Oracle® Database Vault Administrator's Guide 11g Release 2 (11.2) Part Number E10576-01
You may need to disable Oracle Database Vault to perform upgrade tasks or correct erroneous configurations. You can reenable Oracle Database Vault after you complete the corrective tasks.
Note:
Be aware that if you disable Oracle Database Vault, the privileges that were revoked from existing users and roles during installation remain in effect. See "Privileges That Are Revoked or Prevented from Existing Users and Roles" for a listing of the revoked privileges.
The following situations require you to disable Oracle Database Vault:
The Oracle Database Vault user accounts have been inadvertently locked or their passwords forgotten. (See the tip under "Oracle Database Vault Accounts" for a guideline for avoiding this problem in the future.)
A rule set associated with the CONNECT role has been configured incorrectly. This is resulting in failed database logins for all accounts, including those with the DV_OWNER or DV_ADMIN role, who could correct this problem.
You must perform maintenance tasks on Oracle Database Vault.
You must install any of the Oracle Database optional products or features, such as Oracle Spatial or Oracle Multimedia, by using Database Configuration Assistant (DBCA).
You are about to install a third-party product, install an Oracle product, or perform an Oracle patch update whose installation may be prevented if Oracle Database Vault is running.
You must archive the Oracle Database Vault audit trail.
You can check if Oracle Database Vault has already been enabled or disabled by querying the V$OPTION table. Any user can query this table. If Oracle Database Vault is enabled, the query returns TRUE. Otherwise, it returns FALSE.
Remember that the PARAMETER column value is case sensitive. For example:
SELECT * FROM V$OPTION WHERE PARAMETER = 'Oracle Database Vault';
If Oracle Database Vault is enabled, the following output appears:
PARAMETER                     VALUE
----------------------------- -----------------------
Oracle Database Vault         TRUE
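One way to turn this V$OPTION check into a pass/fail gate for a maintenance runbook, as an added example that is not part of Oracle's guide. The helper names dv_status and dv_expect are hypothetical, the sample outputs are constructed, and the row is assumed to print on one line as in the output shown above.

```shell
#!/bin/sh
# Added example. dv_status and dv_expect are hypothetical helper names,
# not Oracle tools. They read the output of:
#   SELECT * FROM V$OPTION WHERE PARAMETER = 'Oracle Database Vault';

# Constructed sample outputs, laid out like the one shown above.
HEADER='PARAMETER                     VALUE
----------------------------- -----------------------'
SAMPLE_ENABLED="$HEADER
Oracle Database Vault         TRUE"
SAMPLE_DISABLED="$HEADER
Oracle Database Vault         FALSE"
SAMPLE_NO_ROWS='no rows selected'

# Read SQL*Plus output on stdin; print ENABLED, DISABLED or UNKNOWN.
dv_status() {
    awk '
        # PARAMETER is case sensitive, so match the exact spelling.
        /^Oracle Database Vault[ \t]/ {
            if ($NF == "TRUE")  state = "ENABLED"
            if ($NF == "FALSE") state = "DISABLED"
        }
        # No matching row (wrong case in the WHERE clause, failed login,
        # ORA- error) is reported as UNKNOWN, never as DISABLED.
        END { print (state == "" ? "UNKNOWN" : state) }
    '
}

# Compare the observed state with the one the change plan calls for.
# Returns 0 on match, 1 on mismatch, 2 if the state could not be read.
dv_expect() {
    want=$1
    got=$(dv_status)
    if [ "$got" = "UNKNOWN" ]; then
        echo "Database Vault state could not be determined" >&2
        return 2
    fi
    if [ "$got" != "$want" ]; then
        echo "Database Vault is $got, expected $want" >&2
        return 1
    fi
    return 0
}

# After maintenance the plan expects Database Vault to be back on.
printf '%s\n' "$SAMPLE_ENABLED" | dv_expect ENABLED && echo "OK: enabled"
```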
Note:
After you disable Oracle Database Vault, you still can run the Oracle Database Vault API functions. Note also that after you disable Oracle Database Vault, the ANY privileges are available.
Follow these steps to disable Oracle Database Vault on UNIX systems:
Turn off the software processes. Make sure that the environment variables, ORACLE_HOME, ORACLE_SID, and PATH are correctly set.
Stop the dbconsole process in case it is running. For both single-instance and Oracle Real Application Clusters installations, run the following command at a command prompt:
emctl stop dbconsole
For single-instance installations, shut down the database instance:
sqlplus sys as sysoper
Enter password: password
SHUTDOWN NORMAL
EXIT
For Oracle Real Application Clusters (Oracle RAC) installations, shut down each database instance as follows, from a command prompt:
srvctl stop database -d db_name
If you cannot connect to the database, then proceed to the next step.
At a command prompt, run the following commands to turn off the Oracle Database Vault option:
cd $ORACLE_HOME/rdbms/lib
make -f ins_rdbms.mk dv_off ioracle
For Oracle RAC installations, run these commands on all nodes.
In SQL*Plus, start the database.
For single-instance database installations:
sqlplus sys as sysoper
Enter password: password
STARTUP
For Oracle RAC installations:
srvctl start database -d db_name
If the reason you needed to disable Oracle Database Vault was because of forgotten passwords, then connect SQL*Plus as SYS or SYSTEM and reset the password.
For example:
sqlplus system
Enter password: password
ALTER USER DBVOWNER IDENTIFIED BY password;
Follow these steps to disable Oracle Database Vault on Windows systems:
Stop the database service.
In the Control Panel, under Administrative Services, select the Services utility. Select the Standard tab, right-click the following services, and from the menu, select Stop:
OracleServiceSID
OracleHOMETNSListener
Under ORACLE_HOME\bin, rename the oradvrelease_number.dll file, for example, oradv10_backup.dll or oradv11_backup.dll.
Restart the database service.
In the Control Panel, under Administrative Services, select the Services utility. Select the Standard tab, right-click the following services, and from the menu, select Start:
OracleServiceSID
OracleHOMETNSListener
For RAC systems, repeat these steps for each node on which the database is installed.
If the reason you needed to disable Oracle Database Vault was because of forgotten passwords, then log in to SQL*Plus as SYS or SYSTEM and reset the password.
For example:
sqlplus system
Enter password: password
ALTER USER DBVOWNER IDENTIFIED BY password;
At this stage, Oracle Database Vault is disabled. You can perform the following types of activities:
Use the Oracle Database Vault PL/SQL packages and functions. For example, to correct a login or CONNECT rule set error, use the DBMS_MACADM PL/SQL package or the Oracle Database Vault Administrator interface.
Note:
If you are using Oracle Database Vault Administrator, then you must start the dbconsole process. You can check the status of the dbconsole process by entering the following command from the $ORACLE_HOME/bin directory of the Oracle home in which you deployed Database Vault Administrator:
./emctl status dbconsole
To start dbconsole:
./emctl start dbconsole
Use the SYSTEM or SYS accounts to perform tasks such as creating or changing passwords, or locking and unlocking accounts. In addition to modifying regular database and administrative user accounts, you can modify passwords and the lock status of any of the Oracle Database Vault-specific accounts, such as users who have been granted the DV_ADMIN or DV_ACCTMGR roles. (See the tip under "Oracle Database Vault Accounts" for a guideline for avoiding this problem in the future.)
Perform the installation, upgrade, or other tasks that require security protections to be disabled. If you must run Oracle Database Vault Configuration Assistant (DVCA), ensure that the Oracle Database listener is running. To start the listener, run the following command from the $ORACLE_HOME/bin directory:
$ ./lsnrctl start [listener_name]
Use the following steps to enable Oracle Database Vault on UNIX systems:
Turn off the software processes. Ensure that the environment variables, ORACLE_HOME, ORACLE_SID, and PATH are correctly set.
Stop the dbconsole process in case it is running. For both single-instance and Oracle RAC installations, use the following command:
emctl stop dbconsole
Shut down the database instance.
For single-instance installations:
sqlplus sys as sysoper
Enter password: password
SHUTDOWN NORMAL
EXIT
For Oracle RAC installations:
srvctl stop database -d db_name
At a command prompt, run the following commands to turn on the Oracle Database Vault option:
cd $ORACLE_HOME/rdbms/lib
make -f ins_rdbms.mk dv_on ioracle
For Oracle RAC installations, run these commands on all nodes.
In SQL*Plus, start the database:
For single-instance database installations:
sqlplus sys as sysoper
Enter password: password
STARTUP
EXIT
For Oracle RAC installations, at a command prompt:
srvctl start database -d db_name
Follow these steps to enable Oracle Database Vault on Windows systems:
Stop the database service.
In the Control Panel, under Administrative Services, select the Services utility. Select the Standard tab, right-click the following services, and from the menu, select Stop:
OracleServiceSID
OracleHOMETNSListener
Under ORACLE_HOME\bin, rename the backup of the oradvrelease_number.dll file to its original name.
For example, if you named it oradv10_backup.dll, then name it back to oradv10.dll.
Restart the database service.
In the Control Panel, under Administrative Services, select the Services utility. Select the Standard tab, right-click the following services, and from the menu, select Start:
OracleServiceSID
OracleHOMETNSListener
For Oracle RAC installations, repeat these steps for each node on which the database is installed.