Skip Headers
Oracle® Database Vault Administrator's Guide
10g Release 2 (10.2)

Part Number B25166-23
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

B Disabling and Enabling Oracle Database Vault

This appendix contains:

When You Must Disable Oracle Database Vault

You may need to disable Oracle Database Vault to perform upgrade tasks or correct erroneous configurations. You can reenable Oracle Database Vault after you complete the corrective tasks.

Note:

Be aware that if you disable Oracle Database Vault, the privileges that were revoked from existing users and roles during installation remain in effect. See "Privileges That Are Revoked or Prevented from Existing Users and Roles" for a listing of the revoked privileges.

The following situations require you to disable Oracle Database Vault:

Checking if Oracle Database Vault Is Enabled or Disabled

You can check if Oracle Database Vault has is enabled or disabled by querying the V$OPTION data dictionary view. Any user can query this view. If Oracle Database Vault is enabled, the query returns TRUE. Otherwise, it returns FALSE.

Remember that the PARAMETER column value is case sensitive. For example:

SELECT * FROM V$OPTION WHERE PARAMETER = 'Oracle Database Vault';

If Oracle Database Vault is enabled, the following output appears:

PARAMETER                     VALUE
----------------------------- -----------------------
Oracle Database Vault         TRUE

Step 1: Disable Oracle Database Vault

To disable Oracle Database Vault:

  1. Stop the database, Database Control console process, and listener.

    • UNIX: Ensure that the environment variables, ORACLE_HOME, ORACLE_SID, and PATH are correctly set. Log in to SQL*Plus as user SYS with the SYSOPER privilege and shut down the database. Then from the command line, stop the Database Control console process and listener.

      For example:

      sqlplus sys as sysoper
      Enter password: password
      
      SQL> SHUTDOWN IMMEDIATE
      SQL> EXIT
      
      $ emctl stop dbconsole
      $ lsnrctl stop [listener_name]
      

      For Oracle RAC installations, shut down each database instance as follows:

      $ srvctl stop database -d db_name
      
    • Windows: Stop the database, Database Control console process, and listener from the Services tool in the Control Panel. The names of Oracle Database services begin with Oracle.

  2. Disable the Oracle Database Vault option.

    • UNIX: Run the following commands:

      cd $ORACLE_HOME/rdbms/lib
      make -f ins_rdbms.mk dv_off
      

      For Oracle RAC installations, run these commands on all nodes.

    • Windows: In the ORACLE_HOME\bin directory, rename the oradvl0.dll file to another name, such as oradvl0.dll.dbl.

  3. Restart the database, Database Control console process, and listener.

    • UNIX: Log in to SQL*Plus as user SYS with the SYSOPER privilege and restart the database. Then from the command line, restart the Database Control console process and listener.

      For example:

      sqlplus sys as sysoper
      Enter password: password
      
      SQL> STARTUP
      SQL> EXIT
      
      $ emctl start dbconsole
      $ lsnrctl start [listener_name]
      

      For Oracle RAC installations, restart each database instance as follows:

      $ srvctl start database -d db_name
      
    • Windows: Restart the database, Database Control console process, and listener from the Services tool in the Control Panel. The names of Oracle Database services begin with Oracle.

  4. If the reason you needed to disable Oracle Database Vault was because of forgotten passwords, then connect as SYS or SYSTEM and reset the password.

    For example:

    CONNECT SYSTEM
    Enter password: password
    
    ALTER USER lbrown_dvowner IDENTIFIED BY password;
    
  5. At a command prompt, run Oracle Database Vault Configuration Assistant (DVCA) by using the dvca -action disable option.

    The syntax for s disable is as follows:

    dvca -action disable 
      -oh Oracle_home_directory
      -service service_name 
      -instance Oracle_instance_name 
      -dbname database_name 
      -sys_passwd SYS_password 
      -owner_account DV_owner_account_name 
      -owner_passwd DV_owner_account_password 
      [-logfile ./dvca.log] 
      [-nodecrypt] 
      [-racnode node]
    

    In this specification:

    • -action is the action to perform. In this case the action is disable.

    • -oh is the path to the Oracle home directory. Enter the absolute path.

      For example:

      • UNIX: -oh /u01/app/oracle/product/10.2.0/db_1

      • Windows: -oh c:\oracle\product\db_1

    • -service is the database service name.

    • -instance is the name of the database instance.

    • -dbname is the database name.

    • -sys_passwd is the SYS password. If you use a cleartext password on the command line, you must include the nodecrypt option. If you omit the password, DVCA prompts you for it. Preferably, omit the password and then enter it interactively when prompted.

    • -owner_account is the Oracle Database Vault Owner account name.

    • -owner_passwd is the Oracle Database Vault Owner account password. If you use a cleartext password on the command line, you must include the nodecrypt option. If you omit the password, DVCA prompts you for it. Preferably, omit the password and then enter it interactively when prompted.

    • -logfile is an optional flag to specify a log file name and location. You can enter an absolute path, or enter a path that is relative to the location of the $ORACLE_HOME/bin directory.

    • -silent is the option to run in command line mode. This option is required if you are not running DVCA in an xterm window.

    • -nodecrypt is the option to read plaintext passwords.

    • -lockout is the flag to use to disable SYSDBA operating system authentication.

    For example:

    dvca -action disable 
      -oh /u01/app/oracle/product/10.2.0/db_1
      -service myservicename 
      -instance myinstance 
      -dbname mydbname 
      -owner_account myownername 
      -logfile dvcalog.txt 
      
    Enter SYS password: sys_password
    Enter owner password: owner_password
    

Step 2: Perform the Required Tasks

With Oracle Database Vault disabled, you can restart your database and perform the following tasks, as required. You can perform the following types of activities:

Step 3: Enable Oracle Database Vault

To enable Oracle Database Vault:

  1. At a command prompt, use DVCA to re-enable Oracle Database Vault.

    For example:

    dvca -action enable 
      -oh /u01/app/oracle/product/10.2.0/db_1
      -service myservicename 
      -instance myinstance 
      -dbname mydbname 
      -owner_account myownername 
      -logfile dvcalog.txt 
    
    Enter SYS password: sys_password
    Enter owner password: owner_password
    

    See Step 5 under "Step 1: Disable Oracle Database Vault" for detailed information about the DVCA syntax.

  2. Stop the database, Database Control console process, and listener.

    • UNIX: Ensure that the environment variables, ORACLE_HOME, ORACLE_SID, and PATH are correctly set. Log in to SQL*Plus as user SYS with the SYSOPER privilege and shut down the database. Then from the command line, stop the Database Control console process and listener.

      For example:

      sqlplus sys as sysoper
      Enter password: password
      
      SQL> SHUTDOWN IMMEDIATE
      SQL> EXIT
      
      $ emctl stop dbconsole
      $ lsnrctl stop [listener_name]
      

      For Oracle RAC installations, shut down each database instance as follows:

      $ srvctl stop database -d db_name
      
    • Windows: Stop the database, Database Control console process, and listener from the Services tool in the Control Panel. The names of Oracle Database services begin with Oracle.

  3. Enable the Oracle Database Vault option as follows:

    • UNIX: Run the following commands. The make command enables both Oracle Database Vault (dv_on) and Oracle Label Security (lbac_on). You must enable Oracle Label Security before you can use Database Vault.

      cd $ORACLE_HOME/rdbms/lib
      make -f ins_rdbms.mk dv_on lbac_on ioracle
      
    • Windows: In the ORACLE_HOME\bin directory, rename the backed up copy of the oradvl0.dll file (for example, oradv10.dll.dbl) to oradvl0.dll. Ensure that the name of the Oracle Label Security executable is oraLbac10.dll (and not oraLbac10.dll.dbl or some other backup name). You must enable Oracle Label Security before you can use Database Vault.

  4. Restart the database, Database Control console process, and listener.

    • UNIX: Ensure that the environment variables, ORACLE_HOME, ORACLE_SID, and PATH are correctly set. Log in to SQL*Plus as user SYS with the SYSOPER privilege and restart the database. Then from the command line, restart the Database Control console process and listener.

      For example:

      sqlplus sys as sysoper
      Enter password: password
      
      SQL> STARTUP
      SQL> EXIT
      
      $ emctl start dbconsole
      $ lsnrctl start [listener_name]
      

      For Oracle RAC installations, restart each database instance as follows:

      $ srvctl start database -d db_name
      
    • Windows: Restart the database, Database Control Console process, and listener from the Services tool in the Control Panel. The names of Oracle Database services begin with Oracle.

  5. For Oracle RAC installations, repeat these steps for each node on which the database is installed.