Best Practice
Document Version: 1.0 2015-02-20

Installation and Configuration Guide

Document History

Version    Date          Change
1.0        2015-02-20    Document creation

2015 SAP SE or an SAP affiliate company. All rights reserved.

Table of Contents

1 General Information
2 General Requirements
3 SAP Note References
  3.1 Main SAP Note
  3.2 Database Vault Notes
  3.3 Security Note collection
4 Installation Requirements
  4.1 Existence and usage of SPFILE
  4.2 Password file must exist
  4.3 Correct LISTENER configuration
  4.4 At least no invalid objects in Oracle system schema
5 Prerequisites Check
6 Preparation Steps
  6.1 Create a working directory <ora_dbvaultinstall> for log files
  6.2 Install current version of Database Vault Policy Scripts
  6.3 Configure SQL*Plus Prompt
7 Installation Steps
  7.1 Check current database configuration (initial check)
  7.2 Create tablespace for Database Vault Repository
  7.3 Create new database users and database roles
  7.4 Enable Database Options
    7.4.1 Enabling Database Vault and Label Security using chopt
    7.4.2 Checking the Status of the Oracle Database Vault Option
  7.5 Adding Database Components
    7.5.1 Adding Database Option XML DB, Enterprise Manager Database Control (EM DBC), Oracle Label Security (OLS), Database Vault (DV)
8 Configuration of Database Vault Policy for SAP
9 Post-Installation Steps
  9.1 Check database configuration (final check)
  9.2 Configure Status Trigger
  9.3 Configure Banners for Unauthorized Access and Auditing User Actions
  9.4 Test Connecting to Enterprise Manager Database Control and Database Vault Administrator web application (DVA)
  9.5 Configure DVA Session Timeout (optional step)
  9.6 Expire passwords/set new passwords for newly created database users
  9.7 Create Database Vault Monitoring User (Optional)
10 Testing
  10.1 Verifying Database Vault Status
    10.1.1 Check V$OPTION
    10.1.2 Check Alert Log
    10.1.3 Check existence of DVSYS schema
    10.1.4 Get instance information with BRSPACE
  10.2 Testing Database Vault Protection
    10.2.1 Connect as SAPSR3 user
    10.2.2 Try to create SAP table
    10.2.3 Try to manage database users as SYSDBA
  10.3 Test with BRSPACE
    10.3.1 Tablespace Management: creating a tablespace
    10.3.2 Tablespace Management: dropping a tablespace
    10.3.3 Tablespace Management
  10.4 Test with BRCONNECT
    10.4.1 Collect table statistics
    10.4.2 Update SAP table statistics for owner SAPSR3DB (Java-Stack)
    10.4.3 Gather dictionary stats
  10.5 Test with BRBACKUP/BRARCHIVE
    10.5.1 Database Backup: Tablespace backup
    10.5.2 Backup of Archive Logs
  10.6 Test with expdp
  10.7 Testing database software administration
    10.7.1 Grant database patching privileges to SYS
    10.7.2 To verify that SYS is now enabled for patching the database, run the following script
    10.7.3 Install the patch
    10.7.4 Revoke database patching privileges from SYS

1 General Information

Caution
There may be slight differences depending on your OS and DB version.

Note
This guide shows you the basic steps to install and configure Database Vault in an SAP system.

OS Platform: Oracle Linux R6U3
Oracle Release: 11.2.0.3
Bundle Patch: 201306

2 General Requirements

3 SAP Note References

3.1 Main SAP Note

1355140 - Using Oracle Database Vault in an SAP environment

3.2 Database Vault Notes

1355140 - Using Oracle Database Vault in an SAP environment
1502374 - Database Vault Policy Scripts for SAP (11.2)
1502377 - Enabling and Disabling Database Vault (11.2)
1595481 - Database User Management in a Database Vault Environment
1595640 - Operating System Accounts for Database Vault Administrators
1640715 - Test Scenarios for Database Vault with SAP
1597194 - Database Vault Installation Guide for SAP
1594629 - Deinstalling Oracle Database Vault
1503634 - FAQ: Oracle Database Vault
1678937 - Administration of Database Vault Enabled Databases
1605004 - Database Vault: Online Redefinition
1706104 - Installation and Deinstallation of Database Vault
1710997 - Using Personalized Database Administrator Accounts
1741523 - Oracle Database Vault Administrator 11.2
1875799 - Database Vault: Accessing selected SAP tables

3.3 Security Note collection

1868094 - Overview: Oracle Security SAP Notes

4 Installation Requirements

4.1 Existence and usage of SPFILE

    SQL> show parameter pfile;

    NAME                                 TYPE        VALUE
    ------------------------------------ ----------- ------------------------------
    spfile                               string      /oracle/jan/112_64/dbs/spfilejan.ora

4.2 Password file must exist

    orajan@testpurpose 56% pwd
    /oracle/jan/11203/dbs
    orajan@testpurpose 57% ls -al | grep pw
    -rw-r-----. 1 orajan dba 2560 Aug 26 12:17 orapwjan

4.3 Correct LISTENER configuration

    SQL> show parameter local_listener

4.4 At least no invalid objects in Oracle system schema

    SQL> select owner, object_name, object_type, status from dba_objects where status = 'INVALID' order by owner, object_name;

    no rows selected

    SQL> @?/rdbms/admin/utlrp.sql

5 Prerequisites Check

Check common prerequisites (note 1355140):

- BR*Tools 7.20 PL 23 or above
- Check database with 'brconnect -u // -f check'
- Current version of SAPDBA Role is installed
- SPFILE configured
- Oracle password file is configured

6 Preparation Steps

6.1 Create a working directory <ora_dbvaultinstall> for log files

    orajan@testpurpose 52% cd /
    orajan@testpurpose 53% mkdir -p ~/ora_dbvaultinstall
    orajan@testpurpose 54% cd ~/ora_dbvaultinstall/

6.2 Install current version of Database Vault Policy Scripts

6.3 Configure SQL*Plus Prompt

    --SQLPROMPT for Database Vault
    SET SQLPROMPT "_user _privilege '@' _connect_identifier SQL> "

7 Installation Steps

7.1 Check current database configuration (initial check)

    orajan@testpurpose 72% cd ~/ora_dbvaultinstall/
    orajan@testpurpose 73% sqlplus "/as sysdba"

    SQL*Plus: Release 11.2.0.3.0 Production on Mon Aug 26 13:53:43 2013
    Copyright (c) 1982, 2011, Oracle. All rights reserved.

    Connected to:
    Oracle Database 11g Enterprise Edition Release 11.2.0.3.0-64bit Production
    With the Partitioning, OLAP, Data Mining and Real Application Testing options

    SYS AS SYSDBA @ JAN SQL> spool dv_config_check_1_begin.log
    SYS AS SYSDBA @ JAN SQL> @?/sap/ora_dbvault/dv_config_check.sql
    **********************************************************************
    FINISHED - Oracle Database Vault Configuration Check for SAP
    **********************************************************************
    PL/SQL procedure successfully completed.
    No errors.

7.2 Create tablespace for Database Vault Repository

    orajan@testpurpose 74% brspace -u // -c force -f tscreate -t SYSDBVAULT -size 200 -a yes -i 100 -m 10000 -o none

7.3 Create new database users and database roles

    orajan@testpurpose 75% sqlplus "/as sysdba"
    SYS AS SYSDBA @ JAN SQL> spool dv_user_create.log
    SYS AS SYSDBA @ JAN SQL> @?/sap/ora_dbvault/drop_dv_user_roles.sql
    SYS AS SYSDBA @ JAN SQL> @?/sap/ora_dbvault/create_dv_user_roles.sql
    _user _privilege '@' _connect_identifier SQL> spool off

7.4 Enable Database Options

Never enable DV without LBAC. Whenever you enable DV, LBAC must be enabled, too. Always enable LBAC before you enable DV. You can disable DV without disabling LBAC.

7.4.1 Enabling Database Vault and Label Security using chopt

    orajan@testpurpose 76% chopt enable lbac
    Writing to /oracle/jan/11203/install/enable_lbac.log...
    /usr/bin/make -f /oracle/jan/11203/rdbms/lib/ins_rdbms.mk lbac_on ORACLE_HOME=/oracle/JAN/11203
    /usr/bin/make -f /oracle/jan/11203/rdbms/lib/ins_rdbms.mk ioracle ORACLE_HOME=/oracle/JAN/11203

    orajan@testpurpose 77% chopt enable dv
    Writing to /oracle/jan/11203/install/enable_dv.log...
    /usr/bin/make -f /oracle/jan/11203/rdbms/lib/ins_rdbms.mk dv_on ORACLE_HOME=/oracle/JAN/11203
    /usr/bin/make -f /oracle/jan/11203/rdbms/lib/ins_rdbms.mk ioracle ORACLE_HOME=/oracle/JAN/11203

7.4.2 Checking the Status of the Oracle Database Vault Option

7.4.2.1 Connect to the instance and run the following query

    SYS AS SYSDBA @ JAN SQL> SELECT PARAMETER, VALUE FROM V$OPTION WHERE PARAMETER = 'Oracle Database Vault';

    PARAMETER
    ----------------------------------------------------------------
    VALUE
    ----------------------------------------------------------------
    Oracle Database Vault
    TRUE

7.4.2.2 Run the dv_status.sh script

    orajan@testpurpose 78% $ORACLE_HOME/sap/ora_dbvault/dv_status.sh
    Checking Status of Oracle Database Vault and Oracle Label Security in /oracle/jan/112_64
    Oracle Database Vault is enabled in /oracle/jan/112_64.
    Oracle Label Security is enabled in /oracle/jan/112_64.
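
The two checks in 7.4.2 can be combined into one gate that also enforces the rule from 7.4 (DV never without LBAC). This is an added example, not part of the SAP policy scripts: the function names are hypothetical, and only the "is enabled" wording shown above is matched, so any other dv_status.sh wording is treated as "not enabled" (assumption).

```shell
#!/bin/sh
# Added example, not part of the SAP policy scripts. Function names are hypothetical.

# Sample inputs copied from the output shown in 7.4.2 of this guide.
SAMPLE_STATUS='Checking Status of Oracle Database Vault and Oracle Label Security in /oracle/jan/112_64
Oracle Database Vault is enabled in /oracle/jan/112_64.
Oracle Label Security is enabled in /oracle/jan/112_64.'

SAMPLE_VOPTION='PARAMETER
----------------------------------------------------------------
VALUE
----------------------------------------------------------------
Oracle Database Vault
TRUE'

# Reads dv_status.sh output on stdin and prints one of:
#   DV+OLS   both options enabled in the Oracle home
#   OLS      Label Security only (allowed: DV may be disabled without LBAC)
#   NONE     neither "is enabled" line found (assumption: means not enabled)
#   INVALID  Database Vault enabled without Label Security
# Exit status is 1 for INVALID, 0 otherwise.
dv_option_state() {
    awk '
        /^Oracle Database Vault is enabled in / { dv = 1 }
        /^Oracle Label Security is enabled in / { ols = 1 }
        END {
            if (dv && ols) { print "DV+OLS";  exit 0 }
            if (dv)        { print "INVALID"; exit 1 }
            if (ols)       { print "OLS";     exit 0 }
            print "NONE"; exit 0
        }'
}

# Reads spooled output of the V$OPTION query on stdin and prints the value
# reported for "Oracle Database Vault" (TRUE or FALSE), or UNKNOWN.
# Handles the wrapped layout shown above and a single-line layout.
dv_voption_value() {
    awk '
        /^Oracle Database Vault[ \t]+(TRUE|FALSE)[ \t]*$/ { print $NF; found = 1; exit }
        seen && /^(TRUE|FALSE)[ \t]*$/                    { print $1;  found = 1; exit }
        /^Oracle Database Vault[ \t]*$/                   { seen = 1 }
        END { if (!found) print "UNKNOWN" }'
}

# Gate: $1 = dv_status.sh output text, $2 = V$OPTION spool text.
# Succeeds only when the Oracle home has DV and OLS enabled and the running
# instance reports the Database Vault option as TRUE.
dv_install_gate() {
    state=$(printf '%s\n' "$1" | dv_option_state) || {
        echo "FAIL: Database Vault is enabled without Label Security"
        return 1
    }
    value=$(printf '%s\n' "$2" | dv_voption_value)
    if [ "$state" = "DV+OLS" ] && [ "$value" = "TRUE" ]; then
        echo "OK: home=$state instance=$value"
    else
        echo "FAIL: home=$state instance=$value"
        return 1
    fi
}

dv_install_gate "$SAMPLE_STATUS" "$SAMPLE_VOPTION"
```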

7.5 Adding Database Components

    SYS AS SYSDBA @ JAN SQL> SET LINESIZE 200
    SYS AS SYSDBA @ JAN SQL> SET PAGESIZE 100
    SYS AS SYSDBA @ JAN SQL> COL COMP_NAME FORMAT A50
    SYS AS SYSDBA @ JAN SQL> select comp_id, comp_name, version, status from dba_registry;

    COMP_ID    COMP_NAME                             VERSION       STATUS
    ---------- ------------------------------------- ------------- ----------
    CATALOG    Oracle Database Catalog Views         11.2.0.3.0    VALID
    CATPROC    Oracle Database Packages and Types    11.2.0.3.0    VALID

7.5.1 Adding Database Option XML DB, Enterprise Manager Database Control (EM DBC), Oracle Label Security (OLS), Database Vault (DV)

For test environments: Installing Enterprise Manager Database Control is the recommended approach.

For production environments: Installing Enterprise Manager is only recommended if you don't have a central DV installation with EM Database Control with DVA. From an SAP system copy perspective, installing EM Database Control in every SAP database with Database Vault is not a good idea.

    orajan@testpurpose 80% lsnrctl start
    orajan@testpurpose 83% pwd
    /oracle/jan/11203/bin
    orajan@testpurpose 84% dbca

8 Configuration of Database Vault Policy for SAP

    orajan@testpurpose 73% sqlplus "/as sysdba"
    SYS AS SYSDBA @ JAN SQL> REM Configure Database Vault Policy for SAP
    SYS AS SYSDBA @ JAN SQL> connect secadmin/abcd_1234
    Connected.
    SECADMIN @ JAN SQL> spool dv_policy_create.log
    SECADMIN @ JAN SQL> @?/sap/ora_dbvault/dv_policy policy create
    SECADMIN @ JAN SQL> connect secacctmgr/abcd_1234
    Connected.
    SECACCTMGR @ JAN SQL> GRANT DV_ACCTMGR TO SAPCRED;
    Grant succeeded.
    SECACCTMGR @ JAN SQL> connect sapacctmgr/abcd_1234
    Connected.
    SAPACCTMGR @ JAN SQL> REVOKE SAPCRED FROM SYS;
    REVOKE SAPCRED FROM SYS
    *
    ERROR at line 1:
    ORA-01951: ROLE 'SAPCRED' not granted to 'SYS'
    SAPACCTMGR @ O11 SQL> spool off

9 Post-Installation Steps

9.1 Check database configuration (final check)

    orajan@testpurpose 77% sqlplus /nolog

    SQL*Plus: Release 11.2.0.3.0 Production on Tue Aug 27 10:40:52 2013
    Copyright (c) 1982, 2011, Oracle. All rights reserved.

    @ SQL> connect / as sysdba
    Connected.
    SYS AS SYSDBA @ JAN SQL> spool dv_config_check_2_end.log
    SYS AS SYSDBA @ JAN SQL> @?/sap/ora_dbvault/dv_config_check.sql
    SYS AS SYSDBA @ JAN SQL> select grantee from dba_role_privs where granted_role = 'SAPCRED';

    GRANTEE
    ------------------------------
    SAPACCTMGR

9.2 Configure Status Trigger

    SYS AS SYSDBA @ JAN SQL> conn / as sysdba
    Connected.
    SYS AS SYSDBA @ JAN SQL> @?/sap/ora_dbvault/create_dv_status_trigger.sql
    Trigger SAP_DV_CHECK_STATUS has been created.

    ALTER DATABASE OPEN
    <...>
    Database Vault option is enabled
    Database Vault component is VALID.
    Completed: ALTER DATABASE OPEN

    ALTER DATABASE OPEN
    <...>
    Database Vault option is disabled
    Completed: ALTER DATABASE OPEN

9.3 Configure Banners for Unauthorized Access and Auditing User Actions

    orajan@testpurpose 78% cd $ORACLE_HOME/network/admin/
    orajan@testpurpose 93% cat sqlnet.ora
    AUTOMATIC_IPC = ON
    TRACE_LEVEL_CLIENT = OFF
    SQLNET.EXPIRE_TIME = 5
    NAMES.DIRECTORY_PATH = (TNSNAMES)
    NAMES.DEFAULT_DOMAIN = WORLD
    SQLNET.INBOUND_CONNECT_TIMEOUT = 120
    SEC_USER_AUDIT_ACTION_BANNER=/oracle/JAN/11203/network/admin/auditactions.txt
    SEC_USER_UNAUTHORIZED_ACCESS_BANNER=/oracle/JAN/11203/network/admin/unauthaccess.txt

    orajan@testpurpose 84% cat auditactions.txt
    ***** WARNING *****
    This secured system is for the use of authorized users only. Unauthorized access is strictly prohibited! All activities on this system may be logged and monitored.
    ***** WARNING *****

    orajan@testpurpose 85% cat unauthaccess.txt
    ***** WARNING *****
    This secured system is for the use of authorized users only. Unauthorized access is strictly prohibited! All activities on this system may be logged and monitored.
    ***** WARNING *****

    SYS AS SYSDBA @ JAN SQL> startup
    ***** WARNING *****
    This secured system is for the use of authorized users only. Unauthorized access is strictly prohibited! All activities on this system may be logged and monitored.
    ***** WARNING *****
    ***** WARNING *****
    This secured system is for the use of authorized users only. Unauthorized access is strictly prohibited! All activities on this system may be logged and monitored.
    ***** WARNING *****
    ORACLE instance started.

    Total System Global Area  501059584 bytes
    Fixed Size                  2229744 bytes
    Variable Size             255855120 bytes
    Database Buffers          234881024 bytes
    Redo Buffers                8093696 bytes
    Database mounted.
    ***** WARNING *****
    This secured system is for the use of authorized users only. Unauthorized access is strictly prohibited! All activities on this system may be logged and monitored.
    ***** WARNING *****
    ***** WARNING *****
    This secured system is for the use of authorized users only. Unauthorized access is strictly prohibited! All activities on this system may be logged and monitored.
    ***** WARNING *****
    Database opened.

9.4 Test Connecting to Enterprise Manager Database Control and Database Vault Administrator web application (DVA)

    orajan@testpurpose 95% emctl stop dbconsole
    Oracle Enterprise Manager 11g Database Control Release 11.2.0.3.0
    Copyright (c) 1996, 2011 Oracle Corporation. All rights reserved.
    https://testpurpose.localdomain:1158/em/console/aboutapplication
    Stopping Oracle Enterprise Manager 11g Database Control......
    Stopped.

    orajan@testpurpose 96% emctl start dbconsole
    Oracle Enterprise Manager 11g Database Control Release 11.2.0.3.0
    Copyright (c) 1996, 2011 Oracle Corporation. All rights reserved.
    https://testpurpose.localdomain:1158/em/console/aboutapplication
    Starting Oracle Enterprise Manager 11g Database Control... started.
    ------------------------------------------------------------------
    Logs are generated in directory /oracle/jan/11203/testpurpose.localdomain_jan/sysman/log

    https://testpurpose.localdomain:1158/em

    orajan@testpurpose 97% emctl status dbconsole
    Oracle Enterprise Manager 11g Database Control Release 11.2.0.3.0
    Copyright (c) 1996, 2011 Oracle Corporation. All rights reserved.
    https://testpurpose.localdomain:1158/em/console/aboutapplication
    Oracle Enterprise Manager 11g is running.
    ------------------------------------------------------------------
    Logs are generated in directory /oracle/jan/11203/testpurpose.localdomain_jan/sysman/log

9.5 Configure DVA Session Timeout (optional step)

In the file $ORACLE_HOME/dv/jlib/dva_webapp/dva_webapp/WEB-INF/web.xml, search for <session-timeout>35</session-timeout> and modify this value. Save the file and restart Enterprise Manager Database Control.

    <session-config>
      <session-timeout>70</session-timeout>
    </session-config>

9.6 Expire passwords/set new passwords for newly created database users

    SECACCTMGR @ JAN SQL>
    ALTER USER BRTDBA PASSWORD EXPIRE;
    ALTER USER SECADMIN PASSWORD EXPIRE;
    ALTER USER SECACCTMGR PASSWORD EXPIRE;
    ALTER USER SAPACCTMGR PASSWORD EXPIRE;
    quit

    orajan@testpurpose 110% sqlplus brtdba

    SQL*Plus: Release 11.2.0.3.0 Production on Tue Aug 27 11:06:11 2013
    Copyright (c) 1982, 2011, Oracle. All rights reserved.

    Enter password:
    ***** WARNING *****
    This secured system is for the use of authorized users only. Unauthorized access is strictly prohibited! All activities on this system may be logged and monitored.
    ***** WARNING *****
    ERROR:
    ORA-28001: the password has expired

    Changing password for brtdba
    New password:
    Retype new password:
    Password changed
    Error accessing PRODUCT_USER_PROFILE
    Warning: Product user profile information not loaded!
    You may need to run PUPBLD.SQL as SYSTEM

    Connected to:
    Oracle Database 11g Enterprise Edition Release 11.2.0.3.0-64bit Production
    With the Partitioning, Oracle Label Security, OLAP, Data Mining, Oracle Database Vault and Real Application Testing options

    BRTDBA @ JAN SQL>

Repeat the same steps for the secadmin, secacctmgr and sapacctmgr users!

    orajan@testpurpose 112% sqlplus secadmin
    orajan@testpurpose 113% sqlplus secacctmgr
    orajan@testpurpose 114% sqlplus sapacctmgr

9.7 Create Database Vault Monitoring User (Optional)

    orajan@testpurpose 115% cd $ORACLE_HOME/sap/ora_dbvault/
    orajan@testpurpose 116% sqlplus / as sysdba
    SYS AS SYSDBA @ JAN SQL> @tpl_create_user_secanalyst.sql
    ***** WARNING *****
    This secured system is for the use of authorized users only. Unauthorized access is strictly prohibited! All activities on this system may be logged and monitored.
    ***** WARNING *****
    ***** WARNING *****
    This secured system is for the use of authorized users only. Unauthorized access is strictly prohibited! All activities on this system may be logged and monitored.
    ***** WARNING *****
    Connected.
    Enter name for DV Security Analyst Account to be created [SECANALYST]:
    Connecting as security account manager SECACCTMGR to create account
    Enter password:
    ***** WARNING *****
    This secured system is for the use of authorized users only. Unauthorized access is strictly prohibited! All activities on this system may be logged and monitored.
    ***** WARNING *****
    ***** WARNING *****
    This secured system is for the use of authorized users only. Unauthorized access is strictly prohibited! All activities on this system may be logged and monitored.
    ***** WARNING *****
    Error accessing PRODUCT_USER_PROFILE
    Warning: Product user profile information not loaded!
    You may need to run PUPBLD.SQL as SYSTEM
    Connected.
    Creating a new Database Vault Security Administrator Account
    User name: SECANALYST
    Password : abcd_1234
    CREATE USER SECANALYST IDENTIFIED BY "abcd_1234"
    User created.
    GRANT CONNECT TO SECANALYST
    Role granted.
    PL/SQL procedure successfully completed.
    Connecting as security administrator SECADMIN to grant roles
    Enter password:
    ***** WARNING *****
    This secured system is for the use of authorized users only. Unauthorized access is strictly prohibited! All activities on this system may be logged and monitored.
    ***** WARNING *****
    ***** WARNING *****
    This secured system is for the use of authorized users only. Unauthorized access is strictly prohibited! All activities on this system may be logged and monitored.
    ***** WARNING *****
    Error accessing PRODUCT_USER_PROFILE
    Warning: Product user profile information not loaded!
    You may need to run PUPBLD.SQL as SYSTEM
    Connected.
    GRANT DV_SECANALYST TO SECANALYST
    Role granted.
    PL/SQL procedure successfully completed.
    First connect with the new database user
    ***** WARNING *****
    This secured system is for the use of authorized users only. Unauthorized access is strictly prohibited! All activities on this system may be logged and monitored.
    ***** WARNING *****
    ***** WARNING *****
    This secured system is for the use of authorized users only. Unauthorized access is strictly prohibited! All activities on this system may be logged and monitored.
    ***** WARNING *****
    Error accessing PRODUCT_USER_PROFILE
    Warning: Product user profile information not loaded!
    You may need to run PUPBLD.SQL as SYSTEM
    Connected.

    USER
    ------------------------------
    SECANALYST

    ROLE
    ------------------------------
    DV_PUBLIC
    CONNECT
    DV_SECANALYST

    PRIVILEGE
    ----------------------------------------
    CREATE SESSION

    Disconnected from Oracle Database 11g Enterprise Edition Release 11.2.0.3.0-64bit Production
    With the Partitioning, Oracle Label Security, OLAP, Data Mining, Oracle Database Vault and Real Application Testing options

10 Testing

10.1 Verifying Database Vault Status

10.1.1 Check V$OPTION

    SYS AS SYSDBA @ JAN SQL> select parameter, value from v$option where parameter = 'Oracle Database Vault';

    PARAMETER
    ----------------------------------------------------------------
    VALUE
    ----------------------------------------------------------------
    Oracle Database Vault
    TRUE

10.1.2 Check Alert Log

    Starting up:
    Oracle Database 11g Enterprise Edition Release 11.2.0.3.0-64bit Production
    With the Partitioning, Oracle Label Security, OLAP, Data Mining,
    ORACLE_HOME = /oracle/jan/112_64
    System name: Linux
    Node name: testpurpose.localdomain
    Release: 2.6.39-200.24.1.el6uek.x86_64
    Version: 1 SMP Sat Jun 23 02:39:07 EDT 2012
    Machine: x86_64

10.1.3 Check existence of DVSYS schema

    SYS AS SYSDBA @ JAN SQL> select username from dba_users where username = 'DVSYS';

    USERNAME
    ------------------------------
    DVSYS

10.1.4 Get instance information with BRSPACE

    orajan@testpurpose 80% brspace -f dbshow -c dbstate
    BR1001I BRSPACE 7.20 (33)
    BR1002I Start of BRSPACE processing: selypirv.dbw 2013-08-27 11.19.35

    Information about the status of database instance JAN

     1 - Instance number (number)............ 1
     2 - Instance thread (thread)............ 1
     3 - Instance status (status)............ OPEN
     4 - Instance start time (start)......... 2013-08-27 10.52.07
     5 - Oracle version (version)............ 11.2.0.3.0
     6 - Database creation time (create)..... 2013-06-12 12.50.05
     7 - Last resetlogs time (resetlogs)..... 2013-06-12 12.50.05
     8 - Archivelog mode (archmode).......... NOARCHIVELOG
     9 - Archiver status (archiver).......... STOPPED
    10 - Current redolog sequence (redoseq).. 54
    11 - Current redolog SCN (redoscn)....... 912631
    12 - Flashback status (flashback)........ OFF
    13 - Block change tracking (tracking).... OFF
    14 - Data encryption (encryption)........ OFF
    15 - Database vault (dbvault)............ ON
    16 - Number of SAP connections (sapcon).. 0

10.2 Testing Database Vault Protection

10.2.1 Connect as SAPSR3 user

    SYS AS SYSDBA @ JAN SQL> connect SAPSR3/test1234
    ***** WARNING *****
    This secured system is for the use of authorized users only. Unauthorized access is strictly prohibited! All activities on this system may be logged and monitored.
    ***** WARNING *****
    ERROR:
    ORA-47400: Command Rule violation for CONNECT on LOGON
    Warning: You are no longer connected to ORACLE.

OR

    ERROR:
    ORA-47306: 20001: Connection denied. SAP security violation.
    Warning: You are no longer connected to ORACLE.

10.2.2 Try to create SAP table

    SYS AS SYSDBA @ JAN SQL> connect system/manager;
    SYSTEM @ JAN SQL> create table SAPSR3.TESTDV (a1 varchar(1));
    create table SAPSR3.TESTDV (a1 varchar(1))
    *
    ERROR at line 1:
    ORA-47401: Realm violation for CREATE TABLE on SAPSR3.TESTDV

10.2.3 Try to manage database users as SYSDBA

    SYSTEM @ JAN SQL> connect / as sysdba
    SYS AS SYSDBA @ JAN SQL> create user TESTDV identified by test1234;
    create user TESTDV identified by test1234
    *
    ERROR at line 1:
    ORA-01031: insufficient privileges
    SYS AS SYSDBA @ JAN SQL> alter user SAPSR3 identified by test1234;
    alter user SAPSR3 identified by test1234
    *
    ERROR at line 1:
    ORA-01031: insufficient privileges
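
The negative tests in 10.2 only prove something if every statement was actually refused with the expected error. The following added example (not part of the SAP policy scripts or BR*Tools) reads a spooled SQL*Plus log and reports, per test, whether the denial from 10.2.1 to 10.2.3 appeared; the function name is hypothetical and the sample log is constructed from the output shown above.

```shell
#!/bin/sh
# Added example, not part of the SAP policy scripts. dv_check_denials is a
# hypothetical name. The sample log is constructed from section 10.2.
SAMPLE_LOG='SYS AS SYSDBA @ JAN SQL> connect SAPSR3/test1234
ERROR:
ORA-47400: Command Rule violation for CONNECT on LOGON
Warning: You are no longer connected to ORACLE.
@ SQL> connect system/manager;
SYSTEM @ JAN SQL> create table SAPSR3.TESTDV (a1 varchar(1));
create table SAPSR3.TESTDV (a1 varchar(1))
*
ERROR at line 1:
ORA-47401: Realm violation for CREATE TABLE on SAPSR3.TESTDV
SYSTEM @ JAN SQL> connect / as sysdba
SYS AS SYSDBA @ JAN SQL> create user TESTDV identified by test1234;
create user TESTDV identified by test1234
*
ERROR at line 1:
ORA-01031: insufficient privileges
SYS AS SYSDBA @ JAN SQL> alter user SAPSR3 identified by test1234;
alter user SAPSR3 identified by test1234
*
ERROR at line 1:
ORA-01031: insufficient privileges'

# Reads a SQL*Plus spool on stdin. Each prompt line ("... SQL> <statement>")
# starts a step; the output up to the next prompt must contain one of the
# ORA codes this guide lists for that statement. Prints PASS/FAIL/MISSING per
# test (labels only, so passwords typed on connect lines are not echoed) and
# exits 1 if a statement was not blocked or a test is absent from the log.
dv_check_denials() {
    awk '
        function expect(cmd,    c) {
            c = tolower(cmd)
            if (c ~ /^connect sapsr3\//)      { label = "connect as SAPSR3";      want = "ORA-47400 ORA-47306"; return 1 }
            if (c ~ /^create table sapsr3\./) { label = "create table in SAPSR3"; want = "ORA-47401"; return 1 }
            if (c ~ /^create user /)          { label = "create user as SYSDBA";  want = "ORA-01031"; return 1 }
            if (c ~ /^alter user sapsr3 /)    { label = "alter user SAPSR3";      want = "ORA-01031"; return 1 }
            return 0
        }
        function close_step() {
            if (!active) return
            seen[label] = 1
            if (hit != "") printf "PASS  %s (%s)\n", label, hit
            else { printf "FAIL  %s (expected %s)\n", label, want; bad = 1 }
            active = 0
        }
        match($0, /(^| )SQL> /) {
            close_step()
            hit = ""
            active = expect(substr($0, RSTART + RLENGTH))
            next
        }
        active && hit == "" && match($0, /ORA-[0-9]+/) {
            code = substr($0, RSTART, RLENGTH)
            if (index(" " want " ", " " code " ")) hit = code
        }
        END {
            close_step()
            n = split("connect as SAPSR3|create table in SAPSR3|create user as SYSDBA|alter user SAPSR3", all, "|")
            for (i = 1; i <= n; i++)
                if (!(all[i] in seen)) { printf "MISSING  %s\n", all[i]; bad = 1 }
            exit (bad ? 1 : 0)
        }'
}

printf '%s\n' "$SAMPLE_LOG" | dv_check_denials
```

Run it against the spool file of a real test session, for example `dv_check_denials < dv_test.log`, where the file name is a placeholder.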

10.3 Test with BRSPACE

10.3.1 Tablespace Management: creating a tablespace

    orajan@testpurpose 118% brspace -f tscreate -c data -f sapdata1 -t psaptestdv

10.3.2 Tablespace Management: dropping a tablespace

    orajan@testpurpose 120% brspace -f tsdrop -t psaptestdv

10.3.3 Tablespace Management

e.g.:

    orajan@testpurpose 120% brspace -u / -f [tscreate | tsalter | tsdrop | tsextend]

10.4 Test with BRCONNECT

10.4.1 Collect table statistics

    orajan@testpurpose 121% brconnect -u // -c -f stats -t "DBA*" -f collect

10.4.2 Update SAP table statistics for owner SAPSR3DB (Java-Stack)

    orajan@testpurpose 121% brconnect -u // -c -f stats -o SAPSR3DB -t all

10.4.3 Gather dictionary stats

    orajan@testpurpose 122% brconnect -u // -c -f stats -t oradict_stats

10.5 Test with BRBACKUP/BRARCHIVE

10.5.1 Database Backup: Tablespace backup

    orajan@testpurpose 123% brbackup -u // -c -t offline -m sysdbvault -d disk -k yes

10.5.2 Backup of Archive Logs

    orajan@testpurpose 124% brarchive -u // -c -p initqo1.sap -save -d disk -n 2 -k yes -l E
    orajan@testpurpose 125% brarchive -u system -c -p initqo1.sap -save -d disk -n 2 -k yes -l E

10.6 Test with expdp

    SECADMIN SQL> @dv_policy export enable
    SECADMIN SQL> @dv_policy export status

    orajan@testpurpose 126% brspace -u brtdba -f tbexport -l expdp -t T100 -NDC

    SECADMIN SQL> @dv_policy export disable
    SECADMIN SQL> @dv_policy export status

10.7 Testing database software administration

10.7.1 Grant database patching privileges to SYS

    orajan@testpurpose 127% cd <ORACLE_HOME>/sap/ora_dbvault
    orajan@testpurpose 128% sqlplus secadmin
    SECADMIN SQL> @dv_policy patch enable

a) DV_PATCH_ADMIN role is granted to SYS.
b) GRANT command rule is disabled.

10.7.2 To verify that SYS is now enabled for patching the database, run the following script

    SQL> @dv_config_check.sql
    ...
    *******************************************************
    Patch Status
    *******************************************************
    Current Patch Status : ENABLED
    Enabled for patching the database are the following database users:
    SYS
    ...

10.7.3 Install the patch

10.7.4 Revoke database patching privileges from SYS

    orajan@testpurpose 129% cd <ORACLE_HOME>/sap/ora_dbvault
    orajan@testpurpose 130% sqlplus secadmin
    SECADMIN SQL> @dv_policy patch disable

a) DV_PATCH_ADMIN role is revoked from SYS.
b) GRANT command rule is enabled again.