7 Working with Service Accounts

This chapter provides background information about OPAM service accounts, including an example for creating those accounts.

The topics in this chapter include:

  • Understanding Service Accounts

  • Creating Service Accounts

  • Managing Service Account Passwords

7.1 Understanding Service Accounts

Before adding a target to Oracle Privileged Account Manager, you must configure an OPAM service account (also called an unattended account) for that target. OPAM service accounts (service accounts) enable Oracle Privileged Account Manager to connect to and manage target systems.

You use an OPAM service account to configure the credentials for a target system.

Note:

  • Service accounts do not apply for lockbox-type targets.

  • Never use the same account as a service account and a privileged account to be managed by Oracle Privileged Account Manager.

A service account must have sufficient privileges to perform all Oracle Privileged Account Manager-related operations on the target system, such as:

  • Searching for and viewing details about the accounts on the target. This privilege is used by every operation that must locate an account, such as looking up and adding privileged accounts to the system and finding the account during checkout.

  • Changing account passwords on the target. This privilege is used by every operation that involves a password change, such as checkout, check-in, and resetpassword.

  • Changing its own password. This privilege is used when Oracle Privileged Account Manager resets or rolls over the target's service account password, that is, the password of the service account itself.

7.2 Creating Service Accounts

This section provides information about creating a service account to use when connecting to a target system.

Note:

Never use the same account as both a service account and a privileged account to be managed by Oracle Privileged Account Manager.

The methods for creating a service account and assigning privileges to that account depend on the target system. For example, the steps for creating accounts and assigning roles on an Oracle Database system are different from the steps for a UNIX operating system.

The following examples illustrate two methods for creating a service account:

Note:

These examples are only provided as a reference. You can achieve the same result by using other means.

On an Oracle Database System:

  1. Start SQL*Plus and connect as the sys user.

  2. Run the following commands to create the opamsrvc account (replace each <password> placeholder with the actual password):

    connect sys/<password> as sysdba
    create user opamsrvc identified by <password>;
    grant connect, dba to opamsrvc;
    

On a Linux System:

  1. Log in to the Linux system as root.

  2. Run the following commands to create the opam_service account (the command is one line; the backslash continues it across the line break):

    $ useradd -d /home/opam_service -m -g root -G bin,daemon,sys,adm,disk,wheel \
        -o -u 0 opam_service
    $ passwd opam_service
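
The following shell script is an added example, not part of the Oracle documentation, that verifies the Linux service account after the steps above: the account exists with UID 0 (as created with -o -u 0), is a member of wheel, and no UID-0 account other than root and the service account has appeared on the host. The passwd and group data it parses are constructed samples; on a real host, pass the output of getent passwd and getent group instead.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): post-creation check for
# the Linux service account. Data is passed as arguments so the script can be
# run against constructed input; on a real host use "$(getent passwd)" and
# "$(getent group)".

# Constructed sample data standing in for /etc/passwd and /etc/group.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
opam_service:x:0:0::/home/opam_service:/bin/bash'
SAMPLE_GROUP='root:x:0:
wheel:x:10:opam_service
bin:x:1:opam_service,daemon'

# Print, one per line, every account whose UID is 0 (root-equivalent).
uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 { print $1 }'
}

# Succeed if user $1 is listed as a member of group $2 in the group data $3.
in_group() {
    printf '%s\n' "$3" | awk -F: -v g="$2" -v u="$1" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Verify the service account: it must be UID 0, be in wheel, and no UID-0
# account other than root and the service account may exist.
check_service_account() {
    user=$1; passwd_data=$2; group_data=$3
    uid0=$(uid0_accounts "$passwd_data")
    printf '%s\n' "$uid0" | grep -qx "$user" || { echo "$user missing or not UID 0"; return 1; }
    in_group "$user" wheel "$group_data" || { echo "$user not in wheel"; return 1; }
    extra=$(printf '%s\n' "$uid0" | grep -vx -e root -e "$user" || true)
    [ -z "$extra" ] || { echo "unexpected UID-0 accounts: $extra"; return 1; }
    echo "$user OK"
}

check_service_account opam_service "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
```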
    

7.3 Managing Service Account Passwords

Oracle Privileged Account Manager provides the following options for managing a target's service account passwords:

  • Showing Service Account Passwords

  • Viewing the Password History

  • Resetting Service Account Passwords

  • Understanding Service Account Password Rollover

Administrators with the Security Administrator Admin Role can perform these password management tasks by using the Oracle Privileged Account Manager Console, command line tool, or REST API.

Note:

Oracle Privileged Account Manager audits password management actions to keep track of password access.

7.3.1 Showing Service Account Passwords

If necessary, you can review the stored password for a target's service account by using the Show Password option, located above the Search Results table on the Targets page.

Note:

  • This option is not applicable to the lockbox target type; selecting it returns an "Operation not supported" error message.

  • If someone changes a target's service account password from a location other than the current Oracle Privileged Account Manager instance, such as from another Oracle Privileged Account Manager instance in a different domain, the Show Password feature cannot display the new password and connections to the target will fail.

    To resolve this situation, you must update the password in Oracle Privileged Account Manager by editing the target from the Console or from the command line.

Use the following steps:

  1. Select Targets in the Administration accordion.

  2. When the Targets tab displays, use the Search portlet to locate the target.

  3. Select the target row number and then click Show Password.

    The Show Current Password dialog displays and provides the following information about the target's service account password:

    • Target Name

    • Service Account Name

    • Current Password

    • Password Change Time

  4. When you are finished, click Close.

7.3.2 Viewing the Password History

Use the Password History option to view the password history for a target's service account.

Note:

Password History is not available for lockbox targets.

To view a target's password history:

  1. Select Targets in the Administration accordion to open the Search Targets page, and then click Search.

  2. Select the row number of the target.

  3. When the Password History icon becomes active, click the icon.

    The Show Password History dialog displays the Target Name, the Password in clear text, and the Modification Time (the date and time of the password reset).

  4. When you are finished, click Close.

7.3.3 Resetting Service Account Passwords

If necessary, you can manually reset the stored password for a target's service account by using the Reset Password option, located above the Search Results table.

Note:

The Reset Password option is not applicable to the lockbox or ldap target types; if selected for such a target, it returns an "Operation not supported" error message.

Use the following steps:

  1. Select Targets in the Administration accordion.

  2. When the Targets tab displays, use the Search portlet to locate the target.

  3. Select the target row number and then click Reset Password.

    The Reset Password dialog displays and provides the following information about the target's service account password:

    • Target Name

    • Service Account Name

    This dialog also contains two options for resetting the password:

    • New Password: Type a new password into the space provided.

    • Generate password automatically: Enable the checkbox to automatically generate a password, according to the account's Password Policy.

  4. Type a new password or enable the checkbox, and then click Reset.

7.3.4 Understanding Service Account Password Rollover

When you create a service account for a target, the service account is governed by the target's Password Policy.

Password rollover for a target's service account is similar to password expiration for privileged accounts. If you enable password rollover for the service account, and the password has not been changed by the expiration date configured in the associated Password Policy, then Oracle Privileged Account Manager will automatically change the password to a randomized value.

Note:

Refer to Section 6.2, "Adding Targets to Oracle Privileged Account Manager" for information about enabling password rollover for the different target types.