7 Working with Service Accounts

This chapter provides background information about OPAM service accounts, including an example for creating those accounts.

The topics in this chapter include:

  • Understanding Service Accounts

  • Creating Service Accounts

  • Managing Service Account Passwords

7.1 Understanding Service Accounts

Before adding a target to Oracle Privileged Account Manager, you must configure an OPAM service account (also called an unattended account) for that target. OPAM service accounts (service accounts) enable Oracle Privileged Account Manager to connect to and manage target systems.

You use an OPAM service account to configure the credentials for a target system.

Note:

  • Service accounts do not apply for lockbox-type targets.

  • You must never use the same account as a service account and a privileged account to be managed by Oracle Privileged Account Manager.

A service account must have sufficient privileges to perform all Oracle Privileged Account Manager-related operations on the target system, such as:

  • Searching for and viewing details about the accounts on the target. This is used for every operation that looks up an account, such as adding privileged accounts on the system to Oracle Privileged Account Manager and locating the account during checkout.

  • Changing account passwords on the target. This is used for operations that involve a password change, such as checkout, check-in, and resetpassword.

  • Changing its own password. This is used for resetting the target service account password, that is, changing the password of the service account itself.

7.2 Creating Service Accounts

This section provides information about creating a service account to use when connecting to a target system.

Note:

Never use the same account as both a service account and a privileged account to be managed by Oracle Privileged Account Manager.

The methods for creating a service account and assigning privileges to that account depend on the target system. For example, the steps for creating accounts and assigning roles on an Oracle Database system are different from the steps for a UNIX operating system.

The following examples illustrate two methods for creating a service account:

Note:

These examples are only provided as a reference. You can achieve the same result by using other means.

On an Oracle Database System:

  1. Use SQL*Plus and connect as the sys user.

  2. Run the following commands to create the opamsrvc account:

    connect sys/<password> as sysdba
    create user opamsrvc identified by <password>;
    -- system privileges and object privileges require separate GRANT statements
    grant connect, alter user to opamsrvc;
    grant select on dba_users to opamsrvc;

On a Linux System:

  1. Log in to the Linux system as root.

  2. Run the following commands to create the opam_service account:

    $ useradd -d /home/opam_service -m -g root -G bin,daemon,sys,adm,disk,wheel -o -u 0 opam_service
    $ passwd opam_service
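The useradd command above deliberately creates opam_service as a second UID 0 account (-o -u 0). The following added script (not part of the Oracle documentation) audits a passwd file for UID 0 entries so that an administrator can confirm only root and the service account carry that UID; the sample passwd content and the account names other than root and opam_service are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: list UID 0 accounts in a passwd file and flag any that are
# not on an allowed list. Assumes a standard colon-separated passwd format.

# uid0_accounts FILE -> prints the login name of every UID 0 entry, one per line
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# unexpected_uid0 FILE NAME... -> prints UID 0 logins that are not in NAME...
# Returns 0 when every UID 0 account is allowed, 1 when at least one is not.
unexpected_uid0() {
    file="$1"; shift
    allowed=" $* "
    found=0
    for login in $(uid0_accounts "$file"); do
        case "$allowed" in
            *" $login "*) ;;
            *) echo "UNEXPECTED UID 0 account: $login"; found=1 ;;
        esac
    done
    return $found
}

# Constructed sample passwd file (not a real system file): root, one ordinary
# account, the OPAM service account, and a stale extra UID 0 account.
demo_passwd=$(mktemp)
cat > "$demo_passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
opam_service:x:0:0::/home/opam_service:/bin/bash
legacy_admin:x:0:0::/home/legacy_admin:/bin/bash
EOF

echo "UID 0 accounts:"
uid0_accounts "$demo_passwd"
# Only root and the service account are expected; legacy_admin is reported.
unexpected_uid0 "$demo_passwd" root opam_service || echo "review the entries above"
```

Run it against /etc/passwd on the target after creating the service account to confirm that no UID 0 account other than root and opam_service exists.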

7.2.1 Creating a Target System SUDO User Account for Connector Operations

Oracle Privileged Account Manager uses a target system account for performing reconciliation and provisioning operations. On all supported target systems, this account must be either the root user or a sudo user.

To create a target system user account with the minimum permissions required to perform connector operations, perform the following procedure:

  1. If SUDO is not installed on the target system, then install it from the installation media.

  2. Use the visudo command to edit and customize the /etc/sudoers file according to your requirements.

    Note:

    If you cannot use the visudo command to edit the sudoers file, then:
    1. Enter the following command:

      chmod 777 /etc/sudoers
      
    2. Make the required changes in the sudoers file.

    3. Enter the following command:

      chmod 440 /etc/sudoers
      

    For example, if you have a group named mqm on the Linux server and require all members of the group to act as SUDO users with all possible privileges, then the sudoers file must contain the following line:

    %mqm ALL=(ALL) ALL
    

    This example is only a sample configuration. If you need other group members or individual users to be SUDO users with specific privileges, then edit this file in the same way as for the sample group mqm.

    The SUDO user must therefore have the privileges required to run the commands that the connector executes on the target.

  3. Edit the same sudoers file so that the SUDO user stays validated for 10 minutes after being validated once. You may need to increase the timeout if the reconciliation operation takes longer than 10 minutes and you encounter errors such as "Permission denied". At the beginning of each operation, the connector validates the user by running sudo -v, so that the operation stays validated for a maximum of 10 minutes. After carrying out the operation, the connector runs sudo -k to clear the validation.

    Add the following line under the # Defaults specification header:

    Defaults timestamp_timeout=10
    

    This is a prerequisite for this connector to work successfully.

  4. Edit the same sudoers file so that every time a command is run in SUDO Admin mode, the SUDO user is prompted for the password. Add the following line under the # Defaults specification header:

    Defaults timestamp_timeout=10
    

    This is a prerequisite for this connector to work successfully.

  5. Create a SUDO user as follows:

    1. Enter the following command:

      useradd -g group_name -d /home/directory_name -m user_name
      

      In this command:

      - group_name is the SUDO users group for which there is an entry in the /etc/sudoers file.

      - directory_name is the name of the home directory to create for the user under /home.

    2. In the .bash_profile file, which is created in the /home/directory_name directory, add the following lines to set the PATH environment variable:

      PATH=/usr/sbin:$PATH
      export PATH
      
  6. In the sudo user's .bashrc, .cshrc, or .kshrc file, which is created in the sudo user's home directory, add the following line to change the prompt end character from $ (dollar sign) to # (pound sign):

    PS1="[\\u@\\h:\\w]#"
    

    The encrypted passwords in the shadow file contain $ (dollar sign), which matches the default prompt end character. You must change the prompt end character to ensure that changes made to the shadow file are reconciled correctly.

  7. Log in as the sudo user.

  8. Run the sudo -k command on the target system to clear the validation.

  9. Run the sudo -v command on the target system and ensure that the password prompt is displayed.

    The connector will not work if the sudo user is not prompted for a password at this step.
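Steps 2 through 4 of the procedure above change the sudoers file and then restore its mode to 440. The following added script (not part of the Oracle documentation) checks a sudoers file offline for the settings the connector needs: the 440 mode, the Defaults timestamp_timeout=10 line, and a correctly prefixed group entry (a sudoers line for a group must start with %, otherwise the name is matched as a user). It assumes GNU stat as found on Linux; the sample sudoers contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: verify the sudoers settings required by section 7.2.1.
# check_sudoers_config FILE GROUP
#   FILE  : a sudoers file (a copy, or /etc/sudoers when run as root)
#   GROUP : the SUDO users group expected to have an entry, for example mqm
# Returns 0 when all checks pass, 1 otherwise, printing each failure.
check_sudoers_config() {
    file="$1"; group="$2"; rc=0
    # 1. The file must be back at mode 440 (the procedure sets 777 temporarily).
    mode=$(stat -c '%a' "$file")
    if [ "$mode" != "440" ]; then
        echo "FAIL: $file mode is $mode, expected 440"; rc=1
    fi
    # 2. Validation timeout for the connector's sudo -v / sudo -k cycle.
    if ! grep -Eq '^[[:space:]]*Defaults[[:space:]]+timestamp_timeout[[:space:]]*=[[:space:]]*10[[:space:]]*$' "$file"; then
        echo "FAIL: Defaults timestamp_timeout=10 is not set"; rc=1
    fi
    # 3. A group entry without the % prefix is treated as a user named GROUP.
    if grep -Eq "^[[:space:]]*${group}[[:space:]]+ALL" "$file"; then
        echo "FAIL: '$group' entry lacks the % prefix (matches a user, not a group)"; rc=1
    fi
    if ! grep -Eq "^[[:space:]]*%${group}[[:space:]]+ALL[[:space:]]*=[[:space:]]*\(ALL\)[[:space:]]+ALL[[:space:]]*$" "$file"; then
        echo "FAIL: no '%$group ALL=(ALL) ALL' entry found"; rc=1
    fi
    return $rc
}

# Constructed sample files (not real sudoers files): one correct, one with the
# unprefixed group entry, no timeout line, and the mode left at 777.
demo_dir=$(mktemp -d)
good="$demo_dir/sudoers.good"; bad="$demo_dir/sudoers.bad"
printf '# Defaults specification\nDefaults timestamp_timeout=10\n%%mqm ALL=(ALL) ALL\n' > "$good"
printf '# Defaults specification\nmqm ALL= (ALL) ALL\n' > "$bad"
chmod 440 "$good"; chmod 777 "$bad"

check_sudoers_config "$good" mqm && echo "$good: OK"
check_sudoers_config "$bad" mqm || echo "$bad: problems found"
```

This only inspects the file; the live check that the connector actually needs is still steps 8 and 9 above (sudo -k, then sudo -v must prompt for a password).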

7.3 Managing Service Account Passwords

Oracle Privileged Account Manager provides the following options for managing a target's service account passwords:

  • Showing the current service account password

  • Viewing the password history

  • Resetting the service account password

  • Automatic password rollover, governed by the target's password policy

Administrators with the Security Administrator Admin Role can perform these password management tasks by using the Oracle Privileged Account Manager Console, command line tool, or REST API.

Note:

Oracle Privileged Account Manager audits password management actions to keep track of password access.

7.3.1 Showing Service Account Passwords

If necessary, you can review the stored password for a target's service account by using the Show Password option, located above the Search Results table on the Targets page.

Note:

  • This command is not applicable for the lockbox target type and it will return an "Operation not supported" error message.

  • If someone changes a target's service account password from a location other than the current Oracle Privileged Account Manager instance, such as from another Oracle Privileged Account Manager instance in a different domain, the Show Password feature cannot display the new password and connections to the target will fail.

    To resolve this situation, you must update the password in Oracle Privileged Account Manager by editing the target from the Console or from the command line.

Use the following steps:

  1. Select Targets in the Administration accordion.

  2. When the Targets tab is displayed, use the Search portlet to locate the target.

  3. Select the target row number and then click Show Password.

    The Show Current Password dialog box is displayed and it provides the following information about the target's service account password:

    • Target Name

    • Service Account Name

    • Current Password

    • Password Change Time

  4. When you are finished, click Close.

7.3.2 Viewing the Password History

Use the Password History option to view the password history for a target's service account.

Note:

Password History is not available for lockbox targets.

To view a target's password history,

  1. Select Targets in the Administration accordion to open the Search Targets page, and then click Search.

  2. Select the row number of the target.

  3. When the Password History icon becomes active, click Password History.

    The Show Password History dialog box is displayed with the Target Name, the Password in clear text, and the Modification Time (the date and time of the password reset).

  4. When you are finished, click Close.

7.3.3 Resetting Service Account Passwords

If necessary, you can manually reset the stored password for a target's service account by using the Reset Password option, located above the Search Results table.

Note:

The Reset Password option is not applicable for the lockbox target type or the ldap target type and, if selected, it will return an "Operation not supported" error message.

Use the following steps:

  1. Select Targets in the Administration accordion.

  2. When the Targets tab is displayed, use the Search portlet to locate the target.

  3. Select the target row number and then click Reset Password.

    The Reset Password dialog box is displayed and provides the following information about the target's service account password:

    • Target Name

    • Service Account Name

    This dialog box also contains two options for resetting the password:

    • New Password: Type a new password into the space provided.

    • Generate password automatically: Enable the checkbox to automatically generate a password, according to the account's Password Policy.

  4. Type a new password or enable the checkbox, and then click Reset.

7.3.4 Understanding Service Account Password Rollover

In Oracle Privileged Account Manager, the service account for a target is governed by the password policy assigned to the target.

Password rollover for a target's service account is similar to password expiration for privileged accounts. If you enable password rollover for the service account, and the password has not been changed by the expiration date configured in the associated Password Policy, then Oracle Privileged Account Manager will automatically change the password to a randomized value.

Note:

Refer to Section 6.2, "Adding and Configuring Targets in Oracle Privileged Account Manager" for information about enabling password rollover for the different target types.