This chapter describes the different tasks you can perform when working with targets in Oracle Privileged Account Manager.
This chapter includes the following sections:
Section 6.2, "Adding Targets to Oracle Privileged Account Manager"
Section 6.6, "Removing Targets from Oracle Privileged Account Manager"
Note:
You can also use Oracle Privileged Account Manager's command line tool or Oracle Privileged Account Manager's RESTful interface to perform many of the tasks described in this chapter.
If you prefer using these interfaces instead of the Oracle Privileged Account Manager Console, refer to Appendix A, "Working with the Command Line Tool" or Appendix B, "Working with Oracle Privileged Account Manager's RESTful Interface" for instructions.
Note:
You must be an Oracle Privileged Account Manager administrator with the Security Administrator Admin Role to add, edit, or remove targets.
A target is a software system that contains, uses, and relies on user, system, or application accounts.
You cannot create targets in, or delete targets from, your environment by using Oracle Privileged Account Manager. Rather, Oracle Privileged Account Manager manages existing targets that were provisioned using other mechanisms.
When you "add" a target in Oracle Privileged Account Manager, you are creating a reference to that target. In effect, you are registering the target and asking Oracle Privileged Account Manager to manage it. When you "remove" a target from Oracle Privileged Account Manager, you are only removing that reference.
Oracle Privileged Account Manager supports database, LDAP, lockbox, and UNIX target types.
A lockbox target provides password vault-like functionality in Oracle Privileged Account Manager. That is, it provides a secure mechanism for storing the passwords (or any kind of sensitive information) associated with privileged accounts in your deployment. This target type is different from the other, conventional Oracle Privileged Account Manager target types in the following ways:
Oracle Privileged Account Manager does not interact with lockbox target systems. There is no connectivity to, or operations performed against, these systems.
Oracle Privileged Account Manager does not manage the password lifecycle or reset passwords associated with accounts on lockbox targets.
Password modifications are handled out-of-band and updated in Oracle Privileged Account Manager as an administrative action. Therefore, Oracle Privileged Account Manager does not randomize these passwords; rather, they are stored exactly as the administrator provides them.
A lockbox target may be preferable when you want to centrally store and securely grant privileged account passwords without having Oracle Privileged Account Manager automatically manage those accounts on the target systems. For example, you may want to control how and when the passwords on those target systems are modified, rather than allowing Oracle Privileged Account Manager to do so.
Additionally, a lockbox target may be useful when an appropriate ICF connector is unavailable for a specific target type, but you still want to manage access to that system through Oracle Privileged Account Manager.
Note:
When adding a target of any Target Type (except lockbox), you must configure a service account (also called an unattended account) with privileges that enable that account to:
Search for accounts on the target system
Modify the passwords of accounts on the target system
You must never use the same account as a service account and as a privileged account to be managed by Oracle Privileged Account Manager.
For additional information about service accounts, see the description for attended and unattended accounts in Section 1.2.1, "Features" and refer to Chapter 7, "Working with Service Accounts."
Note:
If you are using Oracle Privileged Account Manager on IBM WebSphere, refer to "Differences When Adding Targets to Oracle Privileged Account Manager on IBM WebSphere" in the Oracle Fusion Middleware Third-Party Application Server Guide for Oracle Identity and Access Management for information about this topic.
Use the following steps to add a target for Oracle Privileged Account Manager to manage:
Log in to Oracle Privileged Account Manager.
Select Targets from the Administration accordion to open the Targets page.
Click Add, located in the Search Results table toolbar. A new Target: Untitled page displays with two tabs:
General. Contains two areas with parameters used to specify Basic Configuration and Advanced Configuration information for the target.
Privileged Accounts. Lists the privileged accounts currently being managed on the target and enables you to add, open, and remove the accounts that are managed by that target.
On the General tab, use the Target Type menu to select a target type (database, ldap, lockbox, or unix), and then set the remaining configuration parameters.
Note:
When you set the target type, the Target: Untitled page refreshes and the configuration parameters change, based on your selection.
The following sections describe the available parameters for each target type:
You must specify all of the required attributes (indicated by an asterisk * symbol).
After setting the target configuration parameters, click Test to check the target's configuration.
If the configuration is valid, a "Test Succeeded" message displays.
Click Save to add your new target on the Oracle Privileged Account Manager server.
Oracle Privileged Account Manager automatically assigns a Target GUID and you can view this read-only value at the bottom of the Basic Configuration parameters section.
You can now associate this target with a privileged account. For instructions, proceed to Section 8.2, "Adding Privileged Accounts into Oracle Privileged Account Manager."
When you select the database target type, the basic and advanced configuration parameters display. These parameters are described in the following tables:
Table 6-1 Basic Configuration Parameters for the database Target Type
Parameter Name | Description |
---|---|
Target Name | Enter a name for the new target. |
Description | Enter a description for this target. |
Organization | Enter the name of an organization to associate with the target. |
Domain | Enter the domain of the target server. |
Password Policy | Select a Password Policy to apply to the target's service account. Oracle Privileged Account Manager uses this policy to auto-generate passwords. |
Enable Password Rollover | Enable this box to allow Oracle Privileged Account Manager to automatically change (roll over) the service account password for this target to a randomized value according to the Expire password after setting that is specified in the assigned Password Policy. Note: Password rollover for target service accounts is similar to password expiration for privileged accounts. If a password has not been changed by the expiration date configured in the associated Password Policy, then Oracle Privileged Account Manager will automatically change the password to a randomized value. |
Host | Enter the host name of the target server. |
Database Connection URL | Enter the JDBC URL used to identify the target system location. For Oracle: jdbc:oracle:thin:@<host>:<port>:<sid>. Note: Oracle Privileged Account Manager supports the Oracle, MSSQL, Sybase, and MySQL database types. Refer to the Oracle Identity Manager Connector Guide for Database User Management for information about which special options are supported. |
Admin User Name | Enter the administrator's name to use when connecting to this target. Note: If you are using the |
Admin User Password | Enter the user's password. |
Database Type | Select the type of database (Oracle, MSSQL, Sybase, or MySQL) for which the connector will be used. If you select an Oracle database target, then no driver jar is required. For other target systems, you must copy one of the following third-party jars: You can use one of the following options to copy the jars: Option 1: Copy these third-party jars to the WebLogic domain. Option 2: Modify the connector jars to include the third-party jars as follows: For more information, refer to "Installing the Connector on the Connector Server" in the Oracle Identity Manager Connector Guide for Database User Management. |
The following Advanced Configuration parameter is optional:
When you select the ldap target type, the basic and advanced configuration parameters display. These parameters are described in the following tables:
Table 6-3 Basic Configuration Parameters for the ldap Target Type
Parameter Name | Description |
---|---|
Target Name | Enter a name for the new target. |
Description | Enter a description for this target. |
Organization | Enter the name of an organization to associate with the target. |
Domain | Enter the domain of the target server. |
Password Policy | Select a Password Policy to apply to the target's service account. Oracle Privileged Account Manager uses this policy to auto-generate passwords. |
Host | Enter the host name of the target server. |
TCP Port | Enter the TCP/IP port to use when communicating with the LDAP server. You can use the up/down arrow icons to increment this value. |
SSL | Enable this box to use Secure Socket Layer (SSL) when connecting to the LDAP server. Note: For SSL connectivity, you must import an SSL certificate into the J2EE container hosting Oracle Privileged Account Manager. For more information, refer to Section 15.1, "Configuring Oracle Privileged Account Manager to Communicate With Target Systems Over SSL." |
Principal | Enter the distinguished name (DN) to use when authenticating to the LDAP server. For example, cn=admin |
Password | Enter the user's password. |
Base Contexts | Enter one or more starting points in the LDAP tree to use when searching the tree for users on the LDAP server or when looking for groups where the user is a member. Use a pipe (|) to separate values. |
Account User Name Attribute | Enter the attribute to be used as the account's user name. |
These Advanced Configuration parameters are optional:
Table 6-4 Advanced Configuration Parameters for the ldap Target Type
Parameter Name | Description |
---|---|
Uid Attribute | Enter the name of the LDAP attribute that is mapped to the Uid attribute. |
LDAP Filter for Retrieving Accounts | Enter an LDAP filter to control which accounts are returned from the LDAP resource. If you do not specify a filter, Oracle Privileged Account Manager returns only those accounts that include all of the specified object classes. |
Password Attribute | Enter the name of the LDAP attribute that holds the password. When changing a user's password, Oracle Privileged Account Manager sets the new password in this attribute. |
Account Object Classes | Enter one or more object classes to use when creating new user objects in the LDAP tree. Type each object class on its own line. Do not use commas or semicolons to separate entries. Some object classes require that you specify them in their class hierarchy, using a pipe (|) to separate the values. |
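The following helpers illustrate the ldap target field conventions documented in Tables 6-3 and 6-4 (pipe-separated Base Contexts, one Account Object Class per line with pipe-separated class hierarchies, and the default "all object classes must match" behaviour when no LDAP Filter is set). This is an added example, not Oracle Privileged Account Manager code; the field values and the DN syntax check are constructed assumptions.

```python
import re

# Constructed sample field values (not from a real deployment).
BASE_CONTEXTS = "ou=people,dc=example,dc=com | ou=svc,dc=example,dc=com"
ACCOUNT_OBJECT_CLASSES = "top|person|inetOrgPerson\nposixAccount\n"

# Loose DN check (assumption): one or more attr=value RDNs joined by commas.
_DN_RE = re.compile(r"^[A-Za-z][\w-]*=[^,]+(,[A-Za-z][\w-]*=[^,]+)*$")


def split_base_contexts(value):
    """Split the pipe-separated Base Contexts field and reject malformed DNs."""
    contexts = [c.strip() for c in value.split("|") if c.strip()]
    bad = [c for c in contexts if not _DN_RE.match(c)]
    if bad:
        raise ValueError(f"Base Contexts contain malformed DNs: {bad}")
    return contexts


def expand_object_classes(value):
    """One object class per line; a line such as top|person|inetOrgPerson is a
    class hierarchy, so every member of it becomes a required object class."""
    classes = []
    for line in value.splitlines():
        for oc in line.split("|"):
            oc = oc.strip()
            if "," in oc or ";" in oc:  # the field forbids these separators
                raise ValueError(f"use one class per line, not separators: {oc!r}")
            if oc and oc not in classes:
                classes.append(oc)
    if not classes:
        raise ValueError("at least one Account Object Class is required")
    return classes


def effective_account_filter(object_classes, ldap_filter=""):
    """Administrator-supplied filter when present; otherwise an AND of every
    configured object class, matching the documented default behaviour."""
    ldap_filter = ldap_filter.strip()
    if ldap_filter:
        if ldap_filter.count("(") != ldap_filter.count(")"):
            raise ValueError("LDAP Filter has unbalanced parentheses")
        return ldap_filter
    return "(&" + "".join(f"(objectClass={oc})" for oc in object_classes) + ")"


def planned_searches(base_contexts, object_classes, ldap_filter=""):
    """Pair each base context with the filter the account search will use."""
    flt = effective_account_filter(expand_object_classes(object_classes), ldap_filter)
    return [(base, flt) for base in split_base_contexts(base_contexts)]
```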
When you select the lockbox target type, only the following basic configuration parameters display:
Table 6-5 Basic Configuration Parameters for the lockbox Target Type
Parameter Name | Description |
---|---|
Target Name | Enter a name for the new target. |
Description | Enter a description for this target. |
Organization | Enter the name of an organization to associate with the target. |
Domain | Enter the domain of the target server. |
Host | Enter the host name of the target server. |
Note:
You can add configuration parameters to this list by editing the opam-config.xml file as described in Section 3.2.3, "Consuming ICF Connectors."
When you select the unix target type, the basic and advanced configuration parameters display. These parameters are described in the following tables:
Table 6-6 Basic Configuration Parameters for the unix Target Type
The following Advanced Configuration parameters are optional:
Table 6-7 Advanced Configuration Parameters for the unix Target Type
Parameter Name | Description |
---|---|
Command timeout | Specify how long (in milliseconds) to wait for the command to complete before terminating that command. |
Password Expect Expressions | Specify the expressions displayed on the target when setting the user's password. For example, if the Note: You can provide a regular expression here. Use a comma to separate the two expressions. |
Pre-password expectExpression | When you run the |
sudo password expectExpression | Specify the password prompt to be displayed when running a command in sudo mode. (Default value is |
If you have administrator privileges, you can search for targets using the following criteria or a combination of these items:
Target Name
Target Type (All, database, ldap, lockbox, or unix)
Host Name
Domain
Description
To search for a target,
Select Targets in the Administration accordion.
When the Targets tab displays, use the Search portlet parameters to configure your search. For example,
To search for all LDAP targets, select ldap from the Target Type menu.
To search for all available targets, do not specify any search parameters.
Click Search.
Review your search results in the Search Results table.
You can open a target to review and edit the target's configuration parameters and its associated privileged account parameters.
Use one of the following methods to open a target:
Click the Target Name (an active link) in the Search Results table.
Select the target's Row number and then click the Open icon.
The Target: TargetName page opens where you can access the target and privileged account information.
Oracle Privileged Account Manager provides several options for managing a target's service account passwords, including:
Showing passwords
Viewing password history
Resetting passwords
Enabling password rollover
Administrators with the Security Administrator Admin Role can perform these password management tasks by using the Oracle Privileged Account Manager Console, command line tool, or REST API.
Note:
For information about managing passwords by using the Console, refer to Section 7.3, "Managing Service Account Passwords."
For command line instructions, refer to Section A.4, "Working with Targets."
For REST API instructions, refer to Section B.5, "Target Resource."
Oracle Privileged Account Manager audits password management actions to keep track of password access.
Note:
The procedures for showing and resetting a privileged account password are different from the procedures described in this section. Refer to Section 8.8, "Managing Privileged Account Passwords" for information.
To remove a target, select the target from the Search Results table and then click the Remove icon.
WARNING:
When you remove a target, you also remove all information about the target that is stored in Oracle Privileged Account Manager (including privileged accounts).
Before removing a target, it is critical that you first capture all relevant information from that target. For example, save the target's service account password and any current passwords that are associated with the privileged accounts on the target.