This chapter provides information on upgrades and Bundle Patch updates and how to upgrade from the previous release of Oracle Audit Vault and Database Firewall.
Note:
Upgrade to Oracle AVDF 20 at the earliest as premier support for release 12.2 ends in March 2021, as specified in the Oracle Lifetime Support Policy Guide. Refer to Oracle AVDF 20 Installation Guide > Chapter 5 Upgrading Oracle Audit Vault and Database Firewall for complete information.Learn the steps to upgrade Oracle Audit Vault and Database Firewall (Oracle AVDF).
Caution:
Oracle Audit Vault and Database Firewall release 12.2.0.11.0
does not support Niagara cards. Do not upgrade to this release if you have Niagara cards in your system.
You can upgrade Oracle Audit Vault and Database Firewall from the previous release.
Note:
You must first take backup prior to performing any upgrade.
Oracle Audit Vault and Database Firewall versions 12.2.0.0.0
and above must first upgrade to 12.2.0.9.0
, and then to the latest version in release 12.2
.
Oracle Audit Vault and Database Firewall versions 12.1.2.7.0
and above in 12.1.x
series must first upgrade to 12.2.0.8.0
, then to 12.2.0.9.0
, and then to the latest version in release 12.2
. Follow the instructions in section Mandatory Pre-upgrade Patch for upgrading to 12.2.0.9.0
.
Oracle Audit Vault and Database Firewall versions prior to 12.1.2.7.0
must first upgrade to 12.2.0.2.0
, then to 12.2.0.9.0
, and then subsequently to the latest version in release 12.2
.
In all the above cases, you may perform a single backup operation prior to performing the first upgrade.
In case you have a Niagara card in your system, then contact Oracle support before performing the upgrade task. The Niagara drivers built for UEK 3 that is shipped with previous versions of Audit Vault and Database Firewall are not compatible with UEK 4 and Audit Vault and Database Firewall 12.2.0.4.0
. This leads to failure of the upgrade and subsequent boots of the system.
You must keep sufficient disk space if there is huge amount of event data. The amount of disk space required is about 5% of the total event log data size.
Go to My Oracle Support and sign in.
Click the Patches & Updates tab.
Use the Patch Search box to find the patch.
The following image is an example only:
Click the Product or Family (Advanced) link on the left.
In the Product field, start typing Audit Vault and Database Firewall
, and then select the product name.
In the Release field, select the latest patch from the drop-down list.
Click Search.
In the search results page, in the Patch Name column, click the number for the latest Bundle Patch.
A corresponding patch page appears.
Click Readme to access the README file, which has the upgrade instructions.
Follow the instructions in the README file to complete the upgrade.
Parent topic: Upgrading Oracle Audit Vault and Database Firewall
Learn about the pre-upgrade prerequisites before upgrading Oracle Audit Vault and Database Firewall (Oracle AVDF).
12.2.0.9.0
.Parent topic: Upgrading Oracle Audit Vault and Database Firewall
If you are using Host Monitoring on Windows platform, then install Npcap and update OpenSSL libraries on Windows before upgrading to 12.2.0.13.0.
Complete the steps in the following sections:
network_device_name_for_hostmonitor
collection attribute post installation of Npcap and OpenSSL.Parent topic: Pre-upgrade Tasks
Install a mandatory pre-upgrade patch before upgrading to Oracle Audit Vault and Database Firewall (Oracle AVDF) release 12.2.0.9.0
.
Before upgrading to Oracle AVDF release 12.2.0.9.0
, apply the Mandatory AVDF BP9 Pre-upgrade Patch (Doc ID 2457374.1) (bug_28581135_agentpatch.zip
).
Note:
This pre-upgrade patch must be executed only if you are upgrading to Oracle Audit Vault and Database Firewall release 12.2.0.9.0
from any release between 12.2.0.0.0
and 12.2.0.8.0
.
This pre-upgrade patch is not applicable if you are upgrading to Oracle Audit Vault and Database Firewall release 12.2.0.10.0
or above from release 12.2.0.9.0
.
This patch must be executed only if all the hosts on which your Audit Vault Agents are running, have Java
version 1.8. If you have hosts which have Java
version 1.6, then update those hosts to Java
1.8 before installing this patch.
In case of High Availability configuration of Audit Vault Server this Pre-upgrade Agent Patch has to be applied only on the primary Audit Vault Server.
For deploying Audit Vault Agent on IBM AIX
, ensure OpenSSL 64-bit
version 1.0.1 (or later) is installed.
Host Monitor requires OpenSSL 64-bit
version 1.0.1 (or later), on the target machine.
Requirements
Note:
This patch is located in the zip files extracted in section Instructions To Apply This Bundle Patch.
If you do not meet the above mentioned requirements, or in case you are not certain that you meet these requirements, log a Service Request and contact Oracle support.
Ensure that all Agents are running when this patch is applied.
Stopped Agents are not updated with this patch.
To apply the patch:
Parent topic: Pre-upgrade Tasks
To check the patch application status, complete an update of the Audit Vault agents.
Parent topic: Mandatory Pre-upgrade Patch
Steps to remove the pre-upgrade patch on the Audit Vault Server.
To remove the pre-upgrade patch:
Parent topic: Mandatory Pre-upgrade Patch
Steps to download and manually apply the Agent patch on individual Agents.
Steps To Download The Patch
In case the Mandatory Pre-upgrade Patch has failed to upgrade one or more Audit Vault Agents, then use this procedure to apply the Agent patch manually on each Audit Vault Agent.
Go to https://support.oracle.com
, sign in, and click the Patches & Updates tab.
In the Patch Search box type bug 28581683
.
From the search results, choose PRE BP9 PATCH FOR MANUALLY UPDATING AGENT (Patch 28581683).
Click README and follow the instructions in the file.
Steps To Apply The Patch
Parent topic: Mandatory Pre-upgrade Patch
Steps to undo the manual application of the Agent patch.
Parent topic: Mandatory Pre-upgrade Patch
Before upgrading Oracle Audit Vault and Database Firewall (Oracle AVDF), you must back up some Audit Vault Server and Audit Vault Agent components.
You must back up the following components:
The Audit Vault Server database
The Audit Vault Server appliance
The Audit Vault Agent home directory
Note:
If your current Audit Vault Server is installed on a virtual machine (for example VM on Oracle VM or VMWare), it is recommended to take a VM snapshot before starting the upgrade process.Parent topic: Pre-upgrade Tasks
Learn about releasing tablespaces retrieved manually.
Release all the existing tablespaces that were retrieved manually before performing the Oracle Audit Vault and Database Firewall (Oracle AVDF) upgrade process. Else, the index job creation may fail after upgrade because they cannot allocate space. The new indexes may also not be created after the upgrade.
To release the tablespaces follow this procedure:
Log in to the Audit Vault Server console as super administrator.
Navigate to Settings, and then to Archiving.
Click Retrieve.
You will find a list of tablespaces retrieved.
Select and release all the tablespaces.
Parent topic: Pre-upgrade Tasks
Preserve customizations applied to the log rotate configuration files during upgrade of Oracle Audit Vault and Database Firewall (Oracle AVDF).
Any customization applied to the log rotate configuration files may be lost during upgrade. To preserve such rules:
Create your own custom configuration file. See Oracle Linux documentation for details.
Move any rules to a custom configuration file before performing the upgrade process.
Parent topic: Pre-upgrade Tasks
Check for any busy devices before starting the Oracle Audit Vault and Database Firewall (Oracle AVDF) upgrade process.
The upgrade may not check for busy volumes and may result in an error later.
Run lsof
against /tmp
and /usr/local/dbfw/tmp
to discover any open temporary files. Ensure that no logs are open when starting the upgrade process.
Note:
If you have an Audit Vault Agent running on a Windows machine, then ensure to close all the Agent related directories and open files before upgrading Oracle AVDF.Parent topic: Pre-upgrade Tasks
Tasks for upgrading Oracle Audit Vault and Database Firewall.
Parent topic: Upgrading Oracle Audit Vault and Database Firewall
You must upgrade the Audit Vault Server before you upgrade the Audit Vault Agents and Database Firewall.
If you have set up a high availability environment, upgrade both your primary and standby Audit Vault Server.
Parent topic: Upgrade Tasks
This procedure is for updating an Audit Vault Server that is not part of a pair of Audit Vault Servers configured for high availability (a resilient pair).
To upgrade an Audit Vault Server:
Make sure that all audit trails are stopped.
Click the Secured Targets tab in the Audit Vault Server console.
In the Monitoring menu, click Audit Trails.
Select all audit trails, and then click Stop.
Follow the steps in Steps To Upgrade Oracle Audit Vault And Database Firewall Appliances to upgrade the Audit Vault Server.
Upgrade Notes
If you have existing secured targets for which you ran Oracle Audit Vault and Database Firewall setup scripts to set user privileges (for example, for stored procedure auditing), no further action is required to update those privileges.
Password hashing has been upgraded to a more secure standard in versions 12.1.2.x and later. This change affects the operating system passwords (support and root). Change your passwords after upgrade to take advantage of the more secure hash.
Learn to upgrade a pair of Audit Vault Servers configured for high availability.
Note:
Do not change the primary and standby roles before completing the upgrade on both Audit Vault Servers.
Upgrade the standby Audit Vault Server first.
Follow the steps in Steps To Upgrade Oracle Audit Vault And Database Firewall Appliances to upgrade the standby (secondary).
After the standby Audit Vault Server is rebooted, ensure that it is up and running before proceeding to upgrade the primary Audit Vault Server.
Stop the audit trails before upgrading the primary Audit Vault Server.
Click the Secured Targets tab in the Audit Vault Server console.
In the Monitoring menu, click Audit Trails.
Select all audit trails, and then click Stop.
Follow the steps in Steps To Upgrade Oracle Audit Vault And Database Firewall Appliances to upgrade the primary.
Note:
After the primary Audit Vault Server is rebooted and is running, no additional reboot is needed. It is fully functional at this point.
The Agents and Host Monitors are automatically upgraded when you upgrade the Audit Vault Server.
Note:
If any Agent is using Java 1.6
, then upgrade the Java
version to 1.8
. This action ensures the following:
Establishes communication between the Audit Vault Server and the Agents.
Auto upgrade of Agents to release 12.2.0.9.0
.
During the Audit Vault Agent auto-update process, its status will be UNREACHABLE
for a while. It may take as much as 45 minutes to return to RUNNING
state.
On Windows hosts, the Audit Vault Agent gets updated automatically only if you have registered it as a Windows service, and you have set this service to use the credentials of the OS user that originally installed the agent.
When you start the Agent from the command line, the Audit Vault Agent will not auto-update. In this case, update the Agent manually. For example:
<agent_home>\bin\agentctl.bat stop
Download the new agent.jar
from the Audit Vault Server Console and extract it using java -jar agent.jar
from agent_home
of the existing agent. Then run:
<agent_home>\bin\agentctl.bat start
Do not delete the existing agent_home
directory.
Parent topic: Upgrade Tasks
You must first upgrade the Audit Vault Server (or high availability pair of servers), before following these instructions to upgrade all Database Firewalls.
When updating Database Firewalls configured for high availability (a resilient pair), upgrade both the primary and secondary Database Firewall.
Parent topic: Upgrade Tasks
This procedure is for updating a Database Firewall that is not part of a pair of Database Firewalls configured for high availability (a resilient pair).
To upgrade a Database Firewall:
Stop all the enforcement points.
Click Secured Targets tab in the Audit Vault Server console.
In the Monitoring menu, click Enforcement Points.
Select all the enforcement points, and then click Stop.
Follow the procedures in Steps To Upgrade Oracle Audit Vault And Database Firewall Appliances to upgrade the Database Firewall.
Parent topic: Upgrade The Database Firewall Or Firewall Pair
Learn to upgrade a pair of Database Firewalls configured for high availability.
Follow the steps in Steps To Upgrade Oracle Audit Vault And Database Firewall Appliances to first upgrade the standby (secondary) Database Firewall.
Ensure that the standby Database Firewall has been restarted.
After the standby Database Firewall has fully started up after the reboot, swap this Database Firewall so that it now becomes the primary Database Firewall. To do this:
In the Audit Vault Server console, click the Firewalls tab.
Click Resilient Pairs.
Select this resilient pair of firewalls, and click Swap.
The Database Firewall you just upgraded is now the primary firewall.
Follow the steps in Steps To Upgrade Oracle Audit Vault And Database Firewall Appliances to upgrade the original primary Database Firewall.
After the original primary Database Firewall has fully started up after the reboot, swap this Database Firewall so that it now becomes the primary Database Firewall. This is an optional step.
Parent topic: Upgrade The Database Firewall Or Firewall Pair
The steps to upgrade an Audit Vault Server appliance or a Database Firewall appliance are similar.
In the following steps, the term appliance refers to Audit Vault Server or Database Firewall depending on the one you are upgrading. Make sure you upgrade all the appliances as described in the sections above.
Parent topic: Upgrade Tasks
Steps to install the Oracle Audit Vault and Database Firewall (Oracle AVDF) pre-upgrade RPM.
You must install the pre-upgrade RPM. It puts the system into a state that can be safely upgraded after it checks for suitable space on the file system. When the pre-upgrade RPM is installed, it re-arranges free space on the appliance so that there is enough room to copy the upgrade files to the appliance and start the installation. After the upgrade, the space for the upgrade files is given back to the file system.
The avdf-pre-upgrade-12.2.0.10.0-1.x86_64.rpm
executable includes the upgrade prerequisites and also checks that the platform conditions are met prior to the installation.
The pre-upgrade RPM prepares the system for upgrade by creating the /var/dbfw/upgrade
directory with enough space to hold the main upgrade ISO file.
Prerequisite
In case of high availability environment, before running the pre-upgrade RPM, check the failover status on the primary Audit Vault Server. The failover status should not be STALLED
. If the failover status is STALLED
, then wait for a while and check the status again. If the status is not changing, then contact Oracle Support.
Follow these steps to check the failover status on the primary Audit Vault Server:
Log in to the primary Audit Vault Server console as oracle user.
Run the following command:
/usr/local/dbfw/bin/setup_ha.rb --status
Check the failover status in the output.
Run Pre-Upgrade RPM
Log in to the appliance through SSH as user support
, and then switch user (su
) to root
.
If you are upgrading from release 12.2.0.5.0 or later, then run the screen
command as user root
.
Note:
Using the screen
command prevents network disconnections interrupting the upgrade. If the session terminates, resume as follows:
Connect as support
.
Switch to user root
.
Run command screen -r
Run the following command to copy the avdf-pre-upgrade-12.2.0.10.0-1.x86_64.rpm
executable from the download location to this appliance:
scp remote_host:/path/to/avdf-pre-upgrade-12.2.0.10.0-1.x86_64.rpm /root
Run the following command to install the avdf-pre-upgrade-12.2.0.10.0-1.x86_64.rpm
executable:
rpm -i /root/avdf-pre-upgrade-12.2.0.10.0-1.x86_64.rpm
The following message should appear:
SUCCESS: The upgrade media can now be copied to '/var/dbfw/upgrade'. The upgrade can then be started by running: /usr/bin/avdf-upgrade
Note:
In case the installation of the pre-upgrade RPM fails, take the remedial action described in the error message displayed. The appliance may not be ready for installation or the pre-upgrade RPM may have detected a problem. Upon taking the necessary measures, remove the pre-upgrade RPM and attempt installation again.
To remove the RPM execute the following command as root user:
rpm -e avdf-pre-upgrade
Execute the following command if there is an issue with uninstalling the pre-upgrade RPM:
rpm -e avdf-pre-upgrade --noscripts
Steps to transfer the ISO file to the appliance.
The avdf-upgrade-12.2.0.10.0.iso
file is the main upgrade ISO that you generated earlier by combining the three ISO files downloaded from My Oracle Support.
Log in to the appliance as user support
.
Copy the avdf-upgrade-12.2.0.10.0.iso
file as follows:
scp remote_host:/path/to/avdf-upgrade-12.2.0.10.0.iso /var/dbfw/upgrade
The upgrade script mounts the ISO, changes to the correct working directory, executes the upgrade process, and then after the upgrade process is complete, unmounts the ISO.
Log in to the appliance through SSH as user support
, and then switch user (su
) to root
.
Note:
If you are upgrading from release12.2.0.5.0
or later, then run the screen
command as user root. Using the screen
command prevents network disconnections interrupting the upgrade. If the session terminates, resume by switching to user root and then run command screen -r
.Execute the following command to perform appropriate checks before the upgrade:
/usr/bin/avdf-upgrade
Follow the system prompt, warning, and instruction to proceed with the upgrade accordingly.
Note:
For upgrade from Oracle Audit Vault and Database Firewall releases prior to 12.2, a data encryption keystore password is prompted as follows. This password prompt appears on primary and standalone systems, but not on standby systems.
In Oracle Audit Vault and Database Firewall release 12.2, the repository is encrypted using Oracle Database Transparent Database Encryption (TDE). This password protects the master encryption key wallet for TDE. After the upgrade, you may choose to integrate Oracle Audit Vault and Database Firewall with Oracle Key Vault to further protect your encryption key.
The password must contain at least 8 characters and at most 30 bytes. It cannot have a leading or trailing space. It must not contain control characters, delete character, non-spacebar white space, or a double-quote (") character. An ASCII only password must have at least one uppercase letter, one lowercase letter, one digit (0-9), and one special character from the following: (.,+:_!).
Output similar to the following appears:
Enter Keystore Password: ******** Re-Enter Keystore Password:
WARNING: power loss during upgrade may cause data loss. Do not power off during upgrade.
Verifying upgrade preconditions
1/7: Mounting filesystems (1)
2/7: Cleaning yum configuration
3/7: Cleaning old packages and files
4/7: Upgrading kernel
5/7: Upgrading system
6/7: Installing database bundle patch resources
7/7: Setting final system status
Remove media and reboot now to fully apply changes.
Unmounted /var/dbfw/upgrade/avdf-upgrade-12.2.0.10.0.iso on /images
The output above varies depending on the base installation level, the appliance type, and the configuration.
Upgrading the Appliance
The system may take some time to complete the commands. Do not interrupt the upgrade, otherwise the system may be left in an inconsistent state.
For this reason it is important to use a reliable and uninterruptible shell, for example, a direct console login (or iLOM equivalent).
If you use a network (ssh) connection to upgrade the appliance, ensure the connection is reliable. You may also need to set the connection to keepalive
. If you are using ssh from the Oracle Linux command line, you can use the ServerAliveInterval
option, for example as follows:
# ssh -o ServerAliveInterval=20 [other ssh options]
Note:
If you are upgrading from release 12.2.0.5.0
or later, then run the screen
command as user root. Using the screen command prevents network disconnections interrupting the upgrade. If the session terminates, resume as follows:
screen -r
Steps to reboot the appliance and continue the upgrade process.
To reboot the appliance, perform the following steps:
Log in to the appliance through SSH as user support
, and then switch user (su
) to root
.
Restart the appliance. For example:
reboot
The restart process completes the upgrade. When the appliance restarts, the pre-database and post-database migrations are run automatically. This process also removes the pre-upgrade avdf-pre-upgrade-12.2.0.10.0-1.x86_64.rpm
executable, so you do not need to manually remove this file.
Note:
After restarting, the migration process can take several hours to complete. Please be patient. Do not restart the system while this is in progress.If you have upgraded a Database Firewall, it may have regenerated the appliance certificate. In this scenario, you need to re-register the Database Firewall. To check this:
Log in to the Audit Vault Server as an administrator
.
Click the Database Firewalls tab.
If the upgraded Database Firewall indicates a certificate error, click on its name, and then click Re-Register Firewall.
Note:
Make sure that you upgrade all the components as mentioned in these sections:
Upgrade The Audit Vault Server (Standalone) Or Server Pair (High Availability)
Automatic Upgrade Of The Audit Vault Agents And Host Monitors
Once the upgrade is complete, perform the post-upgrade changes.
Post upgrade tasks for Oracle Audit Vault and Database Firewall (Oracle AVDF).
Note:
Apply the deprecated ciphers patch (Deprecated-Cipher-Removal.zip
) to remove old ciphers, post AVS install or upgrade. Apply this patch on Audit Vault Server after installation or upgrade to 12.2.0.13.0 (or later). Before applying the patch, make sure that all the Audit Vault Agents and Host Monitor Agents are upgraded to 12.2.0.13.0.
The following topics describe some important post upgrade changes:
Parent topic: Upgrading Oracle Audit Vault and Database Firewall
Here are the symptoms that validate whether the upgrade was successful or not.
Symptoms when the upgrade is successful:
The Audit Vault Server console can be launched without issues
The home page on the Audit Vault Server console displays the actual version on the top right corner
SSH connection to the Audit Vault Server is successful without any errors
Symptoms when the upgrade has failed:
Unable to launch the Audit Vault Server console
SSH connection to the Audit Vault Server displays an error that the upgrade has failed
Parent topic: Post Upgrade Tasks
After upgrade, the newly created tablespaces are automatically encrypted.
However, tablespaces created before the system was upgraded to 12.2 continue to be in clear text.
See Also:
Data Encryption on Upgraded Instances in the Oracle Audit Vault and Database Firewall Administrator's Guide for detailed steps to encrypt existing tablespaces.Parent topic: Post Upgrade Tasks
After the upgrade, new behavior is enforced on archive locations.
New archive locations are owned by the user with administrator role who created them.
The user with super administrator role can view all archive locations.
Existing archive locations can only be accessed by the user with super administrator role. In order for the regular user with administrator role to access these locations, you must do the following task for each archive location:
Log in to Audit Vault Server as root
OS user, then perform the following commands:
su - dvaccountmgr sqlplus / alter user avsys identified by <password> account unlock; exit; exit; su - oracle sqlplus avsys/<password> update avsys.archive_host set created_by=<adminuser> where name=<archive location name>; commit; exit; exit; su - dvaccountmgr sqlplus / alter user avsys account lock; exit; exit;
Parent topic: Post Upgrade Tasks
Learn how to fix disabled archiving functionality post upgrade from Oracle AVDF 12.2.0.11.0 to later releases (12.2.0.12.0 or 12.2.0.13.0).
Problem
Archiving functionality may be disabled after upgrading from Oracle AVDF 12.2.0.11.0 or 12.2.0.12.0, to 12.2.0.12.0 or 12.2.0.13.0.
Archiving functionality for high availability environment is supported starting Oracle AVDF release 12.2.0.11.0. This problem arises when you are upgrading from older releases where archiving functionality is supported only on the primary Audit Vault Server. Execute the steps only if you are upgrading from Oracle AVDF 12.2.0.11.0 to later releases.
Note:
If you are upgrading from any release prior to Oracle AVDF 12.2.0.11.0, then follow the steps documented in section Enable Archiving Functionality Post Upgrade.Solution
If archive locations were present before upgrading to 12.2.0.13.0, execute the following steps to enable archiving functionality. These steps must be executed post upgrade process.
Create a new archive location using the Audit Vault Server console. While creating this new archive location enter the details of both the primary and standby location. This will mount the new archive location on the primary or standby Audit Vault Server and update the fstab
with both archive locations.
SSH to the primary Audit Vault Server as support user and then unlock the avsys user by executing the following commands:
su root
su dvaccountmgr
sqlplus /
alter user avsys identified by <new password for avsys user> account unlock;
exit;
exit;
Execute the following commands as avsys user:
su oracle
sqlplus avsys
Enter the avsys password when prompted. Execute the following SQL commands:
delete from avsys.system_configuration where property = '_ILM_ARCHIVING_DISABLED';
COMMIT;
insert into avsys.system_configuration values ('_ILM_HA_UPGRADE_COMPLETED', 'Y');
COMMIT;
exit;
exit;
Execute the following command to lock the avsys user:
su dvaccountmgr
sqlplus /
alter user avsys account lock;
Delete the new archive location that was created in the initial step. Navigate to Settings tab, then click Manage Archive Locations in the left navigation menu. Delete the specific archive location.
Parent topic: Post Upgrade Tasks
Enable archiving functionality post upgrade from release 12.2.0.10.0 and prior. This is required only if the Audit Vault Server is deployed in a high availability environment.
Archiving functionality for high availability environment is supported starting Oracle AVDF release 12.2.0.11.0. This problem arises when you are upgrading from older releases where archiving functionality is supported only on the primary Audit Vault Server. Execute the steps only if you are upgrading from Oracle AVDF 12.2.0.10.0 or prior releases to later releases where archiving functionality is supported for both primary and standby Audit Vault Servers.
In case there are NFS locations and archived data files, ensure all the data files are available in the respective NFS locations. Upon completion of the upgrade process, archiving is disabled. User must follow the below steps to enable archiving.
Parent topic: Post Upgrade Tasks
After upgrading all of the appliances and Agents, Oracle recommends that you set the TLS level to Level-4.
Set the TLS level to Level-4 by executing the following command:
/usr/local/dbfw/bin/priv/configure-networking --wui-tls-cipher-level 4 --internal-tls-cipher-level 4 --agent-tls-cipher-level 4
Note:
In case any single instance of an Agent is running on IBM AIX, then use --agent-tls-cipher-level 3
instead of --agent-tls-cipher-level 4
in the above command.
If any Agent is using Java 1.6
, then upgrade the Java
version to 1.8
.
Then, perform the following procedure to propagate cipher level change to all Agents:
Log in to the Audit Vault Server console as root user.
Change the directory by using the command:
cd /usr/local/dbfw/bin/priv
Execute the following script using the command:
./send_agent_update_signal.sh
Note:
This command must not be executed more than once in a period of one hour.
This will break communication with external systems if they do not support the strict TLS setting. See About Setting TLS Levels in the Oracle Audit Vault and Database Firewall Administrator's Guide for the appropriate level.
Parent topic: Post Upgrade Tasks
See MOS note (Doc ID 2458154.1) for complete instructions to clear unused kernels from Oracle Audit Vault and Database Firewall (Oracle AVDF).
Parent topic: Post Upgrade Tasks
There are some jobs on the Audit Vault Server that need to be scheduled for proper and effective functioning of the system.
These jobs should run during a period when the Audit Vault server usage is low, such as night.
The user can schedule these jobs as per their time zone, through these procedures:
Parent topic: Post Upgrade Tasks
After upgrading Oracle Audit Vault and Database Firewall (Oracle AVDF), you will need to resolve a missing log rotate file.
This scenario is encountered while upgrading from Oracle Audit Vault and Database Firewall release 12.2.0.4.0
or prior, to release 12.2.0.5.0
and above. The /etc/logrotate.d/dbfw-db
file may be missing after the upgrade.
To fix this issue, execute the following commands as root user:
install -o root -g root -m 0400 \ /usr/local/dbfw/templates/template-logrotate.d_dbfw-db \ /etc/logrotate.d/dbfw-db
Upgrade to Oracle Audit Vault and Database Firewall release 12.2.0.10.0
or later, to fix the following error:
error: /etc/logrotate.d/dbfw-db:10 duplicate log entry for /var/lib/oracle/dbfw/av/log/apex_perf_patch.log
Parent topic: Post Upgrade Tasks
Releases prior to Oracle Audit Vault and Database Firewall 12.2 did not automatically archive expired audit records (records that were older than the months online period specified in the data retention/archiving policy).
Expired audit records were stored in the AVSPACE
schema of the Audit Vault Server.
After you upgrade to Oracle Audit Vault and Database Firewall 12.2, a migration job automatically kicks off to migrate expired audit data, and either archive it or delete it according to retention policies set for your secured targets. You can see the status of this migration job in the Jobs page (Settings tab, System menu, Jobs). In the event of an error (for example, not enough space for migration), the error appears in the job status. The expired records migration job runs every six hours until errors are fixed and the migration is complete.
Note:
Upon successfully upgrading to release 12.2.0.4.0 from 12.2.0.3.0, the user must run the encryption script prior to executing archive jobs.See Also:
Oracle Audit Vault and Database Firewall Administrator's Guide for more information on archiving.Parent topic: Upgrading Oracle Audit Vault and Database Firewall
Always take back up Oracle Audit Vault and Database Firewall before upgrading in case the upgrade fails for an unforeseen reason.
If there is enough space in the Audit Vault Server's flash recovery area, you may be able to recover the database after a failed upgrade under the guidance of Oracle Support.
As a rule of thumb, to make recovery of the database possible, you should have the following amount of free space in the flash recovery area:
20 GB or 150% of the amount of data stored in the Audit Vault Server database, whichever is larger.
See Also:
Back Up The Current Oracle Audit Vault And Database Firewall Installation
Oracle Audit Vault and Database Firewall Administrator's Guide for information on monitoring the flash recovery area.
Parent topic: Upgrading Oracle Audit Vault and Database Firewall
Uninstall the Audit Vault Server and the Database Firewall appliances, and the Audit Vault Agents, that are deployed on target host machines.
To remove the Audit Vault Agent from secured target host machines:
To uninstall the Audit Vault Server or Database Firewall(s), turn off the computers on which they are installed, and follow the procedures for safely decomissioning the hardware.
Parent topic: Upgrading Oracle Audit Vault and Database Firewall
About reimaging Oracle Database Firewall and to restore from Audit Vault Server.
Use this procedure to reimage the Oracle Database Firewall appliance and restore the configuration from the Audit Vault Server console.
Certificate Validation Failed
message displayed in the list.Primary
and the status of the Enforcement Point is Up
.Parent topic: Upgrading Oracle Audit Vault and Database Firewall