This chapter explains how to configure Oracle Privileged Account Manager.
It includes the following topics:
Optional: Enabling TDE in Oracle Privileged Account Manager Data Store
Configuring Oracle Privileged Account Manager in a New WebLogic Domain
Getting Started with Oracle Privileged Account Manager After Installation
For an introduction to the Oracle Privileged Account Manager, see "Understanding Oracle Privileged Account Manager" in Administering Oracle Privileged Account Manager.
Before you start configuring Oracle Privileged Account Manager, note that IAM_HOME is used to refer to the Oracle Home directory that includes Oracle Identity Manager, Oracle Access Management, Oracle Adaptive Access Manager, Oracle Entitlements Server, Oracle Privileged Account Manager, Oracle Access Management Mobile and Social, and Oracle Mobile Security Suite. You can specify any path for this Oracle Home directory.
Table 8-1 lists the tasks for configuring Oracle Privileged Account Manager.
Table 8-1 Configuration Flow for Oracle Privileged Account Manager
No. | Task | Description |
---|---|---|
1 |
Optional: Enable TDE in OPAM data store. |
For more information, see Section 8.4, "Optional: Enabling TDE in Oracle Privileged Account Manager Data Store" |
2 |
Run the Oracle Fusion Middleware Configuration Wizard to configure your Oracle Identity and Access Management products in a new or existing WebLogic domain. |
For more information, see Section 8.5, "Configuring Oracle Privileged Account Manager in a New WebLogic Domain". |
3 |
Configure the Database Security Store. |
For more information, see Section 8.6, "Configuring the Database Security Store." |
4 |
Complete the post-installation tasks. |
Complete the following post-installation tasks: |
Oracle Privileged Account Manager can operate with Oracle Database TDE (Transparent Data Encryption) mode. You can choose to either enable or disable the TDE mode. Oracle strongly recommends to enable the TDE mode for enhanced security.
This section includes the following topics:
For information about enabling Transparent Data Encryption (TDE) in the database for Oracle Privileged Account Manager, refer to one of the following procedures, depending on the Oracle Database version you are using:
To enable TDE in Oracle Database Release 11.2, refer to the "Enabling Transparent Data Encryption" topic in the Oracle Database Advanced Security Administrator's Guide.
To enable TDE in Oracle Database Release 12.1, refer to the "Configuring Transparent Data Encryption" topic in the Oracle Database Advanced Security Guide.
For more information, see "Securing Stored Data Using Transparent Data Encryption" in the Oracle Database Advanced Security Administrator's Guide.
After enabling TDE in the database for Oracle Privileged Account Manager, you must enable encryption in OPAM schema, as described in Section 8.4.2, "Enabling Encryption in OPAM Schema".
To enable encryption in the OPAM schema, run the opamxencrypt.sql
script with the OPAM schema user, using sqlplus or any other client.
IAM_HOME
/opam/sql/opamxencrypt.sql
Example:
sqlplus DEV_OPAM/welcome1 @IAM_HOME/opam/sql/opamxencrypt.sql
This topic describes how to configure Oracle Privileged Account Manager in a new WebLogic administration domain. It includes the following sections:
Perform the configuration in this topic if you want to configure Oracle Privileged Account Manager in a new WebLogic domain.
Performing the configuration in this section deploys Oracle Privileged Account Manager on a new WebLogic domain.
The configuration in this section depends on the following:
Oracle WebLogic Server 11g Release 1 (10.3.6)
Installation of the Oracle Identity and Access Management 11g software.
Database schemas for Oracle Privileged Account Manager. For more information, see Section 3.2.5, "Creating Database Schemas Using the Oracle Fusion Middleware Repository Creation Utility (RCU)".
Perform the following steps to configure Oracle Privileged Account Manager in a new WebLogic administration domain:
Start the Oracle Fusion Middleware Configuration Wizard by running the IAM_HOME/
common/bin/config.sh
script (on Linux or UNIX) or IAM_HOME\
common\bin\config.cmd
(on Windows).
The Welcome screen of the Oracle Fusion Middleware Configuration Wizard appears.
Note:
IAM_HOME
is used as an example here. You must run this script from your Oracle Identity and Access Management Home directory that contains Oracle Identity Manager, Oracle Access Management, Oracle Adaptive Access Manager, Oracle Entitlements Server, Oracle Privileged Account Manager, Oracle Access Management Mobile and Social, and Oracle Mobile Security Suite.On the Welcome screen, select Create a new WebLogic domain, and click Next. The Select Domain Source screen appears.
On the Select Domain Source screen, ensure that the Generate a domain configured automatically to support the following products: option is selected. Select Oracle Privileged Account Manager - 11.1.2.0.0 [IAM_HOME].
Note:
When you select the Oracle Privileged Account Manager - 11.1.2.0.0 [IAM_HOME] option, the following options are also selected, by default:Oracle Platform Security Service 11.1.1.0 [IAM_HOME]
Oracle JRF 11.1.1.0 [oracle_common]
Oracle OPSS Metadata for JRF 11.1.1.0 [oracle_common]
Click Next. The Specify Domain Name and Location screen appears.
Enter a name and a location for the domain to be created, and click Next. The Configure Administrator User Name and Password screen appears.
Note:
The default locations for the domain home and application home areMW_HOME
/user_projects/domains
and MW_HOME
/user_projects/applications
, respectively. However, it is recommended that you create your domain and application home directories outside of both the Middleware home and Oracle home.Configure a user name and a password for the administrator. The default user name is weblogic
. Click Next.
The Configure Server Start Mode and JDK screen appears. Choose a JDK from the Available JDKs and select a mode under WebLogic Domain Startup Mode. Click Next.
On the Configure JDBC Component Schema screen, select a component schema, such as the OPAM Schema or the OPSS Schema, that you want to modify.
You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next. The Test JDBC Component Schema screen appears.
If the test fails, click Previous, correct the issue, and try again.
After the test succeeds, click Next. The Select Optional Configuration screen appears.
On the Select Optional Configuration screen, you can configure the following:
Administration Server
Managed Servers, Clusters and Machines
Deployments and Services
RDBMS Security Store
Select the desired options, and click Next.
Optional: Configure the following Administration Server parameters:
Name
Listen address
Listen port
SSL listen port
SSL enabled or disabled
Optional: Configure Managed Servers, as required.
Note:
The default Managed Server name where Oracle Privileged Account Manager is deployed isopam_server1
.
For more information, see "Configure Managed Servers" in Oracle Fusion Middleware Creating Domains Using the Configuration Wizard.
Optional: Configure Clusters, as required.
For more information about configuring clusters for Oracle Identity and Access Management products, see the "Configuring High Availability for Oracle Identity and Access Management Components" topic in the High Availability Guide.
Optional: Assign Managed Servers to clusters, as required.
Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.
Tip:
Before configuring a machine, use theping
command to verify whether the machine or host name is accessible.Optional: Assign the Administration Server to a machine.
Optional: Assign the Managed Server to a machine.
Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.
Optional: Configure RDBMS Security Store, as required.
On the Configuration Summary screen, you can view summaries of your configuration for deployments, application, and service. Review the domain configuration, and click Create to start creating the domain.
By default, a new WebLogic domain to support Oracle Privileged Account Manager is created in the MW_HOME
\user_projects\domains
directory (on Windows). On Linux or UNIX, the domain is created in the MW_HOME
/user_projects/domains
directory, by default.
After configuring Oracle Privileged Account Manager in a new WebLogic administration domain and before starting the Oracle WebLogic Administration Server, you must configure the Database Security Store by running the configureSecurityStore.py
script. For more information, see Chapter 11, "Configuring Database Security Store for an Oracle Identity and Access Management Domain."
After installing and configuring Oracle Privileged Account Manager, you must start the Oracle WebLogic Administration Server, as described in Appendix C, "Starting the Stack".
After installing and configuring Oracle Privileged Account Manager, you must run the opam-config.sh
script (on Linux or UNIX) or opam-config.bat
script (on Windows).
Before executing the script, ensure that the WebLogic Administration Server is running. For more information on starting the Oracle WebLogic Administration Server, see Appendix C, "Starting the Stack".
Note:
If you are extending a domain, ensure that the WebLogic Administration Server is restarted before running theopam-config.sh
script (on Linux or UNIX), or opam-config.bat
script (on Windows).Set up ANT_HOME
, ORACLE_HOME
, JAVA_HOME
and the permgen
size.
For example:
On Windows:
set ORACLE_HOME= ##set Oracle_Home here## set ANT_HOME=MW_HOME\modules\org.apache.ant_1.7.1 set JAVA_HOME=MW_HOME\jdk160_14_R27.6.4-18 set ANT_OPTS=-Xmx512M -XX:MaxPermSize=512m
On Linux or UNIX:
set ORACLE_HOME ##set Oracle_Home here## set ANT_HOME $MW_HOME/modules/org.apache.ant_1.7.1 set JAVA_HOME $MW_HOME/jdk160_14_R27.6.5-32 set ANT_OPTS "-Xmx512M -XX:MaxPermSize=512m"
Note:
On 64-bit platforms, when you install Oracle WebLogic Server using the generic jar file, JDK is not installed with Oracle WebLogic Server. You must install JDK separately, before installing Oracle WebLogic Server. In this case, you must specify theJAVA_HOME
location accordingly.Go to IAM_HOME
/opam/bin
directory and run the opam-config.sh
script (on Linux or UNIX) or opam-config.bat
script (on Windows). Provide the following information, when prompted:
Oracle WebLogic Administration user name
Oracle WebLogic Administration password
Oracle WebLogic Administration Server URL
Oracle WebLogic Domain Name
Note:
Oracle WebLogic Domain Name is case sensitive. You must provide the same value that you defined during domain creation.Oracle Middleware Home
Note:
Oracle Middleware Home is case sensitive. You must provide the same value that you defined during domain creation.The log file for opam-config
script will be created in DOMAIN_HOME/opam-config.log
.
If the above directory does not exist, then the log file for opam-config
script will be created in IAM_HOME
/opam/config/opam-config.log
.
The log file location will be printed on the screen after the script is executed.
Note:
After running theopam-config.sh
script (on Linux or UNIX) or opam-config.bat
script (on Windows), you must restart the Oracle WebLogic Administration Server, as described in Appendix C, "Starting the Stack".You must start the Oracle Privileged Account Manager Managed Server, as described in Appendix C, "Starting the Stack".
After you complete the installation process, you do not have any users present with administrator roles. You must select a user and grant that user the Application Configurator role.
Note:
For more information, see "Assigning the Application Configurator Role to a User" in Administering Oracle Privileged Account Manager.For information about the Administration Roles that the Application Configurator user can have, see "Administration Role Types" in Administering Oracle Privileged Account Manager.
Note:
Oracle Privileged Account Manager can operate with Oracle Database TDE (Transparent Data Encryption) mode. You can choose to either enable or disable the TDE mode. Oracle strongly recommends to enable the TDE mode for enhanced security.If you want to disable TDE mode, you must set the flag tdemode
to false
.
Note:
The steps described in this section are required only if you choose to skip Section 8.4, "Optional: Enabling TDE in Oracle Privileged Account Manager Data Store".Complete the following steps to disable TDE mode:
Set the environment variables ORACLE_HOME
and JAVA_HOME.
Run the following script:
On Windows:
ORACLE_HOME\opam\bin\opam.bat -url OPAM_Server_URL -x modifyglobalconfig -propertyname tdemode -propertyvalue false -u OPAM_APPLICATION_CONFIGURATOR_USER -p Password
where OPAM_Server_URL
is of the form https://
OPAM_Managed_Server_Hostname
:OPAM_Managed_Server_SSL_port
/opam
On Linux or UNIX:
ORACLE_HOME/opam/bin/opam.sh -url OPAM_Server_Url -x modifyglobalconfig -propertyname tdemode -propertyvalue false -u OPAM_APPLICATION_CONFIGURATOR_USER -p Password
where OPAM_Server_URL
is of the form https://
OPAM_Managed_Server_Hostname
:OPAM_Managed_Server_SSL_port
/opam
Note:
TDE mode can be enabled or disabled at any point after installing and configuring Oracle Privileged Account Manager. For more information on changing the TDE mode at a later time, refer to the "Securing Data On Disk" topic in Administering Oracle Privileged Account Manager.When the Application Configurator user logs in using the following URL:
http://opam-managedserver-host:opam-managedserver-nonsslport/oinav/opam
the Oracle Privileged Account Manager Console autodetects the connection settings for the Oracle Privileged Account Manager server, and the Oracle Privileged Account Manager Console is populated with content.
To modify the server connection settings, the Application Configurator user can go to the Configuration option on the left pane, and click on Server Connection. On the Server Connection tab, the user can provide a new host and port.
After completing the installation process, including post-installation steps, you can verify the installation and configuration of Oracle Privileged Account Manager as follows:
Ensure that the Oracle Privileged Account Manager Server is up and running, using the following URL:
https://opam-managedserver-host:opam-managedserver-sslport/opam
You will be prompted to enter a user name and password. Enter your WebLogic username and password. The following result should be displayed:
{
ServerState: {
Status: "Oracle Privileged Account Manager Server is up!",
StatusCode: 0
},
Requestor: "WebLogic_username",
RequestorGroups: [
"Administrators"
]
}
Log in to the Administration Console for Oracle Privileged Account Manager using the URL:
http://opam-managedserver-host:opam-managedserver-nonsslport/oinav/opam
When you access this Administration Console running on the OPAM Managed Server, you are prompted to enter a user name and password. Note that you must have Administrator's role and privileges.
Verify the Oracle WebLogic Server Administration Console. If the installation and configuration of Oracle Privileged Account Manager are successful, this console shows opam_server1
,which is the default Managed Server, in running mode.
In the Domain Structure pane, click Deployments. The following applications should be listed in the Deployments table, and the state must be Active
:
oinav
opam
opamsessionmgr
After installing Oracle Privileged Account Manager, refer to the "Getting Started with Administering OPAM" chapter in Administering Oracle Privileged Account Manager.