Requirements for Oracle database accounts

Before attempting to add Oracle database accounts to the Privileged Access Service, you should keep the following requirements in mind:

You can only use the Privileged Access Service to manage passwords for local Oracle database accounts.

The accounts you manage must be configured to include the CREATE SESSION privilege.

You cannot rotate or manage expired passwords for managed accounts.

You cannot use the Privileged Access Service to manage the password for the SYS account because that account requires a physical password file. If you attempt to manage the password for the SYS account, you will see an “Invalid account credentials” error.

The computer where the connector is installed must have the Oracle Data Provider for the .NET Managed Driver (ODP.NET) client library installed in the global assembly catalog. You can download the latest Oracle ODP.NETmanaged driver and Install the ODP.NET client library. If you download and install the library after you install the Centrify Connector, you should restart the connector before adding the database to Privileged Access Service.

Privileged Access Service can manage the account password for standalone Oracle server, or synchronize managed passwords across computers in a Real Application Cluster (RAC).

Oracle database support

The following Oracle databases are supported: 11g, 12c, 18c , and 19c. For more details about which versions of the Oracle database are supported in the current release, see the release notes.

Oracle databases can be configured to allow encrypted connections from the Connector.

Configure Oracle Real Application Clusters (RAC)

When configuring the Privileged Access Service for the databases in an Oracle Real Application Cluster, use the following settings:

Service Type: Oracle

Hostname: SCAN name

Port: SCAN port

Service Name: global Database Name

The SCAN name and port can be found with the following sqlplus command:

show parameter remote_listener

The global Database Name can be found with the following sqlplus command:

select * from global_NAME

Configure Oracle Data Guard

This section describes how to set the DNS alias when configuring the Oracle Data Guard.

To set the DNS alias:

  1. Login the DNS Server Administrator.
  2. Open DNS Manager.
  3. Go to Forward Lookup Zones.
  4. Right-click the target domain and choose New Alias (CNAME).
  5. Set an alias.
  6. Input the target FQDN and click OK.
  7. On the machine running the application, open the Command Prompt window as Administrator and enter the command:
  8. run "ipconfig /flushdns"
  9. Ping the alias in FQDN to check the target IP address.

Install the ODP.NET client library

Before you install, ensure you download the 64-bit ODAC 19.3 installation package.

To install the ODP.NET client library:

  1. Unzip the 64-bit ODAC 19.3 zip file.
  2. Launch the Command Prompt using Run as administrator.
  3. Use cd to navigate to the folder containing the unzipped files.
  4. Run the command install.bat odp.net4 c:\oracle odac. This will install both the x86 and x64 drivers to the path c:\oracle.
  5. To configure ODP.NET in GAC, use the Command Prompt to navigate to C:\oracle\\managed\x64 and run the following commands:

    OraProvCfg /action:config /product:odpm /frameworkversion:v4.0.30319 /providerpath:"C:\oracle\\managed\common\Oracle.ManagedDataAccess.dll" /set:settings\TNS_ADMIN:"C:\oracle\network\admin"

    OraProvCfg /action:gac /providerpath:"C:\oracle\\managed\common\Oracle.ManagedDataAccess.dll"

    OraProvCfg /action:gac /providerpath:"C:\oracle\\PublisherPolicy\4\Policy.4.122.Oracle.DataAccess.dll"
  6. After the installation completes, restart the connector. This will ensure ODP.NET is correctly loaded.