OPAM – Installation and Configuration

What is OPAM?

Oracle Privileged Account Manager (OPAM) is a secure password management solution designed to generate, provision, and manage access to passwords for privileged accounts like UNIX “root” or Oracle database admin accounts. It enables auditing and establishes accountability for users who normally share privileged account credentials, and has user Session Management and Recording. It leverages the Oracle Platform Security Services (OPSS) framework as a security foundation and Oracle Database as back-end data storage.

While Oracle Privileged Account Manager most commonly manages shared and elevated privileged accounts, OPAM administrators can also use it to manage passwords for any type of account. For example, if the administrator of a certain group is on a leave and you have a business reason for allowing another employee to access the administrator’s system using his/her account, Oracle Privileged Account Manager can manage that privileged account.

What can OPAM do?

  • Associates privileged accounts with targets (Target is a software system that contains, uses, and relies on user, system, or application accounts) and policies with privileged accounts.
  • Grants users and groups, access to privileged accounts and removes that access after a specified time limit.
  • It also provides role-based access to accounts maintained in OPAM accounts.
  • Provides password check out and check in, as well as session checkout to control access to accounts
  • Resets passwords to a random value on check in and check out by default for security purposes.
  • OPAM can be configured to automatically check in privileged accounts after a specified time to protect against multiple open accesses.
  • Manages password resets on configured targets.
  • Performs Create, Read, Update, Delete, and Search (CRUDS) operations on targets, privileged accounts, and policies.
  • Provides an extensible plug-in framework that uses various plug-ins to perform operations such as custom notifications, usage policies, and synchronize passwords.
  • OPAM connects to targets by using Identity Connector Framework (ICF) connectors.
  • Oracle Privileged Account Manager supports database, LDAP, lockbox, and UNIX target types.

Roles in OPAM:

The following are the four Administrator roles in OPAM:

  • Application Configurator (OPAM_APPLICATION_CONFIGURATOR):

Configure Oracle Privileged Account Manager Console and servers, Manage plug-in configurations and Session Manager Configuration properties.

  • Security Administrator (OPAM_SECURITY_ADMIN):

Manage Accounts, targets (add, edit, and remove) and password usage and policies.

  • Security Auditor (OPAM_SECURITY_AUDITOR):

Open and review Oracle Privileged Account Manager reports.View Oracle Privileged Account Manager Audit reports in the Oracle Identity Navigator Reports portlet.

  • User Manager (OPAM_USER_MANAGER):

Assign end users with grants to privileged accounts, Manage Usage Policies. This group can assign Usage Policies to grants and terminate all Oracle Privileged Session Manager sessions for a selected account.

Installation and Configuration – High Level Steps:

Installation Tasks:

1. Schema Creation: Create Schema for OPAM using RCU 11.1.2.x.

2. Install JDK 1.6.29 or higher.

3. Install WebLogic 10.3.6.

4. IAM Suite Installation: Install Identity & Access Management 11gR2 (11.1.2) software under middleware home by running the command:

./runInstaller -jreLoc $JAVA_HOME

5. Weblogic Domain configuration: Run the Oracle Fusion Middleware Configuration Wizard to configure OPAM in a new WebLogic domain.

cd <IAM_Home>/common/bin

Note: During Domain creation select Oracle Privileged Account Manager template. OPAM will be deployed under managed server opam_server1 running on port 18101 and 18102 (non SSL port).

6. Configure Database Security Store for OPAM Domain: We can share the same Database Security Store and use the same domain encryption key from the oim_domain for opam_domain:

  • Export the encryption key from the oim_domain
cd <Middleware_Home>/oracle_common/common/bin

  • Check for the encryption file present in <Middleware_Home> and join the DB Security store to opam_domain by executing the command:
<Middleware_Home> /oracle_common/common/bin/ <IAM_Home>/common/tools/ –d <Middleware_Home>/user_projects/domains/opam_domain -c IAM -p <oim store password> -m join -k <Middleware_Home> -w <keyFilePassword>

  • This will migrate policy & credential store from XML file (and files) to database under OPSS schema.

Note: In 11gR1 you could keep policy store to XML, OID, or in Database. From 11gR2 onwards policy store must be migrated to Database under OPSS Schema.

Configuration Tasks:

1. Start WebLogic Admin Server for OPAM domain.

2. Set the ANT_HOME, ORACLE_HOME and Permgen Size

export ORACLE_HOME=<Middleware_Home>/Oracle_IDM1
export ANT_HOME=<Middleware_Home>/org.apache.ant_1.7.1
export ANT_OPTS="-Xmx512M -XX:MaxPermSize=512m"

 3. Configuring OPAM: Enter relevant details when prompted and restart the Admin server

cd <IAM_Home>/opam/bin

4. OPAM Server:

  • Start the OPAM server:
    cd <Middleware_Home> /user_projects/domains/opam_domain
    ./ opam_server1
  • Check the status by opening a web browser and going to https://<host>:18102/opam and login via Weblogic Admin credentials.
  • Check the OPAM Admin console by browsing to https://<host>:18101/oinav/opam

5. Configure OPAM Identity Store:

  • We can configure any Directory Service as an Identity store. We use the embedded Weblogic LDAP Directory as the Identity store for OPAM.
  • We do not need to create a separate Authentication Provider, instead we can use the DefaultAuthenticator. External Identity store can be used while integrating OPAM with OIM.
  • Create an Admin user in the Weblogic LDAP Directory by browsing to https://<host>:<Admin_port>/console and login using Weblogic Admin credentials.
  • Navigate to Security Realms-> myrealm->Users and Groups->New and create “opam_admin”.

6. Assign OPAM Admin role to user:

  • Log into Oracle Identity Navigator ( https://<host>:18101/oinav ) with Weblogic Admin credentials and go to the Administrator tab.
  • Search for “opam_admin” user and assign the Application Configurator
  • Log into OPAM console ( https://<host>:18101/oinav/opam ) with “opam_admin” credentials and confirm.

7. Manage Targets:

  • Log into OIN with Weblogic Admin credentials and assign the Security Admin role to opadmin user.
  • Log into OPAM console and check for Administrator Tab. Now we can add Targets and Accounts to be managed.