Oracle® Database Vault Administrator's Guide 11g Release 2 (11.2) Part Number E10576-01 |
|
|
View PDF |
After you install Oracle Database Vault, you must register it with your database.
To register Oracle Database Vault:
Start Database Configuration Assistant.
UNIX: Enter the following command at a terminal window:
dbca
By default, dbca
is in the $ORACLE_HOME/bin
directory.
Windows: From the Start menu, click All Programs. Then, click Oracle - ORACLE_HOME, Configuration and Migration Tools, and then Database Configuration Assistant.
Alternatively, you can start Database Configuration Assistant at a command prompt:
dbca
As with UNIX, typically, dbca
is in the ORACLE_BASE
\
ORACLE_HOME
\bin
directory.
In the Welcome page, click Next.
The Operations page appears.
Select Configure Database Options, and then click Next.
The Database page appears.
From the list, select the database where you installed Oracle Database and then click Next.
The Database Content page appears.
Select Oracle Database Vault (and Oracle Label Security if it is not already installed), and then click Next.
If Oracle Database Vault is already checked and its name grayed out, then it has already been registered.
After you select Oracle Database Vault, the Oracle Database Vault Credentials page appears.
Specify the name and password for the Database Vault Owner account (for example, DBVOWNER
) and the Database Vault Account Manager (for example, DBVACCTMGR
).
Enter any password that is secure, according to the password guidelines described in Oracle Database Security Guide. Oracle Database Vault has additional password requirements, which are displayed if you try to create an incorrect password.
Click Next.
The Connection Mode page appears.
Select either Dedicated Server Mode or Shared Server Mode (depending on the selection you made when you created this database), click Finish, and then click OK in the confirmation prompts.
Database Configuration Assistant registers Oracle Database Vault, and then restarts the database instance.
Exit Database Configuration Assistant.
After you have registered Oracle Database Vault with an Oracle database, you can start Oracle Database Vault Administrator. See "Starting Oracle Database Vault" for more information.
Ensure that the value of the NLS_LANGUAGE
initialization parameter matches the locale and NLS settings (either the NLS_LANG
or LANG
environment variables) used by the operating system of the computer on which Oracle Database is installed. If these values are inconsistent, then Database Vault Administrator does not display the default realms, command rules, rule sets, or factors.
For example, if the operating system locale (the variable $LANG
) setting is en_US.UTF-8
, then you must set the corresponding NLS_LANG
environment variable to AMERICAN_AMERICA.AL32UTF8
and the database NLS_LANGUAGE
initialization parameter value to be AMERICAN
. The database NLS_LANGUAGE
parameter is derived from the operating system NLS_LANG
environment variable.
For more information about checking and configuring locale and NLS settings, see the appendix that covers globalization support in the Oracle Database Installation Guide for your platform.
If you have created an Oracle database manually, and have configured Oracle Enterprise Manager Database Control by using Enterprise Manager Configuration Assistant, you must manually deploy Oracle Database Vault Administrator. This procedure deploys Database Vault Administrator in the same OC4J container as the current Enterprise Manager, rather than creating a new application.
This section contains:
Deploying Database Vault Administrator to a Standalone OC4J Container
Deploying Database Vault Administrator to the Database Console OC4J Container
You can manually deploy Database Vault Administrator to the following Oracle Application Server Containers for J2EE (OC4J) home:
Follow these steps to manually deploy Database Vault Administrator:
Edit the file, $ORACLE_HOME/oc4j/j2ee/home/config/server.xml
. Enter the following line just before the last line that reads, </application-server>
:
<application name="dva" path="$ORACLE_HOME/dv/jlib/dva_webapp.ear" auto-start="true" />
For example:
<application name="dva" path="/u00/app/oracle/oracle/product/dv12/dv/jlib/dva_webapp.ear" auto-start="true" />
Edit the file, $ORACLE_HOME/oc4j/j2ee/home/config/http-web-site.xml
. Enter the following line just above the last line that reads, </web-site>
:
<web-app application="dva" name="dva_webapp" root="/dva" />
Edit the file, $ORACLE_HOME/oc4j/j2ee/home/config/global-web-application.xml
. Search for <servlet-class>oracle.jsp.runtimev2.JspServlet</servlet-class>
. Uncomment the following lines after this:
<init-param> <param-name>main_mode</param-name> <param-value>justrun</param-value> </init-param>
Create the following directory:
mkdir -p $ORACLE_HOME/dv/jlib/sysman/config
Create the database connection configuration file, emoms.properties, in the configuration directory that you just created. Add the following lines to the file:
oracle.sysman.emSDK.svlt.ConsoleMode=standalone oracle.sysman.eml.mntr.emdRepRAC=FALSE oracle.sysman.eml.mntr.emdRepDBName=oracle_sid oracle.system.eml.mntr.emdRepConnectDescriptor=TNS_connection_string
Follow these special instructions:
For an Oracle RAC environment, set oracle.sysman.eml.mntr.emdRepRAC
to TRUE
.
For oracle.sysman.eml.mntr.emdRepConnectDescriptor
, you can use an alias from $ORACLE_HOME/network/admin/tnsnames.ora
. Alternatively, you can use the following syntax:
oracle.sysman.eml.mntr.emdRepConnectDescriptor= (DESCRIPTION\= (ADDRESS_LIST\=(ADDRESS\=(PROTOCOL\=TCP) (HOST\=HOSTNAME)(PORT\=PORT))) (CONNECT_DATA\= (SERVICE_NAME\=ORACLE_SID))
Start OC4J. Before starting OC4J, ensure that the correct environment variables are set.
For example:
ORACLE_SID=orcl export ORACLE_SID ORACLE_HOME=/u00/app/oracle/product/11.2/dv export ORACLE_HOME LD_LIBRARY_PATH=$ORACLE_HOME/bin:$ORACLE_HOME/lib:$ORACLE_HOME/jdbc/lib export LD_LIBRARY_PATH PATH=$ORACLE_HOME/bin:$ORACLE_HOME/jdk/bin:$PATH export PATH
Set the LD_LIBRARY_PATH
variable to use the OCI-based JDBC libraries.
Start OC4J using the following syntax:
$ORACLE_HOME/jdk/bin/java -Djava.awt.headless=true -DEMDROOT=$ORACLE_HOME/dv/jlib -jar $ORACLE_HOME/oc4j/j2ee/home/oc4j.jar -userThreads -config $ORACLE_HOME/oc4j/j2ee/home/config/server.xml
After you complete these steps, you can start Database Vault Administrator. The HTTP port defaults to 8888 for this environment. Use the following URL:
http://hostname:8888/dva
To manually deploy Database Vault Administrator to the Database Console OC4J container:
Stop Oracle Database Console.
UNIX: Go to the $ORACLE_HOME/bin
directory and run the following command:
./emctl stop dbconsole
Windows: In the Administrative Services, select the Services utility, and then right-click the OracleDBConsolesid service. Select Stop from the menu.
Create a backup copy and then open the $ORACLE_HOME/oc4j/j2ee/OC4J_DBConsole_
service_name
/config/server.xml
file.
Add the following line before the </application-server>
element:
<application name="dva" path="$ORACLE_HOME/dv/jlib/dva_webapp.ear" parent="default" start="true" />
On Windows systems, replace $ORACLE_HOME
with the absolute path to your Oracle Database home.
Create a backup copy and then open the $ORACLE_HOME/oc4j/j2ee/OC4J_DBConsole_
service_name
/config/http-web-site.xml
file.
Add the following line before the </web-site> element:
<web-app application="dva" name="dva_webapp" load-on-startup="true" root="/dva" shared="true"/>
Restart Oracle Database Console.
UNIX: Go to the $ORACLE_HOME/bin
directory and run the following command:
./emctl start dbconsole
Windows: In the Administrative Services, select the Services utility, and then right-click the OracleDBConsolesid service. Select Start from the menu.
After you complete these steps, you can start Oracle Database Vault Administrator by using the following URL:
https://hostname:port/dva
For example:
https://myserver:1158/dva
If you are unsure of the port number, open the ORACLE_HOME
/
host_sid
/sysman/config/emd.properties
file and search for REPOSITORY_URL
. In most cases, the host name and port number are the same as Oracle Enterprise Manager Database Control.
By default, an Oracle Database Vault session lasts 35 minutes. If you want the session to last for a different time, follow the steps in this section.
To set the session time for Oracle Database Vault Administrator:
Back up the web.xml file
, which by default is in the $ORACLE_HOME/dv/jlib/dva_webapp/dva_webapp/WEB-INF
directory.
In a text editor, open the web.xml
file.
Search for the following setting:
<session-config> <session-timeout>35</session-timeout> </session-config>
Change the <session-timeout>
setting to the amount of time in minutes that you prefer.
Save and close the web.xml
file.
Stop and restart the Database Vault Administrator.
UNIX: Go to the $ORACLE_HOME/bin
directory and run the following command:
./emctl stop dbconsole ./emctl start dbconsole
Windows: In the Administrative Services, select the Services utility, and then right-click the OracleDBConsolesid service. Select Stop from the menu. After the console stops, select Start.
You can configure Database Vault Administrator to make data accessible and usable to the disabled community. The following sections explain how to enable Database Vault Administrator for full accessibility.
Enabling Oracle Database Vault Administrator Accessibility Mode
Providing Textual Descriptions of Database Vault Administrator Charts
Oracle Database Vault Administrator takes advantage of user interface development technologies that improve the responsiveness of some user operations. For example, when you navigate to a new record set in a table, Oracle Database Vault Administrator does not redisplay the entire HTML page. However, this performance-improving technology is generally not supported by screen readers. To disable this feature, and as a result, make the Database Vault Administrator HTML pages more accessible for disabled users, use the following procedure.
To enable the display of an entire HTML page:
Locate the uix-config.xml
configuration file.
By default, the uix-config.xml
file is in the following directory:
$ORACLE_HOME/oc4j/j2ee/oc4j_applications/applications/em/em/WEB-INF
Open the uix-config.xml
file using a text editor and locate the following entry:
<!-- An alternate configuration that disables accessibility features --> <default-configuration> <accessibility-mode>inaccessible</accessibility-mode> ... </default-configuration>
Change the value of the accessibility-mode property from inaccessible
to accessible
.
Save and close the uix-config.xml
file.
Restart Database Vault Administrator.
The Monitor page of Database Vault Administrator displays security policy data in a chart. However, charts do not convey information in a manner that can be read by a screen reader. To remedy this problem, you can configure Database Vault Administrator to provide a complete textual representation of each chart. By default, support for the textual representation of charts is disabled. When textual description for charts is enabled, Database Vault Administrator displays a textual representation of the chart data.
To enable the textual representation of charts:
Locate the web.xml
configuration file.
To locate the web.xml
file in a Oracle Database 10g installation, change directory to the following location in the Oracle home:
$ORACLE_HOME/dv/jlib/dva_webapp/dva_webapp/WEB-INF/
Open the web.xml
file with your favorite text editor and locate the following six lines of the file:
<!-- Uncomment this to enable textual chart descriptions <context-param> <param-name>enableChartDescription</param-name> <param-value>true</param-value> </context-param> -->
Remove comments from this section by deleting the first line and the last line of this section so that the section consists of only these four lines:
<context-param> <param-name>enableChartDescription</param-name> <param-value>true</param-value> </context-param>
Save and exit the web.xml
file.
Restart Database Vault Administrator.
After you install Oracle Database Vault for an Oracle Real Application Clusters (Oracle RAC) instance, complete the following procedure for each RAC node. This procedure assumes that you have a separate Oracle home for each node.
Log in to SQL*Plus as user SYS
with the SYSDBA
privilege.
sqlplus sys as sysdba
Enter password: password
Run the following ALTER SYSTEM
statements:
ALTER SYSTEM SET AUDIT_SYS_OPERATIONS=TRUE SCOPE=SPFILE; ALTER SYSTEM SET OS_ROLES=FALSE SCOPE=SPFILE; ALTER SYSTEM SET RECYCLEBIN='OFF' SCOPE=SPFILE; ALTER SYSTEM SET REMOTE_LOGIN_PASSWORDFILE='EXCLUSIVE' SCOPE=SPFILE; ALTER SYSTEM SET SQL92_SECURITY=TRUE SCOPE=SPFILE; ALTER SYSTEM SET OS_AUTHENT_PREFIX='' SCOPE=SPFILE;
Restart Oracle Database.
CONNECT SYS/AS SYSOPER
Enter password: password
SHUTDOWN IMMEDIATE
STARTUP
By default, Oracle Database Vault loads only the English language tables. You can use DVCA to add more languages to Oracle Database Vault by specifying the addlanguages
flag to the dvca -action
option.
This section includes the following topics:
The syntax for using dvca -action addlanguages
is as follows:
dvca -action addlanguages -oh Oracle_home -instance Oracle_SID_name -dbname database_name -dbuniquename database_unique_name -sys_passwd SYS_password -dvsys_passwd DVSYS_password -jdbc_str jdbc_connection_string -languages language_list [-owner_account DV_owner_account_name] [-owner_passwd DV_owner_account_password] [-acctmgr_account DV_account_manager_account_name] [-acctmgr_passwd DV_account_manager_password] [-silent] [-logfile ./dvca.log] [-nodecrypt] [-lockout] [-racnode node]
In this specification:
-action
is the action to perform. In this case the action is addlanguages
.
-oh
is the Oracle home for the Oracle RAC instance. Provide the ORACLE_HOME
path.
-instance
is the name of the database instance. You can confirm this name by querying the INSTANCE_NAME
column of the V$INSTANCE
view. It specified in the entry for the database instance in the listener.ora
file that is on the server.
-dbname
is the database identifier. You can confirm this name by querying the NAME
column of the V$DATABASE
data dictionary view.
-dbuniquename
is the globally unique name for the database.
-sys_passwd
is the password for the SYS
user. If you enter a cleartext password on the command line, then you must include the nodecrypt
option. If you omit the password, then DVCA prompts you for it. For better security, Oracle strongly recommends that you omit the password and then enter it interactively when you are prompted.
-dvsys_passwd
is the password for the DVSYS
user. If you enter a cleartext password on the command line, then you must include the nodecrypt
option. If you omit the password, then DVCA prompts you for it. Preferably, omit the password and then enter the password interactively when prompted.
-jdbc_str
is the JDBC connection string used to connect to the database. Enter the net service name (that is, the SID) as it is listed in the tnsnames.ora
file, which is located in the $ORACLE_HOME/network/admin
directory. For example:
-jdbc_str jdbc:oracle:oci:@sales_orders
-languages
is the list of languages to be loaded. Provide the list of languages as a string in the following format:
UNIX: {"
language_1
,
language_2
,
language_n
"}
Windows: {"
language_1
","
language_2
","
language_n
"}
Oracle Database Vault supports the following languages:
en : English |
ja : Japanese |
|
de : German |
ko : Korean |
|
es : Spanish |
pt_BR : Brazilian Portuguese |
|
fr : French |
zh_CN : Simplified Chinese |
|
it : Italian |
zh_TW : Traditional Chinese |
For example, to load German and Spanish, you would enter the following:
UNIX: -languages {"de,es"}
Windows: -languages {"de","es"}
-owner_account
is the Oracle Database Vault Owner (DV_OWNER
) account name.
-owner_passwd
is the Oracle Database Vault Owner account password. If you enter a cleartext password on the command line, then you must include the nodecrypt
option. If you omit the password, then DVCA prompts you for it. Preferably, omit the password and then enter it interactively when prompted.
-acctmgr_account
is the Oracle Database Vault Account Manager (DV_ACCTMGR
) user name.
-acctmgr_passwd
is the Oracle Database Vault Account Manager (DV_ACCTMGR
) password. If you enter a cleartext password on the command line, then you must include the nodecrypt
option. If you omit the password, then DVCA prompts you for it. Preferably, omit the password and then enter it interactively when prompted.
-silent
is the option to run in command line mode. This option is required if you are not running DVCA in an xterm window.
-logfile
is an optional flag to specify a log file name and location. You can enter an absolute path, or enter a path that is relative to the location of the $ORACLE_HOME
/bin
directory.
-nodecrypt
is the option to read plaintext passwords.
-lockout
is the flag used to disable SYSDBA
operating system authentication. (This option is deprecated.)
-racnode
is the host name of the Oracle RAC node on which the action is being performed. Do not include the domain name with the host name.
After you enter the dvca -action addlanguages
command and if you omit the passwords, you will be prompted for the passwords of the SYS
, DVSYS
, DV_OWNER
, and DV_ACCTMGR
users. For better security, enter the passwords interactively.
To add languages to Oracle Database Vault:
Log in to SQL*Plus as a user who has been granted the DV_OWNER
role.
Temporarily grant the DV_PATCH_ADMIN
role to the user responsible for adding languages (for example, user SYS
).
GRANT DV_PATCH_ADMIN TO SYS;
Notify this user to use DVCA
to add the languages that are needed.
For example:
dvca -action addlanguages -oh c:\oracle\product\11.2.0\db_1 -instance sales_orders -dbname sales_db -dbuniquename sales_db14 -jdbc_str jdbc:oracle:oci:@sales_orders -owner_account dbvowner -acctmgr_account dbvacctmgr -languages {"es","ja"} -silent -logfile dvcalog.txt Enter SYS password: sys_password Enter DVSYS password: dvsys_password Enter owner password: owner_password Enter DV account manager password: dv_acct_password
Revoke the DV_PATCH_ADMIN
role from user to whom you granted it in Step 2.
REVOKE DV_PATCH_ADMIN FROM SYS;
The following procedure removes Oracle Database Vault from an Oracle Database installation. It applies to both single-instance and Oracle RAC installations.
To deinstall Oracle Database Vault:
Log in to SQL*Plus and shut down the database.
For example, for single-instance installations:
sqlplus sys as sysoper
Enter password: password
SHUTDOWN NORMAL
At the command prompt, for each database instance in an Oracle Real Application Clusters (Oracle RAC) environment:
srvctl stop database -d db_name
Run the following commands to turn off the Oracle Database Vault option:
cd $ORACLE_HOME/rdbms/lib make -f ins_rdbms.mk dv_off make -f ins_rdbms.mk ioracle
In SQL*Plus, start the database.
For single-instance database installations:
STARTUP
For Oracle RAC installations:
srvctl start database -d db_name
Connect as user SYS
with the SYSDBA
privilege and then run the following SQL script:
CONNECT SYS/AS SYSDBA
Enter password: password
@$ORACLE_HOME/rdbms/admin/dvremov.sql
Afterward, you can double-check that Oracle Database Vault is truly deinstalled by logging in to SQL*Plus and entering the following statement:
SELECT * FROM V$OPTION WHERE PARAMETER = 'Oracle Database Vault';
If Oracle Database Vault is deinstalled, the following output appears:
PARAMETER VALUE ----------------------------- ----------------------- Oracle Database Vault FALSE
To reinstall Oracle Database Vault:
Shut down the database instance in which you plan to install Oracle Database Vault.
Log in to SQL*Plus as SYS
, connecting with the SYSOPER
privilege. At the SQL prompt, shut down the database. For example:
SHUTDOWN IMMEDIATE
Exit SQL*Plus.
EXIT
Stop the Oracle Database processes.
UNIX: Go to the $ORACLE_HOME/bin
directory and run the following commands to stop the Database Console and the listener:
./lsnrctl stop ./emctl stop dbconsole
Windows: In the Windows Services tool, right-click the Oracle listener, console, and database service services, and then from the menu, select Stop. The names of these services begin with Oracle and include the name of the database instance. For example, assuming the database instance is orcl
, the names would be similar to the following:
OracleDBConsoleorcl
OracleJobSchedulerORCL
OracleOraDB1g-home1TNSListener
OracleServiceORCL
Run Oracle Universal Installer from the installation media.
UNIX: Use the following command:
/mnt/cdrom/runInstaller
Windows: Double-click the file, setup.exe
, on the installation media.
In the Select a Product to Install window, select Oracle Database 11g, and then click Next.
Select Advanced Installation, and then click Next.
The Select Installation Type window appears.
Select Custom, and then click Next.
The Specify Home Details screen appears.
Select the Oracle base directory and the Oracle home directory in which you want to install Oracle Database Vault. Click Next.
By default, Oracle Universal Installer offers to create a new Oracle home for you, so ensure that you select the correct existing Oracle home. Oracle Universal Installer then verifies that your system meets the minimum requirements. Next, the Available Product Components window is displayed.
Select the box corresponding to Oracle Database Vault option.
You can find this option under Enterprise Edition Options. You also must have Oracle Label Security installed, so Oracle Universal Installer selects it for you. Oracle Universal Installer also selects Oracle Services For Microsoft Transaction Server, but if you do not need this product, you can deselect it. Then click Next.
The Summary window is displayed.
Review your choices and then click Install.
The new products should include Oracle Database Vault J2EE Application, Oracle Database Vault option, and Oracle Label Security.
After you click Install, the progress window is displayed. When the installation completes, Oracle Universal Installer displays the End of Installation window.
Click Exit, and then click Yes to confirm the exit.
Restart the services and the database instance in which you installed Oracle Database Vault.
UNIX: Go to the $ORACLE_HOME/bin
directory and run the following commands to start the Database Console and the listener:
./emctl start dbconsole ./lsnrctl start
Start SQL*Plus and then restart the database instance:
sqlplus sys as sysoper
Enter password: password
Connected to an idle instance
SQL> STARTUP
Windows: In the Windows Services tool, right-click the Oracle listener, console, and database service services, and then from the menu, select Start. The names of these services begin with Oracle and include the name of the database instance. For example, assuming the database instance is orcl
, the names would be similar to the following:
OracleDBConsoleorcl
OracleJobSchedulerORCL (Optional; you do not need to start it for the tutorials in this guide.)
OracleOraDB1g-home1TNSListener
OracleServiceORCL (This service starts when you start OracleDBConsole.)
Register Oracle Database Vault.
See "Registering Oracle Database Vault" for more information.