Before doing it for real, I decided to do it on a database of my own,and just as well.
So before you do this, a word of warning - it stops the SYS user from being able to do stuff. In this post I go over how to re-enable it, but this is just an overview so make sure anything you do is tested. Note that it also needs a licence.
I'd also advise asking the person who requested this for a clear policy document - Database Vault is more complicated than assigning roles, and you need to know the access that is required and it needs to be written down - Database Vault will break applications if not set up correctly.
It also needs a database and listener outage, so be aware of that.
So, disclaimers and CMA done, here we go.
Here's the official documentation:
Preparing the database
Stop the database and listener, and database control if running, and enable database vault:
Set the Oracle environment to the target database:
. oraenv
(enter the ORACLE_SID)
Stop the Oracle listener (this assumes the listener name is LISTENER – if not, the name needs to be specified)
lsnrctl stop
Log into the database as SYS and shut it down:
sqlplus “/ as sysdba”
SQL> shutdown immediate
Shut down Oracle Database Control if it is running:
$ emctl stop dbconsole
Enable Oracle Database Vault by relinking:
$ cd $ORACLE_HOME/rdbms/lib
$ make -f ins_rdbms.mk dv_on lbac_on ioracle
Restart the database and listener (but not dbcontrol if it was running)
$ lsnrctl start
$ sqlplus “/ as sysdba”
SQL> startup
Create Database Control if not using Grid Control or Cloud Control
If Grid Control or Cloud control is used, this next section is not required.Run the DBCA and create database control for the database if it not in place.
(Note, you need an X-Windows server on the PC to run the DBCA)
$ dbca
I won't post all the screenshots of the dbca, just the relevant ones.
At the first screen, check "Configure Database Options" and click "Next".
The next screen will show a list of the databases - highlight the one you want to install database vault on and click "Next".
At the next screen make sure the "Configure the database with Enterprise Manager" and "Use Database Control for Database Management" items are checked. You can leave the email and backup fields blank. Click "Next"
At the next screen, make sure "Enterprise Manager Repository" is checked, and either select a tablespace or let it default to SYSAUX. Do not check "Oracle Label Security" yet. Click "Next".
At the next screen, enter the passwords as required. Click "Next".
Let the server mode default, and click on "Finish".
Click "OK" at the Confirmation screen.
It will install database control, and will show a screen with the database control URL, usually "https://host_name:port/em" - but make a note.
Click "OK" and it will exit.
Right, now that you've installed database control, or if it was already installed, you need to stop it to install Database Vault.
$ emctl stop dbconsole
Implementing Database Vault with DBCA
Restart the DBCA to implement Database Vault and Oracle Label Security$ dbca
At the first screen, select "Configure Database Options" and click "Next".
At the next screen select the database that is to have Database Vault installed, click "Next".
At the next screen, check "Oracle Label Security" and "Oracle Database Vault".
Click "Next"
At the next screen, enter a database vault owner username and password. The account manager is optional, but I'd create it just in case. I used "dbvault_owner" and "dbvault_manager" for the usernames.
You should make these passwords strong - for obvious reasons.
Click "Next".
At the next page, let the "Server Mode" default, and click "Finish".
The dbca will restart the database, so make sure that you've arranged an outage.
One thing I noticed is that if there are other databases in the same ORACLE_HOME, this is now shown on login:
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, Oracle Label Security, OLAP, Data Mining,
Oracle Database Vault and Real Application Testing options
This had me worried - did it mean that this would affect all the databases, and that now SYS functionality is changed. The short answer is no. These need to be enabled for the individual database through the dbca,
Once complete, you need to log into the database as the dbvault_owner and grant privileges.
Adding required privileges
To perform the necessary grants to the database vault users, sign into the database as the dbvault_owner and run the grant commands:
$ sqlplus dbvault_owner/password
SQL> grant dv_owner to dbvault_owner;
Grant succeeded.
SQL> grant dv_admin to dbvault_manager;
Grant succeeded.
So, that's it installed. Now you can log in from a browser.
Logging into the Database Vault Web Page
Log into Database Vault as the dbvault_owner from a browser.If the connection does not work, you should check the firewall settings for the host / site.
There are separate instructions on how to access database vault features from Grid / Cloud Control or Database Control, but the dva console is the preferred method as it provides full functionality.
Note the hostname and port will be site specific. For me, it is
https://andy-mga:5500/dva
After logging in, the various features can be used to restrict and grant access to database objects and commands.
Enabling Oracle Administration functionality for SYS
One thing that enabling database vault does once installed is restrict the SYS user from performing some database administration functions. These need to be enabled to allow normal administration.For example, a standard DBA task is to create users in the database, but this is restricted once Database Vault is enabled:
$ sqlplus "/ as sysdba"
SQL*Plus: Release 11.2.0.3.0 Production on Tue May 13 14:07:32 2014
Copyright (c) 1982, 2011, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, Oracle Label Security, OLAP, Data Mining,
Oracle Database Vault and Real Application Testing options
SQL> create user andy identified by andy;
create user andy identified by andy
*
ERROR at line 1:
ORA-01031: insufficient privileges
To allow this again, follow this procedure:
Creating a RULE SET
Login to the database vault page.Select “Rule Sets” from the home page of the dva.
Click on Create
Call it something suitable like ‘SYS_USER_ADMIN’
Click on OK
Select it from the list and click on “Edit”
Scroll down to “Rules Associated To The Rule Set’ and click on “Create”
Use the name “SYS_USER_ADMIN”
Enter this in the expression field – dvf.f$session_user = ‘SYS’
Click on OK to save it, then on OK again.
Go back to the home page, and click on “Command Rules”
Select the “CREATE USER” item and click on “Edit”
Leave the command as “CREATE USER”, and in the “RULE SET” drop-down choose “SYS_USER_ADMIN”
Click on OK
Edit the DROP USER and repeat
Edit the ALTER USER and repeat
The sys user can now create, alter and drop users in the database.
$ sqlplus “/ as sysdba”
SQL> create user andy identified by andy;
User created.
That's Part 1.
In Part 2, I explain how to enable and restrict access to tables and schemas.