2 Installing Oracle Database Vault

2.1.1 Become Familiar with the Features of Oracle Database Vault

Before you plan the upgrade process, become familiar with the features of Oracle Database Vault. The Oracle Database Vault Administrator's Guide discusses the basic features of Oracle Database Vault.

2.1.2 Check the Hardware Requirements

Table 2–1 discusses the hardware requirements for Oracle Database Vault:

To ensure that the system meets these requirements, follow these steps:

1. Determine the physical RAM size. For a computer using Windows 2003, for example, double-click System in the Windows Control Panel and click the General tab. If the size of the physical RAM installed in the system is less than the required size, then you must install more memory before continuing.

2. Determine the size of the configured virtual memory (also known as paging file size). For a computer using Windows 2003, for example, double-click System in the Control Panel, click the Advanced tab, and click Settings in the Performance section. Then click the Advanced tab. The virtual memory is listed in the Virtual Memory section.

   If necessary, see your operating system documentation for information about how to configure additional virtual memory.

3. Determine the amount of free disk space on the system. For a computer using Windows 2003, for example, double-click My Computer, right-click the drive where the Oracle software is to be installed, and select Properties.

4. Determine the amount of disk space available in the temp directory. This is equivalent to the total amount of free disk space, minus what will be needed for the Oracle software to be installed.

   If there is less than 400 MB of disk space available in the temp directory, then first delete all unnecessary files. If the temp disk space is still less than 400 MB, then set the TEMP or TMP environment variable to point to a different hard drive. For a computer using Windows 2003, for example, double-click System in the Control Panel, click the Advanced tab, and click Environment Variables.

2.1.3 Check the Software Requirements

Oracle Database Vault is installed in an existing Oracle home. All software requirements that were met while installing Oracle Database 10g Release 2 (10.2) are sufficient for Oracle Database Vault.

Table 2-2 lists the software requirements for Oracle Database Vault.

https://support.oracle.com

https://support.oracle.com

2.1.4 Check the Database Requirements

In order to install Oracle Database Vault, you must be running the Enterprise Edition of Oracle Database 10g Release 2 (10.2.0.5). The database should also have Oracle Enterprise Manager Console DB 10.2.0.5.0 installed. In addition, the Database Vault installer requires write access to the files, oratab and oraInst.loc.

A listener must have been configured for the existing database. Oracle Net Configuration Assistant configures the listener when you first install the database. You can also use Oracle Enterprise Manager to administer listeners.

You must have an existing password file for the database. The password file authentication parameter, REMOTE_LOGIN_PASSWORDFILE must have been set to EXCLUSIVE or SHARED.

You can set the REMOTE_LOGIN_PASSWORDFILE parameter in the init.ora file. Use the orapwd utility to create and manage password files.

The following topics discuss applying the 10.2.0.5 patch set and installing the required components:

• Install Oracle Enterprise Manager Console DB

• Apply Oracle Database Release 10.2.0.5 Patch Set

https://support.oracle.com

2.1.5 Prepare a Backup Strategy

Oracle strongly recommends that you back up your database before performing any upgrade or installation. The ultimate success of your upgrade depends heavily on the design and execution of an appropriate backup strategy. To develop a backup strategy, consider the following questions:

• How long can the production database remain inoperable before business consequences become intolerable?

• What backup strategy should be used to meet your availability requirements?

• Are backups archived in a safe, offsite location?

• How quickly can backups be restored (including backups in offsite storage)?

• Have recovery procedures been tested successfully?

Your backup strategy should answer all of these questions and include procedures for successfully backing up and recovering your database.

2.1.6 Disable Custom Profiles (If Any)

If you have created custom profiles and password complexity checks in your existing database, then you need to disable these before performing the installation. You can reenable these after the installation is complete. Use the following steps to achieve this:

1. Extract the profile names and associated settings for each profile that is being used. You can use a script to accomplish this.

   Example 2-1 shows a sample script that extracts the profile names and settings to create an output script called, myprofiles.sql. After the installation is complete, you can run myprofiles.sql to restore the profile settings.

   Example 2-1 Extracting Profiles

   set serverout on size 100000
    spool myprofiles.sql
    .
    declare
    l_last varchar2(30) := 'X';
    l_count number := 0;
    begin
        for c in (
            select profile, resource_name , limit
            from dba_profiles
            order by profile, resource_name
        ) loop
            if l_last <> c.profile then
                l_last := c.profile;
                if l_count > 0 then
                    dbms_output.put_line(';');
                end if;
                l_count := l_count + 1;
                dbms_output.put_line('create profile ' || c.profile || ' limit ');
            else
                dbms_output.put_line('    ' || c.resource_name || ' ' || c.limit);
            end if;
        end loop;
        dbms_output.put_line(';');
    end;
    /
    .
    spool off 
   

2. Disable the custom profiles and password complexity settings. For example:

   SQL> ALTER PROFILE SomeCustomProfile LIMIT
   PASSWORD_REUSE_MAX UNLIMITED -- The number of times a password can be reused
   PASSWORD_REUSE_TIME UNLIMITED -- The number of days between reuses of a password
   PASSWORD_VERIFY_FUNCTION NULL
   /
   

3. After the Oracle Database Vault installation is complete, reenable the profiles by running the script created in Step 1.

   SQL>@myprofiles.sql

2.1.7 Verify That Oracle Clusterware Is Running (Oracle RAC Only)

Oracle Clusterware should be running for the Database Vault installer to find the existing Oracle Real Application Clusters (Oracle RAC) databases. If you have stopped Oracle Clusterware, then you should restart it before running Oracle Universal Installer. Use the following command to start Oracle Clusterware:

C:/> CRS_HOME/bin/crsctl start crs

2.1.8 Stop Existing Oracle Processes

Stop all processes running in the Oracle home, except the database listener. You must complete this task to enable Oracle Universal Installer to relink certain executables and libraries. For Oracle RAC databases, you need to stop the processes on all nodes.

Stop the processes in the following order:

1. Stop the Enterprise Manager Database Control Process

2. Stop the iSQL*Plus Process

3. Shut Down All Database Instances

4. Stop Oracle Services

C:\> ORACLE_HOME\bin\emctl stop dbconsole

C:\> ORACLE_HOME\bin\isqlplusctl stop

sqlplus SYS "AS SYSOPER"
Enter password:
SQL> shutdown immediate

2.1.9 Run Oracle Universal Installer to Install

You can use the graphical user interface (GUI) provided by Oracle Universal Installer to install Oracle Database. The following steps discuss installing Database Vault using Oracle Universal Installer:

1. Log on as a member of the Administrators group.

   If you are installing on a Primary Domain Controller (PDC) or a Backup Domain Controller (BDC), log on as a member of the Domain Administrators group.

2. Insert Oracle Database Vault installation media and navigate to the database directory. Alternatively, navigate to the directory where you downloaded or copied the installation files.

   Use the same installation media to install Oracle Database Vault on all supported Windows platforms.

3. Double-click setup.exe to start Oracle Universal Installer.

4. In the Specify Installation Details screen, you need to specify the path to the Oracle home that contains the existing Oracle Database. The Destination Path box lists the Oracle home paths of all Oracle Database 10g Release 2 (10.2.0.5) Enterprise Edition databases registered with the system.

   Select the Oracle home corresponding to the database into which you want to install Oracle Database Vault.

   Note:

   • If an Oracle home does not have an Enterprise Edition of Oracle Database 10g Release 2 (10.2.0.5) installed, then it is not displayed. You must ensure that the Oracle home has an Enterprise Edition of Oracle Database 10g Release 2 (10.2.0.5) installed.

   • If an Oracle home does not have Oracle Enterprise Manager Console DB 10.2.0.5.0 installed, then it is not displayed. You must ensure that the Oracle home has Oracle Enterprise Manager Console DB 10.2.0.5.0 installed.

   • If an Oracle home contains an Automatic Storage Management (ASM) instance, then it is not displayed. You cannot install Oracle Database Vault into an Oracle home that also contains an ASM instance.

   • If an Oracle home already contains Oracle Database Vault, then it is not displayed. You cannot install Oracle Database Vault into an Oracle home more than once.

   • Oracle Clusterware should be running for the Database Vault installer to find the existing Oracle Real Application Clusters (Oracle RAC) databases. Ensure that Oracle Clusterware is running before installing Oracle Database Vault. You can use the crsctl command to start Oracle Clusterware.

5. Enter a user name for the Database Vault Owner account in the Database Vault Owner field. The user name can be a minimum of 2 and maximum of 30 characters long.

6. Enter a password for the Database Vault Owner account in the Database Vault Owner Password field. The password can be a minimum of 8 and a maximum of 30 characters. The password must include at least one alphabet, one digit, and one nonalphanumeric character (symbol). It cannot be the same as the account names for either the Database Vault owner or the Database Vault account manager. It cannot contain any consecutive repeating characters.

7. Reenter the password in the Confirm Password field.

8. Select Create a Separate Account Manager if you want to create a separate Account Manager to manage Oracle Database Vault accounts.

9. In the Database Vault Account Manager field, enter a user name for the Database Vault Account Manager if you have chosen to select the Create a Separate Account Manager check box. The user name can be a minimum of 2 and a maximum of 30 characters.

10. Enter a password for the Database Vault Account Manager account in the Account Manager Password field. The password can be a minimum of 8 and a maximum of 30 characters. The password must include at least one alphabet, one digit, and one nonalphanumeric character (symbol). It cannot be the same as the account names for either the Database Vault owner or the Database Vault account manager. It cannot contain any consecutive repeating characters.

11. Reenter the password in the Confirm Password field. Click Next.

12. The Select Existing Database screen is displayed. A list of all databases running from the selected Oracle home is displayed. Select the database into which you wish to install Oracle Database Vault.

    Note:

    • Oracle recommends that you install Oracle Database Vault into an Oracle home containing only a single database.

      If there are multiple databases in an Oracle home, you must enable Database Vault for all the databases. You cannot have Database Vault enabled databases coexist with non-Database Vault enabled databases in the same Oracle home. In order to enable Database Vault for addtional databases in the same Oracle home, refer to Appendix C, "Running DVCA After Creating a Database Vault Database"

    • If a database is not listed, then check to make sure that you have followed the instructions under "Check the Database Requirements".

13. Enter the existing SYS user password for the selected database in the Existing Database SYS Password field.

14. Reenter the SYS password in the Confirm Password field. Click Next.

    Note:

    At this point, the database requirements are validated.

15. You are prompted to shut down all Oracle processes running from the Oracle home before proceeding. Shut down the Oracle processes, if you have not already done so.

    See Also:

    "Stop Existing Oracle Processes" for more information on stopping existing Oracle processes

16. Product-specific prerequisite checks are performed. Confirm that all tests have passed. Click Next to continue.

17. The Summary screen is displayed with the installation details. Verify the details and click Install.

18. The Installation screen is displayed. After the installation completes, the Database Vault Configuration Assistant (DVCA) is run automatically. DVCA helps configure the Database Vault installation.

2.2.1 Back Up the Database

Make sure you perform a full backup of the production database. See Oracle Database Backup and Recovery User's Guide for details on backing up a database.

2.2.2 Change Passwords for Oracle-Supplied Accounts

Oracle strongly recommends that you change the password for each account after installation. This enables you to effectively implement the strong security provided by Oracle Database Vault.

2.2.3 Disable Remote SYSDBA Connections (Optional)

Oracle Database Vault allows you to disable remote logins with SYSDBA privileges. This enables enhanced security for your database.

To disable remote SYSDBA connections, re-create the password file with the nosysdba flag set to y (Yes). A user can still log in AS SYSDBA locally using Operating System (OS) authentication. However, remote connections AS SYSDBA will fail.

Use the following syntax to re-create the password file:

C:\> ORACLE_HOME\bin\orapwd file=filename password=password [entries=users] force=y nosysdba=y

Where:

• file: Name of password file (mandatory)

• password: Password for SYS (mandatory). Enter at least six alphanumeric characters.

• entries: Maximum number of distinct DBA users

• force: Whether to overwrite the existing file

• nosysdba: Whether to enable or disable the SYS logon

  The default is no, so if you omit this flag, the password file will be created enabling SYSDBA access for Oracle Database Vault instances.

For example:

C:\> oracle\product\10.2.0\db_1\bin\orapwd
file=C:\oracle\product\10.2.0\db_1\dbs\orapwORCL password=5hjk99 force=y
nosysdba=y

When you re-create the password file, any accounts other than SYS that were granted the SYSDBA or SYSOPER privileges will have those privileges removed. You will need to regrant the privileges for these accounts after you have re-created the password file.

You can reenable the ability to connect with the SYSDBA privilege by re-creating the password file with the nosysdba flag set to n (No). You might need to reenable the ability to connect with SYSDBA privileges, if certain products or utilities require it's use.

2.2.4 Start the Database on Other Nodes (Oracle RAC Only)

You need to start the database on all Oracle RAC nodes other than the one on which the installation is performed. Use the following command to start the listener and the database:

C:\> ORACLE_HOME\bin\srvctl start instance -d sid -i InstanceName

2.2.5 Configure Oracle Database Vault on Oracle RAC Nodes (Oracle RAC Only)

After you install Oracle Database Vault for an Oracle Real Application Clusters (Oracle RAC) instance, complete the following procedure for each Oracle RAC node. This procedure assumes that you have a separate Oracle home for each node.

1. Log in to SQL*Plus as user SYS with the SYSDBA privilege.

   sqlplus SYS "AS SYSDBA"
   Enter password:
   

2. Run the following ALTER SYSTEM statements:

   SQL> ALTER SYSTEM SET AUDIT_SYS_OPERATIONS=TRUE SCOPE=SPFILE;
   SQL> ALTER SYSTEM SET OS_ROLES=FALSE SCOPE=SPFILE; 
   SQL> ALTER SYSTEM SET RECYCLEBIN='OFF' SCOPE=SPFILE; 
   SQL> ALTER SYSTEM SET REMOTE_LOGIN_PASSWORDFILE='EXCLUSIVE' SCOPE=SPFILE;
   SQL> ALTER SYSTEM SET SQL92_SECURITY=TRUE SCOPE=SPFILE; 
   SQL> ALTER SYSTEM SET OS_AUTHENT_PREFIX='' SCOPE=SPFILE;
   

3. Restart Oracle Database.

   C:\> ORACLE_HOME\bin\srvctl stop database -d db_name
   C:\> ORACLE_HOME\bin\srvctl start database -d db_name
   

2.2.6 Manually Deploy Oracle Database Vault Administrator (Special Cases)

If you have created an Oracle database manually, and have configured Oracle Enterprise Manager Database Control by using Enterprise Manager Configuration Assistant, you must manually deploy Oracle Database Vault Administrator. This procedure deploys Database Vault Administrator in the same OC4J container as the current Enterprise Manager, rather than creating a new application.

This section contains:

• Deploying Database Vault Administrator to a Standalone OC4J Container

• Deploying Database Vault Administrator to the Database Console OC4J Container

http://hostname:8888/dva

https://hostname:port/dva

https://myserver:1158/dva

2.2.7 Restart Enterprise Manager Database Control

Restart Enterprise Manager Database Control by using the following commands:

C:\> ORACLE_HOME\bin\emctl stop dbconsole
C:\> ORACLE_HOME\bin\emctl start dbconsole

2.2.8 Setting the Timeout Value for DVA (Optional)

Oracle Database Vault Administrator (DVA) is a browser-based graphical user interface console that you can use to manage Oracle Database Vault.

You can modify the length of time that DVA stays connected while inactive. By default, the connection duration is 35 minutes. Your session automatically gets expired after 35 minutes of inactivity.

To set the session time for Oracle Database Vault Administrator:

1. Back up the web.xml file, which by default is in the ORACLE_HOME\dv\jlib\dva_webapp\dva_webapp\WEB-INF directory.

2. In a text editor, open the web.xml file .

3. Search for the following setting:

   <session-config>
    <session-timeout>35</session-timeout>
   </session-config>
   

4. Change the <session-timeout> setting to the amount of time in minutes that you prefer.

5. Save and close the web.xml file.

6. Stop and restart the DVA application.

   You can use the following command to restart DVA:

   emctl stop dbconsole
   emctl start dbconsole
   

2.3.1 Step 1: Deconfigure Oracle Database Vault

1. Disable Oracle Database Vault, as described under "Step 1: Disable Oracle Database Vault" in Oracle Database Vault Administrator's Guide.

2. In SQL*Plus, connect as user SYS with the SYSDBA privilege.

   CONNECT SYS/AS SYSDBA
   Enter password: password
   

3. Disable the recycle bin.

   To check if the recycle bin is enabled, enter the following command:

   SHOW PARAMETER RECYCLEBIN
   

   If it is enabled, then run the following SQL statement:

   ALTER SYSTEM SET RECYCLEBIN = OFF SCOPE=SPFILE;
   

   Disabling the recycle bin does not purge or otherwise affect objects that are already in the recycle bin.

4. Run the following SQL script:

   ORACLE_HOME\rdbms\admin\dvremov.sql
   

5. Manually drop the DV_OWNER and DV_ACCTMGR user accounts.

   For example:

   DROP USER dbv_owner CASCADE;
   DROP USER dbv_acctmgr CASCADE;
   

6. Restart the database.

   For example:

   SHUTDOWN IMMEDIATE
   STARTUP
   

2.3.2 Step 2: Deinstall Oracle Database Vault

1. Start OUI by invoking setup.exe from the ORACLE_HOME\oui\bin directory.

2. In the Welcome window, select Deinstall Products.

3. Navigate to the correct directory and then select Database Vault 10.2.0.5 from the list.

4. In the confirmation window, select Yes.

5. Exit OUI.

Afterward, you can double-check that Oracle Database Vault is truly deinstalled by logging in to SQL*Plus and entering the following statement:

SELECT * FROM V$OPTION WHERE PARAMETER = 'Oracle Database Vault';

If Oracle Database Vault is deinstalled, the following output appears:

PARAMETER                     VALUE
----------------------------- -----------------------
Oracle Database Vault         FALSE