Oracle Privileged Account Manager (OPAM) is a new product introduced in Oracle Identity Management 11gR2 (more on IdM 11gR2 here, here, and here; for new features in IdM 11gR2 click here, here, and here). The OPAM server is part of the Oracle Identity Governance Suite and is topic 13 of the certification Identity Governance Suite 11g Essentials.
OPAM is a password management tool that manages access to the passwords of privileged shared accounts (such as the root user on Unix, an application super user, or a database user with sysdba or dba access). OPAM supports check-out and check-in of passwords and can be configured to change the password automatically on check-in.
This post covers steps to install and configure OPAM.
Note: If you install OIM and OPAM in the same domain you could face an issue finding users in OINAV (Identity Navigator). Check the Release Notes here for more.
High-level steps to install and configure OPAM 11gR2 (11.1.2)
1. Create the schema for OPAM using RCU 11.1.2. More on RCU here
2. Install JDK 1.6.29 (or higher)
4. Install the Identity & Access Management 11gR2 (11.1.2) software under the middleware home (created during WebLogic installation) using runInstaller -jreLoc [jdk_location]
Note: During domain creation select the Oracle Privileged Account Manager template
Note: OPAM will be deployed under the managed server opam_server1 running on ports 18101 and 18102 (non-SSL port)
6. Configure the Database Security Store for the OPAM domain using ORACLE_COMMON_HOME/common/bin/wlst.sh $ORACLE_HOME/common/tools/configureSecurityStore.py -d $DOMAIN_HOME -c IDM -m create -p opss_schema_password
This step migrates the policy and credential store from file-based XML stores to the database under the OPSS schema.
Note: In 11gR1 you could keep the policy store in XML, OID, or a database. From 11gR2 onwards the policy store must be migrated to the database under the OPSS schema.
7. Start the WebLogic Admin Server for the OPAM domain. More on WebLogic Admin Server startup here
8. Configure OPAM by running $ORACLE_HOME/opam/bin/opam-config.sh. More here
9. Assign the Application Configurator role to a user from OINAV (this user will be used to configure the OPAM server in the OPAM web console): http://<adminserver-host>:<adminserver-port>/oinav . Steps here
If you don't see any users in OINAV, check the Admin Server log file; if you see errors like the one below, check the Release Notes.
Error message in the logs when OIM and OPAM/OIN are in the same domain:
<Jan 2, 2013 9:35:51 PM UTC> <Error> <com.oracle.ovd.arisid.IdentityStoreConfig> <BEA-000000> <Failed to get IdentityStore properties from OPSS – org.openliberty.arisid.IGFException>
10. Start the OPAM Managed Server and ensure that it is running
11. Configure the OPAM console and update the OPAM server details at http://<adminserver-host>:<adminserver-port>/oinav/opam
a) Ensure that the OPAM managed server is running
b) Ensure the SSL certificate is valid, or disable host name verification on the Admin and OPAM servers (otherwise warnings like the one below appear)
<Jan 3, 2013 11:35:33 PM UTC> <Warning> <Security> <BEA-090482> <BAD_CERTIFICATE alert was received from innowave21.focusthread.com – 188.8.131.52. Check the peer to determine why it rejected the certificate chain (trusted CA configuration, hostname verification). SSL debug tracing may be required to determine the exact reason the certificate was rejected.>
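As an added example (not from the original post), a small Python check that scans WebLogic Admin Server log records for the two symptoms described above and maps each to the remediation this post gives. The sample records are constructed for the example, modelled on the quoted error and warning lines.

```python
import re

# WebLogic server log record shape: <timestamp> <severity> <subsystem> <BEA-code> <message>
LOG_RE = re.compile(
    r"^<(?P<ts>[^>]*)> <(?P<sev>[^>]*)> <(?P<sub>[^>]*)> <(?P<code>BEA-\d+)> <(?P<msg>.*)>$"
)

# Symptoms from this post, keyed by (message code, substring that must appear in the message)
SYMPTOMS = {
    ("BEA-000000", "Failed to get IdentityStore properties from OPSS"):
        "OINAV shows no users: OIM and OPAM/OIN share a domain, check the Release Notes",
    ("BEA-090482", "BAD_CERTIFICATE"):
        "OPAM console cannot reach the OPAM server: fix the SSL certificate or "
        "disable host name verification on the Admin and OPAM servers",
}

# Constructed sample log: a normal Notice, the OINAV error, a stack-trace
# continuation line, and the certificate warning (hostname/IP are placeholders).
SAMPLE_LOG = [
    "<Jan 2, 2013 9:35:50 PM UTC> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING>",
    "<Jan 2, 2013 9:35:51 PM UTC> <Error> <com.oracle.ovd.arisid.IdentityStoreConfig> <BEA-000000> "
    "<Failed to get IdentityStore properties from OPSS - org.openliberty.arisid.IGFException>",
    "        at org.openliberty.arisid.stack.ldap.LDAPIdentityStore.init(Unknown Source)",
    "<Jan 3, 2013 11:35:33 PM UTC> <Warning> <Security> <BEA-090482> <BAD_CERTIFICATE alert was received "
    "from opam-host.example.com - 192.0.2.10. Check the peer to determine why it rejected the certificate chain "
    "(trusted CA configuration, hostname verification).>",
]


def parse_record(line):
    """Parse one log record; continuation lines (stack traces) return None."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def check_admin_log(lines):
    """Return (code, remediation) for every record that matches a known symptom."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        for (code, needle), remedy in SYMPTOMS.items():
            if rec["code"] == code and needle in rec["msg"]:
                findings.append((code, remedy))
    return findings


if __name__ == "__main__":
    for code, remedy in check_admin_log(SAMPLE_LOG):
        print(f"{code}: {remedy}")
```

Point the function at the real AdminServer.log lines (for example with open(...).readlines()) after steps 9 and 11 to confirm neither symptom is present.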