Oracle DB Vault New Features in Oracle 12c R1 – Part1 : Changes at DB Vault Installation

Oracle DB Vault has changed in many ways in Oracle 12c. In this note I describe the changes to DB Vault installation.

  1. DB Vault Installation

In Oracle 11g you need to relink the Oracle binary before installing Oracle DB Vault. This step is not needed in Oracle 12c.

In Oracle 11g you relink the binary with the chopt command, as below:

$ chopt enable lbac

$ chopt enable dv

You do not need to do this in Oracle 12c.

In Oracle 11g you have to use dbca to both install and configure DB Vault. In Oracle 12c you only need dbca to install the Oracle Label Security and Oracle DB Vault components. You can then use the DVSYS.CONFIGURE_DV procedure to configure DB Vault. You can still do this configuration with dbca, but it is optional.

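In Oracle 12c, the DB Vault component is installed from this page in dbca:

[Screenshot: dbca page for installing the DB Vault component]

DB Vault configuration can also be done in dbca, but it is optional:

[Screenshot: dbca page for the optional DB Vault configuration]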

This gives us flexibility: during database installation, DBAs can install Oracle DB Vault without configuring it. After the DB Vault installation is completed, a security officer can configure DB Vault without DBA intervention.

The query below shows that the DB Vault component is installed, but this does not mean that it is enabled.

SQL> select comp_id,status from dba_registry where comp_id in ('OLS','DV');

COMP_ID                        STATUS
------------------------------ -----------
DV                             VALID
OLS                            VALID
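
The installed-versus-enabled distinction above, as an added example that is not part of the original post: this query puts the dba_registry status next to the v$option value that the uninstall note further down this page checks, so both states are visible in one result. The column aliases and the assessment wording are choices made for this example.

```sql
-- Added example, not from the original post.
-- dba_registry reports whether the component is installed in the dictionary;
-- v$option reports whether the option is switched on for this instance.
SELECT r.comp_id,
       r.status                   AS registry_status,
       NVL(o.value, 'NOT LISTED') AS option_value,
       CASE
         WHEN r.status = 'VALID' AND o.value = 'TRUE' THEN 'installed and enabled'
         WHEN r.status = 'VALID'                      THEN 'installed, not enabled'
         ELSE 'needs attention (' || r.status || ')'
       END                        AS assessment
FROM   dba_registry r
       LEFT JOIN v$option o
              ON o.parameter = DECODE(r.comp_id,
                                      'DV',  'Oracle Database Vault',
                                      'OLS', 'Oracle Label Security')
WHERE  r.comp_id IN ('DV', 'OLS')
ORDER  BY r.comp_id;
```

A row reading "installed, not enabled" for DV means the component is present but its controls are not yet protecting anything.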

With DVSYS.CONFIGURE_DV you specify which user is the DB Vault admin and which user is the database account manager.

SQL> BEGIN
  DVSYS.CONFIGURE_DV (
    dvowner_uname   => 'dvowner',
    dvacctmgr_uname => 'dvacctmngr');
END;
/

PL/SQL procedure successfully completed.

This procedure is new in Oracle 12c and lets a security officer configure DB Vault alone. After the DB Vault component is installed, you do not need to restart the database, but you need to run utlrp.sql to recompile all invalid objects.

HOW TO UNINSTALL ORACLE DB VAULT

In this note I will show you how to uninstall DB Vault from an Oracle 11g R2 database. This can be necessary for many reasons.

For example, when you do not want to use the DB Vault option in your database, you can decide to uninstall it completely.

Sometimes a problem during installation halts it in the middle. After solving the problem in the database, you need to uninstall the incomplete installation.

The configuration is:

Host : Oracle Linux 6

Database : Oracle 11g R2 (11.2.0.4)

Now we can start the uninstall.

First, check that DB Vault is installed

SQL> column parameter format a40
SQL> column value format a10
SQL> Select parameter, value from v$option where parameter in ('Oracle Database Vault','Oracle Label Security');

PARAMETER                                VALUE
---------------------------------------- ----------
Oracle Label Security                    TRUE
Oracle Database Vault                    TRUE

 

Shut down the database and stop the listener

sqlplus / as sysdba
SQL> shutdown immediate
Database closed.
Database dismounted.
ORACLE instance shut down.

[oracle@localhost admin]$ lsnrctl stop

LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 22-SEP-2016 10:52:39
Copyright (c) 1991, 2013, Oracle.  All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=10.0.2.15)(PORT=1521)))
The command completed successfully

If you have Database Control, stop it as well.

Unlink Oracle Label Security

This step is optional. If you want to keep using Oracle Label Security, you can skip it.

[oracle@localhost admin]$ chopt disable lbac

Writing to /u01/app/oracle/product/11.2.0/db_1/install/disable_lbac.log...
/usr/bin/make -f /u01/app/oracle/product/11.2.0/db_1/rdbms/lib/ins_rdbms.mk lbac_off ORACLE_HOME=/u01/app/oracle/product/11.2.0/db_1
/usr/bin/make -f /u01/app/oracle/product/11.2.0/db_1/rdbms/lib/ins_rdbms.mk ioracle ORACLE_HOME=/u01/app/oracle/product/11.2.0/db_1

Unlink Oracle Database Vault

[oracle@localhost admin]$ chopt disable dv

Writing to /u01/app/oracle/product/11.2.0/db_1/install/disable_dv.log...
/usr/bin/make -f /u01/app/oracle/product/11.2.0/db_1/rdbms/lib/ins_rdbms.mk dv_off ORACLE_HOME=/u01/app/oracle/product/11.2.0/db_1
/usr/bin/make -f /u01/app/oracle/product/11.2.0/db_1/rdbms/lib/ins_rdbms.mk ioracle ORACLE_HOME=/u01/app/oracle/product/11.2.0/db_1

[oracle@localhost admin]$

Start the database and the listener

[oracle@localhost admin]$ sqlplus / as sysdba

SQL*Plus: Release 11.2.0.4.0 Production on Thu Sep 22 10:56:23 2016
Copyright (c) 1982, 2013, Oracle.  All rights reserved.
Connected to an idle instance.

SQL> startup
ORACLE instance started.

Total System Global Area 1653518336 bytes
Fixed Size                  2253784 bytes
Variable Size            1056967720 bytes
Database Buffers          587202560 bytes
Redo Buffers                7094272 bytes
Database mounted.
Database opened.

[oracle@localhost ~]$ lsnrctl start

Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=10.0.2.15)(PORT=1521)))
Services Summary...
Service "DB11G" has 1 instance(s).
Instance "DB11G", status UNKNOWN, has 1 handler(s) for this service...
The command completed successfully

Find the users who have the DV_OWNER and DV_ACCTMGR roles

SQL> select unique GRANTEE from dba_role_privs
where GRANTED_ROLE in ('DV_ACCTMGR','DV_OWNER')
and grantee <> 'DVSYS';

GRANTEE
------------------------------
DVOWNER
DVACCTMNGR

 

Turn off the recyclebin and restart the database

SQL> conn / as sysdba
Connected.

SQL> alter system set recyclebin=off scope=spfile;
System altered.

SQL> startup force
ORACLE instance started.

Total System Global Area 1653518336 bytes
Fixed Size                  2253784 bytes
Variable Size            1056967720 bytes
Database Buffers          587202560 bytes
Redo Buffers                7094272 bytes
Database mounted.
Database opened.

 

Run dvremov.sql

SQL> conn / as sysdba
Connected.

SQL> start ?/rdbms/admin/dvremov.sql
.
.
.
PL/SQL procedure successfully completed.

 

 

Manually drop the DV_OWNER and DV_ACCTMGR users

SQL> conn / as sysdba

SQL> drop user DVOWNER cascade;
User dropped.

SQL> drop user DVACCTMNGR cascade;
User dropped.

 

Turn on the recyclebin and restart the database

SQL> conn / as sysdba
SQL> alter system set recyclebin=on scope=spfile;
SQL> startup force

 

Check the DB Vault option

SQL> column parameter format a40
SQL> column value format a10
SQL> Select parameter, value from v$option where parameter in ('Oracle Database Vault','Oracle Label Security');

PARAMETER                                VALUE
---------------------------------------- ----------
Oracle Label Security                    FALSE
Oracle Database Vault                    FALSE

 

The Oracle DB Vault option is now uninstalled from your database. If you want, you can install it again cleanly.
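
A follow-up check for the removal above, as an added example that is not part of the original note: the v$option query only shows that the option is off, so this query lists any DB Vault accounts, roles or registry entry still present afterwards. DVOWNER and DVACCTMNGR are the account names used on this page; DVSYS and DVF are the standard DB Vault schemas; the leftover_type labels are made up for this example.

```sql
-- Added example, not from the original note.
-- Lists DB Vault artifacts that still exist after dvremov.sql and the manual
-- DROP USER steps. Replace DVOWNER/DVACCTMNGR with the grantees your own
-- dba_role_privs query returned before the removal.
SELECT 'ACCOUNT' AS leftover_type,
       username  AS name,
       account_status AS detail
FROM   dba_users
WHERE  username IN ('DVSYS', 'DVF', 'DVOWNER', 'DVACCTMNGR')
UNION ALL
SELECT 'ROLE',
       role,
       CAST(NULL AS VARCHAR2(32))
FROM   dba_roles
WHERE  role LIKE 'DV\_%' ESCAPE '\'
UNION ALL
SELECT 'REGISTRY',
       comp_id,
       status
FROM   dba_registry
WHERE  comp_id = 'DV'
ORDER  BY 1, 2;
```

Any ACCOUNT row is worth reviewing first, since a former DB Vault owner or account manager left behind is a privileged login that no longer has a purpose.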

 

In this note I showed how to uninstall Oracle DB Vault from an Oracle 11g R2 database. For other versions there can be small differences. You can find all the detailed information in the Metalink note:

How To Uninstall Or Reinstall Database Vault in 11g (Doc ID 803948.1)

Thanks Anıl Akduygu.