6 Working with Targets

This chapter describes the different tasks you can perform when working with targets in Oracle Privileged Account Manager.

This chapter includes the following sections:

6.1 What Are Targets?

A target is a software system that contains, uses, and relies on user, system, or application accounts.

You cannot create targets in, or delete targets from, your environment by using Oracle Privileged Account Manager. Rather, Oracle Privileged Account Manager manages existing targets that were provisioned using other mechanisms.

When you "add" a target in Oracle Privileged Account Manager, you are creating a reference to that target. In effect, you are registering the target and asking Oracle Privileged Account Manager to manage it. When you "remove" a target from Oracle Privileged Account Manager, you are only removing that reference.

Oracle Privileged Account Manager supports database, LDAP, lockbox, SAP UM, SAP UME, SSH, UNIX, and Windows target types.

A lockbox target provides password vault-like functionality in Oracle Privileged Account Manager. That is, it provides a secure mechanism for storing the passwords (or any kind of sensitive information) associated with privileged accounts in your deployment. This target type is different from the other conventional Oracle Privileged Account Manager target types in the following ways:

  • Oracle Privileged Account Manager does not interact with lockbox target systems. There is no connectivity to, or operations performed against, these systems.

  • Oracle Privileged Account Manager does not manage the password lifecycle or reset passwords associated with accounts on lockbox targets.

  • Password modifications are handled out-of-band and updated into Oracle Privileged Account Manager as an administrative action. Therefore, Oracle Privileged Account Manager does not randomize the passwords; rather, they are stored as given by the administrator.

A lockbox target may be preferable when you want to centrally store and securely grant privileged account passwords without having Oracle Privileged Account Manager automatically manage those accounts on the target systems. For example, you might want to control how and when the passwords on those target systems are modified, as opposed to allowing Oracle Privileged Account Manager to do so.

Additionally, a lockbox target may be useful when an appropriate ICF connector is unavailable for a specific target type, but you still want to manage access to that system through Oracle Privileged Account Manager.

6.2 Adding and Configuring Targets in Oracle Privileged Account Manager

This section discusses the following topics:

6.2.1 Adding a Target

Note:

When adding a target of any Target Type (except lockbox), you must configure a service account (also called an unattended account) with privileges that enable that account to:
  • Search for accounts on the target system

  • Modify the passwords of accounts on the target system

You must never use the same account as a service account and as a privileged account to be managed by Oracle Privileged Account Manager.

For additional information about service accounts, see the description for attended and unattended accounts in Section 1.2.1, "Features" and refer to Chapter 7, "Working with Service Accounts."

Note:

If you are using Oracle Privileged Account Manager on IBM WebSphere, refer to the "Differences When Adding Targets to Oracle Privileged Account Manager on IBM WebSphere" section in the Oracle Fusion Middleware Third-Party Application Server Guide for Oracle Identity and Access Management for information about this topic.

Perform the following steps to add a target that Oracle Privileged Account Manager can manage:

  1. Log in to Oracle Privileged Account Manager.

  2. Select Targets from the Administration accordion to open the Targets page.

  3. Click Add, which is located on the Search Results table toolbar, to open a new Target. A new "Untitled" page is opened, which will contain the three following tabs:

    Note:

    Only the General tab is active at this point. The Privileged Accounts and Member-of tabs do not become active until you create and save the target.
    • General

      This tab generally contains three areas which are used to specify their respective parameters for the target. The three areas are:

      • Basic Configuration

      • Advanced Configuration

      • Custom Attributes

    • Privileged Accounts

      This tab lists the privileged accounts currently being managed on the target and enables you to add, open, and remove the accounts that are managed by that target.

    • Member-of

      This tab contains a table listing the different resource groups, which the privileged account is a member of.

  4. On the General tab, select the Target Type drop-down list to select a target type (database, ldap, lockbox, sapum, sapume, ssh, unix, or windows), and then set the remaining configuration parameters and custom attributes.

    Note:

    When you set the target type, the new "Untitled" page refreshes and the parameters change based on your selection.
  5. After setting the target configuration parameters, click Test to check the configuration of the target.

    If the configuration is valid, a "Test Succeeded" message is displayed.

  6. Click Save to add your new target on the Oracle Privileged Account Manager server.

    Oracle Privileged Account Manager automatically assigns a Target GUID and you can view this read-only value at the bottom of the Basic Configuration parameters section.

You can now associate this target with a privileged account. For detailed instructions, refer to Section 9.2, "Adding Privileged Accounts into Oracle Privileged Account Manager."

6.2.2 Configuring a Target

The following sections describe the available parameters for each target:

Note:

You must specify all of the required attributes indicated by an asterisk (*) symbol.

6.2.2.1 Configuring the Database Target

When you select the "database" target type, the following regions are displayed:

  • Basic Configuration:

    This region contains the basic configuration parameters for which the values can be specified while creating a database target type. Refer to Table 6-1 for the description of these parameters.

  • Advanced Configuration:

    This region contains the optional advanced configuration parameters for which values can be specified while creating a database target type. Refer to Table 6-2 for the description of these parameters.

Table 6-1 Basic Configuration Parameters for the Database Target Type

Parameter Name Description

Name

Enter a name for the new target.

Description

Enter a description for this target.

Organization

Enter the name of an organization to associate with the target.

Domain

Enter the domain of the target server.

Password Policy

Select a Password Policy to apply to the target's service account. Oracle Privileged Account Manager uses this policy to auto-generate passwords.

Connector Server

Select a connector server from the drop-down list to specify the connector server to be used.

Default is None.

Enable Password Rollover

Enable this box to allow Oracle Privileged Account Manager to automatically change (rollover) the service account password for this target to a randomized value according to the "Expire password after" setting that is specified in the assigned Password Policy.

Note: Password rollover for target service accounts is similar to password expiration for privileged accounts. If a password has not been changed by the expiration date configured in the associated Password Policy, then Oracle Privileged Account Manager will automatically change the password to a randomized value.

Host

Enter the host name of the target server.

Database Connection URL

Enter the JDBC URL used to identify the target system location. For example,

Oracle: jdbc:oracle:thin:@<host>:<port>:<sid>

Note: Oracle Privileged Account Manager supports the Oracle, MSSQL, Sybase, and MySQL database types.

Refer to the Oracle Identity Manager Connector Guide for Database User Management for information about special options that are supported.

Admin User Name (Service Account)

Enter the administrator's name to use when connecting to this target.

Note: If you are using the sys user name, you must enter internal_logon=sysdba in the Connection Properties field, which is located in the Advanced Configuration area. This entry is not required for "system."

Admin User Password (Service Account Password)

Enter the user's password.

Database Type

Select the type of database (Oracle, MSSQL, Sybase, or MySQL) for which the connector will be used.

If you select an Oracle database target, then no driver jar is required. For other target systems, you must copy third-party jars. Refer to Section 6.2.4.1, "Copying Third-Party JARs for the Database Target" for more information.

Member-of Resource Group

Search for and select a resource group with which this target can be associated.


The following table discusses the optional advanced configuration parameter:

Table 6-2 Advanced Configuration Parameters for the Database Target Type

Parameter Name Description

Connection Properties

Enter connection properties to use while configuring a secured connection.

These properties must be name-value pairs given in the following format: prop1=val1#prop2=val2
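The rules this section gives for a database target (the Oracle URL form, the prop1=val1#prop2=val2 Connection Properties format, the internal_logon=sysdba requirement for sys, and the rule in Section 6.2.1 that a service account must never also be a managed privileged account) can be checked before the values are entered in the console. The following Python check is an added example, not Oracle code; the dictionary keys, the function names, the case-insensitive name comparison and the host-agreement check are assumptions made for illustration.

```python
import re

# Form of the Oracle URL shown in Table 6-1: jdbc:oracle:thin:@<host>:<port>:<sid>
ORACLE_THIN_URL = re.compile(
    r"^jdbc:oracle:thin:@(?P<host>[^:/@\s]+):(?P<port>\d+):(?P<sid>[^:/@\s]+)$"
)


def parse_connection_properties(raw):
    """Parse 'prop1=val1#prop2=val2' into (properties, errors)."""
    props, errors = {}, []
    if not raw.strip():
        return props, errors          # the field is optional
    for index, pair in enumerate(raw.split("#"), start=1):
        name, sep, value = pair.partition("=")   # split on the first '=' only
        name, value = name.strip(), value.strip()
        if not sep or not name:
            errors.append(f"pair {index} ({pair!r}) is not in name=value form")
        elif name in props:
            errors.append(f"property {name!r} is given more than once")
        else:
            props[name] = value
    return props, errors


def check_database_target(target):
    """Return a list of findings; an empty list means no rule was violated."""
    props, findings = parse_connection_properties(
        target.get("connection_properties", "")
    )

    if target["database_type"] == "Oracle":
        match = ORACLE_THIN_URL.match(target["url"])
        if match is None:
            findings.append(
                "URL is not in the jdbc:oracle:thin:@<host>:<port>:<sid> form"
            )
        else:
            if not 1 <= int(match["port"]) <= 65535:
                findings.append(f"port {match['port']} is outside 1-65535")
            # Assumption: the Host field and the URL name the same server.
            if match["host"].lower() != target["host"].lower():
                findings.append("Host field and URL host do not agree")

    admin = target["admin_user"].strip().lower()
    # Table 6-1: sys needs internal_logon=sysdba; "system" does not.
    if admin == "sys" and props.get("internal_logon", "").lower() != "sysdba":
        findings.append(
            "admin user sys requires internal_logon=sysdba in Connection Properties"
        )

    # Section 6.2.1: the service account must never also be a managed account.
    managed = {name.strip().lower() for name in target.get("managed_accounts", [])}
    if admin in managed:
        findings.append("service account is also listed as a managed privileged account")
    return findings


# Constructed sample values; none of them come from a real deployment.
GOOD_TARGET = {
    "database_type": "Oracle",
    "host": "db01.example.com",
    "url": "jdbc:oracle:thin:@db01.example.com:1521:ORCL",
    "admin_user": "opam_svc",
    "connection_properties": "",
    "managed_accounts": ["system", "hr_admin"],
}
BAD_TARGET = {
    "database_type": "Oracle",
    "host": "db01.example.com",
    "url": "jdbc:oracle:thin:@db02.example.com:1521:ORCL",
    "admin_user": "SYS",
    "connection_properties": "prop1=val1#internal_logon",
    "managed_accounts": ["sys", "hr_admin"],
}

if __name__ == "__main__":
    for label, target in (("good", GOOD_TARGET), ("bad", BAD_TARGET)):
        print(label, check_database_target(target))
```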


6.2.2.2 Configuring the LDAP Target Type

When you select the "ldap" target type, the following regions are displayed:

  • Basic Configuration

    This region contains the basic configuration parameters for which values can be specified while creating an ldap target type. Refer to Table 6-3 for the description of these parameters.

  • Advanced Configuration

    This region contains the optional advanced configuration parameters for which values can be specified while creating an ldap target type. Refer to Table 6-4 for the description of these parameters.

Table 6-3 Basic Configuration Parameters for the LDAP Target Type

Parameter Name Description

Name

Enter a name for the new target.

Description

Enter a description for this target.

Organization

Enter the name of an organization to associate with the target.

Domain

Enter the domain of the target server.

Password Policy

Select a Password Policy to apply to the target's service account. Oracle Privileged Account Manager uses this policy to auto-generate passwords.

Connector Server

Select a connector server from the drop-down list to specify a connector server to be used.

Default is None.

Host

Enter the host name of the target server.

TCP Port

Enter the TCP/IP port to use when communicating with the LDAP server.

You can use the up/down arrow icons to increment this value.

SSL

Enable this box to use Secure Socket Layer (SSL) when connecting to the LDAP server.

Note: For SSL connectivity, you must import an SSL certificate to the J2EE container hosting Oracle Privileged Account Manager. For more information, refer to Section 17.1, "Configuring Oracle Privileged Account Manager to Communicate With Target Systems Over SSL."

Principal (Service Account)

Enter the distinguished name (DN) to use when authenticating to the LDAP server.

For example, cn=admin

Password (Service Account Password)

Enter the user's password.

Base Contexts

Enter one or more starting points in the LDAP tree to use when searching the tree for users on the LDAP server or when looking for groups where the user is a member. Use a pipe (|) to separate values.

Account User Name Attribute

Enter the attribute to be used as the account's user name. (Default is uid).

Member-of Resource Group

Search for and select a resource group with which this target can be associated.


The following table discusses the optional advanced configuration parameters:

Table 6-4 Advanced Configuration Parameters for the LDAP Target Type

Parameter Name Description

Uid Attribute

Enter the name of the LDAP attribute that is mapped to the Uid attribute.

LDAP Filter for Retrieving Accounts

Enter an LDAP filter to control which accounts are returned from the LDAP resource.

If you do not specify a filter, Oracle Privileged Account Manager returns only those accounts that include all of the specified object classes.

Password Attribute

Enter the name of the LDAP attribute that holds the password.

When changing a user's password, Oracle Privileged Account Manager sets the new password to this attribute.

Account Object Classes

Enter one or more object classes to use when creating new user objects in the LDAP tree.

Type each object class on its own line. Do not use commas or semicolons to separate entries.

Some object classes require you to specify them in their class hierarchy, using a pipe (|) to separate the values.


6.2.2.3 Configuring the Lockbox Target Type

When you select the "lockbox" target type, the Basic Configuration region is displayed. This region contains the basic configuration parameters for which values can be specified while creating a lockbox target type. Refer to Table 6-5 for the description of these parameters.

Table 6-5 Basic Configuration Parameters for the Lockbox Target Type

Parameter Name Description

Name

Enter a name for the new target.

Description

Enter a description for this target.

Organization

Enter the name of an organization to associate with the target.

Domain

Enter the domain of the target server.

Host

Enter the host name of the target server.

Member-of Resource Group

Search for and select a resource group with which this target can be associated.


Note:

You can add configuration parameters to this list by editing the opam-config.xml file as described in Section 3.2.3, "Consuming ICF Connectors."

6.2.2.4 Configuring the UNIX Target Type

When you select the "unix" target type, the following regions are displayed:

  • Basic Configuration

    This region contains the basic configuration parameters for which values can be specified while creating a unix target type. Refer to Table 6-6 for the description of these parameters.

  • Advanced Configuration

    This region contains the optional advanced configuration parameters for which values can be specified while creating a unix target type. Refer to Table 6-7 for the description of these parameters.

Table 6-6 Basic Configuration Parameters for the Unix Target Type

Parameter Name Description

Name

Enter a name for the new target.

Description

Enter a description for this target.

Organization

Enter the name of an organization to associate with the target.

Domain

Enter the domain of the target server.

Password Policy

Select a Password Policy to apply to the target's service account. Oracle Privileged Account Manager uses this policy to auto-generate passwords.

Connector Server

Select a connector server from the drop-down list to specify a connector server to be used.

Default is None.

Enable Password Rollover

Enable this box to allow Oracle Privileged Account Manager to automatically change (rollover) the service account password for this target to a randomized value according to the "Expire password after" setting that is specified in the assigned Password Policy.

Note: Password rollover for target service accounts is similar to password expiration for privileged accounts. If a password has not been changed by the expiration date configured in the associated Password Policy, then Oracle Privileged Account Manager will automatically change the password to a randomized value.

Host

Enter the host name of the target server.

Port

Enter the port (Default port is 22) used to connect with the UNIX server. You can use the up/down arrow icons to increment this value.

Note: Only the SSH protocol is supported.

Login User (Service Account)

Enter the user name to use when connecting to this target.

Login User Password (Service Account Password)

Enter the user's password.

Login Shell Prompt

Enter the shell prompt to display when you log in to the target.

For example, $ or #.

Note: When using sudo authorization, the prompts for the login user and the sudo root account may be different. For example, jdoe's shell prompt might be $, but that prompt may change to # after a sudo to root. In such cases, you must specify both symbols within square brackets [ ]. The default value, [$#%>~], consists of all the commonly used UNIX shell prompts and will work for most situations.

Sudo authorization

Enable this box if the user requires sudo authorization.

Do not enable this box for the root user.

Note: When using sudo authorization, the UNIX connector requires that certain conditions must be met in the target system, such as a specific configuration in the sudoers file. For information about these conditions, refer to "Creating a Target System SUDO User Account for Connector Operations" in the Oracle Identity Manager Connector Guide for UNIX.

Member-of Resource Group

Search for and select a resource group with which this target can be associated.


The following table discusses the optional advanced configuration parameters:

Table 6-7 Advanced Configuration Parameters for the Unix Target Type

Parameter Name Description

Command timeout

Specify how long (in milliseconds) to wait for the command to complete before terminating that command.

Password Expect Expressions

Specify the expressions displayed on the target when setting the user's password. For example, if the Enter password and Re-enter password expressions are displayed when you run the passwd command, then the value for this field can be enter password,re-enter password.

Note: You can provide a regular expression here. Use a comma to separate the two expressions.

Pre-password expectExpression

When you run the passwd command on some targets, prompts can be displayed before the password prompts appear. Specify the prompt expression and the expected input value, using a comma to separate these values.

sudo password expectExpression

Specify the password prompt to be displayed when running a command in sudo mode. (Default value is password)

Note: This is the prompt you will receive when you type sudo -v after sudo has been set up, if you are using a sudo user. If you see a different prompt, such as the following, where oracle is the user:

[sudo] password for Oracle:

then it is a dynamic prompt, and you must change it to the default static prompt so that the connector can expect the prompt to enter the password. The default password prompt can be set up using a sudo user by adding the following command in the "Defaults" section:

Defaults passprompt="password:"


6.2.2.5 Configuring the Windows Target Type

When you select the "windows" target type, the Basic Configuration region is displayed. This region contains the basic configuration parameters for which values can be specified while creating a windows target type. Refer to Table 6-8 for the description of these parameters.

Table 6-8 Basic Configuration Parameters for the Windows Target Type

Parameter Name Description

Name

Enter a name for the new target.

Description

Enter a description for this target.

Organization

Enter the name of an organization to associate with the target.

Domain

Enter the domain of the target server.

Password Policy

Select a Password Policy to apply to the target's service account. Oracle Privileged Account Manager uses this policy to auto-generate passwords.

Connector Server

Select a connector server from the drop-down list to specify a connector server to be used.

Default is None.

Note: A Windows target requires a connector server with a Windows Connector installed on it. Refer to Section 5.4, "Managing a Connector Server" for more information about configuring a connector server.

Enable Password Rollover

Enable this box to allow Oracle Privileged Account Manager to automatically change (rollover) the service account password for this target to a randomized value according to the "Expire password after" setting that is specified in the assigned Password Policy.

Note: Password rollover for target service accounts is similar to password expiration for privileged accounts. If a password has not been changed by the expiration date configured in the associated Password Policy, then Oracle Privileged Account Manager will automatically change the password to a randomized value.

Host

Enter the host name of the target server.

Administrators Account

Enter the user name of the Administrator account.

Note: The format for AdminName can be any of the following:

  • MachineName\Username

  • DomainName\Username

    You can give the IP address of the machine as the Hostname if the AdminName is given in the format DomainName\Username.

Administrators Password

Enter the password of the Administrator account.

Member-of Resource Group

Search for and select a resource group with which this target can be associated.


6.2.2.6 Configuring the SSH Target Type

When you select the "ssh" target type, the Basic Configuration region is displayed. This region contains the basic configuration parameters for which values can be specified while creating an ssh target type. Refer to Table 6-9 for the description of these parameters.

Note:

Some examples of network devices that support SSH are routers, firewalls, and hypervisors. Refer to Appendix C, "Working with the SSH Connector" for detailed information on how to add customizations to work with your specific network device.

The customization process involves creating scripts and framing regular expressions. Refer to the following sections for detailed information about these steps:

Table 6-9 Basic Configuration Parameters for the SSH Target Type

Parameter Name Description

Name

Enter a name for the new target.

Description

Enter a description for this target.

Organization

Enter the name of an organization to associate with the target.

Domain

Enter the domain of the target server.

Password Policy

Select a Password Policy to apply to the target's service account. Oracle Privileged Account Manager uses this policy to auto-generate passwords.

Connector Server

Select a connector server from the drop-down list to specify a connector server to be used.

Default is None.

Enable Password Rollover

Enable this box to allow Oracle Privileged Account Manager to automatically change (rollover) the service account password for this target to a randomized value according to the "Expire password after" setting that is specified in the assigned Password Policy.

Note: Password rollover for target service accounts is similar to password expiration for privileged accounts. If a password has not been changed by the expiration date configured in the associated Password Policy, then Oracle Privileged Account Manager will automatically change the password to a randomized value.

Host

Enter the host name of the target server.

Manage Privilege Mode Password

Enable this box to allow Oracle Privileged Account Manager to manage the Privilege Mode Password of this target for Cisco devices.

Note: The Privilege Mode Password is used by some Cisco devices to enter privilege mode, where privileged commands can be executed.

If this option is selected, an account called "PRIVILEGE_MODE_ACCOUNT" will be created under the target in Oracle Privileged Account Manager. Security Administrators can use this account to manage the privilege mode password of that Cisco device. For example, when the password of this account is reset, the privilege mode password of the Cisco device will also be reset.

When the password is reset on this account, the script defined for the UPDATE_ACCOUNT operation will be used to reset the privilege mode password on the Cisco device. Refer to Section C.2, "Creating Scripts" and Section C.4.1.1, "Contents Of the Script Files" for detailed information about scripts.

Port

Enter the port (default port is 22) used to connect with the SSH server. You can use the up/down arrow icons to increment this value.

Note: Only the SSH protocol is supported.

Login User Name (Service Account)

Enter the user name to use when connecting to this target.

Password (Service Account Password)

Enter the password of the user that is used to connect to this target.

Properties File Path

Enter the full path of the .properties file.

Search Regex

Enter the regex (regular expression) that must be used to fetch users, roles, or both from the user search output obtained from the target.

Login Shell Prompt

Enter the shell prompt to display when you log in to the target.

For example, $ or #.

Privilege Mode Password

This field is optional. Enter the password used to access privilege mode. Specify a value for this parameter only if you are using a Cisco device; otherwise, you can ignore this field.

Member-of Resource Group

Search for and select a resource group with which this target can be associated.


6.2.2.7 Configuring the SAP UM Target Type

When you select the "sapum" target type, the following regions are displayed:

  • Basic Configuration

    This region contains the basic configuration parameters for which values can be specified while creating an sapum target type. Refer to Table 6-10 for the description of these parameters.

  • Advanced Configuration

    This region contains the optional advanced configuration parameters for which values can be specified while creating an sapum target type. Refer to Table 6-11 for the description of these parameters.

Note:

You must copy third-party jars for this target. Refer to Section 6.2.4.2, "Copying Third-Party JARs for the SAPUM and SAPUME Targets" for more information.

Table 6-10 Basic Configuration Parameters for the SAPUM Target Type

Parameter Name Description

Name

Enter a name for the new target.

Description

Enter a description for this target.

Organization

Enter the name of an organization to associate with the target.

Domain

Enter the domain of the target server.

Password Policy

Select a Password Policy to apply to the target's service account. Oracle Privileged Account Manager uses this policy to auto-generate passwords.

Connector Server

Select a connector server from the drop-down list to specify a connector server to be used.

Default is None.

Enable Password Rollover

Enable this box to allow Oracle Privileged Account Manager to automatically change (rollover) the service account password for this target to a randomized value according to the "Expire password after" setting that is specified in the assigned Password Policy.

Note: Password rollover for target service accounts is similar to password expiration for privileged accounts. If a password has not been changed by the expiration date configured in the associated Password Policy, then Oracle Privileged Account Manager will automatically change the password to a randomized value.

Host

Enter the host name of the target server.

User

Enter the name of the service account.

Password

Enter the password of the service account.

SAP System Number

Enter the system number of the SAP target. The default value is 00.

Client

Enter the name of the SAP client setting. The default value is 000.

SAP Destination Name

Enter a unique resource name that defines the destination which must be created.

Master System

Enter the RFC destination value that is used to identify the SAP system.

Dummy Password

Enter the dummy password for the connector to use during a Create User provisioning operation.

Member-of Resource Group

Search for and select a resource group with which this target can be associated.


The following table discusses the optional advanced configuration parameters:

Table 6-11 Advanced Configuration Parameters for the SAPUM Target Type

Parameter Name Description

CUA Mode

Password propagation from master to child systems

Password Propagate to Child System

Password propagation from master to child systems


6.2.2.8 Configuring the SAP UME Target Type

When you select the "sapume" target type, the following regions are displayed:

  • Basic Configuration

    This region contains the basic configuration parameters for which values can be specified while creating an sapume target type. Refer to Table 6-12 for the description of these parameters.

  • Advanced Configuration

    This region contains the optional advanced configuration parameters for which values can be specified while creating an sapume target type. Refer to Table 6-13 for the description of these parameters.

Note:

You must copy third-party jars for this target. Refer to Section 6.2.4.2, "Copying Third-Party JARs for the SAPUM and SAPUME Targets" for more information.

Table 6-12 Basic Configuration Parameters for the SAPUME Target Type

Parameter Name Description

Name

Enter a name for the new target.

Description

Enter a description for this target.

Organization

Enter the name of an organization to associate with the target.

Domain

Enter the domain of the target server.

Password Policy

Select a Password Policy to apply to the target's service account. Oracle Privileged Account Manager uses this policy to auto-generate passwords.

Connector Server

Select a connector server from the drop-down list to specify a connector server to be used.

Default is None.

Enable Password Rollover

Enable this box to allow Oracle Privileged Account Manager to automatically change (rollover) the service account password for this target to a randomized value according to the "Expire password after" setting that is specified in the assigned Password Policy.

Note: Password rollover for target service accounts is similar to password expiration for privileged accounts. If a password has not been changed by the expiration date configured in the associated Password Policy, then Oracle Privileged Account Manager will automatically change the password to a randomized value.

Host

Enter the host name of the target server.

UME URL

Enter the URL of the SPML service.

User Id

Enter the name of the service account.

Password

Enter the password of the service account.

Dummy Password

Enter the dummy password for the connector to use during a Create User provisioning operation.

Member-of Resource Group

Search for and select a resource group with which this target can be associated.


The following table discusses the optional advanced configuration parameters:

Table 6-13 Advanced Configuration Parameters for the SAPUME Target Type

Parameter Name Description

Logon Name Initial Substring

Enter a set of characters to support full reconciliation for the English language. For other languages, enter all characters of that language.

Sample value: abcdefghijklmnopqrstuvwxyz1234567890

Log SPML Request

Enter "yes" to print the SPML request. The default value is no.


6.2.3 Configuring Custom Attributes for a Target

Custom attributes are optional parameters that can be used to store custom attributes and values. You can use these parameters to store additional information about the target. For example, you can define the data center name for a Unix target, define the Oracle Home path for an Oracle database target, and so on. You can use these attributes to provide more information about target systems to administrators. The custom attributes can also be used to pass such additional information to plug-ins.

You can configure a custom attribute by adding a new row and specifying values for the Attribute Name and Attribute Value columns. For multivalued attributes, you must add another row with the same Attribute Name and specify the next value in the Attribute Value column.

You can configure custom attributes for any target type by adding a new row and specifying a value in the "Attribute Name" column, and clicking Save.

6.2.4 Copying Third-Party JARs

This section discusses the procedure to copy third-party jars for the Database, SAPUM, and SAPUME targets. Depending on the target that you are configuring, perform one of the following procedures:

6.2.4.1 Copying Third-Party JARs for the Database Target

If you select an Oracle database target, then no driver jar is required. For other target systems, you must copy one of the following third-party jars:

  • For MSSQL: Copy sqljdbc4.jar.

  • For MySQL: Copy mysql-connector-java-5.1.20-bin.jar.

  • For Sybase: Copy jconn4.jar.

You can use one of the following options to copy the jars:

Option 1: Copy the third-party jars to the WebLogic domain /lib directory, as described in the "Adding JARs to the Domain /lib Directory" section in Oracle Fusion Middleware Developing Applications for Oracle WebLogic Server.

Option 2: Modify the connector jars to include the third-party jars as follows:

  1. Make a back-up copy of the DBUM connector bundle, which is available in the following location:

    ORACLE_HOME/connectors/dbum/bundle/org.identityconnectors.dbum-1.0.1116.jar
    
  2. Create a temporary /lib folder and place the third-party jars in this folder.

  3. Update the bundle with the third-party jar as shown below:

    jar -uvf org.identityconnectors.dbum-1.0.1116.jar lib/JAR_NAME
    
  4. Delete the temporary /lib folder.

  5. Restart all Oracle Privileged Account Manager processes for all changes to take effect.

For more information, refer to the "Installing the Connector on the Connector Server" section of the Oracle Identity Manager Connector Guide for Database User Management.
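A check you can run after step 3 of Option 2 and before the restart in step 5, as an added example that is not part of the Oracle documentation or tooling: it confirms that the driver jar matches a SHA-256 digest you recorded from a trusted source, that the same bytes are now embedded under lib/ in the bundle, and that every other bundle entry is identical to the backup from step 1. The function names and the expected-digest argument are assumptions of this example.

```python
import hashlib
import os
import sys
import zipfile


def entry_digests(jar_path):
    """Map every file entry in a JAR (a zip archive) to its SHA-256."""
    with zipfile.ZipFile(jar_path) as jar:
        return {info.filename: hashlib.sha256(jar.read(info)).hexdigest()
                for info in jar.infolist() if not info.is_dir()}


def verify_bundle_update(backup_path, updated_path, driver_path, expected_sha256):
    """Return a list of findings; an empty list means the update is clean.

    expected_sha256 is the digest you recorded for the driver jar from a
    source you trust (an assumption of this example, not an Oracle value).
    """
    with open(driver_path, "rb") as fh:
        driver_digest = hashlib.sha256(fh.read()).hexdigest()
    findings = []
    if driver_digest != expected_sha256.lower():
        findings.append("driver jar does not match the expected SHA-256")

    before = entry_digests(backup_path)
    after = entry_digests(updated_path)
    added = "lib/" + os.path.basename(driver_path)  # entry name used in step 3
    if after.get(added) != driver_digest:
        findings.append(f"{added} is missing from the bundle or differs from the driver jar")

    # Every other entry must be byte-identical to the backup copy.
    for name in sorted((set(before) | set(after)) - {added}):
        if name not in after:
            findings.append(f"removed from bundle: {name}")
        elif name not in before:
            findings.append(f"unexpected new entry: {name}")
        elif before[name] != after[name]:
            findings.append(f"content changed: {name}")
    return findings


if __name__ == "__main__":
    if len(sys.argv) != 5:
        sys.exit("usage: BACKUP.jar UPDATED.jar DRIVER.jar EXPECTED_SHA256")
    problems = verify_bundle_update(*sys.argv[1:5])
    print("\n".join(problems) or "bundle update verified")
    sys.exit(1 if problems else 0)
```

A non-empty result means the bundle should be restored from the backup copy and the driver jar obtained again before any process is restarted.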

6.2.4.2 Copying Third-Party JARs for the SAPUM and SAPUME Targets

Note:

Ensure that you are using version 3.0.2 or later of the sapjco3.jar file. To download files from the SAP Web site, you must have access to the SAP service marketplace with Software Download authorization.

To download and copy the third-party jars and external code files to the required locations:

  1. Download the SAP Java connector file from the SAP Web site as follows:

    1. Open the SAP Java Connector page by selecting Application Platform, Connectivity, Connectors, SAP Java Connector, and Tools & Services.

    2. On the SAP Java Connector page, links for files that you can download are displayed on the right pane. Click the link for the SAP JCo release that you want to download.

    3. In the dialog box that is displayed, specify the location in which you want to save the file.

  2. From the saved location, extract the contents of the file that you downloaded.

  3. Copy these third-party jars to the WebLogic domain /lib directory, as described in the "Adding JARs to the Domain /lib Directory" section of Oracle Fusion Middleware Developing Applications for Oracle WebLogic Server.

  4. Copy the RFC files into the required directory on the Oracle Identity Manager host computer, and then modify the appropriate environment variable so that it includes the path to this directory:

    • On Microsoft Windows:

      Copy the sapjco3.dll file into the winnt\system32 directory. Alternatively, you can copy these files into any directory and then add the path to the directory in the "PATH" environment variable.

    • On Solaris and Linux:

      Copy the libsapjco3.so file into the /usr/local/jco directory, and then add the path to this directory in the LD_LIBRARY_PATH environment variable.

  5. On a Microsoft Windows platform, ensure that the msvcr80.dll and msvcp80.dll files are in the c:\WINDOWS\system32 directory. If required, both files can be downloaded from various sources on the Internet.

  6. If you are using IBM WebSphere Application Server, perform the following steps:

    1. Copy the following files to WEBSPHERE_HOME/AppServer/lib:

      • libsapjco3.so

      • sapidoc3.jar

      • sapjco3.jar

      For example, copy the preceding files to the /home/shareuser/R2PS1ST1WAS/IBM/WebSphere/AppServer/lib location.

    2. Update the PROFILE_HOME/bin/setupCmdLine.sh file as shown in the following example:

      WAS_CLASSPATH="$WAS_HOME"/properties:"$WAS_HOME"/lib/startup.jar:"$WAS_HOME"/lib/bootstrap.jar:"$WAS_HOME"/lib/lmproxy.jar:"$WAS_HOME"/lib/urlprotocols.jar:"$WAS_HOME"/lib/sapjco3.jar:"$WAS_HOME"/lib/sapidoc3.jar:"$JAVA_HOME"/lib/tools.jar

  7. Restart the server for the changes in the environment variable to take effect.

  8. To check whether SAP JCo is correctly installed, run one of the following commands in a command window:

    java -jar JCO_DIRECTORY/sapjco3.jar
    java -classpath JCO_DIRECTORY/sapjco3.jar com.sap.conn.jco.rt.About
    

    In the preceding commands, JCO_DIRECTORY is the location where the sapjco3.jar file was copied.

    Figure 6-1 shows the dialog box that is displayed. The JCo classes and JCo library paths must be displayed in this dialog box.

    Figure 6-1 Dialog Box Displayed on Running the SAP JCo Test


6.3 Searching for Targets

If you have administrator privileges, you can search for targets using the following criteria or a combination of these items:

  • Name

  • Type (All, database, ldap, lockbox, sapum, sapume, ssh, unix, or windows)

  • Host

  • Domain

  • Description

  • Password Age

  • Privilege

To search for a target, perform the following procedure:

  1. Select Targets in the Administration accordion.

  2. When the Targets tab is displayed, use the Search portlet parameters to configure your search. For example,

    • To search for all LDAP targets, select ldap from the Type menu.

    • To search for all available targets, do not specify any search parameters.

  3. Click Search.

    Review your search results in the Search Results table.

6.4 Opening a Target

You can open a target to review and edit the target's configuration parameters and its associated privileged account parameters.

Use one of the following methods to open a target:

  • Click Name (an active link) in the Search Results table.

  • Select the target's Row number, then click Actions and select the Open option from the drop-down list.

The Target: TargetName page opens, where you can access the target and privileged account information.

6.5 Managing a Target's Service Account Password

Oracle Privileged Account Manager provides several options for managing a target's service account passwords, including:

  • Showing passwords

  • Viewing password history

  • Resetting passwords

  • Enabling password rollover

Administrators with the Security Administrator Admin Role can perform these password management tasks by using the Oracle Privileged Account Manager Console, command line tool, or REST API.

Note:

Oracle Privileged Account Manager audits password management actions to keep track of password access.

Note:

The procedures for showing and resetting a privileged account password are different from the procedures described in this section. Refer to Section 9.8, "Managing Privileged Account Passwords" for information.

6.6 Removing Targets from Oracle Privileged Account Manager

To remove a target, select the target from the Search Results table and then click the Remove icon.

WARNING:

When you remove a target, you also remove all information about the target that is stored in Oracle Privileged Account Manager (including privileged accounts).

Before removing a target, it is critical that you first capture all relevant information from that target. For example, save the target's service account password and any current passwords that are associated with the privileged accounts on the target.