A Working with the Command Line Tool

You can use the Oracle Privileged Account Manager command line tool to perform many of the same tasks you perform from the Oracle Privileged Account Manager's Console.

Note:

Globalization support for the Oracle Privileged Account Manager command line tool is not available for this release. The command line tool messages and help are only provided in English.

This appendix describes how to launch and use the command line tool. The topics include:

A.1 Launching the Command Line Tool

Use the following steps to launch the Oracle Privileged Account Manager command line tool:

  1. Open a command window and change directory to ORACLE_HOME/opam/bin.

  2. At the prompt, type one of the following commands to launch the command line tool:

    • On UNIX systems, type: opam.sh

    • On Windows systems, type: opam.bat

    Invoking the command line tool automatically connects you to the Oracle Privileged Account Manager server.

    You can invoke the Oracle Privileged Account Manager command line tool from a remote client by providing the Oracle Privileged Account Manager server's URL (running on the same machine or on a different machine) in the -url option.

Note:

For security purposes, the Oracle Privileged Account Manager server only responds to SSL traffic.

When you provide the Oracle Privileged Account Manager server target to the Oracle Privileged Account Manager command line tool (or to Oracle Privileged Account Manager's web-based Console), you must provide the SSL endpoint as https://hostname:sslport/opam.

By default, WebLogic responds to SSL on port 7002. The default Oracle Privileged Account Manager server SSL port is 18102. You can use the WebLogic console to check the port for your particular instance.

A.2 Oracle Privileged Account Manager Commands

This section describes the commands that you can use with the Oracle Privileged Account Manager command line tool.

The topics in this section include

A.2.1 Issuing Commands

Use the following syntax to issue any of the Oracle Privileged Account Manager commands:

[-url <url>] -u <username> [-p <password>] [-debug] -x <opam-command>

where:

Option Description

-url <url>

Provide the URL address for the Oracle Privileged Account Manager server.

Note: If you do not specify a URL for this option, it defaults to https://hostname:18102/opam.

-u <username>

Provide your log-in user name.

-p <password>

Provide your log-in password.

-debug

Run the debugger.

-x <opam-command>

Run the specified Oracle Privileged Account Manager command.


For example:

-url https://hostname:sslport/opam -u <username> [-p <password>] [-debug] 
-x addtarget -targetname <targetname> -host <hostname> -port 22 
-organization <organization>
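The global syntax above is easy to get subtly wrong (a plain http:// URL, a missing -u, a password left in shell history), so the following added example, which is not part of Oracle Privileged Account Manager, builds the invocation as an argument list and validates it before anything is executed. The launcher name opam.sh, the default SSL port 18102 and the option order are taken from this appendix; the function names, the host names and the assumption that the tool prompts for the password when -p is omitted are the example's own.

```python
"""Build and validate an Oracle Privileged Account Manager CLI invocation.

Added example; not part of the OPAM product. The launcher name (opam.sh),
the default port 18102 and the option order follow Appendix A; the rest
(function names, host names) are assumptions for illustration.
"""
import shlex
from urllib.parse import urlsplit

DEFAULT_SSL_PORT = 18102  # default OPAM server SSL port (A.1)


def default_opam_url(hostname):
    """URL the tool falls back to when -url is omitted: https://hostname:18102/opam."""
    return f"https://{hostname}:{DEFAULT_SSL_PORT}/opam"


def validate_opam_url(url):
    """Reject endpoints the server cannot serve: it only answers SSL on the /opam path."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"OPAM only responds to SSL traffic; got scheme {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("OPAM URL has no host name")
    if parts.path.rstrip("/") != "/opam":
        raise ValueError(f"OPAM endpoint path must be /opam, got {parts.path!r}")
    return url


def build_opam_argv(opam_command, command_options, username,
                    url=None, hostname=None, password=None,
                    debug=False, launcher="opam.sh"):
    """Return an argv list in the documented order:
    [-url <url>] -u <username> [-p <password>] [-debug] -x <opam-command> <options>

    Pass the list straight to subprocess.run(argv) so that values containing
    spaces or shell metacharacters never go through a shell.  Leaving password
    as None omits -p; the page marks -p optional, and it is assumed here that
    the tool then prompts, which keeps the password out of `ps` output and
    shell history.
    """
    if url is None:
        if hostname is None:
            raise ValueError("give either url or hostname")
        url = default_opam_url(hostname)
    validate_opam_url(url)
    if not username:
        raise ValueError("-u <username> is required")
    argv = [launcher, "-url", url, "-u", username]
    if password is not None:
        argv += ["-p", password]
    if debug:
        argv.append("-debug")
    argv += ["-x", opam_command, *command_options]
    return argv


def render(argv):
    """Shell-quoted string of the argv, for display or for pasting into a terminal."""
    return shlex.join(argv)


if __name__ == "__main__":
    # The addtarget example from A.2.1 with constructed values.
    argv = build_opam_argv(
        "addtarget",
        ["-targetname", "unix-prod-01", "-host", "unix01.example.test",
         "-port", "22", "-organization", "Accounting"],
        username="sec_admin", hostname="opam.example.test")
    print(render(argv))
```

Building an argv list rather than a command string means a target name or description containing a space or a quote is passed to the tool unchanged, and the https check catches the mistake the note in A.1 warns about before the tool reports a connection failure.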

A.2.2 addaccount Command

Use the addaccount command to add a privileged account.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x addaccount <options>

The following table describes the options you can use with this command:

Option Description

-targetid <target id>

Identify the target GUID value of a configured target.

-accountname <accountname>

Provide a name for the new account.

[-help]

Optional. Displays usage options for this command.


A.2.3 addtarget Command

Use the addtarget command to add a target.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x addtarget <options>

Oracle Privileged Account Manager supports multiple target types, and the parameters they require can vary. These parameters should be discovered at run time, before you execute an addtarget command.

For example,

  • Execute the following command to see a list of supported target types:

    sh opam.sh -url <OPAM url> -u <security admin user> 
    -p <security admin user password> -x addtarget -help
    

    For example, if https://hostname:sslport/opam is the Oracle Privileged Account Manager server URL, execute the following command:

    sh opam.sh -url https://hostname:sslport/opam -u sec_admin -p welcome1 
    -x addtarget -help
    
  • Execute the following command to see a list of the required and optional attributes for a specified target type:

    sh opam.sh -url <OPAM url> -u <security admin user> 
    -p <security admin user password> -x addtarget 
    -targettype <any supported target type> -help
    

    For example, to see a list of attributes for the LDAP target type with https://hostname:sslport/opam as the Oracle Privileged Account Manager server URL, execute the following command:

    sh opam.sh -url https://hostname:sslport/opam -u sec_admin -p welcome1 
    -x addtarget -targettype ldap -help
    

The following table describes the parameters required for LDAP targets.

Note:

You must specify all multi-valued attributes in this format: value1|value2|...

Option Description

-targetname <targetname>

Provide a name for the target.

-targettype <ldap | unix | database> <type-specific attributes>

Specify a target type and provide any type-specific attributes.

-domain <domain>

Provide a domain name.

-host <host>

Provide the host name.

-port <port>

Provide the TCP/IP port number used to communicate with the LDAP server.

-ssl <ssl>

Optional. Specify to connect to the LDAP server using SSL.

-principal <principal>

Provide the distinguished name with which to authenticate to the LDAP server.

-credentials <credentials>

Provide the principal's password.

-baseContexts <baseContexts> [Multi-Valued]

Specify one or more starting points in the LDAP tree to use when searching the tree.

Searches are performed when discovering users from the LDAP server or when looking for groups in which the user is a member.

-accountNameAttribute <accountNameAttribute>

Specify the attribute that holds the account's user name.

[-description <description>]

Provide a description of the target.

[-organization <organization>]

Provide the organization name.

[-uidAttribute <uidAttribute>]

Provide the name of the LDAP attribute that is mapped to the UID attribute. (Defaults to uid)

[-accountSearchFilter <accountSearchFilter>]

Optional. Provide an LDAP filter to control which accounts are returned from the LDAP resource.

If you do not specify a filter, then only accounts that include all specified object classes will be returned. (Defaults to (uid=*))

[-passwordAttribute <passwordAttribute>]

Optional. Specify the name of the LDAP attribute that holds the password.

When changing a user's password, Oracle Privileged Account Manager sets the new password to this attribute. (Defaults to userpassword)

[-accountObjectClasses <accountObjectClasses>] [Multi-Valued]

Specify the objectclass or objectclasses to use when creating new user objects in the LDAP tree.

When entering more than one objectclass, put each entry on its own line and do not use commas or semicolons to separate multiple object classes.

Some objectclasses may require that you specify all objectclasses in the class hierarchy. (Defaults to "top|person|organizationalPerson|inetOrgPerson")
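The LDAP table above mixes required and optional options and two multi-valued ones that must be joined with "|". The following added example, which is not Oracle Privileged Account Manager code, assembles the argument list that follows -x addtarget for an LDAP target, refusing a call that lacks a required option and formatting the multi-valued values the way the note above requires. The option names and the value1|value2 separator come from the table; the validation rules, the sample values and the literal accepted by -ssl are assumptions.

```python
"""Assemble the type-specific options for an LDAP addtarget call.

Added example; not OPAM's own code. The option names, which ones are
required, the multi-valued list and the value1|value2 separator come from
the A.2.3 table; the validation rules and the sample values are assumptions.
"""

# Required and optional LDAP target options, in the order of the A.2.3 table.
LDAP_REQUIRED = ("targetname", "domain", "host", "port", "principal",
                 "credentials", "baseContexts", "accountNameAttribute")
LDAP_OPTIONAL = ("ssl", "description", "organization", "uidAttribute",
                 "accountSearchFilter", "passwordAttribute", "accountObjectClasses")
MULTI_VALUED = {"baseContexts", "accountObjectClasses"}

# Constructed sample; the value accepted by -ssl is assumed to be "true".
SAMPLE_LDAP_TARGET = {
    "targetname": "corp-ldap",
    "domain": "Corporate",
    "host": "ldap.corp.example",
    "port": 636,
    "ssl": "true",
    "principal": "cn=opam-svc,ou=services,dc=corp,dc=example",
    "credentials": "CHANGE-ME",
    "baseContexts": ["ou=people,dc=corp,dc=example", "ou=admins,dc=corp,dc=example"],
    "accountNameAttribute": "uid",
    "accountObjectClasses": ["top", "person", "organizationalPerson", "inetOrgPerson"],
}


def format_multivalued(values):
    """Join values with '|' as the tool expects (value1|value2|...).

    A single string is accepted as a one-element list.  A value that itself
    contains '|' would be split by the tool, so it is rejected here.
    """
    if isinstance(values, str):
        values = [values]
    values = [str(v) for v in values]
    if not values:
        raise ValueError("multi-valued attribute needs at least one value")
    for v in values:
        if not v or "|" in v:
            raise ValueError(f"invalid multi-valued entry: {v!r}")
    return "|".join(values)


def ldap_target_options(attrs):
    """Return the argument list that follows '-x addtarget' for an LDAP target."""
    missing = [k for k in LDAP_REQUIRED if k not in attrs]
    if missing:
        raise ValueError(f"missing required LDAP target attributes: {missing}")
    unknown = sorted(set(attrs) - set(LDAP_REQUIRED) - set(LDAP_OPTIONAL))
    if unknown:
        raise ValueError(f"unknown LDAP target attributes: {unknown}")
    port = int(attrs["port"])
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")

    opts = ["-targetname", str(attrs["targetname"]), "-targettype", "ldap"]
    for key in LDAP_REQUIRED[1:] + LDAP_OPTIONAL:
        if key not in attrs:
            continue
        value = attrs[key]
        if key in MULTI_VALUED:
            value = format_multivalued(value)
        elif key == "port":
            value = str(port)
        opts += [f"-{key}", str(value)]
    return opts


if __name__ == "__main__":
    print(" ".join(["-x", "addtarget"] + ldap_target_options(SAMPLE_LDAP_TARGET)))
```

The returned list is meant to be appended to the global options (-url, -u, -p) and handed to the launcher as an argument vector; the principal's password in -credentials is then the one value worth keeping out of scripts and shell history.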


A.2.4 checkin and checkout Commands

Use the checkin command to check in privileged accounts and the checkout command to check out privileged accounts.

Note:

The checkout operation also provides a password for you to use.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x checkin <options>
[-url <url>] -u <username> [-p <password>] [-debug] -x checkout <options>

The following table describes the options you can use with these commands:

Option Description

-accountid <account id>

Identify the account to be checked-out or checked-in.

[-help]

Optional. Displays usage options for this command.


A.2.5 displayallaccounts Command

Use the displayallaccounts command to display a listing of all accounts.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x displayallaccounts <options>

The following table describes the options you can use with this command:

Option Description

[-help]

Optional. Displays usage options for this command.


A.2.6 displayallgroups Command

Use the displayallgroups command to display a listing of all groups.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x displayallgroups <options>

The following table describes the options you can use with this command:

Option Description

[-help]

Optional. Displays usage options for this command.


A.2.7 displayalltargets Command

Use the displayalltargets command to display a listing of all targets.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x displayalltargets <options>

The following table describes the options you can use with this command:

Option Description

[-help]

Optional. Displays usage options for this command.


A.2.8 displayallusers Command

Use the displayallusers command to display a listing of all users.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x displayallusers <options>

The following table describes the options you can use with this command:

Option Description

[-help]

Optional. Displays usage options for this command.


A.2.9 displaycheckedoutaccounts Command

Use the displaycheckedoutaccounts command to display a listing of a user's checked out accounts.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x displaycheckedoutaccounts <options>

The following table describes the options you can use with this command:

Option Description

[-help]

Optional. Displays usage options for this command.


A.2.10 displaydomaintree Command

Use the displaydomaintree command to display a domain tree.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x displaydomaintree <options>

The following table describes the options you can use with this command:

Option Description

[-help]

Optional. Displays usage options for this command.


A.2.11 displaytargettypetree Command

Use the displaytargettypetree command to display a target type tree.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x displaytargettypetree <options>

The following table describes the options you can use with this command:

Option Description

[-help]

Optional. Displays usage options for this command.


A.2.12 export and import Commands

Use the export command to export data stored in Oracle Privileged Account Manager, such as targets and accounts, to XML format. Use the import command to import data into OPAM from an XML file. These commands are useful for performing

  • Bulk operations, such as querying or loading large volumes of data

  • Back-up and recovery operations, such as periodically backing up Oracle Privileged Account Manager data to XML

  • Migration operations, such as exporting data from one Oracle Privileged Account Manager instance and importing it to another instance

Note:

You must be an administrator with the Security Administrator Admin Role to use these commands.

The export command exports all Oracle Privileged Account Manager data, including targets, accounts, policies, and grants.

Note:

Exporting accounts also exports the passwords for those accounts. For added security, you can export the passwords in an encrypted format by using the -encpassword and -enckeylen options.

Be sure to note the encryption password and encryption key length because you must provide that same password for decryption during the import operation.

You can create an import XML file from previously exported data or you can manually create the file. If you previously exported the XML file with an encryption password, then you must provide the same password for decryption during import.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x export <options>
[-url <url>] -u <username> [-p <password>] [-debug] -x import <options>

The following table describes the options you can use with the export and import commands:

Option Description

-f <export file>

Specify an export file name.

-encpassword <encryption password>

Specify a password to use when encrypting/decrypting account passwords.

-enckeylen <key length for password encryption>

Specify the minimum key length for an encryption/decryption password. (Defaults to 128 bits)

-log <log file location>

Specify a file name and location for the log file. (Defaults to log.txt)

[-help]

Optional. Displays usage options for this command.


The XML schema for an import or export file is located in the following file:

ORACLE_HOME/opam/jlib/OPAMBulkTool.xsd

The following example shows some sample XML definitions of Oracle Privileged Account Manager elements.

Example A-1 Sample XML Definition of Oracle Privileged Account Manager Elements

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<OPAMData xmlns="http://www.example.org/OPAMBulkTool"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:schemaLocation="http://www.example.org/OPAMBulkTool OPAMBulkTool.xsd">
  <usagepolicy>
    <name value="Accounting Usage Policy"/>
    <status value="active"/>
    <description value="null"/>
    <globaldefault value="n"/>
    <dateorduration value="duration"/>
    <expiremin value="30"/>
    <expiredate value="08/08/2088"/>
    <expiretime value="11:30am"/>
    <timezone value="America/Los_Angeles"/>
    <usagedays>
      <day fromtime="12:0am" totime="12:0am" value="monday"/>
      <day fromtime="12:0am" totime="12:0am" value="tuesday"/>
      <day fromtime="12:0am" totime="12:0am" value="wednesday"/>
      <day fromtime="12:0am" totime="12:0am" value="thursday"/>
      <day fromtime="12:0am" totime="12:0am" value="friday"/>
      <day fromtime="12:0am" totime="12:0am" value="saturday"/>
      <day fromtime="12:0am" totime="12:0am" value="sunday"/>
    </usagedays>
  </usagepolicy>
  <passwordpolicy>
    <name value="Accounting Password Policy"/>
    <status value="active"/>
    <description value=""/>
    <globaldefault value="n"/>
    <changepassevery value="30-days"/>
    <changepasscheckout value="y"/>
    <changepasscheckin value="y"/>
    <passwordlength max="20" min="8"/>
    <minalphabets value="1"/>
    <minnumeric value="1"/>
    <minalphanumeric value="2"/>
    <specialchars max="5" min="1"/>
    <repeatedchars max="1" min="0"/>
    <minuniquechars value="1"/>
    <minuppercasechars value="1"/>
    <minlowercasechars value="1"/>
    <startwithchar value="n"/>
    <accountnameaspass value="n"/>
  </passwordpolicy>
  <target>
    <type name="database"/>
    <name value="AccountsDB"/>
    <attributes>
      <attributeName name="domain" value="Accounting"/>
      <attributeName name="host" value="localhost"/>
      <attributeName name="jdbcUrl" value="jdbc:oracle:thin:@dbhost:1521:orcl"/>
      <attributeName name="loginUser" value="system"/>
      <attributeName name="loginPassword" value="welcome1"/>
      <attributeName name="dbType" value="Oracle"/>
      <attributeName name="description" value="Accounting Database"/>
      <attributeName name="organization" value="Accounting"/>
      <attributeName name="connectionProperties" value=""/>
    </attributes>
  </target>
  <account>
    <name value="ACCT_DBA"/>
    <target name="AccountsDB"/>
    <passwordpolicy name="Accounting Password Policy"/>
    <grantee>
      <user name="johndoe"/>
      <user name="janedoe"/>
    </grantee>
    <shared value="false"/>
    <status value="checkedIn"/>
  </account>
</OPAMData>
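Because an export carries the target connection credentials (the loginPassword attribute in Example A-1) alongside the accounts and their grantees, it is worth inspecting a file before it is stored, moved between instances, or handed to someone for review. The following added example, which is not part of Oracle Privileged Account Manager or its bulk tool, parses the element shapes shown in Example A-1 with the standard library, inventories targets and accounts, flags cleartext secrets and accounts that reference a target the file does not define, and produces a redacted copy. The OPAMBulkTool.xsd is not on the page, so only the elements shown in the example are parsed; the second account in the embedded sample is constructed to exercise the dangling-target check.

```python
"""Audit an OPAM export/import XML file before it is stored or moved.

Added example; not part of OPAM or its bulk tool. The element names and the
namespace come from Example A-1; the schema itself is not on the page, so
only the elements shown there are parsed. The second account in the sample
is constructed to exercise the dangling-target check.
"""
import xml.etree.ElementTree as ET

NS = {"b": "http://www.example.org/OPAMBulkTool"}
# Target attributes that carry a secret: loginPassword appears in Example A-1,
# credentials is the LDAP principal's password from the A.2.3 table.
SENSITIVE_ATTRS = {"loginPassword", "credentials"}

# Trimmed from Example A-1 (policies omitted); the ACCT_RO account is constructed.
SAMPLE_XML = """<OPAMData xmlns="http://www.example.org/OPAMBulkTool">
  <target>
    <type name="database"/>
    <name value="AccountsDB"/>
    <attributes>
      <attributeName name="domain" value="Accounting"/>
      <attributeName name="host" value="localhost"/>
      <attributeName name="jdbcUrl" value="jdbc:oracle:thin:@dbhost:1521:orcl"/>
      <attributeName name="loginUser" value="system"/>
      <attributeName name="loginPassword" value="welcome1"/>
      <attributeName name="dbType" value="Oracle"/>
    </attributes>
  </target>
  <account>
    <name value="ACCT_DBA"/>
    <target name="AccountsDB"/>
    <passwordpolicy name="Accounting Password Policy"/>
    <grantee>
      <user name="johndoe"/>
      <user name="janedoe"/>
    </grantee>
    <shared value="false"/>
    <status value="checkedIn"/>
  </account>
  <account>
    <name value="ACCT_RO"/>
    <target name="MissingDB"/>
    <grantee/>
    <shared value="true"/>
    <status value="checkedIn"/>
  </account>
</OPAMData>
"""


def audit_export(xml_text):
    """Parse the export and return targets, accounts and a list of findings."""
    root = ET.fromstring(xml_text)
    findings, targets, accounts = [], {}, []

    for t in root.findall("b:target", NS):
        name = t.find("b:name", NS).get("value")
        ttype = t.find("b:type", NS).get("name")
        attrs = {a.get("name"): a.get("value")
                 for a in t.findall("b:attributes/b:attributeName", NS)}
        targets[name] = {"type": ttype, "attributes": attrs}
        for key in sorted(SENSITIVE_ATTRS & set(attrs)):
            if attrs[key]:
                findings.append(f"target {name}: {key} stored in cleartext")

    for a in root.findall("b:account", NS):
        name = a.find("b:name", NS).get("value")
        tname = a.find("b:target", NS).get("name")
        grantees = [u.get("name") for u in a.findall("b:grantee/b:user", NS)]
        shared_el = a.find("b:shared", NS)
        shared = shared_el is not None and shared_el.get("value") == "true"
        accounts.append({"name": name, "target": tname,
                         "grantees": grantees, "shared": shared})
        if tname not in targets:
            findings.append(f"account {name}: references undefined target {tname}")
        if not grantees:
            findings.append(f"account {name}: has no grantees")

    return {"targets": targets, "accounts": accounts, "findings": findings}


def redact_sensitive(xml_text):
    """Return a review copy with sensitive target attribute values blanked out.

    The copy is for reading, not for import: a target without its login
    password cannot connect.
    """
    ET.register_namespace("", NS["b"])  # keep the default namespace on output
    root = ET.fromstring(xml_text)
    for a in root.findall("b:target/b:attributes/b:attributeName", NS):
        if a.get("name") in SENSITIVE_ATTRS and a.get("value"):
            a.set("value", "")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for line in audit_export(SAMPLE_XML)["findings"]:
        print(line)
```

A cleartext finding on a file that was meant to be encrypted is the signal that the export was run without -encpassword; re-run it with the option rather than redacting after the fact, since the redacted copy is only fit for review.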

A.2.13 getglobalconfig Command

Use the getglobalconfig command to view the OPAM Global Config configuration entry, which enables you to access and manage various Oracle Privileged Account Manager server properties.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x getglobalconfig <options>

The following table describes the options you can use with this command:

Option Description

[-help]

Optional. Displays usage options for this command.


Note:

You use the modifyglobalconfig command to modify the server properties. Refer to modifyglobalconfig Command for more information.

A.2.14 grantgroupaccess Command

Use the grantgroupaccess command to give a group access to a privileged account.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x grantgroupaccess <options>

The following table describes the options you can use with this command:

Option Description

-accountid <account id>

Identify the account to which the group is granted access.

-groupname <group name>

Identify the group to be given access.

[-help]

Optional. Displays usage options for this command.


A.2.15 grantuseraccess Command

Use the grantuseraccess command to give a user access to a privileged account.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x grantuseraccess <options>

The following table describes the options you can use with this command:

Option Description

-accountid <account id>

Identify the account to which the user is granted access.

-userid <user id>

Identify the user to be given access.

[-help]

Optional. Displays usage options for this command.


A.2.16 modifyglobalconfig Command

Use the modifyglobalconfig command to manage the following Oracle Privileged Account Manager server properties in the OPAM Global Config configuration entry:

  • policyenforcerinterval. Interval (in seconds) in which Oracle Privileged Account Manager checks accounts and then automatically checks-in the accounts that have exceeded the expiration time defined in the Usage Policy. (Default is 3600 seconds)

  • passwordcyclerinterval. Interval (in seconds) in which Oracle Privileged Account Manager checks and then resets the password for any accounts that have exceeded the maximum password age defined in the Password Policy. (Default is 3600 seconds)

Note:

To access these properties, you must use the getglobalconfig command to view the OPAM Global Config configuration entry. Refer to getglobalconfig Command for more information.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x modifyglobalconfig <options>

The following table describes the options you can use with this command:

Option Description

-propertyname <property name>

Specifies the server property to be modified.

-propertyvalue <property value>

Specifies the interval (in seconds).

[-help]

Optional. Displays usage options for this command.


For example,

-x modifyglobalconfig -propertyname policyenforcerinterval -propertyvalue 600

See Also:

getglobalconfig Command

A.2.17 removeaccount Command

Use the removeaccount command to remove a privileged account.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x removeaccount <options>

The following table describes the options you can use with this command:

Option Description

-accountid <account id>

Identify the account to be removed.

[-help]

Optional. Displays usage options for this command.


A.2.18 removegroupaccess Command

Use the removegroupaccess command to remove a group's access to a privileged account.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x removegroupaccess <options>

The following table describes the options you can use with this command:

Option Description

-accountid <account id>

Identify the account where access is being removed.

-groupname <group name>

Identify the group whose access is being removed.

[-help]

Optional. Displays usage options for this command.


A.2.19 removetarget Command

Use the removetarget command to remove a target.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x removetarget <options>

The following table describes the options you can use with this command:

Option Description

-targetid <target id>

Identify the target to be removed.

[-help]

Optional. Displays usage options for this command.


A.2.20 removeuseraccess Command

Use the removeuseraccess command to remove a user's access to a privileged account.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x removeuseraccess <options>

The following table describes the options you can use with this command:

Option Description

-accountid <account id>

Identify the account where access is being removed.

-userid <user id>

Identify the user whose access is being removed.

[-help]

Optional. Displays usage options for this command.


A.2.21 resetpassword Command

Use the resetpassword command to manually reset the password for an account you have checked out. When you execute this command, Oracle Privileged Account Manager returns the account details and prompts you to enter a new password.

Note:

For most users, if the account has already been checked back in, you will get an error.

If you are an administrator with the Security Administrator or User Manager Admin Role, you can use this command to reset a password for both checked out and checked-in accounts.

Command Syntax:

[-url <url>] -u <username> [-p <password>] -x resetpassword -accountid <accountid>

No options are used with this command.

A.2.22 retrieveaccount Command

Use the retrieveaccount command to get information about a privileged account, such as which target the account is on. This information does not include passwords.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x retrieveaccount <options>

The following table describes the options you can use with this command:

Option Description

-accountid <account id>

Identify the account to be retrieved.

[-help]

Optional. Displays usage options for this command.


A.2.23 retrievegrantees Command

Use the retrievegrantees command to get information about the grantees on a privileged account.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x retrievegrantees <options>

The following table describes the options you can use with this command:

Option Description

-accountid <account id>

Identify from which account the grantees are to be retrieved.

[-help]

Optional. Displays usage options for this command.


A.2.24 retrievegroup Command

Use the retrievegroup command to get information about groups on a privileged account.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x retrievegroup <options>

The following table describes the options you can use with this command:

Option Description

-groupname <group name>

Provide the name of the group to retrieve.

[-help]

Optional. Displays usage options for this command.


A.2.25 retrievetarget Command

Use the retrievetarget command to get information about a target.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x retrievetarget <options>

The following table describes the options you can use with this command:

Option Description

-targetid <target id>

Identify the target to be retrieved.

[-help]

Optional. Displays usage options for this command.


A.2.26 retrieveuser Command

Use the retrieveuser command to get information about a user.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x retrieveuser <options>

The following table describes the options you can use with this command:

Option Description

-userid <user id>

Identify the user to be retrieved.

[-help]

Optional. Displays usage options for this command.


A.2.27 searchaccount Command

Use the searchaccount command to search for an account.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x searchaccount <options>

The following table describes the options you can use with this command:

Option Description

-accountid <account id>

Identify the account to search for.

[-help]

Optional. Displays usage options for this command.


For example, the following search will return all targets:

https://<host name>:<port>/opam/target/search?

Whereas the following search will return all targets whose type contains ldap and whose org contains us:

https://<host name>:<port>/opam/target/search?type=ldap&org=us

A.2.28 searchgroup Command

Use the searchgroup command to search for a group.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x searchgroup <options>

The following table describes the options you can use with this command:

Option Description

[-groupname <group name>]

Optional. Provide the name of the group to search for.

[-description <description>]

Optional. Provide a description of the group.

[-accountname <account name>]

Optional. Provide the name of the account to search.

[-targetname <target name>]

Optional. Provide the name of the target to search.

[-help]

Optional. Displays usage options for this command.


A.2.29 searchtarget Command

Use the searchtarget command to search for a target.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x searchtarget <options>

The following table describes the options you can use with this command:

Option Description

[-targettype <ldap | solaris | oracledb>]

Optional. Identify the type of target to search for as LDAP, Solaris, or Oracle DB.

[-domain <domain>]

Optional. Provide a domain to search.

[-targetname <target name>]

Optional. Provide the target name to search for.

[-help]

Optional. Displays usage options for this command.


A.2.30 searchuser Command

Use the searchuser command to search for a user.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x searchuser <options>

The following table describes the options you can use with this command:

Option Description

[-userid <user id>]

Optional. Search for the user by the user ID.

[-firstname <first name>]

Optional. Provide the user's first name.

[-lastname <last name>]

Optional. Provide the user's last name.

[-accountname <account name>]

Optional. Provide the name of the account to search.

[-targetname <target name>]

Optional. Provide the name of the target to search.

[-help]

Optional. Displays usage options for this command.


A.2.31 showpassword Command

Use the showpassword command to view the password for an account you have checked out. When you execute this command, Oracle Privileged Account Manager returns the account details and the password.

Note:

If the account has already been checked back in, you will get an error.

If you are an administrator with the Security Administrator or User Manager Admin Role, you can use this command to view a password for both checked out and checked-in accounts.

Command Syntax:

[-url <url>] -u <username> [-p <password>] -x showpassword -accountid <accountid>

No options are used with this command.