Oracle® Database Vault Installation Guide
10g Release 2 (10.2) for AIX 5L Based Systems (64-Bit)

Part Number B32490-02

2 Installing Oracle Database Vault as an Option

This chapter includes an overview of the major steps required to install Oracle Database Vault into an existing Oracle Database 10g release 2 (10.2.0.3) database. These procedures transform an existing Oracle Database system (including associated applications) into an Oracle Database Vault system. Databases upgraded using the procedures described in this chapter can work in almost the same manner as in earlier releases and, optionally, can leverage new Oracle Database Vault functionality. For a list of changes that Database Vault makes, refer to Appendix E, "Initialization Parameters" and the Oracle Database Vault Administrator's Guide.

Note:

In order to upgrade a pre-10g release 2 Oracle Database to Oracle Database Vault, you first need to upgrade the database to a 10g release 2 (10.2.0.3) database.

See Also:

Oracle Database Upgrade Guide, 10g Release 2 (10.2) for information about upgrading your Oracle Database to Oracle Database 10g release 2.

2.1 Preinstallation and Installation Tasks

2.1.1 Become Familiar with the Features of Oracle Database Vault

Before you plan the upgrade process, become familiar with the features of Oracle Database Vault. The Oracle Database Vault Administrator's Guide discusses the basic features of Oracle Database Vault.

2.1.2 Check the Hardware Requirements

The system must meet the following minimum hardware requirements:

  • At least 1024 MB of physical RAM

  • The following table describes the relationship between installed RAM and the configured swap space requirement.

    RAM                            Swap Space
    Between 1024 MB and 2048 MB    1.5 times the size of RAM
    Between 2049 MB and 8192 MB    Equal to the size of RAM
    More than 8192 MB              0.75 times the size of RAM

  • 400 MB of disk space in the /tmp directory

  • Up to 3 GB of disk space for the Oracle software, depending on the installation type

  • 1.2 GB of disk space for a preconfigured database that uses file system storage (optional)

    Note:

    The disk space requirement for databases that use Automatic Storage Management or raw device storage is described later in this chapter.

    Additional disk space, either on a file system or in an Automatic Storage Management disk group, is required for the flash recovery area if you choose to configure automated backups.

To ensure that the system meets these requirements:

  1. To determine the physical RAM size, enter the following command:

    # /usr/sbin/lsattr -E -l sys0 -a realmem
    
    

    If the size of the physical RAM is less than the required size, then you must install more memory before continuing.

  2. To determine the size of the configured swap space, enter the following command:

    # /usr/sbin/lsps -a
    
    

    If necessary, refer to the operating system documentation for information about how to configure additional swap space.

  3. To determine the amount of disk space available in the /tmp directory, enter the following command:

    # df -k /tmp
    
    

    If there is less than 400 MB of free disk space available in the /tmp directory, then complete one of the following steps:

    • Delete unnecessary files from the /tmp directory to meet the disk space requirement.

    • Set the TEMP and TMPDIR environment variables when setting the oracle user's environment (described later).

    • Extend the file system that contains the /tmp directory. If necessary, contact your system administrator for information about extending file systems.

  4. To determine the amount of free disk space on the system, enter the following command:

    # df -k
    
    

    The following table shows the approximate disk space requirements for software files for each installation type:

    Installation Type      Requirement for Software Files (GB)
    Enterprise Edition     2.0
    Standard Edition       3.0
    Custom (maximum)       2.5

  5. To determine whether the system architecture can run the software, enter the following command:

    # /usr/bin/getconf HARDWARE_BITMODE
    64
    
    

    Note:

    The expected output of this command is 64. If you do not see the expected output, then you cannot install the software on this system.
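
The RAM-to-swap table and the 400 MB /tmp rule above, applied to captured command output. This is an added example, not part of the Oracle guide; the three command outputs are constructed samples, and the function names are illustrative.

```sh
#!/bin/sh
# Added example: evaluates the hardware rules from this section against
# captured output. On AIX, replace the constructed samples with the output of
# the commands named in the comments.

# Constructed sample of: /usr/sbin/lsattr -E -l sys0 -a realmem  (value in KB)
SAMPLE_LSATTR='realmem 4194304 Amount of usable physical memory in Kbytes False'

# Constructed sample of: /usr/sbin/lsps -a
SAMPLE_LSPS='Page Space  Physical Volume  Volume Group    Size  %Used  Active  Auto  Type
paging00    hdisk1           rootvg        2048MB      1     yes   yes    lv
hd6         hdisk0           rootvg        1024MB      3     yes   yes    lv'

# Constructed sample of: df -k /tmp  (Free column is in KB)
SAMPLE_DF='Filesystem    1024-blocks      Free %Used    Iused %Iused Mounted on
/dev/hd3           1048576    350208   67%     1203     2% /tmp'

# Physical RAM in MB from the lsattr line.
ram_mb() {
    printf '%s\n' "$1" | awk '$1 == "realmem" { printf "%d\n", $2 / 1024 }'
}

# Total size in MB of the active paging spaces (assumes sizes printed as <n>MB).
swap_mb() {
    printf '%s\n' "$1" | awk '
        NR > 1 && $6 == "yes" { sub(/MB$/, "", $4); total += $4 }
        END { printf "%d\n", total }'
}

# Free space in MB of the file system reported by df -k.
tmp_free_mb() {
    printf '%s\n' "$1" | awk 'NR == 2 { printf "%d\n", $3 / 1024 }'
}

# Required swap in MB for a given RAM size in MB, per the table above.
# Returns non-zero when RAM is below the 1024 MB minimum.
required_swap_mb() {
    if [ "$1" -lt 1024 ]; then
        return 1
    elif [ "$1" -le 2048 ]; then
        echo $(( ($1 * 3 + 1) / 2 ))      # 1.5 times RAM, rounded up
    elif [ "$1" -le 8192 ]; then
        echo "$1"                         # equal to RAM
    else
        echo $(( ($1 * 3 + 3) / 4 ))      # 0.75 times RAM, rounded up
    fi
}

# Print one OK/FAIL line per rule; return non-zero if any rule fails.
preflight() {
    rc=0
    ram=$(ram_mb "$1"); swap=$(swap_mb "$2"); tmp=$(tmp_free_mb "$3")
    if need=$(required_swap_mb "$ram"); then
        if [ "$swap" -ge "$need" ]; then
            echo "OK   swap ${swap} MB (need ${need} MB for ${ram} MB RAM)"
        else
            echo "FAIL swap ${swap} MB (need ${need} MB for ${ram} MB RAM)"; rc=1
        fi
    else
        echo "FAIL RAM ${ram} MB is below the 1024 MB minimum"; rc=1
    fi
    if [ "$tmp" -ge 400 ]; then
        echo "OK   /tmp has ${tmp} MB free"
    else
        echo "FAIL /tmp has ${tmp} MB free (need 400 MB, or set TEMP and TMPDIR)"; rc=1
    fi
    return $rc
}

preflight "$SAMPLE_LSATTR" "$SAMPLE_LSPS" "$SAMPLE_DF" ||
    echo "Fix the items marked FAIL before starting Oracle Universal Installer."
```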

2.1.3 Check the Operating System Requirements

Depending on the products that you intend to install, verify that the following software is installed on the system. The procedure following the table describes how to verify whether these requirements are addressed.

Note:

Oracle Universal Installer performs checks on your system to verify that it meets the listed requirements. To ensure that these checks pass, verify the requirements before you start Oracle Universal Installer.

Item                         Requirement
Operating system             The following operating system versions and maintenance level are required:
                               • AIX 5L version 5.2, Maintenance Level 04 or later
                               • AIX 5L version 5.3, Maintenance Level 02 or later
Operating system filesets    The following operating system filesets are required:
                               • bos.adt.base
                               • bos.adt.lib
                               • bos.adt.libm
                               • bos.perf.libperfstat
                               • bos.perf.perfstat
                               • bos.perf.proctools
                               • xlC.aix50.rte:7.0.0.4 or later
                               • xlC.rte:7.0.0.1 or later

To ensure that the system meets these requirements:

  1. To determine the version of AIX installed, enter the following command:

    # oslevel -r
    
    

    If the operating system version is lower than AIX 5.2.0.0 Maintenance Level 1 (5200-01), then upgrade your operating system to this level. AIX 5L version 5.2 maintenance packages are available from the following Web site:

    http://www-912.ibm.com/eserver/support/fixes/

  2. To determine whether the required filesets are installed and committed, enter a command similar to the following:

    # lslpp -l bos.adt.base bos.adt.lib bos.adt.libm bos.perf.perfstat \
     bos.perf.libperfstat bos.perf.proctools
    
    

    If a fileset is not installed and committed, then install it. Refer to your operating system or software documentation for information about installing filesets.

In addition, you need to verify that the following patches are installed on the system. The procedure following the table describes how to check these requirements.

Note:

There may be more recent versions of the patches listed installed on the system. If a listed patch is not installed, then determine whether a more recent version is installed before installing the version listed.

Installation Type or Product    Requirement
All installations               Authorized Problem Analysis Reports (APARs) for AIX 5L v5.2 ML 04:
                                  • IY63133: large percentage of CPU time spent in ldata_balance routine
                                  • IY64978: deadlock with concurrent renaming and unlinking under JFS
                                  • IY63366: dlsym returns null even for valid symbol in AIX520 ML-4
                                  • IY64691: chvg -b can cause corruption and crash
                                  • IY64737: AIO can hang in knotunlock
                                  • IY65001: mklvcopy on a striped lv is failing to update lvcb
All installations               Authorized Problem Analysis Reports (APARs) for AIX 5L v5.3 ML 02:
                                  • IY58143: REQUIRED UPDATE FOR AIX 5.3
                                  • IY59386: libdepend.mk files are all empty
                                  • IY60930: Unable to delete network routes
                                  • IY66513: LDR_CNTRL turns on undesirable option when initialized with incorrect value
                                  • IY70159: krtl relocation problem
                                  • IY68989: eFix for write to mmapped space hangs

To ensure that the system meets these requirements:

  1. To determine whether an APAR is installed, enter a command similar to the following:

    # /usr/sbin/instfix -i -k "IY63133 IY64978 IY63366 IY64691 IY65001 IY64737 \
      IY64361 IY65305 IY58350 IY63533"
    
    

    If an APAR is not installed, then download it from the following Web site and install it:

    http://www-912.ibm.com/eserver/support/fixes/

  2. If you require a CSD for WebSphere MQ, then refer to the following Web site for download and installation information:

    http://www.ibm.com/software/integration/mqfamily/support/summary/aix.html

2.1.4 Check Kernel Parameters

Note:

The kernel subsystem attribute values shown in this section are recommended values only. For production database systems, Oracle recommends that you tune these values to optimize the performance of the system. See your operating system documentation for more information about tuning kernel subsystem attributes.

Verify that the kernel subsystem attributes shown in the following table are set to values greater than or equal to the recommended value shown. The procedure following the table describes how to verify and set the values.

Subsystem  Attribute                    Recommended Value
ipc        shm_max                      4278190080 (4 GB minus 16 MB)
           shm_min                      1
           shm_mni                      256
           shm_seg                      256
           ssm_threshold                Set this attribute to 0 only if the rad_gh_regions[n] or gh_chunks attributes are set in the vm subsystem. Otherwise, do not change the value.
proc       exec_disable_arg_limit       1
           per_proc_stack_size          8388608 (8 MB). Oracle supports up to 512 MB for this parameter.
           max_per_proc_stack_size      33554432 (32 MB). Oracle supports up to 512 MB for this parameter.
           per_proc_data_size           335544320 (320 MB)
           max_per_proc_data_size       335544320 (320 MB)
           max_per_proc_address_space   Equal to the size of RAM or 1073741824 (1 GB), whichever is larger.
           per_proc_address_space       Equal to the size of RAM or 1073741824 (1 GB), whichever is larger.
rdg        msg_size                     32768
           max_objs                     5120
           max_async_req                256
           max_sessions                 500 (or at least 20 plus the value of the PROCESSES initialization parameter for all databases on the system, if this value is higher.)
           rdg_max_auto_msg_wires       0
           rdg_auto_msg_wires           0
rt         aio_task_max_num             8193
vfs        fifo_do_adaptive             0
vm         new_wire_method              0

Note:

If the current value for any kernel subsystem attribute is higher than the value listed in this table, then except for the attributes with a recommended value of 0, do not change the value of that attribute.

To view the current value specified for these kernel subsystem attributes, and to change them if necessary:

  1. To view the current values of the subsystem attributes, enter commands similar to the following:

    # /sbin/sysconfig -q subsystem
    
    

    For example, to view attribute values for the ipc subsystem, enter the following command:

    # /sbin/sysconfig -q ipc
    
    
  2. If you must change any of the current values, then:

    1. Create a backup copy of the /etc/sysconfigtab file, for example:

      # cp /etc/sysconfigtab /etc/sysconfigtab.orig
      
      
    2. Using any text editor, create a file similar to the following, specifying the subsystems and attributes that you want to modify:

      ipc:
           shm_max = 4278190080
           shm_min = 1
           shm_mni = 256
           shm_seg = 128
      
      proc:
           exec_disable_arg_limit = 1
           per_proc_stack_size = 8388608
           max_per_proc_stack_size = 33554432
           per_proc_data_size = 335544320
           max_per_proc_data_size = 335544320
           max_per_proc_address_space = 4294967296
           per_proc_address_space = 4294967296
      
      
    3. Enter a command similar to the following to add the subsystem attributes to the /etc/sysconfigtab file:

      # /sbin/sysconfigdb -m -f filename
      
      

      In this example, filename is the name of the file you created in the previous step.

    4. Enter the following command to restart the system:

      # /sbin/shutdown -r now
      
      
    5. When the system restarts, log in and switch user to root.
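
The comparison rule from this section (raise a value only when it is below the recommendation, but force attributes with a recommended value of 0 back to 0), applied to a set of current settings. This is an added example, not part of the Oracle guide; the current settings are a constructed sample in the stanza format shown above, and only the fixed numeric rows of the table are checked.

```sh
#!/bin/sh
# Added example: audits kernel subsystem attributes against the table in this
# section. Rows whose recommendation depends on RAM size or on other settings
# (ssm_threshold, the *_address_space attributes) are left out, and
# max_sessions uses the baseline of 500.

RECOMMENDED='ipc shm_max 4278190080
ipc shm_min 1
ipc shm_mni 256
ipc shm_seg 256
proc exec_disable_arg_limit 1
proc per_proc_stack_size 8388608
proc max_per_proc_stack_size 33554432
proc per_proc_data_size 335544320
proc max_per_proc_data_size 335544320
rdg msg_size 32768
rdg max_objs 5120
rdg max_async_req 256
rdg max_sessions 500
rdg rdg_max_auto_msg_wires 0
rdg rdg_auto_msg_wires 0
rt aio_task_max_num 8193
vfs fifo_do_adaptive 0
vm new_wire_method 0'

# Constructed sample of current values (stanza format: "subsystem:" followed
# by "attribute = value" lines).
SAMPLE_CURRENT='ipc:
     shm_max = 4294967296
     shm_min = 1
     shm_mni = 128
     shm_seg = 256
proc:
     exec_disable_arg_limit = 1
     per_proc_stack_size = 8388608
     max_per_proc_stack_size = 33554432
     per_proc_data_size = 335544320
     max_per_proc_data_size = 335544320
rdg:
     msg_size = 32768
     max_objs = 5120
     max_async_req = 256
     max_sessions = 620
     rdg_max_auto_msg_wires = 0
     rdg_auto_msg_wires = 2
rt:
     aio_task_max_num = 8193
vfs:
     fifo_do_adaptive = 0
vm:
     new_wire_method = 1'

# Print one line per attribute that needs a change; print nothing if compliant.
audit_attrs() {
    { printf '%s\n' "$RECOMMENDED"; echo '--current--'; printf '%s\n' "$1"; } | awk '
        $0 == "--current--" { cur = 1; next }
        !cur { key = $1 "." $2; rec[key] = $3; order[++n] = key; next }
        /^[A-Za-z_]+:$/ { sub(/:$/, ""); subsys = $1; next }
        $2 == "=" { have[subsys "." $1] = $3 }
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (!(k in have)) {
                    print "MISSING " k " (recommended " rec[k] ")"
                } else if (rec[k] + 0 == 0) {
                    # Recommended 0: any other value must be reset.
                    if (have[k] + 0 != 0)
                        print "SET " k " = 0 (current " have[k] ")"
                } else if (have[k] + 0 < rec[k] + 0) {
                    # Higher current values are left alone.
                    print "RAISE " k " to " rec[k] " (current " have[k] ")"
                }
            }
        }'
}

audit_attrs "$SAMPLE_CURRENT"
```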

2.1.5 Check the Database Requirements

In order to install Oracle Database Vault, you must be running the Enterprise Edition of Oracle Database 10g release 2 (10.2.0.3). The database should also have Oracle Enterprise Manager Console DB 10.2.0.3.0 installed. In addition, the Database Vault installer requires write access to the oratab and oraInst.loc files.

A listener must have been configured for the existing database. Oracle Net Configuration Assistant configures the listener when you first install the database. You can also use Oracle Enterprise Manager to administer listeners.

You must have an existing password file for the database. The password file authentication parameter, REMOTE_LOGIN_PASSWORDFILE, must have been set to EXCLUSIVE or SHARED.

You can set the REMOTE_LOGIN_PASSWORDFILE parameter in the init.ora file. Use the orapwd utility to create and manage password files.

See Also:

Oracle Database Administrator's Guide for more information on creating and maintaining a password file

The following topics discuss applying the 10.2.0.3 patch set and installing the required components:

2.1.5.1 Install Oracle Enterprise Manager Console DB

Before installing Oracle Database Vault, you should ensure that Oracle Enterprise Manager Console DB 10.2.0.3.0 is installed. Oracle Enterprise Manager Console DB is installed using the Oracle Universal Installer (OUI). The following steps summarize installing Oracle Enterprise Manager Console DB:

  1. Run Oracle Universal Installer (OUI) and perform a custom installation to install Oracle Enterprise Manager Console DB 10.2.0.1.0. Add Oracle Enterprise Manager Console DB from the list of available product components.

  2. Apply the Oracle Database release 10.2.0.3 patch set.

Note:

You can configure the database to use Enterprise Manager Database Control by using Database Configuration Assistant (DBCA). However, configuring Enterprise Manager Database Control is not a prerequisite for installing Oracle Database Vault.

2.1.5.2 Apply Oracle Database Release 10.2.0.3 Patch Set

To install Oracle Database Vault, you need to upgrade the database to Oracle Database release 10.2.0.3. Oracle strongly recommends that you back up your database before performing any upgrade or installation.

See Also:

Oracle Database Backup and Recovery User's Guide for information on database backups

This section covers the following topics:

Patch Set Overview

You can apply the Oracle Database release 10.2.0.3 patch set to the following Oracle Database 10g release 2 installations:

  • Oracle Database

  • Oracle Real Application Clusters

  • Oracle Database Client

  • Oracle Database Companion CD

  • Oracle Clusterware

  • Oracle Database Vault

Oracle Universal Installer Version Requirements

This patch set includes Oracle Universal Installer release 10.2.0.3, which is also installed when you install this patch set. This is to ensure that your Oracle home can be patched in the future. You should not use the Installer from the earlier maintenance release media or Oracle home.

This is not a complete software distribution. You must install it in an existing Oracle Database 10g release 2 (10.2.0.1 or 10.2.0.2) installation.

Patch Set Documentation

There are two documents related to this release of the Oracle Database patch set:

  • Oracle Database Patch Set Notes, 10g Release 2 (10.2.0.3) Patch Set for AIX 5L Based Systems (64-Bit)

  • Oracle Database List of Bugs Fixed, 10g Release 2 (10.2.0.3) Patch Set

Both of these documents are included with the patch set. In addition, they are available on the OracleMetalink Web site:

http://metalink.oracle.com

2.1.6 Prepare a Backup Strategy

Oracle strongly recommends that you back up your database before performing any upgrade or installation. The ultimate success of your upgrade depends heavily on the design and execution of an appropriate backup strategy. To develop a backup strategy, consider the following questions:

  • How long can the production database remain inoperable before business consequences become intolerable?

  • What backup strategy should be used to meet your availability requirements?

  • Are backups archived in a safe, offsite location?

  • How quickly can backups be restored (including backups in offsite storage)?

  • Have recovery procedures been tested successfully?

Your backup strategy should answer all of these questions and include procedures for successfully backing up and recovering your database.

See Also:

Oracle Database Backup and Recovery User's Guide for information on database backups

2.1.7 Verify That Oracle Clusterware Is Running (RAC Only)

Oracle Clusterware should be running for the Database Vault installer to find the existing Real Application Clusters (RAC) databases. If you have stopped Oracle Clusterware, then you should restart it before running Oracle Universal Installer. Use the following command to start Oracle Clusterware:

$CRS_HOME/bin/crsctl start crs

Note:

  • You must run the crsctl command as the root user. You need to run this command on all cluster nodes.

  • The crsctl start crs command also starts the database. You will need to shut down the database before running Oracle Universal Installer.

2.1.8 Stop Existing Oracle Processes

Stop all processes running in the Oracle home. You must complete this task to enable Oracle Universal Installer to relink certain executables and libraries. For RAC databases, you need to stop the processes on all nodes.

Stop the processes in the following order:

  1. Stop the Enterprise Manager Database Control Process

  2. Stop the iSQL*Plus Process

  3. Shut Down All Database Instances

  4. Stop Existing Listeners

2.1.8.1 Stop the Enterprise Manager Database Control Process

Stop the Enterprise Manager Database Control process, if it is running. Use the following command:

$ORACLE_HOME/bin/emctl stop dbconsole

2.1.8.2 Stop the iSQL*Plus Process

Stop the iSQL*Plus process, using the following command:

$ORACLE_HOME/bin/isqlplusctl stop

2.1.8.3 Shut Down All Database Instances

Shut down all database instances running from the Oracle home directory into which Oracle Database Vault is to be installed.

sqlplus SYS "AS SYSDBA"
Enter password:
SQL> shutdown immediate

2.1.8.4 Stop Existing Listeners

Oracle Universal Installer configures and starts a default Oracle Net listener using TCP/IP port 1521. However, if an existing Oracle Net listener process is using the same port or key value, then Oracle Universal Installer can only configure the new listener; it cannot start it. To ensure that the new listener process starts during the installation, you must shut down any existing listeners before starting Oracle Universal Installer.

To determine whether an existing listener process is running and to shut it down if necessary:

  1. Switch user to oracle:

    # su - oracle
    
    
  2. Enter the following command to determine whether a listener process is running and to identify its name and the Oracle home directory in which it is installed:

    $ ps -ef | grep tnslsnr
    
    

    This command displays information about the Oracle Net listeners running on the system:

    ... oracle_home1/bin/tnslsnr LISTENER -inherit
    
    

    In this example, oracle_home1 is the Oracle home directory where the listener is installed and LISTENER is the listener name.

    Note:

    If no Oracle Net listeners are running, then refer to the "Configure the Oracle User's Environment" section to continue.
  3. Set the ORACLE_HOME environment variable to specify the appropriate Oracle home directory for the listener:

    • Bourne, Bash, or Korn shell:

      $ ORACLE_HOME=oracle_home1
      $ export ORACLE_HOME
      
      
    • C or tcsh shell:

      % setenv ORACLE_HOME oracle_home1
      
      
  4. Enter the following command to identify the TCP/IP port number and IPC key value that the listener is using:

    $ $ORACLE_HOME/bin/lsnrctl status listenername
    

    Note:

    If the listener uses the default name LISTENER, then you do not have to specify the listener name in this command.
  5. Enter a command similar to the following to stop the listener process:

    $ $ORACLE_HOME/bin/lsnrctl stop listenername
    
    
  6. Repeat this procedure to stop all listeners running on this system.

Note:

If you are installing Database Vault for Oracle Real Application Clusters (RAC), then you need to shut down all Oracle processes on all cluster nodes. See Appendix A, "How to Stop Processes in an Existing Oracle Real Application Clusters Database" for more details.
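
The listener procedure above repeated for every listener on the system: each tnslsnr line of the ps output is parsed for its Oracle home and listener name, and the matching lsnrctl command is printed for review. This is an added example, not part of the Oracle guide; the ps output and the home paths under /u01 and /u02 are constructed, and the function names are illustrative.

```sh
#!/bin/sh
# Added example: derives "lsnrctl status" / "lsnrctl stop" commands from
# ps output. It only prints the commands; nothing is executed.

# Constructed sample of: ps -ef | grep tnslsnr
SAMPLE_PS='  oracle  213456       1   0   Mar 02      -  0:12 /u01/app/oracle/product/10.2.0/db_1/bin/tnslsnr LISTENER -inherit
  oracle  229012       1   0   Mar 02      -  0:03 /u02/app/oracle/product/10.2.0/db_2/bin/tnslsnr LSNR_SALES -inherit
  oracle  301122  298770   0 10:41:07  pts/0  0:00 grep tnslsnr'

# Print "<oracle_home> <listener_name>" for each running listener.
# The grep process itself is ignored because its argument is not a path
# ending in /bin/tnslsnr.
list_listeners() {
    printf '%s\n' "$1" | awk '
        {
            for (i = 1; i < NF; i++) {
                if ($i ~ /\/bin\/tnslsnr$/) {
                    home = $i
                    sub(/\/bin\/tnslsnr$/, "", home)
                    print home, $(i + 1)
                    break
                }
            }
        }'
}

# listener_commands ACTION PS_OUTPUT, where ACTION is "status" or "stop".
# Values taken from a process list are untrusted input, so the home must be
# an absolute path and the name is limited to letters, digits, "_" and ".".
listener_commands() {
    action=$1
    case $action in
        status|stop) ;;
        *) echo "usage: listener_commands status|stop PS_OUTPUT" >&2; return 2 ;;
    esac
    list_listeners "$2" | while read -r home name; do
        case $home in
            /*) ;;
            *) echo "# skipped: Oracle home is not an absolute path"; continue ;;
        esac
        case $name in
            ''|*[!A-Za-z0-9_.]*)
                echo "# skipped $home: unexpected listener name"; continue ;;
        esac
        printf 'ORACLE_HOME=%s %s/bin/lsnrctl %s %s\n' \
            "$home" "$home" "$action" "$name"
    done
}

listener_commands status "$SAMPLE_PS"
listener_commands stop "$SAMPLE_PS"
```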

2.1.9 Configure the Oracle User's Environment

Run Oracle Universal Installer (OUI) using the account that owns the Oracle software. This is usually the oracle account.

However, before you start Oracle Universal Installer you must configure the environment of the oracle user. To configure the environment, you must:

  • Set the default file mode creation mask (umask) to 022 in the shell startup file.

  • Set the DISPLAY environment variable.

Note:

Ensure that the PATH variable contains $ORACLE_HOME/bin before /usr/X11R6/bin.

To set the oracle user's environment:

  1. Start a new terminal session, for example, an X terminal (xterm).

  2. Enter the following command to ensure that X Window applications can display on this system:

    $ xhost fully_qualified_remote_host_name
    
    

    For example:

    $ xhost somehost.us.acme.com
    
    
  3. If you are not already logged in to the system where you want to install the software, then log in to that system as the oracle user.

  4. If you are not logged in as the oracle user, then switch user to oracle:

    $ su - oracle
    
    
  5. To determine the default shell for the oracle user, enter the following command:

    $ echo $SHELL
    
    
  6. Open the oracle user's shell startup file in any text editor:

    • Bourne shell (sh), Bash shell (bash), or Korn shell (ksh):

      $ vi .bash_profile
      
      
    • C shell (csh or tcsh):

      % vi .login
      
      
  7. Enter or edit the following line, specifying a value of 022 for the default file mode creation mask:

    umask 022
    
    
  8. If the ORACLE_SID, ORACLE_HOME, or ORACLE_BASE environment variable is set in the file, then remove the corresponding lines from the file.

  9. Save the file, and exit from the editor.

  10. To run the shell startup script, enter one of the following commands:

    • Bourne, Bash, or Korn shell:

      $ . ./.profile
      
      
    • C shell:

      % source ./.login
      
      
  11. If you are not installing the software on the local system, then enter a command similar to the following to direct X applications to display on the local system:

    • Bourne, Bash, or Korn shell:

      $ DISPLAY=local_host:0.0 ; export DISPLAY
      
      
    • C shell:

      % setenv DISPLAY local_host:0.0
      
      

    In this example, local_host is the host name or IP address of the system that you want to use to display Oracle Universal Installer (your workstation or PC).

  12. If you determined that the /tmp directory has less than 400 MB of free disk space, then identify a file system with at least 400 MB of free space and set the TEMP and TMPDIR environment variables to specify a temporary directory on this file system:

    1. Use the df -k command to identify a suitable file system with sufficient free space.

    2. If necessary, enter commands similar to the following to create a temporary directory on the file system that you identified, and set the appropriate permissions on the directory:

      $ su - root
      # mkdir /mount_point/tmp
      # chmod a+wr /mount_point/tmp
      # exit
      
      
    3. Enter commands similar to the following to set the TEMP and TMPDIR environment variables:

      • Bourne, Bash, or Korn shell:

        $ TEMP=/mount_point/tmp
        $ TMPDIR=/mount_point/tmp
        $ export TEMP TMPDIR
        
        
      • C shell:

        % setenv TEMP /mount_point/tmp
        % setenv TMPDIR /mount_point/tmp
        
        
  13. Enter commands similar to the following to set the ORACLE_BASE and ORACLE_SID environment variables:

    • Bourne, Bash, or Korn shell:

      $ ORACLE_BASE=/u01/app/oracle
      $ ORACLE_SID=sales
      $ export ORACLE_BASE ORACLE_SID
      
      
    • C shell:

      % setenv ORACLE_BASE /u01/app/oracle
      % setenv ORACLE_SID sales
      
      

    In these examples, /u01/app/oracle is the Oracle base directory that you created or identified earlier and sales is the name that you want to call the database (typically no more than five characters).

  14. Enter the following commands to ensure that the ORACLE_HOME and TNS_ADMIN environment variables are not set:

    • Bourne, Bash, or Korn shell:

      $ unset ORACLE_HOME
      $ unset TNS_ADMIN
      
      
    • C shell:

      % unsetenv ORACLE_HOME
      % unsetenv TNS_ADMIN
      
      
  15. To verify that the environment has been set correctly, enter the following commands:

    $ umask
    $ env | more
    
    

    Verify that the umask command displays a value of 22, 022, or 0022 and the environment variables that you set in this section have the correct values.

2.1.10 Run Oracle Universal Installer to Install

Run Oracle Universal Installer (OUI) to install Oracle Database Vault into an existing Oracle Database 10g release 2 (10.2.0.3) database. You should run the installer as the software owner account that owns the current ORACLE_HOME environment. This is normally the oracle account.

Log in as the oracle user. Alternatively, switch user to oracle using the su command. Change your current directory to the directory containing the installation files. Start Oracle Universal Installer.

./runInstaller

The following steps discuss the options you need to select:

  1. In the Specify Installation Details screen, you need to specify the path to the Oracle home that contains the existing Oracle Database. The Destination Path box lists the Oracle home paths of all Oracle Database release 2 (10.2.0.3) Enterprise Edition databases registered with the system.

    Select the Oracle home corresponding to the database into which you want to install Oracle Database Vault.

    Note:

    • If an Oracle home does not have an Enterprise Edition of Oracle Database release 10.2.0.3 installed, then it is not displayed. You must ensure that the Oracle home has an Enterprise Edition of Oracle Database release 10.2.0.3 installed.

    • If an Oracle home does not have Oracle Enterprise Manager Console DB 10.2.0.3.0 installed, then it is not displayed. You must ensure that the Oracle home has Oracle Enterprise Manager Console DB 10.2.0.3.0 installed.

    • If an Oracle home contains an Automatic Storage Management (ASM) instance, then it is not displayed. You cannot install Oracle Database Vault into an Oracle home that also contains an ASM instance.

    • If an Oracle home already contains Oracle Database Vault, then it is not displayed. You cannot install Oracle Database Vault into an Oracle home more than once.

  2. Enter a user name for the Database Vault Owner account in the Database Vault Owner field. The user name can be a minimum of 2 and maximum of 30 characters long.

  3. Enter a password for the Database Vault Owner account in the Database Vault Owner Password field. The password can be a minimum of 8 and a maximum of 30 characters. The password must include at least one alphabetic character, one digit, and one nonalphanumeric character (symbol). It cannot be the same as the account names for either the Database Vault owner or the Database Vault account manager. It cannot contain any consecutive repeating characters.

  4. Reenter the password in the Confirm Password field.

  5. Select Create a Separate Account Manager if you want to create a separate Account Manager to manage Oracle Database Vault accounts.

  6. In the Database Vault Account Manager field, enter a user name for the Database Vault Account Manager if you have chosen to select the Create a Separate Account Manager check box. The user name can be a minimum of 2 and a maximum of 30 characters.

  7. Enter a password for the Database Vault Account Manager account in the Account Manager Password field. The password can be a minimum of 8 and a maximum of 30 characters. The password must include at least one alphabetic character, one digit, and one nonalphanumeric character (symbol). It cannot be the same as the account names for either the Database Vault owner or the Database Vault account manager. It cannot contain any consecutive repeating characters.

  8. Reenter the password in the Confirm Password field. Click Next.

  9. The Select Existing Database screen is displayed. A list of all databases running from the selected Oracle home is displayed. Select the database into which you wish to install Oracle Database Vault.

    Note:

    • If the selected Oracle home contains more than one database, then Operating System (OS) authentication is turned off for all the databases in the Oracle home.

    • Oracle recommends that you install Oracle Database Vault into an Oracle home containing only a single database.

    • If a database is not listed, then check to make sure that you have followed the instructions under "Check the Database Requirements".

  10. Enter the existing SYS user password for the selected database in the Existing Database SYS Password field.

  11. Reenter the SYS password in the Confirm Password field. Click Next.

    Note:

    At this point, the database requirements are validated.
  12. You are prompted to shut down all Oracle processes running from the Oracle home before proceeding. Shut down the Oracle processes, if you have not already done so.

    See Also:

    "Stop Existing Oracle Processes" for more information on stopping existing Oracle processes
  13. Product-specific prerequisite checks are performed. Confirm that all tests have passed. Click Next to continue.

  14. The Summary screen is displayed with the installation details. Verify the details and click Install.

  15. The Installation screen is displayed. After the installation completes, the Database Vault Configuration Assistant (DVCA) is run automatically. DVCA helps configure the Database Vault installation.
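
The password rules from steps 3 and 7, written as a check that can be run on a candidate password before it is typed into the installer. This is an added example, not the installer's own validation code; the candidate passwords and the account names DV_OWNER1 and DV_ACCTMGR1 are constructed, and comparing against account names without regard to case is an assumption.

```sh
#!/bin/sh
# Added example: checks a candidate password against the rules listed in
# steps 3 and 7 of this procedure.
LC_ALL=C; export LC_ALL      # make the [A-Za-z] ranges mean plain ASCII

# dv_password_violations PASSWORD [ACCOUNT_NAME...]
# Prints one line per broken rule; prints nothing for an acceptable password.
dv_password_violations() {
    pw=$1; shift
    if [ "${#pw}" -lt 8 ] || [ "${#pw}" -gt 30 ]; then
        echo "length must be 8 to 30 characters"
    fi
    case $pw in *[A-Za-z]*) ;; *) echo "needs at least one alphabetic character" ;; esac
    case $pw in *[0-9]*) ;; *) echo "needs at least one digit" ;; esac
    case $pw in *[!A-Za-z0-9]*) ;; *) echo "needs at least one nonalphanumeric character" ;; esac

    # Must differ from the Database Vault owner and account manager names.
    # Assumption: the comparison ignores case.
    lower=$(printf '%s' "$pw" | tr 'A-Z' 'a-z')
    for name in "$@"; do
        if [ -n "$name" ] &&
           [ "$lower" = "$(printf '%s' "$name" | tr 'A-Z' 'a-z')" ]; then
            echo "must not be the same as account name $name"
        fi
    done

    # The same character twice in a row is a consecutive repeat.
    if printf '%s\n' "$pw" | grep -q '\(.\)\1'; then
        echo "must not contain consecutive repeating characters"
    fi
}

# Succeeds only when no rule is broken.
dv_password_ok() {
    [ -z "$(dv_password_violations "$@")" ]
}

# Constructed candidates checked against constructed account names.
for candidate in 'S3cure#Vault' 'Passw0rd!' 'Sh0rt#1' 'dv_owner1' 'abcdefgh'; do
    if dv_password_ok "$candidate" DV_OWNER1 DV_ACCTMGR1; then
        echo "accept  $candidate"
    else
        echo "reject  $candidate"
        dv_password_violations "$candidate" DV_OWNER1 DV_ACCTMGR1 | sed 's/^/          /'
    fi
done
```

A candidate such as dv_owner1 meets the length and character-class rules and is rejected only by the account-name rule, which is why that comparison is checked separately.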

2.2 Postinstallation Tasks

This section lists the tasks to perform after you have completed an upgrade of your database. The following topics are discussed:

2.2.1 Back Up the Database

Make sure you perform a full backup of the production database. See Oracle Database Backup and Recovery User's Guide for details on backing up a database.

2.2.2 Update Environment Variables After the Upgrade (UNIX Systems Only)

Make sure that the following environment variables point to the correct Oracle Database Vault directories:

  • ORACLE_HOME

  • PATH

  • ORA_NLS10

    Note:

    The ORA_NLS10 environment variable replaces the ORA_NLS33 environment variable, so you may need to unset ORA_NLS33 and set ORA_NLS10.
  • LD_LIBRARY_PATH

2.2.3 Change Passwords for Oracle-Supplied Accounts

Oracle strongly recommends that you change the password for each account after installation. This enables you to effectively implement the strong security provided by Oracle Database Vault.

Note:

If you are creating a database using Database Configuration Assistant, you can unlock accounts after the database is created by clicking Password Management before you exit from Database Configuration Assistant.

2.2.3.1 Using SQL*Plus to Unlock Accounts and Reset Passwords

To unlock and reset user account passwords using SQL*Plus:

  1. Start SQL*Plus and log in using the Database Vault Account Manager account. If you did not create the Database Vault Account Manager account during installation, then you will need to log in using the Database Vault Owner account.

  2. Enter a command similar to the following, where account is the user account that you want to unlock and password is the new password:

    SQL> ALTER USER account [ IDENTIFIED BY password ] ACCOUNT UNLOCK;
    
    

    In this example:

    • The ACCOUNT UNLOCK clause unlocks the account.

    • The IDENTIFIED BY password clause resets the password.

    Note:

    If you unlock an account but do not reset the password, then the password remains expired. The first time someone connects as that user, they must change the user's password.

    To permit unauthenticated access to your data through HTTP, unlock the ANONYMOUS user account.

2.2.4 Enable or Disable Connections with the SYSDBA Privilege

In a default Database Vault installation, the operating system authentication to the database is disabled. In addition, connections to the database using the SYSDBA privilege (that is, those that use the AS SYSDBA clause) are disabled. This is a security feature and is implemented to prevent misuse of the SYSDBA privilege.

If a password file has been created using the orapwd utility with the nosysdba flag set to y (Yes) (the default action of a Database Vault installation), users will not be able to log in to an Oracle Database Vault instance using the SYS account or any account with SYSDBA privilege using the AS SYSDBA clause. You can reenable the ability to connect with the SYSDBA privilege by re-creating the password file with the nosysdba flag set to n (No). You might need to reenable the ability to connect with SYSDBA privileges if certain products or utilities require its use.

When you re-create the password file, any accounts other than SYS that were granted the SYSDBA or SYSOPER privileges will have those privileges removed. You will need to regrant the privileges for these accounts after you have re-created the password file.

Use the following syntax to run orapwd:

orapwd file=filename password=password [entries=users] force=y/n nosysdba=y/n

Where:

  • file: Name of password file (mandatory)

  • password: Password for SYS (mandatory). Enter at least six alphanumeric characters.

  • entries: Maximum number of distinct DBA users

  • force: Whether to overwrite the existing file (optional). Enter y (for yes) or n (for no)

  • nosysdba: Whether to enable or disable the SYS logon (optional for Oracle Database Vault only). Enter y (for yes) or n (for no)

    The default is no, so if you omit this flag, the password file will be created enabling SYSDBA access for Oracle Database Vault instances.

For example:

orapwd file=$ORACLE_HOME/dbs/orapworcl password=5hjk99 force=y nosysdba=n

Note:

Do not insert spaces around the equal (=) character.

See Also:

Oracle Database Administrator's Guide for more information on using the orapwd utility.
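
Because re-creating the password file removes the SYSDBA and SYSOPER entries of every account other than SYS, it helps to capture them first. The following added example (not part of the Oracle guide) turns a saved SQL*Plus listing of V$PWFILE_USERS into the GRANT statements to replay afterwards; the function names, the sample listing and its user names are constructed.

```shell
#!/bin/sh
# Added example. Input ($1): a saved listing of
#   SELECT username, sysdba, sysoper FROM v$pwfile_users;
# taken BEFORE orapwd re-creates the password file.
# Output: GRANT statements that restore the non-SYS entries afterwards.
pwfile_regrants() {
    awk '
        # Data rows have exactly three fields, the last two TRUE or FALSE.
        # This skips the header, the dashed rule and the row-count footer.
        NF != 3 || $2 !~ /^(TRUE|FALSE)$/ || $3 !~ /^(TRUE|FALSE)$/ { next }
        # Only accounts other than SYS lose their privileges.
        $1 == "SYS" { next }
        # Emit plain unquoted identifiers only; anything else needs a human.
        $1 !~ /^[A-Z][A-Z0-9_$#]*$/ {
            print "skipped unexpected name: " $1 > "/dev/stderr"; next
        }
        $2 == "TRUE" { print "GRANT SYSDBA TO " $1 ";" }
        $3 == "TRUE" { print "GRANT SYSOPER TO " $1 ";" }
    ' "$1"
}

# Constructed sample listing (not output from a real database).
sample_pwfile_listing() {
    cat <<'EOF'
USERNAME                       SYSDB SYSOP
------------------------------ ----- -----
SYS                            TRUE  TRUE
DBA_JANE                       TRUE  FALSE
OPS_MONITOR                    FALSE TRUE
BACKUP_ADMIN                   TRUE  TRUE

4 rows selected.
EOF
}
```

Review the generated statements before running them; an account that no longer needs SYSDBA or SYSOPER should not be regranted.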

Enabling or Disabling Connecting with SYSDBA on Oracle Real Application Clusters Systems

Under a cluster file system and raw devices, the password file under $ORACLE_HOME is in a symbolic link that points to the shared storage location in the default configuration. In this case, the orapwd command you issue affects all nodes.

Enabling or Disabling Connecting with SYSDBA on Automatic Storage Management Systems

For Automatic Storage Management systems, you need to update each node to enable or disable the SYSDBA connection privilege by using the orapwd utility.

2.2.5 Start the Listener and Database on Other Nodes (RAC Only)

You need to start the listener and database on all RAC nodes other than the one on which the installation is performed. Use the following commands to start the listener and the database:

Note:

You need to enable SYSDBA connections on all nodes before running these commands. See "Enable or Disable Connections with the SYSDBA Privilege" for more information on enabling SYSDBA connections.

$ORACLE_HOME/bin/lsnrctl start LISTENER_nodename
srvctl start instance -d sid -i instance_name -c "SYS/password AS SYSDBA"

Note:

You must use the Server Control (srvctl) utility to start and stop Oracle Database Vault RAC instances. Do not use SQL*Plus to start and stop RAC instances. You need to enable SYSDBA connections before you can use the srvctl command.

2.2.6 Run DVCA to Set Instance Parameters and Lock Out SYSDBA Sessions (RAC Only)

After installing Database Vault for a Real Application Clusters (RAC) instance, you need to run Database Vault Configuration Assistant (DVCA) with the -action optionrac switch on all other RAC nodes. This sets instance parameters and disables SYSDBA operating system authentication.

You need to run this command on all RAC nodes other than the node on which the Database Vault installation is performed. This step is required to enable the enhanced security features provided by Oracle Database Vault.

Note:

The listener and database instance should be running on the nodes on which you run DVCA.

Use the following syntax to run DVCA:

# dvca -action optionrac -racnode host_name -oh oracle_home -jdbc_str jdbc_connection_string -sys_passwd sys_password \
[-logfile ./dvca.log] [-silent] [-nodecrypt] [-lockout]

Where:

  • action: The action to perform. optionrac performs the action of updating the instance parameters for the RAC instance and optionally disabling SYSDBA operating system access for the instance.

  • racnode: The host name of the RAC node on which the action is being performed. Do not include the domain name with the host name.

  • oh: The Oracle home for the RAC instance.

  • jdbc_str: The JDBC connection string used to connect to the database. For example, "jdbc:oracle:oci:@orcl1".

  • sys_passwd: The password for the SYS user.

  • logfile: Optionally, specify a log file name and location. You can enter an absolute path or a path that is relative to the location of the $ORACLE_HOME/bin directory.

  • silent: Required if you are not running DVCA in an xterm window.

  • nodecrypt: Reads plaintext passwords as passed on the command line.

  • lockout: Used to disable SYSDBA operating system authentication.

Note:

You can reenable SYSDBA access by re-creating the password file with the nosysdba flag set to n (No). The orapwd utility enables you to do this.
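
The orapwd, srvctl and dvca invocations shown in sections 2.2.4 through 2.2.6 all take the SYS password as a command-line argument, so the value can be left behind in shell history files. The following added example (not part of the Oracle guide) scans a history file given as its argument for those three command forms and masks the value in its report; the function names and the sample history, including its node and instance names, are constructed.

```shell
#!/bin/sh
# Added example: print "line-number: command" for every history line that
# carries a password in one of the three forms used on this page, with the
# secret masked. Exit status is 0 if any were found, 1 if none (like grep).
find_cli_secrets() {
    awk '
        {
            line = $0; hit = 0
            # orapwd file=... password=VALUE
            if (line ~ /orapwd/)
                hit += sub(/password=[^ ]+/, "password=****", line)
            # dvca ... -sys_passwd VALUE
            if (line ~ /dvca/)
                hit += sub(/-sys_passwd +[^ ]+/, "-sys_passwd ****", line)
            # srvctl ... -c "SYS/VALUE AS SYSDBA"
            if (line ~ /srvctl/)
                hit += sub(/SYS\/[^ "]+ +AS +SYSDBA/, "SYS/**** AS SYSDBA", line)
            if (hit) { print NR ": " line; found++ }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Constructed sample history (the password is the page's own example value).
sample_history() {
    cat <<'EOF'
cd $ORACLE_HOME/dbs
orapwd file=$ORACLE_HOME/dbs/orapworcl password=5hjk99 force=y nosysdba=n
lsnrctl start LISTENER_node2
srvctl start instance -d orcl -i orcl2 -c "SYS/5hjk99 AS SYSDBA"
dvca -action optionrac -racnode node2 -oh /u01/app/oracle/dv -jdbc_str jdbc:oracle:oci:@orcl2 -sys_passwd 5hjk99 -silent -nodecrypt -lockout
EOF
}
```

Lines it reports should be removed from the history file, and the SYS password changed if the file was readable by other users.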

2.3 Removing Oracle Software

Use Oracle Universal Installer (OUI) to remove Oracle software from an Oracle home. The following list summarizes the steps involved:

  1. Log in as the user that owns the Oracle software. This is usually the oracle user.

  2. Shut down all processes running in the Oracle home.

  3. Start Oracle Universal Installer as follows:

    $ $ORACLE_HOME/oui/bin/runInstaller

  4. In the Welcome screen, select Deinstall Products. The Inventory screen appears. This screen lists all the Oracle homes on the system.

  5. Select the Oracle home and the products that you wish to remove. Click Remove.

See Also:

Refer to the Oracle Database Installation Guide for details on removing Oracle software.

Note:

You cannot remove or uninstall the Database Vault option. However, you can disable Oracle Database Vault. Refer to Oracle Database Vault Administrator's Guide for more details.

You can also remove the entire Oracle home, as discussed earlier in this section.