CONTEXT

 

Password Safe includes support for Oracle Database for Discovery and Credential Management.

 

For a list of Supported Platforms, see: https://www.beyondtrust.com/docs/beyondinsight-password-safe/ps/supported-platforms/index.htm

 

This guide provides step-by-step instructions on how to onboard an Oracle Database hosted on AWS RDS (Amazon Relational Database).

 

Step 1: Configure Zone and deploy Broker for AWS (Password Safe Cloud only)


Deploy a Resource Broker on an EC2 instance running Windows Server.

Create Zone for AWS instance.
Assign Workgroup for AWS Zone.
Deploy Broker for AWS Zone.

Step 2: Add Rule to Security Group

 

AWS uses Security Groups to authorize specific sources for particular TCP ports and other traffic. We need to add a rule to the Oracle RDS Security Group that allows the Resource Broker to reach the database port.

Security Group inbound rule allowing the Resource Broker on port 1521, using the Broker's private IP address as the source.

Note: Communication within the AWS VPC (Virtual Private Cloud) can be configured in various ways. For this example, a non-public RDS instance has been used.

On the Resource Broker, use the PowerShell Test-NetConnection cmdlet to confirm connectivity to the RDS endpoint on port 1521:

Test-NetConnection -ComputerName ora01.c3ci6eamiey1.us-east-1.rds.amazonaws.com -Port 1521

 

Step 3: Create Asset in Password Safe

 

For this guide, an RDS Oracle database without access to the underlying operating system was used. For such an instance, the Asset must be added to Password Safe manually.

Create an Asset.
Create a Database for the Asset.
The Instance Name is available via the Configuration tab for the RDS instance.

Step 4: Create a Scan Account and Functional Account in Oracle

 

We used the following SQL to create the Scan Account in Oracle (Oracle does not accept a role, an object privilege and a system privilege in a single GRANT, so each is granted separately):

-- Scan account: log in and read the user catalogue only
create user svc_pws_scan identified by S0mePassword;
grant connect to svc_pws_scan;
grant select on dba_users to svc_pws_scan;

We used the following SQL to create the Functional Account in Oracle:

-- Functional account: additionally needs ALTER USER to rotate passwords
create user svc_pws_fa identified by S0mePassword;
grant connect to svc_pws_fa;
grant select on dba_users to svc_pws_fa;
grant alter user to svc_pws_fa;
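As an added check that is not part of the original guide: once both accounts exist, the following Oracle SQL lists every role, system privilege and object privilege held by svc_pws_scan and svc_pws_fa, and the second query returns only grants beyond the minimum created above (an empty result is the desired state). ALTER USER applies to every account in the instance, so it is worth confirming the functional account holds nothing broader; run this as a user that can read the DBA_* views.

```sql
-- Added example, not from the original guide. Account names match the guide.
-- 1. Full inventory of what the two Password Safe service accounts hold.
with svc as (
  select username from dba_users
   where username in ('SVC_PWS_SCAN', 'SVC_PWS_FA')
)
select s.username, 'ROLE'    as kind, r.granted_role as privilege, null as object_name
  from svc s join dba_role_privs r on r.grantee = s.username
union all
select s.username, 'SYSPRIV', p.privilege, null
  from svc s join dba_sys_privs p on p.grantee = s.username
union all
select s.username, 'OBJPRIV', t.privilege, t.owner || '.' || t.table_name
  from svc s join dba_tab_privs t on t.grantee = s.username
order by 1, 2, 3;

-- 2. Anything outside the intended minimum: CONNECT for both, SELECT ON DBA_USERS
--    for both, ALTER USER for the functional account only. Expect no rows.
select grantee, 'ROLE' as kind, granted_role as privilege
  from dba_role_privs
 where grantee in ('SVC_PWS_SCAN', 'SVC_PWS_FA')
   and granted_role <> 'CONNECT'
union all
select grantee, 'SYSPRIV', privilege
  from dba_sys_privs
 where grantee in ('SVC_PWS_SCAN', 'SVC_PWS_FA')
   and not (grantee = 'SVC_PWS_FA' and privilege = 'ALTER USER')
union all
select grantee, 'OBJPRIV', privilege || ' ON ' || owner || '.' || table_name
  from dba_tab_privs
 where grantee in ('SVC_PWS_SCAN', 'SVC_PWS_FA')
   and not (privilege = 'SELECT' and table_name = 'DBA_USERS');
```

Re-run the second query after any later change to these accounts; a non-empty result means a grant was added that Password Safe does not need for discovery or password rotation.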

In Password Safe/BeyondInsight, navigate to Configuration, Discovery Management, Credentials, and create a new Credential:

Scan credential.

Navigate to Configuration, Privileged Access Management, Functional Account, and create a new Functional Account.

Functional Account.

Step 5: Add database Asset to Password Safe

 

Navigate back to the Asset, select View Advanced Details, select Database, then use the action menu to Add to Password Safe.

Add Database to Password Safe as a Managed System, with the Functional Account.

Step 6: Create a Managed Account Smart Rule for Discovery

 

Discovery of Oracle accounts is performed by a Managed Account Smart Rule, not by standard Discovery Scans.

 

First, we need an Asset Smart Rule that resolves our Oracle instance(s).

Asset Smart Rule. Selection Criteria can be adjusted.
We should be able to see our Oracle instance(s) using the Asset Smart Rule.

We are ready to create the Managed Account Smart Rule.

Managed Account Smart Rule for Discovery.  Note that we Discover Accounts using our Asset Smart Rule.

Note: Make sure the Selection Criteria only return the accounts whose credentials you want Password Safe to manage. Matching accounts are onboarded automatically under the Managed System. The Smart Rule takes priority over manually adding or removing Managed Accounts under the Managed System, or changing the configuration of those Managed Accounts, and will overwrite any such manual changes.

 

Note: You may want to configure a Password Rule specific to Oracle, and adjust the default parameters for Automatic Password Management.

 

After the Rule is processed, we should be able to view the Results (Oracle active accounts):

Oracle Discovered active accounts.
Oracle Managed Accounts added automatically for Managed System.

At this point, you should be able to successfully change and test Managed Account passwords. You should also be able to successfully test the Functional Account on the Managed System.

 

You can check-out new credentials via Password Safe.
