This post is also available in:
Português (Portuguese (Brazil))
Scheduled jobs in Oracle Enterprise Manager were failing across multiple hosts with the following error:
LOG: Local Authentication Failed...Attempt PAM authentication...PAM failed with error: Authentication failureThis happens in environments where the oracle user has different passwords on each server — a common situation in companies without a centralized credential management policy.
The fix removes the password dependency entirely: a single SSH Key Named Credential works across all monitored hosts.
Root Cause
OEM authenticates via PAM (Pluggable Authentication Module) using the password stored in the Named Credential. When the oracle user’s password on the target host doesn’t match the stored credential, authentication fails.
In environments with dozens of hosts and inconsistent password rotation history, password-based Named Credentials are simply unmaintainable.
Solution: SSH Key Named Credential
Public/private key authentication eliminates the problem. The OMS uses its private key to authenticate, and each target host only needs the public key in the corresponding user’s authorized_keys.
Step 1 — Generate the key pair on the OMS
Run this as the oracle user on the OMS server:
ssh-keygen -t rsa -b 2048 -f ~/.ssh/id_rsa -N ""If a key pair already exists, confirm it’s there:
ls ~/.ssh/id_rsa ~/.ssh/id_rsa.pubStep 2 — Distribute the public key to target hosts
ssh-copy-id -i ~/.ssh/id_rsa.pub oracle@<hostname>
ssh-copy-id -i ~/.ssh/id_rsa.pub root@<hostname>Repeat for every host monitored by OEM.
Step 3 — Review ~/.ssh/config on the OMS
If you have entries in ~/.ssh/config, make sure IdentityFile points to the right key:
Host *.example.com
IdentityFile ~/.ssh/id_rsa
IdentitiesOnly yes⚠️
IdentitiesOnly yesis important. Without it, SSH tries all available keys before failing, which can triggerToo many authentication failureson hosts with a lowMaxAuthTriessetting — often seen during agent deployments.
Step 4 — Create Named Credential for oracle
Navigate to: Setup → Security → Named Credentials → Create
| Field | Value |
|---|---|
| Credential Name | ORACLE\_SSH\_KEY |
| Authenticating Target Type | Host |
| Credential Type | SSH Key Credentials |
| Scope | Global |
| UserName | oracle |
| SSH Private Key | contents of ~/.ssh/id_rsa |
| SSH Public Key | contents of ~/.ssh/id_rsa.pub |
| Run Privilege | None |
⚠️ Always use Scope: Global. Credentials scoped to Target will not appear in the selection list for multi-host jobs.
Step 5 — Create Named Credential for root
Repeat the process with:
| Field | Value |
|---|---|
| Credential Name | ROOT\_SSH\_KEY |
| UserName | root |
| SSH Private Key | contents of ~/.ssh/id_rsa |
| SSH Public Key | contents of ~/.ssh/id_rsa.pub |
💡 Both credentials share the same key pair. What controls access is the presence of the public key in the correct user’s
authorized_keyson each host.
Step 6 — Set as Preferred Credential
Setup → Security → Preferred Credentials → Target Type: Host → Default Preferred Credentials → Set Credentials → select Named → ORACLE_SSH_KEY → Save
Step 7 — Test
Setup → Security → Named Credentials → select ORACLE_SSH_KEY → Test → pick a target host.
Expected result: Succeeded
Before and After
| Before | After |
|---|---|
PAM authentication failure on every job | SSH key-based authentication |
| Different password per server caused failures | Password-independent |
| Individual credential per host | One Global credential for all hosts |
| Jobs failing across multiple targets | Jobs running successfully on all hosts |
✅ Compatibility: tested on OEM 13c and OEM 13.5. The Named Credentials workflow is equivalent across both versions.
References
- Oracle Documentation — Managing Named Credentials
- Oracle Support — Doc ID 1585459.1 (Named Credentials with SSH Key)