Oracle® Audit Vault Server Installation Guide Release 10.2.3.1 for AIX Part Number E13844-04
This chapter includes an overview of the major steps required to install single instance Oracle Audit Vault Server (Audit Vault Server) and to install Audit Vault Server with Oracle Real Application Clusters (Oracle RAC).
The Oracle Audit Vault Server software is available:
On digital video disc (DVD)
For download on Oracle Technology Network, http://www.oracle.com/technology/index.html
For an overview of requested information specific to the Audit Vault Server installation, see Section 3.6.
See Section 2.12 for important information about setting the correct locale.
To perform Audit Vault Server single instance basic installation:
Invoke Oracle Universal Installer (OUI) to install Oracle Audit Vault as an Oracle Database 10g release 2 (10.2.0.3) database.
Log in as the oracle user. Alternatively, switch the user to oracle using the su - command. Change your current directory to the directory containing the installation files. Start Oracle Universal Installer from the Oracle Audit Vault package.
cd directory-containing-the-Oracle-Audit-Vault-installation-files
./runInstaller
Oracle Universal Installer starts by checking the following installation requirements and displaying the results. For each check, it shows the required value (what the value should be, or the minimum it must exceed or equal), then the actual value and the check result status: Passed or Failed.
Checking operating system version: must be redhat-3, SuSE-9, SuSE-10, redhat-4, redhat-5, UnitedLinux-1.0, asiaunx-1, asianux-2, enterprise-4 or enterprise-5 Passed
Checking temp space: must be greater than 80 MB. Actual 15412 MB Passed
Checking swap space: must be greater than 150 MB. Actual 3931 MB Passed
Checking monitor: must be configured to display at least 256 colors. Actual 65536 Passed
Then Oracle Universal Installer prepares to launch itself.
On the Select Installation Type page, select the Basic Installation option, then click Next.
Enter the following information on the Basic Installation Details page. See Section 3.6 for more information about each of these topics.
Audit Vault Name – A unique name for the Oracle Audit Vault database. The Oracle Audit Vault name is required. The name will be used as the database SID, and will be the first portion (db_name) of the database service name.
Audit Vault Home – Specify or browse to find the path to the Oracle Audit Vault Home where you want to install Oracle Audit Vault.
Audit Vault Administrator and Audit Vault Auditor – The account name of the Oracle Audit Vault Administrator and a separate, optional Oracle Audit Vault Auditor, respectively. The Oracle Audit Vault administrator and Oracle Audit Vault auditor account names must not be the same. The Oracle Audit Vault Administrator account name is required. Accept the selected Create a Separate Audit Vault Auditor check box to choose to create the Oracle Audit Vault Auditor account name. The check box is selected by default. Deselecting the check box disables the text fields for the Oracle Audit Vault Auditor user name and password. The Oracle Audit Vault Administrator in this case will also be granted the role of Oracle Audit Vault Auditor.
The Oracle Audit Vault Administrator user name will also be used for the following Oracle Database Vault users that are created to facilitate the separation of duties:
AV_ADMINdvo – The Database Vault Owner (granted DV_OWNER role) to manage Database Vault roles and configuration, where AV_ADMIN represents the Oracle Audit Vault Administrator user name.
AV_ADMINdva – The Database Vault Account Manager (granted DV_ACCTMGR role) to manage database user accounts, where AV_ADMIN represents the Oracle Audit Vault administrator user name.
Administrator Password and Auditor Password – The password for the Oracle Audit Vault administrator account and the Oracle Audit Vault auditor account, respectively.
There cannot be repeating characters in each password. The length of each password must be between 8 and 30 characters. Each password must consist of at least one alphabetic character, one numeric character, and one of the special characters shown in Table 3-2.
The password entered for the Oracle Audit Vault administrator account will also be used for the standard database accounts (sys, system, sysman, dbsnmp).
The Oracle Audit Vault administrator password will also be used for the Oracle Database Vault users (Database Vault Owner and the Database Vault Account Manager users) that are created to facilitate the separation of duties.
Confirm Password – the confirming password for the Oracle Audit Vault Administrator account and the Oracle Audit Vault auditor account, respectively.
Each password must be identical to its corresponding password confirmation.
After entering the required information, click Next to continue with the installation. The Next button is enabled only when information has been entered for all required fields. Validation of information is done on all user input after you click Next. The installation process will not continue until all required input passes validation.
If this is the first installation of an Oracle product on the system, then the Oracle Universal Installer displays the Specify inventory directory and credentials page, where you must enter the Inventory directory location and the OS group name, then click Next.
Review the installation prerequisite checks on the Prerequisite Check page. This is when all installation prerequisite checks are performed and the results are displayed. Verify that all prerequisite checks succeed, then click Next.
Oracle Universal Installer checks the system to verify that it is configured correctly to run Oracle software. If you have completed all of the preinstallation steps in this guide, all of the checks should pass.
If a check fails, then review the cause of the failure listed for that check on the screen. If possible, rectify the problem and rerun the check. Alternatively, if you are satisfied that your system meets the requirements, then you can select the check box for the failed check to manually verify the requirement.
Review the installation summary information on the Basic Installation Summary page. After reviewing this installation information, click Install to begin the installation procedure. The installation will copy files, link binaries, apply patches, run configuration assistants, including DBCA to create and start the Audit Vault Server, DVCA to secure the server, and AVCA to configure and start Oracle Audit Vault Console.
When DBCA finishes configuring the software and creating the database, a message is displayed. Click OK to continue.
Provide information or run scripts as the root user when prompted by Oracle Universal Installer. If you need assistance during installation, click Help. If you encounter problems during installation, then examine the Oracle Universal Installer actions recorded in the installation log file. The log file is located in the cfgtoollogs/oui directory, in the following location:
$ORACLE_HOME/cfgtoollogs/oui/installActionsdate_time.log
After the installation completes, take note of the Oracle Enterprise Manager Database Control URL and the Oracle Audit Vault Console URL. On the Exit page, click Exit. Then, on the Confirmation message box, click Yes to exit Oracle Universal Installer.
See Section 3.7.7 for information about logging into Oracle Audit Vault Console and Oracle Enterprise Manager Database Control.
After you have completed the installation, proceed to Section 3.7 to perform the postinstallation tasks.
This section assumes you performed phase one of the installation procedures for installing Oracle Audit Vault with Oracle Real Application Clusters (Oracle RAC) as described in Oracle Database Oracle Clusterware and Oracle Real Application Clusters Installation Guide for AIX Based Systems. These tasks include preinstallation tasks, configuring Oracle Clusterware and Oracle Database storage, and installing Oracle Clusterware. You are now ready to install Oracle Audit Vault in an Oracle RAC environment.
This section describes the remaining installation procedures for installing Oracle Audit Vault with Oracle Real Application Clusters (Oracle RAC).
Verifying System Readiness for Installing Oracle Audit Vault with CVU
To help to verify that your system is prepared to install Oracle Audit Vault with Oracle RAC successfully, use the Cluster Verification Utility (CVU) runcluvfy command.
See the "Verifying System Readiness for Installing Oracle Database with CVU" section in Oracle Database Oracle Clusterware and Oracle Real Application Clusters Installation Guide for AIX Based Systems.
If the cluster verification check fails, then review and correct the relevant system configuration steps, and run the test again. Use the system configuration checks described in "Troubleshooting Installation Setup" section in Oracle Database Oracle Clusterware and Oracle Real Application Clusters Installation Guide for AIX Based Systems to assist you.
This section describes the advanced installation for both the single instance installation and the Oracle RAC installation.
See Section 2.12 for important information about setting the correct locale.
Perform the following procedures to install Oracle Audit Vault.
Run Oracle Universal Installer (OUI) to install Oracle Audit Vault.
Log in as the oracle user. Alternatively, switch user to oracle using the su - command. Change your current directory to the directory containing the installation files. Start Oracle Universal Installer from the Oracle Audit Vault package.
cd directory-containing-the-Oracle-Audit-Vault-installation-files
./runInstaller
Oracle Universal Installer starts by checking the following installation requirements and displaying the results. For each check, it shows the required value (what the value should be, or the minimum it must exceed or equal), then the actual value and the check result status: Passed or Failed.
Checking operating system version: must be redhat-3, SuSE-9, SuSE-10, redhat-4, redhat-5, UnitedLinux-1.0, asiaunx-1, asianux-2, enterprise-4 or enterprise-5 Passed
Checking temp space: must be greater than 80 MB. Actual 14773 MB Passed
Checking swap space: must be greater than 150 MB. Actual 3970 MB Passed
Checking monitor: must be configured to display at least 256 colors. Actual 65536 Passed
Then Oracle Universal Installer prepares to launch itself.
On the Select Installation Type screen, select the Advanced Installation option, then click Next.
Enter the following information on the Advanced Installation Details screen. See Section 3.6 for more information about each of these topics.
Audit Vault Name – A unique name for the Audit Vault database. The Oracle Audit Vault name is required. For single instance installation, the name will be used as the database SID, and will be the first portion (db_name) of the database service name. For an Oracle RAC installation, the name will be used to derive the Oracle RAC database SID of each Oracle RAC node, and will be the first portion (db_name) of the database service name.
Audit Vault Home – Specify or browse to find the path to the Oracle Audit Vault home where you want to install Oracle Audit Vault.
Audit Vault Administrator and Audit Vault Auditor – the account name of the Oracle Audit Vault administrator and a separate, optional Oracle Audit Vault auditor, respectively. The Oracle Audit Vault administrator and Oracle Audit Vault auditor account names cannot be the same. The Oracle Audit Vault Administrator account name is required. Accept the selected Create a Separate Audit Vault Auditor check box to choose to create the Oracle Audit Vault auditor account name. The check box is selected by default. Deselecting the check box disables the text fields for the Oracle Audit Vault auditor user name and password. The Oracle Audit Vault administrator in this case will also be granted the role of Oracle Audit Vault Auditor.
Administrator Password and Auditor Password – The password for the Oracle Audit Vault administrator account and the Oracle Audit Vault auditor account, respectively.
There cannot be repeating characters in each password. The length of each password must be between 8 and 30 characters. Each password must consist of at least one alphabetic character, one numeric character, and one of the special characters shown in Table 3-2.
Confirm Password – The confirming password for the Oracle Audit Vault Administrator account and the Oracle Audit Vault Auditor account, respectively.
Each password must be identical to its corresponding password confirmation.
After entering the required information, click Next to continue with the installation. The Next button is enabled only when information has been entered for all required fields. Validation of information is done on all user input after you click Next. The installation process will not continue until all required input passes validation.
If this is the first installation of an Oracle product on the system, then the Oracle Universal Installer displays the Specify inventory directory and credentials page, where you must enter the Inventory directory location and the OS group name, then click Next.
Enter the following information on the Database Vault User Credentials screen. See Section 3.6.2 for more information about each of these topics.
Database Vault Owner and Database Vault Account Manager – The account name of the Database Vault Owner and a separate, optional Database Vault Account Manager, respectively. The Database Vault Owner, Database Vault Account Manager, Oracle Audit Vault Administrator, and Oracle Audit Vault Auditor account names must not be the same (applicable when a separate Oracle Audit Vault Auditor or Database Vault Account Manager account is created). The Database Vault Owner name is required. Accept the selected Create a Separate Database Vault Account Manager check box to choose to create the Database Vault Account Manager account name. The check box is selected by default. Deselecting the check box disables the text fields for the Database Vault Account Manager user name and password. The Database Vault Owner in this case will also be granted the role of Database Vault Account Manager.
Database Vault Owner Password and Database Vault Account Manager Password – The password for the Database Vault Owner account and the Database Vault Account Manager account, respectively.
There cannot be repeating characters and space characters in each password. The length of each password must be between 8 and 30 characters. Each password must consist of at least one alphabetic character, one numeric character, and one of the special characters shown in Table 3-2.
Confirm Password – The confirming password for the Database Vault Owner account and the Database Vault Account Manager account, respectively.
Each password must be identical to its corresponding password confirmation.
After entering the required information, click Next to continue with the installation. The Next button is enabled only when information has been entered for all required fields. Validation of information is done on all user input after you click Next. The installation process will not continue until all required input passes validation.
If you are installing on a clustered system (Oracle Clusterware is installed and the system is already part of a cluster), the Node Selection screen appears from which to select the nodes on which Oracle Audit Vault will be installed. Local node will always be selected by default. If you are installing Oracle Audit Vault single instance on this local node only, select the Local Only Installation option, then click Next.
If you are installing on a clustered system (Oracle Clusterware is installed and the system is already part of a cluster), select the nodes on which Oracle Audit Vault must be installed, then click Next.
Review the installation prerequisite checks on the Prerequisite Check screen. This is when all installation prerequisite checks are performed and the results are displayed. Verify that all prerequisite checks succeed, then click Next.
Oracle Universal Installer checks the system to verify that it is configured correctly to run Oracle Database software. If you have completed all of the preinstallation steps in this guide, all of the checks should pass.
If a check fails, then review the cause of the failure listed for that check on the screen. If possible, rectify the problem and rerun the check. Alternatively, if you are satisfied that your system meets the requirements, then you can select the check box for the failed check to manually verify the requirement.
On the Specify Database Storage Options screen, you can select one of the following storage options: File system, Automatic Storage Management (ASM), or Raw Devices.
If you select File System, specify or browse to the database file location for the data files. If you select Raw Devices, specify the path or browse to the Raw Devices mapping file. If you select Automatic Storage Management (ASM), you must have already installed ASM. Make a selection and click Next.
On the Specify Backup and Recovery Options screen, you can choose either to not enable automated backups or to enable automated backups.
If you select the Do not enable Automated backups option, click Next.
If you select the Enable Automated backups option, then you must specify a Recovery Area Storage. You can choose either to use the File System option or the Automatic Storage Management option.
If you select the File System option, specify a path or browse to the recovery area location. Next, for Backup Job Credentials, enter the operating system credentials (user name and password) of the user account with administrative privileges to be used for the backup jobs, then click Next.
If you select the Automatic Storage Management option, then for Backup Job Credentials, enter the operating system credentials (user name and password) of the user account with administrative privileges to be used for the backup jobs, then click Next.
Next, select the disk group from the existing disk groups. This screen lets you select the disk groups. If the disk group selected has enough free space, by clicking Next, the Specifying Database Schema Password screen is displayed (see Step 9). If the disk group selected does not have enough free space, the Configure Automatic Storage Management page is displayed.
On the Configure Automatic Storage Management screen, you can select the disks to add from the Add Member Disks table by selecting the check box in the Select column for the corresponding disks.
On AIX systems, the default path for discovering eligible disks is /dev/raw/*. If your disks are located elsewhere, you must change the disk discovery path for the disks to be discovered by Oracle Universal Installer. To change the path, click Change Disk Discovery Path.
On the Specify Database Schema Passwords screen, you can choose to enter different passwords for each privileged database account or select the Use the same passwords for all accounts option. If you choose to enter a set of valid passwords for each privileged database account, enter these passwords. If you select the Use the same passwords for all accounts option, then enter a single valid password. When you are finished, click Next.
Review the installation summary information on the Advanced Installation Summary screen. After reviewing this installation information, click Install to begin the installation procedure. The installation will copy files, link binaries, apply patches, run configuration assistants, including DBCA to create and start the Audit Vault Server, DVCA to secure the server, and AVCA to configure and start Oracle Audit Vault Console.
When DBCA finishes configuring the software and creating the database, a message is displayed. Click OK to continue.
Run scripts as the root user when prompted by Oracle Universal Installer. If you need assistance during installation, click Help. If you encounter problems during installation, then examine the Oracle Universal Installer actions recorded in the installation log file. The log file is located in the cfgtoollogs/oui directory in the following location:
$ORACLE_HOME/cfgtoollogs/oui/installActionsdate_time.log
Note:
The Oracle home name and path that you provide during Oracle Audit Vault installation must be different from the home that you used during the Oracle Clusterware installation. You cannot install Oracle Audit Vault with Oracle RAC software into the same home in which you installed the Oracle Clusterware software.
The following is a list of additional information to note about installation:
If you are not using the ASM library driver (ASMLIB), and you select Automatic Storage Management (ASM) during installation, then ASM default discovery finds all disks that ASMLIB marks as ASM disks.
If you are not using ASMLIB, and you select ASM during installation, then ASM default discovery finds all disks marked /dev/raw/* for which the Oracle software owner user has read/write permission. You can change the disk discovery string during the installation if the disks that you want to use for ASM are located elsewhere.
On the Select Database Management Option page, if you have already completed the Grid Control Management Agent installation, then you can select either Grid or Local Database control. Otherwise, only Local Database control for database management is supported for Oracle RAC. When you use the local Database Control, you can choose the e-mail option and enter the outgoing SMTP server name and e-mail address.
See Also:
Oracle Enterprise Manager Grid Control Installation and Basic Configuration for details about installing Grid Control with Oracle Universal Installer, and Oracle Enterprise Manager Advanced Configuration Guide for details about installing Database Control with the Database Configuration Assistant (DBCA) and Enterprise Manager Configuration Assistant (EMCA)
After the installation completes, take note of the Oracle Enterprise Manager Database Control URL and the Oracle Audit Vault Console URL. On the Exit page, click Exit. Then, on the Confirmation message box, click Yes to exit Oracle Universal Installer.
See Section 3.7.7 for information about logging into Oracle Audit Vault Console and Oracle Enterprise Manager Database Control.
After you have completed this part of the installation, proceed to Section 3.7 to perform the postinstallation tasks.
Note:
The Basic installation is not supported in silent mode. Silent installation is only supported for the Advanced installation.
Follow these brief steps to perform a silent installation using a response file:
Make sure all prerequisites are met for the installation of Audit Vault Server.
Prepare the Audit Vault Server response file. A template response file can be found at AV_installer_location/response/av.rsp on the Audit Vault Server installation media.
Prepare the response file by entering values for all parameters that are missing in the first part of the response file, then save the file. Note that for single instance installations, RAW storage is not used. Also note that the CLUSTER_NODES parameter must be specified for installing Audit Vault Server in an Oracle RAC environment. Do not edit any values in the second part of either response file.
Set the DISPLAY environment variable to an appropriate value before proceeding with the silent installation. See Section 2.11 for more information.
Invoke Oracle Universal Installer using the following options:
./runInstaller -silent -responseFile path_of_response_file
Note:
Before you invoke Oracle Universal Installer, run the rootpre.sh script to set up the AIX system the first time. If you have already run this script, then you can bypass the silent installation confirmation prompt by setting the following environment variable before starting the runInstaller utility:
$ export SKIP_ROOTPRE=TRUE
For more information about these options, see Section 1.3.2. For general information about how to complete a database installation using response files, see Oracle Database Oracle Clusterware and Oracle Real Application Clusters Installation Guide for AIX Based Systems.
This section provides an overview of requested information specific to the Audit Vault Server installation.
An Audit Vault Server installation consists of three options:
Upgrade Existing Audit Vault Server Home – Detects the existence of upgradable Oracle Audit Vault Server homes on the system and enables the upgrade option to the current release. Performs an upgrade on the selected upgradable Audit Vault Server home when this option is selected. See Chapter 4 for more information on performing an upgrade.
Basic Installation – Simplifies the installation process and prompts for a minimal set of inputs, including the name of the Oracle Audit Vault database, the Oracle Audit Vault administrator and optionally the auditor user names and passwords. An Oracle RAC installation is not supported through the Basic Installation option.
Advanced Installation – Offers the user more control and options for the installation process, including storage options and backup options. The Advanced Installation option supports the installation of Audit Vault Server on a cluster.
Note:
If you perform an Audit Vault Server installation using Simplified Chinese (zh_CN) or Japanese (ja_JP) languages, then accessing help on the installer screen will display a blank help window. For more information on this refer to the Oracle Audit Vault Release Notes.
This section includes the following topics:
Advanced Server Installation: Database Vault User Credentials Screen
Advanced Server Installation: Specify Database Storage Options Screen
Advanced Server Installation: Specify Backup and Recovery Option Screen
Advanced Server Installation: Specify Database Schema Passwords Screen
This section describes the required fields in the Basic Installation Details screen and the Advanced Installation Details screen.
The Oracle Audit Vault Name must be a unique name for the Oracle Audit Vault database. The name will be used for the database SID, and will be the first portion (db_name) of the database service name.
The name cannot exceed 8 characters and must begin with an alphabetic character.
The Oracle Audit Vault name cannot contain any of the characters shown in Table 3-1.
Table 3-1 Invalid Oracle Audit Vault Name and Oracle Audit Vault Account Characters
Symbol | Character Name |
---|---|
! | Exclamation point |
@ | At sign |
% | Percent sign |
^ | Circumflex |
& | Ampersand |
* | Asterisk |
( | Left parenthesis |
) | Right parenthesis |
- | Minus sign |
+ | Plus sign |
= | Equal sign |
" | Double quotation mark |
| | Vertical bar |
` | grave |
~ | tilde |
[ | Left bracket |
{ | Left brace |
] | Right bracket |
} | Right brace |
; | Semicolon |
: | Colon |
' | Single quotation mark |
< | Less than sign |
> | Greater than sign |
/ | Slash |
\ | Backslash |
? | Question mark |
, | Comma |
. | Period |
# | Number sign |
_ | Underscore |
$ | Dollar sign |
  | Space character |
The Oracle Audit Vault Home is the path that you must specify or browse to find the Oracle Audit Vault home where you want to install Oracle Audit Vault. The path can contain only alphanumeric characters (letters and numbers).
In addition, the special characters shown in Table 3-2 are allowed.
The Oracle Audit Vault Server installation software prompts you for user names and passwords for the Oracle Audit Vault Administrator user and the separate, optional Oracle Audit Vault Auditor user. In addition, the installation creates an Oracle Database Vault Owner user and a separate, Oracle Database Vault Account Manager for you (basic installation) or the installation prompts you for these user names and passwords (advanced installation). Finally, the installation creates sys, system, sysman, and dbsnmp standard database users for you (basic installation) or the installation prompts for passwords for these users (advanced installation).
You must supply a user name and password for the Oracle Audit Vault administrator user and optionally for the Oracle Audit Vault auditor user during installation. The Create a Separate Audit Vault Auditor check box is selected by default, which means that a separate Oracle Audit Vault Auditor account will be created (and the corresponding user name and password are required). The Oracle Audit Vault Administrator user will be granted the AV_ADMIN role and the Oracle Audit Vault Auditor user will be granted the AV_AUDITOR role. Deselecting this check box means that the Oracle Audit Vault Administrator user will be granted both roles, because the separate Oracle Audit Vault Auditor user will not be created.
Oracle Audit Vault Administrator and Oracle Audit Vault Auditor Accounts
The Oracle Audit Vault Administrator account is granted the AV_ADMIN role. The user granted the AV_ADMIN role can manage the postinstallation configuration. This role accesses Oracle Audit Vault services to administer, configure, and manage a running Oracle Audit Vault system. This role registers audit sources. This role has the ability to configure parameters that assist in populating the Oracle Audit Vault data warehouse. For the basic installation, the Oracle Audit Vault Administrator user name is used to generate the following Oracle Database Vault users to facilitate the separation of duties:
AV_ADMINdvo – The Database Vault Owner (granted DV_OWNER role) to manage Database Vault roles and configuration
AV_ADMINdva – The Database Vault Account Manager (granted DV_ACCTMGR role) to manage database user accounts
For the advanced installation, a Database Vault User Credentials page prompts for the Database Vault Owner account name and password and a separate, optional Database Vault Account Manager account name and password.
The Oracle Audit Vault Auditor account is granted the AV_AUDITOR role. The user granted the AV_AUDITOR role accesses Oracle Audit Vault Reporting and Analysis services to monitor components, detect security risks, create and evaluate alert scenarios, create detail and summary reports of events across systems, and manage the reports. This role manages central audit settings. This role can use the data warehouse services to further analyze the audit data to assist in looking for trends, intrusions, anomalies, and other areas of interest.
The Oracle Audit Vault Administrator, Oracle Audit Vault Auditor, Database Vault Owner, and Database Vault Account Manager user names must not be the same. For the basic installation, the Oracle Audit Vault Administrator user name must be between 2 and 27 characters: because the characters "dvo" and "dva" are appended to the Administrator name, the normal upper limit of 30 characters for user names is reduced to 27 characters. For the advanced installation, the Oracle Audit Vault Administrator user name must be between 2 and 30 characters.
The length of the Oracle Audit Vault Auditor user name must be between 2 and 30 characters. Each user name must not be one of the following reserved names.
Names | Names | Names | Names | Names |
---|---|---|---|---|
ACCESS | ADD | ALL | ALTER | AND |
ANONYMOUS | ANY | AQ_ADMINISTRATOR_ROLE | AQ_USER_ROLE | ARRAYLEN |
AS | ASC | AUDIT | AUTHENTICATEDUSER | AV_ADMIN |
AV_AGENT | AV_ARCHIVER | AV_AUDITOR | AV_SOURCE | AVSYS |
BETWEEN | BY | CHAR | CHECK | CLUSTER |
COLUMN | COMMENT | COMPRESS | CONNECT | CREATE |
CTXAPP | CTXSYS | CURRENT | DATE | DBA |
DBSNMP | DECIMAL | DEFAULT | DELETE | DELETE_CATALOG_ROLE |
DESC | DIP | DISTINCT | DM_CATALOG_ROLE | DMSYS |
DMUSER_ROLE | DROP | DV_ACCTMGR | DV_ADMIN | DVF |
DV_OWNER | DV_PUBLIC | DV_REALM_OWNER | DV_REALM_RESOURCE | DV_SECANALYST |
DVSYS | EJBCLIENT | ELSE | EXCLUSIVE | EXECUTE_CATALOG_ROLE |
EXFSYS | EXISTS | EXP_FULL_DATABASE | FILE | FLOAT |
FOR | FROM | GATHER_SYSTEM_STATISTICS | GLOBAL_AQ_USER_ROLE | GRANT |
GROUP | HAVING | HS_ADMIN_ROLE | IDENTIFIED | IMMEDIATE |
IMP_FULL_DATABASE | IN | INCREMENT | INDEX | INITIAL |
INSERT | INTEGER | INTERSECT | INTO | IS |
JAVA_ADMIN | JAVADEBUGPRIV | JAVA_DEPLOY | JAVAIDPRIV | JAVASYSPRIV |
JAVAUSERPRIV | LBAC_DBA | LBACSYS | LEVEL | LIKE |
LOCK | LOGSTDBY_ADMINISTRATOR | LONG | MAXEXTENTS | MDDATA |
MDSYS | MGMT_USER | MGMT_VIEW | MINUS | MODE |
MODIFY | NOAUDIT | NOCOMPRESS | NOT | NOTFOUND |
NOWAIT | NULL | NUMBER | OEM_ADVISOR | OEM_MONITOR |
OF | OFFLINE | OLAP_DBA | OLAPSYS | OLAP_USER |
ON | ONLINE | ONT | OPTION | OR |
ORDER | ORDPLUGINS | ORDSYS | OUTLN | OWF_MGR |
PCTFREE | PRIOR | PRIVILEGES | PUBLIC | RAW |
RECOVERY_CATALOG_OWNER | RENAME | RESOURCE | REVOKE | ROW |
ROWID | ROWLABEL | ROWNUM | ROWS | SCHEDULER_ADMIN |
SCOTT | SELECT | SELECT_CATALOG_ROLE | SESSION | SET |
SHARE | SI_INFORMTN_SCHEMA | SIZE | SMALLINT | SQLBUF |
START | SUCCESSFUL | SYNONYM | SYS | SYSDATE |
SYSMAN | SYSTEM | TABLE | THEN | TO |
TRIGGER | TSMSYS | UID | UNION | UNIQUE |
UPDATE | USER | VALIDATE | VALUES | VARCHAR |
VARCHAR2 | VIEW | WHENEVER | WHERE | WITH |
WKPROXY | WKSYS | WK_TEST | WKUSER | WM_ADMIN_ROLE |
WMSYS | XDB | XDBADMIN | | |
Each account name cannot contain any of the characters shown in Table 3-2.
Oracle Audit Vault Administrator and Oracle Audit Vault Auditor Passwords
For the basic installation, the Oracle Audit Vault Administrator password you enter for the Oracle Audit Vault Administrator account is also used for the standard database accounts (sys, system, sysman, dbsnmp). For the basic installation Details page, the Oracle Audit Vault Administrator user password is also used for the Oracle Database Vault Owner and Oracle Database Vault Account Manager user passwords.
For the advanced installation, the installer can choose individual passwords for each of these database accounts (sys, system, sysman, dbsnmp) or select to use the same password as the Oracle Audit Vault Administrator for all of these accounts. In addition, a Database Vault User Credentials page prompts for the Database Vault Owner user password and for a separate, optional Database Vault Account Manager user password if that user is created.
The Oracle Audit Vault Administrator and Oracle Audit Vault Auditor password cannot be the name of the Oracle Audit Vault Administrator, Oracle Audit Vault Auditor, Database Vault Owner, or Database Vault Account Manager. The Oracle Audit Vault Administrator user password is required, while the Oracle Audit Vault Auditor user password is only required when creating the separate, optional Oracle Audit Vault Auditor user.
There cannot be repeating characters in each password. The length of each password must be between 8 and 30 characters. Each password must consist of at least one alphabetic character, one numeric character, and one of the special characters shown in Table 3-3.
Table 3-3 Valid Oracle Audit Vault Administrator and Auditor Password Characters
Symbol | Character Name |
---|---|
% | Percent sign |
^ | Circumflex |
- | Hyphen |
[ | Left bracket |
+ | Plus sign |
~ | Tilde |
, | Comma |
# | Number sign |
] | Right bracket |
. | Period |
_ | Underscore |
Each password must be identical to its corresponding password confirmation.
The Audit Vault Server installation software prompts you for two accounts that you create during installation. These are the Database Vault Owner account and the separate, optional Database Vault Account Manager account. You must supply an account name and password for the Database Vault Owner account, and optionally for the Database Vault Account Manager account during installation.
The Create a Separate Database Vault Account Manager check box is selected by default, which means that a separate Database Vault Account Manager account will be created (and the corresponding user name and password are required). The Database Vault Owner user will be granted the DV_OWNER role and the Database Vault Account Manager user will be granted the DV_ACCTMGR role. Deselecting this check box means that the Database Vault Owner user will be granted both roles, because the separate Database Vault Account Manager user will not be created.
The Database Vault Owner, Database Vault Account Manager, Oracle Audit Vault Administrator, and Oracle Audit Vault Auditor account names must be different from each other (applicable when a separate Oracle Audit Vault Auditor or Database Vault Account Manager account is created). The Database Vault Owner name is required.
The length of each account name must be between 2 and 30 characters.
Each account name must not be one of the reserved names shown in the table in Section 3.6.1.3.
Each account name cannot contain any of the characters shown in Table 3-2.
The Database Vault Owner or Database Vault Account Manager password must not be the name of the Oracle Audit Vault Administrator, Oracle Audit Vault Auditor, Database Vault Owner, or Database Vault Account Manager. The Database Vault Owner user password is required, while the Database Vault Account Manager user password is only required when creating the separate, optional Database Vault Account Manager user.
There must be no repeating characters in each password. There must be no space characters in the password.
The length of each password must be between 8 and 30 characters.
Each password must consist of at least one alphabetic character, one numeric character, and one of the special characters shown in Table 3-2. All other characters are not allowed.
Each password must be identical to its corresponding password confirmation.
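The account name and password rules above can be checked before the installer is started. The following is an added example, not Oracle code: the function names are hypothetical, RESERVED_SAMPLE is a constructed subset of the reserved-name table, the Table 3-2 character check for account names is left out, and "repeating characters" is read strictly (no character used twice) unless strict_repeats is turned off.

```python
import string

# Special characters listed in Table 3-3 on this page.
SPECIALS = set("%^-[+~,#]._")
ALLOWED = set(string.ascii_letters + string.digits) | SPECIALS
# Constructed subset of the reserved-name table above; load the full table in real use.
RESERVED_SAMPLE = {"SYS", "SYSTEM", "SYSMAN", "DBSNMP", "AV_ADMIN", "AV_AUDITOR",
                   "DV_OWNER", "DV_ACCTMGR", "DBA", "PUBLIC", "SCOTT"}


def basic_install_accounts(admin, auditor=None):
    """Accounts a basic installation ends up with: the installer appends
    'dvo' and 'dva' to the Administrator name for the two Database Vault users."""
    names = {"admin": admin, "dv_owner": admin + "dvo", "dv_acctmgr": admin + "dva"}
    if auditor is not None:
        names["auditor"] = auditor
    return names


def check_names(names, basic_install, reserved=RESERVED_SAMPLE):
    """names maps a role label to a proposed account name; returns a list of problems."""
    problems = []
    # Assumption: names are compared without regard to case.
    folded = [n.upper() for n in names.values()]
    if len(set(folded)) != len(folded):
        problems.append("account names must all be different")
    for role, name in names.items():
        # The appended suffix lowers the Administrator limit from 30 to 27.
        upper = 27 if (basic_install and role == "admin") else 30
        if not 2 <= len(name) <= upper:
            problems.append(f"{role}: length must be 2..{upper}")
        if name.upper() in reserved:
            problems.append(f"{role}: {name} is a reserved name")
    return problems


def check_password(password, account_names, strict_repeats=True):
    """Return the list of rules the password breaks (empty list = acceptable)."""
    problems = []
    if not 8 <= len(password) <= 30:
        problems.append("length must be 8..30")
    if set(password) - ALLOWED:  # also rejects space characters
        problems.append("contains a character outside letters, digits and Table 3-3")
    if not any(c in string.ascii_letters for c in password):
        problems.append("needs an alphabetic character")
    if not any(c in string.digits for c in password):
        problems.append("needs a numeric character")
    if not any(c in SPECIALS for c in password):
        problems.append("needs a Table 3-3 special character")
    if strict_repeats:
        # Strict reading: no character may occur twice anywhere.
        repeated = len(set(password)) != len(password)
    else:
        # Looser reading: only adjacent duplicates count.
        repeated = any(a == b for a, b in zip(password, password[1:]))
    if repeated:
        problems.append("repeating characters")
    if password.upper() in {n.upper() for n in account_names}:
        problems.append("password must not be an account name")
    return problems


if __name__ == "__main__":
    accounts = basic_install_accounts("avadmin", "avauditor")   # constructed names
    print(check_names(accounts, basic_install=True))
    print(check_password("Audit#49xZ.", accounts.values()))     # constructed password
```

A password accepted under the strict reading also satisfies the adjacent-only reading, so the default errs toward values the installer will not reject.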
The Node Selection screen will appear if you are installing Oracle Audit Vault in an Oracle RAC environment and a clustered system (Oracle Clusterware) is installed and the system is already part of a cluster. On this screen, users can select the nodes on which they want to install Oracle Audit Vault, or they can select a local installation to install Oracle Audit Vault single instance.
On the Specify Database Storage Options screen, you can select File System, Automatic Storage Management, or Raw Storage.
File System
If you choose the File System option, then Database Configuration Assistant creates the database files in a directory on a file system mounted on the computer. Oracle recommends that the file system you choose be separate from the file systems used by the operating system or the Oracle software. The file system that you choose can be any of the following:
A file system on a disk that is physically attached to the system
If you are creating a database on basic disks that are not logical volumes or redundant arrays of independent disks (RAID) devices, then Oracle recommends that you follow the Optimal Flexible Architecture (OFA) recommendations and distribute the database files over more than one disk.
A file system on a logical volume manager (LVM) volume or a RAID device
If you are using multiple disks in an LVM or RAID configuration, then Oracle recommends that you use the stripe and mirror everything (SAME) methodology to increase performance and reliability. Using this methodology, you do not need to specify more than one file system mounting point for database storage.
A network file system (NFS) mounted from a certified network attached storage (NAS) device
You can store database files on NAS devices provided that the NAS device is certified by Oracle. See "Using Network Attached Storage or NFS File Systems" section in Oracle Database Installation Guide for AIX 5L Based Systems (64-Bit) for more information about certified NAS and NFS devices.
Automatic Storage Management
Automatic Storage Management (ASM) is a high-performance storage management solution for Oracle Audit Vault database files. It simplifies the management of a dynamic database environment, such as creating and laying out databases and managing disk space.
Note:
An existing ASM instance must be installed in order to select the ASM option for database storage.
Automatic Storage Management can be used with a single instance Oracle Audit Vault installation, multiple Oracle Audit Vault installations, and in an Oracle Real Application Clusters (Oracle RAC) environment. Automatic Storage Management manages the storage of all Oracle Audit Vault database files, such as redo logs, control files, data pump export files, and so on.
See:
Oracle Database Administrator's Guide for more information.
Raw Devices
Raw devices are disk partitions or logical volumes that have not been formatted with a file system. When you use raw devices for database file storage, Oracle Database writes data directly to the partition or volume, bypassing the operating system file system layer. For this reason, you can sometimes achieve performance gains by using raw devices. However, because raw devices can be difficult to create and administer, and because the performance gains over more modern file systems are minimal, Oracle recommends that you choose Automatic Storage Management or file system storage instead of raw devices.
On the Specify Backup and Recovery screen, you can choose Enable Automated Backups or Do Not Enable Automated Backups.
If you choose Enable Automated Backups, then Oracle Enterprise Manager schedules a daily backup job that uses Oracle Recovery Manager (RMAN) to back up all of the database files to an on-disk storage area called the flash recovery area. The first time that the backup job runs, it creates a full backup of the database. Subsequent backup jobs perform incremental backups, which enable you to recover the database to its state at any point during the preceding 24 hours.
To enable automated backup jobs during installation, you must specify the following information:
The location of the flash recovery area
You can choose to use either a file system directory or an Automatic Storage Management disk group for the flash recovery area. The default disk quota configured for the flash recovery area is 2 GB. For Automatic Storage Management disk groups, the required disk space depends on the redundancy level of the disk group that you choose.
See Oracle Database Installation Guide for AIX 5L Based Systems (64-Bit) for more information about how to choose the location of the flash recovery area and to determine its disk space requirements.
An operating system user name and password for the backup job
Oracle Enterprise Manager uses the operating system credentials that you specify when running the backup job. The user name that you specify must belong to the AIX group that identifies database administrators (the OSDBA group, typically dba). The Oracle software owner user name (typically oracle) that you use to install the software is a suitable choice for this user.
Section 2.6 describes the requirements for the OSDBA group and Oracle software owner user and explains how to create them.
Backup Job Default Settings
If you enable automated backups after choosing one of the preconfigured databases during the installation, then automated backup is configured with the following default settings:
The backup job is scheduled to run nightly at 2:00 a.m.
The disk quota for the flash recovery area is 2 GB.
If you enable automated backups by using Database Configuration Assistant after the installation, then you can specify a different start time for the backup job and a different disk quota for the flash recovery area.
For information about using Oracle Enterprise Manager Database Control to configure or customize automated backups or to recover a backed up database, see Oracle Database 2 Day DBA.
For more detailed information about defining a backup strategy and backing up and recovering Oracle databases, see Oracle Database Backup and Recovery Advanced User's Guide.
On the Specify Database Schema Passwords screen, provide the passwords for the four standard database accounts (sys, system, sysman, and dbsnmp).
Either enter and confirm passwords for the privileged database accounts, or select the Use the same passwords for all accounts option. Make your selection, then click Next.
Note:
The use of the Database Configuration Assistant (DBCA) to configure additional components after an Audit Vault Server installation is not supported. Oracle Audit Vault installs with all of the components that it requires already configured, so no additional components need to be configured using DBCA.
Creation of additional databases in the Oracle Audit Vault home is not supported.
Cloning of Oracle Audit Vault homes is not supported.
This section includes the following topics:
Run DVCA to Set Instance Parameters and Lock Out SYSDBA Sessions (Oracle RAC Only)
Next Steps to Perform as an Oracle Audit Vault Administrator
You can find mandatory Oracle Audit Vault patchsets on the OracleMetaLink Web site.
To find and download patchsets for Oracle Audit Vault:
Log in to OracleMetaLink from the following URL:
In Quick Find:
Select Knowledge Base from the menu.
Enter Audit Vault in the search box.
Click Go.
In the list of articles that appears, search for the phrase Mandatory Patches, and then look for any patches that apply to the current release of Oracle Audit Vault.
Select the article and then read the associated summary text that describes the patch contents.
Under In this Document, click Patches.
The Patches section lists the patches that you must apply.
Click the link for the first patch.
The Download page for the first patch appears.
Click View Readme to read about the patch details, and then click Download to download the patch to your computer.
Repeat Step 7 through Step 8 for each patch listed in the Patches section.
Note:
No Oracle Database one-off patches should be applied to the Oracle Audit Vault database unless directed to do so by Oracle Support Services.
A critical patch update (CPU) is a collection of patches for security vulnerabilities. It includes non-security fixes required (because of interdependencies) by those security patches. Critical patch updates are cumulative, and they are provided quarterly on the Oracle Technology Network. You should periodically check OracleMetaLink for critical patch updates.
To find and download critical patch updates for Oracle Audit Vault:
Follow Step 1 through Step 3 in Section 3.7.1 to find the critical patch updates for Oracle Audit Vault.
In the list of articles that appears, search for the phrase Oracle Critical Patch Update.
Select the most recent critical patch update article, and then read its instructions.
Download the most recent critical patch update for Oracle Audit Vault. In most critical patch update articles, there is a section entitled "Patch Download Procedure," which explains how to download the critical patch update.
For more information about critical patch updates, see:
http://www.oracle.com/security/critical-patch-update.html
For the latest information on whether a specific critical patch update is certified with Oracle Audit Vault, review the certification matrix on the OracleMetaLink Web site, at:
If you do not have a current Oracle Support Services contract, then you can access the same information at:
http://www.oracle.com/technology/support/metalink/content.html
Audit Vault Server uses the password you enter for the Oracle Audit Vault administrator as the password for core database accounts such as SYS, SYSTEM, SYSMAN, and DBSNMP in a basic installation. For an advanced installation, the user is given the option of changing the password for each of these accounts.
For a basic installation, Oracle Audit Vault Server also uses the same Oracle Audit Vault Administrator password for the AV_ADMINdvo account, which is the Database Vault Owner (granted the DV_OWNER role) and manages Database Vault roles and configuration, and for the AV_ADMINdva account, which is the Database Vault Account Manager (granted the DV_ACCTMGR role) and manages database user accounts. You must change these passwords according to your company policies.
For an advanced installation, Audit Vault Server uses the Database Vault Owner user password and the separate, optional Database Vault Account Manager user password for these users. You must change these passwords according to your company policies.
To reset user account passwords using SQL*Plus:
Start SQL*Plus and log in as the AV_ADMINdva account.
Enter a command similar to the following, where password is the new password:
SQL> ALTER USER account IDENTIFIED BY password;
In this example:
The IDENTIFIED BY password clause resets the password.
See Also:
Oracle Database Security Guide for more information about:
Changing passwords after installation
Oracle security procedures
Best security practices
Oracle Database Vault allows you to disable remote logins with SYSDBA privileges. This enables enhanced security for your database.
To disable remote SYSDBA connections, re-create the password file with the nosysdba flag set to y (Yes). A user can still log in AS SYSDBA locally using Operating System (OS) authentication. However, remote connections AS SYSDBA will fail.
Use the following syntax to run the orapwd utility:
orapwd file=filename password=password [entries=users] force=y/n nosysdba=y/n
In this example:
file is the name of the password file (mandatory).
password is the password for SYS (mandatory). Enter at least six alphanumeric characters.
entries is the maximum number of distinct DBA users.
force indicates whether or not to overwrite the existing file (optional). Enter y (for yes) or n (for no).
nosysdba indicates whether or not to enable or disable the SYS logon (optional for Oracle Database Vault only). Enter y (to disable SYS login) or n (to enable SYS login).
The default is no. If you omit this flag, the password file will be created enabling SYSDBA access for Oracle Database Vault instances.
For example:
orapwd file=$ORACLE_HOME/dbs/orapworcl password=password force=y nosysdba=n
Note:
Do not insert spaces around the equal sign (=).
Enable or Disable Connecting with SYSDBA on Oracle Real Application Clusters Systems
Under a cluster file system and raw devices, the password file under $ORACLE_HOME is in a symbolic link that points to the shared storage location in the default configuration. In this case, the orapwd command that you issue affects all nodes.
Enable or Disable Connecting with SYSDBA on Automatic Storage Management Systems
For Automatic Storage Management systems, you must update each node to enable or disable the SYSDBA connection privilege by using the orapwd utility.
After installing Oracle Audit Vault for an Oracle Real Application Clusters (Oracle RAC) instance, you must run Database Vault Configuration Assistant (DVCA) with the -action optionrac switch on all other Oracle RAC nodes. This sets instance parameters and disables SYSDBA operating system authentication.
You must run this command on all Oracle RAC nodes other than the node on which the Oracle Audit Vault installation is performed. This step is required to enable the enhanced security features provided by Oracle Database Vault.
Note:
The listener and database instance should be running on the nodes on which you run DVCA.
Use the following syntax to run DVCA:
# dvca -action optionrac -racnode host_name -oh oracle_home -jdbc_str jdbc_connection_string -sys_passwd sys_password [-logfile ./dvca.log] [-silent] [-nodecrypt] [-lockout]
In this example:
action is the action to perform. The optionrac utility performs the action of updating the instance parameters for the Oracle RAC instance and optionally disabling SYSDBA operating system access for the instance.
racnode is the host name of the Oracle RAC node on which the action is being performed. Do not include the domain name with the host name.
oh is the Oracle home for the Oracle RAC instance.
jdbc_str is the JDBC connection string used to connect to the database. For example, "jdbc:oracle:oci:@orcl1".
sys_password is the password for the SYS user.
logfile is optionally used to specify a log file name and location. You can enter an absolute path or a path that is relative to the location of the $ORACLE_HOME/bin directory.
silent is required if you are not running DVCA in an Xterm window.
nodecrypt reads plain text passwords as passed on the command line.
lockout is used to disable SYSDBA operating system authentication.
Note:
You can reenable SYSDBA access by re-creating the password file with the nosysdba flag set to n (No). The orapwd utility enables you to do this.
After running DVCA, stop and restart the instance and database listener on all cluster nodes. This step is also applicable to the node on which Oracle Audit Vault was installed. Use the following commands:
srvctl stop instance -d sid -i instance_name -q
Connect String: sys as sysdba
Enter password: sysdbapassword
srvctl stop nodeapps -n node_name
srvctl start nodeapps -n node_name
srvctl start instance -d sid -i instance_name -q
Connect String: sys as sysdba
Enter password: sysdbapassword
Oracle Audit Vault enables you to collect audit records from audit trails in Microsoft SQL Server, Sybase Adaptive Server Enterprise (ASE), and IBM DB2 Universal Database (UDB) databases.
To allow connectivity between Audit Vault Server and Microsoft SQL Server databases, Audit Vault Server and Sybase ASE databases, and Audit Vault Server and IBM DB2 UDB databases, you must download and copy the respective JDBC Driver jar files to the designated location.
Section 3.7.6.1, Section 3.7.6.2, and Section 3.7.6.3 describe this download and copy process for each JDBC Driver.
Because the SQL Server 2005 Driver for JDBC works with both SQL Server 2000 and SQL Server 2005, use the SQL Server 2005 Driver for JDBC.
Download the SQL Server 2005 Driver for JDBC from the following link.
http://msdn2.microsoft.com/en-us/data/aa937724.aspx
This Type 4 JDBC driver (sqljdbc.jar) provides highly scalable and reliable connectivity for the enterprise Java environment and provides JDBC access to SQL Server 2000 or SQL Server 2005 through any Java-enabled applet, application, or application server.
Copy the sqljdbc.jar file to the Oracle Audit Vault Server and Oracle Audit Vault Agent home locations:
$ORACLE_HOME/jlib
Download jConnect for JDBC, which provides high performance native access to Sybase ASE data sources, from the following link:
http://www.sybase.com/products/allproductsa-z/softwaredeveloperkit/jconnect
jConnect for JDBC (jconn3.jar) is a high performance JDBC Driver from Sybase that communicates directly to Sybase data sources.
Copy the jconn3.jar file to the Oracle Audit Vault Server and Oracle Audit Vault Agent home locations:
$ORACLE_HOME/jlib
Copy the IBM Data Server Driver for JDBC and SQLJ (db2jcc.jar) to the $ORACLE_HOME/jlib directories in both the Audit Vault Server and Audit Vault Agent homes. Oracle Audit Vault requires version 3.50 or later of the driver. This version of the db2jcc.jar file is available in either IBM DB2 UDB version 9.5 or IBM DB2 Connect version 9.5 or later.
This driver provides high performance native access to IBM DB2 database data sources. The DB2 collector uses this driver to collect audit data from IBM DB2 databases, so the driver must be present in Oracle Audit Vault OC4J before you can start the agent OC4J.
Use the following instructions to log in to the Oracle Audit Vault Console:
On the node from which you installed the database, open a Web browser to access the Oracle Audit Vault Console URL, and use the following URL syntax:
http://host:port/av
In the preceding example:
host is the name of the computer on which you installed Oracle Audit Vault Database.
port is the port number reserved for the Oracle Audit Vault Console during installation.
If you do not know the correct port number to use, then perform the following steps in the Audit Vault Server home shell:
Set the following environment variables: ORACLE_HOME, ORACLE_SID, and PATH. See Oracle Audit Vault Administrator's Guide for more information.
Issue the AVCTL show_av_status command. The output displays the Oracle Audit Vault Console URL.
On any system, enter this URL in a Web browser and Oracle Enterprise Manager will display the Oracle Audit Vault Console login page.
Log in to the Oracle Audit Vault Console using the user name AV_ADMIN and the AV_ADMIN password that you created during the installation.
After Audit Vault Server installation is complete, see Oracle Audit Vault Collection Agent Installation Guide for information about installing Oracle Audit Vault collection agents and the collectors.
After an Oracle Audit Vault collection agent installation is complete, see Oracle Audit Vault Administrator's Guide for some Oracle Audit Vault Administration tasks to perform. These tasks include:
For Linux and UNIX platforms only: Check and set environment variables in the shells in which you will be interacting with the Audit Vault Server and the Oracle Audit Vault collection agent (see the information about checking and setting Linux and UNIX environment variables).
For collecting audit records from Oracle Database audit sources, see the information about registering Oracle Database sources and collectors.
For collecting audit records from SQL Server Database audit sources, see the information about registering Microsoft SQL Server sources and collector.
For collecting audit records from Sybase ASE Database audit sources, see the information about registering Sybase ASE database sources and collector.
For collecting audit records from IBM DB2 database audit sources, see the information about registering IBM DB2 sources and collector.
To start collecting audit records from a database audit source, see the information about starting collection agents and collectors.
To perform other Oracle Audit Vault configuration tasks, see the information about performing additional Oracle Audit Vault configuration tasks.
To manage and monitor an Oracle Audit Vault system, see the information about managing Oracle Audit Vault.
Before going into production, be sure to secure management communications; see the information about Oracle advanced security and secure management communication.