Oracle® Fusion Middleware Administrator's Guide for Oracle Privileged Account Manager
11g Release 2 (11.1.2)

Part Number E27152-05

A Working with the Command Line Tool

You can use the Oracle Privileged Account Manager command line tool to perform many of the same tasks you perform from the Oracle Privileged Account Manager Console.

Note:

You can also use Oracle Privileged Account Manager's Console or RESTful interface to perform many of the tasks described in this appendix.

If you prefer using these interfaces instead of the Oracle Privileged Account Manager command line tool, see Chapter 5, "Configuring and Managing Oracle Privileged Account Manager" or Appendix B, "Working with Oracle Privileged Account Manager's RESTful Interface" for instructions.

Note:

Globalization support for the Oracle Privileged Account Manager command line tool is not available for this release. The command line tool messages and help are only provided in English.

This appendix describes how to launch and use the command line tool. This information is organized into the following sections:

Note:

The information provided in these sections is essentially the same whether you are using Oracle Privileged Account Manager on WebLogic or on IBM WebSphere; however, there are a few minor differences.

Refer to "Differences When Using the Oracle Privileged Account Manager Command Line Tool and REST Interfaces on IBM WebSphere" in the Oracle Fusion Middleware Third-Party Application Server Guide for Oracle Identity and Access Management for more information.

A.1 Launching the Command Line Tool

Use the following steps to launch the Oracle Privileged Account Manager command line tool:

  1. Open a command window and change directory to ORACLE_HOME/opam/bin.

  2. At the prompt, type one of the following commands:

    • On UNIX, type: opam.sh

    • On Windows, type: opam.bat

    Invoking the command line tool automatically connects you to the Oracle Privileged Account Manager server.

    You can invoke the Oracle Privileged Account Manager command line tool from a remote client by providing the Oracle Privileged Account Manager server's URL (running on the same machine or on a different machine) in the -url option.

Note:

For security purposes, the Oracle Privileged Account Manager server only responds to SSL traffic.

When you provide the Oracle Privileged Account Manager server target to the Oracle Privileged Account Manager command line tool (or to Oracle Privileged Account Manager's web-based Console), you must provide the SSL endpoint as https://hostname:sslport/opam.

By default, the WebLogic Admin Server (where the Oracle Privileged Account Manager Console runs) responds to SSL on port 7002 (In IBM WebSphere, the port is 8002). The default Oracle Privileged Account Manager server SSL port is 18102 for both WebLogic and IBM WebSphere. You can use the WebLogic console to check the port for your particular instance.

A.2 Oracle Privileged Account Manager Commands

This section describes the commands that you can use with the Oracle Privileged Account Manager command line tool.

The topics in this section include

A.2.1 Issuing Commands

Use the following syntax to issue any of the Oracle Privileged Account Manager commands:

Note:

When entering commands

  • On UNIX, type: opam.sh

  • On Windows, type: opam.bat

[-url <url>] -u <username> [-p <password>] [-debug] -x <opam-command>

where:

Option Description

-url <url>

Provide the URL address for the Oracle Privileged Account Manager server.

Note: If you do not specify a URL for this option, it defaults to https://hostname:18102/opam.

-u <username>

Provide your log-in user name.

-p <password>

Provide your log-in password.

-debug

Enable the debugger log.

-x <opam-command>

Run the specified Oracle Privileged Account Manager command.


For example:

-url https://hostname:sslport/opam -u <username> [-p <password>] [-debug] 
-x checkout -targetname <targetname> -accountname <accountname>

Note:

  • On a Windows system, you must use double quotes (") instead of single quotes (') for parameters that contain spaces. For example,

    opam.bat -u sec_admin -p passwd -x showtargetpassword -targetname "oracle db"
    
  • On a UNIX system, you can use double quotes (") or single quotes (') for parameters that contain spaces.

A.2.2 addaccount Command

Use the addaccount command to add a privileged account.

Note:

You must never use the same account as the service account and as a privileged account to be managed by Oracle Privileged Account Manager.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x addaccount <options>

The following table describes the options you can use with this command:

Option Description

[-targetid <target id>]

Optional. Specify the target GUID value of a configured target.

Note: When you configure a target, Oracle Privileged Account Manager automatically assigns a unique target GUID. Refer to Section 5.1.2.2, "Adding Targets to Oracle Privileged Account Manager" for more information.

[-targetname <target name>]

Optional. Specify the target name of a configured target.

[-password <account password>]

Optional. Specify a default value for the account password.

Note: This field becomes a required field if the target type is lockbox.

[-description <account description>]

Optional. Provide a description of the account.

-accountname <accountname>

Provide a name for the new account.

[-force <true/false>]

Optional. Enables or disables the requirement for connection validation.

  • true: Skips connection validation.

  • false: Enforces connection validation. (Default setting).

[-help]

Optional. Displays usage options for this command.


Note:

  • You use either <targetid> or <targetname> to identify the target. Both values are unique.

  • You can use -password to set up an account password.

A.2.3 addpasswordpolicy Command

Use the addpasswordpolicy command to add a Password Policy.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x addpasswordpolicy <options>

The following table describes the options you can use with this command:

Option Description

-policyname <policy name>

Provide a name for the new Password Policy.

-policystatus <active/disabled>

Specify the Password Policy status.

[-description <policy description>]

Optional. Provide a description of the Password Policy.

[-passwordchangedurationunit <minutes/hours/days>]

Optional. Specify the password age unit.

[-passwordchangedurationvalue <password change duration value>]

Optional. Specify the password age value.

[-changeoncheckin <true/false>]

Optional. Specify whether to change the password when checking in the account using this Password Policy.

[-changeoncheckout <true/false>]

Optional. Specify whether to change the password when checking out the account using this Password Policy.

[-passwordcharsmin <password minimum chars number>]

Optional. Specify the minimum character length restriction for the Password Policy.

[-passwordcharsmax <password maximum chars number>]

Optional. Specify the maximum character length restriction for the Password Policy.

[-passwordalphabeticmin <password minimum alphabetic chars number>]

Optional. Specify the minimum number of alphabetic characters required for the Password Policy.

[-passwordnumericmin <password minimum numeric chars number>]

Optional. Specify the minimum number of numeric characters required for the Password Policy.

[-passwordalphanumericmin <password minimum alphanumeric chars number>]

Optional. Specify the minimum number of alphanumeric characters required for the Password Policy.

[-passworduniquemin <password minimum unique chars number>]

Optional. Specify the minimum number of unique characters required for the Password Policy.

[-passworduppercasemin <password minimum uppercase chars number>]

Optional. Specify the minimum number of uppercase characters required for the Password Policy.

[-passwordlowercasemin <password minimum lowercase chars number>]

Optional. Specify the minimum number of lowercase characters required for the Password Policy.

[-passwordspecialmin <password minimum special chars number>]

Optional. Specify the minimum number of special characters required for the Password Policy.

[-passwordspecialmax <password maximum special chars number>]

Optional. Specify the maximum number of special characters allowed for the Password Policy.

[-passwordrepeatedmin <password minimum repeated chars number>]

Optional. Specify the minimum number of repeated characters allowed for the Password Policy.

[-passwordrepeatedmax <password maximum repeated chars number>]

Optional. Specify the maximum number of repeated characters allowed for the Password Policy.

[-startingchar <true/false>]

Optional. Specify whether the first character of the generated password can be a numeric character. If you specify true, then the password cannot start with a number.

[-isaccountnameallowed <true/false>]

Optional. Specify whether the generated password can be identical to the account name.

[-requiredchars <required chars>]

Optional. Specify characters that are required in the generated password. Use the comma (,) symbol to separate the characters. For example, a,b,c.

[-allowedchars <allowed chars>]

Optional. Specify characters that are allowed in the generated password. Use the comma (,) symbol to separate the characters. For example, a,b,c.

[-disallowedchars <disallowed chars>]

Optional. Specify characters that are not allowed in the generated password. Use the comma (,) symbol to separate the characters. For example, a,b,c.

[-help]

Optional. Displays usage options for this command.


A.2.4 addtarget Command

Use the addtarget command to add a target.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x addtarget <options>

Oracle Privileged Account Manager supports multiple target types, and the parameters they require can vary. These parameters should be discovered at run time, before you execute an addtarget command.

For example,

  • Execute the following command to see a list of supported target types:

    sh opam.sh -url <OPAM url> -u <security admin user> -p <security admin user password> -x addtarget -help
    

    For example, if https://hostname:sslport/opam is the Oracle Privileged Account Manager server URL, execute the following command:

    sh opam.sh -url https://hostname:sslport/opam -u sec_admin -p welcome1 -x addtarget -help
    
  • Execute the following command to see a list of the required and optional attributes for a specified target type:

    sh opam.sh -url <OPAM url> -u <security admin user> -p <security admin user password> -x addtarget -targettype <any supported target type> -help
    

    For example, to see a list of attributes for the LDAP target type with https://hostname:sslport/opam as the Oracle Privileged Account Manager server URL, execute the following command:

    sh opam.sh -url https://hostname:sslport/opam -u sec_admin -p welcome1 -x addtarget -targettype ldap -help
    

The following table describes the parameters required for LDAP targets and the options you can use with this command.

Note:

You must specify all multi-valued attributes in this format: value1|value2|...

Option Description

-targetname <targetname>

Provide a name for the target.

-targettype <ldap | unix | database> <type-specific attributes>

Specify a target type and provide any type-specific attributes.

-domain <domain>

Provide a domain name.

-host <host>

Provide the host name.

-port <port>

Provide the TCP/IP port number used to communicate with the LDAP server.

-ssl <ssl>

Optional. Specify to connect to the LDAP server using SSL.

-principal <principal>

Provide the distinguished name with which to authenticate to the LDAP server.

-credentials <credentials>

Provide the principal's password.

-baseContexts <baseContexts> [Multi-Valued]

Specify one or more starting points in the LDAP tree to use when searching the tree.

Searches are performed when discovering users from the LDAP server or when looking for groups in which the user is a member.

-accountNameAttribute <accountNameAttribute>

Specify the attribute that holds the account's user name.

[-description <description>]

Optional. Provide a description of the target.

[-organization <organization>]

Optional. Provide the organization name.

[-uidAttribute <uidAttribute>]

Optional. Provide the name of the LDAP attribute that is mapped to the UID attribute. (Defaults to uid)

[-accountSearchFilter <accountSearchFilter>]

Optional. Provide an LDAP filter to control which accounts are returned from the LDAP resource.

If you do not specify a filter, then only accounts that include all specified object classes will be returned. (Defaults to (uid=*))

[-passwordAttribute <passwordAttribute>]

Optional. Specify the name of the LDAP attribute that holds the password.

When changing a user's password, Oracle Privileged Account Manager sets the new password to this attribute. (Defaults to userpassword)

[-accountObjectClasses <accountObjectClasses>] [Multi-Valued]

Optional. Specify the objectclass or objectclasses to use when creating new user objects in the LDAP tree.

When entering more than one objectclass, put each entry on its own line and do not use commas or semicolons to separate multiple object classes.

Some objectclasses may require that you specify all objectclasses in the class hierarchy. (Defaults to "top|person|organizationalPerson|inetOrgPerson")

[-force <true/false>]

Optional. Enables or disables the requirement for connection validation.

  • true: Skips connection validation.

  • false: Enforces connection validation. (Default setting).


A.2.5 addusagepolicy Command

Use the addusagepolicy command to add a Usage Policy.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x addusagepolicy <options>

The following table describes the options you can use with this command:

Option Description

-policyname <policy name>

Provide a name for the new Usage Policy.

-policystatus <active/disabled>

Specify the Usage Policy status.

[-description <policy description>]

Optional. Provide a description of the Usage Policy.

-dateorduration <date/duration>

Set an expiration time based on date or duration.

[-expireddateminutesfromcheckout <minutes to expiration>]

Optional. Specify the number of minutes until expiration. When a checked-out account with this Usage Policy exceeds the specified duration, Oracle Privileged Account Manager automatically checks in that account.

Note: This field becomes a required field if you specify duration for the -dateorduration attribute.

[-expireddate <expiration date>]

Optional. Specify the expiration date. When an account with this Usage Policy meets this expiration date, Oracle Privileged Account Manager automatically checks in that account.

Note: This field becomes a required field if you specify date for the -dateorduration attribute.

Use the following three options to specify at what time the access expires on the expiration date:

  • [-expireddatehour <expiration hour in expire time>]: Optional. Specify an hour. For example, specify 5 if the expiration time should be 5:00.

  • [-expireddateminutes <expiration minutes in expire time>]: Optional. Specify the minutes. For example, specify 30 if the expiration time should be 5:30.

  • [-expireddateamorpm <am/pm>]: Optional. Specify whether the expiration time is a.m. or p.m.

Note: These fields become required fields if you specify date for the -dateorduration attribute.

-timezone <time zone>

Specify a time zone for the Usage Policy, including the timezone region.

For example, (GMT -6:00) America/Chicago.

-usagedates <dates information of usage policy>

Specify the usage dates information for the policy by using the pipe (|) symbol to separate days and the colon (:) symbol to separate times.

For example, monday:12:0:am:12:0:am|tuesday:1:15:am:2:35:pm

[-help]

Optional. Displays usage options for this command.
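
The -usagedates format described above can be checked before a policy is created. The following Python sketch is an added example, not Oracle code: it parses the pipe- and colon-separated string strictly and lists the windows a reviewer should confirm. The function names are hypothetical, and it assumes the lower-case day names and am/pm tokens used in the example value above.

```python
import re

DAYS = ("monday", "tuesday", "wednesday", "thursday",
        "friday", "saturday", "sunday")
# day:hour:minute:am|pm:hour:minute:am|pm, as in the example value on this page.
# Strict on purpose: only the lower-case form shown in the example is accepted.
ENTRY = re.compile(
    r"^([a-z]+):(\d{1,2}):(\d{1,2}):(am|pm):(\d{1,2}):(\d{1,2}):(am|pm)$")


def _minutes(hour, minute, ampm):
    """Convert a 12-hour clock time to minutes after midnight."""
    if not 1 <= hour <= 12 or not 0 <= minute <= 59:
        raise ValueError(f"time out of range: {hour}:{minute}{ampm}")
    return (hour % 12 + (12 if ampm == "pm" else 0)) * 60 + minute


def parse_usagedates(value):
    """Parse a -usagedates string into {day: (from_minutes, to_minutes)}."""
    windows = {}
    for entry in value.split("|"):
        match = ENTRY.match(entry)
        if not match:
            raise ValueError(f"malformed entry: {entry!r}")
        day = match.group(1)
        if day not in DAYS:
            raise ValueError(f"unknown day: {day!r}")
        if day in windows:
            raise ValueError(f"day given twice: {day!r}")
        start = _minutes(int(match.group(2)), int(match.group(3)), match.group(4))
        end = _minutes(int(match.group(5)), int(match.group(6)), match.group(7))
        windows[day] = (start, end)
    return windows


def review(value):
    """Return notes a reviewer would want answered before the policy is added."""
    windows = parse_usagedates(value)
    notes = []
    for day in DAYS:
        if day not in windows:
            notes.append(f"{day}: no window given")
            continue
        start, end = windows[day]
        if start == end:
            # The page does not say how equal times are treated, so ask.
            notes.append(f"{day}: start equals end; confirm how the server treats this")
        elif end < start:
            notes.append(f"{day}: window ends before it starts")
    return notes


if __name__ == "__main__":
    # The example value from the -usagedates description.
    for note in review("monday:12:0:am:12:0:am|tuesday:1:15:am:2:35:pm"):
        print(note)
```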


A.2.6 checkin Command

Use the checkin command to check in privileged accounts.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x checkin <options>

The following table describes the options you can use with this command:

Option Description

[-accountid <account id>]

Optional. Identify the account to be checked-in.

([-accountname <account name>] and [-targetname <target name>])

Optional. Identify the account to be checked-in.

Note: The (<accountname> and <targetname>) combination forms a unique pair that can be used to identify a specific account.

[-force <true/false>]

Optional. Enables or disables the ability to force check-in a privileged account.

A force check-in enables administrators with the User Manager Admin Role to check-in privileged accounts that have been checked-out by other users.

  • true: Enables force check-ins.

  • false: Disables force check-ins.

[-userid <userid>]

Optional. Specifies which user is to be force checked-in.

Oracle Privileged Account Manager allows multiple users to check out an account at the same time. By providing a userid, the force check-in only applies to the specified user.

[-help]

Optional. Displays usage options for this command.


Note:

You use either <accountid> or the (<accountname> and <targetname>) combination to identify the account.

A.2.7 checkout Command

Use the checkout command to check out privileged accounts.

Note:

The checkout operation also provides a password for you to use.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x checkout <options>

The following table describes the options you can use with this command:

Option Description

[-accountid <account id>]

Optional. Identify the account to be checked-out.

([-accountname <account name>] and [-targetname <target name>])

Optional. Identify the account to be checked-out.

Note: The (<accountname> and <targetname>) combination forms a unique pair that can be used to identify a specific account.

[-help]

Optional. Displays usage options for this command.


Note:

You use either <accountid> or (<accountname> and <targetname>) to identify the account.

A.2.8 displayallaccounts Command

Use the displayallaccounts command to display a listing of all accounts.

Note:

You must be an administrator with the User Manager Admin Role or the Security Administrator Admin Role to successfully run this command.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x displayallaccounts <options>

The following table describes the options you can use with this command:

Option Description

[-help]

Optional. Displays usage options for this command.


A.2.9 displayallgroups Command

Use the displayallgroups command to display a listing of all groups.

Note:

You must be an administrator with the User Manager Admin Role to successfully run this command.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x displayallgroups <options>

The following table describes the options you can use with this command:

Option Description

[-help]

Optional. Displays usage options for this command.


A.2.10 displayalltargets Command

Use the displayalltargets command to display a listing of all targets.

Note:

You must be an administrator with the User Manager Admin Role, the Security Administrator Admin Role, or the Security Auditor Admin Role to successfully run this command.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x displayalltargets <options>

The following table describes the options you can use with this command:

Option Description

[-help]

Optional. Displays usage options for this command.


A.2.11 displayallusers Command

Use the displayallusers command to display a listing of all users.

Note:

You must be an administrator with the User Manager Admin Role to successfully run this command.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x displayallusers <options>

The following table describes the options you can use with this command:

Option Description

[-help]

Optional. Displays usage options for this command.


A.2.12 displaycheckedoutaccounts Command

Use the displaycheckedoutaccounts command to display a listing of a user's checked out accounts.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x displaycheckedoutaccounts <options>

The displayed result includes the count parameter at the end of the listing, which denotes the number of accounts that have been checked out.

The following table describes the options you can use with this command:

Option Description

[-help]

Optional. Displays usage options for this command.


A.2.13 export Command

Use the export command to export data stored in Oracle Privileged Account Manager, such as targets and accounts, to XML format. This option and the "import Command" are useful for performing the following operations:

  • Bulk operations, such as querying or loading large volumes of data, which includes creating, modifying, and deleting targets, accounts, policies, and grants

  • Back-up and recovery operations, such as periodically backing up Oracle Privileged Account Manager data to XML

  • Migration operations, such as exporting data from one Oracle Privileged Account Manager instance and importing it to another instance

Note:

You must be an administrator with the Security Administrator Admin Role to use these commands.

The export command exports all Oracle Privileged Account Manager data, including targets, accounts, policies, and grants.

Note:

Exporting accounts also exports the passwords for those accounts. For added security, you can export the passwords in an encrypted format by using the -encpassword and -enckeylen options.

Be sure to note the encryption password and encryption key length because you must provide that same password for decryption during the import operation.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x export <options>

The following table describes the options you can use with the export command:

Option Description

-f <export file>

Specify an export file name.

[-encpassword <encryption password>]

Optional. Specify a password to use when encrypting the account passwords to the exported file.

[-enckeylen <key length for password encryption>]

Optional. Specify the minimum key length for an encryption or decryption password. (Defaults to 128 bits)

[-log <log file location>]

Optional. Specify a file name and location for the log file. (Defaults to opamlog_<timestamp>.txt)

[-noencrypt <true/false>]

Optional. Specify whether to provide an encryption password. (Defaults to false)

  • true: Skip the encryption password and export the output file in clear text.

  • false: Encrypt the output file with the encryption password.

[-help]

Optional. Displays usage options for this command.


The XML schema for an export file is located in the following file:

ORACLE_HOME/opam/jlib/OPAMBulkTool.xsd

The following example shows some sample XML definitions of Oracle Privileged Account Manager elements.

Example A-1 Sample XML Definition of Oracle Privileged Account Manager Elements

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<OPAMData xmlns="http://www.example.org/OPAMBulkTool"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.example.org/OPAMBulkTool OPAMBulkTool.xsd">
  <usagepolicy>
    <name value="Accounting Usage Policy"/>
    <status value="active"/>
    <description value="My Usage Policy"/>
    <globaldefault value="n"/>
    <dateorduration value="duration"/>
    <expiremin value="30"/>
    <expiredate value="08/08/2088"/>
    <expiretime value="11:30am"/>
    <timezone value="America/Los_Angeles"/>
    <usagedays>
      <day fromtime="12:0am" totime="12:0am" value="monday"/>
      <day fromtime="12:0am" totime="12:0am" value="tuesday"/>
      <day fromtime="12:0am" totime="12:0am" value="wednesday"/>
      <day fromtime="12:0am" totime="12:0am" value="thursday"/>
      <day fromtime="12:0am" totime="12:0am" value="friday"/>
      <day fromtime="12:0am" totime="12:0am" value="saturday"/>
      <day fromtime="12:0am" totime="12:0am" value="sunday"/>
    </usagedays>
  </usagepolicy>
  <passwordpolicy>
    <name value="Accounting Password Policy"/>
    <status value="active"/>
    <description value=""/>
    <globaldefault value="n"/>
    <changepassevery value="30-days"/>
    <changepasscheckout value="y"/>
    <changepasscheckin value="y"/>
    <passwordlength max="20" min="8"/>
    <minalphabets value="1"/>
    <minnumeric value="1"/>
    <minalphanumeric value="2"/>
    <specialchars max="5" min="1"/>
    <repeatedchars max="1" min="0"/>
    <minuniquechars value="1"/>
    <minuppercasechars value="1"/>
    <minlowercasechars value="1"/>
    <startwithchar value="n"/>
    <accountnameaspass value="n"/>
    <passwordhistorydays value="30"/>
  </passwordpolicy>
  <target>
    <type name="database"/>
    <name value="AccountsDB"/>
    <attributes>
      <attributeName name="domain" value="Accounting"/>
      <attributeName name="host" value="localhost"/>
      <attributeName name="jdbcUrl" value="jdbc:oracle:thin:@dbhost:1521:orcl"/>
      <attributeName name="loginUser" value="system"/>
      <attributeName name="loginPassword" value="welcome1"/>
      <attributeName name="dbType" value="Oracle"/>
      <attributeName name="description" value="Accounting Database"/>
      <attributeName name="organization" value="Accounting"/>
      <attributeName name="connectionProperties" value=""/>
    </attributes>
  </target>
  <account>
    <name value="ACCT_DBA"/>
    <target name="AccountsDB"/>
    <description value="Accounts Database"/>
    <passwordpolicy name="Accounting Password Policy"/>
    <grantee>
      <user name="johndoe" usagepolicy="Accounting Usage Policy"/>
      <user name="janedoe" usagepolicy="Default Usage Policy"/>
    </grantee>
    <shared value="false"/>
  </account>
</OPAMData>
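
An export file carries target and account credentials and can later be fed to the import command, so it is worth reviewing the XML before it is stored or imported. The following Python script is an added example, not part of Oracle's tooling: it checks a document shaped like Example A-1 for secret-bearing target attributes, a short minimum password length, and references that do not resolve inside the file. The 12-character baseline, the SECRET_ATTRS list, and the reading of accountnameaspass value "y" as "allowed" are assumptions, and the sample input is constructed.

```python
import xml.etree.ElementTree as ET

NS = "{http://www.example.org/OPAMBulkTool}"     # namespace shown in Example A-1
SECRET_ATTRS = {"loginPassword", "credentials"}  # assumption: secret-bearing names
MIN_LENGTH = 12                                  # hypothetical site baseline

# Constructed sample, trimmed from the shape of Example A-1 (not real data).
SAMPLE = """<OPAMData xmlns="http://www.example.org/OPAMBulkTool">
  <usagepolicy><name value="Accounting Usage Policy"/></usagepolicy>
  <passwordpolicy>
    <name value="Accounting Password Policy"/>
    <passwordlength max="20" min="8"/>
    <accountnameaspass value="n"/>
  </passwordpolicy>
  <target>
    <type name="database"/>
    <name value="AccountsDB"/>
    <attributes>
      <attributeName name="loginUser" value="system"/>
      <attributeName name="loginPassword" value="EXAMPLE-ONLY"/>
    </attributes>
  </target>
  <account>
    <name value="ACCT_DBA"/>
    <target name="AccountsDB"/>
    <passwordpolicy name="Accounting Password Policy"/>
    <grantee>
      <user name="johndoe" usagepolicy="Accounting Usage Policy "/>
      <user name="janedoe" usagepolicy="Default Usage Policy"/>
    </grantee>
  </account>
</OPAMData>"""


def _val(elem, tag, attr="value"):
    """Return attribute `attr` of the direct child `tag`, or None if absent."""
    child = elem.find(NS + tag)
    return None if child is None else child.get(attr)


def audit(xml_text):
    """Return a list of findings for one bulk export/import document."""
    # The sample format has no DTD, so refuse anything that declares one.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return ["refused: DTD or entity declarations present"]
    root = ET.fromstring(xml_text)
    findings = []
    # Names defined by the top-level elements of this file.
    usage = {_val(p, "name") for p in root.findall(NS + "usagepolicy")}
    pwpol = {_val(p, "name") for p in root.findall(NS + "passwordpolicy")}
    targets = {_val(t, "name") for t in root.findall(NS + "target")}

    for pol in root.findall(NS + "passwordpolicy"):
        name = _val(pol, "name")
        minlen = _val(pol, "passwordlength", "min")
        if minlen is not None and int(minlen) < MIN_LENGTH:
            findings.append(
                f"passwordpolicy '{name}': minimum length {minlen} is below {MIN_LENGTH}")
        if _val(pol, "accountnameaspass") == "y":  # assumed to mean "allowed"
            findings.append(
                f"passwordpolicy '{name}': password may equal the account name")

    for tgt in root.findall(NS + "target"):
        name = _val(tgt, "name")
        for attr in tgt.iter(NS + "attributeName"):
            if attr.get("name") in SECRET_ATTRS and attr.get("value"):
                findings.append(
                    f"target '{name}': {attr.get('name')} carries a value; "
                    "protect this file as a secret")

    for acct in root.findall(NS + "account"):
        name = _val(acct, "name")
        if _val(acct, "target", "name") not in targets:
            findings.append(f"account '{name}': target is not defined in this file")
        ref = _val(acct, "passwordpolicy", "name")
        if ref is not None and ref not in pwpol:
            findings.append(
                f"account '{name}': password policy '{ref}' is not defined in this file")
        for user in acct.iter(NS + "user"):
            who = user.get("name")
            policy = user.get("usagepolicy") or ""
            if policy != policy.strip():
                findings.append(
                    f"account '{name}': grant for {who} has stray whitespace in usagepolicy")
            if policy.strip() not in usage:
                findings.append(
                    f"account '{name}': grant for {who} uses '{policy.strip()}', "
                    "which must already exist on the server")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```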

A.2.14 filedecryption Command

Use the filedecryption command to decrypt an encrypted Oracle Privileged Account Manager configuration file.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x filedecryption -f <encrypted file> -df <destination file> [-encpassword <decryption password>] <options>

The following table describes the options you can use with this command:

Option Description

-f <file with encrypted data>

Specify the encrypted Oracle Privileged Account Manager configuration file.

-df <file to write decrypted data>

Specify where to write the decrypted file.

[-encpassword <encryption/decryption password>]

Optional. Specify the password to use when decrypting the data.

[-enckeylen <Key length for encryption/decryption password>]

Optional. Specify the minimum key length for an encryption/decryption password. (Defaults to 128 bits)

[-force <true/false>]

Optional. Enables or disables the requirement for connection validation.

  • true: Skips connection validation.

  • false: Enforces connection validation. (Default setting)

[-log <log file location>]

Optional. Specify a file name and location for the log file. (Defaults to opamlog_<timestamp>.txt)

[-help]

Optional. Displays usage options for this command.


A.2.15 getglobalconfig Command

Use the getglobalconfig command to view the OPAM Global Config configuration entry, which enables you to access and manage various Oracle Privileged Account Manager server properties.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x getglobalconfig <options>

The following table describes the options you can use with this command:

Option Description

[-help]

Optional. Displays usage options for this command.


Note:

You use the modifyglobalconfig command to modify the server properties. Refer to modifyglobalconfig Command for more information.

A.2.16 getserverstatus Command

Use the getserverstatus command to get the status for an Oracle Privileged Account Manager instance.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x getserverstatus <options>

The following table describes the options you can use with this command:

Option Description

[-help]

Optional. Displays usage options for this command.


A.2.17 grantgroupaccess Command

Use the grantgroupaccess command to give a group access to a privileged account.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x grantgroupaccess <options>

The following table describes the options you can use with this command:

Option Description

[-accountid <account id>]

Optional. Identify the account to which the group is granted access.

([-accountname <account name>] and [-targetname <target name>])

Optional. Identify the account to which the group is granted access.

Note: The (<accountname> and <targetname>) combination forms a unique pair that can be used to identify a specific account.

-groupname <group name>

Identify the group to be given access.

[-help]

Optional. Displays usage options for this command.


Note:

You use either <accountid> or (<accountname> and <targetname>) to identify the account.

A.2.18 grantuseraccess Command

Use the grantuseraccess command to give a user access to a privileged account.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x grantuseraccess <options>

The following table describes the options you can use with this command:

Option Description

[-accountid <account id>]

Optional. Identify the account to which the user is granted access.

([-accountname <account name>] and [-targetname <target name>])

Optional. Identify the account to which the user is granted access.

Note: The (<accountname> and <targetname>) combination forms a unique pair that can be used to identify a specific account.

-userid <user id>

Identify the user to be given access.

[-help]

Optional. Displays usage options for this command.


Note:

You use either <accountid> or (<accountname> and <targetname>) to identify the account.

A.2.19 import Command

Use the import command to import data to Oracle Privileged Account Manager from an XML file. This option and the "export Command" are useful for performing the following operations:

  • Bulk operations, such as querying or loading large volumes of data, which includes creating, modifying, and deleting targets, accounts, policies, and grants

  • Back-up and recovery operations, such as periodically backing up Oracle Privileged Account Manager data to XML

  • Migration operations, such as exporting data from one Oracle Privileged Account Manager instance and importing it to another instance

Note:

You must be an administrator with both the Security Administrator Admin Role and the User Manager Admin Role to use these commands.

If the account status is checked-in, users do not have to provide status when importing data to Oracle Privileged Account Manager.

You can create an import XML file from previously exported data or you can manually create the file. If you previously exported the XML file with an encryption password, then you must provide the same password for decryption during import.

In addition to object creation, you can also use the import command to update and delete objects. Refer to reference for more information.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x import <options>

The following table describes the options you can use with this command:

Option Description

-f <import file>

Specify an import file name.

[-encpassword <encryption password>]

Optional. Specify a password to use when decrypting account passwords from the exported file.

[-enckeylen <key length for password encryption>]

Optional. Specify the minimum key length for an encryption/decryption password. (Defaults to 128 bits)

[-force <true/false>]

Optional. Enables or disables the requirement for connection validation.

  • true: Skips connection validation.

  • false: Enforces connection validation. (Default setting)

[-log <log file location>]

Optional. Specify a file name and location for the log file. (Defaults to opamlog_<timestamp>.txt)

[-noencrypt <true/false>]

Optional. Specify whether to decrypt the imported file. (Defaults to false)

  • true: Skip the encryption password. The system will import the file in clear text.

  • false: Use the encryption password to decrypt the import file, and then load the decrypted data into the system.

[-help]

Optional. Displays usage options for this command.


The XML schema for an import file is located in the following file:

ORACLE_HOME/opam/jlib/OPAMBulkTool.xsd

The following examples show some sample XML definitions of Oracle Privileged Account Manager elements.

Example A-2 Data Creation

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<OPAMData xmlns="http://www.example.org/OPAMBulkTool"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.example.org/OPAMBulkTool OPAMBulkTool.xsd">
  <usagepolicy>
    <name value="Accounting Usage Policy"/>
    <status value="active"/>
    <description value="My Usage Policy"/>
    <globaldefault value="n"/>
    <dateorduration value="duration"/>
    <expiremin value="30"/>
    <expiredate value="08/08/2088"/>
    <expiretime value="11:30am"/>
    <timezone value="America/Los_Angeles"/>
    <usagedays>
      <day fromtime="12:0am" totime="12:0am" value="monday"/>
      <day fromtime="12:0am" totime="12:0am" value="tuesday"/>
      <day fromtime="12:0am" totime="12:0am" value="wednesday"/>
      <day fromtime="12:0am" totime="12:0am" value="thursday"/>
      <day fromtime="12:0am" totime="12:0am" value="friday"/>
      <day fromtime="12:0am" totime="12:0am" value="saturday"/>
      <day fromtime="12:0am" totime="12:0am" value="sunday"/>
    </usagedays>
  </usagepolicy>
  <passwordpolicy>
    <name value="Accounting Password Policy"/>
    <status value="active"/>
    <description value=""/>
    <globaldefault value="n"/>
    <changepassevery value="30-days"/>
    <changepasscheckout value="y"/>
    <changepasscheckin value="y"/>
    <passwordlength max="20" min="8"/>
    <minalphabets value="1"/>
    <minnumeric value="1"/>
    <minalphanumeric value="2"/>
    <specialchars max="5" min="1"/>
    <repeatedchars max="1" min="0"/>
    <minuniquechars value="1"/>
    <minuppercasechars value="1"/>
    <minlowercasechars value="1"/>
    <startwithchar value="n"/>
    <accountnameaspass value="n"/>
    <passwordhistorydays value="30"/>
  </passwordpolicy>
  <target>
    <type name="database"/>
    <name value="AccountsDB"/>
    <attributes>
      <attributeName name="domain" value="Accounting"/>
      <attributeName name="host" value="localhost"/>
      <attributeName name="jdbcUrl" value="jdbc:oracle:thin:@dbhost:1521:orcl"/>
      <attributeName name="loginUser" value="system"/>
      <attributeName name="loginPassword" value="welcome1"/>
      <attributeName name="dbType" value="Oracle"/>
      <attributeName name="description" value="Accounting Database"/>
      <attributeName name="organization" value="Accounting"/>
      <attributeName name="connectionProperties" value=""/>
    </attributes>
  </target>
  <account>
    <name value="ACCT_DBA"/>
    <target name="AccountsDB"/>
    <description value="Accounts Database"/>
    <passwordpolicy name="Accounting Password Policy"/>
    <grantee>
      <user name="johndoe" usagepolicy="Accounting Usage Policy"/>
      <user name="janedoe" usagepolicy="Default Usage Policy"/>
    </grantee>
    <shared value="false"/>
  </account>
</OPAMData>

Example A-3 Data Modification: Modify An Account Password Policy

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<OPAMData xmlns="http://www.example.org/OPAMBulkTool" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xsi:schemaLocation="http://www.example.org/OPAMBulkTool OPAMBulkTool.xsd">
  <account operation="modify">
    <name value="account2"/>
    <target name="lockbox_target1"/>
    <passwordpolicy name="test-pass-policy"/>
    <shared value="true"/>
  </account>
</OPAMData>

Example A-4 Data Modification: Modify A Password Policy

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<OPAMData xmlns="http://www.example.org/OPAMBulkTool" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xsi:schemaLocation="http://www.example.org/OPAMBulkTool OPAMBulkTool.xsd">
  <passwordpolicy operation="modify">
    <name value="test policy"/>
    <status value="active"/>
    <description value="test"/>
    <globaldefault value="n"/>
    <changepassevery value="45-hours"/>
    <changepasscheckout value="n"/>
    <changepasscheckin value="n"/>
    <passwordlength max="20" min="5"/>
    <minalphabets value="0"/>
    <minnumeric value="0"/>
    <minalphanumeric value="0"/>
    <specialchars max="5" min="0"/>
    <repeatedchars max="10" min="0"/>
    <minuniquechars value="0"/>
    <minuppercasechars value="0"/>
    <minlowercasechars value="0"/>
    <startwithchar value="y"/>
    <requiredchars value="a,b,c,d,e"/>
    <allowedchars value="a,b,c,d,e,f,g,h"/>
    <disallowedchars value="z,-,x"/>
    <accountnameaspass value="y"/>
  </passwordpolicy>
</OPAMData>

Example A-5 Data Deletion: Delete a Target

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<OPAMData xmlns="http://www.example.org/OPAMBulkTool" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xsi:schemaLocation="http://www.example.org/OPAMBulkTool OPAMBulkTool.xsd">
  <target operation="delete">
    <type name="lockbox"/>
    <name value="lockbox_target1"/>
  </target>
</OPAMData>

Example A-6 Data Deletion: Delete an Account

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<OPAMData xmlns="http://www.example.org/OPAMBulkTool" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xsi:schemaLocation="http://www.example.org/OPAMBulkTool OPAMBulkTool.xsd">
  <account operation="delete">
    <name value="account3"/>
    <target name="lockbox_target1"/>
  </account>
  <account operation="delete">
    <name value="account4"/>
    <target name="lockbox_target1"/>
  </account>
</OPAMData>
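An import file can delete targets and accounts and, as Example A-2 shows, can carry a target's loginPassword in clear text, so it is worth reviewing before it is passed to -f. The following Python sketch is an added example, not part of Oracle's guide or tooling: it summarizes the operations in a file and flags deletions, clear-text loginPassword attributes, and grants. It assumes that an element with no operation attribute is a create, as in Example A-2; review_import and the sample data are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Namespace used by the import examples in this appendix.
NS = "{http://www.example.org/OPAMBulkTool}"
# Target attribute shown holding a secret in Example A-2.
SECRET_ATTRS = {"loginpassword"}

# Constructed sample input, modelled on Examples A-2, A-3, A-5 and A-6.
SAMPLE = """<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<OPAMData xmlns="http://www.example.org/OPAMBulkTool">
  <target>
    <type name="database"/>
    <name value="AccountsDB"/>
    <attributes>
      <attributeName name="loginUser" value="system"/>
      <attributeName name="loginPassword" value="constructed-secret"/>
    </attributes>
  </target>
  <account>
    <name value="ACCT_DBA"/>
    <target name="AccountsDB"/>
    <grantee>
      <user name="johndoe" usagepolicy="Accounting Usage Policy"/>
    </grantee>
  </account>
  <account operation="modify">
    <name value="account2"/>
    <target name="lockbox_target1"/>
    <shared value="true"/>
  </account>
  <target operation="delete">
    <type name="lockbox"/>
    <name value="lockbox_target1"/>
  </target>
  <account operation="delete">
    <name value="account3"/>
    <target name="lockbox_target1"/>
  </account>
</OPAMData>
"""


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def object_name(elem):
    """Return 'name' for targets/policies and 'name@target' for accounts."""
    name = elem.find(NS + "name")
    label = name.get("value", "?") if name is not None else "?"
    if local(elem.tag) == "account":
        tgt = elem.find(NS + "target")
        if tgt is not None:
            label += "@" + tgt.get("name", "?")
    return label


def review_import(xml_text):
    """Summarize an import file without contacting any server.

    Returns (ops, findings): ops counts (object type, operation) pairs,
    findings is an ordered list of (category, detail) tuples.
    """
    root = ET.fromstring(xml_text)
    if local(root.tag) != "OPAMData":
        raise ValueError("root element is not OPAMData")
    ops = Counter()
    findings = []
    for elem in root:
        kind = local(elem.tag)
        # Assumption: no operation attribute means create (Example A-2).
        op = elem.get("operation", "create")
        ops[(kind, op)] += 1
        name = object_name(elem)
        if op == "delete":
            findings.append(("DELETE", f"{kind} {name}"))
        # Report the attribute name only, never the secret value itself.
        for attr in elem.iter(NS + "attributeName"):
            if attr.get("name", "").lower() in SECRET_ATTRS and attr.get("value"):
                findings.append(("CLEARTEXT_SECRET", f"{kind} {name}: {attr.get('name')}"))
        for user in elem.iter(NS + "user"):
            findings.append(("GRANT", f"{user.get('name')} -> {name}"))
    return ops, findings


if __name__ == "__main__":
    ops, findings = review_import(SAMPLE)
    for (kind, op), count in sorted(ops.items()):
        print(f"{op:7} {kind:15} x{count}")
    for category, detail in findings:
        print(f"[{category}] {detail}")
```

A file that reports CLEARTEXT_SECRET holds credentials at rest and should be protected or removed accordingly once the import completes.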

A.2.20 modifyaccount Command

Use the modifyaccount command to modify a privileged account.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x modifyaccount <options>

The following table describes the options you can use with this command:

Option Description

[-accountid <account id>]

Optional. Identify the account to be modified.

([-accountname <account name>] and [-targetname <target name>])

Optional. Identify the account to be modified.

Note: The (<accountname> and <targetname>) combination forms a unique pair that can be used to identify a specific account.

-propertyname <propertyname>

Specify the name of the property that you want to modify.

Note: To modify an account's Credential Store, you must specify -propertyname keymap and provide the keymap property value in the following format:

-propertyname keymap [map][key][host:port][user][password]

For example,

[map][key][t3:\/\/localhost:7001][weblogic][abc123]

-propertyvalue <propertyvalue>

Specify the property value that you want to modify.

[-help]

Optional. Displays usage options for this command.


Note:

You use either <accountid> or (<accountname> and <targetname>) to identify an account.

A.2.21 modifyglobalconfig Command

Use the modifyglobalconfig command to manage the following Oracle Privileged Account Manager server properties in the OPAM Global Config configuration entry:

  • policyenforcerinterval. Interval (in seconds) in which Oracle Privileged Account Manager checks accounts and then automatically checks-in the accounts that have exceeded the expiration time defined in the Usage Policy. (Default is 3600 seconds)

  • passwordcyclerinterval. Interval (in seconds) in which Oracle Privileged Account Manager checks and then resets the password for any accounts that have exceeded the maximum password age defined in the Password Policy. (Default is 3600 seconds)

  • tdemode. Flag to request that Oracle Privileged Account Manager use Transparent Data Encryption (TDE) mode or non-TDE mode. For more information, refer to Section 7.2, "Securing Data On Disk."

Note:

To access these properties, you must use the getglobalconfig command to view the OPAM Global Config configuration entry. Refer to getglobalconfig Command for more information.

You can also manage these server properties from the Console. Refer to Section 4.3, "Managing an Oracle Privileged Account Manager Server" for more information.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x modifyglobalconfig <options>

The following table describes the options you can use with this command:

Option Description

-propertyname <property name>

Specify the server property to be modified:

  • policyenforcerinterval

  • passwordcyclerinterval

  • tdemode

-propertyvalue <property value>

Specify the new property value:

  • For policyenforcerinterval and passwordcyclerinterval: Specify the interval (in seconds).

  • For tdemode: Specify true for TDE mode or false for non-TDE mode. (Default is TDE mode.)

[-help]

Optional. Displays usage options for this command.


For example,

-x modifyglobalconfig -propertyname policyenforcerinterval -propertyvalue 600

or

-x modifyglobalconfig -propertyname tdemode -propertyvalue true

See Also:

getglobalconfig Command

A.2.22 modifypasswordpolicy Command

Use the modifypasswordpolicy command to modify a Password Policy.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x modifypasswordpolicy <options>

The following table describes the options you can use with this command:

Option Description

-policyname <policy name>

Specify the Password Policy to be modified.

-propertyname <property name>

Specify the property name that you want to modify.

-propertyvalue <property value>

Specify the property value that you want to modify.

[-help]

Optional. Displays usage options for this command.


A.2.23 modifytarget Command

Use the modifytarget command to modify a target.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x modifytarget <options>

The following table describes the options you can use with this command:

Option Description

[-targetid <targetid>]

Optional. Specify the target GUID value of the target to be modified.

Note: When you configure a target, Oracle Privileged Account Manager automatically assigns a unique target GUID. Refer to Section 5.1.2.2, "Adding Targets to Oracle Privileged Account Manager" for more information.

[-targetname <targetname>]

Optional. Specify the name of the target to be modified.

-propertyname <propertyname>

Specify the name of the property that you want to modify.

-propertyvalue <propertyvalue>

Specify the property value that you want to modify.

[-force <true/false>]

Optional. Enables or disables the requirement for connection validation.

  • true: Skips connection validation.

  • false: Enforces connection validation. (Default setting)

[-help]

Optional. Displays usage options for this command.


Note:

You use either <targetid> or <targetname> to identify a target. Both values are unique.

A.2.24 modifyusagepolicy Command

Use the modifyusagepolicy command to modify a Usage Policy.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x modifyusagepolicy <options>

The following table describes the options you can use with this command:

Option Description

-policyname <policy name>

Specify the Usage Policy to be modified.

-propertyname <property name>

Specify the property name that you want to modify.

-propertyvalue <property value>

Specify the property value that you want to modify.

[-help]

Optional. Displays usage options for this command.


A.2.25 removeaccount Command

Use the removeaccount command to remove a privileged account.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x removeaccount <options>

The following table describes the options you can use with this command:

Option Description

[-accountid <account id>]

Optional. Identify the account to be removed.

([-accountname <account name>] and [-targetname <target name>])

Optional. Identify the account to be removed.

Note: The (<accountname> and <targetname>) combination forms a unique pair that can be used to identify a specific account.

[-help]

Optional. Displays usage options for this command.


Note:

You use either <accountid> or (<accountname> and <targetname>) to identify the account.

A.2.26 removegroupaccess Command

Use the removegroupaccess command to remove a group's access to a privileged account.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x removegroupaccess <options>

The following table describes the options you can use with this command:

Option Description

[-accountid <account id>]

Optional. Identify the account where access is being removed.

([-accountname <account name>] and [-targetname <target name>])

Optional. Identify the account where access is being removed.

Note: The (<accountname> and <targetname>) combination forms a unique pair that can be used to identify a specific account.

-groupname <group name>

Identify the group whose access is being removed.

[-help]

Optional. Displays usage options for this command.


Note:

You use either <accountid> or (<accountname> and <targetname>) to identify the account.

A.2.27 removepasswordpolicy Command

Use the removepasswordpolicy command to remove a Password Policy.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x removepasswordpolicy <options>

The following table describes the options you can use with this command:

Option Description

-policyname <policy name>

Specify the Password Policy to remove.

[-help]

Optional. Displays usage options for this command.


A.2.28 removetarget Command

Use the removetarget command to remove a target.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x removetarget <options>

The following table describes the options you can use with this command:

Option Description

-targetid <target id>

Specify the target GUID value of the target to be removed.

Note: When you configure a target, Oracle Privileged Account Manager automatically assigns a unique target GUID. Refer to Section 5.1.2.2, "Adding Targets to Oracle Privileged Account Manager" for more information.

[-targetname <target name>]

Optional. Specify the name of the target to be removed.

[-help]

Optional. Displays usage options for this command.


Note:

You use either <targetid> or <targetname> to identify the target. Both values are unique.

A.2.29 removeusagepolicy Command

Use the removeusagepolicy command to remove a Usage Policy.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x removeusagepolicy <options>

The following table describes the options you can use with this command:

Option Description

-policyname <policy name>

Specify the Usage Policy to remove.

[-help]

Optional. Displays usage options for this command.


A.2.30 removeuseraccess Command

Use the removeuseraccess command to remove a user's access to a privileged account.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x removeuseraccess <options>

The following table describes the options you can use with this command:

Option Description

[-accountid <account id>]

Optional. Identify the account where access is being removed.

([-accountname <account name>] and [-targetname <target name>])

Optional. Identify the account where access is being removed.

Note: The (<accountname> and <targetname>) combination forms a unique pair that can be used to identify a specific account.

-userid <user id>

Identify the user whose access is being removed.

[-help]

Optional. Displays usage options for this command.


Note:

You use either <accountid> or (<accountname> and <targetname>) to identify the account.

A.2.31 resetpassword Command

Use the resetpassword command to manually reset the password for an account you have checked out. When you execute this command, Oracle Privileged Account Manager returns the account details and prompts you to enter a new password.

Note:

For most users, if the account has already been checked back in, you will get an error.

If you are an administrator with the Security Administrator Admin Role, you can use this command to reset a password for both checked out and checked-in accounts.

Command Syntax:

[-url <url>] -u <username> [-p <password>] -x resetpassword 

The following table describes the options you can use with this command:

Option Description

[-accountid <account id>]

Optional. Identify the account to be reset.

([-accountname <account name>] and [-targetname <target name>])

Optional. Identify the account to be reset.

Note: The (<accountname> and <targetname>) combination forms a unique pair that can be used to identify a specific account.

[-password <account password>]

Optional. Provide a new password for the account.

[-autogen <true/false>]

Optional. Use to automatically generate a password, according to the account Password Policy.

  • true: Enable the system to automatically generate passwords.

  • false: Disable the system's ability to automatically generate passwords. Users must specify passwords. (Default setting)

[-help]

Optional. Displays usage options for this command.


Note:

  • You use either <accountid> or (<accountname> and <targetname>) to identify the account.

  • If you use <accountid> or (<accountname> and <targetname>), you must use -password or -autogen.

A.2.32 resettargetpassword Command

Use the resettargetpassword command to manually reset a target service account password. When you execute this command, Oracle Privileged Account Manager returns the target service account details and prompts you to enter a new password.

Note:

  • You must be an administrator with the Security Administrator Admin Role to execute this command.

  • This command is not applicable for the lockbox or ldap target types and will return an "Operation not supported" error message.

Command Syntax:

[-url <url>] -u <username> [-p <password>] -x resettargetpassword  

The following table describes the options you can use with this command:

Option Description

[-targetid <target id>]

Optional. Identify the target to be reset.

[-targetname <target name>]

Optional. Identify the target to be reset.

[-password <account password>]

Optional. Provide a new password for the target.

[-autogen <true/false>]

Optional. Use to automatically generate a password, according to the account Password Policy.

  • true: Enable the system to automatically generate passwords.

  • false: Disable the system's ability to automatically generate passwords. Users must specify passwords. (Default setting)

[-help]

Optional. Displays usage options for this command.


Note:

  • You use either <targetid> or <targetname> to identify the target.

  • You use either <password> or <autogen> to create a new password for the target.

A.2.33 retrieveaccount Command

Use the retrieveaccount command to get information about a privileged account, such as which target the account is on. This information does not include passwords.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x retrieveaccount <options>

The following table describes the options you can use with this command:

Option Description

[-accountid <account id>]

Optional. Identify the account to be retrieved.

([-accountname <account name>] and [-targetname <target name>])

Optional. Identify the account to be retrieved.

Note: The (<accountname> and <targetname>) combination forms a unique pair that can be used to identify a specific account.

[-targetname <target name>]

Optional. Identify the account to be retrieved.

[-help]

Optional. Displays usage options for this command.


Note:

You use either <accountid> or (<accountname> and <targetname>) to identify the account.

A.2.34 retrievegrantees Command

Use the retrievegrantees command to get information about the grantees on a privileged account.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x retrievegrantees <options>

The following table describes the options you can use with this command:

Option Description

[-accountid <account id>]

Optional. Identify from which account the grantees are to be retrieved.

([-accountname <account name>] and [-targetname <target name>])

Optional. Identify from which account the grantees are to be retrieved.

Note: The (<accountname> and <targetname>) combination forms a unique pair that can be used to identify a specific account.

[-help]

Optional. Displays usage options for this command.


Note:

You use either <accountid> or (<accountname> and <targetname>) to identify the account.

A.2.35 retrievegroup Command

Use the retrievegroup command to get information about a group.

Note:

You must be an administrator with the User Manager Admin Role to successfully run this command.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x retrievegroup <options>

The following table describes the options you can use with this command:

Option Description

-groupname <group name>

Provide the name of the group to retrieve.

[-help]

Optional. Displays usage options for this command.


A.2.36 retrievepasswordpolicy Command

Use the retrievepasswordpolicy command to retrieve a Password Policy.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x retrievepasswordpolicy <options>

The following table describes the options you can use with this command:

Option Description

-policyname <policy name>

Specify the Password Policy to be retrieved.

[-help]

Optional. Displays usage options for this command.


A.2.37 retrievetarget Command

Use the retrievetarget command to get information about a target.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x retrievetarget <options>

The following table describes the options you can use with this command:

Option Description

-targetid <target id>

Specify the target GUID value of the target to be retrieved.

Note: When you configure a target, Oracle Privileged Account Manager automatically assigns a unique target GUID. Refer to Section 5.1.2.2, "Adding Targets to Oracle Privileged Account Manager" for more information.

[-targetname <target name>]

Optional. Specify the name of the target to be retrieved.

[-help]

Optional. Displays usage options for this command.


Note:

You use either <targetid> or <targetname> to identify the target. Both values are unique.

A.2.38 retrieveusagepolicy Command

Use the retrieveusagepolicy command to retrieve a Usage Policy.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x retrieveusagepolicy <options>

The following table describes the options you can use with this command:

Option Description

-policyname <policy name>

Specify the Usage Policy to be retrieved.

[-help]

Optional. Displays usage options for this command.


A.2.39 retrieveuser Command

Use the retrieveuser command to get information about a user.

Note:

You must be an administrator with the User Manager Admin Role or the Security Administrator Admin Role to successfully run this command.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x retrieveuser <options>

The following table describes the options you can use with this command:

Option Description

-userid <user id>

Identify the user to be retrieved.

[-help]

Optional. Displays usage options for this command.


A.2.40 searchaccount Command

Use the searchaccount command to search for an account.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x searchaccount <options>

The following table describes the options you can use with this command:

Option Description

[-targettype <ldap | unix | oracledb>]

Optional. Identify the account to search for.

[-domain <account domain>]

Optional. Identify the account to search for.

[-targetname <target name>]

Optional. Identify the account to search for.

[-help]

Optional. Displays usage options for this command.


Note:

You can use any combination of -targettype, -domain, or -targetname to identify the account. If you do not provide any of these options, the search returns all accounts.

For example, the following search will return all targets:

https://<host name>:<port>/opam/target/search?

Whereas, the following search will return all targets whose type contains ldap and org:

https://<host name>:<port>/opam/target/search?type=ldap&org=us

A.2.41 searchgroup Command

Use the searchgroup command to search for a group.

Note:

You must be an administrator with the User Manager Admin Role to successfully run this command.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x searchgroup <options>

The following table describes the options you can use with this command:

Option Description

[-groupname <group name>]

Optional. Provide the name of the group to search for.

[-description <description>]

Optional. Provide a description of the group.

[-accountname <account name>]

Optional. Provide the name of the account to search.

[-targetname <target name>]

Optional. Provide the name of the target to search.

[-help]

Optional. Displays usage options for this command.


A.2.42 searchtarget Command

Use the searchtarget command to search for a target.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x searchtarget <options>

The following table describes the options you can use with this command:

Option Description

[-targettype <ldap | solaris | oracledb>]

Optional. Identify the type of target to search for as LDAP, Solaris, or Oracle DB.

[-domain <domain>]

Optional. Provide a domain to search.

[-targetname <target name>]

Optional. Provide the target name to search for.

[-help]

Optional. Displays usage options for this command.


A.2.43 searchuser Command

Use the searchuser command to search for a user.

Note:

You must be an administrator with the User Manager Admin Role to successfully run this command.

Command Syntax:

[-url <url>] -u <username> [-p <password>] [-debug] -x searchuser <options>

The following table describes the options you can use with this command:

Option Description

[-userid <user id>]

Optional. Search for the user by the user ID.

[-help]

Optional. Displays usage options for this command.


A.2.44 showpassword Command

Use the showpassword command to view the password for an account that you have checked out. When you execute this command, Oracle Privileged Account Manager returns the account details and the password.

Note:

If the account has already been checked back in, you will get an error.

You must be an administrator with the Security Administrator Admin Role to successfully run this command.

Command Syntax:

[-url <url>] -u <username> [-p <password>] -x showpassword -accountid <accountid>

The following table describes the options you can use with this command:

Option Description

[-accountid <account id>]

Optional. Identify the account for which the password is being retrieved.

([-accountname <account name>] and [-targetname <target name>])

Optional. Identify the account for which the password is being retrieved.

Note: The (<accountname> and <targetname>) combination forms a unique pair that can be used to identify a specific account.

[-help]

Optional. Displays usage options for this command.


Note:

You use either <accountid> or (<accountname> and <targetname>) to identify the account.

A.2.45 showpasswordhistory Command

Use the showpasswordhistory command to view the password history for an account that you have checked out or checked in, or for which you have reset the password. When you execute this command, Oracle Privileged Account Manager returns the password history.

Note:

You must be an administrator with the Security Administrator Admin Role to successfully run this command.

Command Syntax:

[-url <url>] -u <username> [-p <password>] -x showpasswordhistory -accountid <accountid> <options>

The following table describes the options you can use with this command:

Option Description

[-accountid <account id>]

Optional. Identify the account to search for.

[-accountname <account name>]

Optional. Provide the name of the account to search.

[-targetname <target name>]

Optional. Provide the name of the target to search.

[-help]

Optional. Displays usage options for this command.


A.2.46 showtargetpassword Command

Use the showtargetpassword command to view the password for a target service account. When you execute this command, Oracle Privileged Account Manager returns the target service account details and the password.

Note:

  • You must be an administrator with the Security Administrator Admin Role to execute this command.

  • This command is not applicable for the lockbox target type and will return an "Operation not supported" error message.

Command Syntax:

[-url <url>] -u <username> [-p <password>] -x showtargetpassword  

The following table describes the options you can use with this command:

Option Description

[-targetid <target id>]

Optional. Identify the target for which the password is being reset.

[-targetname <target name>]

Optional. Identify the target for which the password is being reset.

[-help]

Optional. Displays usage options for this command.


Note:

You use either <targetid> or <targetname> to identify the target.