Oracle® Fusion Middleware Administrator's Guide for Oracle Privileged Account Manager, 11g Release 2 (11.1.2), E27152-02, Oracle Corporation, 2012

A Working with the Command Line Tool

You can use the Oracle Privileged Account Manager command line tool to perform many of the same tasks you perform from the Oracle Privileged Account Manager's Console.


Note:

Globalization support for the Oracle Privileged Account Manager command line tool is not available for this release. The command line tool messages and help are only provided in English.


This appendix describes how to launch and use the command line tool.

A.1 Launching the Command Line Tool

Use the following steps to launch the Oracle Privileged Account Manager command line tool:

  1. Open a command window and change directory to ORACLE_HOME/opam/bin.

  2. At the prompt, type one of the following commands to launch the command line tool:

    • On UNIX systems, type: opam.sh

    • On Windows systems, type: opam.bat

    Invoking the command line tool automatically connects you to the Oracle Privileged Account Manager server.

    You can also invoke the command line tool from a remote client by providing the URL of the Oracle Privileged Account Manager server (whether it runs on the same machine or on a different one) in the -url option.


    Note:

    For security purposes, the Oracle Privileged Account Manager server only responds to SSL traffic.

    When you provide the Oracle Privileged Account Manager server target to the Oracle Privileged Account Manager command line tool (or to Oracle Privileged Account Manager's web-based Console), you must provide the SSL endpoint as https://hostname:sslport/opam.

    By default, WebLogic responds to SSL on port 7002. The default Oracle Privileged Account Manager server SSL port is 18102. You can use the WebLogic console to check the port for your particular instance.


A.2 Oracle Privileged Account Manager Commands

This section describes the commands that you can use with the Oracle Privileged Account Manager command line tool.


A.2.1 Issuing Commands

Use the following syntax to issue any of the Oracle Privileged Account Manager commands:

[-url <url>] -u <username> [-p <password>] [-debug] -x <opam-command>

where:

Option / Description

-url <url>

Provide the URL address for the Oracle Privileged Account Manager server.

Note: If you do not specify a URL for this option, it defaults to https://hostname:18102/opam.

-u <username>

Provide your log-in user name.

-p <password>

Provide your log-in password.

-debug

Run the debugger.

-x <opam-command>

Run the specified Oracle Privileged Account Manager command.


For example:

-url https://hostname:sslport/opam -u <username> [-p <password>] [-debug] 
-x addtarget -targetname <targetname> -host <hostname> -port 22 
-organization <organization>

A.2.2 addaccount Command

Use the addaccount command to add a privileged account.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x addaccount <options>

The following table describes the options you can use with this command:

Option / Description

-targetid <target id>

Identify the target GUID value of a configured target.

-accountname <accounttname>

Provide a name for the new account.

[-help]

Optional. Displays usage options for this command.


A.2.3 addtarget Command

Use the addtarget command to add a target.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x addtarget <options>

Oracle Privileged Account Manager supports multiple target types, and the parameters they require can vary. These parameters should be discovered at run time, before you execute an addtarget command.

For example,

  • Execute the following command to see a list of supported target types:

    sh opam.sh -url <OPAM url> -u <security admin user> 
    -p <security admin user password> -x addtarget -help

    For example, if https://hostname:sslport/opam is the Oracle Privileged Account Manager server URL, execute the following command:

    sh opam.sh -url https://hostname:sslport/opam -u sec_admin -p welcome1 
    -x addtarget -help

  • Execute the following command to see a list of the required and optional attributes for a specified target type:

    sh opam.sh -url <OPAM url> -u <security admin user> 
    -p <security admin user password> -x addtarget
    -targettype <any supported target type> -help

    For example, to see a list of attributes for the LDAP target type with https://hostname:sslport/opam as the Oracle Privileged Account Manager server URL, execute the following command:

    sh opam.sh -url https://hostname:sslport/opam -u sec_admin -p welcome1 
    -x addtarget -targettype ldap -help

The following table describes the parameters required for LDAP targets.


Note:

You must specify all multi-valued attributes in this format: value1|value2|...


Option / Description

-targetname <targetname>

Provide a name for the target.

-targettype <ldap | unix | database> <type-specific attributes>

Specify a target type and provide any type-specific attributes.

-domain <domain>

Provide a domain name.

-host <host>

Provide the host name.

-port <port>

Provide the TCP/IP port number used to communicate with the LDAP server.

-ssl <ssl>

Optional. Specify to connect to the LDAP server using SSL.

-principal <principal>

Provide the distinguished name with which to authenticate to the LDAP server.

-credentials <credentials>

Provide the principal's password.

-baseContexts <baseContexts> [Multi-Valued]

Specify one or more starting points in the LDAP tree to use when searching the tree.

Searches are performed when discovering users from the LDAP server or when looking for groups in which the user is a member.

-accountNameAttribute <accountNameAttribute>

Specify the attribute that holds the account's user name.

[-description <description>]

Provide a description of the target.

[-organization <organization>]

Provide the organization name.

[-uidAttribute <uidAttribute>]

Provide the name of the LDAP attribute that is mapped to the UID attribute. (Defaults to uid)

[-accountSearchFilter <accountSearchFilter>]

Optional. Provide an LDAP filter to control which accounts are returned from the LDAP resource.

If you do not specify a filter, then only accounts that include all specified object classes will be returned. (Defaults to (uid=*))

[-passwordAttribute <passwordAttribute>]

Optional. Specify the name of the LDAP attribute that holds the password.

When changing a user's password, Oracle Privileged Account Manager sets the new password to this attribute. (Defaults to userpassword)

[-accountObjectClasses <accountObjectClasses>] [Multi-Valued]

Specify the objectclass or objectclasses to use when creating new user objects in the LDAP tree.

When entering more than one objectclass, put each entry on its own line and do not use commas or semicolons to separate multiple object classes.

Some objectclasses may require that you specify all objectclasses in the class hierarchy. (Defaults to "top|person|organizationalPerson|inetOrgPerson")
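Putting the general syntax from A.2.1 together with the LDAP option table above, the following Python helper is an added example and is not part of Oracle's documentation or of the opam tool itself. It assembles the argument list for an LDAP addtarget call from a dict, checks that every required attribute from the table is present, fills in the defaults the table states, encodes the [Multi-Valued] attributes in the value1|value2|... form the note requires, and refuses a server URL that is not https://hostname:sslport/opam. It deliberately omits -p, so the tool prompts for the login password rather than receiving it through the process list. The value "true" for -ssl, the sample target values, and running the result through subprocess are assumptions; the table does not name the -ssl value.

```python
import shlex
from urllib.parse import urlparse

# Required LDAP target attributes, as listed in the addtarget option table.
LDAP_REQUIRED = ("targetname", "domain", "host", "port", "principal",
                 "credentials", "baseContexts", "accountNameAttribute")

# Defaults the option table states for the optional LDAP attributes.
LDAP_DEFAULTS = {
    "uidAttribute": "uid",
    "accountSearchFilter": "(uid=*)",
    "passwordAttribute": "userpassword",
    "accountObjectClasses": ["top", "person", "organizationalPerson",
                             "inetOrgPerson"],
}

# Attributes the table marks [Multi-Valued]; they are passed as value1|value2|...
MULTI_VALUED = ("baseContexts", "accountObjectClasses")

# Constructed sample target; host, DN and bind password are placeholders.
SAMPLE_TARGET = {
    "targetname": "corp-ldap",
    "domain": "corp",
    "host": "ldap.example.com",
    "port": 636,
    "principal": "cn=opam-svc,ou=svc,dc=example,dc=com",
    "credentials": "PLACEHOLDER_BIND_PASSWORD",
    "baseContexts": ["ou=people,dc=example,dc=com", "ou=svc,dc=example,dc=com"],
    "accountNameAttribute": "uid",
}


def encode_multi(values):
    """Join a multi-valued attribute with '|' as the note above requires."""
    vals = [values] if isinstance(values, str) else list(values)
    for v in vals:
        if "|" in v:
            raise ValueError(f"value {v!r} contains the '|' separator")
    return "|".join(vals)


def check_server_url(url):
    """The server answers only on SSL, so insist on https and the /opam path."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("OPAM server URL must be https://hostname:sslport/opam")
    if parsed.path.rstrip("/") != "/opam":
        raise ValueError("OPAM server URL path must be /opam")
    return url


def build_ldap_addtarget(url, admin_user, target, ssl=True):
    """Return the argv list for 'opam.sh ... -x addtarget' for one LDAP target.

    -p is never emitted: it is optional, and leaving it out lets the tool prompt
    for the login password instead of exposing it in the process list and shell
    history. The LDAP bind password (-credentials) is a required target
    attribute of the tool and therefore still appears in argv.
    """
    missing = [k for k in LDAP_REQUIRED if k not in target]
    if missing:
        raise ValueError(f"missing required LDAP attributes: {missing}")
    attrs = dict(LDAP_DEFAULTS)
    attrs.update(target)
    argv = ["sh", "opam.sh", "-url", check_server_url(url), "-u", admin_user,
            "-x", "addtarget", "-targettype", "ldap"]
    for key, value in attrs.items():
        if key in MULTI_VALUED:
            value = encode_multi(value)
        argv += [f"-{key}", str(value)]
    if ssl:
        # The table lists -ssl <ssl> without naming its value; "true" is assumed.
        argv += ["-ssl", "true"]
    return argv


if __name__ == "__main__":
    argv = build_ldap_addtarget("https://opamhost:18102/opam", "sec_admin", SAMPLE_TARGET)
    print(shlex.join(argv))  # hand argv to subprocess.run(argv) to execute it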


A.2.4 checkin and checkout Commands

Use the checkin command to check in privileged accounts and the checkout command to check out privileged accounts.


Note:

The checkout operation also provides a password for you to use.


Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x checkin <options>
[-url <url>] -u <username> [-p <password>] [-debug] -x checkout <options>

The following table describes the options you can use with these commands:

Option / Description

-accountid <account id>

Identify the account to be checked-out or checked-in.

[-help]

Optional. Displays usage options for this command.


A.2.5 displayallaccounts Command

Use the displayallaccounts command to display a listing of all accounts.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x displayallaccounts <options>

The following table describes the options you can use with this command:

Option / Description

[-help]

Optional. Displays usage options for this command.


A.2.6 displayallgroups Command

Use the displayallgroups command to display a listing of all groups.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x displayallgroups <options>

The following table describes the options you can use with this command:

Option / Description

[-help]

Optional. Displays usage options for this command.


A.2.7 displayalltargets Command

Use the displayalltargets command to display a listing of all targets.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x displayalltargets <options>

The following table describes the options you can use with this command:

Option / Description

[-help]

Optional. Displays usage options for this command.


A.2.8 displayallusers Command

Use the displayallusers command to display a listing of all users.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x displayallusers <options>

The following table describes the options you can use with this command:

Option / Description

[-help]

Optional. Displays usage options for this command.


A.2.9 displaycheckedoutaccounts Command

Use the displaycheckedoutaccounts command to display a listing of a user's checked out accounts.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x displaycheckedoutaccounts <options>

The following table describes the options you can use with this command:

Option / Description

[-help]

Optional. Displays usage options for this command.


A.2.10 displaydomaintree Command

Use the displaydomaintree command to display a domain tree.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x displaydomaintree <options>

The following table describes the options you can use with this command:

Option / Description

[-help]

Optional. Displays usage options for this command.


A.2.11 displaytargettypetree Command

Use the displaytargettypetree command to display a target type tree.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x displaytargettypetree <options>

The following table describes the options you can use with this command:

Option / Description

[-help]

Optional. Displays usage options for this command.


A.2.12 export and import Commands

Use the export command to export data stored in Oracle Privileged Account Manager, such as targets and accounts, to XML format. Use the import command to import data into Oracle Privileged Account Manager from an XML file. These commands are useful for:

  • Bulk operations, such as querying or loading large volumes of data

  • Back-up and recovery operations, such as periodically backing up Oracle Privileged Account Manager data to XML

  • Migration operations, such as exporting data from one Oracle Privileged Account Manager instance and importing it to another instance


Note:

You must be an administrator with the Security Administrator Admin Role to use these commands.


The export command exports all Oracle Privileged Account Manager data, including targets, accounts, policies, and grants.


Note:

Exporting accounts also exports the passwords for those accounts. For added security, you can export the passwords in an encrypted format by using the -encpassword and -enckeylen options.

Be sure to note the encryption password and encryption key length because you must provide that same password for decryption during the import operation.


You can create an import XML file from previously exported data or you can manually create the file. If you previously exported the XML file with an encryption password, then you must provide the same password for decryption during import.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x export <options>
[-url <url>] -u <username> [-p <password>] [-debug] -x import <options>

The following table describes the options you can use with the export and import commands:

Option / Description

-f <export file>

Specify an export file name.

-encpassword <encryption password>

Specify a password to use when encrypting/decrypting account passwords.

-enckeylen <key length for password encryption>

Specify the minimum key length for an encryption/decryption password. (Defaults to 128 bits)

-log <log file location>

Specify a file name and location for the log file. (Defaults to log.txt)

[-help]

Optional. Displays usage options for this command.


The XML schema for an import or export file is located in the following file:

ORACLE_HOME/opam/jlib/OPAMBulkTool.xsd

The following example shows some sample XML definitions of Oracle Privileged Account Manager elements.

Example A-1 Sample XML Definition of Oracle Privileged Account Manager Elements

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<OPAMData xmlns="http://www.example.org/OPAMBulkTool"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:schemaLocation="http://www.example.org/OPAMBulkTool OPAMBulkTool.xsd">
  <usagepolicy>
    <name value="Accounting Usage Policy"/>
    <status value="active"/>
    <description value="null"/>
    <globaldefault value="n"/>
    <dateorduration value="duration"/>
    <expiremin value="30"/>
    <expiredate value="08/08/2088"/>
    <expiretime value="11:30am"/>
    <timezone value="America/Los_Angeles"/>
    <usagedays>
      <day fromtime="12:0am" totime="12:0am" value="monday"/>
      <day fromtime="12:0am" totime="12:0am" value="tuesday"/>
      <day fromtime="12:0am" totime="12:0am" value="wednesday"/>
      <day fromtime="12:0am" totime="12:0am" value="thursday"/>
      <day fromtime="12:0am" totime="12:0am" value="friday"/>
      <day fromtime="12:0am" totime="12:0am" value="saturday"/>
      <day fromtime="12:0am" totime="12:0am" value="sunday"/>
    </usagedays>
  </usagepolicy>
  <passwordpolicy>
    <name value="Accounting Password Policy"/>
    <status value="active"/>
    <description value=""/>
    <globaldefault value="n"/>
    <changepassevery value="30-days"/>
    <changepasscheckout value="y"/>
    <changepasscheckin value="y"/>
    <passwordlength max="20" min="8"/>
    <minalphabets value="1"/>
    <minnumeric value="1"/>
    <minalphanumeric value="2"/>
    <specialchars max="5" min="1"/>
    <repeatedchars max="1" min="0"/>
    <minuniquechars value="1"/>
    <minuppercasechars value="1"/>
    <minlowercasechars value="1"/>
    <startwithchar value="n"/>
    <accountnameaspass value="n"/>
  </passwordpolicy>
  <target>
    <type name="database"/>
    <name value="AccountsDB"/>
    <attributes>
      <attributeName name="domain" value="Accounting"/>
      <attributeName name="host" value="localhost"/>
      <attributeName name="jdbcUrl" value="jdbc:oracle:thin:@dbhost:1521:orcl"/>
      <attributeName name="loginUser" value="system"/>
      <attributeName name="loginPassword" value="welcome1"/>
      <attributeName name="dbType" value="Oracle"/>
      <attributeName name="description" value="Accounting Database"/>
      <attributeName name="organization" value="Accounting"/>
      <attributeName name="connectionProperties" value=""/>
    </attributes>
  </target>
  <account>
    <name value="ACCT_DBA"/>
    <target name="AccountsDB"/>
    <passwordpolicy name="Accounting Password Policy"/>
    <grantee>
      <user name="johndoe"/>
      <user name="janedoe"/>
    </grantee>
    <shared value="false"/>
    <status value="checkedIn"/>
  </account>
</OPAMData>
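Because an export carries account passwords and target login credentials, a file in this format deserves a review before it is imported into another instance or kept as a backup. The following Python script is an added example, not Oracle's code and not part of the bulk tool: it parses an OPAMData document with the standard library and reports the findings a reviewer wants, namely target attributes that hold clear-text credentials, accounts that reference a target or password policy the file does not define, and accounts with no grantees. The embedded sample is a trimmed copy of Example A-1 plus one constructed account (HR_APP, target HRDB) that triggers the dangling-reference checks; the attribute names credentials and password in SECRET_ATTRIBUTES are assumed names for other target types, since only loginPassword appears on this page.

```python
import xml.etree.ElementTree as ET

# Namespace of the OPAMData document shown in Example A-1.
NS = {"o": "http://www.example.org/OPAMBulkTool"}

# Target attribute names treated as secrets. loginPassword appears in
# Example A-1; the other two are assumed names for other target types.
SECRET_ATTRIBUTES = {"loginpassword", "credentials", "password"}

# Constructed sample: the policy, target and first account are trimmed from
# Example A-1; the second account is added to show a dangling target
# reference and an account nobody is granted.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<OPAMData xmlns="http://www.example.org/OPAMBulkTool"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:schemaLocation="http://www.example.org/OPAMBulkTool OPAMBulkTool.xsd">
  <passwordpolicy>
    <name value="Accounting Password Policy"/>
    <status value="active"/>
  </passwordpolicy>
  <target>
    <type name="database"/>
    <name value="AccountsDB"/>
    <attributes>
      <attributeName name="domain" value="Accounting"/>
      <attributeName name="host" value="localhost"/>
      <attributeName name="loginUser" value="system"/>
      <attributeName name="loginPassword" value="welcome1"/>
    </attributes>
  </target>
  <account>
    <name value="ACCT_DBA"/>
    <target name="AccountsDB"/>
    <passwordpolicy name="Accounting Password Policy"/>
    <grantee>
      <user name="johndoe"/>
      <user name="janedoe"/>
    </grantee>
    <shared value="false"/>
    <status value="checkedIn"/>
  </account>
  <account>
    <name value="HR_APP"/>
    <target name="HRDB"/>
    <passwordpolicy name="Accounting Password Policy"/>
    <grantee/>
    <shared value="true"/>
    <status value="checkedIn"/>
  </account>
</OPAMData>
"""


def _value(elem, child, attr="value"):
    """Return an attribute of a named child element, or None if it is absent."""
    node = elem.find(f"o:{child}", NS)
    return None if node is None else node.get(attr)


def parse_export(xml_text):
    """Parse an OPAMData document into plain dicts keyed for the audit."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    targets = {}
    for t in root.findall("o:target", NS):
        attrs = {a.get("name"): a.get("value")
                 for a in t.findall("o:attributes/o:attributeName", NS)}
        targets[_value(t, "name")] = {"type": _value(t, "type", "name"),
                                      "attributes": attrs}
    policies = {_value(p, "name") for p in root.findall("o:passwordpolicy", NS)}
    accounts = [{
        "name": _value(a, "name"),
        "target": _value(a, "target", "name"),
        "policy": _value(a, "passwordpolicy", "name"),
        "grantees": [u.get("name") for u in a.findall("o:grantee/o:user", NS)],
        "shared": _value(a, "shared") == "true",
        "status": _value(a, "status"),
    } for a in root.findall("o:account", NS)]
    return {"targets": targets, "password_policies": policies, "accounts": accounts}


def audit(data):
    """Return findings: clear-text credentials, dangling references, ungranted accounts."""
    findings = []
    for name, t in data["targets"].items():
        for attr, value in t["attributes"].items():
            if attr.lower() in SECRET_ATTRIBUTES and value:
                findings.append(f"target {name}: attribute {attr} holds a clear-text credential")
    for acct in data["accounts"]:
        if acct["target"] not in data["targets"]:
            findings.append(f"account {acct['name']}: undefined target {acct['target']}")
        if acct["policy"] and acct["policy"] not in data["password_policies"]:
            findings.append(f"account {acct['name']}: undefined password policy {acct['policy']}")
        if not acct["grantees"]:
            findings.append(f"account {acct['name']}: no grantees")
    return findings


if __name__ == "__main__":
    for line in audit(parse_export(SAMPLE_XML)):
        print(line)
```

Run against a real export, the clear-text finding is the reminder to use -encpassword and -enckeylen when exporting; the dangling-reference findings catch a hand-edited import file before the import command rejects it or, worse, partially applies it.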

A.2.13 getglobalconfig Command

Use the getglobalconfig command to view the OPAM Global Config configuration entry, which enables you to access and manage various Oracle Privileged Account Manager server properties.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x getglobalconfig <options>

The following table describes the options you can use with this command:

Option / Description

[-help]

Optional. Displays usage options for this command.



Note:

You use the modifyglobalconfig command to modify the server properties. Refer to modifyglobalconfig Command for more information.


A.2.14 grantgroupaccess Command

Use the grantgroupaccess command to give a group access to a privileged account.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x grantgroupaccess <options>

The following table describes the options you can use with this command:

Option / Description

-accountid <account id>

Identify the account to which the group is granted access.

-groupname <group name>

Identify the group to be given access.

[-help]

Optional. Displays usage options for this command.


A.2.15 grantuseraccess Command

Use the grantuseraccess command to give a user access to a privileged account.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x grantuseraccess <options>

The following table describes the options you can use with this command:

Option / Description

-accountid <account id>

Identify the account to which the user is granted access.

-userid <user id>

Identify the user to be given access.

[-help]

Optional. Displays usage options for this command.


A.2.16 modifyglobalconfig Command

Use the modifyglobalconfig command to manage the following Oracle Privileged Account Manager server properties in the OPAM Global Config configuration entry:

  • policyenforcerinterval. Interval (in seconds) in which Oracle Privileged Account Manager checks accounts and then automatically checks-in the accounts that have exceeded the expiration time defined in the Usage Policy. (Default is 3600 seconds)

  • passwordcyclerinterval. Interval (in seconds) in which Oracle Privileged Account Manager checks and then resets the password for any accounts that have exceeded the maximum password age defined in the Password Policy. (Default is 3600 seconds)


Note:

To access these properties, you must use the getglobalconfig command to view the OPAM Global Config configuration entry. Refer to getglobalconfig Command for more information.


Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x modifyglobalconfig <options>

The following table describes the options you can use with this command:

Option / Description

-propertyname <property name>

Specifies the server property to modify (policyenforcerinterval or passwordcyclerinterval).

-propertyvalue <property value>

Specifies the interval (in seconds).

[-help]

Optional. Displays usage options for this command.


For example,

-x modifyglobalconfig -propertyname policyenforcerinterval -propertyvalue 600

See Also:

getglobalconfig Command

A.2.17 removeaccount Command

Use the removeaccount command to remove a privileged account.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x removeaccount <options>

The following table describes the options you can use with this command:

Option / Description

-accountid <account id>

Identify the account to be removed.

[-help]

Optional. Displays usage options for this command.


A.2.18 removegroupaccess Command

Use the removegroupaccess command to remove a group's access to a privileged account.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x removegroupaccess <options>

The following table describes the options you can use with this command:

Option / Description

-accountid <account id>

Identify the account where access is being removed.

-groupname <group name>

Identify the group whose access is being removed.

[-help]

Optional. Displays usage options for this command.


A.2.19 removetarget Command

Use the removetarget command to remove a target.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x removetarget <options>

The following table describes the options you can use with this command:

Option / Description

-targetid <target id>

Identify the target to be removed.

[-help]

Optional. Displays usage options for this command.


A.2.20 removeuseraccess Command

Use the removeuseraccess command to remove a user's access to a privileged account.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x removeuseraccess <options>

The following table describes the options you can use with this command:

Option / Description

-accountid <account id>

Identify the account where access is being removed.

-userid <user id>

Identify the user whose access is being removed.

[-help]

Optional. Displays usage options for this command.


A.2.21 resetpassword Command

Use the resetpassword command to manually reset the password for an account you have checked out. When you execute this command, Oracle Privileged Account Manager returns the account details and prompts you to enter a new password.


Note:

For most users, if the account has already been checked back in, you will get an error.

If you are an administrator with the Security Administrator or User Manager Admin Role, you can use this command to reset a password for both checked out and checked-in accounts.


Command Syntax:

[-url <url>] -u <username> [-p <password>] -x resetpassword -accountid <accountid>

No options other than -accountid are used with this command.

A.2.22 retrieveaccount Command

Use the retrieveaccount command to get information about a privileged account, such as which target the account is on. This information does not include passwords.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x retrieveaccount <options>

The following table describes the options you can use with this command:

Option / Description

-accountid <account id>

Identify the account to be retrieved.

[-help]

Optional. Displays usage options for this command.


A.2.23 retrievegrantees Command

Use the retrievegrantees command to get information about the grantees on a privileged account.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x retrievegrantees <options>

The following table describes the options you can use with this command:

Option / Description

-accountid <account id>

Identify from which account the grantees are to be retrieved.

[-help]

Optional. Displays usage options for this command.


A.2.24 retrievegroup Command

Use the retrievegroup command to get information about groups on a privileged account.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x retrievegroup <options>

The following table describes the options you can use with this command:

Option / Description

-groupname <group name>

Provide the name of the group to retrieve.

[-help]

Optional. Displays usage options for this command.


A.2.25 retrievetarget Command

Use the retrievetarget command to get information about a target.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x retrievetarget <options>

The following table describes the options you can use with this command:

Option / Description

-targetid <target id>

Identify the target to be retrieved.

[-help]

Optional. Displays usage options for this command.


A.2.26 retrieveuser Command

Use the retrieveuser command to get information about a user.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x retrieveuser <options>

The following table describes the options you can use with this command:

Option / Description

-userid <user id>

Identify the user to be retrieved.

[-help]

Optional. Displays usage options for this command.


A.2.27 searchaccount Command

Use the searchaccount command to search for an account.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x searchaccount <options>

The following table describes the options you can use with this command:

Option / Description

-accountid <account id>

Identify the account to search for.

[-help]

Optional. Displays usage options for this command.


For example, the following search returns all targets:

https://<host name>:<port>/opam/target/search?

The following search returns only the targets whose type contains ldap and whose org contains us:

https://<host name>:<port>/opam/target/search?type=ldap&org=us

A.2.28 searchgroup Command

Use the searchgroup command to search for a group.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x searchgroup <options>

The following table describes the options you can use with this command:

Option / Description

[-groupname <group name>]

Optional. Provide the name of the group to search for.

[-description <description>]

Optional. Provide a description of the group.

[-accountname <account name>]

Optional. Provide the name of the account to search.

[-targetname <target name>]

Optional. Provide the name of the target to search.

[-help]

Optional. Displays usage options for this command.


A.2.29 searchtarget Command

Use the searchtarget command to search for a target.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x searchtarget <options>

The following table describes the options you can use with this command:

Option / Description

[-targettype <ldap | solaris | oracledb>]

Optional. Identify the type of target to search for as LDAP, Solaris, or Oracle DB.

[-domain <domain>]

Optional. Provide a domain to search.

[-targetname <target name>]

Optional. Provide the target name to search for.

[-help]

Optional. Displays usage options for this command.


A.2.30 searchuser Command

Use the searchuser command to search for a user.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x searchuser <options>

The following table describes the options you can use with this command:

Option / Description

[-userid <user id>]

Optional. Search for the user by the user ID.

[-firstname <first name>]

Optional. Provide the user's first name.

[-lastname <last name>]

Optional. Provide the user's last name.

[-accountname <account name>]

Optional. Provide the name of the account to search.

[-targetname <target name>]

Optional. Provide the name of the target to search.

[-help]

Optional. Displays usage options for this command.


A.2.31 showpassword Command

Use the showpassword command to view the password for an account you have checked out. When you execute this command, Oracle Privileged Account Manager returns the account details and the password.


Note:

If the account has already been checked back in, you will get an error.

If you are an administrator with the Security Administrator or User Manager Admin Role, you can use this command to view a password for both checked out and checked-in accounts.


Command Syntax:

[-url <url>] -u <username> [-p <password>] -x showpassword -accountid <accountid>

No options other than -accountid are used with this command.


Oracle Legal Notices

Copyright Notice

Copyright © 1994-2014, Oracle and/or its affiliates. All rights reserved.

Trademark Notice

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.

License Restrictions Warranty/Consequential Damages Disclaimer

This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.

Warranty Disclaimer

The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.

Restricted Rights Notice

If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, the following notice is applicable:

U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S. Government.

Hazardous Applications Notice

This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications.

Third-Party Content, Products, and Services Disclaimer

This software or hardware and documentation may provide access to or information on content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services.

Alpha and Beta Draft Documentation Notice

If this document is in preproduction status:

This documentation is in preproduction status and is intended for demonstration and preliminary use only. It may not be specific to the hardware on which you are using the software. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to this documentation and will not be responsible for any loss, costs, or damages incurred due to the use of this documentation.


3 Getting Started with Administering Oracle Privileged Account Manager

You can administer Oracle Privileged Account Manager from the Console and from the command line. This chapter describes how to perform basic administration tasks.


Note:

This chapter assumes you have installed and configured Oracle Privileged Account Manager as described in Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

Reading the "Configuring Oracle Privileged Account Manager" chapter in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management might be particularly helpful.

In this guide, when you are instructed to start the Oracle WebLogic Administration Server (Admin Server) or various Managed Servers, refer to "Starting or Stopping the Oracle Stack" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management for instructions.


This chapter includes the following topics:

3.1 Getting Started after Installing 11g Release 2 (11.1.2)

After installing 11g Release 2, Oracle recommends:

  • Reviewing Table 3-1 to understand the default application URLs for various interfaces that you use to manage Oracle Privileged Account Manager in this release:

    Table 3-1 Default Application URLs

    Interface                                      | Default URL
    Oracle Identity Navigator                      | http://adminserver_host:adminserver_port/oinav/
    Oracle WebLogic Server Administrative Console  | http://adminserver_host:adminserver_port/console/
    Oracle Privileged Account Manager Console      | http://adminserver_host:adminserver_port/oinav/opam
    Oracle Privileged Account Manager Server       | http://managedserver_host:managedserver_port/opam


  • Reviewing Table 3-2 to understand various default ports for Oracle Privileged Account Manager in this release:

    Table 3-2 Default Ports

    Port Type: Oracle Privileged Account Manager
    Default Port: 18102
    Description: Default SSL-enabled port for the WebLogic Managed Server where the Oracle Privileged Account Manager server is deployed.

    In a shiphome (such as an out-of-the-box environment) there are two WebLogic servers relevant to Oracle Privileged Account Manager:

    • The WebLogic Admin Server in the Oracle Privileged Account Manager domain runs Oracle Identity Navigator and the Oracle Privileged Account Manager Console.

    • An additional WebLogic Managed Server runs the Oracle Privileged Account Manager server.

    Port Type: WebLogic responds to SSL
    Default Port: 7002
    Description: Default SSL-enabled port for the WebLogic Admin Server (where Oracle Identity Navigator and the Oracle Privileged Account Manager Console are deployed).


3.2 Deploying ICF Connectors in Oracle Privileged Account Manager

Oracle Privileged Account Manager enables you to secure, share, audit, and manage administrator-identified account credentials. To provide these capabilities, Oracle Privileged Account Manager must be able to access and manage privileged accounts on a target system.

Connectors enable Oracle Privileged Account Manager to interact with target systems, such as LDAP or Oracle Database, and to perform Oracle Privileged Account Manager-relevant administrative operations on those systems.

Oracle Privileged Account Manager leverages connectors that are compliant with the ICF standard.

This section describes how Oracle Privileged Account Manager consumes these ICF connectors. The topics include:

  • Section 3.2.1, "About ICF Connectors"

  • Section 3.2.2, "Locating the Oracle Privileged Account Manager Connector Bundles"

  • Section 3.2.3, "Consuming ICF Connectors"

  • Section 3.2.4, "Adding New Connectors to an Existing Oracle Privileged Account Manager Installation"

For more information about the Identity Connector Framework, refer to "Understanding the Identity Connector Framework" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

3.2.1 About ICF Connectors

Oracle Privileged Account Manager ships with the following ICF-compliant connectors that were developed by Oracle:

  • Database User Management (DBUM) Connector

  • Generic LDAP Connector

  • Oracle Identity Manager Connector for UNIX

These connectors enable Oracle Privileged Account Manager to manage privileged accounts on a range of target systems belonging to the preceding types.

Oracle Privileged Account Manager can also use customer-created, ICF-compliant connectors, which empowers you to manage your proprietary systems by using Oracle Privileged Account Manager.

For more information about the Identity Connector Framework, refer to "Developing Identity Connectors" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

3.2.2 Locating the Oracle Privileged Account Manager Connector Bundles

Because ICF connectors are generic, and useful in numerous contexts, a given Oracle installation puts all connector bundles into a single location on the file system. All components (such as Oracle Privileged Account Manager) that rely on these connector bundles can access them from this location:

ORACLE_HOME/connectors

The connectors that are pushed into ORACLE_HOME/connectors are actually shipped with Oracle Identity Manager. Of all the connectors in this directory, only the following three connectors are certified with Oracle Privileged Account Manager for this release:

  • org.identityconnectors.dbum-1.0.1116.jar

  • org.identityconnectors.genericunix-1.0.0.jar

  • org.identityconnectors.ldap-1.0.6380.jar


Note:

If you obtain any new ICF connectors from Oracle, you must place them in the location specified in the instructions provided.

Storing custom third-party connectors is at your discretion; however, you must ensure they can be read by Oracle Privileged Account Manager at run time.


3.2.3 Consuming ICF Connectors

Oracle Privileged Account Manager consumes ICF connectors by using the opam-config.xml file. The contents of this file provide the following information to Oracle Privileged Account Manager:

  1. Where to pick up the ICF connector bundle (on the file system)

  2. Which configuration attributes are relevant for the Oracle Privileged Account Manager use-cases

  3. How to render the Oracle Privileged Account Manager Console when configuring connectivity to a target system using a particular connector

You will find the opam-config.xml file in the ORACLE_HOME/opam/config directory. During domain creation, the opam-config.xml file is copied to the DOMAIN_HOME/config/fmwconfig/opam directory, and this file is applicable for that domain. The out-of-the-box image is configured to pick up and use the connector bundles that ship with the Oracle Identity Management Suite.

The opam-config.xsd file (also located in the ORACLE_HOME/opam/config directory) describes the schema for opam-config.xml. If you make any changes to the DOMAIN_HOME/config/fmwconfig/opam/opam-config.xml file, verify them against the opam-config.xsd file.

3.2.4 Adding New Connectors to an Existing Oracle Privileged Account Manager Installation

This section describes the processes for adding new connectors to your existing Oracle Privileged Account Manager installation. The topics include:

  • Section 3.2.4.1, "Adding Connectors Supplied by Oracle"

  • Section 3.2.4.2, "Adding Custom Connectors"

3.2.4.1 Adding Connectors Supplied by Oracle

If you are adding new ICF connectors that are supplied by Oracle, then they will be accompanied by installation instructions. These instructions describe where to store the connector bundle and how to modify the installation-specific opam-config.xml file.

3.2.4.2 Adding Custom Connectors

Oracle Privileged Account Manager can use custom connectors that you created or that were created by a third party. However, these connectors must strictly adhere to the ICF standard. After verifying that the connector is ICF-compliant, perform the following steps to deploy the connector for Oracle Privileged Account Manager consumption:

  1. Put the connector bundle in a location on the file system where the bundle can be read by Oracle Privileged Account Manager at run time.

  2. Perform the following steps to create a configuration block for the connector and include that block in the installation-specific opam-config.xml file:

    1. Design and create a relevant configuration block.

      Both the opam-config.xml and opam-config.xsd files contain documentation and an example at the beginning of the file describing how to create a configuration block.

    2. Ensure that this connector configuration block includes the file system location you specified for the connector bundle in step 1.

    3. Add the new connector configuration block to the opam-config.xml file by containing it in a <connectorConfig> block.

    4. Validate the modified opam-config.xml file against the opam-config.xsd file to ensure that the Oracle Privileged Account Manager server can read the modified file. You can use your favorite XML schema validation tool for this purpose.

  3. Restart the Oracle Privileged Account Manager server.

  4. Connect to Oracle Privileged Account Manager, and then add and configure a new target system using the newly added connector type.

3.3 Starting Oracle Privileged Account Manager

This section provides some high-level information about starting and working with Oracle Privileged Account Manager's Console. The topics include:

  • Section 3.3.1, "Starting WebLogic"

  • Section 3.3.2, "Configuring SSL Communication in Oracle Privileged Account Manager"

  • Section 3.3.3, "Assigning the Application Configurator Role to a User"

  • Section 3.3.4, "Invoking Oracle Privileged Account Manager's Web-Based Console"

3.3.1 Starting WebLogic

Before you start Oracle Privileged Account Manager, you must start the WebLogic servers and console.


  1. Connect the Node Manager to WLST by running the nmConnect command.

    See "Node Manager Commands" in the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference for instructions.

  2. Start the WebLogic Admin Server. For example,

    On UNIX, type:

    MIDDLEWARE_HOME/user_projects/domains/DOMAIN_NAME/bin/startWebLogic.sh

    On Windows, type:

    MIDDLEWARE_HOME\user_projects\domains\DOMAIN_NAME\bin\startWebLogic.bat

  3. Start the Oracle Privileged Account Manager managed server.

  4. Open a browser and start the WebLogic Console from the following location:

    http://adminserver_host:adminserver_port/console

3.3.2 Configuring SSL Communication in Oracle Privileged Account Manager

Oracle Privileged Account Manager can connect to target systems through Secure Socket Layer (SSL) or non-SSL options. The SSL option is more secure, but requires some additional configuration.

To communicate securely over SSL with a target system, the WebLogic instance running Oracle Privileged Account Manager must trust the SSL certificate used by the target system because Oracle Privileged Account Manager inherits its SSL configuration from the WebLogic container in which it runs. To have the WebLogic instance running Oracle Privileged Account Manager (and therefore Oracle Privileged Account Manager) trust the target system's SSL certificate, you must import the certificate into the truststore used by that WebLogic instance.

Use the following steps to enable SSL communication between the target system and Oracle Privileged Account Manager:

  1. Export the SSL certificate from the target system host computer.


    Note:

    The steps for exporting an SSL certificate are different for each target system type. Refer to the product documentation provided for your target system for detailed instructions.


  2. Copy the certificate to the machine where you have the WebLogic instance running Oracle Privileged Account Manager.

    If you have the Oracle Privileged Account Manager/Oracle Identity Navigator Console and the Oracle Privileged Account Manager server running on different machines, you must copy the SSL certificate to the Oracle Privileged Account Manager server machine.

  3. Run the following command to import the certificate into the JVM truststore of the WebLogic Server on which Oracle Privileged Account Manager is running:

    JAVA_HOME\bin\keytool -import -file FILE_LOCATION -keystore TRUSTSTORE_LOCATION 
    -storepass TRUSTSTORE_PASSWORD -trustcacerts -alias ALIAS
    

    Where

    • JAVA_HOME is the location used by your WebLogic server. For example:

      • MIDDLEWARE_HOME/jrockit..

      • MIDDLEWARE_HOME/jdk..

      • The location where you installed the Java software

    • FILE_LOCATION is the full path and name of the certificate file.

    • TRUSTSTORE_LOCATION is one of the following truststore paths:

      Table 3-3 Truststore Locations

      If you are using:                                                         | Import the Certificate into the Keystore in This Directory:
      Oracle jrockit_R27.3.1-jdk                                                | JROCKIT_HOME/jre/lib/security
      The default Oracle WebLogic Server JDK                                    | WEBLOGIC_HOME/java/jre/lib/security/cacerts
      A JDK other than Oracle jrockit_R27.3.1-jdk or Oracle WebLogic Server JDK | JAVA_HOME/jre/lib/security/cacerts


    • TRUSTSTORE_PASSWORD is the password for the truststore.

    • ALIAS is an alias for the certificate.


    Note:

    The default password for the cacerts keystore is changeit.


  4. Restart all WebLogic servers.


Note:

For more information about WebLogic security concepts and how to create custom keystores, refer to "Configuring Identity and Trust" in the Oracle Fusion Middleware Securing Oracle WebLogic Server.
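The keytool import from the procedure above, wrapped with the checks an administrator usually wants before trusting a target system's certificate (readable file, out-of-band fingerprint match, alias not already in use, default truststore password flagged). This is an added example, not part of the Oracle guide; it assumes keytool from JAVA_HOME/bin is on the PATH, and every path, alias and fingerprint in it is a placeholder.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): guarded import of a target
# system's SSL certificate into the WebLogic JVM truststore.

# Truststore path per Table 3-3 for a JDK kind: jrockit | weblogic | other.
# $2 is the matching home directory (JROCKIT_HOME, WEBLOGIC_HOME or JAVA_HOME).
# Table 3-3 names only the directory for the jrockit row; the cacerts file
# name under it is assumed here.
truststore_for_jdk() {
  case "$1" in
    jrockit)  printf '%s/jre/lib/security/cacerts\n' "$2" ;;
    weblogic) printf '%s/java/jre/lib/security/cacerts\n' "$2" ;;
    other)    printf '%s/jre/lib/security/cacerts\n' "$2" ;;
    *)        echo "unknown JDK kind: $1" >&2; return 1 ;;
  esac
}

# True when the store password is still the JDK default named in the Note
# above, so the operator knows the truststore is guarded by a published value.
is_default_storepass() {
  [ "$1" = "changeit" ]
}

# Import $1 into truststore $2 (password $3) under alias $4 after checking:
#   1. the certificate file is readable,
#   2. optionally, keytool -printcert shows the fingerprint $5 that the target
#      system's administrator supplied out of band (e.g. "AB:CD:..."),
#   3. the alias is not already present (keytool would otherwise fail late).
# Return codes: 0 imported, 1 unreadable file, 2 fingerprint mismatch,
# 3 alias already exists, otherwise keytool's own exit status.
import_target_cert() {
  cert="$1"; truststore="$2"; storepass="$3"; alias="$4"; expected_fp="${5:-}"
  if [ ! -r "$cert" ]; then
    echo "certificate file not readable: $cert" >&2; return 1
  fi
  if [ -n "$expected_fp" ]; then
    if ! keytool -printcert -file "$cert" | grep -qi "$expected_fp"; then
      echo "fingerprint of $cert does not match expected $expected_fp" >&2
      return 2
    fi
  fi
  if keytool -list -keystore "$truststore" -storepass "$storepass" \
       -alias "$alias" >/dev/null 2>&1; then
    echo "alias '$alias' already present in $truststore; delete it first" >&2
    return 3
  fi
  if is_default_storepass "$storepass"; then
    echo "warning: $truststore still uses the default password" >&2
  fi
  keytool -import -noprompt -trustcacerts -file "$cert" \
    -keystore "$truststore" -storepass "$storepass" -alias "$alias"
}

# Example invocation with placeholder environment variables; runs only when
# keytool is available and TARGET_CERT points at the exported certificate.
if command -v keytool >/dev/null 2>&1 && [ -n "${TARGET_CERT:-}" ]; then
  TRUSTSTORE=$(truststore_for_jdk other "${JAVA_HOME:?set JAVA_HOME}")
  import_target_cert "$TARGET_CERT" "$TRUSTSTORE" \
    "${TRUSTSTORE_PASSWORD:-changeit}" "${CERT_ALIAS:-opam-target}" \
    "${EXPECTED_FINGERPRINT:-}"
fi
```

After a successful import, restart all WebLogic servers as step 4 requires; the new trust entry is only read when the JVM starts.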


3.3.3 Assigning the Application Configurator Role to a User

After installation, you do not have any users present with administrator roles. You must select a user and grant that person the Application Configurator role by using Oracle Identity Navigator.


Note:

Refer to "Assigning a Common Admin Role" in Oracle Fusion Middleware Administrator's Guide for Oracle Identity Navigator for instructions.

The Application Configurator user can have other roles in addition to this role. For more information about other Admin Roles, see Section 2.3.1, "Administration Role Types."


When the Application Configurator user logs in by using the following URL, that user will see an empty screen with a Configure OPAM link.

http://adminserver_host:adminserver_port/oinav/opam

The Application Configurator user can use this link to tell the Oracle Privileged Account Manager Console where the Oracle Privileged Account Manager server is running by providing the Oracle Privileged Account Manager server's host and port.

When the Oracle Privileged Account Manager Console can successfully communicate with the Oracle Privileged Account Manager server, the Oracle Privileged Account Manager Console will be populated with content.


Note:

Oracle Privileged Account Manager administrators and users will probably never have to use the Oracle Identity Navigator interface except during the initial set-up of Oracle Privileged Account Manager.


3.3.4 Invoking Oracle Privileged Account Manager's Web-Based Console

You can access Oracle Privileged Account Manager's Console by opening a browser window and entering the following URL:

http://adminserver_host:adminserver_port/oinav/opam

When the Oracle Privileged Account Manager page displays with the Sign In screen, log in with the appropriate administrator or end user credentials.


Note:

If you prefer using Oracle Privileged Account Manager's command line tool or Oracle Privileged Account Manager's RESTful interface, refer to Appendix A, "Working with the Command Line Tool" or Appendix B, "Working with Oracle Privileged Account Manager's RESTful Interface" (respectively) for detailed information about using those interfaces.


3.4 Navigating Oracle Privileged Account Manager's Console

This section provides a high-level overview of the Oracle Privileged Account Manager Console.


Note:

Access to certain features in the Console is based on your administration role (Admin Role) and credentials. For example, the Reports and Administration accordions described in this section are not available to users with the Security Administrator role.

Refer to Section 2.3, "Understanding Oracle Privileged Account Manager Authorization" for more information about Admin Roles.


The topics in this section include:


Tip:

Hover your mouse over elements in the Oracle Privileged Account Manager interface (such as nodes in the Home accordion or parameter fields) to see helpful prompts.


3.4.1 Working with the Home Accordion

When you log in to Oracle Privileged Account Manager, the Home accordion is displayed and expanded by default. Based on your Admin Role and credentials, this area gives you access to a tree containing some or all of the following nodes:

  • Accounts: Search, open, add, and remove accounts

  • Targets: Search, open, add, and remove targets

  • Policies: Search, open, create, and delete Password Policies and Usage Policies

  • Grantees: Search, open, add, and remove grantees (users and groups)

  • My Checked-out Accounts: View, check out, and check in accounts


Note:

For detailed information about Admin Roles, see Section 2.3.1, "Administration Role Types."


You can expand these nodes to view the target types, domains, Password and Usage Policies, and Users and Groups Grantees.

Example Home tree nodes

For example, in this figure, the ldap node is the Target Type, and us is the Domain. So, if you are looking for an account and know that it is managed by an LDAP target in the us Domain, simply click the us node to view a list of the accounts in that domain. The results display in the Search Results table.


Selecting the nodes or subnodes on this accordion causes a new page to display. You use parameters on these pages to configure and manage Oracle Privileged Account Manager.

Above the Home accordion are two menus that you can use to control how the Home accordion is displayed:

  • View: Use the options on this drop-down menu to expand or collapse all nodes at once, expand or collapse all subnodes below a selected node, or scroll to the first or last node.

  • Perspective: Use this drop-down menu to control whether information is displayed from a Target Type or from a Domain perspective.

3.4.2 Working with the Reports Accordion

Expand the Reports accordion and click a Report link to access different reports about the targets and privileged accounts in your deployment. The information is displayed in the Reports page on the right side of the Console.


Note:

For detailed information about these Reports, see Section 5.1.5, "Working with Reports."


3.4.3 Working with the Administration Accordion

Expand the Administration accordion and click Server Configuration to open a Server Configuration tab. You use the Server Configuration tab to set up and test a connection to your Oracle Privileged Account Manager server.


Note:

For detailed information about managing an Oracle Privileged Account Manager server, see Section 4.4, "Managing an Oracle Privileged Account Manager Server."


3.4.4 Working with the Search Portlet

You use Oracle Privileged Account Manager's Search portlet to search for targets, accounts, policies, users, and groups.

Figure 3-1 Example Search Portlet


You can configure searches by using one or more of the parameters displayed in a Search portlet. The available parameters depend on the type of search. The following table describes the different search parameters:

Table 3-4 Search Portlet Parameters

Parameter Name | Description | Search Type
Account Name | Enter one or more letters of the account name for which you are searching. | Accounts, Users, Groups
Target Name | Specify one or more letters of the target name on which to search. | Accounts, Targets, Users, Groups
Target Type | Specify All (to search all target types), ldap, unix, or database. | Accounts, Targets
Domain | Specify the domain on which to search. | Accounts, Targets
Host Name | Specify the name of the host on which to search. | Targets
Policy Name | Specify one or more letters of the policy name for which you are searching. | Policies
Policy Status | Specify whether to search for All policies or limit the search to only Active or only Disabled policies. | Policies
Policy Type | Specify whether to search for All policy types or limit the search to only Password Policies or only Usage Policies. | Policies
User Name | Specify one or more letters of the user's name for which you are searching. | Users
First Name | Specify one or more letters of the user's first name. | Users
Last Name | Specify one or more letters of the user's last name. | Users
Group Name | Specify one or more letters of the group name for which you are searching. | Groups
Description | Provide the group description. | Groups


The general steps for performing a search are as follows:

  1. Select the appropriate node in the Home tree.

    For example, to search for an account, select the Accounts node.

  2. Enter one or more of the search parameters available in the Search portlet and then click Search.

    For example, to search for a list of all the accounts on a particular LDAP target, enter one or more letters of the target's name, select LDAP from the Target Type menu, and then click Search.

    The results are displayed in the Search Results table.


    Note:

    You can use the Status menu, located above the Search Results table, to control the search results based on the account status. See the table in Section 3.4.5, "Working with a Search Results Table" for more information.


  3. To perform another search, click Reset.

3.4.5 Working with a Search Results Table

You can use the drop-down menus and icons located along the top of the different Search Results tables to perform various tasks.

Figure 3-2 Example Search Results Table


The following table describes these features:


Note:

The availability of these features changes based on your role (privileges) and the type of search that was performed. See Section 2.3.1, "Administration Role Types" for more information.


Table 3-5 Search Results Table Features

Feature Name | Search Type | Description

Actions

Accounts, Targets, Policies, Users, Groups, and My Checked-out Accounts

Click to select an action from a drop-down menu.

Note: The Actions menu options duplicate the task icons displayed above the table.

View

Accounts, Targets, Policies, Users, Groups, and My Checked-out Accounts

Use this drop-down menu to control how the columns are displayed in the Search Results table.

  • Columns > Show All: Displays all columns in the table.

  • Columns > Manage Columns: Provides a dialog that enables you to display or hide columns.

  • Reorder Columns: Select this option and a dialog displays that enables you to select the visible columns and shift their order.

Status

Accounts only

Choose an option from the menu to control how the search results are displayed:

  • All: Lists all accounts on the target.

  • Available Accounts: Lists only those accounts that are available to be checked out.

    Note: If you are viewing the account as an administrator, Available Accounts are accounts that can be checked out by any user who has been granted access to that account. If you are viewing the account as a grantee, Available Accounts means you can check out the account.

  • Checked-out Accounts: Lists only those accounts that are currently checked-out.

  • Unavailable Accounts: Lists only those accounts that you have not been granted permission to check out.

Add

Accounts, Targets, Users, and Groups

Click to add a new target, account, user, or group to the Oracle Privileged Account Manager repository.

Open

Accounts, Targets, Policies, Users, and Groups

Click to open the selected account, target, policy, user, or group.

Remove

Accounts, Targets, Policies, Users, and Groups

Click to remove the selected account, target, policy, user, or group from the Oracle Privileged Account Manager repository.

Show Password

Accounts only

Click to open a message listing the account name and the password for that account.

Reset Password

Accounts only

Click to open the Reset Password dialog where you can enter a new password for the selected account.

Create Password Policy

Policies only

Click to create a Password Policy. See Section 5.1.2.2, "Adding Targets to Oracle Privileged Account Manager" for more information.

Create Usage Policy

Policies only

Click to create a Usage Policy. See Section 5.1.2.2, "Adding Targets to Oracle Privileged Account Manager" for more information.

Delete

Policies only

Click to delete a selected policy from the Oracle Privileged Account Manager repository.

Check-In

My Checked-out Accounts only

Click to check in the selected checked-out account. See Section 5.1.3.7, "Checking In Accounts" for more information.



Part II

Basic Administration

This part provides information about performing basic administration tasks for Oracle Privileged Account Manager, and it contains the following chapters:

  • Chapter 3, "Getting Started with Administering Oracle Privileged Account Manager"

  • Chapter 4, "Adding and Managing an Oracle Privileged Account Manager Server"

  • Chapter 5, "Configuring and Managing Oracle Privileged Account Manager"

  • Chapter 6, "Managing Oracle Privileged Account Manager Auditing and Logging"


7 Configuring Oracle Privileged Account Manager for Integrated Solutions

This chapter explains how to configure Oracle Privileged Account Manager for integration with commonly used directory and identity management technologies and contains the following topics:

  • Section 7.1, "Integrating with Oracle Identity Manager"

  • Section 7.2, "Integrating with Oracle Access Management Access Manager"

7.1 Integrating with Oracle Identity Manager

This section describes how you can use Oracle Identity Manager to manage access to the LDAP groups that are also Oracle Privileged Account Manager grantees.

Integration with Oracle Identity Manager enables Oracle Privileged Account Manager to

  • Manage the identity lifecycle from hiring to retirement

  • Provide a native ability to automate adding and removing users to the proper LDAP groups based on their HR system updates

  • Provide the ability to manually request access to accounts

  • Support the ability to get approvals for requests

  • Support reporting that you can use for attestation reporting, either to augment or in lieu of Oracle Privileged Account Manager's own reporting.

The topics in this section include:

  • Section 7.1.1, "Overview"

  • Section 7.1.2, "Configuring Oracle Privileged Account Manager for the Integration"

  • Section 7.1.3, "Integrating the Oracle Identity Manager Core"

  • Section 7.1.4, "Configuring an Oracle Identity Manager Administrator"

  • Section 7.1.5, "Managing Oracle Identity Manager Workflows"

7.1.1 Overview

Oracle Privileged Account Manager is optimized for managing shared and privileged accounts, such as root on a UNIX system.

Oracle Privileged Account Manager determines which users can check out passwords for accounts on a target, based on the grants those users have received. Grants can be made directly or through membership in groups. The groups themselves can be static or dynamic.

Ideally, the LDAP groups should match your enterprise roles. For example, if you have a "Data Center Product UNIX Administrators" enterprise role, you should have a corresponding LDAP group. The benefit of this match is that you can use these groups to control access to other applications besides Oracle Privileged Account Manager target-accounts.


Note:

To create an LDAP group, contact your LDAP administrator.


7.1.2 Configuring Oracle Privileged Account Manager for the Integration

To configure Oracle Privileged Account Manager for integration with Oracle Identity Manager, you must be an Oracle Privileged Account Manager administrator and perform the following tasks:

  • Use a specific Oracle Privileged Account Manager account on an Oracle Privileged Account Manager target.

  • Assign an LDAP group that restricts access to the Oracle Privileged Account Manager target-account to the members of that LDAP group only. You can assign more than one LDAP group.

7.1.3 Integrating the Oracle Identity Manager Core

Oracle Identity Manager provides the following features to support this integration:

  • LDAP connector(s) to manage LDAP groups

  • Population of the resource catalog with the proper enterprise roles and entitlements. Oracle Privileged Account Manager target-accounts are represented as entitlements because Oracle Identity Manager does not grant direct access to the account itself, only to a representation of that account.

Refer to the Oracle Identity Manager documentation for more detailed information about accounts, entitlements, and roles.

7.1.4 Configuring an Oracle Identity Manager Administrator

You must configure an Oracle Identity Manager administrator who can perform the following tasks:

  • Configure an Oracle Identity Manager rule that assigns users to the proper LDAP groups based on a business rule when you add users to Oracle Identity Manager (either manually through the user screen or automatically by using an HR/text feed).

  • Use Oracle Identity Manager's native functionality to build requests for items in the Oracle Identity Manager resource catalog to ensure that the Oracle Identity Manager catalog is properly populated. Oracle Identity Manager enables users to request access to entitlements contained in the Oracle Identity Manager catalog.

  • Set approver fields to the proper values; for example, for situations where one employee requests access to the email account of another employee who will be away from the office for an extended period of time.

  • Handle "firecall" requests, where an Oracle Privileged Account Manager user must access a system that is outside the normal business process.

    Firecall requests are handled based upon your business requirements and business rules. For example, if the Oracle Privileged Account Manager user is authorized for a target, but the access policy prevents that user from getting the password, then the Oracle Privileged Account Manager administrator can temporarily change the access policy for that target-account.

    If the user cannot wait for Oracle Identity Manager, the Oracle Privileged Account Manager administrator can manually direct access (for example, add a specific grantee to the account) instead.

7.1.5 Managing Oracle Identity Manager Workflows

Oracle Privileged Account Manager leverages Oracle Identity Manager for workflow support. The integration points include:

  • Access to privileged accounts granted to roles in Oracle Privileged Account Manager by an Oracle Privileged Account Manager Admin

  • End users can request membership in these roles via Oracle Identity Manager

  • Standard Oracle Identity Manager workflow used to approve these requests

  • Membership in the requested role results in end user getting access to the corresponding privileged accounts in Oracle Privileged Account Manager

Figure 7-1 Oracle Identity Manager Workflow Topology


7.2 Integrating with Oracle Access Management Access Manager

This section explains how Oracle Access Management Access Manager (Access Manager) integrates with Oracle Privileged Account Manager. Using this integration scenario, you can protect Oracle Privileged Account Manager with Access Manager using a WebGate agent.

The topics in this section include:

  • Section 7.2.1, "Before You Begin"

  • Section 7.2.2, "Enabling Single Sign-On"

7.2.1 Before You Begin

Before starting the procedure described in Section 7.2.2, "Enabling Single Sign-On," be aware of the following:

  • The instructions assume that you configured Oracle Internet Directory as the Identity Store; however, other component configurations are possible. Refer to the system requirements and certification documentation on Oracle Technology Network for more information about supported configurations.

  • In addition, the instructions describe a specific example of using Access Manager to protect URLs. Although they outline the general approach for this type of configuration, you are not limited to using the exact steps and components described here. For example, Oracle Internet Directory is one of several identity stores certified with Access Manager 11g.

  • You can use Oracle Adaptive Access Manager as an authentication option with Access Manager. Oracle Adaptive Access Manager provides strong-authentication and risk-based authorization that can be used to provide layered security for Oracle Privileged Account Manager.

    To enable Oracle Adaptive Access Manager with Oracle Privileged Account Manager, select Access Manager as the authentication option for the WebGate that is protecting Oracle Privileged Account Manager.

  • If you deployed Oracle Identity Navigator with Oracle Privileged Account Manager, and you are using Oracle Identity Navigator as the user interface for Oracle Privileged Account Manager, you can also protect Oracle Identity Navigator with Access Manager while enabling Oracle Single Sign-On.

    Refer to "Integrating with Oracle Identity Navigator" in Oracle Fusion Middleware Integration Guide for Oracle Identity Management Suite for instructions.

  • Oracle Privileged Account Manager is protected by the domain agent out-of-the-box.

7.2.2 Enabling Single Sign-On

By default, the Access Manager 11g agent provides Single Sign On functionality for Oracle Privileged Account Manager and the following Identity Management consoles:

  • Oracle Identity Manager

  • Access Manager

  • Oracle Adaptive Access Manager

  • Oracle Authorization Policy Manager

  • Oracle Identity Navigator

The Access Manager agent can only protect consoles in a single domain. If your environment spans multiple domains, you can use Access Manager 11g WebGate for Oracle HTTP Server 11g. Configuring Oracle Privileged Account Manager for WebGate-based single sign-on is the same as configuring Oracle Identity Navigator. Refer to "Integrating with Oracle Identity Navigator" in Oracle Fusion Middleware Integration Guide for Oracle Identity Management Suite.

You can use Access Manager to enable Single Sign On for the Oracle Privileged Account Manager's user interface by using any Access Manager authentication scheme as the challenge method.

The prerequisites are as follows:

  • Oracle HTTP Server has been installed.

    When installing Oracle HTTP Server, deselect Oracle WebCache and the option to associate the selected components with a WebLogic domain.

  • Access Manager 11g has been installed and configured properly.

  • Oracle HTTP Server 11g has been installed and configured as a front-ending proxy web server for Oracle Privileged Account Manager.

  • Access Manager 11g WebGate for Oracle HTTP Server 11g has been installed on the Oracle HTTP Server 11g.


See Also:

Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management for details about installation of the listed components.


The high-level steps for enabling Single Sign On in Oracle Privileged Account Manager are as follows:

  1. Use the Access Manager Administration Console to configure a new resource for the agent under which the Oracle Privileged Account Manager URL is to be protected. For information, see Section 7.2.2.1, "Configure a New Resource for the Agent."

  2. Configure Oracle HTTP Server to point to the Access Manager domain which has the resources and policies configured. For information, see Section 7.2.2.2, "Configure Oracle HTTP Server for the Access Manager Domain."

  3. Use the Administration Console to add the two new identity providers, namely the Access Manager Identity Asserter and the Oracle Internet Directory Authenticator. For information, see Section 7.2.2.3, "Add New Identity Providers."

  4. Use a WLST command to enable access to more than one application using multiple tabs in a browser session. For information, see Section 7.2.2.4, "Configure Access to Multiple Applications."

7.2.2.1 Configure a New Resource for the Agent

Perform these steps in the Access Manager administration console:

  1. Select the Policy Configuration tab.

  2. Under Application Domains, select the agent under which the Oracle Privileged Account Manager URL is to be protected (for example, -OIMDomain).

  3. Choose Resources and click the create icon to add a new resource. Enter the type, host identifier, and value (/oinav/…/*), and then click Apply.

  4. Choose Protected Policy or the policy whose authentication schema is the LDAP schema. In the resources table, click the add icon and choose the Oracle Privileged Account Manager URL (/oinav/…/*) from the drop-down list.

  5. Repeat the step for Authorization Policy.

7.2.2.2 Configure Oracle HTTP Server for the Access Manager Domain

Perform these steps to ensure that Oracle HTTP Server front ends the Oracle WebLogic Server container where Oracle Privileged Account Manager is installed.

  1. Navigate to the Oracle HTTP Server configuration directory (for example, /scratch/mydir1/oracle/product/11.1.1/as_1/instances/instance1/config/OHS/ohs1) and find the mod_wl_ohs.conf file.

  2. In the <IfModule mod_weblogic.c> block, add the host and the port number of the Oracle Privileged Account Manager URL to be protected. For example:

    MatchExpression /oinav* WebLogicHost=host WebLogicPort=port
    
  3. Restart Oracle HTTP Server from the OHS instance bin directory (for example, /scratch/mydir1/oracle/product/11.1.1/as_1/instances/instance1/bin) by executing the following command:

    ./opmnctl restartproc ias-component=ohs1
    

7.2.2.3 Add New Identity Providers

Perform these steps to add two new identity providers:

  1. Using the Administration Console, navigate to Security Realms, then myrealm, then Providers.

  2. Add these two providers: Access Manager Identity Asserter and Oracle Internet Directory Authenticator.

  3. Set the Control Flag of the Access Manager Identity Asserter to Required.

  4. Update the following settings in the Oracle Internet Directory Authenticator:

    • Set the Control Flag to Sufficient

    • Select the Provider specific tab and make the necessary changes, supplying the host, port, and other credentials of the Oracle Internet Directory server. Configure the correct LDAP setting in the Oracle Internet Directory Authenticator.

    The users and groups in the LDAP directory are then reflected in the console.

  5. Re-order the providers as follows:

    1. Access Manager Identity Asserter

    2. Oracle Internet Directory Authenticator

    3. Default Authenticator

    4. Default Identity Asserter

  6. Restart Oracle WebLogic Server.

  7. Enter the protected Oracle Privileged Account Manager URL, which will have the host and port from the Oracle HTTP Server install:

    http://OHSHost:OHSPort/oinav/faces/idmNag.jspx
    

7.2.2.4 Configure Access to Multiple Applications

The following applies when Single Sign On protection is provided by an 11g Access Manager Server. Perform these steps to configure access to applications using multiple tabs in a single browser session by changing to FORM cache mode.

  1. Stop the Access Manager Managed Servers.

  2. Execute the following online Access Manager WLST command:

    configRequestCacheType(type='FORM')
    
  3. Restart the Access Manager Managed Servers.


5 Configuring and Managing Oracle Privileged Account Manager

This chapter explains how to configure and manage Oracle Privileged Account Manager. This information is organized into the following topics:


Note:

You can also use Oracle Privileged Account Manager's command line tool or Oracle Privileged Account Manager's RESTful interface to perform many of the tasks described in this chapter.

If you prefer using these interfaces instead of the Oracle Privileged Account Manager Console, see Appendix A, "Working with the Command Line Tool" or Appendix B, "Working with Oracle Privileged Account Manager's RESTful Interface" for instructions.


5.1 Administering Oracle Privileged Account Manager

This section provides instructions for administrators who must configure and maintain Oracle Privileged Account Manager.

The topics include:

You must be an Oracle Privileged Account Manager administrator with a particular Admin Role to perform the different configuration tasks described in this section.

The following list describes the basic workflow that is performed by Oracle Privileged Account Manager administrator users based on their different Admin Roles:


Note:

An administrator with the Application Configurator Admin Role should have already configured a connection to the Oracle Privileged Account Manager server. See Section 4.4.1, "Configuring a Connection to the Oracle Privileged Account Manager Server" for more information.


Table 5-1 Administrator Workflows Based on Admin Roles

Administrator | Responsibility

Security Administrator

  1. Evaluates Oracle Privileged Account Manager's Default Usage Policy and Default Password Policy and, if necessary, modifies these policies or creates new ones.

  2. Adds targets to Oracle Privileged Account Manager.

  3. Adds privileged accounts on that target.

    Note: This role cannot assign grantees to privileged accounts.

  4. Assigns Usage Policy and Password Policy to the accounts.

  5. Manages existing targets, accounts, and policies.

User Manager

  1. Assigns grants to accounts.

  2. Creates and manages Usage Policies as needed.

  3. Assigns Usage Policy to grants.

  4. Manages existing grants and Usage Policy assignments.

Security Auditor

Reviews Oracle Privileged Account Manager reports.



Note:

For more information about these Admin Roles, see Section 2.3.1, "Administration Role Types."


5.1.1 Working with Policies

This section provides information about working with Oracle Privileged Account Manager Usage Policies and Password Policies.

The topics include:

5.1.1.1 Policies Overview

In Oracle Privileged Account Manager, there are two types of policies:

  • Password Policy. This policy type captures the password construction rules enforced by a specific target on an associated privileged account, for example, the minimum and maximum number of numeric characters. You use a Password Policy to create a password value that Oracle Privileged Account Manager uses to reset a password for a privileged account.

  • Usage Policy. This policy type defines when and how a grantee can use a privileged account. (Default access is 24x7.)

Every privileged account that is managed by Oracle Privileged Account Manager must have an associated Password Policy. A Usage Policy only applies at the level of a grant. You can associate a single Password Policy with multiple privileged accounts and a single Usage Policy with multiple grants.

Oracle Privileged Account Manager provides a Default Password Policy and a Default Usage Policy. You can choose to use the default policies, to modify these policies, or to create your own, specialized policies.

To review the parameter settings for these policies, see Section 5.1.1.2, "Viewing Policies."


Note:

Only administrators with the Security Administrator Admin Role or the User Manager Admin Role can work with policies.

  • An administrator with the Security Administrator Admin Role can modify the Default Password Policy and Default Usage Policy, create new policies, or delete policies.

    Administrators with the Security Administrator Admin Role can assign Password Policies, but they cannot assign Usage Policies.

  • An administrator with the User Manager Admin Role can only assign a Usage Policy to accounts at the grantee-account pair level. In other words, the User Manager can assign different Usage Policies to different grantees of the same account.

    Administrators with the User Manager Admin Role cannot assign Password Policies.


5.1.1.2 Viewing Policies

To review the parameter settings for a Password Policy or a Usage Policy:

  1. Select Password Policies or Usage Policies from the Home tree.

  2. When the Policies page displays, use one of the following methods to open a policy:

    • Click the Row number next to the policy name and then click the Open icon located above the Search Results table.

    • Click the policy name (an active link) in the Search Results table.

      For example, clicking the Default Password Policy link opens the Password Policy: Default Password Policy page.

    A Password Policy page contains three tabs:

    • General. Contains parameters used to specify general information about the policy and Password Lifecycle Rules for the policy.

    • Password Complexity Rules. Contains parameters that govern the complexity requirements for account passwords.

    • Privileged Accounts. Provides information about the privileged accounts currently using the Default Password Policy.

    A Usage Policy page also contains three tabs:

    • General Fields. Contains parameters used to specify general information about the policy.

    • Usage Rules. Contains parameters that govern when the account can be checked out and when the check out expires.

    • Grantees. Provides information about the grantees who are authorized to use that account.

5.1.1.3 Modifying the Default Password Policy

After evaluating the Default Password Policy, you may decide you want to modify the settings to better suit your environment.

To modify the Default Password Policy, use the following steps:

  1. Select Password Policies from the Home tree.

  2. When the Policies page displays, select the Default Password Policy link in the Search Results table to open the Password Policy: Default Password Policy page.

  3. Select the General tab to edit the Policy Description field in the General Fields area or to modify any of the following Password Lifecycle Rules:

    • Password maximum age: Use the two menus to specify a duration period (number of days, hours, or minutes) after which Oracle Privileged Account Manager must automatically reset the account password.

      For example, if your enterprise wants a security policy where account passwords must be changed every month, you would set this value to 30 days.

      Every time the account is checked out and its password gets changed (if the policy is configured so that passwords must be changed on check-out or check-in), Oracle Privileged Account Manager tracks the password change time.


      Note:

      An administrator with the Security Administrator Admin Role can also manually reset a password by using the Reset Password option (described in Section 5.1.3.5.2, "Resetting an Account Password") and Oracle Privileged Account Manager tracks this password change time as well.


      If Oracle Privileged Account Manager detects the account is idle and no password changes have occurred over the specified number of days, then Oracle Privileged Account Manager automatically resets the password to a new, randomized value, which helps the enterprise to automatically enforce the security policy without human intervention.

      To disable this automatic reset option, set the numeric value to 0.

    • Reset password on check-in: Use this option to specify whether Oracle Privileged Account Manager must auto-generate and set a randomized password during a check-in operation.

      Uncheck this box if you do not want the password to be reset during the check-in operation.

    • Reset password on check-out: Use this option to specify whether Oracle Privileged Account Manager must auto-generate and set a randomized password during a check-out operation.

      Uncheck this box if you do not want the password to be reset during the check-out operation.


    Note:

    • For higher security, the Password must be changed on check-in and Password must be reset on check-out options are both enabled by default to require password changes, but they can be disabled if required. For example, some enterprises may only require that passwords be reset every 30 days.

    • If your enterprise prefers that passwords not be automatically managed at all, and that they are changed only through human intervention, disable all three of these Password Lifecycle Rules options.

      After disabling these three options, the only way to manually change passwords is by using the Reset Password option (described in Section 5.1.3.5.2, "Resetting an Account Password"). Oracle Privileged Account Manager is still useful in this case, as you can reset and centrally manage passwords for multiple systems from one place by using Oracle Privileged Account Manager.


  4. Select the Password Complexity Rules tab to change one or more of the parameters that define the default password requirements.

    • Characters for Password: Specify the minimum and maximum number of characters required.

    • Alphabetic Characters: Specify the minimum number of alphabetic characters required.

    • Numeric Characters: Specify the minimum number of numeric characters required.

    • Alphanumeric Characters: Specify the minimum number of alphanumeric characters required.

    • Special Characters: Specify the minimum and maximum number of special characters (such as * or @) required.

    • Repeated Characters: Specify the minimum and maximum number of repeated characters allowed.

    • Unique Characters: Specify the minimum number of unique characters required.

    • Uppercase Characters: Specify the minimum number of uppercase characters required.

    • Lowercase Characters: Specify the minimum number of lowercase characters required.

    • Start with Character (not digit): Specify the first character required to start a password.

    • Required Characters: Specify characters that are required in a password.

    • Allowed Characters: Specify which characters are permitted in a password.

    • Disallowed Characters: Specify which characters are not permitted in a password.

    • Disallowed as Password: Enable (check) the Account Name box to prohibit the use of an account name in the password.
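
The complexity parameters above are easier to reason about when written as a single check. The following validator is an added example, not Oracle Privileged Account Manager's own code or API: the rule names mirror the tab's labels but are assumed, a "special" character is taken to be any non-alphanumeric character, and "repeated characters" is taken to mean positions that duplicate a character already seen (the page does not define either precisely).

```python
# Added example: validator for the Password Complexity Rules parameters.
# Field names are assumed (they mirror the UI labels); not OPAM's own code.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ComplexityRules:
    min_length: int = 8                  # Characters for Password (minimum)
    max_length: int = 64                 # Characters for Password (maximum)
    min_alpha: int = 1                   # Alphabetic Characters
    min_numeric: int = 1                 # Numeric Characters
    min_alnum: int = 0                   # Alphanumeric Characters
    min_special: int = 1                 # Special Characters (minimum)
    max_special: Optional[int] = None    # Special Characters (maximum)
    min_repeated: int = 0                # Repeated Characters (minimum)
    max_repeated: Optional[int] = None   # Repeated Characters (maximum)
    min_unique: int = 0                  # Unique Characters
    min_upper: int = 1                   # Uppercase Characters
    min_lower: int = 1                   # Lowercase Characters
    start_with_letter: bool = True       # Start with Character (not digit)
    required_chars: str = ""             # Required Characters: each must appear
    allowed_chars: Optional[str] = None  # Allowed Characters: None = any character
    disallowed_chars: str = ""           # Disallowed Characters
    disallow_account_name: bool = True   # Disallowed as Password: Account Name


def check_password(password: str, rules: ComplexityRules,
                   account_name: Optional[str] = None) -> List[str]:
    """Return the list of rule violations; an empty list means the password passes.

    Assumptions: a special character is any non-alphanumeric character, and
    "repeated" counts positions that duplicate an earlier character.
    """
    v: List[str] = []
    n = len(password)
    alpha = sum(c.isalpha() for c in password)
    digits = sum(c.isdigit() for c in password)
    special = sum(not c.isalnum() for c in password)
    upper = sum(c.isupper() for c in password)
    lower = sum(c.islower() for c in password)
    unique = len(set(password))
    repeated = n - unique

    if not rules.min_length <= n <= rules.max_length:
        v.append(f"length {n} not in [{rules.min_length}, {rules.max_length}]")
    if alpha < rules.min_alpha:
        v.append(f"needs at least {rules.min_alpha} alphabetic characters")
    if digits < rules.min_numeric:
        v.append(f"needs at least {rules.min_numeric} numeric characters")
    if alpha + digits < rules.min_alnum:
        v.append(f"needs at least {rules.min_alnum} alphanumeric characters")
    if special < rules.min_special:
        v.append(f"needs at least {rules.min_special} special characters")
    if rules.max_special is not None and special > rules.max_special:
        v.append(f"allows at most {rules.max_special} special characters")
    if repeated < rules.min_repeated:
        v.append(f"needs at least {rules.min_repeated} repeated characters")
    if rules.max_repeated is not None and repeated > rules.max_repeated:
        v.append(f"allows at most {rules.max_repeated} repeated characters")
    if unique < rules.min_unique:
        v.append(f"needs at least {rules.min_unique} unique characters")
    if upper < rules.min_upper:
        v.append(f"needs at least {rules.min_upper} uppercase characters")
    if lower < rules.min_lower:
        v.append(f"needs at least {rules.min_lower} lowercase characters")
    if rules.start_with_letter and (not password or not password[0].isalpha()):
        v.append("must start with a letter, not a digit")
    missing = [c for c in rules.required_chars if c not in password]
    if missing:
        v.append(f"missing required characters: {''.join(missing)}")
    if rules.allowed_chars is not None:
        bad = sorted({c for c in password if c not in rules.allowed_chars})
        if bad:
            v.append(f"contains characters outside the allowed set: {''.join(bad)}")
    bad = sorted({c for c in password if c in rules.disallowed_chars})
    if bad:
        v.append(f"contains disallowed characters: {''.join(bad)}")
    if (rules.disallow_account_name and account_name
            and account_name.lower() in password.lower()):
        v.append("must not contain the account name")
    return v


if __name__ == "__main__":
    # Constructed sample: a generated candidate for the (constructed) account "admin".
    print(check_password("Admin*2024x", ComplexityRules(), account_name="admin"))
```

Because the account-name check is case-insensitive and the "start with character" rule is evaluated on the first character only, a policy that also sets a minimum of repeated characters should be checked against the generator that produces the passwords, since a generator tuned for high entropy will rarely satisfy a repeated-character minimum.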


  5. Select the Privileged Accounts tab to review which accounts are currently using the Default Password Policy.


    Note:

    To specify a different Password Policy for any account listed in the table, click the Account Name link. When the Account page displays, select a different policy name from the Password Policy menu.


  6. When you are finished editing the policy, click Apply to save your changes.

5.1.1.4 Modifying the Default Usage Policy

To modify the default Usage Policy,

  1. Select Usage Policies from the Home tree.

  2. When the Policies tab displays, select the Default Usage Policy link in the Search Results table to open the Usage Policy: Default Usage Policy page with three tabs.

  3. On the General Fields tab, you can only change content in the Description field.

  4. Select the Usage Rules tab to change one or more of the following parameter settings:

    • Timezone: Select a different time zone from the menu.

    • Permitted Usage Dates: Use the checkboxes and drop menus to change when grantees are allowed to use the account. Select one or more days of the week and the periods of time when grantees can access this account. (Default access is 24x7.)

    • Expiration Dates: Enable one of the following options to change when grantees' access to the account expires:

      • Automatically check in account. Use the counter to specify the number of minutes after last check out.

      • Automatically check in account on this date. Click the Calendar icon to open a Select Date and Time dialog.

        Use the month and year menus or click a day in the calendar to specify an expiration date.

        Use the hours, minutes, and seconds menus and enable the AM or PM buttons to specify an expiration time.



    Note:

    If you are configuring a Usage Policy for a shared privileged account, it is prudent to configure an Automatic check-in option to ensure the account gets checked in and the password gets cycled in a timely manner.

    In addition, consider limiting how many users can access the shared account and further segregate these users by specifying when they can access the account. By specifying which days of the week and what times of the day each user can access the account, you minimize overlapping checkouts and improve Oracle Privileged Account Manager's auditing ability.

    For more information about shared accounts, see Section 2.4.2, "Securing Shared Accounts."
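
The Usage Rules parameters (time zone, permitted days and time periods, and the two automatic check-in options) combine into two questions a server must answer: is a check-out permitted right now, and when will it be checked in automatically? The code below is an added example of evaluating those rules, not Oracle Privileged Account Manager's own implementation; the class and function names are assumptions, and the sample policy uses a fixed UTC-5 offset so it runs without a time-zone database (a named zone from `zoneinfo` works the same way).

```python
# Added example: evaluating a Usage Policy's Usage Rules for a check-out.
# Names are assumed; this is not OPAM's own code.
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta, timezone, tzinfo
from typing import Dict, List, Optional, Tuple

Window = Tuple[time, time]   # (start, end) in the policy's local time; inclusive


@dataclass
class UsageRules:
    tz: tzinfo                                                     # Timezone
    permitted: Dict[int, List[Window]] = field(default_factory=dict)  # weekday() -> windows, 0 = Monday
    auto_checkin_after_minutes: Optional[int] = None               # "Automatically check in account"
    auto_checkin_at: Optional[datetime] = None                     # "... on this date" (aware datetime)


def all_day_every_day() -> Dict[int, List[Window]]:
    """The 24x7 default access described in the Permitted Usage Dates row."""
    return {d: [(time.min, time.max)] for d in range(7)}


def is_checkout_permitted(rules: UsageRules, now: datetime) -> bool:
    """True if `now` (an aware datetime) falls in a permitted window, judged in the policy's time zone."""
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    local = now.astimezone(rules.tz)        # the policy's Timezone decides the weekday and clock time
    t = local.time()                        # naive local clock time
    return any(start <= t <= end for start, end in rules.permitted.get(local.weekday(), []))


def checkout_expiry(rules: UsageRules, checked_out_at: datetime) -> Optional[datetime]:
    """Earliest automatic check-in time for a check-out at `checked_out_at`, or None if neither option is set."""
    candidates: List[datetime] = []
    if rules.auto_checkin_after_minutes is not None:
        candidates.append(checked_out_at + timedelta(minutes=rules.auto_checkin_after_minutes))
    if rules.auto_checkin_at is not None:
        candidates.append(rules.auto_checkin_at)
    return min(candidates) if candidates else None


# Constructed sample policy: 08:00-18:00 Monday to Friday in a fixed UTC-5 zone,
# with automatic check-in 120 minutes after check-out.
BUSINESS_HOURS = UsageRules(
    tz=timezone(timedelta(hours=-5)),
    permitted={d: [(time(8, 0), time(18, 0))] for d in range(5)},
    auto_checkin_after_minutes=120,
)


def demo() -> dict:
    """Constructed check-out requests evaluated against BUSINESS_HOURS."""
    monday_morning = datetime(2024, 3, 11, 14, 0, tzinfo=timezone.utc)  # 09:00 local, Monday
    sunday_evening = datetime(2024, 3, 11, 0, 0, tzinfo=timezone.utc)   # 19:00 local, Sunday
    return {
        "monday_permitted": is_checkout_permitted(BUSINESS_HOURS, monday_morning),
        "sunday_permitted": is_checkout_permitted(BUSINESS_HOURS, sunday_evening),
        "expiry": checkout_expiry(BUSINESS_HOURS, monday_morning).isoformat(),
        "no_expiry": checkout_expiry(UsageRules(tz=BUSINESS_HOURS.tz), monday_morning) is None,
        "default_24x7": is_checkout_permitted(
            UsageRules(tz=BUSINESS_HOURS.tz, permitted=all_day_every_day()), sunday_evening),
    }


if __name__ == "__main__":
    print(demo())
```

The Sunday case is the one to notice: 00:00 UTC on Monday is still Sunday evening in the policy's zone, so a check-out that looks like a weekday request in server time is refused. This is why the Timezone field matters when grantees and the server sit in different regions.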


  5. Select the Grantees tab to view the grantees to which this policy is assigned.


    Note:

    To specify a different Usage Policy for any grantee listed in the table, click the Account Name link. When the Account page displays, select a different policy name from the Usage Policy menu.



    Tip:

    Clicking the active links in the Grantee Name or Account Name columns enables you to navigate to other screens for additional information.


  6. When you are finished editing the policy, click Apply to save your changes.

5.1.1.5 Creating a Password Policy

To create a Password Policy, use the following steps:

  1. Select the Password Policies node from the Home tree.

  2. When the Policies tab displays, click Create Password Policy at the top of the Search Results table.

    A new Password Policy: Untitled page displays with three tabs.

  3. Provide the following information on the General tab:

    1. Policy Name: Enter a name for the new policy.

    2. Policy Status: Click the button to specify whether the policy is Active or Disabled.

      Disabling a policy applies the Default Password Policy to all accounts and grants associated with that disabled policy. If you simply assigned a different policy to those accounts and grants, you would lose all information about the old policy assignment.

      Making the policy Active puts that policy into effect for the associated accounts and grants.

    3. Configure the Password Lifecycle Rules to allow Oracle Privileged Account Manager to auto-generate and set a randomized account password under certain conditions, as described in step 3.

  4. Use the parameters on the Password Complexity Rules tab to define the complexity rules requirements for passwords. Refer to the table provided in step 4 for a description of these parameter settings.

  5. Assign the policy to accounts or grantees using the instructions provided in Section 5.1.1.8, "Assigning Policies."

    After you assign this policy, you can select the Privileged Accounts tab to review which accounts are using this policy.

  6. Click Save.

5.1.1.6 Creating a Usage Policy

To create a Usage Policy, use the following steps:

  1. Select the Usage Policies node from the Home tree.

  2. When the Policies tab displays, click Create Usage Policy at the top of the Search Results table.

    A new Usage Policy: Untitled page displays with three tabs.

  3. Provide the following information on the General tab:

    1. Policy Name: Enter a name for the new policy.

    2. Policy Status: Click the button to specify whether the policy status is Active or Disabled.

      Disabling a policy applies the Default Usage Policy to all accounts and grants associated with that disabled policy. If you simply assigned a different policy to those accounts and grants, you would lose all information about the old policy assignment.

      Making the policy Active puts that policy into effect for the associated accounts and grants.

    3. Description: Enter a description of the policy.

  4. Select the Usage Rules tab. Use the options on this page to define rules for using a privileged account. Refer to the table provided in step 4 for a description of these parameter settings.

  5. Assign the policy to accounts or grantees using the instructions provided in Section 5.1.1.8, "Assigning Policies."

    After you assign this policy, you can select the Grantees tab to review which users or groups are using this policy.

  6. Click Save.

5.1.1.7 Searching for Policies

Use the following steps to search for a policy:

  1. In the Home tree,

    • Select Policies to search all policies.

    • Select the Password Policies node or the Usage Policies node to search for policies that are the selected policy type.

  2. When the Search Policies portlet displays, enter your search criteria into one or more of the following fields.

    • Policy Name: Enter all or any part of a policy name.

    • Policy Status: Select All to search all policies. Select Active or Inactive to limit the search to just active or inactive policies.

    • Policy Type: Select All to search all policies, or specify Password Policy or Usage Policy to limit the search to just the selected policy type.


      Note:

      Selecting Password Policies or Usage Policies in step 1 automatically enters that policy type into the Policy Type field.


  3. Click Search.

Review your search results in the Search Results table.

5.1.1.8 Assigning Policies

As previously stated, when you add a new privileged account, the Default Password Policy and Default Usage Policy are automatically assigned to that account.

To assign a different Password Policy or Usage Policy, you must first create the policy as described in Section 5.1.1.5, "Creating a Password Policy" or in Section 5.1.1.6, "Creating a Usage Policy."


Note:

  • Administrators with the Security Administrator Admin Role can assign a Password Policy or a Usage Policy to an account. However, this role can only apply a Usage Policy at the account level.

  • Administrators with the User Manager Admin Role can assign a Usage Policy to accounts at the grantee-account pair level. In other words, the User Manager can assign different Usage Policies to different grantees of the same account.

    The User Manager Admin Role cannot assign Password Policies.


5.1.1.8.1 Assigning Password Policies to Accounts

You can assign Password Policies to an account from the Accounts page, from the Targets page, or from the Policies page.

From the Accounts Page

To assign a Password Policy from the Accounts page,

  1. Use one of the following methods to locate the account:

    • Select the Accounts node in the Home tree, and then use the Search Accounts portlet to search for the account. See Section 5.1.3.3, "Searching for Privileged Accounts" for instructions.

    • Select the account's Target Type node or Domain node in the Home tree.

      For example, if you know the account is assigned to an LDAP target, select the ldap node.

  2. When the Search Results display, click the account's Account Name link in the table to open the Account: AccountName page.

  3. On the General tab, select a different policy name from the Password Policy menu.

  4. After selecting the new policy, click Test to verify that the account can be managed by Oracle Privileged Account Manager. You should see a Test Succeeded dialog confirming the test was successful.

  5. Click Apply to finish assigning the policy to the selected account.

From the Targets Page

To assign a Password Policy from the Targets page,

  1. Use one of the following methods to locate the account:

    • Select the Targets node in the Home tree, and then use the Search Targets portlet to search for the account target. See Section 5.1.2.3, "Searching for Targets" for instructions.

    • Select the account's Target Type node or Domain node in the Home tree.

      For example, if you know the account is assigned to a UNIX target, select the unix node.

  2. Click the account's Target Name link in the Search Results table to open the Target: TargetName page.

  3. Click the Privileged Accounts tab to view a list of the accounts currently managed on the target.

    Notice that the table lists the Password Policy that is currently assigned to each account.

  4. Locate the account and click the Account Name link.

  5. When the General tab displays, select a different policy name from the Password Policy menu.

  6. After selecting the new policy, click Test to verify that the account can be managed by Oracle Privileged Account Manager. You should see a Test Succeeded dialog confirming the test was successful.

  7. Click Apply to finish assigning the policy to the selected account.

From the Policies Page

To assign a Password Policy from the Policies page,

  1. Select the Password Policies node in the Home tree.

  2. Locate the policy you want to assign in the Search Results table. Click the Policy Name link to open the Password Policy: PolicyName page.

  3. Select the Privileged Accounts tab.

  4. Locate the account and click the Account Name link to open the Account: AccountName page.

  5. When the General tab displays, select a different policy name from the Password Policy menu.

  6. After selecting the new policy, click Test to verify that the account can be managed by Oracle Privileged Account Manager. You should see a Test Succeeded dialog confirming the test was successful.

  7. Click Apply to finish assigning the policy to the selected account.

5.1.1.8.2 Assigning a Usage Policy to Users and Groups

When you add grantees to an account, as described in Section 5.1.4.2, "Granting Accounts to Users" or Section 5.1.4.3, "Granting Accounts to Groups," Oracle Privileged Account Manager adds the user or group name to the Users or Groups table on the Grants tab and automatically assigns the Default Usage Policy.

You can assign a different Usage Policy from the Accounts page or from the Usage Policies page.


Note:

When you create a new Usage Policy for an account, the new policy will not automatically be assigned to the existing grantees on that account. Oracle Privileged Account Manager allows you to assign customized policies to individual grantees, so you do not want the new policy to override those other policy assignments.

However, if you create a new policy for an account and then add new grantees, those (and future) grantees will automatically be associated with that policy because it has become the new default Usage Policy for the account.


From the Accounts Page

To assign a Usage Policy from the Accounts page,

  1. Use one of the following methods to locate the account:

    • Select the Accounts node in the Home tree, and then use the Search Accounts portlet to search for the account. See Section 5.1.3.3, "Searching for Privileged Accounts" for instructions.

    • Select the account's Target Type node or Domain node in the Home tree.

      For example, if you know the account is assigned to an LDAP target, select the ldap node.

  2. Locate the account's Account Name link to open the Account: AccountName page.

  3. Select the Grants tab.

  4. Locate the grantee in the Users or Groups table, and use the Usage Policy menu in that row to select a different policy.

  5. Click Apply to add your changes.

From the Targets Page

To assign a Usage Policy from the Targets page,

  1. Use one of the following methods to locate the account:

    • Select the Targets node in the Home tree, and then use the Search Targets portlet to search for the account target. See Section 5.1.2.3, "Searching for Targets" for instructions.

    • Select the account's Target Type node or Domain node in the Home tree.

      For example, if you know the account is assigned to a UNIX target, select the unix node.

  2. Click the account's Target Name in the Search Results table to open that target.

  3. When the Target: TargetName page displays, click the Grants tab to view a list of the grantees currently granted access to that account.

    Notice that the table lists the Usage Policy that is currently assigned to each grantee.

  4. Locate the grantee in the Users or Groups table, and use the Usage Policy menu in that row to select a different policy.

  5. Click Apply to finish assigning the policy to the selected account.

From the Policies Page

To assign a Usage Policy from the Policies page,

  1. Select the Usage Policies node in the Home tree.

  2. When the search results display, locate the policy you want to assign in the Search Results table. Click the Policy Name link to open the Usage Policy: PolicyName page.

  3. Select the Grantees tab.

  4. Locate the user or group name in the Grantees table and then click that grantee's Account Name link to open the account.

  5. When the Account: AccountName page displays, click the Grants tab.

  6. Locate the grantee in the Users or Groups table, and use the Usage Policy menu in that row to select a different policy.

  7. Click Apply to add your changes.

5.1.1.9 Deleting Policies

To delete a policy, use the following steps:

  1. Locate and select the policy to be deleted.

  2. Click the Delete icon.

  3. When the Confirm Remove dialog displays, click the Remove button.

    The policy will be deleted and all accounts using that policy will revert to using the applicable Default Policy.

5.1.2 Working with Targets

This section describes the different tasks you can perform when working with targets in Oracle Privileged Account Manager.


Note:

You must be an Oracle Privileged Account Manager administrator with the Security Administrator Admin Role to add, edit, or remove targets.



5.1.2.1 What Are Targets?

A target is a software system that contains, uses, and relies on user, system, or application accounts.

You cannot create targets in, or delete targets from, your environment by using Oracle Privileged Account Manager. Rather, Oracle Privileged Account Manager manages existing targets that were provisioned using other mechanisms.

When you "add" a target in Oracle Privileged Account Manager, you are creating a reference to that target. In effect, you are registering the target and asking Oracle Privileged Account Manager to manage it. When you "remove" a target from Oracle Privileged Account Manager, you are only removing that reference.

5.1.2.2 Adding Targets to Oracle Privileged Account Manager


Note:

When adding a target of any Target Type, you must configure a service account (also called an unattended account) with privileges that enable that account to

  • Search for accounts on the target system

  • Modify the passwords of accounts on the target system

For additional information about service accounts, see the description on page 1-3.


Use the following steps to add a target for Oracle Privileged Account Manager to manage:

  1. Log in to Oracle Privileged Account Manager and expand the Home accordion.

  2. Select the Targets node to open the Targets page.

  3. Click Add, located in the Search Results table toolbar, to open a new Target: Untitled page with two tabs:

    • General. Contains two areas with parameters used to specify Basic Configuration and Advanced Configuration information for the target.

    • Privileged Accounts. Lists the privileged accounts currently being managed on the target and enables you to add, open, and remove the accounts that are managed by that target.

  4. Select a target type (ldap, unix, or database) from the Target Type menu.

    The Target: Untitled page refreshes and the target configuration parameters change, based on the selected target type. You must specify all of the required attributes (indicated by an asterisk * symbol).

    The following parameters are common to all target types:

    • Target Name: Enter a name for the new target.

    • Description: Enter a description for this target.

    • Organization: Enter the name of an organization to associate with the target.

    • Domain: Enter the domain of the target server.

    • Host: Enter the host name of the target server.

    The following table describes the remaining Basic Configuration parameters that are unique to each target type.

    Table 5-2 Basic Configuration Parameters for Targets

    For ldap Target Types:

    • TCP Port: Enter the TCP/IP port to use when communicating with the LDAP server. You can use the up/down arrow icons to increment this value.

    • SSL: Enable this box to use Secure Socket Layer (SSL) when connecting to the LDAP server.

      Note: For SSL connectivity, you must import an SSL certificate to the WebLogic server running Oracle Privileged Account Manager. For more information, see Section 3.3.2, "Configuring SSL Communication in Oracle Privileged Account Manager."

    • Principal: Enter the distinguished name (DN) to use when authenticating to the LDAP server. For example, cn=admin

    • Password: Enter the user's password.

    • Base Contexts: Enter one or more starting points in the LDAP tree to use when searching the tree for users on the LDAP server or when looking for groups where the user is a member. Use a pipe (|) to separate values.

    • Account User Name Attribute: Enter the attribute to be used as the account's user name. (Default is uid.)

    For unix Target Types:

    • Port: Enter the port used to connect with the UNIX server. For example, use port 22 for ftp, and port 23 for telnet. You can use the up/down arrow icons to increment this value.

    • Login User: Enter the user name to use when connecting to this target.

    • Login User Password: Enter the user's password.

    • Login Shell Prompt: Enter the shell prompt to display when you log in to the target. For example, $ or #.

    • Sudo authorization: Enable this box if the user requires sudo authorization. Do not enable this box for the root user.

    For database Target Types:

    • Database Connection URL: Enter the JDBC URL used to identify the target system location. For example, for Oracle: jdbc:oracle:thin:@<host>:<port>:<sid>

      Refer to the Oracle Identity Manager Connector Guide for Database User Management for information about which special options are supported.

    • Admin User Name: Enter the administrator's name to use when connecting to this target.

      Note: If you are using the sys user name, you must enter internal_logon=sysdba in the Connection Properties field located in the Advanced Configuration area. This entry is not required for "system."

    • Admin User Password: Enter the user's password.

    • Database Type: Select the type of database (Oracle or MSSQL) for which the connector will be used. This connector supports the Oracle, MSSQL, MySQL, DB2, and Sybase database types. You can also configure this connector to work with custom database types.


  5. You can also specify these optional, advanced configuration parameters.

    Table 5-3 Advanced Configuration Parameters for Targets

    For ldap Target Types:

    • Uid Attribute: Enter the name of the LDAP attribute that is mapped to the Uid attribute.

    • LDAP Filter for Retrieving Accounts: Enter an optional LDAP filter to control which accounts are returned from the LDAP resource. If you do not specify a filter, Oracle Privileged Account Manager returns only those accounts that include all of the specified object classes.

    • Password Attribute: Enter the name of the LDAP attribute that holds the password. When changing a user's password, Oracle Privileged Account Manager sets the new password to this attribute.

    • Account Object Classes: Enter one or more object classes to use when creating new user objects in the LDAP tree. Type each object class on its own line. Do not use commas or semicolons to separate entries. Some object classes require that you specify them in their class hierarchy, using a pipe (|) to separate the values.

    For unix Target Types:

    • Command timeout: Specify how long (in milliseconds) to wait for the command to complete before terminating that command.

    For database Target Types:

    • Connection Properties: Enter connection properties to use while configuring a secured connection. These properties must be name-value pairs given in the following format: prop1=val1#prop2=val2.


  6. When you are finished, click Test to check the target's configuration.

    If the target's configuration settings are valid, a Test Succeeded message displays.

  7. Click Save to add your new target on the Oracle Privileged Account Manager server.

You can now associate this target with a privileged account. For instructions, proceed to Section 5.1.3.2, "Adding Privileged Accounts into Oracle Privileged Account Manager."
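
Several of the fields in Tables 5-2 and 5-3 carry small formats of their own (pipe-separated Base Contexts, `#`-separated Connection Properties, a JDBC URL) and two cautions that are easy to miss when the values are typed by hand: the sys administrator name on an Oracle target needs internal_logon=sysdba, and Sudo authorization must not be enabled for root. The following pre-save check is an added example, not Oracle Privileged Account Manager's own code; the function names, the dictionary keys (taken from the field labels) and the sample target values are all constructed for illustration.

```python
# Added example: parse and sanity-check target field values before clicking
# Test/Save. Function and key names are assumed; not OPAM's own code.
from typing import Dict, List


def parse_pipe_list(value: str) -> List[str]:
    """Split a pipe-separated field (Base Contexts, object-class hierarchies) into entries."""
    return [item.strip() for item in value.split("|") if item.strip()]


def parse_connection_properties(value: str) -> Dict[str, str]:
    """Parse the 'prop1=val1#prop2=val2' format; reject pairs without '='."""
    props: Dict[str, str] = {}
    if not value.strip():
        return props
    for pair in value.split("#"):
        if "=" not in pair:
            raise ValueError(f"malformed connection property: {pair!r}")
        name, _, val = pair.partition("=")
        props[name.strip()] = val.strip()
    return props


def _missing(cfg: dict, required: tuple) -> List[str]:
    return [f"missing required field: {name}" for name in required if not cfg.get(name)]


def check_database_target(cfg: dict) -> List[str]:
    """Findings for a database target (Table 5-2 basic fields plus Connection Properties)."""
    findings = _missing(cfg, ("Target Name", "Host", "Database Connection URL",
                              "Admin User Name", "Database Type"))
    url = cfg.get("Database Connection URL", "")
    if url and not url.startswith("jdbc:"):
        findings.append("Database Connection URL must be a JDBC URL")
    props = parse_connection_properties(cfg.get("Connection Properties", ""))
    # The note on Admin User Name: sys needs internal_logon=sysdba; system does not.
    if cfg.get("Admin User Name", "").lower() == "sys" and props.get("internal_logon") != "sysdba":
        findings.append("Admin User Name 'sys' requires internal_logon=sysdba in Connection Properties")
    return findings


def check_unix_target(cfg: dict) -> List[str]:
    """Findings for a unix target, including the sudo-for-root caution."""
    findings = _missing(cfg, ("Target Name", "Host", "Port", "Login User"))
    if cfg.get("Sudo authorization") and cfg.get("Login User") == "root":
        findings.append("Sudo authorization must not be enabled for the root user")
    return findings


def check_ldap_target(cfg: dict) -> List[str]:
    """Findings for an ldap target: required fields, base contexts, and the SSL box."""
    findings = _missing(cfg, ("Target Name", "Host", "TCP Port", "Principal"))
    if not parse_pipe_list(cfg.get("Base Contexts", "")):
        findings.append("Base Contexts must list at least one starting point")
    if not cfg.get("SSL"):
        # A simple bind without SSL sends the Principal's password in the clear.
        findings.append("SSL is disabled: bind credentials and password changes cross the network unprotected")
    return findings


if __name__ == "__main__":
    # Constructed sample: an Oracle target whose administrator is sys.
    sample = {"Target Name": "hr-db", "Host": "db01.example.test",
              "Database Connection URL": "jdbc:oracle:thin:@db01.example.test:1521:HRSID",
              "Admin User Name": "sys", "Database Type": "Oracle"}
    print(check_database_target(sample))
```

Running the check before Test keeps the Test Succeeded dialog meaningful: a connection test that passes with a root login and sudo enabled, or with an ldap target bound over plain TCP, is still a configuration that the tables above tell you not to use.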

5.1.2.3 Searching for Targets

If you have administrator privileges, you can search for targets using the following criteria or a combination of these items:

  • Target Name

  • Target Type

  • Host Name

  • Domain

To search for a target,

  1. Select the Targets node, a target type node, or a domain node in the Home tree.

  2. When the Targets tab displays, use the parameter fields in the Search Targets portlet to specify your search criteria.


    Note:

    If you started by selecting a target type node or a domain node, notice that Oracle Privileged Account Manager automatically inserts that information in the Target Type field or the Domain field.


  3. Click Search.

    Review your search results in the Search Results table.

5.1.2.4 Opening a Target

You can open a target to review and edit the target's configuration parameters and its associated privileged account parameters.

Use one of the following methods to open a target:

  • Click the target name (an active link) in the Search Results table.

  • Select the target row and then click the Open icon.

The Target: targetname page opens where you can access the target and privileged account information.

5.1.2.5 Removing Targets from Oracle Privileged Account Manager

To remove a target, select the target from the Search Results table and then click the Remove icon.

5.1.3 Working with Privileged Accounts

This section describes the different tasks you can perform when working with privileged accounts in Oracle Privileged Account Manager.


Note:

Administrators determine which accounts are privileged within a particular deployment, and they must configure Oracle Privileged Account Manager to manage those accounts.

You must be an Oracle Privileged Account Manager administrator with the Security Administrator Admin Role to add and manage accounts.



5.1.3.1 What is a Privileged Account?

An account on a target is considered privileged in a deployment when that account

  • Is associated with elevated privileges

  • Is used by multiple end-users on a task-by-task basis

  • Requires its usage to be controlled and audited

You cannot create accounts in, or delete accounts from, your environment by using Oracle Privileged Account Manager. Oracle Privileged Account Manager only manages existing accounts that were provisioned using other mechanisms.

When you "add" an account in Oracle Privileged Account Manager, you are creating a reference to that account. In effect, you are registering the account and asking Oracle Privileged Account Manager to manage it. When you "remove" the account from Oracle Privileged Account Manager, you are only removing the reference to that account.

Oracle Privileged Account Manager enables you to manage both system and application accounts, as described in the following Managing System Accounts and Managing Application Accounts sections.

5.1.3.1.1 Managing System Accounts

Oracle Privileged Account Manager's primary purpose is to manage privileged system accounts on a supported target system. Oracle Privileged Account Manager does not mandate what constitutes a privileged system account — it can manage any account on a target system. Administrators are responsible for identifying which accounts are privileged. A privileged account is typically a system account that allows a user to perform administration tasks.

Privileged accounts are suitable for management through Oracle Privileged Account Manager if they are used and shared by multiple individuals in the organization and administrators are required to track the use of these accounts.

Administrators perform the following steps to register an account as a privileged account to be managed by Oracle Privileged Account Manager:

  1. Add the target to Oracle Privileged Account Manager (if this has not already been done). See Section 5.1.2.2, "Adding Targets to Oracle Privileged Account Manager" for instructions.

  2. Add the identified privileged account to the target and assign a Password Policy. See Section 5.1.3.2, "Adding Privileged Accounts into Oracle Privileged Account Manager" and Section 5.1.1, "Working with Policies" for instructions.

  3. Grant access to end users directly or by using LDAP roles/groups and assign a Usage Policy. See Section 5.1.4.2, "Granting Accounts to Users" and Section 5.1.1, "Working with Policies" for instructions.

5.1.3.1.2 Managing Application Accounts

Applications use application accounts to connect to target systems at run time. Traditionally, administrators set up these accounts once during installation and then they are forgotten. Consequently, application accounts can potentially cause hidden vulnerabilities in your deployment. For example, passwords might become less secure over time because they were created using outdated policies or commonly used deployment passwords might be compromised.

Oracle Privileged Account Manager enables you to better manage application accounts, in particular for applications that store their application accounts in the Credential Store. These applications consume the account credentials at run time from the Credential Store through the Credential Store Framework.

For example, because an application account is essentially a special version of a system account, you can register an application account in Oracle Privileged Account Manager as described in Section 5.1.3.1.1, "Managing System Accounts." You can then add the corresponding CSF mappings for every application that depends on that account, which is how CSF uniquely identifies a credential stored within CSF, and how an application finds its credential in CSF. For more information about CSF mapping, see "Guidelines for the Map Name" in the Oracle Fusion Middleware Application Security Guide.

If you register an account's CSF mappings with Oracle Privileged Account Manager, then every time the account's password changes, Oracle Privileged Account Manager can update the CSF entries that correspond to the registered mappings to reflect the new password and the applications continue to work without service interruption.


Note:

Oracle Privileged Account Manager updates, or synchronizes, CSF only when a password change occurs.


Additionally, you can apply a Password Policy to these applications that periodically cycles the account password. Cycling the password ensures that the application accounts are always compliant with the latest corporate policies and they remain secure. Oracle Privileged Account Manager performs this task with no service interruption.

Finally, it is useful to note that Oracle Privileged Account Manager can support an account as both a system account (shared and used by multiple end-users) and as an application account (only used by an application at run time) at the same time. In this configuration, a human end-user who has been granted access can "check out" the application account to perform manual administrative operations as that application without disrupting application functionality.

For more information about application accounts, review Section 1.2.4, "Oracle Privileged Account Manager-Managed CSF Credentials."

5.1.3.1.3 Sharing Accounts

Oracle Privileged Account Manager enables you to specify whether an account is shared or not shared.

  • Shared accounts enable multiple users to check out the account at the same time.

  • Unshared accounts (Default) enable only one user to check out an account at a time.

Because unshared accounts are more secure, Oracle recommends that you designate an account as shared only if there are compelling business reasons to do so. If sharing is necessary, be sure to read Section 2.4.2, "Securing Shared Accounts."


Note:

If you configure a shared account, be aware that a user can still use the password after checking in the account. Oracle Privileged Account Manager does not reset the account password until the last user checks in the account.

This is a security limitation for shared accounts.
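
The interaction between the Password Lifecycle Rules (Section 5.1.1.3), the CSF synchronization on password change (Section 5.1.3.1.2) and the shared-account limitation in the note above is clearest as a small state machine. The model below is an added example, not Oracle Privileged Account Manager's own implementation: the classes, the simulated credential store and the rule that a shared account's password is cycled only when no other grantee currently holds it are assumptions made to reproduce the behaviour the note describes.

```python
# Added example: check-out/check-in model for unshared and shared accounts.
# Classes and the simulated CSF are assumptions; not OPAM's own code.
import secrets
import string
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class LifecycleRules:
    reset_on_checkout: bool = True   # Reset password on check-out
    reset_on_checkin: bool = True    # Reset password on check-in


@dataclass
class ManagedAccount:
    name: str
    shared: bool
    rules: LifecycleRules
    csf_mappings: List[Tuple[str, str]] = field(default_factory=list)  # (map name, key)
    password: str = "initial-password"
    holders: Set[str] = field(default_factory=set)
    credential_store: Dict[Tuple[str, str], str] = field(default_factory=dict)  # simulated CSF
    audit: List[str] = field(default_factory=list)

    def _reset_password(self, reason: str) -> None:
        """Generate a random password and push it to every registered CSF mapping.
        CSF is touched only here, i.e. only when the password actually changes."""
        alphabet = string.ascii_letters + string.digits + "!@#$%^&*"
        self.password = "".join(secrets.choice(alphabet) for _ in range(16))
        for mapping in self.csf_mappings:
            self.credential_store[mapping] = self.password
        self.audit.append(f"password reset ({reason})")

    def checkout(self, user: str) -> str:
        if user in self.holders:
            raise RuntimeError(f"{user} already holds {self.name}")
        if not self.shared and self.holders:
            raise RuntimeError(f"{self.name} is unshared and already checked out")
        # Model assumption: a shared account's password is cycled only when nobody else holds it.
        if self.rules.reset_on_checkout and not self.holders:
            self._reset_password(f"check-out by {user}")
        self.holders.add(user)
        self.audit.append(f"check-out by {user}")
        return self.password

    def checkin(self, user: str) -> None:
        if user not in self.holders:
            raise RuntimeError(f"{user} does not hold {self.name}")
        self.holders.discard(user)
        self.audit.append(f"check-in by {user}")
        # The reset waits for the last holder: until then earlier users can still
        # use the password they were given (the limitation described in the note).
        if self.rules.reset_on_checkin and not self.holders:
            self._reset_password(f"check-in by {user}")

    def password_still_valid(self, pw: str) -> bool:
        return secrets.compare_digest(pw, self.password)


def shared_account_scenario() -> dict:
    """Constructed walk-through of two grantees on one shared account."""
    acct = ManagedAccount("oracle_dba", shared=True, rules=LifecycleRules(),
                          csf_mappings=[("reporting-app", "dbcred")])
    alice_pw = acct.checkout("alice")
    bob_pw = acct.checkout("bob")                 # bob receives the same password
    acct.checkin("alice")
    alice_after_checkin = acct.password_still_valid(alice_pw)   # still usable: bob holds it
    acct.checkin("bob")                           # last holder: password is cycled
    return {
        "same_password": alice_pw == bob_pw,
        "alice_usable_after_checkin": alice_after_checkin,
        "alice_usable_after_last_checkin": acct.password_still_valid(alice_pw),
        "csf_in_sync": acct.credential_store[("reporting-app", "dbcred")] == acct.password,
        "resets": sum(1 for e in acct.audit if e.startswith("password reset")),
    }


def unshared_blocks_second_checkout() -> bool:
    """An unshared account refuses a second concurrent check-out."""
    acct = ManagedAccount("root", shared=False, rules=LifecycleRules())
    acct.checkout("alice")
    try:
        acct.checkout("bob")
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print(shared_account_scenario())
```

The scenario shows why the Usage Policy note recommends an automatic check-in for shared accounts: the password is only cycled twice across four operations, and between alice's check-in and bob's the credential alice was given remains valid, so the window in which a departed user can still authenticate is bounded by the last holder's check-in, not by her own.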


5.1.3.2 Adding Privileged Accounts into Oracle Privileged Account Manager


Note:

Accounts are always added to a target, so you must add a target object before you can add an account. Refer to Section 5.1.2.2, "Adding Targets to Oracle Privileged Account Manager" for more information.


To add a new privileged account,

  1. Expand the Home accordion.

  2. Use one of the following methods to locate the target where you want to add the account.

    • Expand the Targets node and select the target from the subtree.

    • Click the Targets node and search for the target by providing search criteria in the Search Targets pane.

  3. Open the target by clicking the Target Name link in the Search Results table.

  4. Select the Privileged Accounts tab.

  5. Click Add in the Search Results table toolbar.

    The Account: Untitled page displays with three subtabs:

    • General: Use to specify information needed to add the account.

    • Grants: Use to associate users and groups (grantees) with the account.

    • Credential Store Framework: Use to add or remove Credential Store Framework (CSF) mappings for the account.

    Use these tabs and the instructions provided in the following sections to add an account.

  6. When you are finished, click Save.

5.1.3.2.1 Adding the Account

To add a new account you must complete the Step 1: Set Target and Step 2: Add Account sections on the General tab as follows:

  1. If the Target Name is undefined, click the search icon.

  2. When the Set Target dialog displays, enter a value in the Target Name field and click the Search button to locate the target where you want to add the account.

    For example, if you know the target name begins with "r," you can type an r into the Target Name field and click the Search button.

  3. When the search results display in the Search Results table, select (check) the Row box next to a target name and then click Set.

    Note that the selected Target Name and its Target Type are displayed on the General tab.

  4. In the Step 2: Add Account section, if the Account Name is undefined, click the search icon.

  5. When the Set Account dialog displays, enter a value in the Account Name field and click the Search button to locate the account you want to add.

    For example, if you know the account name begins with "s," you can type an s into the Account Name field and click the Search button.

  6. When the search results display in the Search Results table, select (check) the Row box next to an account name and then click Set.

    Note that the selected account is displayed as the Account Name on the General tab.

  7. Enable the Shared Account box to allow multiple users to check out this account at the same time.

  8. Specify a Usage Policy and a Password Policy.


    Note:

    Oracle Privileged Account Manager automatically assigns the Default Usage Policy and Default Password Policy to new accounts.
    However, Oracle Privileged Account Manager administrators with the Security Administrator or the User Manager Admin Role can create new policies.

    You can leave the default policies set or choose a different policy from the Usage Policy and Password Policy drop-down menus.

    For more information about policies, refer to Section 5.1.1, "Working with Policies."


  9. Click Test to confirm that the account can be managed by Oracle Privileged Account Manager with these settings.

    If the account configuration settings are valid, a Test Succeeded message displays.

You can now add grantees and CSF mappings to the account. Continue to the following sections for more information.

5.1.3.2.2 Adding Grantees

This section provides instructions for adding grantees to a privileged account.


Note:

Adding a new account does not automatically grant you access to that account. You must complete the process for adding yourself as a grantee.

You must be an Oracle Privileged Account Manager administrator with the User Manager Admin Role to add, edit, or delete grantees.


To associate users and groups with a new account, select the Grants tab and then complete the following steps:

  • To associate users, click Add from the Users table toolbar.

    1. In the Add Users dialog, enter a name into the User Name field and click the arrow icon to search for that user.

    2. When the search results display, select (check) each user you want to associate with this account.

    3. When you are finished adding users, click Add and then click Close.

      Oracle Privileged Account Manager adds those user names to the Users table on the Grants tab.

  • To associate groups, click Add from the Groups table toolbar.

    1. In the Add Group dialog, enter a name into the Group Name field and click the arrow icon to search for that group.

    2. When the search results display, select (check) each group you want to associate with this account.

    3. When you are finished adding groups, click Add and then click Close.

      Oracle Privileged Account Manager adds those group names to the Groups table on the Grants tab.

5.1.3.2.3 Adding CSF Mappings

Oracle Privileged Account Manager enables you to securely store and synchronize account credentials with the Oracle Credential Store Framework (CSF). This capability is useful for managing the lifecycle of application passwords stored in CSF.

When you configure CSF synchronization for an account, Oracle Privileged Account Manager changes the account password based on the assigned Usage Policy.


Note:

Oracle Privileged Account Manager updates, or synchronizes, CSF only when a password change occurs.


To add CSF mappings to an account, complete the following steps:

  1. Select the Account Name link from the Search Results table.

  2. When the Account: AccountName page displays, select the Credential Store Framework tab and click Add.

  3. Enter the following information:

    • Administration Server URL. Enter the server URL in this format, protocol://listen-address:listen-port

    • Username and Password. Enter the user's credentials.

    • Mapping. Enter a map name.

    • Key. Enter a unique key to identify the credential.

  4. Click Add again to create another mapping. You can create as many CSF mappings as needed.

5.1.3.3 Searching for Privileged Accounts

You can search for accounts by using one or more of the following parameters:

  • Account name

  • Target name

  • Target type

  • Domain

To search for accounts, use the following steps:

  1. Select the Accounts node in the Home tree.

  2. When the Accounts tab displays, enter your search criteria in the Search Accounts pane and then click Search.

    For example, to search for a list of all the accounts on a particular target, enter the Target Name and click Search. Your search results are displayed in the Search Results table.


    Note:

    You can use the Status menu, located above the Search Results table, to control the search results based on the account status. See the table in Section 3.4.5, "Working with a Search Results Table" for more information.


  3. To perform another search, click Reset.

5.1.3.4 Opening an Account

You can open an account to view or edit the configuration parameters for that account.

Use one of the following methods to open an account:

  • Click the account name (an active link) in the Search Results table.

  • Select the account row and then click Open Account.

The Account: accountname page opens where you can access information about the associated target, general account parameters, the grantees, and the CSF mapping.

5.1.3.5 Managing Account Passwords

Oracle Privileged Account Manager provides two options for managing account passwords:

  • Show Password. Displays the password for an account.

    If you forget the password for a checked-out account, you can use this feature to view that password again.

    Any user can use Show Password to review the current password for an account they have checked out. However, they cannot access passwords after the account is checked back in or view passwords for accounts that are checked out by other users. In these cases, clicking Show Password will cause an error.

    Administrators with the Security Administration or User Manager Admin Role, who can access all system and target service accounts, can use this feature to view the current password for both checked-out and checked-in privileged accounts.

  • Reset Password. Resets the existing account password.

    If Security Administrators do not want to use randomized password generation, they can manually set a password of their choosing. For example, administrators might prefer to set a simple, easy-to-type password for one time use, such as during a system upgrade.

    Only administrators with the Security Administration Admin Role can reset account passwords.

See Section 5.1.3.5.1, "Showing an Account Password" and Section 5.1.3.5.2, "Resetting an Account Password" for instructions.


Note:

You can also perform both password management actions by using the Oracle Privileged Account Manager command line tool. Refer to Section A.2.31, "showpassword Command" and Section A.2.21, "resetpassword Command" for instructions.

Oracle Privileged Account Manager audits both types of password management actions to keep track of password access.


5.1.3.5.1 Showing an Account Password

To view the password for a selected account,

  1. Select the account's row in the Search Results table.


    Note:

    Do not click an active link in the table, such as the account name, or you will open the account


  2. Click the Show Password icon located above the table.

    A message displays with the name of the selected account and its password.

5.1.3.5.2 Resetting an Account Password

If necessary, you can manually reset the password for a selected account as follows:

  1. Ensure the privileged account is checked in.

    You cannot perform a manual password reset if the account is in a checked-out state.

  2. Select the account row in the Search Results table.


    Note:

    Do not click an active link in the table, such as the account name, or you will open the account


  3. Click the Reset Password icon located above the table.

    The Reset Password dialog displays.

  4. Type a password into the New Password field and click Save.

    You can use a password string of your choosing. The string does not have to comply with the Oracle Privileged Account Manager Password Policy, because the Password Policy is used only for randomized password generation. Because no policy is enforced on a manually set password, treat it as a temporary credential and reset the password again once the one-time task is complete.

    A message displays with the name of the selected account and its password.

5.1.3.6 Checking Out Accounts

Any administrator or end user can check out an account if they have been granted access to that account. (See Section 5.1.4, "Working with Grantees" for more information.)


Note:

You must be an administrator with the Security Administration Admin Role to modify or remove an account.


Privileged accounts are not shared by default, which means when one user checks out the account, it becomes unavailable to other users and prevents conflicting actions. However, administrators can configure shared accounts, which enables multiple users to check out the account at the same time. (Refer to Section 5.1.3.1.3, "Sharing Accounts" for more information.)

The steps for checking out an account are as follows:

  1. Expand the Accounts node on the Home accordion, and select the account target.

  2. When the Accounts tab displays, locate the account you want to check out in the Search Results table.

    • If the account is available for check out, the Account Status is Available and the Check-out button is displayed.

    • If the account is not available for check out, then the Account Status is Not Granted.

    Figure 5-1 Account Available for Checkout (an account whose Account Status is Available, with the Check-out button displayed)

  3. Click the Check-out button.

    When the Check-Out Account dialog displays, you can enter a comment in the Comments field, and then click Checkout.

    If the check-out is successful,

    • For an unshared account, the Account Status changes to Checked-Out, the Check Out button changes to a Check In button, and Oracle Privileged Account Manager lists the account on the My Checked-out Accounts page.

    • For a shared account, the Account Status remains Available, the Check Out button remains, and Oracle Privileged Account Manager lists the account on the My Checked-out Accounts page.
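
The difference between shared and unshared check-out, and the shared-account caveat from Section 5.1.3.1.3 (the password is not reset until the last user checks in), can be made concrete with a small model. The following Python is an added illustration written for this page; it is not Oracle's code and does not talk to an Oracle Privileged Account Manager server. The user names, the account name and the random password generator are constructed assumptions, and it assumes, as the documentation describes, that the password is rotated when the last holder checks the account in.

```python
# Illustrative model (not Oracle's code) of check-out semantics for shared and
# unshared privileged accounts as described in the OPAM documentation:
# an unshared account admits one holder at a time; a shared account admits many,
# and the password is rotated only when the last holder checks in.
import secrets
import string


def generate_password(length=16):
    """Random password; stands in for the policy-driven generator (assumption)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


class PrivilegedAccount:
    def __init__(self, name, shared=False, grantees=()):
        self.name = name
        self.shared = shared
        self.grantees = set(grantees)  # users granted check-out rights
        self.holders = set()           # users who currently hold a check-out
        self.password = generate_password()
        self.audit = []                # (event, user) pairs; OPAM audits these too

    def status(self):
        # A shared account stays "Available" even while checked out (5.1.3.6).
        if self.holders and not self.shared:
            return "Checked-Out"
        return "Available"

    def check_out(self, user):
        if user not in self.grantees:
            raise PermissionError(f"{user}: Not Granted on {self.name}")
        if self.holders and not self.shared and user not in self.holders:
            raise RuntimeError(f"{self.name} is checked out by {sorted(self.holders)}")
        self.holders.add(user)
        self.audit.append(("checkout", user))
        return self.password

    def show_password(self, user):
        # Only a current holder may view the password; anyone else gets an error.
        if user not in self.holders:
            raise PermissionError(f"{user} does not hold {self.name}")
        self.audit.append(("showpassword", user))
        return self.password

    def check_in(self, user):
        """Return True if this check-in triggered a password rotation."""
        if user not in self.holders:
            raise RuntimeError(f"{user} has not checked out {self.name}")
        self.holders.remove(user)
        self.audit.append(("checkin", user))
        if self.holders:
            return False  # shared account: other holders remain, no rotation yet
        self.password = generate_password()
        self.audit.append(("reset", "system"))
        return True


def exposure_window(shared):
    """Does alice's password still work after she checks in while bob holds it?

    Returns (valid_after_alice_checkin, valid_after_everyone_checked_in).
    Constructed scenario with hypothetical users alice and bob.
    """
    acct = PrivilegedAccount("oracle_sys", shared=shared, grantees={"alice", "bob"})
    alice_pw = acct.check_out("alice")
    if shared:
        acct.check_out("bob")  # concurrent holder; would raise for an unshared account
    acct.check_in("alice")
    after_alice = acct.password == alice_pw
    if shared:
        acct.check_in("bob")   # last holder leaves, so the password is rotated
    after_all = acct.password == alice_pw
    return after_alice, after_all


if __name__ == "__main__":
    print("unshared:", exposure_window(False))  # alice's password dies at her check-in
    print("shared:  ", exposure_window(True))   # alice's password survives until bob checks in
```

For the unshared account, alice's password is invalid the moment she checks in; for the shared account it remains valid until bob, the last holder, checks in. That gap is the "security limitation for shared accounts" the note above warns about, and the reason Section 2.4.2 recommends sharing only where there is a compelling business reason.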


5.1.3.7 Checking In Accounts

Any administrator or end user can check in accounts.


Note:

You can also use the Search Accounts page, the Oracle Privileged Account Manager command line tool, or the RESTful interface to check-in accounts.


The steps for checking in an account are as follows:

  1. Select My Checked-out Accounts on the Home accordion.

    The My Checked-out Accounts page displays with all of your checked-out accounts listed in the Search Results table.

  2. Select (check) the account(s) you want to check in.

  3. Click the Check-in icon located above the table.

  4. When the Check-in Accounts dialog displays, click the Check In button.

    If the check-in is successful, Oracle Privileged Account Manager removes the account name(s) from the My Checked-out Accounts table and the account becomes Available for check-out again.

5.1.3.8 Removing Privileged Accounts from Oracle Privileged Account Manager

You can remove a privileged account from Oracle Privileged Account Manager by using the Targets page or the Search Accounts page.

From the Target Page

To remove an account from a target,

  1. Expand the Home accordion.

  2. Locate the target from which you want to remove the account.

    • Expand the Targets node and select the target from the subtree.

    • Click the Targets node and search for the target by providing search criteria in the Search Targets pane.

  3. Click the target name in the Search Results table to open the target.

  4. Select the Privileged Accounts tab.

  5. In the Search Results table, select the account to be removed and then click Remove.

  6. When you are finished, click the Apply button located at the top of the page.

From the Search Accounts Page

To remove an account from the Search Accounts page,

  1. Expand the Home accordion.

  2. Click the Accounts node, target type node, or domain node in the Home tree to open the Search Accounts page.

  3. Locate the account to be removed.

    • If you selected the Accounts node, use the fields in the Search Accounts section to search for the account. Your search results are displayed in the Search Results table.

    • If you selected a target type or domain node, the account displays in the Search Results table.

  4. In the Search Results table, select the account to be removed, and then click Remove.

  5. When you are finished, click the Apply button located at the top of the page.

5.1.4 Working with Grantees

This section describes the different tasks you can perform when working with grantees in Oracle Privileged Account Manager.


Note:

You must be an Oracle Privileged Account Manager administrator with the User Manager Admin Role to add, edit, or delete grantees.



5.1.4.1 What Are Grantees?

Grantees are users or groups in the ID Store that have been granted access to a privileged account managed by an Oracle Privileged Account Manager administrator. Users cannot check out a privileged account unless they have been granted access to that account.

5.1.4.2 Granting Accounts to Users

Use the following steps to grant access to a privileged account:

  1. Expand the Home accordion.

  2. Click Accounts or a sub-node to locate the account to which you want to grant access.

    If necessary, use the Search Accounts portlet to search for the account as described.

  3. Select the account name in the Search Results table.

    The General, Grants, and Credential Store Framework tabs display.

  4. Select the Grants tab.

    If any users are already associated with this account, their names are listed in the table in the Users area.

  5. Click Add to open the Add Users dialog.

  6. In the Add Users dialog, enter all or part of a user name and then click the arrow icon to browse for the user name to add.

    For example, to grant access to the sec_admin user, you can type sec into this field and the search results will include any existing user name containing those letters.

  7. Select (check) the user name and then click Add to add the selected user as a grantee.

  8. Click Close to close the dialog.

    The new user's name displays in the table.


Note:

At this point, the Default Usage Policy is automatically assigned to the user. However, you can use the Usage Policy menu to select a different policy for that user.


5.1.4.3 Granting Accounts to Groups

Use the following steps to grant access to a privileged account:

  1. Expand the Home accordion.

  2. Click Accounts or a sub-node to locate the account to which you want to grant access.

    If necessary, use the Search Accounts portlet to search for the account as described.

  3. Select the account name in the Search Results table.

    The General, Grants, and Credential Store Framework tabs display.

  4. Select the Grants tab.

    If any groups are already associated with this account, their names are listed in the table in the Groups area.

  5. Click Add to open the Add Groups dialog.

  6. In the Add Groups dialog, enter all or part of a group name and then click the arrow icon to browse for the group name to add.

    For example, to grant access to the OPAM_USER_MANAGER group, you can type opam into this field and the search results will include any existing group names containing those letters.

  7. Select (check) the group name and then click Add to add the selected group as a grantee.

  8. Click Close to close the dialog.

    The new group name displays in the table.


Note:

At this point, the Default Usage Policy is automatically assigned to the group. However, you can use the Usage Policy menu to select a different policy for that group.


5.1.4.4 Searching for Grantees

If you have administrator privileges, you can search for grantees by using the following criteria or a combination of these items.

  • For a user grantee

    • User Name

    • First Name

    • Last Name

    • Target Name

    • Account Name

  • For a group grantee

    • Name

    • Description

    • Target Name

    • Account Name

Use the following steps to search for a grantee:

  1. Select Users or Groups under the Grantees node on the Home tree.

  2. When the Search User or Search Group portlet displays on the right, enter your search criteria into one or more of the fields provided.

  3. Click Search.

Review your search results in the Search Results table.

5.1.4.5 Opening a Grantee

You can open a grantee to view information about that user or group grantee.

Use one of the following methods to open a grantee:

  • Click the User name or the Group name (an active link) in the Search Results table.

  • Select the User or Group row and then click the Open icon.

The User: username or the Group: groupname page opens where you can review the information about that grantee.

5.1.4.6 Removing Grantees from an Account

To remove one or more grantees from an account

  1. Open the account and select the Grants tab.

  2. Select the user or group row in the Search Results table.

  3. Click the Remove icon.

  4. When you are prompted to confirm the removal, click the Remove button to continue, (or Cancel to terminate the operation).

    The prompt closes and the user or group is removed from the table.

5.1.5 Working with Reports

Oracle Privileged Account Manager reports are real-time reports that provide information about the current status of accounts and targets being managed by Oracle Privileged Account Manager.


Note:

You must be an Oracle Privileged Account Manager administrator with the Security Auditor Admin Role to open and review Oracle Privileged Account Manager reports.



To view a report, expand the Reports accordion and click a Report link. The report information is displayed in the Reports page on the right.

5.1.5.1 Working with Deployment Reports

Select the Deployment Report link to view information about how targets and privileged accounts are currently deployed.

Information about the deployment is organized into three portlets:

  • Target and Accounts Deployment table. Provides a list of targets, including their target type and host names. Expand the arrow icon next to a target name to view the accounts associated with that target.


    Tip:

    You can click a link in the Target/Account column to open the configuration page for that target or account.


  • Target Distribution. This portlet illustrates how targets are distributed within your deployment.

  • Account Distribution. This portlet illustrates how accounts are distributed within your deployment, by Organization.

Use the Show and Filter drop-down menus to control how the report content is displayed. For example, use the Show menu to view all targets or filter the results to view a particular target. You can use the Filter menu to view the target and account distribution in bar chart, pie chart or tabular format.

5.1.5.2 Working with Usage Reports

Select the Usage Report link to view information about how privileged accounts are currently being used in your deployment. This information displays in the following portlets:

  • Account Usage. This portlet provides a list of targets, the target types, host names, and the last checked out date. Expand the arrow icon next to a target name to view the accounts associated with that target.

  • Checked Out Accounts. This portlet illustrates which targets are checked out within your deployment.

Use the Show and Filter drop-down menus to control how the report content is displayed. For example, select Show to view just currently checked out accounts or accounts that were checked out in the last hour, day, or week. You can use the Filter menu to view the report information as a bar chart, pie chart, or in tabular format.

5.1.5.3 Working with Failure Reports

The Failure Report provides information about the current state of target and account failures. This information displays in the following portlets:

  • Targets and Accounts Failures. This portlet provides a list of targets, the target status, last error message, and the last failure date. Expand the arrow icon next to a target to view the accounts associated with that target.

  • Target Failures. This portlet illustrates the target failures within your deployment.

  • Account Failures. This portlet illustrates the account failures within your deployment.

Use the Show and Filter drop-down menus to control how the report content is displayed. For example, select Show to view the errors that occurred during the last 24 or 48 hours, the last week, or the last 30 days. You can use the Filter menu to view the report information as a bar chart, pie chart, or in tabular format.

5.2 Working with Self-Service

This section provides instructions for users working with Oracle Privileged Account Manager.


5.2.1 Self-Service Workflow

This section describes the basic workflow for self-service users:

  1. Searching for an account

  2. Checking out the account

  3. Viewing checked-out accounts

  4. Checking in accounts

5.2.2 Searching for Accounts

You can search for an account by following the instructions provided in Section 5.1.3.3, "Searching for Privileged Accounts."

5.2.3 Checking Accounts Out and In

To check out a privileged account granted to you, see Section 5.1.3.6, "Checking Out Accounts."

To check an account back in again, follow the instructions provided in Section 5.1.3.7, "Checking In Accounts."

5.2.4 Viewing Checked-Out Accounts

To review which accounts you currently have checked-out, select My Checked-out Accounts on the Home accordion.

The My Checked-out Accounts page displays with all of your checked-out accounts listed in the Search Results table.

5.3 Moving from a Test Environment to a Production Environment

For information about moving Oracle Fusion Middleware components from one environment to another, see "Moving from a Test to a Production Environment" in Oracle Fusion Middleware Administrator's Guide.

For information about moving Identity Management components, including Oracle Privileged Account Manager, from a test environment to a production environment, see "Moving Identity Management Components to a Target Environment" in Oracle Fusion Middleware Administrator's Guide.


C Troubleshooting Oracle Privileged Account Manager

This appendix describes how to diagnose and solve common problems that you might encounter when using Oracle Privileged Account Manager.

The information in this appendix is organized into the following sections.

C.1 Common Problems and Solutions

This section describes some common problems and provides information to help you resolve those problems.


C.1.1 Console Cannot Connect to Oracle Privileged Account Manager Server

Oracle Privileged Account Manager Console cannot connect to the Oracle Privileged Account Manager server.

Reason

If the Console is not connecting to the Oracle Privileged Account Manager server, then you might have a configuration problem with the Console or with Oracle Platform Security Services Trust.

Solution

C.1.2 Console Changes Are Not Reflected in Other, Open Pages

When you have multiple browser windows or Console tabs open against the same Oracle Privileged Account Manager Console, updates made in one window or tab are not immediately reflected in the other windows or tabs.

Reason

The Oracle Privileged Account Manager Console does not proactively push updates to the browser.

Solution:

Refresh the browser window or tab.

C.1.3 Cannot Access Targets or Accounts

Your attempts to access targets and privileged accounts are failing. You cannot check out, check in, or test.

Reason

The ICF connector being used by Oracle Privileged Account Manager is having issues interacting with the target system.

Solution:

  • Verify that the target system is up, and that the privileged account of interest exists.

  • Increase Oracle Privileged Account Manager's logging level to TRACE:32 (its finest level) and review the trace logs to determine where the failure occurs.

    Problems are often caused by environmental issues that can be identified using the trace logs and remedied by fixing the configuration on the target system. Refer to Chapter 6, "Managing Oracle Privileged Account Manager Auditing and Logging" for more information.

  • You might have a connector issue. Submit a bug that includes a reproducible test case, target system details, and trace logs.

C.1.4 Cannot Add Database Targets

This section describes issues that can prevent you from adding database targets.

C.1.4.1 Cannot Connect to Oracle Database with sysdba Role

Your attempts to connect to Oracle Database using the sysdba role are failing with the following error message:

Invalid Connection Details, see server log for details.

Reason

To connect to Oracle Database as a user with the sysdba role, you must add the value internal_logon=sysdba to the target's Connection Properties (under Advanced Configuration).

You must also specify this setting for the Oracle Database SYS account, which must connect with the sysdba role. The Oracle Database SYS user is a special account and if you do not use this role, then the connection might fail. However, it is a better practice to create an Oracle Privileged Account Manager service account instead of using SYS.

Solution:

Perform the following steps to connect to Oracle Database as a user with the sysdba role:


Note:

These configuration steps are not necessary if you are connecting as a normal user.


  1. Open the target's General tab and expand Advanced Configuration to view the configuration options.

  2. Enter the internal_logon=sysdba value into the Connection Properties field.

  3. Click Test to retest the connection.

  4. Save your changes.

C.1.4.2 Cannot Find Special Options for Adding a Database Target

You cannot find configuration options for connecting to database targets such as Oracle RAC Database or for using Secure Socket Layer (SSL).

Reason

Oracle Privileged Account Manager uses a Generic Database connector where special configuration options for specific database target systems are not exposed in a clean or intuitive manner.

Solution:

Define special connectivity options for database targets by modifying the Database Connection URL and Connection Properties parameter values.



C.1.5 Cannot Add an Active Directory LDAP Target

An LDAP target using Microsoft Active Directory fails when you test the connection, search for accounts, or check out passwords.

Reason

Active Directory defaults require specific configuration, so you must change the generic default values for the LDAP target. Oracle Privileged Account Manager uses a Generic LDAP connector where special or custom configuration options for specific LDAP target systems are not obvious. (Usually, only Active Directory LDAP targets cause issues.)

Solution:

When adding the LDAP target, you must

  • Use SSL to communicate with Active Directory. Active Directory rejects modifications of the unicodePwd attribute over an unencrypted connection, so password checkouts and resets fail without it.

  • Specify the following Advanced Configuration parameters (see Table 5-3):

    • Set Password Attribute to unicodepwd

    • Set Advanced Configuration > Account Object Classes to top|person|organizationalPerson|user.

  • Specify an attribute that is suitable for data in Active Directory, such as uid or samaccountname, for the Account User Name Attribute, Uid Attribute, and LDAP Filter for Retrieving Accounts configuration parameters (described in Table 5-2 and Table 5-3).

C.1.6 Grantee Cannot Perform a Checkout

A grantee's attempt to checkout an account is failing with an Insufficient Privileges error.

Reason

Oracle Privileged Account Manager compares the user name in a grant case-sensitively, but WebLogic authentication does not always do so. A user can therefore log in with a user name whose case differs from the one stored in the ID Store, and the resulting principal does not match the grant.

Solution:

Ensure that you enable the Use Retrieved User Name As Principal option for the authenticator being used for your production ID Store. Refer to Section 4.3.1, "Configuring the External Identity Store" for more information.

C.1.7 Cannot View Roles from the Configured Remote ID Store

When you try to grant to a user or group, you cannot view all roles from the configured remote ID Store.

Reason

You logged into Oracle Privileged Account Manager with a user ID that has been retrieved from a user, on an authenticator that is not pointing to your ID Store. The culprit is usually the DefaultAuthenticator.

Solution:

Perform the following actions:

  • Set the Control Flag for all authenticators to SUFFICIENT.

  • Verify that the user who is logging in exists on the remote ID store.

  • Verify that the user has the relevant Oracle Privileged Account Manager Admin Roles. (Refer to Section 2.3.1, "Administration Role Types" for more information.)

  • Ensure those Oracle Privileged Account Manager Admin Roles exist on the remote ID Store.

C.1.8 Group Membership Changes Are Not Immediately Reflected in Oracle Privileged Account Manager

You have an indirect grant through group membership and updates to that group membership are not immediately reflected in Oracle Privileged Account Manager.

For example, if you assign a user to an Oracle Privileged Account Manager administration role or to a group that has been granted an Oracle Privileged Account Manager privileged account, you may not be able to view these changes right away.

Reason

WebLogic caches group memberships from Identity Store providers by default.

Solution:

Modify the caching settings in your WebLogic Authenticator and Asserter configuration to suit your requirements.

C.1.9 Cannot Use Larger Key Sizes for Export/Import

You are unable to use key sizes larger than 128 bits for export or import operations.

Reason

The default JRE installation does not contain the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6.

Solution:

Apply the JCE patch, available for download from http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html

You can confirm whether the unlimited-strength policy files are in effect on the JRE that runs Oracle Privileged Account Manager by checking the value returned by javax.crypto.Cipher.getMaxAllowedKeyLength("AES"): 128 means the default restricted policy is still installed, while Integer.MAX_VALUE (2147483647) means the unlimited-strength files are in place.

C.2 Diagnosing Oracle Privileged Account Manager Problems

This section provides information about how to diagnose Oracle Privileged Account Manager problems.


C.2.1 Increase the Log Level

When an Oracle Privileged Account Manager error occurs, you can gather more information about what caused the error by generating complete logs that include debug information and connector logging. Use the following steps:

  1. Set the Oracle Privileged Account Manager logging level to the finest level, which is TRACE:32.


    Note:


  2. Repeat the task or procedure where you originally encountered the error.

  3. Examine the debug-level information in the generated log.

C.2.2 Examine Exceptions in the Logs

Examining the exceptions logged to the Oracle Privileged Account Manager log file can help you identify various problems.

You can access Oracle Privileged Account Manager's diagnostic log in the following directories:

DOMAIN_HOME/servers/Adminserver/logs
DOMAIN_HOME/servers/opamserver/logs

C.3 Need More Help?

You can find more solutions on My Oracle Support (formerly MetaLink) at http://support.oracle.com. If you do not find a solution for your problem, log a service request.


Index

A  B  C  D  E  F  G  H  I  J  L  M  N  O  P  R  S  T  U  V  W 

A

access rights, 2.3.1
accordions
Administration, 3.4.3
Home, 3.4.1
Reports, 3.4.2
accounts, privileged
access issues, C.1.3
access rights, 2.3.1, 2.3.2
adding, 5.1.3.2, A.2.2, B.2.1
administration roles, 2.3.1
assigning policies, 5.1.1.8.1
auditing, 6.1
checking out/in, 2.4.2.1, 5.1.3.6, 5.1.3.7, A.2.4, B.2.10, B.2.11
deployment report, 3.4.2
description, 1.1, 5.1.3.1
display listing, A.2.5
granting to groups, 5.1.4.3, A.2.14
granting to users, 5.1.4.2, A.2.15
managing, 1.2.4, 5.1.3.1
mapping, 5.1.3.2, 5.1.3.2, 5.1.3.2.3
opening, 5.1.3.4
removing, 5.1.3.8, A.2.17, B.2.6
removing access, A.2.18, A.2.20, B.2.8
resetting passwords, 1.2, 5.1.1.3, 5.1.1.3, 5.1.3.5.2, 5.1.3.5.2
retrieving, A.2.22, B.1.8, B.2.3
searching, 3.4.4, 5.1.3.3, A.2.27, B.3.1
securing shared, 2.4.2, 2.4.2.2
shared, 2.4.2.2, 5.1.3.2.1
sharing, 2.4.2.2, 5.1.3.1.3, 5.1.3.2.1
showing checked out, 5.2.4, A.2.9, B.3.2
status, 3.4.4, 5.1.3.3
updating, B.2.5
verifying, B.2.2
accounts, service, 1.2.1, 5.1.2.2, Glossary
accounts, unattended, 1.2.1, 5.1.2.2, Glossary
activating
Password Policies, 5.1.1.5
Usage Policies, 5.1.1.6
adding
CSF mappings, 5.1.3.2.3
grantees, 5.1.3.2.2
identity providers, 7.2.2.3
new connectors, 3.2.4
Password Policies, 5.1.1.5
privileged accounts, 5.1.3.2, 5.1.3.2, B.2.1
targets, 5.1.2.2, A.2.2, B.1.2, C.1.4
Usage Policies, 5.1.1.5
ADF
authentication, 2.2
definition/purpose, Glossary
Oracle Privileged Account Manager Console, 1.2.3
Admin Roles, Common, 2.3.1, 2.3.1
Administration accordion, 3.4.3
administrators
configuring OIM, 7.1.4
default, 2.3.1
agents, WebGate, 7.2
APIs, REST, B
application accounts
managing, 5.1.3.1
targets, 5.1.2.1
Application Configurator role
access rights, 2.3.1
assigning, 3.3.3
Application Development Framework, Oracle
See ADF
applications
configuring access to multiple, 7.2.2.4
default URLs, 3.1
deploying client, 2.2.1
roles, 2.3.1
storing credentials, 1.2.4
unattended, 1.2.2
writing custom, 1.2.3
architecture
diagram, 1.2.3
Oracle Privileged Account Manager server, 4.1
assigning policies, 5.1.1.8.1
attended accounts, 1.2.1
attributes, retrieving target, B.1.1
audit logs
default file location, 6.1.1
saving, 6.1.1
audit reports
configuring, 6.1.1.1
default report types, 6.1.2
deploying, 6.1.1.3
example, 6.1.2
audit schema, 6.1.1.2
auditing
event types, 6.1
example audit report, 6.1.2
file-based, 6.1.1.1
logging levels, 6.1.1.4
managing, 6
password management actions, 5.1.3.5
privileged accounts, 6.1
saving audit logs, 6.1.1
shared accounts, 2.4.2.2
authentication
ADF-based, 2.2
framework, 2.1
JAAS support, 1.2.3, 2.1
modes, 2.2
Oracle Privileged Account Manager command line tool client, 2.2.2
Oracle Privileged Account Manager server, 2.2.2
SAML-based token, 2.2
schema, 7.2.2.1
user, 2.2.1
authorization
Common Admin Roles, 2.3
end users/enterprise users, 2.3.2
framework, 2.1
mapping users to Admin Roles, 2.3.1
weblogic or bootstrap user, 2.3.1

B

basic logging, configuring, 6.2.1
BI Publisher
audit reports, 6.1.1.2, 6.1.2
configuring connection to server, 6.1.1.3
deploying audit reports, 6.1.1.3
example audit report, 6.1.2
features, 1.2.1
bootstrap user, 2.3.1, Glossary

C

catalogs, 7.1.4
certificates, SSL, 3.3.2
channels, secure versus unsecure, 2.4.1.1
checking out/in
privileged accounts, 5.1.3.6, 5.1.3.7, A.2.4, B.2.10, B.2.11
shared accounts, 2.4.2.2
troubleshooting, C.1.6
clients, third-party, 1.2.3
command line tool
adding Oracle Privileged Account Manager server, 4.1
commands, A.2
security, 2.2.2, 2.4.1.2
starting, A.1
using, A
command syntax, A.2.1
commands
importing SSL certificates, 3.3.2
launch command line tool, A.1
OPAM command line, A.2
WLST, 7.2.2.4
Common Admin Roles, 2.3.1, 2.3.1
configuring
access to multiple applications, 7.2.2.4
audit reports, 6.1.1.1
data sources, 6.1.1.3
external identity store, 4.3
OIM administrators, 7.1.4
Oracle HTTP Server, 7.2.2.2
Oracle Internet Directory authenticator, 4.3.1
shared accounts, 5.1.3.2.1
connecting to Oracle Privileged Account Manager server, 3.4.3, C.1.1
connectors
adding new, 3.2.4
bundle location, 3.2.2
connecting to target systems, 2.4.1.1
deploying, 3.2
description, 3.2, 3.2
Identity Connector FrameWork, 1.2.1
installing, 3.2
LDAP, 7.1.3
opam-config.xml file, 3.2.3, 3.2.4.1, 3.2.4.2
opam-config.xsd file, 3.2.3, 3.2.3, 3.2.4.2, 3.2.4.2
shipped with Oracle Privileged Account Manager, 3.2.1
storing, 3.2.2
supported database types, 5.1.2.2
writing, 3.2.1
Console
configuring SSO, 2.2.1
description, 1.2.3
securing, 2.4.1.2
troubleshooting issues, C.1.2
user authentication, 2.2.1
converting LDIF files, 4.3.2
creating
Password Policies, 5.1.1.5, B.7.1
schema, 6.1.1.2, Glossary
Usage Policies, 5.1.1.6, B.6.1
Credential Store Framework
See CSF.
credentials
managing application, 1.2.4.3
provisioning through Oracle Privileged Account Manager, 1.2.4.1
starting servers, 3.3.1
storing, 1.2.4, 1.2.4, 5.1.3.2.3
using CSF, 1.2.4
CSF
account mapping, 1.2.4.1, 5.1.3.2, 5.1.3.2, 5.1.3.2.3
definition/purpose, 1.2.1, Glossary
custom applications, writing, 1.2.3
custom connectors, adding, 3.2.4.2

D

data
exporting, A.2.12
importing, A.2.12
data sources
configuring, 6.1.1.3
defining JDBC, 6.1.1.3
default
administrator, 2.3.1
audit report types, 6.1.2
password requirements, setting, 5.1.1.3
ports, 3.1, 3.1, A.1
URLs, 3.1, 3.1
Default Password Policy, 5.1.1.1, 5.1.3.2.1
Default Usage Policy, 5.1.1.1, 5.1.3.2.1
defining
JDBC connections and data sources, 6.1.1.3, 6.1.1.3
policies, 2.1
roles, 2.1
deleting
grantees, 5.1.4.6
Password Policies, B.7.3
policies, 5.1.1.9
Usage Policies, B.6.4
deploying
audit reports in BI Publisher, 6.1.1.3
client applications, 2.2.1
connectors, 3.2, 3.2.4.2
Oracle Privileged Account Manager in Oracle Fusion Middleware, 1.3
Deployment Reports, 5.1.5.1
diagnosing problems, C.2
diagnostic logs, 6.2
disabling
Password Policies, 5.1.1.5
Usage Policies, 5.1.1.6
displaying
checked out accounts, A.2.9, B.3.2
domain tree, A.2.10
group listing, A.2.6
privileged accounts list, A.2.5
target listing, A.2.7
target type tree, A.2.11
user listing, A.2.8
domain tree, displaying, A.2.10
DOMAIN_HOME, 6.1.1, 6.1.1.1, 6.1.1.2, Glossary
duration, password, 5.1.1.3

E

end users
privileges, 2.3.2
self-service instructions, 5.2
enterprise roles
creating, 4.3.2
populating resource catalog, 7.1.3
entitlements
populating resource catalog, 7.1.3
requesting access, 7.1.4
exporting data, A.2.12
external identity store, configuring, 4.3

F

Failure Reports, 5.1.5.3
file-based auditing, configuring, 6.1.1.1
files
audit logs, 6.1.1
connector bundles, 3.2.2
converting LDIF, 4.3.2
jps-config.xml, 6.1.1.1, 6.1.1.2, 6.1.1.4
mod_wl_ohs.conf file, 7.2.2.2
opam_product_BIP11gReports_11_1_1_6_0.zip, 6.1.1.3
opam-config.xml file, 3.2.3, 3.2.4.1, 3.2.4.2
opam-config.xsd file, 3.2.3, 3.2.3, 3.2.4.2, 3.2.4.2
Repository Creation Utility zip, 6.1.1.2
firecall requests, 7.1.4
framework
ADF, Glossary
authentication and authorization, Preface, 2
Oracle Privileged Account Manager, 2
Framework, Credential Store
See CSF.
Framework, Identity Connector
See ICF.

G

generating audit reports, 6.1.1.1
generic logs, default location, 6.2
grantees
adding to privileged accounts, 5.1.3.2.2
granting accounts, 5.1.4.2, 5.1.4.3, A.2.14, B.2.7
opening, 5.1.4.5
removing, 5.1.4.6
retrieving, A.2.23, B.2.9
searching, 5.1.4.4
groups
display listing, A.2.6
retrieving, B.5.1
searching, A.2.28, B.5.2
groups, granting accounts, 5.1.4.3

H

Home accordion, 3.4.1
HTTP Basic-Authorization, 2.2, 2.2.2

I

ICF, 1.2.1, Glossary
ID Store, OPSS, 1.3
Identity Connector FrameWork
See ICF.
identity propagation, 2.2.1, Glossary
identity providers, adding, 7.2.2.3
identity store
configuring, 4.3
Oracle Internet Directory, 4.3.1, 7.2.1
Oracle Virtual Directory, 4.3.1
importing
data, A.2.12
SSL certificates, 3.3.2
integrating with
Oracle Access Management Access Manager, 7.2
Oracle Identity Manager, 7.1
Oracle Identity Manager workflows, 7.1.5
Oracle technologies, 1.2.1
interfaces
configuring SSO, 2.2.1
Oracle Privileged Account Manager, 1.2.3
securing, 2.4.1.2

J

JAAS authentication support, 1.2.3, 2.1
jar files, connector, 3.2.2
JavaScript Object Notation
See JSON.
JDBC connections and data sources, 6.1.1.3
jps-config.xml file, 6.1.1.1, 6.1.1.2, 6.1.1.4
JSON Representations
description, Glossary
Oracle Privileged Account Manager architecture, 1.2.3
RESTful APIs, B

L

launching the command line tool, A.1
LDAP connectors, 7.1.3
LDAP groups, 7.1.1, 7.1.2
LDIF files, converting, 4.3.2
ldifmigrator, 4.3.2, 4.3.2, Glossary
loading audit schema, 6.1.1.2
logging
audit logger, 6.1
audit logs location, 6.1.1
configuring basic, 6.2.1
diagnosing problems, C.2.1
exceptions, C.2.2
generic logger, 6.2
generic logs location, 6.2
setting audit logging levels, 6.1.1.4
setting basic logging levels, 6.2.1

M

managing
account credentials, 1.2.4
application credentials, 1.2.4.3
Oracle Privileged Account Manager audit logging, 6
passwords, 1.2, 5.1.3.5
public key security, 1.2.1
mapping, CSF, 1.2.4.1, 5.1.3.2, 5.1.3.2.3
metadata, storing, 2.2
Migration Tool, Oracle Internet Directory, 4.3.2
mod_wl_ohs.conf file, 7.2.2.2
modifying
Default Password Policy, 5.1.1.3
default Usage Policy, 5.1.1.4
policies, 5.1.1.1
My Oracle Support, C.3

N

network channel, securing, 2.4.1

O

opam_product_BIP11gReports_11_1_1_6_0.zip file, 6.1.1.3
opam-config.xml file, 3.2.3, 3.2.4.1, 3.2.4.2
opam-config.xsd file, 3.2.3, 3.2.3, 3.2.4.2, 3.2.4.2
opam-logging.xml file, 6.2.1
opening
grantees, 5.1.4.5
policies, 5.1.1.2
privileged accounts, 5.1.3.4
targets, 5.1.2.4
OPSS
description, Glossary
ID Store, 1.3
Policy Store, 1.2.1
providing authentication, 2.2, 2.2.1
Security Store, 1.3
Trust Service, 1.2.1
OPSS Trust Service, 2.2.1, Glossary
OPSS-Trust Service Assertions, 2.2
OPSS-Trust tokens, 2.1
Oracle Access Management Access Manager
integration with, 7.2
Oracle Application Development Framework
See ADF.
Oracle Fusion Middleware
deploying Oracle Privileged Account Manager, 1.3
Oracle Fusion Middleware Audit Framework, 1.2.1
Oracle HTTP Server, 7.2.2
configuring, 7.2.2.2
Oracle Identity Manager
configuring administrators, 7.1.4
enterprise roles, 7.1.3
entitlements, 7.1.3, 7.1.4
integration, 7.1, 7.1.5
resource catalog, 7.1.3
rules, 7.1.4
workflow support, 7.1.5
Oracle Internet Directory
configuring authenticator, 4.3.1
Data Migration Tool (ldifmigrator), 4.3.2, Glossary
identity store, 4.3.1, 7.2.1
Oracle Platform Security Services
See OPSS
Oracle Privileged Account Manager
architecture and topology, 1.2.3
command syntax, A.2.1
default connectors, 3.2.1
interfaces, 1.2.3
managed server, starting, 3.3.1
securing, 2.4
Oracle Privileged Account Manager Console
about, 1.2.3
adding Oracle Privileged Account Manager server, 4.1
ADF, 1.2.3
configuring SSO, 2.2.1
securing, 2.4.1.2
Oracle Privileged Account Manager server
architecture, 4.1
authentication, 2.2.2
connecting to, 3.4.3, C.1.1
description/purpose, 4.1
Oracle Virtual Directory
identity store, 4.3.1
Oracle Wallet, 1.2.1

P

packet sniffing, 2.4.1.1
Password Complexity Rules, 5.1.1.3
Password Policies
activating, 5.1.1.5
assigning to accounts, 5.1.1.8.1
creating, 5.1.1.5, B.7.1
deleting, B.7.3
description/purpose, 5.1.1.1
disabling, 5.1.1.5
modifying, 5.1.1.1, 5.1.1.3
resetting passwords, 5.1.1.3, 5.1.1.3, 5.1.3.5.2
retrieving, B.7.2
searching, 5.1.1.7
specifying password durations, 5.1.1.3
updating, B.7.4
Password Policy, Default, 5.1.3.2.1
passwords
defining requirements, 5.1.1.3
managing, 1.2, 5.1.3.5
privileged, 1.2
propagating, 2.4.1
resetting, 2.4.3, A.2.21, B.2.4
resetting automatically, 1.2, 5.1.1.3
resetting manually, 5.1.1.3, 5.1.3.5.2
showing, 5.1.3.5, A.2.31, B.2.13
specifying duration period, 5.1.1.3
storing, 1.2
policies
assigning to accounts, 5.1.1.8.1
creating, 5.1.1.5, 5.1.1.6, B.6.1, B.7.1
default, 5.1.3.2.1
defining, 2.1
deleting, 5.1.1.9, B.6.4, B.7.3
description/purpose, 5.1.1.1
disabling, 5.1.1.5, 5.1.1.6
making active, 5.1.1.5, 5.1.1.6
modifying, 5.1.1.3, 5.1.1.4
opening, 5.1.1.2
retrieving, B.6.2, B.7.2
searching, 5.1.1.7
searching for, B.8.1
types, 5.1.1.1
updating, B.6.3, B.7.4
verifying, 5.1.1.8.1, 5.1.1.8.1
viewing, 5.1.1.2
Policy Store, OPSS, 1.2.1
ports
default, 3.1, A.1
SSL, 4.1, A.1
privileged accounts
access rights, 2.3.1, 2.3.2
adding, 5.1.3.2
administration roles, 2.3.1
assigning policies, 5.1.1.8.1
auditing, 6.1
checking out/in, 5.1.3.6, 5.1.3.7
deployment report, 3.4.2
description, 1.1, 5.1.3.1
display listing, A.2.5
granting to groups, 5.1.4.3
granting to users, 5.1.4.2
managing, 5.1.3.1
mapping, 5.1.3.2, 5.1.3.2, 5.1.3.2.3
opening, 5.1.3.4
removing, A.2.17
removing from target, 5.1.3.8
removing group access, A.2.18
resetting passwords, 1.2, 5.1.1.3, 5.1.3.5.2
searching, 3.4.4, 5.1.3.3
searching for, A.2.27
securing shared, 2.4.2
sharing, 2.4.2.1, 5.1.3.1.3, 5.1.3.1.3, 5.1.3.2.1
showing checked out, 5.2.4, A.2.9, B.3.2
status, 3.4.4, 5.1.3.3
privileged passwords, 1.2
privileges
administrators, 2.3.1
end users, 2.3.2
propagating passwords, 2.4.1
propagation, identity, 2.2.1
provisioning
credentials, 1.2.4.1
process diagram, 1.2.4.1
public key security, managing, 1.2.1

R

registered accounts, retrieving, B.1.9
removing
accounts from targets, 5.1.3.8
grantees, 5.1.4.6, A.2.18, A.2.20
privileged accounts, A.2.17, B.2.6
required Admin Role, 2.3.1
targets, 5.1.2.5, A.2.19, B.1.6
reporting
BI Publisher, 6.1.1.2, 6.1.2
example audit report, 6.1.2
reports
audit, 6.1.1.3
configuring, 6.1.1.1
default audit, 6.1.2
Deployment, 5.1.5.1
example audit, 6.1.2
Failure, 5.1.5.3
Usage, 5.1.5.2
viewing, 5.1.5
Reports accordion, 3.4.2
Repository Creation Utility, 6.1.1.2, Glossary
Representational state transfer service
See REST (Restful).
resetting passwords, 1.2, 2.4.3, 5.1.1.3, 5.1.3.5.2, A.2.21, B.2.4
resource catalog, 7.1.3
REST (RESTful)
APIs, Preface
definition/purpose, Glossary
interface, B
service, 1.2.3
retrieving
available accounts, B.1.8
grantees, A.2.23, B.2.9
groups, B.5.1
Password Policies, B.7.2
privileged accounts, A.2.22, B.2.3
registered accounts, B.1.9
target types, B.1.10
targets, A.2.25, B.1.4
Usage Policies, B.6.2
users, A.2.26, B.2.12, B.4.1
retrieving target attributes, B.1.1
roles
administration, 2.3.1
application, 2.3.1
Application Configurator, 2.3.1
defining, 2.1
enterprise, 4.3.2, 7.1.1
Security Administrator, 2.3.1
User Manager, 2.3.1
rules, configuring OIM, 7.1.4

S

SAML
definition/purpose, Glossary
SAML-based token authentication, 2.2
saving audit logs, 6.1.1
schema
authentication, 7.2.2.1
creating, 6.1.1.2, Glossary
for opam-config.xml, 3.2.3
loading, 6.1.1.2
validating, 3.2.4.2
Search Results tables, using, 3.4.5
searching
for grantees, 5.1.4.4
for groups, A.2.28, B.5.2
for policies, 5.1.1.7, B.8.1
for privileged accounts, 3.4.4, 5.1.3.3, A.2.27, B.3.1
for targets, 5.1.2.3, A.2.29, B.1.7
for users, A.2.30, B.4.2, B.4.3
securing
command line tool, 2.2.2, 2.4.1.2
Console, 2.4.1.2
network channel, 2.4.1
Oracle Privileged Account Manager, 2.4
public keys, 1.2.1
shared accounts, 2.4.2, 2.4.2.3
Security Administrator role, 2.3.1
Security Store, OPSS, 1.3
self-service, 5.2.1
servers
BI Publisher, 6.1.1.3
connecting to Oracle Privileged Account Manager server, 3.4.3, C.1.1
Oracle Privileged Account Manager architecture diagram, 4.1
starting, 3.3.1
service accounts, 1.2.1, 5.1.2.2, Glossary
shared accounts
auditing, 2.4.2.2
configuring, 5.1.3.2.1
description, 2.4.2, 5.1.3.1.3
limitations, 5.1.3.1.3
securing, 2.4.2.2
security limitations, 2.4.2.2
showing passwords, 5.1.3.5, A.2.31, B.2.13
SSL
communication, 1.2.3, 2.2.2
default ports, 4.1, A.1
enabling, 5.1.2.2
importing certificates, 3.3.2
specifying endpoint, 4.1, A.1
specifying the port, 4.4.1
using, 2.2, 4.1, A.1
SSO
configuring for user interface, 2.2.1
enabling, 7.2.2
starting
command line tool, A.1
Oracle Privileged Account Manager managed server, 3.3.1
WebLogic Admin Server, 3.3.1
status, privileged accounts, 3.4.4, 5.1.3.3
storing
connectors, 3.2.2
credentials, 1.2.4, 5.1.3.2.3
CSF mappings, 1.2.4.1
metadata, 2.2
passwords, 1.2
sudo authorization, 5.1.2.2
Support, My Oracle, C.3
system accounts
managing, 5.1.3.1
targets, 5.1.2.1
systems, connecting to target, 2.4.1.1

T

target type tree, displaying, A.2.11
target types, retrieving, B.1.10
targets
adding, 5.1.2.2, A.2.2, B.1.2
connecting to, 2.4.1.1, C.1.3
display listing, A.2.7
opening, 5.1.2.4
removing, 5.1.2.5, A.2.19, B.1.6
removing accounts, 5.1.3.8
retrieving, A.2.25, B.1.4
searching for, 5.1.2.3, A.2.29, B.1.7
target types, 5.1.2.2
updating, B.1.5
verifying, B.1.3
third-party clients, 1.2.3
tokens, OPSS Trust, 2.1
topology and architecture diagram, 1.2.3
troubleshooting common problems, C
Trust Service, OPSS, 1.2.1

U

unattended
accounts See service accounts.
applications, 1.2.2
unsecure channels, 2.4.1.1
unshared accounts, 2.4.2
updating
accounts, B.2.5
Password Policies, B.7.4
targets, B.1.5
Usage Policies, B.6.3
URIs, B
URLs, default application, 3.1
Usage Policies
activating, 5.1.1.6
assigning to accounts, 5.1.1.8.1
creating, 5.1.1.6, B.6.1
deleting, B.6.4
description/purpose, 5.1.1.1
disabling, 5.1.1.6
modifying, 5.1.1.1, 5.1.1.4
retrieving, B.6.2
searching, 5.1.1.7
updating, B.6.3
Usage Policy, Default, 5.1.3.2.1
Usage Reports, 5.1.5.2
user authentication, 2.2.1
User Manager role, 2.3.1
users
bootstrap, 2.3.1, Glossary
display listing, A.2.8
granting accounts, 5.1.4.2, B.2.7
removing access, A.2.20, B.2.8
retrieving, A.2.26, B.2.12, B.4.1
searching for, A.2.30, B.4.2, B.4.3
self-service, 5.2.1
sharing accounts, 2.4.2.1, 5.1.1.4
utilities, Repository Creation Utility, 6.1.1.2

V

validating opam-config.xml, 3.2.4.2
verifying
OID configuration, 4.3.1
policies, 5.1.1.8.1, 5.1.1.8.1
privileged accounts, B.2.2
targets, B.1.3
viewing policies, 5.1.1.2
viewing reports, 5.1.5

W

WebGate agents, 7.2
WebLogic
SSL port, 4.1, A.1
starting Admin Server, 3.3.1
weblogic user, 2.3.1
WLST commands, 7.2.2.4
workflows
administrator, 5.1
integrating with Oracle Identity Manager, 7.1.5
Oracle Identity Manager support, 7.1.5
self-service, 5.2.1

B Working with Oracle Privileged Account Manager's RESTful Interface

While Oracle Privileged Account Manager can be consumed through several client interfaces, its fundamental access mechanism or layer is encapsulated in its RESTful interfaces.

All interactions with the Oracle Privileged Account Manager server by external parties, such as a client that is not itself an Oracle Privileged Account Manager server, are exposed through RESTful interfaces. All externally visible Oracle Privileged Account Manager resources are modeled by URIs, while standard HTTP operations are mapped to the relevant Oracle Privileged Account Manager operations on those resources.

This appendix describes Oracle Privileged Account Manager's RESTful interface. The specific APIs that are exposed through this interface are documented in the following sections:


Note:

You can also use Oracle Privileged Account Manager's web-based Console or command line tool to perform tasks described in this appendix.

Refer to Chapter 5, "Configuring and Managing Oracle Privileged Account Manager" or Appendix A, "Working with the Command Line Tool" for more information.


B.1 Target Resource

The APIs described in this section include:

B.1.1 Get Target Attributes

Use this API to retrieve a list of the attributes that are associated with all of the target types.

You can use the list of supported target types, along with these attributes, to create the JSON object required to add a target. Refer to Section B.1.2, "Add a Target" for more information.


Note:

A JSON viewer browser extension, such as JSONView for Firefox, renders the returned attribute list in a readable form, which helps when constructing the JSON object for adding a target.


URI

https://opam_server_host:opam_ssl_port/opam/target/attributes/{locale}

Method

GET

Returns on Success

Status code 200 and the JSON representation of target types, along with the attributes associated with them.


Sample URI

https://opam_server_host:opam_ssl_port/opam/target/attributes/en

Example B-1 JSON Output of Supported Target Types with Attributes

{
   "TargetAttributes":[
      {
         "TargetType":"ldap",
         "DisplayName":"ldap",
         "BasicAttributes":[
            {
               "name":"targetName",
               "type":"string",
               "description":"",
               "label":"Target Name",
               "mask":"false",
               "array":"false",
               "required":"true"
            },
            {
               "name":"description",
               "type":"string",
               "description":"",
               "label":"Description",
               "mask":"false",
               "array":"false",
               "required":"false"
            },
            {
               "name":"organization",
               "type":"string",
               "description":"",
               "label":"Organization",
               "mask":"false",
               "array":"false",
               "required":"false"
            },
            {
               "name":"domain",
               "type":"string",
               "description":"",
               "label":"Domain",
               "mask":"false",
               "array":"false",
               "required":"true"
            },
            {
               "name":"host",
               "type":"string",
               "description":"",
               "label":"Host",
               "mask":"false",
               "array":"false",
               "required":"true"
            },
            {
               "name":"port",
               "type":"int",
               "description":"TCP/IP port number used to communicate with the LDAP server.",
               "label":"TCP Port",
               "default":"",
               "mask":"false",
               "array":"false",
               "required":"true"
            },
            {
               "name":"ssl",
               "type":"boolean",
               "description":"Select the check box to connect to the LDAP server using SSL.",
               "label":"SSL",
               "default":"false",
               "mask":"false",
               "array":"false",
               "required":"true"
            },
            {
               "name":"principal",
               "type":"string",
               "description":"The distinguished name with which to authenticate to the LDAP server.",
               "label":"Principal",
               "default":"",
               "mask":"false",
               "array":"false",
               "required":"true"
            },
            {
               "name":"credentials",
               "type":"string",
               "description":"Password for the principal.",
               "label":"Password",
               "default":"",
               "mask":"true",
               "array":"false",
               "required":"true"
            },
            {
               "name":"baseContexts",
               "type":"string",
               "description":"One or more starting points in the LDAP tree that will be used when searching the tree. Searches are performed when discovering users from the LDAP server or when looking for the groups of which a user is a member.",
               "label":"Base Contexts",
               "default":[ ],
               "mask":"false",
               "array":"true",
               "required":"true"
            },
            {
               "name":"accountNameAttribute",
               "type":"string",
               "description":"Attribute which holds the account's user name.",
               "label":"Account User Name Attribute",
               "default":"uid",
               "mask":"false",
               "array":"false",
               "required":"true"
            }
         ],
         "AdvancedAttributes":[
            {
               "name":"uidAttribute",
               "type":"string",
               "description":"The name of the LDAP attribute which is mapped to the Uid attribute.",
               "label":"Uid Attribute",
               "default":"uid",
               "mask":"false",
               "array":"false",
               "required":"false"
            },
            {
               "name":"accountSearchFilter",
               "type":"string",
               "description":"An optional LDAP filter to control which accounts are returned from the LDAP resource. If no filter is specified, only accounts that include all specified object classes are returned.",
               "label":"LDAP Filter for Retrieving Accounts",
               "default":"(uid=*)",
               "mask":"false",
               "array":"false",
               "required":"false"
            },
            {
               "name":"passwordAttribute",
               "type":"string",
               "description":"The name of the LDAP attribute which holds the password. When changing a user's password, the new password is set to this attribute.",
               "label":"Password Attribute",
               "default":"userpassword",
               "mask":"false",
               "array":"false",
               "required":"false"
            },
            {
               "name":"accountObjectClasses",
               "type":"string",
               "description":"The object class or classes that will be used when creating new user objects in the LDAP tree. When entering more than one object class, each entry should be on its own line; do not use commas or semi-colons to separate multiple object classes. Some object classes may require that you specify all object classes in the class hierarchy.",
               "label":"Account Object Classes",
               "default":[
                  "top",
                  "person",
                  "organizationalPerson",
                  "inetOrgPerson"
               ],
               "mask":"false",
               "array":"true",
               "required":"false"
            }
         ]
      }
   ]
}

Where:

  • TargetAttributes is an array of objects, where each object represents a target type.

  • TargetType is the target type.

  • DisplayName is how the target type name should display.

  • BasicAttributes is an array of objects, where each object represents basic attributes for the target type.

  • AdvancedAttributes is an array of objects, where each object represents advanced attributes for the target type.

  • name is the attribute name to use when constructing the target JSON to create a target.

  • type is the attribute type. Acceptable values include string, int, boolean, or lov (list of values).

  • description is a helpful description of the attribute.

  • label is how the attribute name should display.

  • default is a default value for the attribute.

    Specify a single value if the array parameter is false or specify an array of values if array is true.

  • mask hides sensitive values, such as credentials.

    • Specify true to hide attributes.

    • Specify false if hiding attributes is not necessary.

  • array indicates whether the attribute is single-valued or an array of multiple values.

    • Specify true if the attribute is an array of multiple values.

    • Specify false if the attribute is single-valued.

  • required indicates whether the attribute is mandatory or optional.

    • Specify true for mandatory attributes.

    • Specify false for optional attributes.

B.1.2 Add a Target

Use this API to add a target.


Note:

First, you must obtain a list of attributes for the target type as described in Section B.1.1, "Get Target Attributes." You use these attributes to create the JSON object sent in the body.


URI

https://opam_server_host:opam_ssl_port/opam/target

Method

POST

Body

JSON representation of target for addition/test

Returns on Success

Status code 201 Created and Location


Example B-2 Sample JSON Representation of Target for Addition

{
   "target":{
      "targetType":"ldap",
      "targetName":"hhsharma-ldap2",
      "host":"opam_server_host",
      "domain":"berkeley",
      "description":"Ldap target",
      "organization":"ST-US",
      "credentials":"welcome",
      "uidAttribute":"uid",
      "port":"9876",
      "passwordAttribute":"userpassword",
      "principal":"cn=orcladmin",
      "accountSearchFilter":"(uid=*)",
      "baseContexts":[
         "cn=Users,c=US"
      ],
      "ssl":"false",
      "accountObjectClasses":[
         "top",
         "person",
         "organizationalPerson",
         "inetOrgPerson"
      ],
      "accountNameAttribute":"uid"
   }
}

Sample Output

https://opam_server_host:opam_ssl_port/opam/target/9bbcbbb087174ad1900ea691a2573b61 as the Location.

Where:

  • target is the target JSON object.

  • targetName is the name of the target.

  • targetType is the target type.

All of the other attributes are dynamic and they correspond to the attributes in Section B.1.1, "Get Target Attributes."

B.1.3 Verify a Target

Use this API to verify a target.


Note:

First, you must obtain a list of attributes for the target type. Refer to Section B.1.1, "Get Target Attributes," to create the JSON object to be sent in the body.


URI

https://opam_server_host:opam_ssl_port/opam/target/test

Method

PUT

Body

JSON representation of target for addition/test

Returns on Success

Status code 200


Example B-3 Sample JSON Representation of Target for Addition/Verification

{
   "target":{
      "targetType":"ldap",
      "targetName":"hhsharma-ldap2",
      "host":"opam_server_host",
      "domain":"berkeley",
      "description":"Ldap target",
      "organization":"ST-US",
      "credentials":"welcome",
      "uidAttribute":"uid",
      "port":"9876",
      "passwordAttribute":"userpassword",
      "principal":"cn=orcladmin",
      "accountSearchFilter":"(uid=*)",
      "baseContexts":[
         "cn=Users,c=US"
      ],
      "ssl":"false",
      "accountObjectClasses":[
         "top",
         "person",
         "organizationalPerson",
         "inetOrgPerson"
      ],
      "accountNameAttribute":"uid"
   }
}

Where:

  • target is the target JSON object.

  • targetName is the name of the target.

  • targetType is the target type.

All of the other attributes are dynamic and they correspond to the attributes in Section B.1.1, "Get Target Attributes."
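The following Python module is an added example for Sections B.1.1, B.1.2 and B.1.3; it is not code shipped with Oracle Privileged Account Manager. It takes the attribute list returned by Get Target Attributes (a constructed, trimmed copy of the ldap entry in Example B-1 is embedded so the module runs offline), builds the target JSON body from supplied values while enforcing the required and array flags, masks the attributes the schema marks mask=true before anything is logged, and extracts the targetUID from the Location header returned on 201 Created. The endpoint opam.example:7002 is a placeholder; no server is contacted, so the module only builds the request and does not send it.

```python
"""Schema-driven construction of the target JSON sent to POST /opam/target
(Section B.1.2) and PUT /opam/target/test (Section B.1.3), using the
attribute list returned by GET /opam/target/attributes (Section B.1.1).

Added example for this appendix, not code shipped with Oracle Privileged
Account Manager. SAMPLE_ATTRIBUTES is a constructed, trimmed copy of the
ldap entry in Example B-1; opam.example:7002 is a placeholder endpoint.
"""
import json
from urllib.parse import urlsplit

# Constructed subset of Example B-1: name, type, mask, array, required and
# (where Example B-1 gives one) default, for the ldap target type.
SAMPLE_ATTRIBUTES = {"TargetAttributes": [{
    "TargetType": "ldap", "DisplayName": "ldap",
    "BasicAttributes": [
        {"name": "targetName", "type": "string", "mask": "false", "array": "false", "required": "true"},
        {"name": "description", "type": "string", "mask": "false", "array": "false", "required": "false"},
        {"name": "domain", "type": "string", "mask": "false", "array": "false", "required": "true"},
        {"name": "host", "type": "string", "mask": "false", "array": "false", "required": "true"},
        {"name": "port", "type": "int", "mask": "false", "array": "false", "required": "true"},
        {"name": "ssl", "type": "boolean", "default": "false", "mask": "false", "array": "false", "required": "true"},
        {"name": "principal", "type": "string", "mask": "false", "array": "false", "required": "true"},
        {"name": "credentials", "type": "string", "mask": "true", "array": "false", "required": "true"},
        {"name": "baseContexts", "type": "string", "default": [], "mask": "false", "array": "true", "required": "true"},
        {"name": "accountNameAttribute", "type": "string", "default": "uid", "mask": "false", "array": "false", "required": "true"},
    ],
    "AdvancedAttributes": [
        {"name": "uidAttribute", "type": "string", "default": "uid", "mask": "false", "array": "false", "required": "false"},
        {"name": "accountSearchFilter", "type": "string", "default": "(uid=*)", "mask": "false", "array": "false", "required": "false"},
    ],
}]}


def attribute_schema(attributes_doc, target_type):
    """Return {name: descriptor} for one target type, merging the Basic and
    Advanced lists. Raises KeyError for a target type the server did not list."""
    for entry in attributes_doc["TargetAttributes"]:
        if entry["TargetType"] == target_type:
            return {a["name"]: a
                    for a in entry["BasicAttributes"] + entry["AdvancedAttributes"]}
    raise KeyError(target_type)


def build_target(attributes_doc, target_type, values):
    """Build the {"target": {...}} body for Add/Verify. Every required attribute
    must be supplied or carry a non-empty default; attributes the schema does
    not know are rejected instead of silently forwarded; values are encoded as
    the strings and arrays the server expects (Example B-2 sends "port":"9876")."""
    schema = attribute_schema(attributes_doc, target_type)
    unknown = set(values) - set(schema)
    if unknown:
        raise ValueError("unknown attributes for %s: %s" % (target_type, sorted(unknown)))
    target = {"targetType": target_type}
    for name, attr in schema.items():
        value = values.get(name, attr.get("default"))
        if value in (None, "", []):
            if attr["required"] == "true":
                raise ValueError("missing required attribute: " + name)
            continue  # optional attribute without a value: leave it out
        if attr["array"] == "true":
            target[name] = [str(v) for v in (value if isinstance(value, list) else [value])]
        elif attr["type"] == "boolean":
            target[name] = "true" if value in (True, "true") else "false"
        else:
            target[name] = str(value)
    return {"target": target}


def redact(attributes_doc, body):
    """Copy of a target body with every mask=true attribute replaced, for log
    and audit output. Apply it to Retrieve responses as well: Example B-4
    shows the server returning 'credentials' in clear text."""
    target = body["target"]
    schema = attribute_schema(attributes_doc, target["targetType"])
    return {"target": {k: ("***" if schema.get(k, {}).get("mask") == "true" else v)
                       for k, v in target.items()}}


def add_target_request(base_url, body, verify=False):
    """(method, url, headers, payload): POST /opam/target adds the target
    (Section B.1.2); PUT /opam/target/test verifies it first (Section B.1.3)."""
    path = "/opam/target/test" if verify else "/opam/target"
    return ("PUT" if verify else "POST", base_url.rstrip("/") + path,
            {"Content-Type": "application/json"}, json.dumps(body).encode())


def target_uid_from_location(location):
    """targetUID is the last path segment of the Location returned on 201 Created."""
    return urlsplit(location).path.rstrip("/").rsplit("/", 1)[-1]
```

Because the schema drives the builder, an attribute the server never listed is refused rather than forwarded, and a bind password only reaches a log line after it has passed through redact(). The same body serves Verify and Add, so a target is normally sent to /opam/target/test first and only then to /opam/target.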

B.1.4 Retrieve a Target

Use this API to retrieve a target.

URI

https://opam_server_host:opam_ssl_port/opam/target/{targetUID}

Method

GET

Body


Returns on Success

Status code 200 and JSON representation of target


Example B-4 Sample JSON Representation of Target

{
   "target":{
      "targetUID":"9bbcbbb087174ad1900ea691a2573b61",
      "targetType":"ldap",
      "targetName":"hhsharma-ldap",
      "host":"opam_server_host",
      "domain":"berkeley",
      "description":"Ldap target",
      "organization":"ST-US",
      "credentials":"welcome",
      "uidAttribute":"uid",
      "port":"9876",
      "passwordAttribute":"userpassword",
      "principal":"cn=orcladmin",
      "accountSearchFilter":"(uid=*)",
      "baseContexts":[
         "cn=Users,c=US"
      ],
      "ssl":"false",
      "accountObjectClasses":[
         "top",
         "person",
         "organizationalPerson",
         "inetOrgPerson"
      ],
      "accountNameAttribute":"uid",
      "accounts":[
         {
            "account":{
               "uri":"https:\/\/opam_server_host:opam_ssl_port\/opam\/account\/c11066278022489aad758aec69d9727d"
            }
         },
         {
            "account":{
               "uri":"https:\/\/opam_server_host:opam_ssl_port\/opam\/account\/3740553e999a4f6aa8e8f9286d320cb4"
            }
         }
      ]
   }
}

Where:

  • target is the target JSON object.

  • targetUID is the target's unique identifier.

  • targetName is the name of the target.

  • targetType is target type.

  • accounts is an array of accounts that are associated with the target.

  • account is the account JSON object containing the account's URI.

  • uri is the account's URI.

All of the other attributes are dynamic and they correspond to the attributes in Section B.1.1, "Get Target Attributes." Note that the returned representation includes the target's credentials attribute in clear text, as Example B-4 shows; treat the response as sensitive data and mask that attribute (the attribute list marks it mask=true) before writing it to any log or audit trail.

B.1.5 Update a Target

Use this API to update a target.

You can change all of the attributes, except targetType and targetUID, and you can change multiple attributes at a time.

URI

https://opam_server_host:opam_ssl_port/opam/target/{targetUID}

Method

PUT

Body

JSON representation of Target Modification

Returns on Success

Status code 201


Example B-5 Sample JSON Object to Modify Target

{
   "modifications":[
      {
         "modification":{
            "host":"opam_server_host:opam_ssl_port"
         }
      },
      {
         "modification":{
            "port":"6000"
         }
      }
   ]
}

Where:

  • targetUID is the target's unique identifier.

  • modifications is an array of modification JSON objects.

  • modification is a JSON object representing the modification of a single attribute.

In this example, the host and port attributes on the target are updated to the values provided with them.

B.1.6 Remove a Target

Use this API to delete a target.

URI

https://opam_server_host:opam_ssl_port/opam/target/{targetUID}

Method

DELETE

Body


Returns on Success

Status code 200


B.1.7 Search for Targets

Use this API to search for a target using any of the following request parameters:

  • type

  • domain

  • org

  • name

  • hostname

All of these parameters are optional.

URI

https://opam_server_host:opam_ssl_port/opam/target/search?param1=value1&param2=value2

Method

GET

Body


Returns on Success

Status code 200 and JSON representation of Target Collection


Sample URIs:

  • https://opam_server_host:opam_ssl_port/opam/target/search? returns all targets.

  • https://opam_server_host:opam_ssl_port/opam/target/search?type=ldap&org=us returns all targets whose type contains ldap and whose org contains us.


Example B-6 Sample JSON Representation of Target Collection

{
   "Target Collection":[
      {
         "target":{
            "uri":"https:\/\/opam_server_host:opam_ssl_port\/opam\/target\/9bbcbbb087174ad1900ea691a2573b61",
            "type":"ldap",
            "name":"hhsharma-ldap",
            "host":"opam_server_host",
            "domain":"berkeley"
         }
      },
      {
         "target":{
            "uri":"https:\/\/opam_server_host:opam_ssl_port\/opam\/target\/ac246a162ce948c7b1cdcc17dfc92c15",
            "type":"ldap",
            "name":"hhsharma-ldap2",
            "host":"opam_server_host:opam_ssl_port",
            "domain":"berkeley"
         }
      }
   ]
}

Where:

  • Target Collection is an array of target JSON objects.

  • target is the target JSON object.

  • uri is the target resource URI.

  • type is the target type.

  • hostname is the target's host name.

  • name is the target name.

  • org is the target's organization.

  • domain is the target's domain.

B.1.8 Get Available Accounts

Use this API to retrieve all of the accounts present on the target system.

URI

https://opam_server_host:opam_ssl_port/opam/target/attributes/{locale}

Method

GET

Body


Returns on Success

Status code 200 OK and JSON representation of account collection


Example B-7 Sample JSON Representation of Account Collection

{
   "AvailableAccounts":[
      {
         "accountName":"SCOTT",
         "accountUid":"SCOTT"
      },
      {
         "accountName":"BLAKE",
         "accountUid":"BLAKE"
      },
      {
         "accountName":"JONES",
         "accountUid":"JONES"
      }
   ]
}

Where:

  • AvailableAccounts is an array of the accounts present on the target system.

  • accountName is the account name.

  • accountUID is the account's unique identifier.

B.1.9 Retrieve Accounts Registered on a Target

Use this API to retrieve all the accounts on the target that are registered with Oracle Privileged Account Manager.

URI

https://opam_server_host:opam_ssl_port/opam/target/{targetUID}/accounts

Method

GET

Body


Returns on Success

Status code 200 and JSON representation of URI collection of accounts


Example B-8 Sample JSON Representation of URI Collection of Accounts

{
   "URI Collection":[
      {
         "account":{
            "uri":"https:\/\/opam_server_host:opam_ssl_port\/opam\/account\/3740553e999a4f6aa8e8f9286d320cb4",
            "accountName":"sherlock"
         }
      },
      {
         "account":{
            "uri":"https:\/\/opam_server_host:opam_ssl_port\/opam\/account\/c11066278022489aad758aec69d9727d",
            "accountName":"himanshu"
         }
      }
   ]
}

Where:

  • URI Collection is an array of accounts on a target that are registered with Oracle Privileged Account Manager.

  • account is the account JSON object.

  • uri is the account's URI.

  • accountName is the account name.

B.1.10 Get Target Types

Use this API to retrieve a list of all supported target types.

URI

https://opam_server_host:opam_ssl_port/opam/target/types

Method

GET

Body


Returns on Success

Status code 200 and JSON representation of supported target types


Example B-9 Sample JSON Representation of Supported Target Types

{
   "targettypes":[
      "ldap",
      "unix",
      "database"
   ]
}

Where:

  • targettypes are the supported target types.

B.2 Account Resource

The APIs described in this section include:

B.2.1 Add an Account to a Target

Use this API to add an account to the target. This API does not create an account on the target system, but it registers the existing account with the OPAM target.

URI

https://opam_server_host:opam_ssl_port/opam/account

Method

POST

Body

JSON representation for account addition/verification

Returns on Success

Status code 201 and Location


Example B-10 Sample JSON Representation of Account for Addition/Verification

{
   "account":{
      "accountName":"lucie",
      "passwordpolicy":"passwordpolicy2",
      "shared":"true",
      "targetUID":"9bbcbbb087174ad1900ea691a2573b61"
   }
}

Where:

  • account is the account JSON object.

  • accountName is the name of the account.

  • passwordpolicy is the policy ID of the Password Policy applicable to the account. This parameter is optional. By default, the global Default Password Policy is used.

  • shared indicates the shared status of the account. This value is a Boolean and the default setting is false.

  • targetUID is the target's unique identifier.

B.2.2 Verify an Account

Use this API to verify whether the account is present on the target system.

URI

https://opam_server_host:opam_ssl_port/opam/account/test

Method

PUT

Body

JSON representation for account addition/verification

Returns on Success

Status code 200


Example B-11 Sample JSON Representation of Account Addition/Verification

{
   "account":{
      "accountName":"lucie",
      "passwordpolicy":"passwordpolicy2",
      "shared":"true",
      "targetUID":"9bbcbbb087174ad1900ea691a2573b61"
   }
}

Where:

  • account is the account JSON object.

  • accountName is the name of the account.

  • passwordpolicy is the policy ID of the Password Policy applicable to the account. This parameter is optional. By default, the global Default Password Policy is used.

  • shared indicates the shared status of the account. This value is a Boolean and the default setting is false.

  • targetUID is the target's unique identifier.

B.2.3 Retrieve an Account

Use this API to retrieve an account.

URI

https://opam_server_host:opam_ssl_port/opam/account/{accountUID}

Method

GET

Body


Returns on Success

Status code 200 and JSON representation of account


Example B-12 Sample JSON Representation of Account

{
   "account":{
      "accountUID":"3f74a85e39e64432ba917a2e60fa15aa",
      "targetUID":"9bbcbbb087174ad1900ea691a2573b61",
      "accountName":"lucie",
      "shared":true,
      "status":"checkedIn",
      "usagepolicy":"usagepolicy1",
      "passwordpolicyname":"Default Password Policy",
      "passwordpolicy":"passwordpolicy2",
      "grantees":{
         "users":[
            "opamuser1"
         ],
         "roles":[
            "opamgroup1"
         ]
      }
   }
}

Where:

  • account is the account JSON object.

  • accountUID is the account's unique identifier.

  • accountName is the name of the account.

  • passwordpolicy is the policy ID of the Password Policy applicable to the account.

  • passwordpolicyname is the name of the applicable Password Policy.

  • shared indicates the shared status of the account. This value is a Boolean and the default setting is false.

  • targetUID is target's unique identifier.

  • status indicates whether the account is currently checked in or checked out. Acceptable values are checkedIn and checkedOut.

  • grantees are grantees of the account.

  • users are users who have been granted the account. Each value is the user's login ID/UID.

  • roles are groups or roles that have been granted the account. Each value is the group's name.

B.2.4 Reset Password

Use this API to reset the password on the account.

URI

https://opam_server_host:opam_ssl_port/opam/account/{accountUID}/resetpassword

Method

PUT

Body

JSON representation of the new password

Returns on Success

Status code 200


Example B-13 Sample JSON Representation of the New Password

{
   "password":"welcome1"
}

Where:

  • accountUID is the account's unique identifier.

B.2.5 Update an Account

Use this API to update an account. You can change multiple attributes at a time. Only usagepolicy and shared attributes can be updated.

URI

https://opam_server_host:opam_ssl_port/opam/account/{accountUID}

Method

PUT

Body

JSON representation of account modifications

Returns on Success

Status code 200


Example B-14 Sample JSON Representation of Account Modifications

{
   "modifications":[
      {
         "modification":{
            "passwordpolicy":"passwordpolicy2"
         }
      },
      {
         "modification":{
            "shared":"false"
         }
      }
   ]
}

Where:

  • accountUID is the account's unique identifier.

  • modifications is an array of modification JSON objects.

  • modification is a JSON object representing the modification of a single attribute.

B.2.6 Remove an Account

Use this API to remove an account.

URI

https://opam_server_host:opam_ssl_port/opam/account/{accountUID}

Method

DELETE

Body


Returns on Success

Status code 200


Where:

  • accountUID is the account's unique identifier.

B.2.7 Grant a User/Role Access to an Account

Use this API to grant a user or role access to an account. Multiple users and roles can be granted the access at a time.

URI

https://opam_server_host:opam_ssl_port/opam/account/{accountUID}

Method

PUT

Body

JSON representation for adding grantees

Returns on Success

Status code 200


Example B-15 Sample JSON Representation for Adding Grantees

{
   "modifications":[
      {
         "modification":{
            "usagepolicy":"usagepolicy1",
            "role":"opamgroup1",
            "operation":"add"
         }
      },
      {
         "modification":{
            "usagepolicy":"usagepolicy1",
            "user":"opamuser1",
            "operation":"add"
         }
      }
   ]
}

Where:

  • accountUID is the account's unique identifier.

  • modifications is an array of modification JSON objects.

  • modification is a JSON object representing the modification of a single attribute.

  • role indicates that the grant applies to a group. This parameter value is the group name.

  • user indicates that the grant applies to a user. This parameter value is the user's login ID.

  • usagepolicy indicates the Usage Policy identifier to be applied to the grant.

  • operation indicates the type of operation to be performed. Acceptable values include:

    • add indicates grant.

    • delete indicates revocation.

    • replace indicates replacement of usagepolicy with a new value.

B.2.8 Remove a User's/Role's Access to an Account

Use this API to remove a user's access or a role's access to an account. You can revoke multiple user and role grants at a time.

URI

https://opam_server_host:opam_ssl_port/opam/account/{accountUID}

Method

PUT

Body

JSON representation for removing grantees

Returns on Success

Status code 200


Example B-16 Sample JSON Representation for Removing Grantees

{
   "modifications":[
      {
         "modification":{
            "usagepolicy":"usagepolicy1",
            "role":"opamgroup1",
            "operation":"delete"
         }
      },
      {
         "modification":{
            "usagepolicy":"usagepolicy1",
            "user":"opamuser1",
            "operation":"delete"
         }
      }
   ]
}

Where:

  • accountUID is the account's unique identifier.

  • modifications is an array of modification JSON objects.

  • modification is a JSON object representing a single modification.

  • role indicates that the grant applies to a group. This parameter value is the group name.

  • user indicates that the grant applies to a user. This parameter value is the user's login ID.

  • usagepolicy indicates the Usage Policy identifier to be applied to the grant.

  • operation indicates the type of operation to be performed. Acceptable values include:

    • add indicates a grant.

    • delete indicates a revocation.

    • replace indicates the replacement of the usagepolicy with a new value.

B.2.9 Retrieve Grantees on an Account

Use this API to retrieve all the grantees of an account. A grantee can be a user or a role.

URI

https://opam_server_host:opam_ssl_port/opam/account/{accountUID}/grantees

Method

GET

Body


Returns on Success

Status code 200 and JSON representation of Grantees


Example B-17 Sample JSON Representation of Grantees

{
   "grantees":{
      "users":[
         "opamuser1"
      ],
      "roles":[
         "opamgroup1"
      ]
   }
}

Where:

  • grantees are grantees of the account.

  • users are the users who have been granted the account. Each value is the user's login ID/UID.

  • roles are the groups or roles who have been granted the account. Each value is a group name.
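The grant (B.2.7), revoke (B.2.8) and retrieve-grantees (B.2.9) APIs share one modifications format. The following Python is an added editor's example, not Oracle's code or API: it parses a grantees response of the Example B-17 shape and computes the PUT body that moves an account to a desired set of grantees, so that stale grants are revoked rather than accumulating. It assumes each modification names exactly one user or role and carries a usagepolicy, as in Examples B-15 and B-16; the sample response is constructed.

```python
import json

# Operation values documented for the grantee modification body.
VALID_OPERATIONS = {"add", "delete", "replace"}

# Constructed sample: the shape of a "Retrieve Grantees on an Account" response.
SAMPLE_GRANTEES_RESPONSE = json.dumps({
    "grantees": {"users": ["opamuser1"], "roles": ["opamgroup1"]}
})


def parse_grantees(response_body):
    """Return (users, roles) as sets from a grantees response body."""
    grantees = json.loads(response_body)["grantees"]
    return set(grantees.get("users", [])), set(grantees.get("roles", []))


def make_modification(kind, name, usagepolicy, operation):
    """Build one modification object; kind is 'user' or 'role'."""
    if kind not in ("user", "role"):
        raise ValueError("grantee kind must be 'user' or 'role'")
    if operation not in VALID_OPERATIONS:
        raise ValueError("operation must be one of %s" % sorted(VALID_OPERATIONS))
    return {"modification": {"usagepolicy": usagepolicy, kind: name, "operation": operation}}


def reconcile_grants(current_response, desired_users, desired_roles, usagepolicy):
    """Compute the PUT body that moves an account's grantees to the desired set.

    Grantees missing from the desired set are revoked (delete); grantees in the
    desired set but not yet present are granted (add). Existing grants are left alone.
    """
    current_users, current_roles = parse_grantees(current_response)
    desired_users, desired_roles = set(desired_users), set(desired_roles)
    mods = []
    for user in sorted(desired_users - current_users):
        mods.append(make_modification("user", user, usagepolicy, "add"))
    for user in sorted(current_users - desired_users):
        mods.append(make_modification("user", user, usagepolicy, "delete"))
    for role in sorted(desired_roles - current_roles):
        mods.append(make_modification("role", role, usagepolicy, "add"))
    for role in sorted(current_roles - desired_roles):
        mods.append(make_modification("role", role, usagepolicy, "delete"))
    return {"modifications": mods}


def validate_modifications(body):
    """Return a list of problems found in a modifications body (empty if valid).

    Assumed rules, mirrored from the page's examples: every entry wraps a
    'modification' object naming exactly one user or role, a documented
    operation and a usagepolicy.
    """
    problems = []
    mods = body.get("modifications")
    if not isinstance(mods, list) or not mods:
        return ["modifications must be a non-empty array"]
    for index, item in enumerate(mods):
        mod = item.get("modification") if isinstance(item, dict) else None
        if not isinstance(mod, dict):
            problems.append("entry %d: missing modification object" % index)
            continue
        grantee_keys = [k for k in ("user", "role") if k in mod]
        if len(grantee_keys) != 1:
            problems.append("entry %d: exactly one of user/role is required" % index)
        if mod.get("operation") not in VALID_OPERATIONS:
            problems.append("entry %d: invalid operation %r" % (index, mod.get("operation")))
        if not mod.get("usagepolicy"):
            problems.append("entry %d: usagepolicy is required" % index)
    return problems


if __name__ == "__main__":
    body = reconcile_grants(SAMPLE_GRANTEES_RESPONSE,
                            desired_users=["opamuser1", "opamuser2"],
                            desired_roles=[], usagepolicy="usagepolicy1")
    print(json.dumps(body, indent=3))
    print("problems:", validate_modifications(body))
```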

B.2.10 Check Out an Account

Use this API to check out an account.

URI

https://opam_server_host:opam_ssl_port/opam/account/{accountUID}/checkout

Method

PUT

Body


Returns on Success

Status code 200 and JSON representation of account token


Example B-18 Sample JSON Representation of Account Token

{
   "accountToken":{
      "accountName":"lucie",
      "accountUID":"3f74a85e39e64432ba917a2e60fa15aa",
      "accountPassword":"GJN8p2ol"
   }
}

Where:

  • accountUID is the account's unique identifier.

  • accountName is the name of the account.

  • accountPassword is the account password.

B.2.11 Check In an Account

Use this API to check in an account.

URI

https://opam_server_host:opam_ssl_port/opam/account/{accountUID}/checkin

Method

PUT

Body


Returns on Success

Status code 200


B.2.12 Retrieve Users Who Checked Out an Account

Use this API to retrieve a list of all users who have currently checked out an account.

URI

https://opam_server_host:opam_ssl_port/opam/account/{accountUID}/whocheckedout

Method

GET

Body


Returns on Success

Status code 200 and JSON representation of users who checked out the account.


Example B-19 Sample JSON Representation of Users Who Checked Out the Account

{
   "users":[
      {
         "user":{
            "uid":"sec_admin",
            "lastname":"sec_admin",
            "dn":"uid=sec_admin,ou=people,ou=myrealm,dc=base_domain",
            "expiryTime":1338765551,
            "checkoutTime":1338333551,
            "timezone":"America\/Los_Angeles"
         }
      }
   ]
}

Where:

  • uid is the user's unique identifier.

  • lastname is the user's last name.

  • dn is the distinguished name of the user.

  • expiryTime is the expiration time of the check-out session. This value is a UNIX timestamp (seconds since the epoch).

  • checkoutTime is the time at which the account was checked out. This value is a UNIX timestamp (seconds since the epoch).

  • timezone indicates the time zone applicable to expiryTime and checkoutTime.
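Because expiryTime and checkoutTime are UNIX timestamps interpreted in the named time zone, a monitoring job can derive the length of each check-out window and whether it has lapsed. The following Python is an added example, not Oracle's code: it summarizes a whocheckedout response of the Example B-19 shape (the sample is constructed from the page's values) and flags sessions that are expired or longer than an assumed maximum.

```python
import json
from datetime import datetime, timezone

try:
    from zoneinfo import ZoneInfo, ZoneInfoNotFoundError  # Python 3.9+
except ImportError:  # pragma: no cover - very old interpreters
    ZoneInfo = None
    ZoneInfoNotFoundError = Exception

# Constructed sample mirroring Example B-19 (field values copied from the page).
SAMPLE_WHOCHECKEDOUT = json.dumps({
    "users": [
        {"user": {"uid": "sec_admin", "lastname": "sec_admin",
                  "dn": "uid=sec_admin,ou=people,ou=myrealm,dc=base_domain",
                  "expiryTime": 1338765551, "checkoutTime": 1338333551,
                  "timezone": "America/Los_Angeles"}}
    ]
})


def to_local(epoch_seconds, tz_name):
    """Convert a UNIX timestamp (seconds) to an aware datetime in tz_name.

    Falls back to UTC when the local zone database does not know the name,
    so the timestamp itself is never lost or shifted.
    """
    tz = timezone.utc
    if ZoneInfo is not None:
        try:
            tz = ZoneInfo(tz_name)
        except ZoneInfoNotFoundError:
            pass
    return datetime.fromtimestamp(epoch_seconds, tz=tz)


def summarize_checkouts(response_body, now_epoch, max_hours=None):
    """Return one summary dict per check-out session in the response.

    duration_seconds is the granted window (expiryTime - checkoutTime);
    expired is True once now_epoch reaches expiryTime; over_limit is True when
    the window is longer than max_hours (an assumed local policy limit).
    """
    sessions = []
    for entry in json.loads(response_body)["users"]:
        user = entry["user"]
        checkout, expiry = user["checkoutTime"], user["expiryTime"]
        duration = expiry - checkout
        sessions.append({
            "uid": user["uid"],
            "dn": user["dn"],
            "checked_out_at": to_local(checkout, user["timezone"]),
            "expires_at": to_local(expiry, user["timezone"]),
            "duration_seconds": duration,
            "expired": now_epoch >= expiry,
            "over_limit": max_hours is not None and duration > max_hours * 3600,
        })
    return sessions


def stale_sessions(response_body, now_epoch, max_hours):
    """Return the uids whose session is expired or exceeds the allowed window."""
    return [s["uid"] for s in summarize_checkouts(response_body, now_epoch, max_hours)
            if s["expired"] or s["over_limit"]]


if __name__ == "__main__":
    for s in summarize_checkouts(SAMPLE_WHOCHECKEDOUT, now_epoch=1338400000, max_hours=24):
        print(s["uid"], s["checked_out_at"].isoformat(), "->", s["expires_at"].isoformat(),
              "hours=%d" % (s["duration_seconds"] // 3600),
              "expired=%s over_limit=%s" % (s["expired"], s["over_limit"]))
```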

B.2.13 Show Password

Use this API to retrieve and display the password associated with an account.

URI

https://opam_server_host:opam_ssl_port/opam/account/{accountUID}/showpassword

Method

PUT

Body


Returns on Success

Status code 200 and JSON representation of account token


Example B-20 Sample JSON Representation of Account Token

{
   "accountToken":{
      "accountName":"lucie",
      "accountUID":"3f74a85e39e64432ba917a2e60fa15aa",
      "accountPassword":"GJN8p2ol"
   }
}

Where:

  • accountUID is the account's unique identifier.

  • accountName is the name of the account.

  • accountPassword is the account password.

B.3 UI Resource

The APIs described in this section include:

B.3.1 Search Accounts

Use this API to search accounts using one or more of the following search request parameters:

  • type

  • domain

  • org

  • name

  • accountname

All of these parameters are optional.

URI

https://opam_server_host:opam_ssl_port/opam/ui/allaccounts/search?param1=val1&param2=val2

Method

GET

Body


Returns on Success

Status code 200 and JSON representation of account collection


Example B-21 Sample JSON Representation of Account Collection

{
   "AccountCollection":[
      {
         "account":{
            "uri":"https:\/\/opam_server_host:opam_ssl_port\/opam\/account\/3740553e999a4f6aa8e8f9286d320cb4",
            "accountUID":"3740553e999a4f6aa8e8f9286d320cb4",
            "accountName":"sherlock",
            "status":"checkedOut",
            "targetUID":"9bbcbbb087174ad1900ea691a2573b61",
            "targetName":"hhsharma-ldap",
            "targetType":"ldap",
            "domain":"berkeley",
            "disabled":"false",
            "grantees":{
               "users":[ ],
               "roles":[ ]
            }
         }
      },
      {
         "account":{
            "uri":"https:\/\/opam_server_host:opam_ssl_port\/opam\/account\/c11066278022489aad758aec69d9727d",
            "accountUID":"c11066278022489aad758aec69d9727d",
            "accountName":"himanshu",
            "status":"checkedIn",
            "targetUID":"9bbcbbb087174ad1900ea691a2573b61",
            "targetName":"hhsharma-ldap",
            "targetType":"ldap",
            "domain":"berkeley",
            "disabled":"true",
            "grantees":{
               "users":[ ],
               "roles":[ ]
            }
         }
      },
      {
         "account":{
            "uri":"https:\/\/opam_server_host:opam_ssl_port\/opam\/account\/154034fc5b5548caad7721e198815709",
            "accountUID":"154034fc5b5548caad7721e198815709",
            "accountName":"lucie",
            "status":"checkedIn",
            "targetUID":"9bbcbbb087174ad1900ea691a2573b61",
            "targetName":"hhsharma-ldap",
            "targetType":"ldap",
            "domain":"berkeley",
            "disabled":"true",
            "grantees":{
               "users":[ ],
               "roles":[ ]
            }
         }
      }
   ],
   "count":3
}

Where:

  • disabled indicates whether the user has been granted access to the account.

    • If set to true, the user has grant access to the account.

    • If set to false, the user is an administrator who can view the account, but cannot check out the account.

For all other attribute definitions, refer to Section B.1, "Target Resource" and Section B.2, "Account Resource."

B.3.2 Get All Checked Out Accounts

Use this API to retrieve a list of all accounts that have been checked out by the logged in user.

URI

https://opam_server_host:opam_ssl_port/ui/allaccounts/mycheckedout

Method

GET

Body


Returns on Success

Status code 200 and JSON representation of account collection


Example B-22 Sample JSON Representation of Account Collection

{
   "AccountCollection":[
      {
         "account":{
            "uri":"https:\/\/opam_server_host:opam_ssl_port\/opam\/account\/3740553e999a4f6aa8e8f9286d320cb4",
            "accountUID":"3740553e999a4f6aa8e8f9286d320cb4",
            "accountName":"sherlock",
            "status":"checkedOut",
            "targetUID":"9bbcbbb087174ad1900ea691a2573b61",
            "targetName":"hhsharma-ldap",
            "targetType":"ldap",
            "domain":"berkeley",
            "policyname":"Default Usage Policy",
            "policyid":"usagepolicy1",
            "expiryTime":1338765551,
            "timezone":"America\/Los_Angeles",
            "grantees":{
               "users":[ ],
               "roles":[ ]
            }
         },
         "count":1
      }
   ]
}

For attribute definitions, refer to Section B.1, "Target Resource" and Section B.2, "Account Resource."

B.4 User Resource

The APIs described in this section include:

B.4.1 Get a User

Use this API to retrieve a user.

URI

https://opam_server_host:opam_ssl_port/opam/user/{uid}

Method

GET

Body


Returns on Success

Status code 200 and JSON representation of user


Example B-23 Sample JSON Representation of User

{
   "user":{
      "uid":"opamuser1",
      "lastname":"opamuser1",
      "usertype":"End-User",
      "opamrole":[
 
      ],
      "dn":"uid=opamuser1,ou=people,ou=myrealm,dc=base_domain",
      "accounts":[
         {
            "accountUID":"3740553e999a4f6aa8e8f9286d320cb4",
            "accountName":"sherlock",
            "targetType":"ldap",
            "targetName":"hhsharma-ldap",
            "targetDomain":"berkeley"
         },
         {
            "accountUID":"154034fc5b5548caad7721e198815709",
            "accountName":"lucie",
            "targetType":"ldap",
            "targetName":"hhsharma-ldap",
            "targetDomain":"berkeley"
         }
      ]
   }
}

For attribute definitions, refer to Section B.1, "Target Resource" and Section B.2, "Account Resource."

B.4.2 Search Users

Use this API to search for users. This API is a contains search, using one or more of the following parameters:

  • firstname

  • lastname

  • UID (unique identifier)

  • mail

URI

https://opam_server_host:opam_ssl_port/opam/user/search/{searchKeyWord}

Method

GET

Body


Returns on Success

Status 200 and JSON representation of users


Example B-24 Sample JSON Representation of Users

{
   "users":[
      {
         "user":{
            "uid":"opamenduser1",
            "firstname":"opamenduser1",
            "lastname":"opamenduser1",
            "dn":"uid=opamenduser1,ou=people,ou=myrealm,dc=base_domain"
         }
      },
      {
         "user":{
            "uid":"opamenduser2",
            "lastname":"opamenduser2",
            "dn":"uid=opamenduser2,ou=people,ou=myrealm,dc=base_domain"
         }
      },
      {
         "user":{
            "uid":"opamuser1",
            "lastname":"opamuser1",
            "dn":"uid=opamuser1,ou=people,ou=myrealm,dc=base_domain"
         }
      }
   ]
}

For attribute definitions, refer to Section B.1, "Target Resource" and Section B.2, "Account Resource."

B.4.3 Advanced Search for Users

Use this API to search for users. This API is a contains search, using one or more of the following parameters:

  • uid

  • lastname

  • firstname

All of these parameters are optional.

URI

https://opam_server_host:opam_ssl_port/opam/user/advancedsearch?param1=val1&param2=val2

Method

GET

Body


Returns on Success

Status 200 and JSON representation of users


Example B-25 Sample JSON Representation of Users

{
   "users":[
      {
         "user":{
            "uid":"OracleSystemUser",
            "lastname":"OracleSystemUser",
            "dn":"uid=OracleSystemUser,ou=people,ou=myrealm,dc=base_domain"
         }
      },
      {
         "user":{
            "uid":"weblogic",
            "lastname":"weblogic",
            "dn":"uid=weblogic,ou=people,ou=myrealm,dc=base_domain"
         }
      },
      {
         "user":{
            "uid":"app_config",
            "lastname":"app_config",
            "dn":"uid=app_config,ou=people,ou=myrealm,dc=base_domain"
         }
      },
      {
         "user":{
            "uid":"sec_admin",
            "lastname":"sec_admin",
            "dn":"uid=sec_admin,ou=people,ou=myrealm,dc=base_domain"
         }
      },
      {
         "user":{
            "uid":"user_manager",
            "lastname":"user_manager",
            "dn":"uid=user_manager,ou=people,ou=myrealm,dc=base_domain"
         }
      },
      {
         "user":{
            "uid":"sec_auditor",
            "lastname":"sec_auditor",
            "dn":"uid=sec_auditor,ou=people,ou=myrealm,dc=base_domain"
         }
      },
      {
         "user":{
            "uid":"opamenduser1",
            "firstname":"opamenduser1",
            "lastname":"opamenduser1",
            "dn":"uid=opamenduser1,ou=people,ou=myrealm,dc=base_domain"
         }
      },
      {
         "user":{
            "uid":"opamenduser2",
            "lastname":"opamenduser2",
            "dn":"uid=opamenduser2,ou=people,ou=myrealm,dc=base_domain"
         }
      },
      {
         "user":{
            "uid":"opamuser1",
            "lastname":"opamuser1",
            "dn":"uid=opamuser1,ou=people,ou=myrealm,dc=base_domain"
         }
      }
   ]
}

For attribute definitions, refer to Section B.1, "Target Resource" and Section B.2, "Account Resource."

B.5 Group Resource

The APIs described in this section include:

B.5.1 Get Group

Use this API to retrieve a group.

URI

https://opam_server_host:opam_ssl_port/opam/group/{name}

Method

GET

Body


Returns on Success

Status code 200 and JSON representation of group


Example B-26 Sample JSON Representation of Group

{
   "group":{
      "name":"opamgroup1",
      "dn":"cn=opamgroup1,ou=groups,ou=myrealm,dc=base_domain",
      "description":"",
      "users":[
         {
            "uid":"opamenduser1",
            "firstname":"opamenduser1",
            "lastname":"opamenduser1",
            "dn":"uid=opamenduser1,ou=people,ou=myrealm,dc=base_domain"
         },
         {
            "uid":"opamuser1",
            "lastname":"opamuser1",
            "dn":"uid=opamuser1,ou=people,ou=myrealm,dc=base_domain"
         }
      ],
      "groups":[
         {
            "group":{
               "name":"opamsubgroup1",
               "dn":"cn=opamsubgroup1,ou=groups,ou=myrealm,dc=base_domain",
               "description":""
            }
         },
         {
            "group":{
               "name":"opamsubgroup2",
               "dn":"cn=opamsubgroup2,ou=groups,ou=myrealm,dc=base_domain",
               "description":""
            }
         }
      ],
      "accounts":[
         {
            "accountUID":"c11066278022489aad758aec69d9727d",
            "accountName":"himanshu",
            "targetType":"ldap",
            "targetName":"hhsharma-ldap",
            "targetDomain":"berkeley"
         }
      ]
   }
}

For attribute definitions, refer to Section B.1, "Target Resource" and Section B.2, "Account Resource."

B.5.2 Search Groups

Use this API to search for groups. This API is a contains search, using the group name parameter.

URI

https://opam_server_host:opam_ssl_port/opam/group/search/{searchKeyWord}

Method

GET

Body


Returns on Success

Status 200 and JSON representation of groups


Example B-27 Sample JSON Representation of Groups

{
   "groups":[
      {
         "group":{
            "name":"opamgroup1",
            "dn":"cn=opamgroup1,ou=groups,ou=myrealm,dc=base_domain",
            "description":"",
            "users":[
               {
                  "uid":"opamenduser1",
                  "firstname":"opamenduser1",
                  "lastname":"opamenduser1",
                  "dn":"uid=opamenduser1,ou=people,ou=myrealm,dc=base_domain"
               },
               {
                  "uid":"opamuser1",
                  "lastname":"opamuser1",
                  "dn":"uid=opamuser1,ou=people,ou=myrealm,dc=base_domain"
               }
            ]
         }
      },
      {
         "group":{
            "name":"opamgroup2",
            "dn":"cn=opamgroup2,ou=groups,ou=myrealm,dc=base_domain",
            "description":"",
            "users":[
               {
                  "uid":"opamenduser1",
                  "firstname":"opamenduser1",
                  "lastname":"opamenduser1",
                  "dn":"uid=opamenduser1,ou=people,ou=myrealm,dc=base_domain"
               },
               {
                  "uid":"opamuser1",
                  "lastname":"opamuser1",
                  "dn":"uid=opamuser1,ou=people,ou=myrealm,dc=base_domain"
               }
            ]
         }
      },
      {
         "group":{
            "name":"opamsubgroup1",
            "dn":"cn=opamsubgroup1,ou=groups,ou=myrealm,dc=base_domain",
            "description":"",
            "users":[
 
            ]
         }
      },
      {
         "group":{
            "name":"opamsubgroup2",
            "dn":"cn=opamsubgroup2,ou=groups,ou=myrealm,dc=base_domain",
            "description":"",
            "users":[
 
            ]
         }
      },
      {
         "group":{
            "name":"OPAM_APPLICATION_CONFIGURATOR",
            "dn":"cn=OPAM_APPLICATION_CONFIGURATOR,ou=groups,ou=myrealm,dc=base_domain",
            "description":"OPAM_APPLICATION_CONFIGURATOR",
            "users":[
               {
                  "uid":"app_config",
                  "lastname":"app_config",
                  "dn":"uid=app_config,ou=people,ou=myrealm,dc=base_domain"
               }
            ]
         }
      },
      {
         "group":{
            "name":"OPAM_SECURITY_ADMIN",
            "dn":"cn=OPAM_SECURITY_ADMIN,ou=groups,ou=myrealm,dc=base_domain",
            "description":"OPAM_SECURITY_ADMIN",
            "users":[
               {
                  "uid":"sec_admin",
                  "lastname":"sec_admin",
                  "dn":"uid=sec_admin,ou=people,ou=myrealm,dc=base_domain"
               }
            ]
         }
      },
      {
         "group":{
            "name":"OPAM_SECURITY_AUDITOR",
            "dn":"cn=OPAM_SECURITY_AUDITOR,ou=groups,ou=myrealm,dc=base_domain",
            "description":"OPAM_SECURITY_AUDITOR",
            "users":[
               {
                  "uid":"sec_auditor",
                  "lastname":"sec_auditor",
                  "dn":"uid=sec_auditor,ou=people,ou=myrealm,dc=base_domain"
               }
            ]
         }
      },
      {
         "group":{
            "name":"OPAM_USER_MANAGER",
            "dn":"cn=OPAM_USER_MANAGER,ou=groups,ou=myrealm,dc=base_domain",
            "description":"OPAM_USER_MANAGER",
            "users":[
               {
                  "uid":"user_manager",
                  "lastname":"user_manager",
                  "dn":"uid=user_manager,ou=people,ou=myrealm,dc=base_domain"
               }
            ]
         }
      }
   ]
}

For attribute definitions, refer to Section B.1, "Target Resource" and Section B.2, "Account Resource."

B.5.3 Advanced Search for Groups

Use this API to search for groups. The request parameter can be groupname. All of the parameters are optional.

URI

https://opam_server_host:opam_ssl_port/opam/group/advancedsearch?param1=val1&param2=val2

Method

GET

Body


Returns on Success

Status 200 and JSON representation of groups


Example B-28 Sample JSON Representation of Groups

{
   "groups":[
      {
         "group":{
            "name":"AdminChannelUsers",
            "dn":"cn=AdminChannelUsers,ou=groups,ou=myrealm,dc=base_domain",
            "description":"AdminChannelUsers can access the admin channel.",
            "users":[
 
            ],
            "accounts":[
 
            ]
         }
      },
      {
         "group":{
            "name":"Administrators",
            "dn":"cn=Administrators,ou=groups,ou=myrealm,dc=base_domain",
            "description":"Administrators can view and modify all resource attributes and start and stop servers.",
            "users":[
               {
                  "uid":"weblogic",
                  "lastname":"weblogic",
                  "dn":"uid=weblogic,ou=people,ou=myrealm,dc=base_domain"
               }
            ],
            "accounts":[ ]
         }
      },
      {
         "group":{
            "name":"AppTesters",
            "dn":"cn=AppTesters,ou=groups,ou=myrealm,dc=base_domain",
            "description":"AppTesters group.",
            "users":[ ],
            "accounts":[ ]
         }
      },
      {
         "group":{
            "name":"CrossDomainConnectors",
            "dn":"cn=CrossDomainConnectors,ou=groups,ou=myrealm,dc=base_domain",
            "description":"CrossDomainConnectors can make inter-domain calls from foreign domains.",
            "users":[ ],
            "accounts":[ ]
         }
      },
      {
         "group":{
            "name":"Deployers",
            "dn":"cn=Deployers,ou=groups,ou=myrealm,dc=base_domain",
            "description":"Deployers can view all resource attributes and deploy applications.",
            "users":[ ],
            "accounts":[ ]
         }
      },
      {
         "group":{
            "name":"Monitors",
            "dn":"cn=Monitors,ou=groups,ou=myrealm,dc=base_domain",
            "description":"Monitors can view and modify all resource attributes and perform operations not restricted by roles.",
            "users":[ ],
            "accounts":[ ]
         }
      },
      {
         "group":{
            "name":"Operators",
            "dn":"cn=Operators,ou=groups,ou=myrealm,dc=base_domain",
            "description":"Operators can view and modify all resource attributes and perform server lifecycle operations.",
            "users":[ ],
            "accounts":[ ]
         }
      },
      {
         "group":{
            "name":"OracleSystemGroup",
            "dn":"cn=OracleSystemGroup,ou=groups,ou=myrealm,dc=base_domain",
            "description":"Oracle application software system group.",
            "users":[
               {
                  "uid":"OracleSystemUser",
                  "lastname":"OracleSystemUser",
                  "dn":"uid=OracleSystemUser,ou=people,ou=myrealm,dc=base_domain"
               }
            ],
            "accounts":[ ]
         }
      },
      {
         "group":{
            "name":"OPAM_APPLICATION_CONFIGURATOR",
            "dn":"cn=OPAM_APPLICATION_CONFIGURATOR,ou=groups,ou=myrealm,dc=base_domain",
            "description":"OPAM_APPLICATION_CONFIGURATOR",
            "users":[
               {
                  "uid":"app_config",
                  "lastname":"app_config",
                  "dn":"uid=app_config,ou=people,ou=myrealm,dc=base_domain"
               }
            ],
            "accounts":[ ]
         }
      },
      {
         "group":{
            "name":"OPAM_SECURITY_ADMIN",
            "dn":"cn=OPAM_SECURITY_ADMIN,ou=groups,ou=myrealm,dc=base_domain",
            "description":"OPAM_SECURITY_ADMIN",
            "users":[
               {
                  "uid":"sec_admin",
                  "lastname":"sec_admin",
                  "dn":"uid=sec_admin,ou=people,ou=myrealm,dc=base_domain"
               }
            ],
            "accounts":[ ]
         }
      },
      {
         "group":{
            "name":"OPAM_USER_MANAGER",
            "dn":"cn=OPAM_USER_MANAGER,ou=groups,ou=myrealm,dc=base_domain",
            "description":"OPAM_USER_MANAGER",
            "users":[
               {
                  "uid":"user_manager",
                  "lastname":"user_manager",
                  "dn":"uid=user_manager,ou=people,ou=myrealm,dc=base_domain"
               }
            ],
            "accounts":[ ]
         }
      },
      {
         "group":{
            "name":"OPAM_SECURITY_AUDITOR",
            "dn":"cn=OPAM_SECURITY_AUDITOR,ou=groups,ou=myrealm,dc=base_domain",
            "description":"OPAM_SECURITY_AUDITOR",
            "users":[
               {
                  "uid":"sec_auditor",
                  "lastname":"sec_auditor",
                  "dn":"uid=sec_auditor,ou=people,ou=myrealm,dc=base_domain"
               }
            ],
            "accounts":[ ]
         }
      },
      {
         "group":{
            "name":"opamgroup1",
            "dn":"cn=opamgroup1,ou=groups,ou=myrealm,dc=base_domain",
            "description":"",
            "users":[
               {
                  "uid":"opamenduser1",
                  "firstname":"opamenduser1",
                  "lastname":"opamenduser1",
                  "dn":"uid=opamenduser1,ou=people,ou=myrealm,dc=base_domain"
               },
               {
                  "uid":"opamuser1",
                  "lastname":"opamuser1",
                  "dn":"uid=opamuser1,ou=people,ou=myrealm,dc=base_domain"
               }
            ],
            "accounts":[ ]
         }
      },
      {
         "group":{
            "name":"opamgroup2",
            "dn":"cn=opamgroup2,ou=groups,ou=myrealm,dc=base_domain",
            "description":"",
            "users":[
               {
                  "uid":"opamenduser1",
                  "firstname":"opamenduser1",
                  "lastname":"opamenduser1",
                  "dn":"uid=opamenduser1,ou=people,ou=myrealm,dc=base_domain"
               },
               {
                  "uid":"opamuser1",
                  "lastname":"opamuser1",
                  "dn":"uid=opamuser1,ou=people,ou=myrealm,dc=base_domain"
               }
            ],
            "accounts":[ ]
         }
      },
      {
         "group":{
            "name":"opamsubgroup1",
            "dn":"cn=opamsubgroup1,ou=groups,ou=myrealm,dc=base_domain",
            "description":"",
            "users":[ ],
            "accounts":[ ]
         }
      },
      {
         "group":{
            "name":"opamsubgroup2",
            "dn":"cn=opamsubgroup2,ou=groups,ou=myrealm,dc=base_domain",
            "description":"",
            "users":[ ],
            "accounts":[ ]
         }
      }
   ]
}

For attribute definitions, refer to Section B.1, "Target Resource" and Section B.2, "Account Resource."

B.6 Usage Policy Resource

The APIs described in this section include:

B.6.1 Create a Usage Policy

Use this API to create a Usage Policy.

URI

https://opam_server_host:opam_ssl_port/opam/usagepolicy

Method

POST

Body

JSON representation for Usage Policy creation

Returns on Success

Status code 201


Example B-29 Sample JSON Representation for Usage Policy Creation

{
   "usagepolicy":{
      "policystatus":"active",
      "policyname":"Default Usage Policy",
      "description":"Default Usage Policy",
      "dateorduration":"duration",
      "expireddateminutesfromcheckout":7200,
      "expireddate":"08\/08\/2088",
      "expireddatehour":0,
      "expireddateminutes":0,
      "expireddateamorpm":"am",
      "timezone":"America\/Los_Angeles",
      "usagedates":[
         {
            "day":"saturday",
            "fromhour":"12",
            "fromminutes":"0",
            "fromamorpm":"am",
            "tohour":"12",
            "tominutes":"0",
            "toamorpm":"am"
         },
         {
            "day":"wednesday",
            "fromhour":"12",
            "fromminutes":"0",
            "fromamorpm":"am",
            "tohour":"12",
            "tominutes":"0",
            "toamorpm":"am"
         },
         {
            "day":"sunday",
            "fromhour":"12",
            "fromminutes":"0",
            "fromamorpm":"am",
            "tohour":"12",
            "tominutes":"0",
            "toamorpm":"am"
         },
         {
            "day":"friday",
            "fromhour":"12",
            "fromminutes":"0",
            "fromamorpm":"am",
            "tohour":"12",
            "tominutes":"0",
            "toamorpm":"am"
         },
         {
            "day":"tuesday",
            "fromhour":"12",
            "fromminutes":"0",
            "fromamorpm":"am",
            "tohour":"12",
            "tominutes":"0",
            "toamorpm":"am"
         },
         {
            "day":"thursday",
            "fromhour":"12",
            "fromminutes":"0",
            "fromamorpm":"am",
            "tohour":"12",
            "tominutes":"0",
            "toamorpm":"am"
         },
         {
            "day":"monday",
            "fromhour":"12",
            "fromminutes":"0",
            "fromamorpm":"am",
            "tohour":"12",
            "tominutes":"0",
            "toamorpm":"am"
         }
      ]
   }
}

For attribute definitions, refer to Section B.1, "Target Resource" and Section B.2, "Account Resource." All parameters are optional, except policyname.

B.6.2 Retrieve a Usage Policy

Use this API to retrieve a Usage Policy.

URI

https://opam_server_host:opam_ssl_port/opam/usagepolicy/{policyid}

Method

GET

Body


Returns on Success

Status code 200 and JSON representation of Usage Policy


Example B-30 Sample JSON Representation of Usage Policy

{
   "usagepolicy":{
      "policyid":"usagepolicy1",
      "policystatus":"active",
      "policyname":"Default Usage Policy",
      "description":"Default Usage Policy",
      "globaldefault":"y",
      "dateorduration":"duration",
      "expireddateminutesfromcheckout":7200,
      "expireddate":"08\/08\/2088",
      "expireddatehour":0,
      "expireddateminutes":0,
      "expireddateamorpm":"am",
      "timezone":"America\/Los_Angeles",
      "usagedates":[
         {
            "day":"saturday",
            "fromhour":"12",
            "fromminutes":"0",
            "fromamorpm":"am",
            "tohour":"12",
            "tominutes":"0",
            "toamorpm":"am"
         },
         {
            "day":"wednesday",
            "fromhour":"12",
            "fromminutes":"0",
            "fromamorpm":"am",
            "tohour":"12",
            "tominutes":"0",
            "toamorpm":"am"
         },
         {
            "day":"sunday",
            "fromhour":"12",
            "fromminutes":"0",
            "fromamorpm":"am",
            "tohour":"12",
            "tominutes":"0",
            "toamorpm":"am"
         },
         {
            "day":"friday",
            "fromhour":"12",
            "fromminutes":"0",
            "fromamorpm":"am",
            "tohour":"12",
            "tominutes":"0",
            "toamorpm":"am"
         },
         {
            "day":"tuesday",
            "fromhour":"12",
            "fromminutes":"0",
            "fromamorpm":"am",
            "tohour":"12",
            "tominutes":"0",
            "toamorpm":"am"
         },
         {
            "day":"thursday",
            "fromhour":"12",
            "fromminutes":"0",
            "fromamorpm":"am",
            "tohour":"12",
            "tominutes":"0",
            "toamorpm":"am"
         },
         {
            "day":"monday",
            "fromhour":"12",
            "fromminutes":"0",
            "fromamorpm":"am",
            "tohour":"12",
            "tominutes":"0",
            "toamorpm":"am"
         }
      ],
      "accounts":[
         {
            "account":{
               "uri":"https:\/\/opam_server_host:opam_ssl_port\/opam\/account\/c11066278022489aad758aec69d9727d",
               "accountUID":"c11066278022489aad758aec69d9727d",
               "accountName":"himanshu",
               "status":"checkedIn",
               "targetName":"hhsharma-ldap",
               "targetType":"ldap",
               "targetUID":"9bbcbbb087174ad1900ea691a2573b61",
               "domain":"berkeley",
               "grantees":{
                  "users":[ ],
                  "roles":[
                     {
                        "role":{
                           "name":"Administrators",
                           "usagepolicy":"usagepolicy1",
                           "usagepolicyname":"Default Usage Policy",
                           "description":"Administrators can view and modify all resource attributes and start and stop servers."
                        }
                     },
                     {
                        "role":{
                           "name":"opamgroup1",
                           "usagepolicy":"usagepolicy1",
                           "usagepolicyname":"Default Usage Policy",
                           "description":""
                        }
                     },
                     {
                        "role":{
                           "name":"opamgroup2",
                           "usagepolicy":"usagepolicy1",
                           "usagepolicyname":"Default Usage Policy",
                           "description":""
                        }
                     }
                  ]
               }
            }
         },
         {
            "account":{
               "uri":"https:\/\/opam_server_host:opam_ssl_port\/opam\/account\/3740553e999a4f6aa8e8f9286d320cb4",
               "accountUID":"3740553e999a4f6aa8e8f9286d320cb4",
               "accountName":"sherlock",
               "status":"checkedOut",
               "targetName":"hhsharma-ldap",
               "targetType":"ldap",
               "targetUID":"9bbcbbb087174ad1900ea691a2573b61",
               "domain":"berkeley",
               "grantees":{
                  "users":[
                     {
                        "user":{
                           "uid":"sec_admin",
                           "usagepolicy":"usagepolicy1",
                           "usagepolicyname":"Default Usage Policy",
                           "lastname":"sec_admin",
                           "dn":"uid=sec_admin,ou=people,ou=myrealm,dc=base_domain"
                        }
                     },
                     {
                        "user":{
                           "uid":"opamenduser1",
                           "usagepolicy":"usagepolicy1",
                           "usagepolicyname":"Default Usage Policy",
                           "firstname":"opamenduser1",
                           "lastname":"opamenduser1",
                           "dn":"uid=opamenduser1,ou=people,ou=myrealm,dc=base_domain"
                        }
                     },
                     {
                        "user":{
                           "uid":"opamenduser2",
                           "usagepolicy":"usagepolicy1",
                           "usagepolicyname":"Default Usage Policy",
                           "lastname":"opamenduser2",
                           "dn":"uid=opamenduser2,ou=people,ou=myrealm,dc=base_domain"
                        }
                     },
                     {
                        "user":{
                           "uid":"opamuser1",
                           "usagepolicy":"usagepolicy1",
                           "usagepolicyname":"Default Usage Policy",
                           "lastname":"opamuser1",
                           "dn":"uid=opamuser1,ou=people,ou=myrealm,dc=base_domain"
                        }
                     }
                  ],
                  "roles":[ ]
               }
            }
         },
         {
            "account":{
               "uri":"https:\/\/opam_server_host:opam_ssl_port\/opam\/account\/154034fc5b5548caad7721e198815709",
               "accountUID":"154034fc5b5548caad7721e198815709",
               "accountName":"lucie",
               "status":"checkedIn",
               "targetName":"hhsharma-ldap",
               "targetType":"ldap",
               "targetUID":"9bbcbbb087174ad1900ea691a2573b61",
               "domain":"berkeley",
               "grantees":{
                  "users":[
                     {
                        "user":{
                           "uid":"opamuser1",
                           "usagepolicy":"usagepolicy1",
                           "usagepolicyname":"Default Usage Policy",
                           "lastname":"opamuser1",
                           "dn":"uid=opamuser1,ou=people,ou=myrealm,dc=base_domain"
                        }
                     },
                     {
                        "user":{
                           "uid":"opamenduser2",
                           "usagepolicy":"usagepolicy1",
                           "usagepolicyname":"Default Usage Policy",
                           "lastname":"opamenduser2",
                           "dn":"uid=opamenduser2,ou=people,ou=myrealm,dc=base_domain"
                        }
                     }
                  ],
                  "roles":[ ]
               }
            }
         }
      ]
   }
}

Where:

  • usagepolicy is a usagepolicy JSON object.

  • policyid is the Usage Policy's unique identifier.

  • policystatus is set to active or disabled.

  • policyname is the name of the policy.

  • description is a description of the policy.

  • globaldefault indicates whether the policy is the global default policy or not.

  • dateorduration indicates how the expiration time is calculated.

    • If set to date, then expireddate, expireddatehour, expireddateminutes, and expireddateamorpm are used.

    • If set to duration, then expireddateminutesfromcheckout is used.

    Where:

    • expireddate is the date of expiration.

    • expireddatehour is an integer value between 0 and 12.

    • expireddateminutes is an integer value between 0 and 60.

    • expireddateamorpm is a.m. or p.m.

    • expireddateminutesfromcheckout is the number of minutes from checkout.

  • timezone is a time zone for the Usage Policy.

  • usagedates is an array, where each value represents the check out time for individual days.

  • day is a day of the week, where acceptable values are sunday, monday, tuesday, wednesday, thursday, friday, and saturday.

Use the following attributes to indicate the from and to times of the range:

  • fromhour is an integer value between 0 and 12.

  • fromminutes is an integer value between 0 and 60.

  • fromamorpm is a.m. or p.m.

  • tohour is an integer value between 0 and 12.

  • tominutes is an integer value between 0 and 60.

  • toamorpm is a.m. or p.m.

B.6.3 Update a Usage Policy

Use this API to update a Usage Policy. You can update all attributes, except policyid, and you can update multiple attributes at a time.

URI

https://opam_server_host:opam_ssl_port/opam/usagepolicy/{policyid}

Method

PUT

Body

JSON representation of Usage Policy modification

Returns on Success

Status code 200


Example B-31 Sample JSON Representation of Usage Policy Modification

{
   "modifications":[
      {
         "modification":{
            "usagedates":[
               {
                  "day":"saturday",
                  "fromhour":"12",
                  "fromminutes":"0",
                  "fromamorpm":"am",
                  "tohour":"12",
                  "tominutes":"0",
                  "toamorpm":"am"
               },
               {
                  "day":"wednesday",
                  "fromhour":"12",
                  "fromminutes":"0",
                  "fromamorpm":"am",
                  "tohour":"12",
                  "tominutes":"0",
                  "toamorpm":"am"
               }
            ]
         }
      },
      {
         "modification":{
            "expireddatehour":2
         }
      }
   ]
}

Where:

  • modifications is an array of modification JSON objects.

  • modification is a JSON object representing a single attribute.

The usagedates and expireddatehour attributes are updated on the target policy; each is set to the value provided with it.
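The rules of Sections B.6.1 through B.6.3 worked through in Python, as an added example that is not Oracle's code or part of this guide: it validates a Usage Policy body against the attribute list above, computes when a checkout expires for both dateorduration modes, and builds the PUT body of Example B-31. It assumes expireddate is MM/DD/YYYY and that 12 am is midnight and 12 pm noon; the policy dictionaries are constructed copies of Example B-29.

```python
# Added example: Usage Policy body checks for the OPAM REST API (Section B.6).
# Not Oracle's code. Assumptions: expireddate is MM/DD/YYYY; "12 am" is 00:00
# and "12 pm" is 12:00; all other attribute meanings follow Section B.6.2.
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

UTC = timezone.utc
DAYS = ("sunday", "monday", "tuesday", "wednesday", "thursday", "friday", "saturday")
WINDOW_LIMITS = (("fromhour", 12), ("fromminutes", 60), ("tohour", 12), ("tominutes", 60))

# Constructed from Example B-29 (a single usagedates entry kept for brevity).
EXAMPLE_B29 = {"usagepolicy": {
    "policystatus": "active",
    "policyname": "Default Usage Policy",
    "dateorduration": "duration",
    "expireddateminutesfromcheckout": 7200,
    "expireddate": "08/08/2088",
    "expireddatehour": 0,
    "expireddateminutes": 0,
    "expireddateamorpm": "am",
    "timezone": "America/Los_Angeles",
    "usagedates": [{"day": "saturday", "fromhour": "12", "fromminutes": "0",
                    "fromamorpm": "am", "tohour": "12", "tominutes": "0",
                    "toamorpm": "am"}],
}}
# The same policy switched to a fixed expiration date (dateorduration = date).
DATE_POLICY = {"usagepolicy": dict(EXAMPLE_B29["usagepolicy"], dateorduration="date")}
CHECKOUT_AT = datetime(2012, 8, 17, 10, 0, tzinfo=UTC)   # constructed checkout time


def validate_usage_policy(body):
    """Return the problems found in a {"usagepolicy": {...}} body; [] means OK."""
    policy = body.get("usagepolicy")
    if not isinstance(policy, dict):
        return ["body must contain a usagepolicy JSON object"]
    problems = []
    if not policy.get("policyname"):  # the only mandatory attribute (B.6.1)
        problems.append("policyname is required")
    if policy.get("policystatus", "active") not in ("active", "disabled"):
        problems.append("policystatus must be active or disabled")
    mode = policy.get("dateorduration", "duration")
    if mode == "duration":
        if "expireddateminutesfromcheckout" not in policy:
            problems.append("duration mode requires expireddateminutesfromcheckout")
    elif mode == "date":
        if "expireddate" not in policy:
            problems.append("date mode requires expireddate")
        if not 0 <= int(policy.get("expireddatehour", 0)) <= 12:
            problems.append("expireddatehour must be between 0 and 12")
        if not 0 <= int(policy.get("expireddateminutes", 0)) <= 60:
            problems.append("expireddateminutes must be between 0 and 60")
        if policy.get("expireddateamorpm", "am") not in ("am", "pm"):
            problems.append("expireddateamorpm must be am or pm")
    else:
        problems.append("dateorduration must be date or duration")
    for window in policy.get("usagedates", []):
        day = window.get("day")
        if day not in DAYS:
            problems.append("unknown day %r in usagedates" % (day,))
        for field, limit in WINDOW_LIMITS:
            if not 0 <= int(window.get(field, 0)) <= limit:
                problems.append("%s must be between 0 and %d (%s)" % (field, limit, day))
        for field in ("fromamorpm", "toamorpm"):
            if window.get(field, "am") not in ("am", "pm"):
                problems.append("%s must be am or pm (%s)" % (field, day))
    return problems


def to_24h(hour, amorpm):
    """12-hour clock to 24-hour clock (assumption: 12 am = 0, 12 pm = 12)."""
    hour = int(hour) % 12
    return hour + 12 if amorpm == "pm" else hour


def checkout_expiry(policy, checkout_at, tz=None):
    """Expiry of a checkout made at checkout_at under a usagepolicy object.
    duration: checkout time plus expireddateminutesfromcheckout minutes;
    date: the fixed expireddate/hour/minutes in the policy's timezone
    (tz overrides the policy's timezone, for hosts without a tz database)."""
    if policy.get("dateorduration", "duration") == "duration":
        return checkout_at + timedelta(minutes=int(policy["expireddateminutesfromcheckout"]))
    month, day, year = (int(part) for part in policy["expireddate"].split("/"))
    return datetime(year, month, day,
                    to_24h(policy.get("expireddatehour", 0), policy.get("expireddateamorpm", "am")),
                    int(policy.get("expireddateminutes", 0)),
                    tzinfo=tz or ZoneInfo(policy.get("timezone", "UTC")))


def build_modifications(changes):
    """PUT body of Section B.6.3: one modification object per changed attribute."""
    if "policyid" in changes:
        raise ValueError("policyid cannot be updated")
    return {"modifications": [{"modification": {key: value}} for key, value in changes.items()]}


if __name__ == "__main__":
    print("problems:", validate_usage_policy(EXAMPLE_B29))
    print("expires :", checkout_expiry(EXAMPLE_B29["usagepolicy"], CHECKOUT_AT).isoformat())
    print("PUT body:", build_modifications({"expireddatehour": 2}))
```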

B.6.4 Delete a Usage Policy

Use this API to delete a Usage Policy.

URI

https://opam_server_host:opam_ssl_port/opam/usagepolicy/{policyid}

Method

DELETE

Body


Returns on Success

Status 200


B.7 Password Policy Resource

The APIs described in this section include:

B.7.1 Create a Password Policy

Use this API to create a Password Policy.

URI

https://opam_server_host:opam_ssl_port/opam/passwordpolicy

Method

POST

Body

JSON representation for Password Policy creation

Returns on Success

Status code 201


Example B-32 Sample JSON Representation for Password Policy Creation

{
   "passwordpolicy":{
      "policystatus":"active",
      "policyname":"Default Password Policy",
      "description":"Default Password Policy",
      "passwordchangedurationunit":"days",
      "passwordchangedurationvalue":30,
      "changeoncheckin":"y",
      "changeoncheckout":"y",
      "passwordcharsmin":8,
      "passwordcharsmax":8,
      "passwordalphabeticmin":1,
      "passwordnumericmin":1,
      "passwordalphanumericmin":2,
      "passworduniquemin":1,
      "passworduppercasemin":1,
      "passwordlowercasemin":1,
      "passwordspecialmin":0,
      "passwordspecialmax":0,
      "passwordrepeatedmin":0,
      "passwordrepeatedmax":1,
      "startingchar":"n",
      "isaccountnameallowed":"n",
      "requiredchars":[
         "a",
         "h",
         "j"
      ],
      "allowedchars":[
         "b",
         "t",
         "y",
         "p",
         "u",
         "r",
         "o",
         "k",
         "1",
         "2",
         "=",
         "M",
         "a",
         "h",
         "j"
      ],
      "disalloweddchars":[
         "7",
         "8",
         "l"
      ]
   }
}

All attributes are optional, except policyname.

B.7.2 Retrieve a Password Policy

Use this API to retrieve a Password Policy.

URI

https://opam_server_host:opam_ssl_port/opam/passwordpolicy/{policyid}

Method

GET

Body


Returns on Success

Status code 200 and JSON representation of Password Policy


Example B-33 Sample JSON Representation of Password Policy

{
   "passwordpolicy":{
      "policyid":"passwordpolicy2",
      "policystatus":"active",
      "policyname":"Default Password Policy",
      "description":"Default Password Policy",
      "globaldefault":"y",
      "passwordchangedurationunit":"days",
      "passwordchangedurationvalue":30,
      "changeoncheckin":"y",
      "changeoncheckout":"y",
      "passwordcharsmin":8,
      "passwordcharsmax":8,
      "passwordalphabeticmin":1,
      "passwordnumericmin":1,
      "passwordalphanumericmin":2,
      "passworduniquemin":1,
      "passworduppercasemin":1,
      "passwordlowercasemin":1,
      "passwordspecialmin":0,
      "passwordspecialmax":0,
      "passwordrepeatedmin":0,
      "passwordrepeatedmax":1,
      "startingchar":"n",
      "isaccountnameallowed":"n",
      "requiredchars":[
         "a",
         "h",
         "j"
      ],
      "allowedchars":[
         "b",
         "t",
         "y",
         "p",
         "u",
         "r",
         "o",
         "k",
         "1",
         "2",
         "=",
         "M",
         "a",
         "h",
         "j"
      ],
      "disalloweddchars":[
         "7",
         "8",
         "l"
      ],
      "accounts":[
         {
            "account":{
               "uri":"https:\/\/opam_server_host:opam_ssl_port\/opam\/account\/3740553e999a4f6aa8e8f9286d320cb4",
               "accountUID":"3740553e999a4f6aa8e8f9286d320cb4",
               "accountName":"sherlock",
               "status":"checkedOut",
               "targetName":"hhsharma-ldap",
               "targetType":"ldap",
               "domain":"berkeley",
               "grantees":{
                  "users":[ ],
                  "roles":[ ]
               }
            }
         },
         {
            "account":{
               "uri":"https:\/\/opam_server_host:opam_ssl_port\/opam\/account\/c11066278022489aad758aec69d9727d",
               "accountUID":"c11066278022489aad758aec69d9727d",
               "accountName":"himanshu",
               "status":"checkedIn",
               "targetName":"hhsharma-ldap",
               "targetType":"ldap",
               "domain":"berkeley",
               "grantees":{
                  "users":[ ],
                  "roles":[ ]
               }
            }
         },
         {
            "account":{
               "uri":"https:\/\/opam_server_host:opam_ssl_port\/opam\/account\/154034fc5b5548caad7721e198815709",
               "accountUID":"154034fc5b5548caad7721e198815709",
               "accountName":"lucie",
               "status":"checkedIn",
               "targetName":"hhsharma-ldap",
               "targetType":"ldap",
               "domain":"berkeley",
               "grantees":{
                  "users":[ ],
                  "roles":[ ]
               }
            }
         }
      ]
   }
}

Where:

  • passwordpolicy is a passwordpolicy JSON object.

  • policyid is the policy's unique identifier.

  • policystatus is the policy's status, where acceptable values are active or disabled.

  • policyname is the policy name.

  • description is a description of the policy.

  • globaldefault indicates whether the policy is a global default or not.

  • dateorduration indicates how the expiration time is calculated.

    • If set to date, then expireddate, expireddatehour, expireddateminutes, and expireddateamorpm are used.

    • If set to duration, then expireddateminutesfromcheckout is used.

    Where:

    • expireddate is the date of expiration.

    • expireddatehour is an integer value between 0 and 12.

    • expireddateminutes is an integer value between 0 and 60.

    • expireddateamorpm is a.m. or p.m.

    • expireddateminutesfromcheckout is the number of minutes from checkout.

  • timezone is a time zone for the Usage Policy.

  • usagedates is an array, where each value represents the check out time for individual days.

  • day is a day of the week, where acceptable values are sunday, monday, tuesday, wednesday, thursday, friday, and saturday.

For other attribute definitions, refer to Section B.2, "Account Resource."

B.7.3 Delete a Password Policy

Use this API to delete a Password Policy.

URI

https://opam_server_host:opam_ssl_port/opam/passwordpolicy/{policyid}

Method

DELETE

Body


Returns on Success

Status 200


B.7.4 Update a Password Policy

Use this API to update a Password Policy. You can update all of the attributes, except policyid, and you can update multiple attributes at a time.

URI

https://opam_server_host:opam_ssl_port/opam/passwordpolicy/{policyid}

Method

PUT

Body

JSON representation for Password Policy modification

Returns on Success

Status code 201


Example B-34 Sample JSON Representation of Password Policy Modification

{
   "modifications":[
      {
         "modification":{
            "disalloweddchars":[
               "4",
               "6"
            ]
         }
      },
      {
         "modification":{
            "passwordalphabeticmin":2
         }
      }
   ]
}

Where:

  • modifications is an array of modification JSON objects.

  • modification is a JSON object representing a single attribute.

The disalloweddchars and passwordalphabeticmin attributes are updated on the target policy; each is set to the value provided with it.
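As an added example that is not Oracle's code, the following Python module checks a candidate password against the attributes of Example B-32 and applies the modification body of Example B-34 to the policy, so the effect of an update can be seen on a concrete password. The page does not define the password attributes, so their meanings (each *min/*max bounding a character-class count, requiredchars all present, allowedchars as the complete alphabet, disalloweddchars never present, isaccountnameallowed "n" rejecting the account name) are assumptions taken from the attribute names; startingchar is left uninterpreted.

```python
# Added example: check a candidate password against an OPAM Password Policy
# (Examples B-32/B-33) and apply a B-34 style modification body to it.
# Not Oracle's code. Attribute semantics are assumptions from the names:
# each *min/*max bounds the count of characters of that class, requiredchars
# must all appear, allowedchars (when present) is the complete alphabet,
# disalloweddchars may never appear, and isaccountnameallowed "n" rejects a
# password containing the account name. startingchar is not interpreted.
import string

SPECIAL = set(string.punctuation)   # assumption: ASCII punctuation counts as special

# Constructed copy of Example B-32.
EXAMPLE_B32 = {"passwordpolicy": {
    "policystatus": "active",
    "policyname": "Default Password Policy",
    "passwordcharsmin": 8, "passwordcharsmax": 8,
    "passwordalphabeticmin": 1, "passwordnumericmin": 1,
    "passwordalphanumericmin": 2, "passworduniquemin": 1,
    "passworduppercasemin": 1, "passwordlowercasemin": 1,
    "passwordspecialmin": 0, "passwordspecialmax": 0,
    "passwordrepeatedmin": 0, "passwordrepeatedmax": 1,
    "startingchar": "n", "isaccountnameallowed": "n",
    "requiredchars": ["a", "h", "j"],
    "allowedchars": list("btypurok12=Mahj"),
    "disalloweddchars": ["7", "8", "l"],
}}
# Constructed copy of Example B-34.
EXAMPLE_B34 = {"modifications": [
    {"modification": {"disalloweddchars": ["4", "6"]}},
    {"modification": {"passwordalphabeticmin": 2}},
]}


def password_violations(policy_body, password, account_name=""):
    """Return the policy rules the password violates; [] means it is acceptable."""
    p = policy_body["passwordpolicy"]
    alpha = sum(c.isalpha() for c in password)
    digits = sum(c.isdigit() for c in password)
    counts = {
        "passwordchars": len(password),
        "passwordalphabetic": alpha,
        "passwordnumeric": digits,
        "passwordalphanumeric": alpha + digits,
        "passwordunique": len(set(password)),
        "passworduppercase": sum(c.isupper() for c in password),
        "passwordlowercase": sum(c.islower() for c in password),
        "passwordspecial": sum(c in SPECIAL for c in password),
        # assumption: a "repeated" character is one that duplicates an earlier one
        "passwordrepeated": len(password) - len(set(password)),
    }
    violations = []
    for key, count in counts.items():
        low, high = p.get(key + "min"), p.get(key + "max")
        if low is not None and count < low:
            violations.append("%smin: %d < %d" % (key, count, low))
        if high is not None and count > high:
            violations.append("%smax: %d > %d" % (key, count, high))
    missing = [c for c in p.get("requiredchars", []) if c not in password]
    if missing:
        violations.append("requiredchars missing: " + "".join(missing))
    allowed = set(p.get("allowedchars", []))
    if allowed:
        outside = sorted(set(password) - allowed)
        if outside:
            violations.append("characters outside allowedchars: " + "".join(outside))
    banned = sorted(set(password) & set(p.get("disalloweddchars", [])))
    if banned:
        violations.append("disalloweddchars present: " + "".join(banned))
    if (p.get("isaccountnameallowed", "y") == "n" and account_name
            and account_name.lower() in password.lower()):
        violations.append("password contains the account name")
    return violations


def apply_modifications(policy_body, modifications_body):
    """Apply a {"modifications": [...]} PUT body (Section B.7.4) to a copy of the policy."""
    updated = dict(policy_body["passwordpolicy"])
    for item in modifications_body["modifications"]:
        for key, value in item["modification"].items():
            if key == "policyid":   # B.7.4: every attribute except policyid is updatable
                raise ValueError("policyid cannot be updated")
            updated[key] = value
    return {"passwordpolicy": updated}


if __name__ == "__main__":
    for candidate in ("ahjbtyM1", "ahjbty71"):
        print(candidate, password_violations(EXAMPLE_B32, candidate, "sherlock") or "OK")
    after = apply_modifications(EXAMPLE_B32, EXAMPLE_B34)
    print("after B-34:", password_violations(after, "ahj4tyM1", "sherlock"))
```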

B.8 Policy Resource

The APIs described in this section include:

B.8.1 Search for Policies

Use this API to search for policies. This API performs a contains search, using one or more of the following parameters:

  • policystatus

  • policyname

  • accountname

All of the parameters are optional.

URI

https://opam_server_host:opam_ssl_port/opam/policy/search?param1=val1&param2=val2

Method

GET

Body


Returns on Success

Status code 200 and JSON representation of policies


Example B-35 Sample JSON Representation of Policies

{
   "usagepolicies":[
      {
         "policyname":"Default Usage Policy",
         "policyid":"usagepolicy1",
         "policystatus":"active",
         "globaldefault":"y"
      }
   ],
   "passwordpolicies":[
      {
         "policyname":"Default Password Policy",
         "policyid":"passwordpolicy2",
         "policystatus":"active",
         "globaldefault":"y"
      }
   ]
}

Where:

  • usagepolicies is an array of Usage Policies.

  • passwordpolicies is an array of Password Policies.

  • policyname is the policy name.

  • policyid is the policy's unique identifier.

  • policystatus is the policy status, where acceptable values are active or disabled.

B.8.2 Get Default Policies

Use this API to get the Default Usage Policy and Default Password Policy.

URI

https://opam_server_host:opam_ssl_port/opam/policy/default

Method

GET

Body


Returns on Success

Status code 200 and JSON representation of policies


Example B-36 Sample JSON Representation of Policies

{
   "usagepolicies":[
      {
         "policyname":"Default Usage Policy",
         "policyid":"usagepolicy1",
         "policystatus":"active"
      }
   ],
   "passwordpolicies":[
      {
         "policyname":"Default Password Policy",
         "policyid":"passwordpolicy2",
         "policystatus":"active"
      }
   ]
}

Where:

  • usagepolicies is an array of Usage Policies.

  • passwordpolicies is an array of Password Policies.

  • policyname is the policy name.

  • policyid is the policy's unique identifier.

  • policystatus is the policy status, where acceptable values are active or disabled.

This API only returns the default policies, Default Usage Policy and Default Password Policy.


6 Managing Oracle Privileged Account Manager Auditing and Logging

This chapter describes how to configure and use Oracle Privileged Account Manager's auditing and logging functionality.

The topics in this chapter include:

6.1 Understanding Oracle Privileged Account Manager Auditing

Oracle Privileged Account Manager audits all security events that occur under its purview, which gives you better visibility into how privileged accounts are used within your organization and enables you to effectively manage sensitive information.

Specifically, the Oracle Privileged Account Manager audit logger logs any event that modifies an entity's state, such as when you add, modify, or remove accounts, targets, or policies.

The following table describes all of the event categories and event types for which an audit can be generated:

Table 6-1 Audited OPAM Events

Event Category: Account Management

Description: Events related to managing principal accounts

Note: A principal can be an end-user or a pseudo-user (a service within the system).

Event Types:

  • Add Account: Adding users, groups, or any other principal accounts

  • Change Password: Changes to user passwords

  • Disable Account: Disabling users, groups, or any other principal accounts

  • Enable Account: Enabling users, groups, or any other principal accounts

  • Modify Account: Modifying account attributes

  • Query Account: Queries to a user's account

  • Remove Account: Removing users, groups, or any other principal accounts

Event Category: Policy Management

Description: Events related to managing policies

Event Types:

  • Create Policy: Creating policies

  • Delete Policy: Deleting policies

  • Modify Policy: Modifying policies

  • Query Policy: Querying policies

Event Category: Target Management

Description: Events related to managing targets

Event Types:

  • Add Target: Adding targets

  • Modify Target: Modifying targets

  • Query Target: Querying targets

  • Remove Target: Removing targets


Logging these audit events creates a processing history that allows reporting tools to gather statistics, as described in Section 6.1.2, "Understanding Oracle Privileged Account Manager Audit Reports."

6.1.1 Configuring Auditing in Oracle Privileged Account Manager

You can configure Oracle Privileged Account Manager to save audit events into a database or a file. When a database is not available, Oracle Privileged Account Manager saves its audit logs into the following file:

DOMAIN_HOME/servers/<opamserver>/logs/auditlogs/opam#11.1.2.0.0

You can also configure Oracle Privileged Account Manager to deploy audit reports in BI Publisher (version 11.1.1.5.0 or higher), and you can use BI Publisher to view audit events in the database.

The following topics provide instructions for configuring auditing in Oracle Privileged Account Manager:

6.1.1.1 Configuring File-Based Auditing in Oracle Privileged Account Manager

Use the following steps to configure file-based auditing in Oracle Privileged Account Manager:


Note:

These instructions assume you have already installed a WebLogic server.


  1. Open a command window and change directory (cd) to

    DOMAIN_HOME/config/fmwconfig/
    
  2. Edit the jps-config.xml file by changing the audit.filterPreset parameter from None to All, Medium, or Low depending on the type of events to be audited.


    Note:

    See Section 6.1.1.4, "Setting the Audit Logging Levels" for more information.


    For example,

    <serviceInstance location="./audit-store.xml" provider="audit.provider" name="audit.db">
      <property name="audit.filterPreset" value="All"/>
      <property name="audit.maxDirSize" value="0"/>
      <property name="audit.maxFileSize" value="104857600"/>
      <property name="audit.loader.jndi" value="jdbc/AuditDB"/>
      <property name="audit.loader.interval" value="15"/>
      <property name="audit.loader.repositoryType" value="File"/>
      <property name="auditstore.type" value="file"/>
    </serviceInstance>
    
  3. Restart the Oracle Privileged Account Manager server.

    After the server restarts, audit logs will start appearing in this location:

    DOMAIN_HOME/servers/<opamserver>/logs/auditlogs/opam#11.1.2.0.0
    

6.1.1.2 Configuring Database-Based Auditing in Oracle Privileged Account Manager

This section describes how to configure database-based auditing in Oracle Privileged Account Manager.

Prerequisites

If you want to generate audit reports from a database and BI Publisher, then you must install

To configure database-based auditing:

  1. Download the Repository Creation Utility .zip file from Oracle Technology Network (OTN):

    http://www.oracle.com/technology/

  2. Run ./rcu to load the audit schema into the database.

    By default, this step creates the dev_iau user in the database and loads tables under this user.

  3. Log in to the WebLogic Server Administrative Console to configure WebLogic.

    http://adminserver_host:adminserver_port/console

  4. Navigate to Services > Data Sources.

    Click New to create a new data source.

  5. Enter the following information to create a JDBC data source.

    1. Type jdbc/AuditDB in the Name field.

    2. Leave the JNDI Name field blank.

    3. Select Oracle's Driver (Thin) for instance connections that are Versions 9.0.1 and later.

    4. Leave Transaction Options set to the default setting.

    5. Specify the DB name, host, and listener port.

    6. Specify the Audit DB user (for example, dev_iau) and apply it to both the Admin and Managed servers.

    7. Test the connection and apply it to both the Admin and Managed Servers.


    Note:

    Refer to "Create JDBC Data Sources" in the Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help for more information about creating a JDBC data source and deploying it on a server.


  6. Edit the jps-config.xml file, located in DOMAIN_HOME/config/fmwconfig/jps-config.xml, as follows:

    1. Change the <property value="File" name="audit.loader.repositoryType"/> parameter to <property value="Db" name="audit.loader.repositoryType"/>.

    2. Change the audit.filterPreset parameter from None to All, Medium, or Low depending on the type of events to be audited.


      Note:

      See Section 6.1.1.4, "Setting the Audit Logging Levels" for more information.


      For example,

      <serviceInstance location="./audit-store.xml" provider="audit.provider" name="audit">
        <property name="audit.filterPreset" value="All"/>
        <property name="audit.maxDirSize" value="0"/>
        <property name="audit.maxFileSize" value="104857600"/>
        <property name="audit.loader.jndi" value="jdbc/AuditDB"/>
        <property name="audit.loader.interval" value="15"/>
        <property name="audit.loader.repositoryType" value="Db"/>
        <property name="auditstore.type" value="file"/>
      </serviceInstance>
      
  7. Restart the Oracle Privileged Account Manager server.
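To confirm that the jps-config.xml edits of Sections 6.1.1.1 and 6.1.1.2 took effect before the restart, this added Python script (not Oracle's code) parses the audit serviceInstance, flags a preset still at None or a Db repository without its JNDI data source, and answers which event types a preset logs according to the lists in Section 6.1.1.4. The XML samples inside it are constructed from the fragments shown above.

```python
# Added example: read the audit serviceInstance of a jps-config.xml and report
# whether OPAM auditing is effectively on (Sections 6.1.1.1, 6.1.1.2, 6.1.1.4).
# Not Oracle's code. The XML samples are constructed from the page's fragments;
# the preset-to-event mapping is the one Section 6.1.1.4 spells out.
import xml.etree.ElementTree as ET

VALID_PRESETS = ("None", "Low", "Medium", "All")

# Event types Section 6.1.1.4 lists for the Low and Medium presets.
LOW_EVENTS = {
    "AccountManagement": {"ChangePassword", "CheckinAccount", "CreateAccount",
                          "DeleteAccount", "DisableAccount", "EnableAccount",
                          "ModifyAccount"},
    "PolicyManagement": {"CreatePolicy", "DeletePolicy", "ModifyPolicy"},
    "TargetManagement": {"CreateTarget", "DeleteTarget", "ModifyTarget"},
}
MEDIUM_ACCOUNT_EVENTS = LOW_EVENTS["AccountManagement"] | {"QueryAccount"}

# Constructed sample: file-based auditing as configured in Section 6.1.1.1.
SAMPLE_FILE_AUDIT = """<jpsConfig>
  <serviceInstances>
    <serviceInstance location="./audit-store.xml" provider="audit.provider" name="audit">
      <property name="audit.filterPreset" value="All"/>
      <property name="audit.maxDirSize" value="0"/>
      <property name="audit.maxFileSize" value="104857600"/>
      <property name="audit.loader.jndi" value="jdbc/AuditDB"/>
      <property name="audit.loader.interval" value="15"/>
      <property name="audit.loader.repositoryType" value="File"/>
      <property name="auditstore.type" value="file"/>
    </serviceInstance>
  </serviceInstances>
</jpsConfig>"""
# Constructed sample: preset left at None, repository set to Db, JNDI entry missing.
SAMPLE_BROKEN = SAMPLE_FILE_AUDIT.replace('value="All"', 'value="None"') \
    .replace('value="File"', 'value="Db"') \
    .replace('<property name="audit.loader.jndi" value="jdbc/AuditDB"/>', "")


def _local(tag):
    """Strip an XML namespace prefix; real jps-config.xml files declare one."""
    return tag.rsplit("}", 1)[-1]


def audit_settings(xml_text):
    """Return the audit.provider property map and a list of findings (empty = healthy)."""
    root = ET.fromstring(xml_text)
    for element in root.iter():
        if _local(element.tag) == "serviceInstance" and element.get("provider") == "audit.provider":
            settings = {child.get("name"): child.get("value")
                        for child in element if _local(child.tag) == "property"}
            break
    else:
        return {}, ["no serviceInstance with provider audit.provider found"]
    findings = []
    preset = settings.get("audit.filterPreset", "None")
    if preset not in VALID_PRESETS:
        findings.append("audit.filterPreset %r is not one of %s" % (preset, ", ".join(VALID_PRESETS)))
    elif preset == "None":
        findings.append("audit.filterPreset is None: no OPAM events are audited")
    if settings.get("audit.loader.repositoryType") == "Db" and not settings.get("audit.loader.jndi"):
        findings.append("repositoryType is Db but audit.loader.jndi (jdbc/AuditDB) is missing")
    return settings, findings


def is_event_audited(preset, category, event):
    """Whether an event type of a category is logged under a preset (Section 6.1.1.4)."""
    if preset == "All":
        return True
    if preset == "Medium":
        return (category in ("PolicyManagement", "TargetManagement")
                or (category == "AccountManagement" and event in MEDIUM_ACCOUNT_EVENTS))
    if preset == "Low":
        return event in LOW_EVENTS.get(category, set())
    return False   # None, or an unknown preset


if __name__ == "__main__":
    for sample in (SAMPLE_FILE_AUDIT, SAMPLE_BROKEN):
        settings, findings = audit_settings(sample)
        print(settings.get("audit.filterPreset"), settings.get("audit.loader.repositoryType"),
              findings or "OK")
```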

6.1.1.3 Deploying Oracle Privileged Account Manager Audit Reports in BI Publisher

This section describes how to deploy Oracle Privileged Account Manager audit reports in BI Publisher, a component used to manage and deliver reports.

Use the following steps:

  1. Install and configure Oracle Business Intelligence Publisher (BI Publisher) version 11.1.1.5.0 or higher if it is not already installed.

    Refer to "Configuring Oracle Business Intelligence Publisher" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Navigator for instructions.

  2. After installing BI Publisher, locate the following directory in the WebLogic domain:


    Note:

    BI Publisher can be deployed on the same host or in a different domain.


    BI_DOMAIN_HOME/config/bupublisher/repository/Reports
    
  3. Locate the opam_product_BIP11gReports_11_1_1_6_0.zip file in the following directory:

    ORACLE_HOME/opam/reports
    

    Unzip this file into the Reports folder noted in step 2.

  4. To set up the catalog and configure data sources, open a browser window and enter the URL for BI Publisher.

    The format for this URL is

    http://hostname:port/xmlpserver/

    For example

    http://localhost:7001/xmlpserver/

  5. When the BI Publisher login page displays, log in as a user with WebLogic privileges and click Sign In.

  6. Set up the catalog as follows:

    1. Select Administration > System Maintenance > Server Configuration.

    2. Open the Catalog dialog, select the BI Publisher - File System from the Catalog Type menu, and enter the following path in the Path field:

      BI_DOMAIN_HOME/config/bupublisher/repository/Reports
      
    3. Log in as an administrator.

    4. Click Catalog to open the Shared Folder/Oracle Privileged Account Manager folder.


      Note:

      If this folder does not display, restart the application from the WebLogic console.


  7. One JDBC (Oracle Privileged Account Manager JDBC) connection is required for Oracle Privileged Account Manager reports. Use the following steps to define an Oracle Privileged Account Manager JDBC connection and define the data sources:

    1. Click the Administration link found on the right side of the BI Publisher page.

      The BI Publisher Administration page displays. (Note the Data Sources section on this page.)

    2. Click the JDBC Connection link found in the Data Sources section.

    3. When the Data Sources page displays, click Add Data Source in the JDBC section to create a JDBC connection to your database.

    4. On the Add Data Source page, enter the following information:

      • Data Source Name: Oracle Privileged Account Manager JDBC

      • Driver Type: Select a driver type to suit your database (for example, Oracle 10g or Oracle 11g).

      • Database Driver Class: oracle.jdbc.driver.OracleDriver (Define a driver class to suit your database.)

      • Connection String: Provide the database connection details. For example, hostname:port:sid.

      • User name: Provide the Oracle Privileged Account Manager Audit DB user name.

      • Password: Provide the Oracle Privileged Account Manager Audit DB user password.


      If the connection to the database is established, a confirmation message is displayed indicating the success.

    5. Click Apply.

      You should see this newly defined connection (Oracle Privileged Account Manager JDBC) in the list of JDBC Data Sources.

    6. Navigate to Oracle Privileged Account Manager Audit Reports.

      The Catalog page is displayed as a tree structure on the left side of the page with details on the right.

    7. Expand Shared Folders and select the Oracle Privileged Account Manager folder to view all of the objects in that folder.

  8. Use Oracle Identity Navigator to configure a connection to the BI Publisher server.

    Refer to "Creating a Connection to BI Publisher" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Navigator for the necessary instructions.

When you configure the connection successfully, the My Reports section of the Oracle Identity Navigator Dashboard page will contain the link, Click here to create reports. In addition, users with the Security Auditor role can now perform the following tasks:

  • View Oracle Identity Management BI Publisher reports and audit reports


    Note:

    Oracle Privileged Account Manager provides a set of out-of-the box audit reports that are integrated with BI Publisher 11g and the Oracle Fusion Middleware Audit Framework. Oracle Privileged Account Manager generates these reports based on audit events logged in the audit store. Refer to Section 6.1, "Understanding Oracle Privileged Account Manager Auditing" for more information.


  • Select and add reports to the My Reports list

  • View and run any reports for which you have access privileges

You can now navigate in BI Publisher and use the Oracle Privileged Account Manager 11g BI reports.

6.1.1.4 Setting the Audit Logging Levels

To change the amount of audit logging provided by Oracle Privileged Account Manager, use the following steps:

  1. Open a command window and change directory (cd) to

    DOMAIN_HOME/config/fmwconfig/
    
  2. Locate the jps-config.xml file.

  3. Change the audit.filterPreset parameter from None to one of the following settings:

    • All: Logs all event types.

    • Medium: Logs all event types in the PolicyManagement and TargetManagement categories, and the following event types in the AccountManagement category:

      • ChangePassword

      • CheckinAccount

      • CreateAccount

      • DeleteAccount

      • DisableAccount

      • EnableAccount

      • ModifyAccount

      • QueryAccount

    • Low: Logs the following event types:

      • In the AccountManagement category: ChangePassword, CheckinAccount, CreateAccount, DeleteAccount, DisableAccount, EnableAccount, and ModifyAccount

      • In the PolicyManagement category: CreatePolicy, DeletePolicy, and ModifyPolicy

      • In the TargetManagement category: CreateTarget, DeleteTarget, and ModifyTarget

    For example,

    <serviceInstance location="./audit-store.xml" provider="audit.provider" name="audit">
      <property value="All" name="audit.filterPreset"/>
      <property value="0" name="audit.maxDirSize"/>
      <property value="104857600" name="audit.maxFileSize"/>
      <property value="jdbc/AuditDB" name="audit.loader.jndi"/>
      <property value="15" name="audit.loader.interval"/>
      <property value="File" name="audit.loader.repositoryType"/>
      <property value="file" name="auditstore.type"/>
    </serviceInstance>
    
  4. Restart the Oracle Privileged Account Manager server.

    After the server restarts, audit logs will start appearing in the following location:

    DOMAIN_HOME/servers/<opamserver>/logs/auditlogs/opam#11.1.2.0.0
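As an added check (this is example code, not Oracle's), the following Python script reads the audit serviceInstance from a jps-config.xml file and reports whether the event types an auditor requires are actually recorded under the configured audit.filterPreset, using the coverage lists from the steps above. The XML fragment is constructed in the shape of the example above; a real file may carry a namespace, which the script tolerates.

```python
"""Check which Oracle Privileged Account Manager audit events a jps-config.xml
preset records. Added example, not Oracle's code; the preset coverage is the
one described in Section 6.1.1.4 and the XML below is constructed."""
import xml.etree.ElementTree as ET

# AccountManagement event types recorded by the Medium preset (PolicyManagement
# and TargetManagement are recorded in full at Medium).
MEDIUM_ACCOUNT_EVENTS = {
    "ChangePassword", "CheckinAccount", "CreateAccount", "DeleteAccount",
    "DisableAccount", "EnableAccount", "ModifyAccount", "QueryAccount",
}
# Event types recorded by the Low preset, per category.
LOW_EVENTS = {
    "AccountManagement": {
        "ChangePassword", "CheckinAccount", "CreateAccount", "DeleteAccount",
        "DisableAccount", "EnableAccount", "ModifyAccount",
    },
    "PolicyManagement": {"CreatePolicy", "DeletePolicy", "ModifyPolicy"},
    "TargetManagement": {"CreateTarget", "DeleteTarget", "ModifyTarget"},
}

# Constructed fragment shaped like the jps-config.xml excerpt in the guide; this
# hypothetical deployment still has the default preset of None.
SAMPLE_JPS_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<jpsConfig>
  <serviceInstances>
    <serviceInstance location="./audit-store.xml" provider="audit.provider" name="audit">
      <property value="None" name="audit.filterPreset"/>
      <property value="0" name="audit.maxDirSize"/>
      <property value="104857600" name="audit.maxFileSize"/>
      <property value="jdbc/AuditDB" name="audit.loader.jndi"/>
      <property value="15" name="audit.loader.interval"/>
      <property value="File" name="audit.loader.repositoryType"/>
      <property value="file" name="auditstore.type"/>
    </serviceInstance>
  </serviceInstances>
</jpsConfig>
"""


def _local(tag):
    """Strip an XML namespace prefix ({uri}name -> name)."""
    return tag.rsplit("}", 1)[-1]


def read_filter_preset(xml_text):
    """Return the audit.filterPreset value of the serviceInstance named 'audit',
    or None when the instance or the property is missing."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if _local(elem.tag) == "serviceInstance" and elem.get("name") == "audit":
            for prop in elem:
                if _local(prop.tag) == "property" and prop.get("name") == "audit.filterPreset":
                    return prop.get("value")
    return None


def is_logged(preset, category, event):
    """Decide whether an event of the given category/type is recorded under a
    preset, following the coverage described in Section 6.1.1.4."""
    if preset is None or preset == "None":
        return False
    if preset == "All":
        return True
    if preset == "Medium":
        if category in ("PolicyManagement", "TargetManagement"):
            return True
        return category == "AccountManagement" and event in MEDIUM_ACCOUNT_EVENTS
    if preset == "Low":
        return event in LOW_EVENTS.get(category, set())
    raise ValueError(f"unknown audit.filterPreset value: {preset!r}")


def coverage_report(xml_text, required):
    """For each required (category, event) pair, report whether the configured
    preset records it. Returns (preset, {pair: bool})."""
    preset = read_filter_preset(xml_text)
    return preset, {pair: is_logged(preset, *pair) for pair in required}


if __name__ == "__main__":
    required = [("AccountManagement", "CheckinAccount"),
                ("AccountManagement", "QueryAccount"),
                ("PolicyManagement", "ModifyPolicy")]
    preset, result = coverage_report(SAMPLE_JPS_CONFIG, required)
    print(f"audit.filterPreset = {preset}")
    for (cat, ev), ok in result.items():
        print(f"  {cat}/{ev}: {'logged' if ok else 'NOT logged'}")
```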
    

6.1.2 Understanding Oracle Privileged Account Manager Audit Reports

Oracle Privileged Account Manager supplies a set of default audit reports that are integrated with BI Publisher 11g and the Oracle Fusion Middleware Audit Framework. Oracle Privileged Account Manager generates these reports based on the audit events logged in the audit store.

The default audit report types include:

  • Error and Exception reports, such as authentication and authorization failures

  • User Activities reports, including account check-out and check-in history

  • Operational reports, including grantee assignments and any targets, accounts, and policies that have been added, edited, or removed

  • All Events reports, including all audit events that have been logged in the audit store

Oracle Privileged Account Manager audit reports can show who checked out an account and on which system it was checked out, justifications, requests for a system that is already checked out, and requests for a system to which a user does not have privileges.

For example, the following figure shows a typical Oracle Privileged Account Manager audit report as viewed in BI Publisher.


Note:

You can view Oracle Privileged Account Manager audit reports in BI Publisher.


Figure 6-1 Example Oracle Privileged Account Manager Audit Report

Figure showing example audit report

Notice that this report provides the following information:

  • Category: Event category

  • Event: Type of event that occurred

  • User ID: User that initiated the event

  • Status: Event results, where 1 is success and 0 is a failure

  • Target: Target on which the event occurred

  • Resource ID: Resource identifier

  • Time: Date and time the event occurred

6.2 Understanding Oracle Privileged Account Manager Logging

The Oracle Privileged Account Manager generic logger takes care of all logs not recorded by the audit logger, which includes debugging statements and exception messages. Processing tools can use these logs to diagnose problems that occur within the Oracle Privileged Account Manager server.

Oracle Privileged Account Manager-related log files are stored in the following locations:

DOMAIN_HOME/servers/adminserver/logs
DOMAIN_HOME/servers/opamserver/logs

6.2.1 Configuring Basic Logging

To change the out-of-the-box logging for Oracle Privileged Account Manager,

  1. Manually edit the opam-logging.xml file, which is located in the following directory:

    DOMAIN_HOME/config/fmwconfig/opam
    
  2. Restart the OPAM server (usually the Managed Server).


Note:

For more information about implementing logging functionality and setting log levels, refer to "Logging Custom WLST Commands" in the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference and "Managing Log Files and Diagnostic Data" in the Oracle Fusion Middleware Administrator's Guide.


6.2.2 Example Logging Data

This figure shows some example logging data as viewed from the WebLogic console.

Figure 6-2 Example Logging Report

Figure showing example logging report

Notice that this report provides the following information:

  • Date and timestamp when the event occurred

  • Subsystem on which the event occurred

  • Message severity

  • Message ID

  • Message describing the operation that was performed


Part III

Advanced Administration

This part provides information about performing advanced administration tasks for Oracle Privileged Account Manager, and it contains the following chapters:


2 Understanding Oracle Privileged Account Manager Security

This chapter describes how Oracle Privileged Account Manager authenticates and authorizes different types of users by using the authentication and authorization framework provided in the Oracle Privileged Account Manager server.

In addition, this chapter explains various methods that you can use to further secure Oracle Privileged Account Manager in your deployment environment.

The topics include:

2.1 Overview

The authentication and authorization framework provided in the Oracle Privileged Account Manager server provides the following features and functionality:

  • Supports OPSS-Trust tokens and HTTP-Basic Authentication

    You can also configure the Oracle Privileged Account Manager user interface to work alongside Oracle Single Sign-On (SSO).

  • Leverages the Java Authentication & Authorization Service (JAAS) for authentication


    Note:

    Oracle Privileged Account Manager authentication relies on JAAS support in WebLogic. Refer to "WebLogic Security Service Architecture" in Oracle Fusion Middleware Understanding Security for Oracle WebLogic Server for more information.


  • Defines different Oracle Privileged Account Manager-specific Admin Roles and their Oracle Privileged Account Manager-specific responsibilities

  • Enforces authorization decisions that determine

    • Which targets and privileged accounts are exposed to an administrator or to an end-user

    • Which operations (such as add, modify, check-in, and check-out) an end-user or an administrator can perform on targets, privileged accounts, and policies

  • Supports Usage Policies and Password Policies for privileged accounts

2.2 Understanding Oracle Privileged Account Manager Authentication

SAML-based token authentication is provided by using the OPSS trust service in WebLogic Server. The OPSS Policy Store stores all of the metadata required by the authorization decision engine.

The following figure illustrates Oracle Privileged Account Manager authentication.

Figure 2-1 Trust-Based Authentication in Oracle Privileged Account Manager

Figure illustrating trust-based authentication in OPAM

Trust Service instances are typically configured to securely propagate user identities from the client application to the Oracle Privileged Account Manager server as part of the Oracle Privileged Account Manager installation and configuration process.

Oracle Privileged Account Manager requires authentication when

  • Users and clients interact with Oracle Privileged Account Manager's web-based user interface and Oracle Identity Navigator

  • Users and clients interact directly with the Oracle Privileged Account Manager server

In both cases, Oracle Privileged Account Manager supports the following authentication modes, over SSL, out of the box:

  • HTTP Basic-Authentication

  • OPSS-Trust Service Assertions

In addition, Oracle Privileged Account Manager and Oracle Identity Navigator can support ADF-based authentication for UI-based interactions, which is done transparently against the domain-specific ID Store.

2.2.1 Authentication for the Oracle Privileged Account Manager Graphical User Interface

The Oracle Privileged Account Manager web-based user interface, or Console, supports the same authentication mechanisms as Oracle Identity Navigator and you can configure the interface with Oracle Single Sign-On (SSO).

When a user interacts with the Oracle Privileged Account Manager Console and Oracle Identity Navigator, the following occurs:


Note:

Oracle Privileged Account Manager administrators and users will probably never have to use the Oracle Identity Navigator interface except during the initial set-up of Oracle Privileged Account Manager.


  1. The user authenticates against the Oracle Privileged Account Manager Console and Oracle Identity Navigator by using ADF authentication.

  2. The Oracle Privileged Account Manager Console and Oracle Identity Navigator call the OPSS-Trust Service to request a token that asserts the identity of the user logged into the Oracle Privileged Account Manager Console.

  3. Now, whenever the Oracle Privileged Account Manager Console and Oracle Identity Navigator make RESTful calls to the Oracle Privileged Account Manager server to execute Oracle Privileged Account Manager functionality, the Oracle Privileged Account Manager Console and Oracle Identity Navigator present the generated token to the Oracle Privileged Account Manager server.

  4. Because the OPSS Trust Service Asserter is configured by default, the Asserter examines the token presented in the previous step, validates the token, and then asserts that the identity performing the RESTful call against the Oracle Privileged Account Manager server is the one contained in the token.

    This process is called identity propagation. An end-user only authenticates against the Oracle Privileged Account Manager Console and Oracle Identity Navigator, but the Oracle Privileged Account Manager Console and Oracle Identity Navigator can securely convey to the Oracle Privileged Account Manager server the identity for which they are making a request.

    The important point to note about identity propagation is that it removes the need for end users to authenticate themselves against the Oracle Privileged Account Manager Console, Oracle Identity Navigator, and the Oracle Privileged Account Manager server.


    Note:

    If you deploy your own client applications against the Oracle Privileged Account Manager server, then you must have identity propagation. In such a context, it is recommended that you use OPSS-Trust Service based Identity Assertions. For more information, see the Oracle Fusion Middleware Security Guide.


2.2.2 Authentication for the Oracle Privileged Account Manager Server

The Oracle Privileged Account Manager server only exposes RESTful interfaces and supports HTTP-Basic Authorization or OPSS-Trust. In addition, the Oracle Privileged Account Manager server requires that all communication with that server occurs over an SSL-secured channel.

The Oracle Privileged Account Manager command line tool client uses HTTP Basic-Authentication over SSL to connect to, and authenticate against, the Oracle Privileged Account Manager server.

2.3 Understanding Oracle Privileged Account Manager Authorization

This section describes Oracle Privileged Account Manager authorization.

The topics include:

2.3.1 Administration Role Types

Common Admin Roles are a set of predefined, standardized application roles for securing administrative access to Oracle Identity Management applications. These roles encapsulate the common administrative tasks across the Oracle Identity Management suite.


Note:

For more information about Common Admin Roles, including the responsibilities of each role and the skills and expertise required to perform that role, see "Common Admin Roles" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Navigator.


Oracle Privileged Account Manager uses Admin Roles to manage access to targets and privileged accounts and to control which operations administrators can perform. Specifically, the Oracle Privileged Account Manager server renders different user interface components based on the Admin Role assigned to the user logging in.

Only administrators who are assigned the Oracle Privileged Account Manager-specific Common Admin Roles can administer Oracle Privileged Account Manager.


Note:

Authorized administrators must configure and assign roles from the Administration tab in the Oracle Identity Navigator Console. Refer to "Configuring Enterprise Roles" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Navigator for detailed information.


The following table describes the Common Admin Roles that are specific to Oracle Privileged Account Manager.

Table 2-1 Supported Admin Roles

Admin Role: Application Configurator (OPAM_APPLICATION_CONFIGURATOR)

Access Rights: Configure Oracle Privileged Account Manager servers.

Admin Role: Security Administrator (OPAM_SECURITY_ADMIN)

Access Rights:

  • Manage targets (add, edit, and remove targets).

  • Manage accounts (add, edit, and remove accounts).

    Note: This role cannot assign grantees to privileged accounts.

  • Manage Password and Usage Policies (create, edit, and delete policies).

  • Assign Password and Usage Policies to accounts.

    Note: This role can only apply a Usage Policy at the account level.

Admin Role: Security Auditor (OPAM_SECURITY_AUDITOR)

Access Rights:

  • Open and review Oracle Privileged Account Manager reports.

  • View Oracle Privileged Account Manager Audit reports in the Oracle Identity Navigator Reports portlet.

Admin Role: User Manager (OPAM_USER_MANAGER)

Access Rights:

  • Assign end users with grants to privileged accounts.

  • Manage Usage Policies (create, edit, and delete Usage Policies).

  • Assign Usage Policies to grants.

    Note: The relationship between an account and a grantee (end user) of that account is called a grant. The User Manager can assign different Usage Policies to different grantees of the same account.

    This role cannot assign Password Policies to accounts.


After installation, the default administrator is the weblogic user (also known as the bootstrap user) who is a member of the Administrators group. You must use the weblogic user to create and assign users to the Oracle Privileged Account Manager Admin Roles described in Table 2-1. Those users can then perform the administration tasks described in this table.


Note:

Although it is possible for the default administrator to assign all those roles to himself or herself, this is not typical.


After installation, you can use the weblogic user, as the bootstrap user, to map the users from the domain identity store to the Oracle Privileged Account Manager Common Admin Roles detailed in Table 2-1. Users mapped to the Security Administrator role can assign the Common Admin Roles to other users, and can later replace the weblogic user in your environment. After you complete the initial user mapping, replace the default administrator user by mapping the Security Administrator role to at least one administrator user defined in your domain identity store.

2.3.2 End Users

Oracle Privileged Account Manager End Users or Enterprise Users are not assigned any roles, so they have limited access to Oracle Privileged Account Manager user interface components. These users are entitled to perform only certain tasks, which include viewing, searching, checking out, and checking in the privileged accounts to which they have been granted access.


Note:

Refer to Section 5.2, "Working with Self-Service" for more information.


2.4 Securing Oracle Privileged Account Manager

You can implement the recommendations described in this section to further secure Oracle Privileged Account Manager in your deployment environment.

The topics include:

2.4.1 Securing the Network Channel

As part of its normal functionality, Oracle Privileged Account Manager performs remote password resets on target systems. Because these passwords allow access to those systems as privileged identities (Oracle Privileged Account Manager manages privileged accounts and identities) you must ensure that these remote password resets occur over a secured network channel.

After being reset, Oracle Privileged Account Manager propagates these passwords to end users who are requesting access to the target system as a privileged account. Again, you must ensure that these newly reset passwords are propagated to the end users over a secured channel.

Considering these points, there are two aspects of an Oracle Privileged Account Manager deployment that must be closely examined and secured:

2.4.1.1 Connecting to Target Systems

Oracle Privileged Account Manager leverages ICF connectors to communicate with target systems. These connectors are highly flexible and they can be configured in several ways. To allow flexibility in testing (and even production), Oracle Privileged Account Manager does not mandate that this connectivity always occurs over a secure channel.

Except for Generic UNIX targets, which mandate SSH, the Generic LDAP and Generic DB targets allow connections through both secured (encrypted) and clear channels. Therefore, it is important for an Oracle Privileged Account Manager administrator to consider all relevant factors when deciding what type of channel to use when connecting to target systems.

Oracle recommends always using secured channels to mitigate the risk of password compromise due to packet sniffing. If the target system (either LDAP or DB) supports SSL and is listening on an SSL port, then Oracle Privileged Account Manager can communicate with that target over SSL.

Consult your target systems' product documentation for information about configuring your targets so that they are listening on an SSL port. To configure Oracle Privileged Account Manager to communicate through SSL, refer to Section 3.3.2, "Configuring SSL Communication in Oracle Privileged Account Manager." Securing these connections through SSL ensures that the password reset operations performed by Oracle Privileged Account Manager occur in a secure manner.

2.4.1.2 Securing the End User Interface

There are two primary interfaces open to an Oracle Privileged Account Manager end user:

Oracle Privileged Account Manager's Console is hosted in Oracle Identity Navigator. However, Oracle Identity Navigator is also used for other purposes, so it can be deployed with SSL enabled or disabled.

If you deploy Oracle Identity Navigator with SSL disabled, even if Oracle Identity Navigator communicates with the Oracle Privileged Account Manager server over an SSL secured channel, then the connectivity between Oracle Identity Navigator (for example, the Oracle Privileged Account Manager Console) and the end user browser is not secured, which can cause security concerns.

Oracle recommends that if you use Oracle Identity Navigator to serve the Oracle Privileged Account Manager Console, you deploy Oracle Identity Navigator in SSL-only mode.


Note:

For more information about configuring SSL for Oracle Identity Navigator, see "Configuring Secure Socket Layer" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Navigator.


Because the Oracle Privileged Account Manager server mandates SSL connectivity, the Oracle Privileged Account Manager command line tool always uses SSL and communicates over a secure channel. Consequently, when the Oracle Privileged Account Manager server propagates a password to an end user through the command line tool, it always uses a secured channel and prevents compromises from packet sniffing.

2.4.2 Securing Shared Accounts

Oracle Privileged Account Manager enables you to specify whether a privileged account is shared or not shared. This section defines shared accounts, explains some security considerations, and describes how to improve security for a shared account.

2.4.2.1 What is a Shared Account?

By default, Oracle Privileged Account Manager allows only one user to check out an account at a time. If a second user tries to check out an already checked-out account, an error message displays stating the account is already checked out.

Oracle Privileged Account Manager also enables you to configure a shared account, which enables multiple users to check out the account at the same time.

When multiple users check out a shared account, Oracle Privileged Account Manager shares the password generated by the first user instead of generating a new password for each user. (Setting a new password would affect the existing check out.) Oracle Privileged Account Manager does not reset that password until all users have checked in the account and the last person has checked in the password.

Oracle recommends that you designate an account as shared only if there are compelling business reasons to do so. For example, sharing a database account might be advantageous if that account is being administered by multiple people.

2.4.2.2 Security Limitations

When you configure a shared account, keep in mind the following security limitations:

  • Users can still use the password after checking in an account because Oracle Privileged Account Manager does not reset the password until the last user checks it in.

  • Sharing accounts presents a problem with achieving a fine-grained audit. Oracle Privileged Account Manager can provide an audit trail that shows when the account was checked out and which users had access to that account at any given time. However, if multiple end users have the same privileged account checked out at the same time, then Oracle Privileged Account Manager cannot isolate the actions taken by an individual end user.

2.4.2.3 How to Secure the Account

If you do have a compelling reason for sharing an account, it is useful to take the following steps to secure that account:

  1. Configure the Usage Policy to automatically check in the privileged account after a specified period of time. Automatic check-ins ensure that shared privileged accounts get checked in and that passwords get cycled in a timely manner.

  2. Limit the number of users to whom you assign the privileged account and try to further segregate these users by specifying when they can access the account. You can configure the Usage Policy to specify which days of the week and what times of the day a user can access an account. These limitations can minimize overlapping checkouts, which improves Oracle Privileged Account Manager's ability to audit.


Note:

For more information about configuring a Usage Policy, refer to Section 5.1.1.4, "Modifying the Default Usage Policy" or Section 5.1.1.6, "Creating a Usage Policy."
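The overlap problem described in Section 2.4.2.2 can be measured from the audit report columns listed under Figure 6-1 (Category, Event, User ID, Status, Target, Resource ID, Time). The following Python script is an added example, not Oracle's code: it pairs each successful check-out with the same user's next check-in and reports the windows in which two users held one account at once. The records are constructed, and the event name CheckoutAccount is an assumption, since the guide names CheckinAccount but not the check-out event type.

```python
"""Find windows in which more than one user held the same privileged account,
using the audit report columns shown in Figure 6-1. Added example, not Oracle's
code. The records are constructed; 'CheckoutAccount' is an assumed event name,
since the guide names CheckinAccount but not the check-out event type."""
from datetime import datetime
from itertools import combinations


def _t(s):
    """Parse the constructed 'YYYY-MM-DD HH:MM:SS' timestamps."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed audit records, one tuple per Figure 6-1 row:
# (Category, Event, User ID, Status, Target, Resource ID, Time);
# Status 1 = success, 0 = failure (carol's check-out was denied).
SAMPLE_EVENTS = [
    ("AccountManagement", "CheckoutAccount", "alice", 1, "db-prod", "sysacct", "2012-08-01 09:00:00"),
    ("AccountManagement", "CheckoutAccount", "bob", 1, "db-prod", "sysacct", "2012-08-01 09:30:00"),
    ("AccountManagement", "CheckinAccount", "alice", 1, "db-prod", "sysacct", "2012-08-01 10:00:00"),
    ("AccountManagement", "CheckoutAccount", "carol", 0, "db-prod", "sysacct", "2012-08-01 10:15:00"),
    ("AccountManagement", "CheckinAccount", "bob", 1, "db-prod", "sysacct", "2012-08-01 11:00:00"),
    ("AccountManagement", "CheckoutAccount", "dave", 1, "ldap-01", "cn=admin", "2012-08-01 11:30:00"),
]


def checkout_sessions(events):
    """Pair each successful check-out with the same user's next check-in on the
    same target/resource. Returns a list of (target, resource, user, start, end);
    end is None for an account that is still checked out."""
    open_sessions = {}  # (target, resource, user) -> check-out time
    sessions = []
    for category, event, user, status, target, resource, time in sorted(events, key=lambda e: e[6]):
        if category != "AccountManagement" or status != 1:
            continue  # failed or unrelated events do not open or close a session
        key = (target, resource, user)
        if event == "CheckoutAccount":
            open_sessions.setdefault(key, _t(time))
        elif event == "CheckinAccount" and key in open_sessions:
            sessions.append((target, resource, user, open_sessions.pop(key), _t(time)))
    for (target, resource, user), start in open_sessions.items():
        sessions.append((target, resource, user, start, None))
    return sessions


def overlapping_checkouts(sessions):
    """Return (target, resource, user_a, user_b, overlap_start, overlap_end) for
    every pair of sessions on one account held by different users at the same
    time; within such a window the audit trail cannot attribute actions to one
    user, and the password is not reset until the last check-in."""
    by_account = {}
    for s in sessions:
        by_account.setdefault(s[:2], []).append(s)
    overlaps = []
    for (target, resource), group in by_account.items():
        for a, b in combinations(group, 2):
            if a[2] == b[2]:
                continue  # the same user's sequential sessions are not a sharing problem
            start = max(a[3], b[3])
            ends = [e for e in (a[4], b[4]) if e is not None]
            end = min(ends) if ends else None  # None: both still checked out
            if end is None or start < end:
                overlaps.append((target, resource, a[2], b[2], start, end))
    return overlaps


if __name__ == "__main__":
    for target, resource, a, b, start, end in overlapping_checkouts(checkout_sessions(SAMPLE_EVENTS)):
        print(f"{target}/{resource}: {a} and {b} both held the account from {start} until {end or 'now'}")
```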


2.4.3 Enabling Password Resets

Oracle Privileged Account Manager allows you to configure the Password Policy for a privileged account so that Oracle Privileged Account Manager automatically resets the privileged account's password when the account is checked out, when it is checked in, in both cases, or in neither case.

At a minimum, Oracle recommends that you configure and apply a Password Policy to reset the privileged account's password on check-in. Resetting the password on check-in prevents end users from using that account after checking it in because the password they used is no longer associated with that privileged account. This feature is one of the fundamental innovations in Oracle Privileged Account Manager and should be used.


Note:

For more information about configuring and working with Password Policies, refer to Section 5.1.1, "Working with Policies."


2.4.4 Avoiding Assignments through Multiple Paths

In addition to directly assigning privileged accounts to end users, Oracle Privileged Account Manager allows you to assign privileged accounts to groups. For example, you might want to create a "Data Center Product UNIX Administrators" group and give that group access to certain privileged accounts.

When designing your deployment, it is important to ensure that a given end user is granted access to a privileged account through only one path (either directly or through a single group). When Oracle Privileged Account Manager discovers multiple grant paths, it picks the first path retrieved from its back-end, which leads to non-deterministic behavior. This behavior can cause the effective Usage Policy to be different from the intended Usage Policy.


Note:

For more information about granting privileged accounts, see Section 5.1.4, "Working with Grantees."
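A deployment review can catch the multiple-path situation before it causes a surprising effective Usage Policy. The following Python script is an added example, not Oracle's code: it expands group membership (including nested groups) for each grant and reports every (account, user) pair reachable through more than one path. The users, groups, grants, and policy names are constructed.

```python
"""Detect end users who reach a privileged account through more than one grant
path (directly and/or through several groups), the situation Section 2.4.4
warns about. Added example, not Oracle's code; all data below is constructed."""

# Constructed group memberships: group -> members (users or nested groups).
GROUP_MEMBERS = {
    "dc-unix-admins": {"alice", "bob", "unix-oncall"},
    "unix-oncall": {"bob", "erin"},
    "dba": {"carol"},
}

# Constructed grants: account -> {grantee (user or group): Usage Policy name}.
GRANTS = {
    "prod-db/sysacct": {"carol": "default-policy", "dba": "dba-policy"},
    "web-01/root": {"dc-unix-admins": "business-hours", "alice": "weekend-only"},
    "ldap/cn=admin": {"unix-oncall": "oncall-policy"},
}


def expand_grantee(grantee, group_members, path=()):
    """Yield (user, path) for every end user reachable from a grantee, where
    path is the chain of grantee names traversed; membership cycles are cut."""
    path = path + (grantee,)
    if grantee not in group_members:
        yield grantee, path  # a leaf: an end user
        return
    for member in group_members[grantee]:
        if member in path:
            continue  # a group that (indirectly) contains itself
        yield from expand_grantee(member, group_members, path)


def grant_paths(grants, group_members):
    """Map (account, user) -> list of (path, usage_policy) through which the
    user holds a grant on the account."""
    paths = {}
    for account, grantees in grants.items():
        for grantee, policy in grantees.items():
            for user, path in expand_grantee(grantee, group_members):
                paths.setdefault((account, user), []).append((path, policy))
    return paths


def multi_path_grants(grants, group_members):
    """Return only the (account, user) pairs with more than one grant path,
    i.e. the assignments to untangle so that one path (and therefore one
    Usage Policy) applies."""
    return {k: v for k, v in grant_paths(grants, group_members).items() if len(v) > 1}


if __name__ == "__main__":
    for (account, user), paths in sorted(multi_path_grants(GRANTS, GROUP_MEMBERS).items()):
        print(f"{user} reaches {account} through {len(paths)} paths:")
        for path, policy in paths:
            print(f"    {' -> '.join(path)}  (Usage Policy: {policy})")
```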


2.4.5 Defining Richer Password Policies

The primary purpose of an Oracle Privileged Account Manager Password Policy is to ensure the success of an Oracle Privileged Account Manager-initiated password reset that occurs against a target system.

At a minimum, Oracle Privileged Account Manager requires the effective Password Policy on a privileged account to describe the Password Policy being enforced on the target system. However, Oracle Privileged Account Manager administrators are not restricted to this requirement. You can define a much richer Password Policy in Oracle Privileged Account Manager that generates more complex and secure passwords during Oracle Privileged Account Manager reset operations.


Note:

For more information about configuring and working with Password Policies, refer to Section 5.1.1, "Working with Policies."



What's New in This Guide?

This chapter introduces the new features of Oracle Privileged Account Manager and provides pointers to additional information.

New Features for 11g Release 2 (11.1.2)

Oracle Privileged Account Manager 11g Release 2 (11.1.2) includes the following features:


Glossary

account

An account on a target.

ADF

Oracle Application Development Framework. An end-to-end development framework, built on top of the Enterprise Java platform, that provides integrated infrastructure solutions for the various layers of an application and an easy way to develop on top of those layers.

authentication provider

A security provider that manages and enforces authentication rules.

For more detailed information, refer to "Configuring Authentication Providers" in the Oracle Fusion Middleware Securing Oracle WebLogic Server.

BI Publisher

An Oracle reporting product that can create and manage formatted reports from different data sources.

bootstrap user

A default administrator (weblogic user) who is a member of the Administrators group. This user can create and assign users to Oracle Privileged Account Manager Admin Roles and can map users from the domain identity store to Oracle Privileged Account Manager Common Admin Roles.

Credential Store Framework

See CSF.

CRUD

Create, Read, Update, and Delete. Basic functions of persistent storage or a database.

CSF

Credential Store Framework. An OPSS component that primarily provides secure storage for credentials.

DOMAIN_HOME

An environment variable that is usually

MIDDLEWARE_HOME/user_projects/domains/<domain_name>

Grantee

A user, group, or role that has been granted access to a privileged account.

ICF

Identity Connector FrameWork. A component that provides basic provisioning, reconciliation, and other functions required by all Oracle Identity Manager and Oracle Waveset connectors.

Identity Connector FrameWork

See ICF.

identity propagation

Process in which the OPSS Trust Service Asserter examines and validates a token, and then asserts that the identity performing a RESTful call against the Oracle Privileged Account Manager server is the one contained in the token.

JSON representation

JavaScript Object Notation. A lightweight, human-readable data format that is taken from JavaScript and used to exchange information between a browser and a server.

ldifmigrator tool

Oracle Internet Directory Data Migration Tool. Converts LDIF files output from other directories or application-specific repositories into a format recognized by Oracle Internet Directory.

Oracle Privileged Account Manager client

Component that resides with the Oracle Privileged Account Manager target to provide passwords to the system for unattended connections.

Oracle Privileged Account Manager server

Component that handles password requests, generates passwords, protects the password keystore, etc.

Oracle Privileged Account Manager target

Component that has its privileged passwords managed by Oracle Privileged Account Manager.

OPSS

Oracle Platform Security Services. A standards-based, portable, integrated, enterprise-grade security framework for Java Standard Edition (Java SE) and Java Enterprise Edition (Java EE) applications.

Oracle Application Development Framework

See ADF.

Oracle Internet Directory Data Migration Tool

See ldifmigrator tool.

Oracle Platform Security Services

See OPSS.

Password Policy

Captures the password construction requirements enforced by a specific target on an associated privileged account. Administrators use this policy to construct the password value that Oracle Privileged Account Manager uses to reset a password on a privileged account. Every privileged account managed by Oracle Privileged Account Manager has an associated Password Policy.

privileged account

An account on a target that is deemed "privileged" in a deployment and is under Oracle Privileged Account Manager's purview. Accounts are usually privileged when

  • They are associated with elevated privileges

  • They are used by multiple end-users on a task-by-task basis

  • Their use must be controlled and audited

Repository Creation Utility

Oracle Repository Creation Utility. An application that you can use to create a schema and load a repository into the database.

Representational State Transfer

See REST.

resources

Representation of targets and accounts.

REST

Representational State Transfer. Software architecture style for distributed hypermedia systems like the World Wide Web. Conforming to REST constraints is otherwise known as being RESTful.

SAML

Security Assertion Markup Language. An XML-based open standard product provided by the OASIS Security Services Technical Committee that enables the exchange of authentication and authorization data between security domains.

Security Assertion Markup Language

See SAML.

service account

An account that Oracle Privileged Account Manager uses to connect to a target system and to perform all Oracle Privileged Account Manager-related operations (such as discovering accounts, resetting passwords, and so forth) on that target system. Service accounts require some special privileges and properties. Service accounts are sometimes referred to as unattended accounts.

shiphome

The directory where you downloaded and extracted Oracle Privileged Account Manager.

target

A software system that contains, uses, and relies on accounts (user, system, or application).

unattended accounts

See service account.

Usage Policy

Defines the constraints around when and how a grantee can use a privileged account. Each privileged account managed by Oracle Privileged Account Manager has an associated Usage Policy.


Part I

Understanding Oracle Privileged Account Manager

This part contains introductory and conceptual information about Oracle Privileged Account Manager, and it includes the following chapters:

$S'*Q4KoI v wĉ`3'tp/[򠔍̠8G7Qq0QpNcW"IMOg5VPm5$0HK rK[KKN=<ɣ۬s@ljP 4PxQ6Ɣ3 s3aPc{ekAd_ w}w5 J5j%'@5u^W@!Ѵ\@WrvlLDOyd6wՎU4tlw<JINˠ5`C [6xEsӸv=GRe/fHmnw3DOQ7q8?K|{c4#ō V6r d3WOGX_7iOocw7gVM@z#ۄ7F6%vv w✍p{l3rw{HwGquCY#x(h?=-DYI =A[vF5x28o= <c'x"#\Sf7Oq vP4(> 3'+/!gr1m9!7OK"6CQ  0uS'$@dRmoTǹXs5pUXrAŢ:#OCS!S;}q,EAw(빮{6zH|7g+;+o_{sDC?y1#K;XS;/ǻk6(?w;y;<2 < }rTj}W7?z?෢b\Ci;U0Cxݴbzk6`uY>+?+=#@ 7P ",8 C$hP"Ŋ *\cGA9dI';fc(.Wl $͘5;ҴYL.%G -^heSOX1iFVbbF_~W_z…ѠD+F(RT*lٶnɛ7`_}  !E_[,gcː%[sgϟA=tiӧQxc +:puƄ7ZM+R }VܩoszΕBWO̊3@hkVriv֗r.~%;]C66Ϲ׾v`&ի"&mE;X"$p{Uҿ/VMVv+|{xD F:\;Ka!d%%ӗʖ+[-oWf1C!\-|zuL Vݰ\򖵼bcv2nfvtuggzo 9?zLMH'71^4O)Ϭv5akY2M3,>Ә5+ Vv’3g=SSZWN1e gO^m=Wғ5_;9 ϬMv-jfew9}ہM͒Txͽa6V8aqswBc㬮='gܜvxJG<6_nriG R[[.{E7:tZ\\<3;p`Ry~tKV\&1 KW>UMYGX _$!>,]]ތ:͎mOBtj6ݗ"|t巎o+^xdB}p-ln#o7^zgڹ֔ (81ղW#Rke,U􉭯zθƨUN#=*='G?ai>o{언/Ooo+TRN@$Ort!7`0jP0m& K Rhpd H n4KE̡ N >ɿ@ rpva` 0p 1 @ !/jf 0=M KaAaAA əڐA q.A1EqIMQ1UqY]a1Q7t 1}FQHk1;q}O&1 qsPqٱ<qpڑjqyqvő1Pjr ,'qzv O!'MM"#=2D{[p [g#W\r>#%!z"-20Ɍgc8)X3#(#pCQG6cFr$dҁr% HT2hf+{^*3$2pjRqw!q#Uc(./DpL{P>f`S,2$rG.1=';8H2 V̲Z11u/' '5gtTFt*(V415aS9f[XPc]Bv^`9*vl7r4&2S%$@nts'R8dTe8r&7w3rڥa2ײxH4;FdD_.#o2+c>34fs\Pl7klatIckf<h5Eyt #=5C2Efv$CU`4dO9Fm3fD6D7v`pk,39*-tiFAGd_fjH\Mt9m=E]4>IEcZFMIB/;Pxt h`"HItKe*tM%+۔Ii8=C,AT84"yFVJDAsB2&54 $ TIa5GMNQ5U)?Ne?Qo&I&D'SAۑA91I#J_&glJ*wKIg<;3=EE˴ATYfZRU6eDdFQh&R%|CT@/UuN@PeAhf_T95gHvjjnrS7S=som2~HnT41tc9[=6?p QAD{Puzfffwww›???rfx233kqwف޻]afUxBhFWhޢ@fUhz䪼MQUſEkUUU"""hDDDD`{ܝ䲽yIolcmvȫv?Wmrvy "ϰ˷X|.03Y|@]y...aTm___DcQSUQ[coooYrPrh~tLj=LZOOOgkyŽφPsazbfkahmפhKkx{~!,=;H*\ȰÇ#JHŋ3jȱǏ CIɓ(S\ɲ˗0cʜI͛8sɳϟ@ /\ ӣHk|zTP!2kâU:mZCj\ńmWxB [@]"Dj:oX'ͻoӧYf9Dc0 j!?!@A0(lᦴV8[c֮˴\-t{,X^A"e  =}n/~!P jXؼ0 -W8a; ԟw Q7Ԁ}FZZY5X]Y`B  m9 jP G_oL"AaF AB6ݎ=(܏ /g"ɛ]xWS !e]x?Iee0ڔ&ifA`!%ScAeTY UVjgO}&e9bjA\覜v駠*ꨤjꩨꪬi4"m(@m L2I.o2>ф ڊ BK13O hpM4qG K,MROd-ނ{$80C:fTP$!.<0#{%`Rp!ǫ~p"7%oH@@'q׼p>q?CBl Ϝ+ /,꜋% 4!BI?=R4lh4j3gv4s5ZA/x#F{Ksلݏ.´2!3xuw83>6RG6\f4V]m|yn*oD-䔫b+9F L.{Ԅ>0/SH* ظC pιʇzS>7hێ\atī{gmkk* ր_Fq p[`w;wAJ C2s,Ap M RЂ!Ȁ:8 Zd1\V@ЄRCaUȊ 0CQ4Nl$36V,\ 
F//,O4_yhF4n0/aa̶GJB98c8XBA+QA7sXtVBF+yI!bEs(B<ʦqt#s ?! /0AH4d1K1mqc#w_ Ct#D`WظĶHrcnL,"A dFd &gHHS:r:9mS7Q퓜o_x'tojt6㙂3hCC0#)WQu4h lQxsC Mr>XP!SHEz! PfbZ7:l(l\AJhlY!8EU, ݀ 򑊓(`I(f5Yx6,x*)(X\V-kc%<GFU˫" \8.\ې5 aw{cw兩6^=,!uY K) w#&AG6 vBX< CΗ QS W80= b(V1/ vHB"=LA ,X&P_,_Q a}lc&;Re.{b2+ (@r\&?9S򕳼.9)s 4+$3fslh8'zΌLf>v=QO[v[ax(pYP5aC`'@8QJpi,֜?~qo8P_wrdl w l0  p Sgku7yVf6 Ȁ0@ x lgdt_'wRqdbp(~s|nD&6'w>zs<Ѓ`l trAgE!P p{b' H=X텆[XPXV$;P| DȆh]6RP@By^HwzZ$p vy]v/b'ՃRVjh]'@ p +hx8\ Pd8`\vsH 1"XW @7HjP 6ҨhQp|;򌰥xSt (nRi=Ȋۦ 8,(ps ֍؏\4)woya @}we PcؑY]AѧP79 03(`Ɛ p *0Ϡ  `R=[i a9eyk9 } Y鄞vT@ ,pBCxuȘ= MCHXf0$9,Y 9s 1P%IV$Po5p~Xy|` H›h s v蚧Zp&q찉鞸YŐ Yٚ{ qp* ֟ڞsy R;ؠ)tj (H q 1ٔx 0'z `yi <:*]0A( kУ d*RJ )k R(VbjyihkZ ' ˰ Pi q cᧀ*jʨqZZ& cJ^@0 Z  !@_dpz Z\ PA Ȋ  aZԭe czʮᮜ%ZTZįI 1Fd ? Ѱ;K4;.**![#*%ˮ'*) +k*-/K*1{3+*5[7 *9˩;)^P :K_^PD=)K M(EK_Y1" {@_kiW )#r;t[v{xz{;j-d[{{[ո$6 +BPPpVXa{M0!p)[pE+aW@p Qpf`r;; ̠ ,Ѻ+)@+{V+Ļ>ȫK#Kqj+ڻp۽k;˻;۾ ;kV*; [ <Ks =J)a Kk|A!$ &/|1L3⛻#>'(AĆpMdYq н+`p pþQ˼T ěń*Z L1:, ;`tQK}\뺈K\Lܿe0  X Ʊ0 Q  `f 0S,|bL< ɓmp  H;b 0-P¥͈cl2,\ h   !  hPh h ̼r+Їͅгܿ;0hlpl`Y컋Qp hpF58=Y0%';@MgZ ,ӏpұ ; ້p j9 Ph[M] =(&A֊<ȅ|ȉ\΍, `țl-x=Ԩ G70 /Pբ рzC+n]`bLPa:mP`u-@ Pة`ȋgdB0}=]}`%M]Ĵ3LÜMO[{-MG-A$=]1<ɔ6|ä;tv̾fd]{#.m>6% +.~)79#r,@"F6 ;{rl N 95!Bag ^nZpvL4a{;<"N@޻n儮>>&|N..OL2KK8 71!κP2ʾ.9a6)]>^:+Cq AQm)Oˬ>q"A=A5Z޵ NN_ 0((  #!%)'+/-15o3?7o;O9=OA/?C/GE?I@*K/MoQS/B,UW'Q(:B$\)A u)nB_ 2  1%r_$$l!a`P"j_ɡL- (io !/$GA)'?"$/ p_/D*B`"bP9"`@}?_bo"A$) q[1c"_(b @X:XE3G!EȁI)SQ hPBĊ/ &̟*iA ʜH1fω JE*WnMiW_J(A3kƥ L@$)ӡ@ P 0j͙yք(4Ȭ%:2ט`08 ;HbDô2ؠ]`ԈwByLz#'g~rs#CG_԰-E5 0 s i@2NEy0_Yf.#CpAt#NA +B"2 7C/0į:$D1ELdE-[1F\DoTiFAʱ tD#HI'2Jң)l.K-K-L1CJ3\3 (ߔS+;<<\`gZ; 5),m%O N:yFu9XxS,2HxTةV 2Pw24V8 \2HGvW:S\PɲZe{VhqV8G۰wA|p pse!dp(wz y|W_~X` ^X a'XN]u`5tMn7Kd[NOBuQsQhv砇Nh0VZj駣vz꭫j,(Z묱:me!E~gYnRnJcpF\{qIrȭܪ+n5GIq ߪsϷSW}u[wu[avgvsw!zw(> 7&R v裏w^߳b?>b`|7|W(#P퍷:‰ "7P ` F@)Dps(OtZ1PsH`;ԯx<`Jp`-A4ah?! 
k@#0`)q xF%KaWDJQ4 C.FЋsE1Rh$d!?6, cHEЎwܢV'YGXHPOKl[EN +E/b"; CyddSH1|`wHAYJa(I\Qt"G!W$L~Ŗ$D72s`GWRLcIAE#+bZφ}&L 9QvnFPO|D ih@ia4D9vґ,5f3Pl$Hk4(j0iCԒG # Jha'>pA |@Ʒ/;1-5ʁsY-ÎNtNaXZַ3@H> `;XyR_ ԝͪV%xXдAX"@l * d{K |s݁jDRӔhP-J-Jy#ֵ[պU% 0|`@!/*GHiՎpkpKږOӂ.q  A~ XdC-h18 U7%dl;فYKܖpP< s8VpwQYEبHFfZAh UA|8pJ6Hc@V@E XD?pse;ܑI҉[=F %] b|+y~&>  ' XP4Y$ͼY$"LۣAw?0 & .AiZg4 .8hh ːT"=&TRloǴ\ykj:zgXX`v`u/$:ʲCi̒y`H5Q .{[5ߤMyذ@Jr97ΚsF"HPLQk|O^yX\ξey Ԍ[7?;{ֶA?EX p:"bGJ_s8l_]+@]z^Ou~|9ޱAj;>e鬃g<"8x0O__v_ܿܞ+nzW7~d5~WK ` v #K72kҢZh@W!O>R+6ҭ*`C.{(Pḝ'h_:n:lB,18-zۉK`ذtR+i'E{4M#$$ 06$ @BʫhBc|(sX+1B&|B I*e{R#(I)#3@1.XMc4ک"kB|'DS #' -B/TUĀLEj-lEB#UFrrQH[Jl|'cFOt)7j,"|F.)[傢bBFl\w‚D| tQ*a)'GtL|}C!G\&r\$bt$vt|+`HG`HtZDc,=|Ȏd9WȈ)RlкHmBId,f3HqZɓɜftP"JĦ$V_dJqJ+0ʣǜTwJiJ&*KD JɶDt󣅲8LLL\LlL|Ll#LʬL˼L,LG$LMTLeH؉Op嬈8 02%04A=TP`N;U 0uҠxR-icyTň<=XX8/4U xF!Qx,LkU#փ ( >)!P5pcQ WW8~V -@΀]@ԑN}R t5FQ Xp֗ Xh,n]hȈU@!QYO V{EPT{},UYWS XNhUQmYPL Vz "m菅}s۟86L " Z5S5 h50>ʭ\˽\\\\ ] }(]=ӵ]]m]~J`ݤAK~I'&\)r) #fZA%AO|E+|/*=Ũo"Aa٫}<*jy'ޏ_%ڟBGG+ރzŐ,mGZU%w'm_UThXSCS z8г ).ɔ^ޢ o `1h0 O ᳍PEeKC ㉴ZJQ/Ͳ ҩ"(2!`B*"Au B-2(WPx%͂ؐ؉ MT/ ʭ=0;,"r:BB+@1V:A?40_Krz `@ `T= 0` /?6f+K 3)-2dh{X!Pe/iSYH*330^-8 k( E2B3K51z8%>jk!0&6PpE(1SvA;Pa RE2lL P@ a ݟֱh趪6ڶ-G/fdHLB=g'P:v{DWpeDTH1Wbc#Lmg;>9ֈ254dڹ+© 5⋞A(3h40浰" 1@ 1 #%acvOf!f<7{ë-Ӱ985!+AX&b̖7i ^8C1^ȁDhYP>_\:^ fٛE\Pij?8԰bF6k2<CL>Ug-D $WNan3$oa bEL#B!$"b,mb k%B+sG (08 @"A[ f&q\K ^{Ge4,!P%`J4GE,VBselޘEŔgh-t*ɷ$D\G,N6"fޅZ,=ȜLHmG8_O/`?o/"9ȱH4m ^`!vAcuadG|`ur"|DapWs7wt_wuot`j)P_#HJʛKfu\|/YܞJmxU7xD0xxLMNDNOy_yDyoN=LyyyNSQѲ%  XzX eWzxX@ n[%S{˩YIeh T5xm Y^'Fh[ =Vwg`[̟TT h]yeU( ؍T~E(R꘍%'ʿP5}x@gW7 _@JSp~iX u^dmz>X]V}p٧h X,h 2l!Ĉ'RhQ!B XG0jA2h@G$2/7  !:nƁ&TҝO%h*֬ZrR-h!e,Ԩ!fK ЂA/L`VR0l(($1" Ԧjj'ٮ7sX+g)fmaHP*ീ^) 5ؓFحP{ВeASnz.!9[C\}/o<ĪmӯoY? 
8 _ *| l!8m$QPo50\y@-8~"bWhBb&'WNdgZKeтt5H"Af\*5Ў95:^xݴXIYjYZmh.- .0m@EEm[9Bm'_CK@PYF$XRT]vu}YbH&seВTnff$AI@F$I9)*J*2'0&Ero+rE$pAoeD<ՂhM Hju(h.'myƻ//o٫\[tUB\j21 U|11[#w,2!xC 0L3/ 5s67lt;O (M?Aq\q[Km5S]0vgL@fݶU k6qϽ4}7 >8~8+8;PKw |00PKA^E"OEBPS/img/search_results_table.gifTSGIF89ai" &&&333788=[:>I99u\gt1g6>Nn0J}exf.t5eCsLuUgX<{h}j!GGGNU^`^Y~`Ejid`ityxw23<ABNR#F:[(O%Y(W*Z5Z6l(^.b3f=oDDKKPOTT\[MaGgIqXx^{lwgyr~h~L}cbfofo8w~|YKGZehgczu=8?>FAZCen!w$~%GLisUb]acHiEapDMISQ\KKRRsxyy%6QVhHVdXXbbhhrrw&4)*;?O~h@YCRlʹ ޕb_¶efs8#qsJWgÁԊυݛȏ捹竸ά۵Ųߣͦ‰Ĺ㪪œَݒſڣߖ!,iH*\ȰÇ#JHŋ3jȱǏ CIɓ(S\ɲ˗0œI͛8sɳϟ@ JT̢H*]ʴӧPJJ*ȣVjʵׯ`Ê+ٳhӪ]˶۷p_Kݻx\ ܷÈ+^AV9ɓk̹Ϡ9:lOG3tװc˞MhץW.֭}MPuoᦍFrУKNԮ1[p⼳7߾qξ;f~5aҨ?6\|h5_x~G5z 8`v &5wމEjq7a-(4hI#['z'a}0wxH&UآqݩX ҧaƈܒ\v-di$lfj)t bv|Άg*xI衈&V.裐FSVj饘^馜v)F Ljꩨꪬ꫰*묳"K :j׮.ϰk&6F;if2PD2&l}z׸, +3N8,2[L1CAB=7-A3 C+Vb+UH<3E%O a5@ 31]蒫vl8#k<8K/V+0D ,p O;T##;ApDq&t- PSk72|նC2|0@{7MR(Ѭ 7:=oګL0C4Csz Ҏ6k+ ;!YIypmw@7ϮS, L74;Դ|K6p '7A_DяT>vkQނԾ2S@ _*>,kخphBu$`%iDLl`ְF5&P8T!{,ho%PH7|H"z Gd; k(M1%D_ ^8g$ҷm$.vmt`E(hĠ8J* O"pBp.Iὲ!/bĀ nِ( wƲ'!MNbX=3CbQ"Ȁn;4np+ -h:U'N/4qv\=~Q?Ⱦ[F*%Kr(M],tO|0D=`!i~n/{`^?8 .|CFaV@׽p&A`AXA JXb}}:Fm5U]\ZĪN(B0kRaKt2.U }S/Rf}\}( PRx`4~v7CBQ% x  nqqhà-0؂t,C*?Sulbԧz\n+uHq:8p CEWUB \  (oCtu]=' ypq"Gɀ/ PuF/8m Qmy XXA \@?]L ,(nApa!x∰vk }Џ9Yy ("YT!oqّ! X&y(*,ْ.0294Y6y8:<ٓ>@B9DYFyHJLٔN A 0TYVyT 踕\ٕ^` bYf9@dyDj[lٖ! 
1  vYvyxI I)9ɘ)Y)ٙ ٘9陡陦ٙIYY) é)Iiˉٛǹѩɜ yIᩘ0⹝yI鞾9YI)iɞ)號iٟɝŹ zz*j9ɠz)*zٗ1:1yɣ>@AڣCBzDFLNZPQڤSRzTV\^Z`Z]jdzejڦi牦rʦo:D:vZtf{nʧ/@3ʗ1Z!ژ:Zzک:Zzکڪ ZJtwY:ǺڬʬڬjZٺڭ:Zz暮躮ڮ:ZIژگ:[暯ZךJ گۊ֪  Jz * 1/[1: < >۳@BD;F[:5;ꊱZZͪjY{\]{K[!습9+[ʚb.+d_KZ!κ6[κ ʬP{ ZqŚKk:6۹[{ۺ;[{[K;뻜K{ț +˻[ ҫa+۽ й[˸ vپ+[ +ۻK8 i ޻ <,̿|;"|ܛ|̻д\z#̼|Ћ ܽ+<1 Þ;k<,92 @l-L,˹k䋾0K [:[6kܻjl8kv|yǖg\oqlǂLȃ\Ȉ|ȊlȌȍȎɐ<ɏ\ɒlɔ|ɚɜɞɟɠ<ʢ\ʡ|ʤjL}zqʽl}˛]}]Sņ C>ؤؘ=ߖmH]٨MRdm-VHS>]bnad~lhnp>o^rnqt~|x~>^n~茮0QN]>^K.#~刾>褞e^K.kn٭P~U騾t.a.ߕ單`d>Mn[^崎̓ھܾn}={C mp.NAn ?_!?n^^+?4_)/(!10*o>?CO2F /QJR?S?莲<k/O@>\xz|~o9os~_<"?Hho%O;vM?1W/CnO^?_ȿՏOO]K /?O>DxPA .tć%ZxQcF=nH%C$Ҥ|TLsL4eySʖ8P!{t'](TEVR=]NVXeŒ70mվe m\s[7]}د` FLXʼn?vdȔ%W|Yeh9ghѥC&sj֦[^Z6ُcZwa^"\pōG\r͝?]tխ_Ǟ]vݽ^x͟G^zo͕;ǟ_~0@$@D0AdA0B 'B /0C 7C?Cfn馛oǝrޙgz'GwG2H!$H#D2I%dI'2J)J+J-K/K1 sL3,L5tgDh9EyeGJsM?4PA%PCPEeDQHtR?یO8Q\;GFzRKOE5UUWeUQS# YxU[oT\uW4}5LK<1[|1z\z6Zi`5 =pC=PhMr\r4"b Jk |W]s#XߘEm٦[=Aӵ,+㌅}sSPs$5` yf!k[9ȞyɠoG YѱmhǟvǪ;jɫܺh1&sܺks k"Vc]7+1-|Mlp~|R,n:=fwZm~Ԯ\I˭FZ]EG>}]7X:픗}\w,v~_u~{sGG>?G^囷^>巏~{'zu.^_}SQmgi+ur:XRЖ5I퀗@Fߖn7}Bjc `+@(LۺbuSWZR/}N|ӣq|B"'#2xKw%VJ(!f|G0U?dF+lo4#аh qFi4Vr`_Qql<卑FNHF 2c.,&ïHn,dG]eD*Fg'%Ғe0FJŤgIYBǴi ]^1Ҵ#h(`da:E6k9 @O2ڴ؞KdQN$} )ACKY4GPlWrBlfWh.)c3_='eRT_XM_Ki5/գb=΢:iN6rY#* OɌj|jIGL"4\9y&P\ MfCp%Gˊ]ZRNϖg6Ѹ""\MѼe/{Q:ZS BdR 3WՍqjK)϶EXW궰]sKZF*ہQf%6ԝa5L_5#-"`5J?:sW;}+cBJR{HZs+TdQ]ζӵ-ﺬ R ַ7$[׮ӟ ~Yہ^Se>2vP>yX[r/=U$T[ُ~%\_ؗF6ul~'U)= VbX7 ARZur:ߩB.UO*SJCA2L%ZYl! 
Bugmդg-$ǁq^۝/KR7cڲдJό[%Q/鉥F4t1Y4aNJ*G:nv7V9sou=l6BdDƶƲeVʞt=nrFwսnvw=t7;ׯAU/x>pGxp7x%>qWx5q;yE>r_%GOro|-q:Lhcs?zЅ>tGw8씾t7Ozԥ>u;%HձsoyC,^G{վv?ۉ>uryr3c7m~G|w}x&@'@{8++M B(-|8/T8081Bӹ}0oC@V 8:8;dwȊ!̇z> |>B@D ?ELDB,D DnmCm,mq$sFtFsLosqtG|mszG{tGmD`Y0<:PkRT> || sڱ+HHHH|(ȎHa=Y;it8jFzGw{IyɝGByD{ILqGqIBIʞzG;,8$8dHࣽ==0-,{˶HHZHܝ˹KKKEd˃k˽K˿K$L´tDŽE HKļLKKL{˿El$M̤ЄLICJ-+1 (8KQ˟N;$jܺ;ɴL茑y$DJNNNLxKdόOϡCjLDN N ܺ9ȏ+L\'Z͌ͻ ML Ѭ =  LQ^PQ 5QQQM}Q-̮Q R-ش?M{PMIm;TRN/C 93E4MP\S7ES6e7S583;m>uϻ"PPʎC1R$S3R|T͔-7m!JAPACQ TCUeU1 UEAQR5L M -U`Xa]`c]ׅ=ڤݦۧ[1krr %L^a .bI brW!6bFb"VbB,*nb&.%_׍Un]YuX,Kܪ ۡL$` ڕ-Qd&a1Q4eFfm\Odjd[iOEo6P<_kE>qɌ6Ȋgg;ze.$e)]vfYf^f[.h.hh6>hF~vhfYl؃_HEV͊_cc󥸔9>Ysi|f٬::-HXwq&6FVfvꨆꧾ;i6F1-ݣ&ָXXPk^mjp빦뺶k l; 6fT8ɦʶlkX8K{V6lfvmlaLmٛ]i³&6FVfn~lꭞbw`Pf snhVfvi6v\'7GWgw '7pG/qgppq !p'#G$7p#Wg&'w3)-./?,6,`?4W56w+s8<=>s',3YY?Gt"DEgtwGwp+LM-r2%X%(t-t'wpL_qU/pYuu 0JKWqߩcGd_s&AoA58]\O vve7qa'v7v/ww _uveuoxz^o~oaqowp'7xgr2v5,U\x wx?xxtoulyv|4t_ws/ayLݙypyvy7Gz9?pg,pT s%xZmwkWuzW'_rz7{{tw{mor}_ygo|{z/z|6G,0υTȅf{jnzgW}7pw|zu|y?oԯ}GX٧g~-G}`ȏ|b}/~˷Wgrx'\Px~~]~ؿ\,h „ 2l!D~ X0&ŏ A$IqcF(S81cΔ9fĜ:w>|SϘAm sMDy2uԨPj*V(F`7z՘رM6m-ܸrҭk.޼t_dEI,kxE G\zЙ&/UZt2z7sv۵lKfey#[ڡO03#laǘi(Rˎo;*VɷVj0-k&-ڷs;x| ɂE0~(Q[ΧܽVsZIE'taPlC-V~wF_|eJUa. 8K>9[~9k9{9衋>:饛~:ꩫ:;:>;^;ߞ;;}\zMN8>#?=[=k=Os?>{_>oS?|Tw(<'< >=c Rr .AipTf-pGǏ%|! c(|s`7HJ!ֹp3сfoo@Wz-rTYlCsaH׵Qru动;fn2 t28M{} `q#>d V1OQAbyE V%^ N ',x()!_!!b"&$6%&,_0_,n_.B_&+b B")1F;t2MB L5FG_,b+f6nM 'B,;b!/)r+N]#ɣ-#ab;rc01:;R #b^XG(B"?8BNbD:CVcEZ$,Z5n$GG~$Hb,t"y)0b10LMdNdH_bYj<^Q%Rv afca6:fd>&l>fM"f@@_3Z -ҺgeJbeQo gfJr.g+_‚J~/JLLruVai&sfeZ&qS*T'fbh'SVVw|'mb'}ʦu&2MI$%V&reP^c\gqFhxN(6,tdu~gw&fdKK~VQf,&]9h5.\6y*_|%:f'mTlzX(Օ"5q&N(v)j9#gg~:vhmzgnf֩zz&Ebi&gT}!)'i&>3͕4i{BdhB橜%Q`8B*&k2)vej*rh&|jjrh&*)Aa"pk6yfj.%GhD*f`eA >䉲9hL+}ReV&2$p'P2>eCⰆ[J>kWjV^dB+BXv`!=R迦R! 
8 ,R*!^"nbʬ-">!&,-J_zn_?,.g nN=϶>-ٖ-F ^%R4D31Yɦ--ޢ ߪ&׾-.&..6>.Fr \+u-Ț"D뾮aNUnV./,>4Eau\nV/ڐ]ZP/1oa}"~/ZUݵY=6i޶umnҭbF,M/]6QcK1(/aw]giGޯoZ+rS)0ȅpo4wN]pܝ0M1wN /rUQJ\`UM׼C0.TXKdYmzܓXmpjqR911Ty^r"a7$:qə/s"[["Z^ن11+[dAb-x=VdXMeV5e҉r#*S3)iM5r)uZ {mU Zs:1x=xӸeXE9}11#s ZAYs5oVBkg7S情^ִQ933IYճ 3=sqG?lHtuuVK7MK3A3m'48*-pIo5V4K;4R5C 0sN2ŵsI*;1I3RDo$-s3qH(+Us5dϐԚu;}[eZ{eZbc TWHW]\uWP5<ꖯnmqU \2pd7wۿo']f4_pL/crXiρ1]ܐ0twXGy_#/%G WwW&sw%OZ9'`^8N:;7oS ]ŁэWfπgݑ {𥯀7/oٝ]ڝޮ}PqN@rWV"IT8ۃ8/auφU'9*y8`N9W_9go9w - d*(KjЮ9 l99:+Ҷd9:/+N):O:_c9a#^9Esg^ߥscsz:Ӻ:ߺ:磧e[؞/M <Ђ)p!N̷C̯|<;<F|Hbƹ{Zj<7')x)*x|e编 C΃>=C̋Sۃͳ=ܣ}ڷ|܃=Z"&js~b 2ErW>H6 64!jjC=ԃا>C}@꯾Ͼ~C>>C=~>"]JmgR~<k>#j&:'W[ Z>C|т-7&@*j ?<@̳W= PXp…&,X='HF-<(b~'Q]7%QG&UTP1)iUAӺU+-n_u;˗O>}'/ά{.z)jaÇ'VqcǏ!GiLLu\"FL@RjQG=}iԪWOmyk 7}wἉNq۽+I*wj+F,q1+x‡ҧ-lڋ /#QLQYlU̥:6QBDJ$Z+0j4$Ƙމ'(yr)R*J.K*tҺ1ĺ7S/&؄DD3?O%'{T! M  AfǝR}2lk.;$1TQMlSQMUUY%myBdD,PW^mrxqaMvd]Y"XbtUJmk=S4?T9ͫ)9uQdDUuW}!MQHaA2 /p鯻\Rލ9?vU%XIvq\5@F_N}'qYt6gyY蠅盉YuB8DIܩ݌)&ub*|6$4׀Eu`H v%Pӷǭ}"=wj /LH.#2RH~ 5RU)=1Ԕ5iiRs&6Mn&%SkJ1qr{:.|<P*L@1p [H wChE1zQfhGAQdUNt:Ls|lAb%6Qb-vacϘ5qbw=L?r#'3>mZRosi򕱜e-o]kde1kf3f-מM\,YŸY}hAd~='Sәk||&1}nqW3m,Yp7<*_[~b=q^2ndb\?yɽh y0dzlg/xgwm灛L ps5.|+m] x>36| x<︉]xO,0U('Qˇ߭\߱x ^Տ0|x`rTo{'.ۿ7aFHNP Oo~o@O<&&pIoHa a/XZh/n6/݄0O[!pepgo퐰Ap 1*>PlkM-HCr|c /.PP 00N$q =p/ ŘU 뢰= y - G )qUofP S1͢ΦBp(< CW0ӮG-,үѐo  Bq} p =1QEPKQ P;S#ݑf 9x I qr!` NxJ! 
.P?_q2rNqpa/I"m9#bk,Vpt2)C*" MԯK.&Q,uOm*q*nJrr/-..ݲ< .r/ &M4-l1l~)Լ--2Қպ2`+1xԊ-um4-(s T3&C6mJa`3)6 RȆ\/Nf3܂RԊ2:ז:-; ‹kKRP;3=1;h= >>3?s???4@t@ @s f-&sϴA!+BgBBCŨ+2L:aBEtDJCIdLR4~V~Xa\ZDmFC'GۧFGHԻ9< HI'xT\MќpBH1;SdtLt G"tTjH[NK1trPA[GLcN˴Pqtq dHe f))AgSY~"1#z씰tTRH(Sa2U6\PiuLeaP`zbJ4)PXE4VCЅY]@U4XTTC Ϥϒ䋺c@$@\]Pku]!tqΙ*oQ Q1g`iTaf>lH@պ^S9Յ>5=jȋo!j7\lHmw\q6ehk-޾4-`\[HNH;x!Gy4Mzf 'vc5wȉv=5pXpn(_6|6yEceՀ5w,OȸuIi3 WEUu}.qx[ͧfT+5TԔUD>X*)XO*U`a`sIYKo(1HBu9۩DD@y9yɹ+ ;PKn{YSTSPKA^EOEBPS/img/search_portlet.gifzGIF89a 333=[uV`itMan{²µŶɺʷǸȺ˼νϼͽξϿЫ!,  H*\ȰÇ#JHŋ3jȱǏ CIIR\ɲ˗0cʜI͛8sɳϟ@ JѣH*]ʴqPJJիXjʵׯ`ÊKٳhӪ]˶۷pʝKWnx˷߿ LÈ+^̸ǐ#KL˘3kޜYg<"ӨS^ͺװc˞M۸sͻ NȓӾ.^άe:6j`ËOӫ_Ͼ˟OϿab/P5 ^SJMD(Vhfv ($h(,0(4hb`P2K/\3͏ӐDiH&L6PF)TViXf\v`)dihfb8BK0H#4Xax|矀*蠄j衈&袌6裐F*餔Vj饘fiNL&HͨHȩꪬ꫰*무j뭸뮼+k&첾JABR`bfv+k覫+koR@@!L[+l' 7G,Wlgw ,$l(o,щR"̰l8<@-DmH'L7PG-TWmXg\wM dJahw{/o'7G/90{ȴsM䧯o~ HL:tXȰ+.A y#!Nr$ cP7! M@ H"HL&:PH*ZX̢8Q ` #2AhtQy{#Gqv_:_AUңT0gSB5}JVz Pֶp\ZԨJȫ^;E T5kBֿd'KZ6v6zneGKҚMjlmlEͭnw pKMr΍tKͮv. xKMz^뢷|kͯ~j0F+&;X ~'LFΰ{ { mCLX#>Wb058FgsX;, H&&SxN )[2ej`3w,2ٹd>,4VpL:xγ>π}MBЈN*'MJ[Ҙδ7N{Ӡt+RԨNM=j*odAZָεw^Ml[z.f;>[|ζn{Mrٖv|vۭnS; X~NO]{'NC6Qcseשc\ O99rX,OW{xsz\17y\{nΞA9mʜ#)y}>W0tK}SeRC^|3|=꽿{ށ?w3o׻]=c4g}/{՗'>6O{(}yW`g{7{'uuduW}GzWvۇaWTH}HXŗw(q7~qw`P|/G}g~wv`vXaXRP7}rw}$(v{rw{(` ZGb?%!6e OwEŅ^R%kM_b{k+^r8tXvxxz|؇~ux_XxK~ofe8'xF؉m[Z8xUhhM8Ȋg^kVdj8ih^xZR @I=:.'@fm8HkH^hZR  Pw089v7MXxCH)|)ٔO}sQ=@PzBz>L&l)~iyK}i_NGu'X ( v5`>`bgxzJ׆TXQ.p~Y5P4>ydIzbvCH{7~JY{ Lhכ{0H9+Dy6dIa^ N{it̙MJy=Q&p||p11*C hݩb]MiYywt{iOwpxxpF`D0"*d$>*ɡfW(`@ZtAuXFPE#%?ƝiHOjzCZɀBT ?0v:@@0/ @b9a]NNZtMQ77%@بVc6 )Y f`]jYتȑ䪲:Z LKĺZǚ*ڬЊ ZjfךeڭjedZJd皮cڮjcbZjbQMگQ6 ۰ K [+ & ";$[&{',۲T; p8:<۳>)B;D0ZKJZpNPR;T[VVZO{$K Pf{hjf+l)r;tk^M`+z+N~?;[+[){ wMyMP +빜;){kۺK dI{KW +㻼 #›7)ۼ[ϋ+˼:o ;K7勾[ Kߛ{᛾;ዽTܻ \?,l \<, |L$TP (*P ),\+){3 3\C0L/,:"DZHT@ LN@ QS,VUPO\U^~ >^~`_   q4^6~8:<>@B>D^F~HJLNPR>T^V~Xq  )  , jlnpr>t^v~xz|~>^~b芾莞 c~阞难>^~ꨞꪾ>^~븞뺾>^~;PKk$PKA^EOEBPS/img/csf_mapping.gif/GIF89aKǑ???WWW"""333fffDDDYVWwwwUUU{֩nnnkqw !"̪ݖrvyQSU񱶻\\\]afABD韟KJKԔPTW123ϣrtw*** !# 
.03=AD`cfMQUݚ013qqqbdfoswzzz䗘RRR!""㜣DŽ223urs>:;defɘ:p>B74Nd]fV]ov10)eE`p w= /[ +h2gr e0]N' w,~7 J;቗nS/N)wzXakgcq+9+6а褟Ee}  n>; \F+K,m 8 <"z3o]s^@d)~I S> R`Œv(L 1,>M`wcЋ @᱂$,!P"(yXD@8}_0Q0a`(A$0{D~BKD<׸%؁@H9 XPBt 3ڂe1'ܳ@ t$$J)̤&7Nz '!<tt5M`ۅaa0@@A|V)ibƇS^&#8.lvW(ΐC%$ T~ D%2 y1שdFE EAD;r5䓟,@ds>"#yMBІ:=h&9wBE r4=);;gl?92 /rtN0fJoŪP5ԂI\ TtU1{E@g&1 X2VIsT4OԨVVLgMX! 9pH@Bu! m+˘[kƐ(w4%)x~ 3VfPk%Oɂ MrN\h BШրA+L &>(ĉ#UT8z %`>% tb @K:n{lNv"z/ nVhAp>! K`F[xWǡ b+(Q%C֡]tE?!h_j6( QB\a< RCa^9!(<}`ߟO߲V 'u0}R @ pvՖ}}av6~M!~_of~k PS4tpHKl\ 0c0F'@Y 0}T p hz}}Rc6b+P ,2p V  m`Ni,cPu?q>G p| mQ@ rcSHP4ibCE]0h$VbUWg0qWftF&m}/Ј_SIx8wISZ6]HtC d&vYm@yF(]eŊ2x?QSS.aVc6c,GȘsm:&^\q&%qֈ1SV߸dvlOtRWBP(703sqh?4wgtFeheօe62exW^"yc)A4{q* QP.(oX_yp` )q&wq. B7F⒔IS-F]JU瘒ڵ,YiʈY)83V=Bfɑ1w s$$Xu B!ep,) r ,&Zv cO5֗~0鐃ibq/^%> B:D FzF Lʤ_aPVzXZfm[!bOÔ.#!%4$#<72ܢ7 qs6rTxz\a_C#GdZY9iJ('JQjɖ_"IQ -ŽO|Hj~øˏ6;[׋˽ދ)! {Œ* <~0 +X3K?M;-9;L~e'k|r at JZP @ *ŭ;۫X|+-1&|dܾf~` V*<V0 `HV 1og cK@# G Wx P ` UUJz\zzQ `;pyUTB(μjE6Ȱ j[l^"˸3 `p`Pϲq~ :p`͖!p{˾,T= a Hȼ|z5?yx`%J+/ތV@| \ f`к7D(G1G$4@B4NtBqδr-tm{-z{A pS<'˪| Mo .;_ axH px,V}Ҳ ] 2}{P"t,s|P\Ӄ$( 􎯵9WJ~WҸկ V* F&XJ 0g=C  cpG#-ܴC WצֆFj5848 80Q  N. <0,<? y O@0n0DP`S ; 0O Ѧ}[ڭ=yfpVҖp|00f(`N}9=g Ƚ@ H91 x x|L҇@: 3ssAPu{s{,A Cd= # 0-.R @ yj D` =O0 ӠuM`ʪK^` uQy-˥d] %0`p=w9 {Bx{j|] ֭!Չ Cp%xspg{~ tp*{}uĦj I@S%~ y0 ?0 Ok Pg޽ +_ J>ԞpPN@v>UnWn*͕ plBp/^/<2

kZۛ@ ,xu[~q|cϖ02Q/AzXfX0w] x#bp9Q^FqiQDc=ʰjGǍ(p&gbRNWby,ki@[&S(ԠvL sC>'#6/Ys8OR5֍!ce0]ʰSAd&OO3Y'0/ů3 8f?,2 `0dע˝}2rDCl<q20ZM9FF2f$p.2,׌)pάY3Q1*^ -؀ߛE7:1<LdH[6ft)Fիfu]jm \/C.E)k`{&6Iqldeb2@c8E͂ ._  x\f#0fwz#k4џv׹,( '-'W`xqAD\x)g<x=B#Dž,L~r$0 8zg]CwoBpbIW)p70H*G5Ix!Y1݈5I@z25~X5l-O[wg].)twA/Èx7ޮ0Gcʫ7W1n;A7s$~;]i_>!St}_׼}fvf@FC ޖo|tvYC7G@ு!c:=Z0R\?_N֋Ϯۃܓ㽾W >Ck41FR6m6S>S<㾅y<d,؀`س;AAd:;[Ol/3芧&Zx?1 ׃?-?@/BDC10d;A\0Gr?`4!9̀94C1Fócd d::BE\DFG|DHDIIdzD&DMDNDODMԃ85jxBL-DUlEf EYEZE[E\u\E_E@g G`WwZGvGBG{tG|G+F } D~HoG\-)d,^% =D`[d@WKT%񩽨ʅ:;pNugԾ|(6*VPviC8>6`9aK 4JCOBP%0H=PH0hG3xW`1 KPf# e#-ȃh*ܴɛQ -aPWH A u!գEд%:LP( APNxxx-U.m/mH041S2hTG}THTITJTKH6]҅ՈJζԬ$CDUT[ <˸ xќSRe Q S-R0F%!G25Y=ZUn}6w#g݅a<"8%*ũ #ɥM]*˽Ù?:1;7HXe ]3637k394;ps.;#% &[a훩' ZI^\<1 ۀ__0< )L\%![:Mb\bM>>˹  C]=^9#9,>cЀv8II.KdLdMdN?P_U]:fۀla 7V2 @\4Ļk` _,fc,x奚[ұ\hbꕱ_:t1:"K=LC@d]eu~gfgrgx筕燢g{}gg~hE~h>8e^h{&hf2h. Ȃ-# qeh ӋAsKu "iei&an aw $QAԐz) :(;EN~e@Y57!na"-"18#5x#9#=#A 9$Ey$;PK} //PKA^E$OEBPS/img/logging_report_example.gifGIF89aG -*'./ 0 /,%-/3Om+L'u#P7l3:G)+t JO-b p44I2G26z8RQNsmEll9EQ:Nf.tO0nqLQ.M1K6-ml7o-m.,TWPL QG5PyMo5pNhI3mlll5INULWiUiTXesiRJh\gmgVmnl61-74827930IVjk3U7W2l6vMUtg(\#\/k/tn-K[LRVtUxoYoYlwquKLSQMvGzt{tq/7 SJ7dgVj '/3-6502!̥ORWPvwrtRIPWtopmbӜo65ZLQ2l l3NH3jm*PM\gnQsmQJTglRtn2PTF0nv+WI8fw%k^\}2TsPsNsPpDٙ7͒PՏoβSαqQxTk0nˌ͕鼟ˡʦ“̴☕͔ȶ隸ИΕϳӸ˒۝ͭδ帓ǻ̵ՙϳؙҷ!,G HzV\ȰC JH"B3jqǏ1Iɓ(S\ɲ˗?vp&͔6oN̩#Ϟ@ Jѣe4ΥNC#!riԯ`ÊKvNeUpCnWk˷/̳>mTw4EVzSPT/kU)@d9#Y E~S^͚/ v=MD,㱃[VDxÍ2DI^9~ںػE[l=ad<jC,]3 e%PW%~ο ~]wVD $o6Si`g`6͗|Y $hbjf4EWc CGDgUV\q9x!!7ʑŇTUэ'F)Lm'|Qx\IDFTi$G)CRNXRp~;XTdMz9v}nV]U!GTITF*7(R\f(A<؛@92t>ZO$Cgni JJV[J9fj!|NR*j塼IUs.;nXP88.5AFah=CVn\HUلVh@.\֧9<W} ѭ'豞*IU}.~}\[r(\O 7'V=s>Aa&~ps=IYE~fmQ/wZ-CV=ufl1 ҈3KG:%aR7d-5ky=o,Qm_BбBN2Dɲ4&M:t5Y'QySB֧ І:4--(kzNJ(Cю'BhPDzHoSіTD )KBRYt9;%ҞT&1LRh4sӦ:u'APoVc2SծDTiPիheX%֜,ciZӵ$(ylʪB=jSv%zUIbH da;JUc,VGflfGKvDՒرlgKͭnw pKMr:ЍtK]ͮvp xMoyfw| ͯ~[_pl38~'L [p wXE (NW/>pW;e WWNp.{l`Nf-sx^>3~6x _},0w}£V ztcnoLv>y+jd{O^7{,pxqusdve'oX~vto{ Nf=NX3 /ؤ4? 
/Pza-`_[qECu?]^OaNu#=gN+oGq^}w!(Wr1Rtnq\F l>>'M[v=7"*o>2O~كGp1^"9}wryvG Xe `` ]~ׅt}zlg^?Wz;fu x:_p@ P ]=7zs{<8t8qVzh@sǶhI8C0u hpNnBWr<%h#pusvza_(Gois{ Ѓ c^h\_ (@ @ |7]j.ׇo&jV |ׁ%Sxr~'~k{Ɗ kpk{nx`^ ~%ٵh1h@i؈]8n&G v@ fop 0XgVh~vX E~Hdh`i`̷}Ht)xlȊhoڰz{@Gk.Vhxlbzi CXqs%s D7zY ^Θ=Yilm XhH839ņ{#pXoF8:{w W)Fko閽y )(jMj}Horpt]f߈8'7fp "if2F M8 'ȓ@ @*Y)xمkEHɆt %}V})؁ s}hlIqzٜЩ^ džǐkohEWzٜ~T8N~F&jɶmGhЋ&9E` xքw6(tĆt0ٛvr_ PwXfY9"Z wIq]HlikX)ɢɠơ駠1Xh#Q&j`v[m@X1jڦ8切x{8 * 'Xrz*I玠{۷h s0r0Ej}e ,Kz褰)il& g@P]*ɩ*, Ƣg蝩c(G幒:P{Gz︆`{ijHiFx{:?׉k. 0yjXB*jEU Xz6^m[sÊkߺz)q*}ZG+it_]{' x]{ڧX&~)c!m:~'InNp0 tf'0;vm8s~p+y?{ǰD{fƥ6lsȞ3u !@VjgZ ia:W᷶z˶o+Zg#+X{ {۸kr:W hʃ;h)ȸywAvKtK`pfh(rO꺧z~+{Wg;[[;keG m뭩 lsV06kxxMI 6K_ RH țk {s=𨢠{ڸ}h)\g⊥ sܿh)U9۾0<̲&衵څv&{1kBLTܼ'HK ¾˼S\d|3l}o[ܢzOܹQܻc\txW|l3,dz {DŽ NJ+,/\ȌlVq|d}ܛǐ<~\ȖL)Ʉ\յʬʮʰ˲<˴\˶|˸L]]۵ٵJZʜ,̼|]Ƽ |||l|^՜Bflڜόl,||\<,| ] mˌ ElǼmݜMml/2}L<]Dfk6 >.:M?MLE}B<]YM"X=S[<#l fh 3;\\kH]w ^M֚g-׎ Ru- PϜmׄkr=y_Т=פHc,-YM۱Y]ҜԔ-֨mqmՏٖmŒ7]\}ڊ]m՝J}!ׁM=,i|՘m޸ ީ p g"mm-{ҥ}ܒ}ޭ|P NRMmߌMQ-֯+]٦= ӭ1-5NZ~}=^m^0-߈},.܇}ՠ^- >YC峝W6d~Jnbkmge<>ļڌMOn҄/h~.~ݍ^Ѽ]|H=hߥM`]n8rpDؘ mNy~N ^M>ۼQ.? }ܺN>~Nnts>q0V\h=NM@~I>^u~ ?]-/ަ^~㫎"Ѱn̈́ V~ ۣn} AߋZ~Hخo쵭Ln[N'}~W]~q-̼H .l{]2}=>0=^ڍZ?ءč=O덯UO>nQ쇝))mw~qcKJ =n*<痟D!`d/e?o~k?~o]k?  o o@ <྅ >t1Ĉ 60F!6D1vpF+Sj,ʖ3%҄F2Ydɡ?5ꓠJE"dZWo5FˈC^:5E~g̒h=]S.F:6(Ӟg=.߶@_e_.?7.Gď=2O5/k9DOonfՒ. 
J #5>^ Uc}~+ o[i3?/z˶c̺guf'/}tz͡^om~nϾP @o;%B#~͚lBjȼsϴBHEk@s2O#f j l:"[$1,J6DѺ[-K/ij+/:5n)P|H9A:ӹ\ aLE“>*פOܮQ=sR֌SpN9PAcpQ羔Qh1}dlVoRQZDsT EIJ*R2;kc>sC5LwLE26p-\_L휜5 60 rQ"l\dX $5m߰v_XiE 5"KF8S半> 61fyʋɸ%P 0iM1l _(j!K2:,2KB)FH,Lm&>n̥+5W:f(ToHZ2Vbͫms]QL$ $8, pؘU~'hUAf =md 39*”^ޢӬ 0+!DB>0$(#M(OR1+T'+852m\}vB_t2uQLɤ'~D?&jv&8MFSMmNuZ*8I 0/~asgdd*Qu)' PV󏥜l|$L ymjBWG-ZR\,^ãHlFߊONJNEqQ?)ԠCA `$1͘Rr3eUS5:"{E?:H|95*xꑑ.ĆzRo5ޕ]rJK1rdUIofto7{ʖbl#F3zb6A#lEC:GօHx_oed?|!&r[>h@p|8=Dؖ!]ViA$T/~qAh!$ Y+Ȳ5_>h?ِz͚]h@5A>Y0iALHH 2r 10oJtB+D:L$ɗbRTdh% bxuMdWX;8 bi6%EX4w*TBJ9Hvq%^vz*J_ư9gzܷ-,ц>e#-oy%zF YA}ZS{*ƇAsۣٓ mL:AtҲ$yӉ̶+  W)=A"7Q=s^90"a/ڤ< xIFipNeT|fLed^F{CD6Mh7=؊}A+/bUIrp>u!mxvΜ~<9Mj\pˬ$tmc'GWJt FLC F53tnEN# f]"JUj44'Wyʏr{ր{,9Z]Z(1[Z9TxЂ2q rSeƏK>;:$+>:UK%#ۃ.]c?{е6 |6r"}lĕ ǯD]+@R/䦏Ԫ J?7h's2V? aO0s0RB6KR9OTJW5,#44 !tD<#.cP?"0R#^#=6 :|Ċf$a#l˿K ȵ#I! HC)|HTEt"̯KF>7ٍ K ̬REj Z7CM0I{/Y\Bϣy4dK|:y5'~SFc:" >:B2| Ϛ|>GJMFN(l68E M4|;#2:(L<;OHO !;k ;t$#;!=P32+7HAQoRaJU>S m(@# ʂG@ѣD60 2CbM= 54z 932Y":l|=ɑSpZQ"!'A_֭#0vjӾjGE#Aȼ"Sԋ^ڰ$KRJ388uv@Wv<T?Eō=7&º4}{H]6YR 44A.2o".2H)!5֑6-֒EٓUYLY]YZݙXG 0M-2'KN[CeӡtMBaTW"`BXS.ݗޢתwWSZxZ@ڎWl>pHIǝAZ**QɓrZZx*,d%$’ٖٗ=\euE`5ƍه Z=5T4#5e=BM$5-M5ZZ 8Zޮ]%ӷpE}0LGNEASJ82U}SYAץ e7b{*\b\U\]^m_\_ e%W?Ŭ2uqZތXE@CvSi]]^ܵ ` -۞ SxQ"rXnE-c]©1Zb+`Ǖ5\ F%$V ]Z,!=`E? 
L1bn)*15 a V6.^8~4c=SXyc oMIWb)dcט]-D5 Dۤd%EG4f]MdMdONOS.ŀb+Q`RmLfZPi?]_]FSSRf:drmfyl™ff֣m.Xِ'$,ҽbM!%&=*9rxcvFJ'~F- V }F3V&hv6Th.h:NV)V:f>~Ɗ.>Ingr]xeF<&e9U}uen3Pi|Ŗfx5TDZ9 QkTH  tچ^a ` dci.đ;a[>mF뺖Y"rT%0HsU#A[a[nmh {ũbAhRXlRl̞l~ж'&mmNmfm5$~lm6g!vXL2*9GE454uv"ȈZ&[2/TEn/kn onr%iظs E9.@9UD'tD'#aTuBECzSHgIgB?/7!#4us2bu%N݃brd6\n(Â,_W6u$Z`WvdfgwlgOiY S/4 7w`rfZbvwEbw>l xGr&+wyOu_w)wwx~{/x?wxOx_x|x{xwxxojYY'G2gkOх_lp }Q2zѣO_VgzpǢz{'W_ "|Z^.{tw?|O|Ï{{oŗȧǯ)R|PvGʷކ}'-|ȷ|gӇחէ}ׯ}շwٗ }'~~o}w~~Z/{?zg{'G/OwO7*B+,h „ !Ĉ9h"ƌ7r#Ȑ"G, ʔ*Wl%̘2gҬi&Μ:w'РB-j(ҤJnhrӧOJHǫXr+ذbjXٱP2L۸rҭkۅy;/Zz.l0b.l%'l2f̔)׳ˠ3.m4ߦM6kԲgӮVauշ‡W <~&9 [t ޾y#7wd׳ox:v*op;u(< جUy *87@\xqwMDz x"$7- O r_u6Zz"AJ` -՘_Ay8〤є U)$Yj ~$ANrH"H`j&)Ou`4n(#6AtHfޛpZ2*]Ǐ"Lߑ4ކ&>)%J/Jn*e*:-f>$hHYbzثbѯ+BQ%Ѳpyj, ljTԪ-r".nP =lSL9Jn00Nieho(Ehe>]9e)y8u7uf~o { !}sADO^"BTGȍN5C65c9~:Op`0V /\UTm4>!MjphHa?o, $c| kYF$0y׼AhNYpSZ;og-6tgxa4ح&q:7H6@!q0P<O(쐿)xcXJPUbt2:-;6G~@a{]H `:Y`cL5&&I^)<*E/uЃ>@{CL G%}ȁ3҇$ȝL1QBEҐBvHqQ >NѩrV\%ɲ`-kAEBl BOI0҅2T@) l>"!H _ ТsO#HR#>(Lj-Na(T}(S E'˵0_I>uku($ťISq^|GK &,Ez#-,'Cj{ӕKh>mC=ѽskK&Lc >K%*:>AՈ#_.Vz)ӎ: iPފ6]&cuB> 5뽜FuhgA6q/\ G!oR,ZuTIxaNk$ًE|haB~ F)Ki6[yKUWKӱFgt.b WX1L8u9>u q u^ dzԽ@2|QFbS/ / ESTKEqPb桘agI>sor-iyxfI9A%0MV 9h>4 6ƶ|&t13gɷ!ӈQ]hC.XNiugSfvcMQ/jH&A`[;׃$)mUWY 0>6å#Wm;jEOkl;–T4nיe]m\w?xŶ]pWkxoQ86oI 8ȃ2[9ʧS<O9>Ď9U>s!cgѫa\]Z-N|BJ$(x%zӜO?{Fw~P ɥq{~{ymndQO6___R, 6> FN V^ *Blt  rAB`A ֠ ` Ơ" `B ` D``:6`v!zn!֠a~`Zja*!a!JaC0a `E.!& "!Nb2a BF%v"!$ N !!V:Z!a,b"- b- +΢-c/*,Na+c.1$"#Fc)Za` 2*c5*+ޢ&F3!/b,b*9Z)J+'~e%eA6D2:*&VfQaHadRdjb$.re%rG"9dfZa% T%\#B &7'/U.H{Zgn*xgag^dq2ybgHVtj꤂.fF:rffڣ7hfrFnʣN}#b^FSpH2ʤd:hs$pw&((rhTisB'R(nuJh~"Uj'kʡ;Vd x?d[ڧ^Fb"KF[qg){%%'gDf2霆hrnh.g*n~&*>>j$:Ÿ$`iĐ/lo #wk 6f^i))(d'}q'?h |:")U2*U&+Tj'Zr`8 -x)dApjM`f Vk⪐z&i+>icf%~"(Hj_j( :*',f.l2v& PoL>: JJZ(j)瘶(ƧZjæ7.%[_辺*2,+sJgj"B-Ji1"Zl>JDfwb˚#kzv')ښ'B%*2h-M-2B,uJ@`P-v* L%-֩*X -s&kGc[l'-B֮kJ+.n&*dcudGZ-#eɞ|"ȍ+ mmfqZúk#_jolƮ))βݦ&6jenl"*"⤢\n+včZ"/ ?jk&z럒i0.,ov $ncF˾hAM%6&*rpMmbn&j2m:tp:-e-V-'Z/SAfN0 6>")M/b0vo7q%܎.nDo -J 
j/֡n'+1:e/0"s+jo#lg`ک21%C)rڎ6+ ꒢6kk!k!/&0 'cYm c*#-o2,ұDz4[35W ~s /c5*2171l&30^r(6/)jtA7Br)[r9b+s@Ӧf5s"Wzm rd) nq:ckR"lݪ/2ᅡf3nt6[&&qA0 R,"V33(Hcۚ"V5޾3V2V??O@7L""wo3>;Bh޸7a7hwr\]c7õuN*g z.nW26xz(ft~{"[J8dn_wpt4WiyS/lQ"U䌕_n֊8e2DqD,s~/iox`p2M1935wv+yw3y[/6g0MyOx޾ o^z-qxxs4]V:~b;(DwM#xk7mctfu;;u1;c˻6b|M ubE.0 C-W8C(uSjdcbrPe *jnZ&xW 'a6Rv0NY]n?./z9ϼ!C;ߜ>Pa8n/"x) ?0;k$ ThN{Jzy >n< q`NOLh O'=zQ8r|heMfN}gI;ػ*k'zw~[Ni"NO\OlC-n8ga8֍Ǘx ,<{>fO9n 䌓ՠʓnV9d"E 1^xƉAlHK=JNO"Dh͉ogQqUIN1F}ly_lK *ģ'ylR$Df-CyoڶJ] ܗ>EFZHJyOebRҊT-~<%7Eg--#$ay#x,֔M[Uu^ock Ti{ܹEF`F}I ^keգxjz嫧~~ˏ%jGAz //䃐?6B+԰cȷ9LG*kF %$/{,Vį}˦j)G9KI.07 _[ %{YqFj\̚$dhM^J$Zz :jc:sD|nZC4.b;{EqI-C7KQ+0RKuGD]EXZgUUqu++r}'Lbp؟.|Tw6# |L1)P]5U.& yw QǷh-'Ij:0_LC`~@2L,3|jc0SPm*ۆ, CV/LLOdžTۗkN yн\ohh*ܦC-#L][!A}6ҧ8z?rN[m.lF5vfER|RFiQ@Wb1z_ɟ+tjzSR/7{'i6،8|6>cS B]"8)?2󚍸=e$ǢUZZVu>۽_U/NjΡ CWK% (Nƚ4QifQBl\ؽ7QiHrblCA6vpud%n%S>j$BNS~k$Į"\1$ d4э+"6W"eY)=/R e3)[]iH1>K"RL@t73F6fF8N1yQˈL([vxC`2 %u:Y0 fThIlM#,: 4AhPRJmBP$PCqYbvQMHJFjL%ҼB*K *MZ$)1"|ZAKCBJ7#zƦQY5dR 2 /~av< O@H9a~o%a9bUERoV;*C^8t{hLڑ1Mt-g}Yֳ]j!J>F4fKؐ VkzOeE!ibxp"$ԫiBQ#vZ®J `zYYTUխNժiձ26io]k]6׻$tE J֢TIOgD#+H_3eeǷگ%{Wⶶ-QƖ/^OZø9y ״b0Lbd͐X# jN[{^7FKגXK{Ö=fq^f8y|g@ӯV}TJS3•Q܉ ʕXkѻc]Rg,]OSŲmuws{w[foO"L;ؔ{&X!GDnky?#PS u}LJZmi\X2FmW򔿚9]㖇]5_Ӝ؀-vAnmLO,NCΗ3гf{/3[6;h۷ZE,>sj!Uu Ww޸n]潦9m÷Ǐ6-sg>畟] sb/?-& IYU=C.mp۔.7ځ}={ig>-_iӊ涻M%#[mrn󿽩d\?ޞTOhF$BNӒ+m/뢧؏L| t y˺/X"C Y ;K KPG =  ]p|dzL)hP0TTEȨ/lp k/08OCQK1ejۮ?(#BMi"rC72Ddb# 9-p/v 趠JGnOwqqqVY*@ X @4FhˆŐb /RMr"Oo%7ь#2#1P"=2$A[#E^`Xp"z;(a8 Q\b pNYO^-| Q#9lN Ëҏh2-++RrM+;0,2,Qr)- R+,*ۑYb`d(4eqҖ \,.j/ e!H3223.#374*4I1M3ђ3a3l4)qJCK8n5npx5V4AF,43i"iU8ʨs:oS䰓;ų9;S931bÚh:"+^ iOmM8T$s=,Vӡ ԳmғAő{TA#4@CSCՍCCA)/-4C֤?'TB+TD4?> u L MI(}I^4$0z+HoI1霰|4HtIϖSIJIrKJqtJK;AS?BT(/&7"3"PoM7'KV~?G|*EP'PAOMQR UQUO)QtR3R/S7US/RuP-TG5T1U<UW5SSAUcTVqV4WyW}~5X&X5 5YuYYY5ZuZZV. 
QW[7 \U,5\u\5]u]k[ϕ]]5^^u^^u___U\tѬ`L;YVa04bg`6c+Vc1vc=cAva?VdCbKbQcIveMbd5VY6eGMfUAuf6g[6hmVf}Vehgviih6d c#i)i;kg6jvli6lmlٖlmvlS`_ '`_nuoonpo ppp7qw_wU#Zrur-83Y1ws=sA7tEwtIt9 P7uUwuYu]ua7vewvivmvq7wuwwyw}w7xwxxx7ywxsyMWs Wz7{w{{yzW|-|G|7}w}ٷ}|Ytr7wUXYXtZ |7x~wzs#}w18~wׂ5xI!؃WMa8ׅՆ9Wy}x{Qx"@n""?p$2 Wu?x77/"8+Sw'|Az{Xxٸ}$6XCex 88ymAj؋O%tZUx)ݸh(ؓWyWx-QX88͘G9WoXs9yX%X2:9?#PZBquFؗ/%68 mA|!vhM89#Y{չyixZiO8:tt}:%ڗ| z| z5zI9;}#I:+/!Yzk8S]mz8,#bCx"~:e:iڨᘌYV&M⭢ӣAW+[uE9WX?YڬqZ:! חﺰZ(vet z {ᙦA"TCǯ=W9s3[z[kXљ!!Iab}Qv2<)25Õ=@2b :F'hݤ[-+FØeq[bd@s]<۸`cdF&##6&{(5 >|l;+Ba5LW| ԇΡ {yVL1`Cضȹa f܈53P7W&Άiտ#x;-7LWbϱYL}%]Љ#Ѝ<`8R\>Z|ΓUZ܇ "!ljMN爋ifs`NAϣE"|bռc`ԉ\F:]ڡk)c5`Ca>ٕb>SĉCy1|4z2xGN!Ź뻉ۍ KȘ]?B^c+ە`Fb/>|z3Ω\C|@1:o) Y&Ay5gdz.@ԏcE1{9YQ$a9L oXș׈1H{ޏD:My^ m\]ig`"a">лZa A({ ?"^|qa8>s%9X9c L ɺ$GX =!"h,=zDg۳dOkHD4<)Ξi}US t(UEU ـV!PKKXvBP4Ugγ`^E>x3R%6 gVeNgz&MA_D9$6DcIdER`kEZԎXv9aW D&Hu(+"IvfV^6!fA(xRD(ZχiN7Wh&h+G5RCz^{()J斞ZbFCT`I e)MS& S6:+ QJ./H:M$d(\}b%Q㌴l%I;HJ7V6sn[,85nD,FBs 1t *p :XzD;f&<u5R}U|q{Hs~@a{JC7r##\)`)Q\1&Mr #IJ"1Vd=)DP&r,)'A B Sjģ!HLemB\r/8cQR޴uoJt DhO5lr~HhLt8`f8JjFMd6 xsEtg XH{s'=D}rP"4Є*4f:υJt NP e#G+ Ґ>#*ҔThv\6r4>[ZNT0OZMH1r -2\ zȞrG*PU/-HHXU%AI:L ׸zoT$ bbNTV\Xv[LHWWIbJ )̎gs4%$%$1tq]f- M0F ù̜O`zײ-q $=Wuej5EVq]C$ad탸Im=)q׺nN9wto{+^-b˖=nGR+8j^.x‰m0hSxp0 J$Nx,n_ x4ox< yD.$Ra2)8Y"ȓ#ee*C9\Е!2e0aƲǜ/Oȓe5ÙgF.yMLj6 ];ZΊhHKuo|O{ʯyO>'eĿҤ<ܗ}z^S<%ԗ{摏}a?y+>Coۭw|t3iƳ}u+}9f>ן}7}ǽ_粯~Fٞu>wOxzqp keUvva|~7tIWl`xgxo'|yy§~jr~&ryGmG{woFȗw<8xQewyck)W+i}V8,o*~qw/8i2v؂Ah~jw{V(fWgy;؃x(z׆V~|u0aXRWP^u÷l+jN|r_v`؀iH~gw~@{XtwaXth0x|>lorL2 xgPV`|L8TȊX6kX(adxbr؋熜%~z@vvfOׁhdtouw&e (cqT>cTyrXHr#zsgte5uǍ(3؆؉觀්7(W;iDVq=5=kv3^(rVVy(kbGwq`tI@:ۻL[lE 'w pi[:{ZꈁZ [y `:+-KhZzy. 
uEƴxZkMǝkik; DIJOyVIY:۶DD9;Ī-ʷّJ'{~Ƣ+ļ'za={ ,7{6)ŋ}U׏˥( }+j, 靾9Vv ^B*iQV-X=e pws^ݍef0?6CԎSx^mI!퐴fC5sZ~-N 3pY)PԮWuR *pN~*0*g;eRڅR~x*̊'ǹč;rbCq, }0++%bi!K)M#Gor0"ϸ0nZdrSc M#2:q_r/uOu&PQFqamQAbJoa ʡ)S)o*RolÌ޻F tß//lf"ϰψK6!2.鷟m6ތ틨Tƿ5>XS,©6ȕTϿ~LQ jrN#ybsYxZŴ6oC4$W_zÁ>ݛq#^cjv.?#ҜѮI_7"S:\IhQf1uѯ_f]5lܪi^5o۲ϊsы9.UCm:bB,?dj*ݞP1*;޿ҸEh!,R,iAjP!3p˲"O;ƖB3Fj vb2ex(Ĩc0̣@J 'tE3C? },h{飆,g,+J#:+7 N:SO?t 3m)R9 .ɤ|\970=R^p2P1%P4+V{ BeE0'PidMR`E~iW$HX "ḻnIIvi.˴3~H래*KR_w\: B)=`tF('Ino0#acf}N^mf~yΗ չsc5l8Q!瀱Q7KtBI@n 6=tgAs?oo/n]ƍ׶5}5ӳ:oq*$PO[U olj3r}h|A_\Cmb~&DkD]Z:TfNϹ!V/NCoij飗hZ=uygYhWzao[<_?y)'FEXE#lm?x@'Um_6x]ߦcq 5קP0,ZHp8ܡ- HB%S!IQf/|e, W0mnH: VN͑Z2'dOnlcgz>utc숊c DZ Fcc NpjdHG( nSq)$bV8vB2郤#ݙ=ѠD:PFqw,;t$qg3HjSs-A/+]g+Neβq{)dHu)^^)SLFTeKyG09-jP9T*OEjTyk’?=j*B",57goG.ϔBh@H EiуV+b2}lc)TM%'W~J7yK♱cuFUSU򈼴j1:Me֨>-p Ԇ&ur}[_fՋ)O+XC+튞S"V+^2wofy%X̾ld+Y—mD+_W,`4ݢt=jfeR]Υj5xN.ոE+T螘U1;,nnoAU70okf0f8wld))M,a69He1<+SYZ0-2b3l2d^3۬/PeObMtbGeĖǘ#^8Ap3,:BzS=%Z+͗kWfNoӡ.SOG=e+촲ȿh j7UW5K˽qS5<[,9ٮAMC٠3--j;;؞mTS֎iVvUM$Zw)K+Yd[7킷NÝ:|7,BY{N")+YHػoj Xq4jNf9'㼸Ak<ߢC<;nȜr֢G@&&䌎j5sS zߎ[&KoNo=C=*&xo>&ۇx'n3{i\%R$? T@=ح7w<3^n)q'.!_mO>o <͇#PB;}YϮE -@bƷ\/$蓖yJ}NiY>ܨqi+ X+b.A$V:4,kA4 =ÿ2@|=:,tC@X!pP کՓwUȚxۃPWcd216c F ` gIՋPcPPb>P{a6Ic6c zPz؆s eP+p0 _pie\ՓMb&aՀ8^[\r* hUUIX =NM c3fDU Gvdp|60N\;x/؇S!Ba^.* *VuقcXEgiuZف>Y+0 !p \hg:~(*FXu&p[ZU>ΚM Z`W\ч#qlmW{^؇& o$Y yb7NniM(*fRŠ_k·{ؘnvgXHIg F(O؂X_exeY%% b}_PheWg qVՐ0H[Y 9NחXd!XMi=;ck Ϙg^ E gՇHއ枹kX*CFmPfTp|j*_6eanqkHCig9>י0RYh_66裸a 7&{ :o%n * Y"BhUvm8~ kw .Qo;;> Un8^ pu%f~nG}Gcd(ŕ)}V|~ 1fCVcoNhs3x]!_xpVc^U⩥p;F{X G%A`ڐF8G^%8~ ?҈C8?OqnX5`_ɖt.TFoNwcZ.Xlqㅐ]VcqQwU (^z&X~PH19Nm ZՇcVWEfO7Wwio?t7h$AtLM%cGsP]K~i,u i@SuWF]e5k!Wu%3xc!4&d鮨U6c(k8!yϚ5?viW#n}y㨾S!fy~oWzO]6q|TRpx%xFf^qc{5ܵ%Jy}U_&ਭ\WZT'ڬ{6_o{q.U]xh0ժІLkWV7{|OWܓ_lFb;iho|W}wO VpGY x}sV}=|7n~~^_ pVNx 5=~ӝZoxYCdX4g-` ?Ah%"Ŋ/b̨qcƉ? ѣȒ&Alw0†,SqT6+|x2ʖ{&[Yrœ/-z4o7Lz5֮}NH AB!0b(lc߼ yrq>-}:u#nJeb `wo}鸷1ԄWϯN5! 6Hr6B͇Xф!rءE4<$$/s y! 

1 Understanding Oracle Privileged Account Manager

This chapter introduces you to Oracle Privileged Account Manager. The topics in this chapter include

1.1 What is Oracle Privileged Account Manager?

Oracle Privileged Account Manager manages privileged accounts that are not being managed by any other Oracle Identity Management components.

Accounts are considered "privileged" if they can access sensitive data, can grant access to sensitive data, or can do both. Privileged accounts are your company's most powerful accounts, and they are frequently shared.

Accounts come under Oracle Privileged Account Manager's purview if they are associated with elevated privileges, are used by multiple end-users on a task-by-task basis, and must be controlled and audited.

For example, these accounts require security and may fall under compliance regulations:

  • UNIX root, Windows administrator, and Oracle Database SYSDBA system accounts

  • Application accounts, such as the database user accounts used by an application server when it connects to a Human Resources application

  • Traditional shared and elevated privilege user accounts, such as system administrators and database administrators

Administrators determine which accounts are privileged within a particular deployment, and they must configure Oracle Privileged Account Manager to manage those accounts.

While Oracle Privileged Account Manager most commonly manages shared and elevated privileged accounts, administrators can also use it to manage passwords for any type of account. For example, if an employee is on extended leave and you have a business reason for allowing another employee to access the system using that person's email account, Oracle Privileged Account Manager can manage that privilege.

1.2 Why Use Oracle Privileged Account Manager?

Oracle Privileged Account Manager enables you to administer and provide better security for privileged accounts and passwords that are traditionally difficult to manage for several reasons.

First, privileged accounts generally have more access rights than a regular user's account. Because these accounts are not typically associated with one specific employee, they are often difficult to audit with existing tools and processes. Consequently, when employees leave the company, they might retain privileged account passwords that are still in use, which is a very serious compliance and security issue.

Also, changing privileged account passwords on a regular basis is difficult. If many people depend on the account, changing the password and notifying everyone requires a coordinated effort.

Finally, you typically do not want to store passwords in a central or well-known location, such as an external repository (like LDAP) or in application configuration files, because you cannot control access to those passwords.

Oracle Privileged Account Manager delivers a complete solution for securely managing privileged accounts and passwords because it provides

  • Centralized password management for privileged and shared accounts, including UNIX and Linux root accounts, Oracle Database SYSDBA, application accounts, and LDAP admin accounts

  • Interactive, policy-based account check-out and check-in

    Oracle Privileged Account Manager requires all authorized users to check out an account before using it, and then to check that account back in when they are finished with it. Oracle Privileged Account Manager audits account check outs and check ins by tracking the real identity (the person's name) of every shared administrator user at any given moment in time. By using this information, Oracle Privileged Account Manager can provide a complete audit trail that shows who accessed what, when, and where.

  • Automatic password changes using the Identity Connector Framework (ICF)

    Oracle Privileged Account Manager modifies passwords when they are checked out and checked in (when configured to do so). Consequently, when a user checks out a password and then subsequently checks it back in, that user can no longer use the previously checked out password.

    In addition, Oracle Privileged Account Manager can change application privileged account passwords at specified intervals, such as every 90 days, with no changes to those applications, and it synchronizes those passwords on the target systems. For example, Oracle Privileged Account Manager can update service and scheduled task credentials.

  • User and group management and workflow integration using Oracle Identity Manager

1.2.1 Features

Oracle Privileged Account Manager's key features include:

  • Multiple access points, including the Oracle Privileged Account Manager web-based user interface (called the Console), RESTful APIs, and Oracle Privileged Account Manager's command line tool (CLI)

    Oracle Privileged Account Manager's simple RESTful APIs can access Oracle Privileged Account Manager functionality from applications and scripts.

  • Administrator and Self-Service user interfaces that are accessed from Oracle Privileged Account Manager's web-based user interface

  • Integration with Oracle technologies, including

    • Oracle Platform Security Services (OPSS) Policy Store for storing metadata and authorizing functionality

    • Oracle Platform Security Services (OPSS) Trust Service to authenticate and propagate identities from the Oracle Privileged Account Manager user interface to the Oracle Privileged Account Manager server

    • Credential Store Framework (CSF) to securely store passwords to target systems and privileged accounts, and to enable regular updates to application privileged account passwords for compliance, with no changes to applications running in Oracle WebLogic Server (WLS)

    • Identity Connector Framework (ICF) to connect to targets and to discover, update, or both discover and update the passwords for privileged accounts on those systems

    • Oracle Wallet to manage public key security

  • Support for multiple target types, including operating systems, databases, LDAP directories, and Oracle Fusion Middleware applications

    In addition, because ICF is an open standard, you can write your own connectors against other types of targets for which Oracle has not yet created an ICF connector.

    For more information about ICF and about developing your own connector, see "Understanding the Identity Connector Framework" and "Developing Identity Connectors Using Java" or "Developing Identity Connectors Using .Net" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

  • Advanced reporting capabilities

    • Oracle Privileged Account Manager's out-of-the box audit reports are integrated with Oracle Business Intelligence Publisher 11g (BI Publisher) so you know who is using your privileged accounts. BI Publisher also enables you to create and manage formatted reports from different data sources.

    • The Oracle Fusion Middleware Audit Framework logs audit events in a centralized database. Oracle Privileged Account Manager uses these events to generate audit reports.

    • Events related to privileged account access roll up into Oracle Identity Manager and Oracle Identity Analytics for audit and attestation.

  • Policy-driven access to privileged accounts

  • Ability to manage attended (a person is present) and unattended (no person is present) accounts

    An unattended account, also called a service account, is an account that Oracle Privileged Account Manager uses when it connects to a target system. For example, this is the account and password you must provide when adding and registering a new target system.

    Oracle Privileged Account Manager uses service accounts to perform all Oracle Privileged Account Manager-related operations (such as discovering accounts, resetting passwords, and so forth) on that system, which is why service accounts must have some special privileges and properties. End users are not expected to ever use service accounts.

1.2.2 Functionality

In addition to the functionality described in Section 1.2, "Why Use Oracle Privileged Account Manager?," Oracle Privileged Account Manager

  • Associates privileged accounts with targets

  • Grants users and roles access to privileged accounts, and removes that access

  • Provides role-based access to passwords maintained in the Oracle Privileged Account Manager password request system

  • Provides password check out and check in to control access to accounts

  • Eliminates the potential of having unmanaged privileged accounts when your unattended applications use client-certificate authentication

  • Resets passwords to a random value on check in and check out by default

    You can configure Oracle Privileged Account Manager to automatically check in privileged accounts after a specified time to protect against users who check out that privileged account and do not bother to explicitly check in the account.

    You can also constrain how long users can check out a privileged account.

  • Manages password resets on supported targets

  • Makes authorization decisions to determine

    • Which targets, privileged accounts, and policies are exposed to an end user or administrator

    • Which operations (add, modify, check-in, and check-out) end users and administrators can perform

  • Associates policies with privileged accounts

  • Performs and supports Create, Read, Update, Delete, and Search (CRUDs) operations on targets, privileged accounts, and policies

    This core functionality is exposed through Oracle Privileged Account Manager's RESTful APIs. Check ins, check outs, and so forth are also supported through the RESTful interface.

  • Uses Oracle's common auditing, logging, and reporting to monitor and report access

  • Offers multiple high availability capabilities

1.2.3 Architecture and Topology

The following diagram illustrates Oracle Privileged Account Manager's architecture and topology:

Figure 1-1 Oracle Privileged Account Manager Architecture and Topology

Figure showing OPAM’s architecture and topology

As you examine this figure, it is important to note the following points:

1.2.4 Oracle Privileged Account Manager-Managed CSF Credentials

The Credential Store Framework (CSF) is an OPSS component that primarily provides secure storage for credentials. For example, many applications use CSF as a mechanism for storing application credentials.

Oracle Privileged Account Manager enables administrators to identify account credentials to be secured, shared, audited, and managed. In addition, Oracle Privileged Account Manager supports account lifecycle management activities such as periodic password modification.

Though many application developers use CSF to store application credentials for required targets (such as RDBMS and LDAP), there are certain aspects about how CSF is used that can potentially be improved, including:

  • Applications storing their credentials in CSF do not expect these credentials to be shared. Therefore, a given instance of CSF can have multiple references to the same credential. For example, multiple applications could be relying on the same physical credential and yet have multiple logical references.

  • Periodically modifying application credentials is necessary to satisfy compliance and internal IT policy requirements. However, modifying credentials (on the target and thereafter the CSF reference) remains a manual task, which is further complicated by the fact that there may be multiple references to the same credential in CSF. So, you must change the password or credential on the target and then manually update all references to that password in CSF.

    Oracle Privileged Account Manager can automate this process, but automating the periodic modification of credentials is also complicated by the potential for multiple references that cannot be accurately traced.

Oracle Privileged Account Manager applies its account lifecycle management feature to the application credentials stored in CSF, so that those credentials can be managed through their whole lifecycle.

1.2.4.1 Provisioning

If you decide that Oracle Privileged Account Manager will manage a particular account credential, then that credential must be provisioned through Oracle Privileged Account Manager. The following figure illustrates this provisioning process.

Figure 1-2 Oracle Privileged Account Manager Provisioning Process

Figure illustrating OPAM’s provisioning process

The administrator

  1. Adds an Oracle Privileged Account Manager target (if required).

  2. Adds the Oracle Privileged Account Manager privileged account or credential to the target, which must include the necessary CSF mappings.


    Note:

    CSF mappings are the mechanism by which a specific credential instance is uniquely identified within CSF.


    The Oracle Privileged Account Manager server stores the CSF mappings along with its representation of the Privileged Account. The Oracle Privileged Account Manager server creates instances of the credential in CSF that correspond to the provided mappings.

1.2.4.2 Lifecycle Management

An account provisioned as described in Section 1.2.4.1, "Provisioning" can have an associated Password Policy that governs password construction, periodic modification requirements, and so forth.

Oracle Privileged Account Manager honors that policy and performs the actions it requires. In addition, whenever an administrator modifies an account credential that has associated CSF mappings, Oracle Privileged Account Manager also updates the credential instances stored in CSF under those mappings. This update ensures that all relevant parties have access to the latest credential and allows the seamless management of password lifecycle events such as periodic modification.

1.2.4.3 Application Consumption

Using Oracle Privileged Account Manager to manage an application's credentials places no additional burden on that application. The only process change is that the credential must first be provisioned through Oracle Privileged Account Manager, so that it exists both in Oracle Privileged Account Manager and in CSF.

Oracle Privileged Account Manager pushes the credential to CSF with the administrator-provided mappings. If those mappings remain constant, the application can continue to access the credentials directly through CSF.
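The check-out and check-in mechanics described in Section 1.2 (a new password on both transitions, an audit trail of the real user holding the account, automatic check-in after the policy's maximum check-out time) and the CSF propagation described in Section 1.2.4 (one credential reachable through several mappings, all updated on every password change), modelled together in Python as an added example that is not Oracle's code. The Target, CredentialStore and AccountManager classes, the mapping names and the user names are constructed stand-ins, and exclusive check-out (one holder at a time) is an assumption.

```python
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

Mapping = Tuple[str, str]  # CSF (map name, key) pair identifying one credential instance


def generate_password(length: int = 16) -> str:
    # Random value assigned on every check-out and check-in (reset on transition).
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


@dataclass
class Target:
    """Constructed stand-in for a managed target system (database, host, ...)."""
    name: str
    passwords: Dict[str, str] = field(default_factory=dict)  # username -> password


@dataclass
class CredentialStore:
    """Constructed stand-in for CSF: one stored credential instance per mapping."""
    entries: Dict[Mapping, Tuple[str, str]] = field(default_factory=dict)


@dataclass
class PrivilegedAccount:
    target: Target
    username: str
    csf_mappings: List[Mapping] = field(default_factory=list)
    max_checkout: timedelta = timedelta(hours=2)  # policy: longest permitted check-out
    checked_out_by: Optional[str] = None
    checked_out_at: Optional[datetime] = None


class AccountManager:
    """Hypothetical manager: exclusive check-out, rotation on each transition, audit, CSF sync."""

    def __init__(self, csf: CredentialStore) -> None:
        self.csf = csf
        self.audit: List[dict] = []

    def _record(self, event: str, acct: PrivilegedAccount, user: str, when: datetime) -> None:
        self.audit.append({"event": event, "user": user, "target": acct.target.name,
                           "account": acct.username, "time": when.isoformat()})

    def _set_password(self, acct: PrivilegedAccount, password: str) -> None:
        # Change the target, then every CSF instance mapped to this credential, so
        # applications keep reading the current value through their unchanged mappings.
        acct.target.passwords[acct.username] = password
        for mapping in acct.csf_mappings:
            self.csf.entries[mapping] = (acct.username, password)

    def provision(self, acct: PrivilegedAccount, password: str, when: datetime) -> None:
        self._set_password(acct, password)
        self._record("provision", acct, "admin", when)

    def expire_if_overdue(self, acct: PrivilegedAccount, now: datetime) -> bool:
        """Automatic check-in once the policy's maximum check-out time has elapsed."""
        if acct.checked_out_at is None or now - acct.checked_out_at <= acct.max_checkout:
            return False
        self._record("auto-checkin", acct, acct.checked_out_by, now)
        acct.checked_out_by = acct.checked_out_at = None
        self._set_password(acct, generate_password())
        return True

    def checkout(self, acct: PrivilegedAccount, user: str, now: datetime) -> str:
        self.expire_if_overdue(acct, now)
        if acct.checked_out_by is not None:
            raise PermissionError(f"{acct.username} is held by {acct.checked_out_by}")
        password = generate_password()  # the requester receives a fresh password ...
        self._set_password(acct, password)
        acct.checked_out_by, acct.checked_out_at = user, now
        self._record("checkout", acct, user, now)
        return password

    def checkin(self, acct: PrivilegedAccount, user: str, now: datetime) -> None:
        if acct.checked_out_by != user:
            raise PermissionError(f"{user} does not hold {acct.username}")
        acct.checked_out_by = acct.checked_out_at = None
        self._set_password(acct, generate_password())  # ... that stops working at check-in
        self._record("checkin", acct, user, now)


def demo() -> dict:
    """Constructed scenario: one SYSDBA credential with two CSF mappings, three users."""
    t0 = datetime(2024, 1, 1, 9, 0)
    acct = PrivilegedAccount(Target("hr-db"), "SYSDBA",
                             csf_mappings=[("hr-app", "db-cred"), ("payroll", "db-cred")])
    mgr = AccountManager(CredentialStore())
    mgr.provision(acct, "initial-secret", t0)
    p1 = mgr.checkout(acct, "alice", t0)
    mgr.checkin(acct, "alice", t0 + timedelta(minutes=30))
    p2 = mgr.checkout(acct, "bob", t0 + timedelta(hours=1))
    try:  # alice does not hold the account now, so her check-in is refused
        mgr.checkin(acct, "alice", t0 + timedelta(hours=1, minutes=5))
        rejected = False
    except PermissionError:
        rejected = True
    p3 = mgr.checkout(acct, "carol", t0 + timedelta(hours=4))  # bob overdue: auto check-in first
    return {"mgr": mgr, "acct": acct, "p1": p1, "p2": p2, "p3": p3, "rejected": rejected}
```

Running `demo()` and printing `demo()["mgr"].audit` shows the six audit events, with bob's overdue check-out closed by an `auto-checkin` entry before carol's check-out.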

1.3 How Oracle Privileged Account Manager is Deployed in Oracle Fusion Middleware

The following figure illustrates how Oracle Privileged Account Manager is deployed within Oracle Fusion Middleware.

Figure 1-3 Oracle Privileged Account Manager Deployed Within Oracle Fusion Middleware

Figure showing how OPAM is deployed in FMW

As you examine this figure, note the following points:

  • All components are deployed within a single WebLogic domain.

  • Oracle Identity Navigator and the Oracle Privileged Account Manager web-based user interface are both deployed in the WebLogic Admin Server.

  • The OPSS ID Store and the OPSS Security Store (which includes the Policy Store and Credential Store) are WebLogic domain-wide constructs, so there is one of each per domain.

    Oracle Privileged Account Manager simply works with what is configured for that domain. You are not required to use an Oracle Privileged Account Manager-specific configuration to use these constructs and services. In addition, Oracle Privileged Account Manager abstracts out the use of these constructs and services so that you do not have to understand what goes on "under the covers" in great detail.


4 Adding and Managing an Oracle Privileged Account Manager Server

This chapter provides information that administrators must know to add, configure, and manage an Oracle Privileged Account Manager server.

The topics in this chapter include

4.1 Overview

The Oracle Privileged Account Manager server is a component that handles password requests, generates passwords, and protects the password keystore.

The Oracle Privileged Account Manager server implements the core functionality of Oracle Privileged Account Manager and makes authorization decisions that determine:

  • Which targets and privileged accounts are exposed to administrators and end-users

  • Which operations administrators and end-users can perform on targets, privileged accounts, and policies

In addition, the Oracle Privileged Account Manager server

  • Supports usage and password policies for accounts

  • Enforces the authorization decisions mentioned

  • Supports authentication by using the SAML-based Oracle Security Token from OPSS Trust Services and HTTP-Basic Authentication

  • Supports different Admin Roles for the Oracle Privileged Account Manager server


Note:

For security purposes, the Oracle Privileged Account Manager server only responds to SSL traffic.

When you add the Oracle Privileged Account Manager server target to the Oracle Privileged Account Manager user interface or to the Oracle Privileged Account Manager command line tool (CLI), you must provide the SSL endpoint as https://hostname:sslport/opam.

By default, WebLogic responds to SSL using port 7002 on the Admin Server and port 18102 on the Managed Server. You can use the WebLogic console to check the port for your particular instance.


The following figure illustrates the Oracle Privileged Account Manager server architecture.

Figure 4-1 Server Architecture

Diagram showing OPAM server architecture

4.2 Before You Begin

You must be an Oracle Privileged Account Manager administrator with the Application Configurator Admin Role to add and manage an Oracle Privileged Account Manager server.

The procedures described in this chapter reference information and instructions contained in the following Oracle publications. If necessary, review the referenced concepts, terminology, and procedures before you begin configuring the Oracle Privileged Account Manager server:

Table 4-1 Reference Publications (For Information About: Refer to)

  • Admin Roles: Section 2.3.1, "Administration Role Types"

  • Supported identity and policy store configurations for Oracle Privileged Account Manager and Oracle Identity Navigator: Section 1.7, "System Requirements and Certification" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Navigator

  • Oracle WebLogic Server concepts and terminology: Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help and Oracle Fusion Middleware Securing Oracle WebLogic Server

  • Creating a default authenticator in Oracle WebLogic Server: Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help and Oracle Fusion Middleware Securing Oracle WebLogic Server

  • Configuring an identity store in your environment: Your vendor product documentation

  • Configuring Oracle Virtual Directory with the LDAP-based server: "Creating LDAP Adapters" in Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory

  • Configuring the OVD authenticator in Oracle WebLogic Server: Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help

  • Associating a policy store using WLST: "Setting a Node in an Oracle Internet Directory Server" and "reassociateSecurityStore" sections in the Oracle Fusion Middleware Application Security Guide

  • Associating a policy store using Enterprise Manager: "Reassociating with Fusion Middleware Control" in the Oracle Fusion Middleware Application Security Guide

  • Managing the Oracle Privileged Account Manager server: Section 4.4, "Managing an Oracle Privileged Account Manager Server"


Note:

Oracle Privileged Account Manager administrators and users will probably never have to use the Oracle Identity Navigator interface except during the initial set-up of Oracle Privileged Account Manager.


4.3 Configuring an External Identity Store for Oracle Privileged Account Manager

This section describes how to configure a new, external identity store for Oracle Privileged Account Manager.

The topics in this section include:

4.3.1 Configuring the External Identity Store

You must configure a domain identity store before you can view users when searching from the Oracle Identity Navigator Access Privileges pane. To configure the identity store as the main authentication source, you must configure the Oracle WebLogic Server domain where Oracle Identity Navigator is installed.

This section describes how to configure the domain identity store using Oracle Internet Directory or Oracle Virtual Directory with a supported LDAP-based directory server. You configure the identity store in the WebLogic Server Administration Console.

To configure the Oracle Internet Directory authenticator in Oracle WebLogic Server:

  1. Log in to Oracle WebLogic Server Administration Console, and click Lock & Edit in the Change Center.

  2. In Oracle WebLogic Server Administration Console, select Security Realms from the left pane and click the realm you are configuring. For example, the default realm is myrealm.

  3. Select the Providers tab, then select the Authentication subtab.

  4. Click New to launch the Create a New Authentication Provider page and complete the fields as follows:

    • Name: Enter a name for the authentication provider. For example, MyOIDDirectory.

    • Type: Select OracleInternetDirectoryAuthenticator from the list.

    Click OK to update the authentication providers table.

  5. In the authentication providers table, click the newly added authenticator.

  6. In Settings, select the Configuration tab, then select the Common tab.

  7. On the Common tab, set the Control Flag to SUFFICIENT.

    The Control Flag attribute of an authentication provider determines how authentication proceeds through the ordered list of Authentication providers. The possible values for the Control Flag attribute are:

    • REQUIRED - This LoginModule must succeed. Even if it fails, authentication proceeds down the list of LoginModules for the configured Authentication providers. This setting is the default.

    • REQUISITE - This LoginModule must succeed. If other Authentication providers are configured and this LoginModule succeeds, authentication proceeds down the list of LoginModules. Otherwise, control is returned to the application.

    • SUFFICIENT - This LoginModule need not succeed. If it does succeed, return control to the application. If it fails and other Authentication providers are configured, authentication proceeds down the LoginModule list.

    • OPTIONAL - This LoginModule can succeed or fail. However, if all Authentication providers configured in a security realm have the JAAS Control Flag set to OPTIONAL, the user must pass the authentication test of one of the configured providers.

  8. Click Save.

  9. Select the Provider Specific tab and enter the following required settings using values for your environment:

    • Host: The host name of the Oracle Internet Directory server.

    • Port: The port number on which the Oracle Internet Directory server is listening.

    • Principal: The distinguished name (DN) of the Oracle Internet Directory user to be used to connect to the Oracle Internet Directory server. For example: cn=OIDUser,cn=users,dc=us,dc=mycompany,dc=com.

    • Credential: Password for the Oracle Internet Directory user entered as the Principal.

    • Group Base DN: The base distinguished name (DN) of the Oracle Internet Directory server tree that contains groups.

    • User Base DN: The base distinguished name (DN) of the Oracle Internet Directory server tree that contains users.

    • All Users Filter: LDAP search filter. Click More Info for details.

    • User From Name Filter: LDAP search filter. Click More Info for details.

    • User Name Attribute: The attribute used to identify the user at login (for example, cn, uid, or mail). To authenticate with a user's email address, set this value to mail.

    • Enable Use Retrieved User Name As Principal.

  10. Click Save.

  11. From the Settings for myrealm page, select the Providers tab, then select the Authentication tab.

  12. Click Reorder.

  13. Select the new authenticator and use the arrow buttons to move it into the first position in the list.

  14. Click OK.

  15. Click DefaultAuthenticator in the Authentication Providers table to display the Settings for DefaultAuthenticator page.

  16. Select the Configuration tab, then the Common tab, and select SUFFICIENT from the Control Flag list.

  17. In the Change Center, click Activate Changes.

  18. Restart Oracle WebLogic Server.

  19. Verify your configuration and set-up by confirming that the users present in the LDAP directory (Oracle Internet Directory or Oracle Virtual Directory) can log in to Oracle Privileged Account Manager with no issues.
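The following Python script is an added illustration, not Oracle's code, of how the Control Flag values from step 7 interact with the provider order set in steps 12 through 16. It walks an ordered provider list the way a JAAS LoginContext does and reports which providers were consulted. The provider names, the outcome tables that stand in for a real directory bind, and the "DefaultAuthenticator left REQUIRED and placed first" configuration are all constructed for the example.

```python
"""Simulate WebLogic's ordered JAAS authentication providers and their
Control Flags (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL).

Added example, not Oracle's code. Provider names and user outcomes below are
constructed sample data; the decision rules are the JAAS LoginContext
semantics summarised in the Control Flag list above.
"""

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = (
    "REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL")


def authenticate(providers, outcomes):
    """Walk the ordered provider list and return (success, consulted).

    providers: list of (name, control_flag) in the configured order.
    outcomes:  dict name -> bool, whether that provider's LoginModule would
               accept the user (a constructed stand-in for a directory bind).
    consulted: names of the providers actually asked, in order.
    """
    consulted = []
    mandatory_failed = False   # a REQUIRED or REQUISITE module has failed
    has_mandatory = any(f in (REQUIRED, REQUISITE) for _, f in providers)
    any_success = False

    for name, flag in providers:
        ok = outcomes.get(name, False)
        consulted.append(name)
        any_success = any_success or ok
        if flag in (REQUIRED, REQUISITE):
            if not ok:
                mandatory_failed = True
                if flag == REQUISITE:
                    # REQUISITE failure returns control immediately.
                    return False, consulted
            # REQUIRED keeps walking the list even after a failure.
        elif flag == SUFFICIENT and ok:
            # Control returns to the application now; success only if every
            # mandatory module *before* this one succeeded.
            return not mandatory_failed, consulted
        # OPTIONAL, and a failed SUFFICIENT, never short-circuit.

    if mandatory_failed:
        return False, consulted
    if has_mandatory:
        return True, consulted       # every mandatory module succeeded
    return any_success, consulted    # only SUFFICIENT/OPTIONAL configured


# Configuration produced by steps 7, 13 and 16: new OID authenticator first,
# both providers SUFFICIENT. (Constructed names.)
RECOMMENDED = [("MyOIDDirectory", SUFFICIENT),
               ("DefaultAuthenticator", SUFFICIENT)]

# Constructed contrast: DefaultAuthenticator left at its default REQUIRED flag
# and still ahead of the new authenticator.
DEFAULT_REQUIRED_FIRST = [("DefaultAuthenticator", REQUIRED),
                          ("MyOIDDirectory", SUFFICIENT)]

# Constructed users: which directory would accept each one.
LDAP_ONLY_USER = {"MyOIDDirectory": True, "DefaultAuthenticator": False}
EMBEDDED_ONLY_USER = {"MyOIDDirectory": False, "DefaultAuthenticator": True}
UNKNOWN_USER = {"MyOIDDirectory": False, "DefaultAuthenticator": False}


if __name__ == "__main__":
    configs = (("recommended", RECOMMENDED),
               ("default REQUIRED first", DEFAULT_REQUIRED_FIRST))
    users = (("LDAP user", LDAP_ONLY_USER),
             ("embedded user", EMBEDDED_ONLY_USER),
             ("unknown user", UNKNOWN_USER))
    for label, cfg in configs:
        for who, outcome in users:
            ok, asked = authenticate(cfg, outcome)
            print(f"{label:24} {who:14} -> {'OK  ' if ok else 'FAIL'} via {asked}")
```

Running the script shows why steps 13 and 16 matter: with the recommended configuration an LDAP user is accepted by MyOIDDirectory alone and DefaultAuthenticator is never consulted, while an embedded WebLogic user falls through to DefaultAuthenticator and is still accepted. If DefaultAuthenticator were instead left REQUIRED and placed first, its failure for an LDAP-only user would make the overall login fail even though the OID authenticator accepts the user.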

To use Oracle Virtual Directory as the domain identity store, you must do the following:

4.3.2 Configuring Enterprise Roles

You must create enterprise roles in the domain