After you install Oracle Database Vault, you must register it with your database.
Note:
You cannot enable Oracle Database Vault by using scripts that have been generated by Database Configuration Assistant (DBCA).To register Oracle Database Vault:
Ensure that the computer on which you want to register Oracle Database Vault has the Oracle Enterprise Manager Database Console available.
You can check the status of the Database Console by running the emctl status dbconsole
command. For example:
./emctl status dbconsole
Start Database Configuration Assistant.
UNIX: Enter the following command at a terminal window:
dbca
By default, dbca
is in the $ORACLE_HOME/bin
directory.
Windows: From the Start menu, click All Programs. Then, click Oracle - ORACLE_HOME, Configuration and Migration Tools, and then Database Configuration Assistant.
Alternatively, you can start Database Configuration Assistant at a command prompt:
dbca
As with UNIX, typically, dbca
is in the ORACLE_BASE
\
ORACLE_HOME
\bin
directory.
In the Welcome page, click Next.
The Operations page appears.
Select Configure Database Options, and then click Next.
The Database page appears.
From the list, select the database where you installed Oracle Database and then click Next.
The Database Content page appears.
Perform one of the following actions:
If Oracle Label Security is already enabled: Select the Oracle Database Vault option, and then click Next.
If Oracle Label Security is not enabled: Select the Oracle Label Security option so that the Oracle Database Vault option becomes available for selection. Select the Oracle Database Vault option as well, and then click Next.
Specify the name and password for the Database Vault Owner account (for example, DBVOWNER
) and the Database Vault Account Manager (for example, DBVACCTMGR
).
Enter any password that is secure, according to the password guidelines described in Oracle Database Security Guide. Oracle Database Vault has additional password requirements, which are displayed if you try to create an incorrect password.
Click Next.
The Connection Mode page appears.
Select either Dedicated Server Mode or Shared Server Mode (depending on the selection you made when you created this database), click Finish, and then click OK in the confirmation prompts.
Database Configuration Assistant registers Oracle Database Vault, and then restarts the database instance.
Exit Database Configuration Assistant.
After you have registered Oracle Database Vault with an Oracle database, you can start Oracle Database Vault Administrator. See "Starting Oracle Database Vault" for more information.
Ensure that the value of the NLS_LANGUAGE
initialization parameter matches the locale and NLS settings (either the NLS_LANG
or LANG
environment variables) used by the operating system of the computer on which Oracle Database is installed. If these values are inconsistent, then Database Vault Administrator does not display the default realms, command rules, rule sets, or factors.
For example, if the operating system locale (the variable $LANG
) setting is en_US.UTF-8
, then you must set the corresponding NLS_LANG
environment variable to AMERICAN_AMERICA.AL32UTF8
and the database NLS_LANGUAGE
initialization parameter value to be AMERICAN
. The database NLS_LANGUAGE
parameter is derived from the operating system NLS_LANG
environment variable.
For more information about checking and configuring locale and NLS settings, see the appendix that covers globalization support in the Oracle Database Installation Guide for your platform.
If you have created an Oracle database manually, and have configured Oracle Enterprise Manager Database Control by using Enterprise Manager Configuration Assistant, you must manually deploy Oracle Database Vault Administrator. This procedure deploys Database Vault Administrator in the same OC4J container as the current Enterprise Manager, rather than creating a new application.
This section contains:
Deploying Database Vault Administrator to a Standalone OC4J Container
Deploying Database Vault Administrator to the Database Console OC4J Container
You can manually deploy Database Vault Administrator to the Oracle Application Server Containers for J2EE (OC4J) home, which by default is in the $ORACLE_HOME/oc4j/j2ee/home
directory.
To manually deploy Database Vault Administrator:
Edit the file $ORACLE_HOME/oc4j/j2ee/home/config/server.xml
. Enter the following line just before the last line that reads, </application-server>
:
<application name="dva" path="Oracle_home_dir/dv/jlib/dva_webapp.ear" auto-start="true" />
Replace Oracle_home_dir
with the relative or direct path to the Oracle home directory. (You cannot enter the $ORACLE_HOME
environment variable.) For example:
<application name="dva" path="/u00/app/oracle/oracle/product/dv12/dv/jlib/dva_webapp.ear" auto-start="true" />
Edit the file $ORACLE_HOME/oc4j/j2ee/home/config/http-web-site.xml
. Enter the following line just above the last line that reads, </web-site>
:
<web-app application="dva" name="dva_webapp" root="/dva" />
Edit the file $ORACLE_HOME/oc4j/j2ee/home/config/global-web-application.xml
. Search for <servlet-class>oracle.jsp.runtimev2.JspServlet</servlet-class>
. Uncomment the following lines after this:
<init-param> <param-name>main_mode</param-name> <param-value>justrun</param-value> </init-param>
Create the following directory:
mkdir -p $ORACLE_HOME/dv/jlib/sysman/config
Create the database connection configuration file, emoms.properties, in the configuration directory that you just created. Add the following lines to the file:
oracle.sysman.emSDK.svlt.ConsoleMode=standalone oracle.sysman.eml.mntr.emdRepRAC=FALSE oracle.sysman.eml.mntr.emdRepDBName=oracle_sid oracle.system.eml.mntr.emdRepConnectDescriptor=TNS_connection_string
Follow these instructions:
For an Oracle RAC environment, set oracle.sysman.eml.mntr.emdRepRAC
to TRUE
.
For oracle.sysman.eml.mntr.emdRepConnectDescriptor
, you can use an alias from $ORACLE_HOME/network/admin/tnsnames.ora
. Alternatively, you can use the following syntax:
oracle.sysman.eml.mntr.emdRepConnectDescriptor= (DESCRIPTION\= (ADDRESS_LIST\=(ADDRESS\=(PROTOCOL\=TCP) (HOST\=HOSTNAME)(PORT\=PORT))) (CONNECT_DATA\= (SERVICE_NAME\=ORACLE_SID))
Ensure that the correct environment variables are set.
For example:
ORACLE_SID=orcl export ORACLE_SID ORACLE_HOME=/u00/app/oracle/product/11.1.0 export ORACLE_HOME LD_LIBRARY_PATH=$ORACLE_HOME/bin:$ORACLE_HOME/lib:$ORACLE_HOME/jdbc/lib export LD_LIBRARY_PATH PATH=$ORACLE_HOME/bin:$ORACLE_HOME/jdk/bin:$PATH export PATH
Set the LD_LIBRARY_PATH
variable to use the OCI-based JDBC libraries.
Start OC4J using the following syntax:
$ORACLE_HOME/jdk/bin/java -Djava.awt.headless=true -DEMDROOT=$ORACLE_HOME/dv/jlib -jar $ORACLE_HOME/oc4j/j2ee/home/oc4j.jar -userThreads -config $ORACLE_HOME/oc4j/j2ee/home/config/server.xml
After you complete these steps, you can start Database Vault Administrator. The HTTP port defaults to 8888 for this environment. Use the following syntax for the URL:
http://hostname:8888/dva
To manually deploy Database Vault Administrator to the Database Console OC4J container:
Stop Oracle Database Console.
UNIX: Go to the $ORACLE_HOME/bin
directory and run the following command:
./emctl stop dbconsole
Microsoft Windows: In the Administrative Services, select the Services utility, and then right-click the OracleDBConsolesid service. Select Stop from the menu.
Create a backup copy and then open the $ORACLE_HOME/oc4j/j2ee/OC4J_DBConsole_
service_name
/config/server.xml
file.
Add the following line before the </application-server>
element:
<application name="dva" path="$ORACLE_HOME/dv/jlib/dva_webapp.ear" parent="default" start="true" />
On UNIX and Windows systems, replace $ORACLE_HOME
with the absolute path to your Oracle Database home.
Create a backup copy and then open the $ORACLE_HOME/oc4j/j2ee/OC4J_DBConsole_
service_name
/config/http-web-site.xml
file.
Add the following line before the </web-site> element:
<web-app application="dva" name="dva_webapp" load-on-startup="true" root="/dva" shared="true"/>
Restart Oracle Database Console.
UNIX: Go to the $ORACLE_HOME/bin
directory and run the following command:
./emctl start dbconsole
Windows: In the Administrative Services, select the Services utility, and then right-click the OracleDBConsolesid service. Select Start from the menu.
After you complete these steps, you can start Oracle Database Vault Administrator by using the following URL:
https://hostname:port/dva
For example:
https://myserver:1158/dva
If you are unsure of the port number, open the ORACLE_HOME
/
host_sid
/sysman/config/emd.properties
file and search for REPOSITORY_URL
. In most cases, the host name and port number are the same as Oracle Enterprise Manager Database Control.
By default, an Oracle Database Vault session lasts 35 minutes. If you want the session to last for a different time, follow the steps in this section.
To set the session time for Oracle Database Vault Administrator:
Back up the web.xml file
, which by default is in the $ORACLE_HOME/dv/jlib/dva_webapp/dva_webapp/WEB-INF
directory.
In a text editor, open the web.xml
file.
Search for the following setting:
<session-config> <session-timeout>35</session-timeout> </session-config>
Change the <session-timeout>
setting to the amount of time in minutes that you prefer.
Save and close the web.xml
file.
Stop and restart the Database Vault Administrator.
UNIX: Go to the $ORACLE_HOME/bin
directory and run the following command:
./emctl stop dbconsole ./emctl start dbconsole
Windows: In the Administrative Services, select the Services utility, and then right-click the OracleDBConsolesid service. Select Stop from the menu. After the console stops, select Start.
You can configure Database Vault Administrator to make data accessible and usable to the disabled community. The following sections explain how to enable Database Vault Administrator for full accessibility.
Enabling Oracle Database Vault Administrator Accessibility Mode
Providing Textual Descriptions of Database Vault Administrator Charts
Oracle Database Vault Administrator takes advantage of user interface development technologies that improve the responsiveness of some user operations. For example, when you navigate to a new record set in a table, Oracle Database Vault Administrator does not redisplay the entire HTML page. However, this performance-improving technology is generally not supported by screen readers. To disable this feature, and as a result, make the Database Vault Administrator HTML pages more accessible for disabled users, use the following procedure.
To enable the display of an entire HTML page:
Locate the uix-config.xml
configuration file.
By default, the uix-config.xml
file is in the following directory:
$ORACLE_HOME/oc4j/j2ee/oc4j_applications/applications/em/em/WEB-INF
Open the uix-config.xml
file using a text editor and locate the following entry:
<!-- An alternate configuration that disables accessibility features --> <default-configuration> <accessibility-mode>inaccessible</accessibility-mode> ... </default-configuration>
Change the value of the accessibility-mode property from inaccessible
to accessible
.
Save and close the uix-config.xml
file.
Restart Database Vault Administrator.
The Monitor page of Database Vault Administrator displays security policy data in a chart. However, charts do not convey information in a manner that can be read by a screen reader. To remedy this problem, you can configure Database Vault Administrator to provide a complete textual representation of each chart. By default, support for the textual representation of charts is disabled. When textual description for charts is enabled, Database Vault Administrator displays a textual representation of the chart data.
To enable the textual representation of charts:
Locate the web.xml
configuration file.
To locate the web.xml
file in a Oracle Database 10g installation, change directory to the following location in the Oracle home:
$ORACLE_HOME/dv/jlib/dva_webapp/dva_webapp/WEB-INF/
Open the web.xml
file with your favorite text editor and locate the following six lines of the file:
<!-- Uncomment this to enable textual chart descriptions <context-param> <param-name>enableChartDescription</param-name> <param-value>true</param-value> </context-param> -->
Remove comments from this section by deleting the first line and the last line of this section so that the section consists of only these four lines:
<context-param> <param-name>enableChartDescription</param-name> <param-value>true</param-value> </context-param>
Save and exit the web.xml
file.
Restart Database Vault Administrator.
After you install Oracle Database Vault for an Oracle Real Application Clusters (Oracle RAC) instance, you must run Oracle Database Vault Configuration Assistant (DVCA) with the -action
optionrac
option on all other RAC nodes.
You must run this command on all RAC nodes other than the node on which the Database Vault installation is performed. This step is required to enable the enhanced security features provided by Oracle Database Vault.
This section includes the following topics:
The syntax for using dvca -action optionrac
is as follows:
dvca -action optionrac -oh Oracle_home -instance Oracle_instance_name -dbname database_name -jdbc_str jdbc_connection_string -sys_passwd SYS_password [-silent] [-logfile ./dvca.log] [-nodecrypt] [-lockout]
In this specification:
-action
is the action to perform. optionrac
performs updates the instance parameters for the RAC instance. This flag also provides the option of disabling SYSDBA
operating system access for the instance.
-racnode
is the host name of the RAC node on which the action is being performed. Do not include the domain name with the host name.
-oh
is the Oracle home for the RAC instance. Provide the ORACLE_HOME
path.
-instance
is the name of the Database instance.
-dbname
is the database name.
-jdbc_str
is the JDBC connection string used to connect to the database. For example:
jdbc:oracle:oci:@orcl1
-sys_passwd
is the password for the SYS
user. If you use a cleartext password on the command line, you must include the nodecrypt
option. If you omit the password, DVCA prompts you for it. For greater security, Oracle strongly recommends that you omit the password and then enter it interactively when prompted.
-logfile
is an optional flag to specify a log file name and location. You can enter an absolute path, or enter a path that is relative to the location of the $ORACLE_HOME
/bin
directory.
-silent
is the option to run in command line mode. This option is required if you are not running DVCA in an xterm window.
-nodecrypt
is the option to read plaintext passwords.
-lockout
is the flag to use to disable SYSDBA
operating system authentication.
To configure Oracle Database Vault on RAC nodes:
Ensure that the listener and database instance are running on the nodes on which you run DVCA.
At a command prompt, enter the DVCA command. For example:
dvca -action optionrac
-oh c:\oracle\product\11.1.0\db_1
-jdbc_str jdbc:oracle:oci:@orcl1
-racnode mynode
-silent
-logfile ./dvcalog.txt
Enter SYS password: sys_password
By default, Oracle Database Vault loads only the English language tables. You can use DVCA to add more languages to Oracle Database Vault by specifying the addlanguages
flag to the dvca -action
option.
This section contains:
The syntax for using dvca -action addlanguages
is as follows:
dvca -action addlanguages -oh Oracle_home -instance Oracle_SID_name -dbname database_name -jdbc_str jdbc_connection_string -sys_passwd SYS_password -dvsys_passwd DVSYS_password -languages language_list [-owner_account DV_owner_account_name] [-owner_passwd DV_owner_account_password] [-acctmgr_account DV_account_manager_account_name>] [-acctmgr_passwd DV_account_manager_password] [-silent] [-logfile ./dvca.log] [-nodecrypt] [-lockout] [-racnode node]
In this specification:
-action
is the action to perform. In this case the action is addlanguages
.
-oh
is the Oracle home for the Oracle RAC instance. Provide the ORACLE_HOME
path.
-instance
is the name of the database instance. You can confirm this name by querying the INSTANCE_NAME
column of the V$INSTANCE
view. It specified in the entry for the database instance in the listener.ora
file that is on the server.
-dbname
is the database name.
-sys_passwd
is the password for the SYS
user. If you enter a cleartext password on the command line, then you must include the nodecrypt
option. If you omit the password, then DVCA prompts you for it. For better security, Oracle strongly recommends that you omit the password and then enter it interactively when you are prompted.
-dvsys_passwd
is the password for the DVSYS
user. If you enter a cleartext password on the command line, then you must include the nodecrypt
option. If you omit the password, then DVCA prompts you for it. Preferably, omit the password and then enter the password interactively when prompted.
-jdbc_str
is the JDBC connection string used to connect to the database. Enter the net service name (that is, the SID) as it is listed in the tnsnames.ora
file, which is located in the $ORACLE_HOME/network/admin
directory. For example:
-jdbc_str jdbc:oracle:oci:@sales_orders
-languages
is the list of languages to be loaded. Provide the list of languages as a string in the following format:
{"language_1,language_2,language_n"}
Oracle Database Vault supports the following languages:
en : English |
ja : Japanese |
|
de : German |
ko : Korean |
|
es : Spanish |
pt_BR : Brazilian Portuguese |
|
fr : French |
zh_CN : Simplified Chinese |
|
it : Italian |
zh_TW : Traditional Chinese |
For example, to load English, Spanish, German, and French, you would enter the following setting:
-languages {"en,es,de,fr"}
-owner_account
is the Oracle Database Vault Owner (DV_OWNER
) account name.
-owner_passwd
is the Oracle Database Vault Owner account password. If you enter a cleartext password on the command line, then you must include the nodecrypt
option. If you omit the password, then DVCA prompts you for it. Preferably, omit the password and then enter it interactively when prompted.
-acctmgr_account
is the Oracle Database Vault Account Manager (DV_ACCTMGR
) user name.
-acctmgr_passwd
is the Oracle Database Vault Account Manager (DV_ACCTMGR
) password. If you enter a cleartext password on the command line, then you must include the nodecrypt
option. If you omit the password, then DVCA prompts you for it. Preferably, omit the password and then enter it interactively when prompted.
-silent
is the option to run in command line mode. This option is required if you are not running DVCA in an xterm window.
-logfile
is an optional flag to specify a log file name and location. You can enter an absolute path, or enter a path that is relative to the location of the $ORACLE_HOME
/bin
directory.
-nodecrypt
is the option to read plaintext passwords.
-lockout
is the flag used to disable SYSDBA
operating system authentication. (This option is deprecated.)
-racnode
is the host name of the Oracle RAC node on which the action is being performed. Do not include the domain name with the host name.
To add languages to Oracle Database Vault:
Disable Oracle Database Vault by completing the steps under "Step 1: Disable Oracle Database Vault", but do not perform Step 5.
Step 5 of that section is a DVCA command that disables the Oracle Database Vault service.
Use DVCA to add the languages you want.
For example:
dvca -action addlanguages -oh c:\oracle\product\11.1.0\db_1 -instance sales_orders -dbname sales_db -jdbc_str jdbc:oracle:oci:@sales_orders -languages {"es","ja"} -silent -logfile dvcalog.txt Enter SYS password: sys_password Enter DVSYS password: dvsys_password Enter owner password: owner_password Enter DV account manager password: dv_acct_password
Enable Oracle Database Vault by completing the steps "Step 3: Enable Oracle Database Vault", but do not perform Step 1 of that procedure.
The following procedure removes Oracle Database Vault from an Oracle Database installation. It applies to both single-instance and Oracle RAC installations. The deinstallation process does not affect the initialization parameter settings, even those settings that were modified during the installation process.
To deinstall Oracle Database Vault:
Stop the database, Database Control console process, and listener.
For example:
sqlplus sys as sysoper Enter password: password Connected. SQL> SHUTDOWN IMMEDIATE SQL> EXIT $ emctl stop dbconsole $ lsnrctl stop [listener_name]
For Oracle RAC installations, shut down each database instance as follows:
$ srvctl stop database -d db_name
On Windows, you can stop the database, Database Control console process, and listener from the Services tool in the Control Panel. The names of Oracle Database services begin with Oracle
.
Run the following commands to turn off the Oracle Database Vault option:
$ cd $ORACLE_HOME/rdbms/lib $ make -f ins_rdbms.mk dv_off lbac_off $ cd $ORACLE_HOME/bin $ relink oracle
Log in to SQL*Plus and then restart the database, Database Control console process, and listener.
For example:
SQL> STARTUP
SQL> EXIT
$ emctl stop dbconsole
$ lsnrctl start [listener_name]
For each instance in an Oracle RAC installation:
$ srvctl start database -d db_name
On Windows, you can restart the database, Database Control console process, and listener from the Services tool in the Control Panel. The names of Oracle Database services begin with Oracle
.
Log in to SQL*Plus as user SYS
with the SYSDBA
privilege.
Disable the Oracle Database Vault triggers.
SQL> ALTER TRIGGER DVSYS.DV_BEFORE_DDL_TRG DISABLE; SQL> ALTER TRIGGER DVSYS.DV_AFTER_DDL_TRG DISABLE;
Disable the recycle bin.
First, check the current setting of the RECYCLEBIN
initialization parameter.
SQL> SHOW PARAMETER RECYCLEBIN;
If the recycle bin is enabled, then disable it as follows:
SQL> ALTER SYSTEM SET RECYCLEBIN='OFF' SCOPE=SPFILE; SQL> SHUTDOWN IMMMEDIATE SQL> STARTUP
Disabling the recycle bin does not purge or otherwise affect objects that are already in the recycle bin. For better security, keep the recycle bin disabled. See "Security Considerations for the Recycle Bin".
Run the dvremov.sql
script to remove the Oracle Database Vault software.
SQL> @$ORACLE_HOME/rdbms/admin/dvremov.sql
Manually drop the DV_OWNER
and DV_ACCTMGR
user accounts and the DV_REALM_RESOURCE
and DV_REALM_OWNER
roles.
SQL> DROP DBV_OWNER CASCADE; SQL> DROP DBV_ACCTMGR CASCADE; SQL> DROP DV_REALM_RESOURCE; SQL> DROP DV_REALM_OWNER;
Drop the ACLs associated with the network privileges that are used by the DVSYS
schema.
SQL> EXEC DBMS_NETWORK_ACL_ADMIN.DROP_ACL ('/sys/acls/dvsys-network-privileges.xml'); SQL> COMMIT;
Enable Oracle Label Security.
$ cd $ORACLE_HOME/rdbms/lib $ make -f ins_rdbms.mk lbac_on ioracle
Afterward, you can double-check that Oracle Database Vault is truly deinstalled by logging in to SQL*Plus and entering the following statement:
SQL> SELECT * FROM V$OPTION WHERE PARAMETER = 'Oracle Database Vault';
If Oracle Database Vault is deinstalled, the following output appears:
PARAMETER VALUE ----------------------------- ----------------------- Oracle Database Vault FALSE
The following procedure applies to both single-instance and Oracle RAC installations.
To reinstall Oracle Database Vault:
Stop the database, Database Control console process, and listener.
For example:
sqlplus sys as sysoper Enter password: password Connected. SQL> SHUTDOWN IMMEDIATE SQL> EXIT $ emctl stop dbconsole $ lsnrctl stop [listener_name]
For Oracle RAC installations, shut down each database instance as follows:
$ srvctl stop database -d db_name
On Windows, you can stop the database, Database Control console process, and listener from the Services tool in the Control Panel. The names of Oracle Database services begin with Oracle
.
Enable Oracle Database Vault as follows:
$ cd $ORACLE_HOME/rdbms/lib $ make -f ins_rdbms.mk dv_on $ cd $ORACLE_HOME/bin $ relink oracle
Log in to SQL*Plus and then restart the database, Database Control console process, and listener.
For example:
SQL> STARTUP
SQL> EXIT
$ emctl stop dbconsole
$ lsnrctl start [listener_name]
For each instance in an Oracle RAC installation:
$ srvctl start database -d db_name
On Windows, you can restart the database, Database Control console process, and listener from the Services tool in the Control Panel. The names of Oracle Database services begin with Oracle
.
Register Oracle Database Vault.
See "Registering (Enabling) Oracle Database Vault" for more information.