Ensure that the value of the NLS_LANGUAGE initialization parameter matches the locale and NLS settings (either the NLS_LANG or LANG environment variables) used by the operating system of the computer on which Oracle Database is installed. If these values are inconsistent, then Database Vault Administrator does not display the default realms, command rules, rule sets, or factors.
For example, if the operating system locale (the variable $LANG) setting is en_US.UTF-8, then you must set the corresponding NLS_LANG environment variable to AMERICAN_AMERICA.AL32UTF8 and the database NLS_LANGUAGE initialization parameter value to be AMERICAN. The database NLS_LANGUAGE parameter is derived from the operating system NLS_LANG environment variable.
For more information about checking and configuring locale and NLS settings, see the appendix that covers globalization support in the Oracle Database Installation Guide for your platform.
If you have created an Oracle database manually, and have configured Oracle Enterprise Manager Database Control by using Enterprise Manager Configuration Assistant, you must manually deploy Oracle Database Vault Administrator. This procedure deploys Database Vault Administrator in the same OC4J container as the current Enterprise Manager, rather than creating a new application.
This section contains:
Deploying Database Vault Administrator to a Standalone OC4J Container
Deploying Database Vault Administrator to the Database Console OC4J Container
You can manually deploy Database Vault Administrator to the Oracle Application Server Containers for J2EE (OC4J) home, which by default is in the $ORACLE_HOME/oc4j/j2ee/home directory.
To manually deploy Database Vault Administrator:
Edit the file $ORACLE_HOME/oc4j/j2ee/home/config/server.xml. Enter the following line just before the last line that reads, </application-server>:
<application name="dva" path="Oracle_home_dir/dv/jlib/dva_webapp.ear" auto-start="true" />
Replace Oracle_home_dir with the relative or direct path to the Oracle home directory. (You cannot enter the $ORACLE_HOME environment variable.)
For example:
<application name="dva" path="/u00/app/oracle/oracle/product/dv12/dv/jlib/dva_webapp.ear" auto-start="true" />
Edit the file $ORACLE_HOME/oc4j/j2ee/home/config/http-web-site.xml. Enter the following line just above the last line that reads, </web-site>:
<web-app application="dva" name="dva_webapp" root="/dva" />
Edit the file $ORACLE_HOME/oc4j/j2ee/home/config/global-web-application.xml. Search for <servlet-class>oracle.jsp.runtimev2.JspServlet</servlet-class>. Uncomment the following lines after this:
<init-param> <param-name>main_mode</param-name> <param-value>justrun</param-value> </init-param>
Create the following directory:
mkdir -p $ORACLE_HOME/dv/jlib/sysman/config
Create the database connection configuration file, emoms.properties, in the configuration directory that you just created. Add the following lines to the file:
oracle.sysman.emSDK.svlt.ConsoleMode=standalone oracle.sysman.eml.mntr.emdRepRAC=FALSE oracle.sysman.eml.mntr.emdRepDBName=oracle_sid oracle.system.eml.mntr.emdRepConnectDescriptor=TNS_connection_string
Follow these instructions:
For an Oracle RAC environment, set oracle.sysman.eml.mntr.emdRepRAC to TRUE.
For oracle.sysman.eml.mntr.emdRepConnectDescriptor, you can use an alias from $ORACLE_HOME/network/admin/tnsnames.ora. Alternatively, you can use the following syntax:
oracle.sysman.eml.mntr.emdRepConnectDescriptor=
(DESCRIPTION\=
(ADDRESS_LIST\=(ADDRESS\=(PROTOCOL\=TCP) (HOST\=HOSTNAME)(PORT\=PORT)))
(CONNECT_DATA\=
(SERVICE_NAME\=ORACLE_SID))
Ensure that the correct environment variables are set.
For example:
ORACLE_SID=orcl export ORACLE_SID ORACLE_HOME=/u00/app/oracle/product/11.2 export ORACLE_HOME LD_LIBRARY_PATH=$ORACLE_HOME/bin:$ORACLE_HOME/lib:$ORACLE_HOME/jdbc/lib export LD_LIBRARY_PATH PATH=$ORACLE_HOME/bin:$ORACLE_HOME/jdk/bin:$PATH export PATH
Set the LD_LIBRARY_PATH variable to use the OCI-based JDBC libraries.
Start OC4J using the following syntax:
$ORACLE_HOME/jdk/bin/java -Djava.awt.headless=true -DEMDROOT=$ORACLE_HOME/dv/jlib -jar $ORACLE_HOME/oc4j/j2ee/home/oc4j.jar -userThreads -config $ORACLE_HOME/oc4j/j2ee/home/config/server.xml
After you complete these steps, you can start Database Vault Administrator. The HTTP port defaults to 8888 for this environment. Use the following syntax for the URL:
http://hostname:8888/dva
To manually deploy Database Vault Administrator to the Database Console OC4J container:
Stop Oracle Database Console.
UNIX: Go to the $ORACLE_HOME/bin directory and run the following command:
./emctl stop dbconsole
Windows: In the Administrative Services, select the Services utility, and then right-click the OracleDBConsolesid service. Select Stop from the menu.
Create a backup copy and then open the $ORACLE_HOME/oc4j/j2ee/OC4J_DBConsole_service_name/config/server.xml file.
Add the following line before the </application-server> element:
<application name="dva" path="$ORACLE_HOME/dv/jlib/dva_webapp.ear" parent="default" start="true" />
On both UNIX and Windows systems, replace $ORACLE_HOME with the absolute path to your Oracle Database home.
Create a backup copy and then open the $ORACLE_HOME/oc4j/j2ee/OC4J_DBConsole_service_name/config/http-web-site.xml file.
Add the following line before the </web-site> element:
<web-app application="dva" name="dva_webapp" load-on-startup="true" root="/dva" shared="true"/>
Restart Oracle Database Console.
UNIX: Go to the $ORACLE_HOME/bin directory and run the following command:
./emctl start dbconsole
Windows: In the Administrative Services, select the Services utility, and then right-click the OracleDBConsolesid service. Select Start from the menu.
After you complete these steps, you can start Oracle Database Vault Administrator by using the following URL:
https://hostname:port/dva
For example:
https://myserver:1158/dva
If you are unsure of the port number, open the ORACLE_HOME/host_sid/sysman/config/emd.properties file and search for REPOSITORY_URL. In most cases, the host name and port number are the same as Oracle Enterprise Manager Database Control.
By default, an Oracle Database Vault session lasts 35 minutes. If you want the session to last for a different time, follow the steps in this section.
To set the session time for Oracle Database Vault Administrator:
Back up the web.xml file, which by default is in the $ORACLE_HOME/dv/jlib/dva_webapp/dva_webapp/WEB-INF directory.
In a text editor, open the web.xml file.
Search for the following setting:
<session-config> <session-timeout>35</session-timeout> </session-config>
Change the <session-timeout> setting to the amount of time in minutes that you prefer.
Save and close the web.xml file.
Stop and restart the Database Vault Administrator.
UNIX: Go to the $ORACLE_HOME/bin directory and run the following command:
./emctl stop dbconsole ./emctl start dbconsole
Windows: In the Administrative Services, select the Services utility, and then right-click the OracleDBConsolesid service. Select Stop from the menu. After the console stops, select Start.
You can configure Database Vault Administrator to make data accessible and usable to the disabled community. The following sections explain how to enable Database Vault Administrator for full accessibility.
Enabling Oracle Database Vault Administrator Accessibility Mode
Providing Textual Descriptions of Database Vault Administrator Charts
Oracle Database Vault Administrator takes advantage of user interface development technologies that improve the responsiveness of some user operations. For example, when you navigate to a new record set in a table, Oracle Database Vault Administrator does not redisplay the entire HTML page. However, this performance-improving technology is generally not supported by screen readers. To disable this feature, and as a result, make the Database Vault Administrator HTML pages more accessible for disabled users, use the following procedure.
To enable the display of an entire HTML page:
Locate the uix-config.xml configuration file.
By default, the uix-config.xml file is in the following directory:
$ORACLE_HOME/oc4j/j2ee/oc4j_applications/applications/em/em/WEB-INF
Open the uix-config.xml file using a text editor and locate the following entry:
<!-- An alternate configuration that disables accessibility features --> <default-configuration> <accessibility-mode>inaccessible</accessibility-mode> ... </default-configuration>
Change the value of the accessibility-mode property from inaccessible to accessible.
Save and close the uix-config.xml file.
Restart Database Vault Administrator.
The Monitor page of Database Vault Administrator displays security policy data in a chart. However, charts do not convey information in a manner that can be read by a screen reader. To remedy this problem, you can configure Database Vault Administrator to provide a complete textual representation of each chart. By default, support for the textual representation of charts is disabled. When textual description for charts is enabled, Database Vault Administrator displays a textual representation of the chart data.
To enable the textual representation of charts:
Locate the web.xml configuration file.
To locate the web.xml file in a Oracle Database 10g installation, change directory to the following location in the Oracle home:
$ORACLE_HOME/dv/jlib/dva_webapp/dva_webapp/WEB-INF/
Open the web.xml file with your favorite text editor and locate the following six lines of the file:
<!-- Uncomment this to enable textual chart descriptions <context-param> <param-name>enableChartDescription</param-name> <param-value>true</param-value> </context-param> -->
Remove comments from this section by deleting the first line and the last line of this section so that the section consists of only these four lines:
<context-param> <param-name>enableChartDescription</param-name> <param-value>true</param-value> </context-param>
Save and exit the web.xml file.
Restart Database Vault Administrator.
After you install Oracle Database Vault for an Oracle Real Application Clusters (Oracle RAC) instance, complete the following procedure for each Oracle RAC node. This procedure assumes that you have a separate Oracle home for each node.
Log in to SQL*Plus as user SYS with the SYSDBA privilege.
sqlplus sys as sysdba
Enter password: password
Run the following ALTER SYSTEM statements:
ALTER SYSTEM SET AUDIT_SYS_OPERATIONS=TRUE SCOPE=SPFILE; ALTER SYSTEM SET OS_ROLES=FALSE SCOPE=SPFILE; ALTER SYSTEM SET RECYCLEBIN='OFF' SCOPE=SPFILE; ALTER SYSTEM SET REMOTE_LOGIN_PASSWORDFILE='EXCLUSIVE' SCOPE=SPFILE; ALTER SYSTEM SET SQL92_SECURITY=TRUE SCOPE=SPFILE;
Restart Oracle Database.
CONNECT SYS/AS SYSOPER
Enter password: password
SHUTDOWN IMMEDIATE
STARTUP
By default, Oracle Database Vault loads only the English language tables. You can add more languages by running the DBMS_MACADM.ADD_NLS_DATA procedure for each new language that you want to add. You can add more than one language to Database Vault.
To add a new language to Oracle Database Vault:
Log into SQL*Plus as a user who has been granted the DV_OWNER or DV_ADMIN role.
Run the following procedure:
EXEC DBMS_MACADM.ADD_NLS_DATA('language');
You can specify the language setting using any case. For example:
EXEC DBMS_MACADM.ADD_NLS_DATA('french');
EXEC DBMS_MACADM.ADD_NLS_DATA('JAPANESE');
Replace language with one of the following supported languages:
The following procedure removes Oracle Database Vault from an Oracle Database installation. It applies to both single-instance and Oracle RAC installations. The deinstallation process does not affect the initialization parameter settings, even those settings that were modified during the installation process.
To deinstall Oracle Database Vault:
Stop the database, Database Control console process, and listener.
For example:
sqlplus sys as sysoper Enter password: password Connected. SQL> SHUTDOWN IMMEDIATE SQL> EXIT $ emctl stop dbconsole $ lsnrctl stop [listener_name]
For Oracle RAC installations, shut down each database instance as follows:
$ srvctl stop database -d db_name
On Windows, you can stop the database, Database Control console process, and listener from the Services tool in the Control Panel. The names of Oracle Database services begin with Oracle.
Run the following commands to turn off Oracle Database Vault and Oracle Label Security:
$ cd $ORACLE_HOME/rdbms/lib $ make -f ins_rdbms.mk dv_off lbac_off ioracle
Log in to SQL*Plus and then restart the database, Database Control console process, and listener.
For example:
SQL> STARTUP
SQL> EXIT
$ emctl stop dbconsole
$ lsnrctl start [listener_name]
For each instance in an Oracle RAC installation:
$ srvctl start database -d db_name
On Windows, you can restart the database, Database Control console process, and listener from the Services tool in the Control Panel. The names of Oracle Database services begin with Oracle.
In SQL*Plus, log in as user SYS with the SYSDBA privilege.
Disable the recycle bin.
To check if the recycle bin is enabled, enter the following command:
SQL> SHOW PARAMETER RECYCLEBIN
If the recycle bin is enabled, then disable it as follows:
SQL> ALTER SYSTEM SET RECYCLEBIN = OFF SCOPE=SPFILE; SQL> SHUTDOWN IMMEDIATE SQL> STARTUP
Disabling the recycle bin does not purge or otherwise affect objects that are already in the recycle bin. For better security, keep the recycle bin disabled. See "Security Considerations for the Recycle Bin".
Run the following SQL script:
SQL> @$ORACLE_HOME/rdbms/admin/dvremov.sql
Manually drop the DV_OWNER and DV_ACCTMGR user accounts and the DV_REALM_RESOURCE and DV_REALM_OWNER roles.
SQL> DROP DBV_OWNER CASCADE; SQL> DROP DBV_ACCTMGR CASCADE; SQL> DROP DV_REALM_RESOURCE; SQL> DROP DV_REALM_OWNER;
Enable Oracle Label Security.
$ cd $ORACLE_HOME/rdbms/lib $ make -f ins_rdbms.mk lbac_on ioracle
Afterward, you can double-check that Oracle Database Vault is truly deinstalled by logging in to SQL*Plus and entering the following statement:
SQL> SELECT * FROM V$OPTION WHERE PARAMETER = 'Oracle Database Vault';
If Oracle Database Vault is deinstalled, the following output appears:
PARAMETER VALUE ----------------------------- ----------------------- Oracle Database Vault FALSE
To reinstall Oracle Database Vault, follow the procedure under "Registering (Enabling) Oracle Database Vault".