Corporation Computer Drive User Manual

ManualsBrandsOracle ManualsComputer HardwareDOCUCOLOR 260

Oracle® Secure Backup

Installation and Configuration Guide

Release 10.3

E12835-06

December 2010

How to install, uninstall, and manage hardware and network

configuration in Oracle Secure Backup

Summary of content (174 pages)

PAGE 1
Oracle® Secure Backup Installation and Configuration Guide Release 10.
PAGE 3
Contents Preface ................................................................................................................................................................. ix Audience....................................................................................................................................................... Documentation Accessibility ..................................................................................................................... Related Documents ......
PAGE 4
Extracting Oracle Secure Backup from OTN Download on Linux or UNIX ................................ 2-4 Preparing to Install Oracle Secure Backup on Linux and UNIX..................................................... 2-5 Creating the Oracle Secure Backup Home .......................................................................................... 2-5 Loading Oracle Secure Backup Software on Linux or UNIX Using setup Script........................
PAGE 5
Displaying Help for Invoking obtool ........................................................................................... Starting obtool in Interactive Mode.............................................................................................. Running obtool Commands in Interactive Mode....................................................................... Redirecting obtool Input from Text Files ............................................................................
PAGE 6
Managing Security for Backup Networks Backup Network Security Overview.................................................................................................... 6-1 Planning Security for an Administrative Domain............................................................................. 6-2 Identifying Assets and Principals .................................................................................................... 6-2 Identifying Your Backup Environment Type ..........................
PAGE 7
default UNIX user ................................................................................................................................... default UNIX group ................................................................................................................................ linux ob dir and solaris64 ob dir .......................................................................................................... linux db dir and solaris64 db dir .......................................
PAGE 8
viii
PAGE 9
Preface This Preface contains these topics: ■ Audience ■ Documentation Accessibility ■ Related Documents ■ Conventions Audience This guide is intended for system administrators and database administrators who install the Oracle Secure Backup software. These administrators might also perform backup and restore operations. To use this document, you must be familiar with the operating system environment on which you plan to use Oracle Secure Backup.
PAGE 10
Access to Oracle Support Oracle customers have access to electronic support through My Oracle Support. For information, visit http://www.oracle.com/support/contact.html or visit http://www.oracle.com/accessibility/support.html if you are hearing impaired.
PAGE 11
1 Introduction to Oracle Secure Backup This chapter provides an introduction to Oracle Secure Backup and includes advice on planning and configuring your administrative domain.
PAGE 12
Oracle Secure Backup Concepts Oracle Secure Backup eliminates integration challenges with ready-to-use tape management software that provides single-vendor support. Oracle Secure Backup also reduces your costs. When using Oracle Secure Backup with RMAN to back up and recover databases and files to and from tape, no third-party tape management software is required. Oracle Secure Backup provides the media management layer needed to use tape storage with RMAN.
PAGE 13
Oracle Secure Backup Concepts Oracle Secure Backup is installed can be a client, including hosts that are also media servers or the administrative server. A network-attached storage device that Oracle Secure Backup accesses through NDMP can also serve the client role. A host can be assigned multiple roles in an administrative domain. For example, a host with a tape drive attached could be both the administrative server and media server for a network that includes several other clients.
PAGE 14
Oracle Secure Backup Concepts Oracle Secure Backup Administrative Domain: Examples Figure 1–1 shows a minimal administrative domain, in which a single host is administrative server, media server, and client. An Oracle database also runs on the same host. Figure 1–1 Administrative Domain with One Host Administrative Server, Media Server, and Client Linux Backup Recovery Manager Restore Tape ... ... ... ... ... ... ......
PAGE 15
Oracle Secure Backup Concepts Figure 1–2 Oracle Secure Backup Administrative Domain with Multiple Hosts Data Flow Oracle Secure Backup Clients NAS Appliance NDMP Oracle Secure Backup Administrative Server UNIX Oracle Secure Backup Media Server Linux Backup Oracle Secure Backup Catalog Linux Restore Tape ... ... ... ... ... ... ......
PAGE 16
Oracle Secure Backup Concepts A magnetic cassette or tape is sequential-access storage. It has a beginning and an end, which means that to access data in the middle of the tape, a tape device must read through the beginning part of the tape until it locates the desired data. In a typical format, a tape drive writes data to a tape in blocks. The tape drive writes each block in a single operation, leaving gaps between the blocks. The tape runs continuously during the write operation.
PAGE 17
Oracle Secure Backup Concepts When Oracle Secure Backup begins a restore operation, it does not know what block size was used to write a given tape. Because issuing a read for a too-small block would result in an error condition and a tape reposition, Oracle Secure Backup always starts a restore operation by reading the largest possible block size. This is either the current setting of the media/maxblockingfactor policy or the tape drive configuration attribute.
PAGE 18
Oracle Secure Backup Concepts Figure 1–3 Tape Library Tape Library Robotic Control Drive .... .... .... .... .... .... Drive ... ... ... ... ... ... ...... Device connectivity varies by device: SCSI, Fibre, and i SCSI Library robotics (mte) move tape to and from drives to slots Type drive (dte) writes data to and reads data from tape volumes Drive .... .... .... .... .... .... Drive ... ... ... ... ... ... ......
PAGE 19
Oracle Secure Backup Concepts This element is an internal slot in a tape library where a tape cartridge can reside. ■ Data transfer element (dte) This element represents a tape device capable of reading or writing the physical volume. Typically, a data transfer element (DTE) is a tape drive used to back up or restore data on a tape. ■ Medium transport element (mte) This element represents the robotics mechanism used to move tapes between other elements in the tape library.
PAGE 20
Oracle Secure Backup Interfaces limited storage capacity. If you back up to a virtual tape library, then you can take advantage of its faster backup and then use the volume migration feature of Oracle Secure Backup to migrate the data to tapes at a later point of time. Device Names and Attachments Because Oracle Secure Backup manages tape drive operations, it must be able to identify the tape drive and determine whether the tape drive is housed in a tape library.
PAGE 21
System Requirements for Oracle Secure Backup See also: ■ ■ Chapter 4, "Oracle Secure Backup User Interfaces" for details on using the different Oracle Secure Backup interfaces.
PAGE 22
Acquiring Oracle Secure Backup Installation Media See Also: Oracle Secure Backup Administrator's Guide for guidelines on the growth of the Oracle Secure Backup catalog over time Other System Requirements for Oracle Secure Backup Each host that participates in a Oracle Secure Backup administrative domain must run TCP/IP. Oracle Secure Backup uses this protocol for all communication within each of its components and between its components and other system components.
PAGE 23
Installation and Configuration Overview The contents of the CD-ROM and download archive are identical. If you download the software from OTN, then you must store the downloaded file in a temporary directory and extract the contents of the installation file. If you are installing Oracle Secure Backup on multiple platforms, then you must download the ZIP file or acquire the CD-ROM for each platform.
PAGE 24
About Upgrade Installations The administrative server requires complete information about: ■ Each media server ■ Each tape device ■ Each attachment that associates a tape device with a media server ■ Client hosts, including any Network Data Management Protocol (NDMP) clients such as Network Attached Storage (NAS) appliances This step is documented in Chapter 5, "Configuring and Managing the Administrative Domain".
PAGE 25
About Upgrade Installations Use the kill -9 command to stop each process. On Windows hosts, you must stop the Oracle Secure Backup service: 1. Open the Services applet. 2. Right-click the Oracle Secure Backup Services service. 3. Select Stop.
PAGE 26
About Upgrade Installations 1-16 Oracle Secure Backup Installation and Configuration Guide
PAGE 27
2 Installing Oracle Secure Backup on Linux or UNIX This chapter explains how to install Oracle Secure Backup on hosts running Linux or UNIX.
PAGE 28
Prerequisites for Installing Oracle Secure Backup on Linux and UNIX Note: On a Solaris media server, installob also performs some tape device configuration tasks, including installation of a required device driver, and, optionally, attach point creation required for Oracle Secure Backup to access tape devices. 3. Creating attach points on each media server This step is required for the Oracle Secure Backup device driver to access tape devices. You need the SCSI device parameters to perform this task.
PAGE 29
Prerequisites for Installing Oracle Secure Backup on Linux and UNIX The rc.modules file is necessary, and not rc.local, because rc.modules runs earlier in the start process. Note: On RedHat Enterprise Linux, you can use the following commands to add the sg module to the list of modules configured to load as root at start time: # echo modprobe sg >> /etc/rc.modules # chmod +x /etc/rc.
PAGE 30
Extracting Oracle Secure Backup from OTN Download on Linux or UNIX 0, 1, 2 and so on, and tape drives are also numbered 0, 1, 2 and so on. The maximum value for an Oracle Secure Backup logical unit number is 31. On Linux or UNIX, the resulting device special file names for tape libraries are /dev/obl1, /dev/obl2, /dev/obl3 and so on, and the names for tape drives are /dev/obt1, /dev/obt2, /dev/obt3 and so on. On Windows, the resulting tape library names are //./obl1, //./obl2, //.
PAGE 31
Creating the Oracle Secure Backup Home You now have all of the files required to install Oracle Secure Backup release 10.3. Preparing to Install Oracle Secure Backup on Linux and UNIX Perform the following actions before installing Oracle Secure Backup: ■ ■ ■ ■ Select hosts for the administrative server, media server, and client roles, as described in "Installation and Configuration Overview" on page 1-13.
PAGE 32
Loading Oracle Secure Backup Software on Linux or UNIX Using setup Script Loading Oracle Secure Backup Software on Linux or UNIX Using setup Script The setup script performs the loading process, in which packages of files required to install Oracle Secure Backup are extracted from the installation media and staged in the Oracle Secure Backup home for later use by the installob installation script.
PAGE 33
Configuring Installation Parameters in the obparameters File See Also: "Installing Oracle Secure Backup on Linux or UNIX with installob" on page 2-8 for instructions on starting installob ■ Enter yes to start the installob script. The steps for running installob are described in "Installing Oracle Secure Backup on Linux or UNIX with installob" on page 2-8. If the setup script is interrupted, then some temporary files, named OBnnnn or OBnnnn.Z, might remain in /usr/tmp. You can safely delete these files.
PAGE 34
Installing Oracle Secure Backup on Linux or UNIX with installob See Also: ■ ■ Oracle Secure Backup Administrator's Guide for more information about the preauthorized oracle user and RMAN backups. Appendix B, "Oracle Secure Backup obparameters Installation Parameters" Installing Oracle Secure Backup on Linux or UNIX with installob To install the Oracle Secure Backup software on Linux or UNIX: 1. Ensure that the SCSI parameters for each tape device available.
PAGE 35
Installing Oracle Secure Backup on Linux or UNIX with installob You determined the roles for each host when planning your administrative domain. Choose one of these options: ■ Enter a to install the software for an administrative server. If you choose this option, then installob also installs the software required for the media server and client roles. ■ Enter b to install the software for a media server. If you choose this option, then installob also installs the software required for the client role.
PAGE 36
Installing Oracle Secure Backup on Linux or UNIX with installob The practice of supplying a password in clear text on a command line or in a command script is not recommended by Oracle. It is a security vulnerability. The recommended procedure is to have the user be prompted for the password. Note: 7. Enter an e-mail address for notifications. The installob script asks for an e-mail address to which Oracle Secure Backup sends notifications.
PAGE 37
Installing Oracle Secure Backup on Linux or UNIX with installob If you choose to create attach points later, or if you add a tape device to a media server in the future, then see "Creating Attach Points with makedev" on page 2-12 for two alternative methods of completing this task. ■ Enter yes to configure tape devices now. To create attach points, the installob script asks if tape libraries are connected to this host, and if so, what the SCSI parameters are for each tape library.
PAGE 38
Installing or Uninstalling Oracle Secure Backup on AIX 9. The installob script displays a summary of installation activities during this session and exits. This installation summary does not include any information about device special file creation performed during the installob session. Installing or Uninstalling Oracle Secure Backup on AIX The installation and uninstallation procedures for AIX and Linux/UNIX are identical.
PAGE 39
Creating Attach Points with makedev Table 2–3 Information Required by makedev Platform Linux HP-UX AIX Oracle Secure Backup LUN1 x x x Device type x x x Host bus adapter x x SCSI bus address x x SCSI bus name-instance x x x Target ID x x x SCSI LUN x x x 1 Do not confuse the Oracle Secure Backup logical unit number with the SCSI LUN.
PAGE 41
Creating Attach Points with makedev In the following example, the attach point /dev/obl8 is created for the ADIC FastStor 2 library attached to scsi2 having the target id 0 and lun 0: makedev Enter logical unit number 0-31 [0]: 8 Enter 'd' if this device is a tape drive or 'l' if a SCSI-2 addressable tape library [d]: l Enter SCSI bus name: scsi2 Enter SCSI target id 0-16777215: 0 Enter SCSI logica l unit number (lun) 0-7 [0]: 0 /dev/obt8 created In this second example, the attach point /dev/obl9 is creat
PAGE 42
Creating Attach Points with makedev You can convert the hexadecimal values of lun_id and scsi_id (shown in bold) to decimal so that they are usable by the Oracle Secure Backup makdev command. After conversion, the SCSI LUN ID is 281474976710656 and the SCSI ID is 2. 3. Navigate to the install directory in your Oracle Secure Backup home. For example: # cd /usr/local/oracle/backup/install 4. Enter the makedev command at the shell prompt: # makedev 5.
PAGE 43
Creating Attach Points with makedev autoch target tape ... fcp ext_bus target autoch tape tape 4 10 8 0/1/1/1.1.0 0/1/1/1.2 0/1/1/1.2.0 schgr tgt stape CLAIMED CLAIMED CLAIMED DEVICE DEVICE DEVICE 2 9 1 8 19 20 0/2/1/0.99 0/2/1/0.99.15.255.1 0/2/1/0.99.15.255.1.3 0/2/1/0.99.15.255.1.3.0 0/2/1/0.99.15.255.1.3.1 0/2/1/0.99.15.255.1.3.2 fcp fcpdev tgt schgr stape stape CLAIMED CLAIMED CLAIMED CLAIMED CLAIMED CLAIMED INTERFACE INTERFACE DEVICE DEVICE DEVICE DEVICE 3.
PAGE 44
Creating Attach Points with makedev Identifying and Configuring Linux Attach Points Oracle recommends that you use the /dev/sg devices as attach points with Oracle Secure Backup on Linux. The use of the Oracle Secure Backup /dev/ob devices has certain limitations that may not be acceptable in some environments. For example, the LUN cannot be greater than 7, and the SCSI bus number cannot be greater than 1.
PAGE 45
Creating Attach Points with makedev driver that is included with Solaris now provides the functionality provided by the kernel driver. Enabling the Solaris sgen Driver for Changer and Sequential Devices You need to enable the Solaris sgen driver for changer and sequential devices before you install Oracle Secure Backup. Use the following steps to enable the Solaris sgen driver for sequential and changer devices: 1.
PAGE 46
Performing an Upgrade Installation on Linux or UNIX device. If you do not find these entries, reboot your host system using the following commands: touch /reconfigure reboot Utilizing sgen Attach Points The entries that are made in the /dev/scsi/changer and /dev/scsi/sequential directories when you enable the Solaris sgen driver must be used as Oracle Secure Backup targets for /dev/ob links. These entries vary depending on the version of Solaris.
PAGE 47
Uninstalling Oracle Secure Backup on Linux or UNIX Alternatively, you can terminate observiced, which stops all processes. Use the following command to end each process in the list associated with Oracle Secure Backup, where pid is the process ID of observiced: kill pid 4. Change directory to the Oracle Secure Backup home directory.
PAGE 48
Uninstalling Oracle Secure Backup on Linux or UNIX 10. The uninstallob script displays the choices you have made and asks to continue with the uninstallation on this host. Select one of the following options: ■ yes If you select this option, then the uninstallob script displays progress messages as it uninstalls Oracle Secure Backup. When it is finished, it displays the following message: Oracle Secure Backup has been successfully removed from host_name.
PAGE 49
3 Installing Oracle Secure Backup on Windows This chapter explains how to install Oracle Secure Backup on hosts that run the Windows operating system.
PAGE 50
Disabling Removable Storage Service on Windows Media Servers If you are installing Oracle Secure Backup in an Oracle Real Application Clusters (Oracle RAC) environment, then you must install Oracle Secure Backup on each node in the cluster. Note: Disabling Removable Storage Service on Windows Media Servers The Removable Storage service is used to manage removable media, drives, and libraries.
PAGE 51
Running the Oracle Secure Backup Windows Installer 7. The Oracle Secure Backup release 10.3 installation software is compressed. Save it to a temporary directory, and expand it to the osbdownload directory you created in step 2. You now have all of the files required to install Oracle Secure Backup release 10.3.
PAGE 52
Running the Oracle Secure Backup Windows Installer If you have uninstalled Oracle Secure Backup software before beginning this installation, or if you have never installed it on this computer, then the Clean Install page appears. 3. Click Next to continue. The Customer Information screen appears.
PAGE 53
Running the Oracle Secure Backup Windows Installer 4. Enter your customer information as follows: a. Enter a user name in the User Name field. b. Enter the name of your company in the Organization field. c. Select one of these options: – Anyone who uses this computer This option allows anyone who has access to this computer to use Oracle Secure Backup. – Only for me This option limits use of Oracle Secure Backup to you. Click Next to continue. The Oracle Secure Backup Setup screen appears.
PAGE 54
Running the Oracle Secure Backup Windows Installer 5. A single host can have multiple roles, which are are additive rather than exclusive. You have the following options when choosing roles: ■ To install the Windows host as client only, click Next and go to step 9. Every installation of Oracle Secure Backup on Windows includes a client installation.
PAGE 55
Running the Oracle Secure Backup Windows Installer See Also: ■ ■ ■ "Configuring Oracle Secure Backup" on page 3-14 Chapter 5, "Configuring and Managing the Administrative Domain" To install the Windows host as an administrative server, click the Administrative Server list and select This feature will be installed on local hard drive. Selecting this option removes the X from the administrative server icon and includes the administrative server role in the installation.
PAGE 56
Running the Oracle Secure Backup Windows Installer 6. If you plan to perform Oracle Database backup and restore operations with RMAN, then enable the action for Create "oracle" user in the administrative server submenu.
PAGE 57
Running the Oracle Secure Backup Windows Installer If this option is enabled, then the installer creates an Oracle Secure Backup user called oracle (with the rights of the oracle class) whose purpose is to facilitate Oracle Database backup and restore operations with Recovery Manager (RMAN).
PAGE 58
Running the Oracle Secure Backup Windows Installer Note: ■ ■ ■ ■ You are required to create the oracle user only if you plan to use Oracle Secure Backup with RMAN.
PAGE 59
Running the Oracle Secure Backup Windows Installer If you do not plan to use Oracle Secure Backup to back up your databases, then leave the Create "oracle" user option unselected. This is the default. In addition to the options described in step 6, you can perform the following actions in the Oracle Secure Backup Setup screen: ■ Click Help for detailed descriptions of the installation options. ■ Click Change to change the destination folder for the installation.
PAGE 60
Running the Oracle Secure Backup Windows Installer 8. Enter a password for the Oracle Secure Backup admin user in the Password for 'admin' user field. Enter the password again in the Re-type password for verification field. The minimum password length is determined by the minuserpasswordlen security policy. Its value at installation time is 0, which means a null password is permitted. After the installation has completed, you can change this policy to enforce a different minimum password length.
PAGE 61
Running the Oracle Secure Backup Windows Installer Note: The default from address for e-mails generated by Oracle Secure Backup is SYSTEM@fqdn, where fqdn is the fully qualified domain name of the Oracle Secure Backup administrative server. You can change this default from address after installation. See Oracle Secure Backup Reference for more information. Click Next. The Ready to Install the Program screen appears. 9. Click Install to start copying files. A progress bar appears.
PAGE 62
Configuring Oracle Secure Backup 10. Click Finish. The Oracle Secure Backup software installation on this Windows host is complete. You can now configure this installation, using the Oracle Secure Backup Configuration utility that starts automatically. Instructions on using this utility appear in "Configuring Oracle Secure Backup" on page 3-14. Configuring Oracle Secure Backup This section explains how to configure Oracle Secure Backup using the Oracle Secure Backup Configuration utility.
PAGE 63
Configuring Oracle Secure Backup 2. Click Next. The Oracle Secure Backup Service Startup screen appears. 3. Select one of these modes in which to start the Oracle Secure Backup service: ■ Automatic The Oracle Secure Backup service starts automatically when you restart your host.
PAGE 64
Configuring Oracle Secure Backup ■ Manual The Oracle Secure Backup service must be started manually by a user who is a member of the Administrators group. ■ Disabled The Oracle Secure Backup service is disabled. Click Next. The Oracle Secure Backup Service Logon screen appears. 4. By default, the Oracle Secure Backup service logs on as the Local System account, which is an administrative account. You can select option This Account to specify a different account for the Oracle Secure Backup Service.
PAGE 65
Configuring Oracle Secure Backup – The account must have backup and restore rights. – The account must be able to restore files and directories. – The account must be able to log on as a service. – The account must be able to act as part of the operating system. – The account must be able to increase quotas. – The account must be able to replace a process level token. Click Next or Finish to proceed. If you are configuring a media server, then proceed to step 5. 5.
PAGE 66
Configuring Firewalls for Oracle Secure Backup on Windows 6. Click Finish. When you have performed all of the preceding tasks, Oracle Secure Backup installation and configuration on this host is complete. Repeat this installation and configuration process for each Windows host in your administrative domain.
PAGE 67
Upgrade Installation on Windows 32-Bit Upgrade Installation on Windows 32-Bit You can upgrade your Windows 32-bit administrative server, media servers, and clients from Oracle Secure Backup release 10.2 to Oracle Secure Backup release 10.3 simply by running the Oracle Secure Backup release 10.3 installer. This is called an upgrade installation.
PAGE 68
Upgrade Installation on Windows x64 Upgrade Installation on Windows x64 Different upgrade installation procedures must be used for Windows x64 than those described in "Upgrade Installation on Windows 32-Bit" on page 3-19. You can use the following procedure to upgrade a Windows x64 administrative server or client, so long as the administrative server is not also a media server: 1. Uninstall the existing Oracle Secure Backup software, selecting the Keep option if you are upgrading an administrative server.
PAGE 69
4 Oracle Secure Backup User Interfaces This chapter introduces the interfaces that you can use with Oracle Secure Backup. The major interfaces to Oracle Secure Backup are: ■ Oracle Enterprise Manager This is the primary graphical user interface for managing Oracle Secure Backup. ■ Oracle Secure Backup Web tool This interface is used to manage file-system level backups and to perform certain other tasks not possible in Oracle Enterprise Manager.
PAGE 70
Using Oracle Secure Backup in Enterprise Manager However, you cannot use Oracle Enterprise Manager to perform file-system backup and restore operations. The Maintenance page in Oracle Enterprise Manager includes a link to the Oracle Secure Backup Web tool for such tasks. This document describes the use of Oracle Enterprise Manager for most tasks, and describes the Oracle Secure Backup Web Tool only when there is no equivalent functionality in Enterprise Manager.
PAGE 71
Using Oracle Secure Backup in Enterprise Manager Registering an Administrative Server in Oracle Enterprise Manager You can make RMAN backups to the Oracle Secure Backup SBT interface three ways: ■ Oracle Enterprise Manager Database Control ■ Oracle Enterprise Manager Grid Control ■ RMAN command-line client The Database Control console must run on the administrative server and can only back up an Oracle database on the administrative server.
PAGE 72
Using the Oracle Secure Backup Web Tool 1. Log in to the Oracle Enterprise Manager Database Control as a user with database administrator rights. 2. Go to the Oracle Secure Backup section of the Maintenance page. If the Oracle Secure Backup section does not appear in the Maintenance page, then see "Enabling Oracle Secure Backup Links in Oracle Enterprise Manager" on page 4-2. 3. Click File System Backup and Restore.
PAGE 73
Using the Oracle Secure Backup Web Tool 1. Launch your Web browser and supply the URL of the host running Oracle Secure Backup. Use the following syntax, where hostname can be a fully qualified domain name: https://hostname For example, you might invoke the following URL: https://osblin1.oracle.com 2. The browser displays a warning that the certificate is not trusted. Oracle Secure Backup installs a self-signed certificate for the Apache Web server.
PAGE 74
Using the Oracle Secure Backup Web Tool Figure 4–2 Oracle Secure Backup Home Page The main page includes the schedule times, status, job IDs, job type, and job level of recent jobs. Oracle Secure Backup provides a link for failed jobs, alerting users and administrators to potential trouble spots. The Devices link lists the tape devices associated with each job along with information concerning tape device type, device name, and status.
PAGE 75
Using the Oracle Secure Backup Web Tool Logs the current user out of the Oracle Secure Backup Web tool, clears user name and password cookies, and returns to the Login page. ■ Preferences Use this link to access settings for the following options: – Extended command output This option displays obtool commands used to perform actions and generate output pages for the Oracle Secure Backup Web Tool at the bottom of each page.
PAGE 76
Using the Oracle Secure Backup Web Tool ■ Hosts Click this link to configure one or more hosts. A host is a computer that participates in the Oracle Secure Backup administrative domain. ■ Devices Click this link to configure a tape device for use with Oracle Secure Backup. A tape device is a tape drive or tape library identified by a user-defined name. ■ Media Families Click this link to configure media families. A media family is a named classification of backup volumes.
PAGE 77
Using the Oracle Secure Backup Web Tool Figure 4–4 Oracle Secure Backup Manage Page The Manage page is divided into two main sections. One is for Maintenance, and the other is for Devices and Media. The Devices and Media section includes the following links: ■ Drives Click this link to determine the status of a volume or tape device or to mount or unmount a volume. ■ Libraries Click this link to view and control libraries.
PAGE 78
Using the Oracle Secure Backup Web Tool Click this link to manage daemons and control and view daemon properties. Web Tool Backup Page Click the Backup tab to display backup image options. Figure 4–5 shows a sample page. Figure 4–5 Oracle Secure Backup Backup Page The Backup page is divided into Operations and Settings sections. The Operations section contains the following link: ■ Backup Now Click this link to perform one-time backups of data described by an existing dataset file.
PAGE 79
Using obtool Using obtool obtool is the primary command-line interface to Oracle Secure Backup. The obtool executable is located in the bin subdirectory of the Oracle Secure Backup home. You can start obtool on any host in the administrative domain, log in to the domain as an Oracle Secure Backup user, and issue commands. All examples in this section assume that the bin subdirectory of the Oracle Secure Backup home is in your PATH.
PAGE 80
Using obtool Running obtool Commands in Interactive Mode You can enter the commands described in Oracle Secure Backup Reference at the obtool prompt.
PAGE 81
Using obtool with multiple obtool commands and redirect the obtool input to this script as follows: % obtool < /my_dir/my_script.txt obtool runs the commands from the file and then returns to the operating system prompt for your next command.
PAGE 82
Using obtool 4-14 Oracle Secure Backup Installation and Configuration Guide
PAGE 83
5 Configuring and Managing the Administrative Domain This chapter explains the basic steps involved in setting up an Oracle Secure Backup administrative domain after initial installation of the product on all of your hosts. Some steps, such as "Adding a Host to the Administrative Domain" on page 5-3, are also useful when managing an existing administrative domain.
PAGE 84
Configuring the Administrative Domain with Hosts If the administrative server is also assigned the media server role, then it is part of the administrative domain. Note: b. 3. Configure the administrative domain to include each tape device attached to this host. "Adding Tape Devices to an Administrative Domain" on page 5-10 describes this task.
PAGE 85
Configuring the Administrative Domain with Hosts ■ Host name ■ IP address ■ Assigned roles: client, media server or both ■ Whether the host is in service or not in service at the moment After adding a host to the administrative domain, Oracle recommends that you ping the host to confirm that it can be accessed by the administrative server.
PAGE 86
Configuring the Administrative Domain with Hosts The Oracle Secure Backup Web tool displays a form for entering configuration information about the host. 4. In the Host field, enter the unique name of the host in the Oracle Secure Backup administrative domain. In most cases, this name is the host name resolvable to an IP address using the host name resolution system (such as DNS or NIS) on your network. However, you can assign a different host name purely for use with Oracle Secure Backup.
PAGE 87
Configuring the Administrative Domain with Hosts Select this option for Windows, Linux and UNIX hosts that have Oracle Secure Backup installed. ■ NDMP Select this option for devices that support NDMP without an Oracle Secure Backup installation, such as a network-attached storage device. Note: OB access mode is a synonym for primary access mode. See "Oracle Secure Backup Host Access Modes" on page 1-3 for a discussion of access modes. 9.
PAGE 88
Configuring the Administrative Domain with Hosts Select this option to enter a password. ■ Set to NULL Check this to use a NULL password. The password is used to authenticate Oracle Secure Backup to this NDMP server. The practice of supplying a password in clear text on a command line or in a command script is not recommended by Oracle. It is a security vulnerability. The recommended procedure is to have the user be prompted for the password. Note: 13.
PAGE 89
Configuring the Administrative Domain with Hosts 2. Select the administrative server and click Edit. The Configure: Hosts > host_name page appears. 3. In the Roles list, shift-click to add the media server role and then click OK. The Configure: Hosts page reappears with the media server role added to the administrative server host.
PAGE 90
Configuring the Administrative Domain with Hosts Adding Backup and Restore Environment Variables to an NDMP Host Some NDMP hosts might require that you add backup and restore environment variables before they function with Oracle Secure Backup. To add backup and restore variables: 1. In the field that appears next to the Backup environment vars or Restore environment vars field, enter a name-value pair. 2. Click Add to add the name-value pair as an environment variable.
PAGE 91
Configuring the Administrative Domain with Hosts 4. Select one or more clients to use this IP address or DNS name from the Host list field. 5. Click Add. The Oracle Secure Backup Web tool displays the PNI in the IP Address: Host List field. To remove a PNI: 1. In the IP Address: Host List field, select the name of the PNI to remove. 2. Click Remove.
PAGE 92
Adding Tape Devices to an Administrative Domain Updating is useful only for hosts running Oracle Secure Backup natively. Hosts accessed in NDMP mode, such as NAS devices, do not maintain any Oracle Secure Backup state data and therefore it is not necessary to update their state information. To update a host: 1. From the Host page, select the name of the host to be updated. 2. Click Update. Removing a Host This section explains how to remove a host from an Oracle Secure Backup administrative domain.
PAGE 93
Adding Tape Devices to an Administrative Domain ■ Configuring Multihosted Device Objects See Also: "Configuring the Solaris sgen Driver to Provide Oracle Secure Backup Attach Points" on page 2-18 to learn how to create attach points for tape devices on Solaris 10 systems Tape Device Names A tape device can be assigned a logical name by the host operating system (such as nrst0a), but it also can have a worldwide name, such as nr.WWN[2:000:0090a5:0003f7]L1.a.
PAGE 94
Adding Tape Devices to an Administrative Domain ■ A storage element range that the tape device can use, if the tape drive is in a tape library Note: Oracle Secure Backup identifies each tape drive within a tape library by its data transfer element (DTE) number. You must assign each tape device a DTE number if it is installed within a tape library. DTEs are numbered 1 through n.
PAGE 95
Adding Tape Devices to an Administrative Domain 2. In the Devices section, click Libraries. The Manage: Libraries page appears. 3. Select the tape drive or tape library you want to inventory in the Devices table. 4. Select Inventory (Library | Drive) in the Library commands list. In this example, lib1 is selected. 5. Click Apply. The Manage: Libraries page appears. 6. Ensure that the Library list is set to the device you want to inventory. 7. Select the Force option.
PAGE 96
Adding Tape Devices to an Administrative Domain Figure 5–2 Devices Page Configuring a Tape Library This section explains how to configure a tape library for use with Oracle Secure Backup. To configure a tape library: 1. Disable any system software that scans and opens arbitrary SCSI targets before adding a tape device to an administrative domain.
PAGE 97
Adding Tape Devices to an Administrative Domain 9. In the World Wide Name field, enter a worldwide name for the tape device, if required. See Also: "Tape Device Names" on page 5-11 for more information on World Wide Names 10. In the Barcode reader list, select one of these options to indicate whether a barcode reader is present: ■ yes Select this option to indicate that the tape library has a barcode reader. ■ no Select this option to indicate that the tape library does not have a barcode reader.
PAGE 98
Adding Tape Devices to an Administrative Domain ejected and manually removes them. This option can be useful when the tape library has no import/export slots. 15. Enter a value in the Minimum writable volumes field. When Oracle Secure Backup scans tape devices for volumes to be moved, it looks at this minimum writable volume threshold.
PAGE 99
Adding Tape Devices to an Administrative Domain See Also: "Adding a Tape Device Attachment" on page 5-21 Configuring a Tape Drive This section explains how to configure a tape drive for use with Oracle Secure Backup. If the tape drive you want to configure is attached to a tape library, then you must configure the tape library first, as described in "Configuring a Tape Library" on page 5-14. To configure tape drives for use with Oracle Secure Backup: 1.
PAGE 100
Adding Tape Devices to an Administrative Domain 9. In the Debug mode list, select yes or no. The default is yes. 10. In the World Wide Name field, enter a worldwide name for the tape device, if required. See Also: "Tape Device Names" on page 5-11 for more information on World Wide Names 11. If the tape drive is located in a tape library, then select the tape library by name from the Library list. 12. In the DTE field, enter the data transfer element (DTE).
PAGE 101
Adding Tape Devices to an Administrative Domain ■ Storage element range or list Select this option for a numeric range of storage element addresses. Enter a range in the field, for example, 1-20. ■ All Select this option to specify all storage elements. For tape libraries with single tape drives, you can select this option to use all tapes. This is the default setting. ■ None Select this option to indicate that no storage elements have yet been specified.
PAGE 102
Adding Tape Devices to an Administrative Domain WWN: [none] new attach-point on host_name, rawname c0t0l1 host_name_c0t0l2 (new drive) WWN: [none] new attach-point on host_name, rawname c0t0l2 If there are no changed tape devices to discover, then the Oracle Secure Backup Web tool displays a message similar to the following: Info: beginning device discovery for host_name. Info: no device configuration changes found for host_name 3. Click OK to return to the Devices page.
PAGE 103
Adding Tape Devices to an Administrative Domain 1. This command creates the Oracle Secure Backup host object associated with the media server to which the VTL is attached. mkhost --access ob --ip ipname osb_media_server 2. This command creates the Oracle Secure Backup host object associated with the embedded NDMP server contained within the VTL. mkhost --access ndmp --ip ipname ndmp_server 3.
PAGE 104
Adding Tape Devices to an Administrative Domain Before configuring a device attachment, refer to the description of the mkdev command in Oracle Secure Backup Reference. The description of the aspec placeholder describes the syntax and naming conventions for device attachments. To configure a device attachment: 1. After adding or editing a device, click Attachments. 2. Select a host in the Host list. 3. In the Raw device field, enter the raw device name.
PAGE 105
Adding Tape Devices to an Administrative Domain The Oracle Secure Backup Web tool displays device attachments and other properties for the tape device you selected. 3. Click Close to exit the page. Multiple Attachments for SAN-Attached Tape Devices A tape device attached to a SAN often has multiple attachments, one for each host with local access to the tape device through its Fibre Channel interface.
PAGE 106
Verifying and Configuring Added Tape Devices If the device is configured as two separate device objects that point to the same physical device, then there is potential for contention. In this case, simultaneous backups to the these devices fail. Table 5–2 shows the incorrect configuration of a single tape library and tape drive shared by two hosts: host_a and host_b.
PAGE 107
Verifying and Configuring Added Tape Devices ■ The tape device type If a tape device is in service, then it Oracle Secure Backup can use it; if it is not in service, then Oracle Secure Backup cannot use it. When a tape device is taken out of service, no more backups are dispatched to it. To display tape device properties: 1. In the Device page, select the name of the tape device whose properties you want to display. 2. Click Show Properties.
PAGE 108
Verifying and Configuring Added Tape Devices In this example, library lib1 is verified. No errors are found. Setting Serial Number Checking You can use the Oracle Secure Backup Web tool to enable or disable tape device serial number checking. If serial number checking is enabled, then whenever Oracle Secure Backup opens a tape device, it checks the serial number of that device. If the tape device does not support serial number reporting, then Oracle Secure Backup simply opens the tape device.
PAGE 109
Verifying and Configuring Added Tape Devices 3. In the Policy column, click devices. The Configure: Defaults and Policies > Devices page appears. 4. 5. Do one of the following: a. Select Yes from the Check serial numbers list to enable tape device serial number checking. This is the default setting. b. Select No from the Check serial numbers list to disable tape device serial number checking. Click OK. The Configure: Defaults and Policies page appears with a success message.
PAGE 110
Verifying and Configuring Added Tape Devices 5-28 Oracle Secure Backup Installation and Configuration Guide
PAGE 111
6 Managing Security for Backup Networks This chapter describes how to make your backup network more secure. Oracle Secure Backup is automatically configured for network security in your administrative domain, but you can enhance that basic level of security in several ways. Secure communications among the nodes of your administrative domain concerns the encryption of network traffic among your hosts.
PAGE 112
Planning Security for an Administrative Domain Oracle Secure Backup meets these requirements in its default configuration. By default, all hosts that run Oracle Secure Backup must have their identity verified before they can join the administrative domain. A host within the domain uses an X.509 certificate for host authentication. After a Secure Sockets Layer (SSL) connection is established between hosts, control and data messages are encrypted when transmitted over the network.
PAGE 113
Planning Security for an Administrative Domain ■ Onlookers These users do not fall into any of the preceding categories of principals, but can access a larger network that contains the Oracle Secure Backup domain. Onlookers might own a host outside the domain. The relationships between assets and principals partially determine the level of security in the Oracle Secure Backup administrative domain: ■ ■ ■ In the highest level of security, the only principal with access to an asset is the owner.
PAGE 114
Planning Security for an Administrative Domain Figure 6–1 Administrative Domain with One Host Administrative Server, Media Server, and Client Linux Backup Recovery Manager Restore Tape .... .... .... .... .... .... Tape Library Oracle Database Offsite Storage This type of environment is small and isolated from the wider network. The data in this network type is probably on the low end of the sensitivity range.
PAGE 115
Planning Security for an Administrative Domain Figure 6–2 Administrative Domain with Multiple Hosts Data Flow Oracle Secure Backup Clients NAS Appliance NDMP Oracle Secure Backup Administrative Server UNIX Oracle Secure Backup Media Server Linux Backup Oracle Secure Backup Catalog Linux Restore Tape ... ... ... ... ... ... ......
PAGE 116
Planning Security for an Administrative Domain As with the single system network type, the administrative domain exists in a network environment that is secure. Administrators secure each host, tape device, and tapes by external means. Active attacks by a hacker are not likely. Administrators assume that security maintenance and administration for the domain requires almost no overhead.
PAGE 117
Planning Security for an Administrative Domain Oracle Secure Backup cannot itself provide physical or network security for any host nor verify whether such security exists. For example, Oracle Secure Backup cannot stop malicious users from performing the following illicit activities: ■ Physically compromising a host An attacker who gains physical access to a host can steal or destroy the primary or secondary storage. For example, a thief could break into an office and steal servers and tapes.
PAGE 118
Trusted Hosts Automated mode is easier to use but is vulnerable to unlikely man-in-the-middle attacks in which an attacker steals the name of a host just before you invite it to join the domain. This attacker could use the stolen host identity to join the domain illicitly. Manual mode is more difficult to use than automated mode, but is not vulnerable to the same kinds of attacks. In manual mode, the administrative server does not transmit identity certificate responses to the host.
PAGE 119
Host Authentication and Communication the media server, and host client as the client. An Oracle Secure Backup user belonging to a class that has the manage devices class right attempts to run lsvol -L library_name in obtool. If the attempt is made on client, then it fails with an illegal request from non-trusted host error. The same command succeeds when attempted on admin or media. You can turn off these trust checks by setting the Oracle Secure Backup security policy trustedhosts to off.
PAGE 120
Host Authentication and Communication creates a digital signature by submitting the message as input to a cryptographic hash function and then encrypting the output hash with a private key. The receiving host authenticates the digital signature by decrypting it with the sending host's public key.
PAGE 121
Host Authentication and Communication Automated and Manual Certificate Provisioning Mode Oracle Secure Backup provides automated and manual modes for initializing the security credentials for a client host that wants to join the domain. The automated mode is easy to use, but it has potential security vulnerabilities. The manual mode is harder to use, but it is less vulnerable to tampering. In automated certificate provisioning mode, which is the default, adding a host to the domain is transparent.
PAGE 122
Host Authentication and Communication Figure 6–4 Oracle Wallets Issues and Signs Media Server or Client (Host A) Host A Private Key Host A Identity Certificate Trusted Certificate from CA Wallet Certification Authority Obfuscated Wallet observiced Chain of Trust Administrative Server (Host B) Host B Private Key Host B Identity Certificate CA Signing Certificate Wallet Obfuscated Wallet SSL Oracle Secure Backup Encryption Wallet The administrative server has a second wallet that is used to stor
PAGE 123
Host Authentication and Communication exclude name *.p12 See Also: Oracle Secure Backup Administrator's Guide for more information on dataset statements and catalog recovery Web Server Authentication The Apache Web server for the administrative domain runs on the administrative server as the obhttpd daemon. When you issue commands through the Oracle Secure Backup Web tool, obhttpd repackages them as obtool commands and passes them to an instance of obtool running on the administrative server.
PAGE 124
Encryption of Data in Transit a host identity certificate and then change your mind, then you must reinstall the Oracle Secure Backup software on the affected host. Encryption of Data in Transit Figure 1–2, "Oracle Secure Backup Administrative Domain with Multiple Hosts" on page 1-5 illustrates the control flow and data flow within an administrative domain. Control messages exchanged by hosts in the administrative domain are encrypted by Secure Sockets Layer (SSL).
PAGE 125
Default Security Configuration ■ Unencrypted RMAN backup of a database on client_host. Oracle Secure Backup does not encrypt the data before transferring it over the network to media_server. After Oracle Secure Backup writes the data to tape, the data resides on tape in unencrypted form. ■ Unencrypted RMAN backup of a database on client_host with encryptdataintransit set to yes. Oracle Secure Backup encrypts the data before transferring it over the network to media_server.
PAGE 126
Configuring Security for the Administrative Domain ■ Disable SSL for inter-host authentication and communication by setting the securecomms security policy ■ Transmit identity certificates in manual certificate provisioning mode ■ Set the key size for a host to a value greater or less than the default of 1024 bits ■ Enable encryption for backup data in transit by setting the encryptdataintransit security policy Configuring Security for the Administrative Domain This section describes how to configu
PAGE 127
Configuring Security for the Administrative Domain Configuring Media Servers and Clients Oracle Secure Backup creates security credentials for a host when you use the Oracle Secure Backup Web tool or run the mkhost command in obtool to configure the host. The procedure differs depending on whether you add hosts in automated or manual certificate provisioning mode.
PAGE 128
Configuring Security for the Administrative Domain 7. Copy the signed identity certificate to a temporary location on the file system. 8. Enter the following command at the obcm prompt, where signed_ certificate_file is the filename of the certificate: import --file signed_certificate_file Because only one Oracle Secure Backup wallet exists on the host, you are not required to specify the --host option. For example, the following example imports the certificate from /tmp/brhost2_cert.
PAGE 129
Configuring Security for the Administrative Domain You can set the key size in the obparameters file when you install Oracle Secure Backup on the administrative server. When you install Oracle Secure Backup interactively, the install script gives you an opportunity to modify the obparameters file. To set the key size in obparameters when installing interactively: 1.
PAGE 130
Configuring Security for the Administrative Domain You can set the key size when you use the mkhost command or Oracle Secure Backup Web tool to configure a host. If you specify the --certkeysize option on the mkhost command, then the specified value overrides the default certificate key size set in the security policy. The key size applies only to the newly configured host and does not affect the key size of any other current or future hosts.
PAGE 131
Managing Certificates with obcm Managing Certificates with obcm This section explains how to use the obcm utility. You can use this utility to import certificates, export certificates, and export certificate requests. You must use obcm when you add hosts in the domain in manual rather than automated certificate provisioning mode.
PAGE 132
Managing Certificates with obcm import --file signed_certificate_file Because only one Oracle Secure Backup wallet exists on the host, you are not required to specify the --host option. For example, the following example imports the certificate from /tmp/brhost2_cert.f: import --file /tmp/brhost2_cert.f The obcm utility issues an error message if the certificate being imported does not correspond to the certificate request in the wallet. 5.
PAGE 133
A Oracle Secure Backup Directories and Files This appendix explains the structure and contents of the Oracle Secure Backup directories. This appendix contains these sections: ■ Oracle Secure Backup Home Directory ■ Administrative Server Directories and Files ■ Media Server Directories and Files ■ Client Host Directories and Files Note: Some of the directories and files listed in this appendix are not created until after a backup has been performed by Oracle Secure Backup.
PAGE 134
Administrative Server Directories and Files ■ Table A–1 Linux and UNIX Directories and Files for an Administrative Server Architecture-Independent Directories and Files for an Administrative Server Directory or File Description admin/ Administrative domain databases admin/config/ Configuration databases admin/config/class/ User class data admin/config/dataset/ Datasets admin/config/default/ Defaults and policies data admin/config/device/ Device data admin/config/duplication/ Duplication
PAGE 135
Administrative Server Directories and Files Table A–1 (Cont.) Architecture-Independent Directories and Files for an Administrative Server Directory or File Description admin/state/host/host_name/ State for host_name admin/state/scheduler/ Scheduler state admin/state/scheduler/job/ Job state apache/ Apache Web server files apache/conf/ Apache server configuration files apache/conf/ssl.crl/ Apache server certificate revocation list apache/conf/ssl.
PAGE 136
Media Server Directories and Files Table A–3 Linux and UNIX Directories and Files for an Administrative Server Directory or File Description .bin.operating_system/ Executables for operating_system, where operating_system is a derivative of the operating system name. For example, the directory for Sun Solaris is .bin.solaris. .drv.operating_system/ Device drivers for operating_system etc/ Architecture-independent executables for daemons and maintenance tools .etc.
PAGE 137
Client Host Directories and Files Table A–4 Architecture-Independent Directories for a Media Server Directory Description bin/ Executables or links to executables: ■ ■ device/ Table A–5 In an installation on a Windows operating system, this directory contains the executables for the Windows operating system. In an installation on a Linux or UNIX operating system, this directory contains links to the executables for the operating system.
PAGE 138
Client Host Directories and Files Table A–7 Architecture-Independent Directory for a Client Host Directory Description bin/ Executables or links to executables ■ ■ Table A–8 In an installation on a Windows operating system, this directory contains the executables for the Windows operating system. In an installation on a Linux or UNIX operating system, this directory contains links to the executables for the operating system.
PAGE 139
B Oracle Secure Backup obparameters Installation Parameters This appendix describes the installation parameters for Oracle Secure Backup on Linux or UNIX. You can set these parameters in the obparameters file, which is a plain text file located in the install subdirectory of the Linux or UNIX Oracle Secure Backup home. Note: The obparameters file is not used in Windows installations.
PAGE 140
start daemons at boot Table B–1 customized obparameters: Values Value Meaning no (default) Specifies that installation parameters in the obparameters file have not been changed. The value of no is set by default. yes Specifies that installation parameters in the obparameters file have been changed. start daemons at boot The installation tools can update the control file of each host to automatically start Oracle Secure Backup each time you start the system.
PAGE 141
linux ob dir and solaris64 ob dir Table B–4 create preauthorized oracle user: Values Value Meaning yes An Oracle Secure Backup user is created during installation. The parameters default UNIX user and default UNIX group specify the user and group parameters with which the Oracle Secure Backup user is created. no (default) No Oracle user is created.
PAGE 142
linux db dir and solaris64 db dir Table B–7 os-name ob dir: Parameters and Values Parameter Meaning linux ob dir Specifies Oracle Secure Backup home location for Linux hosts. The default is /usr/local/oracle/backup. solaris64 ob dir Specifies Oracle Secure Backup home location for Solaris 64-bit hosts. The default is /usr/local/oracle/backup. linux db dir and solaris64 db dir Each platform has a discrete directory in which Oracle Secure Backup retains host-specific information.
PAGE 143
default protection 1. The name of the directory in which to create the bin link. 2. The name of the directory in which to create the etc link. 3. The name of the directory in which to create the lib link. Oracle recommends using the defaults provided for this parameter. Note: Table B–10 os-name links: Parameters and Values Parameter Meaning linux links Specifies the directories where symbolic links are created for Linux hosts. The default directory list is /usr/bin/etc/lib.
PAGE 144
run obopenssl root.0 root.0 root.0 root.0 root.0 root.0 root.0 root.0 root.0 root.0 root.0 root.0 root.0 root.0 root.0 root.0 root.0 root.0 root.0 root.0 root.0 root.0 root.0 root.0 root.0 root.0 root.0 root.0 root.0 root.0 root.0 root.0 755 644 755 644 755 644 644 644 755 755 755 700 700 700 755 4755 4755 4755 755 4755 4755 4755 4755 755 4755 644 755 755 755 644 755 644 ./.wrapper ./device/* ./install/* ./help/* ./man/* ./man/man1/* ./man/man8/* ./samples/* ./samples/autoobtar ./samples/bdf2ds .
PAGE 145
C Determining Linux SCSI Parameters For the Linux and UNIX platforms, if you do not know the SCSI parameters of a tape device, then you must determine them before you begin installation. This appendix describes procedures for determining SCSI device parameters on Linux and UNIX. Determining SCSI Device Parameters on Linux To obtain tape device information on Linux, use the cat command to view the contents of /proc/scsi/scsi.
PAGE 146
Determining SCSI Device Parameters on Linux ■ The value for Lun is the SCSI LUN. For example, in this output the SCSI LUN of both tape devices is 0. By convention, the tape library and tape drive can each be assigned 0 as the Oracle Secure Backup logical unit number. Based on the output shown in Example C–1, Table C–1 summarizes the tape device information for storabck05.
PAGE 147
D Oracle Secure Backup and ACSLS This appendix describes Oracle Secure Backup support for StorageTek Automated Cartridge System Library Software (ACSLS). ACSLS is a package of server software that controls one or more Automated Cartridge Systems tape library.
PAGE 148
ACSLS and Oracle Secure Backup Figure D–1 Library with ACSLS Server ACSLS offers the following advantages: ■ Handles multiple libraries and multiple clients ■ Manages tape drive loading and unloading ■ Manages tape volume importing and exporting ■ Handles mixed media types ■ Optionally imposes access controls based on user ID, command, and volume ID ■ Supports multiple pools of scratch tapes ■ Generates inventory and configuration reports ■ Manages cleaning cartridges and cleaning operation
PAGE 149
Imports and Exports ACSLS supports virtual tapes that do not have a physical barcode attached to them. Oracle Secure Backup does not support virtual tapes within an ACS system. Oracle Secure Backup requires that all cartridges within an ACS system have properly affixed and readable barcodes. Note: The concept of a scratch pool in ACSLS is simply a blank tape.
PAGE 150
Access Controls that emptied state. Because there is only one obacslibd daemon controlling each ACS tape library, no other tape library operations are permitted until the CAP is cleared. You can control how long an outstanding request waits for the CAP to be cleared with the maxacsejectwaittime policy. Oracle Secure Backup does not support the importvol command for ACSLS tape libraries. You can use the ACSLS cmd_proc utility to enter a volume into the tape library.
PAGE 151
Installation and Configuration Unsupported Oracle Secure Backup Commands The following Oracle Secure Backup commands are not supported for ACSLS tape libraries: ■ importvol ■ extractvol ■ insertvol ■ clean ■ opendoor ■ closedoor Installation and Configuration The Oracle Secure Backup media server attached to the ACSLS server must be a Linux 32-bit media server. Oracle Secure Backup installation assumes that the ACSLS hardware and software has been correctly installed and configured.
PAGE 152
Installation and Configuration D-6 Oracle Secure Backup Installation and Configuration Guide
PAGE 153
Glossary active location A location in a tape library or tape drive. administrative domain A group of computers on your network that you manage as a common unit to perform backup and restore operations. An administrative domain must include one and only one administrative server. It can include the following: ■ One or more clients ■ One or more media servers An administrative domain can consist of a single host that assumes the roles of administrative server, media server, and client.
PAGE 154
backup image backup image The product of a backup operation. A single backup image can span multiple volumes in a volume set. The part of a backup image that fits on a single volume is called a backup section. backup image file The logical container of a backup image. A backup image consists of one file. One backup image consists of one or more backup sections. backup job A backup that is eligible for execution by the Oracle Secure Backup scheduler.
PAGE 155
cryptographic hash function blocking factor The number of 512-byte blocks to include in each block of data written to each tape drive. By default, Oracle Secure Backup writes 64K blocks to tape, which is a blocking factor of 128. Because higher blocking factors usually result in better performance, you can try a blocking factor larger than the obtar default. If you pick a value larger than is supported by the operating system of the server, then Oracle Secure Backup fails with an error.
PAGE 156
cumulative incremental backup cumulative incremental backup A type of incremental backup in which Oracle Secure Backup copies only data that has changed at a lower backup level. For example, a level 3 incremental backup copies only that data that has changed since the most recent backup that is level 2 or lower. daemons Background processes that are assigned a task by Oracle Secure Backup during the execution of backup and restore operations.
PAGE 157
filer attach point A filename in the /dev file system on UNIX or Linux that represents a hardware tape device. A attach point does not specify data on disk, but identifies a hardware unit and the device driver that handles it. The inode of the file contains the device number, permissions, and ownership data. An attachment consists of a host name and the attach point name by which that device is accessed by Oracle Secure Backup.
PAGE 158
firewall firewall A system designed to prevent unauthorized access to or from a private network. full backup An operation that backs up all of the files selected on a client. Unlike in an incremental backup, files are backed up whether they have changed since the last backup or not. heterogeneous network A network made up of a multitude of computers, operating systems, and applications of different types from different vendors.
PAGE 159
network description file logical unit number Part of the unique identifier of a tape device. See Oracle Secure Backup logical unit number and SCSI LUN. manual certificate provisioning mode A mode of certificate management in which you must manually export the signed identity certificate for a host from the administrative server, transfer it to the host, and manually import the certificate into the wallet of the host.
PAGE 160
Network File System (NFS) the host name, and each tape drive attached. The install subdirectory in the Oracle Secure Backup home includes a sample network description file named obndf. Network File System (NFS) A client/server application that gives all network users access to shared files stored on computers of different types. NFS provides access to shared files through an interface called the Virtual File System (VFS) that runs on top of TCP/IP.
PAGE 161
privileged backup and configuration files. The contents of the directory differ depending on which role is assigned to the host within the administrative domain. Oracle Secure Backup logical unit number A number between 0 and 31 used to generate unique attach point names during device configuration (for example, /dev/obt0, /dev/obt1, and so on). Although it is not a requirement, unit numbers typically start at 0 and increment for each additional device of a given type, whether tape library or tape drive.
PAGE 162
public key root user identity. On Windows systems, the backup runs under the same account (usually Local System) as the Oracle Secure Backup service on the Windows client. public key A number associated with a particular entity intended to be known by everyone who must have trusted interactions with this entity. A public key, which is used with a corresponding private key, can encrypt communication and verify signatures.
PAGE 163
tape drive service daemon A daemon (observiced) that runs on each host in the administrative domain that communicates through primary access mode. The service daemon provides a wide variety of services, including certificate operations. SCSI See Small Computer System Interface (SCSI) SCSI LUN SCSI logical unit number. A 3-bit identifier used on a SCSI bus to distinguish between up to eight devices (logical units) with the same SCSI ID.
PAGE 164
tape library tape library A medium changer that accepts Small Computer System Interface (SCSI) commands to move a volume from a storage element to a tape drive and back again. tape service A Network Data Management Protocol (NDMP) service that transfers data to and from secondary storage and allows the data management application (DMA) to manipulate and access secondary storage. TCP/IP Transmission Control Protocol/Internet Protocol.
PAGE 165
write window volume expiration time The date and time on which a volume in a volume set expires. Oracle Secure Backup computes this time by adding the write window duration, if any, to the volume creation time for the first volume in the set, then adding the volume retention period. For example, assume that a volume set belongs to a media family with a retention period of 14 days and a write window of 7 days.
PAGE 166
write window close time the volume set until it expires (as determined by its expiration policy), or until it is relabeled, reused, unlabeled, or forcibly overwritten. A write window is associated with a media family. All volume sets that are members of the media family remain open for updates for the same time period. write window close time The date and time that a volume set closes for updates.
PAGE 167
Index A access mode about, 1-3 about NDMP, 1-3 about primary, 1-3 selecting, 5-4 ACSLS about, D-1 access controls, D-4 and obtool, D-2 cartridges, D-2 communicating with, D-3 configuration, D-5 drive association, D-3 imports and exports, D-3 installation, D-5 modified obtool commands, D-4 scratch pool, D-3 scratch pool management, D-4 unsupported obtool commands, D-5 volume loading and unloading, D-3 adding hosts, 5-3 hosts in manual certificate provisioning mode, 6-17 tape device attachments, 5-21 admin us
PAGE 168
C certificate provisioning about automated mode, 6-7 about manual mode, 6-7 Certification Authority (CA), 6-10 and network security, 6-9 certkeysize policy, 6-19 client defined, 1-2 installation on Linux/UNIX, 2-8 installation on Windows, 3-6 client host directories, A-5 files, A-5 clients configuring security, 6-17 configuration file parameters ask about osb dir, B-5 create preauthorized oracle user, B-2 customized obparameters, B-1 default protection, B-5 default UNIX/LINUX group, B-3 default UNIX/LINUX u
PAGE 169
Web tool Hosts page, 5-3 Web tool Manage page, 4-8 Web tool Restore page, 4-10 DTE See data transfer element E editing host properties, 5-9 tape device properties, 5-25 e-mail address adding on Linux/UNIX, 2-10 encryptdataintransit policy, 6-14, 6-16 encryption in transit, 6-14 environment variables setting for NDMP host, 5-8 error rate setting for tape drive, 5-18 exporting identity certificates, 6-21 F Fibre Channel parameters prerequisites, 2-3 filers support for SSL, 6-9 firewalls configuring after in
PAGE 170
create preauthorized oracle user, B-2 customized obparameters, B-1 default protection, B-5 default UNIX/LINUX group, B-3 default UNIX/LINUX user, B-3 identity certificate key size, B-2 linux db dir, B-4 linux links, B-4 linux ob dir, B-3 linux temp dir, B-4 run obopenssl, B-6 solaris db dir, B-4 solaris links, B-4 solaris ob dir, B-3 solaris temp dir, B-4 solaris64 db dir, B-4 solaris64 links, B-4 solaris64 ob dir, B-3 solaris64 temp dir, B-4 start daemons at boot, B-2 installing ACSLS, D-5 installob runnin
PAGE 171
automated certificate provisioning mode, 6-17 backup environment, 6-3 Certification Authority, 6-9 Certification Authority (CA), 6-10 certkeysize, 6-19 configuring clients, 6-17 configuring media servers, 6-17 configuring the administrative server, 6-16 corporate network example, 6-6 data center example, 6-4 default configuration, 6-15 disabling SSL, 6-20 distributing identity certificates, 6-7 enabling backup encryption, 6-14 encryptdataintransit, 6-14, 6-16 exporting signed certificates, 6-21 host authent
PAGE 172
creating admin password during installation on Linux/UNIX, 2-9 creating admin user password during installation on Windows, 3-12 creating keystore password during installation on Windows, 3-11 Oracle wallet, 6-11 setting NDMP host password type, 5-5 pinging hosts, 5-9 tape device attachments, 5-22 tape devices, 5-24 port number setting for NDMP host, 5-6 preferred network interfaces (PNI) configuring, 5-8 removing, 5-9 prerequisites Fibre Channel parameters, 2-3 Linux and UNIX, 2-2 SCSI Generic driver, 2-2
PAGE 173
trusted hosts, 6-8 using obcm utility, 6-11 X.
PAGE 174
U uninstalling Oracle Secure Backup on Linux/UNIX, 2-20 Oracle Secure Backup on Windows, 3-20 uninstallob running, 2-20 updating hosts, 5-9 tape device inventory, 5-12 upgrade installation about, 1-14 on Windows 32-bit, 3-19 on Windows x64, 3-20 usage setting tape drive usage, 5-18 use list configuring for tape drive, 5-18 users default UNIX/LINUX user obparameter, B-3 V viewing host properties, 5-9 virtual tape libraries backup operations, 1-9 defined, 1-9 volumes automatic ejection, 5-15 inventory update