2025-01-19 Update From: SLTechnology News&Howtos > Database

Shulou (Shulou.com) 06/01 Report

Oracle Database Vault

Contents

1. References
2. Brief introduction
3. Vault components
3.1. Oracle Database Vault access control components
3.2. Oracle Database Vault Administrator (DVA)
3.3. Oracle Database Vault Configuration Assistant (DVCA)
3.4. Oracle Database Vault DVSYS and DVF schemas
3.5. Oracle Database Vault PL/SQL interfaces and packages
3.6. Oracle Database Vault and Oracle Label Security PL/SQL APIs
3.7. Oracle Database Vault reporting and monitoring tools
4. Vault installation
4.1. Check whether it is installed
4.2. Shut down the database and related services
4.3. Component compilation
4.4. Run dbca for deployment
4.5. Launch the DVA configuration interface
4.6. Conclusion
5. Case introduction
5.1. Example 1: DROP commands are only allowed outside business hours
5.2. Example 2: users are only allowed to log in to the database with specific tools (applications)
5.3. Example 3: using the Dual Key security feature
6. Details of using the Data Pump tool with Oracle Vault
6.1. Data Pump and Vault
6.2. Default behavior
6.3. Additional authorization
6.4. Importing sensitive data
6.5. Conclusion and discussion
7. Vault uninstall
7.1. Preparation before uninstalling
7.2. Disable Vault
7.3. Operations in the database
7.4. Conclusion

1. References

Detailed description of the principles, installation and configuration of Oracle Vault
https://www.linuxidc.com/Linux/2014-05/101108.htm

Using technical means to limit dangerous DBA operations: Oracle Database Vault
https://www.cnblogs.com/raobing/p/6174551.html

Official document
http://www.oracle.com/technetwork/cn/tutorials/datavault-094096-zhs.html

Oracle data security solution
https://www.linuxidc.com/Linux/2011-12/48689p2.htm

2. Brief introduction

As the most mature commercial database today, Oracle not only keeps its core functions stable but also offers many security and operations tools to its large user base. At the data level, Oracle has three newer technologies: Virtual Private Database (VPD), Label Security, and Oracle Vault.

VPD mainly adds data-access permissions to meet access requirements at the application level, but it does not apply to SYS.

Label Security is, to some extent, an extension and upgrade of VPD.

Oracle Database Vault (DV) is mainly concerned with protecting sensitive data and separating duties in the Oracle database. Security responsibility is taken away from ordinary users and even from sys, and assigned at a fine-grained level. As an optional component of the Oracle database, Vault requires additional relinking, registration and installation. After Vault is installed, Oracle creates a new user, dbvowner, and the original sys can now be controlled in what it operates on and which data it accesses.

Vault has three core elements: Realm (domain), Factor (factor) and Rule (rule). They restrict or protect specific objects along several dimensions, such as data objects and operation commands.

DV protects sensitive data mainly through Realms (security domains). A Realm can be simply understood as a collection of sensitive data. Through the realm configuration, DV specifies which users may access realm-protected data. Without an authorization in DV, even sysdba has no right to access realm-protected data; this is the core function of DV.

DV also has a very important function, Command Rules, which allows or prevents database users from executing DDL, DML and DCL commands according to certain conditions, and which applies to privileged users including sysdba. This feature is exactly what we need to limit the DBA.

A Factor (authentication factor) is a value that can be used in conditions, such as the client hostname or client IP. Oracle has some common Factors built in, and users can also create their own; a Factor can be an expression or the return value of a stored procedure.

A Rule Set is simply a set of conditions, like the conditions after WHERE in SQL. When the rule set evaluates to TRUE, DV allows the user to access the data or execute the specific command. The Rules in a Rule Set can reference Factors.

3. Vault components

Oracle Database Vault consists of the following sections:

1) Oracle Database Vault access control component

2) Oracle Database Vault Manager component (DVA)

3) Oracle Database Vault configuration Assistant (DVCA)

4) Oracle Database Vault DVSYS and DVF Schemas

5) Oracle Database Vault PL/SQL interface and development package

6) Oracle Database Vault and Oracle Label Security PL/SQL APIs

7) Oracle Database Vault monitoring and reporting tools

3.1. Oracle Database Vault access control component

Oracle Database Vault enables you to create the following components to secure your database instance:

Realm (domain): a realm is a functional grouping of database schemas, objects and roles that need to be protected. For example, you can group the schemas, objects and roles related to accounting, sales or human resources into a realm. Once they are grouped into a realm, you can use the realm to control the use of system privileges granted to specific accounts or roles. In this way you provide fine-grained access control for anyone who wants to use these schemas, objects and roles. Chapter 4, "Configuring Realms", discusses realms in detail.

Command rules: a command rule is a special rule that lets you control how users execute almost any SQL statement they can execute, including SELECT, ALTER SYSTEM, data definition language (DDL) and data manipulation language (DML) statements. A command rule works together with a rule set to determine whether a statement is allowed to execute. Chapter 6, "Configuring Command Rules", discusses command rules in detail.

Factors: factors are named variables or attributes, such as user location, database IP address and session user, that Oracle Database Vault can recognize and protect. You can use factors in user activities such as authorizing database accounts to connect to the database, or in filtering logic that limits data visibility and manageability. Each factor can have one or more identities, which are the specific values the factor can take. A factor can have several identities depending on how it is retrieved or on its mapping logic. Chapter 7, "Configuring Factors", discusses factors in detail.

Rule set: a rule set is a collection of one or more rules that you can associate with a realm authorization, command rule, factor assignment or secure application role. The rule set evaluates to true or false based on the evaluated value of each rule and how the rules are combined (All True or Any True). A rule within a rule set is a PL/SQL expression that evaluates to true or false. Chapter 5, "Configuring Rule Sets", discusses rule sets in detail.

Security application role: a security application role is a special Oracle database role that can be activated based on the calculation results of the Oracle database vault rule set. Chapter 8, "Configuring Secure Application Roles for Oracle Database Vault" discusses security application roles in detail.

To enhance the functionality of these components, Oracle Database vault provides a series of PL/SQL interfaces and packages. "Oracle Database Vault PL/SQL Interfaces and Packages" provides a general introduction.

Usually, the first step you need to do is to create a domain that contains the schema or database objects you want to protect, and then you can protect your domain by creating rules, command rules, factors, identities, rule sets, and security application roles. In addition, you can run the reporting tool to report on the activities that these components monitor and protect. Chapter 3, "Getting Started with Oracle Database Vault" provides a simple guide to familiarize yourself with the functions of Oracle Database Vault, and Chapter 16, "Oracle Database Vault Reports" provides more information on how to run reports to check configuration and other Oracle Database Vault completed activities.

3.2. Oracle Database Vault Administrator (DVA)

The Oracle Database Vault Administrator (DVA) is a Java application built on Oracle Database Vault's PL/SQL API. It lets security managers who are not familiar with the PL/SQL interface configure access-control policies through a friendly user interface. DVA also provides a number of security-related reports that help you understand the baseline security configuration, and these reports help show how the current configuration has changed from the baseline.

Chapter 4 through Chapter 9 explain how to configure access policies through the Oracle database Vault administrator program and how to integrate Oracle Database Vault with other Oracle products. Chapter 16, "Oracle Database Vault Reports" explains the Oracle Database Vault report.

3.3. Oracle Database Vault configuration Assistant (DVCA)

To perform maintenance tasks, you can use the command line tool Oracle Database Vault configuration Assistant (DVCA). Please refer to Appendix C, "Postinstallation Oracle Database Vault Procedures" for more information.

3.4. Oracle Database Vault DVSYS and DVF Schemas

Oracle Database Vault provides DVSYS as a schema to store all database objects that need to be protected by Oracle Database Vault. DVSYS schema contains roles, views, accounts, functions, and other database objects used by Oracle Database Vault. DVF schema contains common functions that read a collection of factor values from the Oracle Database Vault access control configuration.

Chapter 10, "Oracle Database Vault Objects" describes these two schema in detail.

3.5. Oracle Database Vault PL/SQL interfaces and packages

Oracle Database Vault provides a PL/SQL interface and package that allows security administrators or application developers to configure access control policies on demand. PL/SQL stored procedures and functions enable ordinary database accounts to operate within access control policy boundaries in the context of a database session.

See Chapter 14, "Using the Oracle Database Vault PL/SQL Interfaces" and Chapter 11, "Using the DVSYS.DBMS_MACADM Package" for more information.

3.6. Oracle Database Vault and Oracle Label Security PL/SQL APIs

Oracle Database Vault provides access-control capabilities that can be integrated with Oracle Label Security. Oracle Label Security is integrated with Oracle Enterprise Manager Database Control, which lets security administrators define label security policies that apply to database objects. Oracle Label Security also provides a set of PL/SQL APIs that database application developers can use to apply label security policies.

Refer to Integrating Oracle Database Vault with Oracle Label Security for more information about how Oracle Database Vault and Oracle Label Security work together. Refer to Oracle Label Security Administrator's Guide for more information about Oracle Policy Manager.

3.7. Oracle Database Vault reporting and monitoring tools

You can generate reports based on the different activities monitored by Oracle Database Vault, and you can monitor policy changes, abnormal security attempts, database configuration and structural changes.

Refer to Chapter 16, "Oracle Database Vault Reports" for more information about the reports you can generate. Chapter 15, "Monitoring Oracle Database Vault" explains how to monitor Oracle Database Vault.

4. Vault installation

4.1. Check whether it is installed

Vault is not installed in the default Enterprise Edition; it has to be compiled (relinked) and installed manually before it can be used.

We tested with Oracle 11gR2, version 11.2.0.4.

SQL> select * from v$version;

To determine whether Vault is currently installed, check the v$option view:

SQL> select * from v$option where parameter like '%Vault%';

PARAMETER                      VALUE
------------------------------ ------
Oracle Database Vault          FALSE

In this version the view is present, but it and the subsequent configuration prompts report Vault as not installed.

select * from v$option where parameter like '%Vault%';
select * from v$option where parameter like '%Security%';

4.2. Shut down the database and related services

Before installing and configuring, shut down the database, the listener and DB Console.

-- listener
[oracle@SimpleLinux ~]$ lsnrctl stop

-- DB Console
[oracle@SimpleLinux ~]$ emctl stop dbconsole

-- database server
SQL> shutdown immediate

4.3. Component compilation

Oracle Vault depends on Label Security, and the configuration starts at the operating-system level: in a Linux/Unix environment, relink with make.

[oracle@SimpleLinux lib]$ cd $ORACLE_HOME/rdbms/lib
[oracle@SimpleLinux lib]$ make -f ins_rdbms.mk dv_on lbac_on ioracle

Note: if you need the IPC protocol to access storage on Exadata, add the ipc_rds module to the relink. On the Windows platform, instead of relinking, rename oradv11.dll.dbl in the $ORACLE_HOME/bin directory to oradv11.dll.

After that, restart the listener and the database:

[oracle@SimpleLinux lib]$ lsnrctl start
SQL> conn / as sysdba
SQL> startup

4.4. Run dbca for deployment

In an environment with a GUI, run dbca to start the configuration.

Click Next, select Configure Database Options, and then select the target database.

From the options, select Oracle Label Security and Oracle Database Vault.

Tablespace selections shown in the dialog: Oracle Label Security, not SYSTEM; Oracle Database Vault, SYSAUX.

The configuration includes the user name and password of the Oracle Vault owner. Note: the password check at this step is very strict: 8 to 30 characters, no repeated characters, and at least one punctuation mark.

Database vault owner: dbvowner, password: Abcd_1234

Create a separate account manager, so that account management and security-policy management are separated:

Database vault account manager: dbvmgr, password: Abcd_1234

Select the connection mode (dedicated or shared), then the final installation option.

Finally the installation completes and the GUI closes.

4.5. Launch the DVA configuration interface

Like many Oracle components, Oracle Vault can be configured through a series of API calls. Because of the complexity, however, Oracle does not recommend managing it directly through the API commands; instead it is configured through the provided DVA application. Using DVA is very much like using Enterprise Manager and reduces the chance of mistakes.

To open DVA, start DB Console with emctl first, then open https://192.0.2.20:1158/dva

The port number is the same as Enterprise Manager's.

User name: dbvowner
Password: Abcd_1234
Host: 192.0.2.20
Port: 1521
SID/Service: SID: orcl

Click Log In and the configuration items appear.

4.6. Conclusion

Oracle Vault is the security policy officially recommended by Oracle for operation and maintenance. In practical application, it is mainly convenient to restrict the permissions of administrator accounts such as sys to protect core business data.

5. Case introduction

5.1. Example 1: DROP commands are only allowed outside business hours

This is the simplest example. No Factor is needed; Rule Sets and Command Rules are enough. We demonstrate with a test database user, SCOTT:

1) Log in to the DV administration page (DVA).

2) Create a Rule Set named "Can not drop table in business time" and select Any True, which means that if any rule (condition) in the set evaluates to TRUE, the rule set evaluates to TRUE. All True corresponds to AND, Any True to OR. Audit option: audit on success or failure. Error handling: show error message; failure code: -20001; failure message: Can not drop table in business time.

3) Create two rules and associate them with the rule set (the comparison operators were lost when the page was extracted and are reconstructed from the description that follows):

Rule name: RULE1, rule expression: TO_CHAR(SYSDATE,'HH24MI') < '1145'
Rule name: RULE2, rule expression: TO_CHAR(SYSDATE,'HH24MI') > '1155'

These two rules are easy to understand: they determine whether the current time falls within business hours. To make the experiment easy to run, business time is defined as 11:45 to 11:55. If the current time is outside this window, one of the rules is true and the rule set evaluates to TRUE.

4) Then create a Command Rule.

On the home page click Command Rules > Create; command: DROP TABLE; status: enabled; object owner: SCOTT; rule set: Can not drop table in business time.

This Command Rule means that dropping tables owned by SCOTT is allowed only when the rule set returns TRUE; otherwise neither sysdba nor the owner of the table can drop it.

5) Effect:

23:50:48 SCOTT@orcl > create table dept3 as select * from dept;
23:51:09 SCOTT@orcl > drop table dept3;
drop table dept3
*
ERROR at line 1:
ORA-47306: 20001: Can not drop table in business time

23:51:59 @ > conn sys/oracle@s11 as sysdba
23:52:12 SYS@s11 > drop table scott.dept2;
drop table scott.dept2
ERROR at line 1:
ORA-47306: 20001: Can not drop table in business time

Other Command Rules we want to control, such as ALTER TABLE, are set up in the same way.
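The same configuration through the DBMS_MACADM API, as an added example: it is not the article's own code (the article uses the DVA web interface). It is run as dbvowner, uses the names, failure code and window boundaries given above, and follows the 11gR2 parameter order of DVSYS.DBMS_MACADM; the DBMS_MACUTL constants are the documented ones for Any True, audit on failure, show error and no handler. The two SELECTs at the end read the DVSYS data-dictionary views to confirm what was created.

```sql
-- Added example (not from the original article): Example 1 built with the
-- DVSYS.DBMS_MACADM API. Run as the Database Vault owner (dbvowner).
-- Parameter order follows the 11gR2 DBMS_MACADM reference; the names,
-- failure code and the 1145/1155 window boundaries are the article's.
BEGIN
  -- Rule set: ANY rule true => DROP TABLE allowed. Failed evaluations are
  -- audited and reported to the caller with the custom code and message.
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Can not drop table in business time',
    description     => 'Allow DROP TABLE only outside the business window',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ANY,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'Can not drop table in business time',
    fail_code       => -20001,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  -- Two rules: before 11:45 or after 11:55 (HH24MI = 24-hour clock, minutes).
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'RULE1',
    rule_expr => 'TO_CHAR(SYSDATE,''HH24MI'') < ''1145''');
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'RULE2',
    rule_expr => 'TO_CHAR(SYSDATE,''HH24MI'') > ''1155''');

  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Can not drop table in business time',
    rule_name     => 'RULE1',
    rule_order    => 1,
    enabled       => DBMS_MACUTL.G_YES);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Can not drop table in business time',
    rule_name     => 'RULE2',
    rule_order    => 2,
    enabled       => DBMS_MACUTL.G_YES);

  -- Command rule: every DROP TABLE on an object owned by SCOTT must pass
  -- the rule set, regardless of who issues it (SYSDBA included).
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'DROP TABLE',
    rule_set_name => 'Can not drop table in business time',
    object_owner  => 'SCOTT',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/

-- Confirm the configuration from the DVSYS dictionary views.
SELECT rule_set_name, enabled, eval_options_meaning
  FROM DVSYS.DBA_DV_RULE_SET
 WHERE rule_set_name = 'Can not drop table in business time';

SELECT command, object_owner, object_name, rule_set_name, enabled
  FROM DVSYS.DBA_DV_COMMAND_RULE
 WHERE command = 'DROP TABLE';
```

Keeping the two boundary values in rules rather than in a single expression is what makes the Any True evaluation work: each rule covers one side of the window, and the rule set is TRUE as soon as either side matches, which is exactly the OR the article describes. The audit option is the part worth keeping even in a lab: a DROP that was refused is a record you want to see when reviewing DBA activity.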

5.2. Example 2: users are only allowed to log in to the database with specific tools (applications)

In practice we often meet this situation: application developers know the application user's password and can connect to the production database with tools such as SQL*Plus or PL/SQL Developer. If they confuse the production and test databases, a tragedy may follow. The best solution is to restrict the tools the application user may use: only the middleware should be allowed to connect as this user, and no other tool.

This example uses a Factor. First we create a Factor that returns the Module of the user's session:

1) Create a factor:

Name: Module
Factor type: Application
Factor identification: By Method
Factor evaluation: By Access
Factor labeling: By Self
Retrieval method: UPPER(SYS_CONTEXT('USERENV','MODULE'))

Click Create.

2) Log in to the database with SQL*Plus and check the value this Factor returns:

SYS@orcl > select dvf.f$module from dual;

F$MODULE
------------------------
SQLPLUS@S11 (TNS V1-V3)

A Factor is referenced as DVF.F$ followed by the factor name. Logging in locally on Linux, Module is shown above; logging in remotely from Windows, the value of Module is "SQLPLUS.EXE".

3) Create a Rule Set named "Limit SQL*PLUS":

Name: Limit SQL*PLUS
Status: enabled
Evaluation option: Any True
Error handling option: failure code -20002
Failure message: can't login
Custom event handler option: disable handlers

4) Create the rules:

RULE3: DVF.F$MODULE LIKE 'SQLPLUS%' AND DVF.F$SESSION_USER IN ('SYS','SYSTEM','DV_MANAGER')
RULE4: DVF.F$MODULE NOT LIKE 'SQLPLUS%'

5) Create a Command Rule:

Command: CONNECT
Status: enabled
Object owner: %
Object name: %
Rule set: Limit SQL*PLUS

6) Effect

With this rule, users other than SYS, SYSTEM and DV_MANAGER cannot log in with SQL*Plus, whether locally or remotely.

23:58:44 SYS@orcl > conn / as sysdba
Connected.
00:12:28 SYS@orcl > conn scott/tiger@s11
ERROR:
ORA-47306: 20002: can't login

Warning: You are no longer connected to ORACLE.

Logging in with SQL Developer works as normal.
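The factor, rule set and CONNECT command rule of this example through the DBMS_MACADM API, as an added example that is not the article's own code. It is run as dbvowner, keeps the article's names and expressions, and follows the 11gR2 parameter order of DVSYS.DBMS_MACADM (CREATE_FACTOR's identify_by, labeled_by and eval_options map to the "By Method", "By Self" and "By Access" choices above). The final query reads the DVSYS audit trail; its column names are those of 11gR2 as I recall them and should be checked against your release. Two practitioner notes: MODULE is a value reported by the client, so this rule reliably stops a developer from opening the production database in SQL*Plus by mistake, which is the article's goal, but it does not replace keeping the application password out of developers' hands; and because a CONNECT rule applies to every session, the administrative accounts that use SQL*Plus must stay in RULE3's list, otherwise the rule locks the administrator out.

```sql
-- Added example (not from the original article): Example 2 built with the
-- DVSYS.DBMS_MACADM API. Run as dbvowner. Parameter order follows the 11gR2
-- DBMS_MACADM reference; names and expressions are the article's.
BEGIN
  -- Factor "Module": value retrieved by the get_expr method on every access,
  -- labeled by itself, with no rule set of its own and silent failure.
  DBMS_MACADM.CREATE_FACTOR(
    factor_name      => 'Module',
    factor_type_name => 'Application',
    description      => 'Client program name from the session context',
    rule_set_name    => NULL,
    get_expr         => 'UPPER(SYS_CONTEXT(''USERENV'',''MODULE''))',
    validate_expr    => NULL,
    identify_by      => DBMS_MACUTL.G_IDENTIFY_BY_METHOD,
    labeled_by       => DBMS_MACUTL.G_LABELED_BY_SELF,
    eval_options     => DBMS_MACUTL.G_EVAL_ON_ACCESS,
    audit_options    => DBMS_MACUTL.G_AUDIT_OFF,
    fail_options     => DBMS_MACUTL.G_FAIL_SILENTLY);

  -- Rule set: ANY rule true => the CONNECT is allowed.
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Limit SQL*PLUS',
    description     => 'Only administrative accounts may connect from SQL*Plus',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ANY,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'can''t login',
    fail_code       => -20002,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  -- RULE3: SQL*Plus is fine for the listed administrative accounts.
  -- RULE4: any other client program is fine for everyone.
  -- Keep every admin account that uses SQL*Plus in RULE3, or it is locked out.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'RULE3',
    rule_expr => 'DVF.F$MODULE LIKE ''SQLPLUS%'' AND ' ||
                 'DVF.F$SESSION_USER IN (''SYS'',''SYSTEM'',''DV_MANAGER'')');
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'RULE4',
    rule_expr => 'DVF.F$MODULE NOT LIKE ''SQLPLUS%''');

  DBMS_MACADM.ADD_RULE_TO_RULE_SET('Limit SQL*PLUS', 'RULE3', 1, DBMS_MACUTL.G_YES);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET('Limit SQL*PLUS', 'RULE4', 2, DBMS_MACUTL.G_YES);

  -- CONNECT command rule with owner/object '%': evaluated for every session.
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'CONNECT',
    rule_set_name => 'Limit SQL*PLUS',
    object_owner  => '%',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/

-- Before relying on the rule, confirm what the factor resolves to for the
-- session you are in (the article does this with select dvf.f$module).
SELECT DVF.F$MODULE AS module_value, DVF.F$SESSION_USER AS session_user
  FROM DUAL;

-- Detection: connections refused by the rule set land in the DV audit trail
-- (column names as in 11gR2; verify against your release).
SELECT username, userhost, timestamp, rule_set_name, action_command, returncode
  FROM DVSYS.AUDIT_TRAIL$
 WHERE rule_set_name = 'Limit SQL*PLUS'
 ORDER BY timestamp DESC;
```

Running the DUAL query from the middleware's own connection, not only from SQL*Plus, is the check that matters: it shows the exact MODULE string the application presents, so RULE4 can be narrowed to that value later instead of accepting everything that is not SQL*Plus.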

5.3. Example 3: using the Dual Key security feature

In the real world we want the DBA to follow procedure, for example notifying the OGG (Oracle GoldenGate) stakeholders before changing a table structure, or, for extra safety, having major DBA actions approved by a manager first. DV can use its Dual Key capability to meet this requirement.

Put simply, we write a stored procedure that determines whether the person who must be notified is currently logged in; if so, the operation is allowed. That person only needs CONNECT privilege on the database: once notified, their act of logging in becomes the authorization or confirmation.

Specific steps:

1) First, grant the DV administrator access to the dictionary view and the privilege to create stored procedures:

SQL> GRANT CREATE PROCEDURE TO DBVOWNER;
SQL> GRANT SELECT ON V_$SESSION TO DBVOWNER;

2) Create a stored procedure

We assume the approving user is SYSTEM and the user performing the operation is SCOTT. The function that determines whether SYSTEM is online is as follows:

CREATE OR REPLACE FUNCTION check_boss_logged_in
  RETURN VARCHAR2
  AUTHID DEFINER
AS
  v_session_number NUMBER := 0;
  v_allow          VARCHAR2(10) := 'TRUE';
  v_deny           VARCHAR2(10) := 'FALSE';
BEGIN
  -- Count the live sessions of the approving account (SYSTEM in this example)
  SELECT COUNT(*)
    INTO v_session_number
    FROM SYS.V_$SESSION
   WHERE USERNAME = 'SYSTEM';

  IF v_session_number > 0 THEN
    RETURN v_allow;
  ELSE
    RETURN v_deny;
  END IF;
END check_boss_logged_in;
/

Create this function as the DV owner and grant DVSYS the right to execute it:

SQL> conn dbvowner/Abcd_1234
SQL> GRANT EXECUTE ON check_boss_logged_in TO DVSYS;

3) Create a Rule Set:

Name: Dual Key
Evaluation option: Any True

The rules are as follows:

RULE5: SYS_CONTEXT('USERENV','SESSION_USER') = 'SCOTT' AND DBVOWNER.CHECK_BOSS_LOGGED_IN = 'TRUE'
RULE6: SYS_CONTEXT('USERENV','SESSION_USER') != 'SCOTT'

4) Create a Command Rule:

Command: ALTER TABLE
Object owner: SCOTT
Rule set: Dual Key

5) Effect (failure case)

The effect of this Command Rule is that if user SCOTT wants to ALTER a table owned by SCOTT, the approving user must be online at the same time; otherwise the statement fails with a permission error. Other users modifying tables under SCOTT are not subject to this restriction (RULE6).

The final effect:

If the SYSTEM user is not online, an ALTER TABLE by SCOTT fails with an error.

Only when SCOTT notifies SYSTEM, or obtains SYSTEM's approval through the process, and SYSTEM logs in to the database to represent that confirmation, can SCOTT modify the table structure.

6. Details of using the Data Pump tool with Oracle Vault

The principle of Oracle Vault is the separation of security responsibilities. Instead of the database administrator sys carrying the security responsibility as before, separate security personnel, dbvowner and the dbv account manager, become the centre of security configuration. Then several security zones are set up at the behavior, realm and other levels, with additional protection policies that shield the data from the administrator.

Database administrators can still administer but cannot access specific sensitive areas. Security officers can grant security authorizations but have no administrator authority over data (system privileges and data privileges), so security officers cannot access sensitive data either.

There are gaps in this process, for instance the administrator could change the security officer's password and take over the security officer's rights, so after installing Oracle Vault there are default realms and command rules that strictly restrict the administrator.

In addition, some day-to-day administrator operations, such as using DB Control, Data Pump and Recovery Manager, run the risk of hitting security realm rules. How does Oracle handle this situation? This article starts with Data Pump and gives a brief discussion.

6.1. Data Pump and Vault

Oracle Data Pump is the data export and import tool introduced with Oracle 10g. As the successor to Exp/Imp, Data Pump supports many newer Oracle features and also has distinct advantages for large data volumes.

If we study how Data Pump operates, we can see that a Data Pump import is not one monolithic action but a collection of actions. For example, when importing data into a schema, if the target database does not have that user, Data Pump creates it. This step is really an ordinary CREATE USER statement being executed.

Therefore export and import is a process that combines many (system) privileges. This is why the privileges for importing and exporting databases in Oracle are two roles (Import/Export Full Database).

So if the administrator (backup operator) needs to import or export sensitive data, sensitive information must be touched. How do we configure this in the Oracle Vault environment?

6.2. Default behavior configuration

For the experiment we use Oracle 11gR2, with the Vault components already configured. The SCOTT data is protected so that even the sys administrator cannot access it.

Create the directory object dumps in Oracle, then try to export:

$ expdp \"/ as sysdba\" directory=dumps schemas=scott dumpfile=scottvault_%U.dmp

From the error message we can see that Data Pump works by calling a series of packages to export the data. sys has the privilege to export data, but by default, as soon as it touches sensitive information the job fails with an error.

6.3. Additional authorization

In a Vault environment, Oracle requires additional authorization for some administrative operations. The DBMS_MACADM package is used to authorize specific administrative operations.

Performing this authorization as sys may fail with an insufficient-privilege error.

In Oracle Vault, all authorization for sensitive areas is managed through dbvowner.

SQL> conn dbvowner/Abcd_1234@ora11g
SQL> exec dbms_macadm.authorize_datapump_user('SYS')

Call the expdp program again:

$ expdp \"/ as sysdba\" directory=dumps schemas=scott dumpfile=scottvault.dmp

The export now succeeds.
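The article's call authorizes SYS for every schema and table. As an added example (not the article's code), the same authorization with the optional schema and table arguments of DBMS_MACADM.AUTHORIZE_DATAPUMP_USER, which in 11gR2 default to '%', the dictionary view for reviewing current authorizations, and the matching revocation once the job is done. It is run as dbvowner; the SCOTT scope is the article's, and the column names of DBA_DV_DATAPUMP_AUTH are as I recall them from 11gR2 and should be checked against your release.

```sql
-- Added example (not from the original article): scoping and revoking the
-- Data Pump authorization from section 6.3. Run as dbvowner. Procedure
-- signatures follow the 11gR2 DBMS_MACADM reference.
BEGIN
  -- Article's step, equivalent to schema '%' and table '%' (everything):
  -- DBMS_MACADM.AUTHORIZE_DATAPUMP_USER('SYS');

  -- Narrower grant: SYS may export/import only objects owned by SCOTT.
  -- The realm stays in force for every other schema.
  DBMS_MACADM.AUTHORIZE_DATAPUMP_USER(
    user_name   => 'SYS',
    schema_name => 'SCOTT',
    table_name  => '%');
END;
/

-- Review what is currently authorized; this is the list to check periodically,
-- since each row is a standing exception to realm protection for that grantee.
-- (Column names as in 11gR2; verify against your release.)
SELECT grantee, schema, object
  FROM DVSYS.DBA_DV_DATAPUMP_AUTH
 ORDER BY grantee, schema, object;

-- Revoke with the same scope once the backup or migration job has finished.
BEGIN
  DBMS_MACADM.UNAUTHORIZE_DATAPUMP_USER(
    user_name   => 'SYS',
    schema_name => 'SCOTT',
    table_name  => '%');
END;
/
```

The revocation has to match the scope that was granted: an authorization for SCOTT/% is not removed by revoking SYS for '%'/'%', and a blanket grant left in place after a one-off export quietly turns the backup operator back into someone who can read every protected realm through Data Pump.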

6.4. Import sensitive data action

Now imagine a scenario. A data object located in a security realm is exported to a dmp file (or backed up to other media). After it is restored into another environment, do the security rules still apply?

We test this by importing the dmp file we just exported back into the database.

-- Import into the same database, a different schema
$ impdp \"/ as sysdba\" dumpfile=scottvault.dmp directory=dumps remap_schema=scott:test

Once the import succeeds, check whether the Vault restriction still applies.

SQL> conn sys/oracle@ora11g as sysdba
SQL> select * from scott.emp;
SQL> select * from test.bonus;

After arriving in the new environment, the data restrictions are gone.

6.5. Conclusion and discussion

Finding that data imported from a protected realm is no longer protected, some readers are puzzled and consider this a defect in Oracle. On this question the author takes the same position as Oracle.

First, Vault is essentially a system-level access-control technology, not a data-encryption technology. If you need encryption, consider TDE or application-side encryption. Vault is a control mechanism at the access level, so it is reasonable that data which has been legitimately read and retained is in plain form.

Second, an export requires additional authorization in Oracle Vault. Oracle's view is that once the security administrator has explicitly allowed a specific user to export sensitive data, the security responsibility has been transferred out of the system to that user. This is also reasonable.

Finally, the essence of Vault is to "guard against our own people", and that is the limit of what Oracle Vault can do. Security is a many-sided problem, and no single technical measure avoids all problems; when nothing can be trusted, we still have to trust something.

Note: in 11gR2, use of Exp/Imp in a Vault environment has been removed; Data Pump is the only option.

7. Vault uninstall

Reposted from: https://www.linuxidc.com/Linux/2014-05/101102.htm

Oracle Vault is an important part of Oracle's three security technologies. Compared with the other two, Label Security and VPD (Virtual Private Database), Oracle Vault embodies operations-management structure and the configuration of security rules. After Vault is installed and configured, the original sys superuser's security role is stripped away, and data, operations and resources are restricted according to rules. It is fair to say that only with Vault can the behaviour of data administrators really be controlled.

This article focuses on how to uninstall Vault, based on 11gR2. Note: the uninstall procedure differs between Oracle Vault versions, especially in the relink step.

7.1. Prepare before uninstalling

Oracle Vault involves several parts of the database: the DVA component bound into OEM as a web application, the internal dbvowner and account-manager objects, and the adjusted role privileges. Before the formal uninstall, we need to shut down the database and the related components.

Shut down the database completely:

SQL> conn / as sysdba
SQL> shutdown immediate

Stop the listener:

[oracle@SimpleLinux ~]$ lsnrctl stop

Stop the DB Console web application:

[oracle@SimpleLinux ~]$ emctl stop dbconsole
[oracle@SimpleLinux ~]$ emctl status dbconsole

7.2. Disable Vault

Vault is a component that is not enabled by default. Installing Vault actually relinks the oracle executable, and uninstalling it requires relinking the oracle executable again.

First carry out the disable step:

[oracle@SimpleLinux ~]$ cd $ORACLE_HOME/rdbms/lib
[oracle@SimpleLinux lib]$ make -f ins_rdbms.mk dv_off ioracle

Note: on 11gR2 you can use chopt to disable dv instead:

[oracle@SimpleLinux lib]$ chopt disable dv
Writing to /u01/app/oracle/install/disable_dv.log...
/usr/bin/make -f /u01/app/oracle/rdbms/lib/ins_rdbms.mk dv_off ORACLE_HOME=/u01/app/oracle
/usr/bin/make -f /u01/app/oracle/rdbms/lib/ins_rdbms.mk ioracle ORACLE_HOME=/u01/app/oracle

Start the listener; by this time Oracle is usually started automatically.

[oracle@SimpleLinux lib]$ lsnrctl start

Check that the database is up.

7.3. Operation in database

After the relink, some objects in the database still have to be handled manually. In some versions several triggers must be disabled by hand; the version used by the author does not need this.

SQL> alter trigger dvsys.dv_before_ddl_trg disable;
SQL> alter trigger dvsys.dv_after_ddl_trg disable;

Determine the user names of the custom owner and account manager:

SQL> conn sys/oracle@ora11g as sysdba
SQL> select unique grantee from dba_role_privs where granted_role in ('DV_ACCTMGR','DV_OWNER') and grantee <> 'DVSYS';

GRANTEE
------------------------------
DBVOWNER
DBVACCTMGR

In 11gR1 an update is required:

SQL> update dvsys.config$ set status=0;
SQL> commit;

Before proceeding, make sure the recyclebin is off and restart the database:

SQL> alter system set recyclebin=off scope=spfile;
SQL> shutdown immediate
SQL> startup

Run the Vault removal script to delete the data:

SQL> @?/rdbms/admin/dvremov.sql

What it does: the DVSYS and DVF users and the DV roles are removed.

Delete the custom account manager and owner users:

SQL> drop user dbvowner cascade;
SQL> drop user dbvacctmgr cascade;

On 11gR1 the network ACL must be dropped manually. In 11gR2 this step is included in the script and does not need to be run.

SQL> conn / as sysdba
SQL> exec DBMS_NETWORK_ACL_ADMIN.DROP_ACL('/sys/acls/dvsys-network-privileges.xml')
SQL> commit;

Re-enable the recyclebin and restart the database:

SQL> alter system set recyclebin=on scope=spfile;
SQL> startup force

Verify that the removal succeeded:

SQL> col parameter for a30
SQL> select * from v$option where parameter='Oracle Database Vault';

PARAMETER                      VALUE
------------------------------ ------
Oracle Database Vault          FALSE

7.4. Conclusion

Oracle Vault is a fairly complete solution for data privileges and functional privileges, and it plays an important role in practice. The uninstall method is written down here for those who need it.
