This chapter describes how to finish configuring Oracle Privileged Account Manager after installation.
Note:
You can manage Oracle Privileged Account Manager from the Console, from the command line, and by using Oracle Privileged Account Manager's RESTful interface.
For information about starting and using the Oracle Privileged Account Manager Command Line Tool (CLI), refer to Appendix A, "Working with the Command Line Tool."
For information about starting and using the Oracle Privileged Account Manager RESTful interface, refer to Appendix B, "Working with Oracle Privileged Account Manager's RESTful Interface."
This chapter includes the following sections:
Section 3.2, "Understanding ICF Connectors in Oracle Privileged Account Manager"
Section 3.4, "Administering Oracle Privileged Account Manager"
Section 3.5, "Working with Oracle Privileged Account Manager Self-Service"
Note:
If you are using Oracle Privileged Account Manager on IBM WebSphere, refer to "Differences in Getting Started with Administering Oracle Privileged Account Manager" in the Oracle Fusion Middleware Third-Party Application Server Guide for Oracle Identity and Access Management for information about this topic.
This chapter assumes that you have installed and configured Oracle Privileged Account Manager 11g Release 2 (11.1.2) as described in Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
Before starting the final configuration steps needed to start Oracle Privileged Account Manager, Oracle recommends the following:
Read the "Configuring Oracle Privileged Account Manager" chapter in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
Review Table 3-1 to understand the default application URLs for various interfaces that you use to manage Oracle Privileged Account Manager in this release:
Table 3-1 Default Application URLs
Interface | Default URL |
---|---|
Oracle Identity Navigator | http://managedserver_host:managedserver_port/oinav/ |
Oracle WebLogic Server Administrative Console | http://adminserver_host:adminserver_port/console/ |
Oracle Privileged Account Manager Console | http://managedserver_host:managedserver_port/oinav/opam |
Oracle Privileged Account Manager Server | http://managedserver_host:managedserver_sslport/opam |
Review Table 3-2 to understand the various default ports for Oracle Privileged Account Manager in this release:
Port Type | Default Port | Description |
---|---|---|
Oracle Privileged Account Manager Server | 18102 | The default SSL-enabled port for the WebLogic Managed Server on which the Oracle Privileged Account Manager server is deployed. |
Oracle Privileged Account Manager Console | | The WebLogic Managed Server port on which the Oracle Privileged Account Manager Console is available by default. |
Oracle Privileged Session Manager (SSH) | 1222 | The default WebLogic Managed Server port on which Oracle Privileged Session Manager listens for SSH traffic. |
WebLogic Admin Console | | The default WebLogic Admin Server ports on which the WebLogic Admin Console is available. |
Review Table 3-3 to become familiar with the common directory variables that are used throughout this book:
Note:
For additional information about these directories, and other common directories used in most Oracle Identity and Access Management installations and configurations, refer to "Identifying Installation Directories" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management and "Understanding Oracle Fusion Middleware Concepts and Directory Structure" in the Oracle Fusion Middleware Installation Planning Guide for Oracle Identity and Access Management.
Table 3-3 Common Directories Used in Oracle Privileged Account Manager
Common Name | Description |
---|---|
 | Provide the location of your Oracle Middleware Home directory. The Middleware Home contains the Oracle WebLogic Server home and one or more Oracle Home directories. |
 | Provide the location of the Oracle Home directory where the Oracle Privileged Account Manager files were installed. An Oracle home resides within the directory structure of the Middleware home. |
 | Provide the location used by your WebLogic server. |
 | Provide the top-level directory of the domain. |
 | Provide the location of the Oracle BI Domain. |
Review "Starting or Stopping the Oracle Stack" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management, and use these instructions whenever this guide instructs you to start or stop the Oracle WebLogic Administration Server (Admin Server) or any of the various Managed Servers.
Oracle Privileged Account Manager enables you to secure, share, audit, and manage administrator-identified account credentials. To provide these capabilities, Oracle Privileged Account Manager must be able to access and manage privileged accounts on a target system.
Connectors enable Oracle Privileged Account Manager to interact with target systems, such as LDAP or Oracle Database, and to perform Oracle Privileged Account Manager-relevant administrative operations on those systems.
Oracle Privileged Account Manager leverages connectors that are compliant with the Identity Connector Framework (ICF) standard. By using this standard, you separate Oracle Privileged Account Manager from the mechanism it uses for connecting to targets. Therefore, in addition to connectors provided by vendors such as Oracle, you are free to build, test, and deploy your own ICF connectors into Oracle Privileged Account Manager.
This section describes how Oracle Privileged Account Manager consumes these ICF connectors. The topics include:
Note:
For more information about the Identity Connector Framework, refer to "Understanding the Identity Connector Framework" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
Oracle Privileged Account Manager ships with the following ICF-compliant connectors that were developed by Oracle:
Database User Management (DBUM) Connector
Generic LDAP Connector
Oracle Identity Manager Connector for UNIX
These connectors enable Oracle Privileged Account Manager to manage privileged accounts on a range of target systems belonging to the preceding types.
Oracle Privileged Account Manager can also use customer-created, ICF-compliant connectors, which empowers you to manage your proprietary systems by using Oracle Privileged Account Manager.
Note:
If you are only interested in using the connectors that ship with Oracle Privileged Account Manager, then no further action is required because these connectors come pre-configured out-of-the-box.
If you want to use other Oracle connectors or a custom connector, then refer to Section 15.3, "Adding New Connectors to an Existing Oracle Privileged Account Manager Installation" for more information.
For additional information about developing ICF-compliant connectors, refer to "Developing Identity Connectors" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
Because ICF connectors are generic, and useful in numerous contexts, a given Oracle installation puts all connector bundles into a single location on the file system. All components (such as Oracle Privileged Account Manager) that rely on these connector bundles can access them from this location:
ORACLE_HOME/connectors
The connectors that are pushed into ORACLE_HOME/connectors are actually shipped with Oracle Identity Manager. Of all the connectors in this directory, only the following three connectors are certified with Oracle Privileged Account Manager for this release:
Oracle Privileged Account Manager consumes ICF connectors by using the opam-config.xml file. The contents of this file provide the following information to Oracle Privileged Account Manager:
Where to pick up the ICF connector bundle (on the file system)
Which configuration attributes are relevant for the Oracle Privileged Account Manager use-cases
How to render the Oracle Privileged Account Manager Console when configuring connectivity to a target system using a particular connector
You will find the opam-config.xml file in the ORACLE_HOME/opam/config directory. The out-of-the-box image is configured to pick up and use the connector bundles that ship with the Oracle Identity Management Suite.
The opam-config.xsd file (also located in the ORACLE_HOME/opam/config directory) describes the schema for opam-config.xml. If you make any changes to the ORACLE_HOME/opam/config/opam-config.xml file, verify them against the opam-config.xsd file.
Caution:
Be sure to back up the original opam-config.xml file before attempting to edit that file.
This section provides some high-level information about starting and working with Oracle Privileged Account Manager. The topics include:
The procedures described in this section reference information and instructions contained in the following Oracle publications. If necessary, review the referenced concepts, terminology, and procedures before starting these procedures.
Table 3-4 Reference Publications
Note:
If you are using Oracle Privileged Account Manager on IBM WebSphere, you must start IBM WebSphere and perform some configuration steps before assigning the Application Configurator and invoking the Oracle Privileged Account Manager Console.
For more information about these tasks, refer to "Starting Oracle Privileged Account Manager on IBM WebSphere" in the Oracle Fusion Middleware Third-Party Application Server Guide for Oracle Identity and Access Management.
Oracle Privileged Account Manager administrators and users will probably never have to use the Oracle Identity Navigator interface except during the initial set-up of Oracle Privileged Account Manager.
Before you can start Oracle Privileged Account Manager, you must start the WebLogic servers and console.
Note:
For detailed information about starting WebLogic and Managed Servers, refer to "Starting or Stopping the Oracle Stack" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
You must have the appropriate Administration Role and credentials to start the server. Refer to Section 2.3.1, "Administration Role Types" for more information.
Connect the Node Manager to WLST by running the nmConnect command.
Refer to "Node Manager Commands" in the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference for instructions.
Start the WebLogic Admin Server. For example,
On UNIX, type
MW_HOME/user_projects/domains/DOMAIN_NAME/bin/startWebLogic.sh
On Windows, type
MW_HOME\user_projects\domains\DOMAIN_NAME\bin\startWebLogic.bat
Start the Oracle Privileged Account Manager Managed Server.
Open a browser and start the WebLogic Console from the following location:
http://adminserver_host:adminserver_port/console
This section describes how to configure a new, external identity store for Oracle Privileged Account Manager.
Note:
If you are using IBM WebSphere, you must configure a registry rather than an external identity store. Refer to "Configuring a Registry" in the Oracle Fusion Middleware Third-Party Application Server Guide for Oracle Identity and Access Management for instructions.
You must configure a domain identity store before you can view users when searching from the Oracle Identity Navigator Access Privileges pane. To configure the identity store as the main authentication source, you must configure the Oracle WebLogic Server domain where Oracle Identity Navigator is installed.
You can configure the domain identity store using Oracle Internet Directory or Oracle Virtual Directory with a supported LDAP-based directory server. You configure the identity store in the WebLogic Server Administration Console.
Note:
Oracle Privileged Account Manager can use any LDAP directory that is supported by Oracle WebLogic Server, as its identity store.
For more information about configuring an identity store, refer to "Configuring the Identity Store Service" in the Oracle Fusion Middleware Application Security Guide.
For information about other supported identity stores, refer to "System Requirements and Certification" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Navigator.
To configure the Oracle Internet Directory authenticator in Oracle WebLogic Server:
Log in to Oracle WebLogic Server Administration Console, and click Lock & Edit in the Change Center.
In Oracle WebLogic Server Administration Console, select Security Realms from the left pane and click the realm you are configuring. For example, the default realm is myrealm.
Select the Providers tab, then select the Authentication subtab.
Click New to launch the Create a New Authentication Provider page and complete the fields as follows:
Name: Enter a name for the Authentication provider. For example, MyOIDDirectory.
Type: Select OracleInternetDirectoryAuthenticator from the list.
Click OK to update the Authentication providers table.
In the Authentication providers table, click the newly added authenticator.
In Settings, select the Configuration tab, then select the Common tab.
On the Common tab, set the Control Flag to SUFFICIENT.
Setting the Control Flag attribute for the authenticator provider determines the ordered execution of the Authentication providers. The possible values for the Control Flag attribute are:
REQUIRED - This LoginModule must succeed. Even if it fails, authentication proceeds down the list of LoginModules for the configured Authentication providers. This setting is the default.
REQUISITE - This LoginModule must succeed. If other Authentication providers are configured and this LoginModule succeeds, authentication proceeds down the list of LoginModules. Otherwise, control is returned to the application.
SUFFICIENT - This LoginModule need not succeed. If it does succeed, return control to the application. If it fails and other Authentication providers are configured, authentication proceeds down the LoginModule list.
OPTIONAL - This LoginModule can succeed or fail. However, if all Authentication providers configured in a security realm have the JAAS Control Flag set to OPTIONAL, the user must pass the authentication test of one of the configured providers.
Click Save.
Select the Provider Specific tab and enter the following required settings using values for your environment:
Host: The host name of the Oracle Internet Directory server.
Port: The port number on which the Oracle Internet Directory server is listening.
Principal: The distinguished name (DN) of the Oracle Internet Directory user to be used to connect to the Oracle Internet Directory server. For example: cn=OIDUser,cn=users,dc=us,dc=mycompany,dc=com.
Credential: Password for the Oracle Internet Directory user entered as the Principal.
Group Base DN: The base distinguished name (DN) of the Oracle Internet Directory server tree that contains groups.
User Base DN: The base distinguished name (DN) of the Oracle Internet Directory server tree that contains users.
All Users Filter: LDAP search filter. Click More Info for details.
User From Name Filter: LDAP search filter. Click More Info for details.
User Name Attribute: The attribute that you want to use to authenticate (for example, cn, uid, or mail). For example, to authenticate using a user's email address you set this value to mail.
Click Save.
From the Settings for myrealm page, select the Providers tab, then select the Authentication tab.
Click Reorder.
Select the new authenticator and use the arrow buttons to move it into the first position in the list.
Click OK.
Click DefaultAuthenticator in the Authentication providers table to display the Settings for DefaultAuthenticator page.
Select the Configuration tab, then the Common tab, and select SUFFICIENT from the Control Flag list.
In the Change Center, click Activate Changes.
Restart Oracle WebLogic Server.
Verify your configuration and set-up by confirming that the users present in the LDAP directory (Oracle Internet Directory or Oracle Virtual Directory) can log in to Oracle Privileged Account Manager with no issues.
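The ordering and Control Flag steps above decide which provider gets the final say. The following simulator, added here as an example and not Oracle code, walks an ordered chain of providers under the standard JAAS Control Flag rules; the provider names follow the procedure, the user stores are constructed, and the second chain shows what happens when the OID authenticator is left at its REQUIRED default instead of SUFFICIENT (the WebLogic boot user in the embedded LDAP can no longer log in).

```python
"""Simulate how an ordered chain of WebLogic Authentication providers is
evaluated under the JAAS Control Flags. Added example, not Oracle code:
provider names follow the procedure, user stores are constructed, and the
decision rules are the standard JAAS login-phase rules."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL"


@dataclass
class Provider:
    name: str
    flag: str
    credentials: Dict[str, str]   # stand-in for the directory behind the LoginModule

    def login(self, user: str, password: str) -> bool:
        return self.credentials.get(user) == password


def authenticate(chain: List[Provider], user: str, password: str) -> Tuple[bool, List[str]]:
    """Walk the chain in order and return (overall result, trace).
    REQUIRED:   must succeed; a failure is remembered but the walk continues.
    REQUISITE:  must succeed; a failure returns control immediately.
    SUFFICIENT: a success returns control immediately unless an earlier
                REQUIRED/REQUISITE already failed; a failure just continues.
    OPTIONAL:   only matters when the chain has no REQUIRED/REQUISITE entry,
                in which case some SUFFICIENT or OPTIONAL entry must succeed."""
    trace: List[str] = []
    mandatory_failed = False
    has_mandatory = any(p.flag in (REQUIRED, REQUISITE) for p in chain)
    optional_ok = False
    for p in chain:
        ok = p.login(user, password)
        trace.append(f"{p.name}[{p.flag}]={'ok' if ok else 'fail'}")
        if p.flag == REQUIRED:
            mandatory_failed = mandatory_failed or not ok
        elif p.flag == REQUISITE:
            if not ok:
                trace.append("REQUISITE failed: return to application")
                return False, trace
        elif p.flag == SUFFICIENT:
            if ok and not mandatory_failed:
                trace.append("SUFFICIENT succeeded: return to application")
                return True, trace
            optional_ok = optional_ok or ok
        elif p.flag == OPTIONAL:
            optional_ok = optional_ok or ok
        else:
            raise ValueError(f"unknown Control Flag {p.flag!r}")
    if mandatory_failed:
        return False, trace
    return (True if has_mandatory else optional_ok), trace


# Constructed stores: an LDAP user in Oracle Internet Directory and the
# WebLogic boot user in the embedded LDAP behind DefaultAuthenticator.
OID_USERS = {"opamadmin": "ldap-secret"}
EMBEDDED_USERS = {"weblogic": "boot-secret"}


def as_documented() -> List[Provider]:
    """Chain the procedure produces: OID authenticator reordered to the first
    position, both providers set to SUFFICIENT."""
    return [Provider("MyOIDDirectory", SUFFICIENT, OID_USERS),
            Provider("DefaultAuthenticator", SUFFICIENT, EMBEDDED_USERS)]


def oid_left_required() -> List[Provider]:
    """Same order, but the OID authenticator left at its REQUIRED default."""
    return [Provider("MyOIDDirectory", REQUIRED, OID_USERS),
            Provider("DefaultAuthenticator", SUFFICIENT, EMBEDDED_USERS)]


if __name__ == "__main__":
    for label, chain in (("documented", as_documented()), ("OID REQUIRED", oid_left_required())):
        for user, pw in (("opamadmin", "ldap-secret"), ("weblogic", "boot-secret"), ("opamadmin", "wrong")):
            result, trace = authenticate(chain, user, pw)
            print(f"{label:12} {user:10} -> {'ACCEPT' if result else 'REJECT'}  {' ; '.join(trace)}")
```

Running it shows the documented chain accepting both the directory user and the boot user, while the REQUIRED variant rejects the boot user even though DefaultAuthenticator verified the password.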
To use Oracle Virtual Directory as the domain identity store, you must do the following:
Configure Oracle Virtual Directory with an LDAP-based server as described in "Creating LDAP Adapters" in Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory.
Configure the OVD authenticator in Oracle WebLogic Server as described in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help.
You must enable the Use Retrieved User Name As Principal option when configuring authenticators in Oracle WebLogic Server, as described in the preceding step 9.
Note:
If you are using an SSL-enabled identity store, follow the steps described in "SSL for the Identity Store Service" in the Oracle Fusion Middleware Application Security Guide.
If you want to use an external LDAP server to serve as an identity store, you must seed the identity store with the necessary Oracle Privileged Account Manager users and groups.
If you are using an Oracle Internet Directory directory or a third-party directory that is fronted by Oracle Virtual Directory as the identity store, then you can use the idmConfigTool to prepare the directory. When using the idmConfigTool, you must also extend the schema. Refer to Section 3.3.3.1, "Using the idmConfigTool to Prepare the Directory" for more information.
If you are using a different directory, then you must manually prepare that directory. Refer to Section 3.3.3.2, "Manually Preparing the Directory" for more information.
If you are preparing an Oracle Internet Directory directory or a third-party directory fronted by OVD as an identity store, then you can use the idmConfigTool to perform the following tasks:
Extend the Directory Schema for Oracle Privileged Account Manager
Create Users and Groups for Oracle Privileged Account Manager
Pre-configuring the identity store extends the schema in Oracle Internet Directory.
To pre-configure the identity store, you must perform the following tasks on IDMHOST1:
Set the environment variables: MW_HOME, JAVA_HOME, and ORACLE_HOME.
Set ORACLE_HOME to IAM_HOME.
Create a properties file, called extend.props, with the following contents:
IDSTORE_HOST: idstore.mycompany.com
IDSTORE_PORT: 389
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
IDSTORE_SEARCHBASE: dc=mycompany,dc=com
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=mycompany,dc=com
Where:
IDSTORE_HOST and IDSTORE_PORT are, respectively, the host and port of your identity store directory.
If you are using a non-OID directory, then specify the Oracle Virtual Directory host (which should be IDSTORE.mycompany.com).
If your identity store is in Oracle Internet Directory, then IDSTORE_HOST should point to Oracle Internet Directory, even if you are fronting Oracle Internet Directory with Oracle Virtual Directory.
IDSTORE_BINDDN is an administrative user in the identity store directory.
IDSTORE_USERSEARCHBASE is the location in the directory where users are stored.
IDSTORE_GROUPSEARCHBASE is the location in the directory where groups are stored.
IDSTORE_SEARCHBASE is the location in the directory where users and groups are stored.
IDSTORE_SYSTEMIDBASE is the location of a container in the directory where users can be placed when you do not want them in the main user container. While this situation rarely occurs, one example is an Oracle Identity Manager reconciliation user who is also used as the bind DN user in Oracle Virtual Directory adapters.
IDSTORE_USERNAMEATTRIBUTE is the LDAP attribute that contains the username. This attribute is usually CN.
IDSTORE_LOGINATTRIBUTE is the LDAP attribute that contains the user's login name.
Configure the identity store by using the idmConfigTool command, which is located at:
IAM_HOME/idmtools/bin
Note:
When you run the idmConfigTool command, it creates or appends to the idmDomainConfig.param file. This file is generated in the same directory where you run the idmConfigTool command.
To ensure that you append to the same file each time you run the tool, always run idmConfigTool from the following directory:
IAM_HOME/idmtools/bin
On Linux, the command syntax is:
idmConfigTool.sh -preConfigIDStore input_file=configfile
On Windows, the command syntax is:
idmConfigTool.bat -preConfigIDStore input_file=configfile
For example:
idmConfigTool.sh -preConfigIDStore input_file=extend.props
When the command runs, you are prompted to enter the password of the account that you are using to connect to the identity store.
Sample command output, when running the command against Oracle Virtual Directory:
Enter ID Store Bind DN password:
May 25, 2011 2:37:18 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/idm_idstore_groups_template.ldif
May 25, 2011 2:37:18 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/idm_idstore_groups_acl_template.ldif
May 25, 2011 2:37:18 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/systemid_pwdpolicy.ldif
May 25, 2011 2:37:18 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/idstore_tuning.ldif
May 25, 2011 2:37:18 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oid_schema_extn.ldif
May 25, 2011 2:37:19 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/oam/server/oim-intg/schema/OID_oblix_pwd_schema_add.ldif
May 25, 2011 2:37:19 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/oam/server/oim-intg/schema/OID_oim_pwd_schema_add.ldif
May 25, 2011 2:37:19 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/oam/server/oim-intg/schema/OID_oblix_schema_add.ldif
May 25, 2011 2:37:34 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/oam/server/oim-intg/schema/OID_oblix_schema_index_add.ldif
The tool has completed its operation. Details have been logged to automation.log
A file named automation.log is created in the directory from where you ran the tool. Check this log file for any errors or warnings and correct them.
Note:
In addition to creating users, the idmConfigTool creates these groups:
OrclPolicyAndCredentialWritePrivilegeGroup
OrclPolicyAndCredentialReadPrivilegeGroup
Refer to Oracle Fusion Middleware Integration Overview for Oracle Identity Management Suite for more information about the idmConfigTool command.
If you plan to implement Oracle Privileged Account Manager in your topology, you must seed the identity store with the users and groups that are required by Oracle Privileged Account Manager.
Note:
The use of apm and APM in the following procedure is appropriate for setting up the users and groups required by Oracle Privileged Account Manager.
To create the necessary users and groups, perform the following tasks on IDMHOST1:
Set the environment variables: MW_HOME, JAVA_HOME, and ORACLE_HOME.
Set ORACLE_HOME to IAM_HOME.
Create a properties file, called apm.props, with the following contents:
IDSTORE_HOST: idstore.mycompany.com
IDSTORE_PORT: 389
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
IDSTORE_SEARCHBASE: dc=mycompany,dc=com
POLICYSTORE_SHARES_IDSTORE: true
IDSTORE_APMUSER: opamadmin
Where:
IDSTORE_HOST and IDSTORE_PORT are, respectively, the host and port of your identity store directory.
If you are using a non-OID directory, then specify the Oracle Virtual Directory host (which should be IDSTORE.mycompany.com).
If your identity store is in Oracle Internet Directory, then IDSTORE_HOST should point to Oracle Internet Directory, even if you are fronting Oracle Internet Directory with Oracle Virtual Directory.
IDSTORE_BINDDN is an administrative user in the identity store directory.
IDSTORE_USERNAMEATTRIBUTE is the LDAP attribute that contains the username. This attribute is usually CN.
IDSTORE_LOGINATTRIBUTE is the LDAP attribute that contains the user's login name.
IDSTORE_USERSEARCHBASE is the location in the directory where users are stored.
IDSTORE_GROUPSEARCHBASE is the location in the directory where groups are stored.
IDSTORE_SEARCHBASE is the location in the directory where users and groups are stored.
POLICYSTORE_SHARES_IDSTORE: if your policy and identity stores are in the same directory, set this to true; if they are not in the same directory, set it to false.
IDSTORE_APMUSER is the name of the user you want to create as your Oracle Privileged Account Manager administrator.
In addition to creating the users, this command assigns the users to the groups created in Section 3.1, "Before You Begin."
Configure the identity store by using the idmConfigTool command, which is located at:
IAM_HOME/idmtools/bin
Note:
When you run the idmConfigTool command, it creates or appends to the idmDomainConfig.param file. This file is generated in the same directory where you run the idmConfigTool command.
To ensure that you append to the same file each time you run the tool, always run idmConfigTool from the following directory:
IAM_HOME/idmtools/bin
On Linux, the command syntax is:
idmConfigTool.sh -prepareIDStore mode=APM input_file=configfile
On Windows, the command syntax is:
idmConfigTool.bat -prepareIDStore mode=APM input_file=configfile
For example:
idmConfigTool.sh -prepareIDStore mode=APM input_file=apm.props
When the command runs, you are prompted to enter the password of the account that you are using to connect to the identity store.
Sample command output:
Enter ID Store Bind DN password :
Feb 18, 2013 10:10:35 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/common/templates/oinav_template_oid.ldif
*** Creation of APM User ***
Feb 18, 2013 10:10:35 PM oracle.ldap.util.LDIFLoader loadOneLdifFile
INFO: -> LOADING: /u01/app/oracle/product/fmw/iam/idmtools/templates/oid/oam_user_template.ldif
Enter User Password for opamadmin:
Confirm User Password for opamadmin:
The tool has completed its operation. Details have been logged to automation.log
A file named automation.log is created in the directory from where you ran the tool. Check this log file for any errors or warnings and correct them.
Refer to Oracle Fusion Middleware Integration Overview for Oracle Identity Management Suite for more information about the idmConfigTool command.
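Both idmConfigTool procedures above (extend.props for -preConfigIDStore and apm.props for -prepareIDStore mode=APM) take a small KEY: value file, and a mistyped search base or port is only reported after the tool has already bound to the directory. The following pre-flight checker is an added example, not part of idmConfigTool: it parses that file format, confirms the keys each mode's sample file carries are present, and checks that the user, group and system-ID containers actually sit under IDSTORE_SEARCHBASE. The required-key lists and consistency rules are assumptions drawn from the sample files, not rules the tool itself enforces.

```python
"""Pre-flight check for the idmConfigTool property files shown above.
Added example, not part of idmConfigTool; the sample contents are the ones
from the two procedures, and the checks are assumptions about what a
consistent file looks like rather than rules enforced by the tool."""
from typing import Dict, List

# Keys each procedure's sample file carries; the APM file drops
# IDSTORE_SYSTEMIDBASE and adds the policy-store and admin-user keys.
PRECONFIG_KEYS = [
    "IDSTORE_HOST", "IDSTORE_PORT", "IDSTORE_BINDDN",
    "IDSTORE_USERNAMEATTRIBUTE", "IDSTORE_LOGINATTRIBUTE",
    "IDSTORE_USERSEARCHBASE", "IDSTORE_GROUPSEARCHBASE",
    "IDSTORE_SEARCHBASE", "IDSTORE_SYSTEMIDBASE",
]
APM_KEYS = [k for k in PRECONFIG_KEYS if k != "IDSTORE_SYSTEMIDBASE"] + [
    "POLICYSTORE_SHARES_IDSTORE", "IDSTORE_APMUSER",
]
CONTAINER_KEYS = ("IDSTORE_USERSEARCHBASE", "IDSTORE_GROUPSEARCHBASE",
                  "IDSTORE_SYSTEMIDBASE")


def parse_props(text: str) -> Dict[str, str]:
    """Parse 'KEY: value' lines; blank lines and '#' comments are skipped."""
    props: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected 'KEY: value', got {raw!r}")
        key, value = line.split(":", 1)   # split on the first ':' only
        props[key.strip()] = value.strip()
    return props


def dn_under(child: str, base: str) -> bool:
    """True if child equals base or lies beneath it (naive RDN comparison;
    no escaping or attribute-type aliasing is handled)."""
    c = [r.strip().lower() for r in child.split(",")]
    b = [r.strip().lower() for r in base.split(",")]
    return len(c) >= len(b) and c[len(c) - len(b):] == b


def check_props(props: Dict[str, str], mode: str) -> List[str]:
    """Return the list of problems found; an empty list means consistent.
    mode is 'PRECONFIG' (extend.props) or 'APM' (apm.props)."""
    required = APM_KEYS if mode == "APM" else PRECONFIG_KEYS
    problems = [f"missing or empty {k}" for k in required if not props.get(k)]
    if problems:
        return problems            # the remaining checks need every key present
    port = props["IDSTORE_PORT"]
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        problems.append(f"IDSTORE_PORT {port!r} is not a valid TCP port")
    if "=" not in props["IDSTORE_BINDDN"]:
        problems.append("IDSTORE_BINDDN does not look like a DN")
    base = props["IDSTORE_SEARCHBASE"]
    for k in CONTAINER_KEYS:
        if k in props and not dn_under(props[k], base):
            problems.append(f"{k} {props[k]!r} is not under IDSTORE_SEARCHBASE {base!r}")
    if mode == "APM":
        flag = props["POLICYSTORE_SHARES_IDSTORE"]
        if flag not in ("true", "false"):
            problems.append(f"POLICYSTORE_SHARES_IDSTORE must be true or false, got {flag!r}")
    return problems


# Constructed sample files, copied from the two procedures above.
EXTEND_PROPS = """\
IDSTORE_HOST: idstore.mycompany.com
IDSTORE_PORT: 389
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=mycompany,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=mycompany,dc=com
IDSTORE_SEARCHBASE: dc=mycompany,dc=com
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=mycompany,dc=com
"""
APM_PROPS = EXTEND_PROPS.replace(
    "IDSTORE_SYSTEMIDBASE: cn=systemids,dc=mycompany,dc=com\n", ""
) + "POLICYSTORE_SHARES_IDSTORE: true\nIDSTORE_APMUSER: opamadmin\n"

if __name__ == "__main__":
    for name, text, mode in (("extend.props", EXTEND_PROPS, "PRECONFIG"),
                             ("apm.props", APM_PROPS, "APM")):
        issues = check_props(parse_props(text), mode)
        print(name, "OK" if not issues else issues)
```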
Use the following steps to manually prepare your directory:
Identify the group container that you will be using for the Oracle Privileged Account Manager Admin Roles in your LDAP Directory. (The group container is the "Group Base DN" in your WebLogic Authenticator configuration.)
Refer to "Configuring Authentication Providers" in the Oracle Fusion Middleware Securing Oracle WebLogic Server for more information.
Create the Oracle Privileged Account Manager Admin Roles in the LDAP group container that you identified in Step 1.
If necessary, refer to Section 2.3.1, "Administration Role Types" for a list of the roles that must be created and their purpose.
Assign the appropriate users to these roles.
For example, Section 3.3.4, "Assigning the Application Configurator Role to a User" describes how to assign a role by using Oracle Identity Navigator. However, you can also assign roles by using other mechanisms (such as an LDAP Browser, a provisioning system such as Oracle Identity Manager, etc.) that can update the LDAP Directory.
After installation, you do not have any users present with administrator roles. You must select a user and grant that person the Application Configurator role by using Oracle Identity Navigator.
Note:
Refer to "Assigning a Common Admin Role" in Oracle Fusion Middleware Administrator's Guide for Oracle Identity Navigator for instructions.
The Application Configurator user can have other roles in addition to this role. For more information about other Admin Roles, refer to Section 2.3.1, "Administration Role Types."
When the Application Configurator user logs in by using the following URL, that user will see an empty screen with a Configure OPAM link.
http://managedserver_host:managedserver_port/oinav/opam
The Application Configurator user can use this link to tell the Oracle Privileged Account Manager Console where the Oracle Privileged Account Manager server is running by providing the Oracle Privileged Account Manager server's host and port.
When the Oracle Privileged Account Manager Console can successfully communicate with the Oracle Privileged Account Manager server, the Oracle Privileged Account Manager Console will be populated with content.
You are now ready to start using Oracle Privileged Account Manager.
For information about invoking and working with the Oracle Privileged Account Manager Console, refer to Chapter 4, "Starting and Using the Oracle Privileged Account Manager Console."
If you prefer using the Oracle Privileged Account Manager Command Line Tool (CLI), refer to Appendix A, "Working with the Command Line Tool."
If you prefer using the Oracle Privileged Account Manager RESTful interface, refer to Appendix B, "Working with Oracle Privileged Account Manager's RESTful Interface."
The following table describes the basic workflows that are performed by Oracle Privileged Account Manager administrator users based on their different Admin Roles.
Note:
An administrator with the Application Configurator Admin Role should have already configured a connection to the Oracle Privileged Account Manager servers. Refer to Section 5.2.2, "Configuring a Connection to the Oracle Privileged Account Manager Server" for more information.
Table 3-5 Administrator Workflows Based on Admin Roles
Note:
For more information about these Admin Roles, refer to Section 2.3.1, "Administration Role Types."
The following steps describe the basic workflow of a Self-Service user with no administrator privileges:
View accounts
Search for an account
Check out accounts
View checked-out accounts
Check in accounts
Check out a session
View checked out sessions
Check in a session
View an account password
Note:
Refer to Chapter 12, "Working with Self-Service" for detailed information about how to perform these tasks.