1 Introduction to Oracle Secure Backup

This chapter provides an introduction to Oracle Secure Backup and includes advice on planning and configuring your administrative domain.

This chapter contains these sections:

See Also:

Oracle Secure Backup Administrator's Guide for conceptual information about Oracle Secure Backup

1.1 What Is Oracle Secure Backup?

Oracle Secure Backup enables reliable data protection through file-system backup to tape. It supports every major tape drive and tape library in SAN, Gigabit Ethernet (GbE), and SCSI environments using standard tape formats.

Oracle Secure Backup supports Internet Protocol v4 (IPv4), Internet Protocol v6 (IPv6), and mixed IPv4/IPv6 environments on all platforms that support IPv6.

Using Oracle Secure Backup on your network enables you to take data from a networked host running Oracle Secure Backup or a NAS device that supports NDMP, and back up that data on a tape device on the network. That data can include ordinary file-system files and databases backed up with Recovery Manager (RMAN).

As part of the Oracle storage solution, Oracle Secure Backup provides scalable distributed backup and recovery capabilities. It reduces complexity of your backup solution, by:

  • Integrating with the Oracle stack for maximum ease of use in a single Oracle solution to back up your data from disk to tape

  • Employing single-vendor technical support for database and file-system backup and recovery to tape

  • Using existing or new hardware, with broad tape device support in SCSI, GbE, and SAN environments with dynamic tape drive sharing for maximum tape drive utilization

  • Enabling use of disk pools to store file-system backups, RMAN backups, and NDMP filer backups. Backups stored on disk pools can be moved to tape later for optimum storage space utilization.

Oracle Secure Backup eliminates integration challenges with ready-to-use tape management software that provides single-vendor support. Oracle Secure Backup also reduces your costs. When using Oracle Secure Backup with RMAN to back up and recover databases and files to and from tape, no third-party tape management software is required. Oracle Secure Backup provides the media management layer needed to use tape storage with RMAN.

Centralized administration, heterogeneous network support, and flexible scheduling simplify and automate protection of the entire Oracle environment, including database data and file-system data such as the contents of the Oracle home.

1.2 Oracle Secure Backup Features

Oracle Secure Backup provides the following features:

  • Integration with other Oracle products thus enabling you to easily backup and restore both Oracle Databases and file-system data to tape

    Oracle Secure Backup is fully integrated with Recovery Manager (RMAN) and Oracle Enterprise Manager. You can use Oracle Enterprise Manager to backup both file-system data and Oracle Databases to tape. Oracle Secure Backup serves as a media management layer, through the System Backup to Tape (SBT) interface, to securely backup Oracle Databases using RMAN.

  • Support for disk pools and a wide range of tape drives and libraries that are accessible through various protocols such as SCSI, ISCSI, SAN, NDMP, and Fibre Channel

  • Centralized tape backup management

    Oracle Secure Backup enables centralized backup management of diverse distributed servers and multiple platforms including UNIX, Linux, Windows, and SAN. It can backup and restore locally or over a LAN/WAN.

  • Policy-based backup management

    Oracle Secure Backup provides customizable administrative policies that enable you to control backup operations in the administrative domain. Policies also enable you to control aspects of domain security.

  • Flexible interface options that provide maximum ease of use

    Oracle Secure Backup functionality can be accessed using any of the following interfaces: Oracle Secure Backup Web Tool, Oracle Enterprise Manager DB Control, Oracle Enterprise Manager Cloud Control, or obtool command-line interface.

  • Maximum security options for data and inter-host communication

    Inter-domain communication is secured using the Secure Socket Layer (SSL) protocol. All hosts in the Oracle Secure Backup administrative domain are identified and authenticated using SSL and X.509 certificates. Data transmission within the administrative domain is secured using encryption. You can also encrypt Oracle Database backups before they are stored to tape.

  • Automated device discovery

    Oracle Secure Backup can automatically discover and configure each secondary storage device connected to certain types of NDMP servers, such as a Network Appliance filer. It can also discover devices connected to the Oracle Secure Backup media servers.

  • Automated tape library and device management that includes automated control of tape libraries

    Oracle Secure Backup automates the management of tape libraries to ensure efficient and reliable use of their capabilities. It controls library robotics and enables automatic loading and unloading of volumes. It can also automatically clean tape drives in a tape library.

  • Automated media management that includes volume and backup expiration

    Oracle Secure Backup enables automatic tape recycling by specifying when volumes can be recycled. You create policies to define when volumes are eligible to be recycled or rewritten.

  • Flexible, multi-level, backup options

    Oracle Secure Backup enables you to create full, incremental, and differential backups.

  • Flexible options for restoring backups

    Oracle Secure Backup enables you to restores backup data stored on tapes either to the original location or to an alternative server.

1.3 Overview of Oracle Secure Backup Concepts

This section discusses Oracle Secure Backup concepts that enable you to better understand the installation process.

This section contains these topics:

1.3.1 About Oracle Secure Backup Administrative Domains and Hosts

Oracle Secure Backup organizes hosts and tape devices into an administrative domain, representing the network of hosts containing data to be backed up, hosts with attached tape devices on which backups are stored, and each tape device with its attachment to the hosts. A host can belong to only one administrative domain. Host Roles in an Administrative Domain

Each host in an administrative domain must be assigned one or more of the following Oracle Secure Backup roles:

  • Administrative server

    Each administrative domain must have exactly one administrative server. During postinstallation configuration, the administrative server must be configured with complete data regarding the other hosts in the administrative domain, their roles, and their attached tape devices. This configuration information is maintained in a set of configuration files stored on the administrative server.

    The administrative server runs the scheduler, which starts and monitors each backup job. The scheduler also keeps a backup catalog with metadata for all backup and restore operations performed in the administrative domain.

  • Media server

    A media server is a host with at least one tape device attached to it. A media server transfers data to or from a volume loaded on one of these tape devices. A media server has at least one attachment to a tape drive or library. It might have attachments to multiple tape libraries and disk pools.

    You specify the attachments between media servers and tape devices during postinstallation configuration of Oracle Secure Backup.

  • Client

    The client role is assigned to any host that has access to file-system or database data that can be backed up or restored by Oracle Secure Backup. Any host where Oracle Secure Backup is installed can be a client, including hosts that are also media servers or the administrative server. A network-attached storage device that Oracle Secure Backup accesses through NDMP can also serve the client role.


A host can be assigned multiple roles in an administrative domain. For example, a host with a tape drive attached could be both the administrative server and media server for a network that includes several other clients. For more examples of administrative domains, see "About Oracle Secure Backup Administrative Domain: Examples". Host Naming in an Administrative Domain

You must assign each host in an administrative domain a unique name to be used in Oracle Secure Backup operations. Typically, the host name in your DNS for this host is a good choice for the Oracle Secure Backup host name. However, you can assign a different name to a host. Oracle Secure Backup Host Access Modes

Communication among hosts in an administrative domain is always based on NDMP, but implementations and versions of NDMP vary. Oracle Secure Backup supports two host access modes: primary access mode and NDMP access mode.

Primary access mode is used among hosts on which Oracle Secure Backup is installed. Oracle Secure Backup daemons run in the background on the host, communicate with the administrative server using the Oracle Secure Backup implementation of NDMP, and perform backup and restore tasks. Hosts on which databases reside are typically accessed using primary access mode.


In Oracle Enterprise Manager, primary access mode is referred to as native access mode. In the Oracle Secure Backup Web tool and the output of some obtool commands such as lshost, primary mode is referred to as OB access mode.

NDMP access mode is used to communicate with devices such as storage appliances that do not run Oracle Secure Backup natively. For example, devices from third-party vendors such as Network Appliance and EMC are supported only in NDMP access mode. Each NDMP host uses a vendor-specific implementation of the NDMP protocol to back up and restore file systems. Some devices support older versions of the NDMP protocol. When adding such devices to the administrative domain, extra parameters might be required.

Oracle Secure Backup supports NDMP versions 3 and 4, and various extensions to version 4. It automatically negotiates with other, non-Oracle NDMP components to select a mutually supported protocol version. Between its own components, Oracle Secure Backup uses NDMP version 4. When communicating with hosts that are not running Oracle Secure Backup, Oracle Secure Backup usually chooses the protocol version proposed by that host when the connection is established. You can change the NDMP protocol version with which Oracle Secure Backup communicates to a specific host. You might want to do this when testing or troubleshooting.

1.3.2 About Oracle Secure Backup Administrative Domain: Examples

Figure 1-1 shows a minimal administrative domain, in which a single host is administrative server, media server, and client. An Oracle database also runs on the same host.

Figure 1-1 Administrative Domain with One Host

Description of Figure 1-1 follows
Description of "Figure 1-1 Administrative Domain with One Host"

Figure 1-2 shows a possible Oracle Secure Backup administrative domain that includes three client hosts, one administrative server, and one media server. A NAS appliance contains ordinary file data. One client based on UNIX and another based on Windows contain databases and other file data. Oracle Secure Backup can back up to tape the non-database files on file systems accessible on client hosts. RMAN can back up to tape database files through the Oracle Secure Backup SBT interface.

Figure 1-2 Oracle Secure Backup Administrative Domain with Multiple Hosts

Description of Figure 1-2 follows
Description of "Figure 1-2 Oracle Secure Backup Administrative Domain with Multiple Hosts"

1.3.3 About Disk Pools

A disk pool is a file-system directory that acts as a repository for backup image instances. Disk pools can store file-system backups, RMAN backups of Oracle databases, and backups created by NDMP filers.

Each disk pool is represented as a device in Oracle Secure Backup. A disk pool can belong to only one administrative domain. To monitor space utilization on disk pools, you must delete expired backup image instances.

See Also:

Oracle Secure Backup Administrator's Guide for more information on managing disk pools

1.3.4 About Tape Devices

Oracle Secure Backup maintains information about each tape library and tape drive so that you can use them for local and network backup and restore operations. You can configure tape devices during installation or add a new tape device to an existing administrative domain. When configuring tape devices, the basic task is to inform Oracle Secure Backup about the existence of a tape device and then specify which media server can communicate with this tape device.

This section contains these topics: Tape Drives

A tape drive is a tape device that uses precisely controlled motors to wind a tape from one reel to another. The tape passes a read/write head as it winds. Most magnetic tape systems use small reels fixed inside a cartridge to protect the tape and make handling of the tape easier.

A magnetic cassette or tape is sequential-access storage. It has a beginning and an end, which means that to access data in the middle of the tape, a tape device must read through the beginning part of the tape until it locates the desired data.

In a typical format, a tape drive writes data to a tape in blocks. The tape drive writes each block in a single operation, leaving gaps between the blocks. The tape runs continuously during the write operation.

The block size of a block of data is the size of the block in bytes as it was written to tape. All blocks read or written during a given backup or restore operation have the same block size. The blocking factor of a block of data expresses the number of 512-byte records contained in the block. For example, the Oracle Secure Backup default blocking factor (128) results in a tape block size of 128*512 bytes or 64 KB.

The maximum blocking factor is an upper limit on the blocking factor that Oracle Secure Backup uses. This limit comes into play particularly during restores, when Oracle Secure Backup must pick an initial block size to use without knowing the actual block size on the tape. The maximum blocking factor limits this initial block size to a value that is acceptable to both the tape device and the underlying operating system.

When Oracle Secure Backup starts a backup, it decides what block size to use based on several factors. Listed in order of precedence, these factors are:

  • Blocking factor specified using the obtar -b option

    This option can also be specified as part of the operations/backupoptions policy. If this option is specified, then it overrides all other factors.

    See Also:

    Oracle Secure Backup Reference for more information on the obtar -b option and the operations/backupoptions policy

  • Configuration of the tape drive to be used

    You can specify what blocking factor, maximum blocking factor, or both that Oracle Secure Backup should use for a particular tape drive when you configure that drive. You might want to do this if you have tape drives with very different block size limits.

  • Domain-wide blocking factors or maximum blocking factors set with the media/blockingfactor and media/maxblockingfactor policies.

    See Also:

    Oracle Secure Backup Reference for more information on the media/blockingfactor and media/maxblockingfactor policies

  • The default blocking factor (128) and maximum blocking factor (128), resulting in a block size of 64K

When a blocking factor has been nominated by one or another of these factors, it must pass the following tests:

  • The block size must be less than or equal to the maximum block size (blocking factor) put in effect by whatever policies or tape drive configuration attributes are in force.

  • The block size must be supported by the tape drive and attach point in question.

    Sometimes a tape drive, device driver, or kernel operating system has a limitation that supersedes all other considerations.

When Oracle Secure Backup begins a restore operation, it does not know what block size was used to write a given tape. Because issuing a read for a too-small block would result in an error condition and a tape reposition, Oracle Secure Backup always starts a restore operation by reading the largest possible block size. This is either the current setting of the media/maxblockingfactor policy or the tape drive configuration attribute. The maximum blocking factor, therefore, must always be greater than or equal to the largest block size you ever want to restore.

After the first read from the backup image instance, Oracle Secure Backup compares the amount of data requested to the actual size of the block and adjusts the size of subsequent reads to match what is on the tape.

Each tape drive supports a specific tape format. Typical tape formats include:

  • 4mm, or Digital Audio Tape (DAT)

  • Advanced Intelligent Tape (AIT)

  • Digital Linear Tape (DLT) and Super DLT (SDLT)

  • Linear Tape-Open (LTO)

  • T9840

  • T9940

  • T10000

Information about the tape formats of tape devices supported by Oracle Secure Backup is available in the Getting Started section at the following URL:

http://www.oracle.com/technetwork/products/secure-backup/learnmore/index.html Tape Libraries

A tape library is a robotic tape device that accepts SCSI commands to move a volume between a storage element and a tape drive. A tape library is often referred to as a robotic tape device, autochanger, or medium changer.

A tape library contains one or more tape drives, slots to hold tape cartridges, and an automated method for loading tapes.Figure 1-3 illustrates a tape library that contains four tape drives.

Oracle Secure Backup automates the management of tape libraries, thereby enabling efficient and reliable use of their capabilities. Oracle Secure Backup controls the tape library robotics so that tapes can be managed easily.

Oracle Secure Backup supports the following features of tape libraries:

  • Automatic loading and unloading of volumes

    When you add a tape library to your administrative domain, it is configured in automount mode by default. In this mode, Oracle Secure Backup sends commands to the robotic arm of the tape library to mount tapes for backup and restore operations. When a new volume is needed, Oracle Secure Backup scans the tape library until it finds a suitable volume. If sufficient eligible tapes are contained in the tape library storage elements, then no operator intervention is required to load the volumes needed to store the complete backup image.

  • Barcode readers

    A barcode is a symbol code that is physically applied to volumes for identification purposes. Some tape libraries have an automated barcode reader. Oracle Secure Backup can use barcodes to identify tapes in a tape library.

  • Automatic tape drive cleaning

    Oracle Secure Backup checks for cleaning requirements when a tape is loaded into or unloaded from a tape drive. If cleaning is required, then Oracle Secure Backup loads a cleaning cartridge, waits for the cleaning cycle to complete, replaces the cleaning cartridge in its original storage element, and continues with the requested load or unload. You can also schedule a cleaning interval.

As shown in Figure 1-3, a tape library has a set of addressable elements, each of which can contain or move a tape. Libraries can contain the following types of elements:

  • Storage element (se)

    This element is an internal slot in a tape library where a tape cartridge can reside.

  • Data transfer element (dte)

    This element represents a tape device capable of reading or writing the physical volume. Typically, a data transfer element (DTE) is a tape drive used to back up or restore data on a tape.

  • Medium transport element (mte)

    This element represents the robotics mechanism used to move tapes between other elements in the tape library. Typically, a medium transport element is a robot arm that moves tape cartridges from tape library slots to tape drives.

  • Import/export element (iee)

    This is an element by which media can be imported to and exported from the tape library. Typically, an import/export element is a door-like mechanism that an operator uses to transfer tapes into and out of the library. After the door is closed, the robotic arm transfers cartridges to internal slots in the library. Because the library itself is not opened during this procedure, no re-inventory is required.

Many of the Oracle Secure Backup tape library commands require you to specify one or more tape library elements, in particular, storage elements and import/export elements. Except in the inventory display, media transport elements are never referenced. Data transfer elements are referenced only in the inventory display and indirectly by the tape drive (if any) that you select for an operation.

Oracle Secure Backup refers to elements by their abbreviation (mte, se, iee, or dte) followed by the number of the element, for example, se5, iee2, dte1. When multiple elements of a type exist, element numbering starts at 1. When only one element of a type exists, the number can be omitted. Thus, iee1 and iee both refer to the first and only import/export element. If the abbreviation is omitted, then a storage element is assumed. For example, se4 and 4 both refer to the fourth storage element. For some commands, you can specify a range of storage elements, for example, 1-5.

Oracle Secure Backup supports several tape library operations. The following operations are the most basic:

  • Inserting and extracting volumes

  • Loading and unloading volumes

  • Moving volumes

  • Importing and exporting volumes

See Also: Virtual Tape Libraries

A virtual tape library is one or more large-capacity disk drives partitioned into virtual physical tape volumes. To Oracle Secure Backup the virtual tape library appears to be a physical tape library with at least one volume and at least one tape drive. The volumes and tape drives in the virtual tape library can be configured to match common physical tapes and tape drives.

Backup operations performed to a virtual tape library complete faster than backup operations to actual tape drives, because the underlying storage device is direct access media. But a virtual tape library is not suitable for long time storage, because it has limited storage capacity. If you back up to a virtual tape library, then you can take advantage of its faster backup and then use the volume migration feature of Oracle Secure Backup to migrate the data to tapes at a later point of time. Device Names and Attachments

Because Oracle Secure Backup manages tape drive operations, it must be able to identify the tape drive and determine whether the tape drive is housed in a tape library. Oracle Secure Backup must further determine if a storage element is available for storing a volume while not in use by the tape drive. Thus, each tape device must be uniquely identified within Oracle Secure Backup by a user-defined name.

Oracle Secure Backup distinguishes a tape device and the means by which the tape device connects to a host. To be usable by Oracle Secure Backup, each tape device must have at least one attachment, which describes a data path between a host and the tape device. An attachment usually includes the identity of a host plus an attach point name in Linux or UNIX, a device name in Windows, or a NAS device name. In rare cases, additional information is needed for the attachment definition.

See Also:

1.3.5 About Cloud Storage Devices

Oracle Secure Backup cloud storage devices are used to backup and restore data to and from Oracle Cloud Infrastructure Object Storage Classic. A cloud storage device operates on a cloud storage container in the Oracle Cloud user’s identity domain. The cloud storage container acts as a repository for backup image instances. Each cloud storage device is associated with only one cloud container. The storage class for a cloud container can be either the standard storage class (object) or archive storage class (archive).

See Also:

The cloud storage device is an Oracle Secure Backup device resource. Backup jobs must be explicitly configured to use cloud storage devices. The cloud storage device can store file-system backups or RMAN backups of Oracle databases. Cloud storage devices can be accessed concurrently by multiple backup and restore jobs. The number of concurrent jobs is defined by the device’s concurrentjob setting. Each of the backup or restore job creates parallel data connections to Oracle Cloud storage. The number of parallel connections is controlled by device’s streamsperjob setting.

A cloud storage device and its associated container can belong to only one Oracle Secure Backup administrative domain. It cannot be shared between multiple Oracle Secure Backup administrative domains.

Oracle Secure Backup stores each backup image instance by splitting it into multiple segments and storing each segment as a single object in the container. The segment size defines the size of the object and is specified by the device’s segmentsize parameter.

Backup image instances remain in the cloud container until they expire, are explicitly deleted, or are migrated to a cloud archive container. Oracle Secure Backup deletes expired backup image instances only when the device’s free space threshold is exceeded; not immediately after they expire.

See Also:

Oracle Secure Backup ensures that backup data is encrypted on the client before it is written to the cloud. If the backup job does not require encryption, then Oracle Secure Backup’s client-side software encryption is automatically forced on and the encryption polices set up in the client are applied to the backup data written to the cloud storage device.

You can stage backup data to a disk pool and then move it to a cloud storage device using automated staging. The backup data in the disk pool must be encrypted in order to copy it to the cloud storage device. However, a cloud storage device cannot be used as the source device for automated staging. You can move a backup image instance from a standard storage class (object) container to an archive storage class container with a manual copy job. Both containers must be located in the same identity domain. The copy between the standard object storage container and the archive storage container does not download the data to a client.

1.4 Oracle Secure Backup Daemons

Daemons are background processes that perform Oracle Secure Backup operations. Some daemons run continuously while others run only to perform a particular task and then exit when the task is complete.

A daemon can run either on the administrative server, the media server, or a client. Oracle Secure Backup uses a combination of daemons to perform a particular backup, restore, or configuration task.

The Oracle Secure Backup daemons include the following: Service daemon, Schedule daemon, Index daemon, Apache Web Server daemon, NDMP daemon, Robot daemon, and Proxy daemon.

See Also:

Oracle Secure Backup Administrator's Guide for more information about daemons

1.5 Oracle Secure Backup Interfaces

There are four different interfaces for accessing different elements of Oracle Secure Backup:

  • The obtool command line utility provides the fundamental interface for Oracle Secure Backup functions, including configuration, media handling, and backup and restore of file-system files.

  • Oracle Enterprise Manager offers access to most Oracle Secure Backup functions available through obtool as part of its Cloud Control interface.

  • Oracle Secure Backup includes its own Web-based interface, called the Oracle Secure Backup Web tool, which exposes all functions of obtool. The Oracle Secure Backup Web tool is primarily intended for use in situations where Oracle Secure Backup is being used independently of an Oracle Database instance. It does not provide access to database backup and recovery functions.

    The Oracle Secure Backup Web tool supports Internet Protocol v4 (IPv4), Internet Protocol v6 (IPv6), and mixed IPv4/IPv6 environments on all platforms that support IPv6.

  • Backup and restore operations for Oracle Database instances and configuration of the Oracle Secure Backup media management layer are performed through the RMAN command-line client or through Oracle Enterprise Manager.


Oracle Secure Backup documentation focuses on the use of Enterprise Manager wherever possible, and describes the Oracle Secure Backup Web Tool only when there is no equivalent functionality in Enterprise Manager, as in a file-system backup.

See also: