Skip Headers
Oracle® Audit Vault Administrator's Guide
Release 10.2.3.2

Part Number E14459-12
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

5 Managing Oracle Audit Vault Security

This chapter contains:

5.1 About Managing Oracle Audit Vault Security

This chapter explains how to manage Oracle Audit Vault security. You should perform Oracle Audit Vault security tasks in this order of importance:

  1. Secure management communication between the Oracle Audit Vault Server and collection agent, described in Section 5.6.

  2. Manage user authentication metadata, described in Section 5.3.

Section 5.5 explains how Oracle Database Vault protects audit data and provides strong access control.

5.2 Managing Oracle Audit Vault User Accounts

During the Oracle Audit Vault installation process, you created the following two system-generated user accounts:

As a best practice, you should use these two user accounts only as back-up accounts, and grant the appropriate Audit Vault role to the users who are responsible for the day-to-day Oracle Audit Vault operations. Each user account must have its own user name and password. For example, if your site requires two Audit Vault administrators and six auditors, then grant the administrators the AV_ADMIN role and the auditors the AV_AUDITOR role. Or, for example, if all your administrators are granted SEC_ADMIN role and everyone who has the SEC_ADMIN role must also administer Oracle Audit Vault, then grant the AV_ADMIN role to the SEC_ADMIN role.

This way, if an Audit Vault administrator or auditor leaves the department or your company, then you only need to revoke the role from this user. If all the users who have been granted a particular role leave your company, then you can use the back-up Audit Vault user account that you created during installation to grant the role to new users. The danger of relying on the default user accounts that you created during installation is that if multiple users use the account, then they all can log in using the same user account and password. Shared passwords make your system less secure.

Similarly, you should grant the DV_OWNER and DV_ACCTMGR roles to individual users, and only use the DV_OWNER and DV_ACCTMGR accounts that you created during installation as back-up accounts. This is particularly important in the case where a user must have his or her password reset, because only a user who has been granted the DV_ACCTMGR role or the ALTER USER privilege can set passwords.

In addition to the AV_ADMIN and AV_AUDITOR roles, a default Oracle Audit Vault installation provides a set of administrative roles that you can use to manage Oracle Audit Vault. These roles provide separation-of-duty tasks. See Table 5-1 for more information.

To create user accounts for use with Oracle Audit Vault:

  1. Open a shell or command prompt for the Audit Vault Server.

    • UNIX: Set the environment variables, as described in Section 2.2.2.

    • Microsoft Windows: Go to the Audit Vault Server ORACLE_HOME\bin directory.

  2. If you must create new user accounts, then log in to SQL*Plus as a user who has been granted the CREATE USER privilege or the DV_ACCTMGR role, and create the user accounts.

    For example:

    sqlplus avadmindva
    Enter password: password
    Connected.
    
    SQL> CREATE USER tjones IDENTIFIED BY password;  -- The AV_ADMIN user
    SQL> CREATE USER psmith IDENTIFIED BY password;  -- The AV_AUDITOR user
    
  3. Connect as a user who has been granted the AV_ADMIN role and then grant the AV_ADMIN and AV_AUDITOR roles to these users.

    For example:

    SQL> CONNECT avadmin
    Enter password: password
    Connected.
    
    SQL> GRANT AV_ADMIN TO tjones;    -- The AV_ADMIN user
    SQL> GRANT AV_AUDITOR TO psmith;  -- The AV_AUDITOR user
    
  4. Repeat these steps to create individual accounts to be granted the DV_OWNER and DV_ACCTMGR roles.

    For the role grants, do the following:

    • When you are ready to grant the DV_OWNER role to the user, connect as a user who has been granted the DV_OWNER role.

    • When you are ready to grant the DV_ACCTMGR role to the user, connect as a user who has been granted the DV_ACCTMGR role.

    See Table 1-7 for more information about these roles.

  5. Optionally, audit the actions of the user who has been granted the AV_ADMIN role.

5.3 Managing Authentication Metadata Using Oracle Advanced Security

As part of the Audit Vault Server and the Oracle Audit Vault collection agent installation, two wallets are created. One wallet resides on the Audit Vault Server and this one contains the credentials of the AV_ADMIN. The Audit Vault Console uses this wallet to communicate with the Oracle Audit Vault database. The Audit Vault Console provides the management service that initiates the communication with collection agents using HTTP. Audit Vault Configuration Assistant (AVCA) modifies the Database Control console server.xml file and other related files to enable Oracle Audit Vault management through the Oracle Enterprise Manager Database Control console. The wallet is located in the $ORACLE_HOME/network/admin/avwallet directory.

The other wallet resides on the Audit Vault collection agent and contains the AV_AGENT credentials. The collection agent uses this wallet to get configuration data from Oracle Audit Vault. This wallet is located in the $ORACLE_HOME/network/admin/avwallet directory. This wallet also contains the credentials used by the collectors to communicate with the source database (Oracle Database, Microsoft SQL Server database, Sybase ASE, or IBM DB2 database). The three ORCLDB collectors, the MSSQLDB collector, the SYBDB collector, and the DB2 collector all use these credentials to connect to the source database and to:

The Oracle wallet is a password-protected container that stores credentials, such as certificates, authentication credentials, and private keys, all of which are used by SSL for strong authentication. You can manage Oracle wallets by using Oracle Wallet Manager. Oracle Wallet Manager can perform tasks such as wallet creation, certificate request generation, and importing certificates into the wallet.

Oracle Audit Vault uses third-party network authentication services (PKI-based authentication) to authenticate its user clients. Authentication systems based on public key infrastructure (PKI) issue digital certificates to user clients, which use them to authenticate directly to servers in the enterprise without involving an authentication server. These user certificates, along with the private key of the user and the set of trust points of a user (trusted certificate authorities), are stored in Oracle wallets.

5.4 Changing Oracle Audit Vault User Passwords on a Regular Basis

This section contains:

5.4.1 About Oracle Audit Vault User Passwords

You should have a policy in place for changing passwords for the Oracle Audit Vault user accounts. For example, you may require that users change their passwords on a regular basis, such as every 120 days, and that they create passwords that are not easily guessed.

Table 5-1 summarizes guidelines that you must follow when you change passwords for the Oracle Audit Vault user accounts.

Table 5-1 Storage Location of Audit Vault and Source User Name Passwords

Audit Vault Role Is Password Stored in Wallet? How Do I Change the Password?

AV_ADMIN

Yes

  1. If the system-generated AV_ADMIN user account password changes, then use the ALTER USER SQL statement to change the password of this user in the database. (You do not need to change the password for other users who have been granted the AV_ADMIN role.)

  2. Use the avca create_credential command to change the password in the wallet in the Audit Vault Server home.

See Section 5.4.2.

AVREPORTUSER user

Yes

  1. Use the ALTER USER SQL statement to change the password of this user in the database.

  2. Use the avca create_credential command to change the password in the wallet in the Audit Vault Server home.

AV_AGENT

Yes

  1. Use the ALTER USER SQL statement to change the password of this user in the database.

  2. Use the avca create_credential command to change the password in the wallet in the Audit Vault collection agent home.

See Section 5.4.4.

Source user on source database

Yes

  1. For Oracle Database source user accounts, use the ALTER USER SQL statement in the source database to change the password.

  2. Also for Oracle databases, run the avca create_credential command to change the password in the wallet in the Audit Vault Server.

  3. For all source database types, run the setup command of the AVORCLDB, AVMSSQLDB, or AVSYBDB utility to change the password in the wallet in the Audit Vault collection agent home. (The AVDB2DB utility has no setup command. For IBM DB2 databases, you only need to change the password of the designated user account.)

See Section 5.4.4

AV_AUDITOR

No

Use the ALTER USER SQL statement in the Audit Vault Server home to change this user's password.

See Section 5.4.6.


5.4.2 Changing the AV_ADMIN User Password

After you have updated the AV_ADMIN user account using the ALTER USER SQL statement, you must update the password credentials of this user.

To change the password of a user who has been granted the AV_ADMIN role:

  1. Open a shell or command prompt for the Audit Vault Server.

    • UNIX: Set the environment variables, as described in Section 2.2.2.

    • Microsoft Windows: Go to the Audit Vault Server ORACLE_HOME\bin directory.

  2. Log in to SQL*Plus as the user whose password you must change, another user who has been granted the ALTER_USER privilege, or a user with the DV_ACCTMGR role, and then change the password.

    For example:

    sqlplus dvsmith
    Enter password: password
    Connected.
    
    SQL> ALTER USER avsmith IDENTIFIED BY password;
    
  3. Exit SQL*Plus.

    If this user was granted the AV_ADMIN role after the Oracle Audit Vault installation, then you have completed this procedure. Otherwise, if the AV_ADMIN user account had been created during the Audit Vault installation, then go to Step 4.

  4. Run the avca create_credential command to change the password credentials of the AV_ADMIN user.

    For example:

    avca create_credential -wrl $ORACLE_HOME/network/admin/avwallet -dbalias orcl
    AVCA started
    Storing user credentials in wallet... 
    Enter source user username: avadminuser
    Enter source user password: password
    Re-enter source user password: password
    Create credential Modify credential
    Modify 2
    done.
    

    In this example, the dbalias parameter specifies the Audit Vault Server SID in the Audit Vault Server home. You can find this information by running the lsnrctl status command on the computer where you installed the source database. For detailed information about using the avca create_credential command, see Section 6.4.

5.4.3 Changing the AVREPORTUSER Password

The AVREPORTUSER account is an internal account that is used to manage Audit Vault reports.

To update the AVREPORTUSER password:

  1. Open a shell or command prompt for the Audit Vault Server.

    • UNIX: Set the environment variables, as described in Section 2.2.2.

    • Microsoft Windows: Go to the Audit Vault Server ORACLE_HOME\bin directory.

  2. Log in to SQL*Plus as the user whose password you must change, another user who has been granted the ALTER_USER privilege, or a user with the DV_ACCTMGR role, and then change the password.

    For example:

    sqlplus dvsmith
    Enter password: password
    Connected.
    
    SQL> ALTER USER avreportuser IDENTIFIED BY password;
    
  3. Run the avca create_credential command to change the password credentials of the AVREPORTUSER account.

    For example:

    avca create_credential -wrl $ORACLE_HOME/network/admin/avwallet -dbalias av_auditor_user
    
    AVCA started
    Storing user credentials in wallet... 
    Enter source user username: AVREPORTUSER
    Enter source user password: password
    Re-enter source user password: password
    Create credential Modify credential
    Modify 2
    done.
    

5.4.4 Changing the AV_AGENT Password

When you change the AV_AGENT user password, you must also update this user's credentials for each agent that connects to the Audit Vault Server as the AV_AGENT user account.

To change the password credentials for the AV_AGENT user account:

  1. Open a shell or command prompt for the Audit Vault collection agent.

    • UNIX: Set the environment variables, as described in Section 2.2.3.

    • Microsoft Windows: Go to the collection agent ORACLE_HOME\bin directory.

  2. Log in to SQL*Plus and use the ALTER USER SQL statement to change the password of the AV_AGENT user.

    For example:

    sqlplus dvsmith
    Enter password: password
    Connected.
    SQL> ALTER USER avagent_usr IDENTIFIED BY password;
    
  3. Access the shell or command prompt used for the Audit Vault collection agent.

  4. For each agent that connects to the server as the AV_AGENT user account, run the avca create_credential command to update the locally cached credentials with the new password.

    For example:

    avca create_credential -wrl $ORACLE_HOME/network/admin/avwallet -dbalias av
    AVCA started
    Storing user credentials in wallet... 
    Enter source user username: avagentuser
    Enter source user password: password
    Re-enter source user password: password
    Create credential Modify credential
    Modify 2
    done.
    

    For detailed information about using the avca create_credential command, see Section 6.4.

5.4.5 Changing the Source User Password

After you have updated the source database stored password credential, you must update the password credentials of this account.

To change the password credentials for the source user account:

  1. In the source database, change the password for the source database user.

    For an Oracle Database source, use the ALTER USER SQL statement to change the password.

    For example:

    sqlplus dvsmith
    Enter password: password
    Connected.
    SQL> ALTER USER srcuser_ora IDENTIFIED BY password;
    

    For source user accounts created for Microsoft Windows, Sybase ASE, and IBM DB2, log in to the appropriate source database and then change the password there.

  2. Open a shell or command prompt for the Audit Vault collection agent.

    • UNIX: Set the environment variables, as described in Section 2.2.3.

    • Microsoft Windows: Go to the collection agent ORACLE_HOME\bin directory.

  3. Run the appropriate setup command to configure the source user password. (Ensure that you only run this command on the agent, not the server.)

    • Oracle Database source databases: Run the avorcldb setup command (see Section 8.9). For example:

      avorcldb setup -srcname hrdb.example.com
      Enter Source user name: srcuser_ora
      Enter Source password: password
      
    • SQL Server source databases: Run the avmssqldb setup command (Section 9.9). For example:

      avmssqldb setup -srcname mssqldb4
      Enter a username : source_user_name
      Enter a password : password
      
    • Sybase ASE source databases: Run the avsybdb setup command (Section 10.9). For example:

      avsybdb setup -srcname sybdb4 
      Enter a username : source_user_name
      Enter a password : password
      
    • IBM DB2 databases: The avdb2db utility has no setup command. For IBM DB2 databases, you only need to change the password of the designated user account.

  4. If the source database is an Oracle database, then open a shell or command prompt for the Audit Vault Server.

    • UNIX: Set the environment variables, as described in Section 2.2.2.

    • Microsoft Windows: Go to the Audit Vault Server ORACLE_HOME\bin directory.

  5. For this Oracle source database, run the avca create_credential command to change the password credentials.

    1. Find the value of the dbalias parameter for the Oracle source database. Query source ID from Audit Vault as follows, and appending it to the string SRCDB (for example, SRCDB1):

      sqlplus /@AV_SID
      SELECT SOURCE_ID FROM AVSYS.AV$SOURCE WHERE SOURCE_NAME = source_name
      
    2. Use this value in the avca create_credential command. For example, assuming the dbalias is avorcl:

      avca create_credential -wrl $ORACLE_HOME/network/admin/avwallet -dbalias avorcl
      AVCA started
      Storing user credentials in wallet... 
      Enter source user username: avsource_user
      Enter source user password: password
      Re-enter source user password: password
      Create credential Modify credential
      Modify 2
      done.
      

5.4.6 Changing the AV_AUDITOR Password

To change the password of a user who has been granted the AV_AUDITOR role, you must change the passwords in both the Audit Vault Server home in the Audit Vault database by using the SQL ALTER_USER command. Log in as the user with the role of Database Vault Account Manager.

For example:

  1. Open a shell or command prompt for the Audit Vault Server.

    • UNIX: Set the environment variables, as described in Section 2.2.2.

    • Microsoft Windows: Go to the Audit Vault Server ORACLE_HOME\bin directory.

  2. Log in to SQL*Plus as the Database Vault Account Manager (that is, a user who has been granted the DV_ACCTMGR role).

    For example:

    sqlplus dvsmith
    Enter password: password
    Connected.
    SQL>
    
  3. Use the ALTER USER SQL statement to change the AV_AUDITOR user account.

    For example:

    SQL> ALTER USER avauditorusr-name IDENTIFIED BY password;
    

5.4.7 Ensuring That All Changed User Name Passwords Work Correctly

To test the changed passwords for users who have been granted the AV_ADMIN and AV_AUDITOR roles, log in to the Audit Vault Console as the Audit Vault administrator and then as the Audit Vault auditor. See Section 3.2.3 for instructions on logging in to the Audit Vault Console. If the login is not successful, repeat the procedures described in this section to re-create the passwords, and then retest them.

For the AV_ADMIN role, you must also test that the credentials were stored correctly in the wallet.

Follow these steps:

  1. Open a shell or command prompt for the Audit Vault Server.

    • UNIX: Set the environment variables, as described in Section 2.2.2.

    • Microsoft Windows: Go to the Audit Vault Server ORACLE_HOME\bin directory.

  2. In SQL*Plus, log in to the Audit Vault Server.

    For example, assuming the SID of the Audit Vault Server is av:

    sqlplus /@av 
    

To test the AV_AGENT and source database user account passwords, stop the collection agents, and then restart the collection agent and each collector. See Chapter 7 for information about the commands you use to perform this test. If you are able to collect new audit records, then the AV_AGENT and source database user account passwords are working. If you cannot collect audit records, then check the log files (see Appendix A for more information) to determine which user name password might be the cause of the problem. If necessary, re-create the passwords and then retest them.

5.5 Using Oracle Database Vault within Oracle Audit Vault

By default, Oracle Database Vault is enabled in the Audit Vault Server. Oracle Database Vault restricts access to the data in the Audit Vault Server from any user, including users who have administrative access. For Oracle Audit Vault, Oracle Database Vault protects the Audit Vault Server by using a realm. To ensure that the data in the Audit Vault Server is protected, do not disable Oracle Database Vault.

The inclusion of Oracle Database Vault provides the DV_OWNER and DV_ACCTMGR roles. The DV_OWNER role manages the database roles and configuration, and the DV_ACCTMGR role manages user accounts. As with all Oracle Database roles, grant these roles only to those users who are responsible for the tasks associated with the role.

Be aware that Oracle Database Vault revokes some privileges from several roles supplied by the Oracle database roles, including SYS and SYSTEM. Oracle Database Vault Administrator's Guide describes roles and privileges that Oracle Database Vault affects. Remember that only the user who has been granted the DV_ACCTMGR role can create, alter, and drop users. However, the DV_ACCTMGR user cannot grant these roles to these users. Only the user who has been granted the AV_ADMIN role can grant the AV_ADMIN and AV_AUDITOR roles to another user.

Table 5-2 shows the roles and privileges an administrative user is granted when that user is granted and Oracle Audit Vault or Oracle Database Vault roles. For detailed information about the Oracle Audit Vault or Oracle Database Vault roles, see Section 1.5.

Table 5-2 Roles and Privileges Granted to Audit Vault or Database Vault Administrators

Role Granted to User Roles Granted to This Role Privileges Granted

AV_ADMIN

SELECT_CATALOG_ROLE

AQ_ADMINISTRATOR_ROLE

AV_AUDITORFoot 1 

AV_AGENT

XDBADMIN

CREATE SESSION

GRANT ANY ROLE

AV_AUDITOR

SELECT_CATALOG_ROLE

CREATE SESSION

AV_AGENT

No additional roles granted

CREATE SESSION

CREATE ANY VIEW

DV_ACCTMGR

DV_PUBLIC

CONNECT

CREATE SESSION

CREATE USER

ALTER USER

DROP USER

CREATE PROFILE

ALTER PROFILE

DROP PROFILE

DV_OWNER

DV_PUBLIC

CONNECT

DV_ADMIN

DV_SECANALYST

CREATE SESSION

GRANT ANY ROLE

ALTER ANY TRIGGER

ADMINISTER DATABASE TRIGGER


Footnote 1 The AV_ADMIN role is granted the AV_AUDITOR role only if you did not create the AV_AUDITOR user during installation.

Table 5-3 shows other database core accounts that are created in the default Oracle Audit Vault installation. Oracle Audit Vault permits operating system authentication to the database. It disables remote authentication to the database if you try to use the SYSDBA privilege, but if it is needed, you can enable it by using a password file. See the sections that discuss postinstallation tasks in the Oracle Audit Vault Installation Guide for more information about unlocking and resetting user passwords and enabling or disabling connections with the SYSDBA privilege.

Table 5-3 Database Core Accounts Created and Privileges Use

Account Privileges Privilege In Use Password to Use

SYS

SYSTEM

SYSMAN

DBSNMP

ManyFoot 1 

Yes

Use same password as user granted AV_ADMIN role for basic installation or password may be set separately in advanced installation

SYS AS or

/ AS

SYSDBA

Yes, allowed

Operating system authentication to the database is enabled by default.

SYS AS

SYSDBA

No, not allowed for remote connection

To use for remote connection, user must create a password file to enable its use. Password is set when password file is created.

SYS AS

SYSOPER

Yes, allowed

Use same password as user granted AV_ADMIN role


Footnote 1 To find the privileges associated with the user account, log in to SQL*Plus as the user and then run the following query: SELECT * FROM SESSION_ROLES;

5.6 Configuring HTTPS and SSL Communication for Oracle Audit Vault

This section contains:

5.6.1 About Configuring HTTPS and SSL Communication for Oracle Audit Vault

You can secure management communication between the Oracle Audit Vault Server and collection agent by using the HTTPS protocol to encrypt data. In this case, you provide X.509 certificates for authentication. This section explains how to configure Secure Sockets Layer (SSL) for the mutual authentication between Oracle Audit Vault on the server side and each collection agent over HTTPS. A certificate authority (CA) must provide these certificates to you, the Oracle Audit Vault administrator.

To accomplish this, you secure the following services on the Audit Vault Server side:

  • Oracle Audit Vault Web application, which you secure by using the avca secure_av command.

  • XDB services, which you secure by using the avca generate_crs and avca import commands.

For the Audit Vault agent side, you secure OC4J by using the avca secure_agent command.

After you secure the Audit Vault Server and Audit Vault collection agent communication to use HTTPS, you must enable the browser to use HTTPS to access the Audit Vault Console. At this stage, HTTP will no longer be available for the browser user because the browser to the Audit Vault Console communication is also made secure.

Before you follow the procedures described in this section, you must understand how to use keystores, which are in JKS (Java Keystore) format from Sun Microsystems. You can create and manage keystores by using the keystore application from Sun Microsystems. See the following URLs for more information:

http://java.sun.com/j2se/1.3/docs/tooldocs/win32/keytool.html

http://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html

See Also:

Oracle Database Advanced Security Administrator's Guide for more information about PKI-based authentication, digital certificates, secure external password stores, and Oracle wallets.

5.6.2 Step 1: Generate the Keystore

To generate the keystore:

  1. Create a keystore to secure the Audit Vault Console.

    The following example uses the name avkeystore to denote the Audit Vault Server keystore:

    oracle:/home/oracle> $ORACLE_HOME/jdk/bin/keytool -genkey -v -alias avkey -keyalg RSA -keysize 1024 -dname "CN=avserver, OU=st, O=example, L=nomadcity, ST=ca, C=us" -validity 365 -keypass welcome -keystore /tmp/certs/avkeystore -storepass password
    

    Output similar to the following appears:

    Generating 1,024 bit RSA key pair and self-signed certificate (MD5WithRSA)
    for: CN=avserver, OU=st, O=example, L=nomadcity, ST=ca, C=us
    [Saving /tmp/certs/avkeystore]
    
  2. List the contents, and ensure that the keystore has valid keys and components.

    At this stage, you should have a new keystore with an Audit Vault Server private key/certificate pair.

    For example:

    oracle:/home/oracle> $ORACLE_HOME/jdk/bin/keytool -list -v -keystore /tmp/certs/avkeystore
    Enter keystore password: password
    

    Output similar to the following appears:

    Keystore type: jks
    Keystore provider: SUN
     
    Your keystore contains 1 entry
     
    Alias name: avkey
    Creation date: Feb 18, 2010
    Entry type: keyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: CN=avserver, OU=st, O=example, L=nomadcity, ST=ca, C=us
    Issuer: CN=avserver, OU=st, O=example, L=nomadcity, ST=ca, C=us
    Serial number: 4b7e19da
    
  3. Generate the certificate request.

    For example:

    oracle:/home/oracle> $ORACLE_HOME/jdk/bin/keytool -certreq -alias avkey -keystore /tmp/certs/avkeystore -file /tmp/mycsr.csr
    Enter keystore password: password
    
  4. Send this certificate request file to a CA to be signed and then returned to you.

    In the preceding steps, this request file is called mycsr.csr and was created in the tmp directory.

  5. Import the CA root certificate.

    For example:

    oracle:/home/oracle> $ORACLE_HOME/jdk/bin/keytool -keystore /tmp/certs/avkeystore -import -alias CAcert -trustcacerts -file /tmp/cacert.pem
    Enter keystore password: password
    

    Output similar to the following appears; answer the prompts as needed.

    Owner: EMAILADDRESS=sunil.shetty@example.com, CN=Sathya, OU=ExampleISC, O=Support, L=Bangalore, ST=Karnataka, C=IN
    Issuer: EMAILADDRESS=sunil.shetty@example.com, CN=Sathya, OU=ExampleSC, O=Support, L=Bangalore, ST=Karnataka, C=IN
    Serial number: 0
    Valid from: Mon Feb 08 23:54:23 MST 2010 until: Tue Feb 08 23:54:23 MST 2011
    Certificate fingerprints:
    MD5: 1C:D7:51:31:81:14:39:F3:CC:E0:24:86:9C:8A:69:08
    SHA1: 6C:A4:35:1F:82:57:BF:DB:DC:D9:2B:82:A2:AC:F6:15:BD:8C:A6:99
    Trust this certificate? [no]: yes
    Certificate was added to keystore
    
  6. Import the signed certificate to keystore.

    For example:

    oracle:/tmp> $ORACLE_HOME/jdk/bin/keytool -keystore /tmp/certs/avkeystore -import -file /tmp/mycert.cer
    Enter keystore password: password
     
    Certificate was added to keystore
    
  7. Check the keystore to ensure that the certificate chain is complete.

    For example:

    oracle:/tmp> $ORACLE_HOME/jdk/bin/keytool -list -v -keystore /tmp/certs/avkeystore
    Enter keystore password: password
    

    Output similar to the following appears:

    Keystore type: jks
    Keystore provider: SUN
     
    Your keystore contains 3 entries
     
    Alias name: avkey
    Creation date: Feb 18, 2010
    Entry type: keyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: CN=avserver, OU=st, O=example, L=nomadcity, ST=ca, C=us
    Issuer: CN=avserver, OU=st, O=example, L=nomadcity, ST=ca, C=us
    Serial number: 4b7e19da
    Valid from: Thu Feb 18 21:55:54 MST 2010 until: Fri Feb 18 21:55:54 MST 2011
    Certificate fingerprints:
    MD5: 89:AF:A3:3E:3C:91:B6:41:9C:26:D3:95:6C:AF:24:17
    SHA1: 69:04:B2:16:95:69:38:9D:0F:D1:7B:4F:1B:EE:F3:E4:FA:A2:72:78
     
    *******************************************
    *******************************************
     
    Alias name: cacert
    Creation date: Feb 18, 2010
    Entry type: trustedCertEntry
     
    Owner: EMAILADDRESS=sunil.shetty@example.com, CN=Sathya, OU=ExampleISC, O=Support, L=Bangalore, ST=Karnataka, C=IN
    Issuer: EMAILADDRESS=sunil.shetty@example.com, CN=Sathya, OU=ExampleISC, O=Support, L=Bangalore, ST=Karnataka, C=IN
    Serial number: 0
    Valid from: Mon Feb 08 23:54:23 MST 2010 until: Tue Feb 08 23:54:23 MST 2011
    Certificate fingerprints:
    MD5: 1C:D7:51:31:81:14:39:F3:CC:E0:24:86:9C:8A:69:08
    SHA1: 6C:A4:35:1F:82:57:BF:DB:DC:D9:2B:82:A2:AC:F6:15:BD:8C:A6:99
     
    *******************************************
    *******************************************
     
    Alias name: mykey
    Creation date: Feb 18, 2010
    Entry type: trustedCertEntry
     
    Owner: CN=avserver, OU=st, O=example, L=nomadcity, ST=ca, C=us
    Issuer: EMAILADDRESS=sunil.shetty@examplecom, CN=Sathya, OU=ExampleISC, O=Support, L=Bangalore, ST=Karnataka, C=IN
    Serial number: 4
    Valid from: Thu Feb 18 21:37:12 MST 2010 until: Fri Feb 18 21:37:12 MST 2011
    Certificate fingerprints:
    MD5: 87:82:9F:09:11:40:62:9E:FA:63:68:92:E2:7C:AA:57
    SHA1: 47:41:0E:BE:05:49:2C:A5:55:3A:3E:F5:14:47:04:6E:85:40:F0:9F
     
    *******************************************
    *******************************************
    

5.6.3 Step 2: Create an Audit Vault Agent Keystore by Using the keytool Utility

To create an Audit Vault Agent keystore using the keytool utility:

  1. Create the keystore that you will use to secure the Audit Vault agent.

    For example:

    oracle:/tmp/certs> $ORACLE_HOME/jdk/bin/keytool -genkey -v -alias agkey -keyalg RSA -keysize 1024 -dname "CN=agent, OU=st, O=example, L=nomadcity, ST=ca, C=us" -validity 365 -keypass password -keystore /tmp/certs/agkeystore -storepass password
    

    Specify the same password for the keypass and storepass parameters. Otherwise, OC4J will be unable to open the keystore during startup.

    Output similar to the following appears:

    Generating 1,024 bit RSA key pair and self-signed certificate (MD5WithRSA)
    for: CN=agent, OU=st, O=example, L=nomadcity, ST=ca, C=us
    [Saving /tmp/certs/agkeystore]
    
  2. List the contents to ensure that the keystore has valid keys and components.

    At this stage, you should have a new keystore with an Audit Vault agent private key/certificate pair.

    For example:

    oracle:/tmp/certs> $ORACLE_HOME/jdk/bin/keytool -list -v -keystore /tmp/certs/agkeystore
    Enter keystore password: password
    

    Output similar to the following appears:

    Keystore type: jks
    Keystore provider: SUN
     
    Your keystore contains 1 entry
     
    Alias name: agkey
    Creation date: Feb 18, 2010
    Entry type: keyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: CN=agent, OU=st, O=example, L=nomadcity, ST=ca, C=us
    Issuer: CN=agent, OU=st, O=example, L=nomadcity, ST=ca, C=us
    Serial number: 4b7e211b
    Valid from: Thu Feb 18 22:26:51 MST 2010 until: Fri Feb 18 22:26:51 MST 2011
    Certificate fingerprints:
    MD5: D4:EE:B1:EC:D2:DA:02:07:20:8C:01:C8:36:FE:2C:0B
    SHA1: CF:1F:9D:BF:6C:65:FD:4D:15:54:0C:27:F3:5F:63:E8:39:90:D4:EA
     
    *******************************************
    *******************************************
    
  3. Generate the certificate request.

    For example:

    oracle:/tmp/certs> $ORACLE_HOME/jdk/bin/keytool -certreq -alias agkey -keystore /tmp/certs/agkeystore -file /tmp/mycsr_agent.csr
    Enter keystore password: password
    
  4. Send this certificate request file to a CA to be signed and then returned to you.

  5. Import the CA root certificate to the agent keystore.

    For example:

    oracle:/tmp> $ORACLE_HOME/jdk/bin/keytool -keystore /tmp/certs/agkeystore -import -alias CAcert_agent -trustcacerts -file /tmp/cacert.pem
    Enter keystore password: password
    

    Output similar to the following appears; answer the prompts as needed.

    Owner: EMAILADDRESS=sunil.shetty@example.com, CN=Sathya, OU=ExampleISC, O=Support, L=Bangalore, ST=Karnataka, C=IN
    Issuer: EMAILADDRESS=sunil.shetty@example.com, CN=Sathya, OU=ExampleISC, O=Support, L=Bangalore, ST=Karnataka, C=IN
    Serial number: 0
    Valid from: Mon Feb 08 23:54:23 MST 2010 until: Tue Feb 08 23:54:23 MST 2011
    Certificate fingerprints:
    MD5: 1C:D7:51:31:81:14:39:F3:CC:E0:24:86:9C:8A:69:08
    SHA1: 6C:A4:35:1F:82:57:BF:DB:DC:D9:2B:82:A2:AC:F6:15:BD:8C:A6:99
    Trust this certificate? [no]: yes
    
    Certificate was added to keystore
    
  6. Import the signed certificate of the Audit Vault agent to keystore.

    For example:

    oracle:/tmp> $ORACLE_HOME/jdk/bin/keytool -keystore /tmp/certs/agkeystore -import -trustcacerts -file /tmp/mycert_agent.cer
    Enter keystore password: password
     
    Certificate was added to keystore
    
  7. Ensure that the Audit Vault agent keystore has proper certificate chain.

    For example:

    oracle:/tmp> $ORACLE_HOME/jdk/bin/keytool -list -v -keystore /tmp/certs/agkeystore
    Enter keystore password: password
    

    Output similar to the following appears:

    Keystore type: jks
    Keystore provider: SUN
     
    Your keystore contains 3 entries
     
    Alias name: agkey
    Creation date: Feb 18, 2010
    Entry type: keyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: CN=agent, OU=st, O=example, L=nomadcity, ST=ca, C=us
    Issuer: CN=agent, OU=st, O=example, L=nomadcity, ST=ca, C=us
    Serial number: 4b7e211b
    Valid from: Thu Feb 18 22:26:51 MST 2010 until: Fri Feb 18 22:26:51 MST 2011
    Certificate fingerprints:
    MD5: D4:EE:B1:EC:D2:DA:02:07:20:8C:01:C8:36:FE:2C:0B
    SHA1: CF:1F:9D:BF:6C:65:FD:4D:15:54:0C:27:F3:5F:63:E8:39:90:D4:EA
     
    *******************************************
    *******************************************
     
    Alias name: cacert_agent
    Creation date: Feb 18, 2010
    Entry type: trustedCertEntry
     
    Owner: EMAILADDRESS=sunil.shetty@example.com, CN=Sathya, OU=ExampleISC, O=Support, L=Bangalore, ST=Karnataka, C=IN
    Issuer: EMAILADDRESS=sunil.shetty@example.com, CN=Sathya, OU=Example eISC, O=Support, L=Bangalore, ST=Karnataka, C=IN
    Serial number: 0
    Valid from: Mon Feb 08 23:54:23 MST 2010 until: Tue Feb 08 23:54:23 MST 2011
    Certificate fingerprints:
    MD5: 1C:D7:51:31:81:14:39:F3:CC:E0:24:86:9C:8A:69:08
    SHA1: 6C:A4:35:1F:82:57:BF:DB:DC:D9:2B:82:A2:AC:F6:15:BD:8C:A6:99
     
    *******************************************
    *******************************************
     
    Alias name: mykey
    Creation date: Feb 18, 2010
    Entry type: trustedCertEntry
     
    Owner: CN=agent, OU=st, O=example, L=nomadcity, ST=ca, C=us
    Issuer: EMAILADDRESS=sunil.shetty@example.com, CN=Sathya, OU=ExampleISC, O=Support, L=Bangalore, ST=Karnataka, C=IN
    Serial number: 5
    Valid from: Thu Feb 18 21:57:09 MST 2010 until: Fri Feb 18 21:57:09 MST 2011
    Certificate fingerprints:
    MD5: E5:19:D5:F8:95:37:C5:F3:91:AB:CB:F1:C9:26:E1:30
    SHA1: 16:4A:63:6A:84:9A:CC:2A:8E:6D:28:46:65:48:CA:31:D0:80:DA:3D
     
    *******************************************
    *******************************************
    

5.6.4 Step 3: Secure the XDB Services

To secure the XDB services:

  1. Open a shell or command prompt for the Audit Vault Server.

    • UNIX: Set the environment variables, as described in Section 2.2.2.

    • Microsoft Windows: Go to the Audit Vault Server ORACLE_HOME\bin directory.

  2. Create a certificate request that will be stored in the Oracle wallet.

    oracle:/tmp> avca generate_csr -certdn \"cn=oel5upd1,OU=DBSEC,O=Example,ST=CA,C=US\" -out /tmp/cert.out
    
    Generating Certificate request...
    Certificate request generated successfully.
    

    See Section 6.12 for detailed information about the avca generate_csr command.

  3. Send this certificate request file to a CA to be signed and then returned to you.

  4. Import the CA certificate into the Oracle wallet as a trusted CA.

    For example:

    oracle:/tmp> avca import_cert -cert /tmp/cacert.pem -trusted
    
    Importing Certificate...
    Certificate imported successfully.
    

    See Section 6.14 for detailed information about the avca import_cert command.

  5. Import the user certificate.

    For example:

    oracle:/tmp> avca import_cert -cert /tmp/newcert.pem
    
    Importing Certificate...
    Certificate imported successfully.
    

5.6.5 Step 4: Secure Audit Vault Server

To secure Audit Vault Server:

  1. Open a shell or command prompt for the Audit Vault Server.

    • UNIX: Set the environment variables, as described in Section 2.2.2.

    • Microsoft Windows: Go to the Audit Vault Server ORACLE_HOME\bin directory.

  2. Run the avca secure_av command.

    For example:

    oracle:/tmp> avca secure_av -avkeystore /tmp/certs/avkeystore -avtruststore /tmp/certs/avkeystore
    

    See Section 6.20 for detailed information about the avca secure_av command.

    Output similar to the following appears:

    Checking for SSL Certificate...
    done.
    Enter Audit Vault Server keystore password:
    Stopping OC4J...
    OC4J stopped successfully.
    Securing XDB services...
    Identified XDB http(s) Port...
    Stopping Listeners...
    done.
    Starting Listeners...
    done.
    done.
    Starting OC4J...
    OC4J started successfully.
    TZ set to US/MountainOracle Audit Vault 10g Database Control Release 10.2.3.2.0
    Copyright (c) 2006, 2009 Oracle Corporation. All rights reserved.
    https://oel5upd1:5700/av
    Oracle Audit Vault 10g is running.
    ------------------------------------
     
    Logs are generated in directory /home/oracle/product/10.2.3/av_1/av/log
    

5.6.6 Step 5: Secure Audit Vault Agent

To secure the Audit Vault agent:

  1. Open a shell or command prompt for the Audit Vault collection agent.

    • UNIX: Set the environment variables, as described in Section 2.2.3.

    • Microsoft Windows: Go to the Audit Vault Server or collection agent ORACLE_HOME\bin directory.

  2. Run the avca secure_agent command.

    For example:

    oracle:/tmp> avca secure_agent -agentkeystore /tmp/certs/agkeystore -avdn \"CN=avserver, OU=st, O=example, L=nomadcity, ST=ca, C=us\" -agentdn \"CN=agent, OU=st, O=example,L=nomadcity, ST=ca, C=us\"
    

    See Section 6.19 for detailed information about the avca secure_agent command.

    Output similar to the following appears; answer the prompts as needed.

    Enter Audit Vault Agent keystore password: password
    Stopping agent...
    Agent stopped successfully.
    Starting agent...
    Agent started successfully.
    

5.7 Updating XDB Certificates

If you need to update the XDB certificate that you obtained from running the avca generate_csr command, then follow these steps to ensure that the Oracle wallet uses the updated XDB certificate:

  1. Open a shell or command prompt for the Audit Vault Server.

    • UNIX: Set the environment variables, as described in Section 2.2.2.

    • Microsoft Windows: Go to the Audit Vault Server ORACLE_HOME\bin directory.

  2. Run the avca remove_certificate command with the -certdn parameter set to the DN of the XDB certificate.

    For example:

    avca remove_cert -certdn -hrdb.example.com \"CN=AV_Server_host_DN,OU=DBSEC,O=Oracle,ST=CA,C=US\"
    
  3. Shut down the Audit Vault Web application.

    avctl stop_av
    
  4. Stop the listener for the Audit Vault database.

    lsnrctl stop
    
  5. Log in to SQL*Plus and then shut down the Audit Vault database.

    For example:

    sqlplus sys as sysoper
    Enter password: password
    Connected. 
    
    SQL> SHUTDOWN IMMEDIATE
    
  6. Restart the Audit Vault database listener.

    lsnrctl start
    
  7. Restart the Audit Vault database.

    SQL> STARTUP
    
  8. Start the Audit Vault Web application

    avctl start_av
    
  9. Generate a new certificate.

    For example:

    avca generate_csr -certdn \"CN=AV_Server_host_DN,OU=DBSEC,O=Oracle,ST=CA,C=US\" -out user_certificate.cer
    
  10. Import the new certificate.

    For example:

    avca import_cert -cert user_certificate.cer