5 Configuring and Managing the Servers

This chapter provides information that administrators must know to configure and manage an Oracle Privileged Account Manager server and an Oracle Privileged Session Manager (Session Manager) server.

This chapter includes the following sections:

Note:

If you are using Oracle Privileged Account Manager on IBM WebSphere, refer to "Differences in Configuring and Managing the Servers" in the Oracle Fusion Middleware Third-Party Application Server Guide for Oracle Identity and Access Management for information about this topic.

5.1 Understanding the Servers

This section provides a high-level overview of the following servers:

5.1.1 Oracle Privileged Account Manager Server

The Oracle Privileged Account Manager server implements the core functionality of Oracle Privileged Account Manager and makes authorization decisions that determine:

  • Which targets and privileged accounts are exposed to administrators and end-users

  • Which operations administrators and end-users can perform on targets, privileged accounts, and policies

In addition, the Oracle Privileged Account Manager server:

  • Supports Usage and Password Policies for accounts

  • Enforces its authorization decisions

  • Supports authentication by using the SAML-based Oracle Security Token from OPSS Trust Services and HTTP-Basic Authentication

  • Supports different Admin Roles for the Oracle Privileged Account Manager server

Note:

For security purposes, the Oracle Privileged Account Manager server only responds to SSL traffic.

When you add the Oracle Privileged Account Manager server target to the Oracle Privileged Account Manager user interface or to the Oracle Privileged Account Manager command line tool (CLI), you must provide the SSL endpoint as https://hostname:sslport/opam.

By default, WebLogic responds to SSL using port 7002 on the Admin Server and port 18102 on the Managed Server. You can use the WebLogic console to check the port for your particular instance.

The following figure illustrates the Oracle Privileged Account Manager server architecture.

Figure 5-1 Server Architecture

Diagram showing OPAM server architecture

5.1.2 Oracle Privileged Session Manager Server

The Oracle Privileged Session Manager creates a single access point to target resources and enables you to manage privileged sessions to the target system through

  • Session Initiation by

    • Providing a single control point for privileged access

    • Never exposing privileged credentials

    • Supporting any compliant, third-party client (such as PuTTY or OpenSSH)

  • Session Control through policy-based and administrator-initiated session termination and lockout

  • Session Monitoring and Auditing by maintaining historical records (transcripts) that support forensic analysis and auditing

The following figure illustrates how the Oracle Privileged Session Manager relates to the Oracle Privileged Account Manager server.

Figure 5-2 How Session Manager Relates to the Oracle Privileged Account Manager Server

Figure showing how OPSM relates to the OPAM server

5.2 Managing an Oracle Privileged Account Manager Server

This section provides information administrators need to manage an Oracle Privileged Account Manager server, which includes the following topics:

5.2.1 Before You Begin

  • You must be an Oracle Privileged Account Manager administrator with the Application Configurator Admin Role to add and manage an Oracle Privileged Account Manager server.

  • The procedures described in this chapter reference information and instructions contained in the following Oracle publications. If necessary, review the referenced concepts, terminology, and procedures before you begin configuring the Oracle Privileged Account Manager server.

5.2.2 Configuring a Connection to the Oracle Privileged Account Manager Server

When you log into Oracle Privileged Account Manager, the Oracle Privileged Account Manager Server URL is automatically detected by default.

Use the following steps to configure a new connection to the Oracle Privileged Account Manager server from the Oracle Privileged Account Manager Console:

  1. Open Oracle Privileged Account Manager by logging in to:

    http://managedserver_host:managedserver_port/oinav/opam

    Note:

    You must log in as a user with the Application Configurator Admin Role, or the Server Configuration page will not be accessible.

    For more information about this and other Admin Roles, refer to Section 2.3.1, "Administration Role Types" and Section 3.3.4, "Assigning the Application Configurator Role to a User."

  2. When the Oracle Privileged Account Manager Console displays, select Server Connection from the Configuration accordion.

  3. When the Server Connection page displays, notice that the Oracle Privileged Account Manager Server URL is displayed as the Auto-Detect URL.

    To add a different server, enter that server's Host name and SSL Port number.

    Note:

    You must provide a fully qualified host name for the Host value. Using localhost can cause problems, such as described in Section C.3.13, "Cannot Open Session Recordings."

  4. Click the Test button to test the connection settings.

    If the connection test succeeds, a "Test Succeeded" message is displayed.

  5. Click the Apply button to save this connection information.
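The following Python script is an added example; it is not part of Oracle Privileged Account Manager or of this guide. It applies the checks from this procedure to a Host and SSL Port value before they are saved: it builds the https://hostname:sslport/opam endpoint, rejects localhost, loopback addresses and unqualified short names, and confirms that only an https URL is accepted, because the server does not answer plain HTTP. The tls_probe function, which performs the live connection test and verifies the server certificate chain and host name, is an assumption of this example and is not exercised offline; the host name, port and cafile value are placeholders.

```python
import ipaddress
import socket
import ssl
from typing import Optional
from urllib.parse import urlsplit

# Host names the guide warns against (localhost) plus the usual loopback alias.
# Rejecting loopback IP addresses as well is an assumption of this example.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def opam_endpoint(host: str, port: int) -> str:
    """Build the SSL endpoint https://host:port/opam after validating Host and SSL Port.

    Raises ValueError when the host is not fully qualified, is a loopback name or
    address, or the port is out of range.
    """
    host = host.strip().lower()
    if not host:
        raise ValueError("Host is required")
    if host in LOOPBACK_NAMES:
        raise ValueError("use a fully qualified host name, not localhost")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        if addr.is_loopback:
            raise ValueError("a loopback address is not a usable Host value")
        if addr.version == 6:
            host = f"[{host}]"          # IPv6 literals are bracketed in URLs
    elif "." not in host:
        raise ValueError("Host must be a fully qualified domain name, not a short name")
    if not 1 <= port <= 65535:
        raise ValueError("SSL Port must be between 1 and 65535")
    return f"https://{host}:{port}/opam"


def is_ssl_endpoint(url: str) -> bool:
    """True only for an https URL with the /opam context; the server ignores plain HTTP."""
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.hostname) and parts.path.rstrip("/") == "/opam"


def tls_probe(host: str, port: int, cafile: Optional[str] = None, timeout: float = 5.0) -> dict:
    """Open a TLS connection to host:port, verifying the certificate chain and host name,
    and return the negotiated protocol and the certificate subject.

    Network call, not exercised offline. cafile is the trust store holding the CA that
    issued the WebLogic server certificate; with the default None the system trust store
    is used, so a self-signed WebLogic demo certificate is rejected with ssl.SSLError.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"protocol": tls.version(), "subject": cert.get("subject", ())}


if __name__ == "__main__":
    # Constructed values; replace with your managed server host and SSL port.
    url = opam_endpoint("opam.example.com", 18102)
    print(url, is_ssl_endpoint(url))
```

Run tls_probe("opam.example.com", 18102, cafile="ca.pem") from an administrator workstation to reproduce the Test button outside the Console; a certificate chain or host name mismatch raises ssl.SSLError instead of returning a result.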

5.2.3 Managing Oracle Privileged Account Manager Server Properties

You can use the Console or the properties in the OPAM Global Config configuration entry to define server-level behavior such as scheduler intervals and timeouts. The available server properties are explained in detail in Section 5.2.3.1.

You can manage server properties defined in the OPAM Global Config configuration entry from two locations:

5.2.3.1 From the Console

Use the following steps to manage the Oracle Privileged Account Manager server properties from the Oracle Privileged Account Manager Console:

  1. Open Oracle Privileged Account Manager by logging in to:

    http://managedserver_host:managedserver_port/oinav/opam

    Note:

    You must log in as a user with the Application Configurator Admin Role, or the Server Configuration page will not be accessible.

    For more information about this and other Admin Roles, refer to Section 2.3.1, "Administration Role Types" and Section 3.3.4, "Assigning the Application Configurator Role to a User."

  2. When the Oracle Privileged Account Manager Console displays, select Server Configuration from the Configuration accordion.

  3. When the Server Configuration page displays, you can modify any of the following server property options:

    • Usage policy enforcement interval in seconds. Specify the interval (in seconds) at which Oracle Privileged Account Manager checks accounts and automatically checks in those whose checkout has exceeded the expiration time defined in the Usage Policy. (Default is 3600 seconds.)

    • Password policy enforcement interval in seconds. Specify the interval (in seconds) at which Oracle Privileged Account Manager checks accounts and resets the password of any account that has exceeded the maximum password age defined in the Password Policy. (Default is 3600 seconds.)

    • Target connection timeout in seconds. Specify how long (in seconds) Oracle Privileged Account Manager allows an ICF connector to wait for a response from the target system to which it is connecting.

      The default value for this setting is 20 seconds. In deployments where network latency is high and target systems take longer to respond, you may need to increase this value.

    • Require TDE enabled backend. Check this box to enable Oracle Privileged Account Manager to use Transparent Data Encryption (TDE) mode. (Default is TDE mode enabled.)

      Enabling TDE ensures that all sensitive information stored by Oracle Privileged Account Manager (such as account passwords) is encrypted on disk.

      Unchecking the box disables TDE mode.

      Note:

      Oracle strongly recommends that you enable TDE mode for enhanced security.

      Refer to Section 2.4.6, "Hardening the Back-End Oracle Privileged Account Manager Database" for more information about using TDE mode.

  4. When you are finished, click the Apply button to save these configuration settings.
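The following Python model is an added example, not product code and not from this guide. It shows the consequence of the two enforcement intervals in step 3: policy checks run only at each scheduler tick, so a checkout that passes its Usage Policy expiration, or a password that passes its maximum age, stays in that state until the next tick. The Account and Policies classes, the field names usage_expiration and max_password_age, the event names and the sample accounts are all constructed for this illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Account:
    """Constructed model of a privileged account as the schedulers see it."""
    name: str
    checked_out_at: Optional[int] = None      # epoch seconds; None means checked in
    password_set_at: int = 0                  # epoch seconds of the last password change
    history: List[str] = field(default_factory=list)


@dataclass
class Policies:
    """Assumed names for the two policy limits the schedulers enforce."""
    usage_expiration: int      # Usage Policy: seconds a checkout may stay open
    max_password_age: int      # Password Policy: seconds before a password must be reset


def enforce_usage_policy(accounts: List[Account], policies: Policies, now: int) -> List[str]:
    """One pass of the usage-policy scheduler: check in every expired checkout."""
    checked_in = []
    for acct in accounts:
        if acct.checked_out_at is not None and now - acct.checked_out_at > policies.usage_expiration:
            acct.checked_out_at = None
            acct.history.append(f"{now}: automatic check-in (usage policy)")
            checked_in.append(acct.name)
    return checked_in


def enforce_password_policy(accounts: List[Account], policies: Policies, now: int) -> List[str]:
    """One pass of the password-policy scheduler: reset every password past its maximum age."""
    reset = []
    for acct in accounts:
        if now - acct.password_set_at > policies.max_password_age:
            acct.password_set_at = now      # the connector would set a new password here
            acct.history.append(f"{now}: password reset (password policy)")
            reset.append(acct.name)
    return reset


def worst_case_checkout_exposure(policies: Policies, usage_interval: int) -> int:
    """Longest an expired checkout can remain open: enforcement only happens at a tick,
    so the bound is the policy expiration plus one full scheduler interval."""
    return policies.usage_expiration + usage_interval


def run_schedulers(accounts: List[Account], policies: Policies, usage_interval: int,
                   password_interval: int, start: int, end: int) -> List[Tuple[int, str, str]]:
    """Simulate both schedulers from start to end (epoch seconds); return (time, event, account)."""
    ticks = sorted(set(range(start, end + 1, usage_interval)) | set(range(start, end + 1, password_interval)))
    events: List[Tuple[int, str, str]] = []
    for t in ticks:
        if (t - start) % usage_interval == 0:
            events.extend((t, "check-in", name) for name in enforce_usage_policy(accounts, policies, t))
        if (t - start) % password_interval == 0:
            events.extend((t, "password-reset", name) for name in enforce_password_policy(accounts, policies, t))
    return events


def demo() -> List[Tuple[int, str, str]]:
    """Constructed scenario: the 3600 s default intervals, a 10 minute checkout limit, a 1 day password age."""
    policies = Policies(usage_expiration=600, max_password_age=86400)
    accounts = [
        Account("oracle@proddb", checked_out_at=0),                              # checked out at t=0
        Account("root@prodhost", checked_out_at=3500, password_set_at=-90000),   # password already 25 h old
        Account("sys@proddb"),                                                   # checked in, nothing to do
    ]
    return run_schedulers(accounts, policies, usage_interval=3600, password_interval=3600, start=0, end=7200)


if __name__ == "__main__":
    for when, event, name in demo():
        print(when, event, name)
```

With the 3600-second defaults and a 600-second checkout limit, the first account's checkout expires at t=600 but is not checked in until the tick at t=3600; worst_case_checkout_exposure gives the bound (4200 seconds in this scenario). When a Usage Policy or Password Policy limit is much shorter than the enforcement interval, the interval, not the policy, determines how long an expired checkout or an overdue password actually persists.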

5.2.3.2 From the Command Line

To access the OPAM Global Config configuration entry and modify these server properties, use the getconfig and the modifyconfig commands from the command line.

Note:

Refer to Section A.2.1, "getconfig Command" and Section A.2.3, "modifyconfig Command" for detailed information about using these commands.

Refer to Section 15.2, "Securing Data On Disk" for more information about enabling or disabling TDE mode from the command line.

5.3 Managing the Oracle Privileged Session Manager Server

This section provides information administrators need to manage a Session Manager Server, which includes the following topics:

5.3.1 Before You Begin

  • You must be an administrator with the Application Configurator Admin Role or the Security Administrator role to view the Session Manager Configuration page.

  • Only administrators with the Application Configurator Admin Role can modify any of the settings on the Session Manager Configuration page.

5.3.2 Configuring a Connection to the Oracle Privileged Session Manager Server

Use the following steps to configure the Oracle Privileged Session Manager server from the Oracle Privileged Account Manager Console:

  1. Open Oracle Privileged Account Manager by logging in to:

    http://managedserver_host:managedserver_port/oinav/opam

  2. When the Oracle Privileged Account Manager Console displays, select Session Manager Configuration from the Configuration accordion.

    Use the properties on the Session Manager Configuration page to configure the Session Manager. Refer to Section 5.3.3, "Managing the Oracle Privileged Session Manager Properties" for instructions.

Note:

You cannot run two instances of Oracle Privileged Session Manager on the same machine.

5.3.3 Managing the Oracle Privileged Session Manager Properties

Use the following steps to manage the Session Manager properties from the Oracle Privileged Account Manager Console:

  1. Open Oracle Privileged Account Manager and navigate to the Session Manager Configuration page as described in Section 5.3.2, "Configuring a Connection to the Oracle Privileged Session Manager Server."

  2. When the Server Configuration page displays, configure the following options:

    • Session Monitoring Update Interval in seconds. Specify the interval (in seconds) at which Session Manager checks all checked-out sessions and updates their transcripts. Session Manager also automatically terminates any session that has exceeded the expiration time defined in the Usage Policy. (Default is 60 seconds.)

    • Oracle Privileged Account Manager URLs. Use this table to manage an array of Oracle Privileged Account Manager servers to which Session Manager can connect:

      Note:

      Notice that the Oracle Privileged Account Manager Server URL is displayed by default in the first row of the table, as the Auto-Detect URL.

      Clicking the Add button removes the Auto-Detect URL. After adding one or more rows to the table, you must click Remove and remove all rows to use the Auto-Detect URL instead. The Auto-Detect URL only displays when the table is empty.

      The Oracle Privileged Account Manager Server URL is multi-valued to allow for High Availability (HA).

      Session Manager maintains the server list and, when required, uses it on a round-robin basis for connections to Oracle Privileged Account Manager. Connection attempts are made against all configured servers until one succeeds or all configured URLs are exhausted.

      • To add one or more Oracle Privileged Account Manager Server URLs, click Add.

        When the new row is displayed in the table, enter the URL of an Oracle Privileged Account Manager server into the blank field. For example,

        https://<opamserver_host>:<port>/opam
        
      • To delete one or more Oracle Privileged Account Manager Server URLs from the table, select the row and click Remove.

    • SSH Configuration. Use the following options to configure the connection details to be displayed for session checkouts:

      • Listener Port: Provide the reserved SSH port on which the Session Manager listener accepts connections. The value must be greater than 1024; the default is 1122.

      • Session Checkout Instructions: Enter an instruction message to be displayed when users check out a session. This message should describe the information a user must provide to connect to the Session Manager server by using a regular SSH client.

        For example:

        ssh -p <port> <opamuser>:<targetname>:<accountname>@<sessionmgrhost>
        Use opam password on password prompt
        
  3. When you are finished, click the Apply button to save these configuration settings.
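The following Python class is an added example that models the server-list behavior described under Oracle Privileged Account Manager URLs in step 2; it is not Session Manager code. It keeps the configured URLs, starts each new connection at the next server in rotation (the guide says only that the list is used on a round-robin basis, so the exact rotation rule is an assumption), tries every URL once until one accepts, and raises when all of them have been tried. The URLs and the outage pattern are constructed.

```python
from typing import Callable, List, Tuple


class AllServersUnavailable(Exception):
    """Raised when every configured Oracle Privileged Account Manager URL has been tried."""


class OpamServerPool:
    """Model of Session Manager's server list: round-robin start point with failover
    across all configured URLs. Rotating the start index per connection is an assumption."""

    def __init__(self, urls: List[str]):
        if not urls:
            raise ValueError("at least one Oracle Privileged Account Manager URL is required")
        for url in urls:
            # The server only answers SSL, so anything but https cannot work.
            if not url.startswith("https://"):
                raise ValueError(f"not an SSL endpoint: {url}")
        self.urls = list(urls)
        self._next = 0
        self.attempt_log: List[Tuple[str, bool]] = []   # (url, succeeded) for every attempt

    def connect(self, try_connect: Callable[[str], bool]) -> str:
        """Try each URL once, starting at the next server in rotation, and return the first
        that accepts the connection. Raises AllServersUnavailable when the list is exhausted."""
        n = len(self.urls)
        start = self._next
        self._next = (start + 1) % n          # advance rotation whatever the outcome
        for i in range(n):
            url = self.urls[(start + i) % n]
            ok = try_connect(url)
            self.attempt_log.append((url, ok))
            if ok:
                return url
        raise AllServersUnavailable(f"all {n} configured URLs failed")


def demo() -> Tuple[List[str], bool, int]:
    """Constructed HA scenario: three servers, the first one down, then a total outage."""
    urls = [
        "https://opam1.example.com:18102/opam",
        "https://opam2.example.com:18102/opam",
        "https://opam3.example.com:18102/opam",
    ]
    down = {urls[0]}
    pool = OpamServerPool(urls)
    # try_connect stands in for the real TLS connection attempt; here it consults the outage set.
    chosen = [pool.connect(lambda u: u not in down) for _ in range(4)]
    try:
        pool.connect(lambda u: False)           # every server down
        exhausted = False
    except AllServersUnavailable:
        exhausted = True
    return chosen, exhausted, len(pool.attempt_log)


if __name__ == "__main__":
    print(demo())
```

In the scenario, four connections are served by opam2, opam2, opam3 and opam2: the failed server costs one extra attempt each time the rotation lands on it, and the attempt log is what an operator would want to see in monitoring to notice that opam1 is down before a total outage makes the exhaustion visible.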

Note:

For the detailed instructions you need to check out and check in sessions, refer to Section 12.7, "Checking Out Privileged Account Sessions."
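The following Python functions are an added example, not part of the product, showing the user-name convention in the Session Checkout Instructions described above: the SSH user name carries opamuser, targetname and accountname separated by colons, the host is the Session Manager host, and the listener port must be greater than 1024 (default 1122). The CheckoutTarget class, the function names and the sample values are constructed for this illustration; the rule that a component cannot itself contain ':' or '@' is an assumption that follows from those characters being the separators.

```python
import re
from typing import NamedTuple, Tuple

DEFAULT_LISTENER_PORT = 1122          # default shown on the Session Manager Configuration page


class CheckoutTarget(NamedTuple):
    """The three identifiers Session Manager reads from the SSH user name, plus its own host."""
    opam_user: str
    target_name: str
    account_name: str
    session_mgr_host: str


def validate_listener_port(port: int) -> int:
    """The listener port must be greater than 1024 (and a valid TCP port)."""
    if not 1024 < port <= 65535:
        raise ValueError(f"listener port must be greater than 1024 and at most 65535, got {port}")
    return port


def checkout_instruction(target: CheckoutTarget, port: int = DEFAULT_LISTENER_PORT) -> str:
    """Render the ssh command a user runs to open a session through Session Manager."""
    validate_listener_port(port)
    for label, part in zip(("opamuser", "targetname", "accountname"),
                           (target.opam_user, target.target_name, target.account_name)):
        # ':' and '@' separate the components, so they cannot appear inside one.
        if not part or any(ch in part for ch in ":@ "):
            raise ValueError(f"invalid {label}: {part!r}")
    if not target.session_mgr_host:
        raise ValueError("session manager host is required")
    user = f"{target.opam_user}:{target.target_name}:{target.account_name}"
    return f"ssh -p {port} {user}@{target.session_mgr_host}"


_INSTRUCTION = re.compile(r"^ssh\s+-p\s+(\d+)\s+([^:@\s]+):([^:@\s]+):([^:@\s]+)@(\S+)$")


def parse_checkout_instruction(command: str) -> Tuple[int, CheckoutTarget]:
    """Inverse of checkout_instruction: recover the port and the four identifiers,
    rejecting anything that does not match the convention or uses a reserved port."""
    match = _INSTRUCTION.match(command.strip())
    if match is None:
        raise ValueError("not a Session Manager checkout command")
    port = validate_listener_port(int(match.group(1)))
    return port, CheckoutTarget(*match.groups()[1:])


if __name__ == "__main__":
    # Constructed values; the real target and account names come from the checkout.
    sample = CheckoutTarget("alice", "proddb", "oracle", "sessionmgr.example.com")
    print(checkout_instruction(sample))
```

The password prompt that follows the command takes the user's Oracle Privileged Account Manager password, as the sample instruction message states; the privileged account's own password is never shown to the user.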