To determine the rights of class admin, issue the lsclass command, as shown here:
ob> lsclass -l admin
Here is some sample output:
admin:
CHAPTER 20 ■ ORACLE SECURE BACKUP
browse backup catalogs with this access: privileged
access Oracle database backups: all
access file system backups: all
display administrative domain's configuration: yes
modify own name and password: yes
modify administrative domain's configuration: yes
modify catalog: yes
perform file system backups as self: yes
perform file system backups as privileged user: yes
list any jobs owned by user: yes
modify any jobs owned by user: yes
perform file system restores as self: yes
perform file system restores as privileged user: yes
receive email requesting operator assistance: yes
receive email describing internal errors: yes
receive email regarding expired passphrase keys: yes
query and display information about devices: yes
manage devices and change device state: yes
list any job, regardless of its owner: yes
modify any job, regardless of its owner: yes
perform Oracle database backups and restores: yes
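The rights listing above is the natural input for a least-privilege review of OSB classes. The following Python script is an added example, not code from the book or from Oracle: it parses lsclass -l text and reports classes other than admin that hold rights treated as elevated. The ELEVATED policy table, the db_operator class, and the sample text are assumptions constructed for illustration.

```python
# Added example: review `lsclass -l` output for elevated rights.
# Right names are copied from the listing above; the db_operator class and
# the ELEVATED policy (right -> values treated as elevated) are assumptions.
SAMPLE = """\
admin:
    browse backup catalogs with this access: privileged
    modify administrative domain's configuration: yes
    perform file system restores as privileged user: yes
db_operator:
    modify administrative domain's configuration: no
    perform file system restores as privileged user: yes
    modify any job, regardless of its owner: no
    perform Oracle database backups and restores: yes
"""

ELEVATED = {
    "browse backup catalogs with this access": {"privileged"},
    "access Oracle database backups": {"all"},
    "access file system backups": {"all"},
    "modify administrative domain's configuration": {"yes"},
    "modify catalog": {"yes"},
    "perform file system backups as privileged user": {"yes"},
    "perform file system restores as privileged user": {"yes"},
    "manage devices and change device state": {"yes"},
    "modify any job, regardless of its owner": {"yes"},
}

def parse_lsclass(text):
    """Return {class_name: {right: value}} from `lsclass -l` text."""
    classes, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        name, sep, value = line.rpartition(": ")
        if not sep and line.endswith(":"):   # "admin:" starts a class
            current = classes.setdefault(line[:-1], {})
        elif sep and current is not None:    # "right: value" line
            current[name] = value
    return classes

def elevated_rights(classes, expected=("admin",)):
    """Map each class outside `expected` to the elevated rights it holds."""
    findings = {}
    for cls, rights in classes.items():
        hits = sorted(r for r, v in rights.items() if v in ELEVATED.get(r, ()))
        if hits and cls not in expected:
            findings[cls] = hits
    return findings

if __name__ == "__main__":
    print(elevated_rights(parse_lsclass(SAMPLE)))
```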
■ Note
To display the complete syntax of an OSB command, issue the help command followed by the OSB command.
To create an OSB user, issue the mkuser command. In the following example, OSB user apress_oracle is created and assigned oracle rights:
ob> mkuser --class oracle apress_oracle --preauth BLLNX3:oracle+cmdline+rman
The +cmdline attribute in the --preauth option grants the oracle OS user preauthorized access to the obtool utility, while the +rman attribute grants Oracle Database SBT backups via RMAN. If no +rman preauthorization is defined for the server hosting the target database that you want to back up, then the RMAN backup fails with an ORA-19511 error, as shown here:
ORA-19511: Error received from media manager layer, error text:
sbt__rpc_cat_query: Query for piece u8lr5bs6_1_1 failed.
(Oracle Secure Backup error: 'no preauth config found for OS user (OB tools) oracle').
If you want to view all OSB users, issue the lsuser command:
ob> lsuser
Table 20–1 describes the various OSB commands used to maintain the OSB user accounts.
Table 20–1. OSB Commands to Maintain OSB User

Command   Meaning
mkuser    To create an OSB user.
lsuser    To display information about OSB users.
renuser   To rename an OSB user.
chuser    To modify the attributes of an OSB user.
rmuser    To delete an OSB user.
Configuring Media Families
The media family classifies and defines the characteristics of the tape volume, such as the volume ID, volume expiration, and write window. The volume ID, which is used by OSB to uniquely identify the tape volume, consists of the name of the media family affixed with a six-digit sequence number generated by OSB. For example, if the name of the media family is APRESS_BACKUP, then the first volume ID is APRESS_BACKUP-000001, the second is APRESS_BACKUP-000002, and so on.
There are two types of volume expiration policies: time-managed and content-managed. The tape volumes in a time-managed media family can expire after surpassing the expiration time; in a content-managed media family, they expire when all of the backup pieces on the volume are marked as deleted.
For file-system backups, you must use a time-managed media family to let OSB manage the volume expiration. For RMAN backups, you must use a content-managed media family to let RMAN, instead of OSB, manage the expiration of the backup pieces on the tape volume. This avoids inconsistency between the RMAN metadata and the contents of the tapes.
To create a time-managed media family, issue the mkmf command. In the following example, media family APRESS_OS has a write window of 7 days and a retention period of 14 days. This means the volumes of media family APRESS_OS expire and are ready for recycling 21 days after the first backup piece is created on the tape volume:
ob> mkmf --writewindow 7days --retain 14days APRESS_OS
To create a content-managed media family, issue the mkmf command, as shown here. Since the default volume expiration policy is content-managed, you can omit the --contentmanaged option.
ob> mkmf --contentmanaged APRESS_RMAN
Table 20–2 describes OSB commands used to maintain the media families.
Table 20–2. OSB Commands to Maintain Media Family

Command   Meaning
mkmf      To create a media family.
lsmf      To display information about media families.
renmf     To rename a media family.
chmf      To modify the attributes of a media family.
rmmf      To delete a media family.
To increase security and better manage your tape backups, you may create separate media families for different environments, such as production, test, and development. In this way, the backups of the production database and the test database do not share the same tape volumes.
Configuring Database Backup Storage Selector
The default media family for RMAN backup is RMAN-DEFAULT. To use a different media family when running RMAN backup, create a database backup storage selector using the mkssel command. In the following example, the database backup storage selector name is BLLNX3-DB11R2.ssel, which assigns the media family APRESS_RMAN for RMAN backups on Oracle database DB11R2 hosted on client server BLLNX3:
ob> mkssel --host BLLNX3 --dbname DB11R2 --family APRESS_RMAN BLLNX3-DB11R2.ssel
■ Note
If an RMAN backup matches the Oracle database and/or client host defined on a database backup storage selector, then you don’t have to pass the OB_MEDIA_FAMILY environment variable when allocating the RMAN channel for SBT_TAPE.
Refer to Table 20–3 for descriptions of OSB commands related to maintaining the database backup storage selector.
Table 20–3. OSB Commands to Maintain Database Backup Storage Selector

Command   Meaning
mkssel    To create a database backup storage selector.
lsssel    To display information about database backup storage selectors.
renssel   To rename a database backup storage selector.
chssel    To modify the attributes of a database backup storage selector.
rmssel    To delete a database backup storage selector.
Database Backup
In Chapter 18, you learned how to use RMAN to back up database files to disk. In this section, you will use OSB and RMAN to create backups on tape. There are two ways to configure RMAN for a backup to tape:
• Allocating a channel
• Configuring a channel
The first option is to allocate an RMAN channel for SBT_TAPE inside the run{} block. In the following example, the media family APRESS_RMAN is passed as a parameter to the environment variable OB_MEDIA_FAMILY. The tape volumes will have a volume ID of APRESS_RMAN affixed with a six-digit sequence number generated by OSB.
RMAN> run {
  allocate channel t1 type sbt_tape parms 'ENV=(OB_MEDIA_FAMILY=APRESS_RMAN)';
  backup database;
}
You can configure multiple channels for SBT_TAPE equivalent to the number of available physical tape devices. However, if you allocate two channels and only have one physical tape device, the other channel will just wait for the tape resource to become available.
You can also use the CONFIGURE command to set the RMAN channel for SBT_TAPE, as shown here:
RMAN> configure channel device type sbt_tape
parms 'ENV=(OB_MEDIA_FAMILY=APRESS_RMAN)';
RMAN> backup device type sbt_tape database;
To monitor the backup jobs you have submitted, refer to the “OSB Job Monitoring” section in this chapter. For descriptions of other OSB media management parameters, refer to Table 20–4.
■ Note
If no media family is explicitly passed when allocating or configuring an RMAN channel for SBT_TAPE, or no database backup storage selector is defined for the specific host and/or database, OSB will use the default media family RMAN-DEFAULT, which is created when OSB is installed.
Table 20–4. OSB Media Management Parameters

Parameter               Meaning
OB_MEDIA_FAMILY         To specify the media family that defines the characteristics of the tape volumes.
OB_DEVICE               To specify the tape drives to use during backup.
OB_RESOURCE_WAIT_TIME   To specify the wait time for resources to become available.
OB_ENCRYPTION           To specify the OSB encryption. If this is set, then OSB does not perform further encryption.
OB_RESTORE_DEVICE       To specify the tape drives to use during restore.
Database Restore
For RMAN restore and recover, you have to allocate an RMAN channel for SBT_TAPE. In the following example, the RMAN channel for SBT_TAPE is allocated inside the run{} block:
RMAN> run {
  allocate channel t1 type sbt_tape;
  restore database;
  recover database;
}
Another option is to run the CONFIGURE command. Unlike the previous example, you must include the PARMS clause in the CONFIGURE command (if you don't use the PARMS clause, a syntax error is returned):
RMAN> configure channel device type sbt_tape
parms 'ENV=(OB_MEDIA_FAMILY=APRESS_RMAN)';
RMAN> restore device type sbt_tape database;
RMAN> recover device type sbt_tape database;
Suppose you have a scenario where the production server is completely gone due to a catastrophic event, but luckily you have an offsite tape backup of the database. In addition, you are not using an RMAN recovery catalog, and control file autobackup is disabled. You discover that the latest backup of the control file is corrupted, but you are able to restore the control file from a backup taken two days ago. After mounting the database, you realize that the latest RMAN backups taken yesterday are not in the list when you issue the RMAN LIST BACKUP command (because the control file restored was from two days ago and has no knowledge of yesterday's RMAN backup).
In this situation, the control file restored from a backup taken two days ago has no information about the backup pieces created on tape yesterday. To make the RMAN repository (control file in this scenario) aware of backup pieces on tape, do the following:
1. Configure a channel for tape.
2. Make the RMAN repository aware of the backup piece via the CATALOG command.
Next, issue the CATALOG DEVICE TYPE SBT_TAPE BACKUPPIECE command, followed by the name of the backup piece. In this example, one backup piece is cataloged:
RMAN> catalog device type sbt_tape backuppiece 'silr06fk_1_1';
If you have multiple backup pieces that you want to catalog, you must issue the CATALOG DEVICE TYPE SBT_TAPE BACKUPPIECE command for each individual backup piece. The key to cataloging the RMAN backup pieces on tape is that you must know the exact names of the backup pieces.
■ Note
As mentioned in Chapter 19, for disk-based backups, you can easily make the RMAN repository aware of multiple backup pieces via the CATALOG START WITH
What if you don't know the names of the backup pieces? One way to figure out their names is to check the RMAN log file generated during the RMAN backup. In the snippet of the RMAN log file shown here, the RMAN backup piece is silr06fk_1_1:
channel ORA_SBT_TAPE_1: finished piece 1 at 21-OCT-2010 08:29:35
piece handle=silr06fk_1_1 tag=TAG20101021T082105 comment=API Version 2.0,MMS Version 10.3.0.2
channel ORA_SBT_TAPE_1: backup set complete, elapsed time: 00:08:26
But what if the RMAN log file is not available? You can issue the lspiece command using the obtool utility. In the following example, the output is filtered to display only the backup pieces for the hostname BLLNX3 that hosts the database DB11R2:
The following is a snippet of the output of the lspiece command:
POID  Database  Content      Copy  Created      Host    Piece name
8830  DB11R2    incremental  0     10/21.08:23  BLLNX3  silr06fk_1_1
This listing shows information such as the creation date and backup piece name. In this example, the missing RMAN backup piece is silr06fk_1_1. After you catalog the missing RMAN backup pieces, you can proceed with the RMAN restore and recovery.
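Because each tape backup piece needs its own CATALOG command, a surviving RMAN log can be turned into the command list mechanically. The following Python script is an added example, not code from the book: it extracts tape piece handles from log text and emits one CATALOG DEVICE TYPE SBT_TAPE BACKUPPIECE command per piece. The sample log is constructed, and both the comment=API Version test for tape pieces and the character allowlist for piece names are assumptions.

```python
import re

# Constructed RMAN log excerpt. The first three lines follow the snippet
# above; the ORA_DISK_1 piece and sklr06h4_1_1 are made up for this example.
RMAN_LOG = """\
channel ORA_SBT_TAPE_1: finished piece 1 at 21-OCT-2010 08:29:35
piece handle=silr06fk_1_1 tag=TAG20101021T082105 comment=API Version 2.0,MMS Version 10.3.0.2
channel ORA_SBT_TAPE_1: backup set complete, elapsed time: 00:08:26
channel ORA_DISK_1: finished piece 1 at 21-OCT-2010 08:31:02
piece handle=/u01/backup/sjlr06g1_1_1 tag=TAG20101021T082105 comment=NONE
channel ORA_SBT_TAPE_1: finished piece 1 at 21-OCT-2010 08:35:10
piece handle=sklr06h4_1_1 tag=TAG20101021T082105 comment=API Version 2.0,MMS Version 10.3.0.2
"""

HANDLE = re.compile(r"^piece handle=(\S+)\s+tag=\S+\s+comment=(.*)$")
SAFE_NAME = re.compile(r"[A-Za-z0-9_.\-]+")  # assumed allowlist for piece names

def tape_pieces(log_text):
    """Return tape piece names in log order, without duplicates.

    Assumption: media-manager pieces carry "comment=API Version ..." as in
    the snippet above, while disk pieces do not.
    """
    pieces = []
    for line in log_text.splitlines():
        m = HANDLE.match(line.strip())
        if not m or not m.group(2).startswith("API Version"):
            continue
        name = m.group(1)
        # The name is pasted into a quoted RMAN string, so refuse anything
        # that could close the quote or end the statement.
        if not SAFE_NAME.fullmatch(name):
            raise ValueError(f"unexpected characters in piece name: {name!r}")
        if name not in pieces:
            pieces.append(name)
    return pieces

def catalog_script(pieces):
    """One CATALOG command per piece, as the text requires for tape."""
    return "\n".join(
        f"catalog device type sbt_tape backuppiece '{p}';" for p in pieces
    )

if __name__ == "__main__":
    print(catalog_script(tape_pieces(RMAN_LOG)))
```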
File System Backup
Like any backup job, you need to define the three Ws and one H. What data to back up? When to run the backup? Where to store the backup? How the backup runs? To accomplish these 3 Ws and 1 H using OSB, you need to create a dataset file, as well as configure a backup window, a schedule, and a trigger.
Creating Dataset Files
Dataset files define the directories and files on the client hosts that you want to back up. In the following example, the dataset file includes all files under the directory /home/oracle on the client host BLLNX1 except for files under the directory /home/oracle/temp and Oracle database-related files:
include host BLLNX1
include path /home/oracle {
  exclude path /home/oracle/temp
  exclude oracle database files
}
To create a dataset file named bllnx1_home-oracle.ds, perform the following steps using the obtool utility, as shown here: