Planning for Adding Database Accounts
Before adding any databases to the Privileged Access Service, you might want to consider which accounts you need to manage and whether there are any restrictions on those accounts that you should be aware of.
The most common accounts that are likely candidates to be managed through the Privileged Access Service include the system administrator accounts such as the sa account for Microsoft SQL Server databases, the SYSTEM administrative account for Oracle databases, the DBA administrative account for SAP Adaptive Server Enterprise databases, or any other account you use for database administration.
You might have many other administrative or in-house database accounts that require special privileges or have access to sensitive information. You can use Privileged Access Service to manage the password for any of these accounts or add non-administrative accounts to securely store the account information without having the password managed by Privileged Access Service.
Account names are often case sensitive on the supported infrastructure (for example, on systems and in databases). Make sure the account name you enter in Privileged Access Service matches the account name as defined on the target system or database exactly.
For more information about the requirements for adding databases and database accounts, see the following topics:
Requirements for Microsoft SQL Server Databases
Before attempting to add Microsoft SQL Server database accounts to the Privileged Access Service, you should keep the following requirements in mind:
- You can only use the Privileged Access Service to manage passwords for local SQL Server login accounts, that is, logins that use SQL Server authentication.
- You cannot rotate or manage expired passwords for managed accounts; an expired password must be reset on the server before the account can be managed.
- If you use Windows authentication to connect to the SQL Server database, add the corresponding Active Directory domain accounts to the Privileged Access Service and manage them as domain accounts.
Database Accounts and Clustering
The accounts used to communicate with databases fall into two major categories: administrative accounts and service accounts. Administrative accounts are used by the database administrator to connect to the database to perform administrative tasks, such as adding new databases or database users or managing database tables. Service accounts are used by application servers—such as Tomcat, JBoss, or IIS—to authenticate to the database before storing or retrieving service-specific information in the database. The Privileged Access Service supports password management for the administrative database accounts.
In addition, there are two types of authentication for database accounts in SQL Server:
- Windows authentication
- SQL Server authentication
You can use the Privileged Access Service to manage the password for both Windows authentication database accounts and SQL Server authentication database accounts for standalone SQL Server instances.
If you have a SQL Server cluster configured for high availability with automatic failover, the administrative database accounts you manage should be domain accounts that use Windows authentication, to avoid the replication issues described below.
If the managed database account is a Windows domain account, passwords can be synchronized for SQL Server clusters that are configured to use failover clustered instances, database mirroring, AlwaysOn availability groups, log shipping, or any combination of these features.
If you use SQL Server authentication for the database account you want to manage, the SQL Server cluster must be configured to use failover clustered instances. For managed SQL Server database accounts, only failover clustered instances are supported because other high-availability features might result in replication delays and authentication failures.
For details about the versions of Microsoft SQL Server supported in the current release, see the release notes. For information about configuring clustering for SQL Server and clustering scenarios, see the Microsoft documentation.
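The following T-SQL is an added example, not part of the Delinea documentation, that checks the requirements above before you add a SQL Server account: whether a login uses SQL Server or Windows authentication (the SQL Server authentication and clustering discussion above), and whether a candidate SQL login is expired or locked, since an expired password cannot be rotated. The login name pas_dba and the temporary password are hypothetical placeholders; run it as a sysadmin on the instance (for a failover clustered instance, against the cluster's virtual name).

```sql
-- Added example (not from the Delinea documentation): pre-flight checks in
-- T-SQL before adding a SQL Server account to Privileged Access Service.
-- The login name 'pas_dba' and the password below are hypothetical placeholders.

-- 1. Which authentication type does each login use? Only SQL Server logins
--    (type 'S') can have their password managed by the service; Windows logins
--    ('U' = user, 'G' = group) are managed as domain accounts instead.
SELECT name,
       CASE type
           WHEN 'S' THEN 'SQL Server authentication'
           WHEN 'U' THEN 'Windows authentication (user)'
           WHEN 'G' THEN 'Windows authentication (group)'
           ELSE type_desc
       END AS auth_type,
       is_disabled
FROM sys.server_principals
WHERE type IN ('S', 'U', 'G')
  AND name NOT LIKE '##%';   -- skip the internal certificate-based logins

-- 2. Is the candidate SQL login expired or locked? The service cannot rotate
--    an already-expired password, so this must be fixed before onboarding.
SELECT sl.name,
       sl.is_policy_checked,
       sl.is_expiration_checked,
       LOGINPROPERTY(sl.name, 'IsExpired')           AS is_expired,
       LOGINPROPERTY(sl.name, 'IsLocked')            AS is_locked,
       LOGINPROPERTY(sl.name, 'DaysUntilExpiration') AS days_until_expiration
FROM sys.sql_logins AS sl
WHERE sl.name = 'pas_dba';

-- 3. If is_expired = 1, reset the password first. Turning CHECK_EXPIRATION off
--    is optional: do it only if you want the rotation schedule in Privileged
--    Access Service, rather than the Windows password policy, to own the
--    password lifetime. Do NOT add MUST_CHANGE here; that marks the login
--    as expired again and the service would fail to manage it.
ALTER LOGIN pas_dba
    WITH PASSWORD = 'Replace-With-A-Strong-Temporary-Pa55w0rd!',
         CHECK_EXPIRATION = OFF;
```

After the reset, add the login to Privileged Access Service and let it rotate the temporary password immediately; the temporary value should never remain in use.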
Requirements for Oracle Database Accounts
Before attempting to add Oracle database accounts to the Privileged Access Service, you should keep the following requirements in mind:
- You can only use the Privileged Access Service to manage passwords for local Oracle database accounts.
- The accounts you manage must hold the CREATE SESSION privilege; without it an account cannot log in to the database at all.
- You cannot rotate or manage expired passwords for managed accounts.
- You cannot use the Privileged Access Service to manage the password for the SYS account, because the SYS password is stored in a physical password file rather than in the database. If you attempt to manage the password for the SYS account, you will see an "Invalid account credentials" error.
- The computer where the Delinea Connector is installed must have the Oracle Data Provider for .NET, Managed Driver (ODP.NET Managed Driver) client library installed in the global assembly cache (GAC). Download the latest ODP.NET Managed Driver from Oracle and install it as described in "Installing the ODP.NET client library". If you download and install the library after you install the Delinea Connector, restart the connector before adding the database to Privileged Access Service.
- Privileged Access Service can manage the account password for a standalone Oracle server, or synchronize managed passwords across the nodes of a Real Application Cluster (RAC).
Oracle Database Support
The following Oracle database versions are supported: 11g, 12c, 18c, and 19c. For more details about which versions of the Oracle database are supported in the current release, see the release notes.
Oracle databases can be configured to allow encrypted connections from the Connector.
Configuring Oracle Real-Application Clusters (RAC)
When configuring the Privileged Access Service for the databases in an Oracle Real Application Cluster, use the following settings:
Service Type: Oracle
Hostname: the SCAN name
Port: the SCAN port
Service Name: the global database name
The SCAN name and port can be found with the following sqlplus command:
show parameter remote_listener
The global database name can be found with the following sqlplus command:
select * from global_name;
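The following SQL is an added example, not part of the Delinea documentation, covering both the Oracle account requirements above (CREATE SESSION, no expired password, never SYS) and the RAC connection settings (SCAN name and port, global database name). The user name PAS_DBA and the temporary password are hypothetical placeholders. Run it in SQL*Plus as a DBA account such as SYSTEM, not as SYS.

```sql
-- Added example (not from the Delinea documentation): checks before adding an
-- Oracle account to Privileged Access Service. PAS_DBA and the password are
-- hypothetical placeholders. Run as a DBA (for example SYSTEM); do not use SYS,
-- whose password lives in the password file and cannot be managed.

-- 1. Create the account to be managed (or reuse an existing local account) and
--    grant CREATE SESSION, without which the account cannot log in at all.
CREATE USER pas_dba IDENTIFIED BY "Replace-With-A-Strong-Temporary-Pa55w0rd";
GRANT CREATE SESSION TO pas_dba;

-- 2. Verify the direct grant and that the account is OPEN rather than
--    EXPIRED or LOCKED: an expired password cannot be rotated by the service.
SELECT u.username,
       u.account_status,
       u.expiry_date,
       CASE WHEN p.privilege IS NULL THEN 'MISSING' ELSE 'OK' END AS create_session
FROM   dba_users u
       LEFT JOIN dba_sys_privs p
              ON p.grantee = u.username
             AND p.privilege = 'CREATE SESSION'
WHERE  u.username = 'PAS_DBA';

-- 2b. CREATE SESSION may also arrive through a role (e.g. CONNECT). If the
--     direct check says MISSING, list the account's roles before granting again.
SELECT role FROM dba_role_privs WHERE grantee = 'PAS_DBA';

-- 3. If account_status shows EXPIRED, reset the password before onboarding;
--    the service will rotate this temporary value as soon as it manages the account.
-- ALTER USER pas_dba IDENTIFIED BY "Another-Strong-Temporary-Pa55w0rd";

-- 4. RAC connection settings: the SCAN name and port come from the
--    remote_listener parameter (the SQL equivalent of SHOW PARAMETER), and the
--    global database name is the value to enter as the Service Name.
SELECT name, value FROM v$parameter WHERE name = 'remote_listener';
SELECT global_name FROM global_name;
```

The remote_listener value is normally of the form scan-name:port; enter those two parts as the Hostname and Port, and the global_name result as the Service Name.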
Configure Oracle Data Guard
This section describes how to set the DNS alias when configuring Oracle Data Guard.
To set the DNS alias:
- Log in to the DNS server as an administrator.
- Open DNS Manager.
- Go to Forward Lookup Zones.
- Right-click the target domain and choose New Alias (CNAME).
- Set an alias name.
- Enter the target FQDN and click OK.
- On the machine running the application, open a Command Prompt window as Administrator and run ipconfig /flushdns.
- Ping the alias by its FQDN to verify that it resolves to the target IP address.
Installing the ODP.NET client library
Before you install, download the 64-bit ODAC 19.3 installation package from Oracle.
To install the ODP.NET client library:
- Unzip the 64-bit ODAC 19.3 zip file.
- Launch the Command Prompt using Run as administrator.
- Use cd to navigate to the folder containing the unzipped files.
- Run the command install.bat odp.net4 c:\oracle odac. This installs both the x86 and x64 drivers under c:\oracle.
- To register ODP.NET in the GAC, use the Command Prompt to navigate to C:\oracle\odp.net\managed\x64 and run the following commands:
OraProvCfg /action:config /product:odpm /frameworkversion:v4.0.30319 /providerpath:"C:\oracle\odp.net\managed\common\Oracle.ManagedDataAccess.dll" /set:settings\TNS_ADMIN:"C:\oracle\network\admin"
OraProvCfg /action:gac /providerpath:"C:\oracle\odp.net\managed\common\Oracle.ManagedDataAccess.dll"
OraProvCfg /action:gac /providerpath:"C:\oracle\odp.net\PublisherPolicy\4\Policy.4.122.Oracle.DataAccess.dll"
- After the installation completes, restart the Delinea Connector so that ODP.NET is loaded correctly.
Requirements for SAP Adaptive Server Enterprise
Before attempting to add SAP Adaptive Server Enterprise (ASE) database accounts to the Privileged Access Service, you should keep the following requirements in mind:
- You can only use the Privileged Access Service to manage passwords for local database accounts.
- You cannot rotate or manage expired passwords for managed accounts.
- Supported releases are subject to change based on the end of mainstream maintenance date as determined by SAP. For more details about which versions of the SAP ASE database are supported in the current release, see the release notes.
- The computer where the Delinea Connector is installed must have the SAP ASE Data Provider for the .NET client (ADO.NET) installed in the global assembly cache (GAC). For installation details, see "Installing ADO.NET with the Delinea Connector." If you download and install the library after you install the Delinea Connector, you should restart the connector before adding the database to Privileged Access Service. If you have an older version of the ADO.NET client library, check the SAP ASE website to see if a newer version is available.
- Privileged Access Service can manage the account password for a standalone SAP ASE server, or synchronize managed passwords across computers in a Windows cluster.
- Support for password encryption is enabled in the Privileged Access Service SAP ASE plug-in. If the SAP ASE server also has password encryption enabled, the password is encrypted before being sent to the server. For additional information on password encryption, see the SAP documentation.
Installing ADO.NET with the Delinea Connector
You must install the SAP ASE Data Provider for the .NET client (ADO.NET) on the computer where the Delinea Connector is installed.
To install the ADO.NET Data Provider:
- On the computer where the Delinea Connector is installed, download the SDK for SAP ASE 16.0 (Platform: Windows x64). If you do not have the SDK for SAP ASE 16.0, check the SAP support portal under Software Downloads or contact your SAP support representative.
- Execute setup.exe.
- In the installation menu, select Customize installation, then select SAP ASE ADO.NET Data Provider.
- After installation, the Data Provider should be registered in the GAC. If it is not registered in the GAC, see SAP KB article 2139582 for additional information: https://apps.support.sap.com/sap/support/knowledge/preview/en/2139582
Configuring a DNS Alias for SAP ASE Failover Clusters
This section describes how to set the DNS alias when configuring an SAP ASE failover cluster. The configuration requires a DNS alias that maps to the primary and secondary node IP addresses.
The SAP ASE database can run on a Windows Server while DNS is hosted on a different server, for example a Linux DNS server; the steps below assume a Windows DNS server.
To set the DNS alias on a Windows Server:
- Log in to the DNS server as an administrator.
- Open DNS Manager.
- Go to Forward Lookup Zones.
- Right-click the target domain and choose New Alias (CNAME).
- Set an alias name.
- Enter the target FQDN and click OK.
- On the machine running the application, open a Command Prompt window as Administrator and run ipconfig /flushdns.
- Ping the alias by its FQDN to verify that it resolves to the target IP address.