During one of my last consulting missions, I had to install Oracle Database Vault on an existing Oracle environment. It clearly was not a straightforward process, since I experienced some weird errors such as: ORA-28003: password verification for the specified password failed, ORA-20001: Password length less than 8, and ORA-01917: user or role 'LBACSYS' does not exist.
After having a look at several log files, I found the root causes of this error. Below, you will find a solution in order to bypass this pitfall.
First of all, let's start by checking that Oracle Database Vault has not been compiled with the current Oracle binaries:
SQL> select * from v$option where parameter like '%Oracle Database Vault%';
PARAMETER VALUE
------------------------- --------------------------------
Oracle Database Vault False
In order to be able to compile Oracle with the Database Vault option, it is mandatory to install Oracle Label Security first. For both components, we can use chopt:
myserver:/users/dba/oracle> chopt enable lbac
myserver:/users/dba/oracle> chopt enable dv
For additional information on the chopt command, please have a look at Yann Neuhaus' blog.
Once your Oracle binaries are compiled with both components, we can proceed with DBCA (DataBase Configuration Assistant):
1. Select "Configure Database Options":
2. Select the database where you want to configure Database Vault:
3. Tick the radio button "Configure Database for local management":
4. Select the option that fits your Directory Service needs best - in my case: "No, keep the database registered":
5. Select "Oracle Label Security", "Enterprise Manager Repository" and "Oracle Database Vault":
6. Create a Database Vault Owner with its own dedicated password and, optionally, a separate Account Manager. You can find more information regarding the Database Vault access rights policy in the Oracle documentation at the following address: http://docs.oracle.com/cd/E11882_01/server.112/e23090/getting_started.htm
7. Set the DBSNMP and SYSMAN passwords:
8. Select the connection mode that fits your needs best. In my case it is "Dedicated Server Mode":
9. A first pop-up appears, informing you that the database will be restarted:
10. A second pop-up appears, informing you about the database where the operations will be performed:
It is possible that you experience the following errors during this installation:
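- ORA-28003: password verification for the specified password failed
- ORA-20001: Password length less than 8
- ORA-01917: user or role 'LBACSYS' does not exist
These errors are due to the fact that Oracle is not compliant with its own security policy: the installation creates the LBACSYS user with a password that the active password verify function rejects as too short. Because the user is never created, the later steps fail with ORA-01917: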
…
CREATE USER LBACSYS IDENTIFIED BY LBACSYS DEFAULT TABLESPACE SYSTEM
*
ERROR at line 1:
ORA-28003: password verification for the specified password failed
ORA-20001: Password length less than 8
…
If you encounter this error, simply disable the password verify function. Once it is disabled, the DEFAULT profile shows a NULL limit:
SQL> select profile, resource_name, limit from dba_profiles where resource_name like '%VERIFY_FUNCTION%';
PROFILE RESOURCE_NAME LIMIT
----------------- ----------------------------------- ----------
DEFAULT PASSWORD_VERIFY_FUNCTION NULL
Once the security policy is disabled, you can proceed with the Database Vault installation as explained at the beginning of this blog post. At the end of the installation, reactivate the password verify function as described below:
SQL> @/u00/app/oracle/product/11.2.0.3.0/rdbms/admin/utlpwdmg.sql
Function created.
Profile altered.
Function created.
You should then verify that the password verify function really is activated:
SQL> select profile, resource_name, limit from dba_profiles where resource_name like '%VERIFY_FUNCTION%';
PROFILE RESOURCE_NAME LIMIT
-------------- -------------------------- ----------------------
DEFAULT PASSWORD_VERIFY_FUNCTION VERIFY_FUNCTION_11G
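The disable, install, re-enable and verify sequence above as one SQL*Plus checklist. This is an added example, not part of the original post: the ALTER PROFILE statement, the one-day window in step 5 and the account checks on LBACSYS, DVSYS and DVF are assumptions about how the steps would be carried out.

```sql
-- Added example: run in SQL*Plus with a DBA account.

-- 1. Before DBCA: record every password limit of the DEFAULT profile.
--    utlpwdmg.sql (step 3) resets several of them, not only the verify
--    function, so keep this output for comparison.
SELECT profile, resource_name, limit
FROM   dba_profiles
WHERE  profile = 'DEFAULT'
AND    resource_type = 'PASSWORD'
ORDER  BY resource_name;

-- 2. Before DBCA: detach the verify function from the DEFAULT profile.
--    The function itself is not dropped. Keep this window short: any
--    password set while the limit is NULL skips the complexity check.
ALTER PROFILE DEFAULT LIMIT PASSWORD_VERIFY_FUNCTION NULL;

-- 3. Run DBCA, then re-run utlpwdmg.sql as shown in the post.

-- 4. After DBCA: compare with the output of step 1. The verify function
--    must no longer be NULL, and any limit that differs from step 1 was
--    changed by utlpwdmg.sql.
SELECT profile, resource_name, limit
FROM   dba_profiles
WHERE  profile = 'DEFAULT'
AND    resource_type = 'PASSWORD'
ORDER  BY resource_name;

-- 5. After DBCA: accounts created while the check was disabled
--    (assumed window: the last 24 hours).
SELECT username, account_status, profile, created
FROM   dba_users
WHERE  created > SYSDATE - 1
ORDER  BY created;

-- 6. After DBCA: the component schemas should be locked and must not
--    carry a known default password. DVSYS and DVF are the Database
--    Vault schemas; LBACSYS belongs to Oracle Label Security.
SELECT u.username,
       u.account_status,
       NVL2(d.username, 'YES', 'NO') AS default_password
FROM   dba_users u
LEFT   JOIN dba_users_with_defpwd d ON d.username = u.username
WHERE  u.username IN ('LBACSYS', 'DVSYS', 'DVF');
```

Any row in step 6 that is OPEN or reports a default password should be handled by the Database Vault account manager before the database goes back into service.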
I hope this will help you to install Oracle Database Vault successfully!