Oracle® Fusion Middleware Administrator's Guide for Oracle Privileged Account Manager
11g Release 2 (11.1.2)

Part Number E27152-05

3 Getting Started with Administering Oracle Privileged Account Manager

You can administer Oracle Privileged Account Manager from the Console, from the command line, and by using Oracle Privileged Account Manager's RESTful interface.

This chapter describes how to perform basic administration tasks, and it includes the following topics:

Before You Begin

This chapter assumes that you have installed and configured Oracle Privileged Account Manager as described in Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

Reading the "Configuring Oracle Privileged Account Manager" chapter in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management might be particularly helpful.

Note:

In this guide, when you are instructed to start the WebLogic Admin Server or various Managed Servers, refer to "Starting or Stopping the Oracle Stack" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management for instructions.

3.1 Getting Started after Installing 11g Release 2 (11.1.2)

After installing 11g Release 2, Oracle recommends:

3.2 Understanding ICF Connectors in Oracle Privileged Account Manager

Oracle Privileged Account Manager enables you to secure, share, audit, and manage administrator-identified account credentials. To provide these capabilities, Oracle Privileged Account Manager must be able to access and manage privileged accounts on a target system.

Connectors enable Oracle Privileged Account Manager to interact with target systems, such as LDAP or Oracle Database, and to perform Oracle Privileged Account Manager-relevant administrative operations on those systems.

Oracle Privileged Account Manager leverages connectors that are compliant with the ICF standard. By using this standard, you separate Oracle Privileged Account Manager from the mechanism it uses for connecting to targets. Therefore, in addition to connectors provided by vendors such as Oracle, you are free to build, test, and deploy your own ICF connectors into Oracle Privileged Account Manager.

This section describes how Oracle Privileged Account Manager consumes these ICF connectors. The topics include:

For more information about the Identity Connector Framework, refer to "Understanding the Identity Connector Framework" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

3.2.1 About ICF Connectors

Oracle Privileged Account Manager ships with the following ICF-compliant connectors that were developed by Oracle:

  • Database User Management (DBUM) Connector

  • Generic LDAP Connector

  • Oracle Identity Manager Connector for UNIX

These connectors enable Oracle Privileged Account Manager to manage privileged accounts on a range of target systems belonging to the preceding types.

Oracle Privileged Account Manager can also use customer-created, ICF-compliant connectors, which empowers you to manage your proprietary systems by using Oracle Privileged Account Manager.

Note:

If you are only interested in using the connectors that ship with Oracle Privileged Account Manager, no further action is required because these connectors come pre-configured out-of-the-box.

If you want to use other Oracle connectors or a custom connector, refer to Section 7.3, "Adding New Connectors to an Existing Oracle Privileged Account Manager Installation" for more information.

For more information about the Identity Connector Framework, refer to "Developing Identity Connectors" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

3.2.2 Locating the Oracle Privileged Account Manager Connector Bundles

Because ICF connectors are generic, and useful in numerous contexts, a given Oracle installation puts all connector bundles into a single location on the file system. All components (such as Oracle Privileged Account Manager) that rely on these connector bundles can access them from this location:

ORACLE_HOME/connectors

The connectors that are pushed into ORACLE_HOME/connectors are actually shipped with Oracle Identity Manager. Of all the connectors in this directory, only the following three connectors are certified with Oracle Privileged Account Manager for this release:

  • org.identityconnectors.dbum-1.0.1116.jar

  • org.identityconnectors.genericunix-1.0.0.jar

  • org.identityconnectors.ldap-1.0.6380.jar

Note:

If you obtain any new ICF connectors from Oracle, you must place them in the location specified in the instructions provided.

Storing custom third-party connectors is at your discretion; however, you must ensure they can be read by Oracle Privileged Account Manager at run time.

3.2.3 Consuming ICF Connectors

Oracle Privileged Account Manager consumes ICF connectors by using the opam-config.xml file. The contents of this file provide the following information to Oracle Privileged Account Manager:

  1. Where to pick up the ICF connector bundle (on the file system)

  2. Which configuration attributes are relevant for the Oracle Privileged Account Manager use-cases

  3. How to render the Oracle Privileged Account Manager Console when configuring connectivity to a target system using a particular connector

You will find the opam-config.xml file in the ORACLE_HOME/opam/config directory. The out-of-the-box image is configured to pick up and use the connector bundles that ship with the Oracle Identity Management Suite.

The opam-config.xsd file (also located in the ORACLE_HOME/opam/config directory) describes the schema for opam-config.xml. If you make any changes to the ORACLE_HOME/opam/config/opam-config.xml file, validate them against the opam-config.xsd file before restarting the server.

Caution:

Be sure to back-up the original opam-config.xml file before attempting to edit that file.

3.3 Starting Oracle Privileged Account Manager

This section provides some high-level information about starting and working with Oracle Privileged Account Manager's Console. The topics include:

The procedures described in this section reference information and instructions contained in the following Oracle publications. If necessary, review the referenced concepts, terminology, and procedures before starting these procedures.

Table 3-3 Reference Publications

For information about each topic below, refer to the publication or section named after it:

  • Admin Roles: "Assigning a Common Admin Role" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Navigator; Section 2.3.1, "Administration Role Types"; and Section 3.3.4, "Assigning the Application Configurator Role to a User"

  • Supported identity and policy store configurations for Oracle Privileged Account Manager and Oracle Identity Navigator: "System Requirements and Certification" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Navigator

  • Oracle WebLogic Server concepts and terminology: Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help and Oracle Fusion Middleware Securing Oracle WebLogic Server

  • Creating a default authenticator in Oracle WebLogic Server: Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help and Oracle Fusion Middleware Securing Oracle WebLogic Server

  • Configuring an identity store in your environment: your vendor's product documentation

  • Configuring Oracle Virtual Directory with the LDAP-based server: "Creating LDAP Adapters" in the Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory

  • Configuring the OVD authenticator in Oracle WebLogic Server: Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help

  • Connecting the Node Manager to WLST: "Node Manager Commands" in the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference

  • Associating a policy store using WLST: the "Setting a Node in an Oracle Internet Directory Server" and "reassociateSecurityStore" sections in the Oracle Fusion Middleware Application Security Guide

  • Associating a policy store using Enterprise Manager: "Reassociating with Fusion Middleware Control" in the Oracle Fusion Middleware Application Security Guide

  • Using the idmConfigTool command: Oracle Fusion Middleware Integration Overview for Oracle Identity Management Suite


Note:

3.3.1 Starting WebLogic

Before you can start Oracle Privileged Account Manager, you must start the WebLogic servers and console.

Note:

  1. Connect the Node Manager to WLST by running the nmConnect command.

    See "Node Manager Commands" in the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference for instructions.

  2. Start the WebLogic Admin Server. For example,

    On UNIX, type

    MIDDLEWARE_HOME/user_projects/domains/DOMAIN_NAME/bin/startWebLogic.sh
    

    On Windows, type

    MIDDLEWARE_HOME\user_projects\domains\DOMAIN_NAME\bin\startWebLogic.bat
    
  3. Start the Oracle Privileged Account Manager Managed Server.

  4. Open a browser and start the WebLogic Console from the following location:

    http://adminserver_host:adminserver_port/console

3.3.2 Configuring an External Identity Store for Oracle Privileged Account Manager

This section describes how to configure a new, external identity store for Oracle Privileged Account Manager.

Note:

If you are using IBM WebSphere, you must configure a registry rather than an external identity store. Refer to "Configuring a Registry" in the Oracle Fusion Middleware Third-Party Application Server Guide for Oracle Identity and Access Management for instructions.

You must configure a domain identity store before you can view users when searching from the Oracle Identity Navigator Access Privileges pane. To configure the identity store as the main authentication source, you must configure the Oracle WebLogic Server domain where Oracle Identity Navigator is installed.

You can configure the domain identity store using Oracle Internet Directory or Oracle Virtual Directory with a supported LDAP-based directory server. You configure the identity store in the WebLogic Server Administration Console.

Note:

To configure the Oracle Internet Directory authenticator in Oracle WebLogic Server:

  1. Log in to Oracle WebLogic Server Administration Console, and click Lock & Edit in the Change Center.

  2. In Oracle WebLogic Server Administration Console, select Security Realms from the left pane and click the realm you are configuring. For example, the default realm is myrealm.

  3. Select the Providers tab, then select the Authentication subtab.

  4. Click New to launch the Create a New Authentication Provider page and complete the fields as follows:

    • Name: Enter a name for the authentication provider. For example, MyOIDDirectory.

    • Type: Select OracleInternetDirectoryAuthenticator from the list.

    Click OK to update the authentication providers table.

  5. In the authentication providers table, click the newly added authenticator.

  6. In Settings, select the Configuration tab, then select the Common tab.

  7. On the Common tab, set the Control Flag to SUFFICIENT.

    Setting the Control Flag attribute for the authenticator provider determines the ordered execution of the Authentication providers. The possible values for the Control Flag attribute are:

    • REQUIRED - This LoginModule must succeed. Even if it fails, authentication proceeds down the list of LoginModules for the configured Authentication providers. This setting is the default.

    • REQUISITE - This LoginModule must succeed. If other Authentication providers are configured and this LoginModule succeeds, authentication proceeds down the list of LoginModules. Otherwise, control is returned to the application.

    • SUFFICIENT - This LoginModule need not succeed. If it does succeed, return control to the application. If it fails and other Authentication providers are configured, authentication proceeds down the LoginModule list.

    • OPTIONAL - This LoginModule can succeed or fail. However, if all Authentication providers configured in a security realm have the JAAS Control Flag set to OPTIONAL, the user must pass the authentication test of one of the configured providers.

  8. Click Save.

  9. Select the Provider Specific tab and enter the following required settings using values for your environment:

    • Host: The host name of the Oracle Internet Directory server.

    • Port: The port number on which the Oracle Internet Directory server is listening.

    • Principal: The distinguished name (DN) of the Oracle Internet Directory user to be used to connect to the Oracle Internet Directory server. For example: cn=OIDUser,cn=users,dc=us,dc=mycompany,dc=com.

    • Credential: Password for the Oracle Internet Directory user entered as the Principal.

    • Group Base DN: The base distinguished name (DN) of the Oracle Internet Directory server tree that contains groups.

    • User Base DN: The base distinguished name (DN) of the Oracle Internet Directory server tree that contains users.

    • All Users Filter: LDAP search filter. Click More Info for details.

    • User From Name Filter: LDAP search filter. Click More Info for details.

    • User Name Attribute: The attribute that you want to use to authenticate (for example, cn, uid, or mail). For example, to authenticate using a user's email address you set this value to mail.

    • Enable Use Retrieved User Name As Principal.

  10. Click Save.

  11. From the Settings for myrealm page, select the Providers tab, then select the Authentication tab.

  12. Click Reorder.

  13. Select the new authenticator and use the arrow buttons to move it into the first position in the list.

  14. Click OK.

  15. Click DefaultAuthenticator in the Authentication Providers table to display the Settings for DefaultAuthenticator page.

  16. Select the Configuration tab, then the Common tab, and select SUFFICIENT from the Control Flag list.

  17. In the Change Center, click Activate Changes.

  18. Restart Oracle WebLogic Server.

  19. Verify your configuration and set-up by confirming that the users present in the LDAP directory (Oracle Internet Directory or Oracle Virtual Directory) can log in to Oracle Privileged Account Manager with no issues.
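The Control Flag descriptions in step 7 are easier to reason about when you can run them. The following is an added example, not Oracle code: a small model of how WebLogic stacks JAAS authentication providers, used to show why the procedure sets the new Oracle Internet Directory authenticator to SUFFICIENT (step 7), moves it to the top of the list (step 13) and sets DefaultAuthenticator to SUFFICIENT as well (step 16). The user stores are constructed sample data standing in for Oracle Internet Directory and the embedded LDAP; a real provider binds to its directory instead.

```python
"""Model of how WebLogic stacks JAAS authentication providers.

Added example; not Oracle code. Reproduces the Control Flag semantics in
step 7 so the effect of steps 7, 13 and 16 can be checked offline. The
user stores are constructed sample data.
"""
from dataclasses import dataclass, field

# Constructed sample users: who exists in which store.
OID_USERS = {"opamadmin": "Oid-Pass-1", "alice": "Alice-Pass-1"}
EMBEDDED_USERS = {"weblogic": "WLS-Pass-1"}


@dataclass
class Provider:
    name: str
    flag: str            # REQUIRED, REQUISITE, SUFFICIENT or OPTIONAL
    users: dict = field(default_factory=dict)

    def login(self, user, password):
        # Stand-in for the LoginModule's bind against its directory.
        return self.users.get(user) == password


def authenticate(chain, user, password):
    """Apply the JAAS stacking rules to 'chain' in order; True on success.

    REQUIRED   must succeed; on failure the rest of the chain still runs,
               but the overall result is failure.
    REQUISITE  must succeed; on failure evaluation stops at once.
    SUFFICIENT success returns at once unless an earlier REQUIRED/REQUISITE
               provider already failed; failure just moves to the next one.
    OPTIONAL   counts only when no REQUIRED/REQUISITE provider is configured.
    """
    saw_mandatory = False
    mandatory_failed = False
    other_succeeded = False
    for provider in chain:
        ok = provider.login(user, password)
        if provider.flag in ("REQUIRED", "REQUISITE"):
            saw_mandatory = True
            if not ok:
                mandatory_failed = True
                if provider.flag == "REQUISITE":
                    return False
        elif provider.flag == "SUFFICIENT":
            if ok and not mandatory_failed:
                return True
            other_succeeded = other_succeeded or ok
        elif provider.flag == "OPTIONAL":
            other_succeeded = other_succeeded or ok
        else:
            raise ValueError(f"unknown control flag {provider.flag!r}")
    if saw_mandatory:
        return not mandatory_failed
    return other_succeeded


def oid(flag):
    return Provider("MyOIDDirectory", flag, OID_USERS)


def default_authenticator(flag):
    return Provider("DefaultAuthenticator", flag, EMBEDDED_USERS)


def run_scenarios():
    """Logins worth trying in step 19, under three provider configurations."""
    chains = {
        # Steps 7, 13 and 16 as documented: OID first, both SUFFICIENT.
        "documented": [oid("SUFFICIENT"), default_authenticator("SUFFICIENT")],
        # Step 7 skipped: the new provider keeps the default flag, REQUIRED.
        "oid_left_required": [oid("REQUIRED"), default_authenticator("SUFFICIENT")],
        # Steps 13 and 16 skipped: DefaultAuthenticator stays first and REQUIRED.
        "not_reordered": [default_authenticator("REQUIRED"), oid("SUFFICIENT")],
    }
    attempts = {
        "alice_in_oid": ("alice", "Alice-Pass-1"),
        "weblogic_in_embedded": ("weblogic", "WLS-Pass-1"),
        "alice_wrong_password": ("alice", "wrong"),
    }
    return {name: {label: authenticate(chain, *cred) for label, cred in attempts.items()}
            for name, chain in chains.items()}


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, outcome)
```

With the documented configuration both the directory user and the embedded-LDAP administrator can log in. Leaving the OID provider at REQUIRED locks out accounts that exist only in the embedded LDAP (the WebLogic boot and admin users); leaving DefaultAuthenticator first and REQUIRED locks out every directory user. Note the security consequence of two SUFFICIENT providers: the embedded LDAP stays a valid login path, so its accounts still need strong passwords and the same monitoring as the directory.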

To use Oracle Virtual Directory as the domain identity store, you must do the following:

3.3.3 Preparing the Identity Store

If you want to use an external LDAP server to serve as an identity store, you should seed it with the necessary Oracle Privileged Account Manager users and groups.

You prepare the identity store by performing the following tasks:

3.3.3.1 Extending the Directory Schema for Oracle Privileged Account Manager

Pre-configuring the identity store extends the schema in Oracle Internet Directory.

To pre-configure the identity store, you must perform the following tasks on IDMHOST1:

  1. Set the environment variables: MW_HOME, JAVA_HOME, and ORACLE_HOME.

    Set ORACLE_HOME to IAM_ORACLE_HOME.

  2. Create a properties file, called extend.props, with the following contents:

    IDSTORE_HOST: idstore.mycompany.com
    IDSTORE_PORT: 389
    IDSTORE_BINDDN: cn=orcladmin
    IDSTORE_USERNAMEATTRIBUTE: cn
    IDSTORE_LOGINATTRIBUTE: uid
    IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
    IDSTORE_SEARCHBASE: dc=mycompany,dc=com
    IDSTORE_SYSTEMIDBASE: cn=systemids,dc=mycompany,dc=com
    

    Where:

    • IDSTORE_HOST and IDSTORE_PORT are, respectively, the host and port of your identity store directory.

      • If you are using a non-OID directory, then specify the Oracle Virtual Directory host (which should be IDSTORE.mycompany.com).

      • If your identity store is in Oracle Internet Directory, then IDSTORE_HOST should point to Oracle Internet Directory, even if you are fronting Oracle Internet Directory with Oracle Virtual Directory.

    • IDSTORE_BINDDN is an administrative user in the identity store directory.

    • IDSTORE_USERSEARCHBASE is the location in the directory where users are stored.

    • IDSTORE_GROUPSEARCHBASE is the location in the directory where groups are stored.

    • IDSTORE_SEARCHBASE is the location in the directory where users and groups are stored.

    • IDSTORE_SYSTEMIDBASE is the location of a container in the directory where users can be placed when you do not want them in the main user container. While this situation rarely occurs, one example is an Oracle Identity Manager reconciliation user who is also used as the bind DN user in Oracle Virtual Directory adapters.

    • IDSTORE_USERNAMEATTRIBUTE is the LDAP attribute that contains the username. This attribute is usually CN.

    • IDSTORE_LOGINATTRIBUTE is the LDAP attribute that contains the user's Login name.

  3. Configure the identity store by using the idmConfigTool command, which is located at:

    IAM_ORACLE_HOME/idmtools/bin
    

    Note:

    When you run the idmConfigTool command, it creates or appends to the idmDomainConfig.param file. This file is generated in the same directory where you run the idmConfigTool command.

    To ensure that you append to the same file each time you run the tool, always run idmConfigTool from the following directory:

    IAM_ORACLE_HOME/idmtools/bin
    
    • On Linux, the command syntax is:

      idmConfigTool.sh -preConfigIDStore input_file=configfile 
      
    • On Windows, the command syntax is:

      idmConfigTool.bat -preConfigIDStore input_file=configfile 
      

    For example:

    idmConfigTool.sh -preConfigIDStore input_file=extend.props
    

    When the command runs, you are prompted to enter the password of the account that you are using to connect to the identity store.

    Sample command output, when running the command against Oracle Virtual Directory:

    Enter ID Store Bind DN password:
    May 25, 2011 2:37:18 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/idm_idstore_groups_template.ldif
    May 25, 2011 2:37:18 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/idm_idstore_groups_acl_template.ldif
    May 25, 2011 2:37:18 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/systemid_pwdpolicy.ldif
    May 25, 2011 2:37:18 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/idstore_tuning.ldif
    May 25, 2011 2:37:18 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oid_schema_extn.ldif
    May 25, 2011 2:37:19 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/oam/server/oim-intg/schema/OID_oblix_pwd_schema_add.ldif
    May 25, 2011 2:37:19 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/oam/server/oim-intg/schema/OID_oim_pwd_schema_add.ldif
    May 25, 2011 2:37:19 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/oam/server/oim-intg/schema/OID_oblix_schema_add.ldif
    May 25, 2011 2:37:34 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/oam/server/oim-intg/schema/OID_oblix_schema_index_add.ldif
    The tool has completed its operation. Details have been logged to automation.log
    
    
  4. A file named automation.log is created in the directory from where you ran the tool. Check this log file for any errors or warnings and correct them.

    Note:

    In addition to creating users, the idmConfigTool creates these groups:

    • OrclPolicyAndCredentialWritePrivilegeGroup

    • OrclPolicyAndCredentialReadPrivilegeGroup

See Also:

Oracle Fusion Middleware Integration Overview for Oracle Identity Management Suite for more information about the idmConfigTool command.

3.3.3.2 Creating Users and Groups for Oracle Privileged Account Manager

If you plan to implement Oracle Privileged Account Manager in your topology, you must seed the identity store with the users and groups that are required by Oracle Privileged Account Manager.

Note:

The use of apm and APM in the following procedure is appropriate for setting up the users and groups required by Oracle Privileged Account Manager.

To create the necessary users and groups, perform the following tasks on IDMHOST1:

  1. Set the environment variables: MW_HOME, JAVA_HOME, and ORACLE_HOME.

    Set ORACLE_HOME to IAM_ORACLE_HOME.

  2. Create a properties file, called apm.props with the following contents:

    IDSTORE_HOST: idstore.mycompany.com
    IDSTORE_PORT: 389
    IDSTORE_BINDDN: cn=orcladmin
    IDSTORE_USERNAMEATTRIBUTE: cn
    IDSTORE_LOGINATTRIBUTE: uid
    IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
    IDSTORE_SEARCHBASE: dc=mycompany,dc=com
    POLICYSTORE_SHARES_IDSTORE: true
    IDSTORE_APMUSER: opamadmin
    

    Where

    • IDSTORE_HOST and IDSTORE_PORT are, respectively, the host and port of your identity store directory.

      • If you are using a non-OID directory, then specify the Oracle Virtual Directory host (which should be IDSTORE.mycompany.com).

      • If your identity store is in Oracle Internet Directory, then IDSTORE_HOST should point to Oracle Internet Directory, even if you are fronting Oracle Internet Directory with Oracle Virtual Directory.

    • IDSTORE_BINDDN is an administrative user in the identity store Directory.

    • IDSTORE_USERNAMEATTRIBUTE is the LDAP attribute that contains the username. This attribute is usually CN.

    • IDSTORE_LOGINATTRIBUTE is the LDAP attribute that contains the user's Login name.

    • IDSTORE_USERSEARCHBASE is the location in the directory where users are stored.

    • IDSTORE_GROUPSEARCHBASE is the location in the directory where groups are stored.

    • IDSTORE_SEARCHBASE is the location in the directory where users and groups are stored.

    • POLICYSTORE_SHARES_IDSTORE

      • If your Policy and identity stores are in the same directory, set to true.

      • If your Policy and identity stores are not in the same directory, set to false.

    • IDSTORE_APMUSER is the name of the user you want to create as your Oracle Privileged Account Manager administrator.

    In addition to creating the users, this command assigns them to the groups that the -preConfigIDStore step created in Section 3.3.3.1, "Extending the Directory Schema for Oracle Privileged Account Manager."

  3. Configure the identity store by using the idmConfigTool command, which is located at:

    IAM_ORACLE_HOME/idmtools/bin
    

    Note:

    When you run the idmConfigTool command, it creates or appends to the idmDomainConfig.param file. This file is generated in the same directory where you run the idmConfigTool command.

    To ensure that you append to the same file each time you run the tool, always run idmConfigTool from the following directory:

    IAM_ORACLE_HOME/idmtools/bin
    
    • On Linux, the command syntax is:

      idmConfigTool.sh -prepareIDStore mode=APM input_file=configfile 
      
    • On Windows, the command syntax is:

      idmConfigTool.bat -prepareIDStore mode=APM input_file=configfile 
      

    For example:

    idmConfigTool.sh -prepareIDStore mode=APM input_file=apm.props
    

    When the command runs, you are prompted to enter the password of the account that you are using to connect to the identity store.

    Sample command output:

    Enter ID Store Bind DN password :
    Feb 18, 2013 10:10:35 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING:  /u01/app/oracle/product/fmw/iam/common/templates/oinav_template_oid.ldif
    *** Creation of APM User ***
    Feb 18, 2013 10:10:35 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING:  /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oam_user_template.ldif
    Enter User Password for opamadmin:
    Confirm User Password for opamadmin:
    The tool has completed its operation. Details have been logged to automation.log
    
  4. A file named automation.log is created in the directory from where you ran the tool. Check this log file for any errors or warnings and correct them.
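Both idmConfigTool runs above (the -preConfigIDStore run in Section 3.3.3.1 and the -prepareIDStore mode=APM run in this section) take a property file and leave an automation.log behind. The following is an added example, not part of the Oracle documentation or of idmConfigTool: a pre-flight check that parses the property file in the "KEY: value" layout shown on this page, confirms the keys this page lists for each mode are present (idmConfigTool may accept keys this page does not show), checks that the search bases really sit under IDSTORE_SEARCHBASE, flags a password left in the file (the tool prompts for it and the file should not carry it), and then picks the WARNING/SEVERE lines out of automation.log for step 4. The property text and log text are constructed sample data; the password-key check and the log-level pattern are assumptions based on the java.util.logging format of the sample output.

```python
"""Pre-flight check for idmConfigTool property files plus an automation.log scan.

Added example; not Oracle code. Key sets come from the extend.props and
apm.props samples on this page. All sample text below is constructed.
"""
import re

# Keys in this page's extend.props sample (-preConfigIDStore).
PRECONFIG_KEYS = {
    "IDSTORE_HOST", "IDSTORE_PORT", "IDSTORE_BINDDN",
    "IDSTORE_USERNAMEATTRIBUTE", "IDSTORE_LOGINATTRIBUTE",
    "IDSTORE_USERSEARCHBASE", "IDSTORE_GROUPSEARCHBASE",
    "IDSTORE_SEARCHBASE", "IDSTORE_SYSTEMIDBASE",
}
# Keys in this page's apm.props sample (-prepareIDStore mode=APM).
APM_KEYS = (PRECONFIG_KEYS - {"IDSTORE_SYSTEMIDBASE"}) | {
    "POLICYSTORE_SHARES_IDSTORE", "IDSTORE_APMUSER",
}
# java.util.logging writes the level at the start of the message line (assumption).
LOG_LEVEL_RE = re.compile(r"^(SEVERE|WARNING):")


def parse_props(text):
    """Parse the 'KEY: value' layout used by extend.props and apm.props."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")   # first colon only; values may hold ':'
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        props[key.strip()] = value.strip()
    return props


def dn_is_under(child, parent):
    """True if DN 'child' equals or sits below DN 'parent' (naive split on ',')."""
    c = [r.strip().lower() for r in child.split(",")]
    p = [r.strip().lower() for r in parent.split(",")]
    return len(c) >= len(p) and c[len(c) - len(p):] == p


def check_props(props, mode):
    """Return the problems found; empty means the file looks usable.

    mode is "preConfigIDStore" (Section 3.3.3.1) or "APM" (Section 3.3.3.2).
    """
    required = PRECONFIG_KEYS if mode == "preConfigIDStore" else APM_KEYS
    problems = [f"missing key {k}" for k in sorted(required - props.keys())]
    if "IDSTORE_PORT" in props and not props["IDSTORE_PORT"].isdigit():
        problems.append("IDSTORE_PORT is not numeric")
    base = props.get("IDSTORE_SEARCHBASE")
    for k in ("IDSTORE_USERSEARCHBASE", "IDSTORE_GROUPSEARCHBASE", "IDSTORE_SYSTEMIDBASE"):
        if base and k in props and not dn_is_under(props[k], base):
            problems.append(f"{k} is not under IDSTORE_SEARCHBASE")
    if props.get("POLICYSTORE_SHARES_IDSTORE", "true") not in ("true", "false"):
        problems.append("POLICYSTORE_SHARES_IDSTORE must be true or false")
    # The tool prompts for the bind DN password; one in the file is a credential leak.
    if any(k.upper().endswith("PASSWORD") for k in props):
        problems.append("password stored in property file; remove it, the tool prompts")
    return problems


def scan_automation_log(text):
    """Return the WARNING/SEVERE message lines from automation.log (step 4)."""
    return [ln.strip() for ln in text.splitlines() if LOG_LEVEL_RE.match(ln.strip())]


# Constructed samples: this section's apm.props, a broken variant, and a log excerpt.
SAMPLE_APM_PROPS = """\
IDSTORE_HOST: idstore.mycompany.com
IDSTORE_PORT: 389
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
IDSTORE_SEARCHBASE: dc=mycompany,dc=com
POLICYSTORE_SHARES_IDSTORE: true
IDSTORE_APMUSER: opamadmin
"""
SAMPLE_BAD_PROPS = """\
IDSTORE_HOST: idstore.mycompany.com
IDSTORE_PORT: 389a
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_BINDDN_PASSWORD: Welcome1
IDSTORE_USERSEARCHBASE: cn=Users,dc=othercorp,dc=com
IDSTORE_SEARCHBASE: dc=mycompany,dc=com
"""
SAMPLE_LOG = """\
Feb 18, 2013 10:10:35 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING:  /u01/app/oracle/product/fmw/iam/common/templates/oinav_template_oid.ldif
Feb 18, 2013 10:10:36 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
WARNING: (constructed) entry already exists, skipping
The tool has completed its operation. Details have been logged to automation.log
"""

if __name__ == "__main__":
    print(check_props(parse_props(SAMPLE_APM_PROPS), "APM"))
    print(check_props(parse_props(SAMPLE_BAD_PROPS), "APM"))
    print(scan_automation_log(SAMPLE_LOG))
```

Running check_props on the page's apm.props in APM mode reports nothing; running it in preConfigIDStore mode reports only the missing IDSTORE_SYSTEMIDBASE, which is exactly the key that distinguishes extend.props from apm.props. Point the script at your real files and at the automation.log in IAM_ORACLE_HOME/idmtools/bin before and after each run.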

See Also:

Oracle Fusion Middleware Integration Overview for Oracle Identity Management Suite for more information about the idmConfigTool command.

3.3.4 Assigning the Application Configurator Role to a User

After installation, you do not have any users present with administrator roles. You must select a user and grant that person the Application Configurator role by using Oracle Identity Navigator.

Note:

Refer to "Assigning a Common Admin Role" in Oracle Fusion Middleware Administrator's Guide for Oracle Identity Navigator for instructions.

The Application Configurator user can have other roles in addition to this role. For more information about other Admin Roles, see Section 2.3.1, "Administration Role Types."

When the Application Configurator user logs in by using the following URL, that user will see an empty screen with a Configure OPAM link.

http://adminserver_host:adminserver_port/oinav/opam

The Application Configurator user uses this link to tell the Oracle Privileged Account Manager Console where the Oracle Privileged Account Manager server is running, by providing the server's host and port.

When the Oracle Privileged Account Manager Console can successfully communicate with the Oracle Privileged Account Manager server, the Oracle Privileged Account Manager Console will be populated with content.

Note:

Oracle Privileged Account Manager administrators and users will probably never have to use the Oracle Identity Navigator interface except during the initial set-up of Oracle Privileged Account Manager.

3.3.5 Invoking Oracle Privileged Account Manager's Web-Based Console

You can access Oracle Privileged Account Manager's Console by opening a browser window and entering the following URL:

http://adminserver_host:adminserver_port/oinav/opam

When the Oracle Privileged Account Manager page displays with the Sign In screen, log in with the appropriate administrator or end user credentials.

Note:

If you prefer using Oracle Privileged Account Manager's command line tool or Oracle Privileged Account Manager's RESTful interface, refer to Appendix A, "Working with the Command Line Tool" or Appendix B, "Working with Oracle Privileged Account Manager's RESTful Interface" (respectively) for detailed information about using those interfaces.

3.4 Navigating Oracle Privileged Account Manager's Console

When you log in to Oracle Privileged Account Manager, the Console displays.

Access to certain features in the Console is based on your administration role (Admin Role) and credentials. For example, Figure 3-1 shows all of the features available in Oracle Privileged Account Manager. However, the Administration, Reports, and Configuration accordions, described later in this section, are not available to end users or to users with the Security Administrator role.

Figure 3-1 Oracle Privileged Account Manager Console (Full Privileges View)

Figure of Console when logged-in with full Admin privileges

Figure 3-2 shows the Console when you log in as a Self-Service user with no administrator privileges.

Figure 3-2 Oracle Privileged Account Manager Console (Self-Service View)

Figure of Console when logged-in as Self-Service user

Note:

Refer to Section 2.3, "Understanding Oracle Privileged Account Manager Authorization" for more information about Admin Roles.

This section provides a high-level overview of the Oracle Privileged Account Manager Console. The topics in this section include:

Tip:

Hover your mouse over elements in the Oracle Privileged Account Manager interface (such as parameter fields or information icons) to see helpful prompts.

3.4.1 Working with the Home Accordion

The Home accordion contains the following nodes:

  • My Accounts: Select this node to access the My Accounts page where you can view, search, check out, check in, and show passwords for any accounts where you are a grantee.

  • My Checked-out Accounts: Select this node to access the My Checked-out Accounts page where you can view your checked out accounts, view the password for those accounts, and check in those accounts.

Clicking either node opens a new page on the right side of the Console. Use these pages to manage your accounts.

Note:

  • The My Accounts page is displayed by default when any user logs in, regardless of privileges.

  • For detailed information about working with the My Accounts page or with the My Checked-out Accounts page, refer to Section 5.2, "Working with Self-Service."

3.4.2 Working with the Administration Accordion

Based on your Admin Role and credentials, the Administration accordion contains some or all of the following nodes:

  • Accounts: Select to open the Accounts page, where you can search, open, add, and remove accounts.

  • Targets: Select to open the Targets page, where you can search, open, add, and remove targets.

  • Password Policies: Select to open the Password Policies page, where you can search, open, create, and delete Password Policies.

  • Usage Policies: Select to open the Usage Policies page, where you can search, open, create, and delete Usage Policies.

  • User Grantees: Select to open the User Grantees page, where you can search, open, and view information about individual user grantees.

  • Group Grantees: Select to open the Group Grantees page, where you can search, open, and view information about a group of grantees.

Clicking any of these nodes opens a new page on the right side of the Console. Use these pages to configure and manage Oracle Privileged Account Manager.

Note:

3.4.3 Working with the Reports Accordion

Based on your Admin Role and credentials, the Reports accordion contains some or all of the following nodes:

  • Deployment Reports: Select to open the Deployment Reports page, where you can view information about how targets and privileged accounts are currently deployed.

  • Usage Reports: Select to open the Usage Reports page, where you can view information about how privileged accounts are being used in your deployment.

  • Failure Reports: Select to open the Failure Reports page, where you can view information about the current state of target and account failures.

Note:

For detailed information about these Reports, see Section 5.1.5, "Working with Reports."

3.4.4 Working with the Configuration Accordion

The Configuration accordion contains the following nodes, which represent the common global configuration properties that apply to all Oracle Privileged Account Manager servers in a cluster:

  • Server Connection: Select this node to configure a connection to the Oracle Privileged Account Manager server.

  • Server Configuration: Select this node to manage the following settings:

    • Usage Policy scheduler interval

    • Password Policy scheduler interval

    • Target connection timeout in seconds

    • Oracle Database TDE Mode (Transparent Data Encryption)

Note:

For more information about these settings, see Section 4.3.2, "Managing Oracle Privileged Account Manager Server Properties."

3.4.5 Working with the Search Portlet

You use Oracle Privileged Account Manager's Search portlet to search for accounts, targets, policies, users, and groups.

Figure 3-3 Example Search Portlet

Example OPAM Search Portlet

You configure searches by using one or more of the parameters displayed in a Search portlet. The available parameters depend on the type of search. The following table describes the different search parameters:

Table 3-4 Search Portlet Parameters

  • Account Name (Search type: My Accounts, Accounts): Enter one or more letters of the account name for which you are searching.

  • Target Name (Search type: My Accounts, Accounts, Targets, Users, Groups): Specify one or more letters of the target name on which to search.

  • Target Type (Search type: My Accounts, Accounts, Targets): Specify All (to search all target types), ldap, unix, database, or lockbox.

  • Domain (Search type: My Accounts, Accounts, Targets): Specify the domain on which to search.

  • Host Name (Search type: Targets): Specify the name of the host on which to search.

  • Policy Name (Search type: Password Policies, Usage Policies): Specify one or more letters of the policy name for which you are searching.

  • Policy Status (Search type: Password Policies, Usage Policies): Specify whether to search for All policies or limit the search to only Active or only Disabled policies.

  • User Name (Search type: User Grantees): Specify one or more letters of the user's name for which you are searching.

  • Group Name (Search type: Group Grantees): Specify one or more letters of the group name for which you are searching.


The general steps for performing a search are as follows:

  1. Select the appropriate node in the Home or Administration accordion.

    For example, to search for an account, select Accounts.

  2. Use the Search portlet parameters to configure your search.

    • For example, to search for a list of the accounts on a particular LDAP target, enter one or more letters of the target's name, select LDAP from the Target Type menu, and then click Search.

    • To search for all available results, do not specify any search parameters.

  3. Click Search.

    The results are displayed in the Search Results table.

    Note:

    You can use the Status menu, located above the Search Results table, to filter the search results based on the account status. See Table 3-5 in Section 3.4.6, "Working with a Search Results Table" for more information.

  4. To perform another search, click Reset.

3.4.6 Working with a Search Results Table

You can use the drop-down menus and icons located along the top of the different Search Results tables to perform various tasks.

Figure 3-4 Example Search Results Table

The following table describes these features:

Note:

The availability of these features changes based on your role (privileges) and the type of search that was performed. See Section 2.3.1, "Administration Role Types" for more information.

Table 3-5 Search Results Table Features

  • Actions (Search type: My Accounts, My Checked-out Accounts, Accounts, Targets, Password Policies, Usage Policies, User Grantees, Group Grantees): Click to select an action from a drop-down menu.

    Note: The options on the Actions menu duplicate the task icons displayed above the table.

  • View (Search type: My Accounts, My Checked-out Accounts, Accounts, Targets, Password Policies, Usage Policies, User Grantees, Group Grantees): Use this drop-down menu to control how the columns are displayed in the Search Results table.

    • Columns > Show All: Displays all columns in the table.

    • Columns > Column Name: Click a column name to display or hide that column in the table. All columns are displayed (checked) by default.

    • Columns > Manage Columns: Opens a dialog that enables you to display or hide columns.

    • Reorder Columns: Select this option to open the Reorder Columns dialog, where you can select columns and change their order in the table.

  • Status (Search type: My Accounts, Accounts): Choose an option from the menu to control which accounts are displayed in the search results:

    • Checked-in Accounts: Lists only those accounts that are currently checked in.

      Note: If you are viewing the account as an administrator, Checked-in Accounts are accounts that can be checked out by any user who has been granted access to that account. If you are viewing the account as a grantee, Checked-in Accounts means you can check out the account.

    • Checked-out Accounts: Lists only those accounts that are currently checked out.

    • All: Lists all accounts on the target.

  • Add (Search type: Accounts, Targets): Click to add a new account or target to the Oracle Privileged Account Manager repository.

  • Open (Search type: My Accounts, Accounts, Targets, Password Policies, Usage Policies, User Grantees, Group Grantees): Click to open the selected account, target, policy, user grantee, or group grantee.

  • Remove (Search type: Accounts, Targets): Click to remove the selected account or target from the Oracle Privileged Account Manager repository.

  • Show Password (Search type: My Accounts, My Checked-out Accounts, Accounts, Targets): Click to open the Show Current Password dialog, where you can view the current password information for a selected account or for a target's service account.

    • For Accounts, this dialog lists the current Account Name and Password.

    • For Targets, this dialog lists the current Target Name, Service Account Name, Current Password, and Password Change Time.

  • Reset Password (Search type: Accounts, Targets): Click to open the Reset Password dialog, where you can manually reset the password for a selected account or for a target's service account.

    • For Accounts, this dialog lists the current Account Name and Target Name. Type a password in the New Password field to create a new password for the account.

    • For Targets, this dialog lists the current Target Name and Service Account Name. You can either type a password in the New Password field or enable the Generate password automatically checkbox to automatically generate a new password.

  • Force Check In (Search type: Accounts only): Click to check in privileged accounts that have been checked out by other users.

  • Create Password Policy (Search type: Password Policies only): Click to create a Password Policy. See Section 5.1.2.2, "Adding Targets to Oracle Privileged Account Manager" for more information.

  • Create Usage Policy (Search type: Usage Policies only): Click to create a Usage Policy. See Section 5.1.2.2, "Adding Targets to Oracle Privileged Account Manager" for more information.

  • Delete (Search type: Password Policies, Usage Policies): Click to delete a selected policy from the Oracle Privileged Account Manager repository.

  • Check-In (Search type: My Checked-out Accounts only): Click to check in the selected checked-out account. See Section 5.1.3.6, "Checking In Privileged Accounts" for more information.

  • Refresh (Search type: My Accounts, My Checked-out Accounts, Accounts): Click to re-display (refresh) the Search Results.