Background

Some of our named credentials use a privileged account to perform root actions via sudo. That account is not the same as the OEM agent binary owner and does not belong to the binary owner’s o/s groups for security reasons.

Sometime that causes problems, like this:

PDP execution may have failed 3430 Insecure operation – please consult your administrator pbrun8.5.1-01[112628]: 3201.07 Exec of /usr/bin/pb_sudo failed: Operation not permitted

The Powerbroker error is a symptom and not the real problem.  The real issue is that the privileged account lacks access to directories in the EM agent home.

Solution

Log into the host as the OEM binary owner and change the permissions as shown:

cd $AGENT_BASE
cd ../

 chmod 755 agent
 cd agent
 chmod 755 agent_inst

cd agent_inst
 chmod 775 diag
 chmod 755 bin install sysman
 chmod 740 internal
 
cd sysman
 chmod 755 ApplicationsState/ config/ emd/ log/ opmn/ recv/
 ls -las

Notice that we’re not changing any file permissions and we are not altering contents of the core/release directories, just agent_inst.

By the way:  This solution makes a very simple and convenient OEM Job.

Verification

In the console click through to Setup | Security | Named Credentials and highlight the privileged credential you need to test.  Select the previously broken host name from the Target Name list and hit the Test button.