OCI DBCS Clone from backup fails when Database Vault is enabled

Recently I was creating a DBCS database clone but the creation failed, luckily we could find out the node IPs through support and from the dcs-agent-debug.log we could see following statement failing:

! com.oracle.dcs.commons.exception.DcsException: DCS-10001:Internal error encountered: Failed to run SQL script: /u01/app/oracle/product/12.2.0.1/dbhome_1/rdbms/admin/utlpwdmg.sql. ********

When looking this script what it tries to do is set the default password limits for DEFAULT profile. While trying it out on the source database I noticed Database Vault was enabled which restricts modifying that profile.

Two possible workarounds since this wasn’t a production database, disable vault and take new backup which required a bounce of database or give SYS access to modify DEFAULT profile.

I opted for latter since it didn’t involve DB bounce. What I wanted to do is to give SYS grant for role DV_ACCTMGR profile, it has less privileges compared to DV_OWNER but it still can modify profiles.

[oracle@dbcs] sqlplus C##DBV_ACCTMGR_ROOT --this is DVACCTMGR role "owner"

SQL*Plus: Release 12.2.0.1.0 Production on Fri Dec 11 15:24:54 2020

Copyright (c) 1982, 2016, Oracle.  All rights reserved.

Enter password:

Connected to:
Oracle Database 12c EE Extreme Perf Release 12.2.0.1.0 - 64bit Production

SQL> grant DV_ACCTMGR to sys container=ALL;

Grant succeeded.

SQL> conn sys
Enter password:
Connected.

SQL> ALTER PROFILE DEFAULT LIMIT FAILED_LOGIN_ATTEMPTS 3; --try to modify profile to see it works

Profile altered.

After this was done I went to OCI Console and just ran a new manual backup for the instance.

Once the backup is finished I revoked the privilege from SYS.

SQL> conn C##DBV_ACCTMGR_ROOT
Enter password:
Connected.
SQL> revoke DV_ACCTMGR from sys container=all;

Revoke succeeded.

And started the clone:

After this no issues on creating DBCS clone from backup. I also have a SR open for this and will update later what Oracle thinks is required or if they will have a fix for this.

If you have production database which you would need to clone I’d be sure to verify if you can play around with grants like this.

Simo

Recent Posts

Autonomous Database Audit Logs to Logging Service Part 1

I recently came across requirement to get OCI Oracle Autonomous Database audit logs to OCI…

3 weeks ago

Connecting to Autonomous Database Running on Google Cloud

Last time I showed how to provision Autonomous Database Serverless (ADB-S) on Google Cloud. This…

2 months ago

Can you believe it? Provisioning Autonomous Database in GCP!

I bet few years back folks didn't expect that by 2024 we would be able…

3 months ago

IP Address Insights with CLI

My previous post on IP Address Insights I mentioned it wasn't yet available with CLI…

7 months ago

Thoughts on Oracle Database@Azure

This will NOT be a technical walkthrough on Oracle Database@Azure but rather my opinions and…

7 months ago

OCI Vulnerability Scanning Setup

Many times when you work for someone, they already have their own vulnerability scanning throughout…

7 months ago