RSA Identity and Access

Management Platform

Database Setup and Management

Guide
V6.8.1
 Notice
Contact Information

Go to the RSA corporate website for regional Customer Support telephone and fax numbers:
www.emc.com/domains/rsa/index.htm. For sales information, contact RSA Aveksa, Inc. at [email protected]
For technical support, contact RSA Aveksa, Inc. at [email protected]. For more information about RSA Aveksa, Inc.,
visit http://www.aveksa.com.

Trademarks

RSA, the RSA Logo, Aveksa, and EMC are either registered trademarks or trademarks of EMC Corporation in the United
States and/or other countries. All other trademarks used herein are the property of their respective owners. For a list of
EMC trademarks, go to www.emc.com/legal/emc-corporation-trademarks.htm#rsa.

License Agreement

This software and the associated documentation are proprietary and confidential to EMC, are furnished under license, and
may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice
below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available
to any other person.

No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred.
Any unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal
liability.

This software is subject to change without notice and should not be construed as a commitment by EMC.

Third-Party Licenses

This product may include software developed by parties other than RSA. The text of the license agreements applicable to
third-party software in this product may be viewed by launching the RSA Aveksa product and selecting the About menu.

Note on Encryption Technologies

This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption
technologies, and current use, import, and export regulations should be followed when using, importing or exporting this
product.

Distribution

Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.
EMC believes the information in this publication is accurate as of its publication date. The information is subject to change
without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION MAKES NO
REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS
PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR
A PARTICULAR PURPOSE.

Copyright © 2013 EMC Corporation. All Rights Reserved. Published in the USA.

December 2013
 Contents
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Purpose . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
What Is in This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Text Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Related Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Chapter 1: Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Database Parameter Values Worksheet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Requirements for Database Deployment (Non-RAC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Requirements for Database Deployment (RAC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Hardware Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Information Required for Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Getting Sample Database Configuration Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Chapter 2: Set Up the Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Deployment Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Prepare the Oracle Database Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Create the Aveksa Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Create Tablespaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Create the Aveksa Export/Import Database Directory . . . . . . . . . . . . . . . . . . . . . . . . 21
Map the Export/Import Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Create a Database User Password Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Create User Schemas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Configure the User Schema Privilege Grants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Create a Report Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Complete the Required Database Instance Configuration . . . . . . . . . . . . . . . . . . . . . . . . 25
Installing Oracle Statspack to Enhance Database Diagnostics Capabilities . . . . . . . . . . . . . 26
Verify Correct Database Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Updating the Database for RSA IAM Platform 6.8 Upgrades . . . . . . . . . . . . . . . . . . . . . . 27

Chapter 3: Maintaining the Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Export the AVUSER Schema/Data for a Database Backup . . . . . . . . . . . . . . . . . . . . . . . . 30
Importing AVUSER Schema/Data for a Database Restoration/Load . . . . . . . . . . . . . . . . . 30
Validate Compatibility of the Database Import . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Removing User Schemas from the Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

3
Contents

4 Database Setup and Management Guide

 Preface

Purpose
This guide provides instructions on how to set up a remote Oracle database for RSA Identity and
Access Management Platform (RSA IAM Platform).

What Is in This Guide

This guide is organized as follows:

• Chapter 1, “Introduction,” on page 7 describes hardware and software requirements for the
database.
• Chapter 2, “Set Up the Database,” on page 13 describes database installation components and
requirements and how to set up the database (RAC included) used by RSA IAM Platform.

• Chapter 3, “Maintaining the Database,” on page 29 describes common database maintenance

tasks.

Text Conventions
The following text conventions are used in this document:

Element Convention Used Example

Variables Courier and Italic in angle Enter the following:

(The user supplies a value for the brackets (<>) DISPLAY=<workstation name>:0.0 export
variable.) display

On-screen text Courier The following line displays:

path=”/audit”

User-typed text Courier Enter the following path name:

C:\ABC\lib\db

Commands, tabs, menu options, Bold Servers menu

buttons, and other UI elements
requiring emphasis

5
Preface

Element Convention Used Example

Cross-references Underlined and hypertext-blue See “Related Documents” on page 6.

References to documents (title Italic Installation Guide

and number)

Related Documents
• Installation and Upgrade Guide

• Installation and Upgrade on WebLogic Guide

• Installation and Upgrade on WebSphere Guide

• Novell Identity Manager Integration Guide

• Sun Identity Manager Integration Guide

• IBM Tivoli Identity Manager Integration Guide

• Administrators Guide

• User Tasks Guide

• Collectors Guide

• Access Request Manager

• Data Access Governance Guide

• Business Role Manager Guide

• Access Fulfillment Express Guide

• Access Fulfillment Express Connector Configuration Guide

• Public Database Schema Reference

• On-Boarding Cloud Applications Guide

6 Database Setup and Management Guide

Chapter 1: Introduction

Content

• “Overview” on page 8

• “Requirements for Database Deployment (Non-RAC)” on page 9

• “Requirements for Database Deployment (RAC)” on page 9

• “Getting Sample Database Configuration Scripts” on page 11

7
Chapter 1: Introduction

Overview
This chapter describes how to set up a database instance (RAC cluster option included) used by
RSA IAM Platform (application server) in a two-tier installation scenario where you provide and
maintain an Oracle database (also referred to as the “remote database” throughout the remainder
of this guide) in your hardware infrastructure. It provides sample script download instructions and
the steps required to configure or upgrade the remote database. The database must be configured
before you install RSA IAM Platform software.

RSA IAM Platform is designed to use most (but not all) default Oracle database instance
configuration settings and installation options. This guide does not attempt to document every
Oracle configuration setting or installation option for Oracle but instead covers only those settings
or installation requirements over and above a default Oracle installation. Any modifications to the
Oracle installation or configuration beyond the Oracle defaults and what is noted in this guide may
cause functional or performance issues with RSA IAM Platform. Please contact Aveksa Support if
you want to change any installation option or configuration beyond what is documented in this
guide to ensure a supportable configuration. Review “Prepare the Oracle Database Instance” on
page 15 for specific details on RSA IAM Platform requirements.

Important: The SQL commands and configurations documented in this chapter should be
executed using a database account with sysdba privileges in the database.

This guide describes the database objects, tables ,and directories that must be created. These
include three database user schemas that RSA IAM Platform uses:

• RSA IAM Platform user. The default name is AVUSER.

• RSA IAM Platform reporting engine user. The default name is AVDWUSER.

• RSA IAM Platform public database schema user. The default name is ACMDB.

• RSA IAM Platform Aveksa Statistics Report user. The data source is AVPERF. (This is required
only if Oracle Statspack is installed on the database and you want to include Statspack data in
Aveksa Statistics Reports.) Failure to configure and use Statspack will limit reporting
information for database diagnostics. The default oracle user name is PERFSTAT. See
“Installing Oracle Statspack to Enhance Database Diagnostics Capabilities” on page 26 for
more information.

This guide references the user schemas by their default names. You can use non-default user
schema names; however, that will require additional configuration when installing RSA IAM
Platform.

Database Parameter Values Worksheet

Print the worksheet below, record parameter values (case-sensitive), and provide the worksheet to
the person who installs RSA IAM Platform. The installer require these values for the installation.

RSA IAM Platform schema user (AVUSER):

RSA IAM Platform reporting engine schema user (AVDWUSER):

RSA IAM Platform public database schema user (ACMDB):

AVUSER password:

8 Database Setup and Management Guide

 Chapter 1: Introduction

AVDWUSER password:

ACMDB password:

AVPERF username/password:

Oracle Database SID:

(RAC) TNSName that references the SCAN name:

Oracle service name:

Oracle listener Hostname:

Oracle Listener Port:

Requirements for Database Deployment (Non-RAC)

Important: Synchronize the database system clock to the system clock on the application server
where RSA IAM Platform is installed.

• Hardware requirements for the database server:

- Memory: Minimum 16GB, 32GB recommended for production servers, minimum 4GB, 8GB
recommended for development servers

- Disk: Minimum 300GB, 1TB+ recommended based on data load requirements (RAID 5 SAS
drive configuration or better highly recommended for performance)

- Processors: Dual Quad Core XEON processors (E5420 or higher)

- Network: Dual-load balanced gigabit NICs recommended

• An Oracle database (64-bit 11gR2 version 11.2.0.2 or 11.2.0.3 for RAC or non-RAC
implementation) running on a database machine that meets hardware requirements at the
deployment site

Note: Oracle 11.2.0.3 is the certified and recommended version.

• A database account with sysdba privileges to be able to perform the database system
configuration and validation tasks described in this chapter

• A UNIX root user to create appropriate physical directories and users on the server

Requirements for Database Deployment (RAC)

Important: Synchronize the database system clock to the system clock on the application server
where RSA IAM Platform is installed.

Hardware Requirements
• Cluster instances: At least two database cluster instances required for load balancing and high
availability

• Memory: Minimum 16GB, 32GB recommended for production servers, minimum 4GB, with 8GB
recommended for development servers

Database Setup and Management Guide 9

Chapter 1: Introduction

• Processors: Dual Quad Core XEON processors (X3430, 2.4 GHz or higher

• Disk: Minimum 100GB local to each node to house Oracle Home and local files. SAS drive
configuration or better highly recommended for performance.

• Storage Area Network (SAN):

- Disks: Minimum of 8 SATA/SAS drives, for a total of 2TB+ of disk space

- Volume Configuration: Recommended RAID 5 for development and production servers

(with RAID5 and RAID 0+1 recommended for production servers with higher performance
demands)

- LUN configuration: At least three LUNs should be configured and assigned iSCSI initiator
names:

• CRS1: CRS/Cluster Voting Disk, 10GB recommended

• FS1: Shared file storage space, 200GB recommended

• VOL1: Main tablespace volume, the remainder of the 2TB.

RSA recommends that an ACFS (ASM Clustered File System) share is created on the “FS1”
LUN using “asmca” (Oracle ASM Configuration Assistant) from the “ASM Cluster File
Systems” tab with the following options:

• General Purpose File System

• Register MountPoint (Our examples use /mnt/acfs-fs1.)

Note: When Oracle CRS starts up, this volume is automatically mounted. No modifications
to the /etc/fstab file are required.

• Public Network: Dual-load balanced gigabit NICs recommended

• Private Network:

- Network speed: Minimum 1Gb NIC, with 10Gb recommended for production servers

- Frame size: Jumbo frames set on the switch

Information Required for Installation

Information the database system administrator requires for installation:

• Oracle service name

• Oracle (SCAN) listener Hostname (This is a virtual host address that is served by the cluster as
a whole. It should be located in the DNS.)

• Oracle (SCAN) Listener Port (This is a virtual port.)

• Public virtual hostnames and IP addresses for all nodes in cluster

• Oracle Database SID template (For example, "avdb_" will result in instances with names
avdb_1, avdb_2, etc.)

• Private hostnames and IP addresses for all nodes on the private interconnect

• Public hostname of Storage Area Network (SAN)

10 Database Setup and Management Guide

 Chapter 1: Introduction

• Private hostname of Storage Area Network (SAN) on the private interconnect

• The name of the iSCSI Discovery initiator on the SAN

• The names of the iSCSI initiators for the other LUNs on the SAN

Getting Sample Database Configuration Scripts

You can download the database sample configuration scripts located in the DatabaseSamples
directory in the aveksa-supplement-*.zip file from the packages directory for this RSA IAM
Platform release on the Aveksa FTP site. The file includes scripts that include SQL used to set up
the database (table spaces, user schemas, and directories on the database server). The files may
be generic or contain SQL for a specific version of Oracle.

Scripts:

• aveksa_sample_tablespace_ASM_scripts.sql — Includes sample "create tablespace"

instructions for use with ASM.

• aveksa_sample_tablespace_file_scripts.sql — Includes sample "create tablespace" instructions

for use with a file system.

• aveksa_sample_ora11_db_scripts.sql — Includes the various commands to create the Aveksa

users with the required grants and settings on Oracle 11g.

• aveksa_ora11_asr_report_grants — Includes optional SQL to enable privileges for ASR reports

to acquire ipaddress for the database on Oracle 11gR2.

• aveksa_sample_sys_scripts.sql — Includes the required command samples to complete the

database configuration.

• aveksa_db_check.sql — Includes the required SQL to verify minimum file size requirements.

• aveksa_db_password_lifetime.sql — Includes a script to determine information about database

user password expiration dates.

Note: If you are using an Oracle RAC implementation, ensure that the directories referenced in the
scripts point to clustered file systems.

Database Setup and Management Guide 11

Chapter 1: Introduction

12 Database Setup and Management Guide

Chapter 2: Set Up the Database

Content

• “Overview” on page 14

• “Deployment Summary” on page 14

• “Prepare the Oracle Database Instance” on page 15

• “Create the Aveksa Objects” on page 17

• “Complete the Required Database Instance Configuration” on page 25

• “Installing Oracle Statspack to Enhance Database Diagnostics Capabilities” on page 26

• “Verify Correct Database Configuration” on page 26

• “Updating the Database for RSA IAM Platform 6.8 Upgrades” on page 27

13
Chapter 2: Set Up the Database

Overview
RSA IAM Platform requires an Oracle database instance pre-configured with the requirements
outlined in this chapter. One requirement is that database users are created with necessary Oracle
grant privileges. RSA IAM Platform creates all of its required database objects such as tables,
views, and packages when it is initially started and fully populates the database schema. Those
objects may also be modified by upgrades of RSA IAM Platform software through the RSA IAM
Platform migration process.

Deployment Summary
The deployment process includes the following steps:

1. Preparing the Oracle database instance:

a. Using a designated instance name.

b.Using a designated character set.

c. Ensuring a minimum memory configuration for both the SGA (system global area) and PGA
(program global area). You can use ASMM to set either SGA/PGA or use AMM to set
memory_target and memory_max_target. The settings are mutually exclusive.

d.Configuring the database instance with all required packages.

e. Applying select optimizer settings as startup options.

See “Prepare the Oracle Database Instance” on page 15.

2. Creating the Aveksa objects:

a. Creating a set of table spaces with the specified naming conventions.

b.Creating a set of database directories.

c. Mapping the database directories to specified physical directories.

d.Creating a database password profile.

e. Configuring the user schemas with all required settings.

f. Creating a context for RSA IAM Platform report filtering values.

See “Create the Aveksa Objects” on page 17.

3. Completing the required database instance configurations.

• Disabling the nightly job that gathers schema statistics.

See “Complete the Required Database Instance Configuration” on page 25.

See “Verify Correct Database Configuration” on page 26.

4. Verify correct database configuration.

See “Verify Correct Database Configuration” on page 26.

5. Update the database.

See “Updating the Database for RSA IAM Platform 6.8 Upgrades” on page 27.

14 Database Setup and Management Guide

 Chapter 2: Set Up the Database

Prepare the Oracle Database Instance

Do the following on the database server:

1. Create or identify the instance name that is going to be used.

2. Ensure that the database instance uses the Unicode (AL32UTF8) character set.

You can validate the character set by simply running the following SQL:

select * from NLS_DATABASE_PARAMETERS where parameter='NLS_CHARACTERSET';

Output: NLS_CHARACTERSET AL32UTF8

RSA IAM Platform will fail to start of this character set is not set for the database instance.

This character set is not the default when configuring Oracle. NLS_LENGTH_SEMANTICS is
required to be BYTE, do not change this setting to CHAR.

Note: The following steps in this section assume that your database is initialized using an spfile
and not a pfile. To determine if your database is using a pfile or an spfile, you can run the following
commands via SQL*Plus. If the first command returns a value for "ifile", then the this value is the
name and location of the pfile for your system. If an "spfile" value is found, then this is the name
and location of the spfile for your system.

show parameter ifile

show parameter spfile

One of these commands returns a value.

Convert the a pfile into an spfile if your system is using a pfile. For example:

shutdown immediate;

startup pfile=<ORACLE_HOME>/dbs/init<ORACLE_SID>.ora

create spfile='<ORACLE_HOME>/dbs/spfile<ORACLE_SID>.ora' FROM

pfile='<ORACLE_HOME>/dbs/init<ORACLE_SID>.ora';

shutdown immediate;

startup;

3. Configure memory management settings for Oracle.

ASMM AMM

Sys Mem SGA PGA Mem Target Mem Target Max

=>32G 8589934592 8589934592 16384M 17408M

=>16G 4294967296 4294967296 8192M 8704M

=>8G 2097152000 2097152000 4096M 4352M

<8G 1325400064 466616320 1709M 1709M

Database Setup and Management Guide 15

Chapter 2: Set Up the Database

Setting ASMM Values:

a. Determine the memory allocation by running the following SQL:

show parameter sga_max_size;

show parameter sga_target;

show parameter pga_aggregate_target;

b.Enter recommended values in the init*.ora file as required using values from the table above:

alter system set pga_aggregate_target=<pga_value> scope=both;

alter system set sga_max_size=8589934592 scope=spfile;

shutdown immediate;

startup;

alter system set sga_target=<sga_value> scope=both;

Setting AMM Values:

ALTER SYSTEM SET MEMORY_MAX_TARGET = <mem_max_target> SCOPE = SPFILE;

shutdown immediate;

startup;

ALTER SYSTEM SET MEMORY_TARGET = <mem_target> scope = both;

ALTER SYSTEM SET SGA_TARGET = 0 scope = both;

ALTER SYSTEM SET PGA_AGGREGATE_TARGET = 0 scope=both;

The database server must have /dev/shm configured to support the amount of memory that
Oracle will allocate (memory_max_target). To check the settings, log on to the database server
and run the command:

df -h /dev/shm

The database server should use what is "Avail."

Filesystem Size Used Avail Use% Mounted on

tmpfs 18G 176M 18G 1% /dev/shm

4. Configure adequate space for all system tablespaces (see “Configure Undo, Temp, and Redo
Sizes” on page 18).

5. Make sure that the database instance is configured with the XML_DB package. You can verify
that XML DB has been installed by simply running the SQL below:

select comp_name from dba_registry where comp_name like '%XML%';

You should see results like the following:

COMP_NAME

Oracle XML Database

16 Database Setup and Management Guide

 Chapter 2: Set Up the Database

If this package does not exist, it can be installed with the database configuration assistant
(dbca) or manually by executing the instructions found in the Oracle documentation at the
following location:

http://download.oracle.com/docs/cd/B19306_01/appdev.102/b14259/appaman.htm#CACI
BCBA

6. Specify the following database optimizer settings:

• OPTIMIZER_INDEX_COST_ADJ — Lets you tune optimizer behavior for access path

selection to make the optimizer more or less prone to selecting an index access path over a
full table scan.

• OPTIMIZER_INDEX_CACHING — Lets you adjust the behavior of cost-based optimization to

favor nested loops joins and IN-list iterators.

Run the following commands to specify the optimizer settings:

alter system set optimizer_index_cost_adj=30 scope=both;

alter system set optimizer_index_caching=50 scope=both;

7. Validate that database requirements are reflected in your base Oracle startup by validating the
spfile used by your database instance. Use this command:

SELECT NAME, Value FROM gv$parameter order by name

8. Configure the database to accommodate a minimum of 600 sessions and 400 processes by
running the following commands:

alter system set sessions=600 scope=spfile;

alter system set processes=400 scope=spfile;

Note: If your database will be serving multiple application server nodes, multiply the session
and process numbers by the number of nodes.

9. Configure the log_buffer setting to 200 MB and the log_checkpoint_interval setting to 180 MB:

alter system set log_buffer=209715200

alter system set log_checkpoint_interval=188743680

The default settings for these support online transactional processing (OLTP) systems and not
Data Warehousing systems. The larger settings are required to support data collections (which
are more Data Warehouse style activities) by RSA IAM Platform.

10. Configure the creation of deferred segments for tables to false. This is required for the Oracle
11G R2 Enterprise version.

alter system set DEFERRED_SEGMENT_CREATION = FALSE

11. Restart the database server.

Create the Aveksa Objects

Create all required table spaces, user schemas, and directories on the database server. You can
download corresponding sample instructions from the Aveksa FTP server as described in “Getting
Sample Database Configuration Scripts” on page 11.

Database Setup and Management Guide 17

Chapter 2: Set Up the Database

Create Tablespaces
The standard RSA IAM Platform database setup has eight tablespaces, four for data and four for
indices. RSA IAM Platform uses the well known tablespace names when creating the various
database objects, like tables and views, within the database. The table below reflects the
recommended sizes for the tablespaces. See the aveksa_sample_tablespace_file_scripts.sql script
for an example of creating these tablespaces using the file system, or see the
aveksa_sample_tablespace_ASM_scripts.sql script for an example of creating these tablespaces
using ASM with the recommended sizes. These sample scripts must be edited for your
configuration before you use them.

These tablespaces must be must be configured with adequate storage settings as appropriate for
your installation. The table below provides the initial, extended, and fixed size recommendations
for the tablespaces.

If you do not wish to use auto extend in your database, use the fixed size as a recommended initial
size.

Tablespace Name Initial Size Extend Size Fixed Size

DATA_256K 25M 25M 500M

DATA_1M 200M 200M 10G

DATA_25M 25M 25M 500M

DATA_50M 200M 200M 10G

INDX_256K 100M 100M 10G

INDX_1M 100M 100M 10G

INDX_25M 400M 200M 10G

INDX_50M 100M 100M 10G

You can configure your database with different tablespace names or fewer tablespaces. However,
because RSA IAM Platform uses the eight known tablespaces names internally, additional
configuration is required when installing or upgrading RSA IAM Platform.

Important: The RSA IAM Platform configuration requires that you map your tablespaces to the
names known to RSA IAM Platform. See the installation guide for you installation scenario
(WebSphere, WebLogic) for more information.

Configure Undo, Temp, and Redo Sizes

RSA IAM Platform requires minimum sizes for Oracle’s undo, temp and redo logs to perform
effectively. Temp and undo each require a minimum size of 96GB. Redo requires a minimum size
of 2.4GB. The tables below provide examples of the database commands to increase sizes for the
database files for both Oracle ASM and file system implementations. The examples below assume
you know the filesystem paths for your Oracle installation and database instance. Ensure there is
adequate disk space for the changes.

18 Database Setup and Management Guide

 Chapter 2: Set Up the Database

• Temp Logs. The examples in the following table demonstrate how to increase the temp
filespace (default 32GB) to 96GB by adding two additional temp files of 32GB each.

ASM ALTER TABLESPACE "TEMP" ADD TEMPFILE '+DG01' SIZE 128M REUSE AUTOEXTEND ON
NEXT 256M MAXSIZE 32767M;
ALTER TABLESPACE "TEMP" ADD TEMPFILE '+DG01' SIZE 128M REUSE AUTOEXTEND ON
NEXT 256M MAXSIZE 32767M;

File System ALTER TABLESPACE "TEMP" ADD TEMPFILE

'{ORACLE_BASE}/oradata/{DB_UNIQUE_NAME}/temp02.dbf' SIZE 128M REUSE
AUTOEXTEND ON NEXT 256M MAXSIZE 32767M;
ALTER TABLESPACE "TEMP" ADD TEMPFILE
'{ORACLE_BASE}/oradata/{DB_UNIQUE_NAME}/temp03.dbf' SIZE 128M REUSE
AUTOEXTEND ON NEXT 256M MAXSIZE 32767M;

• Undo Logs. The examples in the following table demonstrate how to increase the undo
filespace (default 32GB) to 96GB by adding two additional temp files of 32GB each.

ASM ALTER TABLESPACE "UNDOTBS1" ADD DATAFILE '+DG01' SIZE 128M REUSE AUTOEXTEND
ON NEXT 256M MAXSIZE 32767M;
ALTER TABLESPACE "UNDOTBS1" ADD DATAFILE '+DG01' SIZE 128M REUSE AUTOEXTEND
ON NEXT 256M MAXSIZE 32767M;

File System ALTER TABLESPACE "UNDOTBS1" ADD DATAFILE

'{ORACLE_BASE}/oradata/{DB_UNIQUE_NAME}/undotbs02.dbf' SIZE 128M REUSE
AUTOEXTEND ON NEXT 256M MAXSIZE 32767M;
ALTER TABLESPACE "UNDOTBS1" ADD DATAFILE
'{ORACLE_BASE}/oradata/{DB_UNIQUE_NAME}/undotbs03.dbf' SIZE 128M REUSE
AUTOEXTEND ON NEXT 256M MAXSIZE 32767M;

Database Setup and Management Guide 19

Chapter 2: Set Up the Database

• Redo Logs. To obtain information about your systems redo files execute the following SQL:

select * from v$logfile;

RSA IAM Platform requires sufficient redo space to function properly. It requires six redo logs of
800 MB each at a minimum. By default Oracle database is configured with three redo logs of
50MB each. The examples in the following table demonstrate how to increase the size of each
redo logs to 800MB by dropping the original three redo logs and adding three of 800MB. After
extending the default three oracle redo logs, add an additional three logs of 800MB..

ASM // Extend the existing redo logs.

alter Database Clear Logfile '+DG01/avdb/onlinelog/group_1.263.763560403';
alter Database Drop Logfile Group 1;
alter Database Add Logfile Thread 1 Group 1 '+DG01/avdb/onlinelog/group_1'
Size 800m;
alter Database Clear Logfile '+DG01/avdb/onlinelog/group_2.262.763560421';
alter Database Drop Logfile Group 2;
alter Database Add Logfile Thread 1 Group 2 '+DG01/avdb/onlinelog/group_2'
Size 800m;
alter Database Clear Logfile '+DG01/avdb/onlinelog/group_3.261.763560439';
alter Database Drop Logfile Group 3;
alter Database Add Logfile Thread 1 Group 3 '+DG01/avdb/onlinelog/group_3'
Size 800m;
// Add three additional redo logs.
alter Database Add Logfile Thread 1 Group 4 '+DG01/avdb/onlinelog/group_4'
Size 800m;
alter Database Add Logfile Thread 1 Group 5 '+DG01/avdb/onlinelog/group_5'
Size 800m;
alter Database Add Logfile Thread 1 Group 6 '+DG01/avdb/onlinelog/group_6'
Size 800m;

20 Database Setup and Management Guide

 Chapter 2: Set Up the Database

File System // Extend the existing redo logs.

alter Database Clear Logfile
'{ORACLE_BASE}/oradata/{DB_UNIQUE_NAME}/GROUP_1';
alter Database Drop Logfile Group 1;
alter Database Add Logfile Thread 1 Group 1
'{ORACLE_BASE}/oradata/{DB_UNIQUE_NAME}/group_1' Size 800m;
alter Database Clear Logfile
{ORACLE_BASE}/oradata/{DB_UNIQUE_NAME}/GROUP_2';
alter Database Drop Logfile Group 2;
alter Database Add Logfile Thread 1 Group 2
'{ORACLE_BASE}/oradata/{DB_UNIQUE_NAME}/group_2' Size 800m;
alter Database Clear Logfile
'{ORACLE_BASE}/oradata/{DB_UNIQUE_NAME}/REDO03.LOG';
alter Database Drop Logfile Group 3;
alter Database Add Logfile Thread 1 Group 3
'{ORACLE_BASE}/oradata/{DB_UNIQUE_NAME}/group_3' Size 800m
// Add three additional redo logs.
alter Database Add Logfile Thread 1 Group 4
'{ORACLE_BASE}/oradata/{DB_UNIQUE_NAME}/group_4' Size 800m
alter Database Add Logfile Thread 1 Group 5
'{ORACLE_BASE}/oradata/{DB_UNIQUE_NAME}/group_5' Size 800m
alter Database Add Logfile Thread 1 Group 6
'{ORACLE_BASE}/oradata/{DB_UNIQUE_NAME}/group_6' Size 800m

Create the Aveksa Export/Import Database Directory

The Aveksa Export/Import directory is used for the storage and retrieval of database backups (if
Aveksa-provided backup and restore scripts are used). This directory is optional if you are using
your own service tools or scripts to backup and restore the database. Otherwise, this directory is
mandatory.

You must create the directory on the database server before you begin database instance
configuration. See “Map the Export/Import Directory” on page 22 or more information. Create the
directory for the following database variable:

AVEKSA_EXPORTIMPORT_DIRECTORY (for example: /home/aveksa/AveksaExportImportDir)

Directory Permissions
The database user must be provided Read-Write permissions to the Aveksa Export/Import
directory. It is accessed by the user running the associated backup/restore scripts.

Directory Size Allotment

For the Aveksa Export/Import directory, make sure the disk where the directory is located can
accommodate at least the estimated size of your exported database backup.

Database Setup and Management Guide 21

Chapter 2: Set Up the Database

RAC Database Implementation Only

In an Oracle RAC installation, the Aveksa Export/Import directory must point to clustered file
system locations. The following instructions use an example environment variable,
CLUSTERED_FILE_SHARE, which can be freely substituted for whatever common location is
defined for your installation.

1. Make sure the mount point is owned by oracle (and not root). For example:

chown -R oracle:oinstall /mnt/acfs-fs1/*

2. Set the environment variable on all nodes to the mount point. For example:

export CLUSTERED_FILE_SHARE=/mnt/acfs-fs1

cd ${CLUSTERED_FILE_SHARE}

3. Create the directory on the file share. This is only required from one node. For example:

mkdir AveksaExportImportDir

4. Create symbolic links to the mount point. This creates the expected directory location within
the /home/aveksa root. For example:

ln -s ${CLUSTERED_FILE_SHARE}/AveksaExportImportDir
/home/oracle/AveksaExportImportDir

Map the Export/Import Directory

See the aveksa_sample_ora11_db_scripts.sql for installations using Oracle 11gR2 (11.2.0.2 or
11.2.0.3, 64-bit) for examples on how to map the directory:

Map the directory variable to the physical directories previously created as described in “Create the
Aveksa Export/Import Database Directory” on page 21:

create or replace directory AVEKSA_EXPORTIMPORT_DIRECTORY as

‘/home/oracle/AveksaExportImportDir’;

Create a Database User Password Profile

This section describes how to create a database profile for the RSA IAM Platform users that
connect to the database.

Oracle 11g has a default password expiration of 180 days. If an RSA IAM Platform database user
password were to expire, RSA IAM Platform would fail to connect to the database.

Important: If you choose to have a password policy that expires for the RSA IAM Platform users,
you will have to reconfigure database password settings when passwords expire. The sample file
aveksa_db_password_lifetime.sql shows how to obtain the password lifetime information for the
RSA IAM Platform database users.

See the aveksa_sample_ora11_db_scripts.sql for installations using Oracle 11gR2 (11.2.0.2 or

11.2.0.3, 64-bit) script for examples on how to configure a database user password profile:
Enter the following command to create the profile:

Create Profile ACMPROFILE LIMIT PASSWORD_LIFE_TIME UNLIMITED;

22 Database Setup and Management Guide

 Chapter 2: Set Up the Database

Create User Schemas

See the aveksa_sample_ora11_db_scripts.sql script for installations using Oracle 11gR2 (11.2.0.2
or 11.2.0.3, 64-bit) for examples on how to configure user schemas:

Create the following user schemas:

AVUSER (the RSA IAM Platform user)

AVDWUSER (the RSA IAM Platform reporting engine)

ACMDB (the RSA IAM Platform public database schema)

If you not using the default user schema names (AVUSER and others), substitute your user
schema names in the scripts provided.

Note: Additional configuration is required when installing RSA IAM Platform with non-default
schema names. See the installation guide for you installation scenario (WebSphere and WebLogic
only) for more information.

Command examples:

Create USER AVUSER identified by <password> profile ACMPROFILE;

ALTER USER AVUSER DEFAULT TABLESPACE DATA_1M TEMPORARY TABLESPACE TEMP;

Create USER AVDWUSER identified by <password> profile ACMPROFILE;

ALTER USER AVDWUSER DEFAULT TABLESPACE DATA_1M TEMPORARY TABLESPACE TEMP;

Create USER ACMDB identified by <password> profile ACMPROFILE;

ALTER USER ACMDB DEFAULT TABLESPACE USERS TEMPORARY TABLESPACE TEMP ACCOUNT
UNLOCK;

Record the passwords in the worksheet provided in “Database Parameter Values Worksheet” on
page 8. The passwords are required for the RSA IAM Platform installation.

Configure the User Schema Privilege Grants

See the aveksa_sample_ora11_db_scripts.sql script for installations using Oracle 11gR2 (11.2.0.2
or 11.2.0.3, 64-bit) for examples on how to configure the AVUSER, AVDWUSER, and ACMDB user
schemas:

Privilege grants:

• AVUSER

grant unlimited tablespace to AVUSER;

grant create session to AVUSER; (Used for Application server access)

grant create table to AVUSER; (Database object used for RSA IAM Platform runtime and
migration)

grant create view to AVUSER; (Database object used for RSA IAM Platform runtime and
migration)

grant create trigger to AVUSER; (Database object used for RSA IAM Platform runtime and
migration)

Database Setup and Management Guide 23

Chapter 2: Set Up the Database

grant create sequence to AVUSER; (Database object used for RSA IAM Platform runtime
and migration)

grant create synonym to AVUSER; (Database object used for RSA IAM Platform runtime and
migration)

grant create procedure to AVUSER; (Database object used for RSA IAM Platform runtime
and migration)

grant create type to AVUSER; (Database object used for RSA IAM Platform runtime and
migration)

grant create job to AVUSER; (Database object used for RSA IAM Platform runtime and
migration)

grant read, write on directory AVEKSA_EXPORTIMPORT_DIRECTORY to AVUSER; (Optional.

Used for import/export of Oracle database dumps.)

grant execute on SYS.UTL_FILE to AVUSER; (Used in the data collection process. By default
an Oracle database gives the SYS.UTL_FILE package execute grant privileges to PUBLIC. If
your database does not have this set for PUBLIC you will need to explicitly give the grant to
AVUSER as indicated. )

grant select on dba_free_space to AVUSER; (Provides database information for Aveksa

Statistics Reports)

grant select on gv_$parameter to AVUSER; (Provides database information for Aveksa

Statistics Reports)

grant execute on SYS.UTL_INADDR to AVUSER; (Provides database information for Aveksa

Statistics Reports)

grant execute ON XDB.DBMS_XMLPARSER TO AVUSER; (Used to process XML data attributes

and documents)

grant execute ON SYS.DBMS_XMLGEN TO AVUSER; (Used to process XML data attributes and
documents)

grant execute ON SYS.DBMS_LOB TO AVUSER; (Used to process large sql statements)

grant execute ON SYS.DBMS_SQL TO AVUSER; (Used to process large sql statements)

grant execute ON SYS.DBMS_SCHEDULER TO AVUSER; (Data model manipulation for custom

attributes)

Note: Oracle 11 requires additional SQL to obtain the IP address. See

aveksa_ora11_asr_report_grants.sql for the necessary SQL.

• AVDWUSER

grant unlimited tablespace to AVDWUSER; (Optional)

grant create session to AVDWUSER;

grant create synonym to AVDWUSER;

grant create procedure to AVDWUSER;

24 Database Setup and Management Guide

 Chapter 2: Set Up the Database

• ACMDB

grant unlimited tablespace to ACMDB; (Optional)

grant create session to ACMDB;

grant create synonym to ACMDB;

grant create procedure to ACMDB;

Additional grant information:

• Aveksa leverages the SYS.UTL_FILE Oracle package. Permissions to this package must be
granted to AVUSER. The package is used as part of the RSA IAM Platform collection processes.
If permissions are revoked for this package items such as the collections will fail.

• Aveksa Statistics Reports requires grants on some packages to obtain useful diagnostic
information. These are dba_free_space, gv_$parameter, and SYS.UTL_INADDR.

• Grants to execute the packages SYS.UTL_FILE and SYS.DBMS_LOB by the Oracle schema XDB
should also be verified as they are a requirement of the XML Database functionality of Oracle.
On some systems the packages DBMS_XMLPARSER and DBMS_XSLPROCESSOR must be
recompiled following the new grants.

- grant execute on SYS.UTL_FILE to XDB;

- grant execute on SYS.DBMS_LOB to XDB;

- alter PACKAGE xdb.DBMS_XMLPARSER compile body;

- alter PACKAGE xdb.DBMS_XSLPROCESSOR compile body;

• A grant to execute the XDB.DBMS_XMLPARSER package is required by AVUSER for XML

processing and metadata operations.

- grant execute ON XDB.DBMS_XMLPARSER TO AVUSER;

Create a Report Context

The report context holds the filtering values for RSA IAM Platform reports.
To create a report context, run the following command:

create or replace context AV_REPORT_CONTEXT using AVUSER.Reporting_Pkg;

Complete the Required Database Instance Configuration

See aveksa_sample_sys_scripts.sql for a sample script on how to perform this step. This script
must be edited for your configuration before you use it.
Complete database instance configuration as sysdba:

Disable the daily job that gathers schema statistics. The RSA database executes its own database
statistics collections and can conflict with this out-of-box Oracle setting.

execute dbms_auto_task_admin.disable(client_name => 'auto optimizer stats

collection', operation => NULL, window_name => NULL);

Database Setup and Management Guide 25

Chapter 2: Set Up the Database

To verify, execute the following SQL:

SELECT client_name, status FROM dba_autotask_client where client_name = 'auto

optimizer stats collection';

Confirm that the job is disabled as show in the example output:

CLIENT_NAME STATUS

-------------------------------------------------- --------

auto optimizer stats collection DISABLED

Installing Oracle Statspack to Enhance Database Diagnostics

Capabilities
Oracle Statspack collects and compiles performance and execution statistics data that RSA IAM
Platform can include in reports generated by its Aveksa Statistics Report feature. See the
Administrators Guide for information on generating Aveksa Statistics Report output that includes
data provided by Statspack.

Installation of Statspack is optional but highly recommended; it provides diagnostics data that can
indicate the causes of database performance issues that may arise.

You install Statspack on the database using the spcreate.sql script provided by Oracle. This script
is executed as 'sys' on the database. The script prompts you for information and creates the
STATSPACK schema owner, privilege grants, and objects. See Oracle documentation for complete
information on Statspack installation and Statspack capabilities.

For example, to run the script in SQL*Plus:

Create a “perfstat” table space using the spcreate.sql script for Oracle10g and 11g.

SQL> connect / as sysdba

SQL> @?/rdbms/admin/spcreate

The default username is “perfstat.” See the Installation Guide for information on changing the
username and the Statspack user password in RSA IAM Platform.

RSA recommends that the perfstat user is also configured with the same ACMPROFILE as
configured for database users (as described in“Create a Database User Password Profile” on
page 22), to prevent issues regarding password expiration.

As sys dba, execute the sql:

alter user perfstat profile ACMPROFILE;

Verify Correct Database Configuration

Use the following commands to verify that the database used by RSA IAM Platform has been
configured correctly:

Verify that the Aveksa import/export described in “Deployment Summary” on page 14 is defined:

26 Database Setup and Management Guide

 Chapter 2: Set Up the Database

select * from all_directories where directory_name in

('AVEKSA_EXPORTIMPORT_DIRECTORY');

Verify that the tables spaces described in “Create Tablespaces” on page 18 exist:

SELECT * FROM USER_TABLESPACES WHERE TABLESPACE_NAME IN

('DATA_256K','DATA_1M','DATA_25M','DATA_50M','INDX_256K','INDX_1M','INDX_25M',
'INDX_50M');

Validate the XML package exists.

select username from all_users where username='XDB';

Validate the schemas described in “Create User Schemas” on page 23 exist:

select * from all_users where username in ('AVUSER', 'AVDWUSER', 'ACMDB');

Updating the Database for RSA IAM Platform 6.8 Upgrades

If you are upgrading from a pre-5.0 version of RSA IAM Platform, you must updated these
additional privileged grants (required for Aveksa Statistics Report generation) for AVUSER:

grant select on dba_free_space to AVUSER;

grant select on gv_$parameter to AVUSER;

grant execute on SYS.UTL_INADDR to AVUSER;

The aveksa_ora11_asr_report_grants.sql file contains the necessary SQL, which is shown below:

-- this SQL creates the additional privileges to use the UTL_INADDR to obtain host
information

DECLARE

acl_path VARCHAR2(4000) := NULL;

acl_host_name VARCHAR2(4000) := '*';

acl_user_name VARCHAR2(4000) := upper('avuser');

acl_name_if_needed VARCHAR2(4000) := acl_user_name || '_ACL_NAME.xml';

acl_description_if_needed VARCHAR2(4000) := 'Granting ACL access to ' ||

acl_user_name || ' in order to use UTL_INADDR for reporting purposes.';

BEGIN

BEGIN

--find ACL for this host

SELECT acl INTO acl_path FROM dba_network_acls

WHERE host = acl_host_name

AND lower_port IS NULL AND upper_port IS NULL;

EXCEPTION WHEN no_data_found THEN null;

Database Setup and Management Guide 27

Chapter 2: Set Up the Database

END;

--add Aveksa user privileges in order to access UTL_INADDR.GET_HOST_NAME and

UTL_INADDR.GET_HOST_ADDRESS

IF ( acl_path IS NULL ) THEN

DBMS_NETWORK_ACL_ADMIN.CREATE_ACL(acl_name_if_needed,
acl_description_if_needed, acl_user_name, TRUE, 'resolve');

--DBMS_NETWORK_ACL_ADMIN.CREATE_ACL(acl_name_if_needed,
acl_description_if_needed, acl_user_name, TRUE, 'connect');

DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL(acl_name_if_needed, acl_host_name);

ELSE

IF DBMS_NETWORK_ACL_ADMIN.CHECK_PRIVILEGE(acl_path, acl_user_name, 'connect')

IS NULL THEN

DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE(acl_path, acl_user_name, TRUE,

'connect');

END IF;

IF DBMS_NETWORK_ACL_ADMIN.CHECK_PRIVILEGE(acl_path, acl_user_name, 'resolve')

IS NULL THEN

DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE(acl_path, acl_user_name, TRUE,

'resolve');

END IF;

END IF;

END;

28 Database Setup and Management Guide

Chapter 3: Maintaining the Database

Content

• “Export the AVUSER Schema/Data for a Database Backup” on page 30

• “Importing AVUSER Schema/Data for a Database Restoration/Load” on page 30

• “Removing User Schemas from the Database” on page 32

29
Chapter 3: Maintaining the Database

Export the AVUSER Schema/Data for a Database Backup

You should create a backup of your database before proceeding with re-installing or upgrading RSA
IAM Platform software. It is often useful to back up your database regularly or before making
major changes to your system. You perform the backup procedure for the RSA IAM Platform
remote Oracle database on an database server machine using Oracle's expdp data pump utility. It
creates a .dmp file of the AVUSER schema.

The dump is essentially a snapshot of the database containing all of the application data and some
environment data about a particular system environment. In the case where you intend to import
a dump from one machine to another (which must be runnng the same RSA IAM Platform version
from which the dump was created), you may be required to perform additional configuration on
the target machine.

Shut down the RSA IAM Platform server before you export a database.

Important: The dumps are upwardly compatible between Oracle versions. They are not
backwards compatible when used to import to an older version of Oracle.

Note: Ensure that the AVEKSA_EXPORTIMPORT_DIRECTORY directory has been created as

described in Chapter 2, “Set Up the Database,” on page 13 and the database process has
Read-Write permissions to the directory.
To export the AVUSER schema:

Run the following command:

expdp avuser/<password>@<Oracle_SID> DumpFile=<FileName>.dmp

Directory=Aveksa_ExportImport_Directory Schemas=avuser LogFile=<FileName>.log

Where:

Expdp is the Oracle data pump utility.

avuser/<password> is the connection string.

DumpFile is the output file name; here set with a date stamp.

Directory is an internal Oracle directory object mapped to a physical UNIX directory. It would
typically be the AveksaExportImportDir directory created when the customer-provided
database was set up.

Schemas is the database, avuser for example.

Logfile is the name of the log file generated for the export.

Importing AVUSER Schema/Data for a Database Restoration/Load

You can import a AVUSER schema/data back up for restoring a database or loading it on a new
machine. This section describes how to perform a database import for a remote database. You
perform the import procedure for the RSA IAM Platform Oracle database on the database server
machine using Oracle's impdp data pump utility. It uses a .dmp file of the AVUSER schema created
from the export process. If you intend to import a dump from one machine to another, note that
some data or configurations may be specific to the environment from which the original dump was
taken.

30 Database Setup and Management Guide

 Chapter 3: Maintaining the Database

For example, the server nodes may need to be updated; this is particularly true when moving
clustered environments. Or directory-specific locations configured for collectors may need to be
changed. After you have imported the database and run commands to update the database as
described in this section, you must validate that the data is compatible with your database. See
“Validate Compatibility of the Database Import” on page 31 for instructions.

Important: The dumps are upwardly compatible between Oracle versions. They are not
backwards compatible when used to import to an older version of Oracle.

Note: Ensure that the AVEKSA_EXPORTIMPORT_DIRECTORY directory has been created as

described in Chapter 2, “Set Up the Database,” on page 13 and the database process has
Read-Write permissions to the directory.
To import the AVUSER schema/data:

1. Shut down RSA IAM Platform.

2. Remove the avuser user from the database:

drop user AVUSER cascade;

3. Create the avuser user:

Create USER AVUSER identified by <password> profile ACMPROFILE;

ALTER USER AVUSER DEFAULT TABLESPACE DATA_1M TEMPORARY TABLESPACE TEMP;

4. Specify avuser privilege grants as specified in “Configure the User Schema Privilege Grants” on
page 23.

5. Import the schema/data

impdp avuser/<password>@<Oracle_SID> DumpFile=<SomeFileName>.dmp

Directory=Aveksa_ExportImport_Directory Schemas=avuser
LogFile=<SomeFileName>.log

6. Run these required commands as avuser to update the database:

EXEC authorization_pkg.EXPLODE_USER_ACM_ENTITLEMENTS;

EXEC DBMS_STATS.GATHER_SCHEMA_STATS('AVUSER');

EXEC DATABASE_STATISTICS.AFTER_IMPORT;

If the database does require migration, you will be prompted to migrate the database when you
access RSA IAM Platform.

7. Restart RSA IAM Platform.

Validate Compatibility of the Database Import

After you import the database on your system, determine whether the database dump is
compatible for the remote database. Determine whether these system settings from the imported
dump are set as follows:

• isAppliance = No

• isRemoteDB = Yes

• isSoftAppliance = Yes

Database Setup and Management Guide 31

Chapter 3: Maintaining the Database

To determine these values, run the following SQL as avuser:

select * from T_SYSTEM_SETTINGS where PARAMETER like 'is%';

If the values above are not set to the correct values, run the following SQL to set them to the
correct values:

update T_SYSTEM_SETTINGS set VALUE='N' where PARAMETER='isAppliance';

update T_SYSTEM_SETTINGS set VALUE='yes' where PARAMETER='isRemoteDB';

update T_SYSTEM_SETTINGS set VALUE='yes' where PARAMETER='isSoftAppliance';

If the exported database file is from an appliance and it is imported into a remote database, ensure
that the system setting for “RemoteDB” on the target system that uses the remote database is
enabled. See the RSA IAM Platform Administrators Guide for information on managing system
settings. After saving the RemoteDB setting you must restart the RSA IAM Platform application
server.

Removing User Schemas from the Database

All RSA IAM Platform data is contained in three user schemas. You can remove these schemas
required if you want to create a new database instance.
Remove the following schemas as the database administrator:

drop user AVUSER cascade;

drop user AVDWUSER cascade;

drop user ACMDB cascade;

drop user PERFSTAT cascade;

Note: Drop that user name for your installation if it differs from the default “perfstat” user name
used when statspack package was set up on the database.

You can now proceed to create the database as described in Chapter 2, “Set Up the Database,” on
page 13.

32 Database Setup and Management Guide

 Index

A validate compatibility of imported dump 31

database instance, removing user schemas 32
acmdb user database, deployment
configure grants in database 23, 25 configure user schemas privilege grants 23
create in database 23 create Aveksa objects in the database 17
automatic memory managment 15 create import/export directory 21
automatic shared memory management 15 create password profile 22
avdwuser user create tablespaces 18
configure grants in database 23, 24 create user schemas 23
create in database 23 disable schema statistics collection 25
Aveksa objects, create in database 17 optimizer settings 17
AVUSER schema/data overview 8
export 30 parameter values worksheet 8
import 30 prepare database instance 15
validate compatibility of imported dump 31 requirements 9
avuser user resource plan 25
configure grants in database 23 sample scripts 11
create in database 23 summary of procedures 14
database, RAC 9

B
backup E
database 30 export AVUSER schema 30

C I
context for report filtering values in customer- import AVUSER schema/data 30
provided database 25

O
D
optimizer settings for database 17
database Oracle memory management settings
restore 30 AMM 15
updating for compatibility with RSA Platform ASMM 15
upgrade 27 Oracle statspack, installing 26

33
Index

P
password
profile for database users 22
privilege grants, user schemas in database 23

R
Real Application Cluster (RAC) database
requirements 9
redo tablespace 18
resource plan for database 25
restore
database 30

S
sample scripts for database configuration 11

T
tablespaces for database
adjusting temp, undo, and redo sizes 18
tablespaces, create in database 18
temp tablespace 18

U
undo tablespace 18
upgrade
update database for RSA Platform version
compatibility 27
user schemas
configure grants 23

34 Database Setup and Management Guide