B Disabling and Enabling Oracle Database Vault

Periodically you must disable and then re-enable Oracle Database Vault, for activities such as installing Oracle Database optional products or features.

B.1 When You Must Disable Oracle Database Vault

You may need to disable Oracle Database Vault to perform upgrade tasks or correct erroneous configurations.

You can reenable Oracle Database Vault after you complete the corrective tasks.

The following situations require you to disable Oracle Database Vault:

  • You must install any of the Oracle Database optional products or features, such as Oracle Spatial, by using Database Configuration Assistant (DBCA).

  • If you did not configure backup DV_OWNER and DV_ACCTMGR accounts when you registered Oracle Database Vault, and these accounts are inadvertently locked or their passwords forgotten. Note that the DISABLE_DV procedure itself requires the DV_OWNER role: if your site has only one DV_OWNER user and that user's password is lost, you cannot disable Oracle Database Vault at all. If only the DV_ACCTMGR password is lost, you can still disable Database Vault and then reset it. As a best practice, grant the DV_OWNER and DV_ACCTMGR roles to additional new or existing user accounts, and keep the Database Vault Owner and Account Manager accounts that you created when you registered Database Vault as backup accounts.

  • If you want to register Oracle Internet Directory (OID) using Oracle Database Configuration Assistant (DBCA).

  • If Oracle Database Vault is enabled and you are upgrading an entire CDB, then use one of the following methods:

    • CDB upgrade method 1: Temporarily grant the DV_PATCH_ADMIN role to user SYS commonly. Log in to the root container as a common user who has the DV_OWNER role and issue the GRANT DV_PATCH_ADMIN TO SYS CONTAINER=ALL statement. Oracle Database Vault controls remain in the same state as they were before the upgrade. When the upgrade is complete, log in to the root container as the DV_OWNER user and revoke the role from SYS by issuing the REVOKE DV_PATCH_ADMIN FROM SYS CONTAINER=ALL statement.
    • CDB upgrade method 2: Log in to each container as a user who has the DV_OWNER role and execute the DBMS_MACADM.DISABLE_DV procedure. Disable the PDBs first (in any order) and the root container last. If you are upgrading only one PDB, then you can disable Oracle Database Vault in that PDB only. After you have completed the upgrade, enable Oracle Database Vault by logging in to each container as the DV_OWNER user and executing the DVSYS.DBMS_MACADM.ENABLE_DV procedure, in the reverse order: the root container first, then the PDBs (in any order).
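The following SQL*Plus script is an added example, not part of the Oracle documentation. It shows the checks a practitioner would run before touching Database Vault (that backup DV_OWNER and DV_ACCTMGR accounts exist and are open, and what the current enablement status is) and then CDB upgrade method 1, including verification that the temporary DV_PATCH_ADMIN grant is common and that it is gone afterwards. The user name c##sec_admin_owen is assumed to be a common user with the DV_OWNER role; replace it with your own.

```sql
-- Added example (not from the Oracle documentation).
-- Assumes: c##sec_admin_owen is a common user with DV_OWNER, and you are
-- connected to CDB$ROOT. Replace names with your own.

CONNECT c##sec_admin_owen
SHOW CON_NAME

-- 1. Pre-check: which accounts hold DV_OWNER and DV_ACCTMGR, and are they open?
--    A site with a single, locked DV_OWNER cannot disable Database Vault at all,
--    so fix this BEFORE starting any upgrade that might need DISABLE_DV.
SELECT r.granted_role, r.grantee, r.common, u.account_status
  FROM dba_role_privs r
  JOIN dba_users u ON u.username = r.grantee
 WHERE r.granted_role IN ('DV_OWNER', 'DV_ACCTMGR')
 ORDER BY r.granted_role, r.grantee;

-- 2. Record the current Database Vault state in the root so you can confirm
--    after the upgrade that method 1 left it unchanged.
--    Expected rows: DV_CONFIGURE_STATUS and DV_ENABLE_STATUS, each TRUE or FALSE.
SELECT name, status FROM dba_dv_status;

-- 3. CDB upgrade method 1: give SYS the DV_PATCH_ADMIN role commonly for the
--    duration of the upgrade. Verify that the grant really is common (COMMON = YES).
GRANT DV_PATCH_ADMIN TO SYS CONTAINER = ALL;

SELECT grantee, granted_role, common
  FROM dba_role_privs
 WHERE granted_role = 'DV_PATCH_ADMIN';

-- ... run the database upgrade here ...

-- 4. Revoke the role as soon as the upgrade finishes and confirm nothing remains.
--    Leaving DV_PATCH_ADMIN on SYS would let SYS bypass the separation of duty
--    that Database Vault is there to enforce.
REVOKE DV_PATCH_ADMIN FROM SYS CONTAINER = ALL;

SELECT COUNT(*) AS remaining_dv_patch_admin_grants
  FROM dba_role_privs
 WHERE granted_role = 'DV_PATCH_ADMIN';

-- 5. Confirm the Database Vault state matches what was recorded in step 2.
SELECT name, status FROM dba_dv_status;
```

The final count should be 0; if it is not, a grant of DV_PATCH_ADMIN still exists somewhere and must be revoked before the database is returned to normal use.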

Note:

Be aware that if you disable Oracle Database Vault, the privileges that were revoked from existing users and roles during the Oracle Database Vault configuration remain in effect.

B.2 Step 1: Disable Oracle Database Vault

Be aware that after you disable Oracle Database Vault, Oracle Label Security, which is required to run Database Vault, is still enabled.

  1. As a user who has been granted the DV_OWNER role, log in to the root or to the PDB in which you want to disable Oracle Database Vault.
    For example, to log in to the root:
    sqlplus c##sec_admin_owen
    Enter password: password

    To log in to a PDB:

    sqlplus sec_admin_owen@pdb_name
    Enter password: password

    To find the available PDBs, query the PDB_NAME column of the DBA_PDBS data dictionary view. To check the current container, run the show con_name command.

  2. If necessary, verify the enablement status of Oracle Database Vault, for example by querying the DBA_DV_STATUS data dictionary view; the DV_ENABLE_STATUS row shows TRUE when Database Vault is enabled in the current container.
  3. Disable Oracle Database Vault.
    EXEC DBMS_MACADM.DISABLE_DV;
  4. Restart the CDB or close and then reopen the PDB.
    To restart the CDB, connect to the root (CDB$ROOT) rather than to a PDB service; a SHUTDOWN issued while connected to a PDB closes only that PDB:
    CONNECT SYS AS SYSOPER 
    Enter password: password
    
    SQL> SHUTDOWN IMMEDIATE
    SQL> STARTUP 

    To close and reopen the PDB:

    CONNECT sec_admin_owen@pdb_name
    Enter password: password
    
    SQL> ALTER PLUGGABLE DATABASE pdb_name CLOSE IMMEDIATE;
    SQL> ALTER PLUGGABLE DATABASE pdb_name OPEN;
  5. For Oracle RAC installations, repeat these steps for each node on which the database is installed.

B.3 Step 2: Perform the Required Tasks

At this stage, Oracle Database Vault is disabled and you can perform the required tasks.

You can perform the following types of activities:

  • Use the Oracle Database Vault PL/SQL packages and functions. For example, to correct a login or CONNECT rule set error, use the DBMS_MACADM PL/SQL package or the Oracle Database Vault pages in Enterprise Manager Cloud Control. Note that a CONNECT command rule cannot prevent a user who has the DV_OWNER or DV_ADMIN role from connecting to the database. This enables a Database Vault administrator to correct a misconfigured protection without having to disable Database Vault.

  • Use the SYSTEM or SYS accounts to perform tasks such as creating or changing passwords, or locking and unlocking accounts. In addition to modifying standard database and administrative user accounts, you can modify passwords and the lock status of any of the Oracle Database Vault-specific accounts, such as users who have been granted the DV_ADMIN or DV_ACCTMGR roles.

  • Perform the installation or other tasks that require security protections to be disabled.

B.4 Step 3: Enable Oracle Database Vault

You can enable Oracle Database Vault and Oracle Label Security from SQL*Plus from either the root or a PDB.

  1. As a user who has been granted the DV_OWNER role, log in to the root or to the PDB in which you want to enable Oracle Database Vault.
    For example, to log in to the root:
    sqlplus c##sec_admin_owen
    Enter password: password

    To log in to a PDB:

    sqlplus sec_admin_owen@pdb_name
    Enter password: password

    To find the available PDBs, query the PDB_NAME column of the DBA_PDBS data dictionary view. To check the current container, run the show con_name command.

  2. If necessary, verify the enablement status of Oracle Database Vault, for example by querying the DBA_DV_STATUS data dictionary view; the DV_ENABLE_STATUS row shows FALSE while Database Vault is disabled in the current container.
  3. Enable Database Vault in either regular mode or strict mode. In regular mode, the PDBs of a CDB may have Database Vault enabled or disabled individually; in strict mode, Database Vault must be enabled in every PDB.
    -- For regular mode
    EXEC DBMS_MACADM.ENABLE_DV (strict_mode => 'n');
    -- For strict mode
    EXEC DBMS_MACADM.ENABLE_DV (strict_mode => 'y');
  4. Check if Oracle Label Security is enabled.
    SELECT VALUE FROM V$OPTION WHERE PARAMETER = 'Oracle Label Security';
    

    Oracle Label Security must be enabled before you can use Database Vault. If it is not enabled, then this query returns FALSE.

  5. If Oracle Label Security is not enabled, then enable it.
    EXEC LBACSYS.CONFIGURE_OLS;
    EXEC LBACSYS.OLS_ENFORCEMENT.ENABLE_OLS;
  6. Restart the CDB or close and then reopen the PDB.
    To restart the CDB, connect to the root (CDB$ROOT) rather than to a PDB service; a SHUTDOWN issued while connected to a PDB closes only that PDB:
    CONNECT SYS AS SYSOPER 
    Enter password: password
    
    SQL> SHUTDOWN IMMEDIATE
    SQL> STARTUP 

    To close and reopen the PDB:

    CONNECT sec_admin_owen@pdb_name
    Enter password: password
    
    SQL> ALTER PLUGGABLE DATABASE pdb_name CLOSE IMMEDIATE;
    SQL> ALTER PLUGGABLE DATABASE pdb_name OPEN;
  7. For Oracle RAC installations, repeat these steps for each node on which the database is installed.
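The following SQL*Plus script is an added example, not part of the Oracle documentation. It walks the complete cycle of Steps 1 to 3 for a CDB with one PDB, in the container order that B.1 (CDB upgrade method 2) requires: disable the PDB first and the root last, then enable the root first and the PDB afterwards, verifying the DBA_DV_STATUS and Oracle Label Security state at each point. It assumes a common DV_OWNER user named c##sec_admin_owen that can connect to both containers, a PDB named pdb1, and a DV_ACCTMGR user named c##sec_admin_acct whose account was locked and is the reason for the exercise. All of those names are assumptions; replace them with your own.

```sql
-- Added example (not from the Oracle documentation).
-- Assumes: common DV_OWNER user c##sec_admin_owen, PDB service pdb1, and a
-- locked DV_ACCTMGR user c##sec_admin_acct that needs unlocking.
-- SQL*Plus prompts for each password at CONNECT.

-- ===== Step 1: disable Database Vault, PDBs first, root last =====
CONNECT c##sec_admin_owen@pdb1
SHOW CON_NAME
-- Expect DV_ENABLE_STATUS = TRUE before disabling.
SELECT name, status FROM dba_dv_status;
EXEC DBMS_MACADM.DISABLE_DV;

CONNECT c##sec_admin_owen
SHOW CON_NAME
EXEC DBMS_MACADM.DISABLE_DV;

-- Restart the whole CDB from the root. The connect string deliberately has no
-- PDB service name: SHUTDOWN issued inside a PDB would close only that PDB.
CONNECT SYS AS SYSOPER
SHUTDOWN IMMEDIATE
STARTUP

-- Database Vault is now off in both containers, but Oracle Label Security
-- (required by Database Vault) is still enabled, so expect TRUE here.
CONNECT c##sec_admin_owen
SELECT name, status FROM dba_dv_status;
SELECT value FROM v$option WHERE parameter = 'Oracle Label Security';

-- ===== Step 2: the corrective task that needed Database Vault disabled =====
-- With Database Vault off, SYSTEM may again manage Database Vault accounts.
-- CONTAINER = ALL unlocks the common user in every container at once.
CONNECT SYSTEM
ALTER USER c##sec_admin_acct ACCOUNT UNLOCK CONTAINER = ALL;
SELECT username, account_status FROM dba_users
 WHERE username = 'C##SEC_ADMIN_ACCT';

-- ===== Step 3: re-enable Database Vault, root first, then the PDBs =====
CONNECT c##sec_admin_owen
-- Regular mode: PDBs may be enabled individually.
EXEC DBMS_MACADM.ENABLE_DV (strict_mode => 'n');

-- OLS must be enabled for Database Vault to work. If the query returns FALSE,
-- run the two LBACSYS calls that follow before restarting.
SELECT value FROM v$option WHERE parameter = 'Oracle Label Security';
-- EXEC LBACSYS.CONFIGURE_OLS;
-- EXEC LBACSYS.OLS_ENFORCEMENT.ENABLE_OLS;

CONNECT c##sec_admin_owen@pdb1
EXEC DBMS_MACADM.ENABLE_DV (strict_mode => 'n');

CONNECT SYS AS SYSOPER
SHUTDOWN IMMEDIATE
STARTUP

-- ===== Final verification in every container =====
-- Both DV_CONFIGURE_STATUS and DV_ENABLE_STATUS should read TRUE in the root
-- and in pdb1. On Oracle RAC, repeat the restart on each node.
CONNECT c##sec_admin_owen
SELECT name, status FROM dba_dv_status;
CONNECT c##sec_admin_owen@pdb1
SELECT name, status FROM dba_dv_status;
```

Keep the window between the two restarts as short as possible: while Database Vault is disabled, the realm and command-rule protections are not enforced, even though the privileges revoked at Database Vault configuration time stay revoked.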