Successfully set preferred credentials for target host9.domain.com:host.
Setting preferred credentials for CHECKSEC on host10.domain.com:3872
Successfully set preferred credentials for target host10.domain.com:host.
Setting preferred credentials for CHECKSEC on host11.domain.com:3872
Successfully set preferred credentials for target host11.domain.com:host.
Setting preferred credentials for CHECKSEC on host12.domain.com:3872
Successfully set preferred credentials for target host12.domain.com:host.
Setting preferred credentials for CHECKSEC on host13.domain.com:3872
Successfully set preferred credentials for target host13.domain.com:host.
Setting preferred credentials for CHECKSEC on host14.domain.com:3872
Successfully set preferred credentials for target host14.domain.com:host.
Setting preferred credentials for CHECKSEC on host15.domain.com:3872
Successfully set preferred credentials for target host15.domain.com:host.
Setting preferred credentials for CHECKSEC on host16.domain.com:3872
Successfully set preferred credentials for target host16.domain.com:host.
Setting preferred credentials for CHECKSEC on omshost.domain.com:3872
Successfully set preferred credentials for target omshost.domain.com:host.
Setting preferred credentials for CHECKSEC on host17.domain.com:3872
Successfully set preferred credentials for target host17.domain.com:host.
Setting preferred credentials for CHECKSEC on host18.domain.com:3872
Successfully set preferred credentials for target host18.domain.com:host.
All finished. User CHECKSEC now logged in to EMCLI.
Now go run the checksec13R2.sh script.
As a reminder, user CHECKSEC has password [redacted].
Pardy DBA 
Much of the data is already presented in Enterprise Manager Console -> Setup -> Security ->Security Console ->Secure Communication tab. Please check it out.
Hi Angeline,
That is absolutely true, thank you for calling out the Security Console. I should have mentioned it as well. I first created these scripts on EM12c which did not provide as much detail within the application, but for everyone on EM13c the Security Console is a great resource for viewing much of this information. I would like to think that this script fills a bit of a gap in that it provides MOS IDs for notes containing more information about the configuration items it checks, consolidates in details on patches applicable to the repository DB, OMS itself, plugins, and agents (also available within EM13c on the separate patch recommendations page of course – but I haven’t ever seen it recommend a JDK upgrade for an agent), and it does not require any login credentials within the EM13c stack itself, allowing auditors, consultants, or security admins to run the script without granting them login privileges to the OEM environment, or even without access to the oracle software owner account if they are solely given permission to run this script via sudo.
I would love to see the Security Console extended such that it provides a single interface from which to configure all of these security items, rather than only a place for reports. A file chooser and an “upload certificate” button on the Security Console that replaced the existing “emctl secure oms”, “emctl secure console”, and “emctl secure wls” commands to deploy a third party certificate to the OMS and the agents’ truststores would go a long way towards helping users secure the environment. A checkbox on the Security Console could provide one-click access to lock all agents down to TLSv1.2. A “check for updates” button that went out and downloaded the latest JDK and deployed it to agents would be excellent. An indication of the strength of the encryption protocols permitted when communicating with any EM13c component (along the lines of OpenSSL’s LOW, MEDIUM, and HIGH, as in this script) would help sites with a need to eliminate US export-grade encryption ciphers or a need to allow only the strongest available ciphers for each component.
Honestly I would love to see OEM distributed in a fully locked-down state so that there was not even any value in a script like mine. Users who need to open their environment up to obsolete and known-vulnerable TLS versions like TLSv1 or 40-bit RC5 encryption are the ones I would prefer to have seeking out MOS notes or consulting organizations to figure out how to do it, not the people who are trying to secure a recently-released piece of enterprise software to the standards implied by their security posture.
I receive a decent number of questions on this blog and elsewhere from people trying to implement the hardening described in MOS notes and tested by this script, and not everyone is able to do it successfully. I’m not sure if it is due to confusing or incomplete documentation, configuration bugs, site-specific configuration caveats, or what, but as I see it, not every site that could benefit from this hardening has been able to implement it, despite desire and intent to do so. Many sites remain in a relatively insecure state simply due to hesitancy to modify things that are working, and don’t know that their site could run just fine with a well locked-down OMS. Secured by default would put the burden and risk of running a site out of compliance with standard security practices on those sites that elect to take that risk, rather than those too cautious to jump into hardening such a critical piece of software as OEM.
Thank you again!
-Brian
Pingback: Script to automate lock down of all EM13cR2 agents to HIGH strength ciphersuites | Pardy DBA
Pingback: Securing Oracle Enterprise Manager 13c | Pardy DBA
Hi Brian,
I try to run without create user checksec. I log in firt With emcli sysman and password.
The scipts Return error.
Regards
Hoa Hoa
./checksec13R2.sh
: command not foundline 159:
: command not foundline 161:
: command not foundline 165:
: command not foundline 173:
: command not foundline 176:
: command not foundline 177:
: command not foundline 181:
: command not foundline 185:
: command not foundline 187:
: command not foundline 188:
: command not foundline 189:
: command not foundline 197:
: command not foundline 201:
: command not foundline 203:
: command not foundline 206:
: command not foundline 210:
: command not foundline 211:
at Tue Oct 24 12:39:39 CEST 2017.up version 2.19
: command not foundline 213:
Gathering info…
: command not foundline 215:
‘/checksec13R2.sh: line 388: syntax error near unexpected token `{
‘/checksec13R2.sh: line 388: `cleantemp () {
Hi Brian,
I get the errors because of format file. I am using dos2unix checksec13R2.sh, then scripts running successfully. Thanks for Nice scripts.
Regards
Hoa Hoa
Hello Hoa Hoa,
Thank you very much for trying out the scripts and reporting the issues you ran into. I’m very glad to hear that they worked for you once you fixed the file formatting with dos2unix! If you have any further problems or would like to request any new or changed features, please do let me know any time. Have a great day!
-Brian
Hello, Brian,
I have one more question. A colleague looked at the script again. We came across the fact that you are querying the views mgmt$applied_patches and mgmt$oh_installed_targets at the emcli list -sql to find out the status of the agents and plugins. As far as we know, these views can be licensed with the Lifecycle Management Pack.
Can you confirm this? If so, it would be a good thing if you could perhaps make a reference to this at the beginning of the article, since not everyone has licensed the pack and would therefore be in breach of the license when using this great script.
Greetings,
Christian
Cheers Christian,
Thank you for noticing and calling out this point. I spent quite a bit of time wondering about this myself, and initially I was concerned about querying those views. First, let me say that I do not work for Oracle and cannot issue authoritative comments on licensing, and I also am not a lawyer, and I am definitely not your organization’s lawyer, so please confirm anything I say through other means before trusting me and potentially placing your organization at legal risk.
With that disclaimer out of the way: I very specifically limited this script so that it ONLY reports on Enterprise Manager components. This script will report on, for example, the patches applied to your Enterprise Manager agents. It will NOT report on patches that may be necessary for the server hosts where you have those agents running. It will report on patches applied for the database used as a repository for Enterprise Manager, but it will NOT report on patches that may be necessary for the database targets that you manage with Enterprise Manager.
It is absolutely true, to my understanding, that a customer must license the Lifecycle Management Pack if they wish to use EM to manage and report on the patches applied on, or needed by, their licensable targets. However, in the EM licensing manual, I see that chapter 9 on “Enterprise Manager Base Functionality” does list the following items as included in OEM base, and not requiring further licensing:
“Agent Provisioning and Patching / Automate deployment of agent software and patches to the target servers.”
I note also that “Patch Recommendations / My Oracle Support Critical Patch Recommendations” is listed as base functionality for database targets, which I believe is enough to permit reporting on the repository database’s state (although I use OPatch/OMSPatcher to retrieve repository DB state, not the views that you mentioned).
So to try to sum this all up: I do not have any written statement from Oracle that this script is or is not in compliance with any specific licensing setup. I believe, but cannot guarantee, that the script’s usage of potentially licensed views solely to identify the state of OEM components is within the spirit of Oracle’s licensing. I believe that if someone modified this script to run checks on non-OEM components using the data contained in those licensed views that they could very easily violate their license.
I will try to come up with some appropriate wording to make this more explicit and place it at the top of the page and script.
Thank you very much!
Hi Brian,
thanks for your feedback. I asked our ACS Team and got this information.
…. “…Licensing Information Manual (https://docs.oracle.com/cd/cloud-control-13.3/OEMLI/GUID-B7FDEFFE-DECB-4826-A3C8-7660B013C5DE.htm#GUID-4E100F17-C17F-4ADD-9DF9-D5D498A5ECF4).
Und ja, beide angegebenen Views sind gelistet als Repository Views, die nur mit der LIfecycle Management Lizenz genutzt werden dürfen…” ….
Translation:
… “…Licensing Information Manual (https://docs.oracle.com/cd/cloud-control-13.3/OEMLI/GUID-B7FDEFFE-DECB-4826-A3C8-7660B013C5DE.htm#GUID-4E100F17-C17F-4ADD-9DF9-D5D498A5ECF4).
And yes, both specified views are listed as repository views, which may only be used with the LIfecycle Management license…”. ….
I appreciate your work!
Best regards,
Christian