Oracle® Database Vault Administrator's Guide 11g Release 1 (11.1) Part Number B31222-06
After you install Oracle Database Vault, you need to register it with your database.
To register Oracle Database Vault:
Start Database Configuration Assistant.
UNIX: Enter the following command at a terminal window:
dbca
Typically, dbca is in the $ORACLE_HOME/bin directory.
Windows: From the Start menu, click All Programs. Then, click Oracle - ORACLE_HOME, Configuration and Migration Tools, and then Database Configuration Assistant.
Alternatively, you can start Database Configuration Assistant at a command prompt:
dbca
As with UNIX, typically, dbca is in the ORACLE_BASE\ORACLE_HOME\bin directory.
In the Welcome page, click Next.
The Operations page appears.
Select Configure Database Options, and then click Next.
The Database page appears.
From the list, select the database where you installed Oracle Label Security and then click Next.
The Management Options page appears.
Select Keep the database configured with Database Control.
The Security Settings page appears.
Select the security option you prefer, and then click Next.
Oracle recommends that you take advantage of the enhanced security settings for this release.
The Database Components page appears.
Select Oracle Database Vault (and Oracle Label Security if it is not already installed), and then click Next.
The Oracle Database Vault Credentials page appears.
Specify the name and password for the Database Vault Owner account, and optionally, the Database Vault Account Manager.
Oracle Database Vault has different password requirements from Oracle Database. These requirements are displayed if you enter a password that does not meet them. Afterward, the Connection Mode page appears.
Select either Dedicated Server Mode or Shared Server Mode (depending on the selection you made when you created this database), click Finish, and then click OK in the confirmation prompts.
Database Configuration Assistant registers Oracle Database Vault, and then restarts the database instance.
Exit Database Configuration Assistant.
If you have created an Oracle database manually, and have configured Oracle Enterprise Manager Database Control by using Enterprise Manager Configuration Assistant, you need to manually deploy Oracle Database Vault Administrator. This procedure deploys Database Vault Administrator in the same OC4J container as the current Enterprise Manager, rather than creating a new application.
To manually deploy Database Vault Administrator:
Stop Oracle Database Console.
On UNIX systems: Go to the $ORACLE_HOME/bin directory and run the following command:
./emctl stop dbconsole
On Windows systems: In the Administrative Services, select the Services utility, and then right-click the OracleDBConsolesid service. Select Stop from the menu.
Create a backup copy and then open the $ORACLE_HOME/oc4j/j2ee/OC4JDBConsole_service_name/config/server.xml file.
Add the following line before the </application-server> element:
<application name="dva" path="$ORACLE_HOME/dv/jlib/dva_webapp.ear" parent="default" start="true" />
On Windows systems, replace $ORACLE_HOME with the absolute path to your Oracle Database home.
Create a backup copy and then open the $ORACLE_HOME/oc4j/j2ee/OC4JDBConsole_service_name/config/HttpWebsite.xml file.
Add the following line before the </web-site> element:
<web-app application="dva" name="dva_webapp" load-on-startup="true" root="/dva" shared="true"/>
Restart Oracle Database Console.
On UNIX systems: Go to the $ORACLE_HOME/bin directory and run the following command:
./emctl start dbconsole
On Windows systems: In the Administrative Services, select the Services utility, and then right-click the OracleDBConsolesid service. Select Start from the menu.
After you complete these steps, you can start Oracle Database Vault Administrator by using the following URL:
https://hostname:port/dva
For example:
https://myserver:1158/dva
If you are unsure of the port number, open the ORACLE_HOME/host_sid/sysman/config/emd.properties file and search for REPOSITORY_URL. In most cases, the host name and port number are the same as those used by Oracle Enterprise Manager Database Control.
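The port lookup just described, as an added example that is not part of the Oracle documentation: a POSIX shell function that reads REPOSITORY_URL from an emd.properties file and derives the Database Vault Administrator URL from its scheme, host and port. The function name is an assumption of this example, and the properties file it reads here is a constructed sample, not the real file under ORACLE_HOME/host_sid/sysman/config.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): derive the Database Vault
# Administrator URL from the REPOSITORY_URL entry in emd.properties.
# The sample file contents below are constructed for illustration.

# dva_url_from_emd FILE
# Reads REPOSITORY_URL (e.g. https://myserver:1158/em/upload) from FILE and
# prints the corresponding Database Vault Administrator URL
# (https://myserver:1158/dva). Returns 1 if no REPOSITORY_URL is present.
dva_url_from_emd() {
    repo_url=$(sed -n 's/^[[:space:]]*REPOSITORY_URL[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    [ -n "$repo_url" ] || { echo "REPOSITORY_URL not found in $1" >&2; return 1; }
    # Keep scheme://host:port and drop the /em/upload path used by Database Control.
    base=$(printf '%s\n' "$repo_url" | sed 's#^\([a-zA-Z][a-zA-Z0-9+.-]*://[^/]*\).*#\1#')
    case "$base" in
        https://*) ;;   # Database Control normally serves the console over HTTPS
        *) echo "warning: $base is not HTTPS; check the console configuration" >&2 ;;
    esac
    printf '%s/dva\n' "$base"
}

# Constructed sample emd.properties (only the REPOSITORY_URL line matters).
sample_emd=$(mktemp)
cat > "$sample_emd" <<'EOF'
# constructed sample, not a real emd.properties
REPOSITORY_PROXYHOST=
REPOSITORY_URL=https://myserver:1158/em/upload
emdWalletSrcUrl=https://myserver:1158/em/wallets/emd
EOF

dva_url_from_emd "$sample_emd"    # prints https://myserver:1158/dva
rm -f "$sample_emd"
```

The function fails explicitly when the key is absent rather than printing a half-built URL, and it flags a non-HTTPS repository URL because the administrator console carries Database Vault credentials.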
By default, an Oracle Database Vault session lasts 35 minutes. If you want the session to last for a different time, follow the steps in this section.
To set the session time for Oracle Database Vault Administrator:
Back up the web.xml file, which by default is in the $ORACLE_HOME/dv/jlib/dva_webapp/dva_webapp/WEB-INF directory.
In a text editor, open the web.xml file.
Search for the following setting:
<session-config>
<session-timeout>35</session-timeout>
</session-config>
Change the <session-timeout> setting to the amount of time in minutes that you prefer.
Save and close the web.xml file.
Stop and restart the Database Vault Administrator.
On UNIX systems: Go to the $ORACLE_HOME/bin directory and run the following commands:
./emctl stop dbconsole
./emctl start dbconsole
On Windows systems: In the Administrative Services, select the Services utility, and then right-click the OracleDBConsolesid service. Select Stop from the menu. After the console stops, select Start.
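The file edits in this appendix (adding a line before </application-server> in server.xml and before </web-site> in HttpWebsite.xml, and changing <session-timeout> in web.xml) all follow the same pattern: back up the file, make one change, verify it. As an added example that is not part of the Oracle documentation, the POSIX shell helpers below implement that pattern on constructed sample files. The function names are assumptions of this example, and the sample XML is constructed, not a copy of the files shipped with the product.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): helpers for the two kinds
# of edits this appendix asks for, each taking a timestamped backup first.
#   insert_before_closing_tag FILE TAG LINE : add LINE before </TAG> once
#     (the server.xml and HttpWebsite.xml edits); a repeat run changes nothing.
#   set_session_timeout FILE MINUTES        : rewrite <session-timeout> in web.xml.
# The XML below is a constructed sample, not the shipped configuration.

backup_file() {
    cp -p "$1" "$1.$(date +%Y%m%d%H%M%S).bak"
}

insert_before_closing_tag() {
    file=$1; tag=$2; line=$3
    # Idempotent: a second run must not register the application twice.
    if grep -Fq -- "$line" "$file"; then
        echo "already present in $file: $line" >&2
        return 0
    fi
    grep -q "</$tag>" "$file" || { echo "no </$tag> in $file" >&2; return 1; }
    backup_file "$file"
    tmp=$(mktemp)
    # awk emits the new line immediately before the first closing tag it meets.
    awk -v tag="</$tag>" -v ins="$line" '
        !done && index($0, tag) { print ins; done = 1 }
        { print }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the file's ownership and mode
    rm -f "$tmp"
}

set_session_timeout() {
    file=$1; minutes=$2
    case "$minutes" in
        ''|*[!0-9]*) echo "minutes must be a positive integer" >&2; return 1 ;;
    esac
    grep -q '<session-timeout>' "$file" || { echo "no <session-timeout> in $file" >&2; return 1; }
    backup_file "$file"
    tmp=$(mktemp)
    sed "s#<session-timeout>[0-9]*</session-timeout>#<session-timeout>$minutes</session-timeout>#" "$file" > "$tmp" \
        && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# current_session_timeout FILE : print the configured minutes, used to verify the edit.
current_session_timeout() {
    sed -n 's#.*<session-timeout>\([0-9]*\)</session-timeout>.*#\1#p' "$1" | head -n 1
}

# Demonstration on constructed files in a scratch directory.
demo_dir=$(mktemp -d)
cat > "$demo_dir/server.xml" <<'EOF'
<?xml version="1.0"?>
<application-server>
  <application name="default" path="default-web-app" start="true" />
</application-server>
EOF
cat > "$demo_dir/web.xml" <<'EOF'
<web-app>
  <session-config>
    <session-timeout>35</session-timeout>
  </session-config>
</web-app>
EOF
insert_before_closing_tag "$demo_dir/server.xml" application-server \
    '<application name="dva" path="$ORACLE_HOME/dv/jlib/dva_webapp.ear" parent="default" start="true" />'
set_session_timeout "$demo_dir/web.xml" 15
current_session_timeout "$demo_dir/web.xml"   # prints 15
rm -rf "$demo_dir"
```

Pointing the helpers at the real files under $ORACLE_HOME and then restarting Database Control with emctl, as the steps above describe, is left to the operator. The timeout helper rejects anything that is not a whole number of minutes so a typo cannot leave web.xml with an unparsable value; a shorter idle timeout than the 35-minute default narrows the window in which an unattended administrator session stays usable.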
After you install Oracle Database Vault for an Oracle Real Application Clusters (RAC) instance, you need to run Oracle Database Vault Configuration Assistant (DVCA) with the -action optionrac option on all other RAC nodes. This sets instance parameters and disables SYSDBA operating system authentication.
You need to run this command on all Oracle RAC nodes other than the node on which the Database Vault installation is performed. This step is required to enable the enhanced security features provided by Oracle Database Vault.
The syntax for using dvca -action optionrac is as follows:
dvca -action optionrac -oh Oracle_home -instance Oracle_instance_name -dbname database_name -jdbc_str jdbc_connection_string -sys_passwd SYS_password [-silent] [-logfile ./dvca.log] [-nodecrypt] [-lockout]
In this specification:
-action is the action to perform. optionrac performs the action of updating the instance parameters for the Oracle RAC instance. This flag also provides the option of disabling SYSDBA operating system access for the instance.
-racnode is the host name of the Oracle RAC node on which the action is being performed. Do not include the domain name with the host name.
-oh is the Oracle home for the Oracle RAC instance. Provide the ORACLE_HOME path.
-instance is the name of the Database instance.
-dbname is the database name.
-jdbc_str is the JDBC connection string used to connect to the database. For example:
jdbc:oracle:oci:@orcl1
-sys_passwd is the password for the SYS user. If you use a cleartext password on the command line, you must include the -nodecrypt option. If you omit the password, DVCA prompts you for it. Preferably, omit the password and then enter it interactively when prompted.
-logfile is an optional flag to specify a log file name and location. You can enter an absolute path, or enter a path that is relative to the location of the $ORACLE_HOME/bin directory.
-silent is the option to run in command line mode. This option is required if you are not running DVCA in an xterm window.
-nodecrypt is the option to read plaintext passwords.
-lockout is the flag to use to disable SYSDBA operating system authentication.
To configure Oracle Database Vault on RAC nodes:
Ensure that the listener and database instance are running on the nodes on which you run DVCA.
At a command prompt, enter the DVCA command. For example:
dvca -action optionrac
-oh c:\oracle\product\11.1.0\db_1
-jdbc_str jdbc:oracle:oci:@orcl1
-racnode mynode
-silent
-logfile ./dvcalog.txt
Enter SYS password: sys_password
By default, Oracle Database Vault loads only the English language tables. You can use DVCA to add more languages to Oracle Database Vault by specifying the addlanguages flag to the dvca -action option.
The syntax for using dvca -action addlanguages is as follows:
dvca -action addlanguages -oh Oracle_home -instance Oracle_instance_name -dbname database_name -jdbc_str jdbc_connection_string -sys_passwd SYS_password -dvsys_passwd DVSYS_password -languages language_list [-owner_account DV_owner_account_name] [-owner_passwd DV_owner_account_password] [-acctmgr_account DV_account_manager_account_name] [-acctmgr_passwd DV_account_manager_password] [-silent] [-logfile ./dvca.log] [-nodecrypt] [-lockout] [-racnode node]
In this specification:
-action is the action to perform. In this case the action is addlanguages.
-oh is the Oracle home for the Oracle RAC instance. Provide the ORACLE_HOME path.
-instance is the name of the Database instance.
-dbname is the database name.
-sys_passwd is the password for the SYS user. If you use a cleartext password on the command line, you must include the -nodecrypt option. If you omit the password, DVCA prompts you for it. Preferably, omit the password and then enter it interactively when prompted.
-dvsys_passwd is the password for the DVSYS user. If you use a cleartext password on the command line, you must include the -nodecrypt option. If you omit the password, DVCA prompts you for it. Preferably, omit the password and then enter it interactively when prompted.
-jdbc_str is the JDBC connection string used to connect to the database. For example:
jdbc:oracle:oci:@orcl1
-languages is the list of languages to be loaded. Provide the list of languages as a string in the following format:
Linux: {"language_1,language_2,language_n"}
Windows: {"language_1","language_2","language_n"}
Oracle Database Vault supports the following languages:
en : English
ja : Japanese
de : German
ko : Korean
es : Spanish
pt_BR : Brazilian Portuguese
fr : French
zh_CN : Simplified Chinese
it : Italian
zh_TW : Traditional Chinese
For example, to load German and Spanish, you would enter the following:
Linux: -languages {"de,es"}
Windows: -languages {"es","ja"}
-owner_account is the Oracle Database Vault Owner account name.
-owner_passwd is the Oracle Database Vault Owner account password. If you use a cleartext password on the command line, you must include the -nodecrypt option. If you omit the password, DVCA prompts you for it. Preferably, omit the password and then enter it interactively when prompted.
-acctmgr_account is the Oracle Database Vault Account Manager user name.
-acctmgr_passwd is the Oracle Database Vault Account Manager password. If you use a cleartext password on the command line, you must include the -nodecrypt option. If you omit the password, DVCA prompts you for it. Preferably, omit the password and then enter it interactively when prompted.
-logfile is an optional flag to specify a log file name and location. You can enter an absolute path, or enter a path that is relative to the location of the $ORACLE_HOME/bin directory.
-silent is the option to run in command line mode. This option is required if you are not running DVCA in an xterm window.
-nodecrypt is the option to read plaintext passwords.
-lockout is the flag used to disable SYSDBA operating system authentication.
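The -languages value has a different shape on Linux and Windows, and only the codes in the table above are accepted. As an added example that is not part of the Oracle documentation, the POSIX shell function below checks each requested code against that table, rejects duplicates, and prints the -languages argument in the format for the named platform; it only produces the text to type and does not run dvca. The function and variable names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): build the -languages
# argument for "dvca -action addlanguages" in the format documented above,
# after validating every code against the supported list. Prints the text to
# type at the prompt; it does not invoke dvca.

# Supported language codes as listed in this appendix (en is loaded by default).
DV_SUPPORTED_LANGS="en ja de ko es pt_BR fr zh_CN it zh_TW"

# dv_languages_arg PLATFORM CODE... : PLATFORM is linux or windows.
dv_languages_arg() {
    platform=$1; shift
    [ $# -gt 0 ] || { echo "no language codes given" >&2; return 1; }
    seen=" "
    for code in "$@"; do
        case " $DV_SUPPORTED_LANGS " in
            *" $code "*) ;;
            *) echo "unsupported language code: $code (use one of: $DV_SUPPORTED_LANGS)" >&2; return 1 ;;
        esac
        case "$seen" in
            *" $code "*) echo "duplicate language code: $code" >&2; return 1 ;;
        esac
        seen="$seen$code "
    done
    case "$platform" in
        linux)    # one quoted, comma-separated string: {"de,es"}
            list=$(printf '%s,' "$@"); list=${list%,}
            printf '%s {"%s"}\n' -languages "$list" ;;
        windows)  # each code quoted separately: {"de","es"}
            list=$(printf '"%s",' "$@"); list=${list%,}
            printf '%s {%s}\n' -languages "$list" ;;
        *) echo "platform must be linux or windows" >&2; return 1 ;;
    esac
}

dv_languages_arg linux de es      # prints -languages {"de,es"}
dv_languages_arg windows es ja    # prints -languages {"es","ja"}
```

A code such as zh (rather than zh_CN or zh_TW) is refused before anything reaches DVCA, which is cheaper than discovering the mistake in dvca.log after Database Vault has been disabled for the update.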
To add languages to Oracle Database Vault:
Disable Oracle Database Vault by completing the following steps under "Step 1: Disable Oracle Database Vault":
Use DVCA to add the languages you want.
For example:
dvca -action addlanguages -oh c:\oracle\product\11.1.0\db_1 -instance myinstance -dbname mydbname -jdbc_str jdbc:oracle:oci:@orcl1 -languages {"es","ja"} -silent -logfile dvcalog.txt
Enter SYS password: sys_password
Enter DVSYS password: dvsys_password
Enter owner password: owner_password
Enter DV account manager password: dv_acct_password
Enable Oracle Database Vault by completing the following steps under "Step 3: Enable Oracle Database Vault":