Oracle Privileged Account Manager (OPAM) Installation and Configuration


Oracle Privileged Account Manager (OPAM) is a new product introduced in Oracle Identity Management 11gR2 (more on IdM 11gR2 here, here, and here; for new features in IdM 11gR2 click here, here, and here). The OPAM server is part of Oracle Identity Governance Suite and is topic 13 of the certification Identity Governance Suite 11g Essentials.

OPAM is a password management tool that manages access to passwords for privileged shared accounts (such as the root user on Unix, an application superuser, or a database user with sysdba or dba access). OPAM supports check-out and check-in of passwords and can be configured to automatically change the password on check-in.


This post covers steps to install and configure OPAM.

Note: If you install OIM and OPAM in the same domain, you could face an issue finding users in OINAV (Identity Navigator). Check the Release Notes for more details here


High-Level Steps to Install and Configure OPAM 11gR2 (11.1.2)

1. Create the schema for OPAM using RCU 11.1.2. More on RCU here



2. Install JDK 1.6.29 (or higher)

3. Install WebLogic 10.3.6, more on WebLogic installation here and here

4. Install the Identity & Access Management 11gR2 (11.1.2) software under the middleware home (created during WebLogic installation) using runInstaller -jreLoc [jdk_location]

5. Create the WebLogic Domain by running $MW_HOME/oracle_common/common/bin/ (more on WebLogic Domain here and here)

Note: During domain creation, select the Oracle Privileged Account Manager template.

Note: OPAM will be deployed under the managed server opam_server1, running on ports 18101 and 18102 (non-SSL port)

6. Configure the Database Security Store for the OPAM domain using ORACLE_COMMON_HOME/common/bin/ $ORACLE_HOME/common/tools/ -d $DOMAIN_HOME -c IDM -m create -p opss_schema_password

More here

This step migrates the policy and credential store from XML file (and files) to the database under the OPSS schema.

Note: In 11gR1 you could keep the policy store in XML, in OID, or in the database. From 11gR2 onwards the policy store must be migrated to the database under the OPSS schema.

7. Start WebLogic Admin Server for OPAM domain. More on WebLogic Admin Server startup here

8. Configure OPAM by running $ORACLE_HOME/opam/bin/ More here

9. Assign the Application Configurator role to a user from OINAV (this user will be used to configure the OPAM server in the OPAM web console): http://<adminserver-host>:<adminserver-port>/oinav     Steps here

If you don't see any users in OINAV, check the Admin Server log file; if you see errors like the one below, check the Release Notes.

Error message in logs when OIM and OPAM/OIN are in the same domain:


<Jan 2, 2013 9:35:51 PM UTC> <Error> <> <BEA-000000> <Failed to get IdentityStore properties from OPSS – org.openliberty.arisid.IGFException>


10. Start OPAM Managed Server and ensure that it is running

11. Configure the OPAM console and update the OPAM server details: http://<adminserver-host>:<adminserver-port>/oinav/opam

Note: If you see an invalid connection error during OPAM server configuration, check the Admin Server logs and ensure that:

a) The OPAM managed server is running
b) The SSL certificate is valid, or host name verification is disabled in the Admin and OPAM servers

<Jan 3, 2013 11:35:33 PM UTC> <Warning> <Security> <BEA-090482> <BAD_CERTIFICATE alert was received from – Check the peer to determine why it rejected the certificate chain (trusted CA configuration, hostname verification). SSL debug tracing may be required to determine the exact reason the certificate was rejected.>
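To triage the two Admin Server errors quoted in steps 9 and 11, the following Python script (an added example, not part of the original post or of any Oracle tooling) parses the console log format shown above and maps each known message to the step it relates to. The sample log lines, including `placeholder-host`, are constructed, and the function names are illustrative.

```python
import re

# Console format of the quoted lines: <timestamp> <severity> <subsystem> <message-id> <message>
START = re.compile(r"^<[^>]+> <\w+> <[^>]*> <BEA-\d+> <")
RECORD = re.compile(r"^<([^>]+)> <(\w+)> <([^>]*)> <(BEA-\d+)> <(.*)>\s*$", re.S)

# (message id, text to find, hint). The hints restate the post's own advice.
RULES = [
    ("BEA-090482", "BAD_CERTIFICATE",
     "step 11: confirm the OPAM managed server is running and its SSL certificate is valid"),
    ("BEA-000000", "Failed to get IdentityStore properties from OPSS",
     "step 9: OIM and OPAM/OINAV share a domain, see the Release Notes"),
]

def records(lines):
    """Group physical lines into records; continuation lines join the record above."""
    current = []
    for line in lines:
        if START.match(line) and current:
            yield "\n".join(current)
            current = []
        if START.match(line) or current:
            current.append(line.rstrip("\n"))
    if current:
        yield "\n".join(current)

def triage(lines):
    """Return (timestamp, severity, message id, hint) for each known failure."""
    findings = []
    for text in records(lines):
        m = RECORD.match(text)
        if not m:
            continue
        timestamp, severity, _subsystem, msg_id, message = m.groups()
        for rule_id, needle, hint in RULES:
            if msg_id == rule_id and needle in message:
                findings.append((timestamp, severity, msg_id, hint))
    return findings

# Constructed sample in the format of the log lines quoted in the post.
SAMPLE = """\
<Jan 2, 2013 9:35:50 PM UTC> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING>
<Jan 2, 2013 9:35:51 PM UTC> <Error> <> <BEA-000000> <Failed to get IdentityStore properties from OPSS
org.openliberty.arisid.IGFException>
<Jan 3, 2013 11:35:33 PM UTC> <Warning> <Security> <BEA-090482> <BAD_CERTIFICATE alert was received from placeholder-host. Check the peer to determine why it rejected the certificate chain.>
""".splitlines()

if __name__ == "__main__":
    print("\n".join(" | ".join(f) for f in triage(SAMPLE)))
```

To use it on a real log, pass the open Admin Server log file to `triage()` in place of `SAMPLE`.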

This completes the OPAM installation and configuration.



About the Author Atul Kumar

Oracle ACE, Author, Speaker and Founder of K21 Technologies & K21 Academy : Specialising in Design, Implement, and Trainings.


Leave a Comment:


andre says April 22, 2013

When I run as part of OIM install I get an SQLIntegrityConstraintViolationException: ORA-1: unique constraint (DEV_OPSS.IDX_JPS_RDN_PDN
This is recorded in oracle support under following bugnrs:

Did you run into this and did you find a workaround?

greetz, Andre

vishal says June 15, 2013


I have created a user in WebLogic with which I am able to log in to the OPAM console.

I have added an Active Directory as a target and am able to add 1 service account. Now when I am trying to grant this account to the user which I have created in WebLogic, I am not able to find this user in the search results.

sahana says September 15, 2013


I am taking this exam very shortly. Does anyone have any dumps for the same, or something that is going to help me clear the exam?

Thanks and Regards,

John says October 31, 2013

I have installed OPAM. I have also added an AD authenticator and I am able to see AD users as well as grant them accounts. My problem is that when a user logs in, he is not able to see the accounts I have granted him. What could be the issue here? Please help.

Piyush says January 14, 2014

OPAM is used for providing passwords for privileged accounts at run time to the users.

My requirement is: can OPAM let applications use its password vault to connect to privileged accounts?

Ex. WebLogic is connected to a data source using a privileged account. Can WebLogic be configured with OPAM in such a way that WebLogic has to use OPAM as the password vault to connect to the data source every time?

Arvind says March 27, 2015

I have configured OPAM. But when I hit the hostname:port/oinav/ URL it goes into a loop and keeps on loading. Any idea?

yashwanth says February 12, 2017

I installed OIM and OPAM in a single domain. I am able to log in to the OPAM console but I didn't get the certificate with the OPAM server URL. And is OIM-OPAM integration still required if we install in a single domain? Please suggest, it's urgent.
