B Installing Oracle AVDF on Oracle Database Appliance (ODA)

Learn how to install Audit Vault Server or Database Firewall on Oracle Database Appliance.

The Oracle Database Appliance (ODA) is a database server appliance. It is the easiest and most affordable way to run Oracle Databases and applications in remote and edge computing environments. It reduces Oracle Database deployment time and management workload using a pre-built integrated system with management automation.

Oracle AVDF comprises Audit Vault Server and Database Firewall. They are delivered as software appliance images that can be deployed on physical machines or virtual machines (VM). Audit Vault Server and Database Firewall can be deployed on Oracle Database Appliance by creating a KVM (Kernel-based Virtual Machine) guest instance on ODA.

This appendix contains an overview for installing Audit Vault Server and Database Firewall on Oracle Database Appliance.

At a high level, the installation flow is as follows:

  1. Prerequisites

    1. Create an ODA VM instance
    2. Download Oracle AVDF ISO files within the ODA VM instance
  2. Install KVM on ODA VM instance

  3. Install Audit Vault Server

    1. Create a storage pool for ISO files and Audit Vault Server installation
    2. Create a KVM guest instance
    3. Install Audit Vault Server or Database Firewall
  4. Configure Audit Vault Server

    1. Deploy Audit Vault Agents
    2. Register the target database instance in the Audit Vault Server
    3. Start the Audit Vault Agent
    4. Configure the database instance as a target using the Audit Vault Server console
    5. Configure Auditing
    6. Provision Audit Policies
    7. Monitor Database Activity in Audit Vault Server

B.1 Completing the Installation Prerequisites

Learn about the prerequisites before the installation of Oracle AVDF on ODA.

  1. Create an ODA VM instance by referring to Oracle Database Appliance X8-2 Deployment and User’s Guide.

    Note:

    Oracle recommends creating a vdisk to accommodate the storage pools and attaching it to the VM.

    This ODA VM instance is used as a hypervisor to host a nested VM for installing Oracle AVDF. The CPU mode in the ODA VM instance needs to be updated to support this nested virtualization.

  2. Follow these steps to edit the CPU mode.

    Note:

    In these steps, vm_name is the ODA VM instance name and vmstorage_name is the vmstorage for this ODA VM instance.
    1. Run the command:

      virsh edit <vm_name>
    2. Locate the following lines in the XML file, which need to be changed:

      <cpu mode='custom' match='exact' check='partial'>

    3. Change the lines as follows:

      <cpu mode='host-passthrough' check='none'/>
    4. Save the XML file.

    5. Copy the domain XML file (/etc/libvirt/qemu/<vm_name>.xml) to the ODA location /u05/app/sharedrepo/<vmstorage_name>/.ACFS/snaps/vm_<vm_name> by running the following command:

      cp /etc/libvirt/qemu/<vm_name>.xml /u05/app/sharedrepo/<vmstorage_name>/.ACFS/snaps/vm_<vm_name>
    6. Restart the VM using these commands:

      odacli stop-vm -n <vm_name>
      odacli start-vm -n <vm_name>
  3. Download the Oracle AVDF ISO files.

B.2 Download the Oracle AVDF ISO Files

Learn about downloading and verifying the software to install Oracle AVDF on ODA.

Download Oracle AVDF ISO files using the VNC console for the ODA VM instance. Refer to Downloading and Verifying Oracle AVDF Software for the complete, detailed steps.

Here are high level steps to follow:

  1. Open a web browser on the VNC console for the ODA VM instance and go to the Oracle Software Delivery Cloud portal.
  2. Click Sign In, and if prompted, enter your User ID and Password.
  3. In the All Categories menu, select Release. In the following field, enter Oracle Audit Vault and Database Firewall, and then click Search.
  4. Select the Oracle Audit Vault and Database Firewall version you want to install from the displayed list. Or click the Select icon that appears against the specific release.
  5. In the next page, verify the details of the installation package, and then click Continue.
  6. Read the Oracle Standard Terms and Restrictions displayed on the page. Select I reviewed and accept the Oracle License Agreement check box, and then click Continue.

    Note:

    In Oracle AVDF release 20.3 and earlier, the Audit Vault Server installable files are available in parts and must be concatenated before installation. Starting with Oracle AVDF release 20.4, there is a single Audit Vault Server ISO file, and there is no need to concatenate.

    The download page appears and displays the list of ISO files for Oracle Audit Vault and Database Firewall.

    1. Audit Vault Server install: Vpart_number.iso Oracle Audit Vault and Database Firewall 20.x.0.0.0 - Audit Vault Server

      Note:

      Starting with Oracle AVDF 20.4, there is a single Audit Vault Server ISO file, and there is no need to concatenate.
    2. Database Firewall install: Vpart_number.zip Oracle Audit Vault and Database Firewall 20.x.0.0.0 - Utilities.

  7. Next to the Print button, click View Digest Details.

    The ISO files list expands to display each ISO file's SHA-1 and SHA-256 checksum reference numbers.

  8. Verify the checksum value for all the ISO files.
  9. Click Download. The Download Manager Installation screen is displayed. The size of the combined ISO files exceeds 11 GB, and takes time to download, depending on the network speed. The estimated download time and speed are displayed in the File Download dialog box.
  10. Click Download the installer, and then click Save File.
  11. Create a directory in ODA VM instance to download the ISO files. Download the ISO files into the ODA VM instance sources directory.
  12. Click Save.
  13. After the download is complete, launch a terminal session.
  14. Check the ISO files have been downloaded correctly.
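
One way to script the checksum verification in steps 8 and 14, added here as an example and not part of the Oracle guide. The function name and the manifest file (file name and SHA-256 value per line, copied by hand from View Digest Details) are assumptions; SHA-256 is used rather than SHA-1 because it is the stronger of the two digests the portal lists.

```shell
#!/bin/sh
# Added example (not from the Oracle guide).
# Manifest format is an assumption: one "<file name> <SHA-256 hex>" pair per
# line, typed or pasted by hand from View Digest Details. Lines starting with
# '#' and blank lines are ignored. File names must not contain spaces.

verify_isos() (
    dir=$1
    manifest=$2
    checked=0
    failures=0

    while read -r name expected rest || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac
        checked=$((checked + 1))

        # Normalise case so upper- and lower-case hex compare equal.
        expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
        # Reject anything that is not 64 hex characters, for example a
        # 40-character SHA-1 value pasted from the wrong column.
        case $expected in *[!0-9a-f]*) expected='' ;; esac

        if [ "${#expected}" -ne 64 ]; then
            echo "BAD DIGEST  $name"
            failures=$((failures + 1))
        elif [ ! -f "$dir/$name" ]; then
            echo "MISSING     $name"
            failures=$((failures + 1))
        else
            actual=$(sha256sum "$dir/$name" | cut -d' ' -f1)
            if [ "$actual" = "$expected" ]; then
                echo "OK          $name"
            else
                echo "MISMATCH    $name"
                failures=$((failures + 1))
            fi
        fi
    done < "$manifest"

    # Succeed only if at least one file was checked and none failed.
    [ "$checked" -gt 0 ] && [ "$failures" -eq 0 ]
)

# Usage (paths are placeholders):
#   verify_isos /path/to/iso_dir /path/to/digests.txt && echo "all ISO files verified"
```

A MISMATCH or MISSING result means the file should be downloaded again before it is copied into a storage pool.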

B.3 Installing KVM on ODA VM Instance for Running Oracle AVDF

Learn how to install KVM on ODA VM instance for running Oracle AVDF appliances.

Follow these steps to install KVM on the ODA VM instance. Refer to the OS documentation for details about installing the KVM hypervisor.

  1. Run the following command to install the latest qemu packages and virt-manager:

    If ODA VM instance is OL7:

    yum -y install qemu-kvm qemu-img virt-manager libvirt libvirt-python libvirt-client virt-install

    If ODA VM instance is OL8:

    # yum install qemu-kvm qemu-img virt-manager libvirt libvirt-client virt-install
  2. Run the following commands to enable libvirtd:
    systemctl enable libvirtd
    systemctl start libvirtd
  3. Run the following commands to enable tuned:
    systemctl enable tuned
    systemctl start tuned
    tuned-adm profile virtual-host
  4. Enable nested VM support. Prior to ODA X10-2, ODA is Intel based and nested VM support is enabled by default. Starting with ODA X10-2, ODA is AMD based and nested KVM support needs to be enabled manually by commenting out options kvm_amd nested=0 on the ODA BM hosts. Make these changes on both BM hosts if using the ODA high availability model.
    [root@ODABM root]# cat /etc/modprobe.d/kvm.conf
    # Enable nested virtualization on Intel processors
    options kvm_intel nested=1
    # Nested virtualization support on AMD processors is not stable enough
    # for production use, so disable it
    # options kvm_amd nested=0  
  5. Reboot BM host to make the changes effective.
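
A check for the nested virtualization settings from step 4 above and from the CPU mode change in B.1, added here as an example and not part of the Oracle guide. The function names are hypothetical; the sysfs parameter file and the vmx/svm flags in /proc/cpuinfo are the standard Linux locations.

```shell
#!/bin/sh
# Added example (not from the Oracle guide). Paths are parameters so the checks
# can be run against copies; the defaults are the standard Linux locations.

# True when FILE contains an active (uncommented) line that turns nested
# virtualization off for MODULE, e.g. "options kvm_amd nested=0".
# $1 = module name (kvm_amd or kvm_intel), $2 = modprobe configuration file
conf_disables_nested() {
    awk -v mod="$1" '
        $1 ~ /^#/ { next }                  # comment line, with or without indent
        $1 == "options" && $2 == mod {
            for (i = 3; i <= NF; i++)
                if ($i == "nested=0" || $i == "nested=N" || $i == "nested=n")
                    found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$2"
}

# True when the loaded module reports nested virtualization as enabled.
# Run on the bare metal host after the reboot.
# $1 = module name, $2 = sysfs root (default /sys)
module_nested_enabled() {
    case $(cat "${2:-/sys}/module/$1/parameters/nested" 2>/dev/null) in
        1|Y|y) return 0 ;;
        *)     return 1 ;;
    esac
}

# True when the CPU exposes hardware virtualization (vmx on Intel, svm on AMD).
# Run inside the ODA VM: after the domain is switched to host-passthrough and
# the bare metal host allows nesting, the flag should be visible there.
# $1 = cpuinfo file (default /proc/cpuinfo)
cpu_has_virt_ext() {
    grep -Eq '^flags[[:space:]]*:.*[[:space:]](vmx|svm)([[:space:]]|$)' \
        "${1:-/proc/cpuinfo}"
}

# Usage on an AMD-based bare metal host:
#   conf_disables_nested kvm_amd /etc/modprobe.d/kvm.conf && echo "still disabled"
#   module_nested_enabled kvm_amd || echo "nested virtualization is off"
```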

B.4 Configuring the Network on ODA VM Instance

Learn how to configure a bridge network on ODA VM instance to be used by the Oracle AVDF VM instance.

The purpose of this section is to create a bridge network for ODA VM instance, attach the virtual interface to the bridge, and plumb IP to the bridge.

Refer to the Oracle Linux documentation for more details about how to configure the network.

Follow these steps:

  1. From the bare metal host, access the ODA VM by using:
    virsh console <ODA VM name>
  2. Create the bridge network:
    <delete the existing ens3 configuration from network manager>
    # nmcli connection down ens3
    # nmcli connection delete ens3
    
    <create a bridge br0 and add port ens3 to the bridge br0>
    # nmcli connection add type bridge con-name br0 ifname br0
    # nmcli connection add type ethernet slave-type bridge con-name br0-port1 ifname ens3 master br0
    
    <configure IP, gateway, dns to the bridge>
    # nmcli connection modify br0 ipv4.addresses 'x.x.x.x/xx'
    # nmcli connection modify br0 ipv4.gateway 'y.y.y.y'
    # nmcli connection modify br0 ipv4.dns 'x.x.x.x'
    # nmcli connection modify br0 ipv4.dns-search 'example.com'
    # nmcli connection modify br0 ipv4.method manual

B.5 Installing the Audit Vault Server on the ODA VM Instance

Learn how to install the Audit Vault Server or Database Firewall on the ODA VM instance.

The ODA VM instance was installed following the steps in the previous topic.

At a high level, follow these steps to install Audit Vault Server or Database Firewall on the ODA VM instance:

  1. Create a storage pool to upload ISO files.
  2. Create a storage pool for installing Audit Vault Server.
  3. Create a KVM guest instance.
  4. Install the Audit Vault Server.

Follow these steps to create a storage pool in the ODA VM instance to upload Oracle AVDF ISO files:

  1. Connect to the Virtual Machine using the VNC Viewer as root user.
  2. Open a terminal and launch the virt-manager.
  3. Right click on QEMU/KVM. Choose Details, and then select the Storage tab.
  4. In the Storage tab of the virt-manager, click the plus button in the bottom left corner.
  5. Provide a Name from which you can quickly identify that it is for the installable ISO file.
  6. Select the Type of the storage pool. For example: dir: Filesystem Directory.
  7. Provide the Target Path. It is the directory where the Audit Vault Server ISO files will be stored. For example: /u01/source/av.
  8. Click Finish.
  9. The newly created storage pool appears on the left hand side. Select the pool.
  10. Copy or move the ISO file to this storage pool.

Follow these steps to create a storage pool for installing Audit Vault Server or Database Firewall. The appliance is installed on the storage pool.

  1. Connect to the Virtual Machine with VNC Viewer as the root user.
  2. Open a terminal and launch virt-manager.
  3. Right-click on QEMU/KVM. Then choose Details and select the Storage tab.
  4. Click the plus button in the bottom left corner.
  5. Provide a Name.
  6. Select the Type of the storage pool. For example: dir: Filesystem Directory.
  7. Provide the Target Path. It is the directory where Audit Vault Server files are stored. For example: /u01/kvm/av.
  8. Click Finish.
  9. The new directory created appears on the left-hand side. Select the directory and then click the plus button next to Volumes.
  10. Enter the Name.
  11. Select the Format as qcow2.
  12. Specify the size in the Max Capacity field. This is for installing Audit Vault Server, which requires a minimum of 256 GB.
  13. Click Finish.
  14. The newly created entry appears in the table below the Volumes field. Verify that it is listed.

Follow these steps to create a KVM guest instance. KVM can be managed through the command line or GUI tools. In this document, the focus is on using the GUI tools. Use VNC console to connect to the ODA VM instance. Open the gnome-terminal and follow the steps or commands.

  1. Connect to the Virtual Machine with VNC Viewer as the root user.
  2. Open a terminal and launch virt-manager.
  3. Select File and select New Virtual Machine.
  4. Select the Local install media (ISO image or CDROM) option.
  5. In the next few steps, choose the options based on the configuration, which may differ. Select the Use ISO image option and click Browse to select the first ISO file.
  6. Deselect the checkbox Automatically detect operating system based on install media.
  7. Select Linux as the OS Type.
  8. Choose the Version. For example, Oracle Linux 7.7.
  9. Choose Memory and CPU settings based on the workload of the service used on this KVM guest virtual machine. For example, 16384 MB as Memory (RAM) and CPUs as 4.
  10. Click Forward.
  11. Select the radio button Select or create custom storage.
  12. Enter the path of the storage pool created earlier. For example: /u01/kvm/av/av191.qcow2.
  13. In the New VM dialog, enter the Name.
  14. Select the Customize configuration before install field.
  15. Expand the Network selection area, and select the previously created bridge.
  16. Select virtio in the Device model field.
  17. Add the MAC address of the vNIC, and click Apply.
  18. Click VirtIO Disk1 on the left, and expand Advanced Options.
  19. Select SATA in the Disk bus field.
  20. Click IDE CDROM 1 on the left, and ensure the Source path has the correct ISO file.
  21. Select SATA in the Disk bus field.
  22. Click Begin Installation in the top left corner of the dialog.

The virtual machine starts the installation and detects the vNIC network device attached to the virtual machine. The installation takes approximately one hour to complete. See Installing Audit Vault Server or Database Firewall for more information.

  1. The system boots, and the initial splash screen appears. This indicates the Oracle AVDF release is being installed.
  2. Enter the new root user password when prompted for change. Enter the same password when prompted for confirmation.
  3. See Post-Install Configuration Tasks for more information on the installation passphrase used for initial log in to the Audit Vault Server console.
  4. When prompted to insert the installation ISO again to continue, go to the KVM console.
  5. Click View and then Details.
  6. Click IDE CDROM1 on the left. In the Source path field, click Connect to specify the ISO file path.
  7. Select the Image Location option and click Browse to navigate and select the ISO file.
  8. Click Choose Volume.
  9. Click the terminal icon to switch to the installation console.
  10. Log in as root user to continue with the installation.
  11. Select the default network interface. Ensure the MAC address is correct.
  12. Set up the network configuration by entering the following fields:

    • IP address: Enter the IP address that is used for Audit Vault Server installation.

    • Network mask

    • Gateway: Enter the IP address of the network interface if a gateway is required. Else, clear the field before saving.

  13. Press the Tab key to navigate to the OK button, and press the Enter button. The installation begins and may take up to two hours to complete.
  14. A confirmation message is displayed on the screen after the installation is completed. Click OK.
  15. In the host VM instance, open a web browser. Enter https://<VM Private IP address of the vNIC assigned to Oracle AVDF VM>/console.
  16. Choose to accept and continue to connect to the Audit Vault Server console.
  17. Enter the password chosen earlier to log in.
  18. When prompted, enter the user name of the super administrator and super auditor. Set the repository encryption password, support user password (for SSH access to VM), root user password (for root privilege on the VM). See Accessing the Audit Vault Server Post-Install Configuration Page for more information.
  19. Expand the Time Setup region, and select Use NTP. Enter Server 1 IP address and click Test Server.

    Note: A time difference between the Audit Vault Server and the target negatively impacts audit collection.

  20. Check the network connectivity between the Audit Vault Server and targets by using ICMP ping. If all the previous steps were correctly performed, the Audit Vault Server and targets will connect with each other.

B.6 Installing the Database Firewall on the ODA VM Instance

Learn how to install the Database Firewall on ODA (Oracle Database Appliance) VM instance.

Follow the same steps documented in the previous section, Installing the Audit Vault Server on the ODA VM Instance, but point to the Database Firewall ISO.

After the Database Firewall VM is ready, follow these additional steps to register the Database Firewall:

  1. Register the Database Firewall in the Audit Vault Server console. See Specifying the Audit Vault Server Certificate and IP Address for more information.
  2. Log in to the Audit Vault Server console as an administrator.
  3. Click the Settings tab.
  4. Click the Security tab in the left navigation menu.
  5. Click the Certificate tab on the main page, and then click the Server Certificate sub tab. The server's certificate is displayed.
  6. Copy the server's certificate.
  7. Connect to the Database Firewall server through SSH as a support user.
  8. Switch to root user:
    su - root
  9. Copy the certificate of the Audit Vault Server into a file: vi /root/certif_avs.crt.
  10. Run the following command to associate the primary Audit Vault Server to the Database Firewall:
    cat /root/certif_avs.crt | /opt/avdf/config-utils/bin/config-avs set avs=primary address=<IP address of the primary AVS> certificate=<Path of the certificate>
  11. Run the following command to synchronize the system clocks of Database Firewall Server with the Audit Vault Server:
    /opt/avdf/config-utils/bin/config-ntp set servers=<Comma separated IP addresses or hostnames of NTP servers> sync_on_save=true enabled=true
  12. In the Audit Vault Server console, navigate to the Database Firewalls tab.
  13. Click Register.
  14. Enter a Name and IP Address in the dialog.
  15. Click Save. The Database Firewall instance is registered and is displayed in the list.