Requirements for Upgrading Databases That Use Oracle Label Security and Oracle Database Vault
You must complete these tasks before starting an upgrade with a database using Oracle Label Security or Oracle Database Vault.
- Audit Table Preupgrade and Archive Requirements
For Oracle Database releases earlier than 12.1 using Oracle Label Security and Oracle Database Vault, you must run the OLS preprocess script before you upgrade. - DBUA, AutoUpgrade, and Oracle Database Vault
If you use Database Upgrade Assistant (DBUA) to upgrade Oracle Database 12c Release 2 (12.2), Oracle Database 18c, or Oracle Database 19c, and your system uses Oracle Database Vault, then you must use this upgrade process. - Oracle Database Vault and Upgrades of Oracle Database Release 11.2
If Oracle Label Security is installed in the earlier release that you are upgrading, then grant the DV_PATCH_ADMIN role to SYS. - Granting the DV_PATCH_ADMIN Role to SYS for Oracle Database Vault
If Oracle Database Vault is enabled, then to perform checks for Oracle Data Vault, the upgrade process requires running three SQL scripts.
Parent topic: Preparing to Upgrade Oracle Database
Audit Table Preupgrade and Archive Requirements
For Oracle Database releases earlier than 12.1 using Oracle Label Security and Oracle Database Vault, you must run the OLS preprocess script before you upgrade.
If you are upgrading from a database earlier than Oracle Database release 12.1 that uses Oracle Label Security (OLS) and Oracle Database Vault, then you must first run the OLS preprocess script, olspreupgrade.sql
, to process the aud$
table contents. The OLS upgrade moves the aud$
table from the SYSTEM
schema to the SYS
schema. The olspreupgrade.sql
script is a preprocessing script required for this move.
Caution:
Running the olspreupgrade.sql
script before upgrading is mandatory for upgrading databases earlier than Oracle Database release 12.1 that use Oracle Label Security and Oracle Database Vault. Once you have upgraded to Oracle Database release 12.1, you do not have to perform the OLS preprocessing procedure going forward to patch or upgrade the database.
The olspreupgrade.sql
script creates a temporary table PREUPG_AUD$
in the SYS
schema and moves the SYSTEM.aud$
records to SYS.PREUPG_AUD$
. As a safety measure, Oracle recommends that you archive your audit trail before running the olspreupgrade.sql
script. If Oracle Label Security is installed on your database, and you are upgrading from an earlier release, then you must run the OLS preprocess script before upgrading.
See Also:
Oracle Database Security Guide for information about archiving audit trails
Oracle Label Security Administrator's Guide for information about the OLS preprocess script
DBUA, AutoUpgrade, and Oracle Database Vault
If you use Database Upgrade Assistant (DBUA) to upgrade Oracle Database 12c Release 2 (12.2), Oracle Database 18c, or Oracle Database 19c, and your system uses Oracle Database Vault, then you must use this upgrade process.
If you use DBUA to perform the upgrade, then DBUA uses the AutoUpgrade utility to complete the upgrade. However, in that case, AutoUpgrade does not automatically disable Oracle Data Vault for upgrades from Oracle Database 12c Release 2 (12.2), Oracle Database 18c (18.3), or Oracle Database 19c (19.3) to the new Oracle Database release. Before you upgrade a source Oracle Database from one of these releases, you must first disable Oracle Data Vault.
Example 2-7 Overview of Upgrade Procedure for Databases Using Oracle Data Vault
You complete an upgrade from a source database where Oracle Database Vault is enabled with the following steps:
- Disable Oracle Data Vault.
- Install the new Oracle Database release.
- Download the latest AutoUpgrade JAR file from My Oracle Support note
2485457.1, and replace the AutoUpgrade JAR file in the new Oracle Database
release, in the path
Oracle_home/rdbms/admin
- Run the AutoUpgrade utility (or Database Upgrade Assistant), and complete the upgrade.
- Enable Oracle Database Vault in the upgraded Oracle Database.
Oracle Database Vault and Upgrades of Oracle Database Release 11.2
If Oracle Label Security is installed in the earlier release that you are upgrading, then grant the DV_PATCH_ADMIN role to SYS.
If Oracle Database Vault is not installed with your release 11.2 database, then you can skip steps 2, 3, 6, and 7 in this section.
To run the OLS preprocess script on a release 11.2 database before upgrading:
-
Copy the following scripts script from the newly installed Oracle home to the Oracle home of the database that y0u want to upgrade:
-
ORACLE_HOME/rdbms/admin/olspreupgrade.sql
-
ORACLE_HOME/rdbms/admin/emremove.sql
-
ORACLE_HOME/rdbms/admin/catnoamd.sql
-
-
Start SQL*Plus and connect as
DVOWNER
to the database that you want to upgrade. -
Run the following statement:
SQL> GRANT DV_PATCH_ADMIN to SYS;
-
At the system prompt, connect SYS as SYSDBA:
CONNECT SYS AS SYSDBA
-
Run the preprocess scripts for Data Vault
ORACLE_HOME/rdbms/admin/olspreupgrade.sql ORACLE_HOME/rdbms/admin/emremove.sql ORACLE_HOME/rdbms/admin/catnoamd.sql
You may continue to run your applications on the database while the preprocess scripts are running.
-
After the
olspreupgrade.sql
completes its run successfully, start SQL*Plus and connect to the database asDVOWNER
. -
Run the following SQL statement:
SQL> REVOKE DV_PATCH_ADMIN from SYS;
Granting the DV_PATCH_ADMIN Role to SYS for Oracle Database Vault
If Oracle Database Vault is enabled, then to perform checks for Oracle Data Vault, the upgrade process requires running three SQL scripts.
The SYS user requires the DV_PATCH_ADMIN role for the following scripts:
OLS_SYS_MOVE runs olspreupgrade.sql
:
CHECK.OLS_SYS_MOVE.MIN_VERSION_INCLUSIVE=10.2
CHECK.OLS_SYS_MOVE.MAX_VERSION_EXCLUSIVE=12.1
EM_PRESENT runs emremove.sql
:
CHECK.EM_PRESENT.MIN_VERSION_INCLUSIVE=NONE
CHECK.EM_PRESENT.MAX_VERSION_EXCLUSIVE=12.1.0.1
AMD_EXISTS CHECK runs catnoamd.sql
:
CHECK.AMD_EXISTS.MIN_VERSION_INCLUSIVE=NONE
CHECK.AMD_EXISTS.MAX_VERSION_EXCLUSIVE=NONE