Oracle® Database Vault Administrator's Guide 11g Release 1 (11.1) Part Number B31222-01 |
You may have to disable Oracle Database Vault to perform upgrade tasks or correct erroneous configurations. You can reenable Oracle Database Vault after you complete the corrective tasks.
This chapter includes the following sections:
The following situations require you to disable Oracle Database Vault:
The password for the Oracle Database Vault account manager (with role DV_ACCTMGR) has been forgotten.
The Database Vault Owner (with role DV_OWNER) or Database Vault Administrator (with role DV_ADMIN) accounts have been inadvertently locked out.
A rule set associated with the CONNECT role has been configured incorrectly, resulting in failed database logins for all accounts, including those with the DV_OWNER or DV_ADMIN role who could correct the problem.
You must perform maintenance tasks on Oracle Database Vault.
You must install any of the Oracle Database optional products, such as Oracle Spatial Data Option or Oracle interMedia, by using Database Configuration Assistant (DBCA).
You are about to install a third-party product, install an Oracle product, or perform an Oracle patch update whose installation may be prevented if Oracle Database Vault is running.
You need to archive the Oracle Database Vault audit trail.
This section contains the following topics:
Note:
After you disable Oracle Database Vault, you still can run the Oracle Database Vault API functions. Note also that after you disable Oracle Database Vault, the ANY privileges are available.
Follow these steps to disable Oracle Database Vault on UNIX systems:
1. Turn off the software processes. Make sure that the environment variables ORACLE_HOME, ORACLE_SID, and PATH are correctly set.
Stop the dbconsole process in case it is running. For both single-instance and Oracle Real Application Clusters installations, use the following command:
$ emctl stop dbconsole
For single-instance installations, shut down the database instance:
$ sqlplus "sys / as sysoper"
Enter password: password
SQL> SHUTDOWN IMMEDIATE
SQL> EXIT
For Oracle Real Application Clusters (RAC) installations, shut down each database instance as follows:
$ srvctl stop database -d db_name -c "sys/sys_passwd as sysoper"
If you cannot connect to the database, then proceed to the next step.
2. Relink the Oracle executable to turn off the Oracle Database Vault option:
$ cd $ORACLE_HOME/rdbms/lib
$ make -f ins_rdbms.mk dv_off
$ cd $ORACLE_HOME/bin
$ relink oracle
For RAC installations, run these commands on all nodes.
3. Start the database.
For single-instance database installations:
$ sqlplus "sys / as sysoper"
Enter password: password
SQL> STARTUP
SQL> EXIT
For RAC installations:
$ srvctl start database -d db_name -c "sys/sys_passwd as sysoper"
4. Run Oracle Database Vault Configuration Assistant (DVCA) by using the dvca -action disable option.
The syntax for dvca -action disable is as follows:
dvca -action disable -service service_name -instance Oracle_instance_name -dbname database_name -sys_passwd SYS_password -owner_account DV_owner_account_name -owner_passwd DV_owner_account_password [-logfile ./dvca.log] [-nodecrypt] [-racnode node]
In this specification:
-action is the action to perform. In this case the action is disable.
-service is the database service name.
-instance is the name of the database instance.
-dbname is the database name.
-sys_passwd is the SYS password. If you use a cleartext password on the command line, you must include the -nodecrypt option. If you omit the password, DVCA prompts you for it.
-owner_account is the Oracle Database Vault Owner account name.
-owner_passwd is the Oracle Database Vault Owner account password. If you use a cleartext password on the command line, you must include the -nodecrypt option. If you omit the password, DVCA prompts you for it.
-logfile is an optional flag to specify a log file name and location. You can enter an absolute path, or enter a path that is relative to the location of the $ORACLE_HOME/bin directory.
-silent is the option to run in command line mode. This option is required if you are not running DVCA in an xterm window.
-nodecrypt is the option to read plaintext passwords.
-lockout is the flag to use to disable SYSDBA operating system authentication.
For example:
dvca -action disable -oh $ORACLE_HOME -service myservicename -instance myinstance -dbname mydbname -owner_account myownername -logfile dvcalog.txt
Enter SYS password: sys_password
Enter owner password: owner_password
Follow these steps to disable Oracle Database Vault on Windows systems:
1. Stop the database service.
In the Control Panel, under Administrative Services, select the Services utility. Select the Standard tab, right-click the following services, and from the menu, select Stop:
OracleServiceSID
OracleHOMETNSListener
2. Under ORACLE_HOME\bin, rename the oradv10.dll file, for example, to oradv10_backup.dll.
3. Restart the database service.
In the Control Panel, under Administrative Services, select the Services utility. Select the Standard tab, right-click the following services, and from the menu, select Start:
OracleServiceSID
OracleHOMETNSListener
4. For RAC systems, repeat these steps for each node on which the database is installed.
5. Run Oracle Database Vault Configuration Assistant (DVCA) by using the dvca -action disable option.
The syntax for dvca -action disable is as follows:
dvca -action disable -service service_name -instance Oracle_instance_name -dbname database_name -sys_passwd SYS_password -owner_account DV_owner_account_name -owner_passwd DV_owner_account_password [-logfile ./dvca.log] [-nodecrypt] [-racnode node]
In this specification:
-action is the action to perform. In this case the action is disable.
-service is the database service name.
-instance is the name of the database instance.
-dbname is the database name.
-sys_passwd is the SYS password. If you use a cleartext password on the command line, you must include the -nodecrypt option. If you omit the password, DVCA prompts you for it.
-owner_account is the Oracle Database Vault Owner account name.
-owner_passwd is the Oracle Database Vault Owner account password. If you use a cleartext password on the command line, you must include the -nodecrypt option. If you omit the password, DVCA prompts you for it.
-logfile is an optional flag to specify a log file name and location. You can enter an absolute path, or enter a path that is relative to the location of the $ORACLE_HOME/bin directory.
-silent is the option to run in command line mode. This option is required if you are not running DVCA in an xterm window.
-nodecrypt is the option to read plaintext passwords.
-lockout is the flag to use to disable SYSDBA operating system authentication.
For example:
dvca -action disable -oh c:\oracle\product\11.1.0\db_1 -service myservicename -instance myinstance -dbname mydbname -owner_account myownername -logfile dvcalog.txt
Enter SYS password: sys_password
Enter owner password: owner_password
With Oracle Database Vault disabled, you can restart your database and perform the following tasks, as required:
If the Oracle Database Vault owner account, called MACSYS in this example, forgets his or her password, you can log in to a database instance as the SYSTEM or SYS account and create a new password for the Oracle Database Vault owner account as follows:
$ sqlplus "sys / as sysdba"
Enter password: password
Connected.
SQL> PASSWORD MACSYS
New password: new_password
Retype new password: new_password
Similarly, to unlock a locked account, log in to the database instance as SYSTEM or SYS, and then unlock the account. For example:
SQL> ALTER USER MACSYS ACCOUNT UNLOCK;
To correct a login or connect rule set error, use the DBMS_MACADM package or the Oracle Database Vault Administrator interface.
Note:
If you are using Oracle Database Vault Administrator, then you must start the dbconsole process. You can check the status of the dbconsole process by entering the following command from the $ORACLE_HOME/bin directory of the Oracle home in which you deployed Database Vault Administrator:
./emctl status dbconsole
To start dbconsole:
./emctl start dbconsole
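The following SQL*Plus session is an added example, not text from this guide: it shows one way to repair a CONNECT command rule whose rule set rejects every login, using the DBMS_MACADM package as the task above suggests. The DVSYS views, DBMS_MACADM procedures and DBMS_MACUTL constants are assumed to match the 11g Release 1 API reference (verify against your release); the rule set name 'Corporate Connections', the rule name 'Password Authenticated' and its expression are constructed for the example.

```sql
-- Added example, not from the Oracle guide. Run as the Database Vault Owner
-- (e.g. MACSYS) after Database Vault is disabled and the instance restarted.
-- Assumed, as in the 11.1 API reference (verify on your release): the DVSYS
-- views, DBMS_MACADM procedures and DBMS_MACUTL constants used below.
-- 'Corporate Connections' and 'Password Authenticated' are constructed names.

-- 1. Which rule set is attached to the CONNECT command rule?
SELECT command, rule_set_name, object_owner, object_name, enabled
  FROM dvsys.dba_dv_command_rule
 WHERE command = 'CONNECT';

-- 2. Which rules does that rule set evaluate? In this constructed case the
--    expression compares AUTHENTICATION_METHOD against lowercase 'password';
--    the context returns 'PASSWORD', so the rule is FALSE for every login.
SELECT rule_name, rule_expr, enabled
  FROM dvsys.dba_dv_rule_set_rule
 WHERE rule_set_name = 'Corporate Connections';

-- 3. Detach enforcement first: disable the CONNECT command rule so that
--    accounts can log in while the rule is being corrected.
BEGIN
  DBMS_MACADM.UPDATE_COMMAND_RULE(command => 'CONNECT',
    rule_set_name => 'Corporate Connections', object_owner => '%',
    object_name => '%', enabled => DBMS_MACUTL.G_NO);
END;
/

-- 4. Correct the rule expression (USERENV values are returned in uppercase).
BEGIN
  DBMS_MACADM.UPDATE_RULE(rule_name => 'Password Authenticated',
    rule_expr => 'SYS_CONTEXT(''USERENV'',''AUTHENTICATION_METHOD'') = ''PASSWORD''');
END;
/

-- 5. Evaluate the corrected expression in this session before re-enabling it.
SELECT CASE WHEN SYS_CONTEXT('USERENV','AUTHENTICATION_METHOD') = 'PASSWORD'
            THEN 'RULE PASSES' ELSE 'RULE FAILS' END AS check_result
  FROM dual;

-- 6. Re-enable the CONNECT command rule; then re-enable Database Vault and
--    test a login from a second session before closing this one.
BEGIN
  DBMS_MACADM.UPDATE_COMMAND_RULE(command => 'CONNECT',
    rule_set_name => 'Corporate Connections', object_owner => '%',
    object_name => '%', enabled => DBMS_MACUTL.G_YES);
END;
/
```

Keeping the repairing session open until a fresh login succeeds avoids locking yourself out a second time if the corrected expression is still wrong.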
You can perform the installation, upgrade, or other tasks that require security protections to be disabled. If you must run Oracle Database Vault Configuration Assistant (DVCA), ensure that the Oracle Database listener is running. To start the listener, run the following command from the $ORACLE_HOME/bin directory:
$ ./lsnrctl start
This section contains the following topics:
Use the following steps to enable Oracle Database Vault on UNIX systems:
1. Use DVCA to re-enable Oracle Database Vault.
For example:
dvca -action enable -oh $ORACLE_HOME -service myservicename -instance myinstance -dbname mydbname -owner_account myownername -logfile dvcalog.txt
Enter SYS password: sys_password
Enter owner password: owner_password
See Step 4 under "Disabling Oracle Database Vault on UNIX Systems" for detailed information about the DVCA syntax.
2. Turn off the software processes. Make sure that the environment variables ORACLE_HOME, ORACLE_SID, and PATH are correctly set.
Stop the dbconsole process in case it is running. For both single-instance and RAC installations, use the following command:
$ emctl stop dbconsole
Shut down the database instance.
For single-instance installations:
$ sqlplus "sys / as sysoper"
Enter password: password
Connected.
SQL> SHUTDOWN IMMEDIATE
SQL> EXIT
For RAC installations:
$ srvctl stop database -d db_name -c "sys/sys_passwd as sysoper"
3. Relink the oracle executable to turn on the Oracle Database Vault option:
$ cd $ORACLE_HOME/rdbms/lib
$ make -f ins_rdbms.mk dv_on
$ cd $ORACLE_HOME/bin
$ relink oracle
For RAC installations, run these commands on all nodes.
4. Start the database:
For single-instance database installations:
$ sqlplus "sys / as sysoper"
Enter password: password
Connected.
SQL> STARTUP
SQL> EXIT
For RAC installations:
$ srvctl start database -d db_name -c "sys/sys_passwd as sysoper"
Follow these steps to enable Oracle Database Vault on Windows systems:
1. Use DVCA to re-enable Oracle Database Vault.
For example:
dvca -action enable -oh c:\oracle\product\11.1.0\db_1 -service myservicename -instance myinstance -dbname mydbname -owner_account myownername -logfile dvcalog.txt
Enter SYS password: sys_password
Enter owner password: owner_password
See Step 5 under "Disabling Oracle Database Vault on Windows Systems" for detailed information about the syntax for DVCA.
2. Stop the database service.
In the Control Panel, under Administrative Services, select the Services utility. Select the Standard tab, right-click the following services, and from the menu, select Stop:
OracleServiceSID
OracleHOMETNSListener
3. Under ORACLE_HOME\bin, rename the backup of the oradv10.dll file to its original name. For example, if you named it oradv10_backup.dll, then rename it back to oradv10.dll.
4. Restart the database service.
In the Control Panel, under Administrative Services, select the Services utility. Select the Standard tab, right-click the following services, and from the menu, select Start:
OracleServiceSID
OracleHOMETNSListener
5. For RAC systems, repeat these steps for each node on which the database is installed.