Skip Headers
Oracle® Secure Backup Reference
Release 10.4

Part Number E21480-06
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

6 Defaults and Policies

Oracle Secure Backup defaults and policies are configuration data that control how Oracle Secure Backup operates within an administrative domain. These policies are grouped into several policy classes. Each policy class contains policies that describe a particular area of operations.

The policy classes are as follows:

See Also:

"Policy Commands" to learn about the obtool policy commands

Backup Encryption Policies

These policies control how Oracle Secure Backup performs backup encryption. For example, you can specify whether backups must be encrypted for the entire administrative domain or for specific clients in the domain, which encryption algorithm to use for encryption, and how keys are managed.

The global algorithm, global keytype, and global rekeyfrequency policies are used to provide default values to newly created clients. The client algorithm, client keytype, and client rekeyfrequency policies define the actual values used for a given client.

The encryption policies are as follows:

algorithm

Use the algorithm policy to specify the algorithm used in encrypting backups written to tape.

At the administrative domain level, the algorithm policy specifies the default algorithm for all backups. At the client level, it specifies the default algorithm for backups from this client.

Values

Note:

The algorithms available are the same as those available in Recovery Manager (RMAN).
AES128

Uses AES 128-bit encryption. This is the default.

AES192

Uses AES 192-bit encryption.

AES256

Uses AES 256-bit encryption.

enablehardwareencryption

Use the enablehardwareencryption policy to control whether Oracle Secure Backup uses hardware-based encryption.

The LTO4 interface to hardware encryption is implemented through the SCSI specification for hardware encryption. Encryption is performed by the LTO4 drive in hardware instead of in software by Oracle Secure Backup.

Hardware-based encryption brings no changes to the existing Oracle Secure Backup encryption model. All encryption decisions, policies, key management, and settings for hardware-based encryption are identical with those for software-based encryption.

Note:

It is not possible to back up using hardware-based encryption and then restore using software-based encryption. Nor is it possible to back up using software-based encryption and then restore using hardware-base encryption.

Values

yes

Enables Oracle Secure Backup to use hardware-based encryption. This value is the default.

no

Performs software-based encryption instead of hardware-based encryption.

encryption

Use the encryption policy to specify whether data written to tape backups must be encrypted by default.

This policy can be set as a global policy for the administrative domain. It can also be overridden at the client level, using the --encryption option of the mkhost and chhost commands.

Note:

If a database backup is encrypted at the Recovery Manager (RMAN) level, then Oracle Secure Backup always writes the backup to tape in the encrypted form provided by RMAN, regardless of the setting for the encryption policy. If encryption is set to required, then Oracle Secure Backup does not encrypt the data a second time.

Values

required

Encrypts all backups, regardless of policy settings on specific clients or jobs. If this policy is enabled at the administrative domain level, then all backup data written to tape is encrypted, regardless of other policies for specific clients or settings for specific jobs. If this policy is defined at the client level, then all backup data written to tape from this client is encrypted, regardless of settings for specific jobs.

allowed

Does not encrypt backups to tape unless the policy set on a client or the settings for a job specify encryption. This is the default.

keytype

Use the keytype policy to specify the method for generating the encryption key.

Values

transparent

Generates keys randomly using the Oracle Random Number Generator as a seed for the key. The keys are stored in a host-specific key store. This is the default.

passphrase

Generates keys based on a backup administrator-supplied passphrase.

Note:

  • The backup administrator must set the passphrase for a given host using the chhost command. Until the passphrase is set, backups are encrypted in transparent mode.
  • If the passphrase is lost or forgotten, then backups created with it cannot be restored.

rekeyfrequency

Use the rekeyfrequency policy to manage how often keys are generated. Older keys are retained in a wallet-protected key store.

The rekeyfrequency policy can be defined at the global level for an entire administrative domain. The global policy can be overridden at the client level.

Values

duration

Specifies the frequency of generating keys for transparent mode encryption. Refer to "duration" for a description of the duration placeholder.

A key is automatically generated at midnight on the day when the specified duration expires. This key is then added to the wallet and is used on subsequent backup operations. Older keys are retained in the wallet for restoring older backups.

Note:

If the keytype policy is set to passphrase, then the administrator is responsible for managing key regeneration.

The default value is 30days, which means keys are generated after thirty days. Minimum duration is 1 day.

perbackup

Generates keys for each backup. Older keys are retained in the wallet for restoring older backups.

off

Does not generate keys automatically at regular intervals.

systemdefault

Specifies that this host should use the current administrative domain policy. Valid only as a client-based policy.

requireencryptablemedia

Use the requireencryptablemedia policy to control whether Oracle Secure Backup requires a tape capable of hardware encryption.

This policy is ignored if the tape drive is incapable of hardware encryption or cannot identify encryption-capable tapes.

Values

yes

Puts the job into a pending state until a hardware-encryptable tape is made available.

no

Attempts to mount a tape capable of hardware encryption. If mounting such a tape is not possible, then Oracle Secure Backup falls back to software encryption. This value is the default.

Daemon Policies

These policies control aspects of the behavior of daemons and services. For example, you can specify whether logins should be audited and control how the index daemon updates the catalog.

The daemon policies are as follows:

auditlogins

Use the auditlogins policy to audit attempts to log in to Oracle Secure Backup.

Values

yes

Enables the policy. All attempts to log in to Oracle Secure Backup are logged by the administrative observiced to its log file.

no

Disables the policy (default).

obixdmaxupdaters

Use the obixdmaxupdaters policy to specify the maximum number of catalog update processes that can operate concurrently.

The Oracle Secure Backup index daemon (obixd) is a daemon that manages the Oracle Secure Backup catalogs for each client. Oracle Secure Backup starts the index daemon at the conclusion of each backup and at other times throughout the day.

Values

n

Specifies the number of concurrent obixd daemons to allow. The default is 2.

obixdrechecklevel

Use the obixdrechecklevel policy to control the level of action by the Oracle Secure Backup index daemon to ensure that a host backup catalog is valid before making it the official catalog.

Values

structure

Specifies that the index daemon should verify that the structure of the catalog is sound after any updates to a backup catalog (default). This verification is a safeguard mechanism and is used to by the index daemon to double-check its actions after a catalog update.

content

Specifies that the index daemon should verify that the structure and content of the catalog is sound after any updates to a backup catalog. This is the most time-consuming and comprehensive method.

none

Specifies that the index daemon should take no extra action to affirm the soundness of the catalog after updates to the backup catalog. This is the fastest but also the least safe method.

obixdupdaternicevalue

Use the obixdupdaternicevalue policy to set the priority at which the index daemon runs. The higher the value, the more of the CPU the index daemon yields to other competing processes. This policy is not applicable to Windows hosts.

Values

n

Specifies the index daemon priority. The default is 0, which means that the index daemon runs at a priority assigned by the system, which is normal process priority. You can use a positive value (1 to 20) to decrease the priority, thereby making more CPU time available to other processes. To give the daemon a higher priority, enter a negative number.

webautostart

Use the webautostart policy to specify whether the Apache Web server automatically starts when you restart observiced.

Values

yes

Enables the policy.

Note:

The installation process sets webautostart to yes, which is not the default value.
no

Disables the policy (default).

webpass

Use the webpass policy to specify a password to be passed to the Web server.

If the Web server's Secure Sockets Layer (SSL) certificate requires a password (PEM pass phrase), then entering it in this policy enables observiced to pass it to the Oracle Secure Backup Web server when it is started. The password is used when decrypting certificate data stored locally on the administrative server and never leaves the computer.

Values

password

Specifies the password. By default no password is set.

Note:

The installation script configures a password for the webpass policy. You can change this password, although in normal circumstances you should not be required to do so.

windowscontrolcertificateservice

Use the windowscontrolcertificateservice to specify whether Oracle Secure Backup should attempt to put the Windows certificate service in the appropriate mode before backing up or recovering a certificate service database.

Values

yes

Specifies that Oracle Secure Backup should start the certificate service before a backup, stop it, and then restart the certificate service for a restore.

no

Disables the policy (default).

Device Policies

These policies control how a tape device is automatically detected during device discovery and when tape device write warnings are generated.

The device policies are as follows:

checkserialnumbers

Use the checkserialnumbers policy to control tape device serial number checking.

While not a requirement of the SCSI-2 standard, practically all modern tape drives and libraries support the Unit Serial Number Inquiry Page, by which a device can be programmatically interrogated for its serial number.

If the checkserialnumbers policy is enabled, then whenever Oracle Secure Backup opens a tape device, it checks the serial number of that device. If the tape device does not support serial number reporting, then Oracle Secure Backup simply opens the tape device. If the tape device does support serial number checking, then Oracle Secure Backup compares the reported serial number to the serial number stored in the device object. Three results are possible:

  • There is no serial number in the device object.

    If Oracle Secure Backup has never opened this tape drive since the device was created or the serial number policy was enabled, then it cannot have stored a serial number in the device object. In this case, the serial number is stored in the device object, and the open succeeds.

  • There is a serial number in the device object, and it matches the serial number just read from the device.

    In this case, Oracle Secure Backup opens the tape device.

  • There is a serial number in the device object, and it does not match the serial number just read from the device.

    In this case, Oracle Secure Backup returns an error message and does not open the tape device.

Note:

Oracle Secure Backup also performs serial number checking as part of the --geometry/-g option to the obtool lsdev command. This option causes an Inquiry command to be sent to the specified device, and lsdev displays its vendor, product ID, firmware version, and serial number.

Values

Yes

Specifies that serial numbers are checked whenever a tape device is opened. This is the default value.

No

Specifies that tape device serial numbers are ignored.

discovereddevicestate

Use the discovereddevicestate policy to determine whether a tape device discovered by the discoverdev command is immediately available for use by Oracle Secure Backup.

Values

in service

Specifies that discovered tape devices are available to Oracle Secure Backup immediately.

not in service

Specifies that discovered tape devices are not available to Oracle Secure Backup until explicitly placed in service (default).

errorrate

Use the errorrate policy to set the error rate. The error rate is the ratio of recovered write errors that occur during a backup job per the total number of blocks written, multiplied by 100. If the error rate for any backup is higher than this setting, then Oracle Secure Backup displays a warning message in the backup transcript.

Values

n

Specifies the error rate to be used with the tape device. The default is 8.

none

Disables error rate checking. You can disable error rate checking to avoid warning messages when working with a tape drive that does not support the Small Computer System Interface (SCSI) commands necessary to check the error rate.

maxdriveidletime

Use the maxdriveidletime policy to set how long a tape can remain idle in a tape drive after the conclusion of a backup or restore operation. When this set time is up, Oracle Secure Backup automatically unloads the tape from the tape drive.

You cannot specify this parameter on a drive-by-drive basis. You must have the modify administrative domain's configuration right to modify this policy.

Values

duration

Specifies the length of time that a tape can remain idle before Oracle Secure Backup unloads it. Refer to "duration" for a description of the duration placeholder. The default is 5minutes, which means that Oracle Secure Backup unloads a tape when it has been idle for five minutes.

Note:

The duration placeholder must be specified by some combination of seconds, minutes and hours only.

The minimum value that can be specified is 0seconds. The maximum value is 24hours. A duration of 0 results in an immediate tape unload at the conclusion of any backup or restore operation.

forever

Specifies that a tape remains in the tape drive at the conclusion of a backup or restore operation. The tape is not unloaded automatically.

maxacsejectwaittime

This policy applies only to StorageTek Automated Cartridge System Library Software (ACSLS) systems. Use the maxacsejectwaittime policy to set how long an outstanding exportvol request waits for the ACS cartridge access port to be cleared.

Values

duration

Specifies the length of time that Oracle Secure Backup waits for an ACS cartridge access port to be cleared before canceling an exportvol request.

Manual operator intervention is required to remove the tapes from the cartridge access port after an ACS exportvol operation has finished. Access to the ACSLS server is denied until the tapes are removed or a period greater than maxacsjecetwaittime has passed. Oracle recommends that you schedule exports only when a human operator is locally available and that you batch export operations such that multiple volumes are specified for each exportvol operation.

Refer to "duration" for a description of the duration placeholder. The default is 5minutes.

Note:

The duration placeholder must be specified by some combination of seconds, minutes and hours only.

The minimum value that can be specified is 0seconds. The maximum value is forever.

forever

Specifies that Oracle Secure Backup never cancels an exportvol request while waiting for an ACS cartridge access port to clear.

Index Policies

These policies control how Oracle Secure Backup generates and manages the catalog. For example, you can specify the amount of elapsed time between catalog cleanups.

The index policies are as follows:

asciiindexrepository

Use the asciiindexrepository policy to specify the directory where ASCII index files are saved before being imported into the Oracle Secure Backup catalog by the index daemon.

Values

pathname

Specifies the path name for the index files. The default path name is the admin/history/host/hostname subdirectory of the Oracle Secure Backup home.

autoindex

Use the autoindex policy to specify Oracle Secure Backup whether backup catalog data should be produced for each backup it performs.

Values

yes

Specifies that catalog data should be produced for each backup (default).

no

Specifies that catalog data should not be produced for each backup.

earliestindexcleanuptime

Use the earliestindexcleanuptime policy to specify the earliest time of day at which catalog information should cleaned up. Cleanup activities should take place during periods of lowest usage of the administrative server.

Values

time

Specifies the time in hour and minutes. Refer to "time" for a description of the time placeholder. The default value is 23:00.

generatendmpindexdata

Use the generatendmpindexdata policy to specify whether Oracle Secure Backup should produce backup catalog information when backing up a client accessed through Network Data Management Protocol (NDMP).

Values

yes

Specifies that catalog data should be produced for backups of NDMP clients (default).

no

Specifies that catalog data should not be produced for backups of NDMP clients.

indexcleanupfrequency

Use the indexcleanupfrequency policy to specify the amount of elapsed time between catalog cleanups.

Typically, you should direct Oracle Secure Backup to clean up catalogs on a regular basis. This technique eliminates stale data from the catalog and reclaims disk space. Catalog cleanup is a CPU-intensive and disk I/O-intensive activity, but Oracle Secure Backup performs all data backup and restore operations without interruption when catalog cleanup is in progress.

Values

duration

Specifies the frequency of catalog cleanup operations. Refer to "duration" for a description of the duration placeholder. The default is 21days, which means that Oracle Secure Backup cleans the catalog every three weeks.

latestindexcleanuptime

Use the latestindexcleanuptime policy to specify the latest time of day at which index catalogs can be cleaned up.

Values

time

Specifies the latest index cleanup time. Refer to "time" for a description of the time placeholder. The default value is 07:00.

maxindexbuffer

Use the maxindexbuffer policy to specify a maximum file size for the local index buffer file.

Backup performance suffers if index data is written directly to an administrative server that is busy with other tasks. To avoid this problem, Oracle Secure Backup buffers index data in a local file on the client during the backup, which reduces the number of interactions that are required with an administrative server. This policy enables you to control the maximum size to which this buffer file can grow.

Values

buffersize

Specifies the buffer size in blocks of size 1 KB. The default value is 6144, which is 6 MB. Setting the buffer size to 0 causes Oracle Secure Backup to perform no local buffering.

saveasciiindexfiles

Use the saveasciiindexfiles policy to determine whether to save or delete temporary ASCII files used by the index daemon.

When Oracle Secure Backup performs a backup, it typically generates index information that describes each file-system object it saves. Specifically, it creates a temporary ASCII file on the administrative server in the admin/history/index/client subdirectory of the Oracle Secure Backup home. When the backup completes, the index daemon imports the index information into the index catalog file for the specified client.

Values

yes

Directs Oracle Secure Backup to retain each temporary ASCII index file. This option might be useful if you have written tools to analyze the ASCII index files and generate site-specific reports.

no

Directs Oracle Secure Backup to delete each temporary ASCII index file when the backup completes (default).

Log Policies

These policies control historical logging in the administrative domain. For example, you can specify which events should be recorded in the activity log on the administrative server: all, backups only, restore operations only, and so forth.

The log policies are as follows:

adminlogevents

Use the adminlogevents policy to specify the events to be logged in the activity log on the administrative server. Separate multiple event types with a comma. By default this policy is not set, which means that no activity log is generated.

Values

backup

Logs all backup events.

backup.commandline

Logs command-line backups that specify files to be backed up on the command line.

backup.scheduler

Logs scheduled backup operations.

restore

Logs restore operations.

all

Logs everything specified by the preceding options.

adminlogfile

Use the adminlogfile policy to specify the path name for the activity log on the administrative server.

Values

pathname

Specifies the path name of a log file, for example, /var/log/admin_srvr.log. By default this policy is not set, which means that no log file is generated.

clientlogevents

Use the clientlogevents policy to specify the events to be logged in the activity log on the client host.

Values

See the values for the adminlogevents policy. By default this policy is not set.

jobretaintime

Use the jobretaintime policy to set the length of time to retain job list history.

Values

duration

Retains the job history for the specified period. The default is 30days. Refer to "duration" for a description of the duration placeholder.

logretaintime

Use the logretaintime policy to set the length of time to retain Oracle Secure Backup log files.

Several components of Oracle Secure Backup maintain log files containing diagnostic messages. This option lets you limit the size of these files, which can grow quite large. Oracle Secure Backup periodically deletes all entries older than the specified duration.

Values

duration

Retains the diagnostic logs for the specified period. The default is 7days. Refer to "duration" for a description of the duration placeholder.

transcriptretaintime

Use the transcriptretaintime policy to specify the length of time to retain Oracle Secure Backup job transcripts.

When the Oracle Secure Backup scheduler runs a job, it saves the job output in a transcript file. You can specify how long transcript files are to be retained.

Values

duration

Retains the job transcripts for the specified period. The default is 7days. Refer to "duration" for a description of the duration placeholder.

unixclientlogfile

Use the unixclientlogfile policy to specify the path name for log files on UNIX client hosts. Oracle Secure Backup logs each of the events selected for clientlogevents to this file on every UNIX client.

Values

pathname

Specifies the path name for the log files on UNIX clients. By default this policy is not set, which means that no log file is generated.

windowsclientlogfile

Use the windowsclientlogfile to specify the path name for log files on Windows client hosts. Oracle Secure Backup logs each of the events selected for clientlogevents to this file on each Windows client.

Values

pathname

Specifies the path name for the log files on Windows clients. By default this policy is not set, which means that no log file is generated.

Media Policies

These policies control domain-wide media management. For example, you can specify a retention period for tapes that are members of the null media family.

The media policies are as follows:

barcodesrequired

Use the barcodesrequired policy to determine whether every tape is required to have a readable barcode.

By default, Oracle Secure Backup does not discriminate between tapes with readable barcodes and those without. This policy ensures that Oracle Secure Backup can always solicit a tape needed for restore by using both the barcode and the volume ID. Use this feature only if every tape drive is contained in a tape library with a working barcode reader.

Values

yes

Requires tapes to have readable barcodes.

no

Does not require tapes to have readable barcodes (default).

blockingfactor

Use the blockingfactor policy to define the size of every tape block written during a backup or restore operation. You can modify this value so long as it does not exceed the limit set by the maxblockingfactor policy.

See Also:

Oracle Secure Backup Administrator's Guide for more information on blocking factors

Values

unsigned integer

Specifies the block factor in blocks of size 512 bytes. The default value is 128, which means that Oracle Secure Backup writes 64 KB blocks to tape.

maxblockingfactor

Use the maxblockingfactor policy to define the maximum size of a tape block read or written during a backup or restore operation. Blocks over this size are not readable.

See Also:

Oracle Secure Backup Administrator's Guide for more information on maximum blocking factors

Values

unsigned integer

Specifies the maximum block factor in blocks of size 512 bytes. The default value is 128, which represents a maximum block size of 64 KB. The maximum setting is 4096, which represents a maximum tape block size of 2 MB. This maximum is subject to further constraints by tape device and operating system limitations outside of the scope of Oracle Secure Backup.

overwriteblanktape

Use the overwriteblanktape policy to specify whether Oracle Secure Backup should overwrite a blank tape.

Values

yes

Overwrites blank tapes (default).

no

Does not overwrite blank tapes.

overwriteforeigntape

Use the overwriteforeigntape policy to specify whether Oracle Secure Backup should overwrite an automounted tape recorded in an unrecognizable format.

Values

yes

Overwrites tapes in an unrecognized format (default).

no

Does not overwrite tapes in an unrecognized format.

overwriteunreadabletape

Use the overwriteunreadabletape policy to specify whether Oracle Secure Backup should overwrite a tape whose first block cannot be read.

Values

yes

Overwrites unreadable tapes.

no

Does not overwrite unreadable tapes (default).

volumeretaintime

Use the volumeretaintime policy to specify a retention period for tapes that are members of the null media family.

Values

duration

Retains the volumes for the specified period. The default is disabled, which means that the volumes do not automatically expire. You can overwrite or unlabel the volume at any time. Refer to "duration" for a description of the duration placeholder.

writewindowtime

Use the writewindowtime policy to specify a write-allowed time for tapes that are members of the null media family.

Values

duration

Retains the volumes for the specified period. The default is disabled, which means that the write window never closes. Refer to "duration" for a description of the duration placeholder.

Naming Policies

This class contains a single policy, which specifies a WINS server for the administrative domain.

The naming policy is as follows:

winsserver

Use the winsserver policy to specify an IP address of a Windows Internet Name Service (WINS) server. The WINS server is used throughout the administrative domain.

Oracle Secure Backup provides the ability for UNIX systems to resolve Windows client host names through a WINS server. Setting this policy enables Oracle Secure Backup to support clients that are assigned IP addresses dynamically by WINS.

Values

wins_ip

Specifies a WINS server with the IP address wins_ip. By default this policy is not set.

NDMP Policies

These policies specify Network Data Management Protocol (NDMP) data management application (DMA) defaults. For example, you can specify a password used to authenticate Oracle Secure Backup to each NDMP server.

The NDMP policies are as follows:

authenticationtype

Use the authenticationtype policy to specify the means by which the Oracle Secure Backup Network Data Management Protocol (NDMP) client authenticates itself to an NDMP server.

You can change the authentication type for individual hosts by using the --ndmpauth option of the mkhost and chhost commands.

Values

authtype

Specifies the authentication type. Refer to "authtype" for a description of the authtype placeholder. The default is negotiated, which means that Oracle Secure Backup determines (with the NDMP server) the best authentication mode to use. Typically, you should use the default setting.

backupev

Use the backupev policy to specify backup environment variables. Oracle Secure Backup passes each variable to the client host's Network Data Management Protocol (NDMP) data service every time it backs up NDMP-accessed data.

Note:

NDMP environment variables are specific to each data service. For this reason, specify them only if you are knowledgeable about the data service implementation.

You can also select client host-specific environment variables, which are sent to the NDMP data service each time data is backed up from or recovered to the client host, by using the --backupev and --restoreev options of the mkhost and chhost commands.

Values

name=value

Specifies a backup environment variable name and value, for example, VERBOSE=y. By default the policy is not set.

backuptype

Use the backuptype policy to specify a default backup type. Backup types are specific to Network Data Management Protocol (NDMP) data services; a valid backup type for one data service can be invalid, or undesirable, for another. By default Oracle Secure Backup chooses a backup type appropriate to each data service.

You can change the backup type for individual hosts by using the --ndmpbackuptype option of the mkhost and chhost commands.

Values

ndmp-backup-type

Specifies a default backup type. Refer to "ndmp-backup-type" for a description of the ndmp-backup-type placeholder.

password

Use the password policy to specify a password used to authenticate Oracle Secure Backup to each Network Data Management Protocol (NDMP) server.

You can change the NDMP password for individual hosts by using the --ndmppass option of the mkhost and chhost commands.

Values

password

Specifies a password for NDMP authentication. By default this policy is not set, that is, the default password is null.

port

Use the port policy to specify a TCP port number for use with Network Data Management Protocol (NDMP).

You can change the TCP port for individual hosts by using the --ndmpport option of the mkhost and chhost commands.

Values

port_num

Specifies a TCP port number. The default value for port_num is 10000.

protocolversion

Use the protocolversion policy to specify a Network Data Management Protocol (NDMP) version.

Typically, you should let Oracle Secure Backup negotiate a protocol version with each NDMP server (default). If it is necessary for testing or some other purpose, then you can change the NDMP protocol version with which Oracle Secure Backup communicates with this server. If an NDMP server cannot communicate using the protocol version you select, then Oracle Secure Backup reports an error rather than using a mutually supported version.

You can change the NDMP protocol version for individual hosts by using the --ndmppver option of the mkhost and chhost commands.

Values

protocol_num

Specifies a protocol number. Refer to "protover" for a description of the protover placeholder. The default is 0, which means "as proposed by server."

restoreev

Use the restoreev policy to specify restore environment variables. Oracle Secure Backup passes each variable to the client host's Network Data Management Protocol (NDMP) data service every time it recovers NDMP-accessed data.

You can also select client host-specific environment variables, which are sent to the NDMP data service each time data is backed up from or recovered to the client host, by using the --backupev and --restoreev options of the mkhost and chhost commands.

Note:

NDMP environment variables are specific to each data service. For this reason, specify them only if you are knowledgeable with the data service implementation.

Values

name=value

Specifies a backup environment variable name and value, for example, VERBOSE=y. By default the policy is not set.

username

Use the username policy to specify the name used to authenticate Oracle Secure Backup to each Network Data Management Protocol (NDMP) server.

You can change the NDMP username for individual hosts by using the --ndmpuser option of the mkhost and chhost commands.

Values

username

Specifies a username for authentication on NDMP servers. The default is root.

Operations Policies

These policies control various backup and restore operations. For example, you can set the amount of time that a Recovery Manager (RMAN) backup job waits in the Oracle Secure Backup scheduler queue for the required resources to become available.

The operations policies are as follows:

autohistory

Use the autohistory policy to specify whether Oracle Secure Backup updates backup history data every time a client host is backed up. This history data is used to form file selection criteria for an incremental backup.

Values

yes

Updates backup history data when a client host is backed up (default). This history data is used to form file selection criteria for incremental backups.

no

Does not update backup history data when a client host is backed up.

autolabel

Use the autolabel policy to specify whether Oracle Secure Backup creates a volume label and a backup image label for a backup image whenever it backs up data.

Values

yes

Enables label generation (default).

no

Disables label generation. You should not disable label generation unless directed by Oracle Support Services.

backupimagerechecklevel

Use the backupimagerechecklevel policy to specify whether Oracle Secure Backup performs block-level verification after each backup section is completed.

Oracle Secure Backup can optionally reread each block that it writes to tape during a backup job. It provides a second verification that the backup data is readable. The first check is performed by the read-after-write logic of the tape drive immediately after the data is written.

Values

block

Performs block-level verification after each backup section is completed. Oracle Secure Backup backspaces the tape to the beginning of the backup section, reads the contents, and performs one of these actions:

  • Leaves the tape positioned after the backup section if it was the last section of the backup

  • Continues with volume swap handling if it has more data to write

Caution:

Choosing block substantially increases the amount of time it takes to back up data.
none

Performs no verification (default).

backupoptions

Use the backupoptions policy to specify additional options to apply to backups dispatched by the scheduler. Whenever the scheduler initiates a backup, it supplies the specified command-line options to obtar. For example, you can turn on diagnostic output mode in obtar by setting this value to -J.

These options apply only to backups initiated by the Oracle Secure Backup scheduler, not through the obtool command-line interface.

Values

obtar-options

Specifies user-supplied obtar options. See "obtar Options" for details on obtar options. By default no options are set.

Note:

Whatever you enter is passed directly to obtar, so be sure to specify valid options. Otherwise, your backup or restore jobs fails to run.

databuffersize

Use the databuffersize policy to control the size of the shared memory buffer used for data transfer in a local file-system backup or restore operation. It is expressed in tape blocks, and the default value is 6. The default size of this shared memory, therefore, is 6 times the current tape block size.

You can use this policy to tune backup performance. It is relevant only to file-system backup and restore operations where the client and the media server are collocated.

See Also:

"blockingfactor" for more information on tape block size

disablerds

Use the disablerds policy to specify whether Reliable Datagram Socket (RDS) is used for communication between the client and media server. Where possible, Remote Direct Memory Access (RDMA) is used along with RDS. To use RDS, the client and media server must be connected over Infiniband.

This setting, which is applicable to the entire administrative domain, can be overridden at the host level by using the --disablerds option of the chhost or mkhost commands.

See Also:

"chhost" and "mkhost" for more information about --disablerds

Values

yes

Does not use RDS over Infiniband to transfer data between the client and media server. Instead TCP/IP is used for communication.

no

Uses RDS over Infiniband to transfer data between the client and media server. This is the default setting.

fullbackupcheckpointfrequency

Use the fullbackupcheckpointfrequency policy to specify checkpoint frequency, that is, how often Oracle Secure Backup takes a checkpoint during a full backup for restartable backups.

Values

nMB

Takes a checkpoint after every n MB transferred to a volume.

nGB

Takes a checkpoint after every n GB transferred to a volume. By default, Oracle Secure Backup takes a checkpoint for every 8 GB transferred to a volume.

incrbackupcheckpointfrequency

Use the incrbackupcheckpointfrequency policy to specify checkpoint frequency, that is, how often Oracle Secure Backup takes a checkpoint during an incremental backup for restartable backups.

Values

nMB

Takes a checkpoint after every n MB transferred to a volume.

nGB

Takes a checkpoint after every n GB transferred to a volume. By default, Oracle Secure Backup takes a checkpoint for every 2 GB transferred to a volume.

Choose the period at which Oracle Secure Backup takes a checkpoint during an incremental backup for any backup that is restartable. The value is represented in volume of bytes moved. (In the default case, a checkpoint is taken for each 8 GB transferred to a volume.)

mailport

Use the mailport policy to specify the TCP/IP (Transmission Control Protocol/Internet Protocol) port number to which Oracle Secure Backup sends e-mail requests from Windows hosts.

Values

port_num

Specifies a TCP/IP port number. The default value is 25.

mailserver

Use the mailserver policy to specify the name of the host to which Oracle Secure Backup sends e-mail requests from Windows hosts.

Values

hostname

Specifies a host name. The default value is localhost.

mailfrom

Use the mailfrom policy to specify a from address for e-mails generated by Oracle Secure Backup. The default value is (none), in which case the from address is root@fqdn or SYSTEM@fqdn, where fqdn is the fully qualified domain name of the Oracle Secure Backup administrative server.

Specifying a different address can help in configurations with multiple backup domains, because it minimizes the requirement to configure the mail server to allow e-mail from each specific system.

maxcheckpointrestarts

Use the maxcheckpointrestarts policy to specify the maximum number of times Oracle Secure Backup attempts to restart an operation from the same checkpoint. If this limit is reached, then Oracle Secure Backup discards the checkpoint and restarts the backup from the beginning.

Values

n

Specifies the maximum number of restarts. The default value is 5.

positionqueryfrequency

Use the positionfrequency policy to specify the frequency at which a position record (containing the relative offset within the backup data stream) gets written to the index file.

Oracle Secure Backup uses this information during subsequent restore jobs to rapidly position a tape to the requested files.

Values

n

Specifies the position query frequency in terms of KB transferred. The default value is 1024 (1 MB), which means that information is obtained after Oracle Secure Backup writes each 1 MB (1024*1024) of data to tape.

restartablebackups

Use the restartablebackups policy to specify whether the restartable backups feature is enabled. This feature enables Oracle Secure Backup to restart certain types of failed backups from a mid-point rather than from the beginning.

Values

yes

Enables restartable backups (default).

Note:

If you use the restartable backups feature, then ensure that the /tmp directory on the administrative server is on a partition that maintains at least 1 GB of free space.
no

Disables restartable backups.

restoreoptions

Use the restoreoptions policy to specify additional options to apply to restore operations dispatched by the scheduler. Whenever the scheduler initiates a restore operation, it supplies the specified command-line options to obtar. For example, you can turn on diagnostic output mode in obtar by setting this value to -J.

Values

obtar-options

Specifies user-supplied obtar options. See "obtar Options" for details on obtar options. By default no restore options are set.

Note:

Whatever you enter is passed directly to obtar, so be sure to specify valid options. Otherwise, your backup or restore jobs fail to run.

rmanresourcewaittime

Use the rmanresourcewaittime policy to select the duration to wait for a resource.

When a Recovery Manager (RMAN) job has been started and requires certain resources, the resources might not be available immediately. The rmanresourcewaittime policy controls the amount of time that the job waits in the Oracle Secure Backup scheduler queue for the required resources to become available. If the resources are unavailable after the wait time, then the job fails with an error message. If the resources become available within the specified time, then the job completes successfully.

Values

duration

Specifies the time to wait for a resource. Refer to "duration" for a description of the duration placeholder. Note that all values are valid except disabled. The default is forever.

rmanrestorestartdelay

Use the rmanrestorestartdelay policy to select the amount of time to wait before starting a restore operation after a restore request has been received. You can use this delay to queue all requests and optimize the retrieval of data from tape.

Values

delay_time

Specifies the time to delay. Valid values are a number followed by seconds, minutes, or hours. The default is 10seconds.

useloadbalance

Use the useloadbalance policy to determine whether Oracle Secure Backup should use network load balancing while transferring data between clients and media servers.

Network load balancing distributes the load of multiple backup and restore jobs across all the network connections available between the client and media server.

See Also:

Oracle Secure Backup Installation and Configuration Guide for more information about network load balancing

Values

yes

Uses network load balancing while transferring data.

no

Does not use network load balancing while transferring data (default).

tcpbufsize

Use the tcpbufsize policy to specify the size of TCP/IP (Transmission Control Protocol/Internet Protocol) buffers used in performing backups over the network, for hosts for which no buffer size has been specified directly using mkhost or chhost. The default value for tcpbufsize is the system default.

This policy is used in tuning backup performance.

windowsskipcdfs

Use the windowsskipcdfs policy to determine whether Oracle Secure Backup should back up Windows CD-ROM file systems (CDFS).

Values

yes

Does not back up CDFS file systems (default).

no

Backs up the contents of CDFS file systems.

windowsskiplockedfiles

Use the windowsskiplockedfiles policy to determine whether Oracle Secure Backup logs an error message when it encounters a locked Windows file. Files are locked when in use by another process.

Values

yes

Skips locked files and does not write a message to the transcript or archive's index file.

no

Logs an error message to the transcript and to the archive's index file (default).

Scheduler Policies

These policies control the behavior of the scheduler. For example, you can specify a frequency at which the scheduler attempts to dispatch backup jobs.

The scheduler policies are as follows:

applybackupsfrequency

Use the applybackupsfrequency policy to specify a frequency at which the Oracle Secure Backup scheduler attempts to dispatch jobs.

Values

duration

Specifies how often the scheduler dispatches jobs. Refer to "duration" for a description of the duration placeholder. Note that the forever and disabled values are not legal. The default value is 5minutes, that is, Oracle Secure Backup attempts to dispatch jobs every five minutes.

defaultstarttime

Use the defaultstarttime policy to specify the default start time for each trigger. See the Oracle Secure Backup Administrator's Guide for more information on triggers.

Values

time

Specifies the default trigger start time. Refer to "time" for a description of the time placeholder. The default value is 00:00 (midnight).

maxdataretries

Use the maxdataretries policy to specify the maximum number of times to retry a failed client backup.

While attempting to back up a client, certain errors can occur that cause the backup to fail. (See the Oracle Secure Backup Administrator's Guide for a description of triggers.) Retryable failures include those caused by the client being unavailable because it is out of service or down, unable to communicate through the network, or has insufficient disk space for temporary backup files.

Values

n

Specifies the maximum number of times to retry. The default value is 6.

pollfrequency

Use the pollfrequency policy to specify the frequency at which Oracle Secure Backup scans the contents of the scheduler catalog for manual changes.

Values

duration

Specifies the scheduler catalog polling frequency. Refer to "duration" for a description of the duration placeholder. Note that the forever value is not legal. The default value is 30minutes.

retainbackupmetrics

Use the retainbackupmetrics policy to specify whether Oracle Secure Backup saves a summary of metrics produced by each backup operation in the client host's observiced log.

Values

yes

Saves a metric summary.

no

Does not save a metric summary (default).

Security Policies

These policies control aspects of domain security. For example, you can enable Secure Sockets Layer (SSL) encryption for backup data in transit or set the key size for each host identity certificate.

The security policies are as follows:

trustedhosts

Use the trustedhosts policy to control whether Oracle Secure Backup restricts certain operations to trusted hosts only. These operations include:

  • Use of obtar commands

  • Direct access to physical devices and libraries

  • Access to encryption keys

Values

yes

Specifies that restricted operations can be run only from an administrative or media server. If a restricted operation is attempted from a host that has only the client role, then the attempt fails with an illegal request from non-trusted host error.

no

The restricted operations can be run from any host in the administrative domain.

See Also:

Oracle Secure Backup Installation and Configuration Guide for more information on trusted hosts

autocertissue

Use the autocertissue policy to indicate whether observiced on the administrative server transmits signed certificates (certificate response messages) over the network as part of the mkhost command processing.

Values

yes

Transmits signed certificates over the network during host creation (default).

no

Does not transmit signed certificates over the network during host creation.

certkeysize

Use the certkeysize policy to indicate the key size to be used when creating the public key/private key pair used in every identity certificate in the administrative domain. Certification Authorities typically choose key sizes of 1024 or 2048.

Values

size

Specifies the size of the key in bytes. Valid values are 512, 768, 1024 (default), 2048, 3072, or 4096. Key sizes of 512 or 768 are not regarded as secure; 1024 or 2048 are regarded as secure; and 3072 or 4096 are regarded as very secure.

encryptdataintransit

Use the encryptdataintransit policy to enable Secure Sockets Layer (SSL) encryption for file-system and unencrypted Recovery Manager (RMAN) backup data before it passes over the network. This policy does not enable or disable encryption for data at rest, that is, data stored on disk or tape.

If RMAN backup data is encrypted by RMAN, then this policy does not encrypt it again.

Values

yes

Enables encryption for bulk data transferred over the network.

no

Disables encryption for bulk data transferred over the network (default).

loginduration

Use the loginduration policy to specify the amount of time a login token remains valid in obtool after it is created.

Oracle Secure Backup creates a login token each time you log in through the obtool. If a valid token exists when you invoke either tool, then you do not have to log in again.

Values

duration

Specifies the duration of the login token. Refer to "duration" for a description of the duration placeholder. The default value is 15minutes.

securecomms

Use the securecomms policy to specify whether daemon components use Secure Sockets Layer (SSL) for authentication and message integrity.

Values

yes

Enables SSL encryption for authentication and message integrity (default).

no

Disables SSL encryption for authentication and message integrity.

webinactivitytimeout

Use the webinactivitytimeout policy to specify the length of time an Oracle Secure Backup Web tool session can be inactive before you must re-authenticate it. The default value is 15 minutes.

minuserpasswordlen

Use the minuserpasswordlen security policy to specify the minimum required Oracle Secure Backup user password length. Valid values are the integers from 0 (the default value) to 16. A zero value means a null password is permitted.

This security policy only affects passwords for users created with the mkuser or chuser commands. Other passwords in the Oracle Secure Backup domain, such as NDMP host passwords, are not affected because they are not under the control of Oracle Secure Backup.

You can change the minuserpasswordlen security policy value when you install Oracle Secure Backup on UNIX and Linux by modifying the minimum user password length parameter in the obparameters file.

Vaulting Policies

These policies control how Oracle Secure Backup performs vaulting.

The vaulting policies are as follows:

autorunmmjobs

Use the autorunmmjobs policy to control whether manual intervention is needed to start a media movement job after it has been scheduled.

Values

no

If this policy is set to no, then media movement jobs are not started automatically by the scheduler. The Oracle Secure Backup operator must run the job through the obtool runjob command. This is the default value.

yes

If this policy is set to yes, then media movement jobs are started automatically by the scheduler.

Note:

Even if autorunmmjobs is set to yes, manual intervention might still be required to complete a media movement job for a variety of reasons.

autovolumerelease

Use the autovolumerelease policy to automatically release recalled volumes when restore jobs requiring those volumes have completed. Only volumes automatically recalled by Oracle Secure Backup are released.

Values

yes

Enables the policy. When all restore jobs dependent upon a volume are completed, the volume is released to be returned to its previous location.

no

Disables the policy (default).

offsitecustomerid

Use the offsitecustomerid policy to define the default customer ID string used in reports generated by Oracle Secure Backup. You can override this policy for an individual location.

minwritablevolumes

Use the minwritablevolumes policy to specify the minimum number of writable volumes that must be available in each tape library always. If the number of writable volumes in a tape library drops to less than this value, then Oracle Secure Backup initiates early rotation of volumes in that tape library.

You can override this policy for an individual location.

Values

n

Specifies the minimum number of writeable volumes for each tape library.

reportretaintime

Use the reportretaintime policy to define how long vaulting reports (pick/distribution) are retained.

Values

duration

Refer to "duration" for a description of the duration placeholder. The default value is 7days.

invretrydelay

Use the invretrydelay policy to specify how long Oracle Secure Backup waits before retrying an export operation or inventory operation to verify if a volume has been physically removed from a library.

duration

Refer to "duration" for a description of the duration placeholder. The default value is 2minutes.

maxinvretrytime

Use the maxinvretrytime policy to specify how long Oracle Secure Backup continues retrying an export or inventory operation. When this duration is completed, the job is put in an input required state, an alert e-mail is sent to the e-mail recipients in the location object, and the following prompt is displayed in the transcript:

go      - proceed with the volume movement
quit    - give up and abort this media movement job
duration

Refer to "duration" for a description of the duration placeholder. The default value is 15minutes.

Volume Duplication Policies

These policies control how Oracle Secure Backup performs volume duplication.

The volume duplication policies are as follows:

duplicateovernetwork

Use the duplicateovernetwork policy to control whether Oracle Secure Backup is allowed to duplicate a volume to a different media server than the one containing the original volume being duplicated. Oracle Secure Backup does not duplicate between tape devices attached to different media servers by default, because it requires heavy use of network bandwidth.

Values

yes

Allow duplication between tape devices attached to different media servers.

no

Disallow duplication between tape devices attached to different media servers. This is the default value.

duplicationjobpriority

Use the duplicationjobpriority policy to specify the priority of volume duplication jobs relative to other jobs.

Values

n

Specifies the priority of the job. Default: 200.

Note:

By default, backup jobs are scheduled with a priority of 100. As a result, backup jobs take precedence over volume duplication jobs by default.

duplicationoptions

Use the duplicationoptions policy to specify additional options that are used during duplication . The option values must be preceeded by a hypen (-).

Values

d

Enables debug mode. When specified, additional information is printed in the duplication job transcript. This option does not take any argument.

K mask

Specifies device driver debug options. mask is the bitwise inclusive or one of the values listed in Table B-3.

l

Does not display volume label details in duplication job transcripts during a copy operation.

N

Does not use the tape helper during the duplication operation.

n

Uses NDMP to perform the volume duplication. This is the default setting.

s

Uses the SCSI interface to perform volume duplication, instead of the NDMP protocol. This option cannot be used with –n.