Infrastructure at your Service

Grégory Steulet

Errors while installing Oracle Database Vault on Oracle 11.2.0.3

During one of my last consulting missions, I had to install Oracle Database Vault on an existing Oracle environment. It clearly was not a straigthforward process, since I experienced some weird errors such as: ORA-28003: password verification for the specified password failed, ORA-20001: Password length less than 8, and ORA-01917: user or role ‘LBACSYS’ does not exist.

After having a look at several log files, I found the root causes of this error. Below, you will find a solution in order to bypass this pitfall.

First of all, let’s start by checking that Oracle Database Vault has not been compiled with the current Oracle binaries:

SQL> select * from v$option where parameter like '%Oracle Database Vault%'PARAMETER                 VALUE
————————- ——————————–
Oracle Database Vault      False

In order to be able to compile Oracle with the Database Vault option, it is mandatory to install Oracle Label Security first. For both components, we can use chopt:

myserver:/users/dba/oracle> chopt enable lbac
myserver:/users/dba/oracle> chopt enable dv

 

For additional information on the chopt command, please have a look on Yann Neuhaus blog.
Once your Oracle binaries are compiled with both components, we can proceed with DBCA (DataBase Configuration Assistant):

1. Select “Configure Database Options”:

Oracle Database Vault installation

2. Select the database where you want to configure Database Vault:

Oracle Database Vault installation

3. Tick the radio button “Configure Database for local management”:

DBCA003

4. Select the option that fits your Directory Service needs best – in my case: “No, keep the database registrated”:

DBCA004

5. Select Oracle “Label Security”, “Enterprise Manager Repository” and “Oracle Database Vault”:

Oracle Database Vault installation

6. Create a Database Vault Owner with his dedicated password and optionally a Separate Account Manager. You can find more information regarding Database Vault access rights policy on Oracle Documentation on the following address: http://docs.oracle.com/cd/E11882_01/server.112/e23090/getting_started.htm

DBCA006

7. Set the DBSNMP and SYSMAN passwords:

DBCA007

8. Select the connection mode that fits your needs best. In my case it is “Dedicated Server Mode”:

DBCA008

9. A first pop-up appears, informing you that the database will be restarted:

DBCA009

10. A second pop-up appears, informing you about the database where the operations will be performed:

confirmation

It is possible that you experience the following errors during this installation:

  • ORA-28003: password verification for the specified password failed
  • ORA-20001: Password length less than 8

ORA-28003: password verification for the specified password failed

ORA-01917: user or role ‘LBACSYS’ does not exist

ORA-01917: user or role 'LBACSYS' does not exist

This error is due to the fact that Oracle is not compliant with its own security policy:

myserver:/u00/app/oracle/cfgtoollogs/dbca/souk> more labelSecurity.log

CREATE USER LBACSYS IDENTIFIED BY LBACSYS DEFAULT TABLESPACE SYSTEM*
ERROR at line 1:
ORA-28003: password verification for the specified password failed
ORA-20001: Password length less than 8

If you have such an error simply disable the password_very_function as described below:

SQL> alter profile default limit password_very_function NULL;
SQL> select profile, resource_name, limit from dba_profiles where resource_name like ‘%VERIFY_FUNCTION%';

PROFILE              RESOURCE_NAME                        LIMIT
—————–  ———————————–  ———-
DEFAULT             PASSWORD_VERIFY_FUNCTION   NULL

Once the security policy disabled, you can proceed with the Database Vault installation as explained in the beginning of this blog posting. At the end of the installation please simply reactivate the password verify function as described below:

SQL> @/u00/app/oracle/product/11.2.0.3.0/rdbms/admin/utlpwdmg.sql

Function created.

Profile altered.

Function created.

You should then verify that the password very function really is activated:

SQL> select profile, resource_name, limit from dba_profiles where resource_name like ‘%VERIFY_FUNCTION%';

PROFILE        RESOURCE_NAME              LIMIT

————– ————————– ———————-

DEFAULT        PASSWORD_VERIFY_FUNCTION   VERIFY_FUNCTION_11G

I hope this will help you to install Oracle Database Vault successfuly!

 

Leave a Reply


7 × = twenty eight

Grégory Steulet
Grégory Steulet

Chief Financial Officer (CFO)