This chapter describes how you can configure and manage agents to work with Oracle Privileged Account Manager. The procedure to do so is described in the following sections:
An agent is a specifically designed tool that is deployed on a target, which is configured to perform a particular set of actions such as recording user actions. This section discusses the following topics:
Section 8.1.1, "What is an Oracle Privileged Account Manager Agent for Windows?"
Section 8.1.2, "Architecture and Functionality of the OPAM Agent"
In Oracle Privileged Account Manager, all actions that are performed during a session checkout can be monitored using the Oracle Privileged Account Manager session monitoring feature. This feature records all the activities that a user performs during the privileged session checkout.
In this context, the Oracle Privileged Account Manager Agent for Windows targets (OPAM Agent) works specifically with Windows targets to enable Oracle Privileged Account Manager to monitor the actions performed by a user on a Windows target, during session checkout.
The OPAM Agent is deployed directly on the Windows target. It runs the "OPAMAgentService" Windows service on the target, and this service uses the "OpamAgentCapturer" child process to record user actions. The service then converts the recorded actions into a video format and periodically sends it securely to the Oracle Privileged Account Manager server.
The OPAM Agent also sends metadata corresponding to the user's activity to the Oracle Privileged Account Manager server. The video data is saved into a database on the server. The metadata enables quick retrieval of relevant session recording videos. The playback for recorded videos is supported on HTML-5 compliant versions of the Chrome, Mozilla Firefox, Internet Explorer, and Safari browsers.
Figure 8-1 shows the end-to-end flow of session recording using the OPAM Agent.
Figure 8-1 End-to-End Flow of Session Recording
Figure 8-2 shows the session recording replay flow for videos recorded using the OPAM Agent.
Figure 8-2 Session Recording Replay Flow
The following sections describe the procedure to deploy the OPAM Agent on a Windows target:
Section 8.2.1, "Reviewing the Supported Components and Important Notes for Installation"
Section 8.2.6, "Monitoring the End-to-End Flow of the Session Recording Process"
Section 8.2.7, "Un-installing and Deregistering the OPAM Agent"
Note:
The procedure to deploy an OPAM Agent on a Windows target, as described in the following sections, assumes that you have the following account access and information:
Administrator privileges on the Windows machine.
Security Administrator privileges on the Oracle Privileged Account Manager server where the Windows target needs to be registered.
The OPAM Server URL.
The Connector Server name as configured in the Oracle Privileged Account Manager server.
The OPAM Agent is supported on the following operating systems and components:
Table 8-1 Supported Components
Component | Requirement |
---|---|
Microsoft Windows Client Operating System | You can use one of the following versions of the Microsoft Windows Client Operating System: |
Microsoft Windows Server Operating System | You can use one of the following releases of the Microsoft Windows Server Operating System: |
.NET Version | 4.5 or above |
This section applies when you install the OPAM Agent on Microsoft Windows 2008 R2, Microsoft Windows 2012 Server, or Microsoft Windows 2012 Server R2 targets. The procedure outlined below must be performed before installing the OPAM Agent and might require a restart of the system.
Note:
No special preinstallation steps are needed for Microsoft Windows 7, Microsoft Windows 8, and Microsoft Windows 8.1.
This section describes the actions you must perform on the Windows Server before you begin to install the OPAM Agent. It describes the following topics:
Depending on how you choose to enable the Desktop Experience, perform one of the following procedures to enable the Desktop Experience on the Microsoft Windows 2008 R2 operating system.
Using the Initial Configuration Tasks Wizard
In the Customize This Server section, click Add features.
Select the Desktop Experience check box and click Next.
Complete the wizard by clicking Install.
Click Start, navigate to Administrative Tools, and click Server Manager to open the Server Manager.
Note:
You can also open Server Manager by typing the following at a command prompt:
servermanager.msc
In the Features Summary section, click Add features.
Select the Desktop Experience check box and click Next.
Complete the wizard by clicking Install.
You must install Media Foundation components on Microsoft Windows Server 2012 and Microsoft Windows Server 2012 R2 as described in the following procedure:
Click Start, navigate to Administrative Tools, and click Server Manager to open the Server Manager.
Note:
You can also open Server Manager by typing the following at a command prompt:
servermanager.msc
In Server Manager, open the "Add Roles and Features" wizard. Click Next in the wizard until you reach the "Select installation type" step.
In the "Select installation type" step, select Role-based or feature-based installation, and click Next.
In the "Select destination server" step, select Select a server from the server pool. Choose the desired machine and click Next.
In the "Select features" step, select Media Foundation and click Install.
Restart the server.
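The prerequisites described in this section and the preceding ones (Desktop Experience on Windows Server 2008 R2, Media Foundation on Windows Server 2012 and 2012 R2, and .NET Framework 4.5 or above from Table 8-1) can also be checked and installed from an elevated PowerShell prompt. The following script is an added example and is not part of Oracle's documentation or tooling; it assumes the standard Windows Server feature names Desktop-Experience and Server-Media-Foundation and Microsoft's .NET 4.5 registry release value 378389, so confirm the feature names on your target with Get-WindowsFeature before relying on them.

```powershell
# Added example, not from the Oracle documentation: check and install the
# Windows Server prerequisites for the OPAM Agent from an elevated PowerShell
# prompt. Written for PowerShell 2.0 and later so it also runs on 2008 R2.
Import-Module ServerManager

$os = Get-WmiObject Win32_OperatingSystem
Write-Host "Target OS: $($os.Caption)"

# 2008 R2 needs Desktop Experience; 2012 and 2012 R2 need Media Foundation.
# Standard Windows Server feature names (assumed); confirm with Get-WindowsFeature.
$feature = $null
if ($os.Caption -match 'Server 2008 R2')  { $feature = 'Desktop-Experience' }
elseif ($os.Caption -match 'Server 2012') { $feature = 'Server-Media-Foundation' }

if ($feature) {
    $state = Get-WindowsFeature -Name $feature
    if ($state.Installed) {
        Write-Host "$feature is already installed."
    } else {
        Write-Host "Installing $feature ..."
        # Add-WindowsFeature exists on 2008 R2 and is an alias on 2012 / 2012 R2.
        $result = Add-WindowsFeature -Name $feature
        if ("$($result.RestartNeeded)" -match 'Yes|True|Maybe') {
            Write-Warning 'Restart the server before installing OPAMAgentInstaller.msi.'
        }
    }
} else {
    Write-Host 'No pre-installation feature is required for this OS.'
}

# .NET Framework 4.5 or above is required by the agent (Table 8-1).
# Release 378389 is the registry value for .NET 4.5; higher values are later releases.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
if ($ndp -and $ndp.Release -ge 378389) {
    Write-Host ".NET Framework 4.5 or above is present (Release $($ndp.Release))."
} else {
    Write-Warning '.NET Framework 4.5 or above is required but was not found.'
}
```

Run it once before copying OPAMAgentInstaller.msi to the host; if it reports that a restart is needed, restart before continuing with the installation.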
Note:
This feature must be configured before it is used for the first time. Once the configuration is complete, restart the server for the changes to take effect.
The OPAM Agent for Microsoft Windows is packaged as a binary installer named "OPAMAgentInstaller.msi." This is a standard Microsoft Windows installer.
Perform the following procedure to install the OPAM Agent:
Copy the "OPAMAgentInstaller.msi" installer to the Windows host from the following location:
$ORACLE_HOME/opam/tools
Double-click OPAMAgentInstaller.msi (the installer) to run it.
In the installation wizard, read the License Agreement and click Next. This will install the OPAM Agent binaries into the following location:
C:\Program Files\OPAMAgent
Note:
You can also install OPAMAgentInstaller.msi by typing the following at a command prompt:
msiexec /i OpamAgentInstaller.msi
This section discusses the following topics:
Section 8.2.4.1, "Registering the OPAM Agent with the Oracle Privileged Account Manager Server"
Section 8.2.4.2, "Updating the Target Key in Oracle Privileged Account Manager"
After installation, you must set up the OPAM Agent. The "OpamAgentUtility.exe" file is used to set up the OPAM Agent.
You must have "Administrator" privileges on the system within which you want to deploy the agent. Navigate to the following location from the command prompt:
C:\Program Files\OPAMAgent\
This location contains the "OpamAgentUtility.exe" file. This executable program can perform the following actions:
To register the OPAM Agent, run the OpamAgentUtility.exe -r command.
To update the client key in the Oracle Privileged Account Manager server, run the OpamAgentUtility.exe -u command.
Run the OpamAgentUtility.exe -d command only when you want to deregister the OPAM Agent.
Note:
Depending on the action you want to perform, run one or more of the commands described in this section.
Registering the OPAM Agent: When you run "OpamAgentUtility" with the -r option, as shown in the following sample command, the OPAM Agent is registered:
Sample command: OpamAgentUtility.exe -r
For more information about registering the OPAM Agent, refer to Section 8.2.4.1, "Registering the OPAM Agent with the Oracle Privileged Account Manager Server."
Updating the key of the target in the Oracle Privileged Account Manager server: When you run "OpamAgentUtility" with the -u option, as shown in the following sample command, the auto-generated key of the Windows target is updated in the Oracle Privileged Account Manager server:
Sample command: OpamAgentUtility.exe -u
For more information about updating the key of the target, refer to Section 8.2.4.2, "Updating the Target Key in Oracle Privileged Account Manager."
Deregistering the OPAM Agent: When you run "OpamAgentUtility" with the -d option, as shown in the following sample command, the OPAM Agent is deregistered:
Sample command: OpamAgentUtility.exe -d
For more information about uninstalling and deregistering the OPAM Agent, refer to Section 8.2.7, "Un-installing and Deregistering the OPAM Agent."
Running the OpamAgentUtility.exe command without any options lists the usage information for this executable.
The logging information from this executable is available in the following location:
C:\ProgramData\Opam\OpamAgentUtility_Year_Month_Day_Hour_Minute_Second.log
In this location, "Year_Month_Day_Hour_Minute_Second" is a placeholder in the name of the log file. It represents the timestamp at which the log file was created.
Before using the OPAM Agent on the Target, you must register the Agent with the Oracle Privileged Account Manager server.
To register the Agent:
Run the OpamAgentUtility.exe -r command in the command prompt. The executable program prompts for credentials to proceed with the registration.
To see which credentials are required, run the OpamAgentUtility.exe command without options and refer to the usage information.
The credentials can be provided interactively at the prompts or as command line arguments, as described in the usage information.
The executable program starts the OPAM Agent on the Windows target after it has successfully registered with the Oracle Privileged Account Manager server. If the registration is unsuccessful, check the log files as described in Section 8.2.4, "Setting up the OPAM Agent."
If the OPAM Agent was installed successfully, the service manager window will show the status of the "OPAMAgentService" service as "started." This is illustrated in the following screenshot:
If the Windows target, on which the OPAM Agent was deployed, is configured in Oracle Privileged Account Manager, then the registration process will automatically associate the agent with the specified target.
The OPAM Agent uses an auto-generated key to secure communication with the Oracle Privileged Account Manager server. You can update the key of the OPAM Agent to replace it with a newly auto-generated key.
Note:
Before you update the key, you must check whether the Windows target on which the OPAM Agent was configured has been added to Oracle Privileged Account Manager. If this target has not been added, you must add the target manually. To do so, refer to Section 6.2, "Adding and Configuring Targets in Oracle Privileged Account Manager" for more information.
Perform the following procedure to update the Windows target key in Oracle Privileged Account Manager:
Open the "Command Prompt" as an "Administrator" on the system and navigate to the following location:
C:\Program Files\OPAMAgent\
Run the following command and provide the necessary credentials to update the key of the target into the Oracle Privileged Account Manager server:
OpamAgentUtility.exe -u
This section discusses logging information for the OPAM Agent. For information about runtime logs and register-time logs, refer to the following sections:
The following is the primary log location:
C:\ProgramData\Opam
Note:
The preceding location is referred to as the "OPAM log folder" in this section.
The OPAMAgentService also writes to the Windows event log; this log is called "MyNewLog" and can be viewed using the Windows Event Viewer.
A directory is created in the OPAM log folder for each checked-out session. The directory is named after the "username" of the user who checks out the session. The runtime logs for these actions are stored in the following location:
C:\ProgramData\Opam\USERNAME\logs
Runtime logs are maintained for the following executables:
OPAMAgentService.exe
These logs are named in the OpamAgentService_Year_Month_Day_Hour_Minute_Second.log format, where "Year_Month_Day_Hour_Minute_Second" represents the timestamp at which the log file was created.
OpamAgentCapturer.exe
These logs are named in the OpamAgentCapturer_Year_Month_Day_Hour_Minute_Second.log format, where "Year_Month_Day_Hour_Minute_Second" represents the timestamp at which the log file was created.
Register-time logs are logs for the actions associated with the "OpamAgentUtility.exe" program. These logs are also stored under the OPAM log folder. Register-time logs are named in the following format:
OpamAgentUtility_Year_Month_Day_Hour_Minute_Second.log
In this format, "Year_Month_Day_Hour_Minute_Second" represents the timestamp at which the log file was created.
Logs for uninstallation or deregistration, and for the OPAM Agent key update, are also stored in register-time logs.
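The following PowerShell script ties together the registration check from Section 8.2.4.1 (the "OPAMAgentService" service should be running) and the log layout described in this section: it verifies the service, reads the newest register-time log by parsing the timestamp in its file name, counts the per-user runtime logs, and queries the "MyNewLog" event log. It is an added example, not Oracle's code, and assumes the default install and log paths given in this chapter and that the timestamp fields in the log file names are plain numbers separated by underscores.

```powershell
# Added example, not from the Oracle documentation: verify an OPAM Agent
# registration and locate its logs, using the service name, install path and
# log naming format described in this chapter. PowerShell 2.0 compatible.
$agentDir = 'C:\Program Files\OPAMAgent'
$logDir   = 'C:\ProgramData\Opam'              # the "OPAM log folder"

# 1. Binaries present and OPAMAgentService running (registration starts it)
if (-not (Test-Path (Join-Path $agentDir 'OpamAgentUtility.exe'))) {
    Write-Warning "OpamAgentUtility.exe not found under $agentDir"
}
$svc = Get-Service -Name 'OPAMAgentService' -ErrorAction SilentlyContinue
if (-not $svc) { Write-Warning 'OPAMAgentService is not installed' }
elseif ($svc.Status -ne 'Running') { Write-Warning "OPAMAgentService is $($svc.Status), expected Running" }
else { Write-Host 'OPAMAgentService is running' }

# 2. Register-time logs: OpamAgentUtility_Year_Month_Day_Hour_Minute_Second.log
#    The timestamp is parsed from the name (assumed: 4-digit year, 1-2 digit
#    fields otherwise) so the newest run is read even when registration and
#    the key update landed in different files.
function Get-OpamLogTimestamp {
    param([string]$Name)
    if ($Name -match '_(\d{4})_(\d{1,2})_(\d{1,2})_(\d{1,2})_(\d{1,2})_(\d{1,2})\.log$') {
        return Get-Date -Year $Matches[1] -Month $Matches[2] -Day $Matches[3] `
                        -Hour $Matches[4] -Minute $Matches[5] -Second $Matches[6]
    }
    return [datetime]::MinValue
}
$latest = Get-ChildItem -Path $logDir -Filter 'OpamAgentUtility_*.log' -ErrorAction SilentlyContinue |
          Sort-Object { Get-OpamLogTimestamp $_.Name } -Descending | Select-Object -First 1
if ($latest) {
    Write-Host "Latest register-time log: $($latest.Name)"
    Get-Content $latest.FullName | Select-Object -Last 20   # outcome of the last run
}

# 3. Runtime logs live per checked-out user in C:\ProgramData\Opam\USERNAME\logs
Get-ChildItem -Path $logDir -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer -and (Test-Path (Join-Path $_.FullName 'logs')) } |
    ForEach-Object {
        $count = @(Get-ChildItem (Join-Path $_.FullName 'logs') -Filter '*.log').Count
        Write-Host "Session user $($_.Name): $count runtime log file(s)"
    }

# 4. The service also writes to the Windows event log named "MyNewLog"
Get-WinEvent -LogName 'MyNewLog' -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message
```

Run it from an elevated prompt after OpamAgentUtility.exe -r (or -u, -d) to confirm the outcome without opening Event Viewer; the tail of the newest register-time log is where a failed registration states its reason.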
Note:
Because the log file name includes the timestamp at which the file was created, the logs from registration and deregistration of the OPAM Agent might be in different log files.
You can monitor the end-to-end flow of the session recording process when the following actions are performed in sequence:
In Oracle Privileged Account Manager, an end user who is granted access to the Windows account checks out the password for the Windows account.
The end user then logs in to the Windows target using the checked-out password.
The end user then performs certain actions on the Windows target and logs out.
In the described situation, all session activity is now recorded as a video and stored securely on the Oracle Privileged Account Manager server. You can monitor the actions performed during this session checkout using the Checkout History Reports page from the console. Refer to Section 15.5, "Working with Checkout History Reports" for detailed information.
Note:
In addition, any other sessions started directly on the Windows target without checking out the password from Oracle Privileged Account Manager are also recorded by the OPAM Agent and can be viewed in the Checkout History Reports page. The value of the "username" column shows as None in the Checkout History Reports table for such sessions.
You can uninstall the OPAM Agent from the target. This will remove any run-time data (except logs) and remove the binaries stored in the following location:
C:\Program Files\OPAMAgent\
Perform the following procedure to uninstall the OPAM Agent:
Log in to the Windows target as an Administrator.
Navigate to the Control Panel and click Add or Remove Programs.
Select OPAMAgent from the list and click Uninstall. Follow the steps in the wizard to complete the uninstallation process.
Note:
You can also uninstall the "OPAMAgentInstaller.msi" package by typing the following at a command prompt:
msiexec /x OpamAgentInstaller.msi
You can also deregister the OPAM Agent without un-installing it from the target. Perform the following procedure to do so:
Log in to the Windows target as an Administrator.
Open a command prompt and navigate to the following location:
C:\Program Files\OPAMAgent\
To complete the deregistration process, run the OpamAgentUtility.exe -d command and provide values for the prompted parameters.
Note:
The deregistration process will only remove the run-time data as described in this section.