Monitoring DCL operations with Oracle DB Vault

DCL ( Data Control Languages ) operations control privileges in Database. Privileges in Oracle are granted and revoked by GRANT and REVOKE commands. Auditing these kind of operations are very critical for the security of any databases. There are three different ways to audit DCL operations in Oracle Databases.

One of them is to use audit commands like below;

audit grant any object privilege by access
audit grant any privilege by access
audit grant any role by access

The disadvantage of this method is when DBAs run GRANT  and REVOKE commands with SYSDBA role; the audit is written to a file in the database server ( in Oracle 11g version ). In that case It can be difficult to report these operations,  and DBAs can disable the audit in the database. If you use Oracle 12c version; you can collect all data in a table but still DBAs can disable audit rules.

The another method is to use AFTER GRANT OR REVOKE ON DATABASE trigger. But in this method; you have to keep all monitoring data in a special table and DBAs can easily disable this trigger and delete the audited table.

The third method is to use DB Vault. When you use the DB vault; audited data can not be deleted by DBAs,  at the same DBAs can not disable the special rule to audit DCL commands. Using the Vault is the best and secure method to monitor DCL operations in Oracle. At the same time;  you can make prevention on GRANT and REVOKE commands with DB Vault. But the disadvantage of this method is  to pay for DB vault license;

Now in this note I will show you ; how you can monitor DCL operations with DB Vault. I assume that you have some knowledge about in Oracle DB Vault.

First; Create a special rule set   named DCL_Operations. The important point in this rule set is the Audit Option. The audit option must be “Audit On Success or Failure”  ( Figure -1).

dcl01.JPG

Figure-1

Now Create a rule which is always TRUE. And This rule is associated with DLC_Operations rule set  (Figure-2).

dcl02.JPG

Figure-2

Now We can create a Command Rule for GRANT command with DLC_Operations Rule set ( Figure-3).

dcl03.JPG

Create a Command Rule for REVOKE command as well ( Figure-4).

dcl04.JPG

Figure-4

Now , your new commands should be seen like Figure – 5.

dcl05.JPG

Figure-5

Let’s check the DB Vault definitions by running a GRANT and REVOKE commands ( Figure-6)

dcl07.JPG

Now ; run the Command Rule Audit Report to see how the DB vault definitions are auditied GRANT and REVOKE commands ( Figure-7)

dcl06.JPG

As you see; we successfully audited GRANT and REVOKE commands by using DB Vault.

Thanks for reading this note.

Yusuf Anıl Akduygu

Advertisements

Privilege Analysis in Oracle 12c A Quick Overview

Privilege Analysis is a new feature of Oracle 12c . This feature comes with Oracle DB Vault. Simple you have to buy Oracle DB Vault license to use Privilege Analysis. But, you do not need to enable Oracle DB Vault to use Privilege Analysis, Because  It comes with Oracle 12c Enterprise edition.

Privilege Analysis is used for identifying unused privileges and roles in the database. Discovering the set of unused roles and privileges is important to make the database more secure. By using Privilege Analysis, we can define the least number of privileges for users and roles.

The procedure for Privilege Analysis is simple;

The First  Step;

You have to create a privilege analysis with DBMS_PRIVILEGE_CAPTURE package .

In order to use privilege analysis; CAPTURE_ADMIN  must be granted to the user.

There are four types of privilege analyses which are defined by type parameter in the DBMS_PRIVILEGE_CAPTURE package.

type        =>  DBMS_PRIVILEGE_CAPTURE.g_database is used for creating a privilege analysis for the whole database

type       =>  DBMS_PRIVILEGE_CAPTURE.g_role  is used for creating a privilege analysis for a list of roles.

type  => DBMS_PRIVILEGE_CAPTURE.g_context  is defined by a logical expression with the  SYS_CONTEXT function.

Type=> DBMS_PRIVILEGE_CAPTURE.g_role_and_context; is defined by a list of rules and logical expression.

For Example; to create a privilege analysis for the whole database we use below command

BEGIN
DBMS_PRIVILEGE_CAPTURE.create_capture(
name => 'Full Database',
type => DBMS_PRIVILEGE_CAPTURE.g_database
);
/
PL/SQL procedure successfully completed.

In order to create a privilege analysis for a set of defined roles, we use the below command.

BEGIN
DBMS_PRIVILEGE_CAPTURE.create_capture(
name => 'Listed Roles',
type => DBMS_PRIVILEGE_CAPTURE.g_role,
roles => role_name_list('RoleName1', 'RoleName2') );
END;
/

PL/SQL procedure successfully completed.

In order to create a privilege analysis for USER01 user , we use the below command.

BEGIN
DBMS_PRIVILEGE_CAPTURE.create_capture(
name => 'Conditional',
type => DBMS_PRIVILEGE_CAPTURE.g_context,
condition => 'SYS_CONTEXT(''USERENV'', ''SESSION_USER'')=''USER01'''
);
END;
/

In order to create a privilege analysis for USER01 when it uses DBA role we use the below command. By this way ; we can find for what reason USER01 uses DBA role. For example ; USER01 uses DBA role to only create  tables. In that case; we can only give create table privilege to USER01 instead of DBA role.

BEGIN
DBMS_PRIVILEGE_CAPTURE.create_capture(
name => 'Role and Condition',
type => DBMS_PRIVILEGE_CAPTURE.g_role_and_context,
roles => role_name_list('DBA'),
condition => 'SYS_CONTEXT(''USERENV'', ''SESSION_USER'')=''USER01'''
);                                                                                                                                                                      END;
/

PL/SQL procedure successfully completed.

We use the below command  to list the list of created privilege analyses.

COLUMN name FORMAT A15
COLUMN roles FORMAT A20
COLUMN context FORMAT A30

SQL> select name,type,roles,context FROM dba_priv_captures;

The Second  Step;

We start the privilege analysis with the below command.

BEGIN
DBMS_PRIVILEGE_CAPTURE.enable_capture('Privilege Analysis Name');
END;
/

PL/SQL procedure successfully completed.

 

The Third Step;

After waiting for a while; I can be one  week or  one moth.  We have  stop the privilege analysis with the below command. During that time Oracle keeps records for the privilege analysis.

BEGIN
DBMS_PRIVILEGE_CAPTURE.disable_capture('Privilege Analysis Name');
END;
/

PL/SQL procedure successfully completed.

The Fourth Step;

We should generate result for the capture with the below command;

BEGIN
DBMS_PRIVILEGE_CAPTURE.generate_result('Privilege Analysis Name');
END;
/

PL/SQL procedure successfully completed.

 

The Fifth Step;

Now we use the below views to work on our captured data.

DBA_PRIV_CAPTURES
DBA_USED_PRIVS
DBA_UNUSED_PRIVS
DBA_USED_OBJPRIVS
DBA_UNUSED_OBJPRIVS
DBA_USED_OBJPRIVS_PATH
DBA_UNUSED_OBJPRIVS_PATH
DBA_USED_SYSPRIVS
DBA_UNUSED_SYSPRIVS
DBA_USED_SYSPRIVS_PATH
DBA_UNUSED_SYSPRIVS_PATH
DBA_USED_PUBPRIVS
DBA_USED_USERPRIVS
DBA_UNUSED_USERPRIVS
DBA_USED_USERPRIVS_PATH
DBA_UNUSED_USERPRIVS_PATH

 

thanks for reading this note;

In the near future, I will give much more information about this subject.

Y. Anıl Akduygu

 

Oracle DB Vault New Features in Oracle 12c Release 1 – Part 3 :  Oracle Enterprise Manager Cloud Control to Manage DB Vault.

After Oracle 12c Release 1 version you can use all DB Vault functionality with Oracle Enterprise Manager Cloud Control . DBMS_MACADM PL/SQL package procedures and functions have included in Oracle Enterprise Manager. For each operation you can see the running script by pressing Show SQL button.

You should connect to Enterprise Manager to run  Database Vault  Administrator with  a user who has DV_OWNER role. After logon  Database Vault home page appears like this;

db-vault01

At this page ;  you can see

  • Violations that were made against to DB Vault rules
  • Database Vault Alerts
  • Audit Reports

In order to make operations on DB Vault objects; you have to go Administration section . In the below picture ; you can see Command Rules page in Administration  section.

db-vault02

If you want to see all default rules ; you should check Show Oracle defined Command Rules box.If you want to create a new command rule;  just click Create button

db-vault03

You can enter all necessary parameter to create a new Command Rule at this page. After clicking Show SQL button you can see the necessary script to create a new command rule

db-vault04

 

For example ; If you want to see all details about a Command Rule; Choose the Command rule 

db-vault05

 

And then just double click on it.

db-vault06

Another functionality of DB Vault is you can control the authorization on some database operations . For example ; you can identify which user can make data pump operations , Goldengate operations or database patching. You can define all these users  from Oracle Enterprise Manager by choosing ; Database Operation Authorization section

db-vault08

 

After choosing Database Operation Authorization section ; you can see all database operations which are controlled by DB Vault

db-vault09

 

You can add , edit or delete usernames from this page for each database operations.

As you see ; In Oracle 12c Release 1 version you can use all functionality of Oracle DB Vault and the most important thing is Oracle does not support old Oracle DB Vault Console after Oracle 12c version.  Therefore if you are a Database Vault administrator you should learn Oracle Enterprise Manager DB Vault functionality. 

Oracle DB Vault New Features in Oracle 12c R1 – Part1 : Changes at DB Vault Installation

There are many changes at Oracle DB Vault in Oracle 12c version. At this note I will give you information about  the change at DB  Vault Installation .

  1. DB Vault Installation

At Oracle 11g version you need to  relink Oracle binary before installing Oracle DB Vault. You do not need this operation in Oracle 12c.

At Oracle 11g version you need to relink binary with chopt command like below

$ chopt enable lbac

$ chopt enable dv

And You do not need in Oracl 12c vesion

In order to install and configure DB Vault In Oracle 11g version, you have to use dbca. At Oracle 12c you only need dbca to install Oracle Label Security and Oracle DB vault component . You can use DVSYS.CONFIGURE_DV packet to configure DB vault. Actually still you can do this configuration with dbca but it is optional.

DB Vault component installation is made with this page in  dbca in Oracle 12c version.

Capture

And DB Vault configuration can be made by dbca but It is optional

Capture

This gives us flexibility ; During database installation DBAs can install Oracle DB Vault without making any configuration on it. After the DB Vault installation is completed, you can make DB Vault configuration as a security officer without DBA intervention.

The below  query shows that DB Vault component is installed. But It does not mean that It is enabled.

SQL> select comp_id,status from dba_registry where comp_id in (‘OLS’,’DV’);

COMP_ID STATUS
—————————— ———–
DV VALID
OLS VALID

With DVSYS.CONFIGURE_DV; you can mention which user is DB Vault admin and which user database account manager.

SQL> BEGIN
2 DVSYS.CONFIGURE_DV (
3 dvowner_uname => ‘dvowner’,
4 dvacctmgr_uname => ‘dvacctmngr’);
5 END;
6 /

PL/SQL procedure successfully completed.

This packet is new in Oracle 12c and It gives us flexibility to security officer to configure DB vault alone. After DB Vault component installation tou do not need to rebound the database bu you need to run utlrp.sql to compile all invalid objects.

 

 

 

 

 

Installing Oracle DB Vault to Oracle 11g Database

Installing Oracle DB Vault to Oracle 11g Database

At this document; I will show you how you can install Oracle DB vault to Oracle 11g Database.

Step 1: Check If DB Vault installed before

We use GV$OPTION view to check this. I checked DB vault in two nodes RAC database.

SQL> column parameter format a25

SQL> column value format a25

SQL> SELECT * FROM gV$OPTION WHERE PARAMETER in ( ‘Oracle Database Vault’,’Oracle Label Security’);

INST_ID|PARAMETER |VALUE

———-|————————-|————————-

1|Oracle Label Security |FALSE

1|Oracle Database Vault |FALSE

2|Oracle Label Security |FALSE

2|Oracle Database Vault |FALSE

If Oracle database Vault and Oracle Label Security are already installed ( It means all TRUE returned from this query ) goto step 3;

Step 2: Enable Oracle Label Security and Oracle DB Vault

2.1 Close the Database

Shutdown Oracle database , stop listener ( If you opened a listener with this binary ) and stop enterprise manager ( If Enterprise manager uses this binary )

SQL> SHUTDOWN IMMEDIATE

$ lsnrctl stop listener

$ emctl stop dbconsole

2.2 Enable DB Vault Binaries

Now enable Oracle Label Security and Oracle database vault consequently with the following commands

$ chopt enable lbac

$ chopt enable dv

2.3 Open the Database

After enabling Oracle Label security and DB vault you have to open database and other closed applications.

SQL> startup

$ lsnrctl start listener

$ emctl start dbconsole

2.4 Check if Binaries linked properly

Now Check DB vault and Oracle Label Security.

SQL> column parameter format a25

SQL> column value format a25

SQL> SELECT * FROM gV$OPTION WHERE PARAMETER in ( ‘Oracle Database Vault’,’Oracle Label Security’);

INST_ID|PARAMETER |VALUE

———-|————————-|————————-

1|Oracle Label Security |TRUE

1|Oracle Database Vault |TRUE

2|Oracle Label Security |TRUE

2|Oracle Database Vault |TRUE

All returned values have to be TRUE

Step 3 : Install DB Vault

Now It is time  to install DB vault. Start installation with dbca

$ dbca

Choose Configure database option.

null

Chose the correct DB name to install DB vault.( If there are multiple instances at the same ORACLE_HOME)

null

Skip Enterprise Manager Configuration

null

Now Chose Oracle LAbel Security and Oracle Database Vault to install them

null

Now enter the usernames and passwords for Database Vault Owner and Account Manager separately.

null

Chose Finish to start the Installation

null

Now the installation will start

null

After this windows and the installation window will appear and shows the status of installation. After the installation finishes you can close dbca.

Now you installed Oracle DB Vault to your database. Just connect with  DB Owner and Account Manager usernames to the database to check the installation

At the following notes I will show you how you can manage Oracle DB Vault.

HOW TO UNINSTALL ORACLE DB VAULT

 

 

At this note; I will show you How you can uninstall DB vault from an Oracle 11g R2 database. This can be necessary for many reasons.

For example When  you do not want to use DB Vault option at  your  database you can decide to completely uninstall  DB Vault option.

Sometimes during installation there can be some problems and your installation halts at the middle. After solving the problem at the database, you need to uninstall uncompleted installation.

 

Configuratin is like this;

Host : Oracle Linux 6

Database : Oracle 11g R2 ( 11.2.0.4)

 

Now we can start to uninstall

Check the DB Vault is already installed first

SQL> column parameter format a40

SQL> column value format a10

 

SQL> Select parameter, value from v$option where parameter in (‘Oracle Database Vault’,’Oracle Label Security’);

 

PARAMETER                         VALUE

————————————- ———-

Oracle Label Security                   TRUE

Oracle Database Vault                   TRUE

 

Shutdown database and Stop listener

 

sqlplus / as sysdba

SQL> shutdown immediate

Database closed.

Database dismounted.

ORACLE instance shut down.

 

 

oracle@localhost admin]$ lsnrctl stop

 

LSNRCTL for Linux: Version 11.2.0.4.0 – Production on 22-SEP-2016 10:52:39

Copyright (c) 1991, 2013, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=10.0.2.15)(PORT=1521)))

The command completed successfully

If you have Database Control; stop it as well.

Unlink Oracle Label Security

 

This operation is not necessary ; If you want to use Oracle Label Security you can kip this step

 

[oracle@localhost admin]$ chopt disable lbac

 

Writing to /u01/app/oracle/product/11.2.0/db_1/install/disable_lbac.log…

/usr/bin/make -f /u01/app/oracle/product/11.2.0/db_1/rdbms/lib/ins_rdbms.mk lbac_off ORACLE_HOME=/u01/app/oracle/product/11.2.0/db_1

/usr/bin/make -f /u01/app/oracle/product/11.2.0/db_1/rdbms/lib/ins_rdbms.mk ioracle ORACLE_HOME=/u01/app/oracle/product/11.2.0/db_1

 

Unlink Oracle Database Vault

 

[oracle@localhost admin]$ chopt disable dv

Writing to /u01/app/oracle/product/11.2.0/db_1/install/disable_dv.log…

/usr/bin/make -f /u01/app/oracle/product/11.2.0/db_1/rdbms/lib/ins_rdbms.mk dv_off ORACLE_HOME=/u01/app/oracle/product/11.2.0/db_1

/usr/bin/make -f /u01/app/oracle/product/11.2.0/db_1/rdbms/lib/ins_rdbms.mk ioracle ORACLE_HOME=/u01/app/oracle/product/11.2.0/db_1

 

[oracle@localhost admin]$

Start Database and listeners

 

[oracle@localhost admin]$ sqlplus / as sysdba

SQL*Plus: Release 11.2.0.4.0 Production on Thu Sep 22 10:56:23 2016

Copyright (c) 1982, 2013, Oracle.  All rights reserved.

Connected to an idle instance.

SQL> startup

ORACLE instance started.

Total System Global Area 1653518336 bytes

Fixed Size            2253784 bytes

Variable Size           1056967720 bytes

Database Buffers    587202560 bytes

Redo Buffers                7094272 bytes

Database mounted.

Database opened.

 

[oracle@localhost ~]$ lsnrctl start

 

Listening Endpoints Summary…

(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.0.2.15)(PORT=1521)))

Services Summary…

Service “DB11G” has 1 instance(s).

Instance “DB11G”, status UNKNOWN, has 1 handler(s) for this service…

The command completed successfully

Find the users who have  DV_OWNER and DV_ACCTMGR roles;

 

SQL> select unique GRANTEE from dba_role_privs

where GRANTED_ROLE in (‘DV_ACCTMGR’,’DV_OWNER’)

 and grantee <> ‘DVSYS’;

 

GRANTEE

——————————

DVOWNER

DVACCTMNGR

 

Turn OFF  recyclebin   and rebound the database

 

SQL> conn / as sysdba

Connected.

 

SQL> alter system set recyclebin=off scope=spfile;

System altered.

SQL> startup force

ORACLE instance started.

Total System Global Area 1653518336 bytes

Fixed Size            2253784 bytes

Variable Size           1056967720 bytes

Database Buffers    587202560 bytes

Redo Buffers                7094272 bytes

Database mounted.

Database opened.

 

Run dvremov.sql

SQL> conn / as sysdba

Connected.

start  ?/rdbms/admin/dvremov.sql

 

.

.

.

 PL/SQL procedure successfully completed.

 

 

Manually drop DV_OWNER and DV_ACCTMNGR users

 

conn / as sysdba

SQL> drop user  DVACCTMNGR cascade;

User dropped.

SQL> drop user  DVACCTMNGR cascade;

User dropped.

 

Turn on recyclebin  and restart the database

conn / as sysdba

alter system set recyclebin=on scope=spfile;

 

Check DB Vault Option

 

SQL> column parameter format a40

SQL> column value format a10

SQL> Select parameter, value from v$option where parameter in (‘Oracle Database Vault’,’Oracle Label Security’);

 

PARAMETER                    VALUE

——————————- ———-

Oracle Label Security              FALSE

Oracle Database Vault              FALSE

 

Now Oracle DB Vault option is uninstalled from your database. If you want you can install it cleanly.

 

At this note ; I showed uninstallation of Oracle DB Vault  for Oracle 11g R2 database . For other versions there can be small differences. You can find all detailed information at the Metalink note.

How To Uninstall Or Reinstall Database Vault in 11g (Doc ID 803948.1)

Thanks Anıl Akduygu.

 

 

DB Vault Installation to Oracle 12c Container Database

12c-architecture

At my latest post I talked about Oracle DB Vault Installation to Oracle 12c non-container database. At this post I want to show you how you can install  Oracle DB Vault to Oracle 12c Container database.

Actually the task is very similar. But for the container databases; you should first install the root database; and then you can install to any pluggable database.

To continue this post ; you should have basic knowledge about Oracle Container databases.

https://oracle-base.com/articles/12c/multitenant-overview-container-database-cdb-12cr1

Before stating installation process; I wil show you my configuration

Host : Oracle 7 Linux

DB : Oracle 12c  12.1.0.2.0 with two pluggable databases  pdb1 and pdb2 and the database name is CDB3

During the installation I will connect to  the root container and pluggable  database by using below tns settings. As you know when you create a pluggable database a service is created by the name of pluggable database automatically.

at your tnsnames.ora file there should be tns entries   like that;
CDB3 =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = 192.200.11.9)(PORT = 1521))
(CONNECT_DATA =
(SERVER = DEDICATED)
(SERVICE_NAME = CDB3)
)
)

pdb1 =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = 192.200.11.9)(PORT = 1521))
(CONNECT_DATA =
(SERVER = DEDICATED)
(SERVICE_NAME = pdb1)
)
)

pdb2 =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = 192.200.11.9)(PORT = 1521))
(CONNECT_DATA =
(SERVER = DEDICATED)
(SERVICE_NAME = pdb2)
)
)

at this post; first I will install DB vault to root container and then pdb1 pluggable database.

Installing DB Vault to root container

1.  First check If DB Vault is alreday installed
SQL> connect SYSTEM@CDB3
Enter password:
Connected.
SQL> show con_name

CON_NAME
——————————
CDB$ROOT
SQL> column parameter format a25
SQL> column value format a10
SQL> SELECT parameter,value FROM gv$OPTION WHERE PARAMETER in
2 ( ‘Oracle Database Vault’,’Oracle Label Security’);

PARAMETER VALUE
————————- ———-
Oracle Label Security FALSE
Oracle Database Vault FALSE

After DBVault installation all these values become TRUE

 

2. Take  copy of some views about privileges;

At the SYSTEM user take some copy of privilege views at the root container. To compare privileges after DB vault installation.

SQL> create table a_cdb_network_acls as select * FROM cdb_network_acls;

Table created.

SQL> create table a_cdb_network_acl_privileges as select * from cdb_network_acl_privileges;

Table created.

SQL> create table a_cdb_tab_privs as Select * from cdb_tab_privs;

Table created.

SQL> create table a_cdb_sys_privs as Select * from cdb_sys_privs;

Table created.

SQL> create table a_cdb_role_privs as Select * from cdb_role_privs;

Table created.

SQL> create table a_cdb_objects as select owner,object_name,object_type from cdb_objects where status=’INVALID’ and object_type <> ‘SYNONYM’ ;

Table created.

SQL> create table a_cdb_registry as select * from cdb_registry;

Table created.

SQL>

3. Create DV Owner and DV  Account Manager User

DV owner user administers  DB Vault and DV Account Manager user administers all Oracle users. Because of the separation of duties these two users must be different.

for container databases we create common users .

connect sys as sysdba
SQL> create user c##dvowner identified by oracle CONTAINER=ALL;

User created.

SQL> create user c##dvacctmngr identified by oracle CONTAINER=ALL;

User created.

SQL> grant SET CONTAINER,CREATE SESSION to c##dvowner;

Grant succeeded.

SQL> grant SET CONTAINER,CREATE SESSION to c##dvacctmngr;

Grant succeeded.

4. Configure DB Vault

SQL>
SQL> BEGIN
2 DVSYS.CONFIGURE_DV (
3 dvowner_uname => ‘c##dvowner’,
4 dvacctmgr_uname => ‘c##dvacctmngr’);
5 END;
6 /

PL/SQL procedure successfully completed

And compile invalid objects

@?/rdbms/admin/utlrp.sql

…Database user “SYS”, database schema “APEX_040200”, user# “98” 16:45:10
…Compiled 0 out of 3014 objects considered, 0 failed compilation 16:45:10
…271 packages
…263 package bodies
…452 tables
…11 functions
…16 procedures
…3 sequences
…457 triggers
…1320 indexes
…211 views
…0 libraries
…6 types
…0 type bodies
…0 operators
…0 index types
…Begin key object existence check 16:45:10
…Completed key object existence check 16:45:11
…Setting DBMS Registry 16:45:11
…Setting DBMS Registry Complete 16:45:11
…Exiting validate 16:45:11

PL/SQL procedure successfully completed.

5. Enable DB Vault

SQL> connect c##dvowner
Enter password:
Connected.
SQL> show con_name

CON_NAME
——————————
CDB$ROOT
SQL> EXEC DBMS_MACADM.ENABLE_DV;

PL/SQL procedure successfully completed.

SQL> commit;

Commit complete.

6. Resart the Database 

Bingo DB Vault is ready now at container database.

SQL> connect sys as sysdba
Enter password:
Connected.

SQL> startup force
ORACLE instance started.

Total System Global Area 977272832 bytes
Fixed Size 2931520 bytes
Variable Size 645924032 bytes
Database Buffers 322961408 bytes
Redo Buffers 5455872 bytes
Database mounted.
Database opened.

SQL> alter pluggable database all open;

Pluggable database altered.
SQL> column parameter format a25
SQL> column value format a10
SQL> SELECT parameter,value FROM gv$OPTION WHERE PARAMETER in
2 ( ‘Oracle Database Vault’,’Oracle Label Security’);

PARAMETER VALUE
————————- ———-
Oracle Label Security TRUE
Oracle Database Vault TRUE

 

Now our aim is to install Db Vault one of the our pluggable database. For the demonstration I will install DB Vault to PDB1 pluggable database.

7. Give grants common users to connect PDB1

 

SQL> connect sys@pdb1 as sysdba
Enter password:
Connected.
SQL> show con_name

CON_NAME
——————————
PDB1
SQL> grant SET CONTAINER,CREATE SESSION to c##dvowner;

Grant succeeded.

SQL> grant SET CONTAINER,CREATE SESSION to c##dvacctmngr;

Grant succeeded.

8. Configure DB Vault at PDB1

SQL> connect sys@pdb1 as sysdba
Enter password:
Connected.
SQL> show con_name

CON_NAME
——————————
PDB1

SQL> BEGIN
2 DVSYS.CONFIGURE_DV (
3 dvowner_uname => ‘c##dvowner’,
4 dvacctmgr_uname => ‘c##dvacctmngr’);
5 END;
6 /

PL/SQL procedure successfully completed.

SQL> commit;

Commit complete.

now compile invalid objects

@?/rdbms/admin/utlrp.sql

…Database user “SYS”, database schema “APEX_040200”, user# “98” 16:59:40
…Compiled 0 out of 3014 objects considered, 0 failed compilation 16:59:41
…271 packages
…263 package bodies
…452 tables
…11 functions
…16 procedures
…3 sequences
…457 triggers
…1320 indexes
…211 views
…0 libraries
…6 types
…0 type bodies
…0 operators
…0 index types
…Begin key object existence check 16:59:41
…Completed key object existence check 16:59:41
…Setting DBMS Registry 16:59:41
…Setting DBMS Registry Complete 16:59:41
…Exiting validate 16:59:41

PL/SQL procedure successfully completed.

8. Enable DB Vault at PDB1

 

SQL> connect c##dvowner@pdb1
Enter password:
Connected.
SQL> EXEC DBMS_MACADM.ENABLE_DV;

PL/SQL procedure successfully completed.

SQL> commit;

Commit complete

 

9. Restart PDB1 pluggable database

SQL> startup force;
ORACLE instance started.

Total System Global Area 977272832 bytes
Fixed Size 2931520 bytes
Variable Size 645924032 bytes
Database Buffers 322961408 bytes
Redo Buffers 5455872 bytes
Database mounted.
Database opened.
SQL> alter pluggable database all open;

Pluggable database altered.

 

Now DB Vault is intalled to PD1 pluggable database