8 Configuring and Managing Agents

This chapter describes how you can configure and manage agents to work with Oracle Privileged Account Manager. The procedure to do so is described in the following sections:

8.1 What is an Agent?

An agent is a specifically designed tool that is deployed on a target, which is configured to perform a particular set of actions such as recording user actions. This section discusses the following topics:

8.1.1 What is an Oracle Privileged Account Manager Agent for Windows?

In Oracle Privileged Account Manager, all actions that are performed during a session checkout can be monitored using the Oracle Privileged Account Manager session monitoring feature. This feature records all the activities that a user performs during the privileged session checkout.

In this context, the Oracle Privileged Account Manager Agent for Windows targets (OPAM Agent) works specifically with Windows targets to enable Oracle Privileged Account Manager to monitor the actions performed by a user on a Windows target, during session checkout.

8.1.2 Architecture and Functionality of the OPAM Agent

The OPAM Agent is deployed directly on the Windows target. This agent runs the "OPAMAgentService" Windows service on the target. This service then uses the "OpamAgentCapturer" child process to record user actions on the target. The service then converts the user actions into a video format and periodically sends it securely to the Oracle Privileged Account Manager server.

The OPAM Agent also sends metadata corresponding to the user's activity to the Oracle Privileged Account Manager server. The video data is saved into a database on the server. The metadata enables quick retrieval of relevant session recording videos. The playback for recorded videos is supported on HTML-5 compliant versions of the Chrome, Mozilla Firefox, Internet Explorer, and Safari browsers.

Figure 8-1 shows the end-to-end flow of session recording using the OPAM Agent.

Figure 8-1 End-to-End Flow of Session Recording


Figure 8-2 shows the session recording replay flow for videos recorded using the OPAM Agent.

Figure 8-2 Session Recording Replay Flow


8.2 Deploying the OPAM Agent on a Windows Target

The following sections describe the procedure to deploy the OPAM Agent on a Windows target:

Note:

The deployment procedure described in the following sections assumes that you have the following access and information:
  • Administrator privileges on the Windows machine.

  • Security Administrator privileges on the Oracle Privileged Account Manager Server where the Windows target needs to be registered.

  • The OPAM Server URL.

  • The Connector Server name as configured in the Oracle Privileged Account Manager Server.

8.2.1 Reviewing the Supported Components and Important Notes for Installation

The OPAM Agent is supported on the following Operating Systems:

Table 8-1 Supported Components

Component Requirement

Microsoft Windows Client Operating System

You can use one of the following versions of the Microsoft Windows Client Operating System:

  • Microsoft Windows 2008 R2

  • Microsoft Windows 7

  • Microsoft Windows 8

  • Microsoft Windows 8.1

Microsoft Windows Server Operating System

You can use one of the following releases of the Microsoft Windows Server Operating System:

  • Microsoft Windows 2012 Server

  • Microsoft Windows 2012 Server R2

.NET Version

4.5 or above


8.2.1.1 Important Notes for Installation on Microsoft Windows Server

This section is applicable while installing the OPAM Agent on the Microsoft Windows 2008 R2, Microsoft Windows 2012 Server, and Microsoft Windows 2012 Server R2 targets. The procedure outlined below has to be performed prior to installing the OPAM Agent and might require a restart of the system.

Note:

No special preinstallation steps are needed for Microsoft Windows 7, Microsoft Windows 8, and Microsoft Windows 8.1.

8.2.2 Setting Up the Windows Server

This section describes the actions you must perform on the Windows Server, before you begin to install the OPAM Agent. It describes the following topics:

8.2.2.1 Enabling Desktop Experience for Microsoft Windows Server 2008 R2

Depending on how you choose to enable the Desktop Experience, perform one of the following procedures to enable the Desktop Experience on the Microsoft Windows 2008 R2 operating system.

Using the Initial Configuration Tasks Wizard

  1. In the Customize This Server section, click Add features.

  2. Select the Desktop Experience check box and click Next.

  3. Complete the wizard by clicking Install.

Using the Server Manager

  1. To open Server Manager, click Start, navigate to Administrative Tools, and click Server Manager.

    Note:

    You can also open Server Manager by typing the following at a command prompt:

    servermanager.msc

  2. In the Features Summary section, click Add features.

  3. Select the Desktop Experience check box and click Next.

  4. Complete the wizard by clicking Install.

8.2.2.2 Enabling Media Foundation Components For Microsoft Windows 2012 Server and Microsoft Windows 2012 Server R2

You must install Media Foundation components on Microsoft Windows Server 2012 and Microsoft Windows Server 2012 R2 as described in the following procedure:

  1. To open Server Manager, click Start, navigate to Administrative Tools, and click Server Manager.

    Note:

    You can also open Server Manager by typing the following at a command prompt:

    servermanager.msc

  2. In Server Manager, navigate to the "Add Roles and Features" wizard. Continue to click the Next button in the wizard until you reach "Select installation type."

  3. In the "Select installation type" step, select Role-based or feature-based installation, and click Next.

  4. In the "Select destination server" step, select Select a server from the server pool. Choose the desired machine and click Next.

  5. On the "Select features" page, select Media Foundation and click Install.

  6. Restart the server.

    Note:

    This feature must be configured initially. Once the configuration is complete, restart the server for the changes to take effect.
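The checks from Sections 8.2.1 and 8.2.2 can be scripted and run on the target before the installer is copied over. The following Windows PowerShell sketch is an added example, not part of the Oracle documentation or product; the function name is hypothetical, and it assumes the ServerManager feature names Desktop-Experience and Server-Media-Foundation and the standard .NET "Release" registry value (378389 or higher for .NET 4.5 and above).

```powershell
# Added example (not Oracle code): pre-installation check for an OPAM Agent target.
function Test-OpamAgentPrereq {
    $findings = @()

    # Installation and setup require Administrator privileges on the target.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $me = New-Object Security.Principal.WindowsPrincipal($id)
    if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        $findings += 'Session is not running with Administrator privileges'
    }

    # .NET 4.5 or above: the Release value under NDP\v4\Full is 378389 or higher.
    $ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $ndp -ErrorAction SilentlyContinue).Release
    if (-not $release -or $release -lt 378389) {
        $findings += '.NET Framework 4.5 or above not detected'
    }

    $os = Get-WmiObject -Class Win32_OperatingSystem
    $supported = $os.Version -match '^6\.[123]\.'   # 6.1, 6.2, 6.3 cover Table 8-1
    if (-not $supported) {
        $findings += "OS version $($os.Version) is not listed in Table 8-1"
    }
    elseif ($os.ProductType -ne 1) {
        # Server OS (ProductType 2 or 3): a feature must be enabled first.
        # 6.1 = Windows Server 2008 R2; 6.2 / 6.3 = Windows Server 2012 / 2012 R2.
        $feature = 'Server-Media-Foundation'
        if ($os.Version -like '6.1.*') { $feature = 'Desktop-Experience' }

        Import-Module ServerManager
        if (-not (Get-WindowsFeature -Name $feature).Installed) {
            $findings += "Windows feature '$feature' is not installed (a restart may be needed after enabling it)"
        }
    }
    return ,$findings
}

$result = Test-OpamAgentPrereq
if ($result.Count -eq 0) { 'Target is ready for OPAMAgentInstaller.msi' } else { $result }
```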

8.2.3 Installing the OPAM Agent

The OPAM Agent for Microsoft Windows is packaged as a binary installer named "OPAMAgentInstaller.msi." This is a standard Microsoft Windows installer.

Perform the following procedure to install the OPAM Agent:

  1. Copy the "OPAMAgentInstaller.msi" installer to the Windows host from the following location:

    $ORACLE_HOME/opam/tools

  2. Double-click OPAMAgentInstaller.msi (the installer) to run it.

  3. In the installation wizard, read the License Agreement and click Next. This will install the OPAM Agent binaries into the following location:

    C:\Program Files\OPAMAgent

Note:

You can also install OPAMAgentInstaller.msi by typing the following at a command prompt:

msiexec /i OpamAgentInstaller.msi

8.2.4 Setting up the OPAM Agent

This section discusses the following topics:

After installation, you must set up the OPAM Agent. The "OpamAgentUtility.exe" file is used to set up the OPAM Agent.

You must have "Administrator" privileges on the system within which you want to deploy the agent. Navigate to the following location from the command prompt:

C:\Program Files\OPAMAgent\

This location contains the "OpamAgentUtility.exe" file. This executable program can perform the following actions:

Note:

Depending on the action you want to perform, run one or more of the commands described in this section.
  • To register the OPAM Agent, you must run the OpamAgentUtility.exe -r command.

  • To update the client key into the Oracle Privileged Account Manager Server, you must run the OpamAgentUtility.exe -u command.

  • Run the OpamAgentUtility.exe -d command only when you want to deregister the OPAM Agent.

Running the OpamAgentUtility.exe command without any options will list the usage information for this executable.

The logging information from this executable file is available in the following location:

C:\ProgramData\Opam\OpamAgentUtility_Year_Month_Day_Hour_Minute_Second.log

In this location, "Year_Month_Day_Hour_Minute_Second" is a placeholder text in the name of the log file. It represents the format of the timestamp at which the log file was created.

8.2.4.1 Registering the OPAM Agent with the Oracle Privileged Account Manager Server

Before using the OPAM Agent on the Target, you must register the Agent with the Oracle Privileged Account Manager server.

To register the Agent:

  1. Run the OpamAgentUtility.exe -r command in the command prompt. The executable program will prompt for credentials to proceed with the registration.

  2. To check which credentials are required, run the OpamAgentUtility.exe command and refer to the usage information.

    The credentials can be provided using the interactive query or as command line arguments, as described in the usage information.

The executable program will start the OPAM Agent on the Windows target after it has successfully registered with the Oracle Privileged Account Manager server. If the registration is unsuccessful, check the log files as described in Section 8.2.4, "Setting up the OPAM Agent."

If the OPAM Agent was installed successfully, the service manager window will show the status of the "OPAMAgentService" service as "started." This is illustrated in the following screenshot:

(Screenshot: opam_agent_status.gif)

If the Windows target, on which the OPAM Agent was deployed, is configured in Oracle Privileged Account Manager, then the registration process will automatically associate the agent with the specified target.

8.2.4.2 Updating the Target Key in Oracle Privileged Account Manager

The OPAM Agent uses an auto-generated key to secure communication with the Oracle Privileged Account Manager server. You can update the key of the OPAM Agent to replace it with a new auto-generated key.

Note:

Before you update the key, you must check if the Windows target, on which the OPAM Agent was configured, has been added to Oracle Privileged Account Manager.

If this target has not been added to Oracle Privileged Account Manager, you must manually add the target. To do so, refer to Section 6.2, "Adding and Configuring Targets in Oracle Privileged Account Manager" for more information.

Perform the following procedure to update the Windows target key in Oracle Privileged Account Manager:

  1. Open the "Command Prompt" as an "Administrator" on the system and navigate to the following location:

    C:\Program Files\OPAMAgent\

  2. Run the following command and provide the necessary credentials to update the key of the target into the Oracle Privileged Account Manager server:

    OpamAgentUtility.exe -u

8.2.5 Logging Information for OPAM Agent

This section discusses logging information for the OPAM Agent. For information about Runtime Logs and Register-Time Logs, refer to the following sections:

The following is the primary log location:

C:\ProgramData\Opam

Note:

The preceding location is referred to as the "OPAM log folder" in this section.

The OPAMAgentService writes to the Windows Event History, in a log called "MyNewLog". This log can be viewed using the Windows Event Viewer.

8.2.5.1 Runtime Logs

A directory is created in the OPAM log folder for each checked-out session. The directory is named after the "username" of the user who checks out the session. The runtime logs for these actions are stored in the following location:

C:\ProgramData\Opam\USERNAME\logs

Runtime logs are maintained for the following executables:

  • OPAMAgentService.exe

    These logs are named in the OpamAgentService_Year_Month_Day_Hour_Minute_Second.log format.

    In this format, "Year_Month_Day_Hour_Minute_Second" represents the format of the timestamp at which the log file was created.

  • OpamAgentCapturer.exe

    These logs are named in the OpamAgentCapturer_Year_Month_Day_Hour_Minute_Second.log format.

    In this format, "Year_Month_Day_Hour_Minute_Second" represents the format of the timestamp at which the log file was created.

8.2.5.2 Register-Time Logs

Register-time logs are logs for the actions associated with the "OpamAgentUtility.exe" program. These logs are also stored under the OPAM log folder. Register-time logs are named in the following format:

OpamAgentUtility_Year_Month_Day_Hour_Minute_Second.log

In this format, "Year_Month_Day_Hour_Minute_Second" represents the format of the timestamp at which the log file was created.

Logs for uninstallation or deregistration, and the OPAM Agent key update are also stored in register-time logs.

Note:

Because of the timestamped format of the log file name, the logs from registration and deregistration of the OPAM Agent could be in different log files.
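After registration (Section 8.2.4.1), the service state and the logs described in Section 8.2.5 can be collected in one pass, which is also a quick way to spot a target where recording has stopped. The following Windows PowerShell sketch is an added example, not part of the Oracle documentation or product; the function names are hypothetical, and it assumes that each timestamp field in the log file names is numeric.

```powershell
# Added example (not Oracle code): health check for a registered OPAM Agent.
$LogRoot = 'C:\ProgramData\Opam'    # the "OPAM log folder" from Section 8.2.5

function ConvertFrom-OpamLogName([string]$Name) {
    # Assumption: each timestamp field in the file name is numeric, as in the
    # constructed sample name OpamAgentUtility_2015_03_07_14_05_09.log.
    if ($Name -match '^(OpamAgent[a-z]+)_(\d+)_(\d+)_(\d+)_(\d+)_(\d+)_(\d+)\.log$') {
        New-Object psobject -Property @{
            Executable = $Matches[1]
            Created    = Get-Date -Year $Matches[2] -Month $Matches[3] -Day $Matches[4] `
                             -Hour $Matches[5] -Minute $Matches[6] -Second $Matches[7]
        }
    }
}

function Get-OpamAgentHealth {
    # A stopped or missing service means sessions on this target are not recorded.
    $status = 'NotInstalled'
    $svc = Get-Service -Name 'OPAMAgentService' -ErrorAction SilentlyContinue
    if ($svc) { $status = $svc.Status }

    # Register-time logs sit in the log folder itself; runtime logs sit in
    # <log folder>\USERNAME\logs, one directory per user.
    $files = @(Get-ChildItem -Path (Join-Path $LogRoot 'OpamAgent*.log') -ErrorAction SilentlyContinue) +
             @(Get-ChildItem -Path (Join-Path $LogRoot '*\logs\OpamAgent*.log') -ErrorAction SilentlyContinue)
    $logs = @(foreach ($f in $files) {
        $p = ConvertFrom-OpamLogName $f.Name
        if ($p) { $p | Add-Member -MemberType NoteProperty -Name Path -Value $f.FullName -PassThru }
    })

    # Registration, key update and deregistration can each be in a different
    # OpamAgentUtility log, so return all of them in time order.
    $registerLogs = @($logs | Where-Object { $_.Executable -eq 'OpamAgentUtility' } | Sort-Object Created)
    $runtimeLogs  = @($logs | Where-Object { $_.Executable -ne 'OpamAgentUtility' } | Sort-Object Created)

    # The service's event log is named "MyNewLog"; it may not exist yet.
    $events = @()
    try { $events = @(Get-EventLog -LogName 'MyNewLog' -Newest 10 -ErrorAction Stop) } catch { }

    New-Object psobject -Property @{
        ServiceStatus = $status
        RegisterLogs  = $registerLogs
        NewestRuntime = $runtimeLogs | Select-Object -Last 1
        RecentEvents  = $events
    }
}

Get-OpamAgentHealth | Format-List
```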

8.2.6 Monitoring the End-to-End Flow of the Session Recording Process

You can monitor the end-to-end flow of the session recording process when the following actions are performed in sequence:

  1. In Oracle Privileged Account Manager, an end user who is granted access to the Windows account checks out the password for the Windows account.

  2. The end user then logs in to the Windows target using the checked-out password.

  3. The end user then performs certain actions on the Windows target and logs out.

In the described situation, all session activity is now recorded as a video and stored securely on the Oracle Privileged Account Manager server. You can monitor the actions performed during this session checkout using the Checkout History Reports page from the console. Refer to Section 15.5, "Working with Checkout History Reports" for detailed information.

Note:

In addition, any other sessions started directly on the Windows target without checking out the password from Oracle Privileged Account Manager will also be recorded by the OPAM Agent, and can be viewed in the Checkout History Reports page.

The value for the "username" column will show as None in the Checkout History Reports table for such sessions.

8.2.7 Un-installing and Deregistering the OPAM Agent

You can uninstall the OPAM Agent from the target. This will remove any run-time data (except logs) and remove the binaries stored in the following location:

C:\Program Files\OPAMAgent\

Uninstalling the OPAM Agent

Perform the following procedure to uninstall the OPAM Agent:

  1. Log in to the Windows target as an Administrator.

  2. Navigate to the Control Panel and click Add or Remove Programs.

  3. Select OPAMAgent from the list and click Uninstall. Follow through the steps in the wizard to complete the un-installation process.

Note:

You can also uninstall the OPAM Agent by typing the following at a command prompt:

msiexec /x OpamAgentInstaller.msi

Deregistering the OPAM Agent

You can also deregister the OPAM Agent without un-installing it from the target. Perform the following procedure to do so:

  1. Log in to the Windows target as an Administrator.

  2. Open a command prompt and navigate to the following location:

    C:\Program Files\OPAMAgent\

  3. To complete the deregistration process, run the OpamAgentUtility.exe -d command and provide values for the prompted parameters.

Note:

The deregistration process will only remove the run-time data as described in this section.