At our site, we need to adhere to the SRR (Security Readiness Review) STIG (Security Technical Implementation Guide), and one of the security "findings" is the presence of Oracle Configuration Manager (OCM). The STIG recommends the deinstallation of OCM (which we have made part of our site standard for 10g), and it cites Oracle MetaLink Notes 369111.1 and 728989.1 as reference material for the deinstallation. Unfortunately, these Oracle documents refer to 10g, not 11g, and the script to deinstall OCM ($ORACLE_HOME/ccr/admin/scripts/dropocm.sql) is missing in 11g.
Does anyone know of a documented way to uninstall OCM in 11g? We are using Oracle 184.108.40.206 on Solaris 10.
Hmmm... That's a thought. If no one knows a documented way to uninstall OCM on 11g, I'll probably have to go with expiring and locking the account. Has anyone else run up against the requirement to uninstall OCM?
I once (accidently) allowed the dbca (or maybe it was the OUI) to create a COnfiguration Manager connection to one of my databases. At that time, I was working for a defense contractor and immediately knew this was not acceptable.
I contacted Oracle and they had to actually remove it from their side to ensure that it would be totally inaccessible in our tight security situation.
Since then, I'm always very careful not to allow Configuration Manager to connect to my database(s).
Of course, you can always do a full backup (and export) of your database and do a complete drop and recreation of the database.
I had to deal with the DCAA (defense contract audit agency) on this issue, so I feel for you.
859113.1 appears to apply to Oracle 10g only, and 11g has many differences from 10g. I'm hesitant to drop the user based on 10g documentation, especially since the 10g documentation I was using specified a script for OCM removal that does not exist on 11g.
and this seems to be for Solaris
In 11g, Oracle Support says that the missing script gets generated on-the-fly as you finish configuring OCM. Since we never configured OCM, the script does not exist. They say you can fully remove OCM by: