Today I want to talk about an error that I haven’t seen before until I upgraded my demo Enterprise Manager environment to the latest 24ai version. I went through the standard process of upgrading the OMs and then upgraded the agents. Everything went fine expect that any jobs executed against a database or a host were failing with:
Failed to ascii decode encrypted-text (status=1)
Some jobs finished correctly, however that error was still present on the job log file. I came to know by using KB656298 – Failed to ascii decode encrypted-text (status=1) After EM Upgrade that I totally forgot to execute root.sh script after the upgrade.
One thing I need to mention is that some agents worked fine and some of them I needed to restart after executing root.sh.
The KB note doesn’t mention anything about the need of restarting the agent. Next time I need to make sure I execute all the needed steps after upgrading the agents.
We hear more and more about the benefits of using AI models in terms of efficiency and speed innovation for the software industry. One thing that we also started hearing last month is that new models also offer new ways to exploit security vulnerabilities by bad actors.
Oracle Database Engineering is actively working with leading AI model providers in order to continuously discover vulnerabilities using advanced AI techniques to rapidly remediate and deliver fixes via the existing database release updates.
What does this mean to you?
Patch, patch and patch TODAY! You must apply the quarterly release update (RU) promptly, this is RU31 for 19c (19.31) or RU2 for 26ai (23.26.2). If you are not in 19c or 26ai yet you must upgrade your database as soon as possible. Also make sure your client libraries are upgraded to 19c or 26ai.
Changes are also coming on the way and frequency Oracle delivers security patches. From the Accelerating Vulnerability Detection and Response blog:
Oracle is expanding how security fixes are delivered to customers with a monthly Critical Security Patch Update (CSPU), starting in May 2026. CSPUs provide targeted fixes for critical security issues, allowing customers to address high-priority vulnerabilities without waiting for the next quarterly release. Each CSPU is smaller and more focused, making it easier to apply critical fixes quickly. Quarterly Critical Patch Updates will continue to include all fixes released in prior CSPUs.
This approach enables customers to apply critical fixes more quickly on premises, while continuing to support established quarterly patching cycles through cumulative updates. All patches are applied automatically in Oracle-managed cloud environments.
Review recent communication information
This information is now available through several channels including blog posts & MOS.
As Mike Dietrich mentioned is his post, we live in an interesting and challenging era that we can’t stop but we should rather be prepared. For Oracle Database Administrators this means to have all your Oracle databases upgraded and patched to either 19.31 or 23.26.2. Patch NOW!
To make this process easier use automation tools like Oracle AutoUpgrade, FPP or Oracle Database Lifecycle Management in OEM.
Beginning May 28, 2026, Oracle will deliver a Critical Security Patch Update (CSPU) each month. CSPUs provide targeted fixes for critical vulnerabilities in a smaller, more focused format, allowing customers to address high-priority issues without waiting for the next quarterly release.
Support has also issued Product-Specific guidance notes. I recommend to take a look at the general note as there are links to several specific products:
In this post I want to provide a practical use of the AI Vector search functionality in the Oracle database. The use case is to be able to use AI Vector search on data that Oracle Enterprise Manager (EM) produces. In this case incidents data. The idea is to be able to search incidents using vectors in Oracle.
But what is Vector search and why we want to use it? Vector search is a feature that enables searching data by semantics or meanings and values. We want to use it in combination with an LLM in order to ask questions about our data. What kind of data? In this case EM’s incident data.
There are several challenges that we’ll have to work on in order to be able to use AI Vector search. The first challenge is that AI Vector search is a feature of the 26AI (former 23AI) database. Oracle EM doesn’t support 26AI as a repository database. Oracle EM 24AI only supports 19.22 as a repository database as of today. So the question is, how we can me this work?
We will have to use an intermediate Oracle database for the AI Vector functionality. I decided to use the 26AI free version of the Oracle database. You can download a VirtualBox appliance image and run it in your personal computer. There are several limitations of the 26AI free version but it works for my use case.
We are going to call below REST API from the host where the 26AI free database is running.
$ curl -X GET -u sysman:<password> -H "Content-Type:application/json" https://EM_HOST:EM_CONSOLE_HTTPS_PORT/em/api/incidents --insecure
This produces a JSON output with the first set of all open incidents with the most recently created incidents listed first.
I can create a Shell script that executes this CURL command, obtains the data in JSON format and then executes jq in order to convert it into CSV format. It will look similar to this:
#!/bin/bash
# Fetch JSON data using curl
JSON_DATA=$(curl -X GET -u sysman:<password> -H "Content-Type:application/json" https://EM_HOST:EM_CONSOLE_HTTPS_PORT/em/api/incidents --insecure)
# Define the jq filter to extract and format data into CSV
# @csv: Convert the array into a CSV-formatted string
JQ_FILTER='.[].results | [.id, .displayId, .message, .severity, .status, .isOpen, .timeCreated, .timeUpdated, .target_names] | @csv' # Example filter
# Extract data and format as CSV using jq
CSV_CONTENT=$(echo "$JSON_DATA" | jq -r "$JQ_FILTER")
# Define CSV header (adjust to match your selected fields)
CSV_HEADER="id,displayId,message,severity, status, isOpen, timeCreated, timeUpdated, target_names"
# Output to a CSV file
echo "$CSV_HEADER" > incidents.csv
echo "$CSV_CONTENT" >> incidents.csv
echo "CSV data saved to incidents.csv"
We need now to insert this data into the 26AI free database and create the Vectors. Before we do that we need to find a way to generate the vectors from our incident data. For that we will use a model provided by Oracle named all-MiniLM-L12-v2.
Let’s download and load the model into our 26AI free database.
$ mkdir -p /home/oracle/onnx
$ cd /home/oracle/onnx
$ wget https://adwc4pm.objectstorage.us-ashburn-1.oci.customer-oci.com/p/VBRD9P8ZFWkKvnfhrWxkpPe8K03-JIoM5h_8EJyJcpE80c108fuUjg7R5L5O7mMZ/n/adwc4pm/b/OML-Resources/o/all_MiniLM_L12_v2_augmented.zip
$ unzip -oq all_MiniLM_L12_v2_augmented.zip
$ sqlplus sys as sysdba
SQL> create user em_inc identified by password quota unlimited on users;
SQL> grant create session, db_developer_role, create mining model to em_inc;
SQL> create or replace directory model_onnx as '/home/oracle/onnx';
SQL> grant read, write on directory model_onnx to em_inc;
SQL> begin
dbms_vector.drop_onnx_model (
model_name => 'ALL_MINILM_L12_V2',
force => true);
dbms_vector.load_onnx_model (
directory => 'model_onnx',
file_name => 'all_MiniLM_L12_v2.onnx',
model_name => 'ALL_MINILM_L12_V2');
end;
/
SQL> select model_name, algorithm, mining_function from user_mining_models where model_name = 'ALL_MINILM_L12_V2';
MODEL_NAME ALGORITHM MINING_FUNCTION
------------------------------ ---------- ---------------
ALL_MINILM_L12_V2 ONNX EMBEDDING
At this point I can generate the Vector embeddings for the incident data.
We will now import our incident data from the CSV file and create the vector.
SQL> conn em_inc/password
SQL> create table incidents as
select id, displayId, message, severity, status, isOpen, timeCreated, timeUpdated, target_names
from external (
(
id varchar2(40),
displayId number(6),
message varchar2(500),
severity varchar2(100),
status varchar(400),
isOpen varchar(50),
timeCreated varchar(400),
timeUpdated varchar(400),
target_names varchar(1500)
)
type oracle_loader
default directory model_dir
access parameters (
records delimited by newline
skip 1
badfile model_dir
logfile model_dir:'incidents_ext_tab_%a_%p.log'
discardfile model_dir
fields csv with embedded terminated by ',' optionally enclosed by '"'
missing field values are null
)
location ('incidents.csv')
reject limit unlimited
);
SQL> alter table incidents add (
incidents_vector vector
);
SQL> update incidents
set incidents_vector = vector_embedding(all_minilm_l12_v2 using message as data);
SQL> commit;
Let’s now perform a Vector similarity search using the VECTOR_DISTANCE function. This first query will do a search on “Incidents related to agents” query Vector.
SQL> SELECT vector_distance(incidents_vector, (vector_embedding(all_minilm_l12_v2 using 'Incidents related to agents' as data)), EUCLIDEAN) as distance,
message
FROM incidents
order by distance
FETCH EXACT FIRST 10 ROWS ONLY;
DISTANCE
MESSAGE
0.98592836033379427
Process em_agent crashed unexpectedly.
0.98592836033379427
Process em_agent crashed unexpectedly.
0.98592836033379427
Process em_agent crashed unexpectedly.
1.08642161802020090
Number of Active Agents crossed the critical threshold (1). Current value: 0
1.09352931649992050
Agent Unreachable (REASON = Unable to connect to the agent at https://host:3872/emd/main/ [Connection refused]). Host is reachable.
1.09352931649992050
Agent Unreachable (REASON = Unable to connect to the agent at https://host:3872/emd/main/ [Connection refused]). Host is reachable.
1.09352931649992050
Agent Unreachable (REASON = Unable to connect to the agent at https://host:3872/emd/main/ [Connection refused]). Host is reachable.
1.23613168789133000
Process ora_pmon crashed unexpectedly.
1.23613168789133000
Process ora_pmon crashed unexpectedly.
Let’s analyze these results. The shortest distance in the Similarity Vector search is for the message containing the same exact word “agent”, the second closest distance is for messages having the word “Agent” and the third one is for messages not having the word “a(A)gent”.
If you are migrating to multi-tenant architecture of the Oracle database, you’ll find out that in order to connect to the pluggable database (PDB) you must use the service name for the PDB. But, what if you have a legacy application that can only use SID instead of the service name?
For that, you can enable the parameter USE_SID_AS_SERVICE_LISTENER in the listener configuration, so the service name will act as an SID.
Problem solved, right? Well, the problem is now with applications that require the service name and not the SID. One of them is Oracle Enterprise Manager (EM). If you turn on this parameter at the listener level then, you won’t be able to connect to the databases and they will show down (red) in the EM console.
So, what can we do? In EM 13.5 RU16 or higher there’s functionality that allows EM to connect to the database by using an Agent preferred connect descriptor. This way, you can provide the connect descriptor using the service name.
One important note to mention is that you must have RU16 or higher applied to both, the OMS and the Agents in order to enable this functionality.
Follow the My Oracle Support Note “EM 13c: How To Enable Agent Preferred Connect Descriptor Support For RAC Instance, Single Instance DB (Doc ID 2963079.1) ” to enable this functionality. You will have to restart your OMS, so be prepared.
After you enable this setting, navigate to the Monitoring Configuration of your target and look for the new Agent preferred descriptor section. It looks like the image below.
Add the proper connect descriptor and viola! EM is now able to connect to your target.
Is always recommended to turn the USE_SID_AS_SERVICE_LISTENER parameter off after migrations and upgrades. Sometimes this is not an option if you have legacy applications though. This feature allows you connect your EM when the parameter USE_SID_AS_SERVICE_LISTENER must be turned on.
In this blog I want to provide some important steps if you want to monitor Oracle databases running on AWS RDS.
The first step is to have an Oracle Enterprise Manager (EM) installation. This can be on-prem or running on EC2. If you need to setup EM in EC2 you can use one of the pre-built images that already contains an Oracle database. You are going to need this database for the EM repository. One quick example can be the Oracle database 19c image by cloudimg running on Oracle Linux. Just make sure you add enough space in the filesystem so you can also install the EM software.
Once the EC2 instance is up and running, go ahead and patch the Oracle database with the latest RU (RU28 as of today).
Download the Oracle EM 13.5 software from oracle.com and also download the latest RU available (RU27 as of today).
Install EM 13.5 and patch it with RU27. Follow below videos if you need additional guidance on how to install and patch EM.
Next we are going to follow the instructions that RDS has available for the EM agent installation. Remember that because there’s no actual access to the RDS host, we can’t install the EM agent using the traditional way.
Verify all the network pre-reqs so your RDS instance can actually reach your EM installation running on EC2. If you EM is running on-prem then a VPN setup will be required.
Now is time to create an option group once all the network pre-reqs are met. The option group is how we actually ask the RDS console to provide us the option to deploy an EM agent. The option for the option group needs to be OEM_AGENT.
Before you deploy the option group to your RDS instance, you will have to provide information about your EM instance, including:
EM Host Name
EM upload port
EM registration key
Then deploy the option group to your RDS instance.
Once the deployment finishes, you will actually have the EM agent up and running in your RDS instance and showing up in the EM console.
The next step is to discover your DB instance and the listener. Follow below link for the documentation.
My EM demo environment was running EM 13.5 RU21 and the EM repository database 19c RU18. As per of the EM pre-reqs you need to be at least on EM13.5 RU22 and the DB needs to have the latest RU available.
So before even trying to upgrade, I needed to patch my EM. I decided to skip the patch but the UI is really good at reminding it.
So, I patched my EM to RU25 and the EM repository DB to RU26.
Let me execute the 24ai installer and follow the instructions.
Here I decided to upgrade my 13.5 environment instead of creating a new one. There are 2 options though. Upgrade end-to-end or just install the binaries and proceed with the upgrade later.
NOTE: I chose end-to-end first, but ended going back and selecting the second option. The wizard gives a failure in the pre-reqs as it knows that RU 1 is already available for 24ai and you must install it before attempting the upgrade.I’ll share a MOS note on how to deploy it in subsequent steps.
I skipped the software updates.
Then the UI ran the pre-checks.
The pre-checks failed due the fact that 24ai RU1 needed to be applied.
I had to use below MOS note in order to apply RU1 with the bitonly option.
13.5: How to Apply Release Update on the OMS During the Install/Upgrade (Doc ID 2810169.1)
Select your new 24ai home location.
Type the EM repository connection details.
I performed to upgrade using the SYS DB account.
I had an issue with Plug-ins. My environment had 2 plug-ins deployed that are no longer supported in 24ai. I had to use EMCLI commands to un-deploy them.
Oracle Enterprise Manager 24AI was announced on December 2024 during the Oracle Enterprise Manager Technology Forum 2024. If you would like to see all the Forum’s recordings please register below.
In this post, I want to provide a quick overview of the most interesting new features of EM 24AI to you.
Oracle EM 24AI provides a set of new features based on 4 focus areas:
Platform Modernization
Operational Continuity
AI Insights
Performance and Automation
I’m going to share only the features available as of today with the first release of EM 24AI.
Platform Modernization
New Navigation Menu allows you to easily search and access monitoring and administration options from anywhere.
Dashboard Enhancements to select the duration of time for which you want to display data.
Target Monitoring Using Remote Agents without requiring an agent to be installed on the same host as the targets.
Support for Oracle Key Vault and secrets management appliance to store, manage and share security objects and encryption keys.
EM pages enhancements using JET to easily access features with a re-organized menu, enabling direct navigation to each component.
Data Masking and Subsetting enhancements with a unified console experience.
Operational Continuity
Zero Downtime Monitoring that process and handles incident and notification capabilities even during planned maintenance.
New Job System Console which provided deeper information regarding your jobs and job system.
REST APIs enhancements that include the ability to control target blackouts.
Performance and Automation
New swim lanes visualization in ADDM Spotlight that use time-series data aggregated to display findings by overall impact for each ADDM task.
New Metrics to Monitor Raft-based Sharding for 23c and later.
New DBSAT 3.1 Standards.
New SCAP Standards for Oracle Linux 7,8 and 9.
Redesigned Plug-Ins for Non-Oracle targets including Microsoft IIS, JBoss EPA, Apache Tomcat and IBM Websphere.
AI Insights features will be coming in future release updates. If you want to learn more about this new release of Oracle Enterprise Manager please click below.
Here are the results based on my demo environment:
REST API results from CURL
The second test is by using Ansible. If you are not familiar on how to configure Ansible in order to work with EM, please follow the Oracle Live Labs that we created about this.
As soon as you enable the Database Lifecycle Management Pack; Oracle Enterprise Manager will automatically collect hundreds of configuration items of your database estate. However if you need to customize this collection, Configuration Extensions provide a way to identify files and other configuration data that Cloud Control does not already collect.
In this blog, I’ll show you how I created a Configuration Extension (CE) in order to collect DB Services data.
CE’s are found under the Enterprise -> Configuration menus.
While in the CE dashboard, you can create, edit, delete and deploy CE’s using the available menu.
Let’s click the “Create” button.
Using the CE create wizard type a name for the CE, a target type and a Sample Target. As soon as you select “Database Instance” for the Target Type a new option will enable. This option is to select between “Files & Commands” or “SQL”.
In this example I’m going to choose “SQL” and then type the required SQL required to retrieve the data I need from the DB. Let’s type “select name as service_name from dba_services”. Also type “service_name” in the alias section and choose the “Database Query Parser”.
The entries should look similar to the screenshot above.
The data extracted from the DB in the CE is in XML format. We need to add parser rules in order to match and identify nodes in the parsed tree. Click on the number of “Rules” in the table. In this case click on the number “0”.
On the Parser Rule page click “Add” and type this condition and expression:
Condition: /root/row
Expression: SERVICE_NAME/text()
This will allow the parser to use the text inside the SERVICE_NAME node as the name of the row. Click the return button.
Now we can click on the “Preview” button from the menu.
It will show you the preview output. Similar like this:
Click “OK” and then click “Save”.
Select your newly created CE and click on “Manage Deployments” button. Select the targets where you want to deploy the CEs and click “Apply”.
It will look similar to the screen below:
Navigate to the configuration of your target and verify the CE is correctly pulling the desired configuration data.
Now we have our CE correctly gathering the desired configuration data of our DB.
You can find the documentation for Configuration Extensions below.
In this post I want to share the required steps to discover ExaCC or ExaCS in Oracle Enterprise Manager (EM). I’ll provide as much detail as possible.
Make sure your EM is at least on 13.5 RU 16. If not, please apply RU 16 to EM. Follow this link if you want to know how to patch EM. HERE!
You need to designate a “monitoring” agent for the discovery. Is recommended that this agent sits outside your Exadata rack and has access to the OCI REST APIs. More information HERE!
Make sure this agent has both the Database and the Exadata plugins deployed and is patched to the same RU level as the OMS. HERE!
The agent must be able to reach the OCI REST APIs. There are 3 ways to achieve this. a) You can use a Proxy b) You can use the OCI Management Gateway c) You can have direct network connection
Below is a list of APIs that you will need access to: Either grant access to (*.oci.oraclecloud.com) or individual URLS: https://query.<oci_region>.oci.oraclecloud.com https://identity.<oci_region>.oci.oraclecloud.com https://database.<oci_region>.oci.oraclecloud.com https://wss.exacc.<oci_region>.oci.oraclecloud.com https://management-agent.<oci_region>.oci.oraclecloud.com https://certificatesmanagement.<oci_region>.oci.oraclecloud.com https://certificates.<oci_region>.oci.oraclecloud.com https://telemetry-ingestion.<oci_region>.oci.oraclecloud.com https://auth.<oci_region>.oci.oraclecloud.com https://objectstorage.<oci_region>.oci.oraclecloud.com
You may also test that connectivity by executing: $ curl -v https://query.<oci_region>.oci.oraclecloud.com
Create or use an OCI account that has access to read your Exadata racks. These are the policies I have used: allow group <domain/group name> to read database-family in compartment <compartment name> You can find more information about the required policies HERE!
Setup API Keys for authentication. Please follow instructions in the MOS note below: EM13.5: Manage OCI Connectivity Named Credentials Test Failed with Invalid Private Key. (Doc ID 2792126.1)
Create an EM Named Credential using the API Keys created on the previous step. More details HERE!
You also need the proper Storage Server credentials. If you don specify them during the discovery process, Storage Server targets will not be discovered. Instructions on how to retrieve this credential can be found HERE! If you can’t retrieve these credentials, please open a Service Request with support.
Discover your Exadata Infrastructure following the discovery wizard. More information HERE!
After finishing the discovery, you should have your Exadata Cloud target in EM. Please wait between 15 to 20 minutes for the target information to be populated.
If your network setup does not allow direct connectivity to the OCI REST APIs then you will have to use an internal Proxy or use the OCI Management Gateway. More information about the OCI Management Gateway can be found HERE!
Update: You will also have to modify 2 parameters. One at the OMS level and one at the agent level. Please follow below MOS notes:
OEM 13c : SSH Key Credential Test On a Host Target Fails With “Remote operation timed out.” (Doc ID 2415262.1) EM 13.2: Agent Patching From EM Console Fails With Error “concurrent job tasks limit (50) has been reached” (Doc ID 2476803.1)
