Oracle® Audit Vault Server Installation Guide
10g Release 2 (10.2.2) for HP-UX PA-RISC (64-Bit)

Part Number E10118-01

3 Installing Audit Vault Server

This chapter provides an overview of the major steps required to install a single instance Oracle Audit Vault Server and to install Oracle Audit Vault Server with Oracle Real Application Clusters (Oracle RAC).

This chapter includes the following topics:

3.1 Accessing the Server Installation Software

The Oracle Audit Vault Server software is available on digital video disc (DVD).

3.2 Audit Vault Server Installation Details

This section provides an overview of requested information specific to the Audit Vault Server installation.

An Audit Vault Server installation consists of two options:

3.2.1 Basic and Advanced Installation Details Screens

This section describes the required fields in the Basic Installation Details screen and the Advanced Installation Details screen.

3.2.1.1 Audit Vault Name

The Audit Vault Name must be a unique name for the Audit Vault database. The name will be used for the database SID, and will be the first portion (<db_name>) of the database service name.

The name cannot exceed 8 characters and must begin with an alphabetic character.

The Audit Vault name cannot contain any of the characters shown in Table 3-1.

Table 3-1 Invalid Audit Vault Name and Audit Vault Account Characters

Symbol  Character Name         Symbol  Character Name         Symbol   Character Name
!       Exclamation point      "       Double quote mark      <        Less than sign
@       At sign                |       Vertical bar           >        Greater than sign
%       Percent sign           `       Grave                  /        Slash
^       Circumflex             ~       Tilde                  \        Backslash
&       Ampersand              [       Left bracket           ?        Question mark
*       Asterisk               {       Left brace             ,        Comma
(       Left parenthesis       ]       Right bracket          .        Period
)       Right parenthesis      }       Right brace            #        Number sign
-       Minus sign             ;       Semicolon              _        Underscore
+       Plus sign              :       Colon                  $        Dollar sign
=       Equal sign             '       Single quotation mark  (space)  Space character


3.2.1.2 Audit Vault Home

The Audit Vault Home is the path that you specify, or browse to, for the Audit Vault home where you want to install Oracle Audit Vault. The path can contain only alphanumeric characters (letters and numbers).

In addition, the following special characters shown in Table 3-2 are allowed.

Table 3-2 Special Characters Allowed in the Audit Vault Home Name

Symbol  Character Name    Symbol  Character Name
\       Backslash         _       Underscore
/       Slash             .       Period
-       Hyphen            :       Colon


3.2.1.3 Audit Vault Server Accounts

The Audit Vault Server installation software prompts you for user names and passwords for the Audit Vault Administrator user and the separate, optional Audit Vault Auditor user. In addition, a Database Vault Owner user and a separate, optional Database Vault Account Manager user are created for you (basic installation) or the installation prompts you for these user names and passwords (advanced installation). Finally, sys, system, sysman, and dbsnmp standard database users are created for you (basic installation) or the installation prompts for passwords for these users (advanced installation).

You need to supply a user name and password for the Audit Vault Administrator and optionally for the Audit Vault Auditor during installation. The Create a Separate Audit Vault Auditor check box is selected by default, which means that a separate Audit Vault Auditor account will be created (and the corresponding user name and password are required). The Audit Vault Administrator user will be granted the AV_ADMIN role and the Audit Vault Auditor user will be granted the AV_AUDITOR role. Deselecting this check box means the Audit Vault Administrator user will be granted both roles because the separate Audit Vault Auditor user will not be created.

Audit Vault Administrator and Audit Vault Auditor Accounts

The Audit Vault Administrator account is granted the AV_ADMIN role. The user granted the AV_ADMIN role can manage the postinstallation configuration. This role accesses Oracle Audit Vault services to administer, configure, and manage a running Oracle Audit Vault system. This role manages the audit services including source creation and parameters, and sources and their channels. This role registers audit sources, defines plug-ins for translation, and manages central audit settings. For the basic installation, the Audit Vault Administrator user name is used to generate the following Oracle Database Vault roles to facilitate the separation of duties:

  • AV_ADMINdvo -- the Database Vault Owner (granted DV_OWNER role) to manage Database Vault roles and configuration

  • AV_ADMINdva -- the Database Vault Account Manager (granted DV_ACCTMGR role) to manage database user accounts

For the advanced installation, a Database Vault User Credentials page prompts for the Database Vault Owner account name and password and a separate, optional Database Vault Account Manager account name and password.

The Audit Vault Auditor account is granted the AV_AUDITOR role. The user granted the AV_AUDITOR role accesses Audit Vault Reporting and Analysis services to monitor components, detect security risks, create and evaluate alert scenarios, create detail and summary reports of events across systems, and manage the reports. This role has the ability to configure parameters that assist in populating the Audit Vault Data Warehouse. This role can use the Data Warehouse services to further analyze the audit data to assist in looking for trends, intrusions, anomalies, and other areas of interest.

The Audit Vault Administrator, Audit Vault Auditor, Database Vault Owner, and Database Vault Account Manager user names must not be the same. For the basic installation, the Audit Vault Administrator user name must be between 2 and 27 characters: the characters "dvo" and "dva" are appended to the Administrator name, which reduces the normal upper limit of 30 characters to 27 characters. For the advanced installation, the Audit Vault Administrator user name must be between 2 and 30 characters.

The length of the Audit Vault Auditor user name must be between 2 and 30 characters. Each user name must not be one of the reserved names shown in Table 3-3.

Table 3-3 Reserved Names That Cannot Be Used in Audit Vault Account Names

Names

ACCESS                    ADD                       ALL                       ALTER                     AND
ANONYMOUS                 ANY                       AQ_ADMINISTRATOR_ROLE     AQ_USER_ROLE              ARRAYLEN
AS                        ASC                       AUDIT                     AUTHENTICATEDUSER         AV_ADMIN
AV_AGENT                  AV_ARCHIVER               AV_AUDITOR                AV_SOURCE                 AVSYS
BETWEEN                   BY                        CHAR                      CHECK                     CLUSTER
COLUMN                    COMMENT                   COMPRESS                  CONNECT                   CREATE
CTXAPP                    CTXSYS                    CURRENT                   DATE                      DBA
DBSNMP                    DECIMAL                   DEFAULT                   DELETE                    DELETE_CATALOG_ROLE
DESC                      DIP                       DISTINCT                  DM_CATALOG_ROLE           DMSYS
DMUSER_ROLE               DROP                      DV_ACCTMGR                DV_ADMIN                  DVF
DV_OWNER                  DV_PUBLIC                 DV_REALM_OWNER            DV_REALM_RESOURCE         DV_SECANALYST
DVSYS                     EJBCLIENT                 ELSE                      EXCLUSIVE                 EXECUTE_CATALOG_ROLE
EXFSYS                    EXISTS                    EXP_FULL_DATABASE         FILE                      FLOAT
FOR                       FROM                      GATHER_SYSTEM_STATISTICS  GLOBAL_AQ_USER_ROLE       GRANT
GROUP                     HAVING                    HS_ADMIN_ROLE             IDENTIFIED                IMMEDIATE
IMP_FULL_DATABASE         IN                        INCREMENT                 INDEX                     INITIAL
INSERT                    INTEGER                   INTERSECT                 INTO                      IS
JAVA_ADMIN                JAVADEBUGPRIV             JAVA_DEPLOY               JAVAIDPRIV                JAVASYSPRIV
JAVAUSERPRIV              LBAC_DBA                  LBACSYS                   LEVEL                     LIKE
LOCK                      LOGSTDBY_ADMINISTRATOR    LONG                      MAXEXTENTS                MDDATA
MDSYS                     MGMT_USER                 MGMT_VIEW                 MINUS                     MODE
MODIFY                    NOAUDIT                   NOCOMPRESS                NOT                       NOTFOUND
NOWAIT                    NULL                      NUMBER                    OEM_ADVISOR               OEM_MONITOR
OF                        OFFLINE                   OLAP_DBA                  OLAPSYS                   OLAP_USER
ON                        ONLINE                    ONT                       OPTION                    OR
ORDER                     ORDPLUGINS                ORDSYS                    OUTLN                     OWF_MGR
PCTFREE                   PRIOR                     PRIVILEGES                PUBLIC                    RAW
RECOVERY_CATALOG_OWNER    RENAME                    RESOURCE                  REVOKE                    ROW
ROWID                     ROWLABEL                  ROWNUM                    ROWS                      SCHEDULER_ADMIN
SCOTT                     SELECT                    SELECT_CATALOG_ROLE       SESSION                   SET
SHARE                     SI_INFORMTN_SCHEMA        SIZE                      SMALLINT                  SQLBUF
START                     SUCCESSFUL                SYNONYM                   SYS                       SYSDATE
SYSMAN                    SYSTEM                    TABLE                     THEN                      TO
TRIGGER                   TSMSYS                    UID                       UNION                     UNIQUE
UPDATE                    USER                      VALIDATE                  VALUES                    VARCHAR
VARCHAR2                  VIEW                      WHENEVER                  WHERE                     WITH
WKPROXY                   WKSYS                     WK_TEST                   WKUSER                    WM_ADMIN_ROLE
WMSYS                     XDB                       XDBADMIN

Each account name cannot contain any of the characters shown in Table 3-1.

Audit Vault Administrator and Audit Vault Auditor Passwords

For the basic installation, the password entered for the Audit Vault Administrator account is also used for the standard database accounts (sys, system, sysman, dbsnmp). On the Basic Installation Details page, the Audit Vault Administrator user password is also used for the Oracle Database Vault Owner and Oracle Database Vault Account Manager user passwords.

For the advanced installation, the installer can choose individual passwords for each of these database accounts (sys, system, sysman, dbsnmp) or select to use the same password as the Audit Vault Administrator for all of these accounts. In addition, a Database Vault User Credentials page prompts for the Database Vault Owner user password and for a separate, optional Database Vault Account Manager user password if that user is created.

The Audit Vault Administrator and Audit Vault Auditor password cannot be the name of the Audit Vault Administrator, Audit Vault Auditor, Database Vault Owner, or Database Vault Account Manager. The Audit Vault Administrator user password is required, while the Audit Vault Auditor user password is only required when creating the separate, optional Audit Vault Auditor user.

There cannot be repeating characters in each password. The length of each password must be between 8 and 30 characters. Each password must consist of at least one alphabetic character, one numeric character, and one of the following special characters shown in Table 3-4.

Table 3-4 Valid Audit Vault Administrator and Audit Vault Auditor Password Characters

Symbol  Character Name    Symbol  Character Name    Symbol  Character Name
%       Percent sign      +       Plus sign         ]       Right bracket
^       Circumflex        ~       Tilde             .       Period
-       Hyphen            ,       Comma             _       Underscore
[       Left bracket      #       Number sign

Each password must be identical to its corresponding password confirmation.

3.2.2 Advanced Server Installation: Database Vault User Credentials Screen

The Audit Vault Server installation software prompts you for two accounts that you create during installation. These are the Database Vault Owner account and the separate, optional Database Vault Account Manager account. You need to supply an account name and password for the Database Vault Owner account, and optionally for the Database Vault Account Manager account during installation.

The Create a Separate Database Vault Account Manager check box is selected by default, which means that a separate Database Vault Account Manager account will be created (and the corresponding user name and password are required). The Database Vault Owner user will be granted the DV_OWNER role and the Database Vault Account Manager user will be granted the DV_ACCTMGR role. Deselecting this check box means the Database Vault Owner user will be granted both roles because the separate Database Vault Account Manager user will not be created.

3.2.2.1 Database Vault Owner and Database Vault Account Manager Accounts

The Database Vault Owner, Database Vault Account Manager, Audit Vault Administrator, and Audit Vault Auditor account names must be different from each other (applicable when a separate Audit Vault Auditor or Database Vault Account Manager account is created). The Database Vault Owner name is required.

The length of each account name must be between 2 and 30 characters.

Each account name must not be one of the reserved names shown in Table 3-3.

Each account name cannot contain any of the characters shown in Table 3-1.

3.2.2.2 Database Vault Owner and Database Vault Account Manager Passwords

The Database Vault Owner or Database Vault Account Manager password must not be the name of the Audit Vault Administrator, Audit Vault Auditor, Database Vault Owner, or Database Vault Account Manager. The Database Vault Owner user password is required, while the Database Vault Account Manager user password is only required when creating the separate, optional Database Vault Account Manager user.

There must be no repeating characters in each password. There must be no space characters in the password.

The length of each password must be between 8 and 30 characters.

Each password must consist of at least one alphabetic character, one numeric character, and one of the following special characters shown in Table 3-4. All other characters are not allowed.

Each password must be identical to its corresponding password confirmation.
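
The account-name and password rules from Sections 3.2.1.3 and 3.2.2, written as a check to run on the values before starting the installer. This is an added example, not Oracle code: the function names, role keys and error strings are assumptions made for illustration. Two points the page leaves open are also assumptions: "repeating characters" is read as any character used more than once (the stricter reading), and names are compared without regard to case.

```python
import string

# Table 3-1: characters that may not appear in an account name (space included).
INVALID_NAME_CHARS = set("!\"<@|>%`/^~\\&[?*{,(].)}#-;_+:$=' ")
# Table 3-4: special characters; every password needs at least one of them.
PASSWORD_SPECIALS = set("%+]^~.-,_[#")
# Table 3-3: reserved names. Matching is case-insensitive (assumption).
RESERVED_NAMES = set("""
ACCESS ADD ALL ALTER AND ANONYMOUS ANY AQ_ADMINISTRATOR_ROLE AQ_USER_ROLE ARRAYLEN AS ASC AUDIT
AUTHENTICATEDUSER AV_ADMIN AV_AGENT AV_ARCHIVER AV_AUDITOR AV_SOURCE AVSYS BETWEEN BY CHAR CHECK
CLUSTER COLUMN COMMENT COMPRESS CONNECT CREATE CTXAPP CTXSYS CURRENT DATE DBA DBSNMP DECIMAL
DEFAULT DELETE DELETE_CATALOG_ROLE DESC DIP DISTINCT DM_CATALOG_ROLE DMSYS DMUSER_ROLE DROP
DV_ACCTMGR DV_ADMIN DVF DV_OWNER DV_PUBLIC DV_REALM_OWNER DV_REALM_RESOURCE DV_SECANALYST DVSYS
EJBCLIENT ELSE EXCLUSIVE EXECUTE_CATALOG_ROLE EXFSYS EXISTS EXP_FULL_DATABASE FILE FLOAT FOR FROM
GATHER_SYSTEM_STATISTICS GLOBAL_AQ_USER_ROLE GRANT GROUP HAVING HS_ADMIN_ROLE IDENTIFIED IMMEDIATE
IMP_FULL_DATABASE IN INCREMENT INDEX INITIAL INSERT INTEGER INTERSECT INTO IS JAVA_ADMIN
JAVADEBUGPRIV JAVA_DEPLOY JAVAIDPRIV JAVASYSPRIV JAVAUSERPRIV LBAC_DBA LBACSYS LEVEL LIKE LOCK
LOGSTDBY_ADMINISTRATOR LONG MAXEXTENTS MDDATA MDSYS MGMT_USER MGMT_VIEW MINUS MODE MODIFY NOAUDIT
NOCOMPRESS NOT NOTFOUND NOWAIT NULL NUMBER OEM_ADVISOR OEM_MONITOR OF OFFLINE OLAP_DBA OLAPSYS
OLAP_USER ON ONLINE ONT OPTION OR ORDER ORDPLUGINS ORDSYS OUTLN OWF_MGR PCTFREE PRIOR PRIVILEGES
PUBLIC RAW RECOVERY_CATALOG_OWNER RENAME RESOURCE REVOKE ROW ROWID ROWLABEL ROWNUM ROWS
SCHEDULER_ADMIN SCOTT SELECT SELECT_CATALOG_ROLE SESSION SET SHARE SI_INFORMTN_SCHEMA SIZE
SMALLINT SQLBUF START SUCCESSFUL SYNONYM SYS SYSDATE SYSMAN SYSTEM TABLE THEN TO TRIGGER TSMSYS
UID UNION UNIQUE UPDATE USER VALIDATE VALUES VARCHAR VARCHAR2 VIEW WHENEVER WHERE WITH WKPROXY
WKSYS WK_TEST WKUSER WM_ADMIN_ROLE WMSYS XDB XDBADMIN
""".split())


def name_problems(role, name, max_len=30):
    """Return the account-name rules that `name` breaks (empty list if none)."""
    problems = []
    if not 2 <= len(name) <= max_len:
        problems.append(f"{role}: name length must be between 2 and {max_len}")
    bad = sorted(set(name) & INVALID_NAME_CHARS)
    if bad:
        problems.append(f"{role}: name contains invalid characters {bad}")
    if name.upper() in RESERVED_NAMES:
        problems.append(f"{role}: name is a reserved name")
    return problems


def password_problems(role, password, account_names, dv_account=False):
    """Return the password rules that `password` breaks (empty list if none)."""
    problems = []
    if not 8 <= len(password) <= 30:
        problems.append(f"{role}: password length must be between 8 and 30")
    # Assumption: "repeating" means any character that occurs more than once.
    if len(set(password)) != len(password):
        problems.append(f"{role}: password has repeating characters")
    classes = {
        "an alphabetic character": string.ascii_letters,
        "a numeric character": string.digits,
        "a Table 3-4 special character": PASSWORD_SPECIALS,
    }
    for label, members in classes.items():
        if not any(c in members for c in password):
            problems.append(f"{role}: password needs {label}")
    if password.upper() in {n.upper() for n in account_names}:
        problems.append(f"{role}: password equals an account name")
    if dv_account:
        # Section 3.2.2.2: no spaces, and all other characters are not allowed.
        allowed = set(string.ascii_letters + string.digits) | PASSWORD_SPECIALS
        if set(password) - allowed:
            problems.append(f"{role}: password has characters outside Table 3-4")
    return problems


def validate_install(mode, accounts):
    """mode is 'basic' or 'advanced'; accounts maps a role key to (name, password).
    Role keys (hypothetical): 'admin', 'auditor', 'dv_owner', 'dv_acctmgr'."""
    required = ["admin"] + (["dv_owner"] if mode == "advanced" else [])
    missing = [r for r in required if r not in accounts]
    if missing:
        return [f"{r}: account is required" for r in missing]
    names = {role: name for role, (name, _) in accounts.items()}
    if mode == "basic":
        # The basic installation derives both Database Vault users from the admin name.
        names["dv_owner"] = names["admin"] + "dvo"
        names["dv_acctmgr"] = names["admin"] + "dva"
    problems = []
    for role, (name, password) in accounts.items():
        # The "dvo"/"dva" suffix leaves 27 characters for the admin name in basic mode.
        max_len = 27 if (mode == "basic" and role == "admin") else 30
        problems += name_problems(role, name, max_len)
        problems += password_problems(role, password, names.values(),
                                      dv_account=role.startswith("dv_"))
    seen = {}
    for role, name in names.items():
        other = seen.setdefault(name.upper(), role)
        if other != role:
            problems.append(f"{role}: name duplicates the {other} name")
    return problems
```

In basic mode the derived Database Vault names take part in the uniqueness check, so an Auditor name that equals the Administrator name plus "dvo" or "dva" is reported before the installer rejects it.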

3.2.3 Advanced Server Installation: Node Selection Screen

The Node Selection screen will display when you install Audit Vault on an Oracle RAC environment. On this screen, users can select the nodes on which they want to install Audit Vault, or they can select a local installation to install Audit Vault single instance.

3.2.4 Advanced Server Installation: Specify Database Storage Options Screen

On the Specify Database Storage Options screen, you can select either File System, Automatic Storage Management, or Raw Storage.

File System

If you choose the File System option, then Database Configuration Assistant creates the database files in a directory on a file system mounted on the computer. Oracle recommends that the file system you choose be separate from the file systems used by the operating system or the Oracle software. The file system that you choose can be any of the following:

  • A file system on a disk that is physically attached to the system

    If you are creating a database on basic disks that are not logical volumes or redundant arrays of independent disks (RAID) devices, then Oracle recommends that you follow the Optimal Flexible Architecture (OFA) recommendations and distribute the database files over more than one disk.

  • A file system on a logical volume manager (LVM) volume or a RAID device

    If you are using multiple disks in an LVM or RAID configuration, then Oracle recommends that you use the stripe and mirror everything (SAME) methodology to increase performance and reliability. Using this methodology, you do not need to specify more than one file system mounting point for database storage.

  • A network file system (NFS) mounted from a certified network attached storage (NAS) device

    You can store database files on NAS devices only if the NAS device is certified by Oracle.

    See Also:

    "Using Network Attached Storage or NFS File Systems" section in the Oracle Database Installation Guide for more information about certified NAS and NFS devices.

Automatic Storage Management

Automatic Storage Management is a high-performance storage management solution for Oracle Audit Vault database files. It simplifies the management of a dynamic database environment, such as creating and laying out databases and managing disk space.

Note:

An existing ASM instance must be installed to select the ASM option for database storage.

Automatic Storage Management can be used with a single instance Audit Vault installation, multiple Audit Vault installations, and in an Oracle Real Application Clusters (Oracle RAC) environment. Automatic Storage Management manages the storage of all Audit Vault database files, such as redo logs, control files, data pump export files, and so on.

See Also:

Oracle Database Administrator's Guide for more information.

Raw Devices

Raw devices are disk partitions or logical volumes that have not been formatted with a file system. When you use raw devices for database file storage, Oracle Database writes data directly to the partition or volume, bypassing the operating system file system layer. For this reason, you can sometimes achieve performance gains by using raw devices. However, because raw devices can be difficult to create and administer, and because the performance gains over more modern file systems are minimal, Oracle recommends that you choose Automatic Storage Management or file system storage instead of raw devices.

3.2.5 Advanced Server Installation: Specify Backup and Recovery Option Screen

On the Specify Backup and Recovery screen, you can choose Enable Automated Backups or Do Not Enable Automated Backups.

If you choose Enable Automated Backups, then Oracle Enterprise Manager schedules a daily backup job that uses Oracle Recovery Manager (RMAN) to back up all the database files to an on-disk storage area called the flash recovery area. The first time the backup job runs, it creates a full backup of the database. Subsequent backup jobs perform incremental backups, which enable you to recover the database to its state at any point during the preceding 24 hours.

To enable automated backup jobs during installation, you must specify the following information:

  • The location of the flash recovery area

    You can choose to use either a file system directory or an Automatic Storage Management disk group for the flash recovery area. The default disk quota configured for the flash recovery area is 2 GB. For Automatic Storage Management disk groups, the required disk space depends on the redundancy level of the disk group that you choose. See Oracle Database Installation Guide for more information on how to choose the location of the flash recovery area and to determine its disk space requirements.

  • An operating system user name and password for the backup job

    Oracle Enterprise Manager uses the operating system credentials that you specify when running the backup job. The user name that you specify must belong to the HP-UX PA-RISC (64-Bit) group that identifies database administrators (the OSDBA group, typically dba). The Oracle software owner user name (typically oracle) that you use to install the software is a suitable choice for this user.

    Section 2.6 describes the requirements for the OSDBA group and Oracle software owner user and describes how to create them.

Backup Job Default Settings

If you enable automated backups after choosing one of the preconfigured databases during the installation, then automated backup is configured with the following default settings:

  • The backup job is scheduled to run nightly at 2:00 a.m.

  • The disk quota for the flash recovery area is 2 GB.

If you enable automated backups by using Database Configuration Assistant after the installation, then you can specify a different start time for the backup job and a different disk quota for the flash recovery area.

For information about using Oracle Enterprise Manager Database Control to configure or customize automated backups or to recover a backed up database, see Oracle Database 2 Day DBA.

For more detailed information about defining a backup strategy and backing up and recovering Oracle databases, see Oracle Database Backup and Recovery Advanced User's Guide.

3.2.6 Advanced Server Installation: Specify Database Schema Passwords Screen

On the Specify Database Schema Passwords screen, provide the passwords for the four standard database accounts (sys, system, sysman, and dbsnmp).

Either enter and confirm passwords for the privileged database accounts, or select the Use the same passwords for all accounts option. Make your selection, then click Next.

3.2.7 Default Audit Policy and Initialization Parameters

Oracle Audit Vault installs a baseline database auditing policy. This policy covers the access control configuration information stored in Audit Vault database tables, information stored in Oracle Catalog (rollback segments, tablespaces, and so on), the use of system privileges, and Oracle Label Security configuration.

See Also:

Oracle Audit Vault Administrator's Guide for more information about the database audit policy

When you install Oracle Database Vault, the security-specific, database initialization parameters are initialized with default values. See "Initialization Parameters" appendix in Oracle Database Vault Installation Guide for HP-UX PA-RISC (64-Bit) for more information.

3.3 Basic Installation -- Performing the Single Instance Server Installation

To perform Audit Vault Server Single Instance Basic Installation:

  1. Invoke Oracle Universal Installer (OUI) to install Oracle Audit Vault as an Oracle Database 10g release 2 (10.2.0.3) database. You should run the installer as the software owner account that owns the current ORACLE_HOME environment. This is normally the oracle account.

    Log in as the oracle user. Alternatively, switch the user to oracle using the su - command. Change your current directory to the directory containing the installation files. Start Oracle Universal Installer from the Oracle Audit Vault package.

    cd <directory containing the Oracle Audit Vault installation files>
    ./runInstaller
    
    
  2. On the Select Installation Type page, select the Basic Installation option, then click Next.

  3. Enter the following information on the Basic Installation Details page. See Section 3.2 for more information about each of these topics.

    1. Audit Vault Name -- a unique name for the Audit Vault database. The Audit Vault name is required. The name will be used as the database SID, and will be the first portion (<db_name>) of the database service name.

    2. Audit Vault Home -- specify or browse to find the path to the Audit Vault Home where you want to install Oracle Audit Vault.

    3. Audit Vault Administrator and Audit Vault Auditor -- the account name of the Audit Vault Administrator and a separate, optional Audit Vault Auditor, respectively. The Audit Vault Administrator and Audit Vault Auditor account names must not be the same. The Audit Vault Administrator account name is required. Accept the selected Create a Separate Audit Vault Auditor check box to choose to create the Audit Vault Auditor account name. The check box is selected by default. Deselecting the check box disables the text fields for the Audit Vault Auditor user name and password. The Audit Vault Administrator in this case will also be granted the role of Audit Vault Auditor.

      The Audit Vault Administrator user name will also be used for the following Oracle Database Vault roles that are created to facilitate the separation of duties:

      AV_ADMINdvo -- the Database Vault Owner (granted DV_OWNER role) to manage Database Vault roles and configuration, where AV_ADMIN represents the Audit Vault Administrator user name.

      AV_ADMINdva -- the Database Vault Account Manager (granted DV_ACCTMGR role) to manage database user accounts, where AV_ADMIN represents the Audit Vault Administrator user name.

    4. Administrator Password and Auditor Password -- the password for the Audit Vault Administrator account and the Audit Vault Auditor account, respectively.

      There cannot be repeating characters in each password. The length of each password must be between 8 and 30 characters. Each password must consist of at least one alphabetic character, one numeric character, and one of the following special characters shown in Table 3-4.

      The password entered for the Audit Vault Administrator account will also be used for the standard database accounts (sys, system, sysman, dbsnmp).

      The Audit Vault Administrator password will also be used for the Oracle Database Vault roles (Database Vault Owner and the Database Vault Account Manager users) that are created to facilitate the separation of duties.

    5. Confirm Password -- the confirming password for the Audit Vault Administrator account and the Audit Vault Auditor account, respectively.

      Each password must be identical to its corresponding password confirmation.

    After entering the required information, click Next to continue with the installation. The Next button is enabled only when information has been entered for all the required fields. Validation of information is done on all user input after you click Next. The installation process will not continue until all required input passes validation.

  4. Review the installation prerequisite checks on the Prerequisite Check page. This is when all the installation prerequisite checks are performed and the results display. Verify that all prerequisite checks succeed, then click Next.

    Oracle Universal Installer checks the system to verify that it is configured correctly to run Oracle software. If you have completed all of the preinstallation steps in this guide, all of the checks should pass.

    If a check fails, then review the cause of the failure listed for that check on the screen. If possible, rectify the problem and rerun the check. Alternatively, if you are satisfied that your system meets the requirements, then you can select the check box for the failed check to manually verify the requirement.

  5. Review the installation summary information on the Basic Installation Summary page. After reviewing this installation information, click Install to begin the installation procedure.

  6. Provide information or run scripts as root when prompted by OUI. If you need assistance during installation, click Help. If you encounter problems during installation, then examine the OUI actions recorded in the installation log file. The log file is located in the cfgtoollogs/oui directory, in the following location:

    $ORACLE_HOME/cfgtoollogs/oui/installActions<date_time>.log
    
    
  7. After the installation completes, take note of the Oracle Enterprise Manager Database Control URL and the Audit Vault Console URL. Next on the Exit page, click Exit. Then, on the Confirmation message box click Yes to exit Oracle Universal Installer.

3.4 Advanced Installation -- Prerequisite Information for Installing in an Oracle Real Application Clusters Environment

This section assumes you performed phase one of the installation procedures for installing Oracle Audit Vault with Oracle Real Application Clusters (Oracle RAC) as described in Oracle Database Oracle Clusterware and Oracle Real Application Clusters Installation Guide for HP-UX. These tasks include preinstallation tasks, configuring Oracle Clusterware and Oracle Database storage, and installing Oracle Clusterware. You are now ready to install Oracle Audit Vault in an Oracle RAC environment.

This section describes phase two of the installation procedures for installing Oracle Audit Vault with Oracle Real Application Clusters (Oracle RAC). This chapter also describes some of the Oracle Universal Installer (OUI) features. This section contains the following topics:

3.4.1 Verifying System Readiness for Installing Oracle Audit Vault with CVU

To help verify that your system is prepared to install Oracle Audit Vault with Oracle RAC successfully, use the Cluster Verification Utility (CVU) runcluvfy command.

See the "Verifying System Readiness for Installing Oracle Database with CVU" section in Oracle Database Oracle Clusterware and Oracle Real Application Clusters Installation Guide for HP-UX.

If the cluster verification check fails, then review and correct the relevant system configuration steps, and run the test again. Use the system configuration checks described in "Troubleshooting Installation Setup" section in Oracle Database Oracle Clusterware and Oracle Real Application Clusters Installation Guide for HP-UX to assist you.

3.5 Advanced Installation -- Installing Single Instance and in an Oracle Real Application Clusters Environment

This section describes the advanced installation for both the single instance installation and the Oracle RAC installation.

Perform the following procedures to install the Oracle Audit Vault.

  1. Run Oracle Universal Installer (OUI) to install Oracle Audit Vault. You should run the installer as the software owner account that owns the current ORACLE_HOME environment. This is normally the oracle account.

    Log in as the oracle user. Alternatively, switch user to oracle using the su - command. Change your current directory to the directory containing the installation files. Start Oracle Universal Installer from the Oracle Audit Vault package.

    cd <directory containing the Oracle Audit Vault installation files>
    ./runInstaller
    
    
  2. On the Select Installation Type page, select the Advanced Installation option, then click Next.

  3. Enter the following information on the Advanced Installation Details page. See Section 3.2 for more information about each of these topics.

    1. Audit Vault Name -- a unique name for the Audit Vault database. The Audit Vault name is required. For single instance installation, the name will be used as the database SID, and will be the first portion (<db_name>) of the database service name. For Oracle RAC installation, the name will be used to derive the Oracle RAC database SID of each Oracle RAC node, and will be the first portion (<db_name>) of the database service name.

    2. Audit Vault Home -- specify or browse to find the path to the Audit Vault home where you want to install Oracle Audit Vault.

    3. Audit Vault Administrator and Audit Vault Auditor -- the account name of the Audit Vault Administrator and a separate, optional Audit Vault Auditor, respectively. The Audit Vault Administrator and Audit Vault Auditor account names cannot be the same. The Audit Vault Administrator account name is required. Accept the selected Create a Separate Audit Vault Auditor check box to choose to create the Audit Vault Auditor account name. The check box is selected by default. Deselecting the check box disables the text fields for the Audit Vault Auditor user name and password. The Audit Vault Administrator in this case will also be granted the role of Audit Vault Auditor.

    4. Administrator Password and Auditor Password -- the password for the Audit Vault Administrator account and the Audit Vault Auditor account, respectively.

      There cannot be repeating characters in each password. The length of each password must be between 8 and 30 characters. Each password must consist of at least one alphabetic character, one numeric character, and one of the following special characters shown in Table 3-4.

    5. Confirm Password -- the confirming password for the Audit Vault Administrator account and the Audit Vault Auditor account, respectively.

      Each password must be identical to its corresponding password confirmation.

    After entering the required information, click Next to continue with the installation. The Next button is enabled only when information has been entered for all the required fields. Validation of information is done on all user input after you click Next. The installation process will not continue until all required input passes validation.

  4. Enter the following information on the Database Vault User Credentials page. See Section 3.2.2 for more information about each of these topics.

    1. Database Vault Owner and Database Vault Account Manager -- the account name of the Database Vault Owner and a separate, optional Database Vault Account Manager, respectively. The Database Vault Owner, Database Vault Account Manager, Audit Vault Administrator, and Audit Vault Auditor account names must not be the same (applicable when a separate Audit Vault Auditor or Database Vault Account Manager account is created). The Database Vault Owner name is required. Accept the selected Create a Separate Database Vault Account Manager check box to choose to create the Database Vault Account Manager account name. The check box is selected by default. Deselecting the check box disables the text fields for the Database Vault Account Manager user name and password. The Database Vault Owner in this case will also be granted the role of Database Vault Account Manager.

    2. Database Vault Owner Password and Database Vault Account Manager Password -- the password for the Database Vault Owner account and the Database Vault Account Manager account, respectively.

      There cannot be repeating characters and space characters in each password. The length of each password must be between 8 and 30 characters. Each password must consist of at least one alphabetic character, one numeric character, and one of the following special characters shown in Table 3-4.

    3. Confirm Password -- the confirming password for the Database Vault Owner account and the Database Vault Account Manager account, respectively.

      Each password must be identical to its corresponding password confirmation.

    After entering the required information, click Next to continue with the installation. The Next button is enabled only when information has been entered for all the required fields. Validation of information is done on all user input after you click Next. The installation process will not continue until all required input passes validation.

  5. If installing on a clustered system (Oracle Clusterware (CRS) is installed and the system is already part of a cluster), the Node Selection page appears, from which you select the nodes on which Audit Vault needs to be installed. The local node is always selected by default. If you are installing Audit Vault single instance on this local node only, select the Local Only Installation option, then click Next.

    If installing on a clustered system (Oracle Clusterware (CRS) is installed and the system is already part of a cluster), select the nodes on which Audit Vault needs to be installed, then click Next.

  6. Review the installation prerequisite checks on the Prerequisite Check page. This is when all the installation prerequisite checks are performed and the results display. Verify that all prerequisite checks succeed, then click Next.

    Oracle Universal Installer checks the system to verify that it is configured correctly to run Oracle software. If you have completed all of the preinstallation steps in this guide, all of the checks should pass.

    If a check fails, then review the cause of the failure listed for that check on the screen. If possible, rectify the problem and rerun the check. Alternatively, if you are satisfied that your system meets the requirements, then you can select the check box for the failed check to manually verify the requirement.

  7. On the Specify Database Storage Options page, one of the following storage options can be selected: File system, Automated Storage Management (ASM), or Raw Devices.

    If the File System is selected, specify or browse to the database file location for the data files. If Raw Devices is selected, specify the path or browse to the Raw Devices mapping file. If Automated Storage Management (ASM) is selected, you must have already installed ASM. Make a selection and click Next.

  8. On the Specify Backup and Recovery Options page, you can choose either to not enable automated backups or to enable automated backups.

    If you select the Do not enable Automated backups option, click Next.

    If you select the Enable Automated backups option, then you must specify a Recovery Area Storage. You can choose either to use the File System option or the Automatic Storage Management option.

    If you select the File System option, specify a path or browse to the recovery area location. Next, for Backup Job Credentials, enter the operating system credentials (user name and password) of the user account with administrative privileges to be used for the backup jobs, then click Next.

    If you select the Automatic Storage Management option, then for Backup Job Credentials, enter the operating system credentials (user name and password) of the user account with administrative privileges to be used for the backup jobs, then click Next.

    Next, select the disk group from the existing disk groups. If the selected disk group has enough free space, clicking Next displays the Specify Database Schema Passwords page (see Step 9). If the selected disk group does not have enough free space, the Configure Automatic Storage Management page displays.

    On the Configure Automatic Storage Management page, you can select the disks to add from the Add Member Disks table by selecting the check box in the Select column for the corresponding disks.

    On HP-UX PA-RISC (64-Bit) systems, the default path for discovering eligible disks is /dev/rdsk/*. If your disks are located elsewhere, you must change the disk discovery path for the disks to be discovered by Oracle Universal Installer. To change the path, click Change Disk Discovery Path.

  9. On the Specify Database Schema Passwords page, you can choose to enter different passwords for each privileged database account or select the Use the same passwords for all accounts option. If you choose to enter a set of valid passwords for each privileged database account, enter these passwords. If you select the Use the same passwords for all accounts option, then enter a single valid password. When finished, click Next.

  10. Review the installation summary information on the Advanced Installation Summary page. After reviewing this installation information, click Install to begin the installation procedure.

  11. Run scripts as root when prompted by Oracle Universal Installer. If you need assistance during installation, click Help. If you encounter problems during installation, then examine the OUI actions recorded in the installation log file. The log file is located in the cfgtoollogs/oui directory in the following location:

    $ORACLE_HOME/cfgtoollogs/oui/installActionsdate_time.log
    
    

    Note:

    The Oracle home name and path that you provide during database installation must be different from the home that you used during the Oracle Clusterware installation in phase one. You cannot install Oracle Audit Vault with Oracle RAC software into the same home in which you installed the Oracle Clusterware software.

    The following is a list of additional information to note about installation:

    • If you are not using the ASM library driver (ASMLIB), and you select Automatic Storage Management (ASM) during installation, then ASM default discovery finds all disks that ASMLIB marks as ASM disks.

    • If you are not using ASMLIB, and you select ASM during installation, then ASM default discovery finds all disks marked /dev/raw/* for which the Oracle user has read/write permission. You can change the disk discovery string during the installation if the disks you want to use for ASM are located elsewhere.

    • On the Select Database Management Option page, if you have already completed the Grid Control Management Agent installation, then you can select either Grid or Local Database control. Otherwise, only Local Database control for database management is supported for Oracle RAC. When you use the local Database Control, you can choose the email option and enter the outgoing SMTP server name and e-mail address.

    See Also:

    Oracle Enterprise Manager Grid Control Installation and Basic Configuration for details about installing Grid Control with OUI, and Oracle Enterprise Manager Advanced Configuration Guide for details about installing Database Control with DBCA and EMCA.

  12. After the installation completes, take note of the Oracle Enterprise Manager Database Control URL and the Audit Vault Console URL. Next, on the Exit page, click Exit. Then, on the Confirmation message box, click Yes to exit Oracle Universal Installer.

After you have completed the second and final phase of the installation, proceed to Section 3.7 to perform the postinstallation tasks.
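
The installer validates the password and account-name rules given in the credential steps above only after you click Next. As an added example (not part of the Oracle guide), the following shell functions check candidate values against those rules beforehand. The function names are hypothetical, the special-character set must be supplied by the caller from Table 3-4, "repeating characters" is assumed to mean the same character twice in a row, and account names are assumed to compare case-insensitively.

```shell
#!/bin/sh
# Pre-check of the credential rules stated in the installation steps.

# check_vault_password PASSWORD SPECIALS
# Prints "ok" and returns 0, or prints the first failed rule and returns 1.
# SPECIALS is the caller-supplied character set from Table 3-4.
check_vault_password() {
    pw=$1; specials=$2
    if [ "${#pw}" -lt 8 ] || [ "${#pw}" -gt 30 ]; then
        echo "length must be between 8 and 30"; return 1
    fi
    # The no-space rule is stated for the Database Vault passwords.
    case $pw in *" "*) echo "space character"; return 1 ;; esac
    alpha=0; digit=0; special=0; prev=; rest=$pw
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}    # first character of what is left
        rest=${rest#?}
        # Assumption: "repeating" means the same character twice in a row.
        if [ "$c" = "$prev" ]; then echo "repeating character"; return 1; fi
        case $c in
            [A-Za-z]) alpha=1 ;;
            [0-9])    digit=1 ;;
            *) case $specials in *"$c"*) special=1 ;; esac ;;
        esac
        prev=$c
    done
    if [ "$alpha" -eq 0 ]; then echo "no alphabetic character"; return 1; fi
    if [ "$digit" -eq 0 ]; then echo "no numeric character"; return 1; fi
    if [ "$special" -eq 0 ]; then
        echo "no special character from the supplied set"; return 1
    fi
    echo "ok"
}

# check_distinct_accounts NAME...
# The four account names must differ; empty arguments stand for optional
# accounts that are not being created.
# Assumption: names are compared case-insensitively.
check_distinct_accounts() {
    seen=" "
    for name in "$@"; do
        if [ -z "$name" ]; then continue; fi
        key=$(printf '%s' "$name" | tr '[:lower:]' '[:upper:]')
        case $seen in
            *" $key "*) echo "duplicate account name: $name"; return 1 ;;
        esac
        seen="$seen$key "
    done
    echo "ok"
}
```

Both functions return a non-zero status together with the failed rule, so they can gate a script that collects the installation input.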

3.6 Performing a Silent Installation Using a Response File

Note:

The Basic installation is not supported in silent mode. Silent installation is only supported for the Advanced installation.

Follow these brief steps to perform a silent install using a response file:

  1. Make sure all the prerequisites are met for the installation of Audit Vault Server and Audit Vault Agent.

  2. Prepare the Audit Vault Server response file. A template response file can be found at <AV installer location>/response/av.rsp on the Audit Vault Server installation media.

    Prepare the response file by entering values for all parameters that are missing in the first part of the response file, then save the file. Note that for single instance installations, RAW storage is not used. Also note that the CLUSTER_NODES parameter must be specified for installing Audit Vault Server in an Oracle RAC environment. Do not edit any values in the second part of either response file.

  3. Set the DISPLAY environment variable to an appropriate value before proceeding with the silent install. See Section 2.11 for more information.

  4. Invoke Oracle Universal Installer using the following options:

    ./runInstaller -silent -responseFile <Path of response file>
    
    

For more information about these options, see Section 1.4.2. For general information about how to complete a database installation using response files, see Oracle Database Oracle Clusterware and Oracle Real Application Clusters Installation Guide for HP-UX.

3.7 Postinstallation Server Tasks

Note:

The use of the Database Configuration Assistant (DBCA) to configure additional components after an Audit Vault Server installation is not supported. Audit Vault installs with all the components it requires already configured, so no additional components need to be configured using DBCA.

Creation of additional databases in the Audit Vault home is not supported.

This section describes the following topics:

3.7.1 Unlocking and Resetting User Passwords

The password entered for the Audit Vault Administrator is used as the password for core database accounts such as SYS, SYSTEM, SYSMAN, and DBSNMP in the case of a basic installation. For an advanced installation, the user is given the option of changing the password for each of these accounts.

For a basic installation, the same Audit Vault Administrator password is also used for two further accounts: AV_ADMINdvo, the Database Vault Owner (granted the DV_OWNER role), which manages Database Vault roles and configuration; and AV_ADMINdva, the Database Vault Account Manager (granted the DV_ACCTMGR role), which manages database user accounts. You must change these passwords according to your company policies.

For an advanced installation, the Database Vault Owner user password and the separate, optional Database Vault Account Manager user password are entered for these users. You must change these passwords according to your company policies.

3.7.1.1 Using SQL*Plus to Unlock Accounts and Reset Passwords

To unlock and reset user account passwords using SQL*Plus:

  1. Start SQL*Plus and log in as the AV_ADMINdva account.

  2. Enter a command similar to the following, where account is the user account that you want to unlock and password is the new password:

    SQL> ALTER USER account [ IDENTIFIED BY password ] ACCOUNT UNLOCK;
    
    

    In this example:

    • The ACCOUNT UNLOCK clause unlocks the account.

    • The IDENTIFIED BY password clause resets the password.

      Note:

      If you unlock an account but do not reset the password, then the password remains expired. The first time someone connects as that user, they must change the password.

      To permit unauthenticated access to your data through HTTP, unlock the ANONYMOUS user account.

      See Also:

      Oracle Database Administrator's Guide for more information about:
      • Unlocking and changing passwords after installation

      • Oracle security procedures

      • Best security practices

3.7.2 Enabling or Disabling Connections with the SYSDBA Privilege

In a default Audit Vault installation, the operating system authentication to the database is disabled. In addition, connections to the database using the SYSDBA privilege (that is, those that use the AS SYSDBA clause) are disabled. This is a security feature and is implemented to prevent misuse of the SYSDBA privilege.

If a password file was created using the orapwd utility with the nosysdba flag set to y (Yes), which is the default action of a Database Vault installation, users will not be able to log in to an Oracle Database Vault instance using the SYS account or any account with SYSDBA privilege using the AS SYSDBA clause. You can re-enable the ability to connect with the SYSDBA privilege by re-creating the password file with the nosysdba flag set to n (No). You might need to re-enable the ability to connect with SYSDBA privileges, if certain products or utilities require its use.

When you re-create the password file, any accounts other than SYS that were granted the SYSDBA or SYSOPER privileges will have those privileges removed. You will need to grant again the privileges for these accounts after you have re-created the password file.

Use the following syntax to run the orapwd utility:

orapwd file=filename password=password [entries=users] force=y/n nosysdba=y/n

Where:

  • file: Name of password file (mandatory).

  • password: Password for SYS (mandatory). Enter at least six alphanumeric characters.

  • entries: Maximum number of distinct DBA users.

  • force: Whether to overwrite the existing file (optional). Enter y (for yes) or n (for no).

  • nosysdba: Whether to enable or disable the SYS logon (optional for Oracle Database Vault only). Enter y (to disable SYS login) or n (to enable SYS login).

    The default is no. If you omit this flag, the password file will be created enabling SYSDBA access for Oracle Database Vault instances.

For example:

orapwd file=$ORACLE_HOME/dbs/orapworcl password=5hjk99 force=y nosysdba=n

Note:

Do not insert spaces around the equal sign (=).

See Also:

Oracle Database Administrator's Guide for more information about using the orapwd utility

Enabling or Disabling Connecting with SYSDBA on Oracle Real Application Clusters Systems

Under a cluster file system and raw devices, the password file under $ORACLE_HOME is in a symbolic link that points to the shared storage location in the default configuration. In this case, the orapwd command you issue affects all nodes.

Enabling or Disabling Connecting with SYSDBA on Automatic Storage Management Systems

For Automatic Storage Management systems, you need to update each node to enable or disable the SYSDBA connection privilege by using the orapwd utility.

3.7.3 Run DVCA to Set Instance Parameters and Lock Out SYSDBA Sessions (Oracle RAC only)

After installing Audit Vault for an Oracle Real Application Clusters (Oracle RAC) instance, you need to run Database Vault Configuration Assistant (DVCA) with the -action optionrac switch on all other Oracle RAC nodes. This sets instance parameters and disables SYSDBA operating system authentication.

You need to run this command on all Oracle RAC nodes other than the node on which the Audit Vault installation is performed. This step is required to enable the enhanced security features provided by Oracle Database Vault.

Note:

The listener and database instance should be running on the nodes on which you run DVCA.

Use the following syntax to run DVCA:

# dvca -action optionrac -racnode host_name -oh oracle_home 
-jdbc_str jdbc_connection_string -sys_passwd sys_password 
[-logfile ./dvca.log] [-silent] [-nodecrypt] [-lockout]

Where:

  • action: The action to perform. The optionrac action updates the instance parameters for the Oracle RAC instance and optionally disables SYSDBA operating system access for the instance.

  • racnode: The host name of the Oracle RAC node on which the action is being performed. Do not include the domain name with the host name.

  • oh: The Oracle home for the Oracle RAC instance.

  • jdbc_str: The JDBC connection string used to connect to the database. For example, "jdbc:oracle:oci:@orcl1".

  • sys_passwd: The password for the SYS user.

  • logfile: Optionally, specify a log file name and location. You can enter an absolute path or a path that is relative to the location of the $ORACLE_HOME/bin directory.

  • silent: Required if you are not running DVCA in an Xterm window.

  • nodecrypt: Reads plain text passwords as passed on the command line.

  • lockout: Used to disable SYSDBA operating system authentication.

Note:

You can re-enable SYSDBA access by re-creating the password file with the nosysdba flag set to n (No). The orapwd utility enables you to do this.

After running DVCA, stop and restart the instance and database listener on all the cluster nodes. This step is also applicable to the node on which Audit Vault was installed. Use the following commands:

srvctl stop instance -d sid -i instance_name -c "SYS/password AS SYSDBA"
srvctl stop nodeapps -n node_name
srvctl start nodeapps -n node_name
srvctl start instance -d sid -i instance_name -c "SYS/password AS SYSDBA"
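
As an added example (not Oracle's code), the following dry-run planner prints the DVCA and srvctl commands of this section for a list of nodes, skipping DVCA on the installation node and stripping the domain name from each host name. The function names, the HOST:INSTANCE input format, the SYS_PASSWORD shell variable, the use of the instance name as the JDBC connect identifier, and the use of the short host name for srvctl are assumptions.

```shell
#!/bin/sh
# Dry-run planner for Section 3.7.3: prints commands, runs nothing.
# The printed commands reference $SYS_PASSWORD (assumed variable name),
# which the operator sets in the shell where the commands are run.

# DVCA's -racnode takes the host name without the domain name.
short_host() { printf '%s\n' "${1%%.*}"; }

# dvca_plan INSTALL_NODE ORACLE_HOME HOST:INSTANCE...
# Prints one DVCA command per node, skipping the node Audit Vault was
# installed from. Returns 2 on malformed input.
dvca_plan() {
    install_node=$(short_host "$1"); oh=$2; shift 2
    found=0
    for pair in "$@"; do
        case $pair in
            ?*:?*) ;;
            *) echo "expected HOST:INSTANCE, got: $pair" >&2; return 2 ;;
        esac
        if [ "$(short_host "${pair%%:*}")" = "$install_node" ]; then found=1; fi
    done
    # A mistyped install node would otherwise put DVCA on every node.
    if [ "$found" -eq 0 ]; then
        echo "install node $install_node is not in the node list" >&2; return 2
    fi
    for pair in "$@"; do
        node=$(short_host "${pair%%:*}"); inst=${pair#*:}
        if [ "$node" = "$install_node" ]; then continue; fi
        # Assumption: the JDBC connect identifier is the instance name,
        # following the guide's "jdbc:oracle:oci:@orcl1" example.
        printf '[%s] dvca -action optionrac -racnode %s -oh %s' "$node" "$node" "$oh"
        printf ' -jdbc_str "jdbc:oracle:oci:@%s" -sys_passwd "$SYS_PASSWORD"' "$inst"
        printf ' -logfile ./dvca.log -silent -nodecrypt -lockout\n'
    done
    return 0
}

# restart_plan DB HOST:INSTANCE...
# Restart sequence for every node, the installation node included.
# Assumption: srvctl's node name is the short host name.
restart_plan() {
    db=$1; shift
    conn='"SYS/$SYS_PASSWORD AS SYSDBA"'
    for pair in "$@"; do
        node=$(short_host "${pair%%:*}"); inst=${pair#*:}
        printf 'srvctl stop instance -d %s -i %s -c %s\n' "$db" "$inst" "$conn"
        printf 'srvctl stop nodeapps -n %s\n' "$node"
        printf 'srvctl start nodeapps -n %s\n' "$node"
        printf 'srvctl start instance -d %s -i %s -c %s\n' "$db" "$inst" "$conn"
    done
}
```

The plan carries only a variable reference, so it can be reviewed or stored without exposing the SYS password.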

3.7.4 Logging in to Audit Vault Console

To use Audit Vault Console, you must access it on the node where you installed the Audit Vault database. If you want to log in to Audit Vault Console from another cluster node, then you need to reconfigure Enterprise Manager to start the Audit Vault Console interface on that other node.

Use the following instructions to log in to Audit Vault Console:

  1. On the node from which you installed the database, open a Web browser to access the Audit Vault Console URL, and use the following URL syntax:

    http://host:port/av
    
    

    In the preceding example:

    • host is the name of the computer on which you installed Oracle Audit Vault Database.

    • port is the port number reserved for the Audit Vault Console during installation.

    If you do not know the correct port number to use, then perform the following steps in the Audit Vault Server home shell:

    1. Set the following environment variables: ORACLE_HOME, ORACLE_SID, and PATH. See the "Configuring Audit Vault" chapter in Oracle Audit Vault Administrator's Guide for more information.

    2. Issue the AVCTL show_av_status command. The output displays the Audit Vault Console URL.

    3. On any system, enter this URL in a Web browser and Oracle Enterprise Manager displays the Audit Vault Console login page.

  2. Log in to the Audit Vault Console using the user name AV_ADMIN and the AV_ADMIN password you created during the installation.