At our site, we need to adhere to the SRR (Security Readiness Review) STIG (Security Technical Implementation Guide), and one of the security "findings" is the presence of Oracle Configuration Manager (OCM). The STIG recommends the deinstallation of OCM (which we have made part of our site standard for 10g), and it cites Oracle MetaLink Notes 369111.1 and 728989.1 as reference material for the deinstallation. Unfortunately, these Oracle documents refer to 10g, not 11g, and the script to deinstall OCM ($ORACLE_HOME/ccr/admin/scripts/dropocm.sql) is missing in 11g.
Does anyone know of a documented way to uninstall OCM in 11g? We are using Oracle 220.127.116.11 on Solaris 10.
Hmmm... That's a thought. If no one knows a documented way to uninstall OCM on 11g, I'll probably have to go with expiring and locking the account. Has anyone else run up against the requirement to uninstall OCM?
I once (accidentally) allowed the dbca (or maybe it was the OUI) to create a Configuration Manager connection to one of my databases. At that time, I was working for a defense contractor and immediately knew this was not acceptable.
I contacted Oracle and they had to actually remove it from their side to ensure that it would be totally inaccessible in our tight security situation.
Since then, I'm always very careful not to allow Configuration Manager to connect to my database(s).
Of course, you can always do a full backup (and export) of your database and do a complete drop and recreation of the database.
I had to deal with the DCAA (Defense Contract Audit Agency) on this issue, so I feel for you.
859113.1 appears to apply to Oracle 10g only, and 11g has many differences from 10g. I'm hesitant to drop the user based on 10g documentation, especially since the 10g documentation I was using specified a script for OCM removal that does not exist on 11g.
Have you looked at this?
and this seems to be for Solaris
Thanks for the link! The "Oracle® Database Installation Guide 11g Release 1 (11.1) for Solaris Operating System" link you provided says:
6.3 Removing Oracle Configuration Manager

To uninstall Oracle Configuration Manager, follow these steps:

- If the $ORACLE_HOME directory contains a database, remove the Oracle Configuration Manager user and the associated objects from the database by running the following script:
  SQL> $ORACLE_HOME/ccr/admin/scripts/dropocm.sql
- If the database is a repository for the Oracle E-Business Suite, log in to the database as an SYSDBA user and remove the additional objects from the database by running the following script:
  $ORACLE_HOME/ccr/admin/scripts/ebs_dropccr.sql Oracle_Applications_User
- If the database is a repository for Oracle Grid Control, log in to the database as the SYSMAN user and remove the additional objects from the database by running the following script:
  $ORACLE_HOME/ccr/admin/scripts/dropemrep_collect.sql
- To stop the Scheduler and remove the service or the crontab entry, enter the following command:
  $ORACLE_HOME/ccr/bin/deployPackages -d $ORACLE_HOME/ccr/inventory/core.jar
- Delete the ccr directory by entering the following command:
  $ rm -rf $ORACLE_HOME/ccr

Oracle Configuration Manager is successfully uninstalled.
However, $ORACLE_HOME/ccr/admin/scripts/dropocm.sql does not exist on our system.
Unfortunately, I do not work for that defense contractor any more; otherwise I could log into Metalink under my old CSI number and get the instructions from the TAR on how to remove it from your server.
But seriously, you can just log a TAR with Oracle and ask them to remove it and give you instructions for removing it from your server too.
In 11g, Oracle Support says that the missing script gets generated on-the-fly as you finish configuring OCM. Since we never configured OCM, the script does not exist. They say you can fully remove OCM by:
- Delete this directory:
- Drop the ORACLE_OCM account, if it exists
drop user ORACLE_OCM cascade;
- Drop the CCR account, if it exists
drop user CCR cascade;
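
One way to script the two "if it exists" drops from the reply above and record the result for the STIG review. This is an added example, not code from Oracle Support or from any poster in this thread; it assumes a SQL*Plus session connected as a SYSDBA user and uses only the account names ORACLE_OCM and CCR given above.

```sql
-- Added example; run in SQL*Plus as a SYSDBA user (assumption).
SET SERVEROUTPUT ON

DECLARE
  TYPE name_list IS TABLE OF VARCHAR2(30);
  -- The two account names given in the reply above.
  ocm_accounts name_list := name_list('ORACLE_OCM', 'CCR');
  acct         VARCHAR2(30);
  n_found      PLS_INTEGER;
  n_objects    PLS_INTEGER;
BEGIN
  FOR i IN 1 .. ocm_accounts.COUNT LOOP
    acct := ocm_accounts(i);

    SELECT COUNT(*) INTO n_found
      FROM dba_users
     WHERE username = acct;

    IF n_found = 0 THEN
      DBMS_OUTPUT.PUT_LINE(acct || ': account not present, nothing to drop');
    ELSE
      -- Record what CASCADE is about to remove, as evidence for the review.
      SELECT COUNT(*) INTO n_objects
        FROM dba_objects
       WHERE owner = acct;
      DBMS_OUTPUT.PUT_LINE(acct || ': dropping account and '
                           || n_objects || ' owned object(s)');

      BEGIN
        EXECUTE IMMEDIATE
          'DROP USER ' || DBMS_ASSERT.ENQUOTE_NAME(acct) || ' CASCADE';
      EXCEPTION
        WHEN OTHERS THEN
          -- For example ORA-01940 when the account still has a session.
          DBMS_OUTPUT.PUT_LINE(acct || ': drop failed: ' || SQLERRM);
      END;
    END IF;
  END LOOP;

  -- Final check: zero means neither account remains in the database.
  SELECT COUNT(*) INTO n_found
    FROM dba_users
   WHERE username IN ('ORACLE_OCM', 'CCR');
  DBMS_OUTPUT.PUT_LINE('OCM accounts remaining: ' || n_found);
END;
/
```

Spooling the session output to a file gives a dated record that both accounts were checked and removed.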