9 Oracle Privileged Account Manager

This chapter describes issues associated with Oracle Privileged Account Manager.


9.1 What's New in Oracle Privileged Account Manager 11g Release 2 (11.1.2.3.0)

Oracle Privileged Account Manager 11g Release 2 (11.1.2.3.0) has the following key new features:

9.1.1 Support for Connector Servers

Support has been added for the use of connector servers. Users can configure and manage connector servers in Oracle Privileged Account Manager to work with different connectors and their associated targets.

9.1.2 Support for New Targets

Support has been added for the use of additional targets. Users can configure Oracle Privileged Account Manager to use and work with the Windows, SSH, SAP UM, and SAP UME targets.

9.1.3 Support for Windows Session Recording Using the Windows Agent

Oracle Privileged Account Manager provides session recording playback for Windows targets. This feature reads the session data from the Oracle Privileged Account Manager Server and replays it as a video. The enhanced session recording makes it possible to replay the session from the execution of a specific event of interest: for every event, a clickable link is provided that plays the session video from that point. This functionality is made available through an agent configured for Windows targets. This agent for Windows targets, or Windows agent, is deployed directly on the target with which Oracle Privileged Account Manager interacts, and it enables the recording and playback of events.

9.1.4 Enhanced Session Recording Capabilities

Oracle Privileged Account Manager provides a session transcript for SSH sessions. The transcript view contains a region where the transcript text is loaded and another region that contains an outline of all the commands issued to the target system, along with their timestamps. Each command in the outline is a clickable link that, when clicked, points to the region of the transcript where the command occurs.

9.1.5 Enhanced Password Checkout Capabilities

Oracle Privileged Account Manager provides the ability to directly copy a password to a clipboard when an account is checked out. Therefore, the need to display the password on the screen in plain text is reduced. A user can click a button in the UI to copy the password to the clipboard. The user can also clear the copied password from the clipboard using the clear clipboard functionality, after the password has been used.

9.1.6 Support for Resource Groups

Oracle Privileged Account Manager provides support for administrators to create, modify, and delete resource groups which contain a group of resources. This allows administrators to delegate their administration privileges on resource groups to other users and roles. Oracle Privileged Account Manager also provides support for managing delegated administration in Oracle Privileged Account Manager interfaces such as REST APIs, Oracle Privileged Account Manager Console, and the Oracle Privileged Account Manager command line tool.

9.1.7 Enhanced Reporting Capabilities

Oracle Privileged Account Manager provides enhanced reporting capabilities that present data visualizations such as bar graphs and pie charts, comprehensive reports about account name, target name, target type, user, checkout type, checkout date, recording and other vital data about actions performed in Oracle Privileged Account Manager.

9.1.8 Enhanced Plug-In Framework

Oracle Privileged Account Manager provides additional filtering rules to improve manageability and reduce the logic required in plug-in implementations. Support for retry operations also provides fault tolerance during network unavailability, host outages, and similar situations. While configuring plug-ins, the create-like function displays the required custom attributes and their defaults, so users can easily create similar plug-ins or configure new ones.

9.1.9 Enhanced Usage Policies

Oracle Privileged Account Manager provides support for administrators to limit the actions that a user with access to a session can perform. These limits, or constraints, can be applied at different levels: they control SSH or SCP sessions, interactive or non-interactive modes within SSH sessions, and command-level actions. Administrators can specify replacements for commands and enable these constraints by configuring or extending the usage policies.

9.1.10 Improved UI in the Oracle Privileged Account Manager Console

The user interface (UI) of the Oracle Privileged Account Manager console has been improved to present a simplified design with minimalistic design elements. The new UI enables ease of access and clear presentation of data. The UI also includes changes within the console to accommodate the new features added in this release of Oracle Privileged Account Manager.

9.2 General Issues and Workarounds

This section describes general issues and workarounds.

9.2.1 No Translation (Messages or Help) Support for OPAM Command Line Tools

Oracle Privileged Account Manager command-line tool messages and help were not translated in the Oracle Privileged Account Manager 11.1.2.0.0 release.

Translation support for the Oracle Privileged Account Manager command-line tool messages and help will be provided after the 11.1.2.0.0 release.

9.2.2 Deprecated Features for Oracle Privileged Account Manager RESTful API

The following table lists the Oracle Privileged Account Manager RESTful APIs that were available in the Oracle Fusion Middleware 11g Release 2 (11.1.2.1.0) release and then deprecated in 11g Release 2 (11.1.2.2.0). In addition, this table lists the new, equivalent APIs and provides links to topics in the Oracle Fusion Middleware Administrator's Guide for Oracle Privileged Account Manager that describe how to use the new APIs.

Deprecated API (11gR2 11.1.2.1.0)                      | New API (11gR2 11.1.2.2.0)                            | Refer to This Topic
------------------------------------------------------ | ----------------------------------------------------- | --------------------------------------------------------------------------
Show Service Account Password in the Target Resource   | Show Service Account Password in the Target Resource  | "Show Service Account Password" in the "Target Resource" section
Show Password in the Account Resource                  | Show Password in Account Resource                     | "Show Password" in the "Account Resource" section
Show Password History in the Account Resource          | Show Password History in Account Resource             | "Show Password History" in the "Account Resource" section
Search Accounts in the UI Resource                     | Search Accounts in Account Resource                   | "Search Accounts" in the "Account Resource" section
Search Assigned Accounts in the UI Resource            | Search Assigned Accounts in Account Resource          | "Search Assigned Accounts" in the "Account Resource" section
Get All Checked Out Accounts in the UI Resource        | Get All Checked Out Accounts in Account Resource      | "Get All Checked Out Accounts" in the "Account Resource" section

9.2.3 Thread Count Continuously Increases During Oracle Privileged Session Manager Session Checkouts

To prevent thread counts from continuously increasing as Oracle Privileged Session Manager session checkouts progress, you must configure the following idle connection timeouts on each Unix target node so that a connection that has been idle for 20 minutes is closed:

ClientAliveInterval 600
ClientAliveCountMax 2

Where the ClientAliveInterval value is in seconds.

For example, on Linux, you must edit the /etc/ssh/sshd_config file to add these parameters.

Note:

For more information about the ClientAliveInterval and ClientAliveCountMax keywords, refer to the sshd_config UNIX man page.
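A check for this setting, added here as an example and not taken from the Oracle release notes: it reads an sshd_config file, computes the idle timeout sshd will enforce (ClientAliveInterval multiplied by ClientAliveCountMax) and flags nodes where the result is not the required 20 minutes. The sample configuration files are constructed; on a real target node you would point the functions at /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not part of the Oracle release notes: compute the idle
# timeout sshd will enforce from ClientAliveInterval and ClientAliveCountMax,
# so each Unix target node can be verified to close an idle Oracle Privileged
# Session Manager connection after 20 minutes. Assumes OpenSSH's rule that
# the first occurrence of a keyword wins; values inside Match blocks are
# not read.

# Print the first uncommented value of keyword $2 in config file $1, or the
# default $3 if the keyword is absent before any Match block.
sshd_value() {
    awk -v key="$2" -v def="$3" '
        /^[[:space:]]*#/ { next }                    # skip comment lines
        tolower($1) == "match" { exit }              # stop at the first Match block
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Print the idle seconds after which sshd drops the session (interval x
# count). OpenSSH defaults are ClientAliveInterval 0 (keepalives disabled,
# so the session is never closed) and ClientAliveCountMax 3.
idle_timeout_seconds() {
    interval=$(sshd_value "$1" ClientAliveInterval 0)
    count=$(sshd_value "$1" ClientAliveCountMax 3)
    echo $((interval * count))
}

# Succeed only when the config yields the 20-minute (1200 s) timeout that
# the release notes require.
check_idle_timeout() {
    [ "$(idle_timeout_seconds "$1")" -eq 1200 ]
}

# Constructed sample configs for a stand-alone run, not real target files.
GOOD_CFG=$(mktemp); BAD_CFG=$(mktemp)
printf 'Port 22\nClientAliveInterval 600\nClientAliveCountMax 2\n' > "$GOOD_CFG"
printf 'Port 22\n# ClientAliveInterval 600\n' > "$BAD_CFG"

for cfg in "$GOOD_CFG" "$BAD_CFG"; do
    if check_idle_timeout "$cfg"; then
        echo "$cfg: idle timeout $(idle_timeout_seconds "$cfg") s, OK"
    else
        echo "$cfg: idle timeout $(idle_timeout_seconds "$cfg") s, will NOT close after 20 minutes"
    fi
done
```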

9.2.4 Unlimited Tablespace Privilege Missing When Using Oracle Database 12.1

Oracle Privileged Account Manager operations fail with a database error when you use Oracle Database 12.1.0.1 or higher. This error is displayed in the Oracle Privileged Account Manager server logs and is similar to the following:

<Error> <oracle.idm.opam> <BEA-000000> <OPAMSQLManager.executeUpdateStatementSQLException occurred SQLErrorCode=1950 SQLErrorMesg=ORA-01950: no privileges on tablespace 'DEV_OPAM_BINSTORE'>

Oracle Database removed the Unlimited Tablespace privilege that was assigned to the Resource DB role, starting with the 12.1 release. The removal of this privilege has caused issues for Oracle Privileged Account Manager operations. For a description of the Oracle Database 12.1 release changes, refer to the following:

http://docs.oracle.com/cd/E16655_01/network.121/e17607/release_changes.htm#DBSEG941

Workaround: Log in to Oracle Database using SQL*Plus as the SYS user. Run the following SQL command to grant unlimited tablespace to the Oracle Privileged Account Manager schema user:

grant unlimited tablespace to <opam_schema>;

For example, if the Oracle Privileged Account Manager schema name is dev_opam, then you would run the following command:

grant unlimited tablespace to dev_opam;

9.2.5 Session Checkout Does Not Appear In "My Checkouts"

Session Checkouts will not appear in the My Checkouts list unless you use the same (case sensitive) username to log in to the Oracle Privileged Account Manager GUI Console that you used to initiate the session.

9.2.6 A User With an Application Configurator Role Cannot Duplicate an Active Plug-In

When a user logs in with the app_config role and duplicates an existing active plug-in, it is not possible to save the new plug-in. This is because the Active status is carried over and cannot be changed: a user who logs in with the app_config role does not have the privilege to change the status.

Workaround: To duplicate a plug-in as a user with the Application Configurator role, you must manually create a new plug-in and copy or type the required values.

9.2.7 Issues After Upgrading From Oracle Privileged Session Manager 11g Release 2 Patchset 1 to Oracle Privileged Session Manager 11g Release 2 Patchset 3

After upgrading Oracle Privileged Session Manager from Release 2 Patchset 1 (R2PS1) to Release 2 Patchset 3 (R2PS3), issues occur while configuring the OPAM Session Manager and the OPAM Console Application if any name other than "opam_server1" is used for the server managed by Oracle Privileged Account Manager (the OPAM-managed server).

The Oracle Privileged Account Manager GUI Console and session manager will not be deployed on the OPAM-managed server. There is no functional loss from the pre-upgrade state. However, the new session manager functionality will not be available, and the Oracle Privileged Account Manager console application will be available only on the Admin Server.

Workaround: Perform the following procedures to work around this issue:

  • To deploy the Session Manager application from the Oracle Privileged Account Manager GUI Console, perform the following procedure:

    1. Log in to the WebLogic console.

    2. Click Deployments and then click Install.

    3. Add the following:

      $ORACLE_HOME/opam/modules/opamsessionmgr.ear_11.1.2/

    4. Select opamsessionmgr.ear.

    5. Select OPAM Managed Servers as deployment targets.

    6. Click Finish.

  • To target the oinav application on an OPAM-managed server, perform the following procedure:

    1. Log in to the WebLogic console.

    2. Click Deployments and expand OINAV(11.1.1.3.0).

    3. Click the Targets tab, select OINAV(11.1.1.3.0) Enterprise Application and click Change Targets.

    4. Select OPAM Managed Servers and click Yes.

9.3 Configuration Issues and Workarounds

This section describes configuration issues and their workarounds.

9.3.1 Use Absolute Paths While Running configureSecurityStore.py With -m Join

The Configure Security Store step fails to create the policy store object when variables such as ORACLE_HOME and MW_HOME are used while running wlst.sh with configureSecurityStore.py and -m join.

Always use absolute paths for ORACLE_HOME and MW_HOME while running the command for -m join.

9.3.2 The configureSecurityStore.py Script Fails on Windows 8.1 64-Bit

The "configureSecurityStore.py" script fails on Windows 8.1 Enterprise 64-bit during the installation of Oracle Privileged Account Manager.

To work around this issue, after configuring the Oracle Privileged Account Manager domain with the "config.bat" batch file, apply Patch 17342539. To obtain the patch, go to the following URL, click Patches and Updates, and search for the patch number:

https://support.oracle.com/

You must download and extract the contents of the patch and perform the procedure provided in the "README.txt" file. After performing the procedure, rerun the "configureSecurityStore.py" script.

9.4 Documentation Errata

There are no documentation errata items for the Oracle Fusion Middleware Administrator's Guide for Oracle Privileged Account Manager 11g Release 2 (11.1.2.3.0), Part Number E52312-01.