|Oracle® Secure Backup Installation and Configuration Guide
Part Number E21477-05
|PDF · Mobi · ePub|
A group of computers on your network that you manage as a common unit to perform backup and restore operations. An administrative domain must include one and only one administrative server. It can include the following:
One or more clients
One or more media servers
The host that stores configuration information and catalog files for hosts in the administrative domain. There must be one and only one administrative server for each administrative domain. One administrative server can service all clients on your network. The administrative server runs the scheduler, which starts and monitors backups within the administrative domain.
A public-domain Web server used by the Oracle Secure Backup Web tool.
A mode of certificate management in which the Certification Authority (CA) signs and then transfers identity certificates to hosts over the network. This mode of issuing certificates is vulnerable to a possible, although extremely unlikely, man-in-the-middle attack. Automated mode contrasts with manual certificate provisioning mode.
The process of obscuring backup data so that it is unusable unless decrypted. Data can be encrypted at rest, in transit, or both.
An integer that uniquely identifies a backup section.
A backup that is eligible for execution by the Oracle Secure Backup scheduler. A backup job contrasts with a backup request, which is an on-demand backup that has not yet been forwarded to the scheduler with the
backup --go command.
A backup file generated by Recovery Manager (RMAN). A backup piece is stored in a logical container called a backup set.
An on-demand backup that is held locally in obtool until you run the
backup command with the
--go option. At this point Oracle Secure Backup forwards the requests to the scheduler, at which time each backup request becomes a backup job and is eligible to run.
A description of when and how often Oracle Secure Backup should back up the files specified by a dataset. The backup schedule contains the names of each dataset file and the name of the media family to use. The part of the schedule called the trigger defines the days and times when the backups should occur. In obtool, you create a backup schedule with the
A file that contains the standard output from a particular backup dispatched by the Oracle Secure Backup scheduler.
A symbol code, also called a tag, that is physically applied to a volume for identification purposes. Oracle Secure Backup supports the use of tape libraries that have an automated means to read barcodes.
The number of 512-byte blocks to include in each block of data written to each tape drive. By default, Oracle Secure Backup writes 64K blocks to tape, which is a blocking factor of 128. Because higher blocking factors usually result in better performance, you can try a blocking factor larger than the obtar default. If you pick a value larger than is supported by the operating system of the server, then Oracle Secure Backup fails with an error.
A repository that records backups in an Oracle Secure Backup administrative domain. You can use the Oracle Secure Backup Web tool or obtool to browse the catalog and determine what files you have backed up. The catalog is stored on the administrative server.
A digitally signed statement from a Certification Authority (CA) stating that the public key (and possibly other information) of another entity has a value. The X.509 standard specifies the format of a certificate and the type of information contained in it: certificate version, serial number, algorithm ID, issuer, validity, subject, subject public key information, and extensions such as key usage (signing, encrypting, and so on). A variety of methods are used to encode, identify, and store the certificate.
An authority in a network that performs the function of binding a public key pair to an identity. The CA certifies the binding by digitally signing a certificate that contains a representation of the identity and a corresponding public key. The administrative server is the CA for an Oracle Secure Backup administrative domain.
A volume with this type of expiration policy expires when every backup piece on the volume is marked as deleted. You can make Recovery Manager (RMAN) backups, but not file-system backups, to content-managed volumes. You can use RMAN to delete a backup piece.
A one-way function that accepts a message as input and produces an encrypted string called a "hash" or "message digest" as output. Given the hash, it is computationally infeasible to retrieve the input. MD5 and SHA-1 are commonly used cryptographic hash functions.
A type of incremental backup in which Oracle Secure Backup copies only data that has changed at a lower backup level. For example, a level 3 incremental backup copies only that data that has changed since the most recent backup that is level 2 or lower.
Background processes that are assigned a task by Oracle Secure Backup during the execution of backup and restore operations. Some daemons run continually and others are started and stopped as required.
An application that controls a backup or restore operation over the Network Data Management Protocol (NDMP) through connections to a data service and tape service. The DMA is the session master, whereas the NDMP services are the slaves. In an Oracle Secure Backup administrative domain, obtar is an example of a DMA.
An application that runs on a client and provides Network Data Management Protocol (NDMP) access to database and file-system data on the primary storage system.
An Oracle Secure Backup configuration object that specifies characteristics of Recovery Manager (RMAN) SBT backups. The storage selector act as a layer between RMAN, which accesses the database, and the Oracle Secure Backup software, which manages the backup media.
The contents of a file-system backup. A dataset file describes a dataset. For example, you could create the dataset file my_data.ds to describe a dataset that includes the
/home directory on host
A directory that contains at least one dataset file. The directory groups dataset files as a set for common reference.
A text file that describes a dataset. The Oracle Secure Backup dataset language provides a text-based means to define file-system data to back up.
A set of configuration data that specifies how Oracle Secure Backup runs in an administrative domain.
The process by which Oracle Secure Backup automatically detects devices accessed through Network Data Management Protocol (NDMP) and configuration changes for such devices.
A file name in the
/dev file system on UNIX or Linux that represents a hardware tape device. A attach point does not specify data on disk, but identifies a hardware unit and the device driver that handles it. The inode of the file contains the device number, permissions, and ownership data. An attachment consists of a host name and the attach point name by which that device is accessed by Oracle Secure Backup.
A type of incremental backup in which Oracle Secure Backup copies only data that has changed at the same or lower backup level. This backup is also called a level 10 backup. Oracle Secure Backup does not support the level 10 backup on some platforms, including Network Attached Storage (NAS) devices such as a Network Appliance filer.
A set of bits computed by an Certification Authority (CA) to signify the validity of specified data. The algorithm for computing the signature makes it difficult to alter the data without invalidating the signature.
A group of computers and devices on a network that are administered as a unit with common rules and procedures. Within the internet, domains are defined by the IP address. All devices sharing a common part of the IP address are said to be in the same domain.
The number of recovered write errors divided by the total blocks written, multiplied by 100.
The means by which Oracle Secure Backup determines how a volume in a media family expires, that is, when they are eligible to be overwritten. A media family can either have a content-managed expiration policy or time-managed expiration policy.
A set of ANSI protocols for sending digital data over fiber optic cable. FDDI networks are token-passing networks, and support data rates of up to 100 Mbps. FDDI networks are typically used as backbones for wide-area networks.
A protocol used primarily among devices in a Storage Area Network (SAN).
A network made up of a multitude of computers, operating systems, and applications of different types from different vendors.
The initialization phase of a connection between two hosts in the administrative domain. After the hosts authenticate themselves to each other with identity certificates, communications between the hosts are encrypted by Secure Sockets Layer (SSL). Almost all connections are two-way authenticated; exceptions include initial host invitation to join a domain and interaction with hosts that use NDMP access mode.
An operation that backs up only the files on a client that changed after a previous backup. Oracle Secure Backup supports 9 different incremental backup levels for file-system backups. A cumulative incremental backup copies only data that changed since the most recent backup at a lower level. A differential incremental backup, which is equivalent to a level 10 backup, copies data that changed since an incremental backup at the same or lower level.
An incremental backup contrasts with a full backup, which always backs up all files regardless of when they last changed. A full backup is equivalent to an incremental backup at level 0.
A catalog created and maintained by Oracle Secure Backup that describes past, current, and pending backup jobs.
A text file report produced by Oracle Secure Backup that describes the status of selected backup and restore jobs. Oracle Secure Backup generates the report according to a user-specified job summary schedule.
A user-defined schedule for generating job summaries. You create job summary schedules with the
mksum command in obtool.
A mode of certificate management in which you must manually export the signed identity certificate for a host from the administrative server, transfer it to the host, and manually import the certificate into the wallet of the host. Unlike automated certificate provisioning mode, this mode is not vulnerable to a possible (if extremely unlikely) man-in-the-middle attack.
A computer or server that has at least one tape device connected to it. A media server is responsible for transferring data to or from the devices that are attached to it.
A synonym for primary access mode.
The mode of access for a filer or other host that uses Network Data Management Protocol (NDMP) for communications within the administrative domain. NDMP access mode contrasts with primary access mode, which uses the Oracle Secure Backup network protocol. Oracle Secure Backup uses NDMP for data transfer among hosts regardless of whether a host is accessed through the primary or NDMP access modes.
A NAS server is a computer on a network that hosts file systems. The server exposes the file systems to its clients through one or more standard protocols, most commonly Network File System (NFS) and CIFS.
An open standard protocol that defines a common architecture for backups of heterogeneous file servers on a network. This protocol allows the creation of a common agent used by the central backup application, called a data management application (DMA), to back up servers running different operating systems. With NDMP, network congestion is minimized because the data path and control path are separated. Backup can occur locally—from a file server direct to a tape drive—while management can occur centrally.
A text file that lists the hosts in your network on which Oracle Secure Backup should be installed. For each host, you can identify the Oracle Secure Backup installation type, the host name, and each tape drive attached. The install subdirectory in the Oracle Secure Backup home includes a sample network description file named obndf.
A client/server application that gives all network users access to shared files stored on computers of different types. NFS provides access to shared files through an interface called the Virtual File System (VFS) that runs on top of TCP/IP. Users can manipulate shared files as if they were stored on local disk. With NFS, computers connected to a network operate as clients while accessing remote files, and as servers while providing remote users access to local shared files. The NFS standards are publicly available and widely used.
A synonym for primary access mode.
A wallet whose data is scrambled into a form that is extremely difficult to read if the scrambling algorithm is unknown. The wallet is read-only and is not protected by a password. An obfuscated wallet supports single sign-on (SSO).
The underlying engine of Oracle Secure Backup that moves data to and from tape. obtar is a descendent of the original Berkeley UNIX tar(2) command.Although obtar is typically not accessed directly, you can use it to back up and restore files or directories specified on the command line. obtar enables the use of features not exposed through obtool or the Web tool.
The principal command-line interface to Oracle Secure Backup. You can use this tool to perform all Oracle Secure Backup configuration, backup and restore, maintenance, and monitoring operations. The obtool utility is an alternative to the Oracle Secure Backup Web tool.
A backup that is equivalent to a full backup except that it does not affect the full or incremental backup schedule. An offsite backup is useful when you want to create an backup image for offsite storage without disturbing your incremental backup schedule.
A file-system backup initiated through the
backup command in obtool or the Oracle Secure Backup Web tool. The backup is one-time-only and either runs immediately or at a specified time in the future. An on-demand backup contrasts with a scheduled backup, which is initiated by the Oracle Secure Backup scheduler.
A person whose duties include backup operations, backup schedule management, tape swaps, and error checking.
The directory in which the Oracle Secure Backup software is installed. The Oracle Secure Backup home is typically
/usr/local/oracle/backup on UNIX/Linux and
C:\Program Files\Oracle\Backup on Windows. This directory contains binaries and configuration files. The contents of the directory differ depending on which role is assigned to the host within the administrative domain.
A number between 0 and 31 used to generate unique attach point names during device configuration (for example,
/dev/obt1, and so on). Although it is not a requirement, unit numbers typically start at 0 and increment for each additional device of a given type, whether tape library or tape drive.
An account defined within an Oracle Secure Backup administrative domain. Oracle Secure Backup users exist in a separate namespace from operating system users.
The process of replacing a file on your system by restoring a file that has the same file name.
The preferred network interface for transmitting data to be backed up or restored. A network can have multiple physical connections between a client and the server performing a backup or restore on behalf of that client. For example, a network can have both Ethernet and Fiber Distributed Data Interface (FDDI) connections between a pair of hosts. PNI enables you to specify, on a client-by-client basis, which of the server's network interfaces is preferred.
An optional attribute of an Oracle Secure Backup user. A preauthorization gives an operating system user access to specified Oracle Secure Backup resources.
The mode of access for a host that uses the Oracle Secure Backup network protocol for communications within the administrative domain. Oracle Secure Backup must be installed on hosts that use primary access mode. In contrast, hosts that use NDMP access mode do not require Oracle Secure Backup to be installed. Oracle Secure Backup uses Network Data Management Protocol (NDMP) for data transfer among hosts regardless of whether a host is accessed through the primary or NDMP access modes.
A number that corresponds to a specific public key and is known only to the owner. Private and public keys exist in pairs in all public key cryptography systems. In a typical public key cryptosystem, such as RSA, a private key corresponds to exactly one public key. You can use private keys to compute signatures and decrypt data.
A file-system backup operation initiated with the
--privileged option of the
backup command. On UNIX and Linux systems, a privileged backup runs under the
root user identity. On Windows systems, the backup runs under the same account (usually
Local System) as the Oracle Secure Backup service on the Windows client.
A number associated with a particular entity intended to be known by everyone who must have trusted interactions with this entity. A public key, which is used with a corresponding private key, can encrypt communication and verify signatures.
A utility supplied with Oracle Database used for database backup, restore, and recovery. RMAN is a separate application from Oracle Secure Backup. Unlike RMAN, you can use Oracle Secure Backup to back up any file on the file system—not just database files. Oracle Secure Backup includes an SBT interface that RMAN can use to back up database files directly to tape.
The length of time that data in a volume set is not eligible to be overwritten. The retention period is an attribute of a time-managed media family. The retention period begins at the write window close time. For example, if the write window for a media family is 7 days, then a retention period of 14 days indicates that the data is eligible to be overwritten 21 days from the first write to the first volume in the volume set.
Privileges within the administrative domain that are assigned to a class. For example, the
self right is assigned to the
operator class by default. Every Oracle Secure Backup user that belongs to a class is granted the rights associated with this class.
The functions that hosts in your network can have during backup and restore operations. There are three roles in Oracle Secure Backup: administrative server, media server, and client. A host in your network can serve in any of these roles or any combination of them. For example, the administrative server can also be a client and media server.
A media management software library that Recovery Manager (RMAN) can use to back up to tertiary storage. An SBT interface conforms to a published API and is supplied by a media management vendor. Oracle Secure Backup includes an SBT interface for use with RMAN.
A file-system backup that is scheduled through the
mksched command in obtool or the Oracle Secure Backup Web tool (or is modified by the
runjob command). A backup schedule describes which files should be backed up. A trigger defined in the schedule specifies when the backup job should run.
A daemon (obscheduled) that runs on an administrative server and is responsible for managing all backup scheduling activities. The scheduler maintains a job list of backup job operations scheduled for execution.
A daemon (observiced) that runs on each host in the administrative domain that communicates through primary access mode. The service daemon provides a wide variety of services, including certificate operations.
SCSI logical unit number. A 3-bit identifier used on a SCSI bus to distinguish between up to eight devices (logical units) with the same SCSI ID. Do not confuse with Oracle Secure Backup logical unit number
A cryptographic protocol that provides secure network communication. SSL provides endpoint authentication through a certificate. Data transmitted over SSL is protected from eavesdropping, tampering or message forgery, and replay attacks.
A parallel I/O bus and protocol that permits the connection of a variety of peripherals to host computers. Connection to the SCSI bus is achieved through a host adapter and a peripheral controller.
A high-speed subnetwork of shared storage devices. A SAN is designed to assign data backup and restore functions to a secondary network so that they do not interfere with the functions and capabilities of the server.
A tape device that reads and writes data stored on a tape. Tape drives are sequential-access, which means that they must read all preceding data to read any particular piece of data. The tape drives are accessible through various protocols, including Small Computer System Interface (SCSI) and Fibre Channel. A tape drive can exist standalone or in a tape library.
Transmission Control Protocol/Internet Protocol. The suite of protocols used to connect hosts for transmitting data over networks.
The process of backing up an NDMP server that supports NDMP but does not have a locally attached backup device to another NDMP server that has an attached backup device. The backup is performed by sending the data through a TCP/IP connection to the NDMP server with the attached backup device. In this configuration, the NDMP data service exists on the NDMP server that contains the data to be backed up and the NDMP tape service exists on the NDMP server with the attached tape device.
A media family expiration policy in which every volume in a volume set can be overwritten when it reaches its volume expiration time. Oracle Secure Backup computes the volume expiration time by adding the volume creation time for the first volume in the set, the write window time, and the retention period.
For example, you set the write window for a media family to 7 days and the retention period to 14 days. Assume that Oracle Secure Backup first wrote to the first volume in the set on January 1 at noon and subsequently wrote data on 20 more volumes in the set. In this scenario, all 21 volumes in the set expire on January 22 at noon.
The part of a backup schedule that specifies the days and times at which the backups should occur.
A certificate that is considered valid without validation testing. Trusted certificates build the foundation of the system of trust. Typically, they are certificates from a trusted Certification Authority (CA).
File-system backups created with the
--unprivileged option of the
backup command. When you create or modify an Oracle Secure Backup user, you associate operating system accounts with this user. Unprivileged backups of a host run under the operating system account associate with Oracle Secure Backup user who initiates the backup.
A volume is a unit of media, such as an 8mm tape. A volume can contain multiple backup images.
The date and time on which a volume in a volume set expires. Oracle Secure Backup computes this time by adding the write window duration, if any, to the volume creation time for the first volume in the set, then adding the volume retention period.
For example, assume that a volume set belongs to a media family with a retention period of 14 days and a write window of 7 days. Assume that the volume creation time for the first volume in the set was January 1 at noon and that Oracle Secure Backup subsequently wrote data on 20 more volumes in the set. In this scenario, the volume expiration time for all 21 volumes in the set is January 22 at noon.
A unique alphanumeric identifier assigned by Oracle Secure Backup to a volume when it was labeled. The volume ID usually includes the media family name of the volume, a dash, and a unique volume sequence number. For example, a volume ID in the RMAN-DEFAULT media family could be RMAN-DEFAULT-000002.
A number recorded in the volume label that indicates the order of volumes in a volume set. The first volume in a set has sequence number 1. The volume ID for a volume usually includes the media family name of the volume, a dash, and a unique volume sequence number. For example, a volume ID for a volume in the RMAN-DEFAULT media family could be RMAN-DEFAULT-000002.
A password-protected encrypted file. An Oracle wallet is primarily designed to store X.509 certificates and their associated public key/private key pair. The contents of the wallet are only available after the wallet password has been supplied, although with an obfuscated wallet no password is required.
The period for which a volume set remains open for updates, usually by appending an additional backup image. The write window opens at the volume creation time for the first volume in the set and closes after the write window period has elapsed. After the write window close time, Oracle Secure Backup does not allow further updates to the volume set until it expires (as determined by its expiration policy), or until it is relabeled, reused, unlabeled, or forcibly overwritten.
A write window is associated with a media family. All volume sets that are members of the media family remain open for updates for the same time period.
The date and time that a volume set closes for updates. Oracle Secure Backup computes this time when it writes backup image file number 1 to the first volume in the set. If a volume set has a write window close time, then this information is located in the volume section of the volume label.
The length of time during which writing to a volume set is permitted.