diff --git a/ansible/roles/epel/tasks/install-from-rpm.yml b/ansible/roles/epel/tasks/install-from-rpm.yml
index 56a4b5850..f905892bf 100644
--- a/ansible/roles/epel/tasks/install-from-rpm.yml
+++ b/ansible/roles/epel/tasks/install-from-rpm.yml
@@ -53,11 +53,13 @@
       ansible.builtin.rpm_key:
         state: present
         key: "/root/epel/{{ epel_gpg_key_filename }}"
+      when: not ansible_check_mode
 
     - name: Install epel RPM from S3
       ansible.builtin.yum:
         state: present
         name: "/root/epel/{{ epel_rpm_filename }}"
+      when: not ansible_check_mode
 
   always:
     - name: Restore SELinux state to Enforcing
diff --git a/ansible/roles/nomis-xtag-weblogic/defaults/main.yml b/ansible/roles/nomis-xtag-weblogic/defaults/main.yml
index 1877d75f0..04e4414de 100644
--- a/ansible/roles/nomis-xtag-weblogic/defaults/main.yml
+++ b/ansible/roles/nomis-xtag-weblogic/defaults/main.yml
@@ -1,5 +1,16 @@
 ---
-ssm_parameters_prefix: "weblogic"
+# Following tags must be set on the ASG
+# nomis-environment: e.g. t1
+# oracle-db-name: T1CNOM
+# oracle-db-hostname-a: t1-nomis-db-1-a.fqdn
+# oracle-db-hostname-b: none
+# ndh-ems-hostname: t1-ndh-ems
+nomis_environment: "{{ ec2.tags['nomis-environment'] }}"
+weblogic_db_name: "{{ ec2.tags['oracle-db-name'] }}"
+weblogic_db_hostname_a: "{{ ec2.tags['oracle-db-hostname-a'] }}"
+weblogic_db_hostname_b: "{{ ec2.tags['oracle-db-hostname-b'] }}"
+ndh_ems_server: "{{ ec2.tags['ndh-ems-hostname'] }}"
+
 weblogic_domain_hostname: "{{ ansible_facts.hostname }}"
 weblogic_servername: "{{ ansible_facts.hostname }}"
 weblogic_cluster: "{{ ansible_facts.hostname }}"
@@ -10,7 +21,20 @@ wl_home: /u01/app/oracle/Middleware/wlserver_10.3
 domain_home: /u01/app/oracle/Middleware/user_projects/domains
 domain_name: NomisDomain
 managed_server: WLS_XTAG_OUTBOUND_01
+weblogic_admin_username: weblogic
+weblogic_db_username: xtag
 
 weblogic_servers:
   - { name: WLS_XTAG_OUTBOUND_01 }
   - { name: AdminServer }
+
+db_config: "{{ db_configs[weblogic_db_name] }}"
+xtag_ssm_passwords:
+  weblogic:
+    parameter: "/oracle/weblogic/{{ nomis_environment }}/passwords"
+    users:
+      - weblogic: auto
+  db:
+    parameter: "/oracle/database/{{ db_config.db_name }}/weblogic-passwords"
+    users:
+      - xtag:
diff --git a/ansible/roles/nomis-xtag-weblogic/tasks/get-facts.yml b/ansible/roles/nomis-xtag-weblogic/tasks/get-facts.yml
index 226c6e45c..244e6d1b9 100644
--- a/ansible/roles/nomis-xtag-weblogic/tasks/get-facts.yml
+++ b/ansible/roles/nomis-xtag-weblogic/tasks/get-facts.yml
@@ -1,34 +1,14 @@
 ---
-- name: Set SSM parameters path fact from ec2 ssm-parameters-prefix and Name tag
-  set_fact:
-    ssm_parameters_path: '/{{ ssm_parameters_prefix }}/{{ ec2.tags["Name"] }}'
-
-- name: Set SSM parameters weblogic path facts
-  set_fact:
-    ssm_parameters_path_weblogic_admin_username: "{{ ssm_parameters_path }}/admin_username"
-    ssm_parameters_path_weblogic_admin_password: "{{ ssm_parameters_path }}/admin_password"
-    ssm_parameters_path_weblogic_db_username: "{{ ssm_parameters_path }}/db_username"
-    ssm_parameters_path_weblogic_db_password: "{{ ssm_parameters_path }}/db_password"
-
 - name: Get SSM parameters
-  set_fact:
-    weblogic_admin_username: "{{ lookup('aws_ssm', ssm_parameters_path_weblogic_admin_username, region=ansible_ec2_placement_region) }}"
-    weblogic_admin_password: "{{ lookup('aws_ssm', ssm_parameters_path_weblogic_admin_password, region=ansible_ec2_placement_region) }}"
-    weblogic_db_username: "{{ lookup('aws_ssm', ssm_parameters_path_weblogic_db_username, region=ansible_ec2_placement_region) }}"
-    weblogic_db_password: "{{ lookup('aws_ssm', ssm_parameters_path_weblogic_db_password, region=ansible_ec2_placement_region) }}"
+  import_role:
+    name: ssm-passwords
+  vars:
+    ssm_passwords: "{{ xtag_ssm_passwords }}"
 
-- name: Set db hostname from ec2 oracle-db-hostname tag
-  set_fact:
-    weblogic_db_hostname_a: "{{ ec2.tags['oracle-db-hostname-a'] }}"
-    weblogic_db_hostname_b: "{{ ec2.tags['oracle-db-hostname-b'] }}"
-
-- name: Set db name from ec2 oracle-db-name tag
-  set_fact:
-    weblogic_db_name: "{{ ec2.tags['oracle-db-name'] }}"
-
-- name: Set ndh ems name from ec2 ndh-ems-hostname tag
+- name: Get SSM parameters
   set_fact:
-    ndh_ems_server: "{{ ec2.tags['ndh-ems-hostname'] }}"
+    weblogic_admin_password: "{{ ssm_passwords_dict['weblogic'].passwords[weblogic_admin_username] }}"
+    weblogic_db_password: "{{ ssm_passwords_dict['db'].passwords[weblogic_db_username] }}"
 
 - debug:
     msg: "Configuring Oracle DB {{ weblogic_db_name }} on {{ weblogic_db_hostname_a }},{{ weblogic_db_hostname_b }} with username {{ weblogic_db_username }}"