7 Upgrading Oracle Audit Vault and Database Firewall from Release 12.2 to Release 20
If you're on Oracle Audit Vault and Database Firewall (Oracle AVDF) release 12.2, you can upgrade to release 20 to maintain support and access the latest features and bug fixes.
If you're already on Oracle AVDF release 20, see Patching Oracle Audit Vault and Database Firewall Release 20 to apply the latest release updates.
Note:
This chapter uses the terms update and upgrade interchangeably.
7.1 About Upgrading Oracle Audit Vault and Database Firewall
Follow these guidelines for upgrading Oracle Audit Vault and Database Firewall (Oracle AVDF) release 12.2 to release 20.
Use the following high-level process to upgrade Oracle AVDF:
- Download the files from My Oracle Support.
- Complete the pre-update tasks, such as creating a backup.
- Update the Audit Vault Servers.
- Verify that Audit Vault Agents and Host Monitor Agents were updated automatically.
- Update the Database Firewalls.
- Complete the post-update tasks, such as confirming that the update was successful.
Note:
- To upgrade Oracle AVDF from release 12.2 to release 20.9 or later, first upgrade to release 20.8 and then apply the latest release update (RU) patch.
- If you're on Oracle AVDF 12.2.0.0.0 to 12.2.0.8.0, upgrade to release 12.2.0.9.0 before upgrading to release 20. You can perform a single backup operation before performing the first upgrade.
- If you've deployed Database Firewall In-line Bridge mode in release 12.2, follow the instructions in Change the Database Firewall In-line Bridge to an Equivalent Proxy Configuration.
- If you have a large amount of event data, maintain sufficient disk space of about 5% of the total event log data size. If you have both HDD and SAN storage, then maintain the necessary disk space on either HDD or SAN. Each disk group (EVENTDATA, SYSTEMDATA, and RECOVERY) should have at least 20% available space.
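The version rules in the preceding notes, worked through as an added shell example (not Oracle tooling and not code from this guide): given a 12.2 bundle patch and a release 20 target, it prints the hops in order and reports whether the manual tablespace release described in 7.2.2.5 applies. The function names are hypothetical, and the example assumes that targets 20.1 through 20.8 are reached in one hop from 12.2.0.9.0 or later.

```shell
#!/bin/sh
# Added example (not Oracle tooling): derive the upgrade hops from the notes in 7.1.
# Assumption: releases are written as 12.2.0.N.0 (source) and 20.N or 20.N.0.0.0 (target).

# bp_number 12.2.0.N.0 -> prints N; fails for any other form.
bp_number() (
    case "$1" in
        12.2.0.*.0) ;;
        *) exit 1 ;;
    esac
    n=${1#12.2.0.}
    n=${n%.0}
    case "$n" in
        ''|*[!0-9]*) exit 1 ;;
    esac
    echo "$n"
)

# ru_number 20.N or 20.N.0.0.0 -> prints N; fails for any other form (and for N = 0).
ru_number() (
    v=${1%.0.0.0}
    case "$v" in
        20.*) ;;
        *) exit 1 ;;
    esac
    n=${v#20.}
    case "$n" in
        ''|0|*[!0-9]*) exit 1 ;;
    esac
    echo "$n"
)

# upgrade_path CURRENT TARGET -> prints the releases to pass through, in order.
# Exit code 2 means one of the two arguments is not a release this chapter covers.
upgrade_path() (
    bp=$(bp_number "$1") || { echo "not a 12.2.0.N.0 release: $1" >&2; exit 2; }
    ru=$(ru_number "$2") || { echo "not a release 20 target: $2" >&2; exit 2; }
    path=$1
    # 12.2.0.0.0 through 12.2.0.8.0 must reach 12.2.0.9.0 first.
    if [ "$bp" -le 8 ]; then
        path="$path 12.2.0.9.0"
    fi
    # 20.9 and later are reached through 20.8, then the release update (RU) patch.
    if [ "$ru" -ge 9 ]; then
        path="$path 20.8 20.$ru"
    else
        path="$path 20.$ru"
    fi
    echo "$path"
)

# needs_tablespace_release TARGET -> 0 when the manual release in 7.2.2.5 applies
# (targets 20.1 through 20.3), 1 when the upgrade does it automatically, 2 on bad input.
needs_tablespace_release() (
    ru=$(ru_number "$1") || exit 2
    [ "$ru" -le 3 ]
)

# Usage: sh plan.sh 12.2.0.5.0 20.12
if [ "$#" -eq 2 ]; then
    upgrade_path "$1" "$2"
fi
```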
7.2 Upgrading from Oracle AVDF 12.2 to Release 20.8
Follow this process to upgrade Oracle Audit Vault and Database Firewall (Oracle AVDF) from release 12.2 to release 20.8.
7.2.1 Download the Files
To patch or upgrade Oracle Audit Vault and Database Firewall (Oracle AVDF), you need to download files from My Oracle Support.
- Go to My Oracle Support and sign in.
- Click the Patches & Updates tab.
- Use the Patch Search box to search for the patch.
- Click the Product or Family (Advanced) link on the left.
- In the Product field, enter Audit Vault and Database Firewall.
- In the Release field, select the latest Oracle AVDF release from the drop-down list.
- Click Search.
- In the Patch Name column of the search results, click the link for the latest bundle patch.
7.2.2 Pre-update Tasks
Before updating Oracle Audit Vault and Database Firewall (Oracle AVDF) to the latest release, complete the prerequisite tasks, such as performing a backup.
Note:
If Audit Vault Agent is running on a Windows machine, close all the agent-related directories and open files before updating Oracle AVDF.
7.2.2.1 Migrate Host Monitor Agent on Windows
If you're on Oracle Audit Vault and Database Firewall (Oracle AVDF) release 12.2 and you use Host Monitoring on Windows, then update the Npcap and OpenSSL libraries on Windows before upgrading to Oracle AVDF release 20.
Complete the following tasks:
- After installing Npcap and OpenSSL, ensure that the network_device_name_for_hostmonitor collection attribute is set. See Create a Network Audit Trail for instructions.
- Deploying the Host Monitor Agent on a Windows Host Machine
7.2.2.2 Back Up the Current Oracle Audit Vault and Database Firewall Installation
Before updating Oracle Audit Vault and Database Firewall (Oracle AVDF) to the latest release, back up the Audit Vault Server.
See Backing Up and Restoring the Audit Vault Server for complete information.
If your current Audit Vault Server is installed on a virtual machine (VM), such as Oracle VM or VMWare, Oracle recommends that you take a VM snapshot before starting the update process.
7.2.2.3 Set the Host Monitor Agent and Audit Vault Agent TLS Version
If your current Oracle Audit Vault and Database Firewall (Oracle AVDF) 12.2 deployment has Host Monitor Agents or Audit Vault Agents on AIX and you're upgrading to Oracle AVDF 20.4 or later, set the TLS version to TLS 1.1 before upgrading.
If you're upgrading from Oracle AVDF 12.2.0.11.0 and earlier and you've deployed Host Monitor Agents (or Audit Vault Agents on AIX) with the default version of TLS 1.2, the Host Monitor Agents (or Audit Vault Agents on AIX) do not upgrade automatically.
For Oracle AVDF 12.2.0.12.0 and later, this issue only affects Audit Vault Agents on AIX.
To prevent this issue, run the following command before upgrading:
ruby /usr/local/dbfw/bin/upgrade/configure_tls_settings.rb 2
Note:
After upgrading, set the TLS level to Level-4. See Post Upgrade TLS Security Hardening for more information.
7.2.2.4 Ensure That the System Has Sufficient Space to Purge the Alert Queue
If the system doesn't have sufficient space to purge the alert queue, you'll receive an error when you run the pre-upgrade RPM during the process of updating Oracle Audit Vault and Database Firewall (Oracle AVDF).
Follow these steps to prevent this issue:
- Log in to the Audit Vault Server through SSH and switch to the root user.
- Unlock the avsys user.
Note: Remember to relock the avsys account when you've completed this task.
- Exit back to root.
- Switch to the oracle user.
su - oracle
- Start SQL*Plus as the avsys user.
sqlplus avsys
- Enter the password at the prompt.
- Run the following SQL query:
declare
  object_exist exception;
  pragma exception_init(object_exist, -24002);
  po dbms_aqadm.aq$_purge_options_t;
begin
  po.block := FALSE;
  dbms_aqadm.purge_queue_table('AVSYS.AV_ALERT_QT', NULL, po);
exception
  when object_exist then null;
end;
/
- Exit back to root.
exit
- Lock the avsys user.
7.2.2.5 Release Existing Tablespaces That Are Retrieved Manually
If you're updating to Oracle Audit Vault and Database Firewall (Oracle AVDF) release 20.1 through 20.3, release all the existing tablespaces that were retrieved manually. This procedure is performed automatically if you're updating to Oracle AVDF release 20.4 or later.
The following steps are only applicable for AVDF 20.1 - 20.3.
If you don't release the existing tablespaces, the following situations could occur:
- The update might fail, resulting in an error.
- New indexes might not be created after the update because space can't be allocated.
To manually release the tablespaces, follow these steps:
- Log in to the Audit Vault Server console as a super administrator.
- Click the Settings tab.
- Click Archiving in the left navigation menu.
- Click the Retrieve subtab.
The page lists all the retrieved tablespaces.
- Select and release all the tablespaces.
7.2.2.6 Preserve File Customizations
Preserve customizations that have been applied to configuration files before upgrading to Oracle Audit Vault and Database Firewall (Oracle AVDF) release 20.
The upgrade erases all custom changes that have been made to system configuration files. Oracle recommends that you back up any required changes that you need to transfer to the upgraded system.
To preserve file customizations:
- Create your own custom configuration file. See the Oracle Linux documentation for details.
- Move any rules to a custom configuration file before performing the upgrade process.
- Synchronize the time between the Database Firewalls and Audit Vault Servers.
If the system clocks for the Database Firewalls and Audit Vault Servers are not synchronized, then you may see a certificate error after the upgrade. After the upgrade, check the appliance diagnostics output to ensure that everything is marked OK in green. The diagnostic failures are marked FAILED in red.
- To configure the time for Audit Vault Servers, see Specifying the Server Date, Time, and Keyboard Settings.
- To configure the time for Database Firewalls, see Setting the Date and Time in Oracle Database Firewall.
7.2.2.7 Ensure That the Boot Device Is Less Than 2 TB
If the boot device is greater than 2 TB, you'll receive an error when you run the pre-upgrade RPM during the process of upgrading Oracle Audit Vault and Database Firewall (Oracle AVDF).
Boot Device Is Greater Than 2 TB When Upgrading the Audit Vault Server
Follow these steps if the boot device is greater than 2 TB when upgrading the Audit Vault Server:
- Stop all trails and monitoring points.
- Stop all Audit Vault Agents and shut down all Database Firewall servers.
- Back up the system.
- Choose a server that has at least one hard disk that is less than 2 TB.
- Install the same bundle patch version of Audit Vault Server on release 12.2.
- Configure the system to boot in BIOS mode.
- Restore from the backup. Use the same IP address and ensure that the system is up.
- Upgrade the Audit Vault Server to release 20 using the documented upgrade process.
Boot Device Is Greater Than 2 TB When Upgrading a Database Firewall That Was Added to the Audit Vault Server Before Release 12.2.0.1.0
- Reset the Database Firewall.
- Log in to the Audit Vault Server console as an administrator.
- Click Reset Firewall to update all the settings on the Audit Vault Server.
- Choose a server that has at least one hard disk that is less than 2 TB.
- Install the same bundle patch version of Database Firewall on release 12.2.
- Configure the system to boot in BIOS mode.
- Log in to the Audit Vault Server console as an administrator.
- Configure the Database Firewall instance.
- Specify the Audit Vault Server certificate and IP address on the new Database Firewall instance.
- Click the Database Firewalls tab.
The status of the newly installed Database Firewall instance is Down (red).
- Click the name of the specific Database Firewall instance.
- Click Update Certificate, and wait for the page to load.
The status of the Database Firewall instance is Up (green).
- Click Reset Firewall.
- Click OK.
- Check the status of this operation in the Jobs dialog box.
- Click the Settings tab.
- Click System in the left navigation menu.
- Click the Jobs link in the Monitoring section.
The job type is Reset Firewall.
- Click the Job Details page icon on the left.
If the job has failed, a message appears in the Job Status Details dialog box. If the job is successful, then it displays the completion time.
Boot Device Is Greater Than 2 TB When Upgrading a Database Firewall on Oracle AVDF 12.2.0.2.0 or Later
- Choose a server that has at least one hard disk that is less than 2 TB.
- Install the same bundle patch version of Database Firewall on release 12.2.
- Configure the system to boot in BIOS mode.
- Log in to the Audit Vault Server console as an administrator.
- Configure the Database Firewall instance.
- Specify the Audit Vault Server certificate and IP address on the new Database Firewall instance.
- Click the Database Firewalls tab.
The status of the newly installed Database Firewall instance is Down (red).
- Click the name of the specific Database Firewall instance.
- Click Update Certificate, and wait for the page to load.
The status of the Database Firewall instance is Up (green).
- Click Reset Firewall.
- Click OK.
- Check the status of this operation in the Jobs dialog box.
- Click the Settings tab.
- Click System in the left navigation menu.
- Click the Jobs link in the Monitoring section.
The job type is Reset Firewall.
- Click the Job Details page icon on the left.
If the job has failed, a message appears in the Job Status Details dialog box. If the job is successful, then it displays the completion time.
7.2.2.8 Ensure That the Boot Partition Has at Least 500 MB
If the boot partition has less than 500 MB, you'll receive an error when you run the pre-upgrade RPM during the process of updating Oracle Audit Vault and Database Firewall (Oracle AVDF).
Insufficient Space in the Boot Partition When Upgrading the Audit Vault Server
Follow these steps if there is insufficient space in the boot partition when upgrading the Audit Vault Server:
- Stop all trails and monitoring points.
- Stop all Audit Vault Agents and shut down all Database Firewall servers.
- Back up the system.
- Install the same bundle patch version of Audit Vault Server on release 12.2.
This creates the /boot partition with 500 MB.
- Restore from the backup. Use the same IP address and ensure that the system is up.
- Upgrade Audit Vault Server to release 20 using the documented upgrade process.
Insufficient Space in the Boot Partition When Upgrading a Database Firewall
Follow these steps if there is insufficient space in the boot partition when upgrading a Database Firewall:
- If the Database Firewall was added to the Audit Vault Server before release 12.2.0.1.0, reset the Database Firewall.
- Log in to the Audit Vault Server console as an administrator.
- Click Reset Firewall to update all the settings on the Audit Vault Server.
- Install the same bundle patch version of Database Firewall on release 12.2. This creates the /boot partition with 500 MB.
- Log in to the Audit Vault Server console as an administrator.
- Configure the Database Firewall instance.
- Specify the Audit Vault Server certificate and IP address on the new Database Firewall instance.
- Click the Database Firewalls tab.
The status of the newly installed Database Firewall instance is Down (red).
- Click the name of the specific Database Firewall instance.
- Click Update Certificate, and wait for the page to load.
The status of the Database Firewall instance is Up (green).
- Click Reset Firewall.
- Click OK.
- Check the status of this operation in the Jobs dialog box.
- Click the Settings tab.
- Click System in the left navigation menu.
- Click the Jobs link in the Monitoring section.
The job type is Reset Firewall.
- Click the Job Details page icon on the left.
If the job has failed, a message appears in the Job Status Details dialog box. If the job is successful, then it displays the completion time.
- Check the overall health status of the Database Firewall instance.
- Click the Database Firewalls tab.
- Click the name of the specific instance.
- Click the Health Indicators link in the Diagnostics section.
- Expand the Certificates section.
Check the message about certificate validation failure, and take appropriate action.
- Expand the Database Firewall Monitoring section and ensure that all statuses are green.
- Click Close.
7.2.2.9 Verify That the SYS User Is Unlocked and the Password Is Not Expired
If the sys password has expired or the sys user is locked, you'll receive an error when you run the pre-upgrade RPM during the process of updating Oracle Audit Vault and Database Firewall (Oracle AVDF).
To prevent this issue, update the sys user on the primary and standby systems.
- Perform the following steps on both the primary and standby systems:
- Log in to the Audit Vault Server through SSH and switch to the root user.
- As the root user, run the following command:
systemctl stop monitor
- Check for any observerctl processes running and stop them.
ps -elf | grep observerctl
kill -9 <PID of observerctl>
- Check for any dgmgrl processes running and stop them.
ps -elf | grep dgmgrl
kill -9 <PID of dgmgrl>
- Update the primary system.
- Log in to the primary Audit Vault Server through SSH and switch to the root user.
- Switch to the oracle user.
su - oracle
- Start SQL*Plus by entering the following command:
sqlplus / as sysdba
- Enter the following command:
select avsys.secutil.gen_rand_pwd(30) as pwd from dual;
Note: Use this password in all steps that require a password on both primary and standby systems.
- Enter the following commands:
alter user sys identified by <password_from_step_1d_above> account unlock;
ALTER SYSTEM SWITCH LOGFILE;
- Exit back to the oracle user.
- As the oracle user, enter the following commands:
mkstore -wrl /var/lib/oracle/dbfw/network/admin/observer/ -modifyCredential DBFWDB_HA2_DGMGRL SYS <password_from_step_1d>
mkstore -wrl /var/lib/oracle/dbfw/network/admin/observer/ -modifyCredential DBFWDB_HA1_DGMGRL SYS <password_from_step_1d>
mkstore -wrl /var/lib/oracle/dbfw/network/admin/observer/ -modifyCredential DBFWDB_HA1 SYS <password_from_step_1d>
mkstore -wrl /var/lib/oracle/dbfw/network/admin/observer/ -modifyCredential DBFWDB_HA2 SYS <password_from_step_1d>
- Securely copy the file to the standby system by entering the following command:
scp /var/lib/oracle/dbfw/dbs/orapwdbfwdb support@<standby IP>:~/
- Update the standby system.
- Log in to the standby Audit Vault Server through SSH and switch to the root user.
- Ensure that the new file permissions are the same as the original file.
- Switch to the oracle user.
su - oracle
- Enter the following commands:
mkstore -wrl /var/lib/oracle/dbfw/network/admin/observer/ -modifyCredential DBFWDB_HA2_DGMGRL SYS <password_from_step_1d>
mkstore -wrl /var/lib/oracle/dbfw/network/admin/observer/ -modifyCredential DBFWDB_HA1_DGMGRL SYS <password_from_step_1d>
mkstore -wrl /var/lib/oracle/dbfw/network/admin/observer/ -modifyCredential DBFWDB_HA1 SYS <password_from_step_1d>
mkstore -wrl /var/lib/oracle/dbfw/network/admin/observer/ -modifyCredential DBFWDB_HA2 SYS <password_from_step_1d>
- Enter the following commands as the root user on both primary and standby systems:
systemctl stop monitor
systemctl stop dbfwlistener
systemctl stop dbfwdb
systemctl start dbfwdb
systemctl start dbfwlistener
systemctl start monitor
- Enter the following command as the oracle user on both primary and standby systems:
/usr/local/dbfw/bin/observerctl --start
7.2.3 Update the Audit Vault Server
Update the Audit Vault Server before you update the Audit Vault Agents and Database Firewalls.
Note:
In this section, the word appliance refers to the Audit Vault Server.
7.2.3.1 Update a Standalone Audit Vault Server
Follow this process to update a standalone Audit Vault Server that is not paired in a high availability environment.
- Stop all audit trails.
- Run the pre-upgrade RPM.
- Transfer the ISO file to the appliance.
- Start the update script.
- Restart the appliance.
Note:
When the appliance restarts, the update process continues. This takes several hours to complete on Audit Vault Servers. Don't restart the system while this is in progress.
Update Notes
- If you have existing targets for which you ran Oracle Audit Vault and Database Firewall (Oracle AVDF) setup scripts to set user privileges (for example, for stored procedure auditing), no further action is required to update those privileges after you update Audit Vault Servers. Check the Oracle AVDF release notes to find out if you need to rerun the setup scripts because they've changed.
- When you update from Oracle AVDF 12.2 to release 20.1-20.8, password hashing is upgraded to a more secure standard. This change affects the operating system passwords (support and root). Change your passwords after you update Audit Vault Servers to take advantage of the more secure hash.
7.2.3.1.1 Stop All Audit Trails
Stop all audit trails before updating the Audit Vault Server.
- Log in to the Audit Vault Server console as an administrator.
- Click the Targets tab.
- Click Audit Trails in the left navigation menu.
- Select all audit trails.
- Click Stop.
7.2.3.1.2 Run the Pre-upgrade RPM
Run the pre-upgrade RPM to check for the required space in the file system and prepare the system for updating.
Note:
The patching process uses the same pre-upgrade RPM as the upgrade process, although patching involves a smaller subset of tasks compared to a full upgrade.
The pre-upgrade RPM performs the following tasks to prepare the system for updating:
- Rearranges free space on the appliance so that there's enough room to copy the patch files to the appliance and start the installation. After the update, the space for the patch files is returned to the file system.
- Starting with updates from Oracle AVDF 20.9 to Oracle AVDF 20.10 and later, verifies that the Audit Vault Agents and Host Monitor Agents are compatible with the new version of the Audit Vault Server. For example, it verifies that agent host machines have compatible operating system and Java versions.
- Verifies that other prerequisites and platform conditions are met before the update.
- Prepares the system for updating by creating the /var/dbfw/upgrade directory with enough space to hold the main ISO file for the update.
To run the pre-upgrade RPM, follow these steps:
- Log in to the appliance through SSH and switch to the root user.
- Run the screen command as the root user.
The screen command prevents network disconnections from interrupting the update. If the session terminates, resume by switching to the root user and then running the screen -r command.
- Change to the root directory.
cd /root
- Run the following command to copy the pre-upgrade RPM file from the downloaded location to the appliance:
scp remote_host:/path/to/avdf-pre-upgrade-20.x.0.0.0.zip /root
- Verify the download by using a shasum of the avdf-pre-upgrade-20.x.0.0.0.zip file.
sha256sum /root/avdf-pre-upgrade-20.x.0.0.0.zip
- Unzip the bundle.
unzip /root/avdf-pre-upgrade-20.x.0.0.0.zip
- Run the following command to run the avdf-pre-upgrade-20.x.0.0.0-0_NNNNNN.NNNN.x86_64.rpm file:
rpm -i /root/avdf-pre-upgrade-20.x.0.0.0-0_NNNNNN.NNNN.x86_64.rpm
The following message appears:
SUCCESS: The upgrade media can now be copied to '/var/dbfw/upgrade'.
The upgrade can then be started by running: /usr/bin/avdf-upgrade
7.2.3.1.3 Transfer the ISO File to the Appliance
Transfer the avdf-upgrade-20.x.0.0.0.iso file to the appliance that you're updating.
- Log in to the appliance through SSH and switch to the root user.
- Copy the avdf-upgrade-20.x.0.0.0.iso file by using the following command:
scp remote_host:/path/to/avdf-upgrade-20.x.0.0.0.iso /var/dbfw/upgrade
7.2.3.1.4 Start the Update Script
The update script mounts the ISO, changes to the correct working directory, runs the update process, and unmounts the ISO after the upgrade process is complete.
Note:
The system may take some time to complete the commands. Don't interrupt the update or the system may be left in an inconsistent state. For this reason, it is important to use a reliable and uninterruptible shell, such as a direct console login (or ILOM equivalent), or use the screen command to prevent network disconnections from interrupting the update.
- Log in to the appliance through SSH and switch to the root user.
- Run the screen command as the root user.
The screen command prevents network disconnections from interrupting the update. If the session terminates, resume by switching to the root user and then running the screen -r command.
- Run the following command to perform the appropriate checks before updating:
/usr/bin/avdf-upgrade
- Follow the system prompt, warning, and instruction to proceed with the update accordingly.
You should see output like the following:
Please wait while validating SHA256 checksum for /var/dbfw/upgrade/avdf-upgrade-20.x.0.0.0.iso
Checksum validation successful for /var/dbfw/upgrade/avdf-upgrade-20.x.0.0.0.iso
Mounting /var/dbfw/upgrade/avdf-upgrade-20.x.0.0.0.iso on /images
mount: /dev/loop0 is write-protected, mounting read-only
Successfully mounted /var/dbfw/upgrade/avdf-upgrade-20.x.0.0.0.iso on /images
The following messages have important information about the upgrade process.
Power loss during upgrade may cause data loss. Do not power off during upgrade.
Please review Note ID 2235931.1 for a current list of known issues.
The upgrade process is irreversible, please confirm 'y' to continue or 'n' to abort. [y/N]?
- Enter y to proceed.
You should see output like the following:
The Oracle base has been set to /var/lib/oracle
Error: ORA-01034: ORACLE not available
ORA-27101: shared memory realm does not exist
Linux-x86_64 Error: 2: No such file or directory
Additional information: 4475
Additional information: 1990413931
The Oracle base has been set to /var/lib/oracle
Error: ORA-01034: ORACLE not available
ORA-27101: shared memory realm does not exist
Linux-x86_64 Error: 2: No such file or directory
Additional information: 4475
Additional information: 1990413931
Verifying upgrade preconditions
1/11: Mounting filesystems (1)
2/11: Cleaning yum configuration
3/11: Cleaning old packages and files
4/11: Upgrading kernel
5/11: Upgrading system
6/11: Cleaning platform packages repo
7/11: Adding required platform packages
8/11: Cleaning AVDF packages repo
9/11: Installing AVDF packages
10/11: Setting boot title
11/11: Setting final system status
Reboot now to continue the upgrade process.
Unmounted /var/dbfw/upgrade/avdf-upgrade-20.x.0.0.0.iso on /images
Note:
The preceding output varies depending on the base installation level, appliance type, and configuration.
7.2.3.1.5 Restart the Appliance
After updating, restart the appliance and continue the update process.
- Log in to the appliance through SSH and switch to the root user.
- Restart the appliance. For example:
reboot
Note:
When the appliance restarts, the update process continues. This takes several hours to complete on Audit Vault Servers and several minutes to complete on Database Firewalls. Don't restart the system while this is in progress.
- If you've updated a Database Firewall, it may have regenerated the appliance certificate. In this scenario, you need to reregister the Database Firewall. To check this:
- Log in to the Audit Vault Server console as an administrator.
- Click the Database Firewalls tab.
In the left navigation menu, Database Firewalls is selected by default and the page displays a list of configured Database Firewall instances.
- Select the Database Firewall instance that indicates a certificate error after the update.
- Click Reset Firewall.
7.2.3.2 Update a Pair of Audit Vault Servers That Are Configured for High Availability
Follow this process to update a pair of Audit Vault Servers in a high availability environment.
Note:
Don't change the primary and standby roles before completing the update on both Audit Vault Servers.
Follow this process:
- Update the standby Audit Vault Server.
- After you reboot the standby Audit Vault Server, ensure that it is up and running before updating the primary Audit Vault Server.
- Stop the audit trails on the primary Audit Vault Server.
- Update the primary Audit Vault Server.
After you reboot the primary Audit Vault Server and confirm that it's running, no additional reboot is needed. It's fully functional at this point.
7.2.3.2.1 Update the Standby Audit Vault Server
Use this procedure to update the standby Audit Vault Server in a high availability environment. Update the standby Audit Vault server first, then update the primary Audit Vault Server.
Follow this process:
- Check the failover status on the primary Audit Vault Server.
- Run the pre-upgrade RPM.
- Transfer the ISO file to the appliance.
- Start the update script.
- Restart the appliance.
Note:
When the appliance restarts, the update process continues. This takes several hours to complete on Audit Vault Servers. Don't restart the system while this is in progress.
7.2.3.2.1.1 Check the Failover Status on the Primary Audit Vault Server
Before running the pre-upgrade RPM in a high availability environment, check the failover status on the primary Audit Vault Server. If the failover status is STALLED, then wait for a while and check the status again. If the status doesn't change, then contact Oracle Support.
Follow these steps on the primary Audit Vault Server:
- Log in to the primary Audit Vault Server through SSH and switch to the root user.
- Switch to the oracle user.
su - oracle
- Run the following command:
/usr/local/dbfw/bin/setup_ha.rb --status
- Check the failover status in the output.
7.2.3.2.1.2 Run the Pre-upgrade RPM
Run the pre-upgrade RPM to check for the required space in the file system and prepare the system for updating.
Note:
The patching process uses the same pre-upgrade RPM as the upgrade process, although patching involves a smaller subset of tasks compared to a full upgrade.
The pre-upgrade RPM performs the following tasks to prepare the system for updating:
- Rearranges free space on the appliance so that there's enough room to copy the patch files to the appliance and start the installation. After the update, the space for the patch files is returned to the file system.
- Starting with updates from Oracle AVDF 20.9 to Oracle AVDF 20.10 and later, verifies that the Audit Vault Agents and Host Monitor Agents are compatible with the new version of the Audit Vault Server. For example, it verifies that agent host machines have compatible operating system and Java versions.
- Verifies that other prerequisites and platform conditions are met before the update.
- Prepares the system for updating by creating the /var/dbfw/upgrade directory with enough space to hold the main ISO file for the update.
To run the pre-upgrade RPM, follow these steps:
- Log in to the appliance through SSH and switch to the root user.
- Run the screen command as the root user.
The screen command prevents network disconnections from interrupting the update. If the session terminates, resume by switching to the root user and then running the screen -r command.
- Change to the root directory.
cd /root
- Run the following command to copy the pre-upgrade RPM file from the downloaded location to the appliance:
scp remote_host:/path/to/avdf-pre-upgrade-20.x.0.0.0.zip /root
- Verify the download by using a shasum of the avdf-pre-upgrade-20.x.0.0.0.zip file.
sha256sum /root/avdf-pre-upgrade-20.x.0.0.0.zip
- Unzip the bundle.
unzip /root/avdf-pre-upgrade-20.x.0.0.0.zip
- Run the following command to run the avdf-pre-upgrade-20.x.0.0.0-0_NNNNNN.NNNN.x86_64.rpm file:
rpm -i /root/avdf-pre-upgrade-20.x.0.0.0-0_NNNNNN.NNNN.x86_64.rpm
The following message appears:
SUCCESS: The upgrade media can now be copied to '/var/dbfw/upgrade'.
The upgrade can then be started by running: /usr/bin/avdf-upgrade
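A fail-closed form of the checksum step in 7.2.3.1.2 and 7.2.3.2.1.2, as an added shell example that is not part of Oracle's documentation or tooling: it compares the digest with the value published for the download instead of only printing it, and stops before the unzip step on any mismatch. The function names, exit codes, and destination directory argument are assumptions; the expected digest must come from the source you downloaded the bundle from.

```shell
#!/bin/sh
# Added example (not Oracle code): gate the pre-upgrade bundle on its SHA-256 digest.

# is_sha256_hex VALUE -> 0 only for exactly 64 hexadecimal digits, so an empty
# or truncated expected value can never be treated as a match.
is_sha256_hex() {
    [ "${#1}" -eq 64 ] || return 1
    case "$1" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    return 0
}

# verify_sha256 FILE EXPECTED
#   0 = digest matches, 1 = mismatch, 2 = file missing or unreadable,
#   3 = EXPECTED is not a well-formed SHA-256 value
verify_sha256() (
    file=$1
    is_sha256_hex "$2" || exit 3
    [ -f "$file" ] || exit 2
    # Digests are compared in lower case; sha256sum prints lower case.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256sum -- "$file") || exit 2
    actual=${actual%% *}
    [ "$actual" = "$expected" ] || exit 1
)

# stage_pre_upgrade ZIP EXPECTED DEST
# Verifies ZIP, unpacks it into DEST, and prints the path of the single
# avdf-pre-upgrade RPM found there. Running rpm -i stays a manual step.
#   4 = unpack failed, 5 = bundle did not contain exactly one pre-upgrade RPM
stage_pre_upgrade() (
    zip=$1
    expected=$2
    dest=$3
    verify_sha256 "$zip" "$expected" || {
        rc=$?
        echo "refusing to unpack $zip: checksum check failed (code $rc)" >&2
        exit "$rc"
    }
    mkdir -p "$dest" || exit 4
    unzip -q -o "$zip" -d "$dest" || exit 4
    set -- "$dest"/avdf-pre-upgrade-*.rpm
    if [ "$#" -ne 1 ] || [ ! -f "$1" ]; then
        echo "expected exactly one avdf-pre-upgrade RPM in $dest" >&2
        exit 5
    fi
    echo "$1"
)

# Usage: sh stage.sh /root/avdf-pre-upgrade-20.x.0.0.0.zip <published digest> /root/pre-upgrade
if [ "$#" -eq 3 ]; then
    stage_pre_upgrade "$1" "$2" "$3"
fi
```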
7.2.3.2.1.3 Transfer the ISO File to the Appliance
Transfer the avdf-upgrade-20.x.0.0.0.iso file to the appliance that you're updating.
- Log in to the appliance through SSH and switch to the root user.
- Copy the avdf-upgrade-20.x.0.0.0.iso file by using the following command:
scp remote_host:/path/to/avdf-upgrade-20.x.0.0.0.iso /var/dbfw/upgrade
7.2.3.2.1.4 Start the Update Script
The update script mounts the ISO, changes to the correct working directory, runs the update process, and unmounts the ISO after the upgrade process is complete.
Note:
The system may take some time to complete the commands. Don't interrupt the update or the system may be left in an inconsistent state. For this reason, it is important to use a reliable and uninterruptible shell, such as a direct console login (or ILOM equivalent), or use the screen command to prevent network disconnections from interrupting the update.
- Log in to the appliance through SSH and switch to the root user.
- Run the screen command as the root user.
The screen command prevents network disconnections from interrupting the update. If the session terminates, resume by switching to the root user and then running the screen -r command.
- Run the following command to perform the appropriate checks before updating:
/usr/bin/avdf-upgrade
- Follow the system prompt, warning, and instruction to proceed with the update accordingly.
You should see output like the following:
Please wait while validating SHA256 checksum for /var/dbfw/upgrade/avdf-upgrade-20.x.0.0.0.iso
Checksum validation successful for /var/dbfw/upgrade/avdf-upgrade-20.x.0.0.0.iso
Mounting /var/dbfw/upgrade/avdf-upgrade-20.x.0.0.0.iso on /images
mount: /dev/loop0 is write-protected, mounting read-only
Successfully mounted /var/dbfw/upgrade/avdf-upgrade-20.x.0.0.0.iso on /images
The following messages have important information about the upgrade process.
Power loss during upgrade may cause data loss. Do not power off during upgrade.
Please review Note ID 2235931.1 for a current list of known issues.
The upgrade process is irreversible, please confirm 'y' to continue or 'n' to abort. [y/N]?
- Enter y to proceed.
You should see output like the following:
The Oracle base has been set to /var/lib/oracle
Error: ORA-01034: ORACLE not available
ORA-27101: shared memory realm does not exist
Linux-x86_64 Error: 2: No such file or directory
Additional information: 4475
Additional information: 1990413931
The Oracle base has been set to /var/lib/oracle
Error: ORA-01034: ORACLE not available
ORA-27101: shared memory realm does not exist
Linux-x86_64 Error: 2: No such file or directory
Additional information: 4475
Additional information: 1990413931
Verifying upgrade preconditions
1/11: Mounting filesystems (1)
2/11: Cleaning yum configuration
3/11: Cleaning old packages and files
4/11: Upgrading kernel
5/11: Upgrading system
6/11: Cleaning platform packages repo
7/11: Adding required platform packages
8/11: Cleaning AVDF packages repo
9/11: Installing AVDF packages
10/11: Setting boot title
11/11: Setting final system status
Reboot now to continue the upgrade process.
Unmounted /var/dbfw/upgrade/avdf-upgrade-20.x.0.0.0.iso on /images
Note:
The preceding output varies depending on the base installation level, appliance type, and configuration.
7.2.3.2.1.5 Restart the Appliance
After updating, restart the appliance and continue the update process.
- Log in to the appliance through SSH and switch to the root user.
- Restart the appliance. For example:
reboot
Note:
When the appliance restarts, the update process continues. This takes several hours to complete on Audit Vault Servers and several minutes to complete on Database Firewalls. Don't restart the system while this is in progress.
- If you've updated a Database Firewall, it may have regenerated the appliance certificate. In this scenario, you need to reregister the Database Firewall. To check this:
  - Log in to the Audit Vault Server console as an administrator.
  - Click the Database Firewalls tab.
    In the left navigation menu, Database Firewalls is selected by default and the page displays a list of configured Database Firewall instances.
  - Select the Database Firewall instance that indicates a certificate error after the update.
  - Click Reset Firewall.
7.2.4 Verify That Audit Vault Agents and Host Monitor Agents Were Automatically Updated
The Audit Vault Agents and Host Monitor Agents are automatically updated when you update the Audit Vault Server. However, some situations require manual updates.
Note:
During the Audit Vault Agent automatic update process, its status is UNREACHABLE. It may take as long as 45 minutes to return to the RUNNING state.
In the following situations you may need to update the Audit Vault Agents manually:
- On Windows hosts, the Audit Vault Agent is updated automatically only if you've registered it as a Windows service and you've set this service to use the credentials of the OS user that originally installed the agent. See Additional Requirements for Starting Audit Vault Agent as a Service on Windows for more information.
When you start the agent from the command line, the Audit Vault Agent does not automatically update. In this case, update the agent manually. For example:
<agent_home>\bin\agentctl.bat stop
Download the new agent.jar from the Audit Vault Server console and extract it using java -jar agent.jar from the agent_home of the existing agent. Then run the following command:
<agent_home>\bin\agentctl.bat start
Don't delete the existing agent_home directory.
- When configuring the Audit Vault Server for high availability, if the designated standby Audit Vault Server's agents were deployed before pairing, then manually download and deploy the agents again after pairing.
7.2.5 Update the Database Firewalls
After you update all Audit Vault Servers, update the Database Firewalls.
When you update Database Firewalls that are configured for high availability (a resilient pair), update both primary and standby Database Firewalls. Update the standby Database Firewall instance first. Restart the standby instance after the update. Swap the roles of the primary and standby Database Firewall instances in the high availability environment so that the existing standby instance becomes the primary instance. Update the standby (previous primary) Database Firewall instance.
For standalone Database Firewall instances, update all of them independently.
Note:
- After updating to Oracle Audit Vault and Database Firewall (Oracle AVDF) release 20.3 or later, the status of some of the Database Firewall monitoring points may be Down.
The Database Firewall policies that were created before the update are being migrated to the new format. This may take a few minutes. Navigate to the Jobs dialog box in the Audit Vault Server console and check the status of the Firewall post-upgrade actions job. If the background job fails, then deploy the Database Firewall policy by using the Audit Vault Server console only. Verify that the status of the Database Firewall monitoring points has changed to Up. Otherwise, start the monitoring point.
- You can't perform the following operations until the Database Firewalls are updated:
  - Database Firewall policy deployment
  - New configurations or configuration changes
- In this section, the word appliance refers to the Database Firewall.
7.2.5.1 Update a Standalone Database Firewall
Use this procedure to update a standalone Database Firewall that is not paired in a high availability environment.
Follow this process:
- Stop all Database Firewall monitoring points.
- Run the pre-upgrade RPM.
- Transfer the ISO file to the appliance.
- Start the update script.
- Restart the appliance.
Note:
When the appliance restarts, the update process continues. This takes several minutes to complete on Database Firewalls. Don't restart the system while this is in progress.
7.2.5.1.1 Stop All Database Firewall Monitoring Points
Stop all monitoring points before updating the Database Firewall.
- Log into the Audit Vault Server console as an administrator.
- Click the Database Firewalls tab.
- Click Database Firewall Monitoring in the left navigation menu.
- Select all monitoring points.
- Click Stop.
7.2.5.1.2 Run the Pre-upgrade RPM
Run the pre-upgrade RPM to check for the required space in the file system and prepare the system for updating.
Note:
The patching process uses the same pre-upgrade RPM as the upgrade process, although patching involves a smaller subset of tasks compared to a full upgrade.
The pre-upgrade RPM performs the following tasks to prepare the system for updating:
- Rearranges free space on the appliance so that there's enough room to copy the patch files to the appliance and start the installation. After the update, the space for the patch files is returned to the file system.
- Starting with updates from Oracle AVDF 20.9 to Oracle AVDF 20.10 and later, verifies that the Audit Vault Agents and Host Monitor Agents are compatible with the new version of the Audit Vault Server. For example, it verifies that agent host machines have compatible operating system and Java versions.
- Verifies that other prerequisites and platform conditions are met before the update.
- Prepares the system for updating by creating the /var/dbfw/upgrade directory with enough space to hold the main ISO file for the update.
To run the pre-upgrade RPM, follow these steps:
- Log in to the appliance through SSH and switch to the root user.
- Run the screen command as the root user.
The screen command prevents network disconnections from interrupting the update. If the session terminates, resume by switching to the root user and then running the screen -r command.
- Change to the root directory.
cd /root
- Run the following command to copy the pre-upgrade RPM file from the downloaded location to the appliance:
scp remote_host:/path/to/avdf-pre-upgrade-20.x.0.0.0.zip /root
- Verify the download by using a shasum of the avdf-pre-upgrade-20.x.0.0.0.zip file.
sha256sum /root/avdf-pre-upgrade-20.x.0.0.0.zip
- Unzip the bundle.
unzip /root/avdf-pre-upgrade-20.x.0.0.0.zip
- Run the following command to run the avdf-pre-upgrade-20.x.0.0.0-0_NNNNNN.NNNN.x86_64.rpm file:
rpm -i /root/avdf-pre-upgrade-20.x.0.0.0-0_NNNNNN.NNNN.x86_64.rpm
The following message appears:
SUCCESS: The upgrade media can now be copied to '/var/dbfw/upgrade'.
The upgrade can then be started by running: /usr/bin/avdf-upgrade
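The sha256sum step in this procedure prints a digest but leaves the comparison to the operator. The following added example (not part of Oracle's documentation) fails closed when the bundle's digest differs from the value you recorded from the download source. The function names verify_sha256 and run_if_verified and the EXPECTED placeholder are assumptions.

```shell
#!/bin/sh
# Added example: compare a file's SHA-256 digest with a known-good value and
# run the next command only when they match. Function names are hypothetical.

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 on match, 1 on mismatch, 2 if EXPECTED_HEX is malformed,
# 3 if FILE is missing or unreadable.
verify_sha256() {
    vs_file=$1
    # Normalise case and strip whitespace picked up when pasting the value.
    vs_expected=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')

    # A SHA-256 digest is exactly 64 hex digits; reject truncated pastes.
    case $vs_expected in
        ''|*[!0-9a-f]*)
            echo "verify_sha256: expected value is not hexadecimal" >&2
            return 2 ;;
    esac
    if [ "${#vs_expected}" -ne 64 ]; then
        echo "verify_sha256: expected value must be 64 hex digits" >&2
        return 2
    fi

    if [ ! -f "$vs_file" ] || [ ! -r "$vs_file" ]; then
        echo "verify_sha256: cannot read $vs_file" >&2
        return 3
    fi

    # sha256sum prints "<digest>  <path>"; keep only the digest.
    vs_actual=$(sha256sum "$vs_file" | awk '{print $1}')

    if [ "$vs_actual" = "$vs_expected" ]; then
        return 0
    fi
    echo "verify_sha256: MISMATCH for $vs_file" >&2
    echo "  expected $vs_expected" >&2
    echo "  actual   $vs_actual" >&2
    return 1
}

# run_if_verified FILE EXPECTED_HEX COMMAND [ARGS...]
# Runs COMMAND only after FILE has been verified; otherwise returns the
# verify_sha256 status and never starts COMMAND.
run_if_verified() {
    riv_file=$1
    riv_expected=$2
    shift 2
    verify_sha256 "$riv_file" "$riv_expected" || return $?
    "$@"
}

# Usage on the appliance (EXPECTED is a placeholder for the recorded value):
#   run_if_verified /root/avdf-pre-upgrade-20.x.0.0.0.zip "$EXPECTED" \
#       unzip /root/avdf-pre-upgrade-20.x.0.0.0.zip
```

A nonzero status means the bundle must not be unzipped or installed; transfer it again and repeat the check.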
7.2.5.1.3 Transfer the ISO File to the Appliance
Transfer the avdf-upgrade-20.x.0.0.0.iso file to the appliance that you're updating.
- Log in to the appliance through SSH and switch to the root user.
- Copy the avdf-upgrade-20.x.0.0.0.iso file by using the following command:
scp remote_host:/path/to/avdf-upgrade-20.x.0.0.0.iso /var/dbfw/upgrade
7.2.5.1.4 Start the Update Script
The update script mounts the ISO, changes to the correct working directory, runs the update process, and unmounts the ISO after the upgrade process is complete.
Note:
The system may take some time to complete the commands. Don't interrupt the update or the system may be left in an inconsistent state. For this reason, it is important to use a reliable and uninterruptible shell, such as a direct console login (or ILOM equivalent), or use the screen command to prevent network disconnections from interrupting the update.
- Log in to the appliance through SSH and switch to the root user.
- Run the screen command as the root user.
The screen command prevents network disconnections from interrupting the update. If the session terminates, resume by switching to the root user and then running the screen -r command.
- Run the following command to perform the appropriate checks before updating:
/usr/bin/avdf-upgrade
- Follow the system prompts, warnings, and instructions to proceed with the update.
You should see output like the following:
Please wait while validating SHA256 checksum for /var/dbfw/upgrade/avdf-upgrade-20.x.0.0.0.iso
Checksum validation successful for /var/dbfw/upgrade/avdf-upgrade-20.x.0.0.0.iso
Mounting /var/dbfw/upgrade/avdf-upgrade-20.x.0.0.0.iso on /images
mount: /dev/loop0 is write-protected, mounting read-only
Successfully mounted /var/dbfw/upgrade/avdf-upgrade-20.x.0.0.0.iso on /images
The following messages have important information about the upgrade process.
Power loss during upgrade may cause data loss. Do not power off during upgrade.
Please review Note ID 2235931.1 for a current list of known issues.
The upgrade process is irreversible, please confirm 'y' to continue or 'n' to abort. [y/N]?
- Enter y to proceed.
You should see output like the following:
The Oracle base has been set to /var/lib/oracle
Error: ORA-01034: ORACLE not available
ORA-27101: shared memory realm does not exist
Linux-x86_64 Error: 2: No such file or directory
Additional information: 4475
Additional information: 1990413931
The Oracle base has been set to /var/lib/oracle
Error: ORA-01034: ORACLE not available
ORA-27101: shared memory realm does not exist
Linux-x86_64 Error: 2: No such file or directory
Additional information: 4475
Additional information: 1990413931
Verifying upgrade preconditions
1/11: Mounting filesystems (1)
2/11: Cleaning yum configuration
3/11: Cleaning old packages and files
4/11: Upgrading kernel
5/11: Upgrading system
6/11: Cleaning platform packages repo
7/11: Adding required platform packages
8/11: Cleaning AVDF packages repo
9/11: Installing AVDF packages
10/11: Setting boot title
11/11: Setting final system status
Reboot now to continue the upgrade process.
Unmounted /var/dbfw/upgrade/avdf-upgrade-20.x.0.0.0.iso on /images
Note:
The preceding output varies depending on the base installation level, appliance type, and configuration.
7.2.5.1.5 Restart the Appliance
After updating, restart the appliance and continue the update process.
- Log in to the appliance through SSH and switch to the root user.
- Restart the appliance. For example:
reboot
Note:
When the appliance restarts, the update process continues. This takes several hours to complete on Audit Vault Servers and several minutes to complete on Database Firewalls. Don't restart the system while this is in progress.
- If you've updated a Database Firewall, it may have regenerated the appliance certificate. In this scenario, you need to reregister the Database Firewall. To check this:
  - Log in to the Audit Vault Server console as an administrator.
  - Click the Database Firewalls tab.
    In the left navigation menu, Database Firewalls is selected by default and the page displays a list of configured Database Firewall instances.
  - Select the Database Firewall instance that indicates a certificate error after the update.
  - Click Reset Firewall.
7.2.5.2 Update a Pair of Database Firewalls That Are Configured for High Availability
Use this procedure to update a pair of Database Firewalls in a high availability environment.
Follow this process:
- Update the standby Database Firewall.
- After the standby Database Firewall has fully restarted, swap the standby Database Firewall so that it becomes the primary Database Firewall.
- Update the original primary (now standby) Database Firewall.
- (Optional) After the original primary Database Firewall has fully restarted, swap the Database Firewalls so they return to their original primary and standby roles.
7.2.5.2.1 Update the Standby Database Firewall
Use this procedure to update the standby Database Firewall in a high availability environment. Update the standby Database Firewall first, then swap this Database Firewall so that it becomes the primary Database Firewall. Then update the original primary (now standby) Database Firewall.
Follow this process:
- Stop all Database Firewall monitoring points.
- Run the pre-upgrade RPM.
- Transfer the ISO file to the appliance.
- Start the update script.
- Restart the appliance.
Note:
When the appliance restarts, the update process continues. This takes several minutes to complete on Database Firewalls. Don't restart the system while this is in progress.
7.2.5.2.1.1 Stop All Database Firewall Monitoring Points
Stop all monitoring points before updating the Database Firewall.
- Log into the Audit Vault Server console as an administrator.
- Click the Database Firewalls tab.
- Click Database Firewall Monitoring in the left navigation menu.
- Select all monitoring points.
- Click Stop.
7.2.5.2.1.2 Run the Pre-upgrade RPM
Run the pre-upgrade RPM to check for the required space in the file system and prepare the system for updating.
Note:
The patching process uses the same pre-upgrade RPM as the upgrade process, although patching involves a smaller subset of tasks compared to a full upgrade.
The pre-upgrade RPM performs the following tasks to prepare the system for updating:
- Rearranges free space on the appliance so that there's enough room to copy the patch files to the appliance and start the installation. After the update, the space for the patch files is returned to the file system.
- Starting with updates from Oracle AVDF 20.9 to Oracle AVDF 20.10 and later, verifies that the Audit Vault Agents and Host Monitor Agents are compatible with the new version of the Audit Vault Server. For example, it verifies that agent host machines have compatible operating system and Java versions.
- Verifies that other prerequisites and platform conditions are met before the update.
- Prepares the system for updating by creating the /var/dbfw/upgrade directory with enough space to hold the main ISO file for the update.
To run the pre-upgrade RPM, follow these steps:
- Log in to the appliance through SSH and switch to the root user.
- Run the screen command as the root user.
The screen command prevents network disconnections from interrupting the update. If the session terminates, resume by switching to the root user and then running the screen -r command.
- Change to the root directory.
cd /root
- Run the following command to copy the pre-upgrade RPM file from the downloaded location to the appliance:
scp remote_host:/path/to/avdf-pre-upgrade-20.x.0.0.0.zip /root
- Verify the download by using a shasum of the avdf-pre-upgrade-20.x.0.0.0.zip file.
sha256sum /root/avdf-pre-upgrade-20.x.0.0.0.zip
- Unzip the bundle.
unzip /root/avdf-pre-upgrade-20.x.0.0.0.zip
- Run the following command to run the avdf-pre-upgrade-20.x.0.0.0-0_NNNNNN.NNNN.x86_64.rpm file:
rpm -i /root/avdf-pre-upgrade-20.x.0.0.0-0_NNNNNN.NNNN.x86_64.rpm
The following message appears:
SUCCESS: The upgrade media can now be copied to '/var/dbfw/upgrade'.
The upgrade can then be started by running: /usr/bin/avdf-upgrade
7.2.5.2.1.3 Transfer the ISO File to the Appliance
Transfer the avdf-upgrade-20.x.0.0.0.iso file to the appliance that you're updating.
- Log in to the appliance through SSH and switch to the root user.
- Copy the avdf-upgrade-20.x.0.0.0.iso file by using the following command:
scp remote_host:/path/to/avdf-upgrade-20.x.0.0.0.iso /var/dbfw/upgrade
7.2.5.2.1.4 Start the Update Script
The update script mounts the ISO, changes to the correct working directory, runs the update process, and unmounts the ISO after the upgrade process is complete.
Note:
The system may take some time to complete the commands. Don't interrupt the update or the system may be left in an inconsistent state. For this reason, it is important to use a reliable and uninterruptible shell, such as a direct console login (or ILOM equivalent), or use the screen command to prevent network disconnections from interrupting the update.
- Log in to the appliance through SSH and switch to the root user.
- Run the screen command as the root user.
The screen command prevents network disconnections from interrupting the update. If the session terminates, resume by switching to the root user and then running the screen -r command.
- Run the following command to perform the appropriate checks before updating:
/usr/bin/avdf-upgrade
- Follow the system prompts, warnings, and instructions to proceed with the update.
You should see output like the following:
Please wait while validating SHA256 checksum for /var/dbfw/upgrade/avdf-upgrade-20.x.0.0.0.iso
Checksum validation successful for /var/dbfw/upgrade/avdf-upgrade-20.x.0.0.0.iso
Mounting /var/dbfw/upgrade/avdf-upgrade-20.x.0.0.0.iso on /images
mount: /dev/loop0 is write-protected, mounting read-only
Successfully mounted /var/dbfw/upgrade/avdf-upgrade-20.x.0.0.0.iso on /images
The following messages have important information about the upgrade process.
Power loss during upgrade may cause data loss. Do not power off during upgrade.
Please review Note ID 2235931.1 for a current list of known issues.
The upgrade process is irreversible, please confirm 'y' to continue or 'n' to abort. [y/N]?
- Enter y to proceed.
You should see output like the following:
The Oracle base has been set to /var/lib/oracle
Error: ORA-01034: ORACLE not available
ORA-27101: shared memory realm does not exist
Linux-x86_64 Error: 2: No such file or directory
Additional information: 4475
Additional information: 1990413931
The Oracle base has been set to /var/lib/oracle
Error: ORA-01034: ORACLE not available
ORA-27101: shared memory realm does not exist
Linux-x86_64 Error: 2: No such file or directory
Additional information: 4475
Additional information: 1990413931
Verifying upgrade preconditions
1/11: Mounting filesystems (1)
2/11: Cleaning yum configuration
3/11: Cleaning old packages and files
4/11: Upgrading kernel
5/11: Upgrading system
6/11: Cleaning platform packages repo
7/11: Adding required platform packages
8/11: Cleaning AVDF packages repo
9/11: Installing AVDF packages
10/11: Setting boot title
11/11: Setting final system status
Reboot now to continue the upgrade process.
Unmounted /var/dbfw/upgrade/avdf-upgrade-20.x.0.0.0.iso on /images
Note:
The preceding output varies depending on the base installation level, appliance type, and configuration.
7.2.5.2.1.5 Restart the Appliance
After updating, restart the appliance and continue the update process.
- Log in to the appliance through SSH and switch to the root user.
- Restart the appliance. For example:
reboot
Note:
When the appliance restarts, the update process continues. This takes several hours to complete on Audit Vault Servers and several minutes to complete on Database Firewalls. Don't restart the system while this is in progress.
- If you've updated a Database Firewall, it may have regenerated the appliance certificate. In this scenario, you need to reregister the Database Firewall. To check this:
  - Log in to the Audit Vault Server console as an administrator.
  - Click the Database Firewalls tab.
    In the left navigation menu, Database Firewalls is selected by default and the page displays a list of configured Database Firewall instances.
  - Select the Database Firewall instance that indicates a certificate error after the update.
  - Click Reset Firewall.
7.2.5.2.2 Swap the Standby and Primary Database Firewalls
After updating the standby Database Firewall, swap the standby Database Firewall so that it becomes the primary Database Firewall. You can also swap the Database Firewalls back to their original roles after updating them both.
- Log into the Audit Vault Server console as an administrator.
- Click the Database Firewalls tab.
- Click High Availability in the left navigation menu.
- Select this resilient pair of Database Firewall instances.
- Click Swap.
7.2.6 Post-update Tasks
After updating Oracle Audit Vault and Database Firewall (Oracle AVDF), complete these tasks to confirm the update process, enable required functionality, and resolve any remaining issues.
Note:
- If you're updating Audit Vault Server to releases 20.1 through 20.3, then apply the Deprecated-Cipher-Removal.zip patch after updating.
- If you're updating Audit Vault Server to release 20.4 and later, then apply the Deprecated-Cipher-Removal.zip patch only if you reduce the TLS level during the update.
7.2.6.1 Confirm the Update Process
Use these steps to verify that the update process was successful.
Successful Updates of Audit Vault Servers
- Verify that you can open the Audit Vault Server console without any issues.
- Verify that you can log in to the Audit Vault Server console as an administrator and an auditor without any issues.
- Verify that you can connect to the Audit Vault Server through SSH without any issues.
- Log in to the Audit Vault Server console as an administrator and check the following items:
  - Click the Settings tab, and then click System in the left navigation menu.
  - Verify that the Audit Vault Server Version field displays the correct version of Audit Vault Server.
  - Check the Uptime value.
  - Ensure that Database Firewall log collection displays a green arrow pointing up.
  - Ensure that Background Job displays a green arrow pointing up.
  - Check the High Availability Status value.
Successful Updates of Audit Vault Agents
- Log in to the Audit Vault Server console as an administrator.
- Click the Agents tab.
- Verify that all Audit Vault agents have a status of RUNNING.
- Verify that the Agent Details column displays the correct version for each Audit Vault Agent.
Successful Updates of Database Firewalls
- Log in to the Audit Vault Server console as an administrator.
- Click the Database Firewalls tab.
- Verify that all Database Firewalls have a status of Up.
- Verify that the Version column displays the correct version for each Database Firewall.
- Click the link for a specific Database Firewall in the Name column.
- Verify that the Firewall Version field also displays the correct version.
- Click the Health Indicators link in the Diagnostics section and verify that all the health indicators have a green mark.
- Close the dialog box.
- Click Database Firewall Monitoring in the left navigation menu.
- Verify that all the monitoring points have a status of Up.
Unsuccessful Updates
The following symptoms indicate that an update has failed:
- You're unable to open the Audit Vault Server console.
- An SSH connection to the Audit Vault Server (or the terminal) displays an error that the update has failed.
Note:
Also review the system diagnostics for the current status and system log for any errors.
7.2.6.2 Post Upgrade TLS Security Hardening
If your previous Oracle Audit Vault and Database Firewall (Oracle AVDF) 12.2 deployment had Host Monitor Agents or Audit Vault Agents on AIX and you upgraded to Oracle AVDF 20.4 or later, then you set the TLS version to TLS 1.1 before upgrading. After upgrading, you should reset the TLS level.
If you set the TLS version to TLS 1.1 before upgrading, as discussed in the following topics, then the upgrade process did not automatically set the TLS level to Level-4:
- Set the Host Monitor Agent and Audit Vault Agent TLS Version
- Pre-upgrade RPM Check: Legacy Crypto Warning
After the update process is complete (including all agents), Oracle strongly recommends setting the TLS level to Level-4. See About Setting Transport Layer Security Levels for instructions.
7.2.6.3 Post Upgrade Agent User Security Hardening
When updating to Oracle Audit Vault and Database Firewall (Oracle AVDF) 20.9 or later, tighten the agent user privileges after all the agents have been updated.
- Confirm that all the agents have been updated.
- Download the revoke_privileges.sql script (patch number 35303191) from My Oracle Support.
- Log in to the Audit Vault Server through SSH and switch to the root user.
- Unlock the avsys user.
Note:
Remember to relock the avsys account when you've completed this task.
- Transfer the downloaded revoke_privileges.sql script to the Audit Vault Server (for example, to /tmp).
- Start SQL*Plus as the avsys user.
sqlplus avsys
- Enter the password at the prompt.
- Run the revoke_privileges.sql script.
@<path to revoke_privileges.sql>
For example, if you copied the file to /tmp, then enter @/tmp/revoke_privileges.sql.
- Exit back to root.
exit
- Lock the avsys user.
7.2.6.4 Add Preexisting SQL Clusters to New Cluster Sets After Upgrading
After upgrading to Oracle Audit Vault and Database Firewall (Oracle AVDF) release 20, you can't add preexisting SQL clusters from release 12.2 to new cluster sets when creating new Database Firewall policies.
To resolve this issue, run the populate_cluster_job.sql script immediately after upgrading to Oracle AVDF release 20. This script resolves the issue in the event log table and you can create cluster sets based on the clusters that were generated before the upgrade to 20.1.
Note:
This issue occurs in Oracle AVDF 20.1 only. It is resolved in later releases.
- Download the populate_cluster_job.sql script from ARU or My Oracle Support.
- (Optional) Stop the Database Firewall monitoring points and other traffic.
This is not required, but doing so makes the script run faster.
See Starting, Stopping, or Deleting Database Firewall Monitoring Points.
- Log in to the Audit Vault Server through SSH and switch to the root user.
- Unlock the avsys user.
Note:
Remember to relock the avsys account when you've completed this task.
- Exit back to root.
- Switch to the oracle user.
su - oracle
- Start SQL*Plus as the avsys user.
sqlplus avsys
- Enter the password at the prompt.
- Run the following script:
@<file path of the populate_cluster_job.sql script>
The script runs in the background. The duration of the script is based on the traffic, and sometimes it takes longer.
- Check the status of the job.
  - Log in to the Audit Vault Server console as an administrator.
  - Click the Settings tab.
  - Click System in the left navigation menu.
  - Click Jobs.
    The status of the job type is Retrieve_clusters.
- If the script failed, repeat the preceding steps to run the script again.
- Exit back to root.
exit
- Lock the avsys user.
7.2.6.5 Change the Database Firewall In-line Bridge to an Equivalent Proxy Configuration
The Database Firewall In-line Bridge deployment mode is desupported in Oracle AVDF release 20. If you have Database Firewall In-line Bridge mode deployed in release 12.2, you need to update your configuration to an equivalent proxy mode. The deprecation notice was issued in release 12.2.
Oracle Audit Vault and Database Firewall (Oracle AVDF) release 20 requires configuration changes to maintain network separation that was originally provided by a traffic source (bridge). The order of the network interface cards (NIC) and the components that are connected can't be determined.
Note:
A single proxy port is required for every target. A single proxy port can't service multiple target databases. Add more traffic proxy ports as required.
Complete this task if you meet the following conditions:
- The current Database Firewall is on Oracle AVDF release 12.2.
- The Database Firewall is currently deployed in monitoring (DAM) or blocking (DPE) mode with one or more traffic sources that are configured as a bridge.
- You want to maintain your existing network segmentation.
- The interfaces are used for monitoring only.
- The default bridge device is created or repurposed to create the monitoring point services.
To update your configuration to an equivalent proxy mode:
7.2.6.6 Enable Administrator Access to Existing Archive Locations
After updating Oracle Audit Vault and Database Firewall, the following new behavior applies to archive locations:
- New archive locations are owned by the user with an administrator role who created them.
- Users with the super administrator role can view all archive locations.
- Only users with the super administrator role can access existing archive locations.
To give regular users with the administrator role access to existing archive locations, perform the following steps for each archive location:
- Log in to the Audit Vault Server through SSH and switch to the root user.
- Unlock the avsys user.
Note:
Remember to relock the avsys account when you've completed this task.
- Exit back to root.
- Start SQL*Plus as the avsys user.
sqlplus avsys
- Enter the password at the prompt.
- Run the following commands:
update avsys.archive_host set created_by=<adminuser> where name=<archive location name>;
commit;
exit;
- Exit back to root.
exit
- Lock the avsys user.
7.2.6.7 Enable Archiving Functionality for High Availability
If the Audit Vault Server is deployed in a high availability environment, you might need to enable archiving after the update.
If you have Network File System (NFS) locations and archived data files, ensure that all the data files are available in the respective NFS locations. After completing the upgrade process, archiving is disabled, so you need to enable it.
- Oracle Audit Vault and Database Firewall (Oracle AVDF) release 20.1 and later support archive and retrieve functionality with NFS server versions v3 and v4.
- Only NFS v3 is not supported for releases 20.3 and earlier. It is supported starting Oracle AVDF release 20.4.
- If your NFS server supports and permits both v3 and v4 for archive or retrieve, then no action is required.
- If you have NFS v4 only in your environment for archive or retrieve, then set the _SHOWMOUNT_DISABLED parameter to TRUE using the following steps:
  - Log in to the Audit Vault Server through SSH and switch to the root user.
  - Switch to the oracle user.
    su - oracle
  - Start SQL*Plus without the user name or password.
    sqlplus /nolog
  - In SQL*Plus, run the following command:
    connect <super administrator>
  - Enter the password when prompted.
  - Run the following command:
    exec avsys.adm.add_config_param('_SHOWMOUNT_DISABLED','TRUE');

- Log in to the primary Audit Vault Server through SSH and switch to the root user.
- Switch to the oracle user.
su - oracle
- Create new NFS locations by using the Audit Vault Server console.
These new locations consider the newly mounted NFS points for both the primary and secondary Audit Vault Servers. Ensure that there is sufficient space in the newly created NFS locations to store all the necessary data files to be archived.
- Start SQL*Plus without the user name or password.
sqlplus /nolog
- In SQL*Plus, run the following command:
connect <super administrator>
- Enter the password when prompted.
- Enable the archiving functionality by running the following command:
exec management.ar.run_hailm_job('<NFS location name defined>');
This command initiates a background job. You can view the status on the Jobs page. The name of the job is HAILM POST UPGRADE JOB.
After you enable this functionality, all the archived data files are moved to the new NFS location and archiving is enabled after the job completes successfully.
7.2.6.8 Clear Unused Kernels from Oracle Audit Vault and Database Firewall
See My Oracle Support Doc ID 2458154.1 for instructions to clear unused kernels from Oracle Audit Vault and Database Firewall (Oracle AVDF).
7.2.6.9 Check the Observer Status After Updating to Oracle AVDF 20.7 or Later for High Availability
After upgrading from Oracle AVDF release 20.5 or 20.6 to release 20.7 or later in a high availability environment, you might encounter an issue with the Oracle Data Guard observer. The Audit Vault Server uses Oracle Data Guard to manage high availability.
To check the status of the Oracle Data Guard observer:
- Log in to the standby Audit Vault Server through SSH and switch to the root user.
- Switch to the oracle user.
  su - oracle
- Run the following commands:
  dgmgrl /
  show observer
  The output displays the status and the last ping interval of the observers running on both primary and standby Audit Vault Servers. The last ping interval of both observers must have a specific duration in seconds.
- If the output from the previous step doesn't display a specific duration for both observers, as shown in the following example, then complete the remaining steps to resolve the issue.
  Host Name: <host name>
  Last Ping to Primary: (unknown)
  Last Ping to Target: (unknown)
  - Log in to the standby Audit Vault Server through SSH and switch to the root user.
  - Switch to the oracle user.
    su - oracle
  - Run the following command:
    /usr/local/dbfw/bin/observerctl --stop
  - Wait for one minute.
  - Run the following commands:
    dgmgrl /
    show observer
  - Verify that the last ping interval of both observers has a specific duration in seconds.
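The observer check described above can be scripted as a post-upgrade health check. The following shell function is an added example, not part of the Oracle documentation: it reads captured show observer output and reports every observer whose last-ping field lacks a duration in seconds. The host names and sample output are constructed, and the function assumes each field appears on its own line.

```shell
#!/bin/sh
# Added example (not Oracle-supplied code).
# check_observers: reads `show observer` output on stdin.
#   exit 0 = every last-ping field shows a duration in seconds
#   exit 1 = at least one field has no duration, e.g. "(unknown)"
#   exit 2 = no last-ping fields found (wrong input or empty capture)
check_observers() {
    awk '
        /Host Name:/ {
            host = $0
            sub(/^.*Host Name:[ \t]*/, "", host)
        }
        /Last Ping to (Primary|Target):/ {
            seen++
            # A healthy field carries a duration such as "2 seconds ago".
            if ($0 !~ /:[ \t]*[0-9]+ seconds? ago/) {
                sub(/^[ \t]+/, "")
                printf "STALE host=%s %s\n", host, $0
                bad++
            }
        }
        END {
            if (seen == 0) { print "NO_OBSERVER_DATA"; exit 2 }
            exit (bad > 0)
        }
    '
}

# Constructed sample: both observers report a ping duration.
sample_healthy() {
    printf '%s\n' \
        '  Host Name:             avs-primary.example.com' \
        '  Last Ping to Primary:  1 second ago' \
        '  Last Ping to Target:   2 seconds ago' \
        '  Host Name:             avs-standby.example.com' \
        '  Last Ping to Primary:  1 second ago' \
        '  Last Ping to Target:   3 seconds ago'
}

# Constructed sample: the standby observer shows the failure case.
sample_stale() {
    sample_healthy | sed '5,6s/:  *[0-9].*$/:  (unknown)/'
}

# On the standby server, as the oracle user, the live form would be:
#   dgmgrl / "show observer" | check_observers
sample_stale | check_observers || echo "Observer restart steps apply."
```

A nonzero exit status makes the function usable as a gate in a post-upgrade verification script.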
7.2.6.10 Configure Audit Vault Server Backups
The Audit Vault Server backup configuration file is release-specific and works on the same release for which it was created. Oracle recommends that you run the avbackup config command to create a new configuration file before performing the backup operation after updating Oracle Audit Vault and Database Firewall (Oracle AVDF).
7.2.6.11 Schedule Maintenance Jobs
Oracle Audit Vault and Database Firewall (Oracle AVDF) runs some jobs on the Audit Vault Server for proper and effective functioning of the system.
7.2.6.12 Add a Privilege to the Native Network Encryption User for Decrypting the Native Network Encryption
If you're upgrading Audit Vault Server from release 12.2 to release 20 and a native network encryption user was already created on the target database for decrypting the native network encryption, you need to provide an additional privilege to the native network encryption user.
7.2.7 Recover the Database If an Update Fails
If you backed up Oracle Audit Vault and Database Firewall (Oracle AVDF) before updating, and if there is enough space in the Audit Vault Server's flash recovery area, you may be able to recover the database after a failed update under the guidance of Oracle Support.
To make recovery of the database possible, you should have the following amount of free space in the flash recovery area:
20 GB or 150% of the amount of data that is stored in the Audit Vault Server database, whichever is larger
For information on monitoring the flash recovery area, see Oracle Audit Vault and Database Firewall Administrator's Guide.
7.3 Patching Oracle AVDF 20.8 to Apply the Latest Release Update
To upgrade Oracle AVDF from release 12.2 to release 20.9 or later, first upgrade to release 20.8 and then apply the latest release update (RU) patch.
See Patching Oracle Audit Vault and Database Firewall Release 20 for instructions.