Backing up the Oracle 12c emkey

By Michael New, Edward Whalen, Matthew Burke on October 30, 2015


An emkey is an encryption key used to encrypt and decrypt sensitive data stored in the Repository, such as host and database passwords and preferred credentials, and consists of a random number generated during the installation of the Repository. When you install the first OMS, an emkey is copied from a table in the Repository database to the Credential Store, a backup is created in $OMS_HOME/sysman/config/emkey.ora, and the emkey is removed from the Repository. Storing the key separately from the CC 12c SYSMAN schema keeps the schema owner and SYSDBA users from being able to access sensitive data.
During startup, the OMS reads the emkey from the Credential Store, and if not found there, from the Repository. If the emkey has been properly configured, the OMS uses it as the master key to encrypt and decrypt any sensitive Repository data that an administrator stores and requests in the Console.
It is essential that you back up the emkey.ora file, given that all encrypted data would become unusable were this file to be lost or corrupted on all OMS host(s), and that the emkey is deleted from the Repository after CC installation. For now, back up the emkey.ora file to local disk and to another machine not running a CC component, so that you can quickly restore this file from disk in an emergency. You can back up the emkey.ora file from any OMS host, as it is identical across all OMS hosts. This file will also be backed up at both the OS level and using the emctl command, when instituting regular backups.
A Credential Store is a logical store or repository for all named credentials of an EM administrator. It is not located in the Management Repository, but managed by WLS on which CC 12c relies for external authentication. In contrast to the GC 11g Installer, the CC 12c Installer automatically removes the emkey from the OMR database after installation of the first OMS.

Related Posts

Leave a Reply