3 Getting Started with Managing Oracle Privileged Account Manager

This chapter describes how to finish configuring Oracle Privileged Account Manager after installation.

Note:

You can manage Oracle Privileged Account Manager from the Console, from the command line, and by using Oracle Privileged Account Manager's RESTful interface.

This chapter includes the following sections:

Note:

If you are using Oracle Privileged Account Manager on IBM WebSphere, refer to "Differences in Getting Started with Administering Oracle Privileged Account Manager" in the Oracle Fusion Middleware Third-Party Application Server Guide for Oracle Identity and Access Management for information about this topic.

3.1 Before You Begin

This chapter assumes that you have installed and configured Oracle Privileged Account Manager 11g Release 2 (11.1.2.3) as described in Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

Before starting the final configuration steps needed to start Oracle Privileged Account Manager, Oracle recommends the following:

  • Read the "Configuring Oracle Privileged Account Manager" chapter in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

  • Review Table 3-1 to understand the default application URLs for various interfaces that you use to manage Oracle Privileged Account Manager in this release.

    Table 3-1 Default Application URLs

    Interface                                       Default URL
    Oracle WebLogic Server Administrative Console   http://adminserver_host:adminserver_port/console/
    Oracle Privileged Account Manager Console       http://managedserver_host:managedserver_port/oinav/opam
    Oracle Privileged Account Manager Server        https://managedserver_host:managedserver_sslport/opam


  • Review Table 3-2 to understand the various default ports for Oracle Privileged Account Manager in this release.

    Table 3-2 Default Ports

    Oracle Privileged Account Manager Server
      Default port: 18102
      The default SSL-enabled port for the WebLogic Managed Server on which the Oracle Privileged Account Manager server is deployed.

    Oracle Privileged Account Manager Console
      Default ports: 18101 (non-SSL), 18102 (SSL)
      The WebLogic Managed Server ports on which the Oracle Privileged Account Manager Console is available by default.

    Oracle Privileged Session Manager (SSH)
      Default port: 1222
      The default port on which Oracle Privileged Session Manager listens for SSH traffic.

    WebLogic Admin Console
      Default ports: 7001 (non-SSL), 7002 (SSL)
      The default WebLogic Admin Server ports on which the WebLogic Admin Console is available.


  • Review Table 3-3 to become familiar with the common directory variables that are used throughout this guide.

    Note:

    For additional information about these directories, and other common directories used in most Oracle Identity and Access Management installations and configurations, refer to "Identifying Installation Directories" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management and "Understanding Oracle Fusion Middleware Concepts and Directory Structure" in the Oracle Fusion Middleware Installation Planning Guide for Oracle Identity and Access Management.

    Table 3-3 Common Directories Used in Oracle Privileged Account Manager

    MW_HOME
      The Oracle Middleware Home directory. The Middleware Home contains the Oracle WebLogic Server home and one or more Oracle Home directories.

    ORACLE_HOME or IAM_HOME
      The Oracle Home directory where the Oracle Privileged Account Manager files were installed. An Oracle home resides within the directory structure of the Middleware home.

    JAVA_HOME
      The Java installation used by your WebLogic server.

    DOMAIN_HOME
      The top-level directory of the domain.

    BI_DOMAIN_HOME
      The Oracle BI Domain directory.


  • Review the "Starting or Stopping the Oracle Stack" section in Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management, and use those instructions whenever this guide tells you to start or stop the Oracle WebLogic Administration Server (Admin Server) or any of the various Managed Servers.

3.2 Understanding ICF Connectors in Oracle Privileged Account Manager

Oracle Privileged Account Manager enables you to secure, share, audit, and manage administrator-identified account credentials. To provide these capabilities, Oracle Privileged Account Manager must be able to access and manage privileged accounts on a target system.

Connectors enable Oracle Privileged Account Manager to interact with target systems, such as LDAP or Oracle Database, and to perform Oracle Privileged Account Manager-relevant administrative operations on those systems.

Oracle Privileged Account Manager leverages connectors that are compliant with the Identity Connector Framework (ICF) standard. By using this standard, you separate Oracle Privileged Account Manager from the mechanism it uses for connecting to targets. Therefore, in addition to connectors provided by vendors such as Oracle, you are free to build, test, and deploy your own ICF connectors into Oracle Privileged Account Manager.

This section describes how Oracle Privileged Account Manager consumes these ICF connectors. It includes the following topics:

Note:

For more information about the Identity Connector Framework, refer to "Understanding the Identity Connector Framework" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

3.2.1 About the ICF Connectors

Oracle Privileged Account Manager ships with the following ICF-compliant connectors that were developed by Oracle:

  • Database User Management (DBUM) Connector

  • Generic LDAP Connector

  • Oracle Identity Manager Connector for UNIX

  • SSH Connector

  • SAP Connector

  • Windows Local Accounts Connector

These connectors enable Oracle Privileged Account Manager to manage privileged accounts on a range of target systems belonging to the preceding types.

Oracle Privileged Account Manager can also use customer-created, ICF-compliant connectors, which empowers you to manage your proprietary systems by using Oracle Privileged Account Manager.

Note:

If you are only interested in using the connectors that ship with Oracle Privileged Account Manager, then no further action is required because these connectors come pre-configured out-of-the-box.

If you want to use other Oracle connectors or a custom connector, then refer to Section 17.3, "Adding New Connectors to an Existing Oracle Privileged Account Manager Installation" for more information.

For additional information about developing ICF-compliant connectors, refer to "Developing Identity Connectors" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

3.2.2 Locating the Oracle Privileged Account Manager Connector Bundles

Because ICF connectors are generic, and useful in numerous contexts, a given Oracle installation puts all connector bundles into a single location on the file system. All components (such as Oracle Privileged Account Manager) that rely on these connector bundles can access them from this location:

ORACLE_HOME/connectors

The connectors that are available in ORACLE_HOME/connectors are shipped with Oracle Identity Manager. Of all the connectors in this directory, only the following five connectors are certified to work with Oracle Privileged Account Manager for this release:

  • org.identityconnectors.dbum-1.0.1116.jar

  • org.identityconnectors.genericunix-1.0.0.jar

  • org.identityconnectors.ldap-1.0.6380.jar

  • org.identityconnectors.sap-2.0.0.jar

  • org.identityconnectors.sapume-1.0.1.jar

The following connectors that are certified to work only with Oracle Privileged Account Manager are available in the ORACLE_HOME/opam-connectors location:

  • org.identityconnectors.ssh-1.0.1115.jar

  • WindowsLocalConnector-1.0.0.0.zip

Note:

If you obtain any new ICF connectors from Oracle, you must place them in the location specified in the instructions provided.

Where you store custom third-party connectors is at your discretion; however, you must ensure that Oracle Privileged Account Manager can read them at run time. Because a connector bundle is code that the server loads and that handles target-system credentials, keep the directory readable by the account that runs the server but writable only by administrators.

3.2.3 Consuming ICF Connectors

Oracle Privileged Account Manager consumes ICF connectors by using the opam-config.xml file. The contents of this file provide the following information to Oracle Privileged Account Manager:

  1. Where to pick up the ICF connector bundle (on the file system)

  2. Which configuration attributes are relevant for the Oracle Privileged Account Manager use-cases

  3. How to render the Oracle Privileged Account Manager Console when configuring connectivity to a target system using a particular connector

You will find the opam-config.xml file in the ORACLE_HOME/opam/config directory. The out-of-the-box image is configured to pick up and use the connector bundles that ship with the Oracle Identity Management Suite.

The opam-config.xsd file (also located in the ORACLE_HOME/opam/config directory) describes the schema for opam-config.xml. If you make any changes to the ORACLE_HOME/opam/config/opam-config.xml file, verify them against the opam-config.xsd file.

Caution:

Be sure to back up the original opam-config.xml file before attempting to edit that file.

3.3 Starting Oracle Privileged Account Manager

This section provides high-level information about starting and working with Oracle Privileged Account Manager. This section includes the following topics:

The procedures described in this section reference information and instructions contained in the following Oracle publications. If necessary, review the referenced concepts, terminology, and procedures before starting these procedures.

Table 3-4 Reference Information

For information about each topic, refer to the publication listed under it.

Admin Roles
  Section 2.3.1, "Administration Role Types," and Section 3.3.4, "Assigning the Application Configurator Role to a User."

System Requirements and Certification
  Section 1.5, "System Requirements and Certification."

Oracle WebLogic Server concepts and terminology
  Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help and Oracle Fusion Middleware Securing Oracle WebLogic Server

Creating a default authenticator in Oracle WebLogic Server
  Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help and Oracle Fusion Middleware Securing Oracle WebLogic Server

Configuring an identity store in your environment
  Your vendor product documentation

Configuring Oracle Virtual Directory with the LDAP-based server
  "Creating LDAP Adapters" in Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory

Configuring the OVD authenticator in Oracle WebLogic Server
  Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help

Connecting the Node Manager to WLST
  "Node Manager Commands" in the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference

Associating a Policy Store using WLST
  "Setting a Node in an Oracle Internet Directory Server" and "reassociateSecurityStore" sections in the Oracle Fusion Middleware Application Security Guide

Associating a Policy Store using Enterprise Manager
  "Reassociating with Fusion Middleware Control" in the Oracle Fusion Middleware Application Security Guide

Using the idmConfigTool command
  Oracle Fusion Middleware Integration Overview for Oracle Identity Management Suite


Note:

If you are using Oracle Privileged Account Manager on IBM WebSphere, you must start IBM WebSphere and perform some configuration steps before assigning the Application Configurator and invoking the Oracle Privileged Account Manager Console.

For more information about these tasks, refer to "Starting Oracle Privileged Account Manager on IBM WebSphere" in the Oracle Fusion Middleware Third-Party Application Server Guide for Oracle Identity and Access Management.

3.3.1 Starting WebLogic

Before you can start Oracle Privileged Account Manager, you must start the WebLogic servers and console.

Note:

  1. Connect the Node Manager to WLST by running the nmConnect command.

    Refer to "Node Manager Commands" in the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference for instructions.

  2. Start the WebLogic Admin Server. For example,

    On UNIX, type

    MW_HOME/user_projects/domains/DOMAIN_NAME/bin/startWebLogic.sh
    

    On Windows, type

    MW_HOME\user_projects\domains\DOMAIN_NAME\bin\startWebLogic.bat
    
  3. Start the Oracle Privileged Account Manager Managed Server.

  4. Open a browser and start the WebLogic Console from the following location:

    http://adminserver_host:adminserver_port/console

3.3.2 Configuring an External Identity Store for Oracle Privileged Account Manager

This section describes how to configure a new, external identity store for Oracle Privileged Account Manager.

Note:

If you are using IBM WebSphere, you must configure a registry rather than an external identity store. Refer to "Configuring a Registry" in the Oracle Fusion Middleware Third-Party Application Server Guide for Oracle Identity and Access Management for instructions.

You can configure the domain identity store using Oracle Internet Directory or Oracle Virtual Directory with a supported LDAP-based directory server. You configure the identity store in the WebLogic Server Administration Console.

Note:

To configure the Oracle Internet Directory authenticator in Oracle WebLogic Server:

  1. Log in to Oracle WebLogic Server Administration Console, and click Lock & Edit in the Change Center.

  2. In Oracle WebLogic Server Administration Console, select Security Realms from the left pane and click the realm you are configuring. For example, the default realm is myrealm.

  3. Select the Providers tab, then select the Authentication subtab.

  4. Click New to launch the Create a New Authentication Provider page and complete the fields as follows:

    • Name

      Enter a name for the Authentication provider. For example, MyOIDDirectory.

    • Type

      Select OracleInternetDirectoryAuthenticator from the list.

    Click OK to update the Authentication providers table.

  5. In the Authentication providers table, click the newly added authenticator.

  6. In Settings, select the Configuration tab, then select the Common tab.

  7. On the Common tab, set the Control Flag to SUFFICIENT.

    The Control Flag attribute of each Authentication provider determines how the ordered list of Authentication providers is executed. The following are the possible values for the Control Flag attribute:

    • REQUIRED: This LoginModule must succeed. Even if it fails, authentication proceeds down the list of LoginModules for the configured Authentication providers. This setting is the default.

    • REQUISITE: This LoginModule must succeed. If other Authentication providers are configured and this LoginModule succeeds, authentication proceeds down the list of LoginModules. Otherwise, control is returned to the application.

    • SUFFICIENT: This LoginModule need not succeed. If it does succeed, return control to the application. If it fails and other Authentication providers are configured, authentication proceeds down the LoginModule list.

    • OPTIONAL: This LoginModule can succeed or fail. However, if all Authentication providers configured in a security realm have the JAAS Control Flag set to OPTIONAL, the user must pass the authentication test of one of the configured providers.

  8. Click Save.

  9. Select the Provider Specific tab and enter the following required settings using values for your environment:

    • Host: Specify the host name of the Oracle Internet Directory server.

    • Port: Specify the port number on which the Oracle Internet Directory server is listening.

    • Principal: Specify the distinguished name (DN) of the Oracle Internet Directory user to be used to connect to the Oracle Internet Directory server. For example: cn=OIDUser,cn=users,dc=us,dc=mycompany,dc=com.

    • Credential: Specify the password for the Oracle Internet Directory user entered as the Principal.

    • Group Base DN: Specify the base distinguished name (DN) of the Oracle Internet Directory server tree that contains groups.

    • User Base DN: Specify the base distinguished name (DN) of the Oracle Internet Directory server tree that contains users.

    • All Users Filter: Specify the LDAP search filter that is used to show all the users below the User Base DN. Click More Info for details.

    • User From Name Filter: Specify the LDAP search filter used to find the LDAP user by name. Click More Info for details.

    • User Name Attribute: Specify the attribute that you want to use to authenticate, such as, cn, uid, or mail. For example, to authenticate using a user's email address you set this value to mail.

    • Use Retrieved User Name As Principal: Select the check box to enable "Use Retrieved User Name As Principal."

      Note:

      Refer to Section 20.3.6, "Grantee Cannot Perform a Checkout" for additional information.

  10. Click Save.

  11. From the Settings for myrealm page, select the Providers tab, then select the Authentication tab.

  12. Click Reorder.

  13. Select the new authenticator and use the arrow buttons to move it into the first position in the list.

  14. Click OK.

  15. Click DefaultAuthenticator in the Authentication providers table to display the Settings for DefaultAuthenticator page.

  16. Select the Configuration tab, then the Common tab, and select SUFFICIENT from the Control Flag list.

    Note:

    The SUFFICIENT control flag allows both users from the external identity store and users from the default authenticator to log in. If that is not what you want, switch this option to one of the other Control Flag values. Also, if you choose SUFFICIENT, ensure that the attribute used as the user name attribute has unique values across the identity stores: otherwise a user in one store can log in under a name that belongs to a different user in the other store.

    Refer to Section 20.3.24, "A User is Able to Access the Grants of Another User" for more information.

  17. In the Change Center, click Activate Changes.

  18. Restart Oracle WebLogic Server.

  19. Verify your configuration and set-up by confirming that the users present in the LDAP directory (Oracle Internet Directory or Oracle Virtual Directory) can log in to Oracle Privileged Account Manager with no issues.
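The interaction between step 7, step 16 and the note on unique user names is easier to see by running the provider chain. The following added example (not WebLogic code) applies the JAAS control-flag rules from step 7 to an ordered list of providers; the provider names, user names and passwords are constructed sample data standing in for the OID store and the embedded DefaultAuthenticator store.

```python
"""Evaluate an ordered chain of WebLogic Authentication providers using the
JAAS control-flag rules from step 7. Added example: the provider names,
user names and passwords below are constructed sample data, not WebLogic
code and not real accounts."""

from dataclasses import dataclass

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL"


@dataclass
class Provider:
    name: str
    control_flag: str
    users: dict            # user name -> password, standing in for the identity store

    def login(self, user, password):
        return self.users.get(user) == password


def authenticate(providers, user, password):
    """Return (overall_success, names of providers that accepted the credentials)."""
    required_ok = True      # no REQUIRED/REQUISITE provider has failed so far
    has_required = False    # at least one REQUIRED/REQUISITE provider is configured
    accepted = []
    for p in providers:
        ok = p.login(user, password)
        if ok:
            accepted.append(p.name)
        if p.control_flag in (REQUIRED, REQUISITE):
            has_required = True
            if not ok:
                required_ok = False
                if p.control_flag == REQUISITE:
                    return False, accepted   # REQUISITE failure returns control at once
        elif p.control_flag == SUFFICIENT and ok and required_ok:
            return True, accepted            # SUFFICIENT success returns control at once
        # OPTIONAL, and a failed SUFFICIENT, just continue down the list
    if not required_ok:
        return False, accepted
    if has_required:
        return True, accepted                # every REQUIRED/REQUISITE provider passed
    return bool(accepted), accepted          # only SUFFICIENT/OPTIONAL: one must pass


def chain_from_page():
    """The chain Section 3.3.2 leaves you with: the new OID authenticator in
    first position, then DefaultAuthenticator, both SUFFICIENT. The user
    'bob' deliberately exists in both stores with different passwords."""
    oid = Provider("MyOIDDirectory", SUFFICIENT,
                   {"alice": "Alice-pw-1", "bob": "Bob-oid-pw"})
    default = Provider("DefaultAuthenticator", SUFFICIENT,
                       {"weblogic": "Welcome1", "bob": "Bob-embedded-pw"})
    return [oid, default]


def duplicate_user_names(providers):
    """The check behind the note after step 16: user names held by more than one
    store. With both providers SUFFICIENT, whoever knows the second store's
    password for such a name logs in and is treated as that name's grantee."""
    owners = {}
    for p in providers:
        for user in p.users:
            owners.setdefault(user, []).append(p.name)
    return {u: names for u, names in owners.items() if len(names) > 1}


if __name__ == "__main__":
    chain = chain_from_page()
    for user, pw in [("alice", "Alice-pw-1"), ("weblogic", "Welcome1"), ("bob", "Bob-embedded-pw")]:
        print(user, authenticate(chain, user, pw))
    print("duplicates:", duplicate_user_names(chain))
```

With both providers SUFFICIENT, "bob" can log in with the embedded-store password even though the OID entry is the one that carries his Oracle Privileged Account Manager grants; that is the situation Section 20.3.24 describes, and duplicate_user_names is the check to run before enabling the chain. Changing the OID authenticator to REQUIRED and DefaultAuthenticator to OPTIONAL closes that path, at the cost that accounts living only in the embedded store (such as the WebLogic administrator) can no longer log in.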

To use Oracle Virtual Directory as the domain identity store, you must do the following:

3.3.3 Preparing the Identity Store

If you want to use an external LDAP server to serve as an identity store, you must seed the identity store with the necessary Oracle Privileged Account Manager users and groups.

The procedure in this section enables you to preconfigure Oracle Unified Directory (OUD) or Oracle Internet Directory (OID) for use as your LDAP identity store.

Note:

The data used in the examples below is sample data. Follow the examples and replace them with appropriate data according to your LDAP server configuration.

You must complete the following steps to preconfigure the Identity Store:

  1. Create a new .ldif file and name it OPAMGroups.ldif. Add the following entries to this file and save the .ldif file:

    dn: cn=IDMSuite,dc=mycompany,dc=com
    objectclass: orclContainer
    objectclass: top
    cn: IDMSuite
    
    dn: cn=IDMRoles,cn=IDMSuite,dc=mycompany,dc=com
    objectclass: orclContainer
    objectclass: top
    cn: IDMRoles
    
    dn: cn=components,cn=IDMRoles,cn=IDMSuite,dc=mycompany,dc=com
    objectclass: orclContainer
    objectclass: top
    cn: components
    
    dn: cn=OPAM,cn=components,cn=IDMRoles,cn=IDMSuite,dc=mycompany,dc=com
    objectclass: orclContainer
    objectclass: top
    cn: OPAM
    
    dn: cn=OPAM_APPLICATION_CONFIGURATOR,cn=OPAM,cn=components,cn=IDMRoles,cn=IDMSuite,dc=mycompany,dc=com
    objectclass: groupOfUniqueNames
    objectclass: top
    cn: OPAM_APPLICATION_CONFIGURATOR

    dn: cn=OPAM_USER_MANAGER,cn=OPAM,cn=components,cn=IDMRoles,cn=IDMSuite,dc=mycompany,dc=com
    objectclass: groupOfUniqueNames
    objectclass: top
    cn: OPAM_USER_MANAGER

    dn: cn=OPAM_SECURITY_ADMIN,cn=OPAM,cn=components,cn=IDMRoles,cn=IDMSuite,dc=mycompany,dc=com
    objectclass: groupOfUniqueNames
    objectclass: top
    cn: OPAM_SECURITY_ADMIN
    
    dn: cn=OPAM_SECURITY_AUDITOR,cn=OPAM,cn=components,cn=IDMRoles,cn=IDMSuite,dc=mycompany,dc=com
    objectclass: groupOfUniqueNames
    objectclass: top
    cn: OPAM_SECURITY_AUDITOR
    
  2. Add the OPAM Admin Role groups to Oracle Unified Directory using the ldapadd command in the following format:

    ldapadd -h <OUD Server> -p <OUD port> -D <OUD Admin ID> -w <OUD Admin password> -c -f ./OPAMGroups.ldif

    For example:

    ldapadd -h localhost -p 3938 -D "cn=Directory Manager" -w "passcode1" -c -f ./OPAMGroups.ldif

    If you encounter an authentication error, repeat the command with the -x (simple bind) option, as in the following example:

    ldapadd -h localhost -p 3938 -x -D "cn=Directory Manager" -w "password1" -c -f ./OPAMGroups.ldif

    Note that -w puts the directory administrator's password on the command line, where other users can see it in the process list and where it is recorded in your shell history; outside a throwaway test instance, use the ldapadd option that prompts for the password or reads it from a file. Also, -c tells ldapadd to continue after an error, so check its output for every entry in the file rather than assuming that all eight entries were added.

3.3.4 Assigning the Application Configurator Role to a User

After successful installation, there are no users with administrator roles.

To assign an OPAM Admin Role to a user, make the user a member of the corresponding OPAM LDAP group created in Section 3.3.3, "Preparing the Identity Store." Assign the Application Configurator role to a user by making the user a member of the OPAM_APPLICATION_CONFIGURATOR group.
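The LDIF in Section 3.3.3 uses dc=mycompany,dc=com as sample data and has to be re-based for a real directory, and the membership step above is the usual next edit. The following added example (not Oracle's code) generates the same eight entries for whatever base DN you pass in, checks that every entry's parent appears before it (ldapadd -c keeps going after an error, so a child added before its parent fails quietly), and builds the LDIF modify that makes a user a member of OPAM_APPLICATION_CONFIGURATOR. The base DN and the user DN uid=opamadmin,cn=users,dc=mycompany,dc=com are assumed sample values.

```python
"""Generate, order-check and extend the OPAM admin-role group LDIF from
Section 3.3.3 / 3.3.4. Added example, not Oracle's code; the base DN and
the user DN used in __main__ and in the tests are constructed samples."""

CONTAINERS = ("IDMSuite", "IDMRoles", "components", "OPAM")
ROLE_GROUPS = ("OPAM_APPLICATION_CONFIGURATOR", "OPAM_USER_MANAGER",
               "OPAM_SECURITY_ADMIN", "OPAM_SECURITY_AUDITOR")


def _entry(dn, objectclass, cn):
    """One LDIF add record (RFC 2849), terminated by a newline."""
    return "\n".join([f"dn: {dn}", f"objectclass: {objectclass}",
                      "objectclass: top", f"cn: {cn}", ""])


def opam_groups_ldif(base_dn):
    """The page's OPAMGroups.ldif re-based onto base_dn: the four nested
    orclContainer entries, then the four groupOfUniqueNames role groups."""
    entries = []
    parent = base_dn
    for cn in CONTAINERS:
        parent = f"cn={cn},{parent}"          # each container nests in the previous one
        entries.append(_entry(parent, "orclContainer", cn))
    for cn in ROLE_GROUPS:
        entries.append(_entry(f"cn={cn},{parent}", "groupOfUniqueNames", cn))
    return "\n".join(entries)                 # records separated by one blank line


def parent_dn(dn):
    """Parent of a DN. Naive split: assumes no escaped commas in RDN values."""
    return dn.split(",", 1)[1] if "," in dn else ""


def check_parent_order(ldif_text, base_dn):
    """Return the DNs whose parent is neither base_dn nor an earlier entry,
    i.e. the adds that ldapadd would reject with 'no such object'."""
    seen = {base_dn.lower()}
    orphans = []
    for line in ldif_text.splitlines():
        if line.lower().startswith("dn: "):
            dn = line[4:].strip()
            if parent_dn(dn).lower() not in seen:
                orphans.append(dn)
            seen.add(dn.lower())
    return orphans


def add_configurator_ldif(base_dn, user_dn):
    """LDIF modify that grants the Application Configurator role (Section 3.3.4)
    by adding user_dn as a uniqueMember of OPAM_APPLICATION_CONFIGURATOR."""
    group = ("cn=OPAM_APPLICATION_CONFIGURATOR,cn=OPAM,cn=components,"
             f"cn=IDMRoles,cn=IDMSuite,{base_dn}")
    return "\n".join([f"dn: {group}", "changetype: modify",
                      "add: uniquemember", f"uniquemember: {user_dn}", ""])


if __name__ == "__main__":
    base = "dc=mycompany,dc=com"                               # sample base DN
    ldif = opam_groups_ldif(base)
    print(ldif)
    print("out-of-order entries:", check_parent_order(ldif, base))
    print(add_configurator_ldif(base, "uid=opamadmin,cn=users," + base))  # sample user DN
```

Write the first output to OPAMGroups.ldif and load it with the ldapadd command from step 2; load the modify record with ldapmodify against the same server. RFC 4519 lists uniqueMember as a mandatory attribute of groupOfUniqueNames; OUD and OID accept the empty groups the page creates, but a directory that enforces the schema strictly rejects them until a member is supplied in the same add.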

Note:

The Application Configurator user can have other roles in addition to this role. For more information about other Admin Roles, refer to Section 2.3.1, "Administration Role Types."

When the Application Configurator user logs in by using the following URL, that user will see an empty screen with a Configure OPAM link.

http://managedserver_host:managedserver_port/oinav/opam

The Application Configurator user can use this link to let the Oracle Privileged Account Manager Console know where Oracle Privileged Account Manager server is running by providing the Oracle Privileged Account Manager server's host and port.

When the Oracle Privileged Account Manager Console can successfully communicate with the Oracle Privileged Account Manager server, the Oracle Privileged Account Manager Console will be populated with content.

You are now ready to start using Oracle Privileged Account Manager.

For information about invoking and working with the Oracle Privileged Account Manager Console, refer to Chapter 4, "Starting and Using the Oracle Privileged Account Manager Console."

If you prefer using the Oracle Privileged Account Manager Command Line Tool (CLI), refer to Appendix A, "Working with the Command Line Tool."

If you prefer using the Oracle Privileged Account Manager RESTful interface, refer to Appendix B, "Working with Oracle Privileged Account Manager's RESTful Interface."

3.4 Administering Oracle Privileged Account Manager

The following table describes the basic workflows that are performed by Oracle Privileged Account Manager administrator users based on their different Admin Roles.

Note:

An administrator with the Application Configurator Admin Role should have already configured a connection to the Oracle Privileged Account Manager servers. Refer to Section 5.2.2, "Configuring a Connection to the Oracle Privileged Account Manager Server" for more information.

Table 3-5 Administrator Workflows Based on Admin Roles

Administrator Responsibility

Application Configurator

  1. Configures and manages the Oracle Privileged Account Manager Console and servers.

  2. Manages plug-in configurations.

Security Administrator

  1. Evaluates Oracle Privileged Account Manager's Default Usage Policy and Default Password Policy and, if necessary, modifies these policies or creates new ones.

  2. Adds targets to Oracle Privileged Account Manager.

  3. Adds privileged accounts on that target.

    Note: This role cannot assign grantees to privileged accounts.

  4. Assigns a Password Policy to privileged accounts.

  5. Manages existing targets, accounts, and policies.

  6. Manages under which conditions plug-ins can be executed.

    These administrators can enable or disable plug-in configurations and configure rules that control whether Oracle Privileged Account Manager executes the plug-in and in which order those rules are executed.

User Manager

  1. Assigns grants to accounts.

  2. Creates and manages Usage Policies as needed.

  3. Assigns a Usage Policy to grants.

  4. Manages existing grants and Usage Policy assignments.

  5. Searches for and views plug-ins.

Security Auditor

  1. Evaluates Oracle Privileged Account Manager reports.


Note:

For more information about these Admin Roles, refer to Section 2.3.1, "Administration Role Types."

3.5 Working with Oracle Privileged Account Manager Self-Service

The following steps describe the basic workflow of a Self-Service user with no administrator privileges:

  1. View accounts

  2. Search for an account

  3. Check out accounts

  4. View checked-out accounts

  5. Check in accounts

  6. Check out a session

  7. View checked out sessions

  8. Check in a session

  9. View an account password

Note:

Refer to Chapter 14, "Working with Self-Service" for detailed information about how to perform these tasks.