This chapter describes the different tasks you can perform when working with targets in Oracle Privileged Account Manager.
This chapter includes the following sections:
Section 6.2, "Adding and Configuring Targets in Oracle Privileged Account Manager"
Section 6.6, "Removing Targets from Oracle Privileged Account Manager"
Note:
You can also use Oracle Privileged Account Manager's command line tool or Oracle Privileged Account Manager's RESTful interface to perform many of the tasks described in this chapter.
If you prefer using these interfaces instead of the Oracle Privileged Account Manager Console, refer to Appendix A, "Working with the Command Line Tool" or Appendix B, "Working with Oracle Privileged Account Manager's RESTful Interface" for instructions.
You must be an Oracle Privileged Account Manager administrator with the Security Administrator Admin Role to add, edit, or remove targets.
A target is a software system that contains, uses, and relies on user, system, or application accounts.
You cannot create targets in, or delete targets from, your environment by using Oracle Privileged Account Manager. Rather, Oracle Privileged Account Manager manages existing targets that were provisioned using other mechanisms.
When you "add" a target in Oracle Privileged Account Manager, you are creating a reference to that target. In effect, you are registering the target and asking Oracle Privileged Account Manager to manage it. When you "remove" a target from Oracle Privileged Account Manager, you are only removing that reference.
Oracle Privileged Account Manager supports database, LDAP, lockbox, SAP UM, SAP UME, SSH, UNIX, and Windows target types.
A lockbox target provides password vault-like functionality in Oracle Privileged Account Manager. That is, it provides a secure mechanism for storing the passwords (or any kind of sensitive information) associated with privileged accounts in your deployment. This target type is different from the other conventional Oracle Privileged Account Manager target types in the following ways:
Oracle Privileged Account Manager does not interact with lockbox target systems. There is no connectivity to, or operations performed against, these systems.
Oracle Privileged Account Manager does not manage the password lifecycle or reset passwords associated with accounts on lockbox targets.
Password modifications are handled out-of-band and updated into Oracle Privileged Account Manager as an administrative action. Therefore, Oracle Privileged Account Manager does not randomize the passwords; rather, they are stored as given by the administrator.
A lockbox target may be preferable when you want to centrally store and securely grant privileged account passwords without having Oracle Privileged Account Manager automatically manage those accounts on the target systems. For example, if you want to control how and when the passwords on those target systems are modified, as opposed to allowing Oracle Privileged Account Manager to do so.
Additionally, a lockbox target may be useful when an appropriate ICF connector is unavailable for a specific target type, but you still want to manage access to that system through Oracle Privileged Account Manager.
This section discusses the following topics:
Note:
When adding a target of any Target Type (except lockbox), you must configure a service account (also called an unattended account) with privileges that enable that account to:
Search for accounts on the target system
Modify the passwords of accounts on the target system
You must never use the same account as a service account and as a privileged account to be managed by Oracle Privileged Account Manager.
For additional information about service accounts, see the description for attended and unattended accounts in Section 1.2.1, "Features" and refer to Chapter 7, "Working with Service Accounts."
Note:
If you are using Oracle Privileged Account Manager on IBM WebSphere, refer to the "Differences When Adding Targets to Oracle Privileged Account Manager on IBM WebSphere" section in the Oracle Fusion Middleware Third-Party Application Server Guide for Oracle Identity and Access Management for information about this topic.
Perform the following steps to add a target that Oracle Privileged Account Manager can manage:
Log in to Oracle Privileged Account Manager.
Select Targets from the Administration accordion to open the Targets page.
Click Add, which is located on the Search Results table toolbar, to open a new Target. A new "Untitled" page is opened, which will contain the three following tabs:
Note:
Only the General tab is active at this point. The Privileged Accounts and Member-of tabs do not become active until you create and save the target.
General
This tab generally contains three areas which are used to specify their respective parameters for the target. The three areas are:
Basic Configuration
Advanced Configuration
Custom Attributes
Privileged Accounts
This tab lists the privileged accounts currently being managed on the target and enables you to add, open, and remove the accounts that are managed by that target.
Member-of
This tab contains a table listing the different resource groups, which the privileged account is a member of.
On the General tab, select the Target Type drop-down list to select a target type (database, ldap, lockbox, sapum, sapume, ssh, unix, or windows), and then set the remaining configuration parameters and custom attributes.
Note:
When you set the target type, the new "Untitled" page refreshes and the parameters change based on your selection.
Refer to Section 6.2.2, "Configuring a Target" for information about configuration parameters for each target type.
Refer to Section 6.2.3, "Configuring Custom Attributes for a Target" for information about configuring custom attributes for a target.
Refer to Section 6.2.4, "Copying Third-Party JARs" for information about copying third-party jars for a target.
After setting the target configuration parameters, click Test to check the configuration of the target.
If the configuration is valid, a "Test Succeeded" message is displayed.
Click Save to add your new target on the Oracle Privileged Account Manager server.
Oracle Privileged Account Manager automatically assigns a Target GUID and you can view this read-only value at the bottom of the Basic Configuration parameters section.
You can now associate this target with a privileged account. For detailed instructions, refer to Section 9.2, "Adding Privileged Accounts into Oracle Privileged Account Manager."
The following sections describe the available parameters for each target:
Note:
You must specify all of the required attributes indicated by an asterisk (*) symbol.
When you select the "database" target type, the following regions are displayed:
Basic Configuration:
This region contains the basic configuration parameters for which the values can be specified while creating a database target type. Refer to Table 6-1 for the description of these parameters.
Advanced Configuration:
This region contains the optional advanced configuration parameters for which values can be specified while creating a database target type. Refer to Table 6-2 for the description of these parameters.
Table 6-1 Basic Configuration Parameters for the Database Target Type
Parameter Name | Description |
---|---|
Name | Enter a name for the new target. |
Description | Enter a description for this target. |
Organization | Enter the name of an organization to associate with the target. |
Domain | Enter the domain of the target server. |
Password Policy | Select a Password Policy to apply to the target's service account. Oracle Privileged Account Manager uses this policy to auto-generate passwords. |
Connector Server | Select a connector server from the drop-down list to specify the connector server to be used. Default is |
Enable Password Rollover | Enable this box to allow Oracle Privileged Account Manager to automatically change (rollover) the service account password for this target to a randomized value according to the Expire password after setting that is specified in the assigned Password Policy. Note: Password rollover for target service accounts is similar to password expiration for privileged accounts. If a password has not been changed by the expiration date configured in the associated Password Policy, then Oracle Privileged Account Manager will automatically change the password to a randomized value. |
Host | Enter the host name of the target server. |
Database Connection URL | Enter the JDBC URL used to identify the target system location. Oracle: jdbc:oracle:thin:@<host>:<port>:<sid> Note: Oracle Privileged Account Manager supports the Oracle, MSSQL, Sybase, and MySQL database types. Refer to the Oracle Identity Manager Connector Guide for Database User Management for information about special options that are supported. |
Admin User Name (Service Account) | Enter the administrator's name to use when connecting to this target. Note: If you are using the |
Admin User Password (Service Account Password) | Enter the user's password. |
Database Type | Select the type of database (Oracle, MSSQL, Sybase, or MySQL) for which the connector will be used. If you select an Oracle database target, then no driver jar is required. For other target systems, you must copy third-party jars. Refer to Section 6.2.4.1, "Copying Third-Party JARs for the Database Target" for more information. |
Member-of Resource Group | Search for and select a resource group with which this target can be associated. |
The following table discusses the optional advanced configuration parameter:
When you select the "ldap" target type, the following regions are displayed:
Basic Configuration
This region contains the basic configuration parameters for which values can be specified while creating an ldap target type. Refer to Table 6-3 for the description of these parameters.
Advanced Configuration
This region contains the optional advanced configuration parameters for which values can be specified while creating an ldap target type. Refer to Table 6-4 for the description of these parameters.
Table 6-3 Basic Configuration Parameters for the LDAP Target Type
Parameter Name | Description |
---|---|
Name | Enter a name for the new target. |
Description | Enter a description for this target. |
Organization | Enter the name of an organization to associate with the target. |
Domain | Enter the domain of the target server. |
Password Policy | Select a Password Policy to apply to the target's service account. Oracle Privileged Account Manager uses this policy to auto-generate passwords. |
Connector Server | Select a connector server from the drop-down list to specify the connector server to be used. Default is |
Host | Enter the host name of the target server. |
TCP Port | Enter the TCP/IP port to use when communicating with the LDAP server. You can use the up/down arrow icons to increment this value. |
SSL | Enable this box to use Secure Socket Layer (SSL) when connecting to the LDAP server. Note: For SSL connectivity, you must import an SSL certificate to the J2EE container hosting Oracle Privileged Account Manager. For more information, refer to Section 17.1, "Configuring Oracle Privileged Account Manager to Communicate With Target Systems Over SSL." |
Principal (Service Account) | Enter the distinguished name (DN) to use when authenticating to the LDAP server. For example, cn=admin |
Password (Service Account Password) | Enter the user's password. |
Base Contexts | Enter one or more starting points in the LDAP tree to use when searching the tree for users on the LDAP server or when looking for groups where the user is a member. Use a pipe (\|) to separate values. |
Account User Name Attribute | Enter the attribute to be used as the account's user name. |
Member-of Resource Group | Search for and select a resource group with which this target can be associated. |
The following table discusses the optional advanced configuration parameters:
Table 6-4 Advanced Configuration Parameters for the LDAP Target Type
Parameter Name | Description |
---|---|
Uid Attribute | Enter the name of the LDAP attribute that is mapped to the Uid attribute. |
LDAP Filter for Retrieving Accounts | Enter an LDAP filter to control which accounts are returned from the LDAP resource. If you do not specify a filter, Oracle Privileged Account Manager returns only those accounts that include all of the specified object classes. |
Password Attribute | Enter the name of the LDAP attribute that holds the password. When changing a user's password, Oracle Privileged Account Manager sets the new password to this attribute. |
Account Object Classes | Enter one or more object classes to use when creating new user objects in the LDAP tree. Type each object class on its own line. Do not use commas or semicolons to separate entries. Some object classes require you to specify them in their class hierarchy, using a pipe (\|) to separate the values. |
When you select the "lockbox" target type, the Basic Configuration region is displayed. This region contains the basic configuration parameters for which values can be specified while creating a lockbox target type. Refer to Table 6-5 for the description of these parameters.
Table 6-5 Basic Configuration Parameters for the Lockbox Target Type
Parameter Name | Description |
---|---|
Name | Enter a name for the new target. |
Description | Enter a description for this target. |
Organization | Enter the name of an organization to associate with the target. |
Domain | Enter the domain of the target server. |
Host | Enter the host name of the target server. |
Member-of Resource Group | Search for and select a resource group with which this target can be associated. |
Note:
You can add configuration parameters to this list by editing the opam-config.xml file as described in Section 3.2.3, "Consuming ICF Connectors."
When you select the "unix" target type, the following regions are displayed:
Basic Configuration
This region contains the basic configuration parameters for which values can be specified while creating a unix target type. Refer to Table 6-6 for the description of these parameters.
Advanced Configuration
This region contains the optional advanced configuration parameters for which values can be specified while creating a unix target type. Refer to Table 6-7 for the description of these parameters.
Table 6-6 Basic Configuration Parameters for the Unix Target Type
Parameter Name | Description |
---|---|
Name | Enter a name for the new target. |
Description | Enter a description for this target. |
Organization | Enter the name of an organization to associate with the target. |
Domain | Enter the domain of the target server. |
Password Policy | Select a Password Policy to apply to the target's service account. Oracle Privileged Account Manager uses this policy to auto-generate passwords. |
Connector Server | Select a connector server from the drop-down list to specify a connector server to be used. Default is |
Enable Password Rollover | Enable this box to allow Oracle Privileged Account Manager to automatically change (rollover) the service account password for this target to a randomized value according to the Expire password after setting that is specified in the assigned Password Policy. Note: Password rollover for target service accounts is similar to password expiration for privileged accounts. If a password has not been changed by the expiration date configured in the associated Password Policy, then Oracle Privileged Account Manager will automatically change the password to a randomized value. |
Host | Enter the host name of the target server. |
Port | Enter the port (Default port is Note: Only the SSH protocol is supported. |
Login User (Service Account) | Enter the user name to use when connecting to this target. |
Login User Password (Service Account Password) | Enter the user's password. |
Login Shell Prompt | Enter the shell prompt to display when you log in to the target. For example, Note: When using sudo authorization, the prompts for the login user and the sudo root account may be different. For example, jdoe's shell prompt might be |
Sudo authorization | Enable this box if the user requires sudo authorization. Do not enable this box for the root user. Note: When using sudo authorization, the UNIX connector requires that certain conditions must be met in the target system, such as a specific configuration in the sudoers file. For information about these conditions, refer to "Creating a Target System SUDO User Account for Connector Operations" in the Oracle Identity Manager Connector Guide for UNIX. |
Member-of Resource Group | Search for and select a resource group with which this target can be associated. |
The following table discusses the optional advanced configuration parameters:
Table 6-7 Advanced Configuration Parameters for the Unix Target Type
Parameter Name | Description |
---|---|
Command timeout | Specify how long (in milliseconds) to wait for the command to complete before terminating that command. |
Password Expect Expressions | Specify the expressions displayed on the target when setting the user's password. For example, if the Note: You can provide a regular expression here. Use a comma to separate the two expressions. |
Pre-password expectExpression | When you run the |
sudo password expectExpression | Specify the password prompt to be displayed when running a command in sudo mode. (Default value is Note: This is the prompt you will receive when you type sudo -v after sudo has been set up, if you are using a sudo user. If you see a different prompt such as the following where oracle is the user: Then it is a dynamic prompt and you must change it to the default static prompt so that the connector can expect the prompt to enter the password. The default password prompt can be set up using a sudo user by adding the following command in the "Defaults" section: |
When you select the "windows" target type, the Basic Configuration region is displayed. This region contains the basic configuration parameters for which values can be specified while creating a windows target type. Refer to Table 6-8 for the description of these parameters.
Table 6-8 Basic Configuration Parameters for the Windows Target Type
Parameter Name | Description |
---|---|
Name | Enter a name for the new target. |
Description | Enter a description for this target. |
Organization | Enter the name of an organization to associate with the target. |
Domain | Enter the domain of the target server. |
Password Policy | Select a Password Policy to apply to the target's service account. Oracle Privileged Account Manager uses this policy to auto-generate passwords. |
Connector Server | Select a connector server from the drop-down list to specify a connector server to be used. Default is Note: A Windows target requires a connector server with a Windows Connector installed on it. Refer to Section 5.4, "Managing a Connector Server" for more information about configuring a connector server. |
Enable Password Rollover | Enable this box to allow Oracle Privileged Account Manager to automatically change (rollover) the service account password for this target to a randomized value according to the "Expire password after" setting that is specified in the assigned Password Policy. Note: Password rollover for target service accounts is similar to password expiration for privileged accounts. If a password has not been changed by the expiration date configured in the associated Password Policy, then Oracle Privileged Account Manager will automatically change the password to a randomized value. |
Host | Enter the host name of the target server. |
Administrators Account | Enter the user name of the Administrator account. Note: The format for AdminName can be any of the following: |
Administrators Password | Enter the password of the Administrator account. |
Member-of Resource Group | Search for and select a resource group with which this target can be associated. |
When you select the "ssh" target type, the Basic Configuration region is displayed. This region contains the basic configuration parameters for which values can be specified while creating an ssh target type. Refer to Table 6-9 for the description of these parameters.
Note:
Some examples of network devices that support SSH are routers, firewalls, and hypervisors. Refer to Appendix C, "Working with the SSH Connector" for detailed information on how to add customizations to work with your specific network device.
The customization process involves creating scripts and framing regular expressions. Refer to the following sections for detailed information about these steps:
Table 6-9 Basic Configuration Parameters for the SSH Target Type
Parameter Name | Description |
---|---|
Name | Enter a name for the new target. |
Description | Enter a description for this target. |
Organization | Enter the name of an organization to associate with the target. |
Domain | Enter the domain of the target server. |
Password Policy | Select a Password Policy to apply to the target's service account. Oracle Privileged Account Manager uses this policy to auto-generate passwords. |
Connector Server | Select a connector server from the drop-down list to specify a connector server to be used. Default is |
Enable Password Rollover | Enable this box to allow Oracle Privileged Account Manager to automatically change (rollover) the service account password for this target to a randomized value according to the Expire password after setting that is specified in the assigned Password Policy. Note: Password rollover for target service accounts is similar to password expiration for privileged accounts. If a password has not been changed by the expiration date configured in the associated Password Policy, then Oracle Privileged Account Manager will automatically change the password to a randomized value. |
Host | Enter the host name of the target server. |
Manage Privilege Mode Password | Enable this box to allow Oracle Privileged Account Manager to manage the Privilege Mode Password of this target for Cisco devices. Note: The Privilege Mode Password is used by some Cisco devices to enter privilege mode where privileged commands can be executed. If this option is selected, an account called "PRIVILEGE_MODE_ACCOUNT" will be created under the target in Oracle Privileged Account Manager. Security Administrators can use this account to manage the privilege mode password of that Cisco device. For example, when the password of this account is reset, the privilege mode password of the Cisco device will also be reset. When the password is reset on this account, the script defined for UPDATE_ACCOUNT operation will be used to reset the privilege mode password on the Cisco device. Refer to Section C.2, "Creating Scripts" and Section C.4.1.1, "Contents Of the Script Files" for detailed information about scripts. |
Port | Enter the port (default port is Note: Only the SSH protocol is supported. |
Login User Name | Enter the user name to use when connecting to this target. |
Password | Enter the password of the user that is used to connect to this target. |
Properties File Path | Enter the full path of the .properties file. |
Search Regex | Enter the regex (regular expression) that must be used to fetch users, roles, or both from the user search output obtained from the target. |
Login Shell Prompt | Enter the shell prompt to display when you log in to the target. For example, |
Privilege Mode Password | This field is optional. Enter the password of the privilege mode, to access the privilege mode. Specify a value for this parameter only if you are using Cisco; otherwise, you can ignore this field. |
Member-of Resource Group | Search for and select a resource group with which this target can be associated. |
When you select the "sapum" target type, the following regions are displayed:
Basic Configuration
This region contains the basic configuration parameters for which values can be specified while creating an sapum target type. Refer to Table 6-10 for the description of these parameters.
Advanced Configuration
This region contains the optional advanced configuration parameters for which values can be specified while creating an sapum target type. Refer to Table 6-11 for the description of these parameters.
Note:
You must copy third-party jars for this target. Refer to Section 6.2.4.2, "Copying Third-Party JARs for the SAPUM and SAPUME Targets" for more information.
Table 6-10 Basic Configuration Parameters for the SAPUM Target Type
The following table discusses the optional advanced configuration parameters:
When you select the "sapume" target type, the following regions are displayed:
Basic Configuration
This region contains the basic configuration parameters for which values can be specified while creating an sapume target type. Refer to Table 6-12 for the description of these parameters.
Advanced Configuration
This region contains the optional advanced configuration parameters for which values can be specified while creating an sapume target type. Refer to Table 6-13 for the description of these parameters.
Note:
You must copy third-party jars for this target. Refer to Section 6.2.4.2, "Copying Third-Party JARs for the SAPUM and SAPUME Targets" for more information.
Table 6-12 Basic Configuration Parameters for the SAPUME Target Type
The following table discusses the optional advanced configuration parameters:
Table 6-13 Advanced Configuration Parameters for the SAPUME Target Type
Parameter Name | Description |
---|---|
Logon Name Initial Substring | Enter a set of characters to support full reconciliation for the English language. For other languages, enter all characters of that language. Sample value: abcdefghijklmnopqrstuvwxyz1234567890 |
Log SPML Request | Enter "yes" to print the SPML request. The default value is |
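The constraints this chapter places on target definitions (a service account on every non-lockbox target, never shared with a managed privileged account, and no sudo authorization for the root user) can be checked mechanically before targets are registered. The following is an added example, not Oracle code: the record layout, the `privileged_accounts` key and the sample inventory are constructed assumptions rather than an Oracle Privileged Account Manager export format, and the two warnings (rollover disabled, LDAP without SSL) are advisory checks added here; only the parameter labels come from the tables above.

```python
"""Lint target definitions against constraints stated in this chapter.

Added example: the record layout and sample data are constructed; only the
parameter labels are taken from the chapter's parameter tables.
"""

# Parameter that holds the service account for each target type, as labelled
# in Tables 6-1, 6-3, 6-6, 6-8 and 6-9. sapum and sapume are left out because
# their basic parameter tables are not reproduced in this chapter text.
SERVICE_ACCOUNT_FIELD = {
    "database": "Admin User Name (Service Account)",
    "ldap": "Principal (Service Account)",
    "unix": "Login User (Service Account)",
    "windows": "Administrators Account",
    "ssh": "Login User Name",
}

# Target types whose Basic Configuration table lists "Enable Password Rollover".
ROLLOVER_TYPES = {"database", "unix", "windows", "ssh"}


def lint_target(target):
    """Return a list of (severity, message) findings for one target record."""
    findings = []
    ttype = target["type"]
    cfg = target.get("config", {})

    # Lockbox targets have no connectivity and therefore no service account.
    if ttype == "lockbox":
        return findings

    field = SERVICE_ACCOUNT_FIELD.get(ttype)
    service = (cfg.get(field) or "").strip() if field else ""
    if field and not service:
        findings.append(("error", f"'{field}' is empty; non-lockbox targets "
                                  "need a service account"))

    # Case-insensitive match is deliberately conservative: it may flag two
    # distinct accounts on a case-sensitive system, but never misses a reuse.
    managed = {a.strip().casefold() for a in target.get("privileged_accounts", [])}
    if service and service.casefold() in managed:
        findings.append(("error", f"service account '{service}' is also a "
                                  "managed privileged account"))

    if ttype in ROLLOVER_TYPES and not cfg.get("Enable Password Rollover", False):
        findings.append(("warn", "Enable Password Rollover is off; the service "
                                 "account password is never rotated automatically"))

    if ttype == "ldap" and not cfg.get("SSL", False):
        findings.append(("warn", "SSL is off; the service account bind and "
                                 "password changes are sent unencrypted"))

    if ttype == "unix" and cfg.get("Sudo authorization", False) and service == "root":
        findings.append(("error", "Sudo authorization is enabled for the root user"))

    return findings


def lint_inventory(targets):
    """Map each target name to its list of findings."""
    return {t["name"]: lint_target(t) for t in targets}


# Constructed sample inventory (not real systems or accounts).
SAMPLE_TARGETS = [
    {"name": "db-hr", "type": "database",
     "config": {"Admin User Name (Service Account)": "opam_svc",
                "Enable Password Rollover": True},
     "privileged_accounts": ["SYSTEM", "OPAM_SVC"]},
    {"name": "ldap-corp", "type": "ldap",
     "config": {"Principal (Service Account)": "cn=admin", "SSL": False},
     "privileged_accounts": ["cn=dirmgr"]},
    {"name": "unix-build", "type": "unix",
     "config": {"Login User (Service Account)": "root",
                "Sudo authorization": True,
                "Enable Password Rollover": False},
     "privileged_accounts": ["oracle"]},
    {"name": "vault-legacy", "type": "lockbox", "config": {},
     "privileged_accounts": ["breakglass"]},
    {"name": "win-dc", "type": "windows",
     "config": {"Administrators Account": "svc_opam",
                "Enable Password Rollover": True},
     "privileged_accounts": ["Administrator"]},
]

if __name__ == "__main__":
    for name, findings in lint_inventory(SAMPLE_TARGETS).items():
        print(name, "OK" if not findings else "")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```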
Custom attributes are optional parameters that can be used to store custom attributes and values. You can use these parameters to store additional information about the target. For example, you can define the data center name for a Unix target, define the Oracle Home path for an Oracle database target, and so on. You can use these attributes to provide more information about target systems to administrators. The custom attributes can also be used to pass such additional information to plug-ins.
You can configure a custom attribute by adding a new row and specifying values for the Attribute Name and Attribute Value columns. For multivalued attributes, you must add another row with the same Attribute Name and specify the next value in the Attribute Value column.
You can configure custom attributes for any target type by adding a new row and specifying a value in the "Attribute Name" column, and clicking Save.
This section discusses the procedure to copy third-party jars for the Database, SAPUM, and SAPUME targets. Depending on the target that you are configuring, perform one of the following procedures:
Section 6.2.4.1, "Copying Third-Party JARs for the Database Target"
Section 6.2.4.2, "Copying Third-Party JARs for the SAPUM and SAPUME Targets"
If you select an Oracle database target, then no driver jar is required. For other target systems, you must copy one of the following third-party jars:
For MSSQL: Copy sqljdbc4.jar.
For MySQL: Copy mysql-connector-java-5.1.20-bin.jar.
For Sybase: Copy jconn4.jar.
You can use one of the following options to copy the jars:
Option 1: Copy the third-party jars to the WebLogic domain /lib directory, as described in the "Adding JARs to the Domain /lib Directory" section in Oracle Fusion Middleware Developing Applications for Oracle WebLogic Server.
Option 2: Modify the connector jars to include the third-party jars as follows:
Make a back-up copy of the DBUM connector bundle, which is available in the following location:
ORACLE_HOME/connectors/dbum/bundle/org.identityconnectors.dbum-1.0.1116.jar
Create a temporary /lib folder and place the third-party jars in this folder.
Update the bundle with the third-party jar as shown below:
jar -uvf org.identityconnectors.dbum-1.0.1116.jar lib/JAR_NAME
Delete the temporary /lib folder.
Restart all Oracle Privileged Account Manager processes for all changes to take effect.
For more information, refer to the "Installing the Connector on the Connector Server" section of the Oracle Identity Manager Connector Guide for Database User Management.
Note:
Ensure that you are using version 3.0.2 or later of the sapjco3.jar file. To download files from the SAP Web site, you must have access to the SAP service marketplace with Software Download authorization.
To download and copy the third-party jars and external code files to the required locations:
Download the SAP Java connector file from the SAP Web site as follows:
Open the SAP Java Connector page by selecting Application Platform, Connectivity, Connectors, SAP Java Connector, and Tools & Services.
On the SAP Java Connector page, links for files that you can download are displayed on the right pane. Click the link for the SAP JCo release that you want to download.
In the dialog box that is displayed, specify the location in which you want to save the file.
From the saved location, extract the contents of the file that you download.
Copy these third-party jars to the WebLogic domain /lib directory, as described in the "Adding JARs to the Domain /lib Directory" section of Oracle Fusion Middleware Developing Applications for Oracle WebLogic Server.
Copy the RFC files into the required directory on the Oracle Identity Manager host computer, and then modify the appropriate environment variable so that it includes the path to this directory:
On Microsoft Windows:
Copy the sapjco3.dll file into the winnt\system32 directory. Alternatively, you can copy these files into any directory and then add the path to the directory in the "PATH" environment variable.
On Solaris and Linux:
Copy the libsapjco3.so file into the /usr/local/jco directory, and then add the path to this directory in the LD_LIBRARY_PATH environment variable.
On a Microsoft Windows platform, ensure that the msvcr80.dll and msvcp80.dll files are in the c:\WINDOWS\system32 directory. If required, both files can be downloaded from various sources on the Internet.
If you are using IBM WebSphere Application Server, perform the following steps:
Copy the following files to WEBSPHERE_HOME/AppServer/lib:
libsapjco3.so
sapidoc3.jar
sapjco3.jar
For example, copy the preceding files to the /home/shareuser/R2PS1ST1WAS/IBM/WebSphere/AppServer/lib location.
Update the PROFILE_HOME/bin/setupCmdLine.sh file as shown in the following example:
WAS_CLASSPATH="$WAS_HOME"/properties:"$WAS_HOME"/lib/startup.jar:"$WAS_HOME"/lib/bootstrap.jar:"$WAS_HOME"/lib/lmproxy.jar:"$WAS_HOME"/lib/urlprotocols.jar:"$WAS_HOME"/lib/sapjco3.jar:"$WAS_HOME"/lib/sapidoc3.jar:"$JAVA_HOME"/lib/tools.jar
Restart the server for the changes in the environment variable to take effect.
To check if SAP JCo is correctly installed in a command window, run one of the following commands:
java -jar JCO_DIRECTORY/sapjco3.jar
java -classpath JCO_DIRECTORY/sapjco3.jar com.sap.conn.jco.rt.About
In the preceding commands, JCO_DIRECTORY is the location where the sapjco3.jar file was copied.
Figure 6-1 shows the dialog box that is displayed. The JCo classes and JCo library paths must be displayed in this dialog box.
Figure 6-1 Dialog Box Displayed on Running the SAP JCo Test
If you have administrator privileges, you can search for targets using the following criteria or a combination of these items:
Name
Type (All, database, ldap, lockbox, sapum, sapume, ssh, unix, or windows)
Host
Domain
Description
Password Age
Privilege
To search for a target, perform the following procedure:
Select Targets in the Administration accordion.
When the Targets tab is displayed, use the Search portlet parameters to configure your search. For example,
To search for all LDAP targets, select ldap from the Type menu.
To search for all available targets, do not specify any search parameters.
Click Search.
Review your search results in the Search Results table.
You can open a target to review and edit the target's configuration parameters and its associated privileged account parameters.
Use one of the following methods to open a target:
Click Name (an active link) in the Search Results table.
Select the target's Row number, then click Actions and select the Open option from the drop-down list.
The Target: TargetName page opens where you can access the target and privileged account information.
Oracle Privileged Account Manager provides several options for managing a target's service account passwords, including:
Showing passwords
Viewing password history
Resetting passwords
Enabling password rollover
Administrators with the Security Administrator Admin Role can perform these password management tasks by using the Oracle Privileged Account Manager Console, command line tool, or REST API.
Note:
For information about managing passwords by using the Console, refer to Section 7.3, "Managing Service Account Passwords."
For command line instructions, refer to Section A.5, "Working with Targets."
For REST API instructions, refer to Section B.6, "Target Resource."
Oracle Privileged Account Manager audits password management actions to keep track of password access.
Note:
The procedures for showing and resetting a privileged account password are different from the procedures described in this section. Refer to Section 9.8, "Managing Privileged Account Passwords" for information.
To remove a target, select the target from the Search Results table and then click the Remove icon.
WARNING:
When you remove a target, you also remove all information about the target that is stored in Oracle Privileged Account Manager (including privileged accounts).
Before removing a target, it is critical that you first capture all relevant information from that target. For example, save the target's service account password and any current passwords that are associated with the privileged accounts on the target.