Requirements for Upgrading Databases That Use Oracle Label Security and Oracle Database Vault

You must complete these tasks before starting an upgrade with a database using Oracle Label Security or Oracle Database Vault.

Audit Table Preupgrade and Archive Requirements

For Oracle Database releases earlier than 12.1 using Oracle Label Security and Oracle Database Vault, you must run the OLS preprocess script before you upgrade.

If you are upgrading from a database earlier than Oracle Database release 12.1 that uses Oracle Label Security (OLS) and Oracle Database Vault, then you must first run the OLS preprocess script, olspreupgrade.sql, to process the aud$ table contents. The OLS upgrade moves the aud$ table from the SYSTEM schema to the SYS schema. The olspreupgrade.sql script is a preprocessing script required for this move.

Caution:

Running the olspreupgrade.sql script before upgrading is mandatory for upgrading databases earlier than Oracle Database release 12.1 that use Oracle Label Security and Oracle Database Vault. Once you have upgraded to Oracle Database release 12.1, you do not have to perform the OLS preprocessing procedure going forward to patch or upgrade the database.

The olspreupgrade.sql script creates a temporary table PREUPG_AUD$ in the SYS schema and moves the SYSTEM.aud$ records to SYS.PREUPG_AUD$. As a safety measure, Oracle recommends that you archive your audit trail before running the olspreupgrade.sql script. If Oracle Label Security is installed on your database, and you are upgrading from an earlier release, then you must run the OLS preprocess script before upgrading.

See Also:

Oracle Database Security Guide for information about archiving audit trails

Oracle Label Security Administrator's Guide for information about the OLS preprocess script

DBUA, AutoUpgrade, and Oracle Database Vault

If you use Database Upgrade Assistant (DBUA) to upgrade Oracle Database 12c Release 2 (12.2), Oracle Database 18c, or Oracle Database 19c, and your system uses Oracle Database Vault, then you must use this upgrade process.

If you use DBUA to perform the upgrade, then DBUA uses the AutoUpgrade utility to complete the upgrade. However, in that case, AutoUpgrade does not automatically disable Oracle Data Vault for upgrades from Oracle Database 12c Release 2 (12.2), Oracle Database 18c (18.3), or Oracle Database 19c (19.3) to the new Oracle Database release. Before you upgrade a source Oracle Database from one of these releases, you must first disable Oracle Data Vault.

Example 2-7 Overview of Upgrade Procedure for Databases Using Oracle Data Vault

You complete an upgrade from a source database where Oracle Database Vault is enabled with the following steps:

  1. Disable Oracle Data Vault.
  2. Install the new Oracle Database release.
  3. Download the latest AutoUpgrade JAR file from My Oracle Support note 2485457.1, and replace the AutoUpgrade JAR file in the new Oracle Database release, in the path Oracle_home/rdbms/admin
  4. Run the AutoUpgrade utility (or Database Upgrade Assistant), and complete the upgrade.
  5. Enable Oracle Database Vault in the upgraded Oracle Database.

Oracle Database Vault and Upgrades of Oracle Database Release 11.2

If Oracle Label Security is installed in the earlier release that you are upgrading, then grant the DV_PATCH_ADMIN role to SYS.

If Oracle Database Vault is not installed with your release 11.2 database, then you can skip steps 2, 3, 6, and 7 in this section.

To run the OLS preprocess script on a release 11.2 database before upgrading:

  1. Copy the following scripts script from the newly installed Oracle home to the Oracle home of the database that y0u want to upgrade:

    • ORACLE_HOME/rdbms/admin/olspreupgrade.sql

    • ORACLE_HOME/rdbms/admin/emremove.sql

    • ORACLE_HOME/rdbms/admin/catnoamd.sql

  2. Start SQL*Plus and connect as DVOWNER to the database that you want to upgrade.

  3. Run the following statement:

    SQL> GRANT DV_PATCH_ADMIN to SYS;
    
  4. At the system prompt, connect SYS as SYSDBA:

    CONNECT SYS AS SYSDBA
    
  5. Run the preprocess scripts for Data Vault

    ORACLE_HOME/rdbms/admin/olspreupgrade.sql
    ORACLE_HOME/rdbms/admin/emremove.sql
    ORACLE_HOME/rdbms/admin/catnoamd.sql
    

    You may continue to run your applications on the database while the preprocess scripts are running.

  6. After the olspreupgrade.sql completes its run successfully, start SQL*Plus and connect to the database as DVOWNER.

  7. Run the following SQL statement:

    SQL> REVOKE DV_PATCH_ADMIN from SYS;

Granting the DV_PATCH_ADMIN Role to SYS for Oracle Database Vault

If Oracle Database Vault is enabled, then to perform checks for Oracle Data Vault, the upgrade process requires running three SQL scripts.

The SYS user requires the DV_PATCH_ADMIN role for the following scripts:

OLS_SYS_MOVE runs olspreupgrade.sql:

CHECK.OLS_SYS_MOVE.MIN_VERSION_INCLUSIVE=10.2 
CHECK.OLS_SYS_MOVE.MAX_VERSION_EXCLUSIVE=12.1

EM_PRESENT runs emremove.sql:

CHECK.EM_PRESENT.MIN_VERSION_INCLUSIVE=NONE
CHECK.EM_PRESENT.MAX_VERSION_EXCLUSIVE=12.1.0.1

AMD_EXISTS CHECK runs catnoamd.sql:

CHECK.AMD_EXISTS.MIN_VERSION_INCLUSIVE=NONE 
CHECK.AMD_EXISTS.MAX_VERSION_EXCLUSIVE=NONE