You can use the Oracle Privileged Account Manager command line tool to perform many of the same tasks you perform by using the Oracle Privileged Account Manager Console. This appendix describes how to launch and work with the Oracle Privileged Account Manager command line tool.
This appendix includes the following sections:
Note:
You can also use the Oracle Privileged Account Manager RESTful interface to perform many of these tasks. For more information, refer to Appendix B, "Working with Oracle Privileged Account Manager's RESTful Interface."
The information provided in this appendix is essentially the same whether you are using Oracle Privileged Account Manager on WebLogic or on IBM WebSphere; however, there are a few minor differences. Refer to "Differences When Using the Oracle Privileged Account Manager Command Line Tool and REST Interfaces on IBM WebSphere" in the Oracle Fusion Middleware Third-Party Application Server Guide for Oracle Identity and Access Management for more information.
Globalization support for the Oracle Privileged Account Manager command line tool is not available for this release. The command line tool messages and help are only provided in English.
This section describes how to launch and use the command line tool, and it contains the following sections:
Oracle Privileged Account Manager provides two methods for launching the command line tool:
In most situations, you can use the instructions in Section A.1.1.1, "Launching the Command Line Tool from IAM_HOME" to launch the command line tool.
However, if you want to use the Oracle Privileged Account Manager command line tool from machines other than the one where you set up Oracle Identity Management middleware, use the instructions in Section A.1.1.2, "Launching the Command Line Tool from Oracle Privileged Account Manager Client Archive."
Note:
For security purposes, the Oracle Privileged Account Manager server only responds to SSL traffic.
When you provide the Oracle Privileged Account Manager server target to the Oracle Privileged Account Manager command line tool (or to Oracle Privileged Account Manager's web-based Console), you must provide the SSL endpoint as https://hostname:sslport/opam.
By default, the WebLogic AdminServer (where the Oracle Privileged Account Manager Console runs) responds to SSL on port 7002 (In IBM WebSphere, the port is 8002). The default Oracle Privileged Account Manager server SSL port is 18102 for both WebLogic and IBM WebSphere. You can use the WebLogic console to check the port for your particular instance.
To launch the Oracle Privileged Account Manager command line tool:
Open a command window and set the ORACLE_HOME and the JAVA_HOME variables to the appropriate path: set ORACLE_HOME to IAM_HOME and set JAVA_HOME to the JRE location.
Change directory to ORACLE_HOME/opam/bin.
At the prompt, type one of the following commands:
On UNIX, type: opam.sh
On Windows, type: opam.bat
Invoking the command line tool automatically connects you to the Oracle Privileged Account Manager server.
You can invoke the Oracle Privileged Account Manager command line tool from a remote client by providing the Oracle Privileged Account Manager server's URL (running on the same machine or on a different machine) in the -url option.
The Oracle Privileged Account Manager client is also available as a standalone .zip file, located in the following directory of an Oracle Identity and Access Management suite installation:
IAM_HOME/opam/tools/opamclient.zip
Copy the archive and then follow these steps to launch the command line tool:
Unzip the archive on the machine where the Oracle Privileged Account Manager client is required. Unzipping the opamclient.zip file creates a top-level directory named opamclient.
Set the OPAMCLIENT_HOME variable to <UNZIP_DIR>/opamclient and set the JAVA_HOME variable to the JRE location.
At the prompt, type one of the following commands:
On UNIX, type: opam.sh
On Windows, type: opam.bat
Invoking the command line tool automatically connects you to the Oracle Privileged Account Manager server. You can invoke the Oracle Privileged Account Manager command line tool by providing the Oracle Privileged Account Manager server's URL in the -url option.
Use the following syntax to issue any of the Oracle Privileged Account Manager commands (opam.sh on UNIX, opam.bat on Windows):
opam.sh [-url <url>] -u <username> [-p <password>] [-debug] -x <opam-command>
opam.bat [-url <url>] -u <username> [-p <password>] [-debug] -x <opam-command>
where:
Option | Description |
---|---|
-url <url> |
Provide the URL address for the Oracle Privileged Account Manager server. Note: If you do not specify a URL for this option, it defaults to |
-u <username> |
Provide your log-in user name. |
-p <password> |
Provide your log-in password. This option is optional; a password given on the command line is recorded in shell history and is visible in process listings to other users of the host, so avoid supplying it this way on shared machines. |
-debug |
Enable the debugger log. |
-x <opam-command> |
Run the specified Oracle Privileged Account Manager command. |
For example:
-url https://hostname:sslport/opam -u <username> [-p <password>] [-debug] -x checkout -targetname <targetname> -accountname <accountname>
Note:
On a Windows system, you must use double quotes (") instead of single quotes (') for parameters that contain spaces. For example:
opam.bat -u sec_admin -p passwd -x showtargetpassword -targetname "oracle db"
On a UNIX system, you can use single quotes (') for parameters that contain spaces. Single quotes also stop the shell from expanding special symbols such as a dollar sign ($), so quote any value that contains one.
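The following Python helper, added here as an example and not part of the Oracle documentation or of the OPAM tool, turns the rules stated above into code: it rejects a server target that is not the https://hostname:sslport/opam SSL endpoint, leaves -p out so the password never lands on the command line, renders list values in the value1|value2 form that the addtarget notes later in this appendix require for multi-valued attributes, and quotes parameters containing spaces with double quotes for opam.bat and single quotes for opam.sh. The host name, port and user name in the usage section are placeholders.

```python
"""Build a platform-correct opam.sh / opam.bat command line.

Added example: this is not code from the Oracle documentation or from the
OPAM tool. It applies the rules stated in this appendix: the server target
must be the SSL endpoint https://hostname:sslport/opam, parameters that
contain spaces are double-quoted on Windows and single-quoted on UNIX, and
multi-valued attributes use the value1|value2 form. The host, port and user
names used in the usage section are placeholders.
"""
import shlex
import subprocess
from typing import Dict, List, Optional
from urllib.parse import urlsplit


def check_opam_url(url: str) -> bool:
    """True only for an https://hostname:port/opam endpoint.

    The OPAM server answers SSL traffic only, so a plain http:// target or a
    missing port is rejected before anything is sent.
    """
    parts = urlsplit(url)
    try:
        port = parts.port          # ValueError on a non-numeric port
    except ValueError:
        return False
    return (parts.scheme == "https" and bool(parts.hostname)
            and port is not None and parts.path == "/opam")


def opam_args(command: str, options: Optional[Dict[str, object]] = None,
              url: Optional[str] = None, user: str = "sec_admin",
              debug: bool = False) -> List[str]:
    """Return the argument list for one -x <opam-command> invocation.

    -p is deliberately not offered: a password on the command line ends up in
    shell history and process listings. Boolean options are rendered as
    true/false and list values are joined with '|' (multi-valued format).
    """
    if url is not None and not check_opam_url(url):
        raise ValueError(f"server target must be https://hostname:sslport/opam, got {url!r}")
    args: List[str] = []
    if url is not None:
        args += ["-url", url]
    args += ["-u", user]
    if debug:
        args.append("-debug")
    args += ["-x", command]
    for name, value in (options or {}).items():
        if isinstance(value, bool):
            value = "true" if value else "false"
        elif isinstance(value, (list, tuple)):
            value = "|".join(str(v) for v in value)
        args += [f"-{name}", str(value)]
    return args


def opam_command_line(args: List[str], platform: str = "posix") -> str:
    """Render args as one shell line, quoting as the appendix requires:
    double quotes for opam.bat on Windows, single quotes for opam.sh on UNIX."""
    if platform == "windows":
        return subprocess.list2cmdline(["opam.bat", *args])
    return shlex.join(["opam.sh", *args])


if __name__ == "__main__":
    # Placeholder server and target names; nothing is executed here.
    a = opam_args("showtargetpassword", {"targetname": "oracle db"},
                  url="https://opamhost.example.com:18102/opam")
    print(opam_command_line(a))
    print(opam_command_line(a, "windows"))
```

To execute a command, hand the list returned by opam_args to subprocess.run together with the path to opam.sh or opam.bat; opam_command_line exists only to show or log the exact line, with the platform's quoting, that the tool will receive.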
The following sections contain information about the commands that you use to manage the Oracle Privileged Account Manager server.
getconfig Command
Use the getconfig command to view the OPAM Global Config configuration entry, which enables you to access and manage various Oracle Privileged Account Manager server properties.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x getconfig -configtype <config type> <options>
The following table describes the options you can use with this command:
Option | Description |
---|---|
-configtype <global/session> |
Specify the configuration type. |
[-help] |
Optional. Displays usage options for this command. |
getserverstatus Command
Use the getserverstatus command to get the status for an Oracle Privileged Account Manager instance.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x getserverstatus <options>
The following table describes the options you can use with this command:
Option | Description |
---|---|
[-help] |
Optional. Displays usage options for this command. |
modifyconfig Command
Use the modifyconfig command to manage Oracle Privileged Account Manager server properties in the OPAM Global Config configuration entry. You can use this command to perform two types of configuration, global and session.
The following properties are available for global configuration:
policyenforcerinterval. Interval (in seconds) in which Oracle Privileged Account Manager checks accounts and then automatically checks-in the accounts that have exceeded the expiration time defined in the Usage Policy. (Default is 3600 seconds)
passwordcyclerinterval. Interval (in seconds) in which Oracle Privileged Account Manager checks and then resets the password for any accounts that have exceeded the maximum password age defined in the Password Policy. (Default is 3600 seconds)
tdemode. Flag to request that Oracle Privileged Account Manager use Transparent Data Encryption (TDE) mode or non-TDE mode. For more information, refer to Section 15.2, "Securing Data On Disk."
The following properties are available for the session configuration:
updateinterval. Interval (in seconds) in which the Oracle Privileged Session Manager server checks all of the checked out sessions for expiration and updates their transcripts.
opamserverurls. List of Oracle Privileged Account Manager server URLs to which the Session Manager can connect.
maxrecordsize. Maximum recording size that is allowed per session (in KB). When this quota is reached, the session is automatically terminated.
The following properties are SSH-specific:
opamListenPort. The port on which Session Manager listens for incoming SSH connections.
sessioncheckoutinstructions. The checkout instructions that are presented to users for SSH sessions.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x modifyconfig -configtype <config type> <options>
The following table describes the options you can use with the modifyconfig command:
Option | Description |
---|---|
-configtype <global/session> |
Specify the configuration type. |
[-propertyname <property name>] |
Specify the server property to be modified (one of the global or session properties listed above). |
[-propertyvalue <property value>] |
Specify the property value to be modified. |
[-help] |
Optional. Displays usage options for this command. |
For example,
-x modifyconfig -configtype global -propertyname policyenforcerinterval -propertyvalue 600
or
-x modifyconfig -configtype global -propertyname tdemode -propertyvalue true
The following sections contain information about the commands that you use when working with Oracle Privileged Account Manager Password Policies and Usage Policies.
addpasswordpolicy Command
Use the addpasswordpolicy command to add a Password Policy.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x addpasswordpolicy <options>
The following table describes the options you can use with this command:
Option | Description |
---|---|
-policyname <policy name> |
Provide a name for the new Password Policy. |
-policystatus <active/disabled> |
Specify the Password Policy status. |
[-description <policy description>] |
Optional. Provide a description of the Password Policy. |
[-passwordchangedurationunit <minutes/hours/days>] |
Optional. Specify the password age unit. |
[-passwordchangedurationvalue <password change duration value>] |
Optional. Specify the password age value. |
[-changeoncheckin <true/false>] |
Optional. Specify whether to change the password when checking in the account using this Password Policy. |
[-changeoncheckout <true/false>] |
Optional. Specify whether to change the password when checking out the account using this Password Policy. |
[-passwordcharsmin <password minimum chars number>] |
Optional. Specify the minimum character length restriction for the Password Policy. |
[-passwordcharsmax <password maximum chars number>] |
Optional. Specify the maximum character length restriction for the Password Policy. |
[-passwordalphabeticmin <password minimum alphabetic chars number>] |
Optional. Specify the minimum number of alphabetic characters required for the Password Policy. |
[-passwordnumericmin <password minimum numeric chars number>] |
Optional. Specify the minimum number of numeric characters required for the Password Policy. |
[-passwordalphanumericmin <password minimum alphanumeric chars number>] |
Optional. Specify the minimum number of alphanumeric characters required for the Password Policy. |
[-passworduniquemin <password minimum unique chars number>] |
Optional. Specify the minimum number of unique characters required for the Password Policy. |
[-passworduppercasemin <password minimum uppercase chars number>] |
Optional. Specify the minimum number of uppercase characters required for the Password Policy. |
[-passwordlowercasemin <password minimum lowercase chars number>] |
Optional. Specify the minimum number of lowercase characters required for the Password Policy. |
[-passwordspecialmin <password minimum special chars number>] |
Optional. Specify the minimum number of special characters required for the Password Policy. |
[-passwordspecialmax <password maximum special chars number>] |
Optional. Specify the maximum number of special characters allowed for the Password Policy. |
[-passwordrepeatedmin <password minimum repeated chars number>] |
Optional. Specify the minimum number of repeated characters allowed for the Password Policy. |
[-passwordrepeatedmax <password maximum repeated chars number>] |
Optional. Specify the maximum number of repeated characters allowed for the Password Policy. |
[-startingchar <true/false>] |
Optional. Specify whether the first character of the generated password can be a numeric character. If you specify |
[-isaccountnameallowed <true/false>] |
Optional. Specify whether the generated password can be identical to the account name. |
[-requiredchars <required chars>] |
Optional. Specify characters that are required in the generated password. Use the comma (,) to separate multiple characters. |
[-allowedchars <allowed chars>] |
Optional. Specify characters that are allowed in the generated password. Use the comma (,) to separate multiple characters. |
[-disallowedchars <disallowed chars>] |
Optional. Specify characters that are not allowed in the generated password. Use the comma (,) to separate multiple characters. |
[-help] |
Optional. Displays usage options for this command. |
For example:
-url https://hostname:sslport/opam -u opamuser1 -p hr_password123 [-debug] -x addpasswordpolicy -policyname password_policy_hr -policystatus active -changeoncheckin true
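As an added example (not the page's or OPAM's own code), the Python class below gives the addpasswordpolicy options above a concrete meaning: it defines a Password Policy with fields named after the options, renders them as the -name value pairs the command takes, and reports which rules a candidate password breaks. OPAM's own evaluation of each option is not described on this page, so each check is this example's reading of the option, and the numeric defaults are placeholders of the example rather than OPAM defaults.

```python
"""Vet a password against an OPAM-style Password Policy.

Added example: this is not code from the Oracle documentation or from the
OPAM tool. Field names mirror the addpasswordpolicy options on this page.
How OPAM itself evaluates each option is not described here, so every check
below is this example's reading of the option (an assumption), and the
default values are this example's placeholders, not OPAM defaults.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class PasswordPolicy:
    policyname: str
    policystatus: str = "active"
    passwordcharsmin: int = 8
    passwordcharsmax: int = 64
    passwordalphabeticmin: int = 1
    passwordnumericmin: int = 1
    passworduppercasemin: int = 1
    passwordlowercasemin: int = 1
    passwordspecialmin: int = 1
    passwordspecialmax: Optional[int] = None
    passworduniquemin: int = 4
    passwordrepeatedmax: Optional[int] = None   # assumed: max occurrences of any one character
    startingchar: bool = False                  # assumed: may the first character be a digit?
    isaccountnameallowed: bool = False
    requiredchars: List[str] = field(default_factory=list)
    disallowedchars: List[str] = field(default_factory=list)

    def to_cli_options(self) -> Dict[str, str]:
        """Render the policy as -name value pairs for -x addpasswordpolicy
        (booleans as true/false, character lists comma-separated)."""
        opts: Dict[str, str] = {}
        for name, value in vars(self).items():
            if value is None or value == []:
                continue
            if isinstance(value, bool):
                opts[name] = "true" if value else "false"
            elif isinstance(value, list):
                opts[name] = ",".join(value)
            else:
                opts[name] = str(value)
        return opts

    def violations(self, password: str, account_name: str = "") -> List[str]:
        """Return the rules the password breaks; an empty list means compliant."""
        n = len(password)
        alpha = sum(c.isalpha() for c in password)
        digits = sum(c.isdigit() for c in password)
        upper = sum(c.isupper() for c in password)
        lower = sum(c.islower() for c in password)
        special = n - alpha - digits                 # anything that is neither letter nor digit
        counts = Counter(password)
        most_repeated = max(counts.values(), default=0)
        checks = [
            (n < self.passwordcharsmin, f"fewer than passwordcharsmin={self.passwordcharsmin} characters"),
            (n > self.passwordcharsmax, f"more than passwordcharsmax={self.passwordcharsmax} characters"),
            (alpha < self.passwordalphabeticmin, f"fewer than passwordalphabeticmin={self.passwordalphabeticmin} letters"),
            (digits < self.passwordnumericmin, f"fewer than passwordnumericmin={self.passwordnumericmin} digits"),
            (upper < self.passworduppercasemin, f"fewer than passworduppercasemin={self.passworduppercasemin} uppercase"),
            (lower < self.passwordlowercasemin, f"fewer than passwordlowercasemin={self.passwordlowercasemin} lowercase"),
            (special < self.passwordspecialmin, f"fewer than passwordspecialmin={self.passwordspecialmin} special"),
            (self.passwordspecialmax is not None and special > self.passwordspecialmax,
             f"more than passwordspecialmax={self.passwordspecialmax} special"),
            (len(counts) < self.passworduniquemin, f"fewer than passworduniquemin={self.passworduniquemin} unique"),
            (self.passwordrepeatedmax is not None and most_repeated > self.passwordrepeatedmax,
             f"a character repeats more than passwordrepeatedmax={self.passwordrepeatedmax} times"),
            (not self.startingchar and password[:1].isdigit(), "starts with a digit but startingchar=false"),
            (not self.isaccountnameallowed and bool(account_name)
             and password.lower() == account_name.lower(), "identical to the account name"),
        ]
        found = [msg for bad, msg in checks if bad]
        missing = [c for c in self.requiredchars if c not in password]
        if missing:
            found.append("missing requiredchars " + ",".join(missing))
        present = [c for c in self.disallowedchars if c in password]
        if present:
            found.append("contains disallowedchars " + ",".join(present))
        return found


if __name__ == "__main__":
    policy = PasswordPolicy("password_policy_hr", passwordrepeatedmax=2, disallowedchars=["$"])
    print(policy.to_cli_options())
    print(policy.violations("7aaa$Bcde", account_name="hr_svc"))
```

The dictionary from to_cli_options maps directly onto the option table above, so one policy object can both drive the addpasswordpolicy call and be used afterwards to audit passwords that were set outside of OPAM.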
addusagepolicy Command
Use the addusagepolicy command to add a Usage Policy.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x addusagepolicy <options>
The following table describes the options you can use with this command:
Option | Description |
---|---|
-policyname <policy name> |
Provide a name for the new Usage Policy. |
-policystatus <active/disabled> |
Specify the Usage Policy status. |
[-description <policy description>] |
Optional. Provide a description of the Usage Policy. |
-dateorduration <date/duration> |
Set an expiration time based on date or duration. |
[-expireddateminutesfromcheckout <minutes to expiration>] |
Optional. Specify the number of minutes until expiration. When a checked-out account with this Usage Policy exceeds the specified duration, Oracle Privileged Account Manager automatically checks-in that account. Note: This field becomes a required field if you specify -dateorduration duration. |
[-expireddate <expiration date>] |
Optional. Specify the expiration date. When an account with this Usage Policy meets this expiration date, Oracle Privileged Account Manager automatically checks-in that account. Note: This field becomes a required field if you specify -dateorduration date. |
Use the following three options to specify at what time the access expires on the expiration date. Note: These fields become required fields if you specify -dateorduration date. |
[-timezone <time zone>] |
Specify a time zone for the Usage Policy, including the timezone region. For example, (GMT -6:00) America/Chicago. Because the value contains spaces, quote it on the command line. |
[-usagedates <dates information of usage policy>] |
Specify the usage dates information for the policy as one entry per day, separated by the pipe (|) character. For example, monday:12:0:am:12:0:am|tuesday:1:15:am:2:35:pm. Quote the value on UNIX so that the shell does not treat the pipe as a command separator. |
-enablerecording <true/false> |
Set this flag to enable (true) or disable (false) session recording when applying the Usage Policy to a session checkout. (Default is |
[-help] |
Optional. Displays usage options for this command. |
For example:
-url https://hostname:sslport/opam -u opamuser1 -p hr_password123 [-debug] -x addusagepolicy -policyname usage_policy_fromPMtoAM -policystatus active -dateorduration duration -expireddateminutesfromcheckout 120 -timezone '(GMT -6:00) America/Chicago' -usagedates 'monday:12:0:am:12:0:am|tuesday:1:15:am:2:35:pm'
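The -usagedates value in the example above has a compact day:hour:minute:am/pm:hour:minute:am/pm form. The Python below, added here as an example and not part of the Oracle documentation or of the OPAM tool, parses that value into weekday windows and answers whether a checkout at a given time is allowed. It assumes that an end time of 12:0:am means midnight at the end of the day (so monday:12:0:am:12:0:am covers all of Monday) and that the time handed in has already been converted to the policy's time zone.

```python
"""Parse and evaluate the -usagedates value of an OPAM Usage Policy.

Added example: this is not code from the Oracle documentation or from the
OPAM tool. Entries have the form day:hour:minute:am|pm:hour:minute:am|pm and
are joined with '|', as in the addusagepolicy example on this page. Two
assumptions: an end time of 12:0:am means midnight at the end of the day
(so monday:12:0:am:12:0:am covers all of Monday), and times are in the
policy's time zone, so callers convert a datetime with zoneinfo first.
"""
from datetime import datetime
from typing import List, NamedTuple

DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]


class Window(NamedTuple):
    weekday: int   # 0 = Monday, matching datetime.weekday()
    start: int     # minutes after midnight, inclusive
    end: int       # minutes after midnight, exclusive (1440 = end of day)


def _to_minutes(hour: str, minute: str, ampm: str) -> int:
    """Convert a 12-hour clock time to minutes after midnight."""
    h, m = int(hour), int(minute)
    if not (1 <= h <= 12 and 0 <= m <= 59) or ampm not in ("am", "pm"):
        raise ValueError(f"bad time {hour}:{minute}:{ampm}")
    h %= 12                      # 12 am -> 0; 12 pm -> 0 + 12 below
    if ampm == "pm":
        h += 12
    return h * 60 + m


def parse_usagedates(spec: str) -> List[Window]:
    """Turn 'monday:12:0:am:12:0:am|tuesday:1:15:am:2:35:pm' into Windows."""
    windows = []
    for entry in spec.split("|"):
        fields = entry.strip().lower().split(":")
        if len(fields) != 7:
            raise ValueError(f"expected day:h:m:ampm:h:m:ampm, got {entry!r}")
        day, sh, sm, sp, eh, em, ep = fields
        if day not in DAYS:
            raise ValueError(f"unknown day {day!r} in {entry!r}")
        start, end = _to_minutes(sh, sm, sp), _to_minutes(eh, em, ep)
        if end == 0:
            end = 24 * 60        # assumption: 12:0:am as an end time means end of day
        if end <= start:
            raise ValueError(f"window ends before it starts: {entry!r}")
        windows.append(Window(DAYS.index(day), start, end))
    return windows


def checkout_allowed(windows: List[Window], when: datetime) -> bool:
    """True if `when` (already in the policy's time zone) is inside a window."""
    minutes = when.hour * 60 + when.minute
    return any(w.weekday == when.weekday() and w.start <= minutes < w.end
               for w in windows)


def checkout_allowed_at(spec: str, iso_datetime: str) -> bool:
    """Convenience wrapper taking the raw -usagedates value and an ISO 8601 time."""
    return checkout_allowed(parse_usagedates(spec), datetime.fromisoformat(iso_datetime))


if __name__ == "__main__":
    spec = "monday:12:0:am:12:0:am|tuesday:1:15:am:2:35:pm"
    for w in parse_usagedates(spec):
        print(DAYS[w.weekday], w.start, w.end)
    print(checkout_allowed_at(spec, "2024-01-02T14:34"))   # Tuesday 2:34 pm
```

Because the policy carries its own -timezone, convert the caller's clock into that zone before calling checkout_allowed; evaluating the windows against a server in a different zone silently shifts every window by the offset between the two.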
modifypasswordpolicy Command
Use the modifypasswordpolicy command to modify a Password Policy.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x modifypasswordpolicy <options>
The following table describes the options you can use with this command:
Option | Description |
---|---|
-policyname <policy name> |
Specify the Password Policy to be modified. |
-propertyname <property name> |
Specify the property name that you want to modify. |
-propertyvalue <property value> |
Specify the property value that you want to modify. |
[-help] |
Optional. Displays usage options for this command. |
For example:
-url https://hostname:sslport/opam -u opamuser1 -p hr_password123 [-debug] -x modifypasswordpolicy -policyname password_policy_hr -propertyname changeoncheckin -propertyvalue true
modifyusagepolicy Command
Use the modifyusagepolicy command to modify a Usage Policy.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x modifyusagepolicy <options>
The following table describes the options you can use with this command:
Option | Description |
---|---|
-policyname <policy name> |
Specify the Usage Policy to be modified. |
-propertyname <property name> |
Specify the property name that you want to modify. |
-propertyvalue <property value> |
Specify the property value that you want to modify. |
-enablerecording <true/false> |
Set this flag to enable (true) or disable (false) session recording when applying the Usage Policy to a session checkout. (Default is |
[-help] |
Optional. Displays usage options for this command. |
For example:
-url https://hostname:sslport/opam -u opamuser1 -p hr_password123 [-debug] -x modifyusagepolicy -policyname usage_policy_fromPMtoAM -propertyname expireddateminutesfromcheckout -propertyvalue 60
removepasswordpolicy Command
Use the removepasswordpolicy command to remove a Password Policy.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x removepasswordpolicy <options>
The following table describes the options you can use with this command:
Option | Description |
---|---|
-policyname <policy name> |
Specify the Password Policy to remove. |
[-help] |
Optional. Displays usage options for this command. |
For example:
-url https://hostname:sslport/opam -u opamuser1 -p hr_password123 [-debug] -x removepasswordpolicy -policyname password_policy_hr
removeusagepolicy Command
Use the removeusagepolicy command to remove a Usage Policy.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x removeusagepolicy <options>
The following table describes the options you can use with this command:
Option | Description |
---|---|
-policyname <policy name> |
Specify the Usage Policy to remove. |
[-help] |
Optional. Displays usage options for this command. |
For example:
-url https://hostname:sslport/opam -u opamuser1 -p hr_password123 [-debug] -x removeusagepolicy -policyname usage_policy_fromPMtoAM
retrievepasswordpolicy Command
Use the retrievepasswordpolicy command to retrieve a Password Policy.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x retrievepasswordpolicy <options>
The following table describes the options you can use with this command:
Option | Description |
---|---|
-policyname <policy name> |
Specify the Password Policy to be retrieved. |
[-help] |
Optional. Displays usage options for this command. |
For example:
-url https://hostname:sslport/opam -u opamuser1 -p hr_password123 [-debug] -x retrievepasswordpolicy -policyname password_policy_hr
retrieveusagepolicy Command
Use the retrieveusagepolicy command to retrieve a Usage Policy.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x retrieveusagepolicy <options>
The following table describes the options you can use with this command:
Option | Description |
---|---|
-policyname <policy name> |
Specify the Usage Policy to be retrieved. |
[-help] |
Optional. Displays usage options for this command. |
For example:
-url https://hostname:sslport/opam -u opamuser1 -p hr_password123 [-debug] -x retrieveusagepolicy -policyname usage_policy_hr
The following sections contain information about the commands that you use when working with Oracle Privileged Account Manager targets.
addtarget Command
Use the addtarget command to add a target.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x addtarget <options>
Oracle Privileged Account Manager supports multiple target types, and each target type has different required and optional parameters. You must specify the target type to see the target-specific options, as follows:
Option | Description |
---|---|
-targettype <ldap | unix | database> |
Specify the target type to see target-specific attributes. |
Note:
These options should be discovered at run time, before you execute the addtarget command.
The following examples illustrate the commands you can execute to list the supported target types and the required and optional parameters for a specific target type:
Example A-1 Supported Target Types
sh opam.sh -url <OPAM url> -u <security admin user> -p <security admin user password> -x addtarget -help
For example, if https://hostname:sslport/opam is the Oracle Privileged Account Manager server URL, execute the following command:
sh opam.sh -url https://hostname:sslport/opam -u sec_admin -p welcome1 -x addtarget -help
Example A-2 Required and Optional Parameters for a Specific Target Type
sh opam.sh -url <OPAM url> -u <security admin user> -p <security admin user password> -x addtarget -targettype <any supported target type> -help
For example, if you are using the LDAP target type with https://hostname:sslport/opam as the Oracle Privileged Account Manager server URL, execute the following command:
sh opam.sh -url https://hostname:sslport/opam -u sec_admin -p welcome1 -x addtarget -targettype ldap -help
Refer to the following sections for a description of the parameters used with the different target types:
The following table describes the ldap target type parameters that you can use with this command.
Option | Description |
---|---|
-targetname <targetname> |
Provide a name for the target. |
-domain <domain> |
Provide a domain name. |
-host <host> |
Provide the host name. |
-port <port> |
Provide the TCP/IP port number used to communicate with the LDAP server. |
[-ssl <ssl>] |
Optional. Specify to connect to the LDAP server using SSL. |
-principal <principal> |
Provide the distinguished name with which to authenticate to the LDAP server. |
-credentials <credentials> |
Provide the principal's password. |
[-passwordpolicy <password policy name>] |
Optional. Identify, by name, a Password Policy to apply to the target. |
[-passwordpolicyid <password policy ID>] |
Optional. Identify, by ID, a Password Policy to apply to the target. |
-baseContexts <baseContexts> |
Specify one or more starting points in the LDAP tree to use when searching the tree. Searches are performed when discovering users from the LDAP server or when looking for groups in which the user is a member. |
-accountNameAttribute <accountNameAttribute> |
Identify the attribute that holds the account's user name. |
[-description <description>] |
Optional. Provide a description of the target. |
[-organization <organization>] |
Optional. Provide the organization name. |
[-uidAttribute <uidAttribute>] |
Optional. Provide the name of the LDAP attribute that is mapped to the |
[-accountSearchFilter <accountSearchFilter>] |
Optional. Provide an LDAP filter to control which accounts are returned from the LDAP resource. If you do not specify a filter, then only accounts that include all specified object classes will be returned. (Defaults to |
[-passwordAttribute <passwordAttribute>] |
Optional. Identify the LDAP attribute that holds the password. When changing a user's password, Oracle Privileged Account Manager sets the new password to this attribute. (Defaults to |
[-accountObjectClasses <accountObjectClasses>] [Multi-Valued] |
Optional. Specify the objectclass or objectclasses to use when creating new user objects in the LDAP tree. When entering more than one objectclass, put each entry on its own line and do not use commas or semicolons to separate multiple object classes. Some objectclasses may require that you specify all objectclasses in the class hierarchy. (Defaults to |
[-force <true/false>] |
Optional. Enable or disable the requirement for connection validation. |
[-help] |
Optional. Displays usage options for this command. |
Note:
You can use either -passwordpolicy <password policy name> or -passwordpolicyid <policy ID> to apply a Password Policy to the target.
You must specify all multi-valued attributes in this format: value1|value2|... Quote such a value on UNIX so that the shell does not treat the pipe as a command separator.
The following table describes the database target type parameters that you can use with this command.
Note:
You can use either -passwordpolicy <password policy name> or -passwordpolicyid <policy ID> to apply a Password Policy to the target.
You must specify all multi-valued attributes in this format: value1|value2|...
The following table describes the unix target type parameters that you can use with this command.
Note:
You can use either -passwordpolicy <password policy name> or -passwordpolicyid <policy ID> to apply a Password Policy to the target.
You must specify all multi-valued attributes in this format: value1|value2|...
The following table describes the lockbox target type parameters that you can use with this command.
Option | Description |
---|---|
-targetname <targetname> |
Provide a name for the target. |
-domain <domain> |
Provide a domain name. |
-host <host> |
Provide the host name. |
[-description <description>] |
Optional. Provide a description of the target. |
[-organization <organization>] |
Optional. Provide the organization name. |
[-help] |
Optional. Displays usage options for this command. |
displayalltargets Command
Use the displayalltargets command to display a listing of all targets.
Note:
You must be an administrator with the User Manager Admin Role, the Security Administrator Admin Role, or the Security Auditor Admin Role to successfully run this command.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x displayalltargets <options>
The following table describes the options you can use with this command:
Option | Description |
---|---|
[-help] |
Optional. Displays usage options for this command. |
modifytarget Command
Use the modifytarget command to modify a target.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x modifytarget <options>
The following table describes the options you can use with this command:
Option | Description |
---|---|
[-targetid <targetid>] |
Optional. Specify the target GUID value of the target to be modified. Note: When you configure a target, Oracle Privileged Account Manager automatically assigns a unique target GUID. Refer to Section 6.2, "Adding Targets to Oracle Privileged Account Manager" for more information. |
[-targetname <targetname>] |
Optional. Specify the name of the target to be modified. |
-propertyname <propertyname> |
Specify the name of the property that you want to modify. |
-propertyvalue <propertyvalue> |
Specify the property value that you want to modify. |
[-force <true/false>] |
Optional. Enables or disables the requirement for connection validation. |
[-help] |
Optional. Displays usage options for this command. |
Note:
You use either <targetid> or <targetname> to identify a target. Both values are unique.
removetarget Command
Use the removetarget command to remove a target.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x removetarget <options>
The following table describes the options you can use with this command:
Option | Description |
---|---|
[-targetid <target id>] |
Optional. Specify the target GUID value of the target to be removed. Note: When you configure a target, Oracle Privileged Account Manager automatically assigns a unique target GUID. Refer to Section 6.2, "Adding Targets to Oracle Privileged Account Manager" for more information. |
[-targetname <target name>] |
Optional. Specify the name of the target to be removed |
[-help] |
Optional. Displays usage options for this command. |
Note:
You use either <targetid> or <targetname> to identify the target. Both values are unique.
resettargetpassword Command
Use the resettargetpassword command to manually reset a target service account password. When you execute this command, Oracle Privileged Account Manager returns the target service account details and prompts you to enter a new password.
Note:
You must be an administrator with the Security Administrator Admin Role to execute this command.
This command is not applicable for the lockbox or ldap target types and will return an "Operation not supported" error message.
Refer to Chapter 7, "Working with Service Accounts" for information about service accounts.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x resettargetpassword <options>
The following table describes the options you can use with this command:
Option | Description |
---|---|
[-targetid <target id>] |
Optional. Identify the target to be reset. |
[-targetname <target name>] |
Optional. Identify, by name, the target to be reset. |
[-password <account password>] |
Optional. Provide a new password for the target. |
[-autogen <true/false>] |
Optional. Use to automatically generate a password, according to the account Password Policy. |
[-help] |
Optional. Displays usage options for this command. |
Note:
You use either <targetid> or <targetname> to identify the target.
You use either <password> or <autogen> to create a new password for the target.
retrievetarget Command
Use the retrievetarget command to get information about a target.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x retrievetarget <options>
The following table describes the options you can use with this command:
Option | Description |
---|---|
[-targetid <target id>] |
Optional. Specify the target GUID value of the target to be retrieved. Note: When you configure a target, Oracle Privileged Account Manager automatically assigns a unique target GUID. Refer to Section 6.2, "Adding Targets to Oracle Privileged Account Manager" for more information. |
[-targetname <target name>] |
Optional. Specify the name of the target to be retrieved. |
[-help] |
Optional. Displays usage options for this command. |
Note:
You use either <targetid> or <targetname> to identify the target. Both values are unique.
searchtarget Command
Use the searchtarget command to search for a target.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x searchtarget <options>
The following table describes the options you can use with this command:
Option | Description |
---|---|
[-targettype <ldap | solaris | oracledb>] |
Optional. Identify the type of target to search for as LDAP, Solaris, or Oracle DB. |
[-domain <domain>] |
Optional. Provide a domain to search. |
[-targetname <target name>] |
Optional. Provide the target name to search for. |
[-help] |
Optional. Displays usage options for this command. |
showtargetpassword Command
Use the showtargetpassword command to view the password for a target service account. When you execute this command, Oracle Privileged Account Manager returns the target service account details and the password in clear text, so run it only where terminal output and shell session logs are not captured or shared.
Note:
You must be an administrator with the Security Administrator Admin Role to execute this command.
This command is not applicable for the lockbox target type and will return an "Operation not supported" error message.
Refer to Chapter 7, "Working with Service Accounts" for information about service accounts.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x showtargetpassword <options>
The following table describes the options you can use with this command:
Option | Description |
---|---|
[-targetid <target id>] |
Optional. Identify the target whose service account password is to be shown. |
[-targetname <target name>] |
Optional. Identify, by name, the target whose service account password is to be shown. |
[-help] |
Optional. Displays usage options for this command. |
Note:
You use either <targetid> or <targetname> to identify the target.
showtargetpasswordhistory Command
Use the showtargetpasswordhistory command to view the password history for a target where you have reset the password. When you execute this command, Oracle Privileged Account Manager returns the password history.
Note:
You must be an administrator with the Security Administrator Admin Role to execute this command.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x showtargetpasswordhistory <options>
The following table describes the options you can use with this command:
Option | Description |
---|---|
[-targetid <target id>] |
Optional. Identify the target for which you are searching. |
[-targetname <target name>] |
Optional. Identify, by name, the target for which you are searching. |
[-help] |
Optional. Displays usage options for this command. |
Note:
You use either <targetid> or <targetname> to identify the target.
The following sections contain information about the commands that you use when working with Oracle Privileged Account Manager privileged accounts.
addaccount Command
Use the addaccount command to add a privileged account.
Note:
You must never use the same account as the service account and as a privileged account to be managed by Oracle Privileged Account Manager. Refer to Chapter 7, "Working with Service Accounts" for information about service accounts.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x addaccount <options>
The following table describes the options you can use with this command:
Option | Description |
---|---|
[-targetid <target id>] | Optional. Specify the target GUID value of a configured target. Note: When you configure a target, Oracle Privileged Account Manager automatically assigns a unique target GUID. Refer to Section 6.2, "Adding Targets to Oracle Privileged Account Manager." |
[-targetname <target name>] | Optional. Specify the target name of a configured target. |
[-password <account password>] | Optional. Specify a default value for the account password. Note: This field becomes a required field if the target type is lockbox. |
[-description <account description>] | Optional. Provide a description of the account. |
-accountname <accountname> | Provide a name for the new account. |
[-force <true/false>] | Optional. Enables or disables the requirement for connection validation. |
[-help] | Optional. Displays usage options for this command. |
Note:
You use either <targetid> or <targetname> to identify the target. Both values are unique.
You can use -password to set up an account password.
displayallaccounts Command
Use the displayallaccounts command to display a listing of all accounts.
Note:
You must be an administrator with the User Manager Admin Role or the Security Administrator Admin Role to successfully run this command.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x displayallaccounts <options>
The following table describes the options you can use with this command:
Option | Description |
---|---|
[-help] | Optional. Displays usage options for this command. |
checkin Command
Use the checkin command to check in privileged accounts.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x checkin <options>
The following table describes the options you can use with this command:
Option | Description |
---|---|
[-accountid <account id>] | Optional. Identify the account to be checked in. |
([-accountname <account name>] and [-targetname <target name>]) | Optional. Identify the account to be checked in. Note: The (<accountname> and <targetname>) combination forms a unique pair that can be used to identify a specific account. |
[-checkoutid <checkout ID>] | Specify the checkout ID. |
[-force <true/false>] | Optional. Enables or disables the ability to force check-in a privileged account. A force check-in enables administrators with the User Manager Admin Role to check in privileged accounts that have been checked out by other users. |
[-userid <userid>] | Optional. Specifies which user is to be force checked in. Oracle Privileged Account Manager allows multiple users to check out an account at the same time. By providing a userid, the force check-in only applies to the specified user. |
[-help] | Optional. Displays usage options for this command. |
Note:
You use either <accountid> or the (<accountname> and <targetname>) combination to identify the account.
checkout Command
Use the checkout command to check out privileged accounts.
Note:
The checkout operation also provides a password for you to use.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x checkout <options>
The following table describes the options you can use with this command:
Option | Description |
---|---|
[-accountid <account id>] | Optional. Identify the account to be checked out. |
([-accountname <account name>] and [-targetname <target name>]) | Optional. Identify the account to be checked out. Note: The (<accountname> and <targetname>) combination forms a unique pair that can be used to identify a specific account. |
[-checkouttype <password/session>] | Specify the type of checkout: password or session. |
[-comment <comment>] | Optional. Provide a comment about the checkout. |
[-help] | Optional. Displays usage options for this command. |
Note:
You use either <accountid> or (<accountname> and <targetname>) to identify the account.
displaycheckedoutaccounts Command
Use the displaycheckedoutaccounts command to display a listing of a user's checked-out accounts.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x displaycheckedoutaccounts <options>
The following table describes the options you can use with this command:
Option | Description |
---|---|
[-help] | Optional. Displays usage options for this command. |
modifyaccount Command
Use the modifyaccount command to modify a privileged account.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x modifyaccount <options>
The following table describes the options you can use with this command:
Option | Description |
---|---|
[-accountid <account id>] | Optional. Identify the account to be modified. |
([-accountname <account name>] and [-targetname <target name>]) | Optional. Identify the account to be modified. Note: The (<accountname> and <targetname>) combination forms a unique pair that can be used to identify a specific account. |
-propertyname <propertyname> | Specify the name of the property that you want to modify. Note: To modify an account's Credential Store, you must specify -propertyname keymap [map][key][host:port][user][password]. For example, [map][key][t3:\/\/localhost:7001][weblogic][abc123] |
-propertyvalue <propertyvalue> | Specify the new value for the property. |
[-help] | Optional. Displays usage options for this command. |
Note:
To identify an account, you can use either <accountid> or (<accountname> and <targetname>).
To modify an account's Password Policy, you can use either -propertyname passwordpolicy -propertyvalue <policy name> or -propertyname passwordpolicyid -propertyvalue <policy ID>.
removeaccount Command
Use the removeaccount command to remove a privileged account.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x removeaccount <options>
The following table describes the options you can use with this command:
Option | Description |
---|---|
[-accountid <account id>] | Optional. Identify the account to be removed. |
([-accountname <account name>] and [-targetname <target name>]) | Optional. Identify the account to be removed. Note: The (<accountname> and <targetname>) combination forms a unique pair that can be used to identify a specific account. |
[-help] | Optional. Displays usage options for this command. |
Note:
You use either <accountid> or (<accountname> and <targetname>) to identify the account.
resetpassword Command
Use the resetpassword command to manually reset the password for an account you have checked out. When you execute this command, Oracle Privileged Account Manager returns the account details and prompts you to enter a new password.
Note:
For most users, if the account has already been checked back in, you will get an error.
If you are an administrator with the Security Administrator Admin Role, you can use this command to reset a password for both checked-out and checked-in accounts.
Command Syntax:
[-url <url>] -u <username> [-p <password>] -x resetpassword [-wallet <wallet files directory>] [-wallet password <wallet password>]
The following table describes the options you can use with this command:
Option | Description |
---|---|
[-accountid <account id>] | Optional. Identify the account to be reset. |
([-accountname <account name>] and [-targetname <target name>]) | Optional. Identify the account to be reset. Note: The (<accountname> and <targetname>) combination forms a unique pair that can be used to identify a specific account. |
[-password <account password>] | Optional. Provide a new password for the account. |
[-autogen <true/false>] | Optional. Use to automatically generate a password, according to the account Password Policy. |
[-help] | Optional. Displays usage options for this command. |
Note:
You use either <accountid> or (<accountname> and <targetname>) to identify the account.
If you use <accountid> or (<accountname> and <targetname>), you must also use -password or -autogen.
retrieveaccount Command
Use the retrieveaccount command to get information about a privileged account, such as which target the account is on. This information does not include passwords.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x retrieveaccount <options>
The following table describes the options you can use with this command:
Option | Description |
---|---|
[-accountid <account id>] | Optional. Identify the account to be retrieved. |
([-accountname <account name>] and [-targetname <target name>]) | Optional. Identify the account to be retrieved. Note: The (<accountname> and <targetname>) combination forms a unique pair that can be used to identify a specific account. |
[-targetname <target name>] | Optional. Identify the account to be retrieved. |
[-help] | Optional. Displays usage options for this command. |
Note:
You use either <accountid> or (<accountname> and <targetname>) to identify the account.
searchaccount Command
Use the searchaccount command to search for an account.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x searchaccount <options>
The following table describes the options you can use with this command:
Option | Description |
---|---|
[-targettype <ldap | unix | oracledb>] | Optional. Identify the target type of the accounts to search for. |
[-domain <account domain>] | Optional. Identify the domain of the accounts to search for. |
[-targetname <target name>] | Optional. Identify the target of the accounts to search for. |
[-help] | Optional. Displays usage options for this command. |
Note:
You can use any combination of -targettype, -domain, or -targetname to identify the account. If you do not provide any of these options, the search returns all accounts.
For example, the following search will return all targets:
https://<host name>:<port>/opam/target/search?
Whereas, the following search will return all targets whose type contains ldap and whose org contains us:
https://<host name>:<port>/opam/target/search?type=ldap&org=us
searchcheckouthistory Command
Use the searchcheckouthistory command to search the checkouts for an account that you have checked out previously. When you execute this command, Oracle Privileged Account Manager returns the checkout history.
Note:
You must be an administrator with the Security Administrator Admin Role or the User Manager Admin Role to successfully run this command.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x searchcheckouthistory -accountid <accountid> -fromtime <fromTime> -totime <toTime> <options>
The following table describes the options you can use with this command:
Option | Description |
---|---|
[-accountid <account id>] | Optional. Identify the account to search for. |
[-accountname <account name>] | Optional. Identify the account to search for. |
[-targetname <target name>] | Optional. Provide the name of the target. |
-fromtime <from time> | Specify the time to start searching for checkouts, using one of the following formats: |
-totime <to time> | Specify the time to stop searching for checkouts, using one of the following formats: |
[-uid <user id>] | Identify the user to be searched. |
[-event <event>] | Specify the command executed or a term in the log. |
[-size <size>] | Specify the number of results to be returned. |
[-help] | Optional. Displays usage options for this command. |
showpassword Command
Use the showpassword command to view the password for an account that you have checked out. When you execute this command, Oracle Privileged Account Manager returns the account details and the password.
Note:
If the account has already been checked back in, you will get an error.
You must be an administrator with the Security Administrator Admin Role to successfully run this command.
Command Syntax:
[-url <url>] -u <username> [-p <password>] -x showpassword -accountid <accountid>
The following table describes the options you can use with this command:
Option | Description |
---|---|
[-accountid <account id>] | Optional. Identify the account for which the password is being retrieved. |
([-accountname <account name>] and [-targetname <target name>]) | Optional. Identify the account for which the password is being retrieved. Note: The (<accountname> and <targetname>) combination forms a unique pair that can be used to identify a specific account. |
[-help] | Optional. Displays usage options for this command. |
Note:
You use either <accountid> or (<accountname> and <targetname>) to identify the account.
showpasswordhistory Command
Use the showpasswordhistory command to view the password history for an account that you have checked out, checked in, or whose password you have reset. When you execute this command, Oracle Privileged Account Manager returns the password history.
Note:
You must be an administrator with the Security Administrator Admin Role to successfully run this command.
Command Syntax:
[-url <url>] -u <username> [-p <password>] -x showpasswordhistory -accountid <accountid> <options>
The following table describes the options you can use with this command:
Option | Description |
---|---|
[-accountid <account id>] | Optional. Identify the account to search for. |
[-accountname <account name>] | Optional. Provide the name of the account to search. |
[-targetname <target name>] | Optional. Provide the name of the target to search. |
[-help] | Optional. Displays usage options for this command. |
The following sections contain information about the commands that you use when working with Oracle Privileged Account Manager grantees.
displayallgroups Command
Use the displayallgroups command to display a listing of all groups.
Note:
You must be an administrator with the User Manager Admin Role to successfully run this command.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x displayallgroups <options>
The following table describes the options you can use with this command:
Option | Description |
---|---|
[-help] | Optional. Displays usage options for this command. |
displayallusers Command
Use the displayallusers command to display a listing of all users.
Note:
You must be an administrator with the User Manager Admin Role to successfully run this command.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x displayallusers <options>
The following table describes the options you can use with this command:
Option | Description |
---|---|
[-help] | Optional. Displays usage options for this command. |
grantgroupaccess Command
Use the grantgroupaccess command to give a group access to a privileged account.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x grantgroupaccess <options>
The following table describes the options you can use with this command:
Option | Description |
---|---|
[-accountid <account id>] | Optional. Identify the account to which the group is granted access. |
([-accountname <account name>] and [-targetname <target name>]) | Optional. Identify the account to which the group is granted access. Note: The (<accountname> and <targetname>) combination forms a unique pair that can be used to identify a specific account. |
-groupname <group name> | Identify the group to be given access. |
[-help] | Optional. Displays usage options for this command. |
Note:
You use either <accountid> or (<accountname> and <targetname>) to identify the account.
grantuseraccess Command
Use the grantuseraccess command to give a user access to a privileged account.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x grantuseraccess <options>
The following table describes the options you can use with this command:
Option | Description |
---|---|
[-accountid <account id>] | Optional. Identify the account to which the user is granted access. |
([-accountname <account name>] and [-targetname <target name>]) | Optional. Identify the account to which the user is granted access. Note: The (<accountname> and <targetname>) combination forms a unique pair that can be used to identify a specific account. |
-userid <user id> | Identify the user to be given access. |
[-help] | Optional. Displays usage options for this command. |
Note:
You use either <accountid> or (<accountname> and <targetname>) to identify the account.
removegroupaccess Command
Use the removegroupaccess command to remove a group's access to a privileged account.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x removegroupaccess <options>
The following table describes the options you can use with this command:
Option | Description |
---|---|
[-accountid <account id>] | Optional. Identify the account from which access is being removed. |
([-accountname <account name>] and [-targetname <target name>]) | Optional. Identify the account from which access is being removed. Note: The (<accountname> and <targetname>) combination forms a unique pair that can be used to identify a specific account. |
-groupname <group name> | Identify the group whose access is being removed. |
[-help] | Optional. Displays usage options for this command. |
Note:
You use either <accountid> or (<accountname> and <targetname>) to identify the account.
removeuseraccess Command
Use the removeuseraccess command to remove a user's access to a privileged account.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x removeuseraccess <options>
The following table describes the options you can use with this command:
Option | Description |
---|---|
[-accountid <account id>] | Optional. Identify the account from which access is being removed. |
([-accountname <account name>] and [-targetname <target name>]) | Optional. Identify the account from which access is being removed. Note: The (<accountname> and <targetname>) combination forms a unique pair that can be used to identify a specific account. |
-userid <user id> | Identify the user whose access is being removed. |
[-help] | Optional. Displays usage options for this command. |
Note:
You use either <accountid> or (<accountname> and <targetname>) to identify the account.
retrievegrantees Command
Use the retrievegrantees command to get information about the grantees on a privileged account.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x retrievegrantees <options>
The following table describes the options you can use with this command:
Option | Description |
---|---|
[-accountid <account id>] | Optional. Identify the account whose grantees are to be retrieved. |
([-accountname <account name>] and [-targetname <target name>]) | Optional. Identify the account whose grantees are to be retrieved. Note: The (<accountname> and <targetname>) combination forms a unique pair that can be used to identify a specific account. |
[-help] | Optional. Displays usage options for this command. |
Note:
You use either <accountid> or (<accountname> and <targetname>) to identify the account.
retrievegroup Command
Use the retrievegroup command to get information about a group.
Note:
You must be an administrator with the User Manager Admin Role to successfully run this command.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x retrievegroup <options>
The following table describes the options you can use with this command:
Option | Description |
---|---|
-groupname <group name> | Provide the name of the group to retrieve. |
[-help] | Optional. Displays usage options for this command. |
retrieveuser Command
Use the retrieveuser command to get information about a user.
Note:
You must be an administrator with the User Manager Admin Role or the Security Administrator Admin Role to successfully run this command.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x retrieveuser <options>
The following table describes the options you can use with this command:
Option | Description |
---|---|
-userid <user id> | Identify the user to be retrieved. |
[-help] | Optional. Displays usage options for this command. |
searchgroup Command
Use the searchgroup command to search for a group.
Note:
You must be an administrator with the User Manager Admin Role to successfully run this command.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x searchgroup <options>
The following table describes the options you can use with this command:
Option | Description |
---|---|
[-groupname <group name>] | Optional. Provide the name of the group to search for. |
[-description <description>] | Optional. Provide a description of the group. |
[-accountname <account name>] | Optional. Provide the name of the account to search. |
[-targetname <target name>] | Optional. Provide the name of the target to search. |
[-help] | Optional. Displays usage options for this command. |
searchuser Command
Use the searchuser command to search for a user.
Note:
You must be an administrator with the User Manager Admin Role to successfully run this command.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x searchuser <options>
The following table describes the options you can use with this command:
Option | Description |
---|---|
[-userid <user id>] | Optional. Search for the user by the user ID. |
[-firstname <first name>] | Optional. Provide the user's first name. |
[-lastname <last name>] | Optional. Provide the user's last name. |
[-accountname <account name>] | Optional. Provide the name of the account to search. |
[-targetname <target name>] | Optional. Provide the name of the target to search. |
[-help] | Optional. Displays usage options for this command. |
The following sections describe the commands that you can use to configure and deploy Java plug-ins for Oracle Privileged Account Manager.
addplugin Command
Use the addplugin command to add a plug-in to a resource.
Note:
You must be an administrator with the Application Configurator Admin Role to execute this command.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x addplugin
The following table describes the options you can use with this command:
Note:
Oracle Privileged Account Manager uses some of these options as filtering rules to decide whether to execute the plug-in. In addition, Oracle Privileged Account Manager evaluates these filtering rules in a defined order to decide one rule's precedence over another.
For more information about the filtering rules and about creating plug-in configurations, refer to Section 11.2.8, "Filtering Rules" and Section 11.3, "Creating a Plug-In Configuration," respectively.
Option | Description |
---|---|
-pluginname <plugin name> | Specify a name for the new plug-in. |
-resource <target/account/server> | Identify the resource on which the plug-in will perform. |
-operation <plugin operation> | Specify the operation the plug-in will perform. Note: Refer to Section 11.2.7, "Supported Operations and Timings." |
-timing <pre/post> | Specify the plug-in timing: pre or post. |
-order <plugin order> | Specify the order in which the plug-in is queued for execution; the smaller the number, the closer to the beginning of the queue. (Minimum value is 1.) |
-classname <plugin class name> | Specify the plug-in's class name. |
-classpath <plugin class path> | Specify the path to the plug-in's jar file. |
[-description] <plugin description> | Optional. Provide a description of the plug-in. |
[-status] <active/disabled> | Specify the plug-in execution status: active or disabled. |
[-enableuser] <plugin enabled user> [Multi-Valued] | Optional. Add one or more users to the plug-in's enabled user list. If the logged-in user belongs to the enabled user list, then Oracle Privileged Account Manager executes the plug-in. |
[-disableuser] <plugin disabled user> [Multi-Valued] | Optional. Add one or more users to the plug-in's disabled user list. If the logged-in user belongs to the disabled user list, then Oracle Privileged Account Manager does not execute the plug-in. |
[-enablegroup] <plugin enabled group> [Multi-Valued] | Optional. Add one or more groups to the plug-in's enabled group membership list. If the logged-in user belongs to one of the enabled groups, then Oracle Privileged Account Manager executes the plug-in. |
[-disablegroup] <plugin disabled group> [Multi-Valued] | Optional. Add one or more groups to the plug-in's disabled group membership list. If the logged-in user belongs to one of the disabled groups, then Oracle Privileged Account Manager does not execute the plug-in. |
[-enablehttpresult] <plugin enabled HTTP result> [Multi-Valued] | Optional. Specify the enabled HTTP response. |
[-version] <plugin version> | Optional. Specify the plug-in version. |
[-timeout] <plugin timeout> | Optional. Specify the plug-in timeout. |
[-help] | Optional. Displays usage options for this command. |
Note:
You must specify all multi-valued attributes in this format: value1|value2|...
addplugincustomattr Command
Use the addplugincustomattr command to add a plug-in custom attribute.
Note:
You must be an administrator with the Security Administrator Admin Role or the Application Configurator Admin Role to execute this command.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x addplugincustomattr
The following table describes the options you can use with this command:
Option | Description |
---|---|
-pluginname <plugin name> | Identify the plug-in on which to add the custom attribute. |
-pluginattrname <plugin custom attribute name> | Specify the name of the custom attribute. |
-pluginattrvalue <plugin custom attribute value> | Specify the value of the custom attribute. |
[-help] | Optional. Displays usage options for this command. |
Note:
You must specify all multi-valued attributes in this format: value1|value2|...
removeplugincustomattr Command
Use the removeplugincustomattr command to remove a custom attribute from a plug-in.
Note:
You must be an administrator with the Security Administrator Admin Role or the Application Configurator Admin Role to execute this command.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x removeplugincustomattr
The following table describes the options you can use with this command:
Option | Description |
---|---|
-pluginname <plugin name> | Identify the plug-in from which the custom attribute should be removed. |
-pluginattrname <plugin custom attribute name> | Specify the name of the custom attribute to be removed. |
[-help] | Optional. Displays usage options for this command. |
retrieveplugin Command
Use the retrieveplugin command to get information about a plug-in. This information does not include passwords.
Note:
You must be an administrator with the Security Administrator Admin Role or the Application Configurator Admin Role to execute this command.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x retrieveplugin <options>
The following table describes the options you can use with this command:
Option | Description |
---|---|
-pluginname <plugin name> | Identify the plug-in to retrieve. |
[-help] | Optional. Displays usage options for this command. |
searchplugin Command
Use the searchplugin command to search for a plug-in.
Note:
You must be an administrator with the Security Administrator Admin Role, the User Manager Admin Role, or the Application Configurator Admin Role to execute this command.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x searchplugin <options>
The following table describes the options you can use with this command:
Option | Description |
---|---|
[-pluginname] <plugin name> | Optional. Identify the plug-in to search for. |
[-description] <plugin description> | Optional. Identify the plug-in description to search for. |
[-pluginstatus] <active/disabled> | Optional. Identify the plug-in status to search for. |
[-resource] <target/account/server> | Optional. Identify the plug-in resource to search for. |
[-operation] <plugin operation> | Optional. Identify the plug-in operation to search for. |
[-timing] <pre/post> | Optional. Identify the plug-in timing to search for. |
[-help] | Optional. Displays usage options for this command. |
You can use any combination of -pluginname, -description, -pluginstatus, -resource, -operation or -timing to identify the plug-in. If you do not provide any of these options, then the search returns all plug-ins.
For example, the following search returns all plug-ins:
https://<host name>:<port>/opam/plugin/search?
Whereas, the following search returns all plug-ins whose status is active and timing is pre:
https://<host name>:<port>/opam/plugin/search?pluginstatus=active&timing=pre
modifyplugin Command
Use the modifyplugin command to modify a plug-in.
Note:
You must be an administrator with the Security Administrator Admin Role or the Application Configurator Admin Role to execute this command.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x modifyplugin <options>
The following table describes the options you can use with this command:
Note:
You must specify all multi-valued attributes in this format: value1|value2|...
Option | Description |
---|---|
-pluginname <plugin name> | Identify the plug-in to be modified. |
-propertyname <propertyname> | Specify the name of the property that you want to modify. |
-propertyvalue <propertyvalue> | Specify the new value for the property. |
[-help] | Optional. Displays usage options for this command. |
You can modify a plug-in using the following property names:
Note:
These property names are case-sensitive.
Property Name | Description |
---|---|
pluginStatus <active/disabled> | Modify the plug-in's status. |
pluginDescription | Modify the plug-in description. |
pluginResource <target/account/server> | Modify the resource on which the plug-in will perform. |
pluginOperation | Modify the operation the plug-in performs. |
pluginTiming <pre/post> | Modify the plug-in timing. |
pluginOrder | Modify the plug-in order. |
pluginClassName | Modify the plug-in's class name. |
pluginClassPath [multi-valued] | Modify the plug-in's class path. |
pluginEnableUser [multi-valued] | Modify the plug-in's enabled user list. |
pluginDisableUser [multi-valued] | Modify the plug-in's disabled user list. |
pluginEnableGroup [multi-valued] | Modify the plug-in's enabled group list. |
pluginDisableGroup [multi-valued] | Modify the plug-in's disabled group list. |
pluginEnableHTTPResult [multi-valued] | Modify the plug-in's enabled HTTP response. |
pluginVersion | Modify the plug-in's version. |
pluginTimeout | Modify the plug-in's timeout. |
removeplugin Command
Use the removeplugin command to remove a plug-in.
Note:
You must be an administrator with the Application Configurator Admin Role to execute this command.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x removeplugin <options>
The following table describes the options you can use with this command:
Option | Description |
---|---|
-pluginname <plugin name> | Identify the plug-in to be removed. |
[-help] | Optional. Displays usage options for this command. |
The following sections contain information about the commands that you use when exporting and importing Oracle Privileged Account Manager data.
export
CommandUse the export
command to export data stored in Oracle Privileged Account Manager, such as targets and accounts, to XML format. This option and the "import
Command" are useful for performing the following operations:
Bulk operations, such as querying or loading large volumes of data
Back-up and recovery operations, such as periodically backing up Oracle Privileged Account Manager data to XML
Migration operations, such as exporting data from one Oracle Privileged Account Manager instance and importing it to another instance
Note:
You must be an administrator with the Security Administrator Admin Role to use these commands.
The export command exports all Oracle Privileged Account Manager data, including targets, accounts, policies, and grants.
Note:
Exporting accounts also exports the passwords for those accounts. For added security, you can export the passwords in an encrypted format by using the -encpassword and -enckeylen options.
Be sure to note the encryption password and encryption key length because you must provide that same password for decryption during the import operation.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x export <options>
The following table describes the options you can use with the export command:
Option | Description |
---|---|
-f <export file> |
Specify an export file name. |
[-encpassword <encryption password>] |
Optional. Specify a password to use when encrypting the account passwords to the exported file. |
[-enckeylen <key length for password encryption>] |
Optional. Specify the minimum key length for an encryption or decryption password. (Defaults to |
[-log <log file location>] |
Optional. Specify a file name and location for the log file. (Defaults to |
[-noencrypt <true/false>] |
Optional. Specify whether to provide an encryption password. (Defaults to |
[-help] |
Optional. Displays usage options for this command. |
The XML schema for an export file is located in the following file:
ORACLE_HOME/opam/jlib/OPAMBulkTool.xsd
The following example shows some sample XML definitions of Oracle Privileged Account Manager elements.
Example A-3 Sample XML Definition of Oracle Privileged Account Manager Elements
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<OPAMData xmlns="http://www.example.org/OPAMBulkTool"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://www.example.org/OPAMBulkTool OPAMBulkTool.xsd">
  <usagepolicy>
    <name value="Accounting Usage Policy"/>
    <status value="active"/>
    <description value="My Usage Policy"/>
    <globaldefault value="n"/>
    <dateorduration value="duration"/>
    <expiremin value="30"/>
    <expiredate value="08/08/2088"/>
    <expiretime value="11:30am"/>
    <timezone value="America/Los_Angeles"/>
    <usagedays>
      <day fromtime="12:0am" totime="12:0am" value="monday"/>
      <day fromtime="12:0am" totime="12:0am" value="tuesday"/>
      <day fromtime="12:0am" totime="12:0am" value="wednesday"/>
      <day fromtime="12:0am" totime="12:0am" value="thursday"/>
      <day fromtime="12:0am" totime="12:0am" value="friday"/>
      <day fromtime="12:0am" totime="12:0am" value="saturday"/>
      <day fromtime="12:0am" totime="12:0am" value="sunday"/>
    </usagedays>
  </usagepolicy>
  <passwordpolicy>
    <name value="Accounting Password Policy"/>
    <status value="active"/>
    <description value=""/>
    <globaldefault value="n"/>
    <changepassevery value="30-days"/>
    <changepasscheckout value="y"/>
    <changepasscheckin value="y"/>
    <passwordlength max="20" min="8"/>
    <minalphabets value="1"/>
    <minnumeric value="1"/>
    <minalphanumeric value="2"/>
    <specialchars max="5" min="1"/>
    <repeatedchars max="1" min="0"/>
    <minuniquechars value="1"/>
    <minuppercasechars value="1"/>
    <minlowercasechars value="1"/>
    <startwithchar value="n"/>
    <accountnameaspass value="n"/>
    <passwordhistorydays value="30"/>
  </passwordpolicy>
  <target>
    <type name="database"/>
    <name value="AccountsDB"/>
    <attributes>
      <attributeName name="domain" value="Accounting"/>
      <attributeName name="host" value="localhost"/>
      <attributeName name="jdbcUrl" value="jdbc:oracle:thin:@dbhost:1521:orcl"/>
      <attributeName name="loginUser" value="system"/>
      <attributeName name="loginPassword" value="welcome1"/>
      <attributeName name="dbType" value="Oracle"/>
      <attributeName name="description" value="Accounting Database"/>
      <attributeName name="organization" value="Accounting"/>
      <attributeName name="connectionProperties" value=""/>
    </attributes>
  </target>
  <account>
    <name value="ACCT_DBA"/>
    <target name="AccountsDB"/>
    <description value="Accounts Database"/>
    <passwordpolicy name="Accounting Password Policy"/>
    <grantee>
      <user name="johndoe" usagepolicy="Accounting Usage Policy"/>
      <user name="janedoe" usagepolicy="Default Usage Policy"/>
    </grantee>
    <shared value="false"/>
  </account>
</OPAMData>
filedecryption Command
Use the filedecryption command to decrypt an encrypted Oracle Privileged Account Manager configuration file.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x filedecryption -f <encrypted file> -df <destination file> [-encpassword <decryption password>] <options>
Note:
This operation does not require any server connectivity when the -offline true option is provided.
The following table describes the options you can use with this command:
Option | Description |
---|---|
-f <file with encrypted data> |
Specify the encrypted Oracle Privileged Account Manager configuration file. |
-df <file to write decrypted data> |
Specify where to write the decrypted file. |
[-encpassword <encryption/decryption password>] |
Optional. Specify the password to use when decrypting the data. |
[-enckeylen <Key length for encryption/decryption password>] |
Optional. Specify the minimum key length for an encryption/decryption password. (Defaults to |
[-force <true/false>] |
Optional. Enables or disables the requirement for connection validation. |
[-log <log file location>] |
Optional. Specify a file name and location for the log file. |
[-offline <true/false>] |
Specify whether the command can connect to the Oracle Privileged Account Manager server. |
[-help] |
Optional. Displays usage options for this command. |
For example, use the following command if you do not have server connectivity:
sh opam.sh -x filedecryption -f <encrypted file> -df <destination file> -offline true
import Command
Use the import command to import data to Oracle Privileged Account Manager from an XML file. This command and the "export Command" are useful for performing the following operations:
Bulk operations, such as querying or loading large volumes of data
Back-up and recovery operations, such as periodically backing up Oracle Privileged Account Manager data to XML
Migration operations, such as exporting data from one Oracle Privileged Account Manager instance and importing it to another instance
Note:
You must be an administrator with both the Security Administrator Admin Role and the User Manager Admin Role to use these commands.
If the account status is checked-in, users do not have to provide status when importing data to Oracle Privileged Account Manager.
You can create an import XML file from previously exported data or you can manually create the file. If you previously exported the XML file with an encryption password, then you must provide the same password for decryption during import.
In addition to object creation, you can also use the import command to update and delete objects. Refer to the data modification and data deletion examples later in this section for more information.
Command Syntax:
[-url <url>] -u <username> [-p <password>] [-debug] -x import <options>
The following table describes the options you can use with this command:
Option | Description |
---|---|
-f <import file> |
Specify an import file name. |
[-encpassword <encryption password>] |
Optional. Specify a password to use when decrypting account passwords from the exported file. |
[-enckeylen <key length for password encryption>] |
Optional. Specify the minimum key length for an encryption/decryption password. (Defaults to |
[-force <true/false>] |
Optional. Enables or disables the requirement for connection validation. |
[-log <log file location>] |
Optional. Specify a file name and location for the log file. (Defaults to |
[-noencrypt <true/false>] |
Optional. Specify whether to decrypt the imported file. (Defaults to |
[-help] |
Optional. Displays usage options for this command. |
The XML schema for an import file is located in the following file:
ORACLE_HOME/opam/jlib/OPAMBulkTool.xsd
The following examples show some sample XML definitions of Oracle Privileged Account Manager elements.
Example A-4 Sample XML Definition of Oracle Privileged Account Manager Elements
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<OPAMData xmlns="http://www.example.org/OPAMBulkTool"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://www.example.org/OPAMBulkTool OPAMBulkTool.xsd">
  <usagepolicy>
    <name value="Accounting Usage Policy"/>
    <status value="active"/>
    <description value="My Usage Policy"/>
    <globaldefault value="n"/>
    <dateorduration value="duration"/>
    <expiremin value="30"/>
    <expiredate value="08/08/2088"/>
    <expiretime value="11:30am"/>
    <timezone value="America/Los_Angeles"/>
    <usagedays>
      <day fromtime="12:0am" totime="12:0am" value="monday"/>
      <day fromtime="12:0am" totime="12:0am" value="tuesday"/>
      <day fromtime="12:0am" totime="12:0am" value="wednesday"/>
      <day fromtime="12:0am" totime="12:0am" value="thursday"/>
      <day fromtime="12:0am" totime="12:0am" value="friday"/>
      <day fromtime="12:0am" totime="12:0am" value="saturday"/>
      <day fromtime="12:0am" totime="12:0am" value="sunday"/>
    </usagedays>
  </usagepolicy>
  <passwordpolicy>
    <name value="Accounting Password Policy"/>
    <status value="active"/>
    <description value=""/>
    <globaldefault value="n"/>
    <changepassevery value="30-days"/>
    <changepasscheckout value="y"/>
    <changepasscheckin value="y"/>
    <passwordlength max="20" min="8"/>
    <minalphabets value="1"/>
    <minnumeric value="1"/>
    <minalphanumeric value="2"/>
    <specialchars max="5" min="1"/>
    <repeatedchars max="1" min="0"/>
    <minuniquechars value="1"/>
    <minuppercasechars value="1"/>
    <minlowercasechars value="1"/>
    <startwithchar value="n"/>
    <accountnameaspass value="n"/>
    <passwordhistorydays value="30"/>
  </passwordpolicy>
  <target>
    <type name="database"/>
    <name value="AccountsDB"/>
    <attributes>
      <attributeName name="domain" value="Accounting"/>
      <attributeName name="host" value="localhost"/>
      <attributeName name="jdbcUrl" value="jdbc:oracle:thin:@dbhost:1521:orcl"/>
      <attributeName name="loginUser" value="system"/>
      <attributeName name="loginPassword" value="welcome1"/>
      <attributeName name="dbType" value="Oracle"/>
      <attributeName name="description" value="Accounting Database"/>
      <attributeName name="organization" value="Accounting"/>
      <attributeName name="connectionProperties" value=""/>
    </attributes>
  </target>
  <account>
    <name value="ACCT_DBA"/>
    <target name="AccountsDB"/>
    <description value="Accounts Database"/>
    <passwordpolicy name="Accounting Password Policy"/>
    <grantee>
      <user name="johndoe" usagepolicy="Accounting Usage Policy"/>
      <user name="janedoe" usagepolicy="Default Usage Policy"/>
    </grantee>
    <shared value="false"/>
  </account>
</OPAMData>
Example A-5 Data Modification: Modify An Account Password Policy
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<OPAMData xmlns="http://www.example.org/OPAMBulkTool"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://www.example.org/OPAMBulkTool OPAMBulkTool.xsd">
  <account operation="modify">
    <name value="account2"/>
    <target name="lockbox_target1"/>
    <passwordpolicy name="test-pass-policy"/>
    <shared value="true"/>
  </account>
</OPAMData>
Example A-6 Data Modification: Modify A Password Policy
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<OPAMData xmlns="http://www.example.org/OPAMBulkTool"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://www.example.org/OPAMBulkTool OPAMBulkTool.xsd">
  <passwordpolicy operation="modify">
    <name value="test policy"/>
    <status value="active"/>
    <description value="test"/>
    <globaldefault value="n"/>
    <changepassevery value="45-hours"/>
    <changepasscheckout value="n"/>
    <changepasscheckin value="n"/>
    <passwordlength max="20" min="5"/>
    <minalphabets value="0"/>
    <minnumeric value="0"/>
    <minalphanumeric value="0"/>
    <specialchars max="5" min="0"/>
    <repeatedchars max="10" min="0"/>
    <minuniquechars value="0"/>
    <minuppercasechars value="0"/>
    <minlowercasechars value="0"/>
    <startwithchar value="y"/>
    <requiredchars value="a,b,c,d,e"/>
    <allowedchars value="a,b,c,d,e,f,g,h"/>
    <disallowedchars value="z,-,x"/>
    <accountnameaspass value="y"/>
  </passwordpolicy>
</OPAMData>
Example A-7 Data Deletion: Delete a Target
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<OPAMData xmlns="http://www.example.org/OPAMBulkTool"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://www.example.org/OPAMBulkTool OPAMBulkTool.xsd">
  <target operation="delete">
    <type name="lockbox"/>
    <name value="lockbox_target1"/>
  </target>
</OPAMData>
Example A-8 Data Deletion: Delete an Account
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<OPAMData xmlns="http://www.example.org/OPAMBulkTool"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://www.example.org/OPAMBulkTool OPAMBulkTool.xsd">
  <account operation="delete">
    <name value="account3"/>
    <target name="lockbox_target1"/>
  </account>
  <account operation="delete">
    <name value="account4"/>
    <target name="lockbox_target1"/>
  </account>
</OPAMData>
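Because an export file carries target login passwords in the clear unless -encpassword was used, and an import file can create, modify, or delete objects in bulk, it is worth auditing an OPAMData file before feeding it to the import command. The following Python script is an added example, not part of Oracle's tooling; it relies only on the element names shown in the examples above, and the embedded OPAMData document is a constructed sample.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Namespace used by the OPAMData documents in this appendix.
NS = {"o": "http://www.example.org/OPAMBulkTool"}

# Constructed sample in the OPAMData format (not a real export).
SAMPLE = """<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<OPAMData xmlns="http://www.example.org/OPAMBulkTool">
  <target>
    <type name="database"/>
    <name value="AccountsDB"/>
    <attributes>
      <attributeName name="loginUser" value="system"/>
      <attributeName name="loginPassword" value="welcome1"/>
    </attributes>
  </target>
  <account>
    <name value="ACCT_DBA"/>
    <target name="AccountsDB"/>
    <shared value="false"/>
  </account>
  <account operation="delete">
    <name value="account3"/>
    <target name="lockbox_target1"/>
  </account>
</OPAMData>
"""


def audit_opam_data(xml_text):
    """Summarise what an OPAMData file will do on import and what it exposes."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    # Count top-level objects by element and operation; no operation attribute means create.
    ops = Counter()
    for child in root:
        tag = child.tag.split("}")[-1]  # strip the namespace prefix
        ops[(tag, child.get("operation", "add"))] += 1
    # Targets whose loginPassword attribute holds a non-empty (cleartext) value.
    cleartext = []
    for t in root.findall("o:target", NS):
        name = t.find("o:name", NS).get("value")
        for a in t.findall("o:attributes/o:attributeName", NS):
            if a.get("name") == "loginPassword" and a.get("value"):
                cleartext.append(name)
    # Account targets not defined in this file must already exist on the server.
    defined = {t.find("o:name", NS).get("value") for t in root.findall("o:target", NS)}
    referenced = {a.find("o:target", NS).get("name") for a in root.findall("o:account", NS)}
    return {"operations": dict(ops),
            "cleartext_targets": cleartext,
            "external_targets": sorted(referenced - defined)}


if __name__ == "__main__":
    print(audit_opam_data(SAMPLE))
```

Run it against a real export with `audit_opam_data(open("export.xml").read())`; a non-empty cleartext_targets list is the cue to re-export with -encpassword and -enckeylen or to restrict the file's permissions.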