Skip Headers
Oracle® Database Vault Installation Guide
Oracle9i Release 2 (9.2.0.8) for Solaris Operating System (SPARC 32-Bit)

E10067-02
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

2 Installing Oracle Database Vault as an Option

This chapter includes an overview of the major steps required to install Oracle Database Vault into an existing Oracle9i Database release 2 (9.2.0.8) database. These procedures transform an existing Oracle Database system (including associated applications) into an Oracle Database Vault system. Databases upgraded using the procedures described in this chapter can work almost in the same manner as in earlier releases and, optionally, can leverage new Database Vault functionality. For a list of changes that Database Vault makes, refer to Appendix E, "Initialization Parameters" and the Oracle Database Vault Administrator's Guide.

Note:

In order to upgrade a pre-Oracle9i Database release 2 (9.2.0.8) database to Oracle Database Vault, you first need to upgrade the database to Oracle9i Database release 2 (9.2.0.8).

This chapter covers the following topics:

2.1 Preinstallation and Installation Tasks

This section covers the following topics:

2.1.1 Become Familiar with the Features of Oracle Database Vault

Before you plan the upgrade process, become familiar with the features of Database Vault. The Oracle Database Vault Administrator's Guide discusses the basic features of Database Vault.

2.1.2 Check the Hardware Requirements

The system must meet the following minimum hardware requirements:

  • At least 512 MB of available physical RAM

  • Swap space on the disk equal to the system's physical memory, or 1GB, whichever is greater.

  • 400 MB of disk space in the /tmp directory

  • 270 MB of disk space for the Database Vault software

  • 10 MB of additional disk space for the database files

To ensure that the system meets these requirements:

  1. To determine the physical RAM size, enter the following command:

    # /usr/sbin/prtconf | grep "Memory size"
    
    

    If the size of the physical RAM installed in the system is less than the required size, then you must install more memory before continuing.

  2. To determine the size of the configured swap space, enter the following command:

    # /usr/sbin/swap -s
    
    

    If necessary, refer to your operating system documentation for information about how to configure additional swap space.

  3. To determine the available RAM and swap space, enter the following command:

    # meminfo
    

    Note:

    Oracle recommends that you take multiple readings for the available RAM and swap space before freezing on a value. This is because the available RAM and swap space keep changing depending on the user interactions with the computer.
  4. To determine the amount of disk space available in the /tmp directory, enter the following command:

    # df -k /tmp
    
    

    If there is less than 400 MB of disk space available in the /tmp directory, then complete one of the following steps:

    • Delete unnecessary files from the /tmp directory to meet the disk space requirement.

    • Set the TEMP and TMPDIR environment variables when setting the oracle user's environment (described later).

    • Extend the file system that contains the /tmp directory. If necessary, contact your system administrator for information about extending file systems.

  5. To determine the amount of free disk space on the system, enter the following command:

    # df -k
    
    
  6. To determine whether the system architecture can run the software, enter the following command:

    # /bin/isainfo -kv
    

    Note:

    This command displays the processor type. Verify that the processor architecture matches the Oracle software release that you want to install. If you do not see the expected output, then you cannot install the software on this system.

2.1.3 Check the Operating System Requirements

The system must meet the following minimum software requirements:

  • The version of Solaris must be Solaris 8, Solaris 9, or Solaris 10.

  • The following packages must be installed:

    SUNWarc           SUNWlibms         SUNWi1of
    SUNWbtool         SUNWsprot         SUNWi1cs
    SUNWhea           SUNWsprox         SUNWi15cs
    SUNWlibm          SUNWtoo           SUNWxwfnt
    
    
  • The following patches must be installed:

    Patches for Solaris 8:

    All of the patches included in the J2SE Patch Cluster for Solaris 8:

    • 108528-23, SunOS 5.8: kernel update patch

    • 108652-66, X11 6.4.1: Xsun patch

    • 108773-18, SunOS 5.8: IIIM and X I/O Method patch

    • 108921-16, CDE 1.4: dtwm patch

    • 108940-53, Motif 1.2.7 and 2.1.1: Runtime lib. patch for Solaris 8

    • 108987-13, SunOS 5.8: Patch for patchadd and patchrm

    • 108989-02, /usr/kernel/sys/acctctl & /.../exacctsys patch

    • 108993-18, SunOS 5.8: LDAP2 client, libc, libthread ... lib. patch

    • 109147-24, SunOS 5.8: linker patch

    • 110386-03, SunOS 5.8: RBAC Feature Patch

    • 111023-02, SunOS 5.8: /kernel/fs/mntfs and ... sparcv9/mntfs

    • 111111-03, SunOS 5.8: /usr/bin/nawk patch

    • 111308-03, SunOS 5.8: /usr/lib/libmtmalloc.so.1 patch

    • 111310-01, SunOS 5.8: /usr/lib/libdhcpagent.so.1 patch

    • 112396-02, SunOS 5.8: /usr/bin/fgrep patch

    The following additional patches:

    • 111721-04, SunOS 5.8: Math Library (libm) patch

    • 112003-03, SunOS 5.8: Unable to load fontset in 64-bit Solaris 8 iso-1 or iso-15

    • 112138-01, SunOS 5.8: usr/bin/domainname patch

    Patches for Solaris 9:

    • 112233-11: SunOS 5.9: Kernel Patch

    • 111722-04: SunOS 5.9: Math Library (libm) patch

To ensure that the system meets these requirements, follow these steps:

  1. To determine which version of Solaris is installed, enter the following command:

    # uname -r
    5.8
    
    

    In this example, the version shown is Solaris 8 (5.8). If necessary, see your operating system documentation for information about upgrading the operating system.

  2. To determine whether the required packages are installed, enter a command similar to the following:

    # pkginfo -i SUNWarc SUNWbtool SUNWhea SUNWlibm SUNWlibms \
    SUNWsprot SUNWsprox SUNWtoo SUNWi1of SUNWi1cs SUNWi15cs SUNWxwfnt
    
    

    If a package is not installed, then install it. See your operating system or software documentation for information about installing packages.

  3. To determine whether an operating system patch is installed, enter a command similar to the following:

    # /usr/sbin/patchadd -p | grep patch_number
    
    

    If an operating system patch is not installed, download it from the following Web site and install it:

    http://sunsolve.sun.com
    
    

2.1.4 Check Kernel Parameters

Verify that the following kernel parameters are set to values greater than or equal to the recommended value shown:

Parameter Recommended Value
noexec_user_stack (obsolete in Solaris 9) 1
semsys:seminfo_semmni 100
semsys:seminfo_semmns 1024
semsys:seminfo_semmsl 256
semsys:seminfo_semvmx 32767
shmsys:shminfo_shmmax 4294967295
shmsys:shminfo_shmmin (obsolete in Solaris 9) 1
shmsys:shminfo_shmmni 100
shmsys:shminfo_shmseg (obsolete in Solaris 9) 10

To view the current value specified for these kernel parameters, and to change them if necessary, follow these steps:

  1. To view the current values of these parameters, enter the following commands:

    # grep noexec_user_stack /etc/system
    # /usr/sbin/sysdef | grep SEM
    # /usr/sbin/sysdef | grep SHM
    
    
  2. If you must change any of the current values, follow these steps:

    1. Create a backup copy of the /etc/system file, for example:

      # cp /etc/system /etc/system.orig
      
      
    2. Open the /etc/system file in any text editor:

      # vi /etc/system
      
      
    3. To specify new values for the parameters, add lines similar to the following to the /etc/system file, or edit the lines if the file already contains them:

      set noexec_user_stack=1
      set semsys:seminfo_semmni=100
      set semsys:seminfo_semmns=1024
      set semsys:seminfo_semmsl=256
      set semsys:seminfo_semvmx=32767
      set shmsys:shminfo_shmmax=4294967295
      set shmsys:shminfo_shmmin=1
      set shmsys:shminfo_shmmni=100
      set shmsys:shminfo_shmseg=10
      
      
    4. Enter a command similar to the following to reboot the system:

      # /usr/sbin/reboot
      
      
    5. When the system restarts, log in and switch user to root.

2.1.5 Check the Database Requirements

In order to install Oracle Database Vault, you must be running the Enterprise Edition of Oracle9i Database release 2 (9.2.0.8). In addition, the Database Vault installer requires write access to the files, oratab and oraInst.loc.

Note:

The /var/opt/oracle/oratab file should have an entry for the database. For example:

DBDV:/oracle/product/9.2_VAULT:Y

A listener must have been configured for the existing database. Oracle Net Configuration Assistant configures the listener when you first install the database.

You must have an existing password file for the database. The password file authentication parameter, REMOTE_LOGIN_PASSWORDFILE must have been set to EXCLUSIVE or SHARED.

You can set the REMOTE_LOGIN_PASSWORDFILE parameter in the init.ora file. Use the orapwd utility to create and manage password files.

See Also:

Oracle9i Database Administrator's Guide for more information on creating and maintaining a password file

The following topic discusses applying the 9.2.0.8 patch set:

2.1.5.1 Apply Oracle Database Release 9.2.0.8 Patch Set

To install Oracle Database Vault, you need to upgrade the database to Oracle9i Database release 2 (9.2.0.8). Oracle strongly recommends that you back up your database before performing any upgrade or installation.

See Also:

Oracle9i Backup and Recovery Concepts for information on database backups

This section covers the following topics:

Patch Set Overview

Patch sets are cumulative. Patch set release 9.2.0.8 includes all fixes in patch sets 9.2.0.8 and earlier as well as new fixes for patch set 9.2.0.8. This means that unless the patch set documentation indicates otherwise, you can apply this patch set to any earlier release 9.2 installation. You do not have to install intermediate patch sets.

Patch sets contain generic fixes that apply to all platforms. Patch sets may also include additional platform-specific patches.

Note:

The 32-bit version of the patch set must be installed only on the 32-bit version of the database software, regardless of whether the operating system is 32-bit or 64-bit. The 64-bit version of the patch set must be installed only on the 64-bit version of the database software that runs on the 64-bit operating system.

Oracle Universal Installer Version Requirements

This patch set includes Oracle Universal Installer release 10.1.0.5. You must use this Oracle Universal Installer to install this patch set and not Oracle Universal Installer from the 9.2.0.x maintenance release media or Oracle home.

This is not a complete software distribution. You must install it in an existing Oracle9i release 2 (9.2.0.x.x) installation. Users applying this patch set must use Oracle Universal Installer release 10.1.0.5 (provided as part of this patch set) or later to ensure that their Oracle home can be patched in the future. Oracle Universal Installer release 10.1.0.5 is also installed when you install this patch set.

Patch Set Documentation

There are two documents related to this release of the Oracle9i release 2 patch set:

  • Oracle9i Patch Set Notes, Release 2 (9.2.0.8) Patch Set 7 for Solaris Operating System (SPARC 32-Bit)

    This document provides:

    • System requirements and information about how to install or reinstall the patch set

    • A list of all bugs fixed to date that are specific to Oracle9i release 2 for Solaris Operating System (SPARC 32-Bit)

    • A list of known issues relating to Oracle9i release 2 for Solaris Operating System (SPARC 32-Bit)

  • Oracle9i List of Bugs Fixed, Release 2 (9.2.0.8) Patch Set 7

    The List of Bugs Fixed is a list of all generic bugs related to Oracle9i release 2 that have been fixed in this release.

Both of these documents are included with the patch set. The Oracle9i List of Bugs Fixed is also available on OracleMetalink, from document 189908.1, ALERT: Oracle9i Release 2 (9.2) Support Status and Alerts at:

http://metalink.oracle.com

2.1.6 Prepare a Backup Strategy

Oracle strongly recommends that you back up your database before performing any upgrade or installation. The ultimate success of your upgrade depends heavily on the design and execution of an appropriate backup strategy. To develop a backup strategy, consider the following questions:

  • How long can the production database remain inoperable before business consequences become intolerable?

  • What backup strategy should be used to meet your availability requirements?

  • Are backups archived in a safe, offsite location?

  • How quickly can backups be restored (including backups in offsite storage)?

  • Have recovery procedures been tested successfully?

Your backup strategy should answer all of these questions and include procedures for successfully backing up and recovering your database.

See Also:

Oracle9i User-Managed Backup and Recovery Guide for information on database backups

2.1.7 Verify that the Global Services Daemon Is Running (RAC Only)

The Global Services Daemon (GSD) should be running for the Database Vault installer to find existing Oracle Real Application Clusters (RAC) databases. If you have stopped GSD, then you should restart it before running Oracle Universal Installer. Use the following command to start the GSD service:

$ORACLE_HOME/bin/gsdctl start

You need to run this command on each Oracle RAC node.

2.1.8 Stop Existing Oracle Processes

Stop all processes running in the Oracle home. You must complete this task to enable Oracle Universal Installer to relink certain executables and libraries. For Oracle RAC databases, you need to stop the processes on all nodes.

Stop the processes in the following order:

  1. Stop the apachectl and agentctl Processes

  2. Shut Down All Database Instances

  3. Stop Existing Listeners

2.1.8.1 Stop the apachectl and agentctl Processes

Stop the apachectl process using the following command:

$ORACLE_HOME/Apache/Apache/bin/apachectl stop

Stop the agentctl process using the following command:

$ORACLE_HOME/bin/agentctl stop

2.1.8.2 Shut Down All Database Instances

Shut down all database instances running from the Oracle home directory into which Oracle Database Vault is to be installed.

sqlplus SYS "AS SYSDBA"
Enter password:
SQL> shutdown immediate

Use the Server Control (srvctl) utility, and not SQL*Plus, to stop an Oracle Real Application Clusters (RAC) Database instance.

srvctl stop database -d database_name

2.1.8.3 Stop Existing Listeners

Oracle Universal Installer configures and starts a default Oracle Net listener using TCP/IP port 1521. However, if an existing Oracle Net listener process is using the same port or key value, then Oracle Universal Installer can only configure the new listener, it cannot start it. To ensure that the new listener process starts during the installation, you must shut down any existing listeners before starting Oracle Universal Installer.

To determine whether an existing listener process is running and to shut it down if necessary:

  1. Switch user to oracle:

    # su - oracle
    
    
  2. Enter the following command to determine whether a listener process is running and to identify its name and the Oracle home directory in which it is installed:

    $ ps -ef | grep tnslsnr
    
    

    This command displays information about the Oracle Net listeners running on the system:

    ... oracle_home1/bin/tnslsnr LISTENER -inherit
    
    

    In this example, oracle_home1 is the Oracle home directory where the listener is installed and LISTENER is the listener name.

    Note:

    If no Oracle Net listeners are running, then refer to the "Configure the Oracle User's Environment" section to continue.
  3. Set the ORACLE_HOME environment variable to specify the appropriate Oracle home directory for the listener:

    • Bourne, Bash, or Korn shell:

      $ ORACLE_HOME=oracle_home1
      $ export ORACLE_HOME
      
      
    • C or tcsh shell:

      % setenv ORACLE_HOME oracle_home1
      
      
  4. Enter the following command to identify the TCP/IP port number and IPC key value that the listener is using:

    $ $ORACLE_HOME/bin/lsnrctl status listenername
    

    Note:

    If the listener uses the default name LISTENER, then you do not have to specify the listener name in this command.
  5. Enter a command similar to the following to stop the listener process:

    $ $ORACLE_HOME/bin/lsnrctl stop listenername
    
    
  6. Repeat this procedure to stop all listeners running on this system.

Note:

If you are installing Database Vault for Oracle Real Application Clusters (RAC), then you need to shut down all Oracle processes on all cluster nodes. See Appendix A, "How to Stop Processes in an Existing Oracle Real Application Clusters Database" for more details.

2.1.9 Configure the Oracle User's Environment

Run Oracle Universal Installer (OUI) using the account that owns the Oracle software. This is usually the oracle account.

However, before you start Oracle Universal Installer you must configure the environment of the oracle user. To configure the environment, you must:

  • Set the default file mode creation mask (umask) to 022 in the shell startup file.

  • Set the DISPLAY environment variable.

Note:

Ensure that the PATH variable contains $ORACLE_HOME/bin before /usr/X11R6/bin.

To set the oracle user's environment:

  1. Start a new terminal session, for example, an X terminal (xterm).

  2. Enter the following command to ensure that X Window applications can display on this system:

    $ xhost fully_qualified_remote_host_name
    
    

    For example:

    $ xhost somehost.us.acme.com
    
    
  3. If you are not already logged in to the system where you want to install the software, then log in to that system as the oracle user.

  4. If you are not logged in as the oracle user, then switch user to oracle:

    $ su - oracle
    
    
  5. To determine the default shell for the oracle user, enter the following command:

    $ echo $SHELL
    
    
  6. Open the oracle user's shell startup file in any text editor:

    • Bourne shell (sh), Bash shell (bash), or Korn shell (ksh):

      $ vi .profile
      
      
    • C shell (csh or tcsh):

      % vi .login
      
      
  7. Enter or edit the following line, specifying a value of 022 for the default file mode creation mask:

    umask 022
    
    
  8. Save the file, and exit from the editor.

  9. To run the shell startup script, enter one of the following commands:

    • Bourne, Bash, or Korn shell:

      $ . ./.profile
      
      
    • C shell:

      % source ./.login
      
      
  10. If you are not installing the software on the local system, then enter a command similar to the following to direct X applications to display on the local system:

    • Bourne, Bash, or Korn shell:

      $ DISPLAY=local_host:0.0 ; export DISPLAY
      
      
    • C shell:

      % setenv DISPLAY local_host:0.0
      
      

    In this example, local_host is the host name or IP address of the system that you want to use to display Oracle Universal Installer (your workstation or PC).

  11. If you determined that the /tmp directory has less than 400 MB of free disk space, then identify a file system with at least 400 MB of free space and set the TEMP and TMPDIR environment variables to specify a temporary directory on this file system:

    1. Use the df -k command to identify a suitable file system with sufficient free space.

    2. If necessary, enter commands similar to the following to create a temporary directory on the file system that you identified, and set the appropriate permissions on the directory:

      $ su - root
      # mkdir /mount_point/tmp
      # chmod a+wr /mount_point/tmp
      # exit
      
      
    3. Enter commands similar to the following to set the TEMP and TMPDIR environment variables:

      • Bourne, Bash, or Korn shell:

        $ TEMP=/mount_point/tmp
        $ TMPDIR=/mount_point/tmp
        $ export TEMP TMPDIR
        
        
      • C shell:

        % setenv TEMP /mount_point/tmp
        % setenv TMPDIR /mount_point/tmp
        
        
  12. Enter commands similar to the following to set the ORACLE_BASE and ORACLE_SID environment variables:

    • Bourne, Bash, or Korn shell:

      $ ORACLE_BASE=/u01/app/oracle
      $ ORACLE_SID=sales
      $ export ORACLE_BASE ORACLE_SID
      
      
    • C shell:

      % setenv ORACLE_BASE /u01/app/oracle
      % setenv ORACLE_SID sales
      
      

    In these examples, /u01/app/oracle is the Oracle base directory that you created or identified earlier and sales is the name that you want to call the database (typically no more than five characters).

  13. Enter the following commands to ensure that the ORACLE_HOME and TNS_ADMIN environment variables are not set:

    • Bourne, Bash, or Korn shell:

      $ unset ORACLE_HOME
      $ unset TNS_ADMIN
      
      
    • C shell:

      % unsetenv ORACLE_HOME
      % unsetenv TNS_ADMIN
      
      
  14. To verify that the environment has been set correctly, enter the following commands:

    $ umask
    $ env | more
    
    

    Verify that the umask command displays a value of 22, 022, or 0022 and the environment variables that you set in this section have the correct values.

2.1.10 Run Oracle Universal Installer to Install

Run Oracle Universal Installer (OUI) to install Oracle Database Vault into an existing Oracle9i Database release 2 (9.2.0.8) database. You should run the installer as the software owner account that owns the current ORACLE_HOME environment. This is normally the oracle account.

Log in as the oracle user. Alternatively, switch user to oracle using the su command. Change your current directory to the directory containing the installation files. Start Oracle Universal Installer.

./runInstaller

The following steps discuss the options you need to select:

  1. In the Specify Installation Details screen, you need to specify the path to the Oracle home that contains the existing Oracle Database. The Destination Path box lists the Oracle home paths of all Oracle9i Database release 2 (9.2.0.8) Enterprise Edition databases registered with the system.

    Select the Oracle home corresponding to the database into which you want to install Oracle Database Vault.

    Note:

    • If an Oracle home does not have an Enterprise Edition of Oracle9i Database release 2 (9.2.0.8) installed, then it is not displayed. You must ensure that the Oracle home has an Enterprise Edition of Oracle9i Database release 2 (9.2.0.8) installed.

    • If an Oracle home already contains Oracle Database Vault, then it is not displayed. You cannot install Oracle Database Vault into an Oracle home more than once.

  2. Enter a user name for the Database Vault Owner account in the Database Vault Owner field. The user name can be a minimum of 2 and maximum of 30 characters long.

  3. Enter a password for the Database Vault Owner account in the Database Vault Owner Password field. The password can be a minimum of 8 and a maximum of 30 characters. The password must include at least one alphabet, one digit, and one nonalphanumeric character (symbol). It cannot be the same as the account names for either the Database Vault owner or the Database Vault account manager. It cannot contain any consecutive repeating characters.

  4. Reenter the password in the Confirm Password field.

  5. Select Create a Separate Account Manager if you want to create a separate Account Manager to manage Oracle Database Vault accounts.

  6. In the Database Vault Account Manager field, enter a user name for the Database Vault Account Manager if you have chosen to select the Create a Separate Account Manager check box. The user name can be a minimum of 2 and a maximum of 30 characters.

  7. Enter a password for the Database Vault Account Manager account in the Account Manager Password field. The password can be a minimum of 8 and a maximum of 30 characters. The password must include at least one alphabet, one digit, and one nonalphanumeric character (symbol). It cannot be the same as the account names for either the Database Vault owner or the Database Vault account manager. It cannot contain any consecutive repeating characters.

  8. Reenter the password in the Confirm Password field. Click Next.

  9. The Select Existing Database screen is displayed. A list of all databases running from the selected Oracle home is displayed. Select the database into which you wish to install Oracle Database Vault.

    Note:

    • If the selected Oracle home contains more than one database, then Operating System (OS) authentication is turned off for all the databases in the Oracle home.

    • If a database is not listed, then check to make sure that you have followed the instructions under "Check the Database Requirements".

    • Install Oracle Database Vault into an Oracle home containing multiple databases only if you wish to enable Oracle Database Vault for all these databases. If this is not the case, then Oracle recommends that you install Oracle Database Vault into an Oracle home containing a single database.

  10. Enter the existing SYS user password for the selected database in the Existing Database SYS Password field.

  11. Reenter the SYS password in the Confirm Password field. Click Next.

    Note:

    At this point, the database requirements are validated.
  12. You are prompted to shut down all Oracle processes running from the Oracle home before proceeding. Shut down the Oracle processes, if you have not already done so.

    See Also:

    "Stop Existing Oracle Processes" for more information on stopping existing Oracle processes
  13. Product-specific prerequisite checks are performed. Confirm that all tests have passed. Click Next to continue.

  14. The Summary screen is displayed with the installation details. Verify the details and click Install.

  15. The Installation screen is displayed. After the installation completes, the Database Vault Configuration Assistant (DVCA) is run automatically. DVCA helps configure the Database Vault installation.

2.2 Postinstallation Tasks

This section lists the tasks to perform after you have completed an upgrade of your database. The following topics are discussed:

2.2.1 Back Up the Database

Make sure you perform a full backup of the production database. See Oracle9i Backup and Recovery Concepts for details on backing up a database.

2.2.2 Update Environment Variables After the Upgrade (UNIX Systems Only)

Make sure that the following environment variables point to the correct Oracle Database Vault directories:

  • ORACLE_HOME: Specifies the Oracle home directory. For example, /u01/app/oracle/product/9.2.0/db_1

  • PATH: Specifies the directories searched by the shell to locate executable programs. For example, /bin:/usr/bin:/usr/local/bin:/usr/bin/X11:$ORACLE_HOME/bin:$HOME/bin

You may also need to set the following environment variables:

  • ORA_NLS33: Specifies the directory where the language, territory, character set, and linguistic definition files are stored. For example, $ORACLE_HOME/ocommon/nls/admin/data

  • LD_LIBRARY_PATH: Specifies the list of directories that the shared library loader searches to locate shared object libraries at run time. For example, /usr/dt/lib:$ORACLE_HOME/lib

    Use the man ld command for more information about this environment variable.

2.2.3 Change Passwords for Oracle-Supplied Accounts

Oracle strongly recommends that you change the password for each account after installation. This enables you to effectively implement the strong security provided by Oracle Database Vault.

Note:

If you are creating a database using Database Configuration Assistant, you can unlock accounts after the database is created by clicking Password Management before you exit from Database Configuration Assistant.

2.2.3.1 Using SQL*Plus to Unlock Accounts and Reset Passwords

To unlock and reset user account passwords using SQL*Plus:

  1. Start SQL*Plus and log in using the Database Vault Account Manager account. If you did not create the Database Vault Account Manager account during installation, then you will need to log in using the Database Vault Owner account.

  2. Enter a command similar to the following, where account is the user account that you want to unlock and password is the new password:

    SQL> ALTER USER account [ IDENTIFIED BY password ] ACCOUNT UNLOCK;
    
    

    In this example:

    • The ACCOUNT UNLOCK clause unlocks the account.

    • The IDENTIFED BY password clause resets the password.

    Note:

    If you unlock an account but do not reset the password, then the password remains expired. The first time someone connects as that user, they must change the user's password.

    To permit unauthenticated access to your data through HTTP, unlock the ANONYMOUS user account.

2.2.4 Enable or Disable Connections with the SYSDBA Privilege

If you are using password file authentication for administrative users, then you can choose to disable SYSDBA logins by creating the password file with the nosysdba flag set to y (Yes).

If a password file has been created using the orapwd utility with the nosysdba flag set to y (Yes) (the default action of a Database Vault installation), users will not be able to log in to an Oracle Database Vault instance using the SYS account or any account with SYSDBA privilege using the AS SYSDBA clause. You can reenable the ability to connect with the SYSDBA privilege by re-creating the password file with the nosysdba flag set to n (No). You might need to reenable the ability to connect with SYSDBA privileges, if certain products or utilities require it's use.

When you re-create the password file, any accounts other than SYS that were granted the SYSDBA or SYSOPER privileges will have those privileges removed. You will need to regrant the privileges for these accounts after you have re-created the password file.

In order to run the orapwd command, you need to shut down the database, run the orapwd command and then restart the database. Use the following syntax to run the orapwd command:

orapwd file=filename password=password [entries=users] nosysdba=y/n

Where:

  • file: Name of password file (mandatory)

  • password: Password for SYS (mandatory). Enter at least six alphanumeric characters.

  • entries: Maximum number of distinct DBA users

  • nosysdba: Whether to enable or disable the SYS logon (optional for Oracle Database Vault only). Enter y (for yes) or n (for no)

    The default is no, so if you omit this flag, the password file will be created enabling SYSDBA access for Oracle Database Vault instances.

For example:

orapwd file=$ORACLE_HOME/dbs/orapworcl password=5hjk99 nosysdba=n
where the file name is of the format, orapwSID_Name

Note:

Do not insert spaces around the equal (=) character.

See Also:

Oracle9i Database Administrator's Guide for more information on using the orapwd utility.

Enabling or Disabling Connecting with SYSDBA on Oracle Real Application Clusters Systems

Under a cluster file system and raw devices, the password file under $ORACLE_HOME is in a symbolic link that points to the shared storage location in the default configuration. In this case, the orapwd command you issue affects all nodes.

2.2.5 Start the Listener and Database on Other Nodes (RAC Only)

You need to start the listener and database on all Oracle Real Application Clusters (RAC) nodes other than the one on which the installation is performed. Use the following commands to start the listener and the database:

Note:

You need to enable SYSDBA connections on all nodes before running these commands. See "Enable or Disable Connections with the SYSDBA Privilege" for more information on enabling SYSDBA connections.
$ORACLE_HOME/bin/lsnrctl start listener_name
srvctl start instance -d unique_database_name -i instance_name -c "SYS/password AS SYSDBA"

Note:

You must use the Server Control (srvctl) utility to start and stop Oracle Database Vault RAC instances. Do not use SQL*Plus to start and stop Oracle RAC instances. You need to enable SYSDBA connections before you can use the srvctl command.

2.2.6 Run DVCA to Set Instance Parameters (RAC Only)

After installing Database Vault for an Oracle Real Application Clusters (RAC) instance, you need to run Database Vault Configuration Assistant (DVCA) with the -action optionrac switch. You need to run this command for all Oracle RAC nodes other than the node on which the Database Vault installation is performed. This step is required to enable the enhanced security features provided by Oracle Database Vault.

The command itself needs to be run on the node on which the Database Vault installation is performed. You need to supply the name of the remote Oracle RAC node for which the action is being performed using the -racnode switch.

Note:

The listener and database instance should be running on the nodes for which you run DVCA.

You should also ensure that the Global Services Daemon (GSD) is running on the remote nodes. You can use the following command to start the GSD service on a node:

$ORACLE_HOME/bin/gsdctl start

Use the following syntax to run DVCA:

# dvca -action optionrac -racnode host_name -oh oracle_home -jdbc_str jdbc_connection_string -sys_passwd sys_password [-logfile ./dvca.log] [-silent] [-nodecrypt]

Where:

  • action: The action to perform. optionrac performs the action of updating the instance parameters for the Oracle RAC instance and optionally disabling SYSDBA operating system access for the instance.

  • racnode: The host name of the Oracle RAC node for which the action is being performed. Do not include the domain name with the host name.

  • oh: The Oracle home for the Oracle RAC instance.

  • jdbc_str: The JDBC connection string used to connect to the instance you are configuring. For example, "jdbc:oracle:oci:@orcl1".

  • sys_password: The password for the SYS user.

  • logfile: Optionally, specify a log file name and location. You can enter an absolute path or a path that is relative to the location of the $ORACLE_HOME/bin directory.

  • silent: Required if you are not running DVCA in an xterm window.

  • nodecrypt: Reads plaintext passwords as passed on the command line.

Note:

You can reenable SYSDBA access by re-creating the password file with the nosysdba flag set to n (No). The orapwd utility enables you to do this.

2.2.7 Deploy the DVA Application

Oracle Database Vault Administrator (DVA) is a browser-based graphical user interface console that you can use to manage Oracle Database Vault. You can deploy DVA in an existing Oracle Database 10g Release 2 (10.2) installation in order to manage an Oracle Database Vault Oracle9i Release2 (9.2.0.8.1) instance.

You should have the following directory structure on the host containing the Oracle Database 10g Release 2 (10.2) installation:

        $ORACLE_HOME
                |------> jlib
                |
                |------> lib
                |
                |------> sysman
                |         |---> jlib
                |
                |------> rdbms
                |         |---> jlib
                |
                |------> owm
                |         |---> jlib
                |
                |------> oui
                |         |---> jlib

Note:

The environment variable $ORACLE_HOME must be set to the directory containing the installed Oracle product.

For example, if the 10.2 installation directory is /u00/app/oracle/product/10.2/db_1, then:

ORACLE_HOME = /u00/app/oracle/product/10.2/db_1

Create the following directory structure under the ORACLE_HOME directory:

$ORACLE_HOME
        |
        |------> dv
        |         |---> jlib

For example:

mkdir -p $ORACLE_HOME/dv/jlib/

The following files should already be present in the Oracle Database 10g Release 2 (10.2) installation:

$ORACLE_HOME/sysman/jlib/emCORE.jar
$ORACLE_HOME/sysman/jlib/emDB.jar
$ORACLE_HOME/sysman/jlib/emjsp.jar
$ORACLE_HOME/sysman/jlib/ems.jar
$ORACLE_HOME/sysman/jlib/log4j-core.jar
$ORACLE_HOME/sysman/jlib/jcb.jar
$ORACLE_HOME/rdbms/jlib/jmscommon.jar
$ORACLE_HOME/rdbms/jlib/qsma.jar
$ORACLE_HOME/oui/jlib/OraInstaller.jar
$ORACLE_HOME/jlib/regexp.jar
$ORACLE_HOME/jlib/providerutil.jar
$ORACLE_HOME/jlib/ojmisc.jar
$ORACLE_HOME/jlib/netcfg.jar
$ORACLE_HOME/jlib/orai18n-mapping.jar
$ORACLE_HOME/jlib/ldapjclnt10.jar
$ORACLE_HOME/lib/xschema.jar
$ORACLE_HOME/lib/xsu12.jar
$ORACLE_HOME/lib/oraclexsql.jar

You can manually deploy Database Vault Administrator (DVA) to the following Oracle Application Server Containers for J2EE (OC4J) home:

$ORACLE_HOME/oc4j/j2ee/home

Use the following steps to manually deploy the DVA application:

Note:

If you are redeploying the DVA application, then you need to remove the application before you can run the steps to deploy the application. Use the following commands to remove the DVA application:
cd $ORACLE_HOME/dv/jlib
rm -rf dv_webapp

  1. The dva_webapp_jsp.jar and dva_webapp.ear files are shipped with the Oracle Database Vault Oracle9i Release 2 (9.2.0.8) installation media. Navigate to the Disk1 directory.

  2. Extract the dva.zip file to the disk.

  3. Copy the following extracted files to the $ORACLE_HOME/dv/jlib/ directory in your Oracle Database 10g Release 2 (10.2) installation:

    • dva_webapp_jsp.jar

    • dva_webapp.ear

  4. Edit the file, $ORACLE_HOME/oc4j/j2ee/home/config/server.xml. Enter the following line just before the last line that reads, </application-server>:

    <application name="dva" path="$ORACLE_HOME/dv/jlib/dva_webapp.ear" auto-start="true" />
    
    

    For example:

    <application name="dva" path="/u00/app/oracle/oracle/product/dv12/dv/jlib/dva_webapp.ear" auto-start="true" />
    
    

    Note:

    If there was a previous version of DVA installed, and if you are redeploying the new dva_webapp.ear file from Disk1, then steps 4 to 8 have been already performed. You can move to step 9.
  5. Edit the file, $ORACLE_HOME/oc4j/j2ee/home/config/http-web-site.xml. Enter the following line just above the last line that reads, </web-site>:

    <web-app application="dva" name="dva_webapp" root="/dva" />
    
    
  6. Edit the file, $ORACLE_HOME/oc4j/j2ee/home/config/global-web-application.xml. Search for <servlet-class>oracle.jsp.runtimev2.JspServlet</servlet-class>. Uncomment the following lines after this:

    <init-param>
      <param-name>main_mode</param-name>
      <param-value>justrun</param-value>
    </init-param>
    
    
  7. Create the directory, $ORACLE_HOME/dv/jlib/sysman/config.

    mkdir -p $ORACLE_HOME/dv/jlib/sysman/config
    
    
  8. Create the database connection configuration file, emoms.properties, in the configuration directory that you just created. Add the following lines to the file:

    oracle.sysman.emSDK.svlt.ConsoleMode=standalone 
    oracle.sysman.eml.mntr.emdRepRAC=FALSE 
    oracle.sysman.eml.mntr.emdRepDBName=ORACLE_SID
    oracle.sysman.eml.mntr.emdRepConnectDescriptor=TNS_connection_string
    
    

    Note:

    • oracle.sysman.eml.mntr.emdRepRAC should be set to TRUE for a Real Application Clusters (RAC) database.

    • ORACLE_SID should be the SID of the Oracle Database Vault Oracle9i Release 2 (9.2.0.8) instance.

    • For oracle.sysman.eml.mntr.emdRepConnectDescriptor, you can use an alias from $ORACLE_HOME/network/admin/tnsnames.ora. Alternatively, you can use the following syntax:

      oracle.sysman.eml.mntr.emdRepConnectDescriptor=(DESCRIPTION\=(ADDRESS_LIST\=(ADDRESS\=(PROTOCOL\=TCP)(HOST\=HOSTNAME)(PORT\=PORT)))(CONNECT_DATA\=(SERVICE_NAME\=ORACLE_SID)))
      
  9. Start OC4J. Before starting OC4J, ensure that the correct environment variables are set. For example :

    ORACLE_HOME=/u00/app/oracle/product/10.2/db_1
    export ORACLE_HOME
    LD_LIBRARY_PATH=$ORACLE_HOME/bin:$ORACLE_HOME/lib:$ORACLE_HOME/jdbc/lib
    export LD_LIBRARY_PATH
    PATH=$ORACLE_HOME/bin:$ORACLE_HOME/jdk/bin:$PATH
    export PATH
    
    

    Note:

    LD_LIBRARY_PATH must be set to use the OCI-based JDBC libraries.

    Start OC4J using the following syntax:

    $ORACLE_HOME/jdk/bin/java -Djava.awt.headless=true -DEMDROOT=$ORACLE_HOME/dv/jlib -jar $ORACLE_HOME/oc4j/j2ee/home/oc4j.jar  -userThreads -config $ORACLE_HOME/oc4j/j2ee/home/config/server.xml
    
    

    Tip:

    You can create a shell script file, put the command to start OC4J in it, and grant appropriate execute permissions for the file. This allows you to easily reuse the command when required.

    You can also create a shell script file to stop OC4J, if required. You will need to stop and start OC4J if you make DVA configuration changes. For example:

    # script to stop and start OC4J
    $ORACLE_HOME/jdk/bin/java -jar $ORACLE_HOME/oc4j/j2ee/home/admin.jar ormi://localhost admin welcome -stop
    $ORACLE_HOME/jdk/bin/java -Djava.awt.headless=true -DEMDROOT=$ORACLE_HOME/dv/jlib -jar $ORACLE_HOME/oc4j/j2ee/home/oc4j.jar  -userThreads -config $ORACLE_HOME/oc4j/j2ee/home/config/server.xml
    
  10. You can now access the DVA application. The HTTP port defaults to 8888 for this environment. Use the following URL:

    http://hostname:8888/dva
    
    

2.2.7.1 Setting the Timeout Value for DVA

You can modify the length of time that DVA stays connected while inactive. By default, the connection duration is 35 minutes. Your session automatically gets expired after 35 minutes of inactivity.

To set the session time for Oracle Database Vault Administrator:

  1. Back up the web.xml file, which by default is in the $ORACLE_HOME/dv/jlib/dva_webapp/dva_webapp/WEB-INF directory.

  2. In a text editor, open the web.xml file .

  3. Search for the following setting:

    <session-config>
     <session-timeout>35</session-timeout>
    </session-config>
    
    
  4. Change the <session-timeout> setting to the amount of time in minutes that you prefer.

  5. Save and close the web.xml file.

  6. Stop and restart OC4J for the change to take effect.

    You can use the following command to restart OC4J:

    $ORACLE_HOME/jdk/bin/java -jar $ORACLE_HOME/oc4j/j2ee/home/admin.jar ormi://oc4jHost:oc4jOrmiPort adminId adminPassword -restart
    
    

    For example:

    $ORACLE_HOME/jdk/bin/java -jar $ORACLE_HOME/oc4j/j2ee/home/admin.jar ormi://localhost admin welcome -restart
    
    

    Note:

    If you have Oracle Enterprise Manager Console DB installed in your Oracle Database 10g Release 2 (10.2) installation, then you can also use the following commands to stop and start the DVA application:
    emctl stop dbconsole
    emctl start dbconsole
    

2.3 Removing Oracle Software

Use Oracle Universal Installer (OUI) to remove Oracle software from an Oracle home. The following list summarizes the steps involved:

  1. Log in as the user that owns the Oracle software. This is usually the oracle user.

  2. Shut down all processes running in the Oracle home.

  3. Start Oracle Universal Installer as follows:

    $ $ORACLE_HOME/oui/bin/runInstaller
    
    
  4. In the Welcome screen, select Deinstall Products. The Inventory screen appears. This screen lists all the Oracle homes on the system.

  5. Select the Oracle home and the products that you wish to remove. Click Remove.

See Also:

Refer to the Oracle Universal Installer Concepts Guide for Oracle Universal Installer (OUI) concepts

Note:

You cannot remove or uninstall the Database Vault option. However, you can disable Oracle Database Vault. Refer to Oracle Database Vault Administrator's Guide for more details.

You can also remove the entire Oracle home, as discussed earlier in this section.