Why Oracle Database Vault?
In a traditional Oracle database, users with powerful privileges such as SYS or DBA can access sensitive application data. While these privileges are required for database administration, they can also pose security and compliance risks.
Oracle Database Vault addresses this by enforcing separation of duties and restricting access to sensitive data, even for privileged users.
Common use cases include:
- Protecting HR employee records
- Securing Finance and payroll data
- Meeting compliance requirements such as SOX, PCI-DSS, and HIPAA
- Restricting privileged users from accessing application data
Step 1. Verify Current Database Vault and Oracle Label Security Status
Start the database.
SQL> STARTUP
ORACLE instance started.
Total System Global Area 1560278096 bytes
Fixed Size 9135184 bytes
Variable Size 385875968 bytes
Database Buffers 1157627904 bytes
Redo Buffers 7639040 bytes
Database mounted.
Database opened.
Connect to the CDB root.
SQL> SHOW CON_NAME
CON_NAME
CDB$ROOT
Verify whether Database Vault is enabled.
SQL> SELECT value FROM v$option WHERE parameter = ‘Oracle Database Vault’;
VALUE—–
FALSE
Verify whether Oracle Label Security is enabled.
SQL> SELECT value FROM v$option WHERE parameter = ‘Oracle Label Security’;
VALUE—–FALSE
Step 2. Check Database Vault and Oracle Label Security Status Views
Check the Database Vault status.
SQL> SELECT * FROM SYS.DBA_DV_STATUS;
NAME STATUS
———————- —————–
DV_APP_PROTECTION NOT CONFIGURED
DV_CONFIGURE_STATUS FALSE
DV_ENABLE_STATUS FALSE
Check the Oracle Label Security status.
SQL> SELECT * FROM DBA_OLS_STATUS;
NAME STATUS DESCRIPTION
———————– —— ——————————————–
OLS_CONFIGURE_STATUS FALSE Determines if OLS is configured
OLS_DIRECTORY_STATUS FALSE Determines if OID is enabled with OLS
OLS_ENABLE_STATUS FALSE Determines if OLS is enabled
Step 3. Create the Required Database Vault Administrative Users
Database Vault requires two administrative users:
- Database Vault Owner (DV Owner)
- Database Vault Account Manager (DV Account Manager)
Create the Database Vault Owner.
SQL> CREATE USER C##DBV_OWNER_ROOT
IDENTIFIED BY manager1
CONTAINER = ALL;
User created.
SQL> GRANT CREATE SESSION TO C##DBV_OWNER_ROOT
CONTAINER = ALL;
Grant succeeded.
SQL> GRANT SET CONTAINER
TO C##DBV_OWNER_ROOT;
Grant succeeded.
Create the Database Vault Account Manager.
SQL> CREATE USER C##DBV_ACCTMGR_ROOT
IDENTIFIED BY manager1
CONTAINER = ALL;
User created.
SQL> GRANT CREATE SESSION TO C##DBV_ACCTMGR_ROOT
CONTAINER = ALL;
Grant succeeded.
SQL> GRANT SET CONTAINER
TO C##DBV_ACCTMGR_ROOT;
Grant succeeded.
Database Vault Administrative Roles
Oracle Database Vault uses two administrative accounts:
- Database Vault Owner (DV Owner)– Manages Database Vault configuration, realms, command rules, and security policies.
- Database Vault Account Manager (DV Account Manager)– Manages database user accounts, passwords, and account administration without requiring SYS privileges.
This separation helps reduce security risks by ensuring that no single administrator has unrestricted control over both database management and security policies.
Step 4. Configure Database Vault
From the CDB root, execute the CONFIGURE_DV procedure to register the Database Vault Owner and Database Vault Account Manager.
SQL> BEGIN CONFIGURE_DV(
dvowner_uname => ‘C##DBV_OWNER_ROOT’,
dvacctmgr_uname => ‘C##DBV_ACCTMGR_ROOT’,
force_local_dvowner => TRUE );
END;
/
PL/SQL procedure successfully completed.
Step 5. Recompile Invalid Objects
After configuring Database Vault, recompile any invalid database objects.
SQL> @?/rdbms/admin/utlrp.sql
Step 6. Enable Database Vault
Important: The ENABLE_DV procedure must be executed by the Database Vault Owner account, not by SYS.
Connect as the Database Vault Owner.
SQL> CONNECT C##DBV_OWNER_ROOT/manager1;
Connected.
SQL> SHOW USER
USER is “C##DBV_OWNER_ROOT”
Enable Database Vault.
SQL> EXEC DBMS_MACADM.ENABLE_DV;
PL/SQL procedure successfully completed.
Note:
- Execute DBMS_MACADM.ENABLE_DV only as the Database Vault Owner.
- Running this procedure as SYS is not supported.
Step 7. Restart the Database
Reconnect as SYSDBA.
SQL> CONNECT / AS SYSDBA;
Connected.
Shut down the database.
SQL> SHUT IMMEDIATE;
Database closed.
Database dismounted.
ORACLE instance shut down.
Start the database.
SQL> STARTUP
ORACLE instance started.
Total System Global Area 1560278096 bytes
Fixed Size 9135184 bytes
Variable Size 402653184 bytes
Database Buffers 1140850688 bytes
Redo Buffers 7639040 bytes
Database mounted.
Database opened.
Step 8. Verify Database Vault and Oracle Label Security
Verify that you are connected to the CDB root.
SQL> SHOW CON_NAME
CON_NAME
CDB$ROOT
Check the Database Vault status.
SQL> SELECT * FROM SYS.DBA_DV_STATUS;
NAME STATUS
———————- —————–
DV_APP_PROTECTION NOT CONFIGURED
DV_CONFIGURE_STATUS TRUEDV_ENABLE_STATUS TRUE
Check the Oracle Label Security status.
SQL> SELECT * FROM DBA_OLS_STATUS;
NAME STATUS DESCRIPTION
———————– —— ——————————————–
OLS_CONFIGURE_STATUS TRUE Determines if OLS is configured
OLS_DIRECTORY_STATUS FALSE Determines if OID is enabled with OLS
OLS_ENABLE_STATUS TRUE Determines if OLS is enabled
Verify that the Database Vault option is enabled.
SQL> SELECT VALUE FROM V$OPTION WHERE PARAMETER = ‘Oracle Database Vault’;
VALUE—–
TRUE
Verify that Oracle Label Security is enabled.
SQL> SELECT VALUE FROM V$OPTION WHERE PARAMETER = ‘Oracle Label Security’;
VALUE—–TRUE
Post-Implementation Validation
After enabling Database Vault, verify the following:
- Database Vault is enabled in V$OPTION.
- Oracle Label Security is enabled.
- DBA_DV_STATUSshows DV_CONFIGURE_STATUS = TRUE and DV_ENABLE_STATUS = TRUE.
- DBA_OLS_STATUSshows OLS_CONFIGURE_STATUS = TRUE and OLS_ENABLE_STATUS = TRUE.
These checks confirm that Database Vault has been configured successfully.
Production Considerations
- Perform the configuration during a maintenance window, as a database restart is required.
- Test the configuration in a non-production environment before implementing it in production.
- Ensure administrative accounts use strong passwords and are managed securely.
- Validate application connectivity after enabling Database Vault.
Summary
After completing the above steps:
- Database Vault is configured successfully.
- Oracle Label Security is configured automatically as part of the Database Vault configuration.
- Database Vault Owner (C##DBV_OWNER_ROOT) manages Database Vault policies and realms.
- Database Vault Account Manager (C##DBV_ACCTMGR_ROOT) manages user accounts without requiring SYS privileges.
- DBA_DV_STATUSshould display:
o DV_CONFIGURE_STATUS = TRUE
o DV_ENABLE_STATUS = TRUE
- DBA_OLS_STATUSshould display:
o OLS_CONFIGURE_STATUS = TRUE
o OLS_ENABLE_STATUS = TRUE
- Both Oracle Database Vault and Oracle Label Security options should return TRUE from the V$OPTION view, confirming that the features are successfully configured and enabled.