D Upgrading from a Previous Version of Database Vault

If you have Oracle Database Vault 10g Release 2 (10.2.0.2) or Oracle Database Vault 10g Release 2 (10.2.0.3) installed, then you can upgrade it to Oracle Database Vault 10g Release 2 (10.2.0.4) without uninstalling the existing instance.

D.1 Upgrading from a 10.2.0.x Version

Use the following steps to upgrade an Oracle Database Vault 10.2.0.x installation to Oracle Database Vault 10g Release 2 (10.2.0.4):

Re-create the password file with the nosysdba=n and force=y flags, to allow the SYS user to connect AS SYSDBA. Use the following syntax:
```
orapwd file=$ORACLE_HOME/dbs/orapwSID password=password force=y nosysdba=n
```
Here SID is the Oracle system identifier (SID) of the database and password is the password for the SYS account.
Shut down the database.

To stop a single-instance database, use the following commands:
```
sqlplus SYS "AS SYSDBA"
Enter password:
SQL> shutdown immediate
```
For an Oracle Real Application Clusters (RAC) database, use the following command:
```
$ORACLE_HOME/bin/srvctl stop database -d db_name  -c "SYS/password AS SYSDBA"
```
Here db_name is the name of the database.
Relink the Oracle executable to turn off the Oracle Database Vault option. Use the following commands:
```
cd $ORACLE_HOME/rdbms/lib
make -f ins_rdbms.mk dv_off
cd $ORACLE_HOME/bin
relink oracle
```
Note:
For an Oracle Real Application Clusters (RAC) database, you must repeat the preceding commands on all nodes.
Start the database. For a single-instance database, use the following commands:
```
sqlplus SYS "AS SYSDBA"
Enter password:
SQL> startup
```
For an Oracle Real Application Clusters (RAC) database, use the following command:
```
$ORACLE_HOME/bin/srvctl start database -d db_name 
```

Unlock the DVSYS account as the SYS user:

sqlplus SYS "AS SYSDBA"
Enter password:
SQL>ALTER USER DVSYS ACCOUNT UNLOCK;

Run Oracle Database Vault Configuration Assistant (DVCA) by using the dvca -action disable option. This disables the Database Vault triggers. Use the following syntax:
```
dvca -action disable 
     -service service_name 
     -owner_account DV_owner_account_name 
    [-logfile ./dvca.log] 
    [-nodecrypt] 

Enter SYS password: sys_password
Enter owner password: owner_password
    
```
Here:
- -action is the action to perform. In this case the action is disable.
- -service is the database service name.
- -owner_account is the Oracle Database Vault Owner account name.
- -logfile is an optional flag to specify a log file name and location. You can enter an absolute path, or enter a path that is relative to the location of the $ORACLE_HOME/bin directory.
- -nodecrypt is the option to read plaintext passwords.
Install the Oracle Database Release 10.2.0.4 Patch Set.

See Also:
"Apply Oracle Database Release 10.2.0.4 Patch Set" for more information about installing the patch set

Restart the database. For a single-instance database, use the following commands:

sqlplus SYS "AS SYSDBA"
Enter password:
SQL> shutdown immediate
SQL> startup

For an Oracle Real Application Clusters (RAC) database, use the following command:

$ORACLE_HOME/bin/srvctl stop database -d db_name 
$ORACLE_HOME/bin/srvctl start database -d db_name

Connect AS SYSDBA and run the following SQL statements:

SQL> DROP FUNCTION DVSYS.REALM_SDML_AUTHORIZED ;
SQL> DROP PROCEDURE DVSYS.SYNCHRONIZE_POLICY_FOR_OBJECT;
SQL> DECLARE
          CURSOR stmt IS
                   select u.name, o.name, r.pname
                       from user$ u, obj$ o, rls$ r
                   where u.user# = o.owner#
                       and r.obj# = o.obj#
                       and bitand(r.stmt_type,65536) > 0;

                   object_schema VARCHAR2(32) := NULL;
                   object_name VARCHAR2(32) := NULL;
                   policy_name VARCHAR2(32) := NULL;

                   BEGIN
                    OPEN stmt;
                      LOOP
                           FETCH stmt INTO object_schema, object_name, policy_name;
                           EXIT WHEN stmt%NOTFOUND;
                           dbms_rls.drop_policy('"'||object_schema||'"',
                           '"'||object_name||'"',
                           '"'||policy_name||'"');
                      END LOOP;
                    Close stmt;
                   END;
                  /

Run DVCA to reconfigure Database Vault. Use the following syntax:
```
$ORACLE_HOME/bin/dvca -action option -oh oracle_home -jdbc_str
jdbc_connection_string -owner_account DV_owner_account_name 
[-acctmgr_account DV_account_manager_account_name]
[-logfile ./dvca.log] [-nodecrypt]
```
Where:
- action: The action to perform. option creates the Database Vault schema objects, creates the DV_OWNER account and the optional DV_ACCTMGR account, and deploys the Database Vault Administrator application.
- oh: The Oracle home for the database.
- jdbc_str: The JDBC connection string used to connect to the database. For example, jdbc:oracle:oci:@orcl1, where orcl1 is the net service name in the tnsnames.ora file ($ORACLE_HOME/network/admin/tnsnames.ora).
- owner_account: Oracle Database Vault Owner account name
- acctmgr_account: (Optional) Oracle Database Vault Account Manager user
- logfile: Optionally, specify a log file name and location. You can enter an absolute path or a path that is relative to the location of the $ORACLE_HOME/bin directory
- nodecrypt: Reads plaintext passwords as passed on the command line. You must use this option if you are passing plaintext passwords to the command.
Note:
You are prompted to enter the SYS, Database Vault Owner, and Database Vault Account Manager passwords.

See Also:
Appendix C, "Running DVCA After Creating a Database Vault Database" for more options available with the dvca -action option command

Run Oracle Database Vault Configuration Assistant (DVCA) by using the dvca -action enable option. This enables the Database Vault triggers. Use the following syntax:

dvca -action enable 
     -service service_name 
     -owner_account DV_owner_account_name  
    [-logfile ./dvca.log] 
    [-nodecrypt] 

Enter SYS password: sys_password
Enter owner password: owner_password

See Step 6 for details of the options used in the command.

Lock the DVSYS account. Use the following SQL statements:

SQL> CONNECT SYS "AS SYSDBA"
Enter password:
SQL> ALTER USER DVSYS ACCOUNT LOCK;

Shut down the database.

To stop a single-instance database, use the following commands:
```
sqlplus SYS "AS SYSDBA"
Enter password:
SQL> shutdown immediate
```
For an Oracle Real Application Clusters (RAC) database, use the following command:
```
$ORACLE_HOME/bin/srvctl stop database -d db_name 
```
Here db_name is the name of the database.
Relink the Oracle executable to turn on the Oracle Database Vault option. Use the following commands:
```
cd $ORACLE_HOME/rdbms/lib
make -f ins_rdbms.mk dv_on
cd $ORACLE_HOME/bin
relink oracle
```
Note:
For an Oracle Real Application Clusters (RAC) database, you must repeat the preceding commands on all nodes.
Start the database. For a single-instance database, use the following commands:
```
sqlplus SYS "AS SYSDBA"
Enter password:
SQL> startup
```
For an Oracle Real Application Clusters (RAC) database, use the following command:
```
$ORACLE_HOME/bin/srvctl start database -d db_name 
```
If you wish to disable connections with SYSDBA privileges, then re-create the password file with the nosysdba=y and force=y flags. Use the following syntax:
```
orapwd file=$ORACLE_HOME/dbs/orapwSID password=password force=y nosysdba=y
```
Here SID is the Oracle system identifier (SID) of the database and password is the password for the SYS account.