详说Oracle Vault——Vault卸载
Oracle Vault是安全三个技术策略的重要组成部分。相对于其他两种,Label Security和VPD(Virtual Private Database),Oracle Vault更加体现运维体系管理建设和安全规则配置。安装配置Vault之后,Oracle原有的sys超级用户安全角色被剥离,数据、操作和资源以规则的方式进行安全限制。应该说,使用Vault之后,才能真正实现对于数据管理员行为的管制。
本篇主要介绍如何对Vault进行卸载操作,依据的版本是11gR2。注意:Oracle Vault不同版本下进行卸载的方法有一定差异,特别是在relink的过程。
1、卸载前准备
Oracle Vault在数据库中涉及几个部分:dva组件以Web App的方式绑定在OEM中、内部的dbowner和manager管理对象和角色权限调整。在正式的卸载操作之前,我们需要将数据库和各种组件进行关闭。
数据库完全关闭。
SQL> conn / as sysdba
Connected.
SQL> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.
监听程序关闭。
[oracle@SimpleLinux ~]$ lsnrctl stop
LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 28-APR-2014 13:56:27
Copyright (c) 1991, 2013, Oracle. All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=SimpleLinux)(PORT=1521)))
The command completed successfully
DB Console Web应用关闭。
[oracle@SimpleLinux ~]$ emctl stop dbconsole
Oracle Enterprise Manager 11g Database Control Release 11.2.0.4.0
Copyright (c) 1996, 2013 Oracle Corporation. All rights reserved.
https://SimpleLinux:1158/em/console/aboutApplication
Stopping Oracle Enterprise Manager 11g Database Control ...
... Stopped.
[oracle@SimpleLinux ~]$ emctl status dbconsole
Oracle Enterprise Manager 11g Database Control Release 11.2.0.4.0
Copyright (c) 1996, 2013 Oracle Corporation. All rights reserved.
https://SimpleLinux:1158/em/console/aboutApplication
Oracle Enterprise Manager 11g is not running.
2、Disable Vault
Vault是一个默认情况下未激活的组件。我们进行安装Vault的过程,实际上就是将其重新打包如Oracle执行程序。进行卸载的过程,也需要重新relink Oracle应用程序。
首先进行Disable过程。
[oracle@SimpleLinux ~]$ cd $ORACLE_HOME/rdbms/lib
[oracle@SimpleLinux lib]$ make -f ins_rdbms.mk dv_off ioracle
/usr/bin/ar d /u01/app/oracle/rdbms/lib/libknlopt.a kzvidv.o
/usr/bin/ar cr /u01/app/oracle/rdbms/lib/libknlopt.a /u01/app/oracle/rdbms/lib/kzvndv.o
chmod 755 /u01/app/oracle/bin
(篇幅原因,有省略……)
- Linking Oracle
rm -f /u01/app/oracle/rdbms/lib/oracle
gcc -o /u01/app/oracle/rdbms/lib/oracle -m32 -z noexecstack -L/u01/app/oracle/rdbms/lib/ -L/u01/app/oracle/lib/ -L/u01/app/oracle/lib/stubs/ -L/u01/app/oracle/lib/ -lirc
mv /u01/app/oracle/rdbms/lib/oracle /u01/app/oracle/bin/oracle
chmod 6751 /u01/app/oracle/bin/oracle
注意:如果是在11gR2中,可以选择chopt方式进行dv的卸载。
[oracle@SimpleLinux lib]$ chopt disable dv
Writing to /u01/app/oracle/install/disable_dv.log...
/usr/bin/make -f /u01/app/oracle/rdbms/lib/ins_rdbms.mk dv_off ORACLE_HOME=/u01/app/oracle
/usr/bin/make -f /u01/app/oracle/rdbms/lib/ins_rdbms.mk ioracle ORACLE_HOME=/u01/app/oracle
启动监听器,此时Oracle通常已经自动启动。
[oracle@SimpleLinux lib]$ lsnrctl start
LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 28-APR-2014 14:04:34
Copyright (c) 1991, 2013, Oracle. All rights reserved.
(篇幅原因,有省略……)
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521)))
The listener supports no services
The command completed successfully
[oracle@SimpleLinux lib]$ sqlplus /nolog
SQL*Plus: Release 11.2.0.4.0 Production on Mon Apr 28 14:04:41 2014
Copyright (c) 1982, 2013, Oracle. All rights reserved.
SQL> conn / as sysdba
Connected.
SQL> startup
ORA-01081: cannot start already-running ORACLE - shut it down first