2 Configuring and Enabling Oracle Database Vault
To get started with Oracle Database Vault, you must configure it, enable it, and then restart the Oracle database. In an Oracle multitenant environment, you complete this on the container database (CDB) and then each of the pluggable databases (PDB).
Oracle recommends creating four accounts to manage key roles within Oracle Database
Vault. Two are primary accounts and two are backup accounts. Store the passwords for
these accounts in a safe place so that you do not lose or forget them. The accounts with
the DV_OWNER role, specifically, become your most critical accounts to
never lock and never lose the passwords to. To minimize the risk of locking the
accounts, Oracle recommends creating specific database profiles to assign to these four
accounts.
2.1 Configuring Database Vault on the Container Database
Perform the following steps to configure Database Vault on the container database.
- Connect as a database user that can create accounts and grant privileges
in both the container root and pluggable
database:
connect / as sysdba - Grant the following
privileges:
GRANT CREATE SESSION, SET CONTAINER TO c##dvowner IDENTIFIED BY <password> CONTAINER = ALL; GRANT CREATE SESSION, SET CONTAINER TO c##dvowner_backup IDENTIFIED BY <password> CONTAINER = ALL; GRANT CREATE SESSION, SET CONTAINER TO c##dvacctmgr IDENTIFIED BY <password> CONTAINER = ALL; GRANT CREATE SESSION, SET CONTAINER TO c##dvacctmgr_backup IDENTIFIED BY <password> CONTAINER = ALL; - Oracle recommends creating a profile that will not permanently lock the accounts you
created for Oracle Database Vault. You can adjust these to meet your requirements,
but Oracle recommends using the
PASSWORD_LOCK_TIMEprofile parameter to an acceptable length to allow the account to be unlocked after a reasonable time has passed. In this example, the following parameter is set to one minute:CREATE PROFILE C##DV_PROFILE LIMIT FAILED_LOGIN_ATTEMPTS 5 PASSWORD_VERIFY_FUNCTION ora12c_verify_function PASSWORD_LOCK_TIME 1/1440 CONTAINER=ALL; - Assign the profile to the Oracle Database Vault accounts you
created:
ALTER USER c##dvowner PROFILE c##dv_profile CONTAINER=ALL; ALTER USER c##dvowner_backup PROFILE c##dv_profile CONTAINER=ALL; ALTER USER c##dvacctmgr PROFILE c##dv_profile CONTAINER=ALL; ALTER USER c##dvacctmgr_backup PROFILE c##dv_profile CONTAINER=ALL; - Perform the configuration on the container
database:
connect / as sysdba BEGIN CONFIGURE_DV ( dvowner_uname => 'c##dvowner', dvacctmgr_uname => 'c##dvacctmgr', force_local_dvowner => FALSE); END; / - Recompile invalid objects. This step is not required but it's
recommended to keep invalid objects to a
minimum.
@$ORACLE_HOME/rdbms/admin/utlrp.sql - As
C##DVOWNER, enable Oracle Database Vault:CONNECT c##dvowner EXEC DBMS_MACADM.ENABLE_DV; - Restart the Oracle database. If you are in an Oracle Real Application Cluster, you
can minimize the downtime by using Oracle Real Application Clusters to perform a
rolling enablement, but in a single instance environment you must take the
downtime.
CONNECT / as sysoper shutdown immediate; startup; - From the container database, verify Oracle Database Vault is configured and enabled
in the CDB
root:
connect / as sysdba SELECT * FROM DBA_DV_STATUS;Both
DV_CONFIGURE_STATUSandDV_ENABLE_STATUSshould showTRUEandAPP_PROTECTIONwill showNOT CONFIGUREDbecause you have not enabled Oracle Database Vault operations control.For example:NAME STATUS ------------------- -------------- DV_CONFIGURE_STATUS TRUE DV_ENABLE_STATUS TRUE DV_APP_PROTECTION NOT CONFIGURED - Grant the backup accounts the appropriate Database Vault roles.
For example, the user who is the backup for Oracle Database Vault Owner has the
DV_OWNERrole:CONNECT c##dvowner GRANT DV_OWNER TO c##dvowner_backup WITH ADMIN OPTION CONTAINER=ALL; - Grant the backup accounts the appropriate Database Vault roles.
For example, the user who is the backup for Oracle Database Vault Account Manager has the
DV_ACCTMGRrole:CONNECT c##dvacctmgr GRANT DV_ACCTMGR TO c##dvacctmgr_backup WITH ADMIN OPTION CONTAINER=ALL; - To verify the Database Vault related users have the appropriate roles, query the
role privileges view as a user who has the DBA
role:
connect / as sysdba column grantee format a25 column granted_role format a25 select grantee, granted_role, admin_option, common from dba_role_privs where granted_role in ('DV_ACCTMGR','DV_OWNER') order by 1,2,3;The output should look like the following:GRANTEE GRANTED_ROLE ADMIN_OPTION COMMON ______________________ _______________ _______________ _________ C##DVACCTMGR DV_ACCTMGR YES YES C##DVACCTMGR_BACKUP DV_ACCTMGR YES YES C##DVOWNER DV_OWNER YES YES C##DVOWNER_BACKUP DV_OWNER YES YES
2.2 Configuring Database Vault on a Pluggable Database
Perform the following steps to configure Database Vault on a pluggable database. You can enable Database Vault on zero or more pluggable databases.
The following configuration will use common database users and grant them the
DV_OWNER and DV_ACCTMGR roles, respectively. This
is a common configuration however, not the only configuration. You may create, and use,
database users local to the pluggable database instead of common users. For more
information on the different configuration options, see the Oracle Database Vault
Administrator’s Guide.
- On the pluggable database, as a user with the
SYSDBAadministrative privilege, perform the configuration:alter session set container=pdb_name; BEGIN CONFIGURE_DV ( dvowner_uname => 'c##dvowner', dvacctmgr_uname => 'c##dvacctmgr'); END; / - Recompile invalid objects. This step is not required but it's
recommended to keep invalid objects to a minimum.
$ORACLE_HOME/rdbms/admin/utlrp.sql - Next, as
C##DVOWNER, enable Oracle Database Vault in the pluggable database:CONNECT c##dvowner@pdb_name EXEC DBMS_MACADM.ENABLE_DV; - As a user with the
SYSOPERrole, restart the Oracle pluggable database. If you are in an Oracle Real Application Cluster, you can minimize the downtime by performing rolling enablement, but in a single instance environment you must take the downtime.connect / as sysoper ALTER PLUGGABLE DATABASE pdb_name CLOSE IMMEDIATE; ALTER PLUGGABLE DATABASE pdb_name OPEN; - If you wish to check the status of Oracle Database Vault in all container and
pluggable databases, you can run the following command from the container database.
Now, Database Vault should be enabled on the container and pluggable
databases.
connect / as sysdba SELECT * FROM CDB_DV_STATUS;The output should look like the following. Notice the red highlighted rows, demonstrating both the container and pluggable database have Oracle Database Vault enabled:NAME STATUS CON_ID ______________________ _________________ _________ DV_CONFIGURE_STATUS TRUE 1 DV_ENABLE_STATUS TRUE 1 DV_APP_PROTECTION NOT CONFIGURED 1 DV_CONFIGURE_STATUS TRUE 3 DV_ENABLE_STATUS TRUE 3 DV_APP_PROTECTION NOT CONFIGURED 3Alternatively, if you want to see the container name instead of the container ID, run the following query:SELECT CON_ID_TO_CON_NAME(CON_ID) CON_NAME, NAME, STATUS FROM CDB_DV_STATUS;The output should look like the following:NAME STATUS CON_ID ______________________ _________________ _________ CDB$ROOT DV_CONFIGURE_STATUS TRUE CDB$ROOT DV_ENABLE_STATUS TRUE CDB$ROOT DV_APP_PROTECTION NOT CONFIGURED pdb_name DV_CONFIGURE_STATUS TRUE pdb_name DV_ENABLE_STATUS TRUE pdb_name DV_APP_PROTECTION NOT CONFIGUREDFor more information on the
CON_ID_TO_CON_NAMEfunction, review the Oracle Database SQL Language Reference