  • Oracle Privileged Account Manager Installation and Configuration

    Posted by "" in "FMW, RCU, WebLogic" on 2014-10-15


    Oracle Privileged Account Manager handles password and usage management for privileged accounts such as the Unix root account, database SYS accounts, and system administrator accounts. To learn more about this product, see my blog post: http://gskblogs.blogspot.co.uk/2014/04/a-tour-of-oracle-privileged-account.html

    In this post, we will learn how to install Oracle Privileged Account Manager. This includes creating the required schemas, configuring the domain, and the post-installation configuration steps.

    Schema Creation

    • Download the Repository Creation Utility (RCU) from http://edelivery.oracle.com
    • Start the RCU by running rcu or rcu.cmd
    • Click Next on Welcome screen

    • Select Create and click Next

    • Provide the database details in the next screen with sys database user credentials

    • The installer performs some prerequisite checks. Click OK if all the checks are successful

    • You can select an existing prefix if you have already run the RCU for other product configuration or you can choose to create a new prefix. Select Oracle Privileged Account Manager from the Component table. Oracle Platform Security Services will get selected automatically.

    • Provide the passwords for the OPSS & OPAM schemas

    • Follow the next steps to create the tablespaces and components



    Oracle Identity & Access Management Installation

    It is assumed here that you have already installed Oracle WebLogic Server and Oracle Identity & Access Management home.


    Oracle Privileged Account Manager Domain Configuration

    • Start the domain configuration wizard by running config.sh or config.cmd from <ORACLE_IAM_HOME>/common/bin
    • Select Create a new WebLogic Domain

    • Select Oracle Privileged Account Manager in Domain Source

    • Provide the domain name

    • Provide administrator username and password

    • Provide server start mode – Development/Production

    • Enter the schema details which we created in Schema creation steps

    • The installer will verify the schema details

    • Don’t select any checkbox in the next screen if you want to use default server configuration

    • View the configuration summary and click on Create to create the domain

    • Click on Done to finish the installation


    Oracle Platform Security Services Upgrade

    • Run Patch Set Assistant utility to upgrade Oracle Platform Security Services Schema for version. Run psa or psa.cmd from <MW_HOME>/oracle_common/bin
    • Click Next on the Welcome Screen

    • Select only Oracle Platform Security Services

    • Make sure you have backed up the database

    • Provide the database details. Click on connect to populate the OPSS schema in schema user name. Provide password

    • Click Next

    • Click on Upgrade to start the upgrade process

    • Once the progress is 100%, click on Next

    • Click on Close once the OPSS schema is upgraded


    Configure Security Store

    • Run the following command to create the security store in database. Since we have created new OPSS schema, we need to create a new security store. The command also provides an option to join to existing security store.
    • <MW_HOME>/oracle_common/common/bin/wlst.sh or wlst.cmd <ORACLE_IAM_HOME>/common/tools/configureSecurityStore.py -d <DOMAIN_HOME> -c IAM -p <PASSWORD> -m create


    OPAM Configuration

    • Start the WebLogic Admin server and run opam-config.sh or opam-config.cmd from <ORACLE_IAM_HOME>/opam/bin
    • Before running the script, you must set the following variables:
    • export ORACLE_HOME=/oracle/apps/iam/idam/
      export ANT_HOME=/oracle/apps/iam/modules/org.apache.ant_1.7.1/
      export JAVA_HOME=/usr/java/jdk1.7.0_51/
      export ANT_OPTS="-Xmx512M -XX:MaxPermSize=512m"
    • You will be prompted to provide the following details:
    • [input] Enter WebLogic Admin Username:
      Enter WebLogic Admin Password:
      [input] Enter WebLogic URL: (t3://<weblogic-host>:<weblogic-port>)
      [input] Enter WebLogic Domain Name
      [input] Enter Middleware Home
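
A pre-flight check for the variables listed above, as an added example that is not part of the original post or of the OPAM tooling. The function name opam_preflight is hypothetical; it also flags typographic quotes in ANT_OPTS, which break the export when the line is pasted from a web page.

```shell
#!/bin/sh
# Added example: verify the environment before running opam-config.sh.
# opam_preflight is a hypothetical helper, not shipped with OPAM.
# Usage: opam_preflight && <ORACLE_IAM_HOME>/opam/bin/opam-config.sh

opam_preflight() {
    rc=0
    # Each *_HOME variable must be set and point at an existing directory.
    for name in ORACLE_HOME ANT_HOME JAVA_HOME; do
        eval "value=\${$name:-}"
        if [ -z "$value" ]; then
            echo "MISSING $name"; rc=1
        elif [ ! -d "$value" ]; then
            echo "NOT_A_DIRECTORY $name=$value"; rc=1
        fi
    done
    # A usable JDK has an executable bin/java under JAVA_HOME.
    if [ -n "${JAVA_HOME:-}" ] && [ -d "$JAVA_HOME" ] \
        && [ ! -x "$JAVA_HOME/bin/java" ]; then
        echo "NO_JAVA_BINARY $JAVA_HOME/bin/java"; rc=1
    fi
    # ANT_OPTS must be set and must not contain curly quotes: the shell does
    # not treat them as quoting, so the JVM would receive them literally.
    case "${ANT_OPTS:-}" in
        "") echo "MISSING ANT_OPTS"; rc=1 ;;
        *“*|*”*) echo "SMART_QUOTES ANT_OPTS"; rc=1 ;;
    esac
    return $rc
}
```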


    OPAM Authorisation

    • In order to access the OPAM via GUI or Command Line Interface, the user must have appropriate roles assigned. Assign Application Configurator Role to the admin user with the help of Oracle Identity Navigator.
    • Log in to Oracle Identity Navigator as an administrator user: http://<OPAM_SERVER_IP>:18101/oinav
    • Click on the Administration tab. Search for the user to whom you want to assign OPAM administrator access. Select the user. Select the checkbox under OPAM for Application Configurator and click Apply.

    • Now you will be able to access the OPAM with administrator privileges


    Non-TDE Mode

    • If you are not using TDE (Transparent Data Encryption) but TDE mode is enabled in OPAM, you will get the following errors in the logs:
    • <Error> <oracle.idm.opam> <BEA-000000> <OPAMFlexManager.updateRuntimeFlags(String attrname, String attrvalue) SQLException :WALLET_CLOSED>
      <Error> <oracle.idm.opam> <BEA-000000> <PolicyEnforcer.checkExpiration OPAMException :WALLET_CLOSED>
    • To resolve this, you will need to either configure TDE or disable it. Following is the command to disable TDE:
    • <ORACLE_IAM_HOME>/opam/bin/opam.sh or opam.cmd -url https://<OPAM_SERVER_IP>:18102/opam -url https://<OPAM_SERVER_IP>:18102/opam -x modifyglobalconfig -propertyname tdemode -propertyvalue false -u <ADMINISTRATOR_USER> -p <PASSWORD>
    • Make sure you provide https and not http address and port
    • If you have not assigned the Application Configurator Role in the previous step and try to run opam.sh or opam.cmd to disable TDE, you will get this error – Error Modifying global config: Error Code: 401. So run this step with the user with Application Configurator Role
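
A triage helper for the situation described in this section, as an added example that is not part of the original post or of the OPAM CLI. The function names are hypothetical and the sample log is constructed from the two error lines quoted above; the URL check enforces the https requirement, since the command carries the administrator password.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of the OPAM CLI.

# Constructed sample log, modelled on the two error lines quoted above.
sample_log() {
    cat <<'EOF'
<Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING.>
<Error> <oracle.idm.opam> <BEA-000000> <OPAMFlexManager.updateRuntimeFlags(String attrname, String attrvalue) SQLException :WALLET_CLOSED>
<Error> <oracle.idm.opam> <BEA-000000> <PolicyEnforcer.checkExpiration OPAMException :WALLET_CLOSED>
<Error> <oracle.idm.opam> <BEA-000000> <OPAMFlexManager.updateRuntimeFlags(String attrname, String attrvalue) SQLException :WALLET_CLOSED>
EOF
}

# Summarise WALLET_CLOSED errors logged by oracle.idm.opam (log on stdin).
# Prints "<count> <Class.method>" per distinct failing call, busiest first.
opam_wallet_errors() {
    grep -F '<oracle.idm.opam>' | grep -F 'WALLET_CLOSED' |
    sed -n 's/.*<BEA-[0-9]*> <\([A-Za-z]*\.[A-Za-z]*\).*/\1/p' |
    sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Accept only an https URL ending in /opam, the form used in the command
# above; an http URL would send the -u/-p credentials in clear text.
opam_url_ok() {
    case "$1" in
        https://*/opam) return 0 ;;
        *) return 1 ;;
    esac
}

sample_log | opam_wallet_errors
# opam.example.test is a placeholder host name.
opam_url_ok 'https://opam.example.test:18102/opam' && echo "URL ok"
```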



