Skip Headers
Oracle® Database Vault Administrator's Guide
11g Release 2 (11.2)

Part Number E10576-01
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
View PDF

C Postinstallation Oracle Database Vault Procedures

This appendix contains:

Registering Oracle Database Vault

After you install Oracle Database Vault, you must register it with your database.

To register Oracle Database Vault:

  1. Start Database Configuration Assistant.

    • UNIX: Enter the following command at a terminal window:

      dbca
      

      By default, dbca is in the $ORACLE_HOME/bin directory.

    • Windows: From the Start menu, click All Programs. Then, click Oracle - ORACLE_HOME, Configuration and Migration Tools, and then Database Configuration Assistant.

      Alternatively, you can start Database Configuration Assistant at a command prompt:

      dbca
      

      As with UNIX, typically, dbca is in the ORACLE_BASE\ORACLE_HOME\bin directory.

  2. In the Welcome page, click Next.

    The Operations page appears.

  3. Select Configure Database Options, and then click Next.

    The Database page appears.

  4. From the list, select the database where you installed Oracle Database and then click Next.

    The Database Content page appears.

  5. Select Oracle Database Vault (and Oracle Label Security if it is not already installed), and then click Next.

    If Oracle Database Vault is already checked and its name grayed out, then it has already been registered.

    After you select Oracle Database Vault, the Oracle Database Vault Credentials page appears.

  6. Specify the name and password for the Database Vault Owner account (for example, DBVOWNER) and the Database Vault Account Manager (for example, DBVACCTMGR).

    Enter any password that is secure, according to the password guidelines described in Oracle Database Security Guide. Oracle Database Vault has additional password requirements, which are displayed if you try to create an incorrect password.

  7. Click Next.

    The Connection Mode page appears.

  8. Select either Dedicated Server Mode or Shared Server Mode (depending on the selection you made when you created this database), click Finish, and then click OK in the confirmation prompts.

    Database Configuration Assistant registers Oracle Database Vault, and then restarts the database instance.

  9. Exit Database Configuration Assistant.

After you have registered Oracle Database Vault with an Oracle database, you can start Oracle Database Vault Administrator. See "Starting Oracle Database Vault" for more information.

Checking the Locale and NLS Settings

Ensure that the value of the NLS_LANGUAGE initialization parameter matches the locale and NLS settings (either the NLS_LANG or LANG environment variables) used by the operating system of the computer on which Oracle Database is installed. If these values are inconsistent, then Database Vault Administrator does not display the default realms, command rules, rule sets, or factors.

For example, if the operating system locale (the variable $LANG) setting is en_US.UTF-8, then you must set the corresponding NLS_LANG environment variable to AMERICAN_AMERICA.AL32UTF8 and the database NLS_LANGUAGE initialization parameter value to be AMERICAN. The database NLS_LANGUAGE parameter is derived from the operating system NLS_LANG environment variable.

For more information about checking and configuring locale and NLS settings, see the appendix that covers globalization support in the Oracle Database Installation Guide for your platform.

Manually Deploying Oracle Database Vault Administrator

If you have created an Oracle database manually, and have configured Oracle Enterprise Manager Database Control by using Enterprise Manager Configuration Assistant, you must manually deploy Oracle Database Vault Administrator. This procedure deploys Database Vault Administrator in the same OC4J container as the current Enterprise Manager, rather than creating a new application.

This section contains:

Deploying Database Vault Administrator to a Standalone OC4J Container

You can manually deploy Database Vault Administrator to the following Oracle Application Server Containers for J2EE (OC4J) home:

Follow these steps to manually deploy Database Vault Administrator:

  1. Edit the file, $ORACLE_HOME/oc4j/j2ee/home/config/server.xml. Enter the following line just before the last line that reads, </application-server>:

    <application name="dva" path="$ORACLE_HOME/dv/jlib/dva_webapp.ear" auto-start="true" />
    

    For example:

    <application name="dva" path="/u00/app/oracle/oracle/product/dv12/dv/jlib/dva_webapp.ear" auto-start="true" />
    
  2. Edit the file, $ORACLE_HOME/oc4j/j2ee/home/config/http-web-site.xml. Enter the following line just above the last line that reads, </web-site>:

    <web-app application="dva" name="dva_webapp" root="/dva" />
    
  3. Edit the file, $ORACLE_HOME/oc4j/j2ee/home/config/global-web-application.xml. Search for <servlet-class>oracle.jsp.runtimev2.JspServlet</servlet-class>. Uncomment the following lines after this:

    <init-param>
       <param-name>main_mode</param-name>
       <param-value>justrun</param-value>
    </init-param>
    
  4. Create the following directory:

    mkdir -p $ORACLE_HOME/dv/jlib/sysman/config
    
  5. Create the database connection configuration file, emoms.properties, in the configuration directory that you just created. Add the following lines to the file:

    oracle.sysman.emSDK.svlt.ConsoleMode=standalone
    oracle.sysman.eml.mntr.emdRepRAC=FALSE
    oracle.sysman.eml.mntr.emdRepDBName=oracle_sid
    oracle.system.eml.mntr.emdRepConnectDescriptor=TNS_connection_string
    

    Follow these special instructions:

    • For an Oracle RAC environment, set oracle.sysman.eml.mntr.emdRepRAC to TRUE.

    • For oracle.sysman.eml.mntr.emdRepConnectDescriptor, you can use an alias from $ORACLE_HOME/network/admin/tnsnames.ora. Alternatively, you can use the following syntax:

      oracle.sysman.eml.mntr.emdRepConnectDescriptor=
        (DESCRIPTION\=
          (ADDRESS_LIST\=(ADDRESS\=(PROTOCOL\=TCP) (HOST\=HOSTNAME)(PORT\=PORT))) 
          (CONNECT_DATA\=
             (SERVICE_NAME\=ORACLE_SID))
      
  6. Start OC4J. Before starting OC4J, ensure that the correct environment variables are set.

    For example:

    ORACLE_SID=orcl
    export ORACLE_SID
    ORACLE_HOME=/u00/app/oracle/product/11.2/dv
    export ORACLE_HOME
    LD_LIBRARY_PATH=$ORACLE_HOME/bin:$ORACLE_HOME/lib:$ORACLE_HOME/jdbc/lib
    export LD_LIBRARY_PATH
    PATH=$ORACLE_HOME/bin:$ORACLE_HOME/jdk/bin:$PATH
    export PATH
    

    Set the LD_LIBRARY_PATH variable to use the OCI-based JDBC libraries.

  7. Start OC4J using the following syntax:

    $ORACLE_HOME/jdk/bin/java -Djava.awt.headless=true -DEMDROOT=$ORACLE_HOME/dv/jlib -jar $ORACLE_HOME/oc4j/j2ee/home/oc4j.jar -userThreads -config $ORACLE_HOME/oc4j/j2ee/home/config/server.xml
    

After you complete these steps, you can start Database Vault Administrator. The HTTP port defaults to 8888 for this environment. Use the following URL:

http://hostname:8888/dva

Deploying Database Vault Administrator to the Database Console OC4J Container

To manually deploy Database Vault Administrator to the Database Console OC4J container:

  1. Stop Oracle Database Console.

    • UNIX: Go to the $ORACLE_HOME/bin directory and run the following command:

      ./emctl stop dbconsole
      
    • Windows: In the Administrative Services, select the Services utility, and then right-click the OracleDBConsolesid service. Select Stop from the menu.

  2. Create a backup copy and then open the $ORACLE_HOME/oc4j/j2ee/OC4J_DBConsole_service_name/config/server.xml file.

  3. Add the following line before the </application-server> element:

    <application name="dva" path="$ORACLE_HOME/dv/jlib/dva_webapp.ear" parent="default" start="true" />
    

    On Windows systems, replace $ORACLE_HOME with the absolute path to your Oracle Database home.

  4. Create a backup copy and then open the $ORACLE_HOME/oc4j/j2ee/OC4J_DBConsole_service_name/config/http-web-site.xml file.

  5. Add the following line before the </web-site> element:

    <web-app application="dva" name="dva_webapp" load-on-startup="true" root="/dva" shared="true"/>
    
  6. Restart Oracle Database Console.

    • UNIX: Go to the $ORACLE_HOME/bin directory and run the following command:

      ./emctl start dbconsole
      
    • Windows: In the Administrative Services, select the Services utility, and then right-click the OracleDBConsolesid service. Select Start from the menu.

After you complete these steps, you can start Oracle Database Vault Administrator by using the following URL:

https://hostname:port/dva

For example:

https://myserver:1158/dva

If you are unsure of the port number, open the ORACLE_HOME/host_sid/sysman/config/emd.properties file and search for REPOSITORY_URL. In most cases, the host name and port number are the same as Oracle Enterprise Manager Database Control.

Setting the Time-Out Value for Oracle Database Vault Administrator

By default, an Oracle Database Vault session lasts 35 minutes. If you want the session to last for a different time, follow the steps in this section.

To set the session time for Oracle Database Vault Administrator:

  1. Back up the web.xml file, which by default is in the $ORACLE_HOME/dv/jlib/dva_webapp/dva_webapp/WEB-INF directory.

  2. In a text editor, open the web.xml file.

  3. Search for the following setting:

    <session-config>
     <session-timeout>35</session-timeout>
    </session-config>
    
  4. Change the <session-timeout> setting to the amount of time in minutes that you prefer.

  5. Save and close the web.xml file.

  6. Stop and restart the Database Vault Administrator.

    • UNIX: Go to the $ORACLE_HOME/bin directory and run the following command:

      ./emctl stop dbconsole
      ./emctl start dbconsole
      
    • Windows: In the Administrative Services, select the Services utility, and then right-click the OracleDBConsolesid service. Select Stop from the menu. After the console stops, select Start.

Enabling Oracle Database Vault Administrator Accessibility

You can configure Database Vault Administrator to make data accessible and usable to the disabled community. The following sections explain how to enable Database Vault Administrator for full accessibility.

Enabling Oracle Database Vault Administrator Accessibility Mode

Oracle Database Vault Administrator takes advantage of user interface development technologies that improve the responsiveness of some user operations. For example, when you navigate to a new record set in a table, Oracle Database Vault Administrator does not redisplay the entire HTML page. However, this performance-improving technology is generally not supported by screen readers. To disable this feature, and as a result, make the Database Vault Administrator HTML pages more accessible for disabled users, use the following procedure.

To enable the display of an entire HTML page:

  1. Locate the uix-config.xml configuration file.

    By default, the uix-config.xml file is in the following directory:

    $ORACLE_HOME/oc4j/j2ee/oc4j_applications/applications/em/em/WEB-INF 
    
  2. Open the uix-config.xml file using a text editor and locate the following entry:

    <!-- An alternate configuration that disables accessibility features  -->
    <default-configuration>
      <accessibility-mode>inaccessible</accessibility-mode>
    ...
    </default-configuration>
    
  3. Change the value of the accessibility-mode property from inaccessible to accessible.

  4. Save and close the uix-config.xml file.

  5. Restart Database Vault Administrator.

    See "Starting Oracle Database Vault".

Providing Textual Descriptions of Database Vault Administrator Charts

The Monitor page of Database Vault Administrator displays security policy data in a chart. However, charts do not convey information in a manner that can be read by a screen reader. To remedy this problem, you can configure Database Vault Administrator to provide a complete textual representation of each chart. By default, support for the textual representation of charts is disabled. When textual description for charts is enabled, Database Vault Administrator displays a textual representation of the chart data.

To enable the textual representation of charts:

  1. Locate the web.xml configuration file.

    To locate the web.xml file in a Oracle Database 10g installation, change directory to the following location in the Oracle home:

    $ORACLE_HOME/dv/jlib/dva_webapp/dva_webapp/WEB-INF/
    
  2. Open the web.xml file with your favorite text editor and locate the following six lines of the file:

    <!-- Uncomment this to enable textual chart descriptions
    <context-param>
    <param-name>enableChartDescription</param-name>
    <param-value>true</param-value>
    </context-param>
    -->
    
  3. Remove comments from this section by deleting the first line and the last line of this section so that the section consists of only these four lines:

    <context-param>
    <param-name>enableChartDescription</param-name>
    <param-value>true</param-value>
    </context-param>
    
  4. Save and exit the web.xml file.

  5. Restart Database Vault Administrator.

    See "Starting Oracle Database Vault".

Configuring Oracle Database Vault on Oracle RAC Nodes

After you install Oracle Database Vault for an Oracle Real Application Clusters (Oracle RAC) instance, complete the following procedure for each RAC node. This procedure assumes that you have a separate Oracle home for each node.

  1. Log in to SQL*Plus as user SYS with the SYSDBA privilege.

    sqlplus sys as sysdba
    Enter password: password
    
  2. Run the following ALTER SYSTEM statements:

    ALTER SYSTEM SET AUDIT_SYS_OPERATIONS=TRUE SCOPE=SPFILE;
    ALTER SYSTEM SET OS_ROLES=FALSE SCOPE=SPFILE; 
    ALTER SYSTEM SET RECYCLEBIN='OFF' SCOPE=SPFILE; 
    ALTER SYSTEM SET REMOTE_LOGIN_PASSWORDFILE='EXCLUSIVE' SCOPE=SPFILE;
    ALTER SYSTEM SET SQL92_SECURITY=TRUE SCOPE=SPFILE; 
    ALTER SYSTEM SET OS_AUTHENT_PREFIX='' SCOPE=SPFILE; 
    
  3. Restart Oracle Database.

    CONNECT SYS/AS SYSOPER
    Enter password: password
    
    SHUTDOWN IMMEDIATE
    STARTUP
    

Adding Languages to Oracle Database Vault

By default, Oracle Database Vault loads only the English language tables. You can use DVCA to add more languages to Oracle Database Vault by specifying the addlanguages flag to the dvca -action option.

This section includes the following topics:

Syntax for Using DVCA -action addlanguages

The syntax for using dvca -action addlanguages is as follows:

dvca -action addlanguages 
  -oh Oracle_home
  -instance Oracle_SID_name 
  -dbname database_name 
  -dbuniquename database_unique_name
  -sys_passwd SYS_password
  -dvsys_passwd DVSYS_password
  -jdbc_str jdbc_connection_string
  -languages language_list
  [-owner_account DV_owner_account_name]
  [-owner_passwd DV_owner_account_password]
  [-acctmgr_account DV_account_manager_account_name] 
  [-acctmgr_passwd DV_account_manager_password]
  [-silent] 
  [-logfile ./dvca.log] 
  [-nodecrypt]
  [-lockout] 
  [-racnode node]

In this specification:

  • -action is the action to perform. In this case the action is addlanguages.

  • -oh is the Oracle home for the Oracle RAC instance. Provide the ORACLE_HOME path.

  • -instance is the name of the database instance. You can confirm this name by querying the INSTANCE_NAME column of the V$INSTANCE view. It specified in the entry for the database instance in the listener.ora file that is on the server.

  • -dbname is the database identifier. You can confirm this name by querying the NAME column of the V$DATABASE data dictionary view.

  • -dbuniquename is the globally unique name for the database.

  • -sys_passwd is the password for the SYS user. If you enter a cleartext password on the command line, then you must include the nodecrypt option. If you omit the password, then DVCA prompts you for it. For better security, Oracle strongly recommends that you omit the password and then enter it interactively when you are prompted.

  • -dvsys_passwd is the password for the DVSYS user. If you enter a cleartext password on the command line, then you must include the nodecrypt option. If you omit the password, then DVCA prompts you for it. Preferably, omit the password and then enter the password interactively when prompted.

  • -jdbc_str is the JDBC connection string used to connect to the database. Enter the net service name (that is, the SID) as it is listed in the tnsnames.ora file, which is located in the $ORACLE_HOME/network/admin directory. For example:

    -jdbc_str jdbc:oracle:oci:@sales_orders
    
  • -languages is the list of languages to be loaded. Provide the list of languages as a string in the following format:

    • UNIX: {"language_1,language_2,language_n"}

    • Windows: {"language_1","language_2","language_n"}

    Oracle Database Vault supports the following languages:

      en: English ja: Japanese
      de: German ko: Korean
      es: Spanish pt_BR: Brazilian Portuguese
      fr: French zh_CN: Simplified Chinese
      it: Italian zh_TW: Traditional Chinese

    For example, to load German and Spanish, you would enter the following:

    • UNIX: -languages {"de,es"}

    • Windows: -languages {"de","es"}

  • -owner_account is the Oracle Database Vault Owner (DV_OWNER) account name.

  • -owner_passwd is the Oracle Database Vault Owner account password. If you enter a cleartext password on the command line, then you must include the nodecrypt option. If you omit the password, then DVCA prompts you for it. Preferably, omit the password and then enter it interactively when prompted.

  • -acctmgr_account is the Oracle Database Vault Account Manager (DV_ACCTMGR) user name.

  • -acctmgr_passwd is the Oracle Database Vault Account Manager (DV_ACCTMGR) password. If you enter a cleartext password on the command line, then you must include the nodecrypt option. If you omit the password, then DVCA prompts you for it. Preferably, omit the password and then enter it interactively when prompted.

  • -silent is the option to run in command line mode. This option is required if you are not running DVCA in an xterm window.

  • -logfile is an optional flag to specify a log file name and location. You can enter an absolute path, or enter a path that is relative to the location of the $ORACLE_HOME/bin directory.

  • -nodecrypt is the option to read plaintext passwords.

  • -lockout is the flag used to disable SYSDBA operating system authentication. (This option is deprecated.)

  • -racnode is the host name of the Oracle RAC node on which the action is being performed. Do not include the domain name with the host name.

After you enter the dvca -action addlanguages command and if you omit the passwords, you will be prompted for the passwords of the SYS, DVSYS, DV_OWNER, and DV_ACCTMGR users. For better security, enter the passwords interactively.

Procedure for Adding Languages to Oracle Database Vault

To add languages to Oracle Database Vault:

  1. Log in to SQL*Plus as a user who has been granted the DV_OWNER role.

  2. Temporarily grant the DV_PATCH_ADMIN role to the user responsible for adding languages (for example, user SYS).

    GRANT DV_PATCH_ADMIN TO SYS;
    
  3. Notify this user to use DVCA to add the languages that are needed.

    For example:

    dvca -action addlanguages 
      -oh c:\oracle\product\11.2.0\db_1 
      -instance sales_orders
      -dbname sales_db
      -dbuniquename sales_db14
      -jdbc_str jdbc:oracle:oci:@sales_orders
      -owner_account dbvowner
      -acctmgr_account dbvacctmgr
      -languages {"es","ja"}
      -silent 
      -logfile dvcalog.txt 
    
    Enter SYS password: sys_password
    Enter DVSYS password: dvsys_password
    Enter owner password: owner_password
    Enter DV account manager password: dv_acct_password
    
  4. Revoke the DV_PATCH_ADMIN role from user to whom you granted it in Step 2.

    REVOKE DV_PATCH_ADMIN FROM SYS; 
    

Deinstalling Oracle Database Vault

The following procedure removes Oracle Database Vault from an Oracle Database installation. It applies to both single-instance and Oracle RAC installations.

To deinstall Oracle Database Vault:

  1. Log in to SQL*Plus and shut down the database.

    For example, for single-instance installations:

    sqlplus sys as sysoper
    Enter password: password
    
    SHUTDOWN NORMAL
    

    At the command prompt, for each database instance in an Oracle Real Application Clusters (Oracle RAC) environment:

    srvctl stop database -d db_name
    
  2. Run the following commands to turn off the Oracle Database Vault option:

    cd $ORACLE_HOME/rdbms/lib
    make -f ins_rdbms.mk dv_off
    make -f ins_rdbms.mk ioracle
    
  3. In SQL*Plus, start the database.

    For single-instance database installations:

    STARTUP
    

    For Oracle RAC installations:

    srvctl start database -d db_name 
    
  4. Connect as user SYS with the SYSDBA privilege and then run the following SQL script:

    CONNECT SYS/AS SYSDBA
    Enter password: password
     
    @$ORACLE_HOME/rdbms/admin/dvremov.sql
    

Afterward, you can double-check that Oracle Database Vault is truly deinstalled by logging in to SQL*Plus and entering the following statement:

SELECT * FROM V$OPTION WHERE PARAMETER = 'Oracle Database Vault';

If Oracle Database Vault is deinstalled, the following output appears:

PARAMETER                     VALUE
----------------------------- -----------------------
Oracle Database Vault         FALSE

Reinstalling Oracle Database Vault

To reinstall Oracle Database Vault:

  1. Shut down the database instance in which you plan to install Oracle Database Vault.

    Log in to SQL*Plus as SYS, connecting with the SYSOPER privilege. At the SQL prompt, shut down the database. For example:

    SHUTDOWN IMMEDIATE
    
  2. Exit SQL*Plus.

    EXIT
    
  3. Stop the Oracle Database processes.

    • UNIX: Go to the $ORACLE_HOME/bin directory and run the following commands to stop the Database Console and the listener:

      ./lsnrctl stop
      ./emctl stop dbconsole
      
    • Windows: In the Windows Services tool, right-click the Oracle listener, console, and database service services, and then from the menu, select Stop. The names of these services begin with Oracle and include the name of the database instance. For example, assuming the database instance is orcl, the names would be similar to the following:

      • OracleDBConsoleorcl

      • OracleJobSchedulerORCL

      • OracleOraDB1g-home1TNSListener

      • OracleServiceORCL

  4. Run Oracle Universal Installer from the installation media.

    • UNIX: Use the following command:

      /mnt/cdrom/runInstaller
      
    • Windows: Double-click the file, setup.exe, on the installation media.

  5. In the Select a Product to Install window, select Oracle Database 11g, and then click Next.

  6. Select Advanced Installation, and then click Next.

    The Select Installation Type window appears.

  7. Select Custom, and then click Next.

    The Specify Home Details screen appears.

  8. Select the Oracle base directory and the Oracle home directory in which you want to install Oracle Database Vault. Click Next.

    By default, Oracle Universal Installer offers to create a new Oracle home for you, so ensure that you select the correct existing Oracle home. Oracle Universal Installer then verifies that your system meets the minimum requirements. Next, the Available Product Components window is displayed.

  9. Select the box corresponding to Oracle Database Vault option.

    You can find this option under Enterprise Edition Options. You also must have Oracle Label Security installed, so Oracle Universal Installer selects it for you. Oracle Universal Installer also selects Oracle Services For Microsoft Transaction Server, but if you do not need this product, you can deselect it. Then click Next.

    The Summary window is displayed.

  10. Review your choices and then click Install.

    The new products should include Oracle Database Vault J2EE Application, Oracle Database Vault option, and Oracle Label Security.

    After you click Install, the progress window is displayed. When the installation completes, Oracle Universal Installer displays the End of Installation window.

  11. Click Exit, and then click Yes to confirm the exit.

  12. Restart the services and the database instance in which you installed Oracle Database Vault.

    • UNIX: Go to the $ORACLE_HOME/bin directory and run the following commands to start the Database Console and the listener:

      ./emctl start dbconsole
      ./lsnrctl start
      

      Start SQL*Plus and then restart the database instance:

      sqlplus sys as sysoper
      Enter password: password
      Connected to an idle instance
      
      SQL> STARTUP
      
    • Windows: In the Windows Services tool, right-click the Oracle listener, console, and database service services, and then from the menu, select Start. The names of these services begin with Oracle and include the name of the database instance. For example, assuming the database instance is orcl, the names would be similar to the following:

      • OracleDBConsoleorcl

      • OracleJobSchedulerORCL (Optional; you do not need to start it for the tutorials in this guide.)

      • OracleOraDB1g-home1TNSListener

      • OracleServiceORCL (This service starts when you start OracleDBConsole.)

  13. Register Oracle Database Vault.

    See "Registering Oracle Database Vault" for more information.