Release Notes
Release 2 (9.2.0.8) for Linux x86-64
E10099-04
June 2007
These Release Notes describe issues you may encounter with Oracle Database Vault Release 2 (9.2.0.8). The Oracle Database Vault installation is covered in detail in the Oracle Database Vault Installation Guide for Linux x86-64.
Note:
Oracle Real Application Clusters (RAC) is not certified on Linux x86-64.This document may be updated after it is released. To check for updates to this document and to view other Oracle documentation, see the Documentation section on the Oracle Technology Network (OTN) Web site:
http://www.oracle.com/technology/documentation/
This document contains the following sections:
This section describes the known issues pertaining to installation. It also provides the workarounds that you can use.
Bug 5258820
Running Database Vault Configuration Assistant (DVCA) manually, after creating a new database in the Database Vault home, fails if the Oracle System Identifier (SID) for the database is longer than 8 characters.
The following steps reproduce the bug:
Use Database Configuration Assistant (DBCA) to create a new database in an existing Database Vault home.
Run DVCA on the newly created database:
$ORACLE_HOME/bin/dvca -action option -oh oracle_home -jdbc_str jdbc_connection_string -sys_passwd SYS_password \ -owner_account DV_owner_account_name -owner_passwd DV_owner_account_password \ [-acctmgr_account DV_account_manager_account_name] [-acctmgr_passwd DV_account_manager_password] \ [-logfile ./dvca.log] [-silent] [-nodecrypt][-lockout] [-languages {["en"],["de"],["es"],["fr"],["it"],["ja"], \ ["ko"],["pt_BR"],["zh_CN"],["zh_TW"]}]
See Also:
Oracle Database Vault Installation Guide for Linux x86-64 for more information on running the DVCA command.The reason for the bug is that the Oracle Net service name in the tnsnames.ora ($ORACLE_HOME/network/admin/tnsnames.ora) file is truncated to 8 characters.
The workaround for the bug is to change the truncated Net service name in the tnsnames.ora file to it's correct value. For example, say the SID for the database is ORACLEDB90, and the entry in tnsnames.ora appears as:
ORACLEDB = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST ....
Replace the truncated entry in the tnsnames.ora file with the correct entry:
ORACLEDB90 = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST ....
Bug 5577503
The Database Vault installer fails to install Database Vault in an existing physical standby database.
You can create a new physical standby database by using the following steps:
Install Database Vault on the primary database.
Create a physical standby database using a hot backup of the primary database. This backup should include the Oracle home.
Set up communications between the primary and the physical standby database. Redo logs communicate changes from the primary database to the standby database.
See Also:
Oracle Data Guard Concepts and Administration for more information on creating a physical standby databaseBug 5948835
After you create a new database in an existing Oracle Database Vault home and run Database Vault Configuration Assistant (DVCA) to configure the database, invalid DVSYS objects are created in the database. The following SQL query output illustrates the problem:
SQL> SELECT * FROM all_objects WHERE status='INVALID';
.
OWNER OBJECT_NAME
------------------------------ ------------------------------
SUBOBJECT_NAME OBJECT_ID DATA_OBJECT_ID OBJECT_TYPE
------------------------------ ---------- -------------- ------------------
CREATED LAST_DDL_ TIMESTAMP STATUS T G S
--------- --------- ------------------- ------- - - -
DVSYS DBMS_MACOLS
33658 PACKAGE BODY
22-MAR-07 22-MAR-07 2007-03-22:08:09:56 INVALID N N N
.
DVSYS DBMS_MACOLS_SESSION
33667 PACKAGE BODY
22-MAR-07 22-MAR-07 2007-03-22:08:09:56 INVALID N N N
The problem occurs if you use one of the predefined database templates to create your database. Create the new database from scratch using the Custom Database option in the Database Configuration Assistant (DBCA) tool. Do not use one of the already provided templates like Data Warehouse, General Purpose, or Transaction Processing.
Bug 5966314
After applying the latest Critical Patch Update (CPU), when you run Oracle Universal Installer (OUI) to install Oracle Database Vault, the latest CPU is listed in the products being uninstalled on the Summary screen. This is not a problem and should be ignored. The Database Vault installer does not rollback already applied patches. It just removes their entries from the inventory.
The current patchset contains patches that include all the fixes provided by already installed patches. Hence, OUI needs to remove the old entries from the inventory. OUI and the OPatch utility use the inventory for conflict detection of patches. Removing old patch entries from the inventory ensures that you do not get false errors related to patches in future.
Bug 5963717
When the user clicks Cancel, to cancel out an error, the Oracle Database Vault installer takes the user back to the Specify File Location screen and not the first screen.
The following steps reproduce the error:
Run the Database Vault Installer for an Oracle Real Applications Cluster (RAC) node
When prompted to shut down the database processes, shut down the database and the listener process leaving the Global Services Daemon (GSD) service running
On the node list screen, the installer raises an error about the following process not being shut down:
/private/qatest/9208DV/RC2/d3/jre/1.1.8/bin/../bin/sparc/native_threads/jre
Click Cancel. Click OK in the confirmation prompt.
The installer takes you to the Specify File Location screen instead of the first screen.
The workaround is to click Back. This takes you to the first screen. An alternate workaround is to click Cancel to exit Oracle Universal Installer (OUI), and then start OUI again.
Bug 5971092
After installing Database Vault, the Global Services Daemon (GSD) service does not automatically start on the remote nodes. You need to manually start the GSD service on the remote nodes. You can then start the database and the listener process on the remote nodes. Use the following command to start the GSD service on an Oracle Real Application Clusters (RAC) node:
$ORACLE_HOME/bin/gsdctl start
This section discusses usage issues that you may encounter with Database Vault. It also provides the workarounds for these issues.
Bug 5161953
Accounts with the DV_OWNER, DV_ADMIN, or DV_SECANALYST role cannot run the following command:
ALTER USER user QUOTA UNLIMITED ON tablespace
The workaround is to REVOKE the role from the account, run the ALTER USER command, and then GRANT back the role to the account. This works if the account is not the DV_OWNER account that was created during installation. If the account is the DV_OWNER account created during installation, then you would need to use the following steps:
Disable the Database Vault command rule for the ALTER USER command.
Run the ALTER USER command.
Re-enable the Database Vault command rule for the ALTER USER command.
Bug 5582720
Enabling a realm fails with the following error:
ORA-00942: Table or view does not exist
This might happen if you try to enable a realm on an invalid object. The workaround is to make sure that all objects protected by the realm are valid, before trying to enable the realm.
Bug 5508407
The following error is displayed when you try to update the owner or the rule set for the SELECT command rule:
Command Rule SELECT not found for schema.%
After the update has failed, you are not allowed to delete the command rule. You can use the following workaround steps:
Login to SQL*Plus using the SYSTEM account. Run the following command:
SQL>ALTER SYSTEM FLUSH SHARED_POOL;
Delete the command rule.
If you were trying to update the command rule, then re-create the command rule with the new parameters.
Repeat Step 1 for the new command rule to take effect.
Bug 5953290
After including a validation function in a factor, you might get the ORA-01001 or ORA-07445 error when trying to use the factor in a command rule.
The workaround is to implement the validation logic in the factor function itself rather than using a validation function to implement the logic.
Use the following steps to grant the CREATE SESSION privilege:
Add the SYSTEM user to the data dictionary realm as an owner.
Log in to SQL*Plus as the SYSTEM user.
Grant the CREATE SESSION privilege.
Enable the data dictionary realm.
This section covers some of the frequently asked questions related to Database Vault installation. Oracle Database Vault installation is covered in detail in the Oracle Database Vault Installation Guide for Linux x86-64.
The installer does not detect my existing Release 2 (9.2.0.8) instance. What should I do?
To allow the installer to find the database instance information, you should check the following:
/etc/oratab has an entry for the database. The oratab entry for the database is case-sensitive. Ensure that this entry exactly matches your database.
All database names listed in /etc/oratab have unique system identifier (SID) names.
The file, /etc/oraInst.loc exists.
The oraInventory location is set in the /etc/oraInst.loc file.
The oraInventory location set in /etc/oraInst.loc is the same as the 9.2.0.8 Enterprise Edition database's oraInventory location.
The 9.2.0.8 database home does not have Oracle Database Vault in it.
I have installed Oracle Database Vault into an Oracle home that has multiple databases. How do I secure the other databases in the Oracle home?
You would need to run Database Vault Configuration Assistant (DVCA) manually on the other databases. Refer to Appendix C in the Oracle Database Vault Installation Guide for Linux x86-64 for detailed instructions.
I have installed Oracle Database Vault on a Real Application Clusters (RAC) database instance. How do I secure the other nodes in the cluster?
You need to run DVCA manually on the other Oracle RAC nodes. Refer to Run DVCA to Set Instance Parameters in the Oracle Database Vault Installation Guide for Linux x86-64 for detailed instructions.
This section contains miscellaneous notes not covered in the Oracle Database Vault documentation.
The keyword SNAPSHOT is supported in place of MATERIALIZED VIEW for backward compatibility.
The JOB_QUEUE_PROCESSES initialization parameter specifies the maximum number of processes that can be created for the execution of jobs. It specifies the number of job queue processes per instance.
This parameter must have a non-zero value. The default value for JOB_QUEUE_PROCESSES is 10.
Database Vault supports the following languages:
de: German
en: American English
es: Spanish
fr: French
it: Italian
ja: Japanese
ko: Korean
pt_BR: Brazilian Portuguese
zh_CN: Simplified Chinese
zh_TW: Traditional Chinese
Make sure that the NLS_LANG parameter in your database corresponds to one of these languages before installing Database Vault. If the language setting in the NLS_LANG parameter is not compatible, then the Database Vault Administrator (DVA) application interface is not displayed properly.
Use the following steps to add a supported language to an already installed instance of the Database Vault Administrator (DVA) application:
Disable Database Vault.
See Also:
Appendix B, "Enabling and Disabling Oracle Database Vault" in the Oracle Database Vault Administrator's GuideMake sure that environment variables like ORACLE_HOME, PATH, ORACLE_SID, and LD_LIBRARY_PATH, are properly set.
Run the following command:
java -classpath $ORACLE_HOME/dv/jlib/dvca.jar:\ $ORACLE_HOME/lib/xmlparserv2.jar:\ $ORACLE_HOME/jdbc/lib/classes12.zip \ oracle.security.datval.dvca.util.DvcaNLSLoader \ "jdbc:oracle:oci:@database_sid" \ dvsys dvsys_password file1 file2 ... fileN
Here, file1 file2 ... fileN are the names of the language set files. The language files are a set of files with the following names:
code_language.dlf
factor_type_language.dlf
factor_language.dlf
rule_language.dlf
rule_set_language.dlf
realm_language.dlf
For example, to enable support for Japanese language, use the following command:
java -classpath $ORACLE_HOME/dv/jlib/dvca.jar:\ $ORACLE_HOME/lib/xmlparserv2.jar:\ $ORACLE_HOME/jdbc/lib/classes12.zip \ oracle.security.datval.dvca.util.DvcaNLSLoader "jdbc:oracle:oci:@db1" \ dvsys oracle $ORACLE_HOME/dv/admin/code_ja.dlf
Note:
You can either repeat the preceding command for each file in the language set, or use a single command with the language specific file names separated by whitespace characters.Enable Database Vault.
See Also:
Appendix B, "Enabling and Disabling Oracle Database Vault" in the Oracle Database Vault Administrator's GuideOur goal is to make Oracle products, services, and supporting documentation accessible, with good usability, to the disabled community. To that end, our documentation includes features that make information available to users of assistive technology. This documentation is available in HTML format, and contains markup to facilitate access by the disabled community. Accessibility standards will continue to evolve over time, and Oracle is actively engaged with other market-leading technology vendors to address technical obstacles so that our documentation can be accessible to all of our customers. For more information, visit the Oracle Accessibility Program Web site at
http://www.oracle.com/accessibility/
Accessibility of Code Examples in Documentation
Screen readers may not always correctly read the code examples in this document. The conventions for writing code require that closing braces should appear on an otherwise empty line; however, some screen readers may not always read a line of text that consists solely of a bracket or brace.
Accessibility of Links to External Web Sites in Documentation
This documentation may contain links to Web sites of other companies or organizations that Oracle does not own or control. Oracle neither evaluates nor makes any representations regarding the accessibility of these Web sites.
TTY Access to Oracle Support Services
Oracle provides dedicated Text Telephone (TTY) access to Oracle Support Services within the United States of America 24 hours a day, seven days a week. For TTY support, call 800.446.2398.
Oracle Database Vault Release Notes Release 2 (9.2.0.8) for Linux x86-64
E10099-04
Copyright © 2007, Oracle. All rights reserved.
The Programs (which include both the software and documentation) contain proprietary information; they are provided under a license agreement containing restrictions on use and disclosure and are also protected by copyright, patent, and other intellectual and industrial property laws. Reverse engineering, disassembly, or decompilation of the Programs, except to the extent required to obtain interoperability with other independently created software or as specified by law, is prohibited.
The information contained in this document is subject to change without notice. If you find any problems in the documentation, please report them to us in writing. This document is not warranted to be error-free. Except as may be expressly permitted in your license agreement for these Programs, no part of these Programs may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose.
If the Programs are delivered to the United States Government or anyone licensing or using the Programs on behalf of the United States Government, the following notice is applicable:
U.S. GOVERNMENT RIGHTS Programs, software, databases, and related documentation and technical data delivered to U.S. Government customers are "commercial computer software" or "commercial technical data" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the Programs, including documentation and technical data, shall be subject to the licensing restrictions set forth in the applicable Oracle license agreement, and, to the extent applicable, the additional rights set forth in FAR 52.227-19, Commercial Computer Software--Restricted Rights (June 1987). Oracle USA, Inc., 500 Oracle Parkway, Redwood City, CA 94065.
The Programs are not intended for use in any nuclear, aviation, mass transit, medical, or other inherently dangerous applications. It shall be the licensee's responsibility to take all appropriate fail-safe, backup, redundancy and other measures to ensure the safe use of such applications if the Programs are used for such purposes, and we disclaim liability for any damages caused by such use of the Programs.
Oracle, JD Edwards, PeopleSoft, and Siebel are registered trademarks of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
The Programs may provide links to Web sites and access to content, products, and services from third parties. Oracle is not responsible for the availability of, or any content provided on, third-party Web sites. You bear all risks associated with the use of such content. If you choose to purchase any products or services from a third party, the relationship is directly between you and the third party. Oracle is not responsible for: (a) the quality of third-party products or services; or (b) fulfilling any of the terms of the agreement with the third party, including delivery of products or services and warranty obligations related to purchased products or services. Oracle is not responsible for any loss or damage of any sort that you may incur from dealing with any third party.