Skip Headers
Oracle® Audit Vault Server Installation Guide
Release 10.2.3.1 for AIX

Part Number E13844-04
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
View PDF

3 Installing the Oracle Audit Vault Server

This chapter includes an overview of the major steps required to install single instance Oracle Audit Vault Server (Audit Vault Server) and to install Audit Vault Server with Oracle Real Application Clusters (Oracle RAC).

This chapter includes the following sections:

3.1 Accessing the Server Installation Software

The Oracle Audit Vault Server software is available:

3.2 Basic Installation – Performing the Single Instance Server Installation

For an overview of requested information specific to the Audit Vault Server installation, see Section 3.6.

See Section 2.12 for important information about setting the correct locale.

To perform Audit Vault Server single instance basic installation:

  1. Invoke Oracle Universal Installer (OUI) to install Oracle Audit Vault as an Oracle Database 10g release 2 (10.2.0.3) database.

    Log in as the oracle user. Alternatively, switch the user to oracle using the su - command. Change your current directory to the directory containing the installation files. Start Oracle Universal Installer from the Oracle Audit Vault package.

    cd directory-containing-the-Oracle-Audit-Vault-installation-files
    ./runInstaller
    

    Oracle Universal Installer starts up by first checking the following installation requirements and displaying the results. For example, it shows what the value should be or must be greater than or at least equal to, then the actual value for each check and the check result status: Passed or Failed.

    • Checking operating system version: must be redhat-3, SuSE-9, SuSE-10, redhat-4, redhat-5, UnitedLinux-1.0, asiaunx-1, asianux-2, enterprise-4 or enterprise-5 Passed

    • Checking temp space: must be greater than 80 MB. Actual 15412 MB Passed

    • Checking swap space: must be greater than 150 MB. Actual 3931 MB Passed

    • Checking monitor: must be configured to display at least 256 colors. Actual 65536 Passed

    Then Oracle Universal Installer prepares to launch itself.

  2. On the Select Installation Type page, select the Basic Installation option, then click Next.

  3. Enter the following information on the Basic Installation Details page. See Section 3.6 for more information about each of these topics.

    1. Audit Vault Name – A unique name for the Oracle Audit Vault database. The Oracle Audit Vault name is required. The name will be used as the database SID, and will be the first portion (db_name) of the database service name.

    2. Audit Vault Home – Specify or browse to find the path to the Oracle Audit Vault Home where you want to install Oracle Audit Vault.

    3. Audit Vault Administrator and Audit Vault Auditor – The account name of the Oracle Audit Vault Administrator and a separate, optional Oracle Audit Vault Auditor, respectively. The Oracle Audit Vault administrator and Oracle Audit Vault auditor account names must not be the same. The Oracle Audit Vault Administrator account name is required. Accept the selected Create a Separate Audit Vault Auditor check box to choose to create the Oracle Audit Vault Auditor account name. The check box is selected by default. Deselecting the check box disables the text fields for the Oracle Audit Vault Auditor user name and password. The Oracle Audit Vault Administrator in this case will also be granted the role of Oracle Audit Vault Auditor.

      The Oracle Audit Vault Administrator user name will also be used for the following Oracle Database Vault users that are created to facilitate the separation of duties:

      AV_ADMINdvo – The Database Vault Owner (granted DV_OWNER role) to manage Database Vault roles and configuration, where AV_ADMIN represents the Oracle Audit Vault Administrator user name.

      AV_ADMINdva – The Database Vault Account Manager (granted DV_ACCTMGR role) to manage database user accounts, where AV_ADMIN represents the Oracle Audit Vault administrator user name.

    4. Administrator Password and Auditor Password – The password for the Oracle Audit Vault administrator account and the Oracle Audit Vault auditor account, respectively.

      There cannot be repeating characters in each password. The length of each password must be between 8 and 30 characters. Each password must consist of at least one alphabetic character, one numeric character, and one of the special characters shown in Table 3-2.

      The password entered for the Oracle Audit Vault administrator account will also be used for the standard database accounts (sys, system, sysman, dbsnmp).

      The Oracle Audit Vault administrator password will also be used for the Oracle Database Vault users (Database Vault Owner and the Database Vault Account Manager users) that are created to facilitate the separation of duties.

    5. Confirm Password – the confirming password for the Oracle Audit Vault Administrator account and the Oracle Audit Vault auditor account, respectively.

      Each password must be identical to its corresponding password confirmation.

    After entering the required information, click Next to continue with the installation. The Next button is enabled only when information has been entered for all required fields. Validation of information is done on all user input after you click Next. The installation process will not continue until all required input passes validation.

  4. If this is the first installation of an Oracle product on the system, then the Oracle Universal Installer displays the Specify inventory directory and credentials page, where you must enter the Inventory directory location and the OS group name, then click Next.

  5. Review the installation prerequisite checks on the Prerequisite Check page. This is when all installation prerequisite checks are performed and the results are displayed. Verify that all prerequisite checks succeed, then click Next.

    Oracle Universal Installer checks the system to verify that it is configured correctly to run Oracle software. If you have completed all of the preinstallation steps in this guide, all of the checks should pass.

    If a check fails, then review the cause of the failure listed for that check on the screen. If possible, rectify the problem and rerun the check. Alternatively, if you are satisfied that your system meets the requirements, then you can select the check box for the failed check to manually verify the requirement.

  6. Review the installation summary information on the Basic Installation Summary page. After reviewing this installation information, click Install to begin the installation procedure. The installation will copy files, link binaries, apply patches, run configuration assistants, including DBCA to create and start the Audit Vault Server, DVCA to secure the server, and AVCA to configure and start Oracle Audit Vault Console.

    At the end of running DBCA to configure the software and create the database, a message displays, click OK to continue.

  7. Provide information or run scripts as the root user when prompted by Oracle Universal Installer. If you need assistance during installation, click Help. If you encounter problems during installation, then examine the Oracle Universal Installer actions recorded in the installation log file. The log file is located in the cfgtoollogs/oui directory, in the following location:

    $ORACLE_HOME/cfgtoollogs/oui/installActionsdate_time.log
    
  8. After the installation completes, take note of the Oracle Enterprise Manager Database Control URL and the Oracle Audit Vault Console URL. On the Exit page, click Exit. Then, on the Confirmation message box, click Yes to exit Oracle Universal Installer.

See Section 3.7.7 for information about logging into Oracle Audit Vault Console and Oracle Enterprise Manager Database Control.

After you have completed the installation, proceed to Section 3.7 to perform the postinstallation tasks.

3.3 Advanced Installation – Prerequisite Information for Installing in an Oracle Real Application Clusters Environment

This section assumes you performed phase one of the installation procedures for installing Oracle Audit Vault with Oracle Real Application Clusters (Oracle RAC) as described in Oracle Database Oracle Clusterware and Oracle Real Application Clusters Installation Guide for AIX Based Systems. These tasks include preinstallation tasks, configuring Oracle Clusterware and Oracle Database storage, and installing Oracle Clusterware. You are now ready to install Oracle Audit Vault in an Oracle RAC environment.

This section describes the remaining installation procedures for installing Oracle Audit Vault with Oracle Real Application Clusters (Oracle RAC).

Verifying System Readiness for Installing Oracle Audit Vault with CVU

To help to verify that your system is prepared to install Oracle Audit Vault with Oracle RAC successfully, use the Cluster Verification Utility (CVU) runcluvfy command.

See the "Verifying System Readiness for Installing Oracle Database with CVU " section in Oracle Database Oracle Clusterware and Oracle Real Application Clusters Installation Guide for AIX Based Systems.

If the cluster verification check fails, then review and correct the relevant system configuration steps, and run the test again. Use the system configuration checks described in "Troubleshooting Installation Setup" section in Oracle Database Oracle Clusterware and Oracle Real Application Clusters Installation Guide for AIX Based Systems to assist you.

3.4 Advanced Installation – Installing Single Instance and Installing in an Oracle Real Application Clusters Environment

This section describes the advanced installation for both the single instance installation and the Oracle RAC installation.

See Section 2.12 for important information about setting the correct locale.

Perform the following procedures to install Oracle Audit Vault.

  1. Run Oracle Universal Installer (OUI) to install Oracle Audit Vault.

    Log in as the oracle user. Alternatively, switch user to oracle using the su - command. Change your current directory to the directory containing the installation files. Start Oracle Universal Installer from the Oracle Audit Vault package.

    cd directory-containing-the-Oracle-Audit-Vault-installation-files
    ./runInstaller
    

    Oracle Universal Installer starts up by first checking the following installation requirements and displaying the results. For example, it shows what the value should be or must be greater than or at least equal to, then the actual value for each check and the check result status: Passed or Failed.

    • Checking operating system version: must be redhat-3, SuSE-9, SuSE-10, redhat-4, redhat-5, UnitedLinux-1.0, asiaunx-1, asianux-2, enterprise-4 or enterprise-5 Passed

    • Checking temp space: must be greater than 80 MB. Actual 14773 MB Passed

    • Checking swap space: must be greater than 150 MB. Actual 3970 MB Passed

    • Checking monitor: must be configured to display at least 256 colors. Actual 65536 Passed

    Then Oracle Universal Installer prepares to launch itself.

  2. On the Select Installation Type screen, select the Advanced Installation option, then click Next.

  3. Enter the following information on the Advanced Installation Details screen. See Section 3.6 for more information about each of these topics.

    1. Audit Vault Name – A unique name for the Audit Vault database. The Oracle Audit Vault name is required. For single instance installation, the name will be used as the database SID, and will be the first portion (db_name) of the database service name. For an Oracle RAC installation, the name will be used to derive the Oracle RAC database SID of each Oracle RAC node, and will be the first portion (db_name) of the database service name.

    2. Audit Vault Home – Specify or browse to find the path to the Oracle Audit Vault home where you want to install Oracle Audit Vault.

    3. Audit Vault Administrator and Audit Vault Auditor – the account name of the Oracle Audit Vault administrator and a separate, optional Oracle Audit Vault auditor, respectively. The Oracle Audit Vault administrator and Oracle Audit Vault auditor account names cannot be the same. The Oracle Audit Vault Administrator account name is required. Accept the selected Create a Separate Audit Vault Auditor check box to choose to create the Oracle Audit Vault auditor account name. The check box is selected by default. Deselecting the check box disables the text fields for the Oracle Audit Vault auditor user name and password. The Oracle Audit Vault administrator in this case will also be granted the role of Oracle Audit Vault Auditor.

    4. Administrator Password and Auditor Password – The password for the Oracle Audit Vault administrator account and the Oracle Audit Vault auditor account, respectively.

      There cannot be repeating characters in each password. The length of each password must be between 8 and 30 characters. Each password must consist of at least one alphabetic character, one numeric character, and one of the special characters shown in Table 3-2.

    5. Confirm Password – The confirming password for the Oracle Audit Vault Administrator account and the Oracle Audit Vault Auditor account, respectively.

      Each password must be identical to its corresponding password confirmation.

    After entering the required information, click Next to continue with the installation. The Next button is enabled only when information has been entered for all required fields. Validation of information is done on all user input after you click Next. The installation process will not continue until all required input passes validation.

  4. If this is the first installation of an Oracle product on the system, then the Oracle Universal Installer displays the Specify inventory directory and credentials page, where you must enter the Inventory directory location and the OS group name, then click Next.

  5. Enter the following information on the Database Vault User Credentials screen. See Section 3.6.2 for more information about each of these topics.

    1. Database Vault Owner and Database Vault Account Manager – The account name of the Database Vault Owner and a separate, optional Database Vault Account Manager, respectively. The Database Vault Owner, Database Vault Account Manager, Oracle Audit Vault Administrator, and Oracle Audit Vault Auditor account names must not be the same (applicable when a separate Oracle Audit Vault Auditor or Database Vault Account Manager account is created). The Database Vault Owner name is required. Accept the selected Create a Separate Database Vault Account Manager check box to choose to create the Database Vault Account Manager account name. The check box is selected by default. Deselecting the check box disables the text fields for the Database Vault Account Manager user name and password. The Database Vault Owner in this case will also be granted the role of Database Vault Account Manager.

    2. Database Vault Owner Password and Database Vault Account Manager Password – The password for the Database Vault Owner account and the Database Vault Account Manager account, respectively.

      There cannot be repeating characters and space characters in each password. The length of each password must be between 8 and 30 characters. Each password must consist of at least one alphabetic character, one numeric character, and one of the special characters shown in Table 3-2.

    3. Confirm Password – The confirming password for the Database Vault Owner account and the Database Vault Account Manager account, respectively.

      Each password must be identical to its corresponding password confirmation.

    After entering the required information, click Next to continue with the installation. The Next button is enabled only when information has been entered for all required fields. Validation of information is done on all user input after you click Next. The installation process will not continue until all required input passes validation.

  6. If you are installing on a clustered system (Oracle Clusterware is installed and the system is already part of a cluster), the Node Selection screen appears from which to select the nodes on which Oracle Audit Vault will be installed. Local node will always be selected by default. If you are installing Oracle Audit Vault single instance on this local node only, select the Local Only Installation option, then click Next.

    If you are installing on a clustered system (Oracle Clusterware is installed and the system is already part of a cluster), select the nodes on which on which Oracle Audit Vault must be installed, then click Next.

  7. Review the installation prerequisite checks on the Prerequisite Check screen. This is when all installation prerequisite checks are performed and the results are displayed. Verify that all prerequisite checks succeed, then click Next.

    Oracle Universal Installer checks the system to verify that it is configured correctly to run Oracle Database software. If you have completed all of the preinstallation steps in this guide, all of the checks should pass.

    If a check fails, then review the cause of the failure listed for that check on the screen. If possible, rectify the problem and rerun the check. Alternatively, if you are satisfied that your system meets the requirements, then you can select the check box for the failed check to manually verify the requirement.

  8. On the Specify Database Storage Options screen, you can select one of the following storage options: File system, Automatic Storage Management (ASM), or Raw Devices.

    If you select the File System, specify or browse to the database file location for the data files. If you select Raw Devices, specify the path or browse to the Raw Devices mapping file. If you select Automated Storage Management (ASM), you must have already installed ASM. Make a selection and click Next.

  9. On the Specify Backup and Recovery Options screen, you can choose either to not enable automated backups or to enable automated backups.

    If you select the Do not enable Automated backups option, click Next.

    If you select the Enable Automated backups option, then you must specify a Recovery Area Storage. You can choose either to use the File System option or the Automatic Storage Management option.

    If you select the File System option, specify a path or browse to the recovery area location. Next, for Backup Job Credentials, enter the operating system credentials (user name and password) of the user account with administrative privileges to be used for the backup jobs, then click Next.

    If you select the Automatic Storage Management option, then for Backup Job Credentials, enter the operating system credentials (user name and password) of the user account with administrative privileges to be used for the backup jobs, then click Next.

    Next, select the disk group from the existing disk groups. This screen lets you select the disk groups. If the disk group selected has enough free space, by clicking Next, the Specifying Database Schema Password screen is displayed (see Step 9). If the disk group selected does not have enough free space, the Configure Automatic Storage Management page is displayed.

    On the Configure Automatic Storage Management screen, you can select the disks to add from the Add Member Disks table by selecting the check box in the Select column for the corresponding disks.

    On AIX systems, the default path for discovering eligible disks is /dev/raw/*. If your disks are located elsewhere, you must change the disk discovery path for the disks to be discovered by Oracle Universal Installer. To change the path, click Change Disk Discovery Path.

  10. On the Specify Database Schema Passwords screen, you can choose to enter different passwords for each privileged database account or select the Use the same passwords for all accounts option. If you choose to enter a set of valid passwords for each privileged database account, enter these passwords. If you select the Use the same passwords for all accounts option, then enter a single valid password. When you are finished, click Next.

  11. Review the installation summary information on the Advanced Installation Summary screen. After reviewing this installation information, click Install to begin the installation procedure. The installation will copy files, link binaries, apply patches, run configuration assistants, including DBCA to create and start the Audit Vault Server, DVCA to secure the server, and AVCA to configure and start Oracle Audit Vault Console.

    At the end of running DBCA to configute the software and create the database, a message displays, click OK to continue.

  12. Run scripts as the root user when prompted by Oracle Universal Installer. If you need assistance during installation, click Help. If you encounter problems during installation, then examine the Oracle Universal Installer actions recorded in the installation log file. The log file is located in the cfgtoollogs/oui directory in the following location:

    $ORACLE_HOME/cfgtoollogs/oui/installActionsdate_time.log
    

    Note:

    The Oracle home name and path that you provide during Oracle Audit Vault installation must be different from the home that you used during the Oracle Clusterware installation. You cannot install Oracle Audit Vault with Oracle RAC software into the same home in which you installed the Oracle Clusterware software.

    The following is a list of additional information to note about installation:

    • If you are not using the ASM library driver (ASMLIB), and you select Automatic Storage Management (ASM) during installation, then ASM default discovery finds all disks that ASMLIB marks as ASM disks.

    • If you are not using ASMLIB, and you select ASM during installation, then ASM default discovery finds all disks marked /dev/raw/* for which the Oracle software owner user has read/write permission. You can change the disk discovery string during the installation if the disks that you want to use for ASM are located elsewhere.

    • On the Select Database Management Option page, if you have already completed the Grid Control Management Agent installation, then you can select either Grid or Local Database control. Otherwise, only Local Database control for database management is supported for Oracle RAC. When you use the local Database Control, you can choose the e-mail option and enter the outgoing SMTP server name and e-mail address.

    See Also:

    Oracle Enterprise Manager Grid Control Installation and Basic Configuration for details about installing Grid Control with Oracle Universal Installer, and Oracle Enterprise Manager Advanced Configuration Guide for details about installing Database Control with the Database Configuration Assistant (DBCA) and Enterprise Manager Configuration Assistant (EMCA)
  13. After the installation completes, take note of the Oracle Enterprise Manager Database Control URL and the Oracle Audit Vault Console URL. On the Exit page, click Exit. Then, on the Confirmation message box, click Yes to exit Oracle Universal Installer.

See Section 3.7.7 for information about logging into Oracle Audit Vault Console and Oracle Enterprise Manager Database Control.

After you have completed the part of the installation, proceed to Section 3.7 to perform the postinstallation tasks.

3.5 Performing a Silent Installation Using a Response File

Note:

The Basic installation is not supported in silent mode. Silent installation is only supported for the Advanced installation.

Follow these brief steps to perform a silent installation using a response file:

  1. Make sure all prerequisites are met for the installation of Audit Vault Server.

  2. Prepare the Audit Vault Server response file. A template response file can be found at AV_installer_location/response/av.rsp on the Audit Vault Server installation media.

    Prepare the response file by entering values for all parameters that are missing in the first part of the response file, then save the file. Note that for single instance installations, RAW storage is not used. Also note that the CLUSTER_NODES parameter must be specified for installing Audit Vault Server in an Oracle RAC environment. Do not edit any values in the second part of either response file.

  3. Set the DISPLAY environment variable to an appropriate value before proceeding with the silent installation. See Section 2.11 for more information.

  4. Invoke Oracle Universal Installer using the following options:

    ./runInstaller -silent -responseFile path_of_response_file
    

    Note:

    Before you invoke Oracle Universal Installer, run the rootpre.sh script to setup the AIX system the first time. If you have already run this script, then you can bypass the silent installation confirmation prompt by setting the following environment variable before starting the runInstaller utility:

    $ export SKIP_ROOTPRE=TRUE

For more information about these options, see Section 1.3.2. For general information about how to complete a database installation using response files, see Oracle Database Oracle Clusterware and Oracle Real Application Clusters Installation Guide for AIX Based Systems.

3.6 Oracle Audit Vault Server Installation Details

This section provides an overview of requested information specific to the Audit Vault Server installation.

An Audit Vault Server installation consists of three options:

Note:

If you perform an Audit Vault Server installation using Simplified Chinese (zh_CN) or Japanese (ja_JP) languages, then accessing help on the installer screen will display a blank help window. For more information on this refer to the Oracle Audit Vault Release Notes.

This section includes the following topics:

3.6.1 Basic and Advanced Installation Details Screens

This section describes the required fields in the Basic Installation Details screen and the Advanced Installation Details screen.

3.6.1.1 Oracle Audit Vault Name

The Oracle Audit Vault Name must be a unique name for the Oracle Audit Vault database. The name will be used for the database SID, and will be the first portion (db_name) of the database service name.

The name cannot exceed 8 characters and must begin with an alphabetic character.

The Oracle Audit Vault name cannot contain any of the characters shown in Table 3-1.

Table 3-1 Invalid Oracle Audit Vault Name and Oracle Audit Vault Account Characters

Symbol Character Name

!

Exclamation point

@

At sign

%

Percent sign

^

Circumflex

&

Ampersand

*

Asterisk

(

Left parenthesis

)

Right parenthesis

-

Minus sign

+

Plus sign

=

Equal sign

"

Double quotation mark

|

Vertical bar

`

grave

~

tilde

[

Left bracket

{

Left brace

]

Right bracket

}

Right brace

;

Semicolon

:

Colon

'

Single quotation mark

<

Less than sign

>

Greater than sign

/

Slash

\

Backslash

?

Question mark

,

Comma

.

Period

#

Number sign

_

Underscore

$

Dollar sign

 

Space character


3.6.1.2 Oracle Audit Vault Home

The Oracle Audit Vault Home is the path that you must specify or browse to find the Oracle Audit Vault home where you want to install Oracle Audit Vault. The path can contain only alphanumeric characters (letters and numbers).

In addition, the special characters shown in Table 3-2 are allowed.

Table 3-2 Special Characters Allowed in the Oracle Audit Vault Home Name

Symbol Character Name

\

Backslash

/

Slash

-

hyphen

_

Underscore

.

Period

:

Colon


3.6.1.3 Oracle Audit Vault Server Accounts

The Oracle Audit Vault Server installation software prompts you for user names and passwords for the Oracle Audit Vault Administrator user and the separate, optional Oracle Audit Vault Auditor user. In addition, the installation creates an Oracle Database Vault Owner user and a separate, Oracle Database Vault Account Manager for you (basic installation) or the installation prompts you for these user names and passwords (advanced installation). Finally, the installation creates sys, system, sysman, and dbsnmp standard database users for you (basic installation) or the installation prompts for passwords for these users (advanced installation).

You must supply a user name and password for the Oracle Audit Vault administrator user and optionally for the Oracle Audit Vault auditor user during installation. The Create a Separate Audit Vault Auditor check box is selected by default, which means that a separate Oracle Audit Vault Auditor account will be created (and the corresponding user name and password are required). The Oracle Audit Vault Administrator user will be granted the AV_ADMIN role and the Oracle Audit Vault Auditor user will be granted the AV_AUDITOR role. Deselecting this check box means that the Oracle Audit Vault Administrator user will be granted both roles, because the separate Oracle Audit Vault Auditor user will not be created.

Oracle Audit Vault Administrator and Oracle Audit Vault Auditor Accounts

The Oracle Audit Vault Administrator account is granted the AV_ADMIN role. The user granted the AV_ADMIN role can manage the postinstallation configuration. This role accesses Oracle Audit Vault services to administer, configure, and manage a running Oracle Audit Vault system. This role registers audit sources. This role has the ability to configure parameters that assist in populating the Oracle Audit Vault data warehouse. For the basic installation, the Oracle Audit Vault Administrator user name is used to generate the following Oracle Database Vault users to facilitate the separation of duties:

  • AV_ADMINdvo – The Database Vault Owner (granted DV_OWNER role) to manage Database Vault roles and configuration

  • AV_ADMINdva – The Database Vault Account Manager (granted DV_ACCTMGR role) to manage database user accounts

For the advanced installation, a Database Vault User Credentials page prompts for the Database Vault Owner account name and password and a separate, optional Database Vault Account Manager account name and password.

The Oracle Audit Vault Auditor account is granted the AV_AUDITOR role. The user granted the AV_AUDITOR role accesses Oracle Audit Vault Reporting and Analysis services to monitor components, detect security risks, create and evaluate alert scenarios, create detail and summary reports of events across systems, and manage the reports. This role manages central audit settings. This role can use the data warehouse services to further analyze the audit data to assist in looking for trends, intrusions, anomalies, and other areas of interest.

The Oracle Audit Vault Administrator, Oracle Audit Vault Auditor, Database Vault Owner, and Database Vault Account Manager user names must not be the same. For the basic installation, the Oracle Audit Vault Administrator user name must be between 2 and 27 characters because the characters "dvo" and "dva" are appended to the Administrator name making the normal upper limit of 30 characters for the user names that are allowed to be 27 characters. For the advanced installation, the Oracle Audit Vault Administrator user name must be between 2 and 30 characters.

The length of the Oracle Audit Vault Auditor user name must be between 2 and 30 characters. Each user name must not be one of the following reserved names.

Names Names Names Names Names
ACCESS ADD ALL ALTER AND
ANONYMOUS ANY AQ_ADMINISTRATOR_ROLE AQ_USER_ROLE ARRAYLEN
AS ASC AUDIT AUTHENTICATEDUSER AV_ADMIN
AV_AGENT AV_ARCHIVER AV_AUDITOR AV_SOURCE AVSYS
BETWEEN BY CHAR CHECK CLUSTER
COLUMN COMMENT COMPRESS CONNECT CREATE
CTXAPP CTXSYS CURRENT DATE DBA
DBSNMP DECIMAL DEFAULT DELETE DELETE_CATALOG_ROLE
DESC DIP DISTINCT DM_CATALOG_ROLE DMSYS
DMUSER_ROLE DROP DV_ACCTMGR DV_ADMIN DVF
DV_OWNER DV_PUBLIC DV_REALM_OWNER DV_REALM_RESOURCE DV_SECANALYST
DVSYS EJBCLIENT ELSE EXCLUSIVE EXECUTE_CATALOG_ROLE
EXFSYS EXISTS EXP_FULL_DATABASE FILE FLOAT
FOR FROM GATHER_SYSTEM_STATISTICS GLOBAL_AQ_USER_ROLE GRANT
GROUP HAVING HS_ADMIN_ROLE IDENTIFIED IMMEDIATE
IMP_FULL_DATABASE IN INCREMENT INDEX INITIAL
INSERT INTEGER INTERSECT INTO IS
JAVA_ADMIN JAVADEBUGPRIV JAVA_DEPLOY JAVAIDPRIV JAVASYSPRIV
JAVAUSERPRIV LBAC_DBA LBACSYS LEVEL LIKE
LOCK LOGSTDBY_ADMINISTRATOR LONG MAXEXTENTS MDDATA
MDSYS MGMT_USER MGMT_VIEW MINUS MODE
MODIFY NOAUDIT NOCOMPRESS NOT NOTFOUND
NOWAIT NULL NUMBER OEM_ADVISOR OEM_MONITOR
OF OFFLINE OLAP_DBA OLAPSYS OLAP_USER
ON ONLINE ONT OPTION OR
ORDER ORDPLUGINS ORDSYS OUTLN OWF_MGR
PCTFREE PRIOR PRIVILEGES PUBLIC RAW
RECOVERY_CATALOG_OWNER RENAME RESOURCE REVOKE ROW
ROWID ROWLABEL ROWNUM ROWS SCHEDULER_ADMIN
SCOTT SELECT SELECT_CATALOG_ROLE SESSION SET
SHARE SI_INFORMTN_SCHEMA SIZE SMALLINT SQLBUF
START SUCCESSFUL SYNONYM SYS SYSDATE
SYSMAN SYSTEM TABLE THEN TO
TRIGGER TSMSYS UID UNION UNIQUE
UPDATE USER VALIDATE VALUES VARCHAR
VARCHAR2 VIEW WHENEVER WHERE WITH
WKPROXY WKSYS WK_TEST WKUSER WM_ADMIN_ROLE
WMSYS XDB XDBADMIN    

Each account name cannot contain any of the characters shown in Table 3-2.

Oracle Audit Vault Administrator and Oracle Audit Vault Auditor Passwords

For the basic installation, the Oracle Audit Vault Administrator password you enter for the Oracle Audit Vault Administrator account is also used for the standard database accounts (sys, system, sysman, dbsnmp). For the basic installation Details page, the Oracle Audit Vault Administrator user password is also used for the Oracle Database Vault Owner and Oracle Database Vault Account Manager user passwords.

For the advanced installation, the installer can choose individual passwords for each of these database accounts (sys, system, sysman, dbsnmp) or select to use the same password as the Oracle Audit Vault Administrator for all of these accounts. In addition, a Database Vault User Credentials page prompts for the Database Vault Owner user password and for a separate, optional Database Vault Account Manager user password if that user is created.

The Oracle Audit Vault Administrator and Oracle Audit Vault Auditor password cannot be the name of the Oracle Audit Vault Administrator, Oracle Audit Vault Auditor, Database Vault Owner, or Database Vault Account Manager. The Oracle Audit Vault Administrator user password is required, while the Oracle Audit Vault Auditor user password is only required when creating the separate, optional Oracle Audit Vault Auditor user.

There cannot be repeating characters in each password. The length of each password must be between 8 and 30 characters. Each password must consist of at least one alphabetic character, one numeric character, and one of the special characters shown in Table 3-3.

Table 3-3 Valid Oracle Audit Vault Administrator and Auditor Password Characters

Symbol Character Name

%

Percent sign

^

Circumflex

-

Hyphen

[

Left bracket

+

Plus sign

~

Tilde

,

Comma

#

Number sign

]

Right bracket

.

Period

_

Underscore


Each password must be identical to its corresponding password confirmation.

3.6.2 Advanced Server Installation: Database Vault User Credentials Screen

The Audit Vault Server installation software prompts you for two accounts that you create during installation. These are the Database Vault Owner account and the separate, optional Database Vault Account Manager account. You must supply an account name and password for the Database Vault Owner account, and optionally for the Database Vault Account Manager account during installation.

The Create a Separate Database Vault Account Manager check box is selected by default, which means that a separate Database Vault Account Manager account will be created (and the corresponding user name and password are required). The Database Vault Owner user will be granted the DV_OWNER role and the Database Vault Account Manager user will be granted the DV_ACCTMGR role. Deselecting this check box means that the Database Vault Owner user will be granted both roles, because the separate Database Vault Account Manager user will not be created.

3.6.2.1 Database Vault Owner and Database Vault Account Manager Accounts

The Database Vault Owner, Database Vault Account Manager, Oracle Audit Vault Administrator, and Oracle Audit Vault Auditor account names must be different from each other (applicable when a separate Oracle Audit Vault Auditor or Database Vault Account Manager account is created). The Database Vault Owner name is required.

The length of each account name must be between 2 and 30 characters.

Each account name must not be one of the reserved names shown in the table in Section 3.6.1.3.

Each account name cannot contain any of the characters shown in Table 3-2.

3.6.2.2 Database Vault Owner and Database Vault Account Manager Passwords

The Database Vault Owner or Database Vault Account Manager password must not be the name of the Oracle Audit Vault Administrator, Oracle Audit Vault Auditor, Database Vault Owner, or Database Vault Account Manager. The Database Vault Owner user password is required, while the Database Vault Account Manager user password is only required when creating the separate, optional Database Vault Account Manager user.

There must be no repeating characters in each password. There must be no space characters in the password.

The length of each password must be between 8 and 30 characters.

Each password must consist of at least one alphabetic character, one numeric character, and one of the special characters shown in Table 3-2. All other characters are not allowed.

Each password must be identical to its corresponding password confirmation.

3.6.3 Advanced Server Installation: Node Selection Screen

The Node Selection screen will appear if you are installing Oracle Audit Vault in an Oracle RAC environment and a clustered system (Oracle Clusterware) is installed and the system is already part of a cluster. On this screen, users can select the nodes on which they want to install Oracle Audit Vault, or they can select a local installation to install Oracle Audit Vault single instance.

See Oracle Database Oracle Clusterware and Oracle Real Application Clusters Installation Guide for AIX Based Systems.

3.6.4 Advanced Server Installation: Specify Database Storage Options Screen

On the Specify Database Storage Options screen, you can select File System, Automatic Storage Management, or Raw Storage.

File System

If you choose the File System option, then Database Configuration Assistant creates the database files in a directory on a file system mounted on the computer. Oracle recommends that the file system you choose be separate from the file systems used by the operating system or the Oracle software. The file system that you choose can be any of the following:

  • A file system on a disk that is physically attached to the system

    If you are creating a database on basic disks that are not logical volumes or redundant arrays of independent disks (RAID) devices, then Oracle recommends that you follow the Optimal Flexible Architecture (OFA) recommendations and distribute the database files over more than one disk.

  • A file system on a logical volume manager (LVM) volume or a RAID device

    If you are using multiple disks in an LVM or RAID configuration, then Oracle recommends that you use the stripe and mirror everything (SAME) methodology to increase performance and reliability. Using this methodology, you do not need to specify more than one file system mounting point for database storage.

  • A network file system (NFS) mounted from a certified network attached storage (NAS) device

    You can store database files on NAS devices provided that the NAS device is certified by Oracle. See "Using Network Attached Storage or NFS File Systems" section in Oracle Database Installation Guide for AIX 5L Based Systems (64-Bit) for more information about certified NAS and NFS devices.

Automatic Storage Management

Automatic Storage Management (ASM) is a high-performance storage management solution for Oracle Audit Vault database files. It simplifies the management of a dynamic database environment, such as creating and laying out databases and managing disk space.

Note:

An existing ASM instance must be installed in order to select the ASM option for database storage.

Automatic Storage Management can be used with a single instance Oracle Audit Vault installation, multiple Oracle Audit Vault installations, and in an Oracle Real Application Clusters (Oracle RAC) environment. Automatic Storage Management manages the storage of all Oracle Audit Vault database files, such as redo logs, control files, data pump export files, and so on.

See:

Oracle Database Administrator's Guide for more information.

Raw Devices

Raw devices are disk partitions or logical volumes that have not been formatted with a file system. When you use raw devices for database file storage, Oracle Database writes data directly to the partition or volume, bypassing the operating system file system layer. For this reason, you can sometimes achieve performance gains by using raw devices. However, because raw devices can be difficult to create and administer, and because the performance gains over more modern file systems are minimal, Oracle recommends that you choose Automatic Storage Management or file system storage instead of raw devices.

3.6.5 Advanced Server Installation: Specify Backup and Recovery Option Screen

On the Specify Backup and Recovery screen, you can choose Enable Automated Backups or Do Not Enable Automated Backups.

If you choose Enable Automated Backups, then Oracle Enterprise Manager schedules a daily backup job that uses Oracle Recovery Manager (RMAN) to back up all of the database files to an on-disk storage area called the flash recovery area. The first time that the backup job runs, it creates a full backup of the database. Subsequent backup jobs perform incremental backups, which enable you to recover the database to its state at any point during the preceding 24 hours.

To enable automated backup jobs during installation, you must specify the following information:

  • The location of the flash recovery area

    You can choose to use either a file system directory or an Automatic Storage Management disk group for the flash recovery area. The default disk quota configured for the flash recovery area is 2 GB. For Automatic Storage Management disk groups, the required disk space depends on the redundancy level of the disk group that you choose.

    See Oracle Database Installation Guide for AIX 5L Based Systems (64-Bit) for more information about how to choose the location of the flash recovery area and to determine its disk space requirements.

  • An operating system user name and password for the backup job

    Oracle Enterprise Manager uses the operating system credentials that you specify when running the backup job. The user name that you specify must belong to the AIX group that identifies database administrators (the OSDBA group, typically dba). The Oracle software owner user name (typically oracle) that you use to install the software is a suitable choice for this user.

    Section 2.6 describes the requirements for the OSDBA group and Oracle software owner user and explains how to create them.

Backup Job Default Settings

If you enable automated backups after choosing one of the preconfigured databases during the installation, then automated backup is configured with the following default settings:

  • The backup job is scheduled to run nightly at 2:00 a.m.

  • The disk quota for the flash recovery area is 2 GB.

If you enable automated backups by using Database Configuration Assistant after the installation, then you can specify a different start time for the backup job and a different disk quota for the flash recovery area.

For information about using Oracle Enterprise Manager Database Control to configure or customize automated backups or to recover a backed up database, see Oracle Database 2 Day DBA.

For more detailed information about defining a backup strategy and backing up and recovering Oracle databases, see Oracle Database Backup and Recovery Advanced User's Guide.

3.6.6 Advanced Server Installation: Specify Database Schema Passwords Screen

On the Specify Database Schema Passwords screen, provide the passwords for the four standard database accounts (sys, system, sysman, and dbsnmp).

Either enter and confirm passwords for the privileged database accounts, or select the Use the same passwords for all accounts option. Make your selection, then click Next.

3.7 Postinstallation Server Tasks

Note:

The use of the Database Configuration Assistant (DBCA) to configure additional components after an Audit Vault Server installation is not supported. Oracle Audit Vault installs with all of the components that it requires already configured, so no additional components need to be configured using DBCA.

Creation of additional databases in the Oracle Audit Vault home is not supported.

Cloning of Oracle Audit Vault homes is not supported.

This section includes the following topics:

3.7.1 Download Patches

You can find mandatory Oracle Audit Vault patchsets on the OracleMetaLink Web site.

To find and download patchsets for Oracle Audit Vault:

  1. Log in to OracleMetaLink from the following URL:

    https://metalink.oracle.com

  2. In Quick Find:

    • Select Knowledge Base from the menu.

    • Enter Audit Vault in the search box.

  3. Click Go.

  4. In the list of articles that appears, search for the phrase Mandatory Patches, and then look for any patches that apply to the current release of Oracle Audit Vault.

  5. Select the article and then read the associated summary text that describes the patch contents.

  6. Under In this Document, click Patches.

    The Patches section lists the patches that you must apply.

  7. Click the link for the first patch.

    The Download page for the first page appears.

  8. Click View Readme to read about the patch details, and then click Download to download the patch to your computer.

  9. Repeat Step 7 through Step 8 for each patch listed in the Patches section.

Note:

No Oracle Database one-off patches should be applied to the Oracle Audit Vault database unless directed to do so by Oracle Support Services.

3.7.2 Download Critical Patch Updates

A critical patch update (CPU) is a collection of patches for security vulnerabilities. It includes non-security fixes required (because of interdependencies) by those security patches. Critical patch updates are cumulative, and they are provided quarterly on the Oracle Technology Network. You should periodically check OracleMetaLink for critical patch updates.

To find and download critical patch updates for Oracle Audit Vault:

  1. Follow Step 1 through Step 3 in Section 3.7.1 to find the critical patch updates for Oracle Audit Vault.

  2. In the list of articles that appears, search for the phrase Oracle Critical Patch Update.

  3. Select the most recent critical patch update article, and then read its instructions.

    Download the most recent critical patch update for Oracle Audit Vault. In most critical patch update articles, there is section entitled "Patch Download Procedure," which explains how to download the critical patch update.

For more information about critical patch updates, see:

http://www.oracle.com/security/critical-patch-update.html

For the latest information on whether a specific critical patch update is certified with Oracle Audit Vault, review the certification matrix on the OracleMetaLink Web site, at:

https://metalink.oracle.com

If you do not have a current Oracle Support Services contract, then you can access the same information at:

http://www.oracle.com/technology/support/metalink/content.html

3.7.3 Reset User Passwords

Audit Vault Server uses the password you enter for the Oracle Audit Vault administrator as the password for core database accounts such as SYS, SYSTEM, SYSMAN, and DBSNMP in a basic installation. For an advanced installation, the user is given the option of changing the password for each of these accounts.

For a basic installation, Oracle Audit Vault Server also uses the same Oracle Audit Vault Administrator password for the AV_ADMINdvo account, the Database Vault Owner (granted DV_OWNER role), to manage Database Vault roles and configuration and the AV_ADMINdva account, and the Database Vault Account Manager (granted DV_ACCTMGR role), to manage database user accounts. You must change these passwords according to your company policies.

For an advanced installation, Audit Vault Server uses the Database Vault Owner user password and the separate, optional Database Vault Account Manager user password for these users. You must change these passwords according to your company policies.

3.7.3.1 Using SQL*Plus to Reset Passwords

To reset user account passwords using SQL*Plus:

  1. Start SQL*Plus and log in as AV_ADMINdva account.

  2. Enter a command similar to the following, where password is the new password:

    SQL> ALTER USER account IDENTIFIED BY password;
    

    In this example:

    The IDENTIFIED BY password clause resets the password.

    See Also:

    Oracle Database Security Guide for more information about:
    • Changing passwords after installation

    • Oracle security procedures

    • Best security practices

3.7.4 Enable or Disable Connections with the SYSDBA Privilege

Oracle Database Vault allows you to disable remote logins with SYSDBA privileges. This enables enhanced security for your database.

To disable remote SYSDBA connections, re-create the password file with the nosysdba flag set to y (Yes). A user can still log in AS SYSDBA locally using Operating System (OS) authentication. However, remote connections AS SYSDBA will fail.

Use the following syntax to run the orapwd utility:

orapwd file=filename password=password [entries=users] force=y/n nosysdba=y/n

In this example:

  • file is the name of password file (mandatory).

  • password is the password for SYS (mandatory). Enter at least six alphanumeric characters.

  • entries is the maximum number of distinct DBA users.

  • force indicates whether or not to overwrite the existing file (optional). Enter y (for yes) or n (for no).

  • nosysdba indicates whether or not to enable or disable the SYS logon (optional for Oracle Database Vault only). Enter y (to disable SYS login) or n (to enable SYS login).

    The default is no. If you omit this flag, the password file will be created enabling SYSDBA access for Oracle Database Vault instances.

For example:

orapwd file=$ORACLE_HOME/dbs/orapworcl password=password force=y nosysdba=n

Note:

Do not insert spaces around the equal sign (=).

See Also:

Oracle Database Administrator's Guide for more information about using the orapwd utility

Enable or Disable Connecting with SYSDBA on Oracle Real Application Clusters Systems

Under a cluster file system and raw devices, the password file under $ORACLE_HOME is in a symbolic link that points to the shared storage location in the default configuration. In this case, the orapwd command that you issue affects all nodes.

Enable or Disable Connecting with SYSDBA on Automatic Storage Management Systems

For Automatic Storage Management systems, you must update each node to enable or disable the SYSDBA connection privilege by using the orapwd utility.

3.7.5 Run DVCA to Set Instance Parameters and Lock Out SYSDBA Sessions (Oracle RAC Only)

After installing Oracle Audit Vault for a Oracle Real Application Clusters (Oracle RAC) instance, you must run Database Vault Configuration Assistant (DVCA) with the -action optionrac switch on all other Oracle RAC nodes. This sets instance parameters and disables SYSDBA operating system authentication.

You must run this command on all Oracle RAC nodes other than the node on which the Oracle Audit Vault installation is performed. This step is required to enable the enhanced security features provided by Oracle Database Vault.

Note:

The listener and database instance should be running on the nodes on which you run DVCA.

Use the following syntax to run DVCA:

# dvca -action optionrac -racnode host_name -oh oracle_home 
-jdbc_str jdbc_connection_string -sys_passwd sys_password 
[-logfile ./dvca.log] [-silent] [-nodecrypt] [-lockout]

In this example:

  • action is the action to perform. The optionrac utility performs the action of updating the instance parameters for the Oracle RAC instance and optionally disabling SYSDBA operating system access for the instance.

  • racnode is the host name of the Oracle RAC node on which the action is being performed. Do not include the domain name with the host name.

  • oh is the Oracle home for the Oracle RAC instance.

  • jdbc_str is the JDBC connection string used to connect to the database. For example, "jdbc:oracle:oci:@orcl1".

  • sys_password is the password for the SYS user.

  • logfile is optionally used to specify a log file name and location. You can enter an absolute path or a path that is relative to the location of the $ORACLE_HOME/bin directory.

  • silent is required if you are not running DVCA in an Xterm window.

  • nodecrypt reads plain text passwords as passed on the command line.

  • lockout is used to disable SYSDBA operating system authentication.

Note:

You can reenable SYSDBA access by re-creating the password file with the nosysdba flag set to n (No). The orapwd utility enables you to do this.

After running DVCA, stop and restart the instance and database listener on all cluster nodes. This step is also applicable to the node on which Oracle Audit Vault was installed. Use the following commands:

srvctl stop instance -d sid -i instance_name -q
Connect String: sys as sysdba
Enter password: sysdbapassword
srvctl stop nodeapps -n node_name
srvctl start nodeapps -n node_name
srvctl start instance -d sid -i instance_name -q
Connect String: sys as sysdba
Enter password: sysdbapassword

3.7.6 Download JDBC Driver Files for Source Database Connectivity

Oracle Audit Vault enables you to collect audit records from audit trails in Microsoft SQL Server, Sybase Adaptive Server Enterprise (ASE), and IBM DB2 Universal Database (UDB) databases.

To allow connectivity between Audit Vault Server and Microsoft SQL Server databases, Audit Vault Server and Sybase ASE databases, and Audit Vault Server and IBM DB2 UDB databases, you must download and copy the respective JDBC Driver jar files to the designated location.

Section 3.7.6.1, Section 3.7.6.2, and Section 3.7.6.3 describe this download and copy process for each JDBC Driver.

3.7.6.1 Download SQL Server 2005 JDBC Driver for SQL Server Connectivity

Because the SQL Server 2005 Driver for JDBC works with both SQL Server 2000 and SQL Server 2005, use the SQL Server 2005 Driver for JDBC.

Download the SQL Server 2005 Driver for JDBC from the following link.

http://msdn2.microsoft.com/en-us/data/aa937724.aspx

This Type 4 JDBC driver (sqljdbc.jar) provides highly scalable and reliable connectivity for the enterprise Java environment and provides JDBC access to SQL Server 2000 or SQL Server 2005 through any Java-enabled applet, application, or application server.

Copy the sqljdbc.jar file to the Oracle Audit Vault Server and Oracle Audit Vault Agent home locations:

$ORACLE_HOME/jlib

3.7.6.2 Download jConnect JDBC Driver for Sybase ASE Connectivity

Download jConnect for JDBC, which provides high performance native access to Sybase ASE data sources, from the following link:

http://www.sybase.com/products/allproductsa-z/softwaredeveloperkit/jconnect

jConnect for JDBC (jconn3.jar) is a high performance JDBC Driver from Sybase that communicates directly to Sybase data sources.

Copy the jconn3.jar file to the Oracle Audit Vault Server and Oracle Audit Vault Agent home locations:

$ORACLE_HOME/jlib

3.7.6.3 Copy the IBM DB2 Data Server Driver for JDBC and SQLJ to the Audit Vault Homes

Copy the IBM Data Server Driver for JDBC and SQLJ (db2jcc.jar) to the $ORACLE_HOME/jlib directories in both the Audit Vault Server and Audit Vault Agent homes. Oracle Audit Vault requires version 3.50 or later of the driver. This version of the db2jcc.jar file is available in either IBM DB2 UDB version 9.5 or IBM DB2 Connect version 9.5 or later.

This driver provides high performance native access to IBM DB2 database data sources. The DB2 collector uses this driver to collect audit data from IBM DB2 databases, so the driver must be present in Oracle Audit Vault OC4J before you can start the agent OC4J.

3.7.7 Log In to Oracle Audit Vault Console

Use the following instructions to log in to the Oracle Audit Vault Console:

  1. On the node from which you installed the database, open a Web browser to access the Oracle Audit Vault Console URL, and use the following URL syntax:

    http://host:port/av
    

    In the preceding example:

    • host is the name of the computer on which you installed Oracle Audit Vault Database.

    • port is the port number reserved for the Oracle Audit Vault Console during installation.

    If you do not know the correct port number to use, then perform the following steps in the Audit Vault Server home shell:

    1. Set the following environment variables: ORACLE_HOME, ORACLE_SID, and PATH. See Oracle Audit Vault Administrator's Guide for more information.

    2. Issue the AVCTL show_av_status command. The output displays the Oracle Audit Vault Console URL.

    3. On any system, enter this URL in a Web browser and Oracle Enterprise Manager will display the Oracle Audit Vault Console login page.

  2. Log in to the Oracle Audit Vault Console using the user name AV_ADMIN and the AV_ADMIN password that you created during the installation.

3.7.8 Next Steps to Perform as an Oracle Audit Vault Administrator

After Audit Vault Server installation is complete, see Oracle Audit Vault Collection Agent Installation Guide for information about installing Oracle Audit Vault collection agents and the collectors.

After an Oracle Audit Vault collection agent installation is complete, see Oracle Audit Vault Administrator's Guide for some Oracle Audit Vault Administration tasks to perform. These tasks include:

  1. For Linux and UNIX platforms only: Check and set environment variables in the shells in which you will be interacting with the Audit Vault Server and the Oracle Audit Vault collection agent (see the information about checking and setting Linux and UNIX environment variables).

  2. For collecting audit records from Oracle Database audit sources, see the information about registering Oracle Database sources and collectors.

  3. For collecting audit records from SQL Server Database audit sources, see the information about registering Microsoft SQL Server sources and collector.

  4. For collecting audit records from Sybase ASE Database audit sources, see the information about registering Sybase ASE database sources and collector.

  5. For collecting audit records from IBM DB2 database audit sources, see the information about registering IBM DB2 sources and collector.

  6. To start collecting audit records from a database audit source, see the information about starting collection agents and collectors.

  7. To perform other Oracle Audit Vault configuration tasks, see the information about performing additional Oracle Audit Vault configuration tasks.

  8. To manage and monitor an Oracle Audit Vault system, see the information about managing Oracle Audit Vault.

  9. Before going into production be sure to secure management communications, see the information about Oracle advanced security and secure management communication.