Oracle Privileged Account Manager (OPAM) Installation and Configuration

Oracle Privileged Account Manager (OPAM) is a new product introduced in Oracle Identity Management 11gR2 (more on IdM 11gR2 here, here, and here; for new features in IdM 11gR2 click here, here, and here). The OPAM server is part of the Oracle Identity Governance Suite and is topic 13 of the certification Identity Governance Suite 11g Essentials.

OPAM is a password management tool that manages access to the passwords of privileged shared accounts (such as the root user on Unix, an application super user, or a database user with sysdba or dba access). OPAM supports check-out and check-in of passwords and can be configured to change the password automatically on check-in.

This post covers steps to install and configure OPAM.

Note: If you install OIM and OPAM in the same domain you may face an issue finding users in OINAV (Identity Navigator). Check the Release Notes here for more.

High Level Steps to Install and Configure OPAM 11gR2 (11.1.2)

1. Create the schema for OPAM using RCU 11.1.2. More on RCU here.

2. Install JDK 1.6.29 (or higher)

3. Install WebLogic 10.3.6. More on WebLogic installation here and here.

4. Install the Identity & Access Management 11gR2 (11.1.2) software under the middleware home (created during WebLogic installation) using runInstaller -jreLoc [jdk_location]

5. Create a WebLogic Domain by running $MW_HOME/oracle_common/common/bin/config.sh. More on WebLogic Domains here and here.

Note: During domain creation select the Oracle Privileged Account Manager template.

Note: OPAM will be deployed under the managed server opam_server1, running on ports 18101 and 18102 (non-SSL port).

6. Configure the Database Security Store for the OPAM domain by running $ORACLE_COMMON_HOME/common/bin/wlst.sh $ORACLE_HOME/common/tools/configureSecurityStore.py -d $DOMAIN_HOME -c IDM -m create -p opss_schema_password

More here

This step migrates the policy and credential stores from XML files to the database, under the OPSS schema.

Note: In 11gR1 you could keep the policy store in XML, OID, or the database. From 11gR2 onwards the policy store must be migrated to the database under the OPSS schema.

7. Start the WebLogic Admin Server for the OPAM domain. More on WebLogic Admin Server startup here.

8. Configure OPAM by running $ORACLE_HOME/opam/bin/opam-config.sh. More here.

9. Assign the Application Configurator role to a user from OINAV at http://<adminserver-host>:<adminserver-port>/oinav (this user will be used to configure the OPAM server in the OPAM web console). Steps here.

If you don't see any users in OINAV, check the Admin Server log file; if you see errors like the ones below, check the Release Notes.

Error message in the logs when OIM and OPAM/OIN are in the same domain:

_____

<Jan 2, 2013 9:35:51 PM UTC> <Error> <com.oracle.ovd.arisid.IdentityStoreConfig> <BEA-000000> <Failed to get IdentityStore properties from OPSS – org.openliberty.arisid.IGFException>
java.lang.NullPointerException
at com.oracle.ovd.arisid.ArisIdStackProvider.doFind(ArisIdStackProvider.java:153)
_____

10. Start the OPAM Managed Server and ensure that it is running.

11. Configure the OPAM console and update the OPAM server details at http://<adminserver-host>:<adminserver-port>/oinav/opam

Note: If you see an invalid connection error during OPAM server configuration, check the Admin Server logs and:

a) Ensure that the OPAM managed server is running
b) Ensure that the SSL certificate is valid, or disable host name verification on the Admin and OPAM servers

<Jan 3, 2013 11:35:33 PM UTC> <Warning> <Security> <BEA-090482> <BAD_CERTIFICATE alert was received from innowave21.focusthread.com – 81.142.109.132. Check the peer to determine why it rejected the certificate chain (trusted CA configuration, hostname verification). SSL debug tracing may be required to determine the exact reason the certificate was rejected.>
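As an added example (not code from the original post), the following Python script parses WebLogic Admin Server log lines into their fields and flags the two failure signatures this post tells you to look for: the IGFException when OIM and OPAM share a domain, and the BAD_CERTIFICATE alert during OPAM server configuration. The sample log lines are constructed, with a placeholder hostname and IP; point triage() at the lines of your own Admin Server log file.

```python
import re

# A WebLogic log entry: <timestamp> <severity> <subsystem> <BEA-id> <message>.
# The message may itself contain '>', so it is taken greedily up to the final '>'.
LOG_RE = re.compile(
    r"^<(?P<ts>[^>]+)> <(?P<severity>[^>]+)> <(?P<subsystem>[^>]+)> "
    r"<(?P<bea>BEA-\d+)> <(?P<msg>.*)>$"
)

# The two failure signatures the post says to look for in the Admin Server log.
SIGNATURES = [
    ("OIM_OPAM_SAME_DOMAIN",
     "IGFException reading IdentityStore from OPSS: see the 11gR2 Release Notes.",
     lambda e: e["bea"] == "BEA-000000" and "IdentityStoreConfig" in e["subsystem"]
               and "IGFException" in e["msg"]),
    ("OPAM_SSL_BAD_CERTIFICATE",
     "Check opam_server1 is up; fix the certificate or disable host name verification.",
     lambda e: e["bea"] == "BEA-090482" and "BAD_CERTIFICATE" in e["msg"]),
]

def parse_entry(line):
    """Split one WebLogic log line into its angle-bracket fields, or return None."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(lines):
    """Return one finding per log entry that matches a known OPAM failure signature."""
    findings = []
    for line in lines:
        entry = parse_entry(line)
        if entry is None:  # stack-trace lines, separators and blank lines are skipped
            continue
        for name, advice, matches in SIGNATURES:
            if matches(entry):
                findings.append({"signature": name, "bea": entry["bea"],
                                 "timestamp": entry["ts"], "advice": advice})
    return findings

# Constructed sample excerpt; the hostname and IP are placeholders, not real values.
SAMPLE_LOG = """\
<Jan 2, 2013 9:35:51 PM UTC> <Error> <com.oracle.ovd.arisid.IdentityStoreConfig> <BEA-000000> <Failed to get IdentityStore properties from OPSS - org.openliberty.arisid.IGFException>
java.lang.NullPointerException
at com.oracle.ovd.arisid.ArisIdStackProvider.doFind(ArisIdStackProvider.java:153)
<Jan 3, 2013 11:35:33 PM UTC> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING>
<Jan 3, 2013 11:35:33 PM UTC> <Warning> <Security> <BEA-090482> <BAD_CERTIFICATE alert was received from opamhost.example.com - 192.0.2.10. Check the peer to determine why it rejected the certificate chain (trusted CA configuration, hostname verification).>
""".splitlines()
```

Running triage(SAMPLE_LOG) returns two findings, one per signature, while the RUNNING notice and the stack-trace lines are ignored.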

This completes the OPAM installation and configuration.

About the Author Atul Kumar

Oracle ACE, author, speaker and founder of K21 Technologies & K21 Academy, specialising in design, implementation and training.

8 comments
» Certification : Oracle Identity Governance Suite 11g Essentials Exam (1Z1-459) Online Apps DBA: One Stop Shop for Apps DBA’s says January 11, 2013

[…] Connectors 11. Events Handlers, Notifications, Reports, Scheduled tasks 12. Identity Analytics 13. Privilege Account Management 14. […]

andre says April 22, 2013

When I run configureSecurityStore.py as part of the OIM 11.1.2.1 install I get an SQLIntegrityConstraintViolationException: ORA-1: unique constraint (DEV_OPSS.IDX_JPS_RDN_PDN
This is recorded in Oracle Support under the following bug numbers:
UNIQUE CONSTRAINT VIOLATION DURING DATABASE SECURITY STORE CREATION[Bug ID 16687761]
CONFIGURE DATABASE SECURITY STORE (CONFIGURESECURITYSTORE.PY) SCRIPT IS FAILING[Bug ID 16690836]
UPGRADE ERROR WHEN RUNNING THE CONFIGURESECURITYSTORE.PY SCRIPT TO CONFIGURE POL[Bug ID 16076126]

did you run into this and did you find a workaround?

greetz, Andre

vishal says June 15, 2013

Hi

I have created a user in WebLogic with which I am able to log in to the OPAM console.

I have added an Active Directory as a target and am able to add 1 service account. Now, when I try to grant this account to the user I created in WebLogic, I am not able to find this user in the search results.

sahana says September 15, 2013

Hi,

I am taking this exam very shortly .. Does anyone have any dumps for the same? or something that is going to help me clear the exam.

Thanks and Regards,
Sahana

John says October 31, 2013

I have installed OPAM. I have also added an AD authenticator and I am able to see AD users as well as grant them accounts. My problem is that when a user logs in, he is not able to see the accounts I have granted him. What could be the issue here? Please help.

Piyush says January 14, 2014

OPAM is used for providing passwords for privileged accounts at run time to the users.

My requirement is: can OPAM let applications use its password vault to connect to privileged accounts?

Ex. WebLogic is connected to a data source using a privileged account. Can WebLogic be configured with OPAM in such a way that WebLogic has to use the OPAM password vault to connect to the data source every time?

Arvind says March 27, 2015

Hi,
I have configured OPAM. But when I hit the hostname:port/oinav/ URL it goes into a loop and keeps on loading.. any idea?

yashwanth says February 12, 2017

I installed OIM and OPAM in a single domain. I am able to log in to the OPAM console but I didn't get a certificate with the OPAM server URL. And is OIM-OPAM integration still required if we install in a single domain?? Please suggest, it's urgent.
