18.1 Database Access Through Credential Checkout

Credential Checkout for databases lets you give users elevated access to a database through a shared, vaulted account and monitor what they do on the database. This feature is supported only on Linux environments.

18.1.1 Configuring Credential Checkout for Oracle Database

To enable credential checkout for Oracle, perform the following:

  1. Download and install the Oracle database client:

    1. Download and install the Oracle database client by using the instantclient-basic-linux.x64-x.x.zip package.

      NOTE: You can download the Oracle Instant Client from http://www.oracle.com/technetwork/indexes/downloads/index.html#database. Save all the files that you extract from the client zip or tar file in /lib64 on a 64-bit machine or /lib on a 32-bit machine. Because the dbaudit package loads these libraries into the Privileged Account Manager process, they must be owned by root and must not be writable by other users.

    2. Create a symbolic link named libclntsh.so that points to the libclntsh.so.xx.x file in /lib64 or /lib.

      For example, for libclntsh.so.12.1 create a symbolic link libclntsh.so (libclntsh.so -> libclntsh.so.12.1).

  2. Configure the Oracle client library path in PAM:

    1. On the home page of the Privileged Account Manager administration console, click Hosts.

    2. On the middle pane, select the Privileged Account Manager host.

    3. On the right pane, click Packages.

    4. Select the dbaudit package.

    5. On the left pane, click Settings.

    6. In the Oracle Client Library Path field, specify the path where the Oracle client is installed. By default the path is /lib64 on a 64-bit machine or /lib on a 32-bit machine.

      This library must be installed on the Privileged Account Manager server.

  3. Create a privileged account for the database server:

    1. On the home page of the console, click Enterprise Credential Vault.

    2. Click Credential Vaults in the left pane and click Add Account Domain.

    3. Specify the following information:

      Name: Specify the name of the database. This name is used together with the credential to authenticate; if the domain name is not correct, user authentication fails.

      Type: Select Database

      Profile: Select Oracle

      User Name: Specify the user name of the database administrator account.

      Password: Specify the password of the database administrator account.

      Connect String: Specify the connect descriptor that PAM uses to connect to the database when it resets the password and checks the new password in. For an Oracle database, specify the following string:

      (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(Host=<IP address of the database that you have configured>)(Port=<configured port number>))(CONNECT_DATA=(SID=orcl)))

      Replace orcl with the SID of your database instance.

      Connect As: Select SYSDBA. If you want PAM itself to perform the password check-in, click Test Connection to verify that PAM can connect to the database server with these settings.

      Password check-in: To delegate the password check-in process to Identity Manager, select Delegate to Identity Manager. With this option, the Identity Manager (IDM) driver for PAM generates a random password and synchronizes it to IDM; the PAM driver checks the new password in to PAM, and IDM synchronizes the password to the database through the respective database driver. For more information, see the Driver Implementation Guide on the PAM documentation page.

      NOTE: Before you delegate password check-in to Identity Manager, ensure that both the PAM driver and the database driver are operational.

      Password Policy: Select the appropriate password policy. Default Password Policy is selected by default. You can either modify the default password policy or create a new one. For more information, see Specifying Password Policies.

      This option is available only when Delegate to Identity Manager is not selected.

    4. Click Finish to save the account domain details.

    5. Add database account credentials. For more information, see Adding Shared Account Credentials in the Account Domain.

      These credentials are issued to users when they check out the password for the database. Each checkout uses one of the available credentials; when all of them are in use, a user who tries to check out the password is told that all credentials are in use and can try to connect again later.

  4. Create a database rule:

    1. On the home page of the console, click Command Control.

    2. In the Command control pane, click Rules.

    3. In the details pane, click Add Rule.

    4. Specify a name for the database rule, then click Finish.

    5. To configure the rule, select the rule, then in the details pane, click Modify.

      Configure only the following:

      Run User: Select Everyone from the drop-down list.

      Run Host: Specify the name of the Database Account Domain created above.

      Authorize: Select Yes, then select Stop from the drop-down list.

    6. Click Finish. The settings you have defined for the rule are displayed in the console.

  5. Add database password check out command to the rule:

    1. On the middle pane, click the Commands icon.

    2. From the drop-down list of commands, drag the Oracle DB Password Check Out command and drop it on the database rule.
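The following script is an added example and is not part of the Privileged Account Manager product or its documentation. It puts two parts of the procedure above on the command line so they can be checked before the account domain is saved: step 1 (the libclntsh.so link, plus ownership, permission and dependency checks on the library the dbaudit package will load) and the Connect String and Test Connection settings of step 3 (building the descriptor with validated inputs and probing the database with SQL*Plus as SYSDBA, which needs the Instant Client SQL*Plus package in addition to the basic package). The library directory and versioned file name are parameters; the host 192.0.2.15, port 1521 and SID orcl used in the comments are placeholders.

```sh
#!/bin/sh
# Added example, not part of the PAM product or its documentation.
# Prepares and verifies the Oracle Instant Client pieces that the dbaudit
# package needs: the libclntsh.so link and a connect descriptor that can be
# tested with SQL*Plus before "Test Connection" is clicked in the console.

# link_oracle_client LIBDIR [VERSIONED_FILE]
# LIBDIR is where the Instant Client files were unpacked (/lib64 on 64-bit,
# /lib on 32-bit hosts). VERSIONED_FILE (for example libclntsh.so.12.1) is
# only needed when more than one versioned library is present.
link_oracle_client() {
    libdir=$1
    target=$2
    if [ -z "$target" ]; then
        count=0
        for f in "$libdir"/libclntsh.so.[0-9]*; do
            [ -e "$f" ] || continue          # an unmatched glob stays literal
            count=$((count + 1))
            target=$(basename "$f")
        done
        if [ "$count" -eq 0 ]; then
            echo "no libclntsh.so.<version> in $libdir" >&2; return 1
        elif [ "$count" -gt 1 ]; then
            echo "several versioned libclntsh.so files in $libdir; name the one to link" >&2; return 1
        fi
    fi
    [ -f "$libdir/$target" ] || { echo "$libdir/$target is not a file" >&2; return 1; }
    # Relative link target: stays valid if LIBDIR is ever bind-mounted elsewhere.
    ln -sfn "$target" "$libdir/libclntsh.so" || return 1
    [ -f "$libdir/libclntsh.so" ] || { echo "$libdir/libclntsh.so is dangling" >&2; return 1; }
    readlink "$libdir/libclntsh.so"
}

# check_oracle_client LIBDIR
# dbaudit loads this library into the PAM server process, so it must be
# root-owned, not group/world writable, and its own dependencies (typically
# libaio) must resolve.
check_oracle_client() {
    lib=$1/libclntsh.so
    if [ -n "$(find -L "$lib" \( ! -user root -o -perm -g+w -o -perm -o+w \) 2>/dev/null)" ]; then
        echo "$lib is not root-owned or is group/world writable" >&2; return 1
    fi
    if ldd "$lib" 2>/dev/null | grep -q 'not found'; then
        ldd "$lib" | grep 'not found' >&2; return 1
    fi
}

# oracle_connect_string HOST PORT SID -> the descriptor expected in "Connect String"
oracle_connect_string() {
    host=$1; port=$2; sid=$3
    case $port in
        ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port $port is out of range" >&2; return 1
    fi
    if [ -z "$host" ] || [ -z "$sid" ]; then
        echo "host and SID are required" >&2; return 1
    fi
    printf '(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(Host=%s)(Port=%s))(CONNECT_DATA=(SID=%s)))\n' \
        "$host" "$port" "$sid"
}

# test_oracle_connection USER PASSWORD CONNECT_STRING
# Same check as the console's Test Connection. The credentials go to sqlplus
# on stdin (/nolog + CONNECT), never on the command line where ps would show
# them. Passwords containing @ or / must be double-quoted inside CONNECT.
test_oracle_connection() {
    printf 'CONNECT %s/%s@%s AS SYSDBA\nSET HEADING OFF\nSELECT 1 FROM dual;\nEXIT\n' \
        "$1" "$2" "$3" | sqlplus -S -L /nolog | grep -q '^ *1$'
}

# Usage: sh oracle_client_check.sh /lib64 [libclntsh.so.12.1]
if [ "$#" -ge 1 ]; then
    link_oracle_client "$@" && check_oracle_client "$1"
fi
```

Run it once with the library directory as its argument after unpacking the Instant Client; a non-zero exit means the link, ownership or dependencies need attention before the path is entered in the Oracle Client Library Path field. The connection probe is deliberately separate so the SYSDBA password is only typed when you choose to run it.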

18.1.2 Configuring Credential Checkout for Other Databases

To enable credential checkout for databases, such as Microsoft SQL Server, MySQL, PostgreSQL, MariaDB, and Sybase, perform the following:

  1. On the agent that has the dbaudit module, perform the following:

    1. Install the unixODBC (Open Database Connectivity) RPM package that is part of the OS distribution.

    2. Create symbolic links for the ODBC libraries in /lib64 or in /usr/lib64 as follows:

      1. Create a link libodbc.so for libodbc.so.x.x.x

      2. Create a link libodbcinst.so for libodbcinst.so.x.x.x

    3. Install the ODBC driver for the respective database. This driver is available as part of the database vendor's server distribution.

      For Microsoft SQL Server, choose the driver as follows:

      1. The Microsoft SQL Server ODBC driver is supported only on 64-bit Linux.

      2. The FreeTDS driver is supported on 32-bit and 64-bit Linux.

    4. Register the database driver in the odbcinst.ini file.

    5. Configure the Data Source Name (DSN) of the database in the odbc.ini file.

      For more information about how to configure the odbcinst.ini and odbc.ini files, see the Knowledge Base article.

  2. In the Privileged Account Manager administration console:

    1. Set the ODBC library path:

      1. On the home page of the Privileged Account Manager administration console, click Hosts.

      2. On the middle pane, select the Privileged Account Manager host.

      3. On the right pane, click Packages.

      4. Select the dbaudit package.

      5. On the left pane, click Settings.

      6. In the ODBC Library Path field, specify the path where the symbolic links are created.

      You can use the appropriate policy template to automatically create an account domain and rule for databases. This account domain and rule can be customized as required. For more information about adding the policy template, see Adding a Policy Template. To create the account domain and rule manually, continue with the following steps.

    2. Create a privileged account for the database server:

      1. On the home page of the console, click Enterprise Credential Vault.

      2. Click Credential Vaults in the left pane and click Add Account Domain.

      3. Specify the following information:

        Name: Specify the name of the database.

        Type: Select Database.

        Profile: Select the appropriate database.

        User Name: Specify the user of the database administrator account.

        Password: Specify the password of the database administrator account.

        ODBC Initialization Path: Specify the path of the odbc.ini file that you configured on the agent (step 5 of the agent configuration above), then click Fetch DSNs to list all DSNs in odbc.ini under ODBC Data Source Name.

        ODBC Data Source Name: Select the DSN that you configured in odbc.ini.

        Password Check-in: Select the Delegate to Identity Manager check box to delegate the password check-in process to Identity Manager.

        With this option, the Identity Manager driver for Privileged Account Manager generates a random password and synchronizes it to Identity Manager.

        Password Policy: Select the appropriate password policy. Default Password Policy is selected by default. You can either modify the default password policy or create a new one. For more information, see Specifying Password Policies.

      4. Click Add to save the Account Domain details.

    3. Create a database rule:

      1. On the home page of the console, click Command Control.

      2. In the Command control pane, click Rules.

      3. In the details pane, click Add.

      4. Specify a name for the database rule, then click Add.

      5. To configure the rule, select the rule, click the edit icon in the details pane, and configure the following:

        Run User: Select Everyone from the drop-down list.

        Run Host: Specify the name of the Database Account Domain created above.

        Authorize: Select Yes, then select Stop from the drop-down list.

      6. Click Modify. The settings you have defined for the rule are displayed in the console.

    4. To add the database password check out command to the rule, perform the following:

      1. In the middle pane, click the Commands icon.

      2. From the drop-down list of commands, drag the appropriate database command and drop it on the database rule.
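The following script is an added example and is not part of the Privileged Account Manager product or its documentation. It checks the unixODBC configuration prepared in step 1 of the procedure above before Fetch DSNs is used in step 2: it lists the DSN sections of odbc.ini (the names Fetch DSNs would show), confirms that each DSN's Driver= entry names a driver section in odbcinst.ini or an existing library, and confirms that every driver section points at a library that exists. The sample odbcinst.ini and odbc.ini it writes are constructed for the example; the FreeTDS DSN keys, the driver path /usr/lib64/libtdsodbc.so.0 and the 192.0.2.x addresses are placeholders, and the mysql_dev DSN deliberately names a driver that is not registered, which is the mistake the checks are meant to catch.

```sh
#!/bin/sh
# Added example, not part of the PAM product or its documentation.
# Validates unixODBC configuration on the dbaudit agent before the database
# account domain is created in the PAM console.

# ini_sections FILE -> one section name per line
ini_sections() {
    awk '/^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/].*$/, "", s); print s }' "$1"
}

# ini_value FILE SECTION KEY -> value of KEY (case-insensitive) in SECTION, or nothing
ini_value() {
    awk -v want="$2" -v key="$3" '
        /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/].*$/, "", s); insec = (s == want); next }
        insec && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); print v; exit
            }
        }' "$1"
}

# list_dsns ODBC_INI -> DSN names; [ODBC Data Sources] is an index, not a DSN
list_dsns() {
    ini_sections "$1" | grep -vx 'ODBC Data Sources'
}

# check_dsn_drivers ODBC_INI ODBCINST_INI -> 0 if every DSN names a known driver
check_dsn_drivers() {
    odbc_ini=$1; inst_ini=$2
    problems=$(list_dsns "$odbc_ini" | while IFS= read -r dsn; do
        drv=$(ini_value "$odbc_ini" "$dsn" Driver)
        if [ -z "$drv" ]; then
            echo "[$dsn]: no Driver= entry"
        elif [ -f "$drv" ]; then
            :                                   # Driver given as a library path
        elif ! ini_sections "$inst_ini" | grep -qxF -- "$drv"; then
            echo "[$dsn]: driver '$drv' is not defined in $inst_ini"
        fi
    done)
    [ -z "$problems" ] || { printf '%s\n' "$problems" >&2; return 1; }
}

# check_driver_libs ODBCINST_INI -> 0 if every driver section's library exists
check_driver_libs() {
    inst_ini=$1
    problems=$(ini_sections "$inst_ini" | grep -vx ODBC | while IFS= read -r drv; do
        lib=$(ini_value "$inst_ini" "$drv" Driver)
        [ -f "$lib" ] || echo "[$drv]: library '$lib' not found"
    done)
    [ -z "$problems" ] || { printf '%s\n' "$problems" >&2; return 1; }
}

# write_sample_config DIR: constructed sample files for trying the checks.
# mssql_prod is complete; mysql_dev names a driver odbcinst.ini does not define.
write_sample_config() {
    cat > "$1/odbcinst.ini" <<'EOF'
[ODBC]
Trace = No

[FreeTDS]
Description = FreeTDS driver for Microsoft SQL Server
Driver = /usr/lib64/libtdsodbc.so.0
EOF
    cat > "$1/odbc.ini" <<'EOF'
[ODBC Data Sources]
mssql_prod = FreeTDS
mysql_dev = MySQL

[mssql_prod]
Driver = FreeTDS
Server = 192.0.2.10
Port = 1433
Database = master
TDS_Version = 7.4

[mysql_dev]
Driver = MySQL
Server = 192.0.2.20
Port = 3306
EOF
}

# Usage: sh odbc_check.sh /etc/odbc.ini /etc/odbcinst.ini
if [ "$#" -eq 2 ]; then
    list_dsns "$1" && check_dsn_drivers "$1" "$2" && check_driver_libs "$2"
fi
```

Run it with the real odbc.ini and odbcinst.ini paths on the agent; a DSN that fails these checks will either not appear under ODBC Data Source Name or will fail when PAM tries to connect through it. A DSN that passes can be exercised end to end with unixODBC's own isql tool (isql -v <DSN> <user> <password>) before the account domain is saved.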

18.1.3 Checking Out Database Credentials

Privileged Account Manager (PAM) allows users to check out database credentials in the following ways:

  • Credential checkout from the user console

  • Checkout of credentials using API tokens.

    For more information about application-to-application password management (AAPM), see Application to Application Password Management.

  • Checkout credentials using REST API.

    To view the REST API documentation:

    1. In the new administration or user console, click the logged in user on the top-right corner.

    2. Click REST API.

      The REST API document opens in a new tab.