Wednesday, July 18, 2018

How to Enable Database Vault in a 12.1 Oracle RAC Database

Verify Database Vault


Use the query below to check whether DB Vault is already registered.

sqlplus / as sysdba

SQL> show con_name
CON_NAME
------------------------------
CDB$ROOT

SQL> column parameter format a25
SQL> column value format a10
SQL> SELECT parameter,value FROM gv$OPTION WHERE PARAMETER in ('Oracle Database Vault','Oracle Label Security');

PARAMETER                 VALUE
------------------------- ----------
Oracle Label Security     FALSE
Oracle Database Vault     FALSE
Oracle Label Security     FALSE
Oracle Database Vault     FALSE

Note: If the returned value is FALSE, DB Vault is not registered and is in a disabled state. gv$OPTION returns one row per RAC instance, which is why each option is listed twice here.


Enable DB Vault at Container Level


Create DV Admin Users

First, create two users: one to administer DB Vault and another to manage Oracle users in the database. These two users are required for separation of duties.

sqlplus / as sysdba

SQL> create user c##dvowner identified by {Pw} CONTAINER=ALL;
User created.

SQL> create user c##dvacctmngr identified by {Pw} CONTAINER=ALL;
User created.

SQL> grant SET CONTAINER,CREATE SESSION to c##dvowner;
Grant succeeded.

SQL> grant SET CONTAINER,CREATE SESSION to c##dvacctmngr;
Grant succeeded.


Configure and Enable Database Vault


Now we can configure DB vault for registration. Then we will compile all the invalid objects.

SQL> BEGIN
DVSYS.CONFIGURE_DV (
dvowner_uname => 'c##dvowner',
dvacctmgr_uname => 'c##dvacctmngr');
END;
/

PL/SQL procedure successfully completed.

Compile invalid objects

SQL> @?/rdbms/admin/utlrp.sql

PL/SQL procedure successfully completed.

Enable DB Vault

SQL> connect c##dvowner
Enter password:
Connected.

SQL> show con_name
CON_NAME
------------------------------
CDB$ROOT
SQL> EXEC DBMS_MACADM.ENABLE_DV;

PL/SQL procedure successfully completed.

SQL> commit;
Commit complete.

Restart and Validate


Restart the database. Otherwise, the value will still be FALSE when you query gv$OPTION.

srvctl stop database -d
srvctl start database -d

DB Vault is now ready in the container database. Use the query below for validation.

SQL> column parameter format a25
SQL> column value format a10
SQL> SELECT parameter,value FROM gv$OPTION WHERE PARAMETER in ('Oracle Database Vault','Oracle Label Security');

PARAMETER                 VALUE
------------------------- ----------
Oracle Label Security     TRUE
Oracle Database Vault     TRUE
Oracle Label Security     TRUE
Oracle Database Vault     TRUE

Now proceed to install DB Vault in the pluggable database.


Enable DB Vault at Pluggable Level


Grant Permission for DV Admin User


Grant privileges to the DV Admin users in the pluggable database.

SQL> connect sys@PDB1 as sysdba
Enter password:
Connected.

SQL> show con_name
CON_NAME
------------------------------
PDB1

SQL> grant SET CONTAINER,CREATE SESSION to c##dvowner;
Grant succeeded.

SQL> grant SET CONTAINER,CREATE SESSION to c##dvacctmngr;
Grant succeeded.

Configure and Enable Database Vault


Now we can configure DB Vault for registration and compile all the invalid objects.

SQL> BEGIN
DVSYS.CONFIGURE_DV (
dvowner_uname => 'c##dvowner',
dvacctmgr_uname => 'c##dvacctmngr');
END;
/
PL/SQL procedure successfully completed.

SQL> commit;
Commit complete.

Compile invalid objects

SQL> @?/rdbms/admin/utlrp.sql

PL/SQL procedure successfully completed.

Enable DB Vault for PDB

SQL> connect c##dvowner@PDB1
Enter password:
Connected.

SQL> EXEC DBMS_MACADM.ENABLE_DV;
PL/SQL procedure successfully completed.

SQL> commit;
Commit complete.

Restart and Validate


Restart the pluggable database.

SQL> connect sys@PDB1 as sysdba
Enter password:
Connected.

SQL> alter pluggable database PDB1 close immediate;

Pluggable database altered.

SQL> alter pluggable database PDB1 open;

Pluggable database altered.

Note: Bounce the PDB on Node2 as well.

DB Vault is now ready in the pluggable database. Use the query below for validation.

SQL> SELECT parameter,value FROM gv$OPTION WHERE PARAMETER in ('Oracle Database Vault','Oracle Label Security');

PARAMETER                 VALUE
------------------------- ----------
Oracle Label Security     TRUE
Oracle Database Vault     TRUE
Oracle Label Security     TRUE
Oracle Database Vault     TRUE

This completes the DB Vault installation on the pluggable database.
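
The validation steps and the separation-of-duties requirement above can be checked together with the following script. It is an added example, not part of the original post: it assumes a SYSDBA session and is run once in CDB$ROOT and once in PDB1, and the column formats and ordering are choices made here.

```sql
-- Added example: post-enable checks. Run as SYSDBA, first in CDB$ROOT,
-- then again after "alter session set container=PDB1;".
set linesize 120 pagesize 100
column parameter    format a25
column value        format a10
column grantee      format a25
column granted_role format a15

show con_name

-- 1. Option state per RAC instance. gv$ views return one row per
--    instance, so INST_ID shows which node each row came from.
SELECT inst_id, parameter, value
FROM   gv$option
WHERE  parameter IN ('Oracle Database Vault', 'Oracle Label Security')
ORDER  BY inst_id, parameter;

-- 2. Instances still reporting FALSE. After the restart this should
--    return no rows; a row points at an instance that has not been
--    restarted or a container where DV was not enabled.
SELECT inst_id, parameter
FROM   gv$option
WHERE  parameter IN ('Oracle Database Vault', 'Oracle Label Security')
AND    value <> 'TRUE'
ORDER  BY inst_id, parameter;

-- 3. Accounts holding the two Database Vault administration roles.
--    With the users created on this page, c##dvowner should hold
--    DV_OWNER and c##dvacctmngr should hold DV_ACCTMGR; review any
--    other grantee.
SELECT grantee, granted_role
FROM   dba_role_privs
WHERE  granted_role IN ('DV_OWNER', 'DV_ACCTMGR')
ORDER  BY granted_role, grantee;

-- 4. Separation of duties: any account holding BOTH roles.
--    Expected result: no rows selected.
SELECT grantee
FROM   dba_role_privs
WHERE  granted_role IN ('DV_OWNER', 'DV_ACCTMGR')
GROUP  BY grantee
HAVING COUNT(DISTINCT granted_role) = 2;
```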


Disable DB Vault

Perform this step on both nodes.

SQL> connect C##DVOWNER/pw

SQL> EXEC DBMS_MACADM.DISABLE_DV;
PL/SQL procedure successfully completed.

SQL> alter session set container=PDB1;
Session altered.

SQL> EXEC DBMS_MACADM.DISABLE_DV;
PL/SQL procedure successfully completed.

Restart the database.

srvctl stop database -d -o immediate
srvctl start database -d
