Database Vault Installation and Configuration


Best Practice
Document Version: 1.0 2015-02-20
Installation and Configuration Guide

Document History

Version  Date        Change
1.0      2015-02-20  Document creation

2015 SAP SE or an SAP affiliate company. All rights reserved.

Table of Contents

1 General Information
2 General Requirements
3 SAP Note References
    3.1 Main SAP Note
    3.2 Database Vault Notes
    3.3 Security Note collection
4 Installation Requirements
    4.1 Existence and usage of SPFILE
    4.2 Password file must exist
    4.3 Correct LISTENER configuration
    4.4 At least no invalid objects in Oracle system schema
5 Prerequisites Check
6 Preparation Steps
    6.1 Create a working directory <ora_dbvaultinstall> for log files
    6.2 Install current version of Database Vault Policy Scripts
    6.3 Configure SQL*Plus Prompt
7 Installation Steps
    7.1 Check current database configuration (initial check)
    7.2 Create tablespace for Database Vault Repository
    7.3 Create new database users and database roles
    7.4 Enable Database Options
        7.4.1 Enabling Database Vault and Label Security using chopt
        7.4.2 Checking the Status of the Oracle Database Vault Option
    7.5 Adding Database Components
        7.5.1 Adding Database Option XML DB, Enterprise Manager Database Control (EM DBC), Oracle Label Security (OLS), Database Vault (DV)
8 Configuration of Database Vault Policy for SAP
9 Post-Installation Steps
    9.1 Check database configuration (final check)
    9.2 Configure Status Trigger
    9.3 Configure Banners for Unauthorized Access and Auditing User Actions
    9.4 Test Connecting to Enterprise Manager Database Control and Database Vault Administrator web application (DVA)
    9.5 Configure DVA Session Timeout (optional step)
    9.6 Expire passwords/set new passwords for newly created database users
    9.7 Create Database Vault Monitoring User (Optional)
10 Testing
    10.1 Verifying Database Vault Status
        10.1.1 Check V$OPTION
        10.1.2 Check Alert Log
        10.1.3 Check existence of DVSYS schema
        10.1.4 Get instance information with BRSPACE
    10.2 Testing Database Vault Protection
        10.2.1 Connect as SAPSR3 user
        10.2.2 Try to create SAP table
        10.2.3 Try to manage database users as SYSDBA
    10.3 Test with BRSPACE
        10.3.1 Tablespace Management: creating a tablespace
        10.3.2 Tablespace Management: dropping a tablespace
        10.3.3 Tablespace Management
    10.4 Test with BRCONNECT
        10.4.1 Collect table statistics
        10.4.2 Update SAP table statistics for owner SAPSR3DB (Java-Stack)
        10.4.3 Gather dictionary stats
    10.5 Test with BRBACKUP/BRARCHIVE
        10.5.1 Database Backup: Tablespace backup
        10.5.2 Backup of Archive Logs
    10.6 Test with expdp
    10.7 Testing database software administration
        10.7.1 Grant database patching privileges to SYS
        10.7.2 To verify that SYS is now enabled for patching the database, run the following script
        10.7.3 Install the patch
        10.7.4 Revoke database patching privileges from SYS

1 General Information

Caution: There may be slight differences depending on your OS and DB version.

Note: This guide shows you the basic steps to install and configure Database Vault in an SAP system.

OS Platform: Oracle Linux R6U3
Oracle Release: 11.2.0.3
Bundle Patch: 201306

2 General Requirements

3 SAP Note References

3.1 Main SAP Note

1355140 - Using Oracle Database Vault in an SAP environment

3.2 Database Vault Notes

1355140 - Using Oracle Database Vault in an SAP environment
1502374 - Database Vault Policy Scripts for SAP (11.2)
1502377 - Enabling and Disabling Database Vault (11.2)
1595481 - Database User Management in a Database Vault Environment
1595640 - Operating System Accounts for Database Vault Administrators
1640715 - Test Scenarios for Database Vault with SAP
1597194 - Database Vault Installation Guide for SAP
1594629 - Deinstalling Oracle Database Vault
1503634 - FAQ: Oracle Database Vault
1678937 - Administration of Database Vault Enabled Databases
1605004 - Database Vault: Online Redefinition
1706104 - Installation and Deinstallation of Database Vault
1710997 - Using Personalized Database Administrator Accounts
1741523 - Oracle Database Vault Administrator 11.2
1875799 - Database Vault: Accessing selected SAP tables

3.3 Security Note collection

1868094 - Overview: Oracle Security SAP Notes

4 Installation Requirements

4.1 Existence and usage of SPFILE

    SQL> show parameter pfile;

    NAME                                 TYPE        VALUE
    ------------------------------------ ----------- ------------------------------
    spfile                               string      /oracle/jan/112_64/dbs/spfilejan.ora

4.2 Password file must exist

    orajan@testpurpose 56% pwd
    /oracle/jan/11203/dbs
    orajan@testpurpose 57% ls -al | grep pw
    -rw-r-----. 1 orajan dba 2560 Aug 26 12:17 orapwjan

4.3 Correct LISTENER configuration

    SQL> show parameter local_listener

4.4 At least no invalid objects in Oracle system schema

    SQL> select owner, object_name, object_type, status
         from dba_objects
         where status = 'INVALID'
         order by owner, object_name;

    no rows selected

    SQL> @?/rdbms/admin/utlrp.sql

5 Prerequisites Check

- Check common prerequisites (note 1355140)
- BR*Tools 7.20 PL 23 or above
- Check database with 'brconnect -u // -f check'
- Current version of SAPDBA Role is installed
- SPFILE configured
- Oracle password file is configured

6 Preparation Steps

6.1 Create a working directory <ora_dbvaultinstall> for log files

    orajan@testpurpose 52% cd /
    orajan@testpurpose 53% mkdir -p ~/ora_dbvaultinstall
    orajan@testpurpose 54% cd ~/ora_dbvaultinstall/

6.2 Install current version of Database Vault Policy Scripts

6.3 Configure SQL*Plus Prompt

    --SQLPROMPT for Database Vault
    SET SQLPROMPT "_user _privilege '@' _connect_identifier SQL> "

7 Installation Steps

7.1 Check current database configuration (initial check)

    orajan@testpurpose 72% cd ~/ora_dbvaultinstall/
    orajan@testpurpose 73% sqlplus "/as sysdba"
    SQL*Plus: Release 11.2.0.3.0 Production on Mon Aug 26 13:53:43 2013
    Copyright (c) 1982, 2011, Oracle. All rights reserved.
    Connected to:
    Oracle Database 11g Enterprise Edition Release 11.2.0.3.0-64bit Production
    With the Partitioning, OLAP, Data Mining and Real Application Testing options
    SYS AS SYSDBA @ JAN SQL> spool dv_config_check_1_begin.log
    SYS AS SYSDBA @ JAN SQL> @?/sap/ora_dbvault/dv_config_check.sql
    **********************************************************************
    FINISHED - Oracle Database Vault Configuration Check for SAP
    **********************************************************************
    PL/SQL procedure successfully completed.
    No errors.

7.2 Create tablespace for Database Vault Repository

    orajan@testpurpose 74% brspace -u // -c force -f tscreate -t SYSDBVAULT -size 200 -a yes -i 100 -m 10000 -o none

7.3 Create new database users and database roles

    orajan@testpurpose 75% sqlplus "/as sysdba"
    SYS AS SYSDBA @ JAN SQL> spool dv_user_create.log
    SYS AS SYSDBA @ JAN SQL> @?/sap/ora_dbvault/drop_dv_user_roles.sql
    SYS AS SYSDBA @ JAN SQL> @?/sap/ora_dbvault/create_dv_user_roles.sql
    _user _privilege '@' _connect_identifier SQL> spool off

7.4 Enable Database Options

Never enable Database Vault (DV) without Oracle Label Security (LBAC). Whenever DV is enabled, LBAC must be enabled too, and LBAC must always be enabled before DV. DV can be disabled without disabling LBAC.

7.4.1 Enabling Database Vault and Label Security using chopt

    orajan@testpurpose 76% chopt enable lbac
    Writing to /oracle/jan/11203/install/enable_lbac.log...
    /usr/bin/make -f /oracle/jan/11203/rdbms/lib/ins_rdbms.mk lbac_on ORACLE_HOME=/oracle/JAN/11203
    /usr/bin/make -f /oracle/jan/11203/rdbms/lib/ins_rdbms.mk ioracle ORACLE_HOME=/oracle/JAN/11203
    orajan@testpurpose 77% chopt enable dv
    Writing to /oracle/jan/11203/install/enable_dv.log...
    /usr/bin/make -f /oracle/jan/11203/rdbms/lib/ins_rdbms.mk dv_on ORACLE_HOME=/oracle/JAN/11203
    /usr/bin/make -f /oracle/jan/11203/rdbms/lib/ins_rdbms.mk ioracle ORACLE_HOME=/oracle/JAN/11203

7.4.2 Checking the Status of the Oracle Database Vault Option

7.4.2.1 Connect to the instance and run the following query

    SYS AS SYSDBA @ JAN SQL> SELECT PARAMETER, VALUE FROM V$OPTION WHERE PARAMETER = 'Oracle Database Vault';

    PARAMETER
    ----------------------------------------------------------------
    VALUE
    ----------------------------------------------------------------
    Oracle Database Vault
    TRUE

7.4.2.2 Run the dv_status.sh script

    orajan@testpurpose 78% $ORACLE_HOME/sap/ora_dbvault/dv_status.sh
    Checking Status of Oracle Database Vault and Oracle Label Security in /oracle/jan/112_64
    Oracle Database Vault is enabled in /oracle/jan/112_64.
    Oracle Label Security is enabled in /oracle/jan/112_64.
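The rule from section 7.4 (DV must never be enabled without LBAC) can be checked mechanically against the text that dv_status.sh prints in 7.4.2.2. The following is an added example, not part of the SAP policy scripts; the function names are hypothetical, and the "is disabled in" wording is an assumption modelled on the "is enabled in" lines shown above.

```sh
#!/bin/sh
# Added example: validate the DV / Label Security combination that
# dv_status.sh reports. Expected wording (from section 7.4.2.2):
#   Oracle Database Vault is enabled in <oracle_home>.
#   Oracle Label Security is enabled in <oracle_home>.
# ASSUMPTION: a switched-off option is reported as "... is disabled in ...".

# option_state <status-text> <option-name>
# Prints "enabled", "disabled" or "unknown" for the named option.
option_state() {
    line=$(printf '%s\n' "$1" \
        | grep -E "^$2 is (enabled|disabled) in " \
        | tail -n 1)
    case "$line" in
        "$2 is enabled in "*)  echo enabled ;;
        "$2 is disabled in "*) echo disabled ;;
        *)                     echo unknown ;;
    esac
}

# check_dv_ols_state <status-text>
# Return codes:
#   0  allowed combination (DV off, or DV on together with Label Security)
#   1  Database Vault enabled while Label Security is not
#   2  the status text could not be parsed
check_dv_ols_state() {
    dv=$(option_state "$1" "Oracle Database Vault")
    ols=$(option_state "$1" "Oracle Label Security")

    if [ "$dv" = unknown ] || [ "$ols" = unknown ]; then
        echo "UNKNOWN: could not read both option states (dv=$dv ols=$ols)" >&2
        return 2
    fi
    if [ "$dv" = enabled ] && [ "$ols" != enabled ]; then
        echo "VIOLATION: Database Vault is enabled without Label Security" >&2
        return 1
    fi
    echo "OK: dv=$dv ols=$ols"
    return 0
}

# Usage on a database host (path as used in section 7.4.2.2):
#   check_dv_ols_state "$("$ORACLE_HOME"/sap/ora_dbvault/dv_status.sh)"
```

A return code of 2 should be treated as a failed check, since it means the script output no longer matches the wording this example expects.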

7.5 Adding Database Components

    SYS AS SYSDBA @ JAN SQL> SET LINESIZE 200
    SYS AS SYSDBA @ JAN SQL> SET PAGESIZE 100
    SYS AS SYSDBA @ JAN SQL> COL COMP_NAME FORMAT A50
    SYS AS SYSDBA @ JAN SQL> select comp_id, comp_name, version, status from dba_registry;

    COMP_ID    COMP_NAME                            VERSION      STATUS
    ---------- ------------------------------------ ------------ ------
    CATALOG    Oracle Database Catalog Views        11.2.0.3.0   VALID
    CATPROC    Oracle Database Packages and Types   11.2.0.3.0   VALID

7.5.1 Adding Database Option XML DB, Enterprise Manager Database Control (EM DBC), Oracle Label Security (OLS), Database Vault (DV)

For test environments: installing Enterprise Manager Database Control is the recommended approach.

For production environments: installing Enterprise Manager is only recommended if you don't have a central DV installation with EM Database Control with DVA. From an SAP system copy perspective, installing EM Database Control in every SAP database with Database Vault is not a good idea.

    orajan@testpurpose 80% lsnrctl start
    orajan@testpurpose 83% pwd
    /oracle/jan/11203/bin
    orajan@testpurpose 84% dbca


8 Configuration of Database Vault Policy for SAP

    orajan@testpurpose 73% sqlplus "/as sysdba"
    SYS AS SYSDBA @ JAN SQL> REM Configure Database Vault Policy for SAP
    SYS AS SYSDBA @ JAN SQL> connect secadmin/abcd_1234
    Connected.
    SECADMIN @ JAN SQL> spool dv_policy_create.log
    SECADMIN @ JAN SQL> @?/sap/ora_dbvault/dv_policy policy create
    SECADMIN @ JAN SQL> connect secacctmgr/abcd_1234
    Connected.
    SECACCTMGR @ JAN SQL> GRANT DV_ACCTMGR TO SAPCRED;
    Grant succeeded.
    SECACCTMGR @ JAN SQL> connect sapacctmgr/abcd_1234
    Connected.
    SAPACCTMGR @ JAN SQL> REVOKE SAPCRED FROM SYS;
    REVOKE SAPCRED FROM SYS
    *
    ERROR at line 1:
    ORA-01951: ROLE 'SAPCRED' not granted to 'SYS'
    SAPACCTMGR @ O11 SQL> spool off

9 Post-Installation Steps

9.1 Check database configuration (final check)

    orajan@testpurpose 77% sqlplus /nolog
    SQL*Plus: Release 11.2.0.3.0 Production on Tue Aug 27 10:40:52 2013
    Copyright (c) 1982, 2011, Oracle. All rights reserved.
    @ SQL> connect / as sysdba
    Connected.
    SYS AS SYSDBA @ JAN SQL> spool dv_config_check_2_end.log
    SYS AS SYSDBA @ JAN SQL> @?/sap/ora_dbvault/dv_config_check.sql
    SYS AS SYSDBA @ JAN SQL> select grantee from dba_role_privs where granted_role = 'SAPCRED';

    GRANTEE
    ------------------------------
    SAPACCTMGR

9.2 Configure Status Trigger

    SYS AS SYSDBA @ JAN SQL> conn / as sysdba
    Connected.
    SYS AS SYSDBA @ JAN SQL> @?/sap/ora_dbvault/create_dv_status_trigger.sql
    Trigger SAP_DV_CHECK_STATUS has been created.

    ALTER DATABASE OPEN
    <...>
    Database Vault option is enabled
    Database Vault component is VALID.
    Completed: ALTER DATABASE OPEN

    ALTER DATABASE OPEN
    <...>
    Database Vault option is disabled
    Completed: ALTER DATABASE OPEN

9.3 Configure Banners for Unauthorized Access and Auditing User Actions

    orajan@testpurpose 78% cd $ORACLE_HOME/network/admin/
    orajan@testpurpose 93% cat sqlnet.ora
    AUTOMATIC_IPC = ON
    TRACE_LEVEL_CLIENT = OFF
    SQLNET.EXPIRE_TIME = 5
    NAMES.DIRECTORY_PATH = (TNSNAMES)
    NAMES.DEFAULT_DOMAIN = WORLD
    SQLNET.INBOUND_CONNECT_TIMEOUT = 120
    SEC_USER_AUDIT_ACTION_BANNER=/oracle/JAN/11203/network/admin/auditactions.txt
    SEC_USER_UNAUTHORIZED_ACCESS_BANNER=/oracle/JAN/11203/network/admin/unauthaccess.txt

    orajan@testpurpose 84% cat auditactions.txt
    ***** WARNING *****
    This secured system is for the use of authorized users only.
    Unauthorized access is strictly prohibited!
    All activities on this system may be logged and monitored.
    ***** WARNING *****
    orajan@testpurpose 85% cat unauthaccess.txt
    ***** WARNING *****
    This secured system is for the use of authorized users only.
    Unauthorized access is strictly prohibited!
    All activities on this system may be logged and monitored.
    ***** WARNING *****

    SYS AS SYSDBA @ JAN SQL> startup
    ***** WARNING *****
    This secured system is for the use of authorized users only.
    Unauthorized access is strictly prohibited!
    All activities on this system may be logged and monitored.
    ***** WARNING *****
    ***** WARNING *****
    This secured system is for the use of authorized users only.
    Unauthorized access is strictly prohibited!
    All activities on this system may be logged and monitored.
    ***** WARNING *****
    ORACLE instance started.
    Total System Global Area  501059584 bytes
    Fixed Size                  2229744 bytes
    Variable Size             255855120 bytes
    Database Buffers          234881024 bytes
    Redo Buffers                8093696 bytes
    Database mounted.
    ***** WARNING *****
    This secured system is for the use of authorized users only.
    Unauthorized access is strictly prohibited!
    All activities on this system may be logged and monitored.
    ***** WARNING *****
    ***** WARNING *****
    This secured system is for the use of authorized users only.
    Unauthorized access is strictly prohibited!
    All activities on this system may be logged and monitored.
    ***** WARNING *****
    Database opened.
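A check for the banner setup in section 9.3, as an added example that is not part of the original guide: it reads the two SEC_USER_* parameters from sqlnet.ora and confirms that each points to a readable, non-empty file. Because the file test runs against the exact string in sqlnet.ora, it also catches a path whose upper or lower case does not match the directory on disk. The function names are hypothetical.

```sh
#!/bin/sh
# Added example: verify that the banner parameters from section 9.3 are set
# in sqlnet.ora and reference usable files.

# sqlnet_param <sqlnet.ora> <PARAMETER>
# Prints the value of the last uncommented "PARAMETER = value" line.
# Names are compared case-insensitively; blanks around "=" are ignored.
sqlnet_param() {
    awk -v want="$2" '
        /^[ \t]*#/ { next }                      # skip comment lines
        {
            pos = index($0, "=")
            if (pos == 0) next
            name = substr($0, 1, pos - 1)
            val  = substr($0, pos + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)   # also drops a trailing CR
            if (toupper(name) == toupper(want)) found = val
        }
        END { if (found != "") print found }
    ' "$1"
}

# check_banner <sqlnet.ora> <PARAMETER>
# Returns 0 if the parameter is set and its file is readable and non-empty.
check_banner() {
    banner_file=$(sqlnet_param "$1" "$2")
    if [ -z "$banner_file" ]; then
        echo "MISSING  $2 is not set in $1"
        return 1
    fi
    if [ ! -f "$banner_file" ] || [ ! -r "$banner_file" ]; then
        echo "BROKEN   $2 -> $banner_file (no such readable file)"
        return 1
    fi
    if [ ! -s "$banner_file" ]; then
        echo "EMPTY    $2 -> $banner_file"
        return 1
    fi
    echo "OK       $2 -> $banner_file"
}

# check_banners <sqlnet.ora>
# Checks both parameters; the return code is the number of failed checks.
check_banners() {
    failures=0
    for param in SEC_USER_AUDIT_ACTION_BANNER \
                 SEC_USER_UNAUTHORIZED_ACCESS_BANNER; do
        check_banner "$1" "$param" || failures=$((failures + 1))
    done
    return "$failures"
}

# Usage on a database host (directory as used in section 9.3):
#   check_banners "$ORACLE_HOME/network/admin/sqlnet.ora"
```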

9.4 Test Connecting to Enterprise Manager Database Control and Database Vault Administrator web application (DVA)

    orajan@testpurpose 95% emctl stop dbconsole
    Oracle Enterprise Manager 11g Database Control Release 11.2.0.3.0
    Copyright (c) 1996, 2011 Oracle Corporation. All rights reserved.
    https://testpurpose.localdomain:1158/em/console/aboutapplication
    Stopping Oracle Enterprise Manager 11g Database Control......
    Stopped.
    orajan@testpurpose 96% emctl start dbconsole
    Oracle Enterprise Manager 11g Database Control Release 11.2.0.3.0
    Copyright (c) 1996, 2011 Oracle Corporation. All rights reserved.
    https://testpurpose.localdomain:1158/em/console/aboutapplication
    Starting Oracle Enterprise Manager 11g Database Control... started.
    ------------------------------------------------------------------
    Logs are generated in directory /oracle/jan/11203/testpurpose.localdomain_jan/sysman/log

    https://testpurpose.localdomain:1158/em

    orajan@testpurpose 97% emctl status dbconsole
    Oracle Enterprise Manager 11g Database Control Release 11.2.0.3.0
    Copyright (c) 1996, 2011 Oracle Corporation. All rights reserved.
    https://testpurpose.localdomain:1158/em/console/aboutapplication
    Oracle Enterprise Manager 11g is running.
    ------------------------------------------------------------------
    Logs are generated in directory /oracle/jan/11203/testpurpose.localdomain_jan/sysman/log

9.5 Configure DVA Session Timeout (optional step)

In the file $ORACLE_HOME/dv/jlib/dva_webapp/dva_webapp/WEB-INF/web.xml, search for <session-timeout>35</session-timeout> and modify this value. Save the file and restart Enterprise Manager Database Control.

    <session-config>
        <session-timeout>70</session-timeout>
    </session-config>

9.6 Expire passwords/set new passwords for newly created database users

    SECACCTMGR @ JAN SQL> ALTER USER BRTDBA PASSWORD EXPIRE;
    ALTER USER SECADMIN PASSWORD EXPIRE;
    ALTER USER SECACCTMGR PASSWORD EXPIRE;
    ALTER USER SAPACCTMGR PASSWORD EXPIRE;
    quit

    orajan@testpurpose 110% sqlplus brtdba
    SQL*Plus: Release 11.2.0.3.0 Production on Tue Aug 27 11:06:11 2013
    Copyright (c) 1982, 2011, Oracle. All rights reserved.
    Enter password:
    ***** WARNING *****
    This secured system is for the use of authorized users only.
    Unauthorized access is strictly prohibited!
    All activities on this system may be logged and monitored.
    ***** WARNING *****
    ERROR:
    ORA-28001: the password has expired
    Changing password for brtdba
    New password:
    Retype new password:
    Password changed
    Error accessing PRODUCT_USER_PROFILE
    Warning: Product user profile information not loaded!
    You may need to run PUPBLD.SQL as SYSTEM
    Connected to:
    Oracle Database 11g Enterprise Edition Release 11.2.0.3.0-64bit Production
    With the Partitioning, Oracle Label Security, OLAP, Data Mining, Oracle Database Vault and Real Application Testing options
    BRTDBA @ JAN SQL>

Repeat the same steps for the secadmin, secacctmgr and sapacctmgr users.

    orajan@testpurpose 112% sqlplus secadmin
    orajan@testpurpose 113% sqlplus secacctmgr
    orajan@testpurpose 114% sqlplus sapacctmgr

9.7 Create Database Vault Monitoring User (Optional)

    orajan@testpurpose 115% cd $ORACLE_HOME/sap/ora_dbvault/
    orajan@testpurpose 116% sqlplus / as sysdba
    SYS AS SYSDBA @ JAN SQL> @tpl_create_user_secanalyst.sql
    ***** WARNING *****
    This secured system is for the use of authorized users only.
    Unauthorized access is strictly prohibited!
    All activities on this system may be logged and monitored.
    ***** WARNING *****
    ***** WARNING *****
    This secured system is for the use of authorized users only.
    Unauthorized access is strictly prohibited!
    All activities on this system may be logged and monitored.
    ***** WARNING *****
    Connected.
    Enter name for DV Security Analyst Account to be created [SECANALYST]:
    Connecting as security account manager SECACCTMGR to create account
    Enter password:
    ***** WARNING *****
    This secured system is for the use of authorized users only.
    Unauthorized access is strictly prohibited!
    All activities on this system may be logged and monitored.
    ***** WARNING *****
    ***** WARNING *****
    This secured system is for the use of authorized users only.
    Unauthorized access is strictly prohibited!
    All activities on this system may be logged and monitored.
    ***** WARNING *****
    Error accessing PRODUCT_USER_PROFILE
    Warning: Product user profile information not loaded!
    You may need to run PUPBLD.SQL as SYSTEM
    Connected.
    Creating a new Database Vault Security Administrator Account
    User name: SECANALYST
    Password : abcd_1234
    CREATE USER SECANALYST IDENTIFIED BY "abcd_1234"
    User created.
    GRANT CONNECT TO SECANALYST
    Role granted.
    PL/SQL procedure successfully completed.
    Connecting as security administrator SECADMIN to grant roles
    Enter password:
    ***** WARNING *****
    This secured system is for the use of authorized users only.
    Unauthorized access is strictly prohibited!
    All activities on this system may be logged and monitored.
    ***** WARNING *****
    ***** WARNING *****
    This secured system is for the use of authorized users only.
    Unauthorized access is strictly prohibited!
    All activities on this system may be logged and monitored.
    ***** WARNING *****
    Error accessing PRODUCT_USER_PROFILE
    Warning: Product user profile information not loaded!
    You may need to run PUPBLD.SQL as SYSTEM
    Connected.
    GRANT DV_SECANALYST TO SECANALYST
    Role granted.
    PL/SQL procedure successfully completed.
    First connect with the new database user
    ***** WARNING *****
    This secured system is for the use of authorized users only.
    Unauthorized access is strictly prohibited!
    All activities on this system may be logged and monitored.
    ***** WARNING *****
    ***** WARNING *****
    This secured system is for the use of authorized users only.
    Unauthorized access is strictly prohibited!
    All activities on this system may be logged and monitored.
    ***** WARNING *****
    Error accessing PRODUCT_USER_PROFILE
    Warning: Product user profile information not loaded!
    You may need to run PUPBLD.SQL as SYSTEM
    Connected.

    USER
    ------------------------------
    SECANALYST

    ROLE
    ------------------------------
    DV_PUBLIC
    CONNECT
    DV_SECANALYST

    PRIVILEGE
    ----------------------------------------
    CREATE SESSION

    Disconnected from Oracle Database 11g Enterprise Edition Release 11.2.0.3.0-64bit Production
    With the Partitioning, Oracle Label Security, OLAP, Data Mining, Oracle Database Vault and Real Application Testing options

10 Testing

10.1 Verifying Database Vault Status

10.1.1 Check V$OPTION

    SYS AS SYSDBA @ JAN SQL> select parameter, value from v$option where parameter = 'Oracle Database Vault';

    PARAMETER
    ----------------------------------------------------------------
    VALUE
    ----------------------------------------------------------------
    Oracle Database Vault
    TRUE

10.1.2 Check Alert Log

    Starting up:
    Oracle Database 11g Enterprise Edition Release 11.2.0.3.0-64bit Production
    With the Partitioning, Oracle Label Security, OLAP, Data Mining,
    ORACLE_HOME = /oracle/jan/112_64
    System name: Linux
    Node name: testpurpose.localdomain
    Release: 2.6.39-200.24.1.el6uek.x86_64
    Version: 1 SMP Sat Jun 23 02:39:07 EDT 2012
    Machine: x86_64

10.1.3 Check existence of DVSYS schema

    SYS AS SYSDBA @ JAN SQL> select username from dba_users where username = 'DVSYS';

    USERNAME
    ------------------------------
    DVSYS

10.1.4 Get instance information with BRSPACE

    orajan@testpurpose 80% brspace -f dbshow -c dbstate
    BR1001I BRSPACE 7.20 (33)
    BR1002I Start of BRSPACE processing: selypirv.dbw 2013-08-27 11.19.35

    Information about the status of database instance JAN

     1 - Instance number (number)... 1
     2 - Instance thread (thread)... 1
     3 - Instance status (status)... OPEN
     4 - Instance start time (start)... 2013-08-27 10.52.07
     5 - Oracle version (version)... 11.2.0.3.0
     6 - Database creation time (create)... 2013-06-12 12.50.05
     7 - Last resetlogs time (resetlogs)... 2013-06-12 12.50.05
     8 - Archivelog mode (archmode)... NOARCHIVELOG
     9 - Archiver status (archiver)... STOPPED
    10 - Current redolog sequence (redoseq). 54
    11 - Current redolog SCN (redoscn)... 912631
    12 - Flashback status (flashback)... OFF
    13 - Block change tracking (tracking)... OFF
    14 - Data encryption (encryption)... OFF
    15 - Database vault (dbvault)... ON
    16 - Number of SAP connections (sapcon). 0

10.2 Testing Database Vault Protection

10.2.1 Connect as SAPSR3 user

    SYS AS SYSDBA @ JAN SQL> connect SAPSR3/test1234
    ***** WARNING *****
    This secured system is for the use of authorized users only.
    Unauthorized access is strictly prohibited!
    All activities on this system may be logged and monitored.
    ***** WARNING *****
    ERROR:
    ORA-47400: Command Rule violation for CONNECT on LOGON
    Warning: You are no longer connected to ORACLE.

OR

    ERROR:
    ORA-47306: 20001: Connection denied. SAP security violation.
    Warning: You are no longer connected to ORACLE.

10.2.2 Try to create SAP table

    SYS AS SYSDBA @ JAN SQL> connect system/manager;
    SYSTEM @ JAN SQL> create table SAPSR3.TESTDV (a1 varchar(1));
    create table SAPSR3.TESTDV (a1 varchar(1))
    *
    ERROR at line 1:
    ORA-47401: Realm violation for CREATE TABLE on SAPSR3.TESTDV

10.2.3 Try to manage database users as SYSDBA

SYSTEM @ JAN SQL> connect / as sysdba
SYS AS SYSDBA @ JAN SQL> create user TESTDV identified by test1234;
create user TESTDV identified by test1234
*
ERROR at line 1:
ORA-01031: insufficient privileges

SYS AS SYSDBA @ JAN SQL> alter user SAPSR3 identified by test1234;
alter user SAPSR3 identified by test1234
*
ERROR at line 1:
ORA-01031: insufficient privileges
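The negative tests in 10.2 show that the protection works only if each statement is rejected with the Database Vault or privilege error listed above, and not by an unrelated failure. The following added example (not part of the SAP guide) classifies captured SQL*Plus output on that basis; the names check_denied and run_samples and the sample transcripts are constructed for illustration, and ORA-12541 stands in for an unrelated failure.

```shell
#!/bin/sh
# Classify captured SQL*Plus output from the negative tests in section 10.2.
# Usage: check_denied "<expected ORA numbers>" < transcript
# Prints a verdict; returns 0 only when the statement was rejected with one
# of the expected errors.
check_denied() {
    cd_expected="$1"
    cd_transcript=$(cat)
    # SQL*Plus success feedback means the statement was NOT blocked.
    if printf '%s\n' "$cd_transcript" |
        grep -Eq '^(Connected|Table created|User created|User altered)\.$'; then
        echo "NOT_BLOCKED"; return 1
    fi
    for cd_code in $cd_expected; do
        if printf '%s\n' "$cd_transcript" | grep -q "ORA-${cd_code}:"; then
            echo "BLOCKED ORA-${cd_code}"; return 0
        fi
    done
    # Rejected, but not by the rule under test (listener down, bad password, ...).
    echo "UNEXPECTED"; return 2
}

# Constructed sample transcripts, modelled on the output shown in 10.2.
SAMPLE_CONNECT='ERROR:
ORA-47400: Command Rule violation for CONNECT on LOGON'
SAMPLE_CREATE='create table SAPSR3.TESTDV (a1 varchar(1))
*
ERROR at line 1:
ORA-47401: Realm violation for CREATE TABLE on SAPSR3.TESTDV'
SAMPLE_LEAK='Table created.'
SAMPLE_OTHER='ERROR:
ORA-12541: TNS:no listener'

# Run all four samples and report how many did not count as a valid block.
run_samples() {
    rs_failures=0
    printf '%s\n' "$SAMPLE_CONNECT" | check_denied "47400 47306" || rs_failures=$((rs_failures + 1))
    printf '%s\n' "$SAMPLE_CREATE"  | check_denied "47401"       || rs_failures=$((rs_failures + 1))
    printf '%s\n' "$SAMPLE_LEAK"    | check_denied "47401"       || rs_failures=$((rs_failures + 1))
    printf '%s\n' "$SAMPLE_OTHER"   | check_denied "47400 47306" || rs_failures=$((rs_failures + 1))
    echo "failures=$rs_failures"
}
run_samples
```

For the SYSDBA tests in 10.2.3 the expected number is 01031, passed the same way as the first argument.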

10.3 Test with BRSPACE

10.3.1 Tablespace Management: creating a tablespace

orajan@testpurpose 118% brspace -f tscreate -c data -f sapdata1 -t psaptestdv

10.3.2 Tablespace Management: dropping a tablespace

orajan@testpurpose 120% brspace -f tsdrop -t psaptestdv

10.3.3 Tablespace Management e.g.:

orajan@testpurpose 120% brspace -u / -f [tscreate tsalter tsdrop tsextend ]

10.4 Test with BRCONNECT

10.4.1 Collect table statistics

orajan@testpurpose 121% brconnect -u // -c -f stats -t "DBA*" -f collect

10.4.2 Update SAP table statistics for owner SAPSR3DB (Java-Stack)

orajan@testpurpose 121% brconnect -u // -c -f stats -o SAPSR3DB -t all

10.4.3 Gather dictionary stats

orajan@testpurpose 122% brconnect -u // -c -f stats -t oradict_stats

10.5 Test with BRBACKUP/BRARCHIVE

10.5.1 Database Backup: Tablespace backup

orajan@testpurpose 123% brbackup -u // -c -t offline -m sysdbvault -d disk -k yes

10.5.2 Backup of Archive Logs

orajan@testpurpose 124% brarchive -u // -c -p initqo1.sap -save -d disk -n 2 -k yes -l E
orajan@testpurpose 125% brarchive -u system -c -p initqo1.sap -save -d disk -n 2 -k yes -l E

10.6 Test with expdp

SECADMIN SQL> @dv_policy export enable
SECADMIN SQL> @dv_policy export status

orajan@testpurpose 126% brspace -u brtdba -f tbexport -l expdp -t T100 -NDC

SECADMIN SQL> @dv_policy export disable
SECADMIN SQL> @dv_policy export status

10.7 Testing database software administration

10.7.1 Grant database patching privileges to SYS

orajan@testpurpose 127% cd <ORACLE_HOME>/sap/ora_dbvault
orajan@testpurpose 128% sqlplus secadmin
SECADMIN SQL> @dv_policy patch enable

a) DV_PATCH_ADMIN role is granted to SYS.
b) GRANT command rule is disabled.

10.7.2 To verify that SYS is now enabled for patching the database, run the following script

SQL> @dv_config_check.sql
...
*******************************************************
Patch Status
*******************************************************
Current Patch Status : ENABLED
Enabled for patching the database are the following database users:
SYS
...

10.7.3 Install the patch

10.7.4 Revoke database patching privileges from SYS

orajan@testpurpose 129% cd <ORACLE_HOME>/sap/ora_dbvault
orajan@testpurpose 130% sqlplus secadmin
SECADMIN SQL> @dv_policy patch disable

a) DV_PATCH_ADMIN role is revoked from SYS.
b) GRANT command rule is enabled again.


www.sap.com/contactsap 2015 SAP SE or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. Please see www.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices. Material Number: