How to Enable Oracle Label Security and Oracle Database Vault in 12.2 database
Note: The steps below were performed in a test database for educational purposes. The author (Hayat Mohammad Khan) accepts no responsibility if they do not perform as expected.
Assumption: Oracle 12.2.0.1, Container Database with one pluggable database.
Please perform the following steps:
Step (1)
Register and enable Oracle Label Security. Connect as SYS (AS SYSDBA) in the CDB root; the first query returns FALSE until the option has been registered and the database restarted.
SELECT VALUE FROM V$OPTION WHERE PARAMETER = 'Oracle Label Security';
EXEC LBACSYS.CONFIGURE_OLS;              -- registers Oracle Label Security
EXEC LBACSYS.OLS_ENFORCEMENT.ENABLE_OLS; -- enables it (takes effect after the restart in Step 8)
Step (2)
Verify whether Database Vault is enabled (FALSE at this point):
SQL>select value from v$option where parameter like '%Vault%';
VALUE
----------------------------------------------------------------
FALSE
Step (3)
Create the two common users that will hold the Database Vault owner (DV_OWNER) and account manager (DV_ACCTMGR) roles, then register Database Vault with them (still connected as SYS in the CDB root):
SQL> create user c##dbowner1 identified by PAkistan123## CONTAINER = ALL;
SQL> grant create session, set container to c##dbowner1 CONTAINER = ALL;
SQL> create user c##dbmanager1 identified by PAkistan123## CONTAINER = ALL;
SQL> grant create session, set container to c##dbmanager1 CONTAINER = ALL;
SQL> grant dv_owner to c##dbowner1 with admin option container=all;
SQL> grant dv_acctmgr to c##dbmanager1 with admin option container=all;
SQL> BEGIN
DVSYS.CONFIGURE_DV (
dvowner_uname => 'c##dbowner1',
dvacctmgr_uname => 'c##dbmanager1');
END;
/
PL/SQL procedure successfully completed.
Step (4)
Recompile invalid objects (still as SYS in the root):
@?/rdbms/admin/utlrp.sql
Step (5)
Enable Database Vault as the DV owner (in the root):
SQL> connect c##dbowner1/PAkistan123##
SQL> EXEC DBMS_MACADM.ENABLE_DV;
PL/SQL procedure successfully completed.
Verify. Oracle's procedure restarts the CDB after ENABLE_DV before checking; Step 8 does that, so rerun these queries afterwards if V$OPTION still shows FALSE:
SELECT PARAMETER, VALUE FROM V$OPTION WHERE PARAMETER IN ('Oracle Database Vault', 'Oracle Label Security');
PARAMETER                 VALUE
------------------------- -----
Oracle Label Security     TRUE
Oracle Database Vault     TRUE
The DV_CONFIGURE_STATUS and DV_ENABLE_STATUS rows below come from the DBA_DV_STATUS view:
NAME                 STATUS
-------------------- -----------
DV_CONFIGURE_STATUS  TRUE
DV_ENABLE_STATUS     TRUE
Step (6)
SQL> CONNECT / AS SYSDBA
Connected.
-- DBA_PDBS (or SHOW PDBS) lists all PDBs
SQL> show pdbs
CON_ID CON_NAME OPEN MODE RESTRICTED
---------- ------------------------------ ---------- ----------
2 PDB$SEED READ ONLY NO
3 BILL_PDB1 READ WRITE NO
SQL> ALTER PLUGGABLE DATABASE BILL_PDB1 CLOSE IMMEDIATE;
Pluggable database altered.
SQL> ALTER PLUGGABLE DATABASE BILL_PDB1 OPEN;
Pluggable database altered.
Step (7)
Add a tnsnames.ora entry for the PDB service and confirm that the common DV owner can connect to the PDB:
BILL_PDB1 =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = hostname)(PORT = 1521))
(CONNECT_DATA =
(SERVER = DEDICATED)
(SERVICE_NAME = bill_pdb1)
)
)
SQL> conn c##dbowner1/PAkistan123##@BILL_PDB1
Connected.
Step (8)
Restart the CDB. The PDB comes back MOUNTED (no saved state), so open it again:
SQL> shutdown immediate;
SQL> startup;
SQL> show pdbs
CON_ID CON_NAME OPEN MODE RESTRICTED
---------- ------------------------------ ---------- ----------
2 PDB$SEED READ ONLY NO
3 BILL_PDB1 MOUNTED
SQL> alter pluggable database BILL_PDB1 open;
Pluggable database altered.
Step (9)
Repeat the Database Vault registration inside the PDB with the same two common users. (Oracle's documented PDB procedure also runs utlrp.sql in the PDB after CONFIGURE_DV, as in Step 4.)
--Log on as SYS in the PDB (passing the password on the command line exposes it in the process list; in practice omit it and type it at the prompt)
sqlplus sys/PAkistan123##@BILL_PDB1 as sysdba
BEGIN
DVSYS.CONFIGURE_DV (
dvowner_uname => 'c##dbowner1',
dvacctmgr_uname => 'c##dbmanager1');
END;
/
PL/SQL procedure successfully completed.
--Logon as c##dbowner1 in PDB
SQL> CONN c##dbowner1/PAkistan123##@BILL_PDB1
SQL> EXEC DBMS_MACADM.ENABLE_DV;
PL/SQL procedure successfully completed.
SQL> shutdown immediate;   -- the session is connected to the PDB, so this closes only BILL_PDB1
Pluggable Database closed.
SQL> startup
Pluggable Database opened.
SQL> SELECT VALUE FROM V$OPTION WHERE PARAMETER = 'Oracle Database Vault';
VALUE
----------------------------------------------------------------
TRUE
Step (10)
Now check whether SYS can still create users. With Database Vault enabled it cannot; user management is reserved for the DV_ACCTMGR role:
--Try to create a user as SYS; it is blocked whether SYS connects to the PDB or to the root.
conn sys/PAkistan123##@BILL_PDB1 as sysdba
$ sqlplus / as sysdba
SQL> create user C##TESTUSER identified by ORacle123## container=all;
create user C##TESTUSER identified by ORacle123## container=all
*
ERROR at line 1:
ORA-01031: insufficient privileges
-----try with the Database Vault account manager
conn c##dbmanager1/PAkistan123##@BILL_PDB1
SQL> create user usr1 identified by ORacle123##;
User created.
Summary: Once Database Vault is enabled, only the account manager (DV_ACCTMGR role) can create users and grant them CREATE SESSION (or the CONNECT role); SYSDBA can grant other system privileges as before.
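The verification script below is an added example, not part of the original post or of the cookbook it credits. It assumes the container name BILL_PDB1 and the two common users created in Step 3, is run from SQL*Plus as SYS in CDB$ROOT after Step 9, and checks both containers: the option flags, DBA_DV_STATUS, who holds DV_OWNER and DV_ACCTMGR (it should be exactly the two common users), and finally a negative probe in the PDB that expects SYS to be refused with ORA-01031, the error Step 10 shows. The probe user name dv_probe_user and its password are made up for the example.

```sql
-- Added example: post-registration checks for Database Vault / Label Security.
-- Run as SYS (AS SYSDBA) connected to CDB$ROOT. Container name BILL_PDB1 and the
-- probe user name/password are assumptions for this example.
SET SERVEROUTPUT ON
SET LINESIZE 120

-- 1. Option flags in the root (both should read TRUE after the restart in Step 8)
SELECT parameter, value
  FROM v$option
 WHERE parameter IN ('Oracle Database Vault', 'Oracle Label Security');

-- 2. Database Vault configure/enable status in the root
SELECT name, status FROM dba_dv_status;

-- 3. Holders of the two Database Vault administrative roles.
--    Anything beyond c##dbowner1 / c##dbmanager1 here is a finding to investigate.
SELECT grantee, granted_role, admin_option, common
  FROM dba_role_privs
 WHERE granted_role IN ('DV_OWNER', 'DV_ACCTMGR')
 ORDER BY granted_role, grantee;

-- 4. Repeat the status checks inside the PDB
ALTER SESSION SET CONTAINER = BILL_PDB1;
SELECT sys_context('USERENV', 'CON_NAME') AS con_name FROM dual;
SELECT parameter, value FROM v$option WHERE parameter = 'Oracle Database Vault';
SELECT name, status FROM dba_dv_status;

-- 5. Separation-of-duties probe: SYS must NOT be able to create a user once
--    Database Vault is enforcing. ORA-01031 is the expected (PASS) outcome.
DECLARE
  e_insufficient_privs EXCEPTION;
  PRAGMA EXCEPTION_INIT(e_insufficient_privs, -1031);
  l_created BOOLEAN := FALSE;
BEGIN
  BEGIN
    EXECUTE IMMEDIATE 'CREATE USER dv_probe_user IDENTIFIED BY "Probe_Only_123##"';
    l_created := TRUE;
  EXCEPTION
    WHEN e_insufficient_privs THEN
      DBMS_OUTPUT.PUT_LINE('PASS: SYS blocked with ORA-01031 as expected');
  END;
  IF l_created THEN
    -- Reaching this branch means account management is not being enforced here.
    DBMS_OUTPUT.PUT_LINE('FAIL: SYS could create a user; Database Vault is not enforcing');
    EXECUTE IMMEDIATE 'DROP USER dv_probe_user';
  END IF;
END;
/
ALTER SESSION SET CONTAINER = CDB$ROOT;
```

The probe is a one-off check, not something to leave in a scheduled job: it deliberately tries to create an account, and the cleanup branch only runs if the control has failed. The same probe repeated while connected as c##dbowner1 should also fail, since the DV owner is not an account manager; only c##dbmanager1 is expected to succeed, as in Step 10.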
Disable Database Vault:
SQL> conn c##dbowner1/PAkistan123##
Connected.
SQL> exec DVSYS.DBMS_MACADM.DISABLE_DV;
PL/SQL procedure successfully completed.
--- Restart the DB, drop the two Database Vault accounts (as SYS, which is allowed again now that DV is disabled), and verify:
conn / as sysdba
shut immediate;
startup;
drop user c##dbowner1 cascade;
drop user c##dbmanager1 cascade;
select * from v$option where parameter like '%Vault%';
Note: After each enable/disable step, stop and start the database before checking the status.
Hint: the DBMS_MACADM package name stands for Mandatory Access Control (MAC) Administration.
Check Part 2 REALM Creation: https://hayatkhan75.blogspot.com/2022/08/oracle-database-vault-in-12201-part-2.html
Credit Goes to:
Book:
Pavlovic, Z. (2016). Oracle Database 12C security cookbook. Packt Publishing Limited.
URL:
https://docs.oracle.com/database/121/DVADM/getting_started.htm#DVADM002