16.1 Database Access Through Credential Checkout

Credential Checkout for databases allows you to provide elevated access to a database and monitor user actions on the database. This feature is supported only on Linux environments.

16.1.1 Configuring Credential Checkout for Oracle Database

To enable credential checkout for Oracle, perform the following:

  1. Download and install the Oracle database client:

    1. Download and install the Oracle database client by using the instantclient-basic-linux.x64-x.x.zip package.

      NOTE: You can download the Oracle database client from the Instant Client page at http://www.oracle.com/technetwork/indexes/downloads/index.html#database. All the files that you extract from the Oracle client zip or tar file should be saved in /lib64 on a 64-bit machine and in /lib on a 32-bit machine.

    2. Create a symbolic link libclntsh.so for the libclntsh.so.xx.x file in /lib64 or /lib.

      For example, for libclntsh.so.12.1 create a symbolic link libclntsh.so (libclntsh.so -> libclntsh.so.12.1).

  2. Configure the Oracle client library path in PAM:

    1. On the home page of the Privileged Account Manager administration console, click Hosts.

    2. On the middle pane, select the Privileged Account Manager host.

    3. On the right pane, click Packages.

    4. Select the dbaudit package.

    5. On the left pane, click Settings.

    6. In the Oracle Client Library Path field, specify the path where the Oracle client is installed. By default, the path is /lib64 on a 64-bit machine or /lib on a 32-bit machine.

      This library must be installed on a Privileged Account Manager server.

  3. Add the database server details as a resource and add the privileged account of the database server. To add a database resource and its credentials, click Credential Vault > Database > Database Type and click + next to Resources. For more information about the resource configuration fields, see the contextual help.

  4. Create a database rule:

    1. On the home page of the console, click Command Control.

    2. In the Command control pane, click Rules.

    3. In the details pane, click Add Rule.

    4. Specify a name for the database rule, then click Finish.

    5. To configure the rule, select the rule, then in the details pane, click Modify.

      Configure only the following:

      Run User: Select Everyone from dropdown list.

      Run Host: Specify the name of the Database resource created above.

      Authorize: Select Yes, then select Stop from the drop-down list.

    6. Click Finish. The settings you have defined for the rule are displayed in the console.

  5. Add the database password checkout command to the rule:

    1. On the middle pane, click the Commands icon.

    2. From the drop-down list of commands, drag the Oracle DB Password Check Out command and drop it on the database rule.
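The symbolic link from step 1 (libclntsh.so -> libclntsh.so.12.1), as an added shell example that is not part of the PAM documentation or product. It is written generically so the same function also creates the libodbc.so and libodbcinst.so links that 16.1.2 requires; the library directory and base name are arguments, and it assumes the versioned library file has already been copied into that directory.

```shell
# Create the unversioned symlink that the dbaudit package loads, pointing at the
# numerically highest versioned copy present, and refuse to clobber a regular file.
# Usage: link_client_lib <libdir> <basename>
#   link_client_lib /lib64 libclntsh.so        (Oracle Instant Client, 16.1.1)
#   link_client_lib /usr/lib64 libodbc.so      (unixODBC, 16.1.2)
link_client_lib() {
  libdir="$1"; base="$2"; best=""
  for f in "$libdir/$base".[0-9]*; do
    [ -e "$f" ] || continue                  # an unmatched glob stays literal; skip it
    ver=${f##*"$base".}                      # e.g. 12.1 from libclntsh.so.12.1
    # keep the numerically highest version, so 12.1 beats 11.2 and also 9.0
    best=$(printf '%s\n' "$best" "$ver" | sort -t . -k 1,1n -k 2,2n -k 3,3n | tail -n 1)
  done
  if [ -z "$best" ]; then
    echo "no $base.<version> found in $libdir" >&2
    return 1
  fi
  link="$libdir/$base"
  # only a missing path or an existing symlink may be (re)pointed, never a real file
  if [ -e "$link" ] && [ ! -L "$link" ]; then
    echo "$link exists and is not a symlink; not touching it" >&2
    return 1
  fi
  ln -sf "$base.$best" "$link"
  # the link must resolve to a readable file or dbaudit will fail to load it
  [ -r "$link" ] || { echo "$link is dangling" >&2; return 1; }
  echo "$link -> $base.$best"
}
```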

16.1.2 Configuring Credential Checkout for Other Databases

To enable credential checkout for databases such as Microsoft SQL Server, MySQL, PostgreSQL, MariaDB, Sybase, and IBM Db2, perform the following:

  1. In the agent that has the dbaudit module, perform the following:

    1. Install the ODBC (Open Database Connectivity) package, that is, the unixODBC RPM package that is part of the OS distribution.

    2. Create the symbolic links for the ODBC libraries in /lib64 or /usr/lib64 as follows:

      1. Create a link libodbc.so for libodbc.so.x.x.x

      2. Create a link libodbcinst.so for libodbcinst.so.x.x.x

    3. Install the supporting ODBC driver of the respective database. This ODBC driver is available as part of the database provider’s server distribution.

      For Microsoft SQL Server, choose the driver as follows:

      1. The Microsoft SQL driver is supported only on 64-bit Linux.

      2. The FreeTDS driver is supported on 32-bit and 64-bit Linux.

    4. Configure the database driver in ODBC by using the odbcinst.ini file.

    5. Configure the Data Source Name (DSN) of the database in the odbc.ini file.

      For more information about how to configure the odbcinst.ini and odbc.ini files, see the Knowledge Base article.

      NOTE: To enable password change for a Linux IBM Db2 database, refer to the IBM Db2 documentation. For more information on setting up ODBC application connectivity on Linux using the IBM Data Server Driver, refer to the IBM Support pages.

  2. In the Privileged Account Manager administration console:

    1. Set the ODBC library path:

      1. On the home page of the Privileged Account Manager administration console, click Hosts.

      2. On the middle pane, select the Privileged Account Manager host.

      3. On the right pane, click Packages.

      4. Select the dbaudit package.

      5. On the left pane, click Settings.

      6. In the ODBC Library Path field, specify the path where the symbolic links are created.

      You can use the appropriate policy template to automatically create a resource and rule for databases. This resource and rule can be customized as required. For more information about adding the policy template, see Adding a Policy Template. To create the resource and rule manually, continue with the following steps.

    2. Add the database server details as a resource and add the privileged account of the database server. To add a database resource and its credentials, click Credential Vault > Database > Database Type and click + next to Resources. For more information about the resource configuration fields, see the contextual help.

    3. Create a database rule:

      1. On the home page of the console, click Command Control.

      2. In the Command control pane, click Rules.

      3. In the details pane, click Add.

      4. Specify a name for the database rule, then click Add.

      5. To configure the rule, select the rule, click the edit icon in the details pane, and configure the following:

        Run User: Select Everyone from the drop-down list.

        Run Host: Specify the name of the Database resource created above.

        Authorize: Select Yes, then select Stop from the drop-down list.

      6. Click Modify. The settings you have defined for the rule are displayed in the console.

    4. To add the database password checkout command to the rule, perform the following:

      1. In the middle pane, click the Commands icon.

      2. From the drop-down list of commands, drag the appropriate database command and drop it on the database rule.
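Steps 4 and 5 of the agent setup (the odbcinst.ini driver entry and the odbc.ini DSN) as an added shell example for the FreeTDS driver and a Microsoft SQL Server resource; this is not the product's own code and not the Knowledge Base article's content. The driver library path, the DSN name PAM_MSSQL and the server name are placeholders, and the check function verifies that the DSN's driver is declared, that its library file exists, and that no UID/PWD keys were left in odbc.ini, since the account password belongs in the Credential Vault rather than on disk.

```shell
# Write a minimal driver entry and DSN, refusing to proceed if the driver library is absent
write_odbc_config() {
  confdir="$1"; driver_lib="$2"; dsn="$3"; server="$4"
  [ -r "$driver_lib" ] || { echo "driver library $driver_lib not found" >&2; return 1; }
  cat > "$confdir/odbcinst.ini" <<EOF
[FreeTDS]
Description = FreeTDS driver for Microsoft SQL Server
Driver = $driver_lib
EOF
  # no UID/PWD keys here: the privileged account's password stays in the Credential Vault
  cat > "$confdir/odbc.ini" <<EOF
[$dsn]
Driver = FreeTDS
Server = $server
Port = 1433
Database = master
TDS_Version = 7.4
EOF
}

# Print the Driver= value of one [section] of an ini file (empty if absent)
ini_driver() {
  awk -v sec="$2" '
    /^\[/ { insec = ($0 == "[" sec "]") }
    insec && /^[ \t]*Driver[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); print; exit }
  ' "$1"
}

# Cross-check a DSN: driver declared in odbcinst.ini, library readable, no embedded credentials
check_dsn() {
  confdir="$1"; dsn="$2"
  drv=$(ini_driver "$confdir/odbc.ini" "$dsn")
  [ -n "$drv" ] || { echo "DSN $dsn has no Driver entry" >&2; return 1; }
  lib=$(ini_driver "$confdir/odbcinst.ini" "$drv")
  [ -n "$lib" ] || { echo "driver $drv is not defined in odbcinst.ini" >&2; return 1; }
  [ -r "$lib" ] || { echo "driver library $lib is missing" >&2; return 1; }
  if grep -Eiq '^[ \t]*(UID|PWD)[ \t]*=' "$confdir/odbc.ini"; then
    echo "odbc.ini embeds UID/PWD; remove them and use the vault" >&2; return 1
  fi
  echo "$dsn -> $drv -> $lib"
}
```

On a real host the files live in /etc (or wherever odbcinst -j reports), and the Driver path must be the library shipped by your distribution's FreeTDS package.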

16.1.3 Checking Out Database Credentials

Privileged Account Manager (PAM) allows users to check out database credentials in the following ways:

  • Credential Checkout from the user console.

  • Checkout of credentials by using API tokens.

    For more information about AAPM, see Application to Application Password Management.

  • Checkout of credentials by using the REST API.

    To view the REST API documentation:

    1. In the new administration or user console, click the logged-in user in the top-right corner.

    2. Click REST API.

      The REST API document opens in a new tab.