15.5 Enabling Password Checkout for Oracle Database

The password checkout feature can be used for Oracle databases. This feature is currently only supported on Linux. To enable password checkout, perform the following:

  1. Download the Oracle database client by using the instantclient-basic-linux.x64-x.x.zip package.

    NOTE: You can download the Oracle database client from the Instant Client page at http://www.oracle.com/technetwork/indexes/downloads/index.html#database. All the files that you extract from the Oracle client zip or tar file should be saved in /lib64 on a 64-bit machine and in /lib on a 32-bit machine.

  2. Create a symbolic link libclntsh.so for the libclntsh.so.xx.x file in /lib64 or /lib.

    For example, for libclntsh.so.12.1 create a symbolic link libclntsh.so (libclntsh.so -> libclntsh.so.12.1).

  3. On the home page of the Privileged Account Manager administration console, click Hosts.

  4. On the middle pane, select the Privileged Account Manager host.

  5. On the right pane, click Packages.

  6. Select the dbaudit package.

  7. On the left pane, click Settings.

  8. In the Oracle Client Library Path field, specify the path where the Oracle client is installed. By default, the path is /lib64 for a 64-bit machine or /lib for a 32-bit machine.

    This library must be installed on a Privileged Account Manager server.

  9. Create a privileged account for the database server:

    1. On the home page of the console, click Enterprise Credential Vault.

    2. Click Credential Vaults in the left pane and click Add Account Domain.

    3. Specify the following information:

      Name: Specify the name of the database. This name is used along with the Credential to authenticate. If you do not provide the correct domain name, user authentication fails.

      Type: Select Database

      Profile: Select Oracle

      User Name: Specify the user name of the database administrator account.

      Password: Specify the password of the database administrator account.

      Connect String: Specify the connection string that is used to reset the password in the database and check the password in. For an Oracle database, specify the following string:

      (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(Host=<IP address of the database that you have configured>)(Port=<configured port number>))(CONNECT_DATA=(SID=orcl)))

      Connect As: Select SYSDBA. If you want PAM itself to perform the password check-in process, click Test Connection to verify the connection to the database server.

      Password check-in: If you want to delegate the password check-in process to Identity Manager, select Delegate to Identity Manager. When this option is selected, the IDM (Identity Manager) driver for PAM generates a random password and synchronizes it to IDM. The PAM driver checks the new password in to PAM, and IDM synchronizes the password to the database through the respective database driver. For more information, refer to the Driver Implementation guide on the PAM documentation page.

      NOTE: Before you delegate password check-in to Identity Manager, ensure that both the PAM driver and the database driver are operational.

      Password Policy: Select the appropriate password policy. By default, Default Password Policy is selected. You can either modify the default password policy or create a new one. For more information about specifying a password policy, see Specifying Password Policies.

      This option is available only when the Delegate to Identity Manager option is not selected.

    4. Click Finish to save the account domain details.

    5. Add database account credentials. For more information, see Adding Shared Account Credentials in the Account Domain.

      These credentials are provided to users when they check out the password for the database. Available credentials are handed out to users as they check out; if all credentials are already in use, a user who checks out the password later receives a message indicating that all credentials are in use and can try to connect again after some time.

  10. Create a database rule.

    1. On the home page of the console, click Command Control.

    2. In the Command control pane, click Rules.

    3. In the details pane, click Add Rule.

    4. Specify a name for the database rule, then click Finish.

    5. To configure the rule, select the rule, then in the details pane, click Modify.

      Make the following changes:

      Run User: Select Everyone from the drop-down list.

      Run Host: Add the name of the Database Account Domain created above.

      Authorize: Select Yes, then select Stop from the drop-down list.

    6. Click Finish. The settings you have defined for the rule are displayed in the console.

  11. To add the database password check-out command to the rule, perform the following:

    1. On the middle pane, click the Commands icon.

    2. For the database password check-out rule, drag the Oracle DB Password Check Out command from the drop-down list of commands and drop it on the database rule.
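The two parts of this procedure that are easy to get subtly wrong are the client library link in step 2 (a dangling libclntsh.so link leaves dbaudit unable to load the client) and the hand-typed connect descriptor in the Connect String field (an unbalanced parenthesis or a missing Host/Port part makes every check-in fail). The following pre-flight script is an added example written for this page; it is not part of the Privileged Account Manager product or its documentation. It creates and verifies the symbolic link in a directory you name, and builds and sanity-checks an Oracle connect descriptor in the form shown above. The temporary directory, the library version 12.1, and the host, port and SID values are assumptions for the demonstration; the real library directory is /lib64 or /lib as the procedure states.

```shell
#!/bin/sh
# Added example for the Oracle password checkout procedure; not product code.
# Part 1 handles the libclntsh.so link from step 2, part 2 the Connect String.

# link_oracle_client LIBDIR VERSIONED_NAME
# Creates LIBDIR/libclntsh.so -> VERSIONED_NAME only if the versioned library
# is already present in LIBDIR, so a dangling link is never left behind.
link_oracle_client() {
    libdir=$1; versioned=$2
    if [ ! -f "$libdir/$versioned" ]; then
        echo "missing $libdir/$versioned: extract the Instant Client archive into $libdir first" >&2
        return 1
    fi
    ln -sf "$versioned" "$libdir/libclntsh.so"
}

# check_oracle_client LIBDIR
# Succeeds only if libclntsh.so in LIBDIR is a symbolic link that resolves
# to an existing regular file (relative or absolute link targets both work).
check_oracle_client() {
    libdir=$1; link="$libdir/libclntsh.so"
    [ -L "$link" ] || { echo "$link is not a symbolic link" >&2; return 1; }
    target=$(readlink "$link")
    case $target in
        /*) resolved=$target ;;
        *)  resolved="$libdir/$target" ;;
    esac
    [ -f "$resolved" ] || { echo "$link -> $target is dangling" >&2; return 1; }
}

# oracle_connect_string HOST PORT SID
# Prints a descriptor in the layout the Connect String field expects.
oracle_connect_string() {
    printf '(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(Host=%s)(Port=%s))(CONNECT_DATA=(SID=%s)))\n' "$1" "$2" "$3"
}

# check_connect_string DESCRIPTOR
# Rejects a hand-edited descriptor whose parentheses are unbalanced or which
# lacks one of the DESCRIPTION/ADDRESS/Host/Port/CONNECT_DATA parts, before
# it is saved in the account domain.
check_connect_string() {
    s=$1
    opens=$(printf '%s' "$s" | tr -cd '(' | wc -c | tr -d ' ')
    closes=$(printf '%s' "$s" | tr -cd ')' | wc -c | tr -d ' ')
    [ "$opens" -eq "$closes" ] || { echo "unbalanced parentheses in connect string" >&2; return 1; }
    for key in '(DESCRIPTION=' '(ADDRESS=' '(Host=' '(Port=' '(CONNECT_DATA='; do
        case $s in
            *"$key"*) ;;
            *) echo "connect string is missing $key" >&2; return 1 ;;
        esac
    done
}

# Demonstration in a constructed temporary directory instead of /lib64 or /lib.
demo=$(mktemp -d)
: > "$demo/libclntsh.so.12.1"          # stand-in for the real client library
link_oracle_client "$demo" libclntsh.so.12.1 && check_oracle_client "$demo" \
    && echo "client link OK: libclntsh.so -> $(readlink "$demo/libclntsh.so")"
cs=$(oracle_connect_string 192.0.2.10 1521 orcl)   # documentation-range address, assumed values
check_connect_string "$cs" && echo "connect string OK: $cs"
rm -rf "$demo"
```

Run it as the user that will own the library directory; to use it against the real location, replace the temporary directory with /lib64 or /lib and the stand-in file with the libclntsh.so.xx.x file extracted from the Instant Client archive. The connect-string check is deliberately structural only: it catches typing mistakes before they are stored, while the actual reachability of the database is what Test Connection in the console verifies.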