Oracle® Database Vault Administrator's Guide 10g Release 2 (10.2) Part Number B25166-04
This chapter includes the following sections:
You must disable Oracle Database Vault to perform upgrade tasks or correct erroneous configurations. You can reenable Oracle Database Vault after you complete the corrective tasks.
The following situations require you to disable Oracle Database Vault:
The password for the Oracle Database Vault account manager (with role DV_ACCTMGR) has been forgotten.
The Database Vault Owner (with role DV_OWNER) or Database Vault Administrator (with role DV_ADMIN) accounts have been inadvertently locked out.
A rule set associated with the CONNECT role has been configured incorrectly. This results in failed database logins for all accounts, including those with the DV_OWNER or DV_ADMIN role, who could correct this problem.
You must perform maintenance tasks on Oracle Database Vault.
You must install any of the Oracle Database optional products, such as Oracle Spatial Data Option or Oracle interMedia, by using Oracle Database Configuration Assistant (DBCA).
You are about to install a third-party product, install an Oracle product, or perform an Oracle patch update whose installation may be prevented if Oracle Database Vault is running.
After you disable Oracle Database Vault, you still can run the Oracle Database Vault API functions (described in Appendix D and Appendix E).
This section contains the following topics:
Follow these steps to disable Oracle Database Vault on UNIX systems:
1. Turn off the software processes. Make sure that the environment variables ORACLE_HOME, ORACLE_SID, and PATH are correctly set.
Stop the dbconsole process in case it is running. For both single-instance and Oracle Real Application Clusters installations, use the following command:
$ emctl stop dbconsole
For single-instance installations, shut down the database instance:
$ sqlplus "sys / as sysoper"
Enter password: password
SQL> SHUTDOWN IMMEDIATE
SQL> EXIT
For Oracle Real Application Clusters (RAC) installations, shut down each database instance as follows:
$ srvctl stop database -d db_name -c "sys/sys_passwd as sysdba"
If you cannot connect to the database, then proceed to the next step.
2. Relink the Oracle executable to turn off the Oracle Database Vault option:
$ cd $ORACLE_HOME/rdbms/lib
$ make -f ins_rdbms.mk dv_off
$ cd $ORACLE_HOME/bin
$ relink oracle
For RAC installations, run these commands on all nodes.
3. Start the database.
For single-instance database installations:
$ sqlplus "sys / as sysoper"
Enter password: password
SQL> STARTUP
SQL> EXIT
For RAC installations:
$ srvctl start database -d db_name -c "sys/sys_passwd as sysdba"
4. Run Oracle Database Vault Configuration Assistant (DVCA) to disable Oracle Database Vault, using the following syntax:
$ORACLE_HOME/bin/dvca -action disable [-racnode host_name] -oh oracle_home -service service_name -sys_passwd sys_passwd -owner_account dvowner -owner_passwd dvowner_passwd -acctmgr_account dvaccount_manager -acctmgr_passwd dv_acctmgr_passwd [-logfile ./dvca.log] [-nodecrypt] [-silent]
For RAC installations, run this command on all nodes.
In this specification:
action: The action to perform. enable enables Oracle Database Vault. The other values are as follows:
    disable: Disables Oracle Database Vault.
    option: If you are using Oracle Real Application Clusters (RAC) and are setting the racnode value, include this setting to update the instance parameters for the primary RAC node instance.
    optionrac: Also used with the racnode value, but for the non-primary RAC node.
racnode: If you are using Oracle Real Application Clusters (RAC), enter the name of the RAC node. Do not include the domain name.
oh: Oracle home for the database.
service: The alias for a connection in the tnsnames.ora file. Used to connect to a listener/database. For example, orcl.
sys_passwd: Password for user SYS.
owner_account: Oracle Database Vault Owner account name.
owner_passwd: Oracle Database Vault Owner account password.
acctmgr_account: (Optional) Oracle Database Vault Account Manager user.
acctmgr_passwd: Oracle Database Vault Account Manager password (if a user name has been specified).
logfile: Optionally, specify a log file name and location. You can enter an absolute path or a path that is relative to the location of the $ORACLE_HOME/bin directory.
nodecrypt: Reads plaintext passwords as passed on the command line. You must use this option if you are passing plaintext passwords to the command.
silent: Required if you are not running Oracle Database Vault Configuration Assistant in an xterm window.
See also "Running DVCA After Creating a Database Vault Database" in Appendix B of Oracle Database Vault Installation Guide for the syntax of DVCA.
Follow these steps to disable Oracle Database Vault on Windows systems:
1. Stop the database service.
In the Control Panel, under Administrative Services, select the Services utility. Select the Standard tab, right-click the following services, and from the menu, select Stop:
OracleServiceSID
OracleHOMETNSListener
2. Under ORACLE_HOME\bin, rename the oradv10.dll file, for example, to oradv10_backup.dll.
3. Restart the database service.
In the Control Panel, under Administrative Services, select the Services utility. Select the Standard tab, right-click the following services, and from the menu, select Start:
OracleServiceSID
OracleHOMETNSListener
For RAC systems, repeat these steps for each node on which the database is installed.
With Oracle Database Vault disabled, you can restart your database and perform the following tasks, as required:
If an Oracle Database Vault owner account called MACSYS forgets his or her password, for example, you can log in to a database instance as the SYSTEM or SYS account to create a new password for the Oracle Database Vault owner account as follows:
$ sqlplus "sys / as sysoper"
Enter password: password
SQL> PASSWORD MACSYS
New password: new_password
Retype new password: new_password
Similarly, to unlock a locked account, log in to the database instance as SYSTEM or SYS, and then unlock the account. For example:
SQL> ALTER USER MACSYS ACCOUNT UNLOCK;
To correct a login rule set error, use the DBMS_MACADM package or the Oracle Database Vault Administrator interface.
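The following shell helper is an added example for the account-repair tasks just described; it is not Oracle's code. It writes a SQL*Plus script that lists every account holding DV_OWNER, DV_ADMIN or DV_ACCTMGR together with its lock status (so you can see which Database Vault accounts actually need attention while protections are off), and generates the ALTER USER ... ACCOUNT UNLOCK statement for a user name passed as an argument, accepting only a plain Oracle identifier so that a name copied from a ticket cannot smuggle extra SQL into the script. It assumes the SYS or SYSTEM session shown above and the standard DBA_ROLE_PRIVS and DBA_USERS dictionary views.

```shell
#!/bin/sh
# Added helper for the Step 2 account-repair tasks (added example, not Oracle's code).
# Assumptions: DBA_ROLE_PRIVS and DBA_USERS are the standard dictionary views, and the
# generated file is run from the privileged SQL*Plus session described in the text.

# SQL that reports who holds the three Database Vault roles and whether each account is locked.
dv_role_status_sql() {
    cat <<'EOF'
SET LINESIZE 120 PAGESIZE 50
COLUMN grantee FORMAT A30
COLUMN granted_role FORMAT A12
COLUMN account_status FORMAT A20
SELECT r.grantee, r.granted_role, u.account_status, u.lock_date
  FROM dba_role_privs r
  JOIN dba_users u ON u.username = r.grantee
 WHERE r.granted_role IN ('DV_OWNER', 'DV_ADMIN', 'DV_ACCTMGR')
 ORDER BY r.granted_role, r.grantee;
EOF
}

# Accept only an unquoted Oracle identifier: starts with a letter, then letters, digits,
# _ $ #, at most 30 characters. Anything else (spaces, semicolons, quotes) is rejected so the
# name cannot append further statements to the generated script.
is_oracle_identifier() {
    case "$1" in
        ''|[!A-Za-z]*|*[!A-Za-z0-9_\$#]*) return 1 ;;
    esac
    [ "${#1}" -le 30 ]
}

# Print the unlock statement for one account (upper-cased); prints nothing and fails on a bad name.
unlock_sql() {
    is_oracle_identifier "$1" || return 1
    printf 'ALTER USER %s ACCOUNT UNLOCK;\n' "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')"
}

# Write the report and the unlock statement to a script file; prints the file name.
# Usage: write_repair_script USER [FILE]   (default FILE is dv_repair.sql)
write_repair_script() {
    _user=$1
    _file=${2:-dv_repair.sql}
    is_oracle_identifier "$_user" || { echo "invalid user name: $_user" >&2; return 1; }
    {
        echo "-- Database Vault role holders and lock status (generated)"
        dv_role_status_sql
        echo "-- Unlock the requested account"
        unlock_sql "$_user"
    } > "$_file"
    echo "$_file"
}
```

Run `write_repair_script macsys` on the database host, then execute the file from the session shown above with `SQL> @dv_repair.sql`; the report runs first so the unlock appears in context with the other role holders.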
Note: If you are using Oracle Database Vault Administrator, then you must start the dbconsole process. You can check the status of the dbconsole process by entering the following command from the $ORACLE_HOME/bin directory:
./emctl status dbconsole
To start dbconsole:
./emctl start dbconsole
You can perform the installation, upgrade, or other tasks that require security protections to be disabled. If you must run Oracle Database Vault Configuration Assistant (DVCA), ensure that the Oracle Database listener is running. To start the listener, run the following command from the $ORACLE_HOME/bin directory:
$ lsnrctl start
This section contains the following topics:
Use the following steps to enable Oracle Database Vault on UNIX systems:
1. Run Oracle Database Vault Configuration Assistant (DVCA) using the following syntax:
$ORACLE_HOME/bin/dvca -action enable [-racnode host_name] -oh oracle_home -service service_name -sys_passwd sys_passwd -owner_account dvowner -owner_passwd dvowner_passwd -acctmgr_account dvaccount_manager -acctmgr_passwd dv_acctmgr_passwd [-logfile ./dvca.log] [-nodecrypt] [-silent]
For RAC installations, run this command on all nodes. See Step 4 under "Step 1: Disable Oracle Database Vault" for an explanation of the DVCA command options.
See also Appendix B, "Running DVCA After Creating a Database Vault Database" in Oracle Database Vault Installation Guide.
2. Turn off the software processes. Make sure that the environment variables ORACLE_HOME, ORACLE_SID, and PATH are correctly set.
Stop the dbconsole process in case it is running.
For both single-instance and RAC installations, use the following command:
$ emctl stop dbconsole
Shut down the database instance.
For single-instance installations:
$ sqlplus "sys / as sysoper"
Enter password: password
SQL> SHUTDOWN IMMEDIATE
SQL> EXIT
For RAC installations:
$ srvctl stop database -d db_name -c "sys/sys_passwd as sysdba"
3. Relink the oracle executable to turn on the Oracle Database Vault option:
$ cd $ORACLE_HOME/rdbms/lib
$ make -f ins_rdbms.mk dv_on
$ cd $ORACLE_HOME/bin
$ relink oracle
For RAC installations, run these commands on all nodes.
4. Start the database:
For single-instance database installations:
$ sqlplus "sys / as sysoper"
Enter password: password
SQL> STARTUP
SQL> EXIT
For RAC installations:
$ srvctl start database -d db_name -c "sys/sys_passwd as sysdba"
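The relink step of both UNIX procedures (dv_off when disabling, dv_on when enabling) depends on ORACLE_HOME, ORACLE_SID and PATH being set correctly, and relinking the wrong way on a node is easy to miss on RAC where every node is handled separately. The following preflight script is an added example, not Oracle's code: it verifies the three variables, checks that $ORACLE_HOME/bin is on PATH, and reports whether the oracle binary is currently linked with Database Vault before anything is touched. The link-state check relies on an assumption not stated on this page: in 10g the archive $ORACLE_HOME/rdbms/lib/libknlopt.a contains the member kzvidv.o when Database Vault is linked on and kzvndv.o when it is linked off.

```shell
#!/bin/sh
# Added preflight for the dv_off / dv_on relink steps (added example, not Oracle's code).
# Assumption (not from this page): libknlopt.a holds kzvidv.o when Database Vault is
# linked on and kzvndv.o when it is linked off.

# Return 0 when ORACLE_HOME, ORACLE_SID and PATH are set and $ORACLE_HOME/bin is on PATH.
check_oracle_env() {
    _status=0
    for _var in ORACLE_HOME ORACLE_SID PATH; do
        eval "_val=\${$_var:-}"
        if [ -z "$_val" ]; then
            echo "preflight: $_var is not set" >&2
            _status=1
        fi
    done
    case ":${PATH:-}:" in
        *":${ORACLE_HOME:-/nonexistent}/bin:"*) ;;
        *) echo "preflight: \$ORACLE_HOME/bin is not on PATH" >&2; _status=1 ;;
    esac
    return $_status
}

# Read the member list of libknlopt.a (as printed by `ar -t`) from stdin and print
# on, off or unknown. Taking stdin lets the check run offline against a captured list.
dv_link_state() {
    _members=$(cat)
    if printf '%s\n' "$_members" | grep -q '^kzvidv\.o$'; then
        echo on
    elif printf '%s\n' "$_members" | grep -q '^kzvndv\.o$'; then
        echo off
    else
        echo unknown
    fi
}

# Decide whether a requested relink target changes anything given the current state,
# so a wrapper does not relink dv_off on a binary that already has Vault off (or the reverse).
# Usage: relink_needed dv_off|dv_on on|off|unknown ; prints yes or no.
relink_needed() {
    case "$1/$2" in
        dv_off/off|dv_on/on) echo no ;;
        *) echo yes ;;
    esac
}

# Run the checks against the live environment and print a summary; fails if the
# environment is incomplete so that a calling script stops before the relink step.
dv_preflight() {
    check_oracle_env || return 1
    _state=$(ar -t "$ORACLE_HOME/rdbms/lib/libknlopt.a" 2>/dev/null | dv_link_state)
    echo "ORACLE_HOME=$ORACLE_HOME ORACLE_SID=$ORACLE_SID"
    echo "Database Vault link state: $_state"
    echo "relink dv_off needed: $(relink_needed dv_off "$_state")"
    echo "relink dv_on needed:  $(relink_needed dv_on "$_state")"
}

# Only run when explicitly requested (DV_PREFLIGHT_RUN=1), so the file can also be
# sourced for its functions.
if [ "${DV_PREFLIGHT_RUN:-0}" = 1 ]; then
    dv_preflight
fi
```

Run it as `DV_PREFLIGHT_RUN=1 sh dv_preflight.sh` on each node before the relink step of either procedure. The script takes no passwords, so it can be kept on every node, unlike the DVCA command line, which carries the SYS and Database Vault account passwords in plaintext when -nodecrypt is used and should not be saved in scripts or shell history.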
Follow these steps to enable Oracle Database Vault on Windows systems:
1. Stop the database service.
In the Control Panel, under Administrative Services, select the Services utility. Select the Standard tab, right-click the following services, and from the menu, select Stop:
OracleServiceSID
OracleHOMETNSListener
2. Under ORACLE_HOME\bin, rename the backup of the oradv10.dll file back to its original name. For example, if you named it oradv10_backup.dll, then rename it back to oradv10.dll.
3. Restart the database service.
In the Control Panel, under Administrative Services, select the Services utility. Select the Standard tab, right-click the following services, and from the menu, select Start:
OracleServiceSID
OracleHOMETNSListener
For RAC systems, repeat these steps for each node on which the database is installed.