Configure Oracle Database Vault on Oracle CDB$ROOT

-

Configure Oracle Database Vault on Oracle CDB$ROOT

Oracle Database Vault (DV) strengthens the security posture of the Oracle database by enforcing separation of duties and restricting access, even for highly privileged users. While DV is often configured at the PDB level, enterprise environments typically require securing the CDB$ROOT itself to protect the entire multitenant architecture.

This blog walks through the complete process of enabling and verifying Oracle Database Vault on CDB$ROOT in an Oracle 19c environment.

Step 1: Verify DV and OLS Status

Before starting, check if Database Vault and Oracle Label Security (OLS) are installed and verify their status.

sql
COL DESCRIPTION FORMAT A40
SET LINES 900

SELECT * FROM SYS.DBA_DV_STATUS;
SELECT * FROM DBA_OLS_STATUS;

If the components are not installed, install them using DBCA or the Oracle-provided scripts.

Step 2: Create DV Owner and Account Manager Users

You must create common users to manage Database Vault. These accounts should be container-wide.

sql
GRANT CREATE SESSION, SET CONTAINER 
TO c##dv_owner_root IDENTIFIED BY ORacle1234## CONTAINER = ALL;

GRANT CREATE SESSION, SET CONTAINER 
TO c##dv_acctmgr_root IDENTIFIED BY ORacle1234## CONTAINER = ALL;

These will be designated later as the DV Owner and DV Account Manager.

Step 3: Configure Database Vault

Connect as a CDB-level SYSDBA and configure DV.

sql
BEGIN
  CONFIGURE_DV (
    dvowner_uname        => 'c##dv_owner_root',
    dvacctmgr_uname      => 'c##dv_acctmgr_root',
    force_local_dvowner  => FALSE
  );
END;
/

Alternatively:

sql
EXEC CONFIGURE_DV('c##dv_owner_root','c##dv_acctmgr_root');

Step 4: Recompile Invalid Objects

After configuration, recompile invalid objects to ensure all DV packages are valid.

sql
@?/rdbms/admin/utlrp.sql

Step 5: Enable Database Vault

Connect as the DV Owner and enable DV enforcement.

sql
CONNECT c##dv_owner_root@CDB$ROOT
EXEC DBMS_MACADM.ENABLE_DV;

This activates DV, enforcing realms and command rules at the CDB level.

Step 6: Restart the Container Database

Restart the database to finalize configuration.

sql
CONNECT / AS SYSDBA
SHUTDOWN IMMEDIATE
STARTUP

Step 7: Verify Status After Restart

After restart, confirm DV and OLS are enabled.

sql
SELECT * FROM SYS.DBA_DV_STATUS;
SELECT * FROM DBA_OLS_STATUS;

Both should now show ENABLED.

Conclusion

Configuring Database Vault at the CDB$ROOT level allows DBAs to:

  • Enforce separation of duties

  • Protect sensitive metadata

  • Restrict unauthorized access across all PDBs

This setup is essential in regulated environments where security and compliance are top priorities.

Continue strengthening your security posture by defining realms, command rules, and authorized accounts to match your organization’s requirements.

Author: Bidhan Mandal
Oracle Apps DBA | Oracle Database Vault Specialist | OCI Architect
Visit: https://bidhandba.blogspot.com

Comments

Post a Comment

Popular posts from this blog

Configure Oracle Database Vault Realms

-
Configure Oracle Database Vault Realms to Secure the HR Schema Oracle Database Vault (DV) is a powerful security feature that enables fine-grained access control by enforcing security policies that protect sensitive data. One of the most important components in Database Vault is the Realm , which creates a security boundary around database objects to prevent unauthorized access — even by highly privileged users. In this blog, we’ll walk through the step-by-step process of configuring a Realm to secure the HR schema in an Oracle Database 19c environment. You’ll learn how to: Create a Realm Add objects to it Restrict access Enable auditing for security tracking What is a Realm? A Realm in Oracle Database Vault defines a logical security boundary around one or more database objects. Once a Realm is in place, no one — not even privileged users like DBAs — can access the protected objects without being explicitly authorized. Realms are ideal for: Securing sensitive ap...
Read more

Configure Transparent Database Encryption (TDE) in Oracle CDB

-
   Configure Transparent Database Encryption (TDE) in Oracle CDB Transparent Data Encryption (TDE) is a vital Oracle feature used to secure sensitive data at rest by encrypting database files. In this guide, we'll walk through configuring TDE in a CDB (Container Database) environment and demonstrate its effectiveness with a test tablespace and HR schema. Prerequisites Oracle Database (12c and above, preferably 19c or later) File system access to create wallets Appropriate privileges to administer TDE and manage tablespaces Step 1: Create a New Tablespace in PDB Connect to the PDB and create a new tablespace: sql SQL > CREATE TABLE SPACE userstab DATAFILE '/opt/oracle/oradata/XE/XEPDB1/userstab01.dbf' SIZE 1 G; Tablespace created. Step 2:Install the Sample HR Schema Install the sample HR schema into the newly created userstab tablespace: sql SQL > @? / demo / schema / human_resources / hr_main.sql This will create and populate HR sc...
Read more

Cloning Oracle E-Business Suite 12.2.11: RMAN + Rapid Clone

-
Cloning Oracle E-Business Suite (EBS) environments is a critical part of managing development, testing, and DR landscapes. In this post, we walk through the process of cloning EBS 12.2.11 from a production environment to a non-production one using RMAN active duplication and Oracle Rapid Clone utilities . Clone Scenario Source Database CDB : PRODCDB Source PDB : prod Target Database CDB : RNDCDB Target PDB : RND Step 1: Prepare the Target Server Create Required Directories mkdir -p /u01/oracle/RNDCDB mkdir -p /u01/oracle/RND mkdir -p /u01/oracle/clone_logs Verify Swap Space (Must be ≥ 16GB) free -h Step 2: Run Pre-Clone on Source Database Tier cd $ORACLE_HOME/appsutil/scripts/prod_PRODCDB perl adpreclone.pl dbTier Application Tier cd $ADMIN_SCRIPTS_HOME perl adpreclone.pl appsTier  Step 3: Clone the CDB with RMAN 3.1: Startup Target CDB in NOMOUNT Mode export ORACLE_SID=RNDCDB sqlplus / as sysdba STARTUP NOMOUNT; 3.2: Run RMAN Active Duplicate rman target sys@PRODCDB auxiliary sy...
Read more