Practice: Uninstalling Oracle Database Vault

Overview

This practice shows how to uninstall Oracle Database Vault from an Oracle Database installation for PDBs (but not the CDB root) and Oracle RAC installations.

The uninstallation process does not affect the initialization parameter settings, even those settings that were modified during the installation process, nor does it affect Oracle Label Security.

Before starting any new practice, refer to the Practices Environment recommendations.

Step 1 : Ensure Database Vault is enabled before uninstalling

  • Execute the shell script to configure Database Vault at the CDB level.

    
    $ cd /home/oracle/labs/M104781GC10
    $ /home/oracle/labs/M104781GC10/setup_DV.sh
    ...
    SQL> INSERT INTO l_tab values(2);
    
    1 row created.
    
    SQL> COMMIT;
    
    Commit complete.
    
    SQL> EXIT
    
    $
  • Connect to the CDB root as C##SEC_ADMIN to verify the status of Database Vault.

    
    $ sqlplus c##sec_admin
    
    Enter password:
    
    SQL> SELECT * FROM DVSYS.DBA_DV_STATUS;
    
    NAME                STATUS
    ------------------- --------------
    DV_CONFIGURE_STATUS TRUE
    DV_ENABLE_STATUS    TRUE
    DV_APP_PROTECTION   NOT CONFIGURED
    
    SQL>
  • Log in to PDB21 as SYS with the SYSDBA administrative privilege.

    
    SQL> CONNECT sys@PDB21 AS SYSDBA
    Enter password:
    Connected.
    SQL> SELECT * FROM DVSYS.DBA_DV_STATUS;
    
    NAME                STATUS
    ------------------- --------------
    DV_CONFIGURE_STATUS TRUE
    DV_ENABLE_STATUS    TRUE
    DV_APP_PROTECTION   NOT CONFIGURED
    
    SQL> SELECT * FROM V$OPTION WHERE PARAMETER = 'Oracle Database Vault';
    
    PARAMETER                 VALUE   CON_ID
    ------------------------- ------- ------
    Oracle Database Vault     TRUE         0
    
    SQL>
  • Log in to the CDB root to ensure that the recycle bin is disabled.

    
    SQL> CONNECT / AS SYSDBA
    Connected.
    SQL> SHOW PARAMETER recyclebin
    
    NAME                                 TYPE        VALUE
    ------------------------------------ ----------- ------------------------------
    recyclebin                           string      on
    SQL>

    If the recycle bin is on, then disable it. Because the command uses SCOPE=SPFILE, the change takes effect at the next instance restart.

    
    SQL> ALTER SYSTEM SET RECYCLEBIN = OFF SCOPE=SPFILE;
    
    System altered.
    
    SQL>

Step 2 : Disable Database Vault at the PDB and CDB levels

  • Connect to PDB21 as a user who has been granted the DV_OWNER or DV_ADMIN role, such as C##SEC_ADMIN.

    
    SQL> CONNECT c##sec_admin@PDB21
    Enter password:
    Connected.
    SQL>
  • Disable Oracle Database Vault at the PDB level.

    
    SQL> EXEC DBMS_MACADM.DISABLE_DV
    
    PL/SQL procedure successfully completed.
    
    SQL>

    Repeat this step in all PDBs.

  • Close and reopen PDB21.

    
    SQL> CONNECT sys@PDB21 AS SYSDBA
    Enter password:
    Connected.
    SQL> SHUTDOWN
    Pluggable Database closed.
    SQL> STARTUP
    Pluggable Database opened.
    SQL> SELECT * FROM V$OPTION WHERE PARAMETER = 'Oracle Database Vault';
    
    PARAMETER                 VALUE   CON_ID
    ------------------------- ------- ------
    Oracle Database Vault     FALSE        0
    
    SQL> 

    Although CON_ID displays 0, the value shown for Oracle Database Vault applies to the PDB you are connected to.

  • What is the status of Database Vault in the CDB root?

    
    SQL> CONNECT / AS SYSDBA
    Connected.
    SQL> SELECT * FROM V$OPTION WHERE PARAMETER = 'Oracle Database Vault';
    
    PARAMETER                 VALUE   CON_ID
    ------------------------- ------- ------
    Oracle Database Vault     TRUE         0
    
    SQL>
  • Disable Oracle Database Vault at the CDB level.

    
    SQL> CONNECT c##sec_admin
    Enter password:
    Connected.
    SQL> EXEC DBMS_MACADM.DISABLE_DV
    
    PL/SQL procedure successfully completed.
    
    SQL>


  • Restart the CDB instance.

    
    SQL> CONNECT / AS SYSDBA
    Connected.
    SQL> SHUTDOWN IMMEDIATE
    Database closed.
    Database dismounted.
    ORACLE instance shut down.
    SQL> STARTUP
    ORACLE instance started.
    
    Total System Global Area 1426060208 bytes
    Fixed Size                  9687984 bytes
    Variable Size             436207616 bytes
    Database Buffers          973078528 bytes
    Redo Buffers                7086080 bytes
    Database mounted.
    Database opened.
    SQL> SELECT * FROM V$OPTION WHERE PARAMETER = 'Oracle Database Vault';
    
    PARAMETER                 VALUE   CON_ID
    ------------------------- ------- ------
    Oracle Database Vault     FALSE        0
    
    SQL>

Step 3 : Remove Database Vault metadata at the PDB and CDB levels

  • Run the dvremov.sql script to remove Oracle Database Vault related metadata.

    
    SQL> @$ORACLE_HOME/rdbms/admin/dvremov.sql
    Session altered.
    
    DECLARE
    *
    ERROR at line 1:
    ORA-48000: Cannot run dvremov.sql from CDB root when one or more PDBs are
    closed.
    ORA-06512: at line 17
    
    $
  • Reopen PDB21 before removing Database Vault from the CDB root.

    
    $ sqlplus / AS SYSDBA
    
    Connected to:
    
    SQL> ALTER PLUGGABLE DATABASE ALL OPEN;
    
    Pluggable database altered.
    
    SQL> @$ORACLE_HOME/rdbms/admin/dvremov.sql
    Session altered.
    
    DECLARE
    *
    ERROR at line 1:
    ORA-47993: Cannot run dvremov.sql from CDB root when DV is installed in one or
    more PDBs.
    ORA-06512: at line 32
    
    
    Disconnected from Oracle Database 21c Enterprise Edition Release 21.0.0.0.0 - Development
    Version 21.1.0.0.0
    $ oerr ORA 47993
    47993, 00000, "Cannot run dvremov.sql from CDB root when DV is installed in one or more PDBs."
    // *Cause: The Database Vault (DV) removal script was not allowed to be run from the multitenant
    //         container database (CDB) root when DV is installed in one or more of the underlying
    //         pluggable databases (PDBs).
    // *Action: Run dvremov.sql on all PDBs before running it from CDB root.
    $
    
  • Run the dvremov.sql script to remove Oracle Database Vault related metadata from PDB21, and repeat in all other PDBs.

    
    $ sqlplus sys@PDB21 AS SYSDBA
    Enter password:
    Connected.
    SQL> @$ORACLE_HOME/rdbms/admin/dvremov.sql
    Session altered.
    
    PL/SQL procedure successfully completed.
    ...
    User dropped.
    ...
    Role dropped.
    
    PL/SQL procedure successfully completed.
    ...
    Grant succeeded.
    
    PL/SQL procedure successfully completed.
    
    Noaudit succeeded.
    ...
    Commit complete.
    
    PL/SQL procedure successfully completed.
    
    Session altered.
    
    SQL>
    
  • Now remove Oracle Database Vault related metadata from the CDB root.

    
    SQL> CONNECT / AS SYSDBA
    Connected.
    SQL> @$ORACLE_HOME/rdbms/admin/dvremov.sql
    Session altered.
    
    PL/SQL procedure successfully completed.
    ...
    Commit complete.
    
    PL/SQL procedure successfully completed.
    ...
    Noaudit succeeded.
    
    Commit complete.
    
    PL/SQL procedure successfully completed.
    
    Session altered.
    
    SQL>  EXIT
    $
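
A pre-flight check for Step 3, run from the CDB root as SYSDBA before calling dvremov.sql there, so that the two conditions behind ORA-48000 and ORA-47993 are visible up front. This is an added example, not part of the original practice or of Oracle's scripts; it assumes that the component registry (COMP_ID 'DV') reflects whether dvremov.sql has already been run in a PDB.

```sql
-- Added example: pre-flight for running dvremov.sql from the CDB root.
-- Run in SQL*Plus after CONNECT / AS SYSDBA.

-- 1. Closed PDBs. A closed PDB reports OPEN_MODE = 'MOUNTED', which is the
--    situation ORA-48000 reports in this practice. Any row returned here
--    means ALTER PLUGGABLE DATABASE ALL OPEN is needed first.
SELECT con_id, name, open_mode
FROM   v$pdbs
WHERE  open_mode = 'MOUNTED'
ORDER  BY con_id;

-- 2. PDBs where the Database Vault component is still registered, which is
--    the situation ORA-47993 reports. CDB_ views only return rows for open
--    containers, so query 1 must come back empty before this result can be
--    trusted. REMOVED is a documented DBA_REGISTRY status; filtering on it
--    covers the case where the registry row is kept after removal
--    (assumption: dvremov.sql either deletes the row or marks it REMOVED).
SELECT c.con_id, c.name, r.comp_id, r.status
FROM   cdb_registry r
JOIN   v$containers c ON c.con_id = r.con_id
WHERE  r.comp_id = 'DV'
AND    r.status <> 'REMOVED'
AND    c.con_id <> 1              -- the root is handled last
ORDER  BY c.con_id;

-- 3. Root state, using the same check as Step 2. Expect FALSE after
--    DBMS_MACADM.DISABLE_DV and the instance restart.
SELECT parameter, value
FROM   v$option
WHERE  parameter = 'Oracle Database Vault';
```

If queries 1 and 2 return no rows and query 3 returns FALSE, the root meets the conditions this practice works through before the final dvremov.sql run.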