A Disabling, Enabling, Uninstalling, and Reinstalling Oracle Label Security

You can disable, enable, uninstall, and reinstall Oracle Label Security from the command line.

A.1 Disabling and Enabling Oracle Label Security

You can disable and enable Oracle Label Security as necessary.

A.1.1 When You Must Disable Oracle Label Security

You may need to disable Oracle Label Security to perform upgrade tasks or correct erroneous configurations.

Another reason for disabling Oracle Label Security is if you want to test an application without enforcing Oracle Label Security. You can reenable Oracle Label Security after you complete the tasks.

A.1.2 Disabling Oracle Label Security

If Oracle Database Vault has been enabled, then do not disable Oracle Label Security.

  1. Log into the PDB as user SYS with the SYSDBA administrative privilege, or a user who has been granted the LBAC_DBA role.

    For example:

    sqlplus psmith_ols@pdb_name
    Enter password: password
    

    To find the available PDBs, query the DBA_PDBS data dictionary view. To check the current PDB, run the show con_name command.

  2. Query the DBA_DV_STATUS data dictionary view to find if Oracle Database Vault has been enabled in this PDB.
    Oracle Database Vault depends on Oracle Label Security. If Oracle Database Vault is installed in the PDB, then do not disable Oracle Label Security.
    SELECT * FROM DBA_DV_STATUS;

    Output similar to the following should appear:

    NAME                 STATUS
    -------------------- -----------
    DV_CONFIGURE_STATUS  FALSE
    DV_ENABLE_STATUS     FALSE

    If the output is FALSE, then you can disable Oracle Label Security.

  3. Run the following procedure:
    EXEC LBACSYS.OLS_ENFORCEMENT.DISABLE_OLS;
    
  4. Connect to the CDB as a user with the SYSDBA administrative privilege.
    CONNECT / AS SYSDBA
  5. Close and reopen the PDB.

    For example:

    ALTER PLUGGABLE DATABASE pdb_name CLOSE IMMEDIATE;
    ALTER PLUGGABLE DATABASE pdb_name OPEN;
    
  6. For Oracle Real Application Clusters (Oracle RAC), repeat these steps for each Oracle RAC node on which you enabled Oracle Label Security.
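The check in step 2 and the call in step 3 can be combined so that the disable cannot run when Oracle Database Vault is active. The following SQL*Plus script is an added example, not part of the original Oracle procedure. It assumes that "the output is FALSE" means every row of DBA_DV_STATUS reports FALSE; the error number -20001 and the message text are arbitrary choices.

```sql
-- Added example: guarded disable of Oracle Label Security in the current PDB.
-- Run in SQL*Plus while connected to the PDB as in step 1.
SET SERVEROUTPUT ON
-- Stop the script (and SQL*Plus) on the first error so nothing runs past a failed guard.
WHENEVER SQLERROR EXIT FAILURE

DECLARE
  v_dv_active PLS_INTEGER;
BEGIN
  -- Step 2: count DBA_DV_STATUS rows that are not FALSE.
  -- Assumption: any TRUE row means Database Vault is configured or enabled.
  SELECT COUNT(*)
    INTO v_dv_active
    FROM dba_dv_status
   WHERE UPPER(status) = 'TRUE';

  IF v_dv_active > 0 THEN
    RAISE_APPLICATION_ERROR(-20001,
      'Oracle Database Vault is configured or enabled in this PDB; '
      || 'Oracle Label Security was not disabled.');
  END IF;

  -- Step 3: the same call as EXEC LBACSYS.OLS_ENFORCEMENT.DISABLE_OLS
  LBACSYS.OLS_ENFORCEMENT.DISABLE_OLS;
  DBMS_OUTPUT.PUT_LINE('DISABLE_OLS completed; close and reopen the PDB (steps 4 and 5).');
END;
/

-- Record the Oracle Label Security status rows for the change record.
SELECT name, status FROM dba_ols_status;
```

Steps 4 through 6 (reconnecting to the CDB, reopening the PDB, and repeating on each Oracle RAC node) still have to be carried out after the script finishes.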

A.1.3 Enabling Oracle Label Security

You can enable Oracle Label Security in SQL*Plus.

  1. Log into the PDB as user SYS with the SYSDBA administrative privilege, or a user who has been granted the LBAC_DBA role.

    For example:

    sqlplus psmith_ols@pdb_name
    Enter password: password
    

    To find the available PDBs, query the DBA_PDBS data dictionary view. To check the current PDB, run the show con_name command.

  2. Run the following procedure:
    EXEC LBACSYS.OLS_ENFORCEMENT.ENABLE_OLS;
    
  3. Connect to the CDB as a user with the SYSDBA administrative privilege.
    CONNECT / AS SYSDBA
  4. Close and reopen the PDB.

    For example:

    ALTER PLUGGABLE DATABASE pdb_name CLOSE IMMEDIATE;
    ALTER PLUGGABLE DATABASE pdb_name OPEN;
    
  5. For Oracle Real Application Clusters (Oracle RAC), repeat these steps for each Oracle RAC node on which you enabled Oracle Label Security.

A.2 Uninstalling and Reinstalling Oracle Label Security

You can uninstall and reinstall Oracle Label Security as necessary.

A.2.1 Uninstalling Oracle Label Security

You can perform a full or partial uninstall of Oracle Label Security.

You can only uninstall Oracle Label Security from a PDB, not from the CDB root.
  1. Log into the PDB as user SYS with the SYSDBA administrative privilege, or a user who has been granted the LBAC_DBA role.

    For example:

    sqlplus psmith_ols@pdb_name
    Enter password: password
    

    To find the available PDBs, query the DBA_PDBS data dictionary view. To check the current PDB, run the show con_name command.

  2. Ensure that Oracle Database Vault is not installed on this PDB by querying the DBA_USERS data dictionary view for the user DVSYS.
    SELECT USERNAME FROM DBA_USERS WHERE USERNAME = 'DVSYS';

    If the output shows DVSYS, then Oracle Database Vault is installed and you will need to uninstall Oracle Database Vault before you uninstall Oracle Label Security from the PDB.

  3. Enter the following command to uninstall Oracle Label Security:
    @?/rdbms/admin/catnools.sql value [value]

    In this specification, value refers to one of the following settings:

    • FULL performs a complete uninstall of Oracle Label Security. No OLS columns or the label information within them is retained. You must have the LBAC_DBA role (or be user LBACSYS) to use this option. For example:
      @?/rdbms/admin/catnools.sql FULL
    • PARTIAL performs a partial uninstall by only dropping the Oracle Label Security policies. This option preserves the OLS label information but conditionally drops the OLS columns. You must have the LBAC_DBA role (or be user LBACSYS) to use this option. You can drop the policies with or without dropping the OLS columns by using one of the following Boolean flags:
      • TRUE drops the policies and the OLS label information columns in the tables for which the policy was applied. You must have the LBAC_DBA role (or be user LBACSYS) to use this option. For example:
        @?/rdbms/admin/catnools.sql PARTIAL TRUE
      • FALSE drops the policies but retains the OLS label information columns in the tables for which the policy was applied. You must have the LBAC_DBA role (or be user LBACSYS) to use this option. For example:
        @?/rdbms/admin/catnools.sql PARTIAL FALSE
    • LBACSYS uninstalls the LBACSYS schema only. You must be user SYS with the SYSDBA administrative privilege to use this option. For example:
      @?/rdbms/admin/catnools.sql LBACSYS
    • POLICIES uninstalls policies but retains the OLS label column. You must have the LBAC_DBA role (or be user LBACSYS) to use this option.
      @?/rdbms/admin/catnools.sql POLICIES
    • POLICIES_WITH_DATA uninstalls OLS policies without retaining the OLS label column. You must have the LBAC_DBA role (or be user LBACSYS) to use this option.
      @?/rdbms/admin/catnools.sql POLICIES_WITH_DATA
  4. Connect to the CDB as a user with the SYSDBA administrative privilege.
    CONNECT / AS SYSDBA
  5. Close and reopen the PDB.

    For example:

    ALTER PLUGGABLE DATABASE pdb_name CLOSE IMMEDIATE;
    ALTER PLUGGABLE DATABASE pdb_name OPEN;
    
  6. For Oracle Real Application Clusters (Oracle RAC), repeat these steps for each Oracle RAC node on which you enabled Oracle Label Security.

A.2.2 Reinstalling Oracle Label Security

You can reinstall Oracle Label Security in a PDB but not in the CDB root.

  1. Log into the PDB as user SYS with the SYSDBA administrative privilege, or a user who has been granted the LBAC_DBA role.

    For example:

    sqlplus psmith_ols@pdb_name
    Enter password: password
    

    To find the available PDBs, query the DBA_PDBS data dictionary view. To check the current PDB, run the show con_name command.

  2. Query the DBA_OLS_STATUS data dictionary view to find if Oracle Label Security has already been installed and enabled in this PDB.
    For example:
    SELECT NAME, STATUS FROM DBA_OLS_STATUS;

    If the DBA_OLS_STATUS data dictionary view is not recognized, then Oracle Label Security is not installed and you can reinstall it. If the output is as follows, showing FALSE, then you only need to register Oracle Label Security.

    NAME                 STATUS
    -------------------- -----------
    OLS_CONFIGURE_STATUS  FALSE
    OLS_DIRECTORY_STATUS  FALSE
    OLS_ENABLE_STATUS     FALSE
  3. Exit SQL*Plus.
  4. Enter the following command to reinstall Oracle Label Security:
    @?/rdbms/admin/catols.sql
  5. Connect to the CDB as a user with the SYSDBA administrative privilege.
    CONNECT / AS SYSDBA
  6. Close and reopen the PDB.

    For example:

    ALTER PLUGGABLE DATABASE pdb_name CLOSE IMMEDIATE;
    ALTER PLUGGABLE DATABASE pdb_name OPEN;
    
  7. Register Oracle Label Security for the PDB.
  8. For Oracle Real Application Clusters (Oracle RAC), repeat these steps for each Oracle RAC node on which you enabled Oracle Label Security.