Concurrent Managers Status shows ”Target node/queue unavailable”

Issue: Concurrent Managers Status shows  ”Target node/queue unavailable”  in Concurrent–>Manager–>Administer Screen form.

Solution:
Ensure Database is Running and Middle Tier Services are down.

Connect sqlplus as apps user and run the following :
EXEC FND_CONC_CLONE.SETUP_CLEAN;
commit;


Run AutoConfig on all tiers, firstly on the DB tier and then the APPS tiers and webtier to repopulate the required systemtables

Run the CMCLEAN.SQL script from the referenced note below (don’t forget to commit).

Note.134007.1 – ‘CMCLEAN.SQL – Non Destructive Script to Clean Concurrent  Manager Tables‘

Start the middle tier services including your concurrent manager.

Retest the issue.

The Default Rulesets "Allow Oracle Data Pump Operation" and "Allow Scheduler Job"

The default rulesets "Allow Oracle Data Pump Operation" and "Allow Scheduler Job" are not present in 11.2.0.3.

However, the restrictions on using data pump and database scheduler in a database vault environment still hold good. This means that these restrictions can no longer be disabled by disabling the rule sets "Allow Oracle Data Pump Operation" and "Allow Scheduler Job".

The statement SELECT ENABLED FROM FROM DVSYS.DBA_DV_RULE_SET WHERE RULE_SET_NAME = 'Allow Oracle Data Pump Operation'; from product documentation does not work.

SQL> SELECT ENABLED
FROM DVSYS.DBA_DV_RULE_SET
WHERE RULE_SET_NAME = 'Allow Oracle Data Pump Operation';
no rows selected


Cause
This is expected behavior starting with 11.2.0.3 .

The restrictions that were present in the pre-11203 Database Vault on the use of data pump and database scheduler in a Database Vault environment are present in 11.2.0.3 , but not implemented through rule sets in 11.2.0.3.


Solution
References to these rule sets in 11.2.0.3 product documentation have been classified as documentation BUG 13700537.

To perform datapump operations and use scheduler in a DV enabled environment, use the guidelines mentioned in Database Vault Administrator Guide 11.2

The Default Rulesets "Allow Oracle Data Pump Operation" and "Allow Scheduler Job" Are Absent in 11.2.0.3. (Doc ID 1424133.1)

ORA-31626 ORA-31633 ORA-06512 ORA-47401

Datapump Export with Database Vault Fails for SYSTEM User

expdp directory=expimp dumpfile=expimp.dmp logfile=expimp.log full=Y

Export: Release 11.2.0.3.0 - Production on Apr 7 07:09:19 2013
Copyright (c) 1982, 2011, Oracle and/or its affiliates.  All rights reserved.
Username: system/manager
Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, Oracle Label Security, OLAP, Data Mining,
Oracle Database Vault and Real Application Testing options
ORA-31626: job does not exist
ORA-31633: unable to create master table "SYSTEM.SYS_EXPORT_FULL_05"
ORA-06512: at "SYS.DBMS_SYS_ERROR", line 95
ORA-06512: at "SYS.KUPV$FT", line 1020
ORA-47401: Realm violation for CREATE TABLE on SYSTEM.SYS_EXPORT_FULL_05


Solution
Add SYSTEM user to the "Oracle Data Dictionary" realm

BEGIN
DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM(
realm_name => 'Oracle Data Dictionary',
grantee => 'SYSTEM');
END;
/

How to Check and Enable/Disable Oracle Binary Options using Oracle 11.2 new feature – chopt utility

From Oracle 11R2, any specific components can be enabled/disabled with the help of chopt utility. The chopt tool is a command-line utility that is located in the ORACLE_HOME\bin directory.

The syntax for chopt tool:

chopt [ enable | disable] db_option

bash-3.00$ chopt

usage:

chopt <enable|disable> <option>

options:
dm = Oracle Data Mining RDBMS Files
dv = Oracle Database Vault option
lbac = Oracle Label Security
olap = Oracle OLAP
partitioning = Oracle Partitioning
rat = Oracle Real Application Testing


Steps:

1. Shut down the database SID=orcl with srvctl or SQL*Plus:

srvctl stop database -d myDb -> clusterware env

SQL> shu immediate -> single instance

2. Stop the database service, OracleServiceSID, using the services.msc.

3. Run the following commands:

cd %ORACLE_HOME%/bin

chopt enable lbac

- to enable Oracle Label Security

4. Start the database service, OracleServiceSID, using the services.msc.

5. Start up the database:

srvctl start database -d myDb

SQL> startup

example:

bash-3.00$ chopt enable lbac

Writing to /oracle11g/u01/app/oracle/product/11.2.0/install/enable_lbac.log...
%s_unixOSDMakePath% -f /oracle11g/u01/app/oracle/product/11.2.0/rdbms/lib/ins_rdbms.mk lbac_on
%s_unixOSDMakePath% -f /oracle11g/u01/app/oracle/product/11.2.0/rdbms/lib/ins_rdbms.mk ioracle
s_unixOSDMakePath is nothing but make command

To verify options is enable/disable, enter:

bash-3.00$ cd $ORACLE_HOME/rdbms/lib
bash-3.00$ /usr/ccs/bin/ar -t libknlopt.a | grep -c kzlibac.o
1
bash-3.00$
where kzlibac.o denotes Oracle Label Security

If the output is 0, the option is disabled.
If the output is 1, the option is enabled.

The output are maintained in “$ORACLE_HOME/install/” path

bash-3.00$ pwd
/oracle11g/u01/app/oracle/product/11.2.0/install
bash-3.00$ ls -lrt
-rwxrwxr-x   1 ora11g   dba11     259989 Dec 16 21:21 make.log
-rw-r--r--   1 ora11g   dba11        190 Dec 29 18:47 enable_lbac.log
The installed component at the time of oracle home installation can be found in $ORACLE_HOME/install/make.log path.

How to Check and Enable/Disable Oracle Binary Options [ID 948061.1]

How to Disable and Enable a Database vault Realm

By default, when we create a realm, it is enabled. We can disable a realm (for example, for system maintenance such as patch updates) and then enable it again afterward.

To disable or enable a realm:

a) In the Oracle Database Vault Administration page, select Realms.

b) In the Realms page, select the realm you want to disable or enable, and then select Edit.

c) In the Edit Realm page, under Status in the General section, select either Disabled or Enabled.

d) Click OK.

How To Uninstall Or Reinstall Database Vault in 11gR2

1) Stop Database Control, the listener and the database

2) Disable Database Vault :
chopt disable dv

3) Start the listener and the database.

4) Identify the DV_OWNER and DV_ACCTMGR users that were configured:
select unique GRANTEE from dba_role_privs
where GRANTED_ROLE in ('DV_ACCTMGR','DV_OWNER')
and grantee <> 'DVSYS';

5) Run script dvremov.sql as SYSDBA after setting parameter recyclebin to OFF:
conn / as sysdba
alter system set recyclebin=off scope=spfile;

shutdown immediate
startup
run ?/rdbms/admin/dvremov.sql

After this only DVSYS and DVF users and DV roles are removed, but the security admin and account manager accounts are not removed as they are considered custom database accounts. They have to be removed manually, use the usernames obtained in step 5. (take care not to drop any users that you may have granted these roles manually):

conn / as sysdba
drop user &DV_OWNER cascade;
drop user &DV_ACCTMGR cascade;

dvremov.sql just removes the DV components and does not affect in any way OLS.

6) Turn on recycle bin if it was turned off before


At this stage Database Vault is removed from the database and the binaries are relinked with dv_off. If Database Vault is not needed (all you wanted to do was to remove/uninstall it) then stop here and restart the database. If Database Vault needs to be enabled then do the following:

1) Stop Database Control, listener and database.

2) Enable DV :
chopt enable dv

3) Start the listener and the database

4) Run DBCA again to register Database Vault. If it is not possible to run the DBCA GUI then run dbca silently:
dbca -silent -configureDatabase
-sourceDB <source database sid>
[-sysDBAUserName <user name with SYSDBA privileges>
-sysDBAPassword <password for sysDBAUserName user name>]
-addDBOption DV,OMS
-dvUserName <DV owner>
-dvUserPassword <DV owner passwd>
-dvAccountManagerName <DV acctmgr>
-dvAccountManagerPassword <DV acctmgr passwd>

How To Uninstall Or Reinstall Database Vault in 11gR1 and 11.2.0.1

Sometimes you require to uninstall or reinstall the database vault.These Steps are valid for 11gR1 and 11.2.0.1 database.For 11gR2(11.2.0.2 & others) please check my another Blog How To Uninstall Or Reinstall Database Vault in 11gR2

1) Stop Database Control, the listener and the database

2) Disable Database Vault :
cd $ORACLE_HOME/rdbms/lib
make -f ins_rdbms.mk dv_off ioracle

3) Start the listener and the database.

4) Disable the Database Vault triggers :
conn / as sysdba
alter trigger dvsys.dv_before_ddl_trg disable;
alter trigger dvsys.dv_after_ddl_trg disable;

5) Identify the DV_OWNER and DV_ACCTMGR users that were configured:
select unique GRANTEE from dba_role_privs
where GRANTED_ROLE in ('DV_ACCTMGR','DV_OWNER')
and grantee <> 'DVSYS';

6) Run script dvremov.sql as SYSDBA after setting parameter recyclebin to OFF:
Note: In 11.2.0.1 run the following statements before running dvremov.sql:

update dvsys.config$ set status=0;
commit;

conn / as sysdba
alter system set recyclebin=off scope=spfile;

shutdown immediate
startup

run ?/rdbms/admin/dvremov.sql

After this only DVSYS and DVF users and DV roles are removed, but the security admin and account manager accounts are not removed as they are considered custom database accounts. They have to be removed manually, use the usernames obtained in step 5. (take care not to drop any users that you may have granted these roles manually):

conn / as sysdba
drop user &DV_OWNER cascade;
drop user &DV_ACCTMGR cascade;

dvremov.sql just removes the DV components and does not affect in any way OLS.

7) Run dbms_network_acl_admin.drop_acl (In 11gR2 this is included in dvremov.sql) :
conn / as sysdba
exec DBMS_NETWORK_ACL_ADMIN.DROP_ACL ('/sys/acls/dvsys-network-privileges.xml');
commit;

8) Turn on recycle bin if it was turned off before


At this stage Database Vault is removed from the database and the binaries are relinked with dv_off. If Database Vault is not needed (all you wanted to do was to remove/uninstall it) then stop here and restart the database. If Database Vault needs to be enabled then do the following:

1) Stop Database Control, listener and database.

2) Enable DV :
sqlplus / as sysdba
shutdown immediate

cd $ORACLE_HOME/rdbms/lib
make -f ins_rdbms.mk dv_on ioracle

3) Start the listener and the database

4) Run DBCA again to register Database Vault. If it is not possible to run the DBCA GUI then run dbca silently:

dbca -silent -configureDatabase
-sourceDB <source database sid>
[-sysDBAUserName <user name with SYSDBA privileges>
-sysDBAPassword <password for sysDBAUserName user name>]
-addDBOption DV,OMS
-dvUserName <DV owner>
-dvUserPassword <DV owner passwd>
-dvAccountManagerName <DV acctmgr>
-dvAccountManagerPassword <DV acctmgr passwd>

Script to check the Database Vault Realms, Command Rules and Rule Sets

1) Listing the Database Vault realms: 

set linesize 2000
set lines 1000 pages 499
column realm_name format a40
column col1 format a30
column col2 format a30 Heading "Owner / Grantee "
column col3 format a30 Heading "Object Type/Rule Set Name"
column col4 format a30 Heading "Object Name/Auth Options"
break on realm_name skip 3

select * from (
SELECT realm_Name , 'protected objects' col5, owner col2 , object_type col3 ,object_name col4
FROM dvsys.dba_dv_realm_object
union
select REALM_NAME ,'authorizations' col5, GRANTEE col2 ,AUTH_RULE_SET_NAME col3 , AUTH_OPTIONS col4
from dvsys.dba_dv_realm_auth )
order by realm_name asc ,col5 desc
/


2) Listing the Database Vault command rules: 

set linesize 2000
set lines 1000 pages 499
column COMMAND format a30
column RULE_SET_NAME format a30
column OBJECT_OWNER format a30
column OBJECT_NAME format a30
column ENABLED format a30
column PRIVILEGE_SCOPE format a30
select * from dvsys.DBA_DV_COMMAND_RULE;


3) Listing the Database Vault rules and rule sets:

column RULE_SET_NAME format a30
column RULE_NAME format a50
column RULE_EXPR format a60
column ENABLED format a8
column RULE_ORDER format 9999
break on RULE_SET_NAME skip 3

select * from dvsys.DBA_DV_RULE_SET_RULE;

Script To List The Database Vault Realms, Command Rules And Rule Sets (Doc ID 1352556.1)

How to Enable and Disable Oracle Database vault

How to Enable the database vault in Oracle 11gR2

1) Stop the database, Database Control console process, and listener
SQL> SHUTDOWN IMMEDIATE
SQL> EXIT
$ emctl stop dbconsole
$ lsnrctl stop [listener_name]


2) Enable Oracle Database Vault as follows:
$ cd $ORACLE_HOME/rdbms/lib
$ make -f ins_rdbms.mk dv_on lbac_on ioracle
or
chopt enable lbac
chopt enable dv


3) Restart the database, Database Control console process, and listener
SQL> STARTUP
SQL> EXIT
$ emctl start dbconsole
$ lsnrctl start [listener_name]


How to Disable the database vault in Oracle 11gR2

1) Stop the database, Database Control console process, and listener.
SQL> SHUTDOWN IMMEDIATE
SQL> EXIT
$ emctl stop dbconsole
$ lsnrctl stop


2) Disable Oracle Database Vault as follows:
$ cd $ORACLE_HOME/rdbms/lib
$ make -f ins_rdbms.mk dv_off ioracle
or
chopt disable dv
chopt disable lbac

3) Restart the database, Database Control console process, and listener
SQL> STARTUP
SQL> EXIT
$ emctl start dbconsole
$ lsnrctl start [listener_name]

How to check the status of Database Vault

We can check the status of database vault either from the database or from Oracle home binaries


1) select * from v$option where parameter like '%Oracle Database Vault%';

PARAMETER                VALUE
------------------------- ----------
Oracle Database Vault     TRUE

TRUE means DV is enabled



2) $ cd $ORACLE_HOME/rdbms/lib
   $ ar -t libknlopt.a | grep dv

kzvndv.o shows that DV option is DISABLED
kzvidv.o shows that DV option is ENABLED



3) $ ar -t libknlopt.a | grep -c kzvidv.o

For IBM AIX
$ ar -X64 -t libknlopt.a | grep -c kzvidv.o

If the output is 0, the DV option is disabled.
If the output is 1, the DV option is enabled.

APP-FND-02704: Unable to alter user APPS to change password

Error while changing the APPS password using FNDCPASS after integrating Database vault with E-Business suite

FNDCPASS apps/apps 0 Y system/manager SYSTEM APPLSYS welcome123

[appltest@TEST ~]$ cat L3312766.log
+---------------------------------------------------------------------------+
Application Object Library: Version : 12.0.0
Copyright (c) 1979, 1999, Oracle Corporation. All rights reserved.
 module:
+---------------------------------------------------------------------------+
Current system time is 01-MAR-2014 09:58:07
+---------------------------------------------------------------------------+
Working...
APP-FND-02704: Unable to alter user APPS to change password.
+---------------------------------------------------------------------------+
Concurrent request completed
Current system time is 01-MAR-2014 09:58:35
+---------------------------------------------------------------------------+

Solution:
Use DBVACCTMGR instead of system

FNDCPASS apps/apps 0 Y DBVACCTMGR/DBV123 SYSTEM APPLSYS welcome123