Sunday, February 14, 2010

Oracle Database Vault

Features:

  • Protect application data from privileged users
  • Customizable separation-of-duty
  • Real time preventive controls
  • Out-of-the-box policies available for Oracle E-Business Suite, Siebel, PeopleSoft and JD Edwards EnterpriseOne Applications.


Oracle Database Vault enables you to restrict administrative access to an Oracle
database. This helps you address the most difficult security problems remaining today:
protecting against insider threats, meeting regulatory compliance requirements, and
enforcing separation of duty.

Oracle Database Vault Included in the Oracle Database Installation:

Starting with this release (11g), Oracle Database Vault is included as an installed program
with Oracle Database, except that you must register it with the database (similar to
Oracle Label Security). You no longer need to run Oracle Universal Installer to enable
Database Vault.

Integration with Oracle Enterprise Manager:

You can now perform a set of Oracle Database Vault functions from both Oracle
Database Enterprise Manager Database Control Release 11.2 and Grid Control Release
10.2.0.5. This integration also applies to Releases 9.2.0.8, 10.2.0.4, and 11.1.0.7 of Oracle Database Vault.

Components of Oracle Database Vault:

Oracle Database Vault has the following components:

  • Oracle Database Vault Access Control Components
  • Oracle Database Vault Administrator
  • Oracle Database Vault Configuration Assistant
  • Oracle Database Vault DVSYS and DVF Schemas
  • Oracle Database Vault PL/SQL Interfaces and Packages
  • Oracle Database Vault and Oracle Label Security PL/SQL APIs
  • Oracle Database Vault Reporting and Monitoring Tools


Oracle Database Vault Implementation:

Checking if Oracle Database Vault Is Enabled:

You can check if Oracle Database Vault is enabled by logging in to SQL*Plus and entering the following SELECT statement. The
PARAMETER column is case sensitive, so use the case shown here.

    SELECT * FROM V$OPTION WHERE PARAMETER = 'Oracle Database Vault';

To register Oracle Database Vault:

1. Stop the database, Database Control console process, and listener.
UNIX: Log in to SQL*Plus as user SYS with the SYSOPER privilege and shut
down the database. Then from the command line, stop the Database Control
console process and listener.
For example:

    $ sqlplus sys as sysoper
    Enter password: password
    SQL> SHUTDOWN IMMEDIATE
    SQL> EXIT
    $ emctl stop dbconsole
    $ lsnrctl stop [listener_name]

For Oracle RAC installations, shut down each database instance as follows:

    $ srvctl stop database -d db_name

2. Enable Oracle Database Vault as follows:
UNIX: Run the following commands. The make command enables both Oracle
Database Vault (dv_on) and Oracle Label Security (lbac_on). You must
enable Oracle Label Security before you can use Database Vault.

    $ cd $ORACLE_HOME/rdbms/lib
    $ make -f ins_rdbms.mk dv_on lbac_on ioracle

3. Restart the database and listener. (Do not restart the Database Control console
process yet.)
UNIX: Log in to SQL*Plus as user SYS with the SYSOPER privilege and restart
the database. Then from the command line, restart the listener.
For example:

    $ sqlplus sys as sysoper
    Enter password: password
    SQL> STARTUP
    SQL> EXIT
    $ lsnrctl start [listener_name]

For Oracle RAC installations, restart each database instance as follows:

    $ srvctl start database -d db_name

4. Start Database Configuration Assistant.
UNIX: Enter the following command at a terminal window:

    $ dbca

5. In the Welcome page, click Next.
The Operations page appears.
6. Select Configure Database Options, and then click Next.
The Database page appears.
7. From the list, select the database where you installed Oracle Database and then
enter the name and password of a user who has been granted the DBA role. Click
Next.
The Database Content page appears.
8. Perform one of the following actions:
  • If Oracle Label Security is already enabled: Select the Oracle Database Vault
    option, and then click Next.
  • If Oracle Label Security is not enabled: Select the Oracle Label Security
    option so that the Oracle Database Vault option becomes available for
    selection. Select the Oracle Database Vault option as well, and then click Next.
The Oracle Database Vault Credentials page appears.
9. Specify the name and password for the Database Vault Owner account (for
example, DBVOWNER) and the Database Vault Account Manager (for example,
DBVACCTMGR).
10. Click Next.
The Connection Mode page appears.
11. Select either Dedicated Server Mode or Shared Server Mode (depending on the
selection you made when you created this database), click Finish, and then click
OK in the confirmation prompts.
Database Configuration Assistant registers Oracle Database Vault, and then
restarts the database instance.
12. Exit Database Configuration Assistant.
13. Restart the Database Control console process.
UNIX: Run the following command:
$ emctl start dbconsole
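
A post-registration check built on the V$OPTION query above, as an added example that is not part of the original post or of Oracle's documentation. It classifies the Database Vault and Label Security rows so a script can confirm that both options report TRUE. The function name dv_option_state, the state words, and the pipe-delimited query format are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): classify Database Vault
# state from V$OPTION rows.
#
# Expected stdin: one "PARAMETER|VALUE" row per line, for example from
# SQL*Plus with an assumed query of this form:
#   SET HEADING OFF FEEDBACK OFF PAGESIZE 0
#   SELECT parameter || '|' || value FROM v$option
#    WHERE parameter IN ('Oracle Database Vault', 'Oracle Label Security');

dv_option_state() {
    dv=MISSING
    ols=MISSING
    # The "|| [ -n ... ]" part keeps a final row that lacks a newline.
    while IFS='|' read -r param value || [ -n "$param" ]; do
        # Strip padding and carriage returns the output may carry.
        value=$(printf '%s' "$value" | tr -d ' \t\r')
        # PARAMETER is case sensitive, so match the exact strings.
        case $param in
            'Oracle Database Vault') dv=$value ;;
            'Oracle Label Security') ols=$value ;;
        esac
    done

    if [ "$dv" = MISSING ]; then
        echo UNKNOWN        # no Database Vault row: check the query's case
        return 1
    elif [ "$dv" != TRUE ]; then
        echo DISABLED       # V$OPTION does not report TRUE for Database Vault
        return 1
    elif [ "$ols" != TRUE ]; then
        echo INCONSISTENT   # Vault reported on without Label Security
        return 1
    fi
    echo ENABLED
}

# Constructed sample rows (not real output) for a stand-alone run.
printf '%s\n' 'Oracle Database Vault|TRUE' 'Oracle Label Security|FALSE' |
    dv_option_state || :
```

The function returns 0 only for ENABLED, so it can gate a deployment or audit script directly.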
