Using Oracle Database Vault in Database Cloud Service

You can use Oracle Database Vault in an Oracle Database Cloud Service database deployment.

Oracle Database Vault provides powerful security controls to help protect application data from unauthorized access, and comply with privacy and regulatory requirements.

You can deploy controls to block privileged account access to application data and control sensitive operations inside the database. Trusted paths can be used to add additional security controls to authorized data access and database changes. Through the runtime analysis of privileges and roles, you can increase the security of existing applications by implementing least privileges and reducing the attack profile of your database accounts. Oracle Database Vault secures existing database environments transparently, eliminating costly and time consuming application changes.

The information in this document tells you about enabling and disabling Oracle Database Vault in an Oracle Database Cloud Service database deployment, but does not provide detail on using the features of Oracle Database Vault. Be sure to refer to Oracle Database Vault Administrator’s Guide for Release 18, 12.2, 12.1 or 11.2 for detailed information on implementing Oracle Database Vault features.

Configuring and Enabling Oracle Database Vault

You can use the dv on subcommand of the dbaascli utility to configure and enable Database Vault with your database.

Oracle Database includes Database Vault, but you must configure and enable it before you can use it.

The dbaascli utility provides an easy-to-use interface for configuring and enabling Database Vault. As an alternative to using dbaascli, you can follow the steps in "Getting Started with Oracle Database Vault" in Oracle Database Vault Administrator's Guide for Release 18, 12.2, 12.1 or 11.2.

Be sure to review "What to Expect After You Enable Oracle Database Vault" in Oracle Database Vault Administrator’s Guide for Release 18, 12.2, 12.1 or 11.2 to gain an understanding of the impact of enabling and configuring Database Vault.

As part of the configuration process, Database Vault administrative accounts are created. Oracle strongly recommends that you create two accounts for each role. One account, the primary account, will be used on a day-to-day basis and the other account will be used as a backup account in case the password of the primary account is lost and must be reset.

Refer to dbaascli dv on for additional information about the dv on subcommand, including options that can be used to enable Database Vault only for the root container (CDB) or a specified pluggable database (PDB) in a database deployment using Oracle Database 12c or later.

To enable and configure Database Vault by using the dv on subcommand:
  1. Connect to the compute node as the oracle user.
  2. Enable and configure Database Vault:
    $ dbaascli dv on
    ...
    Enter DV owner username: DVownerusername
    Enter DV owner password: DVownerpassword
    Re-enter DV owner password: DVownerpassword
    Enter DV manager username: DVmanagerusername
    Enter DV manager password: DVmanagerpassword
    Re-enter DV manager password: DVmanagerpassword
    ...
    Successfully configured DV
    $
    

    Enter a user name and password for the Database Vault Owner and Database Vault Account Manager when prompted. In a database deployment using Oracle Database 12c or later, the Database Vault Owner and Account Manager user names must begin with c##.

  3. Disconnect from the compute node.

Disabling Oracle Database Vault

You can use the dv off subcommand of the dbaascli utility to disable Database Vault in your database.

The dbaascli utility provides an easy-to-use interface for disabling Database Vault. As an alternative to using dbaascli, you can follow the steps in "Disabling and Enabling Oracle Database Vault" in Oracle Database Vault Administrator's Guide for Release 18, 12.2, 12.1 or 11.2.

When you install Oracle Database Vault, it revokes a set of privileges from several Oracle Database-supplied users and roles. Be aware that if you disable Oracle Database Vault, these privileges remain revoked. See "Privileges That Are Revoked from Existing Users and Roles" in Oracle Database Vault Administrator’s Guide for Release 18, 12.2, 12.1 or 11.2 for additional information.

Refer to dbaascli dv off for additional information about the dv off subcommand, including options to disable Database Vault for only the root container (CDB) or a specific pluggable database (PDB) in a database deployment using Oracle Database 12c or later.

To enable and configure Database Vault by using the dv off subcommand:
  1. Connect to the compute node as the oracle user.
  2. Disable Database Vault:
    $ dbaascli dv off
    ...
    Enter DV owner username: DVownerusername
    Enter DV owner password: DVownerpassword
    ...
    Successfully configured DV
    $
    

    Enter the user name and password for the Database Vault Owner when prompted.

  3. Disconnect from the compute node.