You can use the Oracle Privileged Account Manager command line tool to perform many of the same tasks you perform from the Oracle Privileged Account Manager's Console.
Note:
Globalization support for the Oracle Privileged Account Manager command line tool is not available for this release. The command line tool messages and help are only provided in English.
This appendix describes how to launch and use the command line tool. The topics include:
Use the following steps to launch the Oracle Privileged Account Manager command line tool:
Open a command window and change directory to ORACLE_HOME/opam/bin.
At the prompt, type one of the following commands to launch the command line tool:
On UNIX systems, type: opam.sh
On Windows systems, type: opam.bat
Invoking the command line tool automatically connects you to the Oracle Privileged Account Manager server.
You can invoke the Oracle Privileged Account Manager command line tool from a remote client by providing the Oracle Privileged Account Manager server's URL (the server may be running on the same machine or on a different machine) in the -url option.
Note:
For security purposes, the Oracle Privileged Account Manager server only responds to SSL traffic.
When you provide the Oracle Privileged Account Manager server target to the Oracle Privileged Account Manager command line tool (or to Oracle Privileged Account Manager's web-based Console), you must provide the SSL endpoint as https://hostname:sslport/opam.
By default, WebLogic responds to SSL on port 7002. The default Oracle Privileged Account Manager server SSL port is 18102. You can use the WebLogic console to check the port for your particular instance.
This section describes the commands that you can use with the Oracle Privileged Account Manager command line tool.
The topics in this section include
Use the following syntax to issue any of the Oracle Privileged Account Manager commands:
[-url <url>] -u <username> [-p <password>] [-debug] -x <opam-command>
where:
Option | Description
---|---
-url <url> | Provide the URL address for the Oracle Privileged Account Manager server. Note: If you do not specify a URL for this option, it defaults to
-u <username> | Provide your log-in user name.
-p <password> | Provide your log-in password.
-debug | Run the debugger.
-x <opam-command> | Run the specified Oracle Privileged Account Manager command.
For example:
-url https://hostname:sslport/opam -u <username> [-p <password>] [-debug] -x addtarget -targetname <targetname> -host <hostname> -port 22 -organization <organization>
addaccount Command
Use the addaccount command to add a privileged account.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x addaccount <options>
The following table describes the options you can use with this command:
addtarget Command
Use the addtarget command to add a target.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x addtarget <options>
Oracle Privileged Account Manager supports multiple target types, and the parameters they require can vary. Discover these parameters at run time, before you execute an addtarget command.
For example:
Execute the following command to see a list of supported target types:
sh opam.sh -url <OPAM url> -u <security admin user> -p <security admin user password> -x addtarget -help
For example, if https://hostname:sslport/opam is the Oracle Privileged Account Manager server URL, execute the following command:
sh opam.sh -url https://hostname:sslport/opam -u sec_admin -p welcome1 -x addtarget -help
Execute the following command to see a list of the required and optional attributes for a specified target type:
sh opam.sh -url <OPAM url> -u <security admin user> -p <security admin user password> -x addtarget -targettype <any supported target type> -help
For example, to see a list of attributes for the LDAP target type with https://hostname:sslport/opam as the Oracle Privileged Account Manager server URL, execute the following command:
sh opam.sh -url https://hostname:sslport/opam -u sec_admin -p welcome1 -x addtarget -targettype ldap -help
The following table describes the parameters required for LDAP targets.
Note:
You must specify all multi-valued attributes in this format: value1|value2|...
Option | Description
---|---
-targetname <targetname> | Provide a name for the target.
-targettype <ldap \| unix \| database> <type-specific attributes> | Specify a target type and provide any type-specific attributes.
-domain <domain> | Provide a domain name.
-host <host> | Provide the host name.
-port <port> | Provide the TCP/IP port number used to communicate with the LDAP server.
-ssl <ssl> | Optional. Specify to connect to the LDAP server using SSL.
-principal <principal> | Provide the distinguished name with which to authenticate to the LDAP server.
-credentials <credentials> | Provide the principal's password.
-baseContexts <baseContexts> [Multi-Valued] | Specify one or more starting points in the LDAP tree to use when searching the tree. Searches are performed when discovering users from the LDAP server or when looking for groups in which the user is a member.
-accountNameAttribute <accountNameAttribute> | Specify the attribute that holds the account's user name.
[-description <description>] | Provide a description of the target.
[-organization <organization>] | Provide the organization name.
[-uidAttribute <uidAttribute>] | Provide the name of the LDAP attribute that is mapped to the
[-accountSearchFilter <accountSearchFilter>] | Optional. Provide an LDAP filter to control which accounts are returned from the LDAP resource. If you do not specify a filter, then only accounts that include all specified object classes will be returned. (Defaults to
[-passwordAttribute <passwordAttribute>] | Optional. Specify the name of the LDAP attribute that holds the password. When changing a user's password, Oracle Privileged Account Manager sets the new password to this attribute. (Defaults to
[-accountObjectClasses <accountObjectClasses>] [Multi-Valued] | Specify the objectclass or objectclasses to use when creating new user objects in the LDAP tree. When entering more than one objectclass, put each entry on its own line and do not use commas or semicolons to separate multiple object classes. Some objectclasses may require that you specify all objectclasses in the class hierarchy. (Defaults to
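The discovery procedure and the LDAP parameter table above, scripted as an added example (this is not code from the Oracle documentation). It assumes opam.sh is invoked through OPAM_BIN from ORACLE_HOME/opam/bin (set OPAM_BIN=echo to print the assembled command without contacting a server), that the -ssl option accepts the value "true", and that the target principal's password is supplied in the hypothetical OPAM_TARGET_CREDENTIALS environment variable.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation: run the addtarget discovery
# steps and then register an LDAP target with the parameters the table lists.
# OPAM_BIN defaults to "sh ./opam.sh" (run from ORACLE_HOME/opam/bin);
# OPAM_BIN=echo shows the command line instead of executing it.
OPAM_BIN="${OPAM_BIN:-sh ./opam.sh}"

# The OPAM server only answers SSL traffic, so refuse anything but https://.
require_https_url() {
    case "$1" in
        https://*) return 0 ;;
        *) echo "refusing non-SSL OPAM URL: $1" >&2; return 1 ;;
    esac
}

# Join the arguments with '|', the format OPAM expects for multi-valued attributes.
join_multivalued() {
    joined=""
    for v in "$@"; do
        if [ -z "$joined" ]; then joined="$v"; else joined="$joined|$v"; fi
    done
    printf '%s' "$joined"
}

# Discovery: list the supported target types, then the attributes of the ldap type.
# -p is left out on purpose so the login password never appears in process listings.
opam_discover_ldap() {
    require_https_url "$1" || return 1
    $OPAM_BIN -url "$1" -u "$2" -x addtarget -help
    $OPAM_BIN -url "$1" -u "$2" -x addtarget -targettype ldap -help
}

# usage: opam_add_ldap_target URL USER TARGETNAME DOMAIN HOST PORT PRINCIPAL BASE_DN...
# The principal's password comes from OPAM_TARGET_CREDENTIALS (assumed name) so it
# is not hard-coded in the script; -ssl true is an assumed value format.
opam_add_ldap_target() {
    require_https_url "$1" || return 1
    url=$1; user=$2; name=$3; domain=$4; host=$5; port=$6; principal=$7
    shift 7
    contexts=$(join_multivalued "$@")      # one or more base DNs -> dn1|dn2|...
    $OPAM_BIN -url "$url" -u "$user" -x addtarget \
        -targetname "$name" -targettype ldap -domain "$domain" \
        -host "$host" -port "$port" -ssl true \
        -principal "$principal" -credentials "$OPAM_TARGET_CREDENTIALS" \
        -baseContexts "$contexts" -accountNameAttribute uid
}
```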
checkin and checkout Commands
Use the checkin command to check in privileged accounts and the checkout command to check out privileged accounts.
Note:
The checkout operation also provides a password for you to use.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x checkin <options>
[-url <url>] -u <username> [-p <password>] [-debug] -x checkout <options>
The following table describes the options you can use with these commands:
Option | Description
---|---
-accountid <account id> | Identify the account to be checked out or checked in.
[-help] | Optional. Displays usage options for this command.
displayallaccounts Command
Use the displayallaccounts command to display a listing of all accounts.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x displayallaccounts <options>
The following table describes the options you can use with this command:
Option | Description
---|---
[-help] | Optional. Displays usage options for this command.
displayallgroups Command
Use the displayallgroups command to display a listing of all groups.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x displayallgroups <options>
The following table describes the options you can use with this command:
Option | Description
---|---
[-help] | Optional. Displays usage options for this command.
displayalltargets Command
Use the displayalltargets command to display a listing of all targets.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x displayalltargets <options>
The following table describes the options you can use with this command:
Option | Description
---|---
[-help] | Optional. Displays usage options for this command.
displayallusers Command
Use the displayallusers command to display a listing of all users.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x displayallusers <options>
The following table describes the options you can use with this command:
Option | Description
---|---
[-help] | Optional. Displays usage options for this command.
displaycheckedoutaccounts Command
Use the displaycheckedoutaccounts command to display a listing of a user's checked-out accounts.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x displaycheckedoutaccounts <options>
The following table describes the options you can use with this command:
Option | Description
---|---
[-help] | Optional. Displays usage options for this command.
displaydomaintree Command
Use the displaydomaintree command to display a domain tree.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x displaydomaintree <options>
The following table describes the options you can use with this command:
Option | Description
---|---
[-help] | Optional. Displays usage options for this command.
displaytargettypetree Command
Use the displaytargettypetree command to display a target type tree.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x displaytargettypetree <options>
The following table describes the options you can use with this command:
Option | Description
---|---
[-help] | Optional. Displays usage options for this command.
export and import Commands
Use the export command to export data stored in Oracle Privileged Account Manager, such as targets and accounts, to XML format. Use the import command to import data into OPAM from an XML file. These commands are useful for performing:
Bulk operations, such as querying or loading large volumes of data
Back-up and recovery operations, such as periodically backing up Oracle Privileged Account Manager data to XML
Migration operations, such as exporting data from one Oracle Privileged Account Manager instance and importing it into another instance
Note:
You must be an administrator with the Security Administrator Admin Role to use these commands.
The export command exports all Oracle Privileged Account Manager data, including targets, accounts, policies, and grants.
Note:
Exporting accounts also exports the passwords for those accounts. For added security, you can export the passwords in an encrypted format by using the -encpassword and -enckeylen options.
Be sure to note the encryption password and encryption key length, because you must provide that same password for decryption during the import operation.
You can create an import XML file from previously exported data, or you can create the file manually. If you previously exported the XML file with an encryption password, then you must provide the same password for decryption during import.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x export <options>
[-url <url>] -u <username> [-p <password>] [-debug] -x import <options>
The following table describes the options you can use with the export and import commands:
Option | Description
---|---
-f <export file> | Specify an export file name.
-encpassword <encryption password> | Specify a password to use when encrypting/decrypting account passwords.
-enckeylen <key length for password encryption> | Specify the minimum key length for an encryption/decryption password. (Defaults to 128 bits)
-log <log file location> | Specify a file name and location for the log file. (Defaults to
[-help] | Optional. Displays usage options for this command.
The XML schema for an import or export file is located in the following file:
ORACLE_HOME/opam/jlib/OPAMBulkTool.xsd
The following example shows some sample XML definitions of Oracle Privileged Account Manager elements.
Example A-1 Sample XML Definition of Oracle Privileged Account Manager Elements
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<OPAMData xmlns="http://www.example.org/OPAMBulkTool"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://www.example.org/OPAMBulkTool OPAMBulkTool.xsd">
  <usagepolicy>
    <name value="Accounting Usage Policy"/>
    <status value="active"/>
    <description value="null"/>
    <globaldefault value="n"/>
    <dateorduration value="duration"/>
    <expiremin value="30"/>
    <expiredate value="08/08/2088"/>
    <expiretime value="11:30am"/>
    <timezone value="America/Los_Angeles"/>
    <usagedays>
      <day fromtime="12:0am" totime="12:0am" value="monday"/>
      <day fromtime="12:0am" totime="12:0am" value="tuesday"/>
      <day fromtime="12:0am" totime="12:0am" value="wednesday"/>
      <day fromtime="12:0am" totime="12:0am" value="thursday"/>
      <day fromtime="12:0am" totime="12:0am" value="friday"/>
      <day fromtime="12:0am" totime="12:0am" value="saturday"/>
      <day fromtime="12:0am" totime="12:0am" value="sunday"/>
    </usagedays>
  </usagepolicy>
  <passwordpolicy>
    <name value="Accounting Password Policy"/>
    <status value="active"/>
    <description value=""/>
    <globaldefault value="n"/>
    <changepassevery value="30-days"/>
    <changepasscheckout value="y"/>
    <changepasscheckin value="y"/>
    <passwordlength max="20" min="8"/>
    <minalphabets value="1"/>
    <minnumeric value="1"/>
    <minalphanumeric value="2"/>
    <specialchars max="5" min="1"/>
    <repeatedchars max="1" min="0"/>
    <minuniquechars value="1"/>
    <minuppercasechars value="1"/>
    <minlowercasechars value="1"/>
    <startwithchar value="n"/>
    <accountnameaspass value="n"/>
  </passwordpolicy>
  <target>
    <type name="database"/>
    <name value="AccountsDB"/>
    <attributes>
      <attributeName name="domain" value="Accounting"/>
      <attributeName name="host" value="localhost"/>
      <attributeName name="jdbcUrl" value="jdbc:oracle:thin:@dbhost:1521:orcl"/>
      <attributeName name="loginUser" value="system"/>
      <attributeName name="loginPassword" value="welcome1"/>
      <attributeName name="dbType" value="Oracle"/>
      <attributeName name="description" value="Accounting Database"/>
      <attributeName name="organization" value="Accounting"/>
      <attributeName name="connectionProperties" value=""/>
    </attributes>
  </target>
  <account>
    <name value="ACCT_DBA"/>
    <target name="AccountsDB"/>
    <passwordpolicy name="Accounting Password Policy"/>
    <grantee>
      <user name="johndoe"/>
      <user name="janedoe"/>
    </grantee>
    <shared value="false"/>
    <status value="checkedIn"/>
  </account>
</OPAMData>
getglobalconfig Command
Use the getglobalconfig command to view the OPAM Global Config configuration entry, which enables you to access and manage various Oracle Privileged Account Manager server properties.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x getglobalconfig <options>
The following table describes the options you can use with this command:
Option | Description
---|---
[-help] | Optional. Displays usage options for this command.
Note:
You use the modifyglobalconfig command to modify the server properties. Refer to modifyglobalconfig Command for more information.
grantgroupaccess Command
Use the grantgroupaccess command to give a group access to a privileged account.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x grantgroupaccess <options>
The following table describes the options you can use with this command:
Option | Description
---|---
-accountid <account id> | Identify the account to which the group is granted access.
-groupname <group name> | Identify the group to be given access.
[-help] | Optional. Displays usage options for this command.
grantuseraccess Command
Use the grantuseraccess command to give a user access to a privileged account.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x grantuseraccess <options>
The following table describes the options you can use with this command:
Option | Description
---|---
-accountid <account id> | Identify the account to which the user is granted access.
-userid <user id> | Identify the user to be given access.
[-help] | Optional. Displays usage options for this command.
modifyglobalconfig Command
Use the modifyglobalconfig command to manage the following Oracle Privileged Account Manager server properties in the OPAM Global Config configuration entry:
policyenforcerinterval. Interval (in seconds) at which Oracle Privileged Account Manager checks accounts and then automatically checks in the accounts that have exceeded the expiration time defined in the Usage Policy. (Default is 3600 seconds)
passwordcyclerinterval. Interval (in seconds) at which Oracle Privileged Account Manager checks and then resets the password for any accounts that have exceeded the maximum password age defined in the Password Policy. (Default is 3600 seconds)
Note:
To access these properties, you must use the getglobalconfig command to view the OPAM Global Config configuration entry. Refer to getglobalconfig Command for more information.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x modifyglobalconfig <options>
The following table describes the options you can use with this command:
Option | Description
---|---
-propertyname <property name> | Specifies which server property is to be modified.
-propertyvalue <property value> | Specifies the interval (in seconds).
[-help] | Optional. Displays usage options for this command.
For example:
-x modifyglobalconfig -propertyname policyenforcerinterval -propertyvalue 600
removeaccount Command
Use the removeaccount command to remove a privileged account.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x removeaccount <options>
The following table describes the options you can use with this command:
Option | Description
---|---
-accountid <account id> | Identify the account to be removed.
[-help] | Optional. Displays usage options for this command.
removegroupaccess Command
Use the removegroupaccess command to remove a group's access to a privileged account.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x removegroupaccess <options>
The following table describes the options you can use with this command:
Option | Description
---|---
-accountid <account id> | Identify the account from which access is being removed.
-groupname <group name> | Identify the group whose access is being removed.
[-help] | Optional. Displays usage options for this command.
removetarget Command
Use the removetarget command to remove a target.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x removetarget <options>
The following table describes the options you can use with this command:
Option | Description
---|---
-targetid <target id> | Identify the target to be removed.
[-help] | Optional. Displays usage options for this command.
removeuseraccess Command
Use the removeuseraccess command to remove a user's access to a privileged account.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x removeuseraccess <options>
The following table describes the options you can use with this command:
Option | Description
---|---
-accountid <account id> | Identify the account from which access is being removed.
-userid <user id> | Identify the user whose access is being removed.
[-help] | Optional. Displays usage options for this command.
resetpassword Command
Use the resetpassword command to manually reset the password for an account you have checked out. When you execute this command, Oracle Privileged Account Manager returns the account details and prompts you to enter a new password.
Note:
For most users, if the account has already been checked back in, you will get an error.
If you are an administrator with the Security Administrator or User Manager Admin Role, you can use this command to reset a password for both checked-out and checked-in accounts.
Command Syntax:
[-url <url>] -u <username> [-p <password>] -x resetpassword -accountid <accountid>
No options are used with this command.
retrieveaccount Command
Use the retrieveaccount command to get information about a privileged account, such as which target the account is on. This information does not include passwords.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x retrieveaccount <options>
The following table describes the options you can use with this command:
Option | Description
---|---
-accountid <account id> | Identify the account to be retrieved.
[-help] | Optional. Displays usage options for this command.
retrievegrantees Command
Use the retrievegrantees command to get information about the grantees on a privileged account.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x retrievegrantees <options>
The following table describes the options you can use with this command:
Option | Description
---|---
-accountid <account id> | Identify the account from which the grantees are to be retrieved.
[-help] | Optional. Displays usage options for this command.
retrievegroup Command
Use the retrievegroup command to get information about groups on a privileged account.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x retrievegroup <options>
The following table describes the options you can use with this command:
Option | Description
---|---
-groupname <group name> | Provide the name of the group to retrieve.
[-help] | Optional. Displays usage options for this command.
retrievetarget Command
Use the retrievetarget command to get information about a target.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x retrievetarget <options>
The following table describes the options you can use with this command:
Option | Description
---|---
-targetid <target id> | Identify the target to be retrieved.
[-help] | Optional. Displays usage options for this command.
retrieveuser Command
Use the retrieveuser command to get information about a user.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x retrieveuser <options>
The following table describes the options you can use with this command:
Option | Description
---|---
-userid <user id> | Identify the user to be retrieved.
[-help] | Optional. Displays usage options for this command.
searchaccount Command
Use the searchaccount command to search for an account.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x searchaccount <options>
The following table describes the options you can use with this command:
Option | Description
---|---
-accountid <account id> | Identify the account to search for.
[-help] | Optional. Displays usage options for this command.
For example, the following search will return all targets:
https://<host name>:<port>/opam/target/search?
Whereas the following search will return only the targets whose type contains ldap and whose org matches the given value (us):
https://<host name>:<port>/opam/target/search?type=ldap&org=us
searchgroup Command
Use the searchgroup command to search for a group.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x searchgroup <options>
The following table describes the options you can use with this command:
Option | Description
---|---
[-groupname <group name>] | Optional. Provide the name of the group to search for.
[-description <description>] | Optional. Provide a description of the group.
[-accountname <account name>] | Optional. Provide the name of the account to search.
[-targetname <target name>] | Optional. Provide the name of the target to search.
[-help] | Optional. Displays usage options for this command.
searchtarget Command
Use the searchtarget command to search for a target.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x searchtarget <options>
The following table describes the options you can use with this command:
Option | Description
---|---
[-targettype <ldap \| solaris \| oracledb>] | Optional. Identify the type of target to search for as LDAP, Solaris, or Oracle DB.
[-domain <domain>] | Optional. Provide a domain to search.
[-targetname <target name>] | Optional. Provide the target name to search for.
[-help] | Optional. Displays usage options for this command.
searchuser Command
Use the searchuser command to search for a user.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x searchuser <options>
The following table describes the options you can use with this command:
Option | Description
---|---
[-userid <user id>] | Optional. Search for the user by the user ID.
[-firstname <first name>] | Optional. Provide the user's first name.
[-lastname <last name>] | Optional. Provide the user's last name.
[-accountname <account name>] | Optional. Provide the name of the account to search.
[-targetname <target name>] | Optional. Provide the name of the target to search.
[-help] | Optional. Displays usage options for this command.
showpassword Command
Use the showpassword command to view the password for an account you have checked out. When you execute this command, Oracle Privileged Account Manager returns the account details and the password.
Note:
If the account has already been checked back in, you will get an error.
If you are an administrator with the Security Administrator or User Manager Admin Role, you can use this command to view a password for both checked-out and checked-in accounts.
Command Syntax:
[-url <url>] -u <username> [-p <password>] -x showpassword -accountid <accountid>
No options are used with this command.