Oracle® Database Vault Installation Guide
Oracle9i Release 2 (9.2.0.8) for hp Tru64 UNIX

Part Number E14405-01

2 Installing Oracle Database Vault as an Option

This chapter describes how to install Oracle Database Vault into an existing Oracle9i Database release 2 (9.2.0.8) database. These procedures transform an existing Oracle Database system (including associated applications) into an Oracle Database Vault system. Databases upgraded using the procedures described in this chapter can work almost in the same manner as in earlier releases and, optionally, can leverage new Database Vault functionality. For a list of changes that Database Vault makes, refer to Appendix E, "Default Values for Security-Specific Initialization Parameters" and Oracle Database Vault Administrator's Guide.

Note:

To upgrade a pre-Oracle9i Database release 2 (9.2.0.8) database to Oracle Database Vault, you first must upgrade the database to Oracle9i Database release 2 (9.2.0.8).

This chapter covers the following topics:

2.1 Preinstallation and Installation Tasks

This section covers the following topics:

2.1.1 Become Familiar with the Features of Oracle Database Vault

Before you plan the upgrade process, become familiar with the features of Database Vault. Oracle Database Vault Administrator's Guide discusses the basic features of Database Vault.

2.1.2 Check the Hardware Requirements

The system must meet the following minimum hardware requirements:

  • At least 512 MB of available physical RAM

  • Swap space on the disk equal to the system's physical memory, or 1 GB, whichever is greater

  • 400 MB of disk space in the /tmp directory

  • 270 MB of disk space for the Database Vault software

  • 10 MB of additional disk space for the database files

To ensure that the system meets these requirements:

  1. To determine the physical RAM size, enter the following command:

    # /bin/vmstat -P | grep "Total Physical Memory"
    

    If the size of the physical RAM installed in the system is less than the required size, then you must install more memory before continuing.

  2. To determine the size of the configured swap space, enter the following command:

    # /sbin/swapon -s
    

    If necessary, refer to your operating system documentation for information about how to configure additional swap space.

  3. To determine the amount of disk space available in the /tmp directory, enter the following command:

    # df -k /tmp
    

    If there is less than 400 MB of disk space available in the /tmp directory, then complete one of the following steps:

    • Delete unnecessary files from the /tmp directory to meet the disk space requirement.

    • Set the TEMP and TMPDIR environment variables when setting the oracle user's environment (described later).

    • Extend the file system that contains the /tmp directory. If necessary, contact your system administrator for information about extending file systems.

  4. To determine the amount of free disk space on the system, enter the following command:

    # df -k
    

2.1.3 Check the Operating System Requirements

The system must meet the following minimum software requirements:

  • The version of hp Tru64 UNIX must be 5.1 or later.

  • The following packages must be installed:

    OSF11          OSFLIBA         OSFCMPLRS 
    OSFSER         OSFPGMR         
    
  • The following patches must be installed:

    Patch for hp Tru64 Release 5.1:

    • 5.1 patchkit 4

    Patches for hp Tru64 Release 5.1A:

    • 5.1A patchkit 1

    You can download these patches from the following Web site:

    http://www.compaq.com/support
    

To ensure that the system meets these requirements, follow these steps:

  1. To determine which version of hp Tru64 UNIX is installed, enter the following command:

    # /usr/sbin/sizer -v
    5.1
    

    In this example, the version shown is 5.1. If necessary, see your operating system documentation for information about upgrading the operating system.

  2. To determine whether the required packages are installed, enter a command similar to the following:

    # /usr/sbin/dupatch -track -type kit
    

    If a package is not installed, then install it. See your operating system or software documentation for information about installing packages.

  3. To determine whether an operating system patch is installed, enter a command similar to the following:

    # setld -i |grep os_package
    

    If an operating system patch is not installed, download it from the following Web site and install it:

    http://www.compaq.com/support
    

2.1.4 Check Kernel Parameters

Verify that the following kernel parameters are set to values greater than or equal to the recommended value shown:

| Kernel Parameter | Setting | Purpose |
|---|---|---|
| MAX_PER_PROC_STACK_SIZE | 33554432 (32 MB) | Defines the processor stack size. The default size is sufficient for Oracle Database Vault software. If an application that shares the system with Oracle Database Vault requires a higher per-process stack size, do not set this parameter higher than 512 MB. |
| PER_PROC_STACK_SIZE | 33554432 (32 MB) | Defines the processor stack size. The default size is sufficient for Oracle Database Vault software. If an application that shares the system with Oracle Database Vault requires a higher per-process stack size, do not set this parameter higher than 512 MB. |
| PER_PROC_DATA_SIZE | 201326592 (192 MB) | Defines the minimum per-process data segment size. |
| SHM_MAX | 4278190080 (4 GB less 16 MB) | Defines the maximum allowable size of the shared memory. The SHM_MAX parameter does not affect how much shared memory is used or needed by Oracle Database Vault, the operating system, or the operating system kernel. |
| SHM_MIN | 1 | Defines the minimum allowable size of a single shared memory segment. |
| SHM_MNI | 256 | Defines the maximum number of shared memory segments in the entire system. |
| SHMSEG | 128 | Defines the maximum number of shared memory segments one process can attach. |

To view the current value specified for these kernel parameters, and to change them if necessary, follow these steps:

  1. To view the current values of these parameters, enter the following command:

    # /sbin/sysconfig -q ipc
    
  2. If you must change any of the current values, follow these steps:

    1. Create a backup copy of the /etc/sysconfigtab file, for example:

      # cp /etc/sysconfigtab /etc/sysconfigtab.orig
      
    2. Using a text editor, create a file similar to the following, specifying the subsystems and attributes to modify:

      ipc:  shm_max = 4278190080
            shm_mni = 256
            shm_seg = 128
       
      proc: per_proc_stack_size = 33554432
            per_proc_data_size = 201326592
      
    3. Enter a command similar to the following to add the subsystem attributes to the /etc/sysconfigtab file:

      # /sbin/sysconfigdb -m -f filename
      

      In this example, replace filename with the name of the file that you created in Step 2.

    4. Enter the following command to restart the system:

      # /sbin/shutdown -r now
      
    5. When the system restarts, log in as user root.
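
The comparison in step 1 can be scripted. The following is an added example, not part of the Oracle guide: it reads `sysconfig -q` output and reports every attribute from the sample file above that is below its minimum. It assumes that output consists of a `subsystem:` header followed by `attribute = value` lines; the sample input is constructed.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): compare current kernel attributes
# with the minimums given in this section.
# Assumption: `sysconfig -q <subsystem>` prints a "<subsystem>:" header
# followed by one "attribute = value" line per attribute.

# Minimums from the sample sysconfigtab fragment above, as name=minimum pairs.
REQUIRED="shm_max=4278190080 shm_mni=256 shm_seg=128 per_proc_stack_size=33554432 per_proc_data_size=201326592"

# check_kernel_params reads sysconfig output on stdin and prints one line per
# required attribute: OK, LOW (below the minimum) or MISSING.
# Exit status is 1 if any attribute is LOW or MISSING, otherwise 0.
check_kernel_params() {
    awk -v required="$REQUIRED" '
        BEGIN {
            n = split(required, pairs, " ")
            for (i = 1; i <= n; i++) {
                split(pairs[i], kv, "=")
                order[i] = kv[1]
                min[kv[1]] = kv[2]
            }
        }
        # Only "name = value" lines count; headers such as "ipc:" are skipped.
        $2 == "=" && ($1 in min) { cur[$1] = $3 }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                name = order[i]
                if (!(name in cur)) {
                    printf "MISSING %s (need >= %s)\n", name, min[name]
                    bad = 1
                } else if (cur[name] + 0 < min[name] + 0) {
                    printf "LOW %s = %s (need >= %s)\n", name, cur[name], min[name]
                    bad = 1
                } else {
                    printf "OK %s = %s\n", name, cur[name]
                }
            }
            exit bad
        }'
}

# Constructed sample in the assumed output format (not captured from a host).
sample_sysconfig_output() {
    cat <<'EOF'
ipc:
shm_max = 4194304
shm_min = 1
shm_mni = 256
shm_seg = 32
proc:
per_proc_stack_size = 33554432
per_proc_data_size = 201326592
EOF
}

# On the Tru64 host, feed the real values instead of the sample:
#   { /sbin/sysconfig -q ipc; /sbin/sysconfig -q proc; } | check_kernel_params
sample_sysconfig_output | check_kernel_params || echo "kernel parameters need changes"
```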

2.1.5 Check the Database Requirements

To install Oracle Database Vault, you must run the Enterprise Edition of Oracle9i Database release 2 (9.2.0.8). In addition, the Database Vault installer requires write access to the oratab and oraInst.loc files.

Note:

The /var/opt/oracle/oratab file should have an entry for the database. For example:

DBDV:/oracle/product/9.2_VAULT:Y

A listener must have been configured for the existing database. Oracle Net Configuration Assistant configures the listener when you first install the database.

You must have an existing password file for the database. The password file authentication parameter, REMOTE_LOGIN_PASSWORDFILE, must have been set to EXCLUSIVE or SHARED.

You can set the REMOTE_LOGIN_PASSWORDFILE parameter in the init.ora file. Use the orapwd utility to create and manage password files.

See Also:

Oracle9i Database Administrator's Guide for more information on creating and maintaining a password file
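
The requirements in this section can be checked before the installer validates them. The following is an added example, not part of the Oracle guide. It assumes the parameter file is `$ORACLE_HOME/dbs/initSID.ora` and the password file is `$ORACLE_HOME/dbs/orapwSID`; the fixture it runs against is constructed.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): pre-flight check of the database
# requirements listed in this section.
# Assumptions: the parameter file is $ORACLE_HOME/dbs/init<SID>.ora and the
# password file is $ORACLE_HOME/dbs/orapw<SID>.

fail() { echo "FAIL: $1"; failures=$((failures + 1)); }

# check_db_requirements SID ORATAB [ORAINST_LOC]
# Prints one line per unmet requirement and returns the number of failures.
check_db_requirements() {
    sid=$1; oratab=$2; orainst=${3:-}; failures=0

    # oratab entries have the form SID:ORACLE_HOME:Y|N
    home=$(awk -F: -v sid="$sid" '$1 == sid { print $2; exit }' "$oratab" 2>/dev/null)
    if [ -z "$home" ]; then
        fail "no entry for $sid in $oratab"
        return "$failures"
    fi

    # The installer needs write access to oratab and oraInst.loc.
    [ -w "$oratab" ] || fail "$oratab is not writable by $(id -un)"
    if [ -n "$orainst" ] && [ ! -w "$orainst" ]; then
        fail "$orainst is not writable by $(id -un)"
    fi

    # Parameter names are case-insensitive; drop comments and quotes and keep
    # the last setting found in the file.
    initora=$home/dbs/init${sid}.ora
    mode=$(sed -e 's/#.*//' "$initora" 2>/dev/null | tr -d "\"'" |
        awk -F= 'toupper($1) ~ /^[ \t]*REMOTE_LOGIN_PASSWORDFILE[ \t]*$/ {
                     v = toupper($2); gsub(/[ \t]/, "", v); last = v
                 }
                 END { print last }')
    case $mode in
        EXCLUSIVE|SHARED) ;;
        "") fail "REMOTE_LOGIN_PASSWORDFILE is not set in $initora" ;;
        *)  fail "REMOTE_LOGIN_PASSWORDFILE=$mode (need EXCLUSIVE or SHARED)" ;;
    esac

    # A password file must already exist for the database.
    [ -s "$home/dbs/orapw$sid" ] || fail "password file $home/dbs/orapw$sid is missing or empty"

    return "$failures"
}

# Constructed fixture: a throwaway Oracle home whose init.ora uses NONE and
# which has no password file, so two requirements fail.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/home/dbs"
    echo "DBDV:$root/home:Y" > "$root/oratab"
    printf '%s\n' '# constructed init.ora' 'remote_login_passwordfile = NONE' \
        > "$root/home/dbs/initDBDV.ora"
    echo "$root"
}

# On a real host: check_db_requirements DBDV /var/opt/oracle/oratab
fixture=$(make_fixture)
check_db_requirements DBDV "$fixture/oratab" || echo "$? requirement(s) not met"
rm -rf "$fixture"
```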

The following topic discusses applying the 9.2.0.8 patch set:

2.1.5.1 Apply Oracle Database Release 9.2.0.8 Patch Set

To install Oracle Database Vault, you must upgrade the database to Oracle9i Database release 2 (9.2.0.8). Back up your database before performing any upgrade or installation.

See Also:

Oracle9i Backup and Recovery Concepts for information on database backups

This section covers the following topics:

Patch Set Overview

Patch sets are cumulative. Patch set release 9.2.0.8 includes all fixes in patch sets 9.2.0.8 and earlier, and new fixes for patch set 9.2.0.8. This means that unless the patch set documentation indicates otherwise, you can apply this patch set to any earlier release 9.2 installation. You do not have to install intermediate patch sets.

Patch sets contain generic fixes that apply to all platforms. Patch sets may also include additional platform-specific patches.

Oracle Universal Installer Version Requirements

This patch set includes Oracle Universal Installer release 10.1.0.5. You must use this Oracle Universal Installer to install this patch set and not Oracle Universal Installer from the 9.2.0.x maintenance release media or Oracle home.

This is not a complete software distribution. You must install it in an existing Oracle9i release 2 (9.2.0.x.x) installation. Users applying this patch set must use Oracle Universal Installer release 10.1.0.5 (provided as part of this patch set) or later to ensure that their Oracle home can be patched in the future. Oracle Universal Installer release 10.1.0.5 is also installed when you install this patch set.

Patch Set Documentation

There are two documents related to this release of the Oracle9i release 2 patch set:

  • Oracle9i Patch Set Notes, Release 2 (9.2.0.8) Patch Set 7 for hp Tru64 UNIX

    This document provides:

    • System requirements and information about how to install or reinstall the patch set

    • A list of all bugs fixed to date that are specific to Oracle9i Release 2 for hp Tru64 UNIX

    • A list of known issues relating to Oracle9i Release 2 for hp Tru64 UNIX

  • Oracle9i List of Bugs Fixed, Release 2 (9.2.0.8) Patch Set 7

    The List of Bugs Fixed is a list of all generic bugs related to Oracle9i release 2 that have been fixed in this release.

Both of these documents are included with the patch set. The Oracle9i List of Bugs Fixed is also available on OracleMetaLink, from document 189908.1, ALERT: Oracle9i Release 2 (9.2) Support Status and Alerts at:

http://metalink.oracle.com

2.1.6 For Oracle Real Application Clusters Environments, Set System Variables

For each node of an Oracle Real Application Clusters (RAC) environment on which you plan to install Oracle Database Vault, set the udp_sendspace and udp_recvspace system parameters as follows:

/sbin/sysconfig -r inet udp_sendspace=65536
/sbin/sysconfig -r inet udp_recvspace=655360

You can check the current values of these variables by running the following command:

/sbin/sysconfig -q inet

2.1.7 Prepare a Backup Strategy

Oracle strongly recommends that you back up your database before performing any upgrade or installation. The ultimate success of your upgrade depends heavily on the design and execution of an appropriate backup strategy. To develop a backup strategy, consider the following questions:

  • How long can the production database remain inoperable before business consequences become intolerable?

  • What backup strategy should be used to meet your availability requirements?

  • Are backups archived in a safe, off-site location?

  • How quickly can backups be restored (including backups in off-site storage)?

  • Have recovery procedures been tested successfully?

Your backup strategy should answer all of these questions and include procedures for successfully backing up and recovering your database.

See Also:

Oracle9i User-Managed Backup and Recovery Guide for information on database backups

2.1.8 Verify that the Global Services Daemon Is Running (RAC Only)

The Global Services Daemon (GSD) should be running for the Database Vault installer to find existing Oracle Real Application Clusters (RAC) databases. If you have stopped GSD, then you should restart it before running Oracle Universal Installer. Use the following command to start the GSD service:

$ORACLE_HOME/bin/gsdctl start

You must run this command on each Oracle RAC node.

2.1.9 Stop Existing Oracle Processes

Stop all processes running in the Oracle home. You must complete this task to enable Oracle Universal Installer to relink certain executables and libraries. For Oracle RAC databases, you must stop the processes on all nodes.

Stop the processes in the following order:

2.1.9.1 Step 1: Stop the apachectl and agentctl Processes

Stop the apachectl process using the following command:

$ORACLE_HOME/Apache/Apache/bin/apachectl stop

Stop the agentctl process using the following command:

$ORACLE_HOME/bin/agentctl stop

2.1.9.2 Step 2: Shut Down All Database Instances

Shut down all database instances running from the Oracle home directory into which Oracle Database Vault is to be installed.

sqlplus SYS "AS SYSDBA"
Enter password: password
SQL> shutdown immediate

Use the Server Control (srvctl) utility, and not SQL*Plus, to stop an Oracle Real Application Clusters (RAC) Database instance.

srvctl stop database -d database_name

2.1.9.3 Step 3: Stop Existing Listeners

Oracle Universal Installer configures and starts a default Oracle Net listener using TCP/IP port 1521. However, if an existing Oracle Net listener process is using the same port or key value, then Oracle Universal Installer can only configure the new listener; it cannot start it. To ensure that the new listener process starts during the installation, you must shut down any existing listeners before starting Oracle Universal Installer.

To determine whether an existing listener process is running and to shut it down if necessary:

  1. Switch user to oracle:

    # su - oracle
    
  2. Enter the following command to determine whether a listener process is running and to identify its name and the Oracle home directory in which it is installed:

    $ ps -ef | grep tnslsnr
    

    This command displays information about the Oracle Net listeners running on the system:

    ... oracle_home1/bin/tnslsnr LISTENER -inherit
    

    In this example, oracle_home1 is the Oracle home directory where the listener is installed and LISTENER is the listener name.

    Note:

    If no Oracle Net listeners are running, then refer to "Configure the Oracle User's Environment" to continue.

  3. Set the ORACLE_HOME environment variable to specify the appropriate Oracle home directory for the listener:

    • Bourne, Bash, or Korn shell:

      $ ORACLE_HOME=oracle_home1
      $ export ORACLE_HOME
      
    • C or tcsh shell:

      % setenv ORACLE_HOME oracle_home1
      
  4. Enter the following command to identify the TCP/IP port number and IPC key value that the listener is using:

    $ $ORACLE_HOME/bin/lsnrctl status listenername
    

    Note:

    If the listener uses the default name LISTENER, then you do not have to specify the listener name in this command.

  5. Enter a command similar to the following to stop the listener process:

    $ $ORACLE_HOME/bin/lsnrctl stop listenername
    
  6. Repeat this procedure to stop all listeners running on this system.

Note:

If you are installing Database Vault for Oracle Real Application Clusters (RAC), then you must shut down all Oracle processes on all cluster nodes. See Appendix A, "Stopping Processes in an Oracle Real Application Clusters Database" for more details.

2.1.10 Configure the Oracle User's Environment

Run Oracle Universal Installer (OUI) using the account that owns the Oracle software. This is usually the oracle account.

However, before you start Oracle Universal Installer you must configure the environment of the oracle user. To configure the environment, you must:

  • Set the default file mode creation mask (umask) to 022 in the shell startup file.

  • Set the DISPLAY environment variable.

Note:

Ensure that the PATH variable contains $ORACLE_HOME/bin before /usr/X11R6/bin.

To set the oracle user's environment:

  1. Start a new terminal session, for example, an X terminal (xterm).

  2. Enter the following command to ensure that X Window applications can display on this system:

    $ xhost fully_qualified_remote_host_name
    

    For example:

    $ xhost somehost.us.example.com
    
  3. If you are not logged in to the system where you want to install the software, then log in to that system as the oracle user.

  4. If you are not logged in as the oracle user, then switch user to oracle:

    $ su - oracle
    
  5. To determine the default shell for the oracle user, enter the following command:

    $ echo $SHELL
    
  6. Open the oracle user's shell startup file in any text editor:

    • Bourne shell (sh), Bash shell (bash), or Korn shell (ksh):

      $ vi .profile
      
    • C shell (csh or tcsh):

      % vi .login
      
  7. Enter or edit the following line, specifying a value of 022 for the default file mode creation mask:

    umask 022
    
  8. Save the file, and exit from the editor.

  9. To run the shell startup script, enter one of the following commands:

    • Bourne, Bash, or Korn shell:

      $ . ./.profile
      
    • C shell:

      % source ./.login
      
  10. If you are not installing the software on the local system, then enter a command similar to the following to direct X applications to display on the local system:

    • Bourne, Bash, or Korn shell:

      $ DISPLAY=local_host:0.0 ; export DISPLAY
      
    • C shell:

      % setenv DISPLAY local_host:0.0
      

    In this example, local_host is the host name or IP address of the system to use to display Oracle Universal Installer (your workstation or PC).

  11. If you determined that the /tmp directory has less than 400 MB of free disk space, then identify a file system with at least 400 MB of free space and set the TEMP and TMPDIR environment variables to specify a temporary directory on this file system:

    1. Use the df -k command to identify a suitable file system with sufficient free space.

    2. If necessary, enter commands similar to the following to create a temporary directory on the file system that you identified, and set the appropriate permissions on the directory:

      $ su - root
      # mkdir /mount_point/tmp
      # chmod a+wr /mount_point/tmp
      # exit
      
    3. Enter commands similar to the following to set the TEMP and TMPDIR environment variables:

      • Bourne, Bash, or Korn shell:

        $ TEMP=/mount_point/tmp
        $ TMPDIR=/mount_point/tmp
        $ export TEMP TMPDIR
        
      • C shell:

        % setenv TEMP /mount_point/tmp
        % setenv TMPDIR /mount_point/tmp
        
  12. Enter commands similar to the following to set the ORACLE_BASE and ORACLE_SID environment variables:

    • Bourne, Bash, or Korn shell:

      $ ORACLE_BASE=/u01/app/oracle
      $ ORACLE_SID=sales
      $ export ORACLE_BASE ORACLE_SID
      
    • C shell:

      % setenv ORACLE_BASE /u01/app/oracle
      % setenv ORACLE_SID sales
      

    In these examples, /u01/app/oracle is the Oracle base directory that you created or identified earlier and sales is the name to call the database (typically no more than five characters).

  13. Enter the following commands to ensure that the ORACLE_HOME and TNS_ADMIN environment variables are not set:

    • Bourne, Bash, or Korn shell:

      $ unset ORACLE_HOME
      $ unset TNS_ADMIN
      
    • C shell:

      % unsetenv ORACLE_HOME
      % unsetenv TNS_ADMIN
      
  14. To verify that the environment has been set correctly, enter the following commands:

    $ umask
    $ env | more
    

    Verify that the umask command displays a value of 22, 022, or 0022 and the environment variables that you set in this section have the correct values.
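
The verification in step 14 can be done with a script instead of by reading the `env` output. The following is an added example, not part of the Oracle guide: it checks the umask, the variables that must be exported, the variables that must be unset, and the 400 MB of temporary space. It assumes `df` accepts the POSIX `-P` option.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): check the oracle user's
# environment against the steps above before starting ./runInstaller.
# Assumption: df accepts the POSIX -P option (one line per file system).

note() { echo "FAIL: $1"; problems=$((problems + 1)); }

# True when the variable is exported with a non-empty value / exported at all.
env_nonempty() { env | grep "^$1=." >/dev/null; }
env_present()  { env | grep "^$1=" >/dev/null; }

# check_installer_env [MIN_TMP_KB]
# Prints one line per problem and returns the number of problems found.
check_installer_env() {
    min_kb=${1:-409600}      # 400 MB expressed in KB, the unit df -k reports
    problems=0

    # Steps 7 and 14: umask must display 22, 022 or 0022.
    case $(umask) in
        22|022|0022) ;;
        *) note "umask is $(umask), expected 022" ;;
    esac

    # Steps 10 and 12: these must reach the installer, so they must be exported.
    for var in DISPLAY ORACLE_BASE ORACLE_SID; do
        env_nonempty "$var" || note "$var is not set"
    done

    # Step 13: these must not be set at all.
    for var in ORACLE_HOME TNS_ADMIN; do
        if env_present "$var"; then
            note "$var is set; unset it before running the installer"
        fi
    done

    # Step 11: the temporary directory in use needs 400 MB of free space.
    seen=
    for dir in "${TEMP:-/tmp}" "${TMPDIR:-/tmp}"; do
        [ "$dir" = "$seen" ] && continue
        seen=$dir
        free_kb=$(df -Pk "$dir" 2>/dev/null | awk 'NR == 2 { print $4 }')
        case $free_kb in
            ''|*[!0-9]*) note "cannot read free space for $dir" ;;
            *) [ "$free_kb" -ge "$min_kb" ] ||
                   note "$dir has $free_kb KB free, need $min_kb" ;;
        esac
    done

    return "$problems"
}

check_installer_env || echo "$? problem(s) found; fix them before running ./runInstaller"
```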

2.1.11 Run Oracle Universal Installer to Install Oracle Database Vault

Run Oracle Universal Installer (OUI) to install Oracle Database Vault into an existing Oracle9i Database release 2 (9.2.0.8) database. You should run the installer as the software owner account that owns the current ORACLE_HOME environment. This is normally the oracle account.

Log in as the oracle user. Alternatively, switch user to oracle using the su command. Change your current directory to the directory containing the installation files. Start Oracle Universal Installer.

./runInstaller

The following steps discuss the options you must select:

  1. In the Specify Installation Details screen, you must specify the path to the Oracle home that contains the existing Oracle Database. The Destination Path box lists the Oracle home paths of all Oracle9i Database release 2 (9.2.0.8) Enterprise Edition databases registered with the system.

    Select the Oracle home corresponding to the database into which you want to install Oracle Database Vault.

    Note:

    • If an Oracle home does not have an Enterprise Edition of Oracle9i Database release 2 (9.2.0.8) installed, then it is not displayed. You must ensure that the Oracle home has an Enterprise Edition of Oracle9i Database release 2 (9.2.0.8) installed.

    • If an Oracle home currently contains Oracle Database Vault, then it is not displayed. You cannot install Oracle Database Vault into an Oracle home more than once.

    • For an Oracle Real Application Clusters (RAC) installation, if the Global Services Daemon is not running, then OUI cannot detect the Oracle home. See "Verify that the Global Services Daemon Is Running (RAC Only)" for instructions on starting the Global Services Daemon.

  2. Enter a user name for the Database Vault Owner account in the Database Vault Owner field. The user name can be a minimum of 2 and maximum of 30 characters long.

  3. Enter a password for the Database Vault Owner account in the Database Vault Owner Password field. The password can be a minimum of 8 and a maximum of 30 characters. The password must include at least one alphabetic character, one digit, and one nonalphanumeric character (symbol). It cannot be the same as the account names for either the Database Vault owner or the Database Vault account manager. It cannot contain any consecutive repeating characters.

  4. Reenter the password in the Confirm Password field.

  5. Select Create a Separate Account Manager if you want to create a separate Account Manager to manage Oracle Database Vault accounts.

    For greater security and to adhere to separation of duty requirements, Oracle recommends that you create a separate account manager user account.

  6. In the Database Vault Account Manager field, enter a user name for the Database Vault Account Manager if you have chosen to select the Create a Separate Account Manager check box. The user name can be a minimum of 2 and a maximum of 30 characters.

  7. Enter a password for the Database Vault Account Manager account in the Account Manager Password field.

    The password can be a minimum of 8 and a maximum of 30 characters. The password must include at least one alphabetic character, one digit, and one nonalphanumeric character (symbol). It cannot be the same as the account names for either the Database Vault owner or the Database Vault account manager. It cannot contain any consecutive repeating characters.

  8. Reenter the password in the Confirm Password field. Click Next.

  9. The Select Existing Database screen is displayed. A list of all databases running from the selected Oracle home is displayed. Select the database into which you want to install Oracle Database Vault.

    Note:

    • If a database is not listed, then check to make sure that you have followed the instructions under "Check the Database Requirements".

    • Install Oracle Database Vault into an Oracle home containing multiple databases only if you want to enable Oracle Database Vault for all these databases. If this is not the case, then Oracle recommends that you install Oracle Database Vault into an Oracle home containing a single database.

  10. Enter the existing SYS user password for the selected database in the Existing Database SYS Password field.

  11. Reenter the SYS password in the Confirm Password field. Click Next.

    Note:

    At this point, the database requirements are validated.

  12. When prompted, shut down all Oracle processes if you have not already done so.

    For Oracle Real Application Clusters (RAC) environments, a node selection screen appears, indicating the nodes in which Oracle Database Vault will be installed.

    See Also:

    "Stop Existing Oracle Processes" for more information on stopping existing Oracle processes
  13. When the Summary screen appears, verify the details of the installation.

    For Oracle RAC, stop the Global Services Daemon on all nodes in which you are installing Oracle Database Vault. To stop the Global Services Daemon, enter the following command in a shell in each of these nodes:

    $ORACLE_HOME/bin/gsdctl stop
    
  14. In the Summary screen, click Install.

    The installation screen displays. After the installation completes, Database Vault Configuration Assistant (DVCA) starts.

  15. Answer the Database Vault Configuration Assistant (DVCA) prompts to complete the Oracle Database Vault installation and configuration.

    After you complete the installation, the log file has the following message:

    You selected -local option, hence OPatch will patch the local system only.
    

    You can disregard this message. For an Oracle RAC environment, Oracle Database Vault is still installed in all nodes.

2.2 Postinstallation Tasks

This section lists the tasks to perform after you have completed an upgrade of your database. The following topics are discussed:

2.2.1 Backing Up the Database

Make sure you perform a full backup of the production database. See Oracle9i Backup and Recovery Concepts for details on backing up a database.

2.2.2 Updating Environment Variables After the Upgrade (UNIX Systems Only)

Make sure that the following environment variables point to the correct Oracle Database Vault directories:

  • ORACLE_HOME: Specifies the Oracle home directory. For example, /u01/app/oracle/product/9.2.0/db_1

  • PATH: Specifies the directories searched by the shell to locate executable programs. For example, /bin:/usr/bin:/usr/local/bin:/usr/bin/X11:$ORACLE_HOME/bin:$HOME/bin

You may also need to set the following environment variables:

  • ORA_NLS33: Specifies the directory where the language, territory, character set, and linguistic definition files are stored. For example, $ORACLE_HOME/ocommon/nls/admin/data

  • LD_LIBRARY_PATH: Specifies the list of directories that the shared library loader searches to locate shared object libraries at run time. For example, /usr/dt/lib:$ORACLE_HOME/lib

    Use the man ld command for more information about this environment variable.

2.2.3 Changing Passwords for Oracle-Supplied Accounts

Oracle strongly recommends that you change the password for each account after installation. This enables you to effectively implement the strong security provided by Oracle Database Vault.

Note:

If you are creating a database using Database Configuration Assistant, you can unlock accounts after the database is created by clicking Password Management before you exit from Database Configuration Assistant.

2.2.3.1 Using SQL*Plus to Unlock Accounts and Reset Passwords

To unlock and reset user account passwords using SQL*Plus:

  1. Start SQL*Plus and log in using the Database Vault Account Manager account. If you did not create the Database Vault Account Manager account during installation, then you must log in using the Database Vault Owner account.

  2. Enter a command similar to the following, where account is the user account to unlock and password is the new password:

    SQL> ALTER USER account [ IDENTIFIED BY password ] ACCOUNT UNLOCK;
    

    In this example:

    • The ACCOUNT UNLOCK clause unlocks the account.

    • The IDENTIFIED BY password clause resets the password.

    Note:

    If you unlock an account but do not reset the password, then the password remains expired. The first time someone connects as that user, they must change the user's password.

    To permit unauthenticated access to your data through HTTP, unlock the ANONYMOUS user account.

2.2.4 Disabling Remote SYSDBA Connections (Optional)

Oracle Database Vault enables you to disable remote logins with SYSDBA privileges. This enables enhanced security for your database.

To disable remote SYSDBA connections, re-create the password file with the nosysdba flag set to y (Yes). A user can still log in AS SYSDBA locally using Operating System (OS) authentication. However, remote connections AS SYSDBA will fail.

Use the following syntax to re-create the password file:

orapwd file=filename password=password [entries=users] nosysdba=y/n

In this specification:

  • file: Name of password file (mandatory)

  • password: Password for SYS (mandatory).

  • entries: Maximum number of distinct DBA users

  • nosysdba: Whether to enable or disable the SYS logon (optional for Oracle Database Vault only). Enter y (for yes) or n (for no)

    The default is no, so if you omit this flag, the password file will be created enabling SYSDBA access for Oracle Database Vault instances.

When you run the orapwd utility, ensure that the file name is of the orapwSID format. For example:

orapwd file=$ORACLE_HOME/dbs/orapworcl password=password nosysdba=n

Note:

Do not insert spaces around the equal (=) character.

See Also:

Oracle9i Database Administrator's Guide for more information on using the orapwd utility.

Enabling or Disabling Connecting with SYSDBA on Oracle Real Application Clusters Systems

Under a cluster file system and raw devices, the password file under $ORACLE_HOME is in a symbolic link that points to the shared storage location in the default configuration. In this case, the orapwd command you issue affects all nodes.

2.2.5 Starting the Listener and Database on Other Nodes (RAC Only)

You must start the listener and database on all Oracle Real Application Clusters (RAC) nodes other than the one on which the installation is performed. Use the following commands to start the listener and the database:

Note:

You must enable SYSDBA connections on all nodes before running these commands. See "Disabling Remote SYSDBA Connections (Optional)" for more information on enabling SYSDBA connections.

$ORACLE_HOME/bin/lsnrctl start listener_name
srvctl start instance -d unique_database_name -i instance_name -c "SYS/password AS SYSDBA"

Note:

You must use the Server Control (srvctl) utility to start and stop Oracle Database Vault RAC instances. Do not use SQL*Plus to start and stop Oracle RAC instances. You must enable SYSDBA connections before you can use the srvctl command.

2.2.6 Running DVCA to Set Instance Parameters (RAC Only)

After installing Database Vault for an Oracle Real Application Clusters (RAC) instance, you must run Database Vault Configuration Assistant (DVCA) with the -action optionrac switch. You must run this command for all Oracle RAC nodes other than the node on which the Database Vault installation is performed. This step is required to enable the enhanced security features provided by Oracle Database Vault.

The command itself must be run on the node on which the Database Vault installation is performed. You must supply the name of the remote Oracle RAC node for which the action is being performed using the -racnode switch.

Note:

The listener and database instance should be running on the nodes for which you run DVCA.

You should also ensure that the Global Services Daemon (GSD) is running on the remote nodes. You can use the following command to start the GSD service on a node:

$ORACLE_HOME/bin/gsdctl start

Use the following syntax to run DVCA:

# dvca -action optionrac -racnode host_name -oh oracle_home -jdbc_str jdbc_connection_string -sys_passwd sys_password [-logfile ./dvca.log] [-silent] [-nodecrypt]

Where:

  • action: The action to perform. optionrac performs the action of updating the instance parameters for the Oracle RAC instance and optionally disabling SYSDBA operating system access for the instance.

  • racnode: The host name of the Oracle RAC node for which the action is being performed. Do not include the domain name with the host name.

  • oh: The Oracle home for the Oracle RAC instance.

  • jdbc_str: The JDBC connection string used to connect to the instance you are configuring. For example, "jdbc:oracle:oci:@orcl1".

  • sys_password: The password for the SYS user.

  • logfile: Optionally, specify a log file name and location. You can enter an absolute path or a path that is relative to the location of the $ORACLE_HOME/bin directory.

  • silent: Required if you are not running DVCA in an xterm window.

  • nodecrypt: Reads plaintext passwords as passed on the command line.

Note:

You can reenable SYSDBA access by re-creating the password file with the nosysdba flag set to n (No). The orapwd utility enables you to do this.

2.2.7 Deploying the Database Vault Administrator Application

Oracle Database Vault Administrator (DVA) is a browser-based graphical user interface console that you can use to manage Oracle Database Vault. You can deploy DVA in an existing Oracle Database 10g Release 2 (10.2) installation (release 10.2.0.3 or later) to manage an Oracle Database Vault Oracle9i Release 2 (9.2.0.8.1) instance.

You should have the following directory structure on the host containing the Oracle Database 10g Release 2 (10.2) installation:

$ORACLE_HOME
                |------> jlib
                |
                |------> lib
                |
                |------> sysman
                |         |---> jlib
                |
                |------> rdbms
                |         |---> jlib
                |
                |------> owm
                |         |---> jlib
                |
                |------> oui
                |         |---> jlib

Note:

Ensure that the environment variable $ORACLE_HOME is set to the directory containing the installed Oracle product.

For example, if the 10.2 installation directory is /u00/app/oracle/product/10.2/db_1, then:

ORACLE_HOME = /u00/app/oracle/product/10.2/db_1

Create the following directory structure under the ORACLE_HOME directory:

$ORACLE_HOME
        |
        |------> dv
        |         |---> jlib

For example:

mkdir -p $ORACLE_HOME/dv/jlib/

The following files should be present in the Oracle Database 10g Release 2 (10.2) installation:

$ORACLE_HOME/sysman/jlib/emCORE.jar
$ORACLE_HOME/sysman/jlib/emDB.jar
$ORACLE_HOME/sysman/jlib/emjsp.jar
$ORACLE_HOME/sysman/jlib/ems.jar
$ORACLE_HOME/sysman/jlib/log4j-core.jar
$ORACLE_HOME/sysman/jlib/jcb.jar
$ORACLE_HOME/rdbms/jlib/jmscommon.jar
$ORACLE_HOME/rdbms/jlib/qsma.jar
$ORACLE_HOME/oui/jlib/OraInstaller.jar
$ORACLE_HOME/jlib/regexp.jar
$ORACLE_HOME/jlib/providerutil.jar
$ORACLE_HOME/jlib/ojmisc.jar
$ORACLE_HOME/jlib/netcfg.jar
$ORACLE_HOME/jlib/orai18n-mapping.jar
$ORACLE_HOME/jlib/ldapjclnt10.jar
$ORACLE_HOME/lib/xschema.jar
$ORACLE_HOME/lib/xsu12.jar
$ORACLE_HOME/lib/oraclexsql.jar

You can manually deploy Database Vault Administrator (DVA) to the following Oracle Application Server Containers for J2EE (OC4J) home:

$ORACLE_HOME/oc4j/j2ee/home

Use the following steps to manually deploy the DVA application:

Note:

If you are redeploying the DVA application, then you must remove the application before you can run the steps to deploy the application. Use the following commands to remove the DVA application:

cd $ORACLE_HOME/dv/jlib
rm -rf dva_webapp

  1. Copy the following files from the Oracle home to the $ORACLE_HOME/dv/jlib/ directory in your Oracle Database 10g Release 2 (10.2) installation:

    • dva_webapp_jsp.jar

    • dva_webapp.ear

  2. Edit the file, $ORACLE_HOME/oc4j/j2ee/home/config/server.xml. Enter the following line just before the last line that reads, </application-server>:

    <application name="dva" path="$ORACLE_HOME/dv/jlib/dva_webapp.ear" auto-start="true" />
    

    For example:

    <application name="dva" path="/u00/app/oracle/oracle/product/dv12/dv/jlib/dva_webapp.ear" auto-start="true" />
    

    Note:

    If there was a previous version of DVA installed, and if you are redeploying the new dva_webapp.ear file from Disk1, then steps 2 to 6 have already been performed. You can move to step 7.

  3. Edit the file, $ORACLE_HOME/oc4j/j2ee/home/config/http-web-site.xml. Enter the following line just above the last line that reads, </web-site>:

    <web-app application="dva" name="dva_webapp" root="/dva" />
    
  4. Edit the file, $ORACLE_HOME/oc4j/j2ee/home/config/global-web-application.xml. Search for <servlet-class>oracle.jsp.runtimev2.JspServlet</servlet-class>. Uncomment the following lines after this:

    <init-param>
      <param-name>main_mode</param-name>
      <param-value>justrun</param-value>
    </init-param>
    
  5. Create the directory, $ORACLE_HOME/dv/jlib/sysman/config.

    mkdir -p $ORACLE_HOME/dv/jlib/sysman/config
    
  6. Create the database connection configuration file, emoms.properties, in the configuration directory that you just created. Add the following lines to the file:

    oracle.sysman.emSDK.svlt.ConsoleMode=standalone 
    oracle.sysman.eml.mntr.emdRepRAC=FALSE 
    oracle.sysman.eml.mntr.emdRepDBName=ORACLE_SID
    oracle.sysman.eml.mntr.emdRepConnectDescriptor=TNS_connection_string
    

    Note:

    • oracle.sysman.eml.mntr.emdRepRAC should be set to TRUE for a Real Application Clusters (RAC) database.

    • ORACLE_SID should be the SID of the Oracle Database Vault Oracle9i Release 2 (9.2.0.8) instance.

    • For oracle.sysman.eml.mntr.emdRepConnectDescriptor, you can use an alias from $ORACLE_HOME/network/admin/tnsnames.ora. Alternatively, you can use the following syntax:

      oracle.sysman.eml.mntr.emdRepConnectDescriptor=(DESCRIPTION\=(ADDRESS_LIST\=(ADDRESS\=(PROTOCOL\=TCP)(HOST\=HOSTNAME)(PORT\=PORT)))(CONNECT_DATA\=(SERVICE_NAME\=ORACLE_SID)))
      
  7. Start OC4J. Before starting OC4J, ensure that the correct environment variables are set. For example:

    ORACLE_HOME=/u00/app/oracle/product/10.2/db_1
    export ORACLE_HOME
    LD_LIBRARY_PATH=$ORACLE_HOME/bin:$ORACLE_HOME/lib:$ORACLE_HOME/jdbc/lib
    export LD_LIBRARY_PATH
    PATH=$ORACLE_HOME/bin:$ORACLE_HOME/jdk/bin:$PATH
    export PATH
    

    Note:

    LD_LIBRARY_PATH must be set to use the OCI-based JDBC libraries.

    Start OC4J using the following syntax:

    $ORACLE_HOME/jdk/bin/java -Djava.awt.headless=true -DEMDROOT=$ORACLE_HOME/dv/jlib -jar $ORACLE_HOME/oc4j/j2ee/home/oc4j.jar  -userThreads -config $ORACLE_HOME/oc4j/j2ee/home/config/server.xml
    

    Tip:

    You can create a shell script file, put the command to start OC4J in it, and grant appropriate execute permissions for the file. This allows you to easily reuse the command when required.

    You can also create a shell script file to stop OC4J, if required. You must stop and start OC4J if you make DVA configuration changes. For example:

    # script to stop and start OC4J
    $ORACLE_HOME/jdk/bin/java -jar $ORACLE_HOME/oc4j/j2ee/home/admin.jar ormi://localhost admin welcome -stop
    $ORACLE_HOME/jdk/bin/java -Djava.awt.headless=true -DEMDROOT=$ORACLE_HOME/dv/jlib -jar $ORACLE_HOME/oc4j/j2ee/home/oc4j.jar  -userThreads -config $ORACLE_HOME/oc4j/j2ee/home/config/server.xml
    
  8. To access the DVA application, use the following URL. The HTTP port defaults to 8888 for this environment. For example:

    http://hostname:8888/dva
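A check for the outcome of steps 1 to 6, added here as an example and not part of Oracle's guide. The function name check_dva_deploy is hypothetical; it assumes the path attribute in server.xml is written as an absolute path, as in the guide's example, and it adds a world-writable test on the files the procedure edits or creates.

```shell
#!/bin/sh
# Added example, not Oracle's code: verify the outcome of DVA deployment steps 1-6.
# Usage: check_dva_deploy "$ORACLE_HOME"   (returns the number of problems found)
check_dva_deploy() {
    oh=$1
    cfg="$oh/oc4j/j2ee/home/config"
    props="$oh/dv/jlib/sysman/config/emoms.properties"
    problems=0
    fail() { echo "FAIL: $*"; problems=$((problems + 1)); }

    # Step 1: both archives must be in dv/jlib.
    for f in dva_webapp_jsp.jar dva_webapp.ear; do
        [ -f "$oh/dv/jlib/$f" ] || fail "step 1: $oh/dv/jlib/$f not found"
    done

    # Step 2: the path attribute in server.xml must name an existing EAR.
    # Assumption: it is written as an absolute path, as in the guide's example.
    ear=$(sed -n 's/.*<application name="dva" path="\([^"]*\)".*/\1/p' "$cfg/server.xml" 2>/dev/null)
    if [ -z "$ear" ]; then
        fail "step 2: no <application name=\"dva\"> entry in server.xml"
    elif [ ! -f "$ear" ]; then
        fail "step 2: server.xml path does not exist as written: $ear"
    fi

    # Step 3: the web-app binding that serves the console under /dva.
    grep -q '<web-app application="dva" name="dva_webapp" root="/dva"' \
        "$cfg/http-web-site.xml" 2>/dev/null ||
        fail "step 3: dva web-app entry missing from http-web-site.xml"

    # Step 6: all four keys present, and no bare template placeholder left as a value.
    for k in oracle.sysman.emSDK.svlt.ConsoleMode oracle.sysman.eml.mntr.emdRepRAC \
             oracle.sysman.eml.mntr.emdRepDBName oracle.sysman.eml.mntr.emdRepConnectDescriptor; do
        grep -q "^$k=" "$props" 2>/dev/null || fail "step 6: $k not set in emoms.properties"
    done
    grep -E -q '=(ORACLE_SID|TNS_connection_string)[[:space:]]*$' "$props" 2>/dev/null &&
        fail "step 6: emoms.properties still contains a template placeholder"

    # Files that decide what OC4J deploys should not be writable by everyone.
    for f in "$cfg/server.xml" "$cfg/http-web-site.xml" "$props"; do
        [ -n "$(find "$f" -perm -002 2>/dev/null)" ] && fail "$f is world-writable"
    done
    return "$problems"
}
```

Run it before starting OC4J in step 7; a return value of 0 means every check passed.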
    

2.2.8 Setting the Time-Out Value for Oracle Database Vault Administrator

By default, an Oracle Database Vault session lasts 35 minutes. Afterwards, the session expires. If you want the session to last for a different time, follow the steps in this section.

To set the session time for Oracle Database Vault Administrator:

  1. Back up the web.xml file, which by default is in the $ORACLE_HOME/dv/jlib/dva_webapp/dva_webapp/WEB-INF directory.

  2. In a text editor, open the web.xml file.

  3. Search for the following setting:

    <session-config>
     <session-timeout>35</session-timeout>
    </session-config>
    
  4. Change the <session-timeout> setting to the amount of time in minutes that you prefer.

  5. Save and close the web.xml file.

  6. Stop and restart the Database Vault Administrator.
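Steps 1 to 5 as a script, added here as an example and not part of Oracle's guide. The function names are hypothetical; the script refuses 0 and negative values because the Java Servlet specification defines them as sessions that never time out.

```shell
#!/bin/sh
# Added example, not Oracle's code.
# Usage: set_dva_session_timeout \
#   "$ORACLE_HOME/dv/jlib/dva_webapp/dva_webapp/WEB-INF/web.xml" 15

set_dva_session_timeout() {
    webxml=$1
    minutes=$2
    # Digits only. Per the Java Servlet specification a value of 0 or less
    # means sessions never expire, so refuse that for an admin console.
    case $minutes in
        ''|*[!0-9]*) echo "timeout must be a whole number of minutes" >&2; return 2 ;;
    esac
    [ "$minutes" -ge 1 ] || { echo "refusing a timeout that never expires" >&2; return 2; }

    # Expect exactly one <session-timeout> element, as shown in step 3.
    n=$(grep -c '<session-timeout>[0-9-]*</session-timeout>' "$webxml") || true
    [ "$n" = 1 ] || { echo "expected one <session-timeout> in $webxml, found ${n:-0}" >&2; return 1; }

    # Step 1: back up first; keep an existing backup rather than overwrite it.
    [ -e "$webxml.bak" ] || cp -p "$webxml" "$webxml.bak" || return 1

    # Steps 4-5: rewrite only the number, then copy the contents back in place
    # so the file keeps its owner and mode.
    tmp=$(mktemp) || return 1
    sed "s|<session-timeout>[0-9-]*</session-timeout>|<session-timeout>$minutes</session-timeout>|" \
        "$webxml" > "$tmp" && cat "$tmp" > "$webxml"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Read back the configured value to confirm the change before restarting DVA.
get_dva_session_timeout() {
    sed -n 's|.*<session-timeout>\([0-9-]*\)</session-timeout>.*|\1|p' "$1"
}
```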

2.2.9 Enabling Oracle Database Vault Administrator Accessibility

You can configure Database Vault Administrator to make data accessible and usable to the disabled community. The following sections explain how to enable Database Vault Administrator for full accessibility.

2.2.9.1 Enabling Oracle Database Vault Administrator Accessibility Mode

Oracle Database Vault Administrator takes advantage of user interface development technologies that improve the responsiveness of some user operations. For example, when you navigate to a new record set in a table, Oracle Database Vault Administrator does not redisplay the entire HTML page. However, this performance-improving technology is generally not supported by screen readers. To disable this feature, and as a result, make the Database Vault Administrator HTML pages more accessible for disabled users, use the following procedure.

To enable the display of an entire HTML page:

  1. Locate the uix-config.xml configuration file.

    By default, the uix-config.xml file is in the following directory:

    $ORACLE_HOME/oc4j/j2ee/oc4j_applications/applications/em/em/WEB-INF 
    
  2. Open the uix-config.xml file using a text editor and locate the following entry:

    <!-- An alternate configuration that disables accessibility features  -->
    <default-configuration>
      <accessibility-mode>inaccessible</accessibility-mode>
    ...
    </default-configuration>
    
  3. Change the value of the accessibility-mode property from inaccessible to accessible.

  4. Save and close the uix-config.xml file.

  5. Restart Database Vault Administrator.

2.2.9.2 Providing Textual Descriptions of Database Vault Administrator Charts

The Monitor page of Database Vault Administrator displays security policy data in a chart. However, charts do not convey information in a manner that can be read by a screen reader. To remedy this problem, you can configure Database Vault Administrator to provide a complete textual representation of each chart. By default, support for the textual representation of charts is disabled. When textual description for charts is enabled, Database Vault Administrator displays a textual representation of the chart data.

To enable the textual representation of charts:

  1. Locate the web.xml configuration file.

    To locate the web.xml file in an Oracle Database 10g installation, change directory to the following location in the Oracle home:

    $ORACLE_HOME/dv/jlib/dva_webapp/dva_webapp/WEB-INF/
    
  2. Open the web.xml file with your favorite text editor and locate the following six lines of the file:

    <!-- Uncomment this to enable textual chart descriptions
    <context-param>
    <param-name>enableChartDescription</param-name>
    <param-value>true</param-value>
    </context-param>
    -->
    
  3. Remove comments from this section by deleting the first line and the last line of this section so that the section consists of only these four lines:

    <context-param>
    <param-name>enableChartDescription</param-name>
    <param-value>true</param-value>
    </context-param>
    
  4. Save and exit the web.xml file.

  5. Restart Database Vault Administrator.

2.3 Removing Oracle Software

Use Oracle Universal Installer (OUI) to remove Oracle software from an Oracle home. The following list summarizes the steps involved:

  1. Log in as the user that owns the Oracle software. This is usually the oracle user.

  2. Shut down all processes running in the Oracle home.

  3. Start Oracle Universal Installer as follows:

    $ $ORACLE_HOME/oui/bin/runInstaller
    
  4. In the Welcome screen, select Deinstall Products. The Inventory screen appears. This screen lists all the Oracle homes on the system.

  5. Select the Oracle home and the products that you want to remove. Click Remove.

See Also:

Refer to the Oracle Universal Installer Concepts Guide for Oracle Universal Installer (OUI) concepts.

Note:

You cannot remove or uninstall the Database Vault option. However, you can disable Oracle Database Vault. Refer to Oracle Database Vault Administrator's Guide for more details.

You can also remove the entire Oracle home, as discussed earlier in this section.