Monday, December 17, 2012

Installing Oracle Audit Vault 10.3 in Oracle Solaris SPARC 64Bit


1 Oracle Audit Vault Server Installation Overview
Oracle Audit Vault is a powerful software which can help enterprise consolidate their audit operations to a single source of truth.

2 Oracle Audit Vault Preinstallation Requirements

This chapter describes the tasks that you must complete before you start Oracle Universal Installer to install Oracle Audit Vault Server Release 10.3. It includes information about the following tasks:

·         Installation Fixup Scripts
·         Checking the Network Setup
·         Configure Shell Limits
·         Setting the Correct Locale

2.1 Logging In to the System as root

$ su - root
password:
#

2.2 Checking the Hardware Requirements

The following are the memory requirements for installing Oracle Audit Vault Server Release 10.3, which installs a customized, specially configured release of Oracle Database 11g Release 2 (11.2.0.3):
Minimum: 1 GB of RAM
Recommended: 2 GB of RAM or more
·         To determine the RAM size, enter the following command:
bash-3.2$ /usr/sbin/prtconf | grep "Memory size"
Memory size: 32256 Megabytes
bash-3.2$

2.2.2 System Architecture

To determine if the system architecture can run the software, enter the following command:
# /bin/isainfo -kv

This command displays the processor type. The following is the expected output of this command:
Oracle Solaris on SPARC (64-Bit):
64-bit sparcv9 kernel modules

Verify that the processor architecture matches the Oracle software release that you want to install. If you do not see the expected output, then you cannot install the software on this system.

2.2.3 Disk Space Requirements

Disk space requirements for Installing Oracle Audit Vault 10.3 is listed in below table:
Installation Type
Requirement for Software Files (GB)
Oracle Audit Vault Server
4.45

Installation Type
Disk Space for Data Files (GB)
Oracle Audit Vault Server
2.30

Amount of free disk space in the system can be seen using commands below:
# df -h
# df -k

2.2.4 Display Requirements

The minimum resolution for Oracle Audit Vault Server is 1024 x 768 or higher.

2.2.5 Run Level Requirement

Ensure that the system is started with run level 3.

2.3 Checking the Software Requirements

Depending on the products that you intend to install, verify that the following software is installed on your system:

2.3.1 Operating System Requirements

Oracle Solaris 10 U6 (5.10-2008.10) or later is required for Oracle Audit Vault Server Release 10.3.
To determine the distribution and version of Oracle Solaris installed, enter the following command:
# uname -r
5.10
In this example, the version shown is Oracle Solaris 10 (5.10). If necessary, see your operating system documentation for information about upgrading the operating system.
To determine the update level of Oracle Solaris installed, enter the following command:
$ cat /etc/release

2.3.2 Package Requirements

The following packages (or later versions) are required for Oracle Audit Vault Server Release 10.3 for Oracle Solaris:



·         SUNWarc

·         SUNWbtool

·         SUNWhea
·         SUNWlibC
·         SUNWlibm
·         SUNWlibms
·         SUNWsprot
·         SUNWtoo
·         SUNWi1of
·         SUNWi1cs (ISO8859-1)
·         SUNWi15cs (ISO8859-15)
·         SUNWxwfnt
·         SUNWcsl


Verifying Packages
To determine if the required packages are installed, enter commands similar to the following:
# pkginfo -i SUNWarc SUNWbtool SUNWhea SUNWlibC SUNWlibms SUNWsprot \
 SUNWtoo SUNWi1of SUNWi1cs SUNWi15cs SUNWxwfnt

If a package is not installed, then install it. See your operating system or software documentation for information about installing packages.

2.3.3 Patch Requirements

The following, or later, patches are required for Oracle Audit Vault Server Release 10.3 for Oracle Solaris on SPARC (64-Bit):

Solaris on SPARC (64-Bit):

Installation Type or Product
Requirement
All Installations
Patches for Oracle Solaris 10:
·         120753-06: SunOS 5.10: Microtasking libraries (libmtsk) patch
·         139574-03: SunOS 5.10
·         141444-09
·         141414-02
Database Smart Flash Cache
The following patches are required:
·         125555-03
·         140796-01
·         140899-01
·         141016-01
·         139555-08
·         141414-10
·         141736-05
Verifying Operating System Patches
To determine if an operating system patch is installed, enter a command similar to the following:
# /usr/sbin/patchadd -p | grep patch_number(without version number)

For example, to determine if any version of the 119963 patch is installed, use the following command:
# /usr/sbin/patchadd -p | grep 119963

If an operating system patch is not installed, then ask your operating system engineer to install the patch.

2.3.4 Additional Software Requirements

Make sure java 1.6 is installed in your system. Use command below to identify the version of java installed in your system.
bash-3.2$ java -version    
java version "1.6.0_31"
Java(TM) SE Runtime Environment (build 1.6.0_31-b04)
Java HotSpot(TM) Server VM (build 20.6-b01, mixed mode)
bash-3.2$

2.5 Verifying UDP and TCP Kernel Parameters

Use NDD to ensure that the kernel TCP/IP ephemeral port range is broad enough to provide enough ephemeral ports for the anticipated server workload. Ensure that the lower range is set to at least 9000 or higher, to avoid Well Known ports, and to avoid ports in the Registered Ports range commonly used by Oracle and other server ports. Set the port range high enough to avoid reserved ports for any applications you may intend to use. If the lower value of the range you have is greater than 9000, and the range is large enough for your anticipated workload, then you can ignore OUI warnings regarding the ephemeral port range.
Use the following command to check your current range for ephemerial ports:
# /usr/sbin/ndd /dev/tcp tcp_smallest_anon_port tcp_largest_anon_port
32768
65535
In the preceding example, tcp_smallest_anon_port is set to the default range (32768-65535).
If necessary for your anticipated workload or number of servers , update the UDP and TCP ephemeral port range to a broader range. For example:
# /usr/sbin/ndd -set /dev/tcp tcp_smallest_anon_port 9000
# /usr/sbin/ndd -set /dev/tcp tcp_largest_anon_port 65500
# /usr/sbin/ndd -set /dev/udp udp_smallest_anon_port 9000
# /usr/sbin/ndd -set /dev/udp udp_largest_anon_port 65500
Oracle recommends that you make these settings permanent. Refer to your system administration documentation for information about how to automate this ephemeral port range alteration on system restarts.
In order to make changes permanent edit the file /lib/svc/method/net-init using file editors like vi and add following lines:
ndd -set /dev/tcp tcp_smallest_anon_port 9000
ndd -set /dev/tcp tcp_largest_anon_port  65500
ndd -set /dev/udp udp_smallest_anon_port 9000
ndd -set /dev/udp udp_largest_anon_port  65500
Always backup the original file before making any changes.

2.6 Checking the Network Setup

Typically, the computer on which you want to install Oracle Audit Vault Server is connected to the network. The computer has local storage to store the Oracle Audit Vault Server installation. It also contains a display monitor and DVD drive. This section describes how to install Oracle Audit Vault Server on computers that do not meet the typical scenario. It describes the following cases:

·         Installing on DHCP Computers
·         Installing on Multihomed Computers
·         Installing on Computers with Multiple Aliases

2.6.1 Installing on DHCP Computers

Do not install Oracle Audit Vault Server in an environment where the IP addresses of the Audit Vault Server or the Oracle Audit Vault collection agent can change. If your environment uses DHCP, ensure that all Oracle Audit Vault systems use static IP addresses.

2.6.2 Installing on Multihomed Computers

You can install Oracle Audit Vault Server on a multihomed computer. A multihomed computer is associated with multiple IP addresses. This is typically achieved by having multiple network cards on the computer. Each IP address is associated with a host name. In addition, you can set up aliases for the host name. By default, Oracle Universal Installer uses the ORACLE_HOSTNAME environment variable setting to find the host name. If ORACLE_HOSTNAME is not set and you are installing on a computer that has multiple network cards, then Oracle Universal Installer determines the host name from the /etc/hosts file.
Clients must be able to access the computer either by using this host name or by using aliases for this host name. To verify this, ping the host name from the client computers using the short name (host name only) and the full name (host name and domain name). Both tests must be successful.

Setting the ORACLE_HOSTNAME Environment Variable
Use the following procedure to set the ORACLE_HOSTNAME environment variable. For example, if the fully qualified host name is somehost.us.example.com, then enter one of the following commands:
In Bourne, Bash, or Korn shell:
$ ORACLE_HOSTNAME=mgtav.mydomain.com.np
$ export ORACLE_HOSTNAME

In C shell:
% setenv ORACLE_HOSTNAME mgtav.mydomain.com.np

The ORACLE_HOSTNAME variable is used to create enterprise manager url at the end of the installation.

Entries of my /etc/hosts file:

#
# Internet host table
#
::1     localhost       
127.0.0.1       localhost       
100.100.100.102   mgtav       mgtav.      mgtav.mydomain.com.np    loghost

2.6.3 Installing on Computers with Multiple Aliases

A computer with multiple aliases is registered with the naming service under a single IP address but with multiple aliases. The naming service resolves any of those aliases to the same computer. Before installing Oracle Audit Vault Server on such a computer, set the ORACLE_HOSTNAME environment variable to the computer whose host name you want to use.

2.7 Creating Required Operating System Groups and Users

Log in to your system as the root user before you attempt to create these operating system groups and users.
If you are installing Oracle Audit Vault Server, it requires the following operating system groups and user:

·         The OSDBA group (dba)
You must create this group the first time you install Oracle Audit Vault software on the system. It identifies operating system user accounts that have database administrative privileges (the SYSDBA privilege). The default name for this group is dba. 

·         The OSOPER group (oper)
This is an optional group. Create this group if you want a separate group of operating system users to have a limited set of administrative privileges (the SYSOPER privilege). By default, members of the OSDBA group also have the SYSOPER privilege.
The following operating system group and user are required for all installations:

·         The Oracle Inventory group (oinstall)
You must create this group the first time you install Oracle software on the system. The usual name chosen for this group is oinstall. This group owns the Oracle inventory, which is a catalog of all Oracle software installed on the system.
Use the commands below to create the groups:

/usr/sbin/groupadd -g 101 dba
/usr/sbin/groupadd -g 102 oper
/usr/sbin/groupadd -g 100 oinstall 

2.7.1 Creating the Oracle Software Owner User

To create use enter the following command:

/usr/sbin/useradd -u 100 -g oinstall -G dba,oper -d /home/oracle -m oracle

To change the password enter the following command:

passwd oracle

2.7.2 Profile of oracle user for Audit Vault Server Home

Below is the contents of .profile file of oracle user for Audit Vault Server Home.

# This is the default standard profile provided to a user.
# They are expected to edit it to meet their own needs.
MAIL=/usr/mail/${LOGNAME:?}
TMP=/tmp; export TMP
TMPDIR=$TMP; export TMPDIR
ORACLE_BASE=/u01/app/oracle; export ORACLE_BASE
ORACLE_HOME=$ORACLE_BASE/product/10.3.0/av_1; export ORACLE_HOME
ORACLE_HOSTNAME=mgtav.mydomain.com.np; export ORACLE_HOSTNAME
ORACLE_SID=avdc; export ORACLE_SID
ORACLE_TERM=xterm; export ORACLE_TERM
PATH=/usr/sbin:/usr/ccs/bin:/usr/ucb:$PATH;
export PATH
PATH=$ORACLE_HOME/bin:$PATH; export PATH
LD_LIBRARY_PATH=$ORACLE_HOME/lib:/lib:/usr/lib:/usr/local/lib; export LD_LIBRARY_PATH
CLASSPATH=$ORACLE_HOME/JRE:$ORACLE_HOME/jlib:$ORACLE_HOME/rdbms/jlib; export CLASSPATH
export PATH
umask 022
ulimit -n 65536
#End .profile for audit vault server
2.8 Configuring Kernel Parameters on Oracle Solaris 10
To create project and add kernel parameters enter the following commands:
projadd -c "Oracle dba Group for Oracle RDBMS and Audit Vault" group.dba
projmod -s -K "project.max-sem-ids=(priv,4096,deny)" group.dba
projmod -s -K "process.max-sem-nsems=(priv,12000,deny)" group.dba
projmod -s -K "project.max-shm-ids=(priv,4096,deny)" group.dba
projmod -s -K "project.max-shm-memory=(priv,34359738368,deny)" group.dba
projmod -s -K "process.max-file-descriptor=(priv,65536,deny)" group.dba

Verify the changes using following commands:

cat /etc/projects
Or
projects -l 

Add following lines in /etc/system as root user:

set noexec_user_stack=1
set semsys:seminfo_semmns=1024
set semsys:seminfo_semvmx=32767
set rlim_fd_max=65536
set rlim_fd_cur=65536
set max_nprocs=30000
set maxuprc=16384
 

2.9 Identifying Required Software Directories

2.9.1 Oracle Base Directory

The Oracle base directory is a top-level directory for Oracle software installations.

ORACLE_BASE=/u01/app/oracle/ 

To create the Oracle Base directory, enter the following commands as the root user:
#mkdir -p /u01/app/oracle
#chown -R oracle:oinstall /u01/app/oracle
#chmod -R 775 /u01/app/oracle

2.9.2 Oracle Inventory Directory

The Oracle Inventory directory (oraInventory) stores an inventory of all software installed on the system. It is required and shared by all Oracle software installations on a single system. If you have an existing Oracle Inventory path, then Oracle Universal Installer continues to use that Oracle Inventory.

/u01/app/oraInventory/ 

#mkdir -p /u01/app/oraInventory
#chown -R oracle:oinstall /u01/app/oraInventory
#chmod -R 775 /u01/app/oraInventory

2.9.3 Oracle Home Directory

Oracle Home directory for Audit Vault server is set to the following:
$ORACLE_BASE/product/10.3.0/av_1

To create the Oracle Audit Vault Home directory, enter the following commands as the root user:
#mkdir -p /u01/app/oracle/product/10.3.0/av_1
#chown -R oracle:oinstall /u01/app/oracle/product/10.3.0
#chmod -R 775 /u01/

Following directory is needed to ensure that dbca is able to run after the rdbms installation.
#mkdir /u01/app/oracle/cfgtoollogs
#chown -R oracle:oinstall /u01/app/oracle/cfgtoollogs
#chmod -R 775 /u01/app/oracle/cfgtoollogs

2.9.4 Staging directory for Audit Vault Binaries

Download the Audit Vault 10.3 software binaries from otn.oracle.com and ftp to the location below.

/stage/audit_vault

Unzip the downloaded files using unzip utility:

unzip server.solaris.sparc64.zip

Installing the Oracle Audit Vault Server
To start the audit vault server installer go to the directory where audit vault server binaries are extracted.

cd /stage/audit_vault/server/
./runInstaller

Uncheck the check box if you do not have My Oracle Support account and click on Next button to continue.


Click on Yes to continue because we did not provide My Oracle Support account information.


Select the "Create and configure Oracle Audit Vault" and click on Next button to continue.

Select "Basic Installation" and click on Next button to continue. If you choose "Advanced Installation" you will encounter bug as mentioned in My Oracle Support Document "Advanced Audit Vault 10.3 Installation Fails with: Invalid or missing Oracle OC4J home [ID 1446663.1]".


Select "Single Instance Audit Vault Installation" and click on Next button to continue.

Provide values for required fields as shown in image below and click on Next button to continue. By default Oracle Audit Vault will create a database with SID=av.





Save the response file if you want to review it later and click on Install button to start the installation.



In a new terminal login as root user and execute the script. The output of the script is shown below.



root@mgtav # id -a
uid=0(root) gid=0(root) groups=0(root),1(other),2(bin),3(sys),4(adm),5(uucp),6(mail),7(tty),8(lp),9(nuucp),12(daemon)
root@mgtav #
root@mgtav # /u01/app/oracle/product/10.3.0/av_1/root.sh
Performing root user operation for Oracle 11g

The following environment variables are set as:
    ORACLE_OWNER= oracle
    ORACLE_HOME=  /u01/app/oracle/product/10.3.0/av_1

Enter the full pathname of the local bin directory: [/usr/local/bin]:
The contents of "dbhome" have not changed. No need to overwrite.
The contents of "oraenv" have not changed. No need to overwrite.
The contents of "coraenv" have not changed. No need to overwrite.

Entries will be added to the /var/opt/oracle/oratab file as needed by
Database Configuration Assistant when a database is created
Finished running generic part of root script.
Now product-specific root actions will be performed.
Finished product-specific root actions.
root@mgtav #

After the script is executed, click on Ok button. At the end of the installation you will see a window with the urls of the Enterprise Manager configured for Database and Audit Vault. Save these urls for later use.

Save the url at the end of the Installation:

Enterprise Manager Database Control URL - (av) :
https://mgtav.mydomain.com.np:1158/em
Audit Vault 10.3.0.0.0 URL:
https://mgtav.mydomain.com.np:1158/av

Hope this helps 



References:

Oracle® Audit Vault
Server Installation Guide 
Release 10.3 for Oracle Solaris on SPARC (64-Bit)
E23568-01