
What is Oracle Vault?

2025-01-18 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 05/31

This article explains what Oracle Vault is and walks through its installation.

As the most mature commercial database currently available, Oracle Database has not only stabilized its core functions but also offers its many users a wide range of tools and solutions for secure operation and maintenance. At the data level, Oracle has three new technologies: Virtual Private Database (VPD), Label Security, and Oracle Vault. VPD adds data access controls to meet application-level access requirements, and Label Security is to some extent an extension and upgrade of VPD. Vault, by contrast, separates security responsibilities within the Oracle database: it strips responsibility for data security away from ordinary users and even from sys, and assigns that responsibility at a fine granularity.

1. Brief introduction of Oracle Vault

Oracle Vault is one of the officially recommended security strategies and is used mainly for data protection in operation and maintenance organizations. Oracle security in the traditional sense is dominated by an "all-powerful sys" model. Although there are system, role, and object privileges, and although security manuals require non-sys users for maintenance, many database administrators still use sys for all their work. Some data protection technologies, such as VPD, can enforce data-level control but have no effect on sys.

More importantly, once an ANY-class system privilege such as select any table is granted, the user effectively controls access to every data table. This is a very coarse approach, and it hides serious problems.

Under the "all-powerful sys" premise, this situation cannot be controlled, because some operation and maintenance tasks, such as data backup, import, and export, cannot avoid high-privilege access. "Don't do it, or don't care" is the current state of many operation and maintenance organizations.

Oracle Vault provides a way to cut back the rights of the sys user. As an optional component of the Oracle database, Vault requires additional file linking, registration, and installation. After Vault is installed, Oracle creates a new user, dbvowner, and it becomes possible to control the original sys user's operations on, and access to, some data.

Vault has three core elements: Realm, Factor, and Rule. Together they restrict or protect specific objects from several angles, such as data objects and operation commands.

In this series, we will introduce how to install, configure, and use Oracle Vault. First, we'll show you how to install vault.

2. Oracle Vault prerequisites

Vault is not installed in the default Enterprise Edition. It has to be compiled (linked) and installed manually before it can be used.

We tested it with Oracle 11gR2, version number 11.2.0.4.

    SQL> select * from v$version;

    BANNER
    --------------------------------------------------------------------------------
    Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - Production
    PL/SQL Release 11.2.0.4.0 - Production
    CORE    11.2.0.4.0      Production
    TNS for Linux: Version 11.2.0.4.0 - Production
    NLSRTL Version 11.2.0.4.0 - Production

To determine whether Vault is currently installed, check the v$option view.

    SQL> select * from v$option where parameter like '%Vault%';

    PARAMETER                 VALUE
    ------------------------- -----
    Oracle Database Vault     FALSE

Before installing the configuration, shut down the database, listener, and DB Console.

-- listener

    [oracle@SimpleLinux ~]$ lsnrctl stop
    LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 07-APR-2014 12:41:34
    Copyright (c) 1991, 2013, Oracle. All rights reserved.
    Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=SimpleLinux)(PORT=1521)))
    The command completed successfully

-- Console

    [oracle@SimpleLinux ~]$ emctl stop dbconsole
    Oracle Enterprise Manager 11g Database Control Release 11.2.0.4.0
    Copyright (c) 1996, 2013 Oracle Corporation. All rights reserved.
    https://SimpleLinux:1158/em/console/aboutApplication
    Stopping Oracle Enterprise Manager 11g Database Control...
    ... Stopped.

-- Database Server

    SQL> shutdown immediate
    Database closed.
    Database dismounted.
    ORACLE instance shut down.

3. Component compilation

Oracle Vault depends on Label Security, and both have to be enabled at the operating system level first. In a Linux/Unix environment, use make to link the options into the Oracle binary.

    [oracle@SimpleLinux lib]$ cd $ORACLE_HOME/rdbms/lib
    [oracle@SimpleLinux lib]$ make -f ins_rdbms.mk dv_on lbac_on ioracle
    /usr/bin/ar d /u01/app/oracle/rdbms/lib/libknlopt.a kzvndv.o
    /usr/bin/ar cr /u01/app/oracle/rdbms/lib/libknlopt.a /u01/app/oracle/rdbms/lib/kzvidv.o
    /usr/bin/ar d /u01/app/oracle/rdbms/lib/libknlopt.a kzlnlbac.o
    /usr/bin/ar cr /u01/app/oracle/rdbms/lib/libknlopt.a /u01/app/oracle/rdbms/lib/kzlilbac.o
    chmod 755 /u01/app/oracle/bin
     - Linking Oracle
    rm -f /u01/app/oracle/rdbms/lib/oracle
    gcc -o /u01/app/oracle/rdbms/lib/oracle -m32 -z noexecstack -L/u01/app/oracle/rdbms/lib/ -L/u01/app/oracle/lib/ -L/u01/app/oracle/lib/stubs/ -L/u01/app/oracle/lib/ -lirc -lipgo -Wl,-E /u01/app/oracle/rdbms/lib/opimai.o
    (output omitted for reasons of space)
    -L/u01/app/oracle/lib
    test ! -f /u01/app/oracle/bin/oracle ||\
    mv -f /u01/app/oracle/bin/oracle /u01/app/oracle/bin/oracleO
    mv /u01/app/oracle/rdbms/lib/oracle /u01/app/oracle/bin/oracle
    chmod 6751 /u01/app/oracle/bin/oracle

Note: if you need to use the IPC protocol to access storage in Exadata, you also need to link in the ipc_rds protocol module. In addition, on the Windows platform, rename oradv11.dll.dbl in the $ORACLE_HOME/bin directory to oradv11.dll.
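As an added check that is not part of the original article, the following shell script reads the member list of libknlopt.a and reports whether the Vault and Label Security objects are linked in, which is useful both right after the relink and later to spot drift. The on/off object names come from the make output above; the function names and the sample listings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: infer from libknlopt.a whether dv_on / lbac_on are linked in.
# Object names are taken from the make output above: dv_on removes kzvndv.o
# and adds kzvidv.o; lbac_on removes kzlnlbac.o and adds kzlilbac.o.

# option_state MEMBERS ON_OBJ OFF_OBJ -> prints on | off | inconsistent
option_state() {
    has_on=no
    has_off=no
    # -x: whole-line match, -F: fixed string (the "." is not a wildcard)
    if printf '%s\n' "$1" | grep -qxF "$2"; then has_on=yes; fi
    if printf '%s\n' "$1" | grep -qxF "$3"; then has_off=yes; fi
    case "$has_on/$has_off" in
        yes/no) echo on ;;
        no/yes) echo off ;;
        *)      echo inconsistent ;;  # both or neither object is present
    esac
}

# link_report MEMBERS -> one line per option
link_report() {
    echo "Database Vault: $(option_state "$1" kzvidv.o kzvndv.o)"
    echo "Label Security: $(option_state "$1" kzlilbac.o kzlnlbac.o)"
}

# Constructed sample listings (not real output); placeholder1.o is a stand-in
# for the other archive members.
SAMPLE_AFTER_RELINK='kzvidv.o
kzlilbac.o
placeholder1.o'
SAMPLE_DEFAULT='kzvndv.o
kzlnlbac.o
placeholder1.o'

# Use the real archive when it is readable, otherwise the constructed sample.
LIB="${ORACLE_HOME:-/nonexistent}/rdbms/lib/libknlopt.a"
if [ -r "$LIB" ] && command -v ar >/dev/null 2>&1; then
    link_report "$(ar t "$LIB")"
else
    link_report "$SAMPLE_AFTER_RELINK"
fi
```

An "inconsistent" result means the archive holds both objects or neither, so the make step should be rerun and its output checked before the instance is started.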

After that, restart the listener and server.

    [oracle@SimpleLinux lib]$ lsnrctl start

    SQL> conn / as sysdba
    Connected to an idle instance.
    SQL> startup
    ORACLE instance started.
    Total System Global Area 372449280 bytes
    Fixed Size 1364732 bytes
    Variable Size 281021700 bytes

4. Run dbca

In an environment that supports a GUI, run dbca to start the configuration.

Click Next and select the Configure Database Options item. Then select the target database.

From the options, select both the Label Security and Vault options.

The configuration items include the name and administrator password of the Oracle Vault owner. Note: the password rules at this step are very strict. The password must be 8-30 characters long, contain no duplicate characters, and include at least one punctuation mark.

Select the connection mode; the choices are the exclusive (dedicated) and shared connection modes. This is the last installation option.

Finally, the installation completes successfully and the GUI closes.

5. Launch the DBV configuration interface

Like many Oracle components, Oracle Vault can be configured through a series of API calls. However, because of their complexity, Oracle does not recommend managing Vault directly through the API; instead, configuration is done through the provided dbv application. Using dbv is very similar to using em, and it reduces the chance of errors.

To launch dbv, start emctl first, then open https://:/dva. The port number is the same as for em.

Click Log in and you can see the configuration items.

Vault ships with a good deal of default configuration. After the installation is complete, the most directly observable change is that the capabilities of sys itself are limited.

    SQL> conn sys/oracle@ora11g as sysdba
    Connected to Oracle Database 11g Enterprise Edition Release 11.2.0.4.0
    Connected as SYS

    SQL> create user xxx identified by xxx;
    create user xxx identified by xxx
    ORA-01031: insufficient privileges

    SQL> alter user scott identified by tiger;
    alter user scott identified by tiger
    ORA-01031: insufficient privileges

6. Conclusion

Oracle Vault is the security policy officially recommended by Oracle for operation and maintenance. In practice, it is mainly used to restrict the privileges of administrator accounts such as sys in order to protect core business data.
