  • Oracle Privileged Account Manager (OPAM) Installation and Configuration

    Posted by "" in "OPAM" on 2013-01-05

     

    Oracle Privileged Account Manager (OPAM) is a new product introduced in Oracle Identity Management 11gR2 (more on IdM 11gR2 here, here, and here; for new features in IdM 11gR2 click here, here, and here). The OPAM server is part of Oracle Identity Governance Suite and is topic 13 of the Identity Governance Suite 11g Essentials certification.

    OPAM is a password management tool that manages access to passwords for privileged shared accounts (such as the root user on Unix, an application super user, or a database user with sysdba or dba access). OPAM supports check-out and check-in of passwords and can be configured to automatically change the password on check-in.

     

    This post covers steps to install and configure OPAM.

    Note: If you install OIM and OPAM in the same domain, you could face an issue finding users in OINAV (Identity Navigator). Check more in the Release Notes here

     

    High-level steps to install and configure OPAM 11gR2 (11.1.2)

    1. Create the schema for OPAM using RCU 11.1.2. More on RCU here

     

     

    2. Install JDK 1.6.29 (or higher)

    3. Install WebLogic 10.3.6, more on WebLogic installation here and here

    4. Install Identity & Access Management 11gR2 (11.1.2) software under middleware home (created during WebLogic installation) using runInstaller -jreLoc [jdk_location]

    5. Create WebLogic Domain by running $MW_HOME/oracle_common/common/bin/config.sh. More on WebLogic Domain here and here

    Note: During Domain creation select Oracle Privileged Account Manager template 

     

    Note: OPAM will be deployed under managed server opam_server1 running on port 18101 and 18102 (non SSL port)

    6. Configure Database Security Store for OPAM Domain using $ORACLE_COMMON_HOME/common/bin/wlst.sh $ORACLE_HOME/common/tools/configureSecurityStore.py -d $DOMAIN_HOME -c IDM -m create -p opss_schema_password

    More here

    This step migrates the policy and credential stores from the XML file (and other files) to the database under the OPSS schema.

    Note: In 11gR1 you could keep the policy store in XML, in OID, or in a database. From 11gR2 onwards the policy store must be migrated to a database under the OPSS schema.

    7. Start WebLogic Admin Server for OPAM domain. More on WebLogic Admin Server startup here

    8. Configure OPAM by running $ORACLE_HOME/opam/bin/opam-config.sh More here

    9. Assign the Application Configurator role to a user from OINAV (this user will be used to configure the OPAM server in the OPAM web console): http://<adminserver-host>:<adminserver-port>/oinav Steps here

     

     

     

    If you don’t see any users in OINAV, check the Admin Server log file. If it contains errors like the one below, check the Release Notes.

    Error message in logs when OIM and OPAM/OIN are in same domain

    _____

    <Jan 2, 2013 9:35:51 PM UTC> <Error> <com.oracle.ovd.arisid.IdentityStoreConfig> <BEA-000000> <Failed to get IdentityStore properties from OPSS – org.openliberty.arisid.IGFException>
    java.lang.NullPointerException
    at com.oracle.ovd.arisid.ArisIdStackProvider.doFind(ArisIdStackProvider.java:153)
    _____

     

    10. Start OPAM Managed Server and ensure that it is running

    11. Configure OPAM console and update OPAM server details  http://<adminserver-host>:<adminserver-port>/oinav/opam

    Note: If you see an invalid connection error during OPAM server configuration, check the Admin Server logs and:

    a) Ensure that the OPAM managed server is running
    b) Ensure that the SSL certificate is valid, or disable host name verification in the Admin and OPAM servers

    <Jan 3, 2013 11:35:33 PM UTC> <Warning> <Security> <BEA-090482> <BAD_CERTIFICATE alert was received from innowave21.focusthread.com – 81.142.109.132. Check the peer to determine why it rejected the certificate chain (trusted CA configuration, hostname verification). SSL debug tracing may be required to determine the exact reason the certificate was rejected.>
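The two Admin Server log excerpts quoted in steps 9 and 11 can be picked out of a log file automatically. The following is an added example, not part of the original post or of Oracle's tooling: a small Python parser for WebLogic-style records (timestamp, severity, subsystem, message id, message) that flags both signatures. The function names are hypothetical, and the sample log is constructed from the lines quoted above, with the second message shortened.

```python
import re

# Added example (not Oracle tooling). Sample constructed from the two Admin
# Server records quoted in this post; the second message is shortened.
SAMPLE_LOG = """\
<Jan 2, 2013 9:35:51 PM UTC> <Error> <com.oracle.ovd.arisid.IdentityStoreConfig> <BEA-000000> <Failed to get IdentityStore properties from OPSS - org.openliberty.arisid.IGFException>
java.lang.NullPointerException
at com.oracle.ovd.arisid.ArisIdStackProvider.doFind(ArisIdStackProvider.java:153)
<Jan 3, 2013 11:35:33 PM UTC> <Warning> <Security> <BEA-090482> <BAD_CERTIFICATE alert was received from innowave21.focusthread.com - 81.142.109.132. Check the peer to determine why it rejected the certificate chain (trusted CA configuration, hostname verification).>
"""

# <timestamp> <severity> <subsystem> <message id> <message text>
RECORD = re.compile(r"^<([^>]*)> <([^>]*)> <([^>]*)> <(BEA-\d+)> <(.*?)>?\s*$")
# Peer host and IPv4 address; the separator between them may be '-' or a dash.
PEER = re.compile(r"alert was received from (\S+) \S+ (\d{1,3}(?:\.\d{1,3}){3})")


def parse_records(text):
    """Split log text into records; lines not opening a record are stack trace."""
    records = []
    for line in (raw.strip() for raw in text.splitlines()):
        m = RECORD.match(line)
        if m:
            keys = ("time", "severity", "subsystem", "id", "message")
            records.append(dict(zip(keys, m.groups()), trace=[]))
        elif line and records:
            records[-1]["trace"].append(line)
    return records


def triage(records):
    """Flag the two failure signatures from this post with the check it gives."""
    findings = []
    for r in records:
        if r["id"] == "BEA-090482" and "BAD_CERTIFICATE" in r["message"]:
            peer = PEER.search(r["message"])
            host, ip = peer.groups() if peer else (None, None)
            findings.append({"issue": "ssl_bad_certificate", "peer_host": host,
                             "peer_ip": ip, "time": r["time"],
                             "check": "OPAM managed server up; certificate and host name"})
        elif (r["subsystem"].endswith("IdentityStoreConfig")
              and "IdentityStore properties" in r["message"]):
            findings.append({"issue": "oinav_identity_store", "time": r["time"],
                             "check": "OIM and OPAM in same domain; see Release Notes"})
    return findings


if __name__ == "__main__":
    for finding in triage(parse_records(SAMPLE_LOG)):
        print(finding)
```

Disabling host name verification stops WebLogic from checking that the certificate matches the peer's host name, so correcting the certificate or trust store is the tighter of the two options in b).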

    This completes OPAM installation and configuration


    6 Responses to “Oracle Privileged Account Manager (OPAM) Installation and Configuration”

    1. […] Connectors 11. Events Handlers, Notifications, Reports, Scheduled tasks 12. Identity Analytics 13. Privilege Account Management 14. […]

    2. andre says:

      When I run configureSecurityStore.py as part of OIM 11.1.2.1 install I get an SQLIntegrityConstraintViolationException: ORA-1: unique constraint (DEV_OPSS.IDX_JPS_RDN_PDN
      This is recorded in Oracle Support under the following bug numbers:
      UNIQUE CONSTRAINT VIOLATION DURING DATABASE SECURITY STORE CREATION[Bug ID 16687761]
      CONFIGURE DATABASE SECURITY STORE (CONFIGURESECURITYSTORE.PY) SCRIPT IS FAILING[Bug ID 16690836]
      UPGRADE ERROR WHEN RUNNING THE CONFIGURESECURITYSTORE.PY SCRIPT TO CONFIGURE POL[Bug ID 16076126]

      Did you run into this and did you find a workaround?

      greetz, Andre

    3. vishal says:

      Hi

      I have created a user in WebLogic with which I am able to log in to the OPAM console.

      I have added an Active Directory as a target and am able to add 1 service account. Now when I am trying to grant this account to the user which I have created in WebLogic, I am not able to find this user in the search results.

    4. sahana says:

      Hi,

      I am taking this exam very shortly .. Does anyone have any dumps for the same? or something that is going to help me clear the exam.

      Thanks and Regards,
      Sahana

    5. John says:

      I have installed OPAM. I have also added an AD authenticator and I am able to see AD users as well as grant them accounts. My problem is that when a user logs in, he is not able to see the accounts I have granted him. What could be the issue here? Please help.

    6. Piyush says:

      OPAM is used for providing passwords for privileged accounts at run time to the users.

      My requirement is: can OPAM let applications use its password vault to connect to privileged accounts?

      Ex.: WebLogic is connected to a data source using a privileged account. Can WebLogic be configured with OPAM in such a way that WebLogic has to use OPAM as the password vault to connect to the data source every time?
