15.6 Enabling Password Checkout for Microsoft SQL Server database monitoring

The password checkout feature can be used for Microsoft SQL Server databases. To use this feature, you must install the following on the agent that has the primary dbaudit module:

  • ODBC (Open Database Connectivity) package

  • Supporting drivers such as Microsoft SQL Driver or Free TDS Driver

This feature is currently only supported on Linux.

To enable password checkout, perform the following:

  1. Install the unixODBC rpm package.

  2. Create the symbolic links for the ODBC libraries in /lib64 or in /usr/lib64 as explained below.

    1. Create a link libodbc.so for libodbc.so.x.x.x

    2. Create a link libodbcinst.so for libodbcinst.so.x.x.x

  3. On the home page of the Privileged Account Manager administration console, click Hosts. On the middle pane, select the Privileged Account Manager host. On the right pane, click Packages. Select the dbaudit package. On the left pane, click Settings. In the ODBC Library Path field, specify the path where the symbolic links are created.

  4. Install the Microsoft SQL Driver or Free TDS Driver. Configure the Microsoft SQL Driver or Free TDS Driver in ODBC by using the odbcinst.ini file.

    NOTE:

    1. Microsoft SQL Driver is supported only on Linux 64-bit.

    2. Free TDS Driver is supported on Linux 32-bit and 64-bit.

  5. In the odbc.ini file, configure a Data Source Name (DSN) for the Microsoft SQL Server for which password checkout needs to be enabled.

    1. Configure the DSN in the Enterprise Credential Vault.

    2. Configure the path of odbc.ini in the Enterprise Credential Vault.

  6. On the home page of the Privileged Account Manager administration console, click Hosts. On the middle pane, select the Privileged Account Manager host. On the right pane, click Packages. Select the dbaudit package.

  7. On the left pane, click Settings.

  8. In the ODBC Library Path field, specify the path where Microsoft SQL database is installed. By default, the path is /usr/lib64.

  9. Create a privileged account for the database server:

    1. On the home page of the console, click Enterprise Credential Vault.

    2. Click Credential Vaults in the left pane and click Add Account Domain.

    3. Specify the following information:

      Name: Specify the name of the database.

      Type: Select Database.

      Profile: Select Microsoft SQL Server.

      User Name: Specify the user name of the database administrator account.

      Password: Specify the password for the database administrator user account.

      ODBC Initialization Path: Specify the path of the odbc.ini file as mentioned above in step 4, then click Fetch DSNs to fetch and list all the DSNs in odbc.ini under ODBC Data Source Name.

      ODBC Data Source Name: Select the DSN configured above in step 4.

      Password Check-in: Select the Delegate to identity Manager checkbox to hide the fields below.

      Password Policy: Select Default Password Policy from the drop-down menu.

    4. Click Add to save the Account Domain Details.

  10. Create a database rule.

    1. On the home page of the console, click Command Control.

    2. In the Command control pane, click Rules.

    3. In the details pane, click Add.

    4. Specify a name for the database rule, then click Add.

    5. To configure the rule, select the rule, then click the edit icon in the details pane.

      Make the following changes:

      Run User: Select Everyone from the drop-down list.

      Run Host: Add the name of the Database Account Domain created above.

      Authorize: Select Yes, then select Stop from the drop-down list.

    6. Click Modify. The settings you have defined for the rule are displayed in the console.

  11. To add the database password checkout command to the rule, perform the following:

    1. In the middle pane, click the Commands icon.

    2. From the drop-down list of commands, drag the Microsoft SQL Server Password Check Out command and drop it onto the database rule.
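
A pre-flight check for the ODBC pieces set up in steps 2, 4 and 5, run before entering the paths in the console. This is an added example, not Privileged Account Manager code: it confirms that both library links resolve and that every DSN in odbc.ini names a driver that is either a file path or registered in odbcinst.ini. The function names, the sample DSN `pam_mssql`, the host name, the library versions and the permission check on odbc.ini are assumptions of this example; all sample files are constructed in a scratch directory.

```shell
#!/bin/sh
# Added example, not product code: pre-flight check for steps 2, 4 and 5.

# Print the Driver= value of section $2 in INI file $1 (nothing if absent).
ini_driver() {
    awk -v want="$2" '
        /^[ \t]*\[/ { sec = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", sec); next }
        sec == want && /^[ \t]*[Dd]river[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }' "$1"
}

# Print one line per problem, nothing when the setup is consistent.
# $1 = ODBC Library Path, $2 = odbc.ini, $3 = odbcinst.ini
odbc_problems() {
    for lib in libodbc.so libodbcinst.so; do
        # -e follows the link, so a dangling symlink is reported as well
        [ -e "$1/$lib" ] || echo "missing or dangling link: $1/$lib"
    done
    # The DSN names the server the vaulted account is used against, so
    # (assumption of this example) only the owner should be able to edit it.
    if [ -n "$(find -L "$2" \( -perm -020 -o -perm -002 \))" ]; then
        echo "group/world-writable: $2"
    fi
    sed -n 's/^[[:space:]]*\[\(.*\)\][[:space:]]*$/\1/p' "$2" |
    while IFS= read -r dsn; do
        case $dsn in "ODBC Data Sources"|ODBC) continue ;; esac
        drv=$(ini_driver "$2" "$dsn")
        case $drv in
            "") echo "DSN [$dsn]: no Driver key" ;;
            /*) [ -e "$drv" ] || echo "DSN [$dsn]: driver file missing: $drv" ;;
            *)  file=$(ini_driver "$3" "$drv")
                { [ -n "$file" ] && [ -e "$file" ]; } ||
                    echo "DSN [$dsn]: driver '$drv' not usable via $3" ;;
        esac
    done
}

# Demo on constructed sample files in a scratch directory.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
touch "$demo/libodbc.so.2.0.0" "$demo/libodbcinst.so.2.0.0" "$demo/libtdsodbc.so"
ln -s libodbc.so.2.0.0 "$demo/libodbc.so"
ln -s libodbcinst.so.2.0.0 "$demo/libodbcinst.so"
printf '[FreeTDS]\nDriver = %s\n' "$demo/libtdsodbc.so" > "$demo/odbcinst.ini"
printf '[pam_mssql]\nDriver = FreeTDS\nServer = db.example.test\nPort = 1433\n' \
    > "$demo/odbc.ini"
chmod 644 "$demo/odbc.ini"
odbc_problems "$demo" "$demo/odbc.ini" "$demo/odbcinst.ini"
echo "check finished for $demo"
```

On a real agent, call `odbc_problems` with the directory entered in the ODBC Library Path field and the actual odbc.ini and odbcinst.ini paths; empty output means the three pieces agree.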