Oracle® Secure Backup Administrator's Guide
This chapter introduces Oracle Secure Backup and describes the basic architecture of an Oracle Secure Backup environment. This chapter contains the following topics:
Oracle Secure Backup supplies reliable data protection through file system backup to tape. The Oracle Secure Backup SBT interface enables you to use Recovery Manager (RMAN) to back up Oracle databases. All major tape drives and tape libraries in SAN, Gigabit Ethernet, and SCSI environments are supported.
Oracle Secure Backup enables you to do the following:
Centrally manage tape backup and restore operations of distributed, mixed-platform environments (see Oracle Secure Backup Installation Guide for supported machine architectures). You can access local and remote file systems and devices from any location in a network without using NFS or CIFS.
Use wildcards and exclusion lists to specify what you want to back up.
Create backups that span multiple volumes.
Optimize tape resources with automatic drive sharing.
Restore data rapidly. Oracle Secure Backup uses direct-to-block positioning and direct access restore to avoid unnecessarily reading tape blocks to locate files. Oracle Secure Backup maintains a record of the tape position of all backup data in its catalog for rapid retrieval.
Maintain security and limit the users who are authorized to perform data management operations. By default, SSL is used for authentication and communication between hosts in the administrative domain.
Recovery Manager (RMAN) is an Oracle Database-specific backup and recovery utility. RMAN is a built-in part of Oracle Database and backs up, restores, and recovers database files regardless of the type of disk storage used for these files.
RMAN knows and applies the complex rules that must be followed to recover Oracle databases. If your database backup strategy needs storage resources other than local disk, then you must use RMAN in conjunction with a general-purpose network backup tool such as Oracle Secure Backup.
Oracle Secure Backup can back up all types of files on the file system. Although Oracle Secure Backup has no specialized knowledge of database backup and recovery algorithms, it can serve as a media management layer for RMAN through the SBT interface. In this capacity, Oracle Secure Backup provides the same services for RMAN as other supported third-party SBT libraries. Oracle Secure Backup is better integrated with Oracle Enterprise Manager, however, than other media managers.
Table 1-1 describes differences between RMAN and Oracle Secure Backup in terms of the type of data backed up and the type of media used for backup storage.
|Type of Data||Type of Backup Storage||Oracle Secure Backup Backup and Restore||Recovery Manager Backup and Restore|
Oracle datafiles, control files, and archived redo logs
Yes (only with RMAN)
Oracle datafiles, control files, and archived redo logs
Non-database files on the file system
Non-database files on the file system
See Also: Oracle Database Backup and Recovery Basics to learn about Recovery Manager
Figure 1-1 shows the interfaces that you can use to access Oracle Secure Backup.
Users interact with Oracle Secure Backup by means of one of the following tools:
Oracle Secure Backup Web tool
The Web tool utilizes an Apache Web server, which runs on the administrative server. As explained in "Using the Web Tool", you can access the Web tool from any Web browser that can connect to this server.
Oracle Secure Backup command-line interface (obtool)
Oracle Secure Backup provides a command-line program called obtool as an alternative to the Web tool. You can log in to the administrative domain through obtool to back up and restore file system data and to perform configuration and administration tasks.
As explained in "Using obtool", you can run the obtool utility on any host in the administrative domain on which Oracle Secure Backup is installed.
Oracle Enterprise Manager Database Control and Grid Control
Oracle Enterprise Manager is a set of GUI-based tools for managing the Oracle environment. You can use Enterprise Manager to schedule and perform RMAN backups through the Oracle Secure Backup SBT interface. You can also perform administrative tasks such as managing media and devices within the Oracle Secure Backup administrative domain. The Enterprise Manager console includes a link to the Oracle Secure Backup Web tool.
As explained in "Using Oracle Enterprise Manager", you can use Enterprise Manager Database Control to back up a database on the administrative server. You can run Enterprise Manager Grid Control on any database host within the administrative domain and use this interface to manage all database backup and restore operations.
Recovery Manager command-line interface (
You can use the RMAN command-line interface to configure and initiate backup and restore operations that use the Oracle Secure Backup SBT interface. The RMAN utility is located in the bin subdirectory of an Oracle home.
As explained in "Interfaces for Managing Database Backup and Recovery", you can run the RMAN command-line client on any database host so long as it can connect to the target database. For RMAN to make backups to Oracle Secure Backup, the Oracle Secure Backup SBT library must reside on the same host as the target database.
Chapter 3, "Getting Started" for an orientation to the interfaces to Oracle Secure Backup
Oracle Enterprise Manager Administrator's Guide and the Enterprise Manager online help to learn how to use Enterprise Manager
Oracle Secure Backup Reference to learn about
Oracle Database Backup and Recovery Basics to learn about the Recovery Manager command-line interface
The Network Data Management Protocol (NDMP) defines a common architecture for backups of file servers on a network. NDMP specifies the format and means of transmission of messages and payload data. NDMP is an open standard protocol that is promoted and supported by industry vendors.
NDMP enables a centralized backup application, which is called the Data Management Application (DMA), to back up and restore file servers that run on different platforms. NDMP is commonly used by Network Attached Storage (NAS) devices, also known as filers, to perform backup and restore operations without requiring backup software to be installed. This model is different from the classical backup model, which requires the installation of backup software on each host.
The DMA manages backup and restore operations by establishing a TCP/IP-based control connection with an NDMP server. An NDMP server provides NDMP services, which are the NDMP interfaces to the storage devices. The data service transfers data to and from the primary disk storage, whereas the tape service transfers data to and from secondary storage such as a tape drive.
With NDMP, network congestion is minimized because the data path and control path are separated. Data transfer can occur locally—from file servers directly to and from tape drives—while management occurs centrally.
Oracle Secure Backup uses NDMP for data transfer and remote control of tape drives and tape libraries. Thus, Oracle Secure Backup supports devices connected to Windows, Linux, and UNIX hosts with Oracle Secure Backup's internal NDMP server. While Oracle Secure Backup leverages NDMP, it is transparent to users except when backing up a NAS device that requires NDMP for optimal backup operations.
In addition to Windows, Linux, and UNIX hosts, Oracle Secure Backup supports special-purpose appliances such as Network Appliance filers, Mirapoint message servers, and DinoStor tape appliances. These appliances can be backed up locally or remotely, but cannot perform the role of Oracle Secure Backup administrative server because backup software cannot be installed on them.
Although Oracle Secure Backup uses NDMP, specific NAS devices utilizing NDMP must still be tested and supported by Oracle Secure Backup.
Tape device matrixes are available at the following URL:
An administrative domain is a network of hosts that you manage as a common unit to perform backup and restore operations. To configure Oracle Secure Backup, you need to assign roles to each host in the domain. A single host can have one or more of the following roles:
You can assign this role to a host in your administrative domain that contains a copy of Oracle Secure Backup software. The administrative server maintains the configuration data and catalogs for the domain (see "Administrative Data"). An administrative domain has one and only one administrative server.
The administrative server runs the Oracle Secure Backup scheduler, which starts and monitors backup and restore jobs within the administrative domain. You choose your administrative server when you install Oracle Secure Backup. Note that the administrative server can co-reside on a host with other applications or function as a dedicated, single-purpose server.
You can assign this role to a host whose locally-accessed data is backed up by Oracle Secure Backup. An administrative domain has one or more client hosts. Most hosts defined within the administrative domain are clients.
Figure 1-2 illustrates a sample Oracle Secure Backup administrative domain. In this scenario, the domain includes five hosts: an administrative server, a media server with attached tape library, and three clients. Two of the clients run Oracle databases; the other client is a NAS appliance.
Figure 1-3 illustrates a different Oracle Secure Backup administrative domain that contains a single Linux host. This host assumes the roles of administrative server, media server, and client. The host runs an Oracle database and has a tape library locally attached.
Communications with a host in an administrative domain occur through one of the following access modes:
In primary access mode, Oracle Secure Backup is installed on a host. The programming components of Oracle Secure Backup are running in the background as daemons. The daemons actively participate in managing backup and restore operations. Typically, an Oracle database resides on a host accessed through this mode.
Note: In the Enterprise Manager GUI, primary access mode is referred to as native access mode. In the Oracle Secure Backup Web tool and the output of some obtool commands such as lshost, primary mode is referred to as OB access mode.
An NDMP host is a storage appliance from third-party vendors such as Network Appliance, Mirapoint, or DinoStor. An NDMP host uses a vendor-specific implementation of the NDMP protocol to back up and restore file systems. Oracle Secure Backup software is not installed on an NDMP host, but is accessible to Oracle Secure Backup through NDMP.
In Example 1-1, the lshost command in obtool displays the hosts in an administrative domain. The command indicates the access mode of each host—NDMP or primary (OB).
ob> lshost
br_filer         client                            (via NDMP) in service
stadv07          admin,mediaserver,client          (via OB)   in service
As explained in "Oracle Secure Backup and NDMP", Oracle Secure Backup uses NDMP for data transfer among hosts regardless of whether a host is accessed through the primary or NDMP modes. For example, a Windows administrative server uses NDMP to exchange data with a NetApp filer and a Linux client.
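As an added example (not part of the Oracle guide), the following Python script parses lshost output in the layout of Example 1-1 and lists the hosts reached through NDMP, which are the hosts whose host-level NDMP password and authentication method need review. The row layout beyond the two lines shown in the guide, the host lab_nas, and its status text are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of Example 1-1; the third host and its
# status text are invented for illustration and do not come from the guide.
SAMPLE_LSHOST = """\
br_filer         client                            (via NDMP) in service
stadv07          admin,mediaserver,client          (via OB)   in service
lab_nas          mediaserver,client                (via NDMP) not in service
"""

# name, comma-separated roles, access mode in "(via ...)", then free-form status.
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<roles>\S+)\s+\(via\s+(?P<mode>[^)]+)\)\s+(?P<status>.+?)\s*$"
)

def parse_lshost(text):
    """Return one dict per host line; raise on lines that do not match."""
    hosts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("ob>"):
            continue  # skip blanks and an echoed obtool prompt
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: unrecognized lshost row: {line!r}")
        hosts.append({
            "name": m["name"],
            "roles": m["roles"].split(","),
            "mode": m["mode"].strip(),
            "status": m["status"],
        })
    return hosts

def hosts_by_mode(hosts):
    """Group host names by access mode (OB = primary, NDMP = appliance)."""
    groups = defaultdict(list)
    for h in hosts:
        groups[h["mode"]].append(h["name"])
    return dict(groups)

def ndmp_review_list(hosts):
    """NDMP-mode hosts: no Oracle Secure Backup software is installed on them,
    so the per-host NDMP password and authentication method are what to review."""
    return sorted(h["name"] for h in hosts if h["mode"].upper() == "NDMP")

if __name__ == "__main__":
    parsed = parse_lshost(SAMPLE_LSHOST)
    print("review NDMP auth settings for:", ndmp_review_list(parsed))
```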
Oracle Secure Backup organizes information about the administrative domain as a hierarchy of files in the Oracle Secure Backup home on the administrative server. The Oracle Secure Backup home is the directory in which Oracle Secure Backup is installed.
Figure 1-4 shows the directory structure of an Oracle Secure Backup home. This directory structure is the same for all platforms, but the default home is /usr/local/oracle/backup for UNIX and Linux and C:\Program Files\Oracle\Backup for Windows.
The administrative data includes configuration data about domain-wide entities such as classes, devices, media families, and so on. As shown in Figure 1-4, config contains several subdirectories, each of which represents an object that Oracle Secure Backup maintains. In each object directory, Oracle Secure Backup maintains files describing the characteristics of the corresponding object.
The Oracle Secure Backup catalog contains backup-related information. The admin/history/host directory contains subdirectories named after the hosts in the administrative domain; each of these subdirectories contains a file in which the catalog data is stored. Oracle Secure Backup also maintains backup sections, backup pieces, and volumes catalogs in the
See Also: Oracle Secure Backup Installation Guide to learn more about the files and directories in the Oracle Secure Backup home
This section explains the concept of an Oracle Secure Backup user, which is a domain-wide identity. A class is a named collection of rights assigned to this user.
Oracle Secure Backup stores information pertaining to Oracle Secure Backup users and rights on the administrative server, enabling Oracle Secure Backup to maintain a consistent user identity across the administrative domain.
Each user of an Oracle Secure Backup domain has an account and an encrypted password stored on the administrative server. An operating system user can enter the Oracle Secure Backup username and password in the Web tool or obtool. The client program sends the password over an encrypted SSL connection to the administrative server for authentication.
The namespace for Oracle Secure Backup users is distinct from the namespaces of existing UNIX, Linux, and Windows users. Thus, if you log in to a host in the administrative domain as operating system user muthu, and if an Oracle Secure Backup user in the domain is named muthu, these accounts are separately managed even though the name is the same. For convenience, you may want to create an Oracle Secure Backup user with the same name and password as an operating system user.
When you create an Oracle Secure Backup user, you can associate it with UNIX and Windows accounts. These accounts are used for unprivileged backup, that is, backups that do not run with root privileges. In contrast, privileged backup and restore operations run on a client with root (UNIX) or Local System (Windows) permissions.
Assume you create the Oracle Secure Backup user jdoe and associate it with UNIX account x_usr and Windows account
jdoe uses the backup --unprivileged command to back up a client in the domain, the jobs run under the operating system accounts associated with
jdoe can only back up files on a UNIX client accessible to x_usr and files on a Windows client accessible to
If you have the modify administrative domain's configuration right, then you can configure the preauthorization attribute of an Oracle Secure Backup user. You can preauthorize operating system users to make RMAN backups or log in to Oracle Secure Backup command-line utilities. For example, you can preauthorize the x_usr UNIX user to log in to obtool as Oracle Secure Backup user
You can configure user access to NDMP hosts when setting up an Oracle Secure Backup user account. Passwords for NDMP hosts are associated with the host instead of the user. You can configure the host to use the default NDMP password, a user-defined text password, or a null password. You can also configure a password authentication method such as text or MD5-encrypted.
See Also: "Adding a Host" to learn how to add an NDMP host to an administrative domain
An Oracle Secure Backup class defines a set of rights granted to an Oracle Secure Backup user. A class is similar to a UNIX group, but it defines a finer granularity of access rights tailored to the needs of Oracle Secure Backup. As shown in Figure 1-5, you can assign multiple users to a class, each of whom is a member of only one class.
The following classes are key to understanding Oracle Secure Backup user rights:
This class is used for standard day-to-day operations. The operator class lacks configuration rights but has all the rights needed for backup and restore operations. It also allows the user to query the state of all primary and secondary storage devices and to control the state of these devices.
This class, which is similar to the operator class, has rights enabling users to modify Oracle database configuration settings as well as to perform Oracle database backups. Typically, class members are Oracle Secure Backup users that are mapped to operating system accounts of Oracle database installations.
This class is assigned to specific users and gives them permission to interact in a limited way with their domains. This class is reserved for users who need to browse their own data within the Oracle Secure Backup catalog and perform user-based restore operations.