Oracle® Database Vault Installation Guide Oracle9i Release 2 (9.2.0.8) for hp Tru64 UNIX Part Number E14405-01 |
|
|
View PDF |
This chapter describes how to install Oracle Database Vault into an existing Oracle9i Database release 2 (9.2.0.8) database. These procedures transform an existing Oracle Database system (including associated applications) into an Oracle Database Vault system. Databases upgraded using the procedures described in this chapter can work almost in the same manner as in earlier releases and, optionally, can leverage new Database Vault functionality. For a list of changes that Database Vault makes, refer to Appendix E, "Default Values for Security-Specific Initialization Parameters" and Oracle Database Vault Administrator's Guide.
Note:
To upgrade a pre-Oracle9i Database release 2 (9.2.0.8) database to Oracle Database Vault, you first must upgrade the database to Oracle9i Database release 2 (9.2.0.8).This chapter covers the following topics:
This section covers the following topics:
For Oracle Real Application Clusters Environments, Set System Variables
Verify that the Global Services Daemon Is Running (RAC Only)
Run Oracle Universal Installer to Install Oracle Database Vault
Before you plan the upgrade process, become familiar with the features of Database Vault. Oracle Database Vault Administrator's Guide discusses the basic features of Database Vault.
The system must meet the following minimum hardware requirements:
At least 512 MB of available physical RAM
Swap space on the disk equal to the system's physical memory, or 1GB, whichever is greater.
400 MB of disk space in the /tmp
directory
270 MB of disk space for the Database Vault software
10 MB of additional disk space for the database files
To ensure that the system meets these requirements:
To determine the physical RAM size, enter the following command:
# /bin/vmstat -P | grep "Total Physical Memory"
If the size of the physical RAM installed in the system is less than the required size, then you must install more memory before continuing.
To determine the size of the configured swap space, enter the following command:
# /sbin/swapon -s
If necessary, refer to your operating system documentation for information about how to configure additional swap space.
To determine the amount of disk space available in the /tmp
directory, enter the following command:
# df -k /tmp
If there is less than 400 MB of disk space available in the /tmp
directory, then complete one of the following steps:
Delete unnecessary files from the /tmp
directory to meet the disk space requirement.
Set the TEMP
and TMPDIR
environment variables when setting the oracle
user's environment (described later).
Extend the file system that contains the /tmp
directory. If necessary, contact your system administrator for information about extending file systems.
To determine the amount of free disk space on the system, enter the following command:
# df -k
The system must meet the following minimum software requirements:
The version of hp Tru64 UNIX must be 5.1 or later.
The following packages must be installed:
OSF11 OSFLIBA OSFCMPLRS OSFSER OSFPGMR
The following patches must be installed:
Patch for hp Tru64 Release 5.1:
5.1 patchkit 4
Patches for hp Tru64 Release 5.1A:
5.1A patchkit 1
You can download these patches from the following Web site:
http://www.compaq.com/support
To ensure that the system meets these requirements, follow these steps:
To determine which version of hp Tru64 UNIX is installed, enter the following command:
# /usr/sbin/sizer -v 5.1
In this example, the version shown is 5.1. If necessary, see your operating system documentation for information about upgrading the operating system.
To determine whether the required packages are installed, enter a command similar to the following:
# /usr/sbin/dupatch -track -type kit
If a package is not installed, then install it. See your operating system or software documentation for information about installing packages.
To determine whether an operating system patch is installed, enter a command similar to the following:
# setld -i |grep os_package
If an operating system patch is not installed, download it from the following Web site and install it:
http://www.compaq.com/support
Verify that the following kernel parameters are set to values greater than or equal to the recommended value shown:
Kernel Parameter | Setting | Purpose |
---|---|---|
MAX_PER_PROC_STACK_SIZE |
33554432
(32 MB) |
Defines the processor stack size. The default size is sufficient for Oracle Database Vault software. If an application that shares the system with Oracle Database Vault requires a higher per process stack size, do not set this parameter higher than 512 MB. |
PER_PROC_STACK_SIZE |
33554432
(32 MB) |
Defines the processor stack size. The default size is sufficient for Oracle Database Vault software. If an application that shares the system with Oracle Database Vault requires a higher per process stack size, do not set this parameter higher than 512 MB. |
PER_PROC_DATA_SIZE |
201326592
(192 MB) |
Defines the minimum per process data segment size. |
SHM_MAX |
4278190080
(4GB less 16 MB) |
Defines the maximum allowable size of the shared memory. The SHM_MAX parameter does not affect how much shared memory is used or needed by Oracle Database Vault, the operating system, or the operating system kernel. |
SHM_MIN |
1 | Defines the minimum allowable size of a single shared memory segment. |
SHM_MNI |
256 | Defines the maximum number of shared memory segments in the entire system. |
SHMSEG |
128 | Defines the maximum number of shared memory segments one process can attach. |
To view the current value specified for these kernel parameters, and to change them if necessary, follow these steps:
To view the current values of these parameters, enter the following command:
# /sbin/sysconfig -q ipc
If you must change any of the current values, follow these steps:
Create a backup copy of the /etc/sysconfigtab
file, for example:
# cp /etc/sysconfigtab /etc/sysconfigtab.orig
Using a text editor, create a file similar to the following, specifying the subsystems and attributes to modify:
ipc: shm_max = 4278190080 shm_mni = 256 shm_seg = 128 proc: per_proc_stack_size = 33554432 per_proc_data_size = 201326592
Enter a command similar to the following to add the subsystem attributes to the /etc/sysconfigtab
file:
# /sbin/sysconfigdb -m -f filename
In this example, replace filename with the name of the file that you created in Step b.
Enter the following command to restart the system:
# /sbin/shutdown -r now
When the system restarts, log in as user root
.
To install Oracle Database Vault, you must run the Enterprise Edition of Oracle9i Database release 2 (9.2.0.8). In addition, the Database Vault installer requires write access to the oratab
and oraInst.loc
files.
Note:
The/var/opt/oracle/oratab
file should have an entry for the database. For example:
DBDV:/oracle/product/9.2_VAULT:Y
A listener must have been configured for the existing database. Oracle Net Configuration Assistant configures the listener when you first install the database.
You must have an existing password file for the database. The password file authentication parameter, REMOTE_LOGIN_PASSWORDFILE
must have been set to EXCLUSIVE
or SHARED
.
You can set the REMOTE_LOGIN_PASSWORDFILE
parameter in the init.ora
file. Use the orapwd
utility to create and manage password files.
See Also:
Oracle9i Database Administrator's Guide for more information on creating and maintaining a password fileThe following topic discusses applying the 9.2.0.8 patch set:
To install Oracle Database Vault, you must upgrade the database to Oracle9i Database release 2 (9.2.0.8). Back up your database before performing any upgrade or installation.
See Also:
Oracle9i Backup and Recovery Concepts for information on database backupsThis section covers the following topics:
Patch Set Overview
Patch sets are cumulative. Patch set release 9.2.0.8 includes all fixes in patch sets 9.2.0.8 and earlier, and new fixes for patch set 9.2.0.8. This means that unless the patch set documentation indicates otherwise, you can apply this patch set to any earlier release 9.2 installation. You do not have to install intermediate patch sets.
Patch sets contain generic fixes that apply to all platforms. Patch sets may also include additional platform-specific patches.
Oracle Universal Installer Version Requirements
This patch set includes Oracle Universal Installer release 10.1.0.5. You must use this Oracle Universal Installer to install this patch set and not Oracle Universal Installer from the 9.2.0.x maintenance release media or Oracle home.
This is not a complete software distribution. You must install it in an existing Oracle9i release 2 (9.2.0.x.x) installation. Users applying this patch set must use Oracle Universal Installer release 10.1.0.5 (provided as part of this patch set) or later to ensure that their Oracle home can be patched in the future. Oracle Universal Installer release 10.1.0.5 is also installed when you install this patch set.
There are two documents related to this release of the Oracle9i release 2 patch set:
Oracle9i Patch Set Notes, Release 2 (9.2.0.8) Patch Set 7 for hp Tru64 UNIX
This document provides:
System requirements and information about how to install or reinstall the patch set
A list of all bugs fixed to date that are specific to Oracle9i Release 2 for hp Tru64 UNIX
A list of known issues relating to Oracle9i Release 2 for hp Tru64 UNIX
Oracle9i List of Bugs Fixed, Release 2 (9.2.0.8) Patch Set 7
The List of Bugs Fixed is a list of all generic bugs related to Oracle9i release 2 that have been fixed in this release.
Both of these documents are included with the patch set. The Oracle9i List of Bugs Fixed is also available on OracleMetaLink, from document 189908.1, ALERT: Oracle9i Release 2 (9.2) Support Status and Alerts at:
For each node of an Oracle Application Clusters (RAC) environment on which you plan to install Oracle Database Vault, set the udp_sendspace
and udp_recvspace
system parameters as follows:
/sbin/sysconfig -r inet udp_sendspace=65536 /sbin/sysconfig -r inet 655360
You can check the current values of these variables by running the following command:
/sbin/sysconfig -q inet
Oracle strongly recommends that you back up your database before performing any upgrade or installation. The ultimate success of your upgrade depends heavily on the design and execution of an appropriate backup strategy. To develop a backup strategy, consider the following questions:
How long can the production database remain inoperable before business consequences become intolerable?
What backup strategy should be used to meet your availability requirements?
Are backups archived in a safe, off-site location?
How quickly can backups be restored (including backups in off-site storage)?
Have recovery procedures been tested successfully?
Your backup strategy should answer all of these questions and include procedures for successfully backing up and recovering your database.
See Also:
Oracle9i User-Managed Backup and Recovery Guide for information on database backupsThe Global Services Daemon (GSD) should be running for the Database Vault installer to find existing Oracle Real Application Clusters (RAC) databases. If you have stopped GSD, then you should restart it before running Oracle Universal Installer. Use the following command to start the GSD service:
$ORACLE_HOME/bin/gsdctl start
You must run this command on each Oracle RAC node.
Stop all processes running in the Oracle home. You must complete this task to enable Oracle Universal Installer to relink certain executables and libraries. For Oracle RAC databases, you must stop the processes on all nodes.
Stop the processes in the following order:
Stop the apachectl
process using the following command:
$ORACLE_HOME/Apache/Apache/bin/apachectl stop
Stop the agentctl
process using the following command:
$ORACLE_HOME/bin/agentctl stop
Shut down all database instances running from the Oracle home directory into which Oracle Database Vault is to be installed.
sqlplus SYS "AS SYSDBA"
Enter password: password
SQL> shutdown immediate
Use the Server Control (srvctl
) utility, and not SQL*Plus, to stop an Oracle Real Application Clusters (RAC) Database instance.
srvctl stop database -d database_name
Oracle Universal Installer configures and starts a default Oracle Net listener using TCP/IP port 1521. However, if an existing Oracle Net listener process is using the same port or key value, then Oracle Universal Installer can only configure the new listener, it cannot start it. To ensure that the new listener process starts during the installation, you must shut down any existing listeners before starting Oracle Universal Installer.
To determine whether an existing listener process is running and to shut it down if necessary:
Switch user to oracle
:
# su - oracle
Enter the following command to determine whether a listener process is running and to identify its name and the Oracle home directory in which it is installed:
$ ps -ef | grep tnslsnr
This command displays information about the Oracle Net listeners running on the system:
... oracle_home1/bin/tnslsnr LISTENER -inherit
In this example, oracle_home1
is the Oracle home directory where the listener is installed and LISTENER
is the listener name.
Note:
If no Oracle Net listeners are running, then refer to "Configure the Oracle User's Environment" to continue.Set the ORACLE_HOME
environment variable to specify the appropriate Oracle home directory for the listener:
Bourne, Bash, or Korn shell:
$ ORACLE_HOME=oracle_home1
$ export ORACLE_HOME
C or tcsh shell:
% setenv ORACLE_HOME oracle_home1
Enter the following command to identify the TCP/IP port number and IPC key value that the listener is using:
$ $ORACLE_HOME/bin/lsnrctl status listenername
Note:
If the listener uses the default name LISTENER, then you do not have to specify the listener name in this command.Enter a command similar to the following to stop the listener process:
$ $ORACLE_HOME/bin/lsnrctl stop listenername
Repeat this procedure to stop all listeners running on this system.
Note:
If you are installing Database Vault for Oracle Real Application Clusters (RAC), then you must shut down all Oracle processes on all cluster nodes. See Appendix A, "Stopping Processes in an Oracle Real Application Clusters Database" for more details.Run Oracle Universal Installer (OUI) using the account that owns the Oracle software. This is usually the oracle
account.
However, before you start Oracle Universal Installer you must configure the environment of the oracle
user. To configure the environment, you must:
Note:
Ensure that thePATH
variable contains $ORACLE_HOME/bin
before /usr/X11R6/bin
.To set the oracle
user's environment:
Start a new terminal session, for example, an X terminal (xterm
).
Enter the following command to ensure that X Window applications can display on this system:
$ xhost fully_qualified_remote_host_name
For example:
$ xhost somehost.us.example.com
If you are not logged in to the system where you want to install the software, then log in to that system as the oracle
user.
If you are not logged in as the oracle
user, then switch user to oracle
:
$ su - oracle
To determine the default shell for the oracle
user, enter the following command:
$ echo $SHELL
Open the oracle
user's shell startup file in any text editor:
Bourne shell (sh
), Bash shell (bash
), or Korn shell (ksh
):
$ vi .profile
C shell (csh
or tcsh
):
% vi .login
Enter or edit the following line, specifying a value of 022 for the default file mode creation mask:
umask 022
Save the file, and exit from the editor.
To run the shell startup script, enter one of the following commands:
Bourne, Bash, or Korn shell:
$ . ./.profile
C shell:
% source ./.login
If you are not installing the software on the local system, then enter a command similar to the following to direct X applications to display on the local system:
Bourne, Bash, or Korn shell:
$ DISPLAY=local_host:0.0 ; export DISPLAY
C shell:
% setenv DISPLAY local_host:0.0
In this example, local_host
is the host name or IP address of the system to use to display Oracle Universal Installer (your workstation or PC).
If you determined that the /tmp
directory has less than 400 MB of free disk space, then identify a file system with at least 400 MB of free space and set the TEMP
and TMPDIR
environment variables to specify a temporary directory on this file system:
Use the df -k
command to identify a suitable file system with sufficient free space.
If necessary, enter commands similar to the following to create a temporary directory on the file system that you identified, and set the appropriate permissions on the directory:
$ su - root # mkdir /mount_point/tmp # chmod a+wr /mount_point/tmp # exit
Enter commands similar to the following to set the TEMP
and TMPDIR
environment variables:
Bourne, Bash, or Korn shell:
$ TEMP=/mount_point/tmp $ TMPDIR=/mount_point/tmp $ export TEMP TMPDIR
C shell:
% setenv TEMP /mount_point/tmp % setenv TMPDIR /mount_point/tmp
Enter commands similar to the following to set the ORACLE_BASE
and ORACLE_SID
environment variables:
Bourne, Bash, or Korn shell:
$ ORACLE_BASE=/u01/app/oracle $ ORACLE_SID=sales $ export ORACLE_BASE ORACLE_SID
C shell:
% setenv ORACLE_BASE /u01/app/oracle % setenv ORACLE_SID sales
In these examples, /u01/app/oracle
is the Oracle base directory that you created or identified earlier and sales
is the name to call the database (typically no more than five characters).
Enter the following commands to ensure that the ORACLE_HOME
and TNS_ADMIN
environment variables are not set:
Bourne, Bash, or Korn shell:
$ unset ORACLE_HOME $ unset TNS_ADMIN
C shell:
% unsetenv ORACLE_HOME % unsetenv TNS_ADMIN
To verify that the environment has been set correctly, enter the following commands:
$ umask $ env | more
Verify that the umask
command displays a value of 22
, 022
, or 0022
and the environment variables that you set in this section have the correct values.
Run Oracle Universal Installer (OUI) to install Oracle Database Vault into an existing Oracle9i Database release 2 (9.2.0.8) database. You should run the installer as the software owner account that owns the current ORACLE_HOME
environment. This is normally the oracle
account.
Log in as the oracle
user. Alternatively, switch user to oracle
using the su
command. Change your current directory to the directory containing the installation files. Start Oracle Universal Installer.
./runInstaller
The following steps discuss the options you must select:
In the Specify Installation Details screen, you must specify the path to the Oracle home that contains the existing Oracle Database. The Destination Path box lists the Oracle home paths of all Oracle9i Database release 2 (9.2.0.8) Enterprise Edition databases registered with the system.
Select the Oracle home corresponding to the database into which you want to install Oracle Database Vault.
Note:
If an Oracle home does not have an Enterprise Edition of Oracle9i Database release 2 (9.2.0.8) installed, then it is not displayed. You must ensure that the Oracle home has an Enterprise Edition of Oracle9i Database release 2 (9.2.0.8) installed.
If an Oracle home currently contains Oracle Database Vault, then it is not displayed. You cannot install Oracle Database Vault into an Oracle home more than once.
For an Oracle Real Application Clusters (RAC) installation, if the Global Services Daemon is not running, then OUI cannot detect the Oracle home. See "Verify that the Global Services Daemon Is Running (RAC Only)" for instructions on starting the Global Services Daemon.
Enter a user name for the Database Vault Owner account in the Database Vault Owner field. The user name can be a minimum of 2 and maximum of 30 characters long.
Enter a password for the Database Vault Owner account in the Database Vault Owner Password field. The password can be a minimum of 8 and a maximum of 30 characters. The password must include at least one alphabet, one digit, and one non alphanumeric character (symbol). It cannot be the same as the account names for either the Database Vault owner or the Database Vault account manager. It cannot contain any consecutive repeating characters.
Reenter the password in the Confirm Password field.
Select Create a Separate Account Manager if you want to create a separate Account Manager to manage Oracle Database Vault accounts.
For greater security and to adhere to separation of duty requirements, Oracle recommends that you create a separate account manager user account.
In the Database Vault Account Manager field, enter a user name for the Database Vault Account Manager if you have chosen to select the Create a Separate Account Manager check box. The user name can be a minimum of 2 and a maximum of 30 characters.
Enter a password for the Database Vault Account Manager account in the Account Manager Password field.
The password can be a minimum of 8 and a maximum of 30 characters. The password must include at least one alphabet, one digit, and one non alphanumeric character (symbol). It cannot be the same as the account names for either the Database Vault owner or the Database Vault account manager. It cannot contain any consecutive repeating characters.
Reenter the password in the Confirm Password field. Click Next.
The Select Existing Database screen is displayed. A list of all databases running from the selected Oracle home is displayed. Select the database into which you want to install Oracle Database Vault.
Note:
If a database is not listed, then check to make sure that you have followed the instructions under "Check the Database Requirements".
Install Oracle Database Vault into an Oracle home containing multiple databases only if you want to enable Oracle Database Vault for all these databases. If this is not the case, then Oracle recommends that you install Oracle Database Vault into an Oracle home containing a single database.
Enter the existing SYS
user password for the selected database in the Existing Database SYS Password field.
Reenter the SYS
password in the Confirm Password field. Click Next.
Note:
At this point, the database requirements are validated.When prompted, shut down all Oracle processes if you have not already done so.
For Oracle Real Application Clusters (RAC) environments, a node selection screen appears, indicating the nodes in which Oracle Database Vault will be installed.
See Also:
"Stop Existing Oracle Processes" for more information on stopping existing Oracle processesWhen the Summary screen appears, verify the details of the installation.
For Oracle RAC, stop the Global Services Daemon on all nodes in which you are installing Oracle Database Vault. To stop the Global Services Daemon, enter the following command in a shell in each of these nodes:
$ORACLE_HOME/bin/gsdctl stop
In the Summary screen, click Install.
The installation screen displays. After the installation completes, Database Vault Configuration Assistant (DVCA) starts.
Answer the Database Vault Configuration Assistant (DVCA) prompts to complete the Oracle Database Vault installation and configuration.
After you complete the installation, the log file has the following message:
You selected -local option, hence OPatch will patch the local system only.
You can disregard this message. For an Oracle RAC environment, Oracle Database Vault is still installed in all nodes.
This section lists the tasks to perform after you have completed an upgrade of your database. The following topics are discussed:
Updating Environment Variables After the Upgrade (UNIX Systems Only)
Starting the Listener and Database on Other Nodes (RAC Only)
Setting the Time-Out Value for Oracle Database Vault Administrator
Make sure you perform a full backup of the production database. See Oracle9i Backup and Recovery Concepts for details on backing up a database.
Make sure that the following environment variables point to the correct Oracle Database Vault directories:
ORACLE_HOME
: Specifies the Oracle home directory. For example, /u01/app/oracle/product/9.2.0/db_1
PATH
: Specifies the directories searched by the shell to locate executable programs. For example, /bin:/usr/bin:/usr/local/bin:/usr/bin/X11:$ORACLE_HOME/bin:$HOME/bin
You may also need to set the following environment variables:
ORA_NLS33
: Specifies the directory where the language, territory, character set, and linguistic definition files are stored. For example, $ORACLE_HOME/ocommon/nls/admin/data
LD_LIBRARY_PATH
: Specifies the list of directories that the shared library loader searches to locate shared object libraries at run time. For example, /usr/dt/lib:$ORACLE_HOME/lib
Use the man ld
command for more information about this environment variable.
Oracle strongly recommends that you change the password for each account after installation. This enables you to effectively implement the strong security provided by Oracle Database Vault.
Note:
If you are creating a database using Database Configuration Assistant, you can unlock accounts after the database is created by clicking Password Management before you exit from Database Configuration Assistant.To unlock and reset user account passwords using SQL*Plus:
Start SQL*Plus and log in using the Database Vault Account Manager account. If you did not create the Database Vault Account Manager account during installation, then you must log in using the Database Vault Owner account.
Enter a command similar to the following, where account
is the user account to unlock and password
is the new password:
SQL> ALTER USER account [ IDENTIFIED BY password ] ACCOUNT UNLOCK;
In this example:
The ACCOUNT UNLOCK
clause unlocks the account.
The IDENTIFED BY
password
clause resets the password.
Oracle Database Vault enables you to disable remote logins with SYSDBA privileges. This enables enhanced security for your database.
To disable remote SYSDBA
connections, re-create the password file with the nosysdba
flag set to y
(Yes). A user can still log in AS SYSDBA
locally using Operating System (OS) authentication. However, remote connections AS SYSDBA
will fail.
Use the following syntax to re-create the password file:
orapwd file=filename password=password [entries=users] nosysdba=y/n
In this specification:
file
: Name of password file (mandatory)
password
: Password for SYS
(mandatory).
entries
: Maximum number of distinct DBA users
nosysdba
: Whether to enable or disable the SYS
logon (optional for Oracle Database Vault only). Enter y
(for yes) or n
(for no)
The default is no, so if you omit this flag, the password file will be created enabling SYSDBA
access for Oracle Database Vault instances.
When you run the orapwd
utility, ensure that the file name is of the orapwSID
format. For example:
orapwd file=$ORACLE_HOME/dbs/orapworcl
password=password
nosysdba=n
Note:
Do not insert spaces around the equal (=) character.Enabling or Disabling Connecting with SYSDBA on Oracle Real Application Clusters Systems
Under a cluster file system and raw devices, the password file under $ORACLE_HOME
is in a symbolic link that points to the shared storage location in the default configuration. In this case, the orapwd
command you issue affects all nodes.
You must start the listener and database on all Oracle Real Application Clusters (RAC) nodes other than the one on which the installation is performed. Use the following commands to start the listener and the database:
Note:
You must enableSYSDBA
connections on all nodes before running these commands. See "Disabling Remote SYSDBA Connections (Optional)" for more information on enabling SYSDBA
connections.$ORACLE_HOME/bin/lsnrctl start listener_name srvctl start instance -d unique_database_name -i instance_name -c "SYS/password AS SYSDBA"
After installing Database Vault for an Oracle Real Application Clusters (RAC) instance, you must run Database Vault Configuration Assistant (DVCA) with the -action optionrac
switch. You must run this command for all Oracle RAC nodes other than the node on which the Database Vault installation is performed. This step is required to enable the enhanced security features provided by Oracle Database Vault.
The command itself must be run on the node on which the Database Vault installation is performed. You must supply the name of the remote Oracle RAC node for which the action is being performed using the -racnode
switch.
Note:
The listener and database instance should be running on the nodes for which you run DVCA.You should also ensure that the Global Services Daemon (GSD) is running on the remote nodes. You can use the following command to start the GSD service on a node:
$ORACLE_HOME/bin/gsdctl start
Use the following syntax to run DVCA:
# dvca -action optionrac -racnode host_name -oh oracle_home -jdbc_str jdbc_connection_string -sys_passwd sys_password [-logfile ./dvca.log] [-silent] [-nodecrypt]
Where:
action
: The action to perform. optionrac
performs the action of updating the instance parameters for the Oracle RAC instance and optionally disabling SYSDBA
operating system access for the instance.
racnode
: The host name of the Oracle RAC node for which the action is being performed. Do not include the domain name with the host name.
oh
: The Oracle home for the Oracle RAC instance.
jdbc_str
: The JDBC connection string used to connect to the instance you are configuring. For example, "jdbc:oracle:oci:@orcl1"
.
sys_password
: The password for the SYS
user.
logfile
: Optionally, specify a log file name and location. You can enter an absolute path or a path that is relative to the location of the $ORACLE_HOME/bin
directory.
silent
: Required if you are not running DVCA in an xterm window.
nodecrypt
: Reads plaintext passwords as passed on the command line.
Note:
You can reenableSYSDBA
access by re-creating the password file with the nosysdba
flag set to n
(No). The orapwd
utility enables you to do this.Oracle Database Vault Administrator (DVA) is a browser-based graphical user interface console that you can use to manage Oracle Database Vault. You can deploy DVA in an existing Oracle Database 10g Release 2 (10.2) installation (release 10.2.0.3 or later) to manage an Oracle Database Vault Oracle9i Release2 (9.2.0.8.1) instance.
You should have the following directory structure on the host containing the Oracle Database 10g Release 2 (10.2) installation:
$ORACLE_HOME |------> jlib | |------> lib | |------> sysman | |---> jlib | |------> rdbms | |---> jlib | |------> owm | |---> jlib | |------> oui | |---> jlib
Note:
Ensure that the environment variable$ORACLE_HOME
is set to the directory containing the installed Oracle product.
For example, if the 10.2 installation directory is /u00/app/oracle/product/10.2/db_1
, then:
ORACLE_HOME = /u00/app/oracle/product/10.2/db_1
Create the following directory structure under the ORACLE_HOME
directory:
$ORACLE_HOME | |------> dv | |---> jlib
For example:
mkdir -p $ORACLE_HOME/dv/jlib/
The following files should be present in the Oracle Database 10g Release 2 (10.2) installation:
$ORACLE_HOME/sysman/jlib/emCORE.jar $ORACLE_HOME/sysman/jlib/emDB.jar $ORACLE_HOME/sysman/jlib/emjsp.jar $ORACLE_HOME/sysman/jlib/ems.jar $ORACLE_HOME/sysman/jlib/log4j-core.jar $ORACLE_HOME/sysman/jlib/jcb.jar $ORACLE_HOME/rdbms/jlib/jmscommon.jar $ORACLE_HOME/rdbms/jlib/qsma.jar $ORACLE_HOME/oui/jlib/OraInstaller.jar $ORACLE_HOME/jlib/regexp.jar $ORACLE_HOME/jlib/providerutil.jar $ORACLE_HOME/jlib/ojmisc.jar $ORACLE_HOME/jlib/netcfg.jar $ORACLE_HOME/jlib/orai18n-mapping.jar $ORACLE_HOME/jlib/ldapjclnt10.jar $ORACLE_HOME/lib/xschema.jar $ORACLE_HOME/lib/xsu12.jar $ORACLE_HOME/lib/oraclexsql.jar
You can manually deploy Database Vault Administrator (DVA) to the following Oracle Application Server Containers for J2EE (OC4J) home:
$ORACLE_HOME/oc4j/j2ee/home
Use the following steps to manually deploy the DVA application:
Note:
If you are redeploying the DVA application, then you must remove the application before you can run the steps to deploy the application. Use the following commands to remove the DVA application:cd $ORACLE_HOME/dv/jlib rm -rf dv_webapp
Copy the following files from the Oracle home to the $ORACLE_HOME/dv/jlib/
directory in your Oracle Database 10g Release 2 (10.2) installation:
dva_webapp_jsp.jar
dva_webapp.ear
Edit the file, $ORACLE_HOME/oc4j/j2ee/home/config/server.xml
. Enter the following line just before the last line that reads, </application-server>
:
<application name="dva" path="$ORACLE_HOME/dv/jlib/dva_webapp.ear" auto-start="true" />
For example:
<application name="dva" path="/u00/app/oracle/oracle/product/dv12/dv/jlib/dva_webapp.ear" auto-start="true" />
Edit the file, $ORACLE_HOME/oc4j/j2ee/home/config/http-web-site.xml
. Enter the following line just above the last line that reads, </web-site>
:
<web-app application="dva" name="dva_webapp" root="/dva" />
Edit the file, $ORACLE_HOME/oc4j/j2ee/home/config/global-web-application.xml
. Search for <servlet-class>oracle.jsp.runtimev2.JspServlet</servlet-class>
. Uncomment the following lines after this:
<init-param> <param-name>main_mode</param-name> <param-value>justrun</param-value> </init-param>
Create the directory, $ORACLE_HOME/dv/jlib/sysman/config
.
mkdir -p $ORACLE_HOME/dv/jlib/sysman/config
Create the database connection configuration file, emoms.properties
, in the configuration directory that you just created. Add the following lines to the file:
oracle.sysman.emSDK.svlt.ConsoleMode=standalone oracle.sysman.eml.mntr.emdRepRAC=FALSE oracle.sysman.eml.mntr.emdRepDBName=ORACLE_SID oracle.sysman.eml.mntr.emdRepConnectDescriptor=TNS_connection_string
Note:
oracle.sysman.eml.mntr.emdRepRAC
should be set to TRUE
for a Real Application Clusters (RAC) database.
ORACLE_SID
should be the SID of the Oracle Database Vault Oracle9i Release 2 (9.2.0.8) instance.
For oracle.sysman.eml.mntr.emdRepConnectDescriptor
, you can use an alias from $ORACLE_HOME/network/admin/tnsnames.ora
. Alternatively, you can use the following syntax:
oracle.sysman.eml.mntr.emdRepConnectDescriptor=(DESCRIPTION\=(ADDRESS_LIST\=(ADDRESS\=(PROTOCOL\=TCP)(HOST\=HOSTNAME)(PORT\=PORT)))(CONNECT_DATA\=(SERVICE_NAME\=ORACLE_SID)))
Start OC4J. Before starting OC4J, ensure that the correct environment variables are set. For example:
ORACLE_HOME=/u00/app/oracle/product/10.2/db_1 export ORACLE_HOME LD_LIBRARY_PATH=$ORACLE_HOME/bin:$ORACLE_HOME/lib:$ORACLE_HOME/jdbc/lib export LD_LIBRARY_PATH PATH=$ORACLE_HOME/bin:$ORACLE_HOME/jdk/bin:$PATH export PATH
Note:
LD_LIBRARY_PATH
must be set to use the OCI-based JDBC libraries.Start OC4J using the following syntax:
$ORACLE_HOME/jdk/bin/java -Djava.awt.headless=true -DEMDROOT=$ORACLE_HOME/dv/jlib -jar $ORACLE_HOME/oc4j/j2ee/home/oc4j.jar -userThreads -config $ORACLE_HOME/oc4j/j2ee/home/config/server.xml
Tip:
You can create a shell script file, put the command to start OC4J in it, and grant appropriateexecute
permissions for the file. This allows you to easily reuse the command when required.
You can also create a shell script file to stop OC4J, if required. You must stop and start OC4J if you make DVA configuration changes. For example:
# script to stop and start OC4J $ORACLE_HOME/jdk/bin/java -jar $ORACLE_HOME/oc4j/j2ee/home/admin.jar ormi://localhost admin welcome -stop $ORACLE_HOME/jdk/bin/java -Djava.awt.headless=true -DEMDROOT=$ORACLE_HOME/dv/jlib -jar $ORACLE_HOME/oc4j/j2ee/home/oc4j.jar -userThreads -config $ORACLE_HOME/oc4j/j2ee/home/config/server.xml
To access the DVA application, use the following URL. The HTTP port defaults to 8888 for this environment. For example:
http://hostname:8888/dva
By default, an Oracle Database Vault session lasts 35 minutes. Afterwards, the session expires. If you want the session to last for a different time, follow the steps in this section.
To set the session time for Oracle Database Vault Administrator:
Back up the web.xml file
, which by default is in the $ORACLE_HOME/dv/jlib/dva_webapp/dva_webapp/WEB-INF
directory.
In a text editor, open the web.xml
file.
Search for the following setting:
<session-config> <session-timeout>35</session-timeout> </session-config>
Change the <session-timeout>
setting to the amount of time in minutes that you prefer.
Save and close the web.xml
file.
Stop and restart the Database Vault Administrator.
You can configure Database Vault Administrator to make data accessible and usable to the disabled community. The following sections explain how to enable Database Vault Administrator for full accessibility.
Enabling Oracle Database Vault Administrator Accessibility Mode
Providing Textual Descriptions of Database Vault Administrator Charts
Oracle Database Vault Administrator takes advantage of user interface development technologies that improve the responsiveness of some user operations. For example, when you navigate to a new record set in a table, Oracle Database Vault Administrator does not redisplay the entire HTML page. However, this performance-improving technology is generally not supported by screen readers. To disable this feature, and as a result, make the Database Vault Administrator HTML pages more accessible for disabled users, use the following procedure.
To enable the display of an entire HTML page:
Locate the uix-config.xml
configuration file.
By default, the uix-config.xml
file is in the following directory:
$ORACLE_HOME/oc4j/j2ee/oc4j_applications/applications/em/em/WEB-INF
Open the uix-config.xml
file using a text editor and locate the following entry:
<!-- An alternate configuration that disables accessibility features --> <default-configuration> <accessibility-mode>inaccessible</accessibility-mode> ... </default-configuration>
Change the value of the accessibility-mode property from inaccessible
to accessible
.
Save and close the uix-config.xml
file.
Restart Database Vault Administrator.
The Monitor page of Database Vault Administrator displays security policy data in a chart. However, charts do not convey information in a manner that can be read by a screen reader. To remedy this problem, you can configure Database Vault Administrator to provide a complete textual representation of each chart. By default, support for the textual representation of charts is disabled. When textual description for charts is enabled, Database Vault Administrator displays a textual representation of the chart data.
To enable the textual representation of charts:
Locate the web.xml
configuration file.
To locate the web.xml
file in a Oracle Database 10g installation, change directory to the following location in the Oracle home:
$ORACLE_HOME/dv/jlib/dva_webapp/dva_webapp/WEB-INF/
Open the web.xml
file with your favorite text editor and locate the following six lines of the file:
<!-- Uncomment this to enable textual chart descriptions <context-param> <param-name>enableChartDescription</param-name> <param-value>true</param-value> </context-param> -->
Remove comments from this section by deleting the first line and the last line of this section so that the section consists of only these four lines:
<context-param> <param-name>enableChartDescription</param-name> <param-value>true</param-value> </context-param>
Save and exit the web.xml
file.
Restart Database Vault Administrator.
Use Oracle Universal Installer (OUI) to remove Oracle software from an Oracle home. The following list summarizes the steps involved:
Log in as the user that owns the Oracle software. This is usually the oracle
user.
Shut down all processes running in the Oracle home.
Start Oracle Universal Installer as follows:
$ $ORACLE_HOME/oui/bin/runInstaller
In the Welcome screen, select Deinstall Products. The Inventory screen appears. This screen lists all the Oracle homes on the system.
Select the Oracle home and the products that you want to remove. Click Remove.
See Also:
Refer to the Oracle Universal Installer Concepts Guide for Oracle Universal Installer (OUI) conceptsNote:
You cannot remove or uninstall the Database Vault option. However, you can disable Oracle Database Vault. Refer to Oracle Database Vault Administrator's Guide for more details.You can also remove the entire Oracle home, as discussed earlier in this section.