# Native Oracle

<figure><img src="https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FiOdSncfGnuB2ypcIsRAM%2FOracle.jpg?alt=media&#x26;token=421406d2-0024-448a-b403-c1467c81964f" alt=""><figcaption></figcaption></figure>

## Overview

In this guide, you'll learn how to rotate Local Oracle Database User and/or Admin accounts within your local network using Keeper Rotation. For a high-level overview on the rotation process in the local network, visit this [page](https://docs.keeper.io/keeperpam/privileged-access-manager/password-rotation/rotation-use-cases#local-network).

## Prerequisites

This guide assumes the following tasks have already taken place:

* Keeper Secrets Manager is enabled for your [role](https://docs.keeper.io/en/keeperpam/privileged-access-manager/rotation-overview#enabling-rotation-on-the-admin-console)
* Keeper Rotation is enabled for your [role](https://docs.keeper.io/en/keeperpam/privileged-access-manager/rotation-overview#enabling-rotation-on-the-admin-console)
* A Keeper Secrets Manager [application](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/applications) has been created
* A Keeper Rotation [gateway](https://docs.keeper.io/keeperpam/privileged-access-manager/getting-started/gateways) is already installed, running, and is able to communicate to your Oracle database

## 1. Set up a PAM Database Record

Keeper Rotation will use an admin credential linked to the PAM Database to rotate credentials of other accounts in your local environment. These admin credentials need to have the sufficient permissions in order to successfully change the credentials of other accounts.

The following table lists all the **required** fields that needs to be filled on the PAM Database record with your information:

<table><thead><tr><th width="194.5">Field</th><th>Description</th></tr></thead><tbody><tr><td><strong>Title</strong></td><td>Keeper record title Ex: <code>dbadmin</code></td></tr><tr><td><strong>Hostname or IP Address</strong></td><td>Server address - <em>doesn't need to be publicly</em> routable</td></tr><tr><td><strong>Port</strong></td><td>For default ports, see <a href="https://docs.keeper.io/en/keeperpam/privileged-access-manager/references/port-mapping">port mapping</a><br>Ex: <code>oracle=1521</code></td></tr><tr><td><strong>Use SSL</strong></td><td>Check to perform SSL verification before connecting, if your database has SSL configured</td></tr><tr><td><strong>Administrative Credentials</strong></td><td>Linked PAM User record that contains the username and password of the Admin account which will perform the rotation.</td></tr><tr><td><strong>Database Type</strong></td><td><code>oracle</code></td></tr></tbody></table>

## 2. Set up a PAM Configuration

If you already have a **PAM Configuration** for your Local environment, you can simply add the additional Resource Credentials required for rotating database users to the existing PAM Configuration.

If you are creating a new **PAM Configuration**, login to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration".\
\
The following table lists all the required fields on the **PAM Configuration** Record:

<table><thead><tr><th width="204">Field</th><th>Description</th><th data-hidden></th></tr></thead><tbody><tr><td><strong>Title</strong></td><td>Configuration name, example: <code>Oracle LAN Configuration</code></td><td></td></tr><tr><td><strong>Environment</strong></td><td>Select: <code>Local Network</code></td><td></td></tr><tr><td><strong>Gateway</strong></td><td>Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your Oracle database</td><td></td></tr><tr><td><strong>Application Folder</strong></td><td>Select the Shared folder where the PAM Configuration will be stored. We recommend placing this in a shared folder with the PAM User records, not the database resources.</td><td></td></tr></tbody></table>

## 3. Set up one or more PAM user records

Keeper Rotation will use the credentials in the **PAM Database** record to rotate the **PAM User** records on your Local environment. The **PAM User** credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.

The following table lists all the required fields on the **PAM User** record:

<table><thead><tr><th width="194.5">Field</th><th>Description</th></tr></thead><tbody><tr><td><strong>Record Type</strong></td><td>PAM User</td></tr><tr><td><strong>Title</strong></td><td>Keeper record title</td></tr><tr><td><strong>Login</strong></td><td>Case sensitive username of the db account being rotated. Example: <code>msmith</code></td></tr><tr><td><strong>Password</strong></td><td>Account password is optional, rotation will set one if blank</td></tr></tbody></table>

## 4. Configure Rotation on the PAM User records

Select the **PAM User** record(s) from Step 3, edit the record and open the "Password Rotation Settings".

* Select the desired schedule and password complexity.
* The "Rotation Settings" should use the **PAM Configuration** setup previously.
* The "Resource Credential" field should select the **PAM Database** credential setup from Step 1.
* Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.

Any user with `edit` rights to a **PAM User** record has the ability to setup rotation for that record.