This chapter provides information that administrators must know to configure and manage an Oracle Privileged Account Manager server and an Oracle Privileged Session Manager (Session Manager) server.
This chapter includes the following sections:
Section 5.2, "Managing an Oracle Privileged Account Manager Server"
Section 5.3, "Managing the Oracle Privileged Session Manager Server"
Note:
If you are using Oracle Privileged Account Manager on IBM WebSphere, refer to "Differences in Configuring and Managing the Servers" in the Oracle Fusion Middleware Third-Party Application Server Guide for Oracle Identity and Access Management for information about this topic.
This section provides a high-level overview of the following servers:
The Oracle Privileged Account Manager server implements the core functionality of Oracle Privileged Account Manager and makes authorization decisions that determine:
Which targets and privileged accounts are exposed to administrators and end-users
Which operations administrators and end-users can perform on targets, privileged accounts, and policies
In addition, the Oracle Privileged Account Manager server:
Supports Usage and Password Policies for accounts
Enforces its authorization decisions
Supports authentication by using the SAML-based Oracle Security Token from OPSS Trust Services and HTTP-Basic Authentication
Supports different Admin Roles for the Oracle Privileged Account Manager server
Note:
For security purposes, the Oracle Privileged Account Manager server only responds to SSL traffic.
When you add the Oracle Privileged Account Manager server target to the Oracle Privileged Account Manager user interface or to the Oracle Privileged Account Manager command line tool (CLI), you must provide the SSL endpoint as https://hostname:sslport/opam.
By default, WebLogic responds to SSL using port 7002 on the Admin Server and port 18102 on the Managed Server. You can use the WebLogic console to check the port for your particular instance.
The following figure illustrates the Oracle Privileged Account Manager server architecture.
The Oracle Privileged Session Manager creates a single access point to target resources and enables you to manage privileged sessions to the target system through:
Session Initiation by:
Providing a single control point for privileged access
Never exposing privileged credentials
Supporting any compliant, third-party clients (such as Putty, OpenSSH, etc.)
Session Control by providing control through policy-based and administrator-initiated session termination and lockout.
Session Monitoring and Auditing by maintaining historical records (transcripts) to support forensic analysis and audit data
The following figure illustrates how the Oracle Privileged Session Manager relates to the Oracle Privileged Account Manager server.
This section provides information administrators need to manage an Oracle Privileged Account Manager server, which includes the following topics:
Configuring a Connection to the Oracle Privileged Account Manager Server
Managing Oracle Privileged Account Manager Server Properties
You must be an Oracle Privileged Account Manager administrator with the Application Configurator Admin Role to add and manage an Oracle Privileged Account Manager server.
Note:
For more information about this Admin Role, refer to Section 2.3.1, "Administration Role Types" and Section 3.3.4, "Assigning the Application Configurator Role to a User."
The procedures described in this chapter reference information and instructions contained in the following Oracle publications. If necessary, review the referenced concepts, terminology, and procedures before you begin configuring the Oracle Privileged Account Manager server.
Table 5-1 Reference Publications

For Information About | Refer to
---|---
Admin Roles | Section 2.3.1, "Administration Role Types"
Oracle WebLogic Server concepts and terminology | Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help and Oracle Fusion Middleware Securing Oracle WebLogic Server
Adding and managing an Oracle Privileged Account Manager server on IBM WebSphere | "IBM WebSphere Identity Stores"
Directory structure | "Oracle Fusion Middleware Directory Structure"
Starting WebLogic and Managed Servers | "Starting or Stopping the Oracle Stack"
When you log into Oracle Privileged Account Manager, the Oracle Privileged Account Manager Server URL is automatically detected by default.
Use the following steps to configure a new connection to the Oracle Privileged Account Manager server from the Oracle Privileged Account Manager Console:
Open Oracle Privileged Account Manager by logging in to:
http://managedserver_host:managedserver_port/oinav/opam
Note:
You must log in as a user with the Application Configurator Admin Role, or the Server Configuration page will not be accessible.
For more information about this and other Admin Roles, refer to Section 2.3.1, "Administration Role Types" and Section 3.3.4, "Assigning the Application Configurator Role to a User."
When the Oracle Privileged Account Manager Console displays, select Server Connection from the Configuration accordion.
When the Server Connection page displays, notice that the Oracle Privileged Account Manager Server URL is displayed as the Auto-Detect URL.
To add a different server, enter that server's Host name and SSL Port number.
Note:
You must provide a fully qualified host name for the Host value. Using localhost can cause problems, such as described in Section C.3.13, "Cannot Open Session Recordings."
Click the Test button to test the connection settings.
If the server configuration tested successfully, you should see a "Test Succeeded" message.
Click the Apply button to save this connection information.
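The chapter states three requirements for the server connection: the endpoint must be the SSL endpoint in the form https://hostname:sslport/opam, the Host value must be a fully qualified name rather than localhost, and the SSL port should be confirmed against the WebLogic console (7002 on the Admin Server and 18102 on the Managed Server by default). The following Python script is an added example, not part of the Oracle documentation or the product; it checks a candidate URL against exactly those rules before you enter it on the Server Connection page. The host names and ports in it are constructed sample values.

```python
from urllib.parse import urlsplit

# Default WebLogic SSL ports named in this chapter: 7002 (Admin Server), 18102 (Managed Server).
DEFAULT_SSL_PORTS = {7002, 18102}
# Names the chapter warns against using for the Host value (localhost and loopback literals).
LOOPBACK_NAMES = {"localhost", "127.0.0.1", "::1"}


def build_opam_url(host: str, ssl_port: int) -> str:
    """Assemble the SSL endpoint form the server expects: https://hostname:sslport/opam."""
    return f"https://{host}:{ssl_port}/opam"


def check_opam_server_url(url: str) -> dict:
    """Check a server URL before it is entered on the Server Connection page.

    Returns {"errors": [...], "warnings": [...]}; an empty "errors" list means the
    URL has the required form. Only the rules stated in the chapter are enforced.
    """
    errors, warnings = [], []
    parts = urlsplit(url)

    # The server only answers SSL traffic, so a plain http endpoint cannot work.
    if parts.scheme != "https":
        errors.append("scheme must be https (the server only responds to SSL traffic)")

    host = (parts.hostname or "").lower()
    if not host:
        errors.append("host name is missing")
    elif host in LOOPBACK_NAMES:
        errors.append("host must not be localhost or a loopback address")
    elif "." not in host:
        errors.append("host must be fully qualified (for example opam.example.com)")

    try:
        port = parts.port
    except ValueError:
        errors.append("port is not a number")
    else:
        if port is None:
            errors.append("SSL port must be given explicitly")
        elif port not in DEFAULT_SSL_PORTS:
            # Not an error: a non-default port is legitimate, but confirm it in the WebLogic console.
            warnings.append(f"port {port} is not a WebLogic default SSL port; confirm it in the WebLogic console")

    if parts.path.rstrip("/") != "/opam":
        errors.append("path must be /opam")

    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample values, not from any real deployment.
    for candidate in ("https://opam.example.com:18102/opam", "http://localhost:7002/opam"):
        print(candidate, check_opam_server_url(candidate))
```

The check is deliberately limited to the form of the URL; it does not open a connection, so the Test button on the Server Connection page remains the way to confirm that the server actually answers.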
You can use the Console or properties in the OPAM Global Config configuration entry to define server-level behavior for activities such as scheduler intervals, timeouts, etc. The available server properties are explained in detail in Section 5.2.3.1.
You can manage server properties defined in the OPAM Global Config configuration entry from two locations:
Use the following steps to manage the Oracle Privileged Account Manager server properties from the Oracle Privileged Account Manager Console:
Open Oracle Privileged Account Manager by logging in to:
http://managedserver_host:managedserver_port/oinav/opam
Note:
You must log in as a user with the Application Configurator Admin Role, or the Server Configuration page will not be accessible.
For more information about this and other Admin Roles, refer to Section 2.3.1, "Administration Role Types" and Section 3.3.4, "Assigning the Application Configurator Role to a User."
When the Oracle Privileged Account Manager Console displays, select Server Configuration from the Configuration accordion.
When the Server Configuration page displays, you can modify any of the following server property options:
Usage policy enforcement interval in seconds. Specify an interval (in seconds) in which Oracle Privileged Account Manager checks accounts and then automatically checks in the accounts that have exceeded the expiration time defined in the Usage Policy. (Default is 3600 seconds)
Password policy enforcement interval in seconds. Specify an interval (in seconds) in which Oracle Privileged Account Manager checks and then resets the password for any accounts that have exceeded the maximum password age defined in the Password Policy. (Default is 3600 seconds)
Target connection timeout in seconds. Specify an interval (in seconds) in which Oracle Privileged Account Manager allows an ICF connector to wait for a response from the target system to which it is connecting.
The default value for this setting is 20 seconds, but in some deployments where network latency is high and target systems take longer to respond, you may need to increase this value.
Require TDE enabled backend. Check this box to enable Oracle Privileged Account Manager to use Transparent Data Encryption (TDE) mode. (Default is TDE mode enabled.)
Enabling TDE ensures that all sensitive information stored by Oracle Privileged Account Manager (such as account passwords) is encrypted on disk.
Unchecking the box disables TDE mode.
Note:
Oracle strongly recommends that you enable TDE mode for enhanced security.
Refer to Section 2.4.6, "Hardening the Back-End Oracle Privileged Account Manager Database" for more information about using TDE mode.
When you are finished, click the Apply button to save these configuration settings.
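The enforcement intervals above are polling intervals: an expired checkout is only detected when the next enforcement pass runs, so with the default of 3600 seconds an account can stay checked out for up to an hour past the expiration time in its Usage Policy. The same pattern applies to the Session Monitoring Update Interval described later in this chapter. The following Python simulation is an added example, not Oracle's scheduler code; it models that behaviour with constructed checkout records and reports, per account, how many seconds after expiration the automatic check-in actually happened.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Checkout:
    """A checked-out privileged account (constructed sample data, not product records)."""
    account: str
    expires_at: int                      # epoch seconds at which the Usage Policy expiration is reached
    checked_in_at: Optional[int] = None  # set by the enforcement pass that checks the account in


def enforcement_pass(checkouts: List[Checkout], now: int) -> List[str]:
    """One scheduler run: auto check-in every checkout whose expiration has passed.

    Accounts are only examined when a pass runs, so an account that expires just
    after a pass stays checked out until the next one.
    """
    checked_in = []
    for c in checkouts:
        if c.checked_in_at is None and c.expires_at <= now:
            c.checked_in_at = now
            checked_in.append(c.account)
    return checked_in


def run_scheduler(checkouts: List[Checkout], interval: int, start: int, end: int) -> Dict[str, Optional[int]]:
    """Run enforcement passes every `interval` seconds from `start` through `end`.

    Returns, per account, how many seconds after its expiration it was actually
    checked in (None if it was still checked out at `end`).
    """
    now = start
    while now <= end:
        enforcement_pass(checkouts, now)
        now += interval
    return {
        c.account: (c.checked_in_at - c.expires_at) if c.checked_in_at is not None else None
        for c in checkouts
    }


def sample_checkouts() -> List[Checkout]:
    """Constructed sample: three checkouts, one expiring one second after a pass."""
    return [
        Checkout("oracle@dbprod", expires_at=3600),
        Checkout("root@host1", expires_at=3601),
        Checkout("admin@appserver", expires_at=20000),
    ]


if __name__ == "__main__":
    # With the 3600 s default, root@host1 lingers 3599 s; with 300 s it lingers 299 s.
    for interval in (3600, 300):
        print(interval, run_scheduler(sample_checkouts(), interval, start=0, end=10800))
```

The delay is always strictly less than the configured interval, which is the trade-off to weigh when choosing the value: a shorter interval bounds how long an expired checkout survives, at the cost of more frequent checks against the back-end.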
To access the OPAM Global Config configuration entry and modify these server properties, use the getconfig and modifyconfig commands from the command line.
Note:
Refer to Section A.2.1, "getconfig Command" and Section A.2.3, "modifyconfig Command" for detailed information about using these commands.
Refer to Section 15.2, "Securing Data On Disk" for more information about enabling or disabling TDE mode from the command line.
This section provides information administrators need to manage a Session Manager Server, which includes the following topics:
You must be an administrator with the Application Configurator Admin Role or the Security Administrator role to view the Session Manager Configuration page.
Only administrators with the Application Configurator Admin Role can modify any of the settings on the Session Manager Configuration page.
Note:
For more information about these Admin Roles, refer to Section 2.3.1, "Administration Role Types" and Section 3.3.4, "Assigning the Application Configurator Role to a User."
Use the following steps to configure the Oracle Privileged Session Manager server from the Oracle Privileged Account Manager Console:
Open Oracle Privileged Account Manager by logging in to:
http://managedserver_host:managedserver_port/oinav/opam
When the Oracle Privileged Account Manager Console displays, select Session Manager Configuration from the Configuration accordion.
Use the properties on the Session Manager Configuration page to configure the Session Manager. Refer to Section 5.3.3, "Managing the Oracle Privileged Session Manager Properties" for instructions.
Note:
You cannot run two instances of Oracle Privileged Session Manager on the same machine.
Use the following steps to manage the Session Manager properties from the Oracle Privileged Account Manager Console:
Note:
You can also configure Session Manager properties by using the Oracle Privileged Account Manager RESTful interface. Refer to Appendix B, "Working with Oracle Privileged Account Manager's RESTful Interface" for more information.
You cannot use the Oracle Privileged Account Manager Command Line Tool (CLI) to configure Session Manager properties.
Open Oracle Privileged Account Manager and navigate to the Session Manager Configuration page as described in Section 5.3.2, "Configuring a Connection to the Oracle Privileged Session Manager Server."
When the Server Configuration page displays, configure the following options:
Session Monitoring Update Interval in seconds. Specify an interval (in seconds) in which Session Manager checks all checked-out sessions and updates their transcripts. Session Manager automatically terminates any sessions that have exceeded the expiration time defined in the Usage Policy. (Default is 60 seconds.)
Oracle Privileged Account Manager URLs. Use this table to manage an array of Oracle Privileged Account Manager servers to which Session Manager can connect:
Note:
Notice that the Oracle Privileged Account Manager Server URL is displayed by default in the first row of the table, as the Auto-Detect URL.
Clicking the Add button removes the Auto-Detect URL. After adding one or more rows to the table, you must click Remove and remove all rows to use the Auto-Detect URL instead. The Auto-Detect URL only displays when the table is empty.
The Oracle Privileged Account Manager Server URL is multi-valued to allow for High Availability (HA).
Session Manager maintains the server list and, when required, uses it on a round-robin basis for connections to Oracle Privileged Account Manager. Connection attempts are made against all configured servers until one succeeds or all configured URLs are exhausted.
To add one or more Oracle Privileged Account Manager Server URLs, click Add.
When the new row is displayed in the table, enter the URL of an Oracle Privileged Account Manager server into the blank field. For example,
https://<opamserver_host>:<port>/opam
To delete one or more Oracle Privileged Account Manager Server URLs from the table, select the row and click Remove.
SSH Configuration. Use the following options to configure the connection details to be displayed for session checkouts:
Listener Port: Provide the reserved SSH port on which the Session Manager listener protocol is listening. The value must be greater than 1024 and it defaults to 1122.
Session Checkout Instructions: Enter an instruction message to be displayed when users check out a session. This message should describe the information a user must provide to connect to the Session Manager server by using a regular SSH client.
For example:
ssh -p <port> <opamuser>:<targetname>:<accountname>@<sessionmgrhost>
Use opam password on password prompt
When you are finished, click the Apply button to save these configuration settings.
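The Oracle Privileged Account Manager URLs table is multi-valued for High Availability: Session Manager rotates through the configured servers round-robin and, for each connection, tries every configured URL until one succeeds or the list is exhausted, while an empty table means the Auto-Detect URL is used. The following Python class is an added example that models that selection logic; it is not Session Manager's own code, the server URLs are constructed placeholders, and the connection attempt is a stand-in function rather than a real network call.

```python
from typing import Callable, List, Tuple


class OpamServerPool:
    """Round-robin, fail-over selection over the configured server URLs.

    Models the behaviour described for the Oracle Privileged Account Manager URLs
    table: an empty table means the Auto-Detect URL is used; otherwise each
    connection starts at the next server in rotation and tries every configured
    server until one succeeds.
    """

    def __init__(self, configured_urls: List[str], auto_detect_url: str):
        self.urls = list(configured_urls)
        self.auto_detect_url = auto_detect_url
        self._next = 0  # rotation pointer for round-robin

    def candidates(self) -> List[str]:
        """Return the servers to try for this connection, in order."""
        if not self.urls:
            # The Auto-Detect URL is only used when the table is empty.
            return [self.auto_detect_url]
        n = len(self.urls)
        order = [self.urls[(self._next + i) % n] for i in range(n)]
        self._next = (self._next + 1) % n
        return order

    def connect(self, try_connect: Callable[[str], bool]) -> Tuple[str, List[str]]:
        """Attempt each candidate until try_connect(url) returns True.

        Returns (url_that_succeeded, urls_attempted). Raises ConnectionError when
        every configured URL has been exhausted without a successful connection.
        """
        attempted = []
        for url in self.candidates():
            attempted.append(url)
            if try_connect(url):
                return url, attempted
        raise ConnectionError(
            "all Oracle Privileged Account Manager URLs failed: " + ", ".join(attempted)
        )


def make_fake_connector(down: set) -> Callable[[str], bool]:
    """Constructed stand-in for a real connection attempt: URLs in `down` fail."""
    return lambda url: url not in down


# Constructed sample configuration (placeholder host names, not a real deployment).
SAMPLE_URLS = [
    "https://opam1.example.com:18102/opam",
    "https://opam2.example.com:18102/opam",
    "https://opam3.example.com:18102/opam",
]
AUTO_DETECT_URL = "https://opam-local.example.com:18102/opam"


if __name__ == "__main__":
    pool = OpamServerPool(SAMPLE_URLS, AUTO_DETECT_URL)
    connector = make_fake_connector({SAMPLE_URLS[0]})  # first server is down
    for _ in range(4):
        print(pool.connect(connector))
```

Running the sample shows the practical consequence for monitoring: a server that is down is still attempted on every rotation that starts at it, so a persistently failing URL shows up as repeated failed attempts before each successful connection rather than being dropped from the list.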
Note:
For the detailed instructions you need to check out and check in sessions, refer to Section 12.7, "Checking Out Privileged Account Sessions."