3 Getting Started with Oracle Database Vault

Before you can start using Oracle Database Vault, you must register it with the Oracle database. Then you can log in to it.

Topics:

Registering Oracle Database Vault with an Oracle Database

You must register Oracle Database Vault before you can use it. You can register it in a non-multitenant environment and for a multitenant environment, perform the registration based on the type of configuration you have.

Topics:

About Registering Oracle Database Vault with an Oracle Database

After you install Oracle Database, you must register (that is, configure and enable) Oracle Database Vault with the Oracle database in which it was installed.

Oracle Database includes Database Vault when you choose to include a default database in the installation process, but you must register it before you can use it. If you create a custom database, then you can use DBCA to install and enable Database Vault for it. As part of the registration process, you create the Database Vault administrative accounts. The registration process enables Oracle Label Security if it is not already enabled. This procedure applies to the current pluggable database (PDB), as well as to both single-instance and Oracle RAC installations. To check if Database Vault has already been enabled, see "Checking if Oracle Database Vault Is Enabled or Disabled".

This section explains how to register Oracle Database Vault in a non-multitenant environment, and several ways that you can register it in a multitenant environment.

Registering Oracle Database Vault in a Non-Multitenant Environment

You can register Oracle Database Vault from SQL*Plus in a non-multitenant environment.

  1. Log into the database instance as user SYS with the SYSDBA administrative privilege.

    sqlplus sys as sysdba
Enter password: password

  2. As user SYS with the SYSDBA administrative privilege, configure the Database Vault user accounts.

    BEGIN
 DVSYS.CONFIGURE_DV (
   dvowner_uname         => 'dbv_owner',
   dvacctmgr_uname       => 'dbv_acctmgr');
 END;
/

    Do not enter the names DV_OWNER, DV_ACCTMGR, or the names of any other Database Vault roles for these user accounts. These names are reserved words. "Oracle Database Vault Roles" describes the Database Vault roles.

  3. Run the utlrp.sql script to recompile invalidated objects.

    @?/rdbms/admin/utlrp.sql

    If the script gives you any instructions, follow them, and then run the script again. If the script terminates abnormally without giving any instructions, run it again.

  4. Connect as the Database Vault Owner user that you just configured.

    For example:

    CONNECT dbv_owner
Enter password: password

  5. Enable Oracle Database Vault.

    EXEC DBMS_MACADM.ENABLE_DV;

  6. Connect with the SYSDBA administrative privilege.

    CONNECT / AS SYSDBA

  7. Restart the database.

    SHUTDOWN IMMEDIATE
STARTUP

See "Verifying That Oracle Database Vault Is Configured and Enabled" to confirm that this procedure was successful. After you have registered Oracle Database Vault with an Oracle database, you can start Oracle Database Vault Administrator. See "Logging into Oracle Database Vault" for more information.

Registering Oracle Database Vault with a Common User to Manage the CDB Root

In SQL*Plus, you can register Oracle Database Vault with a common user who will manage the CDB root.

  1. In a multitenant environment, log into the root of the database instance as a user who has privileges to create users and grant the CREATE SESSION and SET CONTAINER privileges.

    For example:.

    sqlplus c##sec_admin
Enter password: password

  2. Create two user accounts to be used as the Database Vault accounts and grant them the CREATE SESSION and SET CONTAINER privileges.

    One account will be the Database Vault Owner user and the second (optional) account will be the Database Vault Account Manager account. Ensure that they have at minimum the CREATE SESSION privilege. If you decide not to create a Database Vault Account Manager account, then the Database Vault Owner will have the Database Vault Account Manager privileges. For better separation of duty, Oracle recommends that you create a Database Vault Account Manager account.

    Prepend the names of these accounts with c## or C##. For example:

    GRANT CREATE SESSION, SET CONTAINER TO c##dbv_owner_root IDENTIFIED BY password CONTAINER = ALL;
GRANT CREATE SESSION, SET CONTAINER TO c##dbv_acctmgr_root IDENTIFIED BY password CONTAINER = ALL;

  3. Connect to the root as user SYS with the SYSDBA administrative privilege

    CONNECT SYS AS SYSDBA
Enter password: password

  4. Configure the Database Vault user accounts.

    BEGIN
 DVSYS.CONFIGURE_DV (
   dvowner_uname         => 'c##dbv_owner_root',
   dvacctmgr_uname       => 'c##dbv_acctmgr_root');
 END;
/

  5. Run the utlrp.sql script to recompile invalidated objects in the root.

    @?/rdbms/admin/utlrp.sql

    If the script provides instructions, follow them, and then run the script again. If the script terminates abnormally without giving any instructions, run it again.

  6. Connect to the root as the Database Vault Owner user that you just configured.

    For example:

    CONNECT c##dbv_owner_root
Enter password: password

  7. Enable Oracle Database Vault.

    EXEC DBMS_MACADM.ENABLE_DV;

  8. Connect with the SYSDBA administrative privilege.

    CONNECT / AS SYSDBA

  9. Restart the database.

    SHUTDOWN IMMEDIATE
STARTUP

See "Verifying That Oracle Database Vault Is Configured and Enabled" to confirm that this procedure was successful. After you have registered Oracle Database Vault with an Oracle database, you can start Oracle Database Vault Administrator. See "Logging into Oracle Database Vault" for more information.

Registering Database Vault Common Users to Manage Specific PDBs

In a multitenant environment, you must register Oracle Database Vault in the root first, then in the PDBs afterward. If you try to register in a PDB first, then an ORA-47503: Database Vault is not enabled on CDB$ROOT error appears.

  1. In a multitenant environment, log into the root of the database instance as a user who has privileges to create users and to grant the CREATE SESSION and SET CONTAINER privileges.

    For example:.

    sqlplus c##sec_admin
Enter password: password

  2. If you have not already done so, then create two user accounts to be used as the Database Vault accounts.

    See Step 2 under "Registering Oracle Database Vault with a Common User to Manage the CDB Root" for more information about these accounts.

  3. Connect to the PDB to which the common users will need access.

    For example:

    CONNECT c##sec_admin@pdb_name
Enter password: password

    To find the available PDBs, query the DBA_PDBS data dictionary view. To check the current PDB, run the show con_name command.

  4. Grant the CREATE SESSION and SET CONTAINER privileges to the users.

    For example:

    GRANT CREATE SESSION, SET CONTAINER TO c##dbv_owner_root;
GRANT CREATE SESSION, SET CONTAINER TO c##dbv_acctmgr_root;

  5. Connect as user SYS with the SYSDBA administrative privilege

    CONNECT SYS@pdb_name AS SYSDBA
Enter password: password

  6. While still in the PDB, configure the Database Vault user accounts.

    For example:

    BEGIN
 DVSYS.CONFIGURE_DV (
   dvowner_uname         => 'c##dbv_owner_root',
   dvacctmgr_uname       => 'c##dbv_acctmgr_root');
 END;
/

  7. Run the utlrp.sql script to recompile invalidated objects in this PDB.

    @?/rdbms/admin/utlrp.sql

    If the script provides instructions, follow them, and then run the script again. If the script terminates abnormally without giving any instructions, run it again.

  8. Connect to the PDB as the Database Vault Owner user that you just configured.

    For example:

    CONNECT c##dbv_owner_root@pdb_name
Enter password: password

  9. Enable Oracle Database Vault.

    EXEC DBMS_MACADM.ENABLE_DV;

  10. Connect with the SYSDBA administrative privilege.

    CONNECT / AS SYSDBA

  11. Close and reopen the PDB.

    For example:

    ALTER PLUGGABLE DATABASE pdb_name CLOSE IMMEDIATE;

ALTER PLUGGABLE DATABASE pdb_name OPEN;

See "Verifying That Oracle Database Vault Is Configured and Enabled" to confirm that this procedure was successful. After you have registered Oracle Database Vault with an Oracle database, you can start Oracle Database Vault Administrator. See "Logging into Oracle Database Vault" for more information.

Registering Oracle Database Vault Common Users to Manage All Database Vault PDBs

Using SQL*Plus, you can register Oracle Database Vault common users to manage all Database Vault PDBs.

  1. In a multitenant environment, log into the root of the database instance as user SYS with the SYSDBA administrative privilege.

    sqlplus sys as sysdba
Enter password: password

  2. Ensure that Oracle Database Vault has been configured and enabled on the root.

    See "Verifying That Oracle Database Vault Is Configured and Enabled".

  3. If you have not already done so, create two user accounts to be used as the Database Vault accounts, and grant them the CREATE SESSION and SET CONTAINER privileges.

    For example:

    GRANT CREATE SESSION, SET CONTAINER TO c##dbv_owner_root IDENTIFIED BY password CONTAINER = ALL;
GRANT CREATE SESSION, SET CONTAINER TO c##dbv_acctmgr_root IDENTIFIED BY password CONTAINER = ALL;

    See Step 2 under "Registering Oracle Database Vault with a Common User to Manage the CDB Root" for more information about these accounts.

  4. As user SYS with the SYSDBA privilege, connect to the PDB to which the common users must have access.

    For example:

    CONNECT SYS@pdb_name AS SYSDBA
Enter password: password

    To find the available PDBs, query the DBA_PDBS data dictionary view. To check the current PDB, run the show con_name command.

  5. Configure the Database Vault user accounts for the PDB.

    BEGIN
 DVSYS.CONFIGURE_DV (
   dvowner_uname         => 'c##dbv_owner_root',
   dvacctmgr_uname       => 'c##dbv_acctmgr_root');
 END;
/

  6. Run the utlrp.sql script to recompile invalidated objects in this PDB.

    @?/rdbms/admin/utlrp.sql

    If the script provides instructions, follow them, and then run the script again. If the script terminates abnormally without giving any instructions, run it again.

  7. Connect to the PDB as the Database Vault Owner user that you just configured.

    For example:

    CONNECT c##dbv_owner_root
Enter password: password

    To find the available PDBs, query the DBA_PDBS data dictionary view. To check the current PDB, run the show con_name command.

  8. Enable Oracle Database Vault.

    EXEC DBMS_MACADM.ENABLE_DV;

  9. Connect with the SYSDBA administrative privilege.

    CONNECT / AS SYSDBA

  10. Close and reopen the PDB.

    For example:

    ALTER PLUGGABLE DATABASE pdb_name CLOSE IMMEDIATE;

ALTER PLUGGABLE DATABASE pdb_name OPEN;

  11. Repeat Step 4 through Step 10 for each PDB.

See "Verifying That Oracle Database Vault Is Configured and Enabled" to confirm that this procedure was successful. After you have registered Oracle Database Vault with an Oracle database, you can start Oracle Database Vault Administrator. See "Logging into Oracle Database Vault" for more information.

Plugging in a Database That Has Oracle Database Vault Enabled

From SQL*Plus, in a multitenant environment, you can plug in a database that already has Database Vault enabled.

In this scenario, the plugged in database has its own local Database Vault accounts.

To enable a common user to manage the Database Vault configuration for this PDB:

  1. Log into the PDB as the local Database Vault owner.

    For example:

    sqlplus dbv_owner@pdb_name
Enter password: password

    To find the available PDBs, query the DBA_PDBS data dictionary view. To check the current PDB, run the show con_name command.

  2. Grant the common user the CREATE SESSION and SET CONTAINER privileges, and the appropriate Database Vault roles.

    For example:

    GRANT CREATE SESSION, SET CONTAINER, DV_OWNER TO c##dbv_owner_root;
GRANT CREATE SESSION, SET CONTAINER, DV_ACCTMGR TO c##dbv_acctmgr_root;

If necessary, see "Verifying That Oracle Database Vault Is Configured and Enabled". After you have registered Oracle Database Vault with an Oracle database, you can start Oracle Database Vault Administrator. See "Logging into Oracle Database Vault" for more information.

Verifying That Oracle Database Vault Is Configured and Enabled

You can query the V$OPTION dynamic view to verify if Oracle Database is configured and enabled.

  • Query the V$OPTION dynamic view as follows:

    • To find if Oracle Database Vault is configured and enabled, run the following query, which should show the VALUE setting as TRUE:

      SELECT VALUE FROM V$OPTION WHERE PARAMETER = 'Oracle Database Vault';

    • To check if Oracle Label Security is enabled, query V$OPTION as follows:

      SELECT VALUE FROM V$OPTION WHERE PARAMETER = 'Oracle Label Security';

At this stage, you have only the two Oracle Database Vault accounts: one for the Database Vault Owner and the other for the Database Vault Account Manager. Oracle recommends that you reserve these accounts as back-up accounts, and then grant the DV_OWNER and DV_ACCTMGR roles to existing user accounts for every day use. See the tip under "Oracle Database Vault Accounts" for more information.

Logging into Oracle Database Vault

From Oracle Enterprise Manager Cloud Control (Cloud Control), you can use the Oracle Database Vault pages to administer and monitor Database Vault-protected databases from a centralized console, automate alerts, view Database Vault reports, and propagate Database Vault policies to other Database Vault-protected databases.

  1. Ensure that you have configured the Cloud Control target databases that you plan to use with Database Vault.

    See the Oracle Enterprise Manager online help and Oracle Enterprise Manager Advanced Configuration for more information about configuring target databases.

  2. If necessary, register Oracle Database Vault.

    If you have just installed Oracle Database Vault, you must register it with the database. See "Registering Oracle Database Vault with an Oracle Database" for more information.

  3. Start Cloud Control.

    For example:

    https://myserver.example.com:7799/em

  4. Log into Cloud Control as user SYSMAN.

  5. In the Cloud Control home page, from the Targets menu, select Databases.

  6. In the Databases page, select the link for the Oracle Database Vault-protected database to which you want to connect.

    The Database home page appears.

  7. From the Security menu, select Database Vault.

    The Database Login page appears.

  8. Enter the following information:

    • Username: Enter the name of a user who has been granted the appropriate Oracle Database Vault role:

      • Creating and propagating Database Vault policies: DV_OWNER or DV_ADMIN role, SELECT ANY DICTIONARY privilege

      • Viewing Database Vault alerts and reports: DV_OWNER, DV_ADMIN, or DV_SECANALYST role, SELECT ANY DICTIONARY privilege

      See "About Oracle Database Vault Roles" for more information.

    • Password: Enter your password.

    • Role: Select NORMAL from the list.

    • Save as: Select this check box if you want these credentials to be automatically filled in for you the next time that this page appears. The credentials are stored in Enterprise Manager in a secured manner. Access to these credentials depends on the user who is currently logged in.

    The Database Vault home page appears.

    Description of cc_home_page.gif follows
    Description of the illustration cc_home_page.gif

See Also:

"Using Oracle Database Vault with Oracle Enterprise Manager"

Quick Start Tutorial: Securing a Schema from DBA Access

This tutorial shows how to create a realm around the HR schema. After you create the realm, you will test the realm with a user account.

Topics:

About This Tutorial

In this tutorial, you create a simple security configuration for the HR sample database schema.

In the HR schema, the EMPLOYEES table has information such as salaries that should be hidden from most employees in the company, including those with administrative access. To accomplish this, you add the HR schema to the secured objects of the protection zone, which in Oracle Database Vault is called a realm, inside the database. Then you grant limited authorizations to this realm. Afterward, you test the realm to make sure it has been properly secured. And finally, to see how Oracle Database Vault provides an audit trail on suspicious activities like the one you will try when you test the realm, you will run a report.

Before you can use this tutorial, ensure that the HR sample schema is installed. See Oracle Database Sample Schemas for information on installing the sample schemas.

Step 1: Log On as SYSTEM to Access the HR Schema

You must enable the HR schema for this tutorial.

  1. Log into the database instance as user SYSTEM and access the HR schema.

    sqlplus system
Enter password: password

  2. In a multitenant environment, connect to the appropriate PDB.

    For example:

    CONNECT SYSTEM@my_pdb
Enter password: password

    To find the available PDBs, query the DBA_PDBS data dictionary view. To check the current PDB, run the show con_name command.

  3. Query the HR.EMPLOYEES table as follows.

    SELECT FIRST_NAME, LAST_NAME, SALARY FROM HR.EMPLOYEES WHERE ROWNUM < 10;

    Output similar to the following appears:

    FIRST_NAME           LAST_NAME                     SALARY
-------------------- ------------------------- ----------
Steven               King                           24000
Neena                Kochhar                        17000
Lex                  De Haan                        17000
Alexander            Hunold                          9000
Bruce                Ernst                           6000
David                Austin                          4800
Valli                Pataballa                       4800
Diana                Lorentz                         4200
Nancy                Greenberg                      12008

9 rows selected.

  4. If the HR schema is locked and expired, log into the database instance as the DV_ACCTMGR user and unlock and unexpire the account. For example:

    sqlplus bea_dvacctmgr -- For CDBs: sqlplus bea_dvacctmgr@hrpdb
Enter password: password

ALTER USER HR ACCOUNT UNLOCK IDENTIFIED BY password

    Replace password with a password that is secure. See Oracle Database Security Guide for the minimum requirements for creating passwords.

    As you can see, SYSTEM has access to the salary information in the EMPLOYEES table of the HR schema. This is because SYSTEM is automatically granted the DBA role, which includes the SELECT ANY TABLE system privilege.

  5. Do not exit SQL*Plus.

Step 2: Create a Realm

Realms can protect one or more schemas, individual schema objects, and database roles. Once you create a realm, you can create security restrictions that apply to the schemas and their schema objects within the realm. Your first step is to create a realm for the HR schema.

  1. Log into Oracle Database Vault Administrator from Cloud Control as a user who has been granted the DV_OWNER or DV_ADMIN role and the SELECT ANY DICTIONARY privilege.

    "Logging into Oracle Database Vault" explains how to log in.

  2. In the Administration page, under Database Vault Components, click Realms. (It should be selected by default.)

  3. In the Realms page of Oracle Database Vault Administrator, click Create.

  4. In the Create Realm page, under General, enter HR Apps after Name.

  5. In the Description field, enter Realm to protect the HR schema.

  6. After Status, ensure that Enabled is selected so that the realm can be used.

  7. Under Audit Options, ensure that Audit On Failure is selected so that you can create an audit trial later on.

  8. Click Next to display the Realm secured objects page.

  9. Click the Add button and in the Add Secured Object dialog box, enter the following information:

    • Owner: Enter HR to select the HR schema.

    • Object Type: Enter TABLE.

    • Object Name: Enter EMPLOYEES.

  10. Click OK.

    The HR.EMPLOYEES table is added to the Create Realm : Realm Secured Objects page.

  11. Click Done, and then click Finish.

At this stage, you have created the realm but you have not assigned any authorizations to it. You will take care of that later on in this tutorial.

Step 3: Create the SEBASTIAN User Account

At this stage, there are no database accounts or roles authorized to access or otherwise manipulate the database objects the realm will protect. So, the next step is to authorize database accounts or database roles so that they can have access to the schemas within the realm. You will create the SEBASTIAN user account.

  1. In SQL*Plus, connect as the Database Vault Account Manager, who has the DV_ACCTMGR role, and create the local user SEBASTIAN.

    For example:

    CONNECT bea_dvacctmgr -- Or, CONNECT bea_dvacctmgr@hrpdb
Enter password: password

GRANT CREATE SESSION TO SEBASTIAN IDENTIFIED BY password;

    Replace password with a password that is secure. See Oracle Database Security Guide for the minimum requirements for creating passwords.

  2. Connect as SYS with the SYSDBA privilege, and then grant SEBASTIAN the following additional privilege.

    CONNECT SYS AS SYSDBA -- Or, CONNECT SYS@hrpdb AS SYSDBA
Enter password: password

GRANT READ ANY TABLE TO SEBASTIAN;

Do not exit SQL*Plus; you will need it for Step 5: Test the Realm, when you test the realm.

Step 4: Create an Authorization for the Realm

At this stage, even though SEBASTIAN has the SELECT ANY TABLE privilege, he cannot select from the HR.EMPLOYEES table because it is protected by a realm.

Next, authorize user SEBASTIAN to have access to the HR Apps realm as follows:

  1. In the Realms page of Database Vault Administrator, select the HR Apps in the list of realms, and then click Edit.

  2. Click the Next button until you reach the Realm authorizations page.

  3. Click Add and then enter the following information in the Add Authorizations dialog box:

    • Realm Authorization Grantee: Enter SEBASTIAN.

    • Realm Authorization Type: Select Participant from the list.

    • Realm Authorization Ruleset: Leave this field blank.

  4. Click OK.

    The Participant (0) authorization allows the user SEBASTIAN in the HR Apps realm to manage access, manipulate, and create objects protected by the HR Apps realm. In this case, the HR user and SEBASTIAN are the only users allowed to view the EMPLOYEES table.

  5. Click Done, and then Finish.

Step 5: Test the Realm

To test the realm, try accessing the EMPLOYEES table as a user other than HR. The SYSTEM account normally has access to all objects in the HR schema, but now that you have safeguarded the EMPLOYEES table with Oracle Database Vault, this is no longer the case.

In SQL*Plus, connect as SYSTEM, and then try accessing the salary information in the EMPLOYEES table again:

CONNECT SYSTEM -- Or, CONNECT SYSTEM@hrpdb
Enter password: password

SELECT FIRST_NAME, LAST_NAME, SALARY FROM HR.EMPLOYEES WHERE ROWNUM <10;

The following output should appear:

Error at line 1:
ORA-01031: insufficient privileges

SYSTEM no longer has access to the salary information in the EMPLOYEES table. (In fact, even user SYS does not have access to this table.) However, user SEBASTIAN does have access to this information. Try the following:

CONNECT sebastian -- Or, CONNECT sebastian@hrpdb
Enter password: password

SELECT FIRST_NAME, LAST_NAME, SALARY FROM HR.EMPLOYEES WHERE ROWNUM <10;

Output similar to the following appears:

FIRST_NAME           LAST_NAME                     SALARY
-------------------- ------------------------- ----------
Steven               King                           24000
Neena                Kochhar                        17000
Lex                  De Haan                        17000
Alexander            Hunold                          9000
Bruce                Ernst                           6000
David                Austin                          4800
Valli                Pataballa                       4800
Diana                Lorentz                         4200
Nancy                Greenberg                      12008

9 rows selected.

Step 6: If Unified Auditing Is Not Enabled, Then Run a Report

Because you enabled auditing on failure for the HR Apps realm, you can generate a report to find any security violations such as the one you attempted in Step 5: Test the Realm.

  1. In SQL*Plus, connect as user SYSTEM and ensure that unified auditing is not enabled.

    CONNECT SYSTEM -- Or, CONNECT SYSTEM@hrpdb
Enter password: password

SQL> SELECT VALUE FROM V$OPTION WHERE PARAMETER = 'Unified Auditing';

    If VALUE returns TRUE, then you cannot complete this section. Go to "Step 7: Remove the Components for This Tutorial."

    If unified auditing is enabled, then you must create a unified audit policy to capture events. See Oracle Database Security Guide for information about how to create unified audit policies for Oracle Database Vault.

  2. In the Database Vault Administrator page, click Home to display the home page.

  3. In the Database Vault Home page, under Reports, select Database Vault Reports.

  4. In the Database Vault Reports page, select Database Vault Enforcement Audit Report.

  5. From the Database Vault Audit Report list, select Realm Audit Report.

  6. In the Search area, from the Command menu, select Equals and in the text field, enter SELECT. Then click Search.

    The report appears in the table that follows the Search region.

  7. Click OK to exit the report.

Oracle Database Vault generates a report listing the type of violation (in this case, the SELECT statement entered in the previous section), when and where it occurred, the login account who tried the violation, and what the violation was.

Step 7: Remove the Components for This Tutorial

You can remove the components that you created for this tutorial if you no longer need them.

  1. Drop user SEBASTIAN.

    In SQL*Plus, log on as the Oracle Database Vault account manager (for example, bea_dvacctmgr) and then drop SEBASTIAN as follows:

    sqlplus bea_dvacctmgr -- Or, CONNECT bea_dvacctmgr@hrpdb
Enter password: password

DROP USER SEBASTIAN;

  2. Delete the HR Apps realm.

    1. In the Database Vault Home page, click Administration.

    2. In the Realms page, select HR Apps from the list of realms.

    3. Click Delete, and in the Confirmation window, click Yes.

  3. If necessary, lock and expire the HR account.

    ALTER USER HR ACCOUNT LOCK PASSWORD EXPIRE;