6 Working with Targets

This chapter describes the different tasks you can perform when working with targets in Oracle Privileged Account Manager.

This chapter includes the following sections:

  • Section 6.1, "What Are Targets?"

  • Section 6.2, "Adding Targets to Oracle Privileged Account Manager"

  • Section 6.3, "Searching for Targets"

  • Section 6.4, "Opening a Target"

  • Section 6.5, "Managing a Target's Service Account Password"

  • Section 6.6, "Removing Targets from Oracle Privileged Account Manager"

Note:

You can also use Oracle Privileged Account Manager's command line tool or Oracle Privileged Account Manager's RESTful interface to perform many of the tasks described in this chapter.

If you prefer using these interfaces instead of the Oracle Privileged Account Manager Console, refer to Appendix A, "Working with the Command Line Tool" or Appendix B, "Working with Oracle Privileged Account Manager's RESTful Interface" for instructions.

Note:

You must be an Oracle Privileged Account Manager administrator with the Security Administrator Admin Role to add, edit, or remove targets.

6.1 What Are Targets?

A target is a software system that contains, uses, and relies on user, system, or application accounts.

You cannot create targets in, or delete targets from, your environment by using Oracle Privileged Account Manager. Rather, Oracle Privileged Account Manager manages existing targets that were provisioned using other mechanisms.

When you "add" a target in Oracle Privileged Account Manager, you are creating a reference to that target. In effect, you are registering the target and asking Oracle Privileged Account Manager to manage it. When you "remove" a target from Oracle Privileged Account Manager, you are only removing that reference.

Oracle Privileged Account Manager supports database, LDAP, lockbox, and UNIX target types.

A lockbox target provides password vault-like functionality in Oracle Privileged Account Manager. That is, it provides a secure mechanism for storing the passwords (or any kind of sensitive information) associated with privileged accounts in your deployment. This target type is different from the other, conventional Oracle Privileged Account Manager target types in the following ways:

  • Oracle Privileged Account Manager does not interact with lockbox target systems. There is no connectivity to, or operations performed against, these systems.

  • Oracle Privileged Account Manager does not manage the password lifecycle or reset passwords associated with accounts on lockbox targets.

  • Password modifications are handled out-of-band and updated into Oracle Privileged Account Manager as an administrative action. Therefore, Oracle Privileged Account Manager does not randomize these passwords; rather, they are stored as given by the administrator.

A lockbox target may be preferable when you want to centrally store and securely grant privileged account passwords without having Oracle Privileged Account Manager automatically manage those accounts on the target systems, for example, when you want to control how and when the passwords on those target systems are modified rather than allowing Oracle Privileged Account Manager to do so.

Additionally, a lockbox target may be useful when an appropriate ICF connector is unavailable for a specific target type, but you still want to manage access to that system through Oracle Privileged Account Manager.

6.2 Adding Targets to Oracle Privileged Account Manager

Note:

When adding a target of any Target Type (except lockbox), you must configure a service account (also called an unattended account) with privileges that enable that account to

  • Search for accounts on the target system

  • Modify the passwords of accounts on the target system

You must never use the same account as a service account and as a privileged account to be managed by Oracle Privileged Account Manager.

For additional information about service accounts, see the description for attended and unattended accounts in Section 1.2.1, "Features" and refer to Chapter 7, "Working with Service Accounts."

Note:

If you are using Oracle Privileged Account Manager on IBM WebSphere, refer to "Differences When Adding Targets to Oracle Privileged Account Manager on IBM WebSphere" in the Oracle Fusion Middleware Third-Party Application Server Guide for Oracle Identity and Access Management for information about this topic.

Use the following steps to add a target for Oracle Privileged Account Manager to manage:

  1. Log in to Oracle Privileged Account Manager.

  2. Select Targets from the Administration accordion to open the Targets page.

  3. Click Add, located in the Search Results table toolbar. A new Target: Untitled page displays with two tabs:

    • General. Contains two areas with parameters used to specify Basic Configuration and Advanced Configuration information for the target.

    • Privileged Accounts. Lists the privileged accounts currently being managed on the target and enables you to add, open, and remove the accounts that are managed by that target.

  4. On the General tab, use the Target Type menu to select a target type (database, ldap, lockbox, or unix), and then set the remaining configuration parameters.

    Note:

    When you set the target type, the Target: Untitled page refreshes and the configuration parameters change, based on your selection.

    The following sections describe the available parameters for each target type:

      • Section 6.2.1, "database Target Type Parameters"

      • Section 6.2.2, "ldap Target Type Parameters"

      • Section 6.2.3, "lockbox Target Type Parameters"

      • Section 6.2.4, "unix Target Type Parameters"

    You must specify all of the required attributes (indicated by an asterisk * symbol).

  5. After setting the target configuration parameters, click Test to check the target's configuration.

    If the configuration is valid, a "Test Succeeded" message displays.

  6. Click Save to add your new target on the Oracle Privileged Account Manager server.

    Oracle Privileged Account Manager automatically assigns a Target GUID and you can view this read-only value at the bottom of the Basic Configuration parameters section.

You can now associate this target with a privileged account. For instructions, proceed to Section 8.2, "Adding Privileged Accounts into Oracle Privileged Account Manager."

6.2.1 database Target Type Parameters

When you select the database target type, the basic and advanced configuration parameters display. These parameters are described in the following tables:

Table 6-1 Basic Configuration Parameters for the database Target Type

Parameter Name Description

Target Name

Enter a name for the new target.

Description

Enter a description for this target.

Organization

Enter the name of an organization to associate with the target.

Domain

Enter the domain of the target server.

Password Policy

Select a Password Policy to apply to the target's service account. Oracle Privileged Account Manager uses this policy to auto-generate passwords.

Enable Password Rollover

Enable this box to allow Oracle Privileged Account Manager to automatically change (rollover) the service account password for this target to a randomized value according to the Expire password after setting that is specified in the assigned Password Policy.

Note: Password rollover for target service accounts is similar to password expiration for privileged accounts. If a password has not been changed by the expiration date configured in the associated Password Policy, then Oracle Privileged Account Manager will automatically change the password to a randomized value.

Host

Enter the host name of the target server.

Database Connection URL

Enter the JDBC URL used to identify the target system location. For example, for Oracle:

jdbc:oracle:thin:@<host>:<port>:<sid>

Note: Oracle Privileged Account Manager supports the Oracle, MSSQL, Sybase, and MySQL database types.

Refer to the Oracle Identity Manager Connector Guide for Database User Management for information about which special options are supported.

Admin User Name
(Service Account)

Enter the administrator's name to use when connecting to this target.

Note: If you are using the sys user name, you must enter internal_logon=sysdba in the Connection Properties field, which is located in the Advanced Configuration area. This entry is not required for "system."

Admin User Password
(Service Account Password)

Enter the user's password.

Database Type

Select the type of database (Oracle, MSSQL, Sybase, or MySQL) for which the connector will be used.

If you select an Oracle database target, then no driver jar is required. For other target systems, you must copy one of the following third-party jars:

  • For MSSQL: Copy the sqljdbc4.jar.

  • For MySQL: Copy the mysql-connector-java-5.1.20-bin.jar.

  • For Sybase: Copy the jconn4.jar.

You can use one of the following options to copy the jars:

Option 1: Copy these third-party jars to the WebLogic domain /lib directory, as described in "Adding JARs to the Domain /lib Directory" in Oracle Fusion Middleware Developing Applications for Oracle WebLogic Server.

Option 2: Modify the connector jars to include the third-party jars as follows:

  1. Make a back-up copy of the DBUM connector bundle, which is available in

    ORACLE_HOME/connectors/dbum/bundle/org.identityconnectors.dbum-1.0.1116.jar

  2. Create a temporary /lib folder and put the third-party jars in that folder.

  3. Update the bundle with the third-party jar:

    jar -uvf org.identityconnectors.dbum-1.0.1116.jar lib/JAR_NAME
    
  4. Remove the temporary /lib folder.

  5. Restart all Oracle Privileged Account Manager processes for the change to take effect.

For more information, refer to "Installing the Connector on the Connector Server" in the Oracle Identity Manager Connector Guide for Database User Management.
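The Option 2 steps above, as an added example that is not Oracle's own tooling: the same back-up, stage, update and verify sequence done with Python's zipfile module, since a .jar is a ZIP archive. The bundle and driver file names are the ones the page gives; the files demo() builds are constructed stand-ins.

```python
import shutil
import tempfile
import zipfile
from pathlib import Path

def update_connector_bundle(bundle, third_party_jar, backup_suffix=".bak"):
    """Add third_party_jar to the connector bundle as lib/<name> after backing it up.
    Equivalent to steps 1-4 above (back up, stage under lib/, jar -uvf, clean up);
    a .jar is a ZIP archive, so zipfile can append the entry directly.
    Returns the path of the backup copy."""
    bundle, third_party_jar = Path(bundle), Path(third_party_jar)
    arcname = "lib/" + third_party_jar.name
    with zipfile.ZipFile(bundle) as zf:
        if arcname in zf.namelist():
            # jar -uvf would silently replace the entry; refuse so the operator decides
            raise FileExistsError("%s already contains %s" % (bundle.name, arcname))
    backup = bundle.with_name(bundle.name + backup_suffix)
    shutil.copy2(bundle, backup)  # step 1: keep an untouched copy of the bundle
    with zipfile.ZipFile(bundle, "a", zipfile.ZIP_DEFLATED) as zf:
        zf.write(third_party_jar, arcname)  # steps 2-4: the jar -uvf ... lib/JAR_NAME step
    return backup

def bundle_entries(bundle):
    """List the entries in a bundle, to verify that the driver was added."""
    with zipfile.ZipFile(bundle) as zf:
        return zf.namelist()

def demo():
    """Build a throwaway bundle and driver jar (constructed stand-ins, not the real
    files), run the update once, then confirm a second run is refused.
    Returns (backup_exists, driver_in_bundle, driver_in_backup, second_run_refused)."""
    work = Path(tempfile.mkdtemp())
    bundle = work / "org.identityconnectors.dbum-1.0.1116.jar"
    with zipfile.ZipFile(bundle, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    driver = work / "sqljdbc4.jar"
    with zipfile.ZipFile(driver, "w") as zf:
        zf.writestr("placeholder.txt", "constructed stand-in for the vendor driver")
    backup = update_connector_bundle(bundle, driver)
    try:
        update_connector_bundle(bundle, driver)
        refused = False
    except FileExistsError:
        refused = True
    entry = "lib/sqljdbc4.jar"
    return (backup.exists(), entry in bundle_entries(bundle),
            entry in bundle_entries(backup), refused)

if __name__ == "__main__":
    print(demo())  # (True, True, False, True)
```

Restart all Oracle Privileged Account Manager processes afterwards, as step 5 requires; the script does not do that for you.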


The following Advanced Configuration parameter is optional:

Table 6-2 Advanced Configuration Parameters for the database Target Type

Parameter Name Description

Connection Properties

Enter connection properties to use while configuring a secured connection.

These properties must be name-value pairs in the following format: prop1=val1#prop2=val2
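As an added pre-save check that is not part of Oracle Privileged Account Manager, the following Python encodes the rules this chapter states for a database target: the name-value format of Connection Properties, the sys/internal_logon=sysdba requirement, and the rule that a service account is never also a managed privileged account. The TARGET values, the account names and the dictionary keys are constructed for the example.

```python
# Constructed database target settings, as entered on the General tab. The
# sys/internal_logon rule, the prop1=val1#prop2=val2 format and the
# service-account rule come from the page; the key names are this example's own.
TARGET = {
    "Target Name": "finance-db",
    "Database Type": "Oracle",
    "Database Connection URL": "jdbc:oracle:thin:@dbhost.example.com:1521:FINDB",
    "Admin User Name": "sys",
    "Connection Properties": "internal_logon=sysdba#oracle.net.CONNECT_TIMEOUT=10000",
}
# Privileged accounts an administrator plans to manage on this target (constructed).
PRIVILEGED_ACCOUNTS = ["sys", "scott"]

def parse_connection_properties(value):
    """Parse 'prop1=val1#prop2=val2' into a dict, rejecting malformed or duplicate pairs."""
    props = {}
    for pair in filter(None, (p.strip() for p in value.split("#"))):
        name, sep, val = pair.partition("=")
        name = name.strip()
        if not sep or not name:
            raise ValueError("malformed connection property: %r" % pair)
        if name in props:
            raise ValueError("duplicate connection property: %r" % name)
        props[name] = val.strip()
    return props

def check_database_target(target, privileged_accounts):
    """Return the findings that should block saving this target; an empty list means OK."""
    try:
        props = parse_connection_properties(target.get("Connection Properties", ""))
    except ValueError as err:
        return [str(err)]
    findings = []
    user = target.get("Admin User Name", "")
    if target.get("Database Type") == "Oracle":
        if not target.get("Database Connection URL", "").startswith("jdbc:oracle:thin:@"):
            findings.append("Oracle URL should have the form jdbc:oracle:thin:@<host>:<port>:<sid>")
        if user.lower() == "sys" and props.get("internal_logon") != "sysdba":
            findings.append("Admin User Name sys requires internal_logon=sysdba in Connection Properties")
    if user in privileged_accounts:
        findings.append("service account %r must not also be managed as a privileged account" % user)
    return findings

if __name__ == "__main__":
    for finding in check_database_target(TARGET, PRIVILEGED_ACCOUNTS):
        print("BLOCK:", finding)
```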


6.2.2 ldap Target Type Parameters

When you select the ldap target type, the basic and advanced configuration parameters display. These parameters are described in the following tables:

Table 6-3 Basic Configuration Parameters for the ldap Target Type

Parameter Name Description

Target Name

Enter a name for the new target.

Description

Enter a description for this target.

Organization

Enter the name of an organization to associate with the target.

Domain

Enter the domain of the target server.

Password Policy

Select a Password Policy to apply to the target's service account. Oracle Privileged Account Manager uses this policy to auto-generate passwords.

Host

Enter the host name of the target server.

TCP Port

Enter the TCP/IP port to use when communicating with the LDAP server.

You can use the up/down arrow icons to increment this value.

SSL

Enable this box to use Secure Socket Layer (SSL) when connecting to the LDAP server.

Note: For SSL connectivity, you must import an SSL certificate to the J2EE container hosting Oracle Privileged Account Manager. For more information, refer to Section 15.1, "Configuring Oracle Privileged Account Manager to Communicate With Target Systems Over SSL."

Principal
(Service Account)

Enter the distinguished name (DN) to use when authenticating to the LDAP server.

For example, cn=admin

Password
(Service Account Password)

Enter the user's password.

Base Contexts

Enter one or more starting points in the LDAP tree to use when searching the tree for users on the LDAP server or when looking for groups where the user is a member. Use a pipe (|) to separate values.

Account User Name Attribute

Enter the attribute to be used as the account's user name. (Default is uid.)


These Advanced Configuration parameters are optional:

Table 6-4 Advanced Configuration Parameters for the ldap Target Type

Parameter Name Description

Uid Attribute

Enter the name of the LDAP attribute that is mapped to the Uid attribute.

LDAP Filter for Retrieving Accounts

Enter an LDAP filter to control which accounts are returned from the LDAP resource.

If you do not specify a filter, Oracle Privileged Account Manager returns only those accounts that include all of the specified object classes.

Password Attribute

Enter the name of the LDAP attribute that holds the password.

When changing a user's password, Oracle Privileged Account Manager sets the new password in this attribute.

Account Object Classes

Enter one or more object classes to use when creating new user objects in the LDAP tree.

Type each object class on its own line. Do not use commas or semicolons to separate entries.

Some object classes require that you specify them in their class hierarchy, using a pipe (|) to separate the values.


6.2.3 lockbox Target Type Parameters

When you select the lockbox target type, only the following basic configuration parameters display:

Table 6-5 Basic Configuration Parameters for the lockbox Target Type

Parameter Name Description

Target Name

Enter a name for the new target.

Description

Enter a description for this target.

Organization

Enter the name of an organization to associate with the target.

Domain

Enter the domain of the target server.

Host

Enter the host name of the target server.


Note:

You can add configuration parameters to this list by editing the opam-config.xml file as described in Section 3.2.3, "Consuming ICF Connectors."

6.2.4 unix Target Type Parameters

When you select the unix target type, the basic and advanced configuration parameters display. These parameters are described in the following tables:

Table 6-6 Basic Configuration Parameters for the unix Target Type

Parameter Name Description

Target Name

Enter a name for the new target.

Description

Enter a description for this target.

Organization

Enter the name of an organization to associate with the target.

Domain

Enter the domain of the target server.

Password Policy

Select a Password Policy to apply to the target's service account. Oracle Privileged Account Manager uses this policy to auto-generate passwords.

Enable Password Rollover

Enable this box to allow Oracle Privileged Account Manager to automatically change (rollover) the service account password for this target to a randomized value according to the Expire password after setting that is specified in the assigned Password Policy.

Note: Password rollover for target service accounts is similar to password expiration for privileged accounts. If a password has not been changed by the expiration date configured in the associated Password Policy, then Oracle Privileged Account Manager will automatically change the password to a randomized value.

Host

Enter the host name of the target server.

Port

Enter the port used to connect with the UNIX server. You can use the up/down arrow icons to increment this value.

Note: Only the SSH protocol is supported. (Default port is 22.)

Login User
(Service Account)

Enter the user name to use when connecting to this target.

Login User Password
(Service Account Password)

Enter the user's password.

Login Shell Prompt

Enter the shell prompt to display when you log in to the target.

For example, $ or #.

Note: When using sudo authorization, the prompts for the login user and the sudo root account may be different. For example, jdoe's shell prompt might be $, but that prompt may change to # after a sudo to root. In such cases, you must specify both symbols within square brackets [ ]. The default value, [$#%>~], consists of all the commonly used UNIX shell prompts and will work for most situations.

Sudo authorization

Enable this box if the user requires sudo authorization.

Do not enable this box for the root user.

Note: When using sudo authorization, the UNIX connector requires that certain conditions must be met in the target system, such as a specific configuration in the sudoers file. For information about these conditions, refer to "Creating a Target System SUDO User Account for Connector Operations" in the Oracle Identity Manager Connector Guide for UNIX.


The following Advanced Configuration parameters are optional:

Table 6-7 Advanced Configuration Parameters for the unix Target Type

Parameter Name Description

Command timeout

Specify how long (in milliseconds) to wait for the command to complete before terminating that command.

Password Expect Expressions

Specify the expressions displayed on the target when setting the user's password. For example, if the Enter password and Re-enter password expressions are displayed when you run the passwd command, then the value for this field can be enter password,re-enter password.

Note: You can provide a regular expression here. Use a comma to separate the two expressions.

Pre-password expectExpression

When you run the passwd command on some targets, prompts can be displayed before the password prompts appear. Specify the prompt expression and the expected input value, using a comma to separate these values.

sudo password expectExpression

Specify the password prompt to be displayed when running a command in sudo mode. (Default value is password.)
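The prompt and expect settings above, as an added illustration that is not the connector's code: a replay of a constructed SSH session against the documented defaults, showing why the default [$#%>~] class recognizes both jdoe's $ prompt and root's # prompt after sudo, and how the comma-separated expressions are consumed in order. Case-insensitive matching is an assumption drawn from the page's "enter password" example; the transcript and the pre-password values are constructed.

```python
import re

# Settings as entered on a unix target's General tab. The prompt class and the sudo
# expression are the page's documented defaults; the other values are constructed.
LOGIN_SHELL_PROMPT = "[$#%>~]"
PASSWORD_EXPECT = "enter password,re-enter password"
PRE_PASSWORD_EXPECT = "current password,OldPassw0rd"  # "prompt expression,expected input"
SUDO_PASSWORD_EXPECT = "password"

# Constructed session transcript: jdoe's prompt is "$", root's prompt after sudo is "#".
SESSION = [
    "Last login: Mon Jan  1 09:00:00 from 10.0.0.5",
    "jdoe@dbhost:~$",
    "[sudo] password for jdoe:",
    "root@dbhost:~#",
    "Current password:",
    "Enter password:",
    "Re-enter password:",
    "passwd: password updated successfully",
    "root@dbhost:~#",
]

def prompt_regex(setting):
    """Match a line ending in one of the configured prompt symbols. A bracket class
    such as [$#%>~] is used as written; a single symbol such as $ is escaped."""
    is_class = setting.startswith("[") and setting.endswith("]")
    cls = setting if is_class else "[" + re.escape(setting) + "]"
    return re.compile(r".*" + cls + r"\s*$")

def expect_regexes(setting):
    """Split a comma-separated expect setting into ordered, case-insensitive regexes."""
    return [re.compile(p.strip(), re.IGNORECASE) for p in setting.split(",") if p.strip()]

def walk_session(lines, shell_prompt, password_expect, pre_password=None, sudo_expect=None):
    """Replay a transcript against the configured expressions.
    Returns (events, complete): events are (kind, line) pairs in match order and
    complete is True once every Password Expect Expression has been consumed."""
    prompt_re = prompt_regex(shell_prompt)
    pending = expect_regexes(password_expect)
    pre_re = reply = None
    if pre_password:
        expr, _, reply = pre_password.partition(",")
        pre_re = re.compile(expr.strip(), re.IGNORECASE)
    sudo_re = re.compile(sudo_expect, re.IGNORECASE) if sudo_expect else None
    consumed, events = 0, []
    for line in lines:
        if prompt_re.match(line):
            events.append(("prompt", line))
        elif pending and pending[0].search(line):
            pending.pop(0)
            consumed += 1
            events.append(("password", line))
        elif pre_re and consumed == 0 and pre_re.search(line):
            events.append(("pre-password", line))  # the connector would answer with `reply`
        elif sudo_re and consumed == 0 and sudo_re.search(line):
            # sudo asks before passwd runs; later output mentioning "password" is not a prompt
            events.append(("sudo", line))
    return events, not pending
```

Running the same transcript with Login Shell Prompt set to a bare $ recognizes only jdoe's prompt, which is the failure the bracket-class note above warns about.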


6.3 Searching for Targets

If you have administrator privileges, you can search for targets using the following criteria or a combination of these items:

  • Target Name

  • Target Type (All, database, ldap, lockbox, or unix)

  • Host Name

  • Domain

  • Description

To search for a target:

  1. Select Targets in the Administration accordion.

  2. When the Targets tab displays, use the Search portlet parameters to configure your search. For example,

    • To search for all LDAP targets, select ldap from the Target Type menu.

    • To search for all available targets, do not specify any search parameters.

  3. Click Search.

    Review your search results in the Search Results table.

6.4 Opening a Target

You can open a target to review and edit the target's configuration parameters and its associated privileged account parameters.

Use one of the following methods to open a target:

  • Click the Target Name (an active link) in the Search Results table.

  • Select the target's Row number and then click the Open icon.

The Target: TargetName page opens, where you can access the target and privileged account information.

6.5 Managing a Target's Service Account Password

Oracle Privileged Account Manager provides several options for managing a target's service account passwords, including:

  • Showing passwords

  • Viewing password history

  • Resetting passwords

  • Enabling password rollover

Administrators with the Security Administrator Admin Role can perform these password management tasks by using the Oracle Privileged Account Manager Console, command line tool, or REST API.

Note:

Oracle Privileged Account Manager audits password management actions to keep track of password access.

Note:

The procedures for showing and resetting a privileged account password are different from the procedures described in this section. Refer to Section 8.8, "Managing Privileged Account Passwords" for information.

6.6 Removing Targets from Oracle Privileged Account Manager

To remove a target, select the target from the Search Results table and then click the Remove icon.

WARNING:

When you remove a target, you also remove all information about the target that is stored in Oracle Privileged Account Manager (including privileged accounts).

Before removing a target, it is critical that you first capture all relevant information from that target. For example, save the target's service account password and any current passwords that are associated with the privileged accounts on the target.