Oracle® Database Vault Administrator's Guide 10g Release 2 (10.2) Part Number B25166-23
You may need to disable Oracle Database Vault to perform upgrade tasks or correct erroneous configurations. You can reenable Oracle Database Vault after you complete the corrective tasks.
Note:
Be aware that if you disable Oracle Database Vault, the privileges that were revoked from existing users and roles during installation remain in effect. See "Privileges That Are Revoked or Prevented from Existing Users and Roles" for a listing of the revoked privileges.
The following situations require you to disable Oracle Database Vault:
The Oracle Database Vault user accounts have been inadvertently locked or their passwords forgotten. (See the tip under "Oracle Database Vault Accounts" for a guideline for avoiding this problem in the future.)
A rule set associated with the CONNECT role has been configured incorrectly. This results in failed database logins for all accounts, including those with the DV_OWNER or DV_ADMIN role, who could otherwise correct the problem.
You must perform maintenance tasks on Oracle Database Vault.
You must install any of the Oracle Database optional products or features, such as Oracle Spatial Data Option, Oracle OLAP, or Oracle interMedia, by using Database Configuration Assistant (DBCA).
You are about to install a third-party product, install an Oracle product, or perform an Oracle patch update whose installation may be prevented if Oracle Database Vault is running.
You must archive the Oracle Database Vault audit trail.
You can check whether Oracle Database Vault is enabled or disabled by querying the V$OPTION data dictionary view. Any user can query this view. If Oracle Database Vault is enabled, the query returns TRUE. Otherwise, it returns FALSE.
Remember that the PARAMETER column value is case sensitive. For example:
SELECT * FROM V$OPTION WHERE PARAMETER = 'Oracle Database Vault';
If Oracle Database Vault is enabled, the following output appears:
PARAMETER                     VALUE
----------------------------- -----------------------
Oracle Database Vault         TRUE
To disable Oracle Database Vault:
Stop the database, Database Control console process, and listener.
UNIX: Ensure that the environment variables ORACLE_HOME, ORACLE_SID, and PATH are correctly set. Log in to SQL*Plus as user SYS with the SYSOPER privilege and shut down the database. Then from the command line, stop the Database Control console process and listener.
For example:
sqlplus sys as sysoper
Enter password: password
SQL> SHUTDOWN IMMEDIATE
SQL> EXIT
$ emctl stop dbconsole
$ lsnrctl stop [listener_name]
For Oracle RAC installations, shut down each database instance as follows:
$ srvctl stop database -d db_name
Windows: Stop the database, Database Control console process, and listener from the Services tool in the Control Panel. The names of Oracle Database services begin with Oracle.
Disable the Oracle Database Vault option.
UNIX: Run the following commands:
cd $ORACLE_HOME/rdbms/lib
make -f ins_rdbms.mk dv_off
For Oracle RAC installations, run these commands on all nodes.
Windows: In the ORACLE_HOME\bin directory, rename the oradv10.dll file to another name, such as oradv10.dll.dbl.
Restart the database, Database Control console process, and listener.
UNIX: Log in to SQL*Plus as user SYS with the SYSOPER privilege and restart the database. Then from the command line, restart the Database Control console process and listener.
For example:
sqlplus sys as sysoper
Enter password: password
SQL> STARTUP
SQL> EXIT
$ emctl start dbconsole
$ lsnrctl start [listener_name]
For Oracle RAC installations, restart each database instance as follows:
$ srvctl start database -d db_name
Windows: Restart the database, Database Control console process, and listener from the Services tool in the Control Panel. The names of Oracle Database services begin with Oracle.
If the reason you needed to disable Oracle Database Vault was forgotten passwords, then connect as SYS or SYSTEM and reset the password.
For example:
CONNECT SYSTEM
Enter password: password
ALTER USER lbrown_dvowner IDENTIFIED BY password;
At a command prompt, run Oracle Database Vault Configuration Assistant (DVCA) by using the dvca -action disable option.
The syntax for dvca -action disable is as follows:
dvca -action disable -oh Oracle_home_directory -service service_name -instance Oracle_instance_name -dbname database_name -sys_passwd SYS_password -owner_account DV_owner_account_name -owner_passwd DV_owner_account_password [-logfile ./dvca.log] [-nodecrypt] [-racnode node]
In this specification:
-action is the action to perform. In this case the action is disable.
-oh is the path to the Oracle home directory. Enter the absolute path.
For example:
UNIX: -oh /u01/app/oracle/product/10.2.0/db_1
Windows: -oh c:\oracle\product\db_1
-service is the database service name.
-instance is the name of the database instance.
-dbname is the database name.
-sys_passwd is the SYS password. If you use a cleartext password on the command line, you must include the -nodecrypt option. If you omit the password, DVCA prompts you for it. Preferably, omit the password and enter it interactively when prompted, so that it does not appear in the process list or the shell history.
-owner_account is the Oracle Database Vault Owner account name.
-owner_passwd is the Oracle Database Vault Owner account password. The same rule applies as for -sys_passwd: a cleartext password on the command line requires -nodecrypt, and it is preferable to omit the password and enter it interactively when prompted.
-logfile is an optional flag to specify a log file name and location. You can enter an absolute path, or a path that is relative to the $ORACLE_HOME/bin directory.
-silent is the option to run in command line mode. This option is required if you are not running DVCA in an xterm window.
-nodecrypt is the option to read plaintext passwords.
-lockout is the flag to use to disable SYSDBA operating system authentication.
For example:
dvca -action disable -oh /u01/app/oracle/product/10.2.0/db_1 -service myservicename -instance myinstance -dbname mydbname -owner_account myownername -logfile dvcalog.txt
Enter SYS password: sys_password
Enter owner password: owner_password
With Oracle Database Vault disabled, you can restart your database and perform the following types of tasks, as required:
Use the Oracle Database Vault PL/SQL packages and functions. For example, to correct a login or CONNECT rule set error, use the DBMS_MACADM package or the Oracle Database Vault Administrator interface.
Use the SYSTEM or SYS accounts to perform tasks such as creating or changing passwords. In addition to modifying regular database and administrative user accounts, you can modify passwords and the lock status of any of the Oracle Database Vault-specific accounts, such as users who have been granted the DV_ADMIN or DV_ACCTMGR roles. (See the tip under "Oracle Database Vault Accounts" for a guideline for avoiding this problem in the future.)
Perform the installation, upgrade, or other tasks that require security protections to be disabled. If you must run Oracle Database Vault Configuration Assistant (DVCA), ensure that the Oracle Database listener is running. To start the listener, run the following command from the $ORACLE_HOME/bin directory:
$ ./lsnrctl start [listener_name]
To enable Oracle Database Vault:
At a command prompt, use DVCA to re-enable Oracle Database Vault.
For example:
dvca -action enable -oh /u01/app/oracle/product/10.2.0/db_1 -service myservicename -instance myinstance -dbname mydbname -owner_account myownername -logfile dvcalog.txt
Enter SYS password: sys_password
Enter owner password: owner_password
See Step 5 under "Step 1: Disable Oracle Database Vault" for detailed information about the DVCA syntax.
Stop the database, Database Control console process, and listener.
UNIX: Ensure that the environment variables ORACLE_HOME, ORACLE_SID, and PATH are correctly set. Log in to SQL*Plus as user SYS with the SYSOPER privilege and shut down the database. Then from the command line, stop the Database Control console process and listener.
For example:
sqlplus sys as sysoper
Enter password: password
SQL> SHUTDOWN IMMEDIATE
SQL> EXIT
$ emctl stop dbconsole
$ lsnrctl stop [listener_name]
For Oracle RAC installations, shut down each database instance as follows:
$ srvctl stop database -d db_name
Windows: Stop the database, Database Control console process, and listener from the Services tool in the Control Panel. The names of Oracle Database services begin with Oracle.
Enable the Oracle Database Vault option as follows:
UNIX: Run the following commands. The make command enables both Oracle Database Vault (dv_on) and Oracle Label Security (lbac_on); Oracle Label Security must be enabled before you can use Database Vault.
cd $ORACLE_HOME/rdbms/lib
make -f ins_rdbms.mk dv_on lbac_on ioracle
Windows: In the ORACLE_HOME\bin directory, rename the backed up copy of the oradv10.dll file (for example, oradv10.dll.dbl) to oradv10.dll. Ensure that the name of the Oracle Label Security file is oraLbac10.dll (and not oraLbac10.dll.dbl or some other backup name), because Oracle Label Security must be enabled before you can use Database Vault.
Restart the database, Database Control console process, and listener.
UNIX: Ensure that the environment variables ORACLE_HOME, ORACLE_SID, and PATH are correctly set. Log in to SQL*Plus as user SYS with the SYSOPER privilege and restart the database. Then from the command line, restart the Database Control console process and listener.
For example:
sqlplus sys as sysoper
Enter password: password
SQL> STARTUP
SQL> EXIT
$ emctl start dbconsole
$ lsnrctl start [listener_name]
For Oracle RAC installations, restart each database instance as follows:
$ srvctl start database -d db_name
Windows: Restart the database, Database Control console process, and listener from the Services tool in the Control Panel. The names of Oracle Database services begin with Oracle.
For Oracle RAC installations, repeat these steps for each node on which the database is installed.
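The V$OPTION status check, the disable procedure and the enable procedure above, combined into one shell script as an added example; this is not code from the Oracle documentation. It assumes a single-instance UNIX install with ORACLE_HOME, ORACLE_SID and PATH set, sqlplus, make, emctl, lsnrctl and dvca on PATH, and a DV_CONNECT connect string (default "/ as sysdba") that does not prompt for a password, because the V$OPTION query is fed on standard input. The helper names (dv_check_env, dv_toggle and so on), the LISTENER_NAME variable and the log file location are the example's own choices. The SYS and Database Vault owner passwords are never passed on the command line; sqlplus and dvca prompt for them, which is the form the page recommends.

```shell
#!/bin/sh
# dv_toggle.sh: an added example, not code from the Oracle Database Vault guide.
# Wraps the UNIX single-instance procedure on this page in both directions:
#   disable: stop -> make dv_off -> start -> dvca -action disable
#   enable:  dvca -action enable -> stop -> make dv_on lbac_on ioracle -> start
# Assumptions (not from the page): ORACLE_HOME, ORACLE_SID and PATH are set;
# sqlplus, make, emctl, lsnrctl and dvca are on PATH; DV_CONNECT (default
# "/ as sysdba") needs no password prompt because the status query is fed on
# stdin; LISTENER_NAME defaults to LISTENER. SYS and DV owner passwords are
# never put on the command line: sqlplus and dvca prompt for them. RAC
# (srvctl, per-node relink) is not handled.
# Usage: . ./dv_toggle.sh; dv_toggle disable myservicename mydbname myownername
set -u

# Refuse to run unless the environment the procedure depends on is set.
dv_check_env() {
    [ -n "${ORACLE_HOME:-}" ] && [ -d "${ORACLE_HOME:-}" ] || return 1
    [ -n "${ORACLE_SID:-}" ] || return 1
    case ":${PATH:-}:" in *":$ORACLE_HOME/bin:"*) return 0 ;; esac
    return 1
}

# Pull one VALUE (TRUE/FALSE) out of a "PARAMETER VALUE" listing from V$OPTION.
# $1: listing text, $2: option name spelled exactly as V$OPTION does (case matters).
dv_option_value() {
    printf '%s\n' "$1" | awk -v opt="$2" 'index($0, opt) == 1 { print $NF; exit }'
}

# Reduce a listing to ENABLED / DISABLED / UNKNOWN for Database Vault.
dv_status_from_output() {
    case "$(dv_option_value "$1" 'Oracle Database Vault')" in
        TRUE)  echo ENABLED ;;
        FALSE) echo DISABLED ;;
        *)     echo UNKNOWN ;;
    esac
}

# Status V$OPTION should report once the action has succeeded.
dv_expected_status() { [ "$1" = enable ] && echo ENABLED || echo DISABLED; }

# Live check: the page's V$OPTION query, widened to Label Security, which has
# to be linked in before Database Vault can be re-enabled.
dv_query_options() {
    sqlplus -S "${DV_CONNECT:-/ as sysdba}" <<'EOF'
SET PAGESIZE 0 FEEDBACK OFF HEADING OFF LINESIZE 200
SELECT PARAMETER || ' ' || VALUE FROM V$OPTION
 WHERE PARAMETER IN ('Oracle Database Vault', 'Oracle Label Security');
EXIT
EOF
}

# make targets from the page for each direction.
dv_make_targets() {
    case "$1" in
        disable) echo "dv_off" ;;
        enable)  echo "dv_on lbac_on ioracle" ;;
        *)       return 1 ;;
    esac
}

# Run SQL from a script file so the SYS password is typed at the terminal
# rather than read from the script's stdin.
dv_run_as_sysoper() {
    dir=$(mktemp -d) || return 1
    printf '%s\nEXIT\n' "$1" > "$dir/cmd.sql"
    sqlplus "sys as sysoper" "@$dir/cmd.sql"; rc=$?
    rm -rf "$dir"; return $rc
}
dv_stop_all()  { dv_run_as_sysoper "SHUTDOWN IMMEDIATE" && emctl stop dbconsole && lsnrctl stop "${LISTENER_NAME:-LISTENER}"; }
dv_start_all() { dv_run_as_sysoper "STARTUP" && emctl start dbconsole && lsnrctl start "${LISTENER_NAME:-LISTENER}"; }

# $1 action, $2 service name, $3 database name, $4 DV owner account.
dv_run_dvca() {
    dvca -action "$1" -oh "$ORACLE_HOME" -service "$2" -instance "$ORACLE_SID" \
         -dbname "$3" -owner_account "$4" -logfile "$ORACLE_HOME/dvca_$1.log"
}

# dv_toggle disable|enable service_name db_name dv_owner_account
# In both directions DVCA runs against an open database whose Database Vault
# option is linked off; only the relink/restart sits on the other side of it.
dv_toggle() {
    action=$1 svc=$2 db=$3 owner=$4
    targets=$(dv_make_targets "$action") || { echo "usage: dv_toggle disable|enable service db owner" >&2; return 2; }
    dv_check_env || { echo "ORACLE_HOME, ORACLE_SID or PATH is not set correctly" >&2; return 2; }
    if [ "$action" = enable ]; then dv_run_dvca enable "$svc" "$db" "$owner" || return 1; fi
    dv_stop_all || return 1
    ( cd "$ORACLE_HOME/rdbms/lib" && make -f ins_rdbms.mk $targets ) || return 1  # $targets word-split on purpose
    dv_start_all || return 1
    if [ "$action" = disable ]; then dv_run_dvca disable "$svc" "$db" "$owner" || return 1; fi
    status=$(dv_status_from_output "$(dv_query_options)")
    echo "Oracle Database Vault is now $status"
    [ "$status" = "$(dv_expected_status "$action")" ]
}
```

dv_toggle returns non-zero when V$OPTION does not report the expected state afterwards, which is the check to make before handing the database back; while the option is relinked off, realms and command rules are not enforced, so keep that window short. For Oracle RAC, replace the shutdown and startup calls with srvctl and run the make step on every node, as the page describes.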