Oracle® Database Vault Installation Guide 10g Release 2 (10.2) for Oracle Solaris on SPARC (64-Bit) Part Number B31294-06
This chapter includes an overview of the major steps required to install Oracle Database Vault into an existing Oracle Database 10g Release 2 (10.2.0.5) database. These procedures transform an existing Oracle Database system (including associated applications) into an Oracle Database Vault system. Databases upgraded using the procedures described in this chapter can work almost in the same manner as in earlier releases and, optionally, can leverage new Oracle Database Vault functionality. For a list of changes that Database Vault makes, refer to Appendix F, "Initialization Parameters" and Oracle Database Vault Administrator's Guide.
Note:
In order to upgrade a pre-10g Release 2 Oracle Database to Oracle Database Vault, you first need to upgrade the database to a 10g Release 2 (10.2.0.5) database.
See Also:
Oracle Database Upgrade Guide, 10g Release 2 (10.2) for information about upgrading your Oracle Database to Oracle Database 10g Release 2.
Before you plan the upgrade process, become familiar with the features of Oracle Database Vault. The Oracle Database Vault Administrator's Guide discusses the basic features of Oracle Database Vault.
The system must meet the following minimum hardware requirements:
At least 1024 MB of available physical RAM
The following table gives the relationship between the available RAM and the required swap space.
Available RAM | Swap Space Required |
---|---|
Between 1024 MB and 2048 MB | 1.5 times the size of RAM |
Between 2049 MB and 8192 MB | Equal to the size of RAM |
More than 8192 MB | 0.75 times the size of RAM |
400 MB of disk space in the /tmp directory
Between 1.5 GB and 3.5 GB of disk space for the Oracle software, depending on the installation type
1.2 GB of disk space for a preconfigured database that uses file system storage (optional)
Note:
The disk space requirement for databases that use Automatic Storage Management or raw device storage is described later in this chapter.
Additional disk space, either on a file system or in an Automatic Storage Management disk group, is required for the flash recovery area if you choose to configure automated backups.
To ensure that the system meets these requirements:
To determine the physical RAM size, enter the following command:
# /usr/sbin/prtconf | grep "Memory size"
If the size of the physical RAM installed in the system is less than the required size, then you must install more memory before continuing.
To determine the size of the configured swap space, enter the following command:
# /usr/sbin/swap -s
If necessary, refer to your operating system documentation for information about how to configure additional swap space.
To determine the amount of disk space available in the /tmp directory, enter the following command:
# df -k /tmp
# df -h /tmp (on Solaris 10)
If there is less than 400 MB of free disk space available in the /tmp directory, then complete one of the following steps:
Delete unnecessary files from the /tmp directory to meet the disk space requirement.
Set the TMP and TMPDIR environment variables when setting the oracle user's environment (described later).
Extend the file system that contains the /tmp directory. If necessary, contact your system administrator for information about extending file systems.
To determine the amount of free disk space on the system, enter the following command:
# df -k
# df -h (on Solaris 10)
The following table shows the approximate disk space requirements for software files for each installation type:
Installation Type | Requirement for Software Files (GB) |
---|---|
Enterprise Edition | 2.0 |
Standard Edition | 1.5 |
Custom (maximum) | 2.5 |
To determine whether the system architecture can run the software, enter the following command:
# /bin/isainfo -kv
Note:
The following is the expected output of this command:
64-bit sparcv9 kernel modules
If you do not see the expected output, then you cannot install the software on this system.
Depending on the products that you intend to install, verify that the following software is installed on the system. The procedure following the table describes how to verify whether these requirements are addressed.
Note:
Oracle Universal Installer performs checks on your system to verify that it meets the listed requirements. To ensure that these checks pass, verify the requirements before you start Oracle Universal Installer.
To ensure that the system meets these requirements:
To determine which version of Oracle Solaris is installed, enter the following command:
# uname -r
5.9
In this example, the version shown is Oracle Solaris 9 (5.9). If necessary, refer to your operating system documentation for information about upgrading the operating system.
To determine whether the required packages are installed, enter a command similar to the following:
# pkginfo -i SUNWarc SUNWbtool SUNWhea SUNWlibm SUNWlibms SUNWsprot \
SUNWsprox SUNWtoo SUNWi1of SUNWi1cs SUNWi15cs SUNWxwfnt
If a package is not installed, then install it. Refer to your operating system or software documentation for information about installing packages.
In addition, you need to verify that the following patches are installed on the system. The procedure following the table describes how to check these requirements.
Note:
There may be more recent versions of the patches listed installed on the system. If a listed patch is not installed, then determine whether a more recent version is installed before installing the version listed.
Installation Type or Product | Requirement |
---|---|
All installations | Patches for Oracle Solaris 8:
All of the patches included in the J2SE Patch Cluster for Oracle Solaris 8:
The following additional patches:
|
All installations | Patches for Oracle Solaris 9:
The following additional patches are required for Numa Systems:
|
Note:
The following patches are not required for silent installations:
108652-66, X11 6.4.1: Xsun patch
108773-18, SunOS 5.8: IIIM and X I/O Method patch
108921-16, CDE 1.4: dtwm patch
108940-53, Motif 1.2.7 and 2.1.1: Runtime lib. patch for Oracle Solaris 8
For more information about silent installations, refer to Appendix B.
To ensure that the system meets these requirements:
To determine whether an operating system patch is installed, enter a command similar to the following:
# /usr/sbin/patchadd -p | grep patch_number
Specify patch_number without the version number. For example, to determine if any version of the 111713 patch is installed, use the following command:
# /usr/sbin/patchadd -p | grep 111713
If an operating system patch is not installed, then download it from the following Web site and install it:
http://sunsolve.sun.com
If you require a CSD or a SupportPac for WebSphere MQ, then refer to the following Web site for download and installation information:
http://www-306.ibm.com/software/integration/wmq/support
Note:
The kernel parameter and shell limit values shown in the following section are recommended values only. For production database systems, Oracle recommends that you tune these values to optimize the performance of the system. Refer to your operating system documentation for more information about tuning kernel parameters.
Verify that the kernel parameters shown in the following table are set to values greater than or equal to the recommended value shown on Oracle Solaris 8 and Oracle Solaris 9 operating systems. The procedure following the table describes how to verify and set the values.
Note:
The following parameters are obsolete in Oracle Solaris 9:
shmsys:shminfo_shmmin
shmsys:shminfo_shmseg
On Oracle Solaris 10, verify that the kernel parameters shown in the following table are set to values greater than or equal to the recommended value shown. The table also contains the resource controls that replace the /etc/system file for a specific kernel parameter.
Note:
In Oracle Solaris 10, you are not required to make changes to the /etc/system file to implement the System V IPC. Oracle Solaris 10 uses the resource control facility for its implementation.
On Oracle Solaris 8 and Oracle Solaris 9 operating systems, use the following procedure to view the current value specified for these kernel parameters, and to change them if necessary:
To view the current values of these parameters, enter the following commands:
# grep noexec_user_stack /etc/system
# /usr/sbin/sysdef | grep SEM
# /usr/sbin/sysdef | grep SHM
If you must change any of the current values, then:
Create a backup copy of the /etc/system file, for example:
# cp /etc/system /etc/system.orig
Open the /etc/system file in any text editor and, if necessary, add lines similar to the following (edit the lines if the file already contains them):
set noexec_user_stack=1
set semsys:seminfo_semmni=100
set semsys:seminfo_semmns=1024
set semsys:seminfo_semmsl=256
set semsys:seminfo_semvmx=32767
set shmsys:shminfo_shmmax=4294967295
set shmsys:shminfo_shmmin=1
set shmsys:shminfo_shmmni=100
set shmsys:shminfo_shmseg=10
Enter the following command to restart the system:
# /usr/sbin/reboot
When the system restarts, log in and switch user to root.
On Oracle Solaris 10, use the following procedure to view the current value specified for resource controls, and to change them if necessary:
To view the current values of the resource control, enter the following commands:
# id -p // to verify the project id
uid=0(root) gid=0(root) projid=1 (user.root)
# prctl -n project.max-shm-memory -i project user.root
# prctl -n project.max-sem-ids -i project user.root
If you must change any of the current values, then:
To modify the value of max-shm-memory to 6 GB:
# prctl -n project.max-shm-memory -v 6gb -r -i project user.root
To modify the value of max-sem-ids to 256:
# prctl -n project.max-sem-ids -v 256 -r -i project user.root
In order to install Oracle Database Vault, you must be running the Enterprise Edition of Oracle Database 10g Release 2 (10.2.0.5). The database should also have Oracle Enterprise Manager Console DB 10.2.0.5.0 installed. In addition, the Database Vault installer requires write access to the files, oratab and oraInst.loc.
A listener must have been configured for the existing database. Oracle Net Configuration Assistant configures the listener when you first install the database. You can also use Oracle Enterprise Manager to administer listeners.
You must have an existing password file for the database. The password file authentication parameter, REMOTE_LOGIN_PASSWORDFILE, must have been set to EXCLUSIVE or SHARED.
You can set the REMOTE_LOGIN_PASSWORDFILE parameter in the init.ora file. Use the orapwd utility to create and manage password files.
See Also:
Oracle Database Administrator's Guide for more information on creating and maintaining a password file
Before installing Oracle Database Vault, you should ensure that Oracle Enterprise Manager Console DB 10.2.0.5.0 is installed. Oracle Enterprise Manager Console DB is installed using the Oracle Universal Installer (OUI). The following steps summarize installing Oracle Enterprise Manager Console DB:
Run Oracle Universal Installer (OUI) and perform a custom installation to install Oracle Enterprise Manager Console DB 10.2.0.5.0. Add Oracle Enterprise Manager Console DB from the list of available product components.
Apply the Oracle Database release 10.2.0.5 patch set.
Note:
You can configure the database to use Enterprise Manager Database Control by using Database Configuration Assistant (DBCA). However, configuring Enterprise Manager Database Control is not a prerequisite for installing Oracle Database Vault.
To install Oracle Database Vault, you need to upgrade the database to Oracle Database release 10.2.0.5. Oracle strongly recommends that you back up your database before performing any upgrade or installation.
See Also:
Oracle Database Backup and Recovery User's Guide for information on database backups
You can apply the Oracle Database release 10.2.0.5 patch set to the following Oracle Database 10g Release 2 installations:
Oracle Database
Oracle Real Application Clusters
Oracle Database Client
Oracle Database Companion CD
Oracle Clusterware
Oracle Database Vault
Oracle Universal Installer Version Requirements
This patch set includes Oracle Universal Installer release 10.2.0.5, which is also installed when you install this patch set. This is to ensure that your Oracle home can be patched in the future. You should not use the Installer from the earlier maintenance release media or Oracle home.
This is not a complete software distribution. You must install it in an existing Oracle Database 10g Release 2 installation.
There are two documents related to this release of the Oracle Database patch set:
Oracle Database Patch Set Notes, 10g Release 2 (10.2.0.5) Patch Set for Oracle Solaris on SPARC (64-Bit)
Oracle Database List of Bugs Fixed, 10g Release 2 (10.2.0.5) Patch Set
Both of these documents are included with the patch set. In addition, they are available on the My Oracle Support (formerly OracleMetalink) Web site:
https://support.oracle.com
Oracle strongly recommends that you back up your database before performing any upgrade or installation. The ultimate success of your upgrade depends heavily on the design and execution of an appropriate backup strategy. To develop a backup strategy, consider the following questions:
How long can the production database remain inoperable before business consequences become intolerable?
What backup strategy should be used to meet your availability requirements?
Are backups archived in a safe, offsite location?
How quickly can backups be restored (including backups in offsite storage)?
Have recovery procedures been tested successfully?
Your backup strategy should answer all of these questions and include procedures for successfully backing up and recovering your database.
See Also:
Oracle Database Backup and Recovery User's Guide for information on database backups
If you have created custom profiles and password complexity checks in your existing database, then you need to disable these before performing the installation. You can reenable these after the installation is complete. Use the following steps to achieve this:
Extract the profile names and associated settings for each profile that is being used. You can use a script to accomplish this.
Example 2-1 shows a sample script that extracts the profile names and settings to create an output script called myprofiles.sql. After the installation is complete, you can run myprofiles.sql to restore the profile settings.
Example 2-1 Extracting Profiles
set serverout on size 100000
spool myprofiles.sql
.
declare
  l_last  varchar2(30) := 'X';
  l_count number := 0;
begin
  for c in ( select profile, resource_name, limit
             from dba_profiles
             order by profile, resource_name ) loop
    -- start a new statement each time the profile name changes
    if l_last <> c.profile then
      l_last := c.profile;
      if l_count > 0 then
        dbms_output.put_line(';');
      end if;
      l_count := l_count + 1;
      -- the profiles still exist when the script is replayed, so alter them
      dbms_output.put_line('alter profile ' || c.profile || ' limit ');
    end if;
    -- emit every resource row, including the first row of each profile
    dbms_output.put_line(' ' || c.resource_name || ' ' || c.limit);
  end loop;
  dbms_output.put_line(';');
end;
/
.
spool off
Disable the custom profiles and password complexity settings. For example:
SQL> ALTER PROFILE SomeCustomProfile LIMIT
  PASSWORD_REUSE_MAX UNLIMITED -- The number of times a password can be reused
  PASSWORD_REUSE_TIME UNLIMITED -- The number of days between reuses of a password
  PASSWORD_VERIFY_FUNCTION NULL
/
After the Oracle Database Vault installation is complete, reenable the profiles by running the script created in Step 1.
SQL> @myprofiles.sql
Oracle Clusterware should be running for the Database Vault installer to find the existing Oracle Real Application Clusters (Oracle RAC) instances. If you have stopped Oracle Clusterware, then you should restart it before running Oracle Universal Installer. Use the following command to start Oracle Clusterware:
$CRS_HOME/bin/crsctl start crs
Note:
You must run the crsctl command as the root user. You need to run this command on all cluster nodes.
The crsctl start crs command also starts the database. You will need to shut down the database before running Oracle Universal Installer.
Stop all processes running in the Oracle home, except the database listener. You must complete this task to enable Oracle Universal Installer to relink certain executables and libraries. For Oracle RAC databases, you need to stop the processes on all nodes.
Stop the processes in the following order:
Stop the Enterprise Manager Database Control process, if it is running. Use the following command:
$ORACLE_HOME/bin/emctl stop dbconsole
Stop the iSQL*Plus process, using the following command:
$ORACLE_HOME/bin/isqlplusctl stop
Shut down all database instances running from the Oracle home directory into which Oracle Database Vault is to be installed.
sqlplus SYS "AS SYSDBA"
Enter password:
SQL> shutdown immediate
Run Oracle Universal Installer (OUI) using the account that owns the Oracle software. This is usually the oracle account.
However, before you start Oracle Universal Installer you must configure the environment of the oracle user. To configure the environment, you must:
Note:
Ensure that the PATH variable contains $ORACLE_HOME/bin before /usr/X11R6/bin.
To set the oracle user's environment:
Start a new terminal session, for example, an X terminal (xterm).
Enter the following command to ensure that X Window applications can display on this system:
$ xhost fully_qualified_remote_host_name
For example:
$ xhost somehost.us.acme.com
If you are not already logged in to the system where you want to install the software, then log in to that system as the oracle user.
If you are not logged in as the oracle user, then switch user to oracle:
$ su - oracle
To determine the default shell for the oracle user, enter the following command:
$ echo $SHELL
Open the oracle user's shell startup file in any text editor:
Bourne shell (sh), Bash shell (bash), or Korn shell (ksh):
$ vi .bash_profile
C shell (csh or tcsh):
% vi .login
Enter or edit the following line, specifying a value of 022 for the default file mode creation mask:
umask 022
If the ORACLE_SID, ORACLE_HOME, or ORACLE_BASE environment variable is set in the file, then remove the corresponding lines from the file.
Save the file, and exit from the editor.
To run the shell startup script, enter one of the following commands:
Bourne, Bash, or Korn shell:
$ . ./.profile
C shell:
% source ./.login
If you are not installing the software on the local system, then enter a command similar to the following to direct X applications to display on the local system:
Bourne, Bash, or Korn shell:
$ DISPLAY=local_host:0.0 ; export DISPLAY
C shell:
% setenv DISPLAY local_host:0.0
In this example, local_host is the host name or IP address of the system that you want to use to display Oracle Universal Installer (your workstation or PC).
If you determined that the /tmp directory has less than 400 MB of free disk space, then identify a file system with at least 400 MB of free space and set the TEMP and TMPDIR environment variables to specify a temporary directory on this file system:
Use the df -k command to identify a suitable file system with sufficient free space.
If necessary, enter commands similar to the following to create a temporary directory on the file system that you identified, and set the appropriate permissions on the directory:
$ su - root
# mkdir /mount_point/tmp
# chmod a+wr /mount_point/tmp
# exit
Enter commands similar to the following to set the TEMP and TMPDIR environment variables:
Bourne, Bash, or Korn shell:
$ TEMP=/mount_point/tmp
$ TMPDIR=/mount_point/tmp
$ export TEMP TMPDIR
C shell:
% setenv TEMP /mount_point/tmp
% setenv TMPDIR /mount_point/tmp
Enter commands similar to the following to set the ORACLE_BASE and ORACLE_SID environment variables:
Bourne, Bash, or Korn shell:
$ ORACLE_BASE=/u01/app/oracle
$ ORACLE_SID=sales
$ export ORACLE_BASE ORACLE_SID
C shell:
% setenv ORACLE_BASE /u01/app/oracle
% setenv ORACLE_SID sales
In these examples, /u01/app/oracle is the Oracle base directory that you created or identified earlier and sales is the name that you want to call the database (typically no more than five characters).
Enter the following commands to ensure that the ORACLE_HOME and TNS_ADMIN environment variables are not set:
Bourne, Bash, or Korn shell:
$ unset ORACLE_HOME
$ unset TNS_ADMIN
C shell:
% unsetenv ORACLE_HOME
% unsetenv TNS_ADMIN
To verify that the environment has been set correctly, enter the following commands:
$ umask
$ env | more
Verify that the umask command displays a value of 22, 022, or 0022 and the environment variables that you set in this section have the correct values.
Run Oracle Universal Installer (OUI) to install Oracle Database Vault into an existing Oracle Database 10g Release 2 (10.2.0.5) database. You should run the installer as the software owner account that owns the current ORACLE_HOME environment. This is normally the oracle account.
Log in as the oracle user. Alternatively, switch user to oracle using the su command. Change your current directory to the directory containing the installation files. Start Oracle Universal Installer.
./runInstaller
The following steps discuss the options you need to select:
In the Specify Installation Details screen, you need to specify the path to the Oracle home that contains the existing Oracle Database. The Destination Path box lists the Oracle home paths of all Oracle Database 10g Release 2 (10.2.0.5) Enterprise Edition databases registered with the system.
Select the Oracle home corresponding to the database into which you want to install Oracle Database Vault.
Note:
If an Oracle home does not have an Enterprise Edition of Oracle Database release 10.2.0.5 installed, then it is not displayed. You must ensure that the Oracle home has an Enterprise Edition of Oracle Database release 10.2.0.5 installed.
If an Oracle home does not have Oracle Enterprise Manager Console DB 10.2.0.5.0 installed, then it is not displayed. You must ensure that the Oracle home has Oracle Enterprise Manager Console DB 10.2.0.5.0 installed.
If an Oracle home contains an Automatic Storage Management (ASM) instance, then it is not displayed. You cannot install Oracle Database Vault into an Oracle home that also contains an ASM instance.
If an Oracle home already contains Oracle Database Vault, then it is not displayed. You cannot install Oracle Database Vault into an Oracle home more than once.
Enter a user name for the Database Vault Owner account in the Database Vault Owner field. The user name can be a minimum of 2 and maximum of 30 characters long.
Enter a password for the Database Vault Owner account in the Database Vault Owner Password field. The password can be a minimum of 8 and a maximum of 30 characters. The password must include at least one alphabetic character, one digit, and one nonalphanumeric character (symbol). It cannot be the same as the account names for either the Database Vault owner or the Database Vault account manager. It cannot contain any consecutive repeating characters.
Reenter the password in the Confirm Password field.
Select Create a Separate Account Manager if you want to create a separate Account Manager to manage Oracle Database Vault accounts.
In the Database Vault Account Manager field, enter a user name for the Database Vault Account Manager if you have chosen to select the Create a Separate Account Manager check box. The user name can be a minimum of 2 and a maximum of 30 characters.
Enter a password for the Database Vault Account Manager account in the Account Manager Password field. The password can be a minimum of 8 and a maximum of 30 characters. The password must include at least one alphabetic character, one digit, and one nonalphanumeric character (symbol). It cannot be the same as the account names for either the Database Vault owner or the Database Vault account manager. It cannot contain any consecutive repeating characters.
Reenter the password in the Confirm Password field. Click Next.
The Select Existing Database screen is displayed. A list of all databases running from the selected Oracle home is displayed. Select the database into which you wish to install Oracle Database Vault.
Note:
Oracle recommends that you install Oracle Database Vault into an Oracle home containing only a single database.
If there are multiple databases in an Oracle home, you must enable Database Vault for all the databases. You cannot have Database Vault enabled databases coexist with non-Database Vault enabled databases in the same Oracle home. In order to enable Database Vault for additional databases in the same Oracle home, refer to Appendix C, "Running DVCA After Creating a Database Vault Database".
If a database is not listed, then check to make sure that you have followed the instructions under "Check the Database Requirements".
Enter the existing SYS user password for the selected database in the Existing Database SYS Password field.
Reenter the SYS password in the Confirm Password field. Click Next.
Note:
At this point, the database requirements are validated.
You are prompted to shut down all Oracle processes running from the Oracle home before proceeding. Shut down the Oracle processes, if you have not already done so.
See Also:
"Stop Existing Oracle Processes" for more information on stopping existing Oracle processes
Product-specific prerequisite checks are performed. Confirm that all tests have passed. Click Next to continue.
The Summary screen is displayed with the installation details. Verify the details and click Install.
The Installation screen is displayed. After the installation completes, the Database Vault Configuration Assistant (DVCA) is run automatically. DVCA helps configure the Database Vault installation.
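The password rules stated above for the Database Vault Owner and Account Manager fields can be checked before the installer is started. The following shell function is an added example, not Oracle code; the function names, the messages, and the case-insensitive comparison with the account names are assumptions, and the sample candidates are constructed.

```shell
#!/bin/sh
# Added example, not Oracle code: pre-check a candidate password against the
# rules stated for the Database Vault Owner and Account Manager passwords.

LC_ALL=C; export LC_ALL   # byte-wise ASCII classes for the patterns below

# to_lower STRING: lower-case a string for a case-insensitive comparison.
to_lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# dv_password_check PASSWORD OWNER_NAME [ACCOUNT_MANAGER_NAME]
# Prints one line per violated rule; returns 0 if none, 1 otherwise.
dv_password_check() {
    _pw=$1 _owner=$2 _mgr=${3:-}
    _rc=0
    _len=${#_pw}

    # Minimum of 8 and maximum of 30 characters.
    if [ "$_len" -lt 8 ] || [ "$_len" -gt 30 ]; then
        echo "length must be 8 to 30 characters (got $_len)"; _rc=1
    fi

    # At least one alphabetic character, one digit and one symbol.
    case $_pw in *[A-Za-z]*) ;; *) echo "needs at least one letter"; _rc=1 ;; esac
    case $_pw in *[0-9]*) ;; *) echo "needs at least one digit"; _rc=1 ;; esac
    case $_pw in *[!A-Za-z0-9]*) ;; *) echo "needs at least one symbol"; _rc=1 ;; esac

    # Must not be the same as either account name.
    # Assumption: compared case-insensitively, the stricter reading.
    _lpw=$(to_lower "$_pw")
    for _name in "$_owner" "$_mgr"; do
        [ -n "$_name" ] || continue
        if [ "$_lpw" = "$(to_lower "$_name")" ]; then
            echo "must not equal the account name $_name"; _rc=1
        fi
    done

    # No consecutive repeating characters (any character followed by itself).
    if printf '%s\n' "$_pw" | grep -q '\(.\)\1'; then
        echo "contains consecutive repeating characters"; _rc=1
    fi

    return "$_rc"
}

# Constructed sample candidates and account names, not real credentials.
for _c in 'Vault#2024ok' 'Passw00rd!' 'short1!'; do
    if _msg=$(dv_password_check "$_c" dv_owner_1 dv_acctmgr_1); then
        echo "accept: $_c"
    else
        echo "reject: $_c: $_msg"
    fi
done
```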
This section lists the tasks to perform after you have completed an upgrade of your database. The following topics are discussed:
Update Environment Variables After the Upgrade (UNIX Systems Only)
Configure Oracle Database Vault on Oracle RAC Nodes (Oracle RAC Only)
Manually Deploy Oracle Database Vault Administrator (Special Cases)
Make sure you perform a full backup of the production database. See Oracle Database Backup and Recovery User's Guide for details on backing up a database.
Make sure that the following environment variables point to the correct Oracle Database Vault directories:
ORACLE_HOME
PATH
ORA_NLS10
Note:
The ORA_NLS10 environment variable replaces the ORA_NLS33 environment variable, so you may need to unset ORA_NLS33 and set ORA_NLS10.
LD_LIBRARY_PATH
Oracle strongly recommends that you change the password for each account after installation. This enables you to effectively implement the strong security provided by Oracle Database Vault.
Note:
If you are creating a database using Database Configuration Assistant, you can unlock accounts after the database is created by clicking Password Management before you exit from Database Configuration Assistant.
To unlock and reset user account passwords using SQL*Plus:
Start SQL*Plus and log in using the Database Vault Account Manager account. If you did not create the Database Vault Account Manager account during installation, then you will need to log in using the Database Vault Owner account.
Enter a command similar to the following, where account is the user account that you want to unlock and password is the new password:
SQL> ALTER USER account [ IDENTIFIED BY password ] ACCOUNT UNLOCK;
In this example:
The ACCOUNT UNLOCK clause unlocks the account.
The IDENTIFIED BY password clause resets the password.
Note:
If you unlock an account but do not reset the password, then the password remains expired. The first time someone connects as that user, they must change the user's password.
To permit unauthenticated access to your data through HTTP, unlock the ANONYMOUS user account.
See Also:
Oracle Database Administrator's Guide for more information about:
Unlocking and changing passwords after installation
Oracle security procedures
Best security practices
Oracle Database Vault allows you to disable remote logins with SYSDBA privileges. This enables enhanced security for your database.
To disable remote SYSDBA connections, re-create the password file with the nosysdba flag set to y (Yes). A user can still log in AS SYSDBA locally using Operating System (OS) authentication. However, remote connections AS SYSDBA will fail.
Use the following syntax to re-create the password file:
orapwd file=filename password=password [entries=users] force=y nosysdba=y
Where:
file: Name of password file (mandatory)
password: Password for SYS (mandatory). Enter at least six alphanumeric characters.
entries: Maximum number of distinct DBA users
force: Whether to overwrite the existing file
nosysdba: Whether to enable or disable the SYS logon
The default is no, so if you omit this flag, the password file will be created enabling SYSDBA access for Oracle Database Vault instances.
For example:
orapwd file=$ORACLE_HOME/dbs/orapworcl password=5hjk99 force=y nosysdba=y
Note:
Do not insert spaces around the equal (=) character.
When you re-create the password file, any accounts other than SYS that were granted the SYSDBA or SYSOPER privileges will have those privileges removed. You will need to regrant the privileges for these accounts after you have re-created the password file.
You can reenable the ability to connect with the SYSDBA privilege by re-creating the password file with the nosysdba flag set to n (No). You might need to reenable the ability to connect with SYSDBA privileges, if certain products or utilities require its use.
Enabling or Disabling Connecting with SYSDBA on Oracle Real Application Clusters Systems
Under a cluster file system and raw devices, the password file under $ORACLE_HOME is in a symbolic link that points to the shared storage location in the default configuration. In this case, the orapwd command you issue affects all nodes.
Enabling or Disabling Connecting with SYSDBA on Automatic Storage Management Systems
For Automatic Storage Management systems, you need to update each node to enable or disable the SYSDBA connection privilege by using the orapwd utility.
You need to start the database on all Oracle RAC nodes other than the one on which the installation is performed. Use the following command to start the database:
Note:
You need SYSDBA privileges to run these commands.
srvctl start instance -d sid -i instance_name
You need to run this command on all Oracle RAC nodes other than the node on which the Database Vault installation is performed. This step is required to enable the enhanced security features provided by Oracle Database Vault.
Note:
The dvca -action optionrac option has been deprecated and can no longer be used to configure Oracle RAC nodes.
Log in to SQL*Plus as user SYS with the SYSDBA privilege.
sqlplus sys as sysdba
Enter password: password
Run the following ALTER SYSTEM statements:
ALTER SYSTEM SET AUDIT_SYS_OPERATIONS=TRUE SCOPE=SPFILE;
ALTER SYSTEM SET OS_ROLES=FALSE SCOPE=SPFILE;
ALTER SYSTEM SET RECYCLEBIN='OFF' SCOPE=SPFILE;
ALTER SYSTEM SET REMOTE_LOGIN_PASSWORDFILE='EXCLUSIVE' SCOPE=SPFILE;
ALTER SYSTEM SET SQL92_SECURITY=TRUE SCOPE=SPFILE;
ALTER SYSTEM SET OS_AUTHENT_PREFIX='' SCOPE=SPFILE;
Restart Oracle Database
$ORACLE_HOME/bin/srvctl stop database -d db_name
$ORACLE_HOME/bin/srvctl start database -d db_name
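To confirm that the six settings from the ALTER SYSTEM statements above are in place on every node, the following added example (not Oracle code) audits a text parameter file. It assumes a text pfile, for example one written with CREATE PFILE FROM SPFILE; the function names, the report format, and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Oracle code: audit a text parameter file for the six
# values set by the ALTER SYSTEM statements in this section.

# sample_pfile: constructed sample input in "*.name=value" form.
# recyclebin is wrong and os_authent_prefix is absent on purpose.
sample_pfile() {
    cat <<'EOF'
# constructed sample, not taken from a real database
*.audit_sys_operations=TRUE
*.os_roles=FALSE
*.recyclebin='ON'
*.remote_login_passwordfile='EXCLUSIVE'
*.sql92_security=TRUE
sales1.instance_number=1
EOF
}

# dv_param_audit [PFILE]
# Reads PFILE (or standard input) and prints OK, FAIL or MISSING for each
# parameter. Returns 0 only if all six are set to the expected value.
dv_param_audit() {
    awk -v sq="'" '
    BEGIN {
        # Expected values, in the order of the ALTER SYSTEM statements.
        name[1] = "audit_sys_operations";      want[name[1]] = "TRUE"
        name[2] = "os_roles";                  want[name[2]] = "FALSE"
        name[3] = "recyclebin";                want[name[3]] = "OFF"
        name[4] = "remote_login_passwordfile"; want[name[4]] = "EXCLUSIVE"
        name[5] = "sql92_security";            want[name[5]] = "TRUE"
        name[6] = "os_authent_prefix";         want[name[6]] = ""
        n = 6
    }
    /^[ \t]*#/ || !index($0, "=") { next }     # comments and non-assignments
    {
        eq  = index($0, "=")
        key = tolower(substr($0, 1, eq - 1))
        val = substr($0, eq + 1)
        gsub(/[ \t\r]/, "", key)
        sub(/^[^.]*\./, "", key)               # drop the "*." or "sid." prefix
        gsub(/^[ \t]+|[ \t\r]+$/, "", val)
        c = substr(val, 1, 1)                  # strip surrounding quotes
        if (c == sq || c == "\"") val = substr(val, 2, length(val) - 2)
        if (!(key in want)) next
        seen[key] = 1
        val = toupper(val)
        # Any mismatching occurrence counts, including a per-instance override.
        if (val != want[key]) bad[key] = val
    }
    END {
        rc = 0
        for (i = 1; i <= n; i++) {
            k = name[i]
            w = (want[k] == "") ? "empty string" : want[k]
            if (!(k in seen))  { print "MISSING " k " (want " w ")"; rc = 1 }
            else if (k in bad) { print "FAIL " k "=" bad[k] " (want " w ")"; rc = 1 }
            else               { print "OK " k "=" want[k] }
        }
        exit rc
    }' "$@"
}

# Demonstration on the constructed sample; a non-zero status means drift.
sample_pfile | dv_param_audit || :
```

MISSING means the file does not set the parameter explicitly, so the instance runs with the database default for it.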
Oracle Database Vault Administrator (DVA) is a browser-based graphical user interface console that you can use to manage Oracle Database Vault.
You can modify the length of time that DVA stays connected while inactive. By default, the connection duration is 35 minutes. Your session automatically gets expired after 35 minutes of inactivity.
To set the session time for Oracle Database Vault Administrator:
Back up the web.xml file, which by default is in the $ORACLE_HOME/dv/jlib/dva_webapp/dva_webapp/WEB-INF directory.
In a text editor, open the web.xml file.
Search for the following setting:
<session-config>
  <session-timeout>35</session-timeout>
</session-config>
Change the <session-timeout> setting to the amount of time in minutes that you prefer.
Save and close the web.xml file.
Stop and restart the DVA application.
You can use the following command to restart DVA:
emctl stop dbconsole
emctl start dbconsole
If you have created an Oracle database manually, and have configured Oracle Enterprise Manager Database Control by using Enterprise Manager Configuration Assistant, you must manually deploy Oracle Database Vault Administrator. This procedure deploys Database Vault Administrator in the same OC4J container as the current Enterprise Manager, rather than creating a new application.
This section contains:
Deploying Database Vault Administrator to a Standalone OC4J Container
Deploying Database Vault Administrator to the Database Console OC4J Container
You can manually deploy Database Vault Administrator to the Oracle Application Server Containers for J2EE (OC4J) home, which by default is in the $ORACLE_HOME/oc4j/j2ee/home directory.
To manually deploy Database Vault Administrator:
Edit the file $ORACLE_HOME/oc4j/j2ee/home/config/server.xml. Enter the following line just before the last line that reads, </application-server>:
<application name="dva" path="$ORACLE_HOME/dv/jlib/dva_webapp.ear" auto-start="true" />
For example:
<application name="dva" path="/u00/app/oracle/oracle/product/dv12/dv/jlib/dva_webapp.ear" auto-start="true" />
Edit the file $ORACLE_HOME/oc4j/j2ee/home/config/http-web-site.xml. Enter the following line just above the last line that reads, </web-site>:
<web-app application="dva" name="dva_webapp" root="/dva" />
Edit the file $ORACLE_HOME/oc4j/j2ee/home/config/global-web-application.xml. Search for <servlet-class>oracle.jsp.runtimev2.JspServlet</servlet-class>. Uncomment the following lines after this:
<init-param>
  <param-name>main_mode</param-name>
  <param-value>justrun</param-value>
</init-param>
Create the following directory:
mkdir -p $ORACLE_HOME/dv/jlib/sysman/config
Create the database connection configuration file, emoms.properties, in the configuration directory that you just created. Add the following lines to the file:
oracle.sysman.emSDK.svlt.ConsoleMode=standalone
oracle.sysman.eml.mntr.emdRepRAC=FALSE
oracle.sysman.eml.mntr.emdRepDBName=oracle_sid
oracle.sysman.eml.mntr.emdRepConnectDescriptor=TNS_connection_string
Follow these instructions:
For an Oracle RAC environment, set oracle.sysman.eml.mntr.emdRepRAC to TRUE.
For oracle.sysman.eml.mntr.emdRepConnectDescriptor, you can use an alias from $ORACLE_HOME/network/admin/tnsnames.ora. Alternatively, you can use the following syntax:
oracle.sysman.eml.mntr.emdRepConnectDescriptor=(DESCRIPTION\=(ADDRESS_LIST\=(ADDRESS\=(PROTOCOL\=TCP)(HOST\=HOSTNAME)(PORT\=PORT)))(CONNECT_DATA\=(SERVICE_NAME\=ORACLE_SID)))
Ensure that the correct environment variables are set.
For example:
ORACLE_SID=orcl
export ORACLE_SID
ORACLE_HOME=/u00/app/oracle/product/11.1/dv
export ORACLE_HOME
LD_LIBRARY_PATH=$ORACLE_HOME/bin:$ORACLE_HOME/lib32:$ORACLE_HOME/lib:$ORACLE_HOME/jdbc/lib
export LD_LIBRARY_PATH
PATH=$ORACLE_HOME/bin:$ORACLE_HOME/jdk/bin:$PATH
export PATH
Ensure that you set the LD_LIBRARY_PATH variable to use the OCI-based JDBC libraries.
Start OC4J using the following syntax:
$ORACLE_HOME/jdk/bin/java -Djava.awt.headless=true -DEMDROOT=$ORACLE_HOME/dv/jlib -jar $ORACLE_HOME/oc4j/j2ee/home/oc4j.jar -userThreads -config $ORACLE_HOME/oc4j/j2ee/home/config/server.xml
After you complete these steps, you can start Database Vault Administrator. The HTTP port defaults to 8888 for this environment. Use the following syntax for the URL:
http://hostname:8888/dva
To manually deploy Database Vault Administrator to the Database Console OC4J container:
Stop Oracle Database Console.
UNIX: Go to the $ORACLE_HOME/bin directory and run the following command:
./emctl stop dbconsole
Microsoft Windows: In the Administrative Services, select the Services utility, and then right-click the OracleDBConsolesid service. Select Stop from the menu.
Create a backup copy and then open the $ORACLE_HOME/oc4j/j2ee/OC4J_DBConsole_service_name/config/server.xml file.
Add the following line before the </application-server> element:
<application name="dva" path="$ORACLE_HOME/dv/jlib/dva_webapp.ear" parent="default" start="true" />
On Windows systems, replace $ORACLE_HOME with the absolute path to your Oracle Database home.
Create a backup copy and then open the $ORACLE_HOME/oc4j/j2ee/OC4J_DBConsole_service_name/config/http-web-site.xml file.
Add the following line before the </web-site> element:
<web-app application="dva" name="dva_webapp" load-on-startup="true" root="/dva" shared="true"/>
Restart Oracle Database Console.
UNIX: Go to the $ORACLE_HOME/bin directory and run the following command:
./emctl start dbconsole
Windows: In the Administrative Services, select the Services utility, and then right-click the OracleDBConsolesid service. Select Start from the menu.
After you complete these steps, you can start Oracle Database Vault Administrator by using the following URL:
https://hostname:port/dva
For example:
https://myserver:1158/dva
If you are unsure of the port number, open the ORACLE_HOME/host_sid/sysman/config/emd.properties file and search for REPOSITORY_URL. In most cases, the host name and port number are the same as Oracle Enterprise Manager Database Control.
The following procedures uninstall Oracle Database Vault from an Oracle Database installation. They apply to both single-instance and Oracle RAC installations.
Disable Oracle Database Vault, as described under "Step 1: Disable Oracle Database Vault" in Oracle Database Vault Administrator's Guide.
In SQL*Plus, connect as user SYS with the SYSDBA privilege.
CONNECT SYS/AS SYSDBA
Enter password: password
Disable the recycle bin.
To check if the recycle bin is enabled, enter the following command:
SHOW PARAMETER RECYCLEBIN
If it is enabled, then run the following SQL statement:
ALTER SYSTEM SET RECYCLEBIN = OFF;
Disabling the recycle bin does not purge or otherwise affect objects that are already in the recycle bin.
Run the following SQL script:
@$ORACLE_HOME/rdbms/admin/dvremov.sql
Manually drop the DV_OWNER and DV_ACCTMGR user accounts.
For example:
DROP USER dbv_owner CASCADE;
DROP USER dbv_acctmgr CASCADE;
Restart the database.
For example:
SHUTDOWN IMMEDIATE
STARTUP
Start OUI by invoking runInstaller from the $ORACLE_HOME/oui/bin directory.
In the Welcome window, select Deinstall Products.
Navigate to the correct directory and then select Database Vault 10.2.0.5 from the list.
In the confirmation window, select Yes.
Exit OUI.
Afterward, you can double-check that Oracle Database Vault is truly deinstalled by logging in to SQL*Plus and entering the following statement:
SELECT * FROM V$OPTION WHERE PARAMETER = 'Oracle Database Vault';
If Oracle Database Vault is deinstalled, the following output appears:
PARAMETER                     VALUE
----------------------------- -----------------------
Oracle Database Vault         FALSE