7 Upgrading Oracle Audit Vault and Database Firewall from Release 12.2 to Release 20

If you're on Oracle Audit Vault and Database Firewall (Oracle AVDF) release 12.2, you can upgrade to release 20 to maintain support and access the latest features and bug fixes.

If you're already on Oracle AVDF release 20, see Patching Oracle Audit Vault and Database Firewall Release 20 to apply the latest release updates.

Note:

This chapter uses the terms update and upgrade interchangeable.

7.1 About Upgrading Oracle Audit Vault and Database Firewall

Follow these guidelines for upgrading Oracle Audit Vault and Database Firewall (Oracle AVDF) release 12.2 to release 20.

Use the following high-level process to upgrade Oracle AVDF:

  1. Download the files from My Oracle Support.
  2. Complete the pre-update tasks, such as creating a backup.
  3. Update the Audit Vault Servers.
  4. Verify that Audit Vault Agents and Host Monitor Agents were updated automatically.
  5. Update the Database Firewalls.
  6. Complete the post-update tasks, such as confirming that the update was successful.

Note:

  • To upgrade Oracle AVDF from release 12.2 to release 20.9 or later, first upgrade to release 20.8 and then apply the latest release update (RU) patch.
  • If you're on Oracle AVDF 12.2.0.0.0 to 12.2.0.8.0, upgrade to release 12.2.0.9.0 before upgrading to release 20.

    You can perform a single backup operation before performing the first upgrade.

  • If you've deployed Database Firewall In-line Bridge mode in release 12.2, follow the instructions in Change the Database Firewall In-line Bridge to an Equivalent Proxy Configuration.
  • If you have a large amount of event data, maintain sufficient disk space of about 5% of the total event log data size.

    If you have both HDD and SAN storage, then maintain the necessary disk space on either HDD or SAN. Each disk group (EVENTDATA, SYSTEMDATA, and RECOVERY) should have at least 20% available space.

7.2 Upgrading from Oracle AVDF 12.2 to Release 20.8

Follow this process to upgrade Oracle Audit Vault and Database Firewall (Oracle AVDF) from release 12.2 to release 20.8.

7.2.1 Download the Files

To patch or upgrade Oracle Audit Vault and Database firewall (Oracle AVDF), you need to download files from My Oracle Support.

  1. Go to My Oracle Support and sign in.
  2. Click the Patches & Updates tab.
  3. Use the Patch Search box to search for the patch.
    1. Click the Product or Family (Advanced) link on the left.
    2. In the Product field, enter Audit Vault and Database Firewall.
    3. In the Release field, select the latest Oracle AVDF release from the drop-down list.
    4. Click Search.
  4. In the Patch Name column of the search results, click the link for the latest bundle patch.

7.2.2 Pre-update Tasks

Before updating Oracle Audit Vault and Database Firewall (Oracle AVDF) to the latest release, complete the prerequisite tasks, such as performing a backup.

Note:

If Audit Vault Agent is running on a Windows machine, close all the agent-related directories and open files before updating Oracle AVDF.
7.2.2.1 Migrate Host Monitor Agent on Windows

If you're on Oracle Audit Vault and Database Firewall (Oracle AVDF) release 12.2 and you use Host Monitoring on Windows, then update the Npcap and OpenSSL libraries on Windows before upgrading to Oracle AVDF release 20.

Complete the following tasks:

7.2.2.2 Back Up the Current Oracle Audit Vault and Database Firewall Installation

Before updating Oracle Audit Vault and Database Firewall (Oracle AVDF) to the latest release, back up the Audit Vault Server.

See Backing Up and Restoring the Audit Vault Server for complete information.

If your current Audit Vault Server is installed on a virtual machine (VM), such as Oracle VM or VMWare, Oracle recommends that you take a VM snapshot before starting the update process.

7.2.2.3 Set the Host Monitor Agent and Audit Vault Agent TLS Version

If your current Oracle Audit Vault and Database Firewall (Oracle AVDF) 12.2 deployment has Host Monitor Agents or Audit Vault Agents on AIX and you're upgrading to Oracle AVDF 20.4 or later, set the TLS version to TLS 1.1 before upgrading.

If you're upgrading from Oracle AVDF 12.2.0.11.0 and earlier and you've deployed Host Monitor Agents (or Audit Vault Agents on AIX) with the default version of TLS 1.2, the Host Monitor Agents (or Audit Vault Agents on AIX) do not upgrade automatically.

For Oracle AVDF 12.2.0.12.0 and later, this issue only affects Audit Vault Agents on AIX.

To prevent this issue, run the following command before upgrading:

ruby /usr/local/dbfw/bin/upgrade/configure_tls_settings.rb 2

Note:

After upgrading, set the TLS level to Level-4. See Post Upgrade TLS Security Hardening for more information.
7.2.2.4 Ensure That the System Has Sufficient Space to Purge the Alert Queue

If the system doesn't have sufficient space to purge the alert queue, you'll receive an error when you run the pre-upgrade RPM during the process of updating Oracle Audit Vault and Database Firewall (Oracle AVDF).

Follow these steps to prevent this issue:

  1. Log in to the Audit Vault Server through SSH and switch to the root user.

    See Logging In to Oracle AVDF Appliances Through SSH.

  2. Unlock the avsys user.

    See Unlocking the AVSYS User.

    Note:

    Remember to relock the avsys account when you've completed this task.
  3. Exit back to root.
  4. Switch to the oracle user.

    su - oracle
  5. Start SQL*Plus as the avsys user.

    sqlplus avsys
  6. Enter the password at the prompt.

  7. Run the following SQL query:

    declare object_exist exception; pragma exception_init(object_exist, -24002); po dbms_aqadm.aq$_purge_options_t;
    begin po.block := FALSE; dbms_aqadm.purge_queue_table('AVSYS.AV_ALERT_QT', NULL, po);
    exception when object_exist then null; end;/
  8. Exit back to root.

    exit
  9. Lock the avsys user.

    See Locking the AVSYS User.

7.2.2.5 Release Existing Tablespaces That Are Retrieved Manually

If you're updating to Oracle Audit Vault and Database Firewall (Oracle AVDF) release 20.1 through 20.3, release all the existing tablespaces that were retrieved manually. This procedure is performed automatically if you're updating to Oracle AVDF release 20.4 or later.

The following steps are only applicable for AVDF 20.1 - 20.3.

If you don't release the existing tablespaces, the following situations could occur:

  • The update might fail, resulting in an error.
  • New indexes might not be created after the update because space can't be allocated.

To manually release the tablespaces, follow these steps:

  1. Log in to the Audit Vault Server console as a super administrator.

  2. Click the Settings tab.

  3. Click Archiving in the left navigation menu.

  4. Click the Retrieve subtab.

    The page lists all the retrieved tablespaces.

  5. Select and release all the tablespaces.

7.2.2.6 Preserve File Customizations

Preserve customizations that have been applied to configuration files before upgrading to Oracle Audit Vault and Database Firewall (Oracle AVDF) release 20.

The upgrade erases all custom changes that have been made to system configuration files. Oracle recommends that you back up any required changes that you need to transfer to the upgraded system.

To preserve file customizations:

  • Create your own custom configuration file. See the Oracle Linux documentation for details.
  • Move any rules to a custom configuration file before performing the upgrade process.
  • Synchronize the time between the Database Firewalls and Audit Vault Servers.

    If the system clocks for the Database Firewalls and Audit Vault Servers are not synchronized, then you may see a certificate error after the upgrade. After the upgrade, check the appliance diagnostics output to ensure that everything is marked OK in green. The diagnostic failures are marked FAILED in red.

  • To configure the time for Database Firewalls, see Setting the Date and Time in Oracle Database Firewall.
7.2.2.7 Ensure That the Boot Device Is Less Than 2 TB

If the boot device is greater than 2 TB, you'll receive an error when you run the pre-upgrade RPM during the process of upgrading Oracle Audit Vault and Database Firewall (Oracle AVDF).

Boot Device Is Greater Than 2 TB When Upgrading the Audit Vault Server

Follow these steps if the boot device is greater than 2 TB when upgrading the Audit Vault Server:

  1. Stop all trails and monitoring points.
  2. Stop all Audit Vault Agents and shut down all Database Firewall servers.
  3. Back up the system.
  4. Choose a server that has at least one hard disk that is less than 2 TB.
  5. Install the same bundle patch version of Audit Vault Server on release 12.2.
  6. Configure the system to boot in BIOS mode.
  7. Restore from the backup. Use the same IP address and ensure that the system is up.
  8. Upgrade the Audit Vault Server to release 20 using the documented upgrade process.

Boot Device Is Greater Than 2 TB When Upgrading a Database Firewall That Was Added to the Audit Vault Server Before Release 12.2.0.1.0

  1. Reset the Database Firewall.

    1. Log in to the Audit Vault Server console as an administrator.
    2. Click Reset Firewall to update all the settings on the Audit Vault Server.
  2. Choose a server that has at least one hard disk that is less than 2 TB.
  3. Install the same bundle patch version of Database Firewall on release 12.2.
  4. Configure the system to boot in BIOS mode.
  5. Log in to the Audit Vault Server console as an administrator.
  6. Configure the Database Firewall instance.
  7. Specify the Audit Vault Server certificate and IP address on the new Database Firewall instance.
  8. Click the Database Firewalls tab.

    The status of the newly installed Database Firewall instance is Down (red).

  9. Click the name of the specific Database Firewall instance.
  10. Click Update Certificate, and wait for the page to load.

    The status of the Database Firewall instance is Up (green).

  11. Click Reset Firewall.
  12. Click OK.
  13. Check the status of this operation in the Jobs dialog box.
    1. Click the Settings tab.
    2. Click System in the left navigation menu.
    3. Click the Jobs link in the Monitoring section.

      The job type is Reset Firewall.

  14. Click the Job Details page icon on the left.

    If the job has failed, a message appears in the Job Status Details dialog box. If the job is successful, then it displays the completion time.

Boot Device Is Greater Than 2 TB When Upgrading a Database Firewall on Oracle AVDF 12.2.0.2.0 or Later

  1. Choose a server that has at least one hard disk that is less than 2 TB.
  2. Install the same bundle patch version of Database Firewall on release 12.2.
  3. Configure the system to boot in BIOS mode.
  4. Log in to the Audit Vault Server console as an administrator.
  5. Configure the Database Firewall instance.
  6. Specify the Audit Vault Server certificate and IP address on the new Database Firewall instance.
  7. Click the Database Firewalls tab.

    The status of the newly installed Database Firewall instance is Down (red).

  8. Click the name of the specific Database Firewall instance.
  9. Click Update Certificate, and wait for the page to load.

    The status of the Database Firewall instance is Up (green).

  10. Click Reset Firewall.
  11. Click OK.
  12. Check the status of this operation in the Jobs dialog box.
    1. Click the Settings tab.
    2. Click System in the left navigation menu.
    3. Click the Jobs link in the Monitoring section.

      The job type is Reset Firewall.

  13. Click the Job Details page icon on the left.

    If the job has failed, a message appears in the Job Status Details dialog box. If the job is successful, then it displays the completion time.

7.2.2.8 Ensure That the Boot Partition Has at Least 500 MB

If the boot partition has less than 500 MB, you'll receive an error when you run the pre-upgrade RPM during the process of updating Oracle Audit Vault and Database Firewall (Oracle AVDF).

Insufficient Space in the Boot Partition When Upgrading the Audit Vault Server

Follow these steps if there is insufficient space in the boot partition when upgrading the Audit Vault Server:

  1. Stop all trails and monitoring points.
  2. Stop all Audit Vault Agents and shut down all Database Firewall servers.
  3. Back up of the system.
  4. Install the same bundle patch version of Audit Vault Server on release 12.2.

    This creates the /boot partition with 500 MB.

  5. Restore from the backup. Use the same IP address and ensure that the system is up.
  6. Upgrade Audit Vault Server to release 20 using the documented upgrade process.

Insufficient Space in the Boot Partition When Upgrading a Database Firewall

Follow these steps if there is insufficient space in the boot partition when upgrading a Database Firewall:

  1. If the Database Firewall was added to the Audit Vault Server before release 12.2.0.1.0, reset the Database Firewall.

    1. Log in to the Audit Vault Server console as an administrator.
    2. Click Reset Firewall to update all the settings on the Audit Vault Server.
  2. Install the same bundle patch version of Database Firewall on release 12.2. This creates the /boot partition with 500 MB.
  3. Log in to the Audit Vault Server console as an administrator.
  4. Configure the Database Firewall instance.
  5. Specify the Audit Vault Server certificate and IP address on the new Database Firewall instance.
  6. Click the Database Firewallstab.

    The status of the newly installed Database Firewall instance is Down (red).

  7. Click the name of the specific Database Firewall instance.
  8. Click Update Certificate, and wait for the page to load.

    The status of the Database Firewall instance is Up (green).

  9. Click Reset Firewall.
  10. Click OK.
  11. Check the status of this operation in the Jobs dialog box.
    1. Click the Settings tab.
    2. Click System in the left navigation menu.
    3. Click the Jobs link in the Monitoring section.

      The job type is Reset Firewall.

  12. Click the Job Details page icon on the left.

    If the job has failed, a message appears in the Job Status Details dialog box. If the job is successful, then it displays the completion time.

  13. Check the overall health status of the Database Firewall instance.
    1. Click the Database Firewalls tab.
    2. Click the name of the specific instance.
    3. Click the Health Indicators link in the Diagnostics section.
  14. Expand the Certificates section.

    Check the message about certificate validation failure, and take appropriate action.

  15. Expand the Database Firewall Monitoring section and ensure that all statuses are green.
  16. Click Close.
7.2.2.9 Verify That the SYS User Is Unlocked and the Password Is Not Expired

If the sys password has expired or the sys user is locked, you'll receive an error when you run the pre-upgrade RPM during the process of updating Oracle Audit Vault and Database Firewall (Oracle AVDF).

To prevent this issue, update the sys user on the primary and standby systems.

  1. Perform the following steps on both the primary and standby systems:
    1. Log in to the Audit Vault Server through SSH and switch to the root user.

      See Logging In to Oracle AVDF Appliances Through SSH.

    2. As the root user, run the following command:
      systemctl stop monitor
    3. Check for any observerctl processes running and stop them.
      ps -elf | grep observerctl
      kill -9 <PID of observerctl>
    4. Check for any dgmgrl processes running and stop them.
      ps -elf | grep dgmgrl
      kill -9 <PID of dgmgrl>
  2. Update the primary system.
    1. Log in to the primary Audit Vault Server through SSH and switch to the root user.

      See Logging In to Oracle AVDF Appliances Through SSH.

    2. Switch to the oracle user.

      su - oracle
    3. Start SQL*Plus by entering the following command:

      sqlplus / as sysdba
    4. Enter the following command:

      select avsys.secutil.gen_rand_pwd(30) as pwd from dual

      Note:

      Use this password in all steps that require a password on both primary and standby systems.
    5. Enter the following commands:

      alter user sys identified by <password_from_step_1d_above> account unlock;
      ALTER SYSTEM SWITCH LOGFILE;
    6. Exit back to the oracle user.
    7. As the oracle user, enter the following commands:

       mkstore -wrl /var/lib/oracle/dbfw/network/admin/observer/ -modifyCredential DBFWDB_HA2_DGMGRL SYS <password_from_step_1d>
      mkstore -wrl /var/lib/oracle/dbfw/network/admin/observer/ -modifyCredential DBFWDB_HA1_DGMGRL SYS <password_from_step_1d>
      mkstore -wrl /var/lib/oracle/dbfw/network/admin/observer/ -modifyCredential DBFWDB_HA1 SYS <password_from_step_1d>
      mkstore -wrl /var/lib/oracle/dbfw/network/admin/observer/ -modifyCredential DBFWDB_HA2 SYS <password_from_step_1d>
    8. Securely copy the file to the standby system by entering the following command:

      scp /var/lib/oracle/dbfw/dbs/orapwdbfwdb support@<standby IP>:~/
  3. Update the standby system.

    1. Log in to the standby Audit Vault Server through SSH and switch to the root user.

      See Logging In to Oracle AVDF Appliances Through SSH.

    2. Ensure that the new file permissions are the same as the original file.
    3. Switch to the oracle user.

      su - oracle
    4. Enter the following commands:

      mkstore -wrl /var/lib/oracle/dbfw/network/admin/observer/ -modifyCredential DBFWDB_HA2_DGMGRL SYS <password_from_step_1d>
      mkstore -wrl /var/lib/oracle/dbfw/network/admin/observer/ -modifyCredential DBFWDB_HA1_DGMGRL SYS <password_from_step_1d>
      mkstore -wrl /var/lib/oracle/dbfw/network/admin/observer/ -modifyCredential DBFWDB_HA1 SYS <password_from_step_1d>
      mkstore -wrl /var/lib/oracle/dbfw/network/admin/observer/ -modifyCredential DBFWDB_HA2 SYS <password_from_step_1d>
  4. Enter the following commands as the root user on both primary and standby systems:

    systemctl stop monitor
    systemctl stop dbfwlistener
    systemctl stop dbfwdb
    systemctl start dbfwdb
    systemctl start dbfwlistener
    systemctl start monitor
  5. Enter the following command as the oracle user on both primary and standby systems:

    /usr/local/dbfw/bin/observerctl --start

7.2.3 Update the Audit Vault Server

Update the Audit Vault Server before you update the Audit Vault Agents and Database Firewalls.

Note:

In this section, the word appliance refers to the Audit Vault Server.

7.2.3.1 Update a Standalone Audit Vault Server

Follow this process to update a standalone Audit Vault Server that is not paired in a high availability environment.

  1. Stop all audit trails.
  2. Run the pre-upgrade RPM.
  3. Transfer the ISO file to the appliance.
  4. Start the update script.
  5. Restart the appliance.

Note:

When the appliance restarts, the update process continues. This takes several hours to complete on Audit Vault Servers. Don't restart the system while this is in progress.

Update Notes

  • If you have existing targets for which you ran Oracle Audit Vault and Database Firewall (Oracle AVDF) setup scripts to set user privileges (for example, for stored procedure auditing), no further action is required to update those privileges after you update Audit Vault Servers.

    Check the Oracle AVDF release notes to find out if you need to rerun the setup scripts because they've changed.
  • When updating from Oracle AVDF 12.2 to release 20.1-20.8, password hashing has been upgraded to a more secure standard. This change affects the operating system passwords (support and root). Change your passwords after you update Audit Vault Servers to take advantage of the more secure hash.

7.2.3.1.1 Stop All Audit Trails

Stop all audit trails before updating the Audit Vault Server.

  1. Log into the Audit Vault Server console as an administrator.
  2. Click the Targets tab.
  3. Click Audit Trails in the left navigation menu.
  4. Select all audit trails.
  5. Click Stop.
7.2.3.1.2 Run the Pre-upgrade RPM

Run the pre-upgrade RPM to check for the required space in the file system and prepare the system for updating.

Note:

The patching process uses the same pre-upgrade RPM as the upgrade process, although patching involves a smaller subset of tasks compared to a full upgrade.

The pre-upgrade RPM performs the following tasks to prepare the system for updating:

  • Rearranges free space on the appliance so that there's enough room to copy the patch files to the appliance and start the installation. After the update, the space for the patch files is returned to the file system.
  • Starting with updates from Oracle AVDF 20.9 to Oracle AVDF 20.10 and later, verifies that the Audit Vault Agents and Host Monitor Agents are compatible with the new version of the Audit Vault Server. For example, it verifies that agent host machines have compatible operating system and Java versions.
  • Verifies that other prerequisites and platform conditions are met before the update.
  • Prepares the system for updating by creating the /var/dbfw/upgrade directory with enough space to hold the main ISO file for the update.

To run the pre-upgrade RPM, follow these steps:

  1. Log in to the appliance through SSH and switch to the root user.

    See Logging In to Oracle AVDF Appliances Through SSH.

  2. Run the screen command as the root user.

    The screen command prevents network disconnections from interrupting the update. If the session terminates, resume by switching to the root user and then running the screen -r command.

  3. Change to the root directory.

    cd /root
  4. Run the following command to copy the pre-upgrade RPM file from the downloaded location to the appliance:

    scp remote_host:/path/to/avdf-pre-upgrade-20.x.0.0.0.zip /root
  5. Verify the download by using a shasum of the avdf-pre-upgrade-20.x.0.0.0.zip file.

    sha256sum /root/avdf-pre-upgrade-20.x.0.0.0.zip
  6. Unzip the bundle.

    unzip /root/avdf-pre-upgrade-20.x.0.0.0.zip
  7. Run the following command to run the avdf-pre-upgrade-20.x.0.0.0-0_NNNNNN.NNNN.x86_64.rpm file:

    rpm -i /root/avdf-pre-upgrade-20.x.0.0.0-0_NNNNNN.NNNN.x86_64.rpm

    The following message appears:

    SUCCESS: The upgrade media can now be copied to '/var/dbfw/upgrade'.
    The upgrade can then be started by running: /usr/bin/avdf-upgrade
7.2.3.1.3 Transfer the ISO File to the Appliance

Transfer the avdf-upgrade-20.x.0.0.0.iso file to the appliance that you're updating.

  1. Log in to the appliance through SSH and switch to the root user.

    See Logging In to Oracle AVDF Appliances Through SSH.

  2. Copy the avdf-upgrade-20.x.0.0.0.iso file by using the following command:

    scp remote_host:/path/to/avdf-upgrade-20.x.0.0.0.iso /var/dbfw/upgrade
7.2.3.1.4 Start the Update Script

The update script mounts the ISO, changes to the correct working directory, runs the update process, and unmounts the ISO after the upgrade process is complete.

Note:

The system may take some time to complete the commands. Don't interrupt the update or the system may be left in an inconsistent state. For this reason, it is important to use a reliable and uninterruptible shell, such as a direct console login (or ILOM equivalent), or use the screen command to prevent network disconnections from interrupting the update.

  1. Log in to the appliance through SSH and switch to the root user.

    See Logging In to Oracle AVDF Appliances Through SSH.

  2. Run the screen command as the root user.

    The screen command prevents network disconnections from interrupting the update. If the session terminates, resume by switching to the root user and then running the screen -r command.

  3. Run the following command to perform the appropriate checks before updating:

    /usr/bin/avdf-upgrade
  4. Follow the system prompt, warning, and instruction to proceed with the update accordingly.

    You should see output like the following:

    Please wait while validating SHA256 checksum for /var/dbfw/upgrade/avdf-upgrade-20.x.0.0.0.iso 
    Checksum validation successful for /var/dbfw/upgrade/avdf-upgrade-20.x.0.0.0.iso 
    Mounting /var/dbfw/upgrade/avdf-upgrade-20.x.0.0.0.iso on /images 
    mount: /dev/loop0 is write-protected, mounting read-only 
    Successfully mounted /var/dbfw/upgrade/avdf-upgrade-20.x.0.0.0.iso on /images 
    
    The following messages have important information about the upgrade process. 
    
    Power loss during upgrade may cause data loss. Do not power off during upgrade. Please review Note ID 2235931.1 for a current list of known issues. 
    
    The upgrade process is irreversible, please confirm 'y' to continue or 'n' to abort. [y/N]?
  5. Enter y to proceed.

    You should see output like the following:

    The Oracle base has been set to /var/lib/oracle 
    Error: ORA-01034: ORACLE not available 
    ORA-27101: shared memory realm does not exist 
    Linux-x86_64 Error: 2: No such file or directory 
    Additional information: 4475 
    Additional information: 1990413931 
    The Oracle base has been set to /var/lib/oracle 
    Error: ORA-01034: ORACLE not available 
    ORA-27101: shared memory realm does not exist 
    Linux-x86_64 Error: 2: No such file or directory 
    Additional information: 4475 
    Additional information: 1990413931 
    Verifying upgrade preconditions 
    1/11: Mounting filesystems (1) 
    2/11: Cleaning yum configuration 
    3/11: Cleaning old packages and files 
    4/11: Upgrading kernel 
    5/11: Upgrading system 
    6/11: Cleaning platform packages repo 
    7/11: Adding required platform packages 
    8/11: Cleaning AVDF packages repo 
    9/11: Installing AVDF packages 
    10/11: Setting boot title 
    11/11: Setting final system status 
    Reboot now to continue the upgrade process. 
    Unmounted /var/dbfw/upgrade/avdf-upgrade-20.x.0.0.0.iso on /images 

    Note:

    The preceding output varies depending on the base installation level, appliance type, and configuration.
7.2.3.1.5 Restart the Appliance

After updating, restart the appliance and continue the update process.

  1. Log in to the appliance through SSH and switch to the root user.

    See Logging In to Oracle AVDF Appliances Through SSH.

  2. Restart the appliance. For example:

    reboot

    Note:

    When the appliance restarts, the update process continues. This takes several hours to complete on Audit Vault Servers and several minutes to complete on Database Firewalls. Don't restart the system while this is in progress.

  3. If you've updated a Database Firewall, it may have regenerated the appliance certificate. In this scenario, you need to reregister the Database Firewall. To check this:

    1. Log in to the Audit Vault Server console as an administrator.
    2. Click the Database Firewalls tab.

      In the left navigation menu, Database Firewalls is selected by default and the page displays a list of configured Database Firewall instances.

    3. Select the Database Firewall instance that indicates a certificate error after the update.
    4. Click Reset Firewall.
7.2.3.2 Update a Pair of Audit Vault Servers That Are Configured for High Availability

Follow this process to update a pair of Audit Vault Servers in a high availability environment.

Note:

Don't change the primary and standby roles before completing the update on both Audit Vault Servers.

Follow this process:

  1. Update the standby Audit Vault Server.

  2. After you reboot the standby Audit Vault Server, ensure that it is up and running before updating the primary Audit Vault Server.
  3. Stop the audit trails on the primary Audit Vault Server.
  4. Update the primary Audit Vault Server.

    After you reboot the primary Audit Vault Server and confirm that it's running, no additional reboot is needed. It's fully functional at this point.

7.2.3.2.1 Update the Standby Audit Vault Server

Use this procedure to update the standby Audit Vault Server in a high availability environment. Update the standby Audit Vault server first, then update the primary Audit Vault Server.

Follow this process:

  1. Check the failover status on the primary Audit Vault Server.
  2. Run the pre-upgrade RPM.
  3. Transfer the ISO file to the appliance.
  4. Start the update script.
  5. Restart the appliance.

Note:

When the appliance restarts, the update process continues. This takes several hours to complete on Audit Vault Servers. Don't restart the system while this is in progress.

7.2.3.2.1.1 Check the Failover Status on the Primary Audit Vault Server

Before running the pre-upgrade RPM in a high availability environment, check the failover status on the primary Audit Vault Server. If the failover status is STALLED, then wait for a while and check the status again. If the status doesn't change, then contact Oracle Support.

Follow these steps on the primary Audit Vault Server:

  1. Log in to the primary Audit Vault Server through SSH and switch to the root user.

    See Logging In to Oracle AVDF Appliances Through SSH.

  2. Switch to the oracle user.

    su - oracle
  3. Run the following command:

    /usr/local/dbfw/bin/setup_ha.rb --status
  4. Check the failover status in the output.

7.2.3.2.1.2 Run the Pre-upgrade RPM

Run the pre-upgrade RPM to check for the required space in the file system and prepare the system for updating.

Note:

The patching process uses the same pre-upgrade RPM as the upgrade process, although patching involves a smaller subset of tasks compared to a full upgrade.

The pre-upgrade RPM performs the following tasks to prepare the system for updating:

  • Rearranges free space on the appliance so that there's enough room to copy the patch files to the appliance and start the installation. After the update, the space for the patch files is returned to the file system.
  • Starting with updates from Oracle AVDF 20.9 to Oracle AVDF 20.10 and later, verifies that the Audit Vault Agents and Host Monitor Agents are compatible with the new version of the Audit Vault Server. For example, it verifies that agent host machines have compatible operating system and Java versions.
  • Verifies that other prerequisites and platform conditions are met before the update.
  • Prepares the system for updating by creating the /var/dbfw/upgrade directory with enough space to hold the main ISO file for the update.

To run the pre-upgrade RPM, follow these steps:

  1. Log in to the appliance through SSH and switch to the root user.

    See Logging In to Oracle AVDF Appliances Through SSH.

  2. Run the screen command as the root user.

    The screen command prevents network disconnections from interrupting the update. If the session terminates, resume by switching to the root user and then running the screen -r command.

  3. Change to the root directory.

    cd /root
  4. Run the following command to copy the pre-upgrade RPM file from the downloaded location to the appliance:

    scp remote_host:/path/to/avdf-pre-upgrade-20.x.0.0.0.zip /root
  5. Verify the download by using a shasum of the avdf-pre-upgrade-20.x.0.0.0.zip file.

    sha256sum /root/avdf-pre-upgrade-20.x.0.0.0.zip
  6. Unzip the bundle.

    unzip /root/avdf-pre-upgrade-20.x.0.0.0.zip
  7. Run the following command to run the avdf-pre-upgrade-20.x.0.0.0-0_NNNNNN.NNNN.x86_64.rpm file:

    rpm -i /root/avdf-pre-upgrade-20.x.0.0.0-0_NNNNNN.NNNN.x86_64.rpm

    The following message appears:

    SUCCESS: The upgrade media can now be copied to '/var/dbfw/upgrade'.
    The upgrade can then be started by running: /usr/bin/avdf-upgrade
7.2.3.2.1.3 Transfer the ISO File to the Appliance

Transfer the avdf-upgrade-20.x.0.0.0.iso file to the appliance that you're updating.

  1. Log in to the appliance through SSH and switch to the root user.

    See Logging In to Oracle AVDF Appliances Through SSH.

  2. Copy the avdf-upgrade-20.x.0.0.0.iso file by using the following command:

    scp remote_host:/path/to/avdf-upgrade-20.x.0.0.0.iso /var/dbfw/upgrade
7.2.3.2.1.4 Start the Update Script

The update script mounts the ISO, changes to the correct working directory, runs the update process, and unmounts the ISO after the upgrade process is complete.

Note:

The system may take some time to complete the commands. Don't interrupt the update or the system may be left in an inconsistent state. For this reason, it is important to use a reliable and uninterruptible shell, such as a direct console login (or ILOM equivalent), or use the screen command to prevent network disconnections from interrupting the update.

  1. Log in to the appliance through SSH and switch to the root user.

    See Logging In to Oracle AVDF Appliances Through SSH.

  2. Run the screen command as the root user.

    The screen command prevents network disconnections from interrupting the update. If the session terminates, resume by switching to the root user and then running the screen -r command.

  3. Run the following command to perform the appropriate checks before updating:

    /usr/bin/avdf-upgrade
  4. Follow the system prompt, warning, and instruction to proceed with the update accordingly.

    You should see output like the following:

    Please wait while validating SHA256 checksum for /var/dbfw/upgrade/avdf-upgrade-20.x.0.0.0.iso 
    Checksum validation successful for /var/dbfw/upgrade/avdf-upgrade-20.x.0.0.0.iso 
    Mounting /var/dbfw/upgrade/avdf-upgrade-20.x.0.0.0.iso on /images 
    mount: /dev/loop0 is write-protected, mounting read-only 
    Successfully mounted /var/dbfw/upgrade/avdf-upgrade-20.x.0.0.0.iso on /images 
    
    The following messages have important information about the upgrade process. 
    
    Power loss during upgrade may cause data loss. Do not power off during upgrade. Please review Note ID 2235931.1 for a current list of known issues. 
    
    The upgrade process is irreversible, please confirm 'y' to continue or 'n' to abort. [y/N]?
  5. Enter y to proceed.

    You should see output like the following:

    The Oracle base has been set to /var/lib/oracle 
    Error: ORA-01034: ORACLE not available 
    ORA-27101: shared memory realm does not exist 
    Linux-x86_64 Error: 2: No such file or directory 
    Additional information: 4475 
    Additional information: 1990413931 
    The Oracle base has been set to /var/lib/oracle 
    Error: ORA-01034: ORACLE not available 
    ORA-27101: shared memory realm does not exist 
    Linux-x86_64 Error: 2: No such file or directory 
    Additional information: 4475 
    Additional information: 1990413931 
    Verifying upgrade preconditions 
    1/11: Mounting filesystems (1) 
    2/11: Cleaning yum configuration 
    3/11: Cleaning old packages and files 
    4/11: Upgrading kernel 
    5/11: Upgrading system 
    6/11: Cleaning platform packages repo 
    7/11: Adding required platform packages 
    8/11: Cleaning AVDF packages repo 
    9/11: Installing AVDF packages 
    10/11: Setting boot title 
    11/11: Setting final system status 
    Reboot now to continue the upgrade process. 
    Unmounted /var/dbfw/upgrade/avdf-upgrade-20.x.0.0.0.iso on /images 

    Note:

    The preceding output varies depending on the base installation level, appliance type, and configuration.
7.2.3.2.1.5 Restart the Appliance

After updating, restart the appliance and continue the update process.

  1. Log in to the appliance through SSH and switch to the root user.

    See Logging In to Oracle AVDF Appliances Through SSH.

  2. Restart the appliance. For example:

    reboot

    Note:

    When the appliance restarts, the update process continues. This takes several hours to complete on Audit Vault Servers and several minutes to complete on Database Firewalls. Don't restart the system while this is in progress.

  3. If you've updated a Database Firewall, it may have regenerated the appliance certificate. In this scenario, you need to reregister the Database Firewall. To check this:

    1. Log in to the Audit Vault Server console as an administrator.
    2. Click the Database Firewalls tab.

      In the left navigation menu, Database Firewalls is selected by default and the page displays a list of configured Database Firewall instances.

    3. Select the Database Firewall instance that indicates a certificate error after the update.
    4. Click Reset Firewall.
7.2.3.2.2 Stop All Audit Trails

Stop all audit trails before updating the Audit Vault Server.

  1. Log into the Audit Vault Server console as an administrator.
  2. Click the Targets tab.
  3. Click Audit Trails in the left navigation menu.
  4. Select all audit trails.
  5. Click Stop.
7.2.3.2.3 Update the Primary Audit Vault Server

To update the primary Audit Vault Server in a high availability environment, follow the same process that you used to update the standby Audit Vault Server.

7.2.4 Verify That Audit Vault Agents and Host Monitor Agents Were Automatically Updated

The Audit Vault Agents and Host Monitor Agents are automatically updated when you update the Audit Vault Server. However, some situations require manual updates.

Note:

During the Audit Vault Agent automatic update process, its status is UNREACHABLE. It may take as long as 45 minutes to return to the RUNNING state.

In the following situations you may need to update the Audit Vault Agents manually:

  • On Windows hosts, the Audit Vault Agent is updated automatically only if you've registered it as a Windows service and you've set this service to use the credentials of the OS user that originally installed the agent. See Additional Requirements for Starting Audit Vault Agent as a Service on Windows for more information.

    When you start the agent from the command line, the Audit Vault Agent does not automatically update. In this case, update the agent manually. For example:

    <agent_home>\bin\agentctl.bat stop

    Download the new agent.jar from the Audit Vault Server console and extract it using java -jar agent.jar from the agent_home of the existing agent. Then run the following command:

    <agent_home>\bin\agentctl.bat start

    Don't delete the existing agent_home directory.

  • When configuring the Audit vault Server for high availability, if the designated standby Audit Vault Server's agents were deployed before pairing, then manually download and deploy the agents again after pairing.

7.2.5 Update the Database Firewalls

After you update all Audit Vault Servers, update the Database Firewalls.

When you update Database Firewalls that are configured for high availability (a resilient pair), update both primary and standby Database Firewalls. Update the standby Database Firewall instance first. Restart the standby instance after the update. Swap the roles of the primary and standby Database Firewall instances in the high availability environment so that the existing standby instance becomes the primary instance. Update the standby (previous primary) Database Firewall instance.

For standalone Database Firewall instances, update all of them independently.

Note:

  • After updating to Oracle Audit Vault and Database Firewall (Oracle AVDF) release 20.3 or later, the status of some of the Database Firewall monitoring points may be Down.

    The Database Firewall policies that were created before the update are being migrated to the new format. This may take a few minutes. Navigate to the Jobs dialog box in the Audit Vault Server console and check the status of the Firewall post-upgrade actions job. If the background job fails, then deploy the Database Firewall policy by using the Audit Vault Server console only. Verify that the status of the Database Firewall monitoring points has changed to Up. Otherwise, start the monitoring point.

  • You can't perform the following operations until the Database Firewalls are updated:

    • Database Firewall policy deployment
    • New configurations or configuration changes
  • In this section, the word appliance refers to the Database Firewall.

7.2.5.1 Update a Standalone Database Firewall

Use this procedure to update a standalone Database Firewall that is not paired in a high availability environment.

Follow this process:

  1. Stop all Database Firewall monitoring points.
  2. Run the pre-upgrade RPM.
  3. Transfer the ISO file to the appliance.
  4. Start the update script.
  5. Restart the appliance.

Note:

When the appliance restarts, the update process continues. This takes several minutes to complete on Database Firewalls. Don't restart the system while this is in progress.

7.2.5.1.1 Stop All Database Firewall Monitoring Points

Stop all monitoring points before updating the Database Firewall.

  1. Log into the Audit Vault Server console as an administrator.
  2. Click the Database Firewalls tab.
  3. Click Database Firewall Monitoring in the left navigation menu.
  4. Select all monitoring points.
  5. Click Stop.
7.2.5.1.2 Run the Pre-upgrade RPM

Run the pre-upgrade RPM to check for the required space in the file system and prepare the system for updating.

Note:

The patching process uses the same pre-upgrade RPM as the upgrade process, although patching involves a smaller subset of tasks compared to a full upgrade.

The pre-upgrade RPM performs the following tasks to prepare the system for updating:

  • Rearranges free space on the appliance so that there's enough room to copy the patch files to the appliance and start the installation. After the update, the space for the patch files is returned to the file system.
  • Starting with updates from Oracle AVDF 20.9 to Oracle AVDF 20.10 and later, verifies that the Audit Vault Agents and Host Monitor Agents are compatible with the new version of the Audit Vault Server. For example, it verifies that agent host machines have compatible operating system and Java versions.
  • Verifies that other prerequisites and platform conditions are met before the update.
  • Prepares the system for updating by creating the /var/dbfw/upgrade directory with enough space to hold the main ISO file for the update.

To run the pre-upgrade RPM, follow these steps:

  1. Log in to the appliance through SSH and switch to the root user.

    See Logging In to Oracle AVDF Appliances Through SSH.

  2. Run the screen command as the root user.

    The screen command prevents network disconnections from interrupting the update. If the session terminates, resume by switching to the root user and then running the screen -r command.

  3. Change to the root directory.

    cd /root
  4. Run the following command to copy the pre-upgrade RPM file from the downloaded location to the appliance:

    scp remote_host:/path/to/avdf-pre-upgrade-20.x.0.0.0.zip /root
  5. Verify the download by using a shasum of the avdf-pre-upgrade-20.x.0.0.0.zip file.

    sha256sum /root/avdf-pre-upgrade-20.x.0.0.0.zip
  6. Unzip the bundle.

    unzip /root/avdf-pre-upgrade-20.x.0.0.0.zip
  7. Run the following command to run the avdf-pre-upgrade-20.x.0.0.0-0_NNNNNN.NNNN.x86_64.rpm file:

    rpm -i /root/avdf-pre-upgrade-20.x.0.0.0-0_NNNNNN.NNNN.x86_64.rpm

    The following message appears:

    SUCCESS: The upgrade media can now be copied to '/var/dbfw/upgrade'.
    The upgrade can then be started by running: /usr/bin/avdf-upgrade
7.2.5.1.3 Transfer the ISO File to the Appliance

Transfer the avdf-upgrade-20.x.0.0.0.iso file to the appliance that you're updating.

  1. Log in to the appliance through SSH and switch to the root user.

    See Logging In to Oracle AVDF Appliances Through SSH.

  2. Copy the avdf-upgrade-20.x.0.0.0.iso file by using the following command:

    scp remote_host:/path/to/avdf-upgrade-20.x.0.0.0.iso /var/dbfw/upgrade
7.2.5.1.4 Start the Update Script

The update script mounts the ISO, changes to the correct working directory, runs the update process, and unmounts the ISO after the upgrade process is complete.

Note:

The system may take some time to complete the commands. Don't interrupt the update or the system may be left in an inconsistent state. For this reason, it is important to use a reliable and uninterruptible shell, such as a direct console login (or ILOM equivalent), or use the screen command to prevent network disconnections from interrupting the update.

  1. Log in to the appliance through SSH and switch to the root user.

    See Logging In to Oracle AVDF Appliances Through SSH.

  2. Run the screen command as the root user.

    The screen command prevents network disconnections from interrupting the update. If the session terminates, resume by switching to the root user and then running the screen -r command.

  3. Run the following command to perform the appropriate checks before updating:

    /usr/bin/avdf-upgrade
  4. Follow the system prompt, warning, and instruction to proceed with the update accordingly.

    You should see output like the following:

    Please wait while validating SHA256 checksum for /var/dbfw/upgrade/avdf-upgrade-20.x.0.0.0.iso 
    Checksum validation successful for /var/dbfw/upgrade/avdf-upgrade-20.x.0.0.0.iso 
    Mounting /var/dbfw/upgrade/avdf-upgrade-20.x.0.0.0.iso on /images 
    mount: /dev/loop0 is write-protected, mounting read-only 
    Successfully mounted /var/dbfw/upgrade/avdf-upgrade-20.x.0.0.0.iso on /images 
    
    The following messages have important information about the upgrade process. 
    
    Power loss during upgrade may cause data loss. Do not power off during upgrade. Please review Note ID 2235931.1 for a current list of known issues. 
    
    The upgrade process is irreversible, please confirm 'y' to continue or 'n' to abort. [y/N]?
  5. Enter y to proceed.

    You should see output like the following:

    The Oracle base has been set to /var/lib/oracle 
    Error: ORA-01034: ORACLE not available 
    ORA-27101: shared memory realm does not exist 
    Linux-x86_64 Error: 2: No such file or directory 
    Additional information: 4475 
    Additional information: 1990413931 
    The Oracle base has been set to /var/lib/oracle 
    Error: ORA-01034: ORACLE not available 
    ORA-27101: shared memory realm does not exist 
    Linux-x86_64 Error: 2: No such file or directory 
    Additional information: 4475 
    Additional information: 1990413931 
    Verifying upgrade preconditions 
    1/11: Mounting filesystems (1) 
    2/11: Cleaning yum configuration 
    3/11: Cleaning old packages and files 
    4/11: Upgrading kernel 
    5/11: Upgrading system 
    6/11: Cleaning platform packages repo 
    7/11: Adding required platform packages 
    8/11: Cleaning AVDF packages repo 
    9/11: Installing AVDF packages 
    10/11: Setting boot title 
    11/11: Setting final system status 
    Reboot now to continue the upgrade process. 
    Unmounted /var/dbfw/upgrade/avdf-upgrade-20.x.0.0.0.iso on /images 

    Note:

    The preceding output varies depending on the base installation level, appliance type, and configuration.
7.2.5.1.5 Restart the Appliance

After updating, restart the appliance and continue the update process.

  1. Log in to the appliance through SSH and switch to the root user.

    See Logging In to Oracle AVDF Appliances Through SSH.

  2. Restart the appliance. For example:

    reboot

    Note:

    When the appliance restarts, the update process continues. This takes several hours to complete on Audit Vault Servers and several minutes to complete on Database Firewalls. Don't restart the system while this is in progress.

  3. If you've updated a Database Firewall, it may have regenerated the appliance certificate. In this scenario, you need to reregister the Database Firewall. To check this:

    1. Log in to the Audit Vault Server console as an administrator.
    2. Click the Database Firewalls tab.

      In the left navigation menu, Database Firewalls is selected by default and the page displays a list of configured Database Firewall instances.

    3. Select the Database Firewall instance that indicates a certificate error after the update.
    4. Click Reset Firewall.
7.2.5.2 Update a Pair of Database Firewalls That Are Configured for High Availability

Use this procedure to update a pair of Database Firewalls in a high availability environment.

Follow this process:

  1. Update the standby Database Firewall.
  2. After the standby Database Firewall has fully restarted, swap the standby Database Firewall so that it becomes the primary Database Firewall.
  3. Update the original primary (now standby) Database Firewall.
  4. (Optional) After the original primary Database Firewall has fully restarted, swap the Database Firewalls so they return to their original primary and standby roles.
7.2.5.2.1 Update the Standby Database Firewall

Use this procedure to update the standby Database Firewall in a high availability environment. Update the standby Database Firewall first, then swap this Database Firewall so that it becomes the primary Database Firewall. Then update the original primary (now standby) Database Firewall.

Follow this process:

  1. Stop all Database Firewall monitoring points.
  2. Run the pre-upgrade RPM.
  3. Transfer the ISO file to the appliance.
  4. Start the update script.
  5. Restart the appliance.

Note:

When the appliance restarts, the update process continues. This takes several minutes to complete on Database Firewalls. Don't restart the system while this is in progress.

7.2.5.2.1.1 Stop All Database Firewall Monitoring Points

Stop all monitoring points before updating the Database Firewall.

  1. Log into the Audit Vault Server console as an administrator.
  2. Click the Database Firewalls tab.
  3. Click Database Firewall Monitoring in the left navigation menu.
  4. Select all monitoring points.
  5. Click Stop.
7.2.5.2.1.2 Run the Pre-upgrade RPM

Run the pre-upgrade RPM to check for the required space in the file system and prepare the system for updating.

Note:

The patching process uses the same pre-upgrade RPM as the upgrade process, although patching involves a smaller subset of tasks compared to a full upgrade.

The pre-upgrade RPM performs the following tasks to prepare the system for updating:

  • Rearranges free space on the appliance so that there's enough room to copy the patch files to the appliance and start the installation. After the update, the space for the patch files is returned to the file system.
  • Starting with updates from Oracle AVDF 20.9 to Oracle AVDF 20.10 and later, verifies that the Audit Vault Agents and Host Monitor Agents are compatible with the new version of the Audit Vault Server. For example, it verifies that agent host machines have compatible operating system and Java versions.
  • Verifies that other prerequisites and platform conditions are met before the update.
  • Prepares the system for updating by creating the /var/dbfw/upgrade directory with enough space to hold the main ISO file for the update.

To run the pre-upgrade RPM, follow these steps:

  1. Log in to the appliance through SSH and switch to the root user.

    See Logging In to Oracle AVDF Appliances Through SSH.

  2. Run the screen command as the root user.

    The screen command prevents network disconnections from interrupting the update. If the session terminates, resume by switching to the root user and then running the screen -r command.

  3. Change to the root directory.

    cd /root
  4. Run the following command to copy the pre-upgrade RPM file from the downloaded location to the appliance:

    scp remote_host:/path/to/avdf-pre-upgrade-20.x.0.0.0.zip /root
  5. Verify the download by using a shasum of the avdf-pre-upgrade-20.x.0.0.0.zip file.

    sha256sum /root/avdf-pre-upgrade-20.x.0.0.0.zip
  6. Unzip the bundle.

    unzip /root/avdf-pre-upgrade-20.x.0.0.0.zip
  7. Run the following command to run the avdf-pre-upgrade-20.x.0.0.0-0_NNNNNN.NNNN.x86_64.rpm file:

    rpm -i /root/avdf-pre-upgrade-20.x.0.0.0-0_NNNNNN.NNNN.x86_64.rpm

    The following message appears:

    SUCCESS: The upgrade media can now be copied to '/var/dbfw/upgrade'.
    The upgrade can then be started by running: /usr/bin/avdf-upgrade
7.2.5.2.1.3 Transfer the ISO File to the Appliance

Transfer the avdf-upgrade-20.x.0.0.0.iso file to the appliance that you're updating.

  1. Log in to the appliance through SSH and switch to the root user.

    See Logging In to Oracle AVDF Appliances Through SSH.

  2. Copy the avdf-upgrade-20.x.0.0.0.iso file by using the following command:

    scp remote_host:/path/to/avdf-upgrade-20.x.0.0.0.iso /var/dbfw/upgrade
7.2.5.2.1.4 Start the Update Script

The update script mounts the ISO, changes to the correct working directory, runs the update process, and unmounts the ISO after the upgrade process is complete.

Note:

The system may take some time to complete the commands. Don't interrupt the update or the system may be left in an inconsistent state. For this reason, it is important to use a reliable and uninterruptible shell, such as a direct console login (or ILOM equivalent), or use the screen command to prevent network disconnections from interrupting the update.

  1. Log in to the appliance through SSH and switch to the root user.

    See Logging In to Oracle AVDF Appliances Through SSH.

  2. Run the screen command as the root user.

    The screen command prevents network disconnections from interrupting the update. If the session terminates, resume by switching to the root user and then running the screen -r command.

  3. Run the following command to perform the appropriate checks before updating:

    /usr/bin/avdf-upgrade
  4. Follow the system prompt, warning, and instruction to proceed with the update accordingly.

    You should see output like the following:

    Please wait while validating SHA256 checksum for /var/dbfw/upgrade/avdf-upgrade-20.x.0.0.0.iso 
    Checksum validation successful for /var/dbfw/upgrade/avdf-upgrade-20.x.0.0.0.iso 
    Mounting /var/dbfw/upgrade/avdf-upgrade-20.x.0.0.0.iso on /images 
    mount: /dev/loop0 is write-protected, mounting read-only 
    Successfully mounted /var/dbfw/upgrade/avdf-upgrade-20.x.0.0.0.iso on /images 
    
    The following messages have important information about the upgrade process. 
    
    Power loss during upgrade may cause data loss. Do not power off during upgrade. Please review Note ID 2235931.1 for a current list of known issues. 
    
    The upgrade process is irreversible, please confirm 'y' to continue or 'n' to abort. [y/N]?
  5. Enter y to proceed.

    You should see output like the following:

    The Oracle base has been set to /var/lib/oracle 
    Error: ORA-01034: ORACLE not available 
    ORA-27101: shared memory realm does not exist 
    Linux-x86_64 Error: 2: No such file or directory 
    Additional information: 4475 
    Additional information: 1990413931 
    The Oracle base has been set to /var/lib/oracle 
    Error: ORA-01034: ORACLE not available 
    ORA-27101: shared memory realm does not exist 
    Linux-x86_64 Error: 2: No such file or directory 
    Additional information: 4475 
    Additional information: 1990413931 
    Verifying upgrade preconditions 
    1/11: Mounting filesystems (1) 
    2/11: Cleaning yum configuration 
    3/11: Cleaning old packages and files 
    4/11: Upgrading kernel 
    5/11: Upgrading system 
    6/11: Cleaning platform packages repo 
    7/11: Adding required platform packages 
    8/11: Cleaning AVDF packages repo 
    9/11: Installing AVDF packages 
    10/11: Setting boot title 
    11/11: Setting final system status 
    Reboot now to continue the upgrade process. 
    Unmounted /var/dbfw/upgrade/avdf-upgrade-20.x.0.0.0.iso on /images 

    Note:

    The preceding output varies depending on the base installation level, appliance type, and configuration.
7.2.5.2.1.5 Restart the Appliance

After updating, restart the appliance and continue the update process.

  1. Log in to the appliance through SSH and switch to the root user.

    See Logging In to Oracle AVDF Appliances Through SSH.

  2. Restart the appliance. For example:

    reboot

    Note:

    When the appliance restarts, the update process continues. This takes several hours to complete on Audit Vault Servers and several minutes to complete on Database Firewalls. Don't restart the system while this is in progress.

  3. If you've updated a Database Firewall, it may have regenerated the appliance certificate. In this scenario, you need to reregister the Database Firewall. To check this:

    1. Log in to the Audit Vault Server console as an administrator.
    2. Click the Database Firewalls tab.

      In the left navigation menu, Database Firewalls is selected by default and the page displays a list of configured Database Firewall instances.

    3. Select the Database Firewall instance that indicates a certificate error after the update.
    4. Click Reset Firewall.
7.2.5.2.2 Swap the Standby and Primary Database Firewalls

After updating the standby Database Firewall, swap the standby Database Firewall so that it becomes the primary Database Firewall. You can also swap the Database Firewalls back to their original roles after updating them both.

  1. Log into the Audit Vault Server console as an administrator.
  2. Click the Database Firewalls tab.
  3. Click High Availability in the left navigation menu.
  4. Select this resilient pair of Database Firewall instances.
  5. Click Swap.

7.2.5.2.3 Update the Original Primary (Now Standby) Database Firewall

To update the original primary (now standby) Database Firewall in a high availability environment, follow the same process that you used to update the original standby Database Firewall.

7.2.6 Post-update Tasks

After updating Oracle Audit Vault and Database Firewall (Oracle AVDF), complete these tasks to confirm the update process, enable required functionality, and resolve any remaining issues.

Note:

  • If you're updating Audit Vault Server to releases 20.1 through 20.3, then apply the Deprecated-Cipher-Removal.zip patch after updating.
  • If you're updating Audit Vault Server to release 20.4 and later, then apply the Deprecated-Cipher-Removal.zip patch only if you reduce the TLS level during the update.
7.2.6.1 Confirm the Update Process

Use these steps to verify that the update process was successful.

Successful Updates of Audit Vault Servers

  1. Verify that you can open the Audit Vault Server console without any issues.
  2. Verify that you can log in to the Audit Vault Server console as an administrator and an auditor without any issues.
  3. Verify that you can connect to the Audit Vault Server through SSH without any issues.
  4. Log in to the Audit Vault Server console as an administrator and check the following items:
    1. Click Settings tab, and then click System in the left navigation menu.
    2. Verify that the Audit Vault Server Version field displays the correct version of Audit Vault Server.
    3. Check the Uptime value.
    4. Ensure that Database Firewall log collection displays a green arrow pointing up.
    5. Ensure that Background Job displays a green arrow pointing up.
    6. Check the High Availability Status value.

Successful Updates of Audit Vault Agents

  1. Log in to the Audit Vault Server console as an administrator.
  2. Click the Agents tab.
  3. Verify that all Audit Vault agents have a status of RUNNING.
  4. Verify that the Agent Details column displays the correct version for each Audit Vault Agent.

Successful Updates of Database Firewalls

  1. Log in to the Audit Vault Server console as an administrator.
  2. Click the Database Firewalls tab.
  3. Verify that all Database Firewalls have a status of Up.
  4. Verify that the Version column displays the correct version for each Database Firewall.
  5. Click the link for a specific Database Firewall in the Name column.
  6. Verify that the Firewall Version field also displays the correct version.
  7. Click the Health Indicators link in the Diagnostics section and verify that all the health indicators must have a green mark.
  8. Close the dialog box.
  9. Click Database Firewall Monitoring in the left navigation menu.
  10. Verify that tall the monitoring points have a status of Up.

Unsuccessful Updates

The following symptoms indicate that an update has failed:

  • You're unable to open the Audit Vault Server console.
  • An SSH connection to the Audit Vault Server (or the terminal) displays an error that the update has failed.

Note:

Also review the system diagnostics for the current status and system log for any errors.
7.2.6.2 Post Upgrade TLS Security Hardening

If your previous Oracle Audit Vault and Database Firewall (Oracle AVDF) 12.2 deployment had Host Monitor Agents or Audit Vault Agents on AIX and you upgraded to Oracle AVDF 20.4 or later, then you set the TLS version to TLS 1.1 before upgrading. After upgrading, you should reset the TLS level.

If you set the TLS version to TLS 1.1 before upgrading, as discussed in the following topics, then the upgrade process did not automatically set the TLS level to Level-4:

After the update process is complete (including all agents), Oracle strongly recommends setting the TLS level to Level-4. See About Setting Transport Layer Security Levels for instructions.

7.2.6.3 Post Upgrade Agent User Security Hardening

When updating to Oracle Audit Vault and Database Firewall (Oracle AVDF) 20.9 or later, tighten the agent user privileges after all the agents have been updated.

  1. Confirm that all the agents have been updated.

    See Confirm the Update Process.

  2. Download the revoke_privileges.sql script (patch number 35303191) from My Oracle Support.
  3. Log in to the Audit Vault Server through SSH and switch to the root user.

    See Logging In to Oracle AVDF Appliances Through SSH.

  4. Unlock the avsys user.

    See Unlocking the AVSYS User.

    Note:

    Remember to relock the avsys account when you've completed this task.
  5. Transfer the downloaded revoke_privileges.sql script to the Audit Vault Server (for example, to /tmp).
  6. Start SQL*Plus as the avsys user.

    sqlplus avsys
  7. Enter the password at the prompt.

  8. Run the revoke_privileges.sql script.

    @<path to revoke_privileges.sql>

    For example, if you copied the file to /tmp, then enter @/tmp/revoke_privileges.sql.

  9. Exit back to root.

    exit
  10. Lock the avsys user.

    See Locking the AVSYS User.

7.2.6.4 Add Preexisting SQL Clusters to New Cluster Sets After Upgrading

After upgrading to Oracle Audit Vault and Database Firewall (Oracle AVDF) release 20, you can't add preexisting SQL clusters from release 12.2 to new cluster sets when creating new Database Firewall policies.

To resolve this issue, run the populate_cluster_job.sql script immediately after upgrading to Oracle AVDF release 20. This script resolves the issue in the event log table and you can create cluster sets based on the clusters that were generated before the upgrade to 20.1.

Note:

This issue occurs in Oracle AVDF 20.1 only. It is resolved in later releases.
  1. Download the populate_cluster_job.sql script from ARU or My Oracle Support.
  2. (Optional) Stop the Database Firewall monitoring points and other traffic.

    This is not required, but doing so makes the script run faster.

    See Starting, Stopping, or Deleting Database Firewall Monitoring Points.

  3. Log in to the Audit Vault Server through SSH and switch to the root user.

    See Logging In to Oracle AVDF Appliances Through SSH.

  4. Unlock the avsys user.

    See Unlocking the AVSYS User.

    Note:

    Remember to relock the avsys account when you've completed this task.
  5. Exit back to root.
  6. Switch to the oracle user.

    su - oracle
  7. Start SQL*Plus as the avsys user.

    sqlplus avsys
  8. Enter the password at the prompt.

  9. Run the following script:

    @<file path of the populate_cluster_job.sql script>

    The script runs in the background. The duration of the script is based on the traffic, and sometimes it takes longer.

  10. Check the status of the job.

    1. Log in to the Audit Vault Server console as an administrator.
    2. Click the Settings tab.
    3. Click System in the left navigation menu.
    4. Click Jobs.

      The status of the job type is Retrieve_clusters.

    5. If the script failed, repeat the preceding steps to run the script again.
  11. Exit back to root.

    exit
  12. Lock the avsys user.

    See Locking the AVSYS User.

7.2.6.5 Change the Database Firewall In-line Bridge to an Equivalent Proxy Configuration

The Database Firewall In-line Bridge deployment mode is desupported in Oracle AVDF release 20. If you have Database Firewall In-line Bridge mode deployed in release 12.2, you need to update your configuration to an equivalent proxy mode. The deprecation notice was issued in release 12.2.

Oracle Audit Vault and Database Firewall (Oracle AVDF) release 20 requires configuration changes to maintain network separation that was originally provided by a traffic source (bridge). The order of the network interface cards (NIC) and the components that are connected can't be determined.

Note:

A single proxy port is required for every target. A single proxy port can't service multiple target databases. Add more traffic proxy ports as required.

Complete this task if you meet the following conditions:

  • The current Database Firewall is on Oracle AVDF release 12.2.
  • The Database Firewall is currently deployed in monitoring (DAM) or blocking (DPE) mode with one or more traffic sources that are configured as a bridge.
  • You want to maintain your existing network segmentation.
  • The interfaces are used for monitoring only.
  • The default bridge device is created or repurposed to create the monitoring point services.

To update your configuration to an equivalent proxy mode:

  1. Complete the upgrade to Oracle AVDF release 20.

    After the upgrade, the NICs have the original bridge configuration.

  2. Log in to the Audit Vault Server console to check the current status of the Database Firewall network configuration.

    From the available Database Firewall configuration information, the network connections of the two interfaces that are used by the traffic source are not known.

  3. Determine the information of the network segment and the interfaces that plugged in by using a tool like ping.
  4. Determine which of the two NICs is the client-side NIC, make a note, and ensure that the device has a valid IP address and is up.

    Note:

    Be sure to add a valid proxy port for this interface. A default port number is created automatically.
  5. Determine which of the two NICs is the database-facing NIC, make a note, and ensure that the device has a valid IP address and is up.
  6. After collecting the required data and reviewing the Database Firewall configuration, ping the target addresses from the database-facing device.
  7. Enable one NIC at a time and attempt to ping the target addresses from the appliance.

    If you can't find any information on the first interface, then check on the second one. If the target addresses are not available, then try pinging the local gateway. This approach usually directs towards the clients.

    Assuming that no other network changes are made, the network mask remains the same.

    After you enable the NICs and incorporate the changes, the settings in the NET_SERVICE_MAP within the dbfw.conf file are similar to the following:

    NET_SERVICE_MAP="{"enp0s9":{"ip4":{"address":"192.0.2.21/24","gateway":"","enabled":true}},"enp0s10":{"ip4":{"address":"192.0.2.20/24","gateway":"","enabled":true}}}"
  8. Add the routes to the NET_SERVICE_MAP as follows.

    Routes are required so that the proxy can send the traffic between the clients and the database.

    NET_SERVICE_MAP="{"enp0s9":{"ip4":{"address":"192.0.2.21/24","gateway":"","enabled":true},'route':{'ip4route':['192.0.2.4/22 192.0.2.21',...]}},...}

    The routing requires a general range for the clients as follows:

    ip route add 192.0.2.21/24 via 192.0.2.20 dev enp0s10

    The routing range for the targets is as follows:

    ip route add 192.0.2.4 via 192.0.2.21 dev enp0s9
  9. Run the following command to apply all the settings:
    configure-networking
  10. Test the client connectivity with the database.
7.2.6.6 Enable Administrator Access to Existing Archive Locations

After updating Oracle Audit Vault and Database Firewall, the following new behavior applies to archive locations:

  • New archive locations are owned by the user with an administrator role who created them.
  • Users with the super administrator role can view all archive locations.
  • Only users with the super administrator role can access existing archive locations.

To give regular users with the administrator role access to existing archive locations, perform the following steps for each archive location:

  1. Log in to the Audit Vault Server through SSH and switch to the root user.

    See Logging In to Oracle AVDF Appliances Through SSH.

  2. Unlock the avsys user.

    See Unlocking the AVSYS User.

    Note:

    Remember to relock the avsys account when you've completed this task.
  3. Exit back to root.
  4. Start SQL*Plus as the avsys user.

    sqlplus avsys
  5. Enter the password at the prompt.

  6. Run the following commands:

    update avsys.archive_host set created_by=<adminuser> where name=<archive location name>;
    commit;
    exit;
  7. Exit back to root.

    exit
  8. Lock the avsys user.

    See Locking the AVSYS User.

7.2.6.7 Enable Archiving Functionality for High Availability

If the Audit Vault Server is deployed in a high availability environment, you might need to enable archiving after the update.

If you have Network File System (NFS) locations and archived data files, ensure that all the data files are available in the respective NFS locations. After completing the upgrade process, archiving is disabled, so you need to enable it.

  • Oracle Audit Vault and Database Firewall (Oracle AVDF) release 20.1 and later support archive and retrieve functionality with NFS server versions v3 and v4.
  • Only NFS v3 is not supported for releases 20.3 and earlier. It is supported starting Oracle AVDF release 20.4.
  • If your NFS server supports and permits both v3 and v4 for archive or retrieve, then no action is required.
  • If you have NFS v4 only in your environment for archive or retrieve, then set the _SHOWMOUNT_DISABLED parameter to TRUE using the following steps:

    1. Log in to the Audit Vault Server through SSH and switch to the root user.

      See Logging In to Oracle AVDF Appliances Through SSH.

    2. Switch to the oracle user.

      su - oracle
    3. Start SQL*Plus without the user name or password.

      sqlplus /nolog
    4. In SQL*Plus, run the following command:

      connect <super administrator>
    5. Enter the password when prompted.

    6. Run the following command:

      exec avsys.adm.add_config_param('_SHOWMOUNT_DISABLED','TRUE');
  1. Log in to the primary Audit Vault Server through SSH and switch to the root user.

    See Logging In to Oracle AVDF Appliances Through SSH.

  2. Switch to the oracle user.

    su - oracle
  3. Create new NFS locations by using the Audit Vault Server console.

    These new locations consider the newly mounted NFS points for both the primary and secondary Audit Vault Servers. Ensure that there is sufficient space in the newly created NFS locations to store all the necessary data files to be archived.

  4. Start SQL*Plus without the user name or password.

    sqlplus /nolog
  5. In SQL*Plus run the following command:

    connect super administrator
  6. Enter the password when prompted.

  7. Enable the archiving functionality by running the following command:

    exec management.ar.run_hailm_job('<NFS location name defined>');

    This command initiates a background job. You can view the status on the Jobs page. The name of the job is HAILM POST UPGRADE JOB.

    After you enable this functionality , all the archived data files are moved to the new NFS location and archiving is enabled after the job completes successfully.

7.2.6.8 Clear Unused Kernels from Oracle Audit Vault and Database Firewall

See My Oracle Support Doc ID 2458154.1 for instructions to clear unused kernels from Oracle Audit Vault and Database Firewall (Oracle AVDF).

7.2.6.9 Check the Observer Status After Updating to Oracle AVDF 20.7 or Later for High Availability

After upgrading from Oracle AVDF release 20.5 or 20.6 to release 20.7 or later in a high availability environment, you might encounter an issue with the Oracle Data Guard observer. The Audit Vault Server uses Oracle Data Guard to manage high availability.

To check the status of the Oracle Data Guard observer:

  1. Log in to the standby Audit Vault Server through SSH and switch to the root user.

    See Logging In to Oracle AVDF Appliances Through SSH.

  2. Switch to the oracle user.

    su - oracle
  3. Run the following commands:

    dgmgrl /
    show observer

    The output displays the status and the last ping interval of the observers running on both primary and standby Audit Vault Servers. The last ping interval of both observers must have a specific duration in seconds.

  4. If the output from the previous step doesn't display a specific duration for both observers, as shown in the following example, then complete the remaining steps to resolve the issue.

    
    Host Name:                   <host name>
    Last Ping to Primary:        (unknown)
    Last Ping to Target:         (unknown)
    1. Log in to the standby Audit Vault Server through SSH and switch to the root user.

      See Logging In to Oracle AVDF Appliances Through SSH.

    2. Switch to the oracle user.

      su - oracle
    3. Run the following command:

      /usr/local/dbfw/bin/observerctl --stop
    4. Wait for one minute.
    5. Run the following commands:

      dgmgrl /
      show observer
    6. Verify that the last ping interval of both observers has a specific duration in seconds.
7.2.6.10 Configure Audit Vault Server Backups

The Audit Vault Server backup configuration file is release-specific and works on the same release for which it was created. Oracle recommends that you run the avbackup config command to create a new configuration file before performing the backup operation after updating Oracle Audit Vault and Database Firewall (Oracle AVDF).

7.2.6.11 Schedule Maintenance Jobs

Oracle Audit Vault and Database Firewall (Oracle AVDF) runs some jobs on the Audit Vault Server for proper and effective functioning of the system.

Oracle recommends that you run these jobs during a period when the Audit Vault Server usage is low, such as at night. You can schedule these jobs based on your time zone.
  1. Log in to the Audit Vault Server console as an administrator.
  2. Click the Settings tab.
  3. Click System in the left navigation menu.
  4. In the Configuration section, click one of the following links, depending on your release:
    Oracle AVDF Release Link
    20.1 and 20.2 Manage
    20.3 and later Maintenance
  5. To schedule a new maintenance job, enter the start time in hours and minutes.
    The time that you specify here is the time on the browser.
  6. In the Time Out (In hours) field, enter the duration of the maintenance job in hours.

    If the job doesn't complete in the specified duration, it times out.

    Note:

    The job runs at the specified start time daily. You can't change the repeat frequency.
  7. Click Save.
7.2.6.12 Add a Privilege to the Native Network Encryption User for Decrypting the Native Network Encryption

If you're upgrading Audit Vault Server from release 12.2 to release 20 and a native network encryption user was already created on the target database for decrypting the native network encryption, you need to provide an additional privilege to the native network encryption user.

  1. Log in to the target database as a user with administrative privileges.
  2. Run the following command:
    grant select on V_$SESSION to <NNE_USER>

    <NNE_USER> is the user that is configured in the target database for decrypting the native network encryption.

7.2.7 Recover the Database If an Update Fails

If you backed up Oracle Audit Vault and Database Firewall (Oracle AVDF) before updating, and if there is enough space in the Audit Vault Server's flash recovery area, you may be able to recover the database after a failed update under the guidance of Oracle Support.

To make recovery of the database possible, you should have the following amount of free space in the flash recovery area:

20 GB or 150% of the amount of data that is stored in the Audit Vault Server database, whichever is larger

For information on monitoring the flash recovery area, see Oracle Audit Vault and Database Firewall Administrator's Guide.

7.3 Patching Oracle AVDF 20.8 to Apply the Latest Release Update

To upgrade Oracle AVDF from release 12.2 to release 20.9 or later, first upgrade to release 20.8 and then apply the latest release update (RU) patch.

See Patching Oracle Audit Vault and Database Firewall Release 20 for instructions.