Requirements for Oracle database accounts

Before attempting to add Oracle database accounts to the Zero Trust Privileged Access Service, you should keep the following requirements in mind:

You can only use the Privileged Access Service to manage passwords for local Oracle database accounts.

The accounts you manage must be configured to include the CREATE SESSION privilege.

You cannot rotate or manage expired passwords for managed accounts.

You cannot use the Privileged Access Service to manage the password for the SYS account because that account requires a physical password file. If you attempt to manage the password for the SYS account, you will see an “Invalid account credentials” error.

The computer where the connector is installed must have the Oracle Data Provider for the .NET Managed Driver (ODP.NET) client library installed in the global assembly catalog. You can download the latest Oracle ODP.NET managed driver from the Oracle website. Installation instructions for the driver are included in the zip file. If you download and install the library after you install the Centrify connector, you should restart the connector before adding the database to Privileged Access Service. If you have an older version of the ODP.NET client library, you should check the Oracle website to see if a newer version is available.

Privileged Access Service can manage the account password for standalone Oracle server, or synchronize managed passwords across computers in a Real Application Cluster (RAC).

You should only add Oracle 11g or Oracle 12c databases to the Privileged Access Service. For more details about which versions of the Oracle database are supported in the current release, see the release notes.

Configuring Oracle Real Application Clusters (RAC)

When configuring the Privileged Access Service for the databases in an Oracle Real Application Cluster, use the following settings:

Service Type: Oracle

Hostname: SCAN name

Port: SCAN port

Service Name: global Database Name

The SCAN name and port can be found with the following sqlplus command:

show parameter remote_listener

The global Database Name can be found with the following sqlplus command:

select * from global_NAME

Configuring Oracle Data Guard

This section describes how to set the DNS alias when configuring the Oracle Data Guard.

To set the DNS alias:

  1. Login the DNS Server Administrator.
  2. Open DNS Manager.
  3. Go to Forward Lookup Zones.
  4. Right-click the target domain and choose New Alias (CNAME).
  5. Set an alias.
  6. Input the target FQDN and click OK.
  7. On the machine running the application, open the Command Prompt window as Administrator and enter the command:
  8. run "ipconfig /flushdns"
  9. Ping the alias in FQDN to check the target IP address.