Configuring the password file for Oracle ASM monitoring using SSL (4378182)

For Oracle ASM monitoring using SSL the password file should be configured correctly.

Why ASM Needs a Password File:

• ASM (Automatic Storage Management) is a system used by Oracle to manage storage for databases.
• It requires a password file to securely control administrative access, particularly when connecting remotely or performing critical operations.
• The password file ensures only authorized users can perform management tasks like adding or modifying disk groups.

What's Needed:

1). Password File Configuration: A password file is stored on the server to authenticate users with special privileges. This file must be correctly placed in a specific directory ($ORACLE_HOME/dbs) and accessible by the Oracle system.

2). Correct Settings: A setting called remote_login_passwordfile must be configured so that ASM knows to use the password file. This setting is typically set to EXCLUSIVE to indicate ASM should use the file for user authentication.

3). User Privileges Verification: Users with special roles like SYSASM (the ASM administrator role) are listed in the password file. We check that these users have the required roles to perform their duties.

Key Actions:

• Ensure the password file exists and is properly located.
• Verify the system setting points to using the password file.
• Check and assign necessary roles to users for secure management of ASM.

Prior recommended steps

1). Install the Oracle client on the Foglight Agent Manager host with SSL enabled.

2). Test the connection to confirm the setup works as expected outside of the Foglight application. 

For more detailed steps on configuring SSL with Oracle, follow the instructions in Oracle's document 4041251.1 which is attached to this knowledgebase article. This documentation outlines how to configure SSL for client authentication and encryption using self-signed certificates. 

NOTE: Installing and configuring SSL for the Oracle client may require advanced Oracle knowledge and requires database administrators with advanced administration privileges. Database Administration of end users systems is a task which is outside of the scope for Quest Support.

Steps

1). Check remote_login_passwordfile parameter

The ASM instance must be configured to use the correct password file. You can check this with the following SQL command:

i). Connect to the ASM instance:
sqlplus / as sysasm

ii). Run the following query to check the value of the remote_login_passwordfile parameter:
SHOW PARAMETER remote_login_passwordfile;

Expected Values:
EXCLUSIVE: Means the ASM instance is using a password file.
NONE: No password file is being used.

iii). If the value is NONE, you will need to change it to EXCLUSIVE:
ALTER SYSTEM SET remote_login_passwordfile = 'EXCLUSIVE' SCOPE = SPFILE;

iv). Restart the ASM Instance for the change to take effect if needed:
SHUTDOWN IMMEDIATE;
STARTUP;

2. Locate and Verify the Password File

The password file for ASM is usually located in the $ORACLE_HOME/dbs directory. Its typical name format is orapw+ASM or similar, depending on your instance's SID.

i). Navigate to the Directory:
cd $ORACLE_HOME/dbs
ls -l orapw+ASM*

Make sure the file is present and accessible.

3). Confirm ownership and permissions of the password file

Ensure the file is owned by the Oracle user that runs the ASM instance and has appropriate permissions:

ls -l orapw+ASM

Example:

rw-r----. 1 oracle oinstall 1536 Oct  8 12:34 orapw+ASM

3. Use orapwd to Verify/Recreate Password File

To confirm the password file’s validity or recreate it if needed, you can use the orapwd utility.

4). Recreate the Password File (Optional Step):

If you suspect the password file might be corrupted or missing:

orapwd file=$ORACLE_HOME/dbs/orapw+ASM password=YourNewPassword entries=10

file: path to the password file.
password: New password for the SYS user.
entries: The number of users that the password file can contain (typically set to 10).

5). Verify Password File Usage in V$PWFILE_USERS View

You can verify if the password file is being used and the privileges assigned by querying V$PWFILE_USERS:

Connect to ASM as sysasm:
sqlplus / as sysasm

Query to verify users in the password file:
SELECT * FROM V$PWFILE_USERS;

This view should show users (such as SYS) with their assigned privileges (e.g., SYSASM, SYSDBA, etc.). If there are no users listed, it indicates the password file might not be in use.

6). Listener and Password File Sync

If the ASM instance is registered with a remote listener, the password file must be synchronized across nodes (in a RAC setup, for instance):

Copy Password File to Other Nodes (RAC Only):
scp $ORACLE_HOME/dbs/orapw+ASM node2:$ORACLE_HOME/dbs/

This step ensures that all instances in a cluster have the same password file.

Summary:

• Locate and verify the password file in $ORACLE_HOME/dbs.
• Check ownership and permissions of the password file.
• Query V$PWFILE_USERS to confirm users and privileges are correctly registered.
• Recreate the password file with orapwd if necessary.
• Listener and Password File Sync across nodes of a cluster for remote listeners

These checks will help verify that the password file is correctly configured for your ASM instance.