DB Vault Installation to Oracle 12c Container Database
In my last post I covered installing Oracle DB Vault in an Oracle 12c non-container database. In this post I want to show how to install Oracle DB Vault in an Oracle 12c container database.
The task is very similar. For container databases, however, you must first install it in the root container; after that you can install it in any pluggable database.
To follow this post, you should have basic knowledge of Oracle container databases.
https://oracle-base.com/articles/12c/multitenant-overview-container-database-cdb-12cr1
Before starting the installation process, I will show you my configuration:
Host : Oracle 7 Linux
DB : Oracle 12c 12.1.0.2.0 with two pluggable databases, pdb1 and pdb2; the database name is CDB3
During the installation I will connect to the root container and the pluggable database using the TNS settings below. As you know, when you create a pluggable database, a service with the same name as the pluggable database is created automatically.
Your tnsnames.ora file should contain TNS entries like these:
CDB3 =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = 192.200.11.9)(PORT = 1521))
(CONNECT_DATA =
(SERVER = DEDICATED)
(SERVICE_NAME = CDB3)
)
)
pdb1 =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = 192.200.11.9)(PORT = 1521))
(CONNECT_DATA =
(SERVER = DEDICATED)
(SERVICE_NAME = pdb1)
)
)
pdb2 =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = 192.200.11.9)(PORT = 1521))
(CONNECT_DATA =
(SERVER = DEDICATED)
(SERVICE_NAME = pdb2)
)
)
In this post, I will first install DB Vault in the root container and then in the pdb1 pluggable database.
Installing DB Vault to root container
1. First check if DB Vault is already installed
SQL> connect SYSTEM@CDB3
Enter password:
Connected.
SQL> show con_name
CON_NAME
------------------------------
CDB$ROOT
SQL> column parameter format a25
SQL> column value format a10
SQL> SELECT parameter,value FROM gv$OPTION WHERE PARAMETER in
2 ( 'Oracle Database Vault','Oracle Label Security');
PARAMETER                 VALUE
------------------------- ----------
Oracle Label Security     FALSE
Oracle Database Vault     FALSE
After the DB Vault installation, both of these values become TRUE.
2. Take copies of the privilege views
As the SYSTEM user, copy the privilege views in the root container so that you can compare privileges after the DB Vault installation.
SQL> create table a_cdb_network_acls as select * FROM cdb_network_acls;
Table created.
SQL> create table a_cdb_network_acl_privileges as select * from cdb_network_acl_privileges;
Table created.
SQL> create table a_cdb_tab_privs as Select * from cdb_tab_privs;
Table created.
SQL> create table a_cdb_sys_privs as Select * from cdb_sys_privs;
Table created.
SQL> create table a_cdb_role_privs as Select * from cdb_role_privs;
Table created.
SQL> create table a_cdb_objects as select owner,object_name,object_type from cdb_objects where status='INVALID' and object_type <> 'SYNONYM' ;
Table created.
SQL> create table a_cdb_registry as select * from cdb_registry;
Table created.
SQL>
3. Create DV Owner and DV Account Manager User
The DV Owner user administers DB Vault, and the DV Account Manager user administers all Oracle users. Because of separation of duties, these two users must be different.
For container databases, we create common users.
connect sys as sysdba
SQL> create user c##dvowner identified by oracle CONTAINER=ALL;
User created.
SQL> create user c##dvacctmngr identified by oracle CONTAINER=ALL;
User created.
SQL> grant SET CONTAINER,CREATE SESSION to c##dvowner;
Grant succeeded.
SQL> grant SET CONTAINER,CREATE SESSION to c##dvacctmngr;
Grant succeeded.
4. Configure DB Vault
SQL>
SQL> BEGIN
2 DVSYS.CONFIGURE_DV (
3 dvowner_uname => 'c##dvowner',
4 dvacctmgr_uname => 'c##dvacctmngr');
5 END;
6 /
PL/SQL procedure successfully completed.
Then compile the invalid objects:
@?/rdbms/admin/utlrp.sql
...Database user "SYS", database schema "APEX_040200", user# "98" 16:45:10
...Compiled 0 out of 3014 objects considered, 0 failed compilation 16:45:10
...271 packages
...263 package bodies
...452 tables
...11 functions
...16 procedures
...3 sequences
...457 triggers
...1320 indexes
...211 views
...0 libraries
...6 types
...0 type bodies
...0 operators
...0 index types
...Begin key object existence check 16:45:10
...Completed key object existence check 16:45:11
...Setting DBMS Registry 16:45:11
...Setting DBMS Registry Complete 16:45:11
...Exiting validate 16:45:11
PL/SQL procedure successfully completed.
5. Enable DB Vault
SQL> connect c##dvowner
Enter password:
Connected.
SQL> show con_name
CON_NAME
------------------------------
CDB$ROOT
SQL> EXEC DBMS_MACADM.ENABLE_DV;
PL/SQL procedure successfully completed.
SQL> commit;
Commit complete.
6. Restart the Database
Bingo, DB Vault is now ready in the container database.
SQL> connect sys as sysdba
Enter password:
Connected.
SQL> startup force
ORACLE instance started.
Total System Global Area 977272832 bytes
Fixed Size 2931520 bytes
Variable Size 645924032 bytes
Database Buffers 322961408 bytes
Redo Buffers 5455872 bytes
Database mounted.
Database opened.
SQL> alter pluggable database all open;
Pluggable database altered.
SQL> column parameter format a25
SQL> column value format a10
SQL> SELECT parameter,value FROM gv$OPTION WHERE PARAMETER in
2 ( 'Oracle Database Vault','Oracle Label Security');
PARAMETER                 VALUE
------------------------- ----------
Oracle Label Security     TRUE
Oracle Database Vault     TRUE
Now our aim is to install DB Vault in one of our pluggable databases. For the demonstration I will install DB Vault in the PDB1 pluggable database.
7. Grant the common users the privileges to connect to PDB1
SQL> connect sys@pdb1 as sysdba
Enter password:
Connected.
SQL> show con_name
CON_NAME
------------------------------
PDB1
SQL> grant SET CONTAINER,CREATE SESSION to c##dvowner;
Grant succeeded.
SQL> grant SET CONTAINER,CREATE SESSION to c##dvacctmngr;
Grant succeeded.
8. Configure DB Vault at PDB1
SQL> connect sys@pdb1 as sysdba
Enter password:
Connected.
SQL> show con_name
CON_NAME
------------------------------
PDB1
SQL> BEGIN
2 DVSYS.CONFIGURE_DV (
3 dvowner_uname => 'c##dvowner',
4 dvacctmgr_uname => 'c##dvacctmngr');
5 END;
6 /
PL/SQL procedure successfully completed.
SQL> commit;
Commit complete.
Now compile the invalid objects:
@?/rdbms/admin/utlrp.sql
...Database user "SYS", database schema "APEX_040200", user# "98" 16:59:40
...Compiled 0 out of 3014 objects considered, 0 failed compilation 16:59:41
...271 packages
...263 package bodies
...452 tables
...11 functions
...16 procedures
...3 sequences
...457 triggers
...1320 indexes
...211 views
...0 libraries
...6 types
...0 type bodies
...0 operators
...0 index types
...Begin key object existence check 16:59:41
...Completed key object existence check 16:59:41
...Setting DBMS Registry 16:59:41
...Setting DBMS Registry Complete 16:59:41
...Exiting validate 16:59:41
PL/SQL procedure successfully completed.
9. Enable DB Vault at PDB1
SQL> connect c##dvowner@pdb1
Enter password:
Connected.
SQL> EXEC DBMS_MACADM.ENABLE_DV;
PL/SQL procedure successfully completed.
SQL> commit;
Commit complete.
10. Restart PDB1 pluggable database
SQL> startup force;
ORACLE instance started.
Total System Global Area 977272832 bytes
Fixed Size 2931520 bytes
Variable Size 645924032 bytes
Database Buffers 322961408 bytes
Redo Buffers 5455872 bytes
Database mounted.
Database opened.
SQL> alter pluggable database all open;
Pluggable database altered.
Now DB Vault is installed in the PDB1 pluggable database.
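Step 2 saved copies of the privilege views so that they could be compared after the installation. The queries below are an added example, not part of the original post, showing one way to make that comparison and to list the roles held by the two common users from step 3; they assume you run them as SYSTEM in the root container, where the a_cdb_* tables were created.

```sql
-- Added example (not from the original post). Run as SYSTEM in CDB$ROOT,
-- where the a_cdb_* snapshot tables from step 2 live.

-- System privileges present now that were not present before the installation
SELECT con_id, grantee, privilege FROM cdb_sys_privs
MINUS
SELECT con_id, grantee, privilege FROM a_cdb_sys_privs;

-- System privileges that existed before and are gone now
SELECT con_id, grantee, privilege FROM a_cdb_sys_privs
MINUS
SELECT con_id, grantee, privilege FROM cdb_sys_privs;

-- Role grants added by the installation
SELECT con_id, grantee, granted_role FROM cdb_role_privs
MINUS
SELECT con_id, grantee, granted_role FROM a_cdb_role_privs;

-- Role grants removed by the installation
SELECT con_id, grantee, granted_role FROM a_cdb_role_privs
MINUS
SELECT con_id, grantee, granted_role FROM cdb_role_privs;

-- Object privileges added by the installation
SELECT con_id, grantee, owner, table_name, privilege FROM cdb_tab_privs
MINUS
SELECT con_id, grantee, owner, table_name, privilege FROM a_cdb_tab_privs;

-- Roles currently held by the two common users created in step 3
SELECT con_id, grantee, granted_role
FROM   cdb_role_privs
WHERE  grantee IN ('C##DVOWNER', 'C##DVACCTMNGR')
ORDER  BY con_id, grantee, granted_role;

-- Objects that are invalid now but were not in the pre-installation snapshot
SELECT owner, object_name, object_type FROM cdb_objects
WHERE  status = 'INVALID' AND object_type <> 'SYNONYM'
MINUS
SELECT owner, object_name, object_type FROM a_cdb_objects;

-- Registry components whose status changed or that were added
SELECT con_id, comp_id, status FROM cdb_registry
MINUS
SELECT con_id, comp_id, status FROM a_cdb_registry;
```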
Tiffany Szeto 19:44 on 27 January 2020
I found this document very useful. Just a couple questions: don’t you have to grant DV_ACCTMGR and
DV_OWNER roles to these newly created accounts?