1. 服务器上装有两个数据库,分别是snow,lily,版本都是10.2.0.4.0, database vault都没有开启。
[oracle@snowlab ~]$ export ORACLE_SID=
snow
[oracle@snowlab ~]$ sqlplus / as sysdba
SQL> set line 100
SQL> col value for a40
SQL> col comments for a40
SQL> select version,comments from registry$history;
VERSION COMMENTS
------------------------------ ----------------------------------------
10.2.0.4 PSU 10.2.0.4.4
view recompilation
view recompilation
10.2.0.4
PSU 10.2.0.4.8
view recompilation
SQL> col parameter for a30
SQL> select * from v$option where parameter='Oracle Database Vault';
PARAMETER VALUE
------------------------------ ----------------------------------------
Oracle Database Vault
FALSE
[oracle@snowlab ~]$ export ORACLE_SID=
lily
[oracle@snowlab ~]$ sqlplus / as sysdba
SQL> set line 100
SQL> col value for a40
SQL> col comments for a40
SQL> select version,comments from registry$history;
VERSION COMMENTS
------------------------------ ----------------------------------------
10.2.0.4 PSU 10.2.0.4.4
view recompilation
view recompilation
10.2.0.4
PSU 10.2.0.4.8
view recompilation
SQL> col parameter for a30
SQL> select * from v$option where parameter='Oracle Database Vault';
PARAMETER VALUE
------------------------------ ----------------------------------------
Oracle Database Vault
FALSE
2. 确认目标数据库remote_login_passwordfile参数为EXCLUSIVE或者SHARED
show parameter remote_login_passwordfile
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
remote_login_passwordfile string EXCLUSIVE
3. 备份数据库软件和数据库
export ORACLE_SID=snow
rman target /
RMAN> backup format '/backup/snow_full_%U.bak’ database include current controlfile plus archivelog;
export ORACLE_SID=lily
rman target /
RMAN> backup format '/backup/lily_full_%U.bak' database include current controlfile plus archivelog;
cd /u01/app/oracle/product/10.2.0
tar -cvf db_1.tar db_1
4. 禁用profile
本例中数据库存在用户自定义的profile,
APP_PROFILE和
MONITORING_PROFILE
select username,profile from dba_users where profile <> 'DEFAULT';
USERNAME PROFILE
---------- --------------------
HR APP_PROFILE
DBSNMP MONITORING_PROFILE
4.1 官方文档提供了一个脚本提取profile,保存在名为myprofiles.sql中。当安装结束后执行myprofiles.sql脚本来恢复profile。
set serverout on size 100000
spool myprofiles.sql
.
declare
l_last varchar2(30) := 'X';
l_count number := 0;
begin
for c in (
select profile, resource_name , limit
from dba_profiles
order by profile, resource_name
) loop
if l_last <> c.profile then
l_last := c.profile;
if l_count > 0 then
dbms_output.put_line(';');
end if;
l_count := l_count + 1;
dbms_output.put_line('create profile ' || c.profile || ' limit ');
else
dbms_output.put_line( ' ' || c.resource_name || ' ' || c.limit);
end if;
end loop;
dbms_output.put_line(';');
end;
/
.
.
spool off
4.2 禁用profile和密码复杂性设置
SQL> ALTER PROFILE
APP_PROFILE
LIMIT
PASSWORD_REUSE_MAX UNLIMITED -- The number of times a password can be reused
PASSWORD_REUSE_TIME UNLIMITED -- The number of days between reuses of a password
PASSWORD_VERIFY_FUNCTION NULL
/
SQL> ALTER PROFILE
MONITORING_PROFILE
LIMIT
PASSWORD_REUSE_MAX UNLIMITED -- The number of times a password can be reused
PASSWORD_REUSE_TIME UNLIMITED -- The number of days between reuses of a password
PASSWORD_VERIFY_FUNCTION NULL
/
4.3 Oracle Database Vault安装结束后执行myprofiles.sql脚本来生成创建profile脚本,执行创建profile脚本来恢复设置
SQL> @myprofiles.sql
5. 停止所有Oracle进程
建议按照如下顺序执行
1. 停止Enterprise Manager Database Console进程
$ORACLE_HOME/bin/emctl stop dbconsole
2. 停止iSQL*Plus进程
$ORACLE_HOME/bin/isqlplusctl stop
3. 停止将要安装Oracle Database Vault所在的Oracle Home下所有数据库实例进程。
sqlplus / as sysdba
SQL> shutdown immediate;
4. 停止监听器
# su - oracle
$ ps -ef grep tns
$ lsnrctl stop
5. 创建database vault数据库
创建一个Database Vault数据库用来保存Database Vault Schema,该方式类似于catalog 或者 emrep数据库。安装结束后会新增一个配置工具DVCA。当同一个Oracle软件下创建的其它数据库需要启用Database Vault,可以通过DVCA工具来配置。DVCA将在目标数据库创建DV_OWNER或者DV_ACCTMGR(可选项),并且部署Database Vault Admiinstrator相关应用程序。
5.1 在这里采用DBCA创建数据库dv,用来实现上述功能,过程省略。
5.2 解压缩Database Vault软件,生成datavault目录
cd /software
unzip database_vault_Linux-x86-64_10204.zip
5.3 执行图形话安装./runInstaller
cd datavault
./runInstaller
Database Vault Owner: vault_owner
Database Vault Owner Password: dv_12345
Confirm Password: dv_12345
提示Database Vault只会安装在当前SID所在的数据库dv中
图形工具一次只能配置一个数据库。其它数据库需要使用DVCA工具配置。
此处选择dv数据库
这里的错误可以忽略,点击ok,继续执行。
此时Database Vault已经安装完成,只是DVCA在为dv数据库配置时候出错了,可以手工执行DVCA来纠正。这里我们就不对dv数据库操作了。直接对目标库snow,lily操作。
通过以下方法来检查Database Vault是否已经安装
export ORACLE_SID=dv
sqlplus / as sysdba
SYS@dv >select * from v$option where parameter='Oracle Database Vault';
PARAMETER VALUE
------------------------------ ------------------------------
Oracle Database Vault
TRUE
[oracle@snowlab ~]$ export DISPLAY=127.0.0.1:0.0
[oracle@snowlab ~]$
dvca
DVCA started
DVCA Usage:
1. dvca -action option -oh -owner_account -owner_passwd -jdbc_str -sys_passwd [-acctmgr_account ] [-acctmgr_passwd ] [-silent] [-logfile ./dvca.log] [-nodecrypt] [-lockout] [-racnode node] [-languages {["en"],["de"],["es"],["fr"],["it"],["ja"],["ko"],["pt_BR"],["zh_CN"],["zh_TW"]}]
2. dvca -action optionrac -oh -jdbc_str -sys_passwd [-silent] [-logfile ./dvca.log] [-nodecrypt] [-lockout]
3. dvca -action enable -service -sys_passwd -owner_account -owner_passwd [-silent] [-logfile ./dvca.log] [-nodecrypt] [-racnode node]
4. dvca -action disable -service -sys_passwd -owner_account -owner_passwd [-logfile ./dvca.log] [-nodecrypt] [-racnode node]
5. dvca -action deinstall -oh -jdbc_str | -service -sys_passwd [-silent] [-logfile ./dvca.log] [-nodecrypt] [-racnode node]
6. dvca -help
DVCA stopped
6. DVCA配置snow数据库
使用dvca命令可以看到帮助信息,按照提示填写目标库snow的信息就可以完成配置。
[oracle@snowlab ~]$ export DISPLAY=127.0.0.1:0.0
[oracle@snowlab ~]$
dvca -action option -oh /u01/app/oracle/product/10.2.0/db_1 -owner_account vault_owner -owner_passwd dv_12345 -nodecrypt -jdbc_str jdbc:oracle:oci:@snow snow -sys_passwd oracle
DVCA started
Executing task RESTART_SERVICES_PATCH
MANAGE_INSTANCE stop isqlplus
MANAGE_INSTANCE stop OC4J
MANAGE_INSTANCE stop OC4J result=/u01/app/oracle/product/10.2.0/db_1/bin/emctl stop dbconsole,2,OC4J Configuration issue. /u01/app/oracle/product/10.2.0/db_1/oc4j/j2ee/OC4J_DBConsole_snowlab_snow not found.
MANAGE_LISTENER start listener
MANAGE_LISTENER start listener result=/u01/app/oracle/product/10.2.0/db_1/bin/dvca_start_listener.sh,1,
MANAGE_LISTENER start listener log=
LSNRCTL for Linux: Version 10.2.0.4.0 - Production on 25-APR-2015 09:41:32
MANAGE_INSTANCE start RDBMS
Executing task SQLPLUS_CATMAC
Executing task UNLOCK_DVSYS
Executing task LOAD_NLS_FILES
load(error):java.sql.SQLException: ORA-12154: TNS:could not resolve the connect identifier specified
Executing task ACCOUNT_CREATE_OWNER
Executing task GRANT_CONNECT_OWNER
Executing task GRANT_ADMIN_DB_TRIG
Executing task GRANT_ALTER_ANY_TRIG
Executing task PASSWORD_CHANGE_DVSYS
Executing task PASSWORD_CHANGE_DVF
RULE_SYNC:TRUE
Executing task GRANT_DV_OWNER_OWNER
Executing task GRANT_DBMS_RLS_OWNER
Executing task GRANT_AUDIT_TRAIL
Executing task GRANT_DV_ACCTMGR_OWNER
COMMAND_RULES:9
Executing task ALTER_TRIGGER_BEFORE_DDL
Executing task ALTER_TRIGGER_AFTER_DDL
Executing task REVOKE_CONNECT_DVSYS
Executing task REVOKE_CONNECT_DVF
Executing task LOCK_DVSYS
Executing task LOCK_DVF
Executing task ALTER_TRIGGER_LBACSYS1
Executing task ALTER_TRIGGER_LBACSYS2
Executing task ALTER_TRIGGER_LBACSYS3
Executing task DEPLOY_DVA
DEPLOY_DVA,validate
DEPLOY_DVA get EM home
DEPLOY_DVA get EM home=/u01/app/oracle/product/10.2.0/db_1/bin/emctl getemhome,2,EM Configuration issue. /u01/app/oracle/product/10.2.0/db_1/snowlab_snow not found.
DVCA_ERROR:java.io.IOException: java.io.IOException: /u01/app/oracle/product/10.2.0/db_1/bin/dvca_getipc.sh: cannot execute
Error executing task DEPLOY_DVA:java.io.IOException: java.io.IOException: /u01/app/oracle/product/10.2.0/db_1/bin/dvca_getipc.sh: cannot execute
Executing task SQLPLUS_UTLRP
Executing task INIT_AUDIT_SYS_OPERATIONS
Executing task INIT_REMOTE_OS_AUTHENT
Executing task INIT_REMOTE_OS_ROLES
Executing task INIT_OS_ROLES
Executing task INIT_SQL92_SECURITY
Executing task INIT_OS_AUTHENT_PREFIX
Executing task INIT_REMOTE_LOGIN_PASSWORDFILE
Executing task INIT_RECYCLEBIN
Executing task RESTART_SERVICES
MANAGE_INSTANCE stop isqlplus
MANAGE_INSTANCE stop OC4J
MANAGE_INSTANCE stop OC4J result=/u01/app/oracle/product/10.2.0/db_1/bin/emctl stop dbconsole,2,OC4J Configuration issue. /u01/app/oracle/product/10.2.0/db_1/oc4j/j2ee/OC4J_DBConsole_snowlab_snow not found.
MANAGE_INSTANCE stop RDBMS
MANAGE_LISTENER stop listener
MANAGE_LISTENER start listener
MANAGE_INSTANCE start RDBMS
MANAGE_INSTANCE start OC4J
使用dvsys用户登录
[oracle@snowlab ]$
sqlplus dvsys/dv_12345
添加域,名为my_realm
DVSYS@snow >exec dbms_macadm.create_realm('my_realm','my_realm','y',1);
添加HR所有对象到域my_realm
DVSYS@snow >exec dbms_macadm.add_object_to_realm('my_realm','HR','%','%');
使用HR用户可以访问自身数据
SYS@snow >conn hr/hr
HR@snow >select * from tab;
TNAME TABTYPE CLUSTERID
------------------------------ ------- ----------
REGIONS TABLE
COUNTRIES TABLE
LOCATIONS TABLE
DEPARTMENTS TABLE
JOBS TABLE
EMPLOYEES TABLE
JOB_HISTORY TABLE
EMP_DETAILS_VIEW VIEW
8 rows selected.
HR@snow >select * from jobs;
JOB_ID JOB_TITLE MIN_SALARY MAX_SALARY
---------- ----------------------------------- ---------- ----------
AD_PRES President 20000 40000
AD_VP Administration Vice President 15000 30000
AD_ASST Administration Assistant 3000 6000
FI_MGR Finance Manager 8200 16000
FI_ACCOUNT Accountant 4200 9000
AC_MGR Accounting Manager 8200 16000
AC_ACCOUNT Public Accountant 4200 9000
SA_MAN Sales Manager 10000 20000
SA_REP Sales Representative 6000 12000
PU_MAN Purchasing Manager 8000 15000
PU_CLERK Purchasing Clerk 2500 5500
JOB_ID JOB_TITLE MIN_SALARY MAX_SALARY
---------- ----------------------------------- ---------- ----------
ST_MAN Stock Manager 5500 8500
ST_CLERK Stock Clerk 2000 5000
SH_CLERK Shipping Clerk 2500 5500
IT_PROG Programmer 4000 10000
MK_MAN Marketing Manager 9000 15000
MK_REP Marketing Representative 4000 9000
HR_REP Human Resources Representative 4000 9000
PR_REP Public Relations Representative 4500 10500
19 rows selected.
使用sys用户执行查询会被“隔离”,提示权限不足
HR@snow >conn / as sysdba
Connected.
SYS@snow >select * from hr.jobs;
select * from hr.jobs
*
ERROR at line 1:
ORA-01031: insufficient privileges
如果SYS需要对域中的HR持有权限,可以使用DVSYS用户创建“参与者”
DVSYS@snow >exec dbms_macadm.add_auth_to_realm('my_realm','SYS');
再次使用SYS用户访问HR表jobs,验证“参与者”生效了
DVSYS@snow >conn / as sysdba
Connected.
SYS@snow >select * from hr.jobs;
JOB_ID JOB_TITLE MIN_SALARY MAX_SALARY
---------- ----------------------------------- ---------- ----------
AD_PRES President 20000 40000
AD_VP Administration Vice President 15000 30000
AD_ASST Administration Assistant 3000 6000
FI_MGR Finance Manager 8200 16000
FI_ACCOUNT Accountant 4200 9000
AC_MGR Accounting Manager 8200 16000
AC_ACCOUNT Public Accountant 4200 9000
SA_MAN Sales Manager 10000 20000
SA_REP Sales Representative 6000 12000
PU_MAN Purchasing Manager 8000 15000
PU_CLERK Purchasing Clerk 2500 5500
JOB_ID JOB_TITLE MIN_SALARY MAX_SALARY
---------- ----------------------------------- ---------- ----------
ST_MAN Stock Manager 5500 8500
ST_CLERK Stock Clerk 2000 5000
SH_CLERK Shipping Clerk 2500 5500
IT_PROG Programmer 4000 10000
MK_MAN Marketing Manager 9000 15000
MK_REP Marketing Representative 4000 9000
HR_REP Human Resources Representative 4000 9000
PR_REP Public Relations Representative 4500 10500
19 rows selected.
接下来采用同样的方法来配置lily数据库
export DISPLAY=127.0.0.1:0.0
dvca -action option -oh /u01/app/oracle/product/10.2.0/db_1 -owner_account vault_owner -owner_passwd dv_12345 -nodecrypt -jdbc_str jdbc:oracle:oci:@
lily
lily
-sys_passwd oracle
全文完
来自 “ ITPUB博客 ” ,链接:http://blog.itpub.net/29047826/viewspace-1709397/,如需转载,请注明出处,否则将追究法律责任。
转载于:http://blog.itpub.net/29047826/viewspace-1709397/