Oracle® Database Vault Administrator's Guide Oracle9i Release 2 (9.2.0.8) Part Number B32509-05
You may need to disable Oracle Database Vault to perform upgrade tasks or correct erroneous configurations. You can reenable Oracle Database Vault after you complete the corrective tasks.
Note:
Be aware that if you disable Oracle Database Vault, the privileges that were revoked from existing users and roles during installation remain in effect. See "Privileges That Are Revoked or Prevented from Existing Users and Roles" for a listing of the revoked privileges.
The following situations require you to disable Oracle Database Vault:
- The password for the Oracle Database Vault account manager (with role DV_ACCTMGR) has been forgotten.
- The Database Vault Owner (with role DV_OWNER) or Database Vault Administrator (with role DV_ADMIN) accounts have been inadvertently locked out.
- A rule set associated with the CONNECT role has been configured incorrectly, so that database logins fail for all accounts, including the DV_OWNER and DV_ADMIN accounts that could correct the problem.
- You must perform maintenance tasks on Oracle Database Vault.
- You must install any of the Oracle Database optional products, such as Oracle Spatial Data Option, Oracle OLAP, or Oracle interMedia, by using Database Configuration Assistant (DBCA).
- You are about to install a third-party product, install an Oracle product, or apply an Oracle patch whose installation may be prevented if Oracle Database Vault is running.
- You must archive the Oracle Database Vault audit trail.
You can check whether Oracle Database Vault is enabled or disabled by querying the V$OPTION view. Any user can query this view. If Oracle Database Vault is enabled, the VALUE column of its row is TRUE; otherwise it is FALSE.
Remember that the PARAMETER column value is case sensitive, so the option name must be written exactly as 'Oracle Database Vault'. For example:
SELECT * FROM V$OPTION WHERE PARAMETER = 'Oracle Database Vault';
If Oracle Database Vault is enabled, the following output appears:
PARAMETER                     VALUE
----------------------------- -----------------------
Oracle Database Vault         TRUE
Follow these steps to disable Oracle Database Vault on UNIX systems:
1. Turn off the software processes. Make sure that the environment variables ORACLE_HOME, ORACLE_SID, and PATH are correctly set.
For single-instance installations, shut down the database instance:
$ sqlplus "sys / as sysoper"
Enter password: password
SQL> SHUTDOWN IMMEDIATE
SQL> EXIT
For Oracle Real Application Clusters (RAC) installations, shut down each database instance as follows:
$ srvctl stop database -d db_name -c "sys/sys_passwd as sysoper"
If you cannot connect to the database, then proceed to the next step.
2. Relink the oracle executable to turn off the Oracle Database Vault option:
$ cd $ORACLE_HOME/rdbms/lib
$ make -f ins_rdbms.mk dv_off
$ cd $ORACLE_HOME/bin
$ relink oracle
For RAC installations, run these commands on all nodes.
3. In SQL*Plus, start the database.
For single-instance database installations:
$ sqlplus "sys / as sysoper"
Enter password: password
SQL> STARTUP
SQL> EXIT
For RAC installations:
$ srvctl start database -d db_name -c "sys/sys_passwd as sysoper"
4. Connect as SYS using the SYSDBA privilege, and then run the following ALTER TRIGGER statements to disable the Oracle Database Vault DDL triggers:
SQL> CONNECT SYS / AS SYSDBA
Enter password: password
SQL> ALTER TRIGGER DVSYS.DV_BEFORE_DDL_TRG DISABLE;
SQL> ALTER TRIGGER DVSYS.DV_AFTER_DDL_TRG DISABLE;
Note:
After you disable Oracle Database Vault, you can still run the Oracle Database Vault API functions. Note also that after you disable Oracle Database Vault, the ANY privileges are available, so complete the corrective tasks and reenable it as soon as you can.
With Oracle Database Vault disabled, you can restart your database and perform the following types of activities, as required:
- Use the Oracle Database Vault PL/SQL packages and functions. For example, to correct a login or CONNECT rule set error, use the DBMS_MACADM package or the Oracle Database Vault Administrator interface.
Note:
If you are using Oracle Database Vault Administrator, then you must start the dbconsole process. You can check the status of the dbconsole process by entering the following command from the $ORACLE_HOME/bin directory of the Oracle home in which you deployed Database Vault Administrator:
./emctl status dbconsole
To start dbconsole:
./emctl start dbconsole
- Use the SYSTEM or SYS accounts to perform tasks such as creating or changing passwords. For example:
$ sqlplus "sys / as sysdba"
Enter password: password
SQL> PASSWORD dbvanalyst
New password: new_password
Retype new password: new_password
Similarly, to unlock a locked account, log in to the database instance as SYSTEM or SYS, and then unlock the account. For example:
SQL> ALTER USER SCOTT ACCOUNT UNLOCK;
- Perform the installation, upgrade, or other tasks that require security protections to be disabled. If you must run Oracle Database Vault Configuration Assistant (DVCA), ensure that the Oracle Database listener is running. To start the listener, run the following command from the $ORACLE_HOME/bin directory:
$ ./lsnrctl start
Use the following steps to enable Oracle Database Vault on UNIX systems:
1. Log in to SQL*Plus as SYS using the SYSDBA privilege, and then run the following ALTER TRIGGER statements to enable the Oracle Database Vault DDL triggers:
$ sqlplus "sys / as sysdba"
Enter password: password
Connected.
SQL> ALTER TRIGGER DVSYS.DV_BEFORE_DDL_TRG ENABLE;
SQL> ALTER TRIGGER DVSYS.DV_AFTER_DDL_TRG ENABLE;
2. Turn off the software processes. Make sure that the environment variables ORACLE_HOME, ORACLE_SID, and PATH are correctly set. Then shut down the database instance.
For single-instance installations:
$ sqlplus "sys / as sysoper"
Enter password: password
Connected.
SQL> SHUTDOWN IMMEDIATE
SQL> EXIT
For RAC installations:
$ srvctl stop database -d db_name -c "sys/sys_passwd as sysoper"
3. Relink the oracle executable to turn on the Oracle Database Vault option:
$ cd $ORACLE_HOME/rdbms/lib
$ make -f ins_rdbms.mk dv_on
$ cd $ORACLE_HOME/bin
$ relink oracle
For RAC installations, run these commands on all nodes.
4. In SQL*Plus, start the database.
For single-instance database installations:
$ sqlplus "sys / as sysoper"
Enter password: password
Connected.
SQL> STARTUP
SQL> EXIT
For RAC installations:
$ srvctl start database -d db_name -c "sys/sys_passwd as sysoper"
After the instance is up, rerun the V$OPTION query shown earlier to confirm that the VALUE column for 'Oracle Database Vault' reports TRUE.
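The V$OPTION status check and the disable and enable procedures above, wrapped in one POSIX shell script as an added example; this is not code from the Oracle Database Vault guide. The makefile targets dv_off and dv_on, the relink command, the DVSYS trigger names and the V$OPTION query are the ones the guide uses. Everything else is this example's own assumption: the dv_* function names, the DV_TOGGLE_RUN guard, a single-instance database, operating-system authentication for SYS ("/ as sysdba" and "/ as sysoper" instead of the password prompts shown above), and sqlplus, make and relink being on PATH.

```shell
#!/bin/sh
# Added example, not part of the Oracle Database Vault guide.
# Wraps the V$OPTION status check and the disable/enable relink procedure
# with the checks an operator wants before touching an instance.
# Assumptions (ours, not the guide's): single instance, OS authentication
# for SYS, and sqlplus/make/relink on PATH. All dv_* names are ours.

# Environment check the guide requires before shutdown and relink.
dv_check_env() {
    [ -n "${ORACLE_HOME:-}" ] || { echo "ORACLE_HOME is not set" >&2; return 1; }
    [ -n "${ORACLE_SID:-}" ]  || { echo "ORACLE_SID is not set" >&2; return 1; }
    [ -n "${PATH:-}" ]        || { echo "PATH is not set" >&2; return 1; }
    [ -d "$ORACLE_HOME/rdbms/lib" ] || { echo "$ORACLE_HOME/rdbms/lib not found" >&2; return 1; }
}

# Map the requested state to the ins_rdbms.mk target from the guide.
dv_make_target() {
    case "$1" in
        off) echo dv_off ;;
        on)  echo dv_on ;;
        *)   echo "usage: dv_toggle on|off" >&2; return 2 ;;
    esac
}

# Parse SQL*Plus output of the V$OPTION query read from stdin (with or
# without headings). Prints TRUE or FALSE; returns 0 when enabled, 1 when
# disabled, 2 when no TRUE/FALSE row is present (query failed or unreadable).
dv_parse_status() {
    val=$(awk '{ v = toupper($NF) } v == "TRUE" || v == "FALSE" { print v; exit }')
    case "$val" in
        TRUE)  echo TRUE;    return 0 ;;
        FALSE) echo FALSE;   return 1 ;;
        *)     echo UNKNOWN; return 2 ;;
    esac
}

# Ask the running instance. Exit status as for dv_parse_status.
dv_query_status() {
    sqlplus -S "/ as sysdba" <<'EOF' | dv_parse_status
SET HEADING OFF FEEDBACK OFF PAGESIZE 0
SELECT VALUE FROM V$OPTION WHERE PARAMETER = 'Oracle Database Vault';
EXIT
EOF
}

# Relink the oracle executable with dv_off or dv_on (the guide's relink step).
# For RAC this has to be run on every node.
dv_relink() {
    target=$(dv_make_target "$1") || return 2
    (cd "$ORACLE_HOME/rdbms/lib" && make -f ins_rdbms.mk "$target") || return 1
    (cd "$ORACLE_HOME/bin" && relink oracle) || return 1
}

# Run the given SQL*Plus lines non-interactively as SYS with the given privilege.
dv_sql() {
    priv=$1; shift
    printf '%s\n' "$@" EXIT | sqlplus -S "/ as $priv"
}

# Whole procedure for one state, in the guide's order: when enabling, the DDL
# triggers are switched on before the shutdown; when disabling, they are
# switched off after the relinked instance is back up.
dv_toggle() {
    state=$1
    dv_check_env || return 1
    dv_make_target "$state" >/dev/null || return 2
    if [ "$state" = on ]; then
        dv_sql sysdba "ALTER TRIGGER DVSYS.DV_BEFORE_DDL_TRG ENABLE;" \
                      "ALTER TRIGGER DVSYS.DV_AFTER_DDL_TRG ENABLE;"
    fi
    # The guide says to proceed to the relink even if you cannot connect.
    dv_sql sysoper "SHUTDOWN IMMEDIATE" || true
    dv_relink "$state" || return 1
    dv_sql sysoper "STARTUP" || return 1
    if [ "$state" = off ]; then
        dv_sql sysdba "ALTER TRIGGER DVSYS.DV_BEFORE_DDL_TRG DISABLE;" \
                      "ALTER TRIGGER DVSYS.DV_AFTER_DDL_TRG DISABLE;"
    fi
    # Confirm what the relinked binary reports.
    dv_query_status
}

# Only act when explicitly asked, so the file can also be sourced for its functions.
if [ "${DV_TOGGLE_RUN:-}" = 1 ]; then
    dv_toggle "$1"
fi
```

Source the file to get the functions on their own (for example, dv_query_status before and after a patch), or run DV_TOGGLE_RUN=1 sh dv_toggle.sh off and later DV_TOGGLE_RUN=1 sh dv_toggle.sh on for the whole sequence. For RAC, replace the SQL*Plus shutdown and startup in dv_toggle with the srvctl commands above and run dv_relink on every node. The status parser keys on the last field of each output line, so it accepts both the full SELECT * output with headings and the heading-free form the script itself issues.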