Installing the Administration Server


Setting Up and Administering the Database

This section provides information and guidelines to assist you in installing, configuring, and managing the database server and the database client to be used with the AquaLogic Enterprise Security Administration Server. This information is not meant to replace or supersede in any way the database documentation provided by Oracle and Sybase for their database server and client products. Also, the information provided here assumes that you are familiar with the Oracle database documentation.

BEA AquaLogic Enterprise Security stores all policy and configuration data used by the Administration Server and Security Service Modules in the policy database. You can use either an Oracle database or a Sybase database for your policy data storage. You must install and configure the database server software before you install the Administration Server. If you install the Administration Server on a machine other than the machine on which you install the database, you must also install and configure the respective Oracle or Sybase client on that machine.

Note: To perform a database installation and setup, you must be a database administrator with a database administrator username and password and permission to create a new instance. In addition, you should be knowledgeable about the operating system you are working with and be adept at database installations and configuration issues. If you do not feel comfortable performing any of these tasks, ask your database administrator for assistance.

This section covers the following topics:

 


Setting Up and Administering the Oracle Database and Client

This section contains the procedures for setting up and administering an Oracle database and an Oracle Client. It covers the following topics:

Before you Begin the Oracle Database Setup

Before you install and set up your Oracle database, review the following topics to better understand Oracle database configuration requirements:

Overview of the Oracle Client/Server Architecture

Each Oracle service is identified by a global database name and an Oracle system identifier referred to as the SID (see Figure A-1). The Oracle global database name is the full name of a database that uniquely differentiates it from any other databases in your network domain. One global database name can represent several database instances. The global database name is also known as the service name. The SID distinguishes the database instance from any other database instances on the same machine.

Figure A-1 Oracle Database Setup


An Oracle instance is a running Oracle database made up of memory structures and background processes. Each instance is associated with an SID. With the Oracle Parallel Server, multiple instances can exist on different machines for a single database.

The policy database is a set of database schemas in which all data are stored. A database schema is a collection of objects associated with a particular schema name. The objects include tables, views, domains, constraints, assertions, privileges, and so on.

A datafile is an Oracle term for a file that contains the contents of logical database structures, such as tables and indexes. One or more datafiles form a logical unit of storage called a tablespace. A datafile is associated with only one tablespace and only one database.

A tablespace is a logical portion of a database used to allocate storage for table and index data. Each tablespace corresponds to one or more physical datafiles. Every Oracle database has a tablespace called SYSTEM and may have additional tablespaces. A tablespace is used to group related logical structures. The database username or user ID is a login that is given permission by the database administrator to access a specific database instance. This user is also called the schema owner, that is, the owner of the schema objects such as tables, views and triggers that are created.

Oracle Database System Requirements

Table 0-1 describes the minimum requirements for the system on which the Oracle database server is installed.

Table 0-1 Oracle Setup Requirements

| Requirement | Description |
|---|---|
| Software version | Oracle database server: Version 9i Release 2 (9.2.x); Version 10g Release 1 (10.1.0.4). Note: On Linux platforms, if you use 9i, BEA recommends using the Oracle 9.2.0.5 client. Use of an earlier version may seriously increase the amount of system memory used by the AquaLogic Enterprise Security servers or processes. This behavior can eventually cause the server to use up system memory. The 9.2.0.4 and 9.2.0.5 versions do not exhibit this behavior. |
| Server platform | Any platform supported by Oracle. |
| Memory | As required by Oracle server installation (64 MB minimum). |
| Disk space for the starter database | As required by Oracle server installation, plus space required to store policy data; 500 MB recommended. |
| Disk space for Oracle software | Refer to your installation guide for the Oracle Database Server. |
| Disk space for policy database | Minimum of one tablespace with 250 MB of free space is required. |
| Oracle Client | Oracle Client that ships with your version of the product. BEA requires that the version of your client software be the same as the database to which you are connecting. Do not use an older version of the client software to connect to a newer version of the database server. |

Installing and Configuring the Oracle Database

This section provides additional instructions for installing and configuring an Oracle database for use with the AquaLogic Enterprise Security Administration Server.

To install and configure the database, perform the following tasks:

Installing the Oracle Database

This section provides recommendations for installing the Oracle database and creating a database instance. When you run the Oracle installation program, it automatically starts the Database Configuration Assistant, which you use to create an instance of the database. If the Oracle database is already installed on the database host machine, you can skip this procedure and go to Creating an Instance of an Oracle Database and then go to Configuring an Oracle Policy Database.

To install the Oracle database and create a database instance, perform these steps:

  1. Ensure that the system requirements are satisfied as defined in Table 0-1 and install the Oracle database according to instructions in the Oracle Database Installation Guide. When the Oracle Universal installer runs, select the install options as specified in Table 0-2. For other installer options, accept the default settings or set them as you desire.

    Table 0-2 Recommended Selections in the Oracle Universal Installer

    | Installer Option | Recommended Selections |
    |---|---|
    | Available Products | Oracle 9i Database 9.2.x |
    | Installation Types | Enterprise Edition |
    | Database Configuration | General Purpose |
    | Oracle MTS Recovery Service Configuration Port Number | Accept the default setting. |
    | Global Database Name (For Oracle 10g only) | The full Oracle database name that distinguishes the database from any other databases in your network domain, for example asi.ales, where asi is the database name and ales is the domain. |
    | Database System Identifier (For Oracle 10g only) | The Oracle system identifier (SID). The SID distinguishes the database instance from any other database instances on the same machine, for example asi. |
    | Passwords (For Oracle 10g only) | The install program creates four user accounts, SYS, SYSTEM, SYSMAN, and DBSNMP and assigns default passwords. During the installation, you are prompted to change these passwords. For security reasons, Oracle recommends that you specify new passwords for these user accounts when you install the database software. Be sure to record your password settings as you will need them later. |

  2. For Oracle 9i, when the Database Configuration Assistant starts, step through the screens and use the settings specified in Table 0-3.

    Note: For Oracle 10g, the Database Configuration Assistant is run after the installer program (just as it is with Oracle 9i); however, for 10g, it does not prompt you for input.

    Table 0-3 Oracle 9.1.2 Database Configuration Assistant Settings

    | Database Configuration Assistant Screen | Recommended Setting |
    |---|---|
    | Step 1 of 8: Operations | Select Create a database, and click Next. |
    | Step 2 of 8: Templates | Select New Database, and click Next. Note: This selection specifies the template to use to create the instance of the database. |
    | Step 3 of 8: Database Identification | Specify the Global Database Name, for example asi.ales. Specify the SID, for example asi, and click Next. |
    | Step 4 of 8: Database Features | Set these check boxes to on: Oracle spatial, Oracle Ultra Search, Oracle Data Mining, Oracle OLAP, Example Schemas and all check boxes below, and click Next. |
    | Step 5 of 8: Database Connection Options | Select Dedicated Server Mode, and click Next. |
    | Step 6 of 8: Initialization Parameters | Select the Memory tab, click the Custom radio button, and set the parameters as follows: Shared Pool: 69 Mbytes; Buffer Cache: 24 Mbytes; Java Pool: 32 Mbytes; Large Pool: 8 Mbytes; PGA: 24 Mbytes. Click Next. |
    | Step 7 of 8: Database Storage | Click Next. The Database Assistant creates the database. |
    | Database Configuration Assistant | Set passwords for the SYS and SYSTEM accounts and record these passwords as you will need them later. Click Exit. The Database Assistant completes. |
    | End of Installation | Click Exit. |

  3. For Oracle 9i, do one of the following to set your system PATH environment variables:
    • For Windows systems, set the environment variables as shown in Listing 0-1.
    • For Solaris and Linux systems, refer to the Oracle Installation Guide Release 2 (9.2.0.1.0) for UNIX systems for instructions.

    Listing 0-1 Oracle 9i System PATH Environment Variable Settings for Windows

      <drive>:\oracle\ora920\bin;
      C:\Program Files\Oracle\jre\1.3.1\bin;
      C:\Program Files\Oracle\jre\1.1.8\bin;

    Where <drive> is the hard drive on which the Oracle database is installed.

  4. For Oracle 10g, do one of the following to set environment variables:
    • On Microsoft Windows, the installer program sets the environment variables for you.
    • On Solaris, refer to the Oracle Database Installation Guide 10g release 1 (10.1.0.4) for Solaris.
    • On Linux, refer to the Oracle Database Installation Guide 10g release 1 (10.1.0.4) for Linux.
  5. If you want to allow remote connections to this database instance, proceed to Configuring the Oracle Database Listener for Remote Connections; otherwise, proceed to Configuring an Oracle Policy Database.

Configuring the Oracle Database Listener for Remote Connections

To configure the Oracle database to accept remote connections from the Administration Server, you must configure an Oracle listener. This is necessary only if you intend to install the Administration Server on a machine other than the machine on which the Oracle database is installed.

To configure an Oracle listener, perform the following steps:

  1. Start the Oracle Net Configuration Assistant and respond to the assistant screens as directed in Table 0-4.

    Table 0-4 Oracle Listener Setting

    | Assistant Screen | Setting |
    |---|---|
    | Welcome | Select Listener configuration, and click Next. |
    | Listener | Select Add, and click Next. |
    | Listener Name | Enter listener name, for example, asi, and click Next. |
    | Select Protocols | Select TCP, and click Next. |
    | TCP/IP Protocol | Select the standard port 1521, and click Next. |

  2. To verify that the listener is configured, open a command window on a remote system and enter this command: SQLplus system/password@listenername

    where password is the password you assigned to the SYSTEM account upon installation and listenername is the name you assigned to the Oracle listener, for example asi.

  3. Proceed to Configuring an Oracle Policy Database.

Creating an Instance of an Oracle Database

This section describes how to create and configure an instance of an Oracle database. It assumes that the Oracle database software was installed.

Note: You should only perform this procedure when you want to create and configure instances of the database in addition to the instance that was created when the database software was installed.

Perform the following steps to create an instance of an Oracle database:

Note: The section provides guidance to assist you, but it does not supersede the documentation provided by Oracle.
  1. To start the Oracle Database Configuration Assistant, click Start>Programs>Oracle-<OraHome>Configuration and Migration Tools>Database Configuration Assistant, where OraHome indicates the version of the software. The Database Configuration Assistant starts.
  2. When the Database Configuration Assistant starts, step through the screens and select settings as specified in Table 0-3.
  3. To configure a policy database for this instance of an Oracle database, see Configuring an Oracle Policy Database.

Configuring an Oracle Policy Database

To configure an Oracle policy database, you must create the policy database, create a security role and a user, and grant the security role and user access.

To configure a policy database, perform the following steps:

  1. Open a command window, run the Oracle SQLPlus utility, and log in as user SYSTEM with the password you set for that user account when you installed the Oracle database software.

    sqlplus system/password@asi

    where: password is the password you set for the system account when you installed the database software and asi is the database instance name.

  2. To configure the policy database, enter the following commands at the SQL> prompt:

    SQL>connect sys as sysdba
    SQL>create tablespace DATA datafile 'C:/Oracle/oradata/ASI/data.dbf'
    size 10M autoextend on next 1M MAXSIZE 250M;
    SQL>CREATE ROLE asi_role;
    SQL>GRANT CREATE SESSION to asi_role;
    SQL>GRANT CREATE TABLE to asi_role;
    SQL>GRANT CREATE PROCEDURE to asi_role;
    SQL>GRANT CREATE SEQUENCE to asi_role;
    SQL>GRANT CREATE TRIGGER to asi_role;
    SQL>GRANT CREATE VIEW to asi_role;
    SQL>CREATE USER wles IDENTIFIED BY password
    default tablespace DATA QUOTA UNLIMITED on DATA;
    SQL>GRANT asi_role to wles;
    SQL>GRANT SELECT on SYS.V_$LOCKED_OBJECT to wles;

    where: asi_role is the security role you define, wles is the user you define, and password is the user password.

  3. To verify that the configured user can connect to the policy database, open a command window and type:

    sqlplus wles/password@asi

    where: wles and password are the user and password you defined and asi is the database instance name.

This completes the configuration of the instance of the policy database.

Installing and Configuring an Oracle Client

If you intend to install the AquaLogic Enterprise Security Administration Server on the same machine on which you installed the Oracle database, you do not need to install or configure the Oracle Client. The Oracle database installation includes the Oracle Client, so you can skip this task.

However, if you intend to install the Administration Server on a machine other than the machine on which the Oracle database is installed, you must install and configure an Oracle client on that machine to be able to access the Oracle database server from the client machine.

To install and configure an Oracle Client, you need to know the following information:

For instructions on installing and configuring an Oracle Client, see the following topics:

Installing and Configuring an Oracle Client on Windows

To install and configure an Oracle Client, perform these steps:

Note: This section provides guidance to assist you, but it does not supersede the documentation provided by Oracle.
  1. Install the Oracle Client according to instructions in the Oracle Database Installation Guide for Windows. If the Oracle Client is already installed, skip this step and go to the next step.
  2. Start the Oracle Net Configuration Assistant and use it to configure a Local Net Service Name entry for connecting to the Oracle database instance (see Figure A-3).

    Note: Figure A-2 shows the Oracle 9i screen. The Oracle 10g screen offers the same options.

    In this step, you set up a service entry in the Oracle configuration file, which is located on the client machine at: ORACLE_HOME/network/admin/tnsnames.ora.

    Figure A-2 Oracle Net Configuration Assistant: Welcome Page (Oracle 9i)

  3. To verify that the Oracle Client can access the Oracle database, at the Net Configuration Assistant screen (see Figure A-3), select the Yes, perform a test radio button, click Next, and execute the test.

    Note: Figure A-3 shows the Oracle 9i screen. The Oracle 10g screen offers similar options.

    Figure A-3 Oracle Net Service Name Configuration Test Page (Oracle 9i)

  4. If the test in the previous step fails, click the Change Login button on the test results page, enter the database username and password, and execute the test again.

    Note: If you experience problems getting the Oracle Client to connect to the Oracle database instance, check the configuration of the database instance in the ORACLE_HOME\ora<version>\network\admin\tnsnames.ora file located on the database server host machine, where <version> is 81, 90, or 92.

  5. To use SQLplus on the machine on which your Oracle client is running to connect to the Oracle database instance as the wles user, open a command window and type:

    sqlplus wles/password@asi

    where: wles and password are the user and password you defined when you configured the policy database and asi is the database instance name.

This completes the configuration of the Oracle Client.

Installing and Configuring the Oracle Client on Sun Solaris

To install and configure the Oracle Client on a Sun Solaris platform, perform these steps:

Note: This section provides guidance to assist you, but it does not supersede the documentation provided by Oracle.
  1. If they do not already exist, have a Sun Solaris system administrator create a group called dba and a user ID called oracle.
  2. Set dba as the primary group for oracle.
  3. Log into Sun Solaris as oracle.
  4. Unload the Oracle client software to a local directory using the Oracle Installer.
  5. Set the ORACLE_HOME environment variable to the local directory. If necessary, refer to your Oracle Installation Guide.
  6. Set the PATH environment variable to include the bin subdirectory of $ORACLE_HOME.
  7. Set the LD_LIBRARY_PATH environment variable to include the lib subdirectory of $ORACLE_HOME.
  8. To connect to the Oracle database instance on the machine on which your Oracle client is running, open a command window and type the following SQLplus command:

    sqlplus wles/password@asi

    where: wles and password are the user and password you defined when you configured the policy database and asi is the database instance name.

    If this command is successful, the client is configured, and you can skip the next step of this procedure. If this command fails, proceed to step 9.

  9. Start an Oracle Network Configuration tool, such as Net Configuration Assistant or Net Manager, and configure a local net service name entry for connecting to the database instance. This step sets up a service entry in the Oracle configuration file located at: $ORACLE_HOME/network/admin/tnsnames.ora.

    Note: You may also use a text editor to edit the tnsnames.ora file. However, you should be familiar with Oracle Net before editing the tnsnames.ora file with a text editor.

This completes the configuration of an Oracle Client.

Installing and Configuring the Oracle Client on Red Hat Advanced Server 2.1

There may be some additional considerations when installing Oracle Clients on Red Hat Advanced Server 2.1. To understand all the considerations relative to installing on the Red Hat Advanced Server in your environment, see the Oracle and Red Hat documentation.

To install and configure an Oracle Client on Red Hat Advanced Server 2.1, perform the following steps:

Note: This section provides guidance to assist you, but it does not supersede the documentation provided by Oracle.
  1. If you are installing by downloading the software from the Oracle web site, go to step 2. If you are installing from an Oracle CD-ROM, skip step 2, and go to step 3.
  2. Using the instructions provided on the Oracle download site, perform the following steps:
    1. Download the Oracle Database Server software from the Oracle web site. For example, the Oracle 9.2 download kit requires that you download the following files:

      ship_9204_linux_disk1.cpio.gz
      ship_9204_linux_disk2.cpio.gz
      ship_9204_linux_disk3.cpio.gz
    2. To unzip each file, run:

      gunzip <filename>
    3. To extract the cpio archive, run the following command on each file (cpio reads the archive from standard input):

      cpio -idmv < <filename>.cpio

      This command creates directories named Disk1, Disk2, and Disk3.

  3. To start the Oracle installer, run the following command from Disk1:

    ./runInstaller
  4. Select the Oracle Client for installation, and then select the Administrative edition or Application Programmer edition.
  5. When an error window appears, wait for the following error message:

    Error in invoking target install of makefile /path/app/oracle/product/version/xyz/lib/ins_xyz.mk, and prompt for Retry, Ignore, and Cancel

    where xyz may be precomp, or plsql, or something else and version is either 9i or 10g.

  6. When this error occurs, examine the file: $ORACLE_HOME/install/make.log.

    The file contains the following lines of text.

    path/app/oracle/product/version/bin/genclntsh
    /lib/libc.so.6: undefined reference to `_dl_lazy@GLIBC_2.1.1'
    /lib/libc.so.6: undefined reference to `_dl_dst_substitute@GLIBC_2.1.1'
    /lib/libc.so.6: undefined reference to `_dl_out_of_memory@GLIBC_2.2'
    /lib/libc.so.6: undefined reference to `_dl_relocate_object@GLIBC_2.0'
    /lib/libc.so.6: undefined reference to `_dl_clktck@GLIBC_2.2'
    /lib/libc.so.6: undefined reference to `__libc_enable_secure@GLIBC_2.0'
    /lib/libc.so.6: undefined reference to `_dl_catch_error@GLIBC_2.0'
    .....
    /usr/bin/ld: cannot find -lclntsh
    collect2: ld returned 1 exit status
    /bin/chmod: getting attributes of `procob18': No such file or directory
    make: *** [procob18] Error 1
    /usr/bin/make -f ins_precomp.mk relink ORACLE_HOME=/pathora/u01/app/oracle/product/version EXENAME=ott...
  7. Set the environment variables for ORACLE_HOME, PATH and LD_LIBRARY_PATH.
  8. Open another window, and change to the $ORACLE_HOME/bin directory.
  9. Edit the genclntsh script by setting LD_SELF_CONTAINED="".
  10. Run the following command:

    ./genclntsh

    The following message appears:

    Created /path/app/oracle/product/version/lib/libclntst#.a
  11. Return to the Oracle installer, and click Retry.
  12. After linking the Oracle libraries, the installer prompts you to run root.sh.
  13. Log in as root and run:

    ./root.sh
  14. Return to the installer, and click OK to continue.

    The installer continues. At the last step, it starts the Net Configuration tool to let you configure the first Net Service Name.

  15. To connect to the Oracle database instance on the machine on which your Oracle client is running, open a command window and type the following SQLplus command:

    sqlplus wles/password@asi

    where: wles and password are the user and password you defined when you configured the policy database and asi is the database instance name.

    If this command is successful, the client is configured and you can skip the remaining steps of this procedure. If this command fails, proceed to step 16.

  16. Use the Net Configuration Assistant to configure a local net service name entry for connecting to the database instance. This step sets up a service entry in the Oracle configuration file ($ORACLE_HOME/network/admin/tnsnames.ora).
  17. Exit the installer.

This completes the configuration of an Oracle Client.

Installing and Configuring the Oracle Client on Red Hat Advanced Server 3.0

There may be some additional considerations when installing Oracle Clients on Red Hat Advanced Server 3. To understand all the considerations relative to installing on the Red Hat Advanced Server in your environment, see the Oracle and Red Hat documentation.

To install and configure an Oracle Client on Red Hat Advanced Server 3.0, perform the following steps:

Note: This section provides guidance to assist you, but it does not supersede the documentation provided by Oracle.
  1. If you are installing by downloading the software from the Oracle web site, go to step 2. If you are installing from an Oracle CD-ROM, skip step 2, and go to step 3.
  2. Using the instructions provided on the Oracle download site, perform the following steps:
    1. Download the Oracle Database Server software from the Oracle web site. For example, the Oracle 9.2 download kit requires that you download the following files:

      ship_9204_linux_disk1.cpio.gz
      ship_9204_linux_disk2.cpio.gz
      ship_9204_linux_disk3.cpio.gz
    2. To unzip each file, run:

      gunzip <filename>
    3. To extract the cpio archive, run the following command on each file (cpio reads the archive from standard input):

      cpio -idmv < <filename>.cpio

      This command creates directories named Disk1, Disk2, and Disk3.

  3. Set the environment variable LD_ASSUME_KERNEL to 2.4.1.
  4. Install the following Red Hat Package Manager (RPM) packages:

    compat-db-4.0.14-5.i386.rpm \
    compat-gcc-7.3-2.96.122.i386.rpm \
    compat-gcc-c++-7.3-2.96.122.i386.rpm \
    compat-libstdc++-7.3-2.96.122.i386.rpm \
    compat-libstdc++-devel-7.3-2.96.122.i386.rpm
  5. Relink gcc to gcc296 and g++ to g++296.

    Note: Be sure to restore the gcc and g++ to gcc323 and g++323 after the installation.

  6. Download the patch p3006854_9204_LINUX.zip from http://metalink.oracle.com/. For more information, see Oracle bug 3006854. To apply this patch, run:

    su - root
    # unzip p3006854_9204_LINUX.zip
    Archive: p3006854_9204_LINUX.zip
    creating: 3006854/
    inflating: 3006854/rhel3_pre_install.sh
    inflating: 3006854/README.txt
    # cd 3006854
    # sh rhel3_pre_install.sh
    Applying patch...
    Patch successfully applied
  7. Go to the Disk1 directory and run this command: ./runInstaller.

    Note: You cannot run this command as root.
    Note: If you are accessing the system through a Telnet connection, make sure that your display is set correctly.

    The ./runInstaller command displays the Oracle Universal Installer: Welcome window.

  8. On the Oracle Universal Installer Welcome window, click Next. The Inventory Location window appears.
  9. On the Inventory Location window, set the directory field to where you want to install Oracle, for example: /export/home/oracle. The UNIX Group Name window appears.
  10. On the UNIX Group Name window, enter the name for your group, and click Next.
  11. A message window opens and directs you to run the /tmp/orainstRoot.sh command as root. Running this command outputs the following two lines:

    Creating Oracle Inventory pointer file (/etc/oraInst.loc)
    Changing groupname of /export/home/oracle to engineering.
  12. Return to the message window and click Continue. The File Locations window appears.
  13. On the File Locations window, verify that the Source field is correct and change the Destination Name and Path to where you want to store the Oracle files, and click Next. For example:

    Name: ORACLE
    Path: /export/home/oracle

    The Loading products progress indicator displays in the upper right corner of the window. When the loading completes, the Available Products window appears.

  14. On the Available Products window, select Oracle 9i Client, and click Next. The Installation Types window appears.
  15. On the Installation Types window, select the Runtime radio button and click Next. The Summary window appears.
  16. On the Summary window, click Install. The Install window appears and a progress indicator displays showing the status of the installation process. When the installation completes, the following message is displayed:

    A configuration script needs to be run as root before installation can proceed. Please leave this window up, run /export/home/oracle/root.sh as root from another window, then come back here and click OK to continue.
  17. Run the root.sh command. The root.sh command outputs the following:

    Running Oracle9 root.sh script...
    \nThe following environment variables are set as:
    ORACLE_OWNER= dbooth
    ORACLE_HOME= /export/home/oracle
    Enter the full pathname of the local bin directory: [/usr/local/bin]:
    Copying dbhome to /usr/local/bin ...
    Copying oraenv to /usr/local/bin ...
    Copying coraenv to /usr/local/bin ...
    \nCreating /etc/oratab file...
    Adding entry to /etc/oratab file...
    Entries will be added to the /etc/oratab file as needed by Database Configuration Assistant when a database is created
    Finished running generic part of root.sh script.
    Now product-specific root actions will be performed.
  18. After the script completes, click OK. The Configuration Tools window appears. Click No on the Oracle Net Configuration Assistant: Welcome window, and click Next.
  19. Select the oracle9i or later database or service radio button on the Oracle Net Configuration Assistant: Net Service Name Configuration, Database Version window, and click Next.
  20. Enter a Service Name into the entry field, and click Next. For example: mydbhost.mydomain.com.
  21. Select TCP on the Oracle Net Configuration Assistant: Net Service Name Configuration, Select Protocols window, and click Next.
  22. Enter a host name into the entry field on the Oracle Net Configuration Assistant: Net Service Name Configuration, TCP/IP Protocol window, and click Next. For example: mydbhost.mydomain.com.
  23. Select Yes to perform a test on the Oracle Net Configuration Assistant: Net Service Name Configuration Test window, and click Next. You should get this message:

    Connecting...Test successful.

    If not, click Back, correct the settings, and retest. If successful, click Next.

  24. Enter a Net Service Name value on the Oracle Net Configuration Assistant: Net Service Name Configuration Net Service Name window, and click Next. For example: mydbhost.
  25. Select No on the ...Another Net Service Name window, and click Next.
  26. Click Next on the ...Configuration Done window.
  27. Click Finish to complete the Configuration process.
  28. On the Oracle Universal Installer: End of Installation window, click Exit to close the Oracle installation.

This completes the configuration of an Oracle Client.

Administering an Oracle Policy Database

This section covers the following topics:

Creating a User Account in an Oracle Policy Database

This section describes how to configure a new user account in an Oracle policy database. This account is necessary so that the policy for the instance of the Administration Server managed by this user can have a dedicated storage area allocated in the database instance.

Note: To perform this procedure, you must log into the Oracle database server as a database administrator.

To set up a database user account, perform these steps:

  1. To log in to the Oracle database server, type:

    sqlplus dba/password@ASERVER

    where:

    dba is the username you use to access the database.

    password is your database administrator password.

    ASERVER is the name of the Oracle service (as defined in your tnsnames.ora file).

  2. To create a new role in the database server, type:

    SQL> create role asi_role;
    SQL> grant create session to asi_role;
    SQL> grant create table to asi_role;
    SQL> grant create procedure to asi_role;
    SQL> grant create sequence to asi_role;
    SQL> grant create trigger to asi_role;
    SQL> grant create view to asi_role;

    where: asi_role is the new role.

  3. To set up a new database user account, type:

    SQL> create user username identified by password
      2  default tablespace users quota unlimited on users
      3  temporary tablespace temp quota unlimited on temp;

    Note: This example uses the default tablespaces generated when you created and configured the Oracle database instance; however, you can specify any tablespaces.

    where:

    username is the name to assign to the new user account.

    password is the password to assign to the new user account.

    unlimited is the size of the tablespace quota (shown here as set to unlimited).

  4. To grant the role with the necessary privileges to the user, at the command prompt, type:

    grant asi_role to username;
    conn sys as sysdba;
    GRANT SELECT ON SYS.V_$LOCKED_OBJECT to username;
    commit;

    In this case, you grant SELECT permission to the user you created in step 3. The Oracle database server does not allow you to grant the permission to the asi_role. BEA AquaLogic Enterprise Security uses this dynamic view to check whether one of its tables is currently being accessed. Therefore, the SELECT permission is required.

  5. Exit SQL*Plus.
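
A check a database administrator can run once the account exists, to confirm that it holds only what this procedure grants. This is an added example, not part of the BEA documentation; ASI_USER is a placeholder for the username created above, and the queries use the standard Oracle DBA_* dictionary views.

```sql
-- Run in SQL*Plus as a DBA. ASI_USER is a placeholder (assumption) for the
-- account created above; the dictionary stores unquoted names in upper case.

-- 1. System privileges held by the role: expect exactly the six granted above.
select privilege, admin_option
  from dba_sys_privs
 where grantee = 'ASI_ROLE'
 order by privilege;

-- 2. Anything the role holds beyond the documented set (expect no rows).
select privilege
  from dba_sys_privs
 where grantee = 'ASI_ROLE'
   and privilege not in ('CREATE SESSION', 'CREATE TABLE', 'CREATE PROCEDURE',
                         'CREATE SEQUENCE', 'CREATE TRIGGER', 'CREATE VIEW');

-- 3. Roles granted to the account: expect ASI_ROLE only. DBA, RESOURCE or
--    CONNECT here would widen the account beyond this procedure.
select granted_role, admin_option, default_role
  from dba_role_privs
 where grantee = 'ASI_USER';

-- 4. System privileges granted directly to the account (expect no rows,
--    since everything is meant to arrive through asi_role).
select privilege, admin_option
  from dba_sys_privs
 where grantee = 'ASI_USER';

-- 5. Object privileges granted directly: expect one row, SELECT on
--    SYS.V_$LOCKED_OBJECT, with GRANTABLE = 'NO'.
select owner, table_name, privilege, grantable
  from dba_tab_privs
 where grantee = 'ASI_USER';

-- 6. Tablespace quotas for the account: MAX_BYTES = -1 means unlimited.
select tablespace_name, bytes, max_bytes
  from dba_ts_quotas
 where username = 'ASI_USER';
```

Rows that appear in queries 2 or 4, or extra rows in queries 3 or 5, are grants that did not come from this procedure and should be reviewed.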

Using the Database Administration Utilities with Oracle

Table 0-5 lists and describes the batch and shell files provided for database administration. The files are located in the following directory:

bea\ales22-admin\bin\

where:

Before running these scripts with an Oracle database, you need to ensure the following setup steps are completed:

Backing Up an Oracle Database

BEA strongly recommends that you back up your original policy database regularly. A database backup is always recommended before you uninstall or re-install the policy database. You may need to contact your database or system administrator to assist with this process. Backups should be done on a regularly scheduled basis.

For instructions on backing up your Oracle database, see the Oracle Backup and Recovery Guide that comes with your Oracle documentation.

 


Setting Up and Administering the Sybase Database and Client

This section contains the procedures for setting up and administering a Sybase database and a Sybase Client. It covers the following topics:

Before you Begin the Sybase Database Setup

Before you begin to set up your Sybase database, review the following topics to better understand Sybase database configuration requirements:

Overview of the Sybase Client/Server Architecture

The Sybase Adaptive Server is the server in the Sybase client/server architecture (see Figure A-4). It manages multiple databases and multiple users, keeps track of the actual location of data on disks, maintains mapping of logical data description to physical data storage, and maintains data and procedure caches in memory.

The policy database is a set of database schemas in which all data are stored. The Sybase database contains a set of related data tables and other database objects organized and presented to serve a specific purpose.

A database device is a Sybase term that represents the portion of a device (a portion of a hard drive, such as a partition) that is dedicated to holding database data. When creating the database device, you can choose either a raw partition or an existing file system. Choosing a raw partition can increase the performance of the database server.

Figure A-4 Sybase Adaptive Server Setup


The Database Login ID is a login created by a system administrator to log onto the Adaptive Server. Each Database Login has a password and a default database to access. A login is valid if the Adaptive Server has an entry for that user in the system table syslogins.

The Database Administrator (DBA) has a special database login ID that can access all databases in the Adaptive Server. The DBA is also referred to as the system administrator. In fact, the name of the DBA login is sa (for System Administrator).

The Database Owner (DBO) is a special database login with permission to perform all actions on a policy database. Usually, the login that creates the database automatically becomes the DBO. The Database User ID is dbo (lowercase), which is different from its Database Login ID. For your policy database, you can use any Database Login ID as the DBO.

The Database User ID pertains to one specific database and is a login given permission by the DBO or DBA (system administrator) to access that one database. In most cases, the database user ID is the same as the Database Login ID. However, in some cases, they may be different, as with the special dbo user ID.

A database schema is a collection of objects associated with a particular schema name. The objects include tables, views, domains, constraints, assertions, privileges, and so on.

The policy owner is a Database User ID that controls the set of database schema in the database. BEA recommends that you not use dbo as a policy owner because it requires special administration. The AquaLogic Enterprise Security architecture allows multiple policy owners in its database, each owning a policy different from the other policies.

Sybase Database System Requirements

Table 0-6 describes the minimum requirements for the system on which the Sybase Adaptive Server is installed.

Table 0-6 Sybase Database Minimum Requirements

  Requirement                            Description
  Software Version                       Sybase Adaptive Server Enterprise 12.5.2.
  Server Platform                        Any platform supported by Sybase.
  Memory                                 As required by Sybase server installation (42 MB minimum).
  Disk Space for the default database    As required by Sybase server installation.
  Disk Space for Sybase software         Refer to the Sybase Adaptive Server Enterprise Installation Guide for details.
  Disk Space for the Policy Database     A minimum of two database devices is required, each having 250 MB.
  Sybase Client                          Sybase client that ships with Version 12.5 of the product.

Installing and Configuring the Sybase Adaptive Server

This section provides instructions for installing and configuring a Sybase database for use with the AquaLogic Enterprise Security Administration Server.

For guidance on installing and configuring the database, see the following topics:

Installing the Sybase Database

This section provides recommendations for installing and configuring the Sybase database software. If the Sybase database is already installed on the database host machine, you can skip this procedure and go to Creating Sybase Database Devices.

To install the Sybase Adaptive Server, perform these steps:

  1. To install the Sybase Adaptive Server database software, follow the Sybase installation instructions in the Sybase Adaptive Server Enterprise Installation Guide. When the Sybase Installer displays the Configure New Server screen, select the Configure new Adaptive Server and Configure new XP Server check boxes and proceed with the installation.
  2. When the final installer screen appears, select the Yes, restart my computer radio button and click Finish.

    Note: By default, Sybase names your database server based on your machine name.

  3. After the machine restarts, start the Sybase Server (Sybase SQLServer) manually.

Creating Sybase Database Devices

The policy database requires at least two database devices, each having at least 250 MB of free space. The first device stores policy data and the other stores the transaction log. You must create these two database devices before you create and configure the policy database.

Note: For better performance, BEA recommends a raw partition as the best configuration for the database device. Obviously, you must allocate sufficient disk space to ensure that the database meets your performance requirements.

To create Sybase database devices on the Windows platform, perform the following steps:

  1. To start the Sybase Central tool, click Start-->Programs-->Sybase-->Sybase Central Java Edition. The Sybase Central tool opens.
  2. Click Tools, select Connect and log in as user sa (no password is required). The Sybase Central screen appears as shown in Figure A-5.

    Note: The user sa does not have a password by default.

    Figure A-5 Sybase Central

  3. Expand the Sybase Database server node in the left pane (shown as WAILEE in Figure A-5, but your server is displayed instead) and click Database Devices. Add Database Device appears in the right pane (see Figure A-6).

    Figure A-6 Add Database Device Screen

  4. Double-click Add Database Device. The Specify the Name and Path screen appears (see Figure A-7).

    Figure A-7 Database Device Name and Path Screen

  5. Specify the path (for example C:\Sybase\data\asi_data_dev.dat) and the device name (for example asi_data_dev), and click Next. The Add Database Device - Advanced Options screen appears (see Figure A-8).

    Figure A-8 Sybase Add Database Device - Advanced Options Screen

  6. Set the Device number to 2, Size to 250 MB, set the check box to on, and click Finish.
  7. To add database device asi_log_dev, repeat steps 4 to 6, but set the database device name to asi_log_dev instead of asi_data_dev, and click Finish.

Note: For instructions for creating Sybase database devices on Solaris and Linux platforms, see the chapter "Managing Adaptive Server Databases" in the Sybase Adaptive Server Enterprise Configuration Guide for the particular platform.

Creating and Configuring a Sybase Policy Database

Like other Sybase databases, the policy database contains at least one set of database schemas, owned by a user referred to as the policy owner. While it is unusual, the same database may contain multiple sets of policies, each owned by a different user.

Note: Before continuing, be sure that you have the names of two existing database devices that have sufficient free space to hold the data and transaction log for the policy database. If the database devices do not exist, go to Creating Sybase Database Devices and create them.

To create and configure the policy database, perform these steps:

  1. From a command prompt, log into the database server as the Sybase system administrator. For example, type:

    isql -Usa -Sserver_name

    where: sa is the sa user and server_name is the name of your database server.

  2. Enter the following commands:

    1>use master
    2>go
    1>create database sspolicy on asi_data_dev = 250 log on asi_log_dev = 250
    2>go

    where: sspolicy is the name of the database. The name sspolicy is used only for the purpose of the example. You can assign any name to the database. In this example, the minimum database sizes, 250 MB, are used. If you choose to use other sizes, enter those sizes instead.

    asi_data_dev and asi_log_dev are the names of the two devices.

  3. To use the Sybase sp_dboption system procedure to set the database options, type the following commands at the isql command prompt:

    1>use master
    2>go
    1>sp_dboption sspolicy, "select into/bulkcopy", true
    2>go
    1>sp_dboption sspolicy, "abort tran on log full", true
    2>go
    1>sp_dboption sspolicy, "trunc log on chkpt", true
    2>go

    For more information on the sp_dboption system procedure, see Sybase Adaptive Server Enterprise Reference Manual: Procedures.

    Note: In a development database, you may set the trunc log on chkpt option to true because the DBA may not have time to run a dump transaction from time to time to truncate the transaction log. In a production database, you must set this option to false and perform a dump transaction to back up and truncate the database and transaction logs.

  4. To create the database user account for the AquaLogic Enterprise Security Administration Server to access the policy database, perform these steps:

    1. To create the ASI Database Login ID, at the isql command prompt, type the following commands:

      1>use master
      2>go
      1>sp_addlogin asi, password, sspolicy, null, "asi login"
      2>go

      The password must be at least six alphanumeric characters or other characters allowed by Sybase. The name of the default database is sspolicy. If an asi login already exists, you must use the sp_modifylogin command to set its default database to sspolicy.

    2. To create the ASI Database User ID, type the following commands:

      1>use sspolicy
      2>go
      1>sp_adduser asi
      2>go

    3. To grant permissions to the ASI Database User ID, type the following commands:

      1>use sspolicy
      2>go
      1>grant all to asi
      2>go

  5. To verify that the configured user asi can connect to the target Sybase database using isql, open a command window on the machine on which the database is installed and log in. For example, using the values specified in the previous step, type the following:

    isql -Uasi -Ppassword -Sserver_name
    1>

    where: asi is the username, password is the password of the user specified, and server_name is the database server name.

This completes the configuration of the policy database.

Installing and Configuring a Sybase Database Client

Skip this step if you want to administer the Sybase Adaptive Server and run the AquaLogic Enterprise Security Administration Server on the machine on which the Sybase Adaptive Server is installed.

You must install the Sybase Open Client (Sybase client for Adaptive Server) to:

The information you need to install and configure the Sybase Open Client includes:

The following topics provide guidance for installing and testing a Sybase Open Client:

Testing an Existing Sybase Open Client Installation

If the Sybase Open Client is already installed, you need to ensure that you can access the Adaptive Server from the client. To do so, open a command window and type:

isql -U loginid -S ASERVER -P loginidpassword

where: loginid is the identity you defined when you configured the policy database, ASERVER is the name of the policy database, and loginidpassword is the password of the identity.

The isql prompt appears, indicating a successful connection.

If this command fails and you know the client is installed, the client is probably not configured properly to point to the database server. If the client is on the same machine as the Sybase database, the client is configured automatically when you do the installation. If the client is on a machine other than the Sybase database machine, you need to configure the client. For instructions on how to configure the Open Client, see the installation and configuration procedure that applies to your particular platform:

Installing and Configuring the Sybase Open Client on Windows

To install the Sybase Open Client in a Windows environment, do the following:

Note: This section provides guidance to assist you, but it does not supersede the documentation provided by Sybase.

  1. Log into Windows as administrator.
  2. Start the Open Client installation program on your computer (setup.exe) and install the Open Client according to instructions provided in the Sybase Adaptive Server Enterprise Installation Guide for Windows. If the Open Client is already installed, skip this step and go to the next step.
  3. Check that your system environment variables are set correctly to point to the Sybase installation directory, as shown in the following example (where the installation is on the D: drive):

    SYBASE=D:\Sybase
    SYBASE-JRE=D:\sybase\shared-1_0\JRE-1_3
    SYBASE_OCS=OCS-12_5

  4. Check that your system PATH environment variable includes the bin and dll subdirectories of your Sybase installation directory, as shown in the following example (where the installation is on the D: drive):

    D:\Sybase\OCS-12_5\bin and D:\Sybase\OCS-12_5\dll

  5. Using a text editor or the Dsedit utility provided by Sybase, edit the Sybase configuration file sql.ini in the \ini sub-folder of your Sybase Open Client installation directory to include a server entry that points to your policy database server. For instructions on how to use the Dsedit utility to edit the sql.ini file, see the Sybase Adaptive Server Enterprise Installation Guide for Windows. For parameters required to edit the sql.ini file, see the sql.ini file located in \sybase\ini directory on the machine on which the Sybase database server is installed. Here is an example sql.ini file produced by the Dsedit utility:

    [ASERVER]
    master=TCP,PCWIZ, 5000
    query=TCP,PCWIZ, 5000

  6. To test your installation, at the command prompt, type:

    isql -U loginid -S ASERVER -P loginidpassword

    where: loginid is the identity you defined when you configured the policy database, ASERVER is the name of the policy database, and loginidpassword is the password of the identity.

    The isql prompt appears, indicating a successful connection.

This completes the configuration of the Sybase Open Client.

Installing and Configuring the Sybase Open Client on Sun Solaris

To install and configure a Sybase Open Client on Sun Solaris, perform the following steps:

Note: This section provides guidance to assist you, but it does not supersede the documentation provided by Sybase.

  1. Log in to Solaris with the username sybase. If the user sybase does not exist, have your Solaris system administrator create it.
  2. Start the Open Client installation program to install on your workstation and install the Open Client according to instructions provided in Sybase Adaptive Server Enterprise Installation Guide for Solaris.
  3. Set the SYBASE environment variable to point to the Sybase installation directory, as shown in the following example:

    /export/home/sybase

  4. Set the PATH environment variable to include the bin subdirectory of your Sybase installation directory, as shown in the following example:

    /export/home/sybase/OCS-12_5/bin

  5. Set the LD_LIBRARY_PATH environment variable to include the lib subdirectory of your Sybase installation directory, as shown in the following example:

    /export/home/sybase/OCS-12_5/lib

  6. Using a text editor or the Dsedit utility provided by Sybase, edit the Sybase configuration file sql.ini in the \ini sub-folder of your Sybase Open Client installation directory to include a server entry that points to your database server. For instructions on how to use the Dsedit Utility to edit the sql.ini file, see the Sybase Adaptive Server Enterprise Installation Guide for Solaris. For parameters required to edit the sql.ini file, see the sql.ini file located in \sybase\ini directory on the machine on which the Sybase database server is installed. Here is an example sql.ini file produced by the Dsedit utility:

    [ASERVER]
    master=TCP,PCWIZ, 5000
    query=TCP,PCWIZ, 5000

  7. To test your installation, at the Solaris command prompt, type:

    isql -U loginid -S ASERVER -P loginidpassword

    where: loginid is the identity you defined when you configured the policy database, ASERVER is the name of the policy database, and loginidpassword is the password of the identity.

    The isql prompt appears, indicating a successful connection.

  8. Repeat steps 3 to 5 for each user needing access to the Sybase Adaptive Server.
  9. Include these settings in either .profile or .cshrc, depending on the default user shell.

This completes the configuration of the Sybase Open Client.

Installing and Configuring the Sybase Open Client on Red Hat Advanced Server 2.1

To install and configure a Sybase Open Client on Red Hat Advanced Server 2.1, perform the following steps:

Note: This section provides guidance to assist you, but it does not supersede the documentation provided by Sybase.

  1. Install the Red Hat Advanced Server software according to instructions in the Sybase Adaptive Server Enterprise Installation Guide.
  2. To test your installation, at the command prompt, type:

    isql -Usa -Ppassword -Sserver_name

    where: server_name is the database server name and password is the password of the sa user.

    The isql prompt appears, indicating a successful connection.

This completes the configuration of the Sybase Open Client.

Administering the Sybase Policy Database

This section covers the following database administration topics:

Creating a User Account in a Sybase Policy Database

This section describes how to configure a new user account in a Sybase database. This account is necessary so that the policy for the instance of the Administration Server managed by this user can have a dedicated storage area allocated in the database instance.

To set up the user account, create the login to the Adaptive Server Enterprise database, create the user for policy database, and grant the user privileges to manipulate the policy schema.

Note: BEA strongly recommends that you not use the dbo of the policy database as the policy owner. While it is possible to do so, it requires additional database configuration that is beyond the scope of this guide.

To create a database user account, perform these steps:

  1. Log in as the System Administrator.
  2. At the command prompt, type:

    isql -Usa -S server_name

    where: server_name is the database server name.

  3. To create the ASI Database Login ID, at the isql command prompt, type the following commands:

    1>use master
    2>go
    1>sp_addlogin asi, password, sspolicy, null, "asi login"
    2>go

    where: password must be at least six alphanumeric characters or other characters allowed by Sybase and sspolicy is the name of the default database. If an asi login already exists, you must use the sp_modifylogin command to set its default database to sspolicy.

  4. To create the ASI database user ID, at the isql command prompt, type the following commands:

    1>use sspolicy
    2>go
    1>sp_adduser asi
    2>go

  5. To grant permissions to the ASI database user ID, at the isql command prompt, type the following commands:

    1>use sspolicy
    2>go
    1>grant all to asi
    2>go
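
A post-setup review for the Sybase policy database configuration and user account procedures on this page, covering the sa login that has no password by default, the trunc log on chkpt option, and the permissions given to asi. This is an added example, not part of the BEA documentation; it assumes the example names sspolicy and asi used above, and new_sa_password is a placeholder.

```sql
-- Run in isql as sa. sspolicy and asi are the example names used on this
-- page; new_sa_password is a placeholder (assumption), not a real value.

-- 1. Logins that still have no password. On a default installation sa is
--    listed here; after step 2 the query should return no rows.
use master
go
select name, dbname from syslogins where password is null
go

-- 2. Give sa a password. The first argument is the caller's current
--    password, which is null while sa has none.
sp_password null, "new_sa_password"
go

-- 3. Confirm that the asi login exists and that its default database is
--    sspolicy rather than master.
sp_displaylogin asi
go

-- 4. Show the options currently set on the policy database. The status
--    column lists "trunc log on chkpt" when that option is on.
sp_helpdb sspolicy
go

-- 5. Production databases only: turn "trunc log on chkpt" off so the
--    transaction log is kept until it is dumped, then checkpoint in the
--    affected database so the change takes effect (harmless on servers
--    that already do this automatically).
use master
go
sp_dboption sspolicy, "trunc log on chkpt", false
go
use sspolicy
go
checkpoint
go

-- 6. List the permissions held by asi in the policy database, to review
--    what "grant all to asi" actually conferred.
sp_helprotect asi
go
```

With trunc log on chkpt off, the transaction log grows until it is dumped, so step 5 only makes sense together with the scheduled dump transaction described under Backing Up a Sybase Database.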

Using the Database Administration Utilities with Sybase

Table 0-7 lists and describes the batch and shell files provided for database administration. The files are located in the following directory:

bea\ales22-admin\bin\

where:

Before running these scripts with a Sybase database, you need to ensure the following setup steps are completed:

Backing Up a Sybase Database

BEA strongly recommends that you back up your original policy database regularly. A database backup is always recommended before you uninstall or re-install the policy database. You may need to contact your database or system administrator to assist with this process. Backups should be done on a regularly scheduled basis.

If you have an existing backup procedure in place, you may choose to run it. Otherwise, follow these steps:

  1. Log in to your Sybase database server as the system administrator, database operator, or database owner.

    The database owner is not the same as the policy owner.

  2. Back up the transaction log by using the Sybase dump transaction command.
  3. Back up the database by using the Sybase dump database command.

Note: See your Sybase documentation for further information on using these commands.
