2 Installing Oracle Database Vault as an Option

2.1.1 Become Familiar with the Features of Oracle Database Vault

Before you plan the upgrade process, become familiar with the features of Oracle Database Vault. The Oracle Database Vault Administrator's Guide discusses the basic features of Oracle Database Vault.

2.1.2 Check the Hardware Requirements

The following sections describe the minimum hardware requirements for installing Oracle Database Vault on an OpenVMS system.

• Minimum Hardware Requirements

• Disk Space Requirements

$ SHOW MEMORY

$ SHOW MEMORY/RESERVED 
System Memory Resources on 13-JUL-2002 09:57:11.72 

Memory Reservations (pages):   Group   Reserved  In Use  Type
ORA_PROD_SGA                   SYSGBL  5120      0       Allocated
ORA_PROD_SGA                   SYSGBL  5         0       Page Table
Total (40.04 Mbytes reserved)          5125      0

2.1.3 Check the Operating System Requirements

Depending on the products that you intend to install, verify that the following software is installed on the system. The procedure following the table describes how to verify whether these requirements are addressed.

To ensure that the system meets these requirements:

1. To determine which version of OpenVMS is installed, enter the following command:

   For OpenVMS Alpha:

   $ WRITE SYS$OUTPUT F$GETSYI("VERSION")
   V8.2
   

   For OpenVMS Itanium:

   $ WRITE SYS$OUTPUT F$GETSYI("VERSION")
   V8.2-1
   

   If necessary, refer to the operating system documentation for information about upgrading the operating system.

2. To display additional information about the operating system, enter the following command:

   $ SHOW SYSTEM /NOPROCESS /FULL
   

   To view information about all nodes in a cluster, add the /CLUSTER qualifier to this command.

3. To determine the version of TCP/IP installed, enter the following command:

   For OpenVMS Alpha:

   $ tcpip show version
   HP TCP/IP Services for OpenVMS Alpha Version V5.5 - ECO 1 
   on a AlphaServer GS160 6/731 running OpenVMS V8.2
   

   For OpenVMS Itanium:

   $ tcpip show version
   HP TCP/IP Services for OpenVMS Industry Standard 64 
   Version V5.5 - ECO 1
   on an HP rx4640 (1.50GHz/6.0MB) running OpenVMS V8.2-1
   

Oracle Net Services OpenVMS Mailbox Driver

The Oracle Net Services OpenVMS Mailbox driver (protocol IPC) is included in NETWORK. You do not need an Oracle Net Services license to use the OpenVMS Mailbox driver.

2.1.4 Installation Specific Issues and Restrictions

There are factors that can affect the installation or use of Oracle Database. This section discusses these factors:

• Install Oracle Database Vault into an Existing Oracle Home Only

• Do Not Modify the JDK

2.1.5 Plan for the Use of Oracle Database Vault Administrator

Oracle Database Vault Administrator is a graphical user interface for administering Oracle Database Vault. However, Database Vault Administrator is not available on the hp OpenVMS platform. It is only available in Oracle Database Release 11g Release 1 (11.1) as an installation option. If you have access to this release, you can remotely connect Database Vault Administrator to an Oracle Database Release 10g Release 2 (10.2.0.4) installation on hp OpenVMS. See Oracle Database Vault Administrator's Guide for information about making this remote connection.

If you do not have access to Oracle Database 11g, then you can use the DVSYS PL/SQL packages and the PL/SQL interfaces described in Oracle Database Vault Administrator's Guide to manage Oracle Database Vault.

2.1.6 Check the Database Requirements

In order to install Oracle Database Vault, you must be running the Enterprise Edition of Oracle Database 10g release 2 (10.2.0.4).

A listener must have been configured for the existing database. Oracle Net Configuration Assistant configures the listener when you first install the database.

You must have an existing password file for the database. The password file authentication parameter, REMOTE_LOGIN_PASSWORDFILE must have been set to EXCLUSIVE or SHARED.

You can set the REMOTE_LOGIN_PASSWORDFILE parameter in the init.ora file. Use the orapwd utility to create and manage password files.

2.1.7 Prepare a Backup Strategy

Oracle strongly recommends that you back up your database before performing any upgrade or installation. The ultimate success of your upgrade depends heavily on the design and execution of an appropriate backup strategy. To develop a backup strategy, consider the following questions:

• How long can the production database remain inoperable before business consequences become intolerable?

• What backup strategy should be used to meet your availability requirements?

• Are backups archived in a safe, offsite location?

• How quickly can backups be restored (including backups in offsite storage)?

• Have recovery procedures been tested successfully?

Your backup strategy should answer all of these questions and include procedures for successfully backing up and recovering your database.

2.1.8 Disable Custom Profiles (If Any)

If you have created custom profiles and password complexity checks in your existing database, then you must disable these before performing the installation. You can reenable these after the installation is complete. Use the following steps to achieve this:

1. Extract the profile names and associated settings for each profile that is being used. You can use a script to accomplish this.

   Example 2-1 shows a sample script that extracts the profile names and settings to create an output script called, myprofiles.sql. After the installation is complete, you can run myprofiles.sql to restore the profile settings.

   Example 2-1 Extracting Profiles

   set serverout on size 100000
    spool myprofiles.sql
    declare
    l_last varchar2(30) := 'X';
    l_count number := 0;
    begin
        for c in (
            select profile, resource_name , limit
            from dba_profiles
            order by profile, resource_name
        ) loop
            if l_last <> c.profile then
                l_last := c.profile;
                if l_count > 0 then
                    dbms_output.put_line(';');
                end if;
                l_count := l_count + 1;
                dbms_output.put_line('create profile ' || c.profile || ' limit ');
            else
                dbms_output.put_line('    ' || c.resource_name || ' ' || c.limit);
            end if;
        end loop;
        dbms_output.put_line(';');
    end;
    /
    spool off 
   

2. Disable the custom profiles and password complexity settings. For example:

   SQL> ALTER PROFILE SomeCustomProfile LIMIT
   PASSWORD_REUSE_MAX UNLIMITED -- The number of times a password can be reused
   PASSWORD_REUSE_TIME UNLIMITED -- The number of days between reuses of a password
   PASSWORD_VERIFY_FUNCTION NULL
   /
   

3. After the Oracle Database Vault installation is complete, reenable the profiles by running the script created in Step 1.

   SQL>@myprofiles.sql
   

2.1.9 Verify That Oracle Clusterware Is Running (RAC Only)

Oracle Clusterware should be running for the Database Vault installer to find the existing Real Application Clusters (RAC) databases. If you have stopped Oracle Clusterware, then you should restart it before running Oracle Universal Installer. Use the following command to verify if Oracle Clusterware is running:

$ CRSCTL CHECK CRS

The output from this command should indicate the health of the Oracle Clusterware server processes of the current node. Run this command on each node of the RAC cluster. In the following example, the CSS, CRS, and EVM processes are healthy.

$ CRSCTL CHECK CRS
CSS appears healthy
CRS appears healthy
EVM appears healthy

2.1.10 Stop Existing Oracle Processes

to stop the existing Oracle processes:

1. Log in as the owner of the Oracle installation.

2. For each database associated with the installation, perform these steps:

   1. Run the orauser.com script with the SID of the database instance, for example, assuming the SID is PROD:

      @DISK$ORACLE:[ORACLE10GR2]ORAUSER PROD
      

   2. Shut the database down.

3. Shut down all listeners.

   For example, to stop listeners LISTENER1 and LISTENER2:

   LSNRCTL STOP LISTENER1
   LSNRCTL STOP LISTENER2
   

4. Shut down all other services.

5. Log out.

2.1.11 Configure the Oracle User's Environment

Before you start Oracle Universal Installer, you must configure the environment of the Oracle database account.

To configure the Oracle database account environment:

1. Start a new terminal session.

2. Set up the display by using the SET DISPLAY command.

   If you are not installing the software on the local system, then enter the following command to direct X applications to display on the local system:

   $ SET DISPLAY/CREATE/TRANSPORT=TCPIP/NODE=ip_address
    
   

   To confirm that the display is set correctly, run the following command:

   $ RUN SYS$SYSTEM:DECW$CLOCK
   

3. If the database to be updated with this Oracle Database Vault installation is not an Oracle Real Applications Clusters (RAC) database, then define the ORA_DB_NONRAC_INSTALL logical name as follows:

   $ DEFINE ORA_DB_NONRAC_INSTALL "TRUE"
   

4. Ensure that the file oraInst.loc file points to the inventory for the correct Oracle home.

   By default, the oraInst.loc file is in disk:[login_dir.hostname], where login_dir is the equivalent of the SYS$LOGIN logical name, and hostname is the name of the network node where the databases have been created.

5. Ensure that the ORATAB file exists and contains information about all Oracle databases created on the node.

   The database entries in this file are of the following form:

   ORACLE_SID:ORACLE_HOME:[N|Y]
   

   By default, the ORATAB file is in the same directory as oraInst.loc discussed in Step 4.

6. Copy the DV.RSP file from the [.response] subdirectory of your Oracle Database Vault kit to any location where you can edit this file, for example, SYS$LOGIN.

7. Edit the DV.RSP file and provide all the required values, making sure to enclose them in double quotation marks (").

   For more information about the response file, see Appendix B, "Using Response Files".

8. Enter the following command:

   $ SET NOVERIFY
   

9. Enter the following command:

   $ SET PROCESS/PRIV=ALL
   

10. Start Oracle Universal Installer.

    See "Run Oracle Universal Installer to Install Oracle Database Vault".

2.1.12 Run Oracle Universal Installer to Install Oracle Database Vault

Run Oracle Universal Installer (OUI) to install Oracle Database Vault into an existing Oracle Database 10g release 2 (10.2.0.4) database.

To start Oracle Universal Installer:

1. Ensure that you have created a response file.

   You must use a response file to install Oracle Database Vault on an hp OpenVMS system. See Appendix B, "Using Response Files" for details about creating response files. Also, ensure that you have completed the instructions in "Configure the Oracle User's Environment".

2. Run the following command:

   $ @kit_device:[Disk1]runInstaller.com -responseFile response_file
   

   In this specification:

   • kit_device is the disk that contains the Oracle Database Vault installation kit.

   • response_file is the full specification in OpenVMS format of the DV.RSP file that you edited in "Configure the Oracle User's Environment".

   Optionally, you can use the -silent parameter if you want to bypass the Graphical User Interface of Oracle Universal Installer. For example:

   $ @kit_device:[Disk1]runInstaller.com -responseFile response_file -silent
   

   For more information about other options that you can use with the runInstaller utility, enter the following command:

   $ @kit_device:[Disk1]runInstaller.com -HELP
   

If you omit the -silent parameter, then Oracle Universal Installer loads the values you created in the response file. The following actions take place:

1. The Summary screen displays, showing the installation details. Verify these details and then click Install.

2. The Installation screen appears next. After the installation completes, Database Vault Configuration Assistant (DVCA) runs automatically to configure the Database Vault.

2.2.1 Review the Database Vault Configuration Assistant Related Files

The installation of the Oracle Database Vault triggers an automatic execution of the dvca.com script. This Database Vault Configuration Assistant procedure uses a dvca.args file that is generated by the installer. The script also creates and leaves behind the dvca.jinput file. When the configuration phase completes, it renames the dvca.args file to dvca.args_OLD. Both, the dvca.jinput and the dvca.args_OLD files reside in your ORACLE_HOME location. Even though the access to these files is limited to the SYSTEM and the owner accounts, you may want to delete files, or otherwise secure these files because they contain sensitive database access information.

2.2.2 Back Up the Database

Make sure you perform a full backup of the production database. See Oracle Database Backup and Recovery User's Guide for details on backing up a database.

2.2.3 Change Passwords for Oracle-Supplied Accounts

Oracle strongly recommends that you change the password for each account after installation. This enables you to effectively implement the strong security provided by Oracle Database Vault.

To unlock and reset user account passwords using SQL*Plus:

1. Start SQL*Plus and log in using the Database Vault Account Manager account. If you did not create the Database Vault Account Manager account during installation, then you must log in using the Database Vault Owner account.

2. Enter a command similar to the following, where account is the user account that you want to unlock and password is the new password:

   SQL> ALTER USER account [ IDENTIFIED BY password ] ACCOUNT UNLOCK;
   

   In this example:

   • The ACCOUNT UNLOCK clause unlocks the account.

   • The IDENTIFED BY password clause resets the password.

   Note:

   If you unlock an account but do not reset the password, then the password remains expired. The first time someone connects as that user, they must change the user's password.

   To permit unauthenticated access to your data through HTTP, unlock the ANONYMOUS user account.

   See Also:

   Oracle Database Administrator's Guide for more information about:

   • Unlocking and changing passwords after installation

   • Oracle security procedures

   • Best security practices

2.2.4 Disable Remote SYSDBA Connections (Optional)

Oracle Database Vault allows you to disable remote logins with SYSDBA privileges. This enables enhanced security for your database.

To disable remote SYSDBA connections, re-create the password file with the nosysdba flag set to y (Yes). A user can still log in AS SYSDBA locally using Operating System (OS) authentication. However, remote connections AS SYSDBA will fail.

Use the following syntax to re-create the password file:

orapwd file=filename password=password [entries=users] force=y nosysdba=y

In this specification:

• file: Name of password file (mandatory)

• password: Password for SYS (mandatory). Enter at least six alphanumeric characters.

• entries: Maximum number of distinct DBA users

• force: Whether to overwrite the existing file

• nosysdba: Whether to enable or disable the SYS logon

  The default is no, so if you omit this flag, the password file will be created enabling SYSDBA access for Oracle Database Vault instances.

For example, to create a password file for an Oracle database named orcl:

orapwd file=ORA_ROOT:[DBS]orapworcl.ora password=sys_password force=y nosysdba=y

When you re-create the password file, any accounts other than SYS that were granted the SYSDBA or SYSOPER privileges will have those privileges removed. You must regrant the privileges for these accounts after you have re-created the password file.

You can reenable the ability to connect with the SYSDBA privilege by re-creating the password file with the nosysdba flag set to n (No). You might need to reenable the ability to connect with the SYSDBA privilege, if certain products or utilities require it's use.

2.2.5 Start the Listener and Database on Other Nodes (RAC Only)

You must start the listener and database on all RAC nodes other than the one on which the installation is performed. Use the following commands to start the listener and the database:

$ SRVCTL start listener "-n" node_name
$ SRVCTL start instance "-d" sid "-i" instance_name

2.2.6 Running DVCA on Other Oracle Real Application Nodes

For this release of Oracle Database Vault on the hp OpenVMS platform, you do not need to run DVCA on other nodes in a RAC installation.

2.2.7 Running Oracle Database Vault Administrator

See Oracle Database Vault Release Notes for hp OpenVMS for more information.