A Miscellaneous Programs

This appendix describes the following miscellaneous Oracle Secure Backup programs:

A.1 makedev


Use the makedev tool to configure a tape device for use with Oracle Secure Backup. This tool provides an alternative to creating a device special file with installob.


You must run this utility as root on a Linux or UNIX system.

Usage Notes

Note the following aspects of makedev usage:

  • The makedev tool creates device special files for a UNIX media server. For each tape drive that you define, makedev creates one special file. For each tape library you define, makedev creates a single device file.

  • The makedev tool prompts you for any required information that you do not supply on the command line. You can respond to any prompt with a question mark (?) to display more information.


install/makedev [ -u unit ] [ -d  ] [ -b bus ] [ -t target ] [ -l lun ] [ -f ]
[ -n ] [ -x ] [ -y ] [ -z ] [ -h | ? | -? ] [ -dr | -mh ]


-u unit

Creates the device special file for the tape device specified by Oracle Secure Backup logical unit number, which can range in value from 0 through 31.

The Oracle Secure Backup logical unit number of a tape device is a number assigned by you and used by makedev to create unique filenames for the tape devices connected to the media server. Although it is not a requirement, unit numbers usually start at 0.


Uses the default value for each unspecified option instead of prompting for it. Note that you must always specify a unit number (-u) even if you use this option.

-b bus

Specifies the SCSI bus number, address, or instance (depending on operating system type), to which the tape device is attached.

Table A-1 lists the default SCSI bus designation for each supported operating system type.

Table A-1 Default SCSI Bus Designations

Operating System Default SCSI Bus Type


esp0 (driver name/instance)

-t target

Specifies the SCSI target ID of the tape device, which can range from 0 through 15. The default depends on the logical unit number that you specified with the -u option.

-l lun

Specifies the SCSI LUN of the tape device. Most operating systems support only LUN 0 and 1.The default LUN is 0.

Be careful not to confuse the SCSI LUN with the Oracle Secure Backup logical unit number. The LUN is part of the hardware address of the tape device; the Oracle Secure Backup logical unit number is part of the device special file name.


Replaces any existing files or drivers without prompting for confirmation. By default, makedev prompts you to confirm replacement of any existing device special files.


Displays the commands that is processed by makedev to generate device special files, but does not actually create the files.


Displays all commands as they are processed by makedev.


Traces entry and exit from each subscript as it is processed by makedev.

-z (AIX only)

Generates a trace file, makedev.trc, in the current directory. This file contains the output of the methods used to define and configure the tape device.

[ -h | | -? ]

Displays a summary of makedev usage. You might be required to type -\? instead of -? to avoid shell wildcard expansion.


Creates special files for a tape drive. This the default.


Creates special files for a SCSI tape library.


Example A-1 Creating a Device Special File for a Tape Drive

This example uses makedev to create a device special file. The example creates a special file for a tape drive, unit 0, at the default SCSI bus and target.

# install/makedev -u 0 -d

A.2 obcleanup


Use the obcleanup tool to generate an editable file listing the volumes in the Oracle Secure Backup catalog and to remove unneeded records.

If previously used volumes are unlabeled or overwritten, then the index daemon automatically removes expired backups from the catalog at the interval set by the indexcleanupfrequency index policy (the default is 21 days). In this case, no manual intervention is necessary.

If volumes expire but are not unlabeled or overwritten, then their catalog entries persist unless you remove them with obcleanup. You can also use obcleanup to remove references to volumes that are no longer needed but are not set to expire. Because the catalogs can consume considerable disk space, you might want to run obcleanup periodically to keep the admin subdirectory of the Oracle Secure Backup home to a manageable size.


The obcleanup utility operates only on the administrative server.

Usage Notes

When you run the obcleanup program on the command line, it lists the contents of the catalogs in a file, which is opened in an editor. The default text editor is set by the EDITOR environment variable. On Linux and UNIX, the default is /bin/vi if the EDITOR environment variable is not set. On Windows the default is Notepad.

Each line in the file contains a reference to a volume that you could purge from the catalogs. For example:

#Item Identification                  Created     Where Notes
#---- ---------------------------- -------------- ----- ---------------------
    1 VOL000001                  2004/06/07.15:51 IS  IX volume is full 

Volumes that have expiration policies associated with them are noted in this file. If you have discarded or overwritten tapes, then use a text editor to delete the lines corresponding to these tapes from the file, save the modified file, and exit the editor.

After you delete records from the generated file and save it, obixd runs in the background and automatically removes the deleted records from the catalogs. You can configure the obixd cycle time in the index policy. The default cycle time is 21 days.


etc/obcleanup [ -a ] [ -d ] [ -s { d | v | t } ] [ -v ]...
etc/obcleanup [ -V ]



Shows individual archive records in addition to volume records.


Shows previously deleted records.


Sorts the list by date (d), volume ID (v), or volume tag (t).


Operates in verbose mode. The more -v options you specify, the more verbose the output.


Displays the obcleanup version and exits.


Example A-2 Sample Output from obcleanup

This example shows the editable file generated by the obcleanup utility for host brhost2.

% etc/obcleanup

# This file lists all volumes described in Oracle Secure Backup's
# "volumes" and "index" databases on brhost2.
# Edit this file to delete entries from Oracle Secure Backup's databases.
# Delete each line whose corresponding database entry you want
# to remove.  Do not change the contents of the undeleted lines!
# Once you've finished, save your changes and exit the editor.
# obcleanup will ask you to confirm these changes before applying
# them to the databases.
#Item Identification                  Created     Where Notes
#---- ---------------------------- -------------- ----- ---------------------
    1 tag 00000105                                IS
    2 tag 00000110                                IS
    3 tag 00000111                                IS
    4 tag 00000121                                IS
    5 tag 00000155                                IS
    6 tag 00000156                                IS
    7 tag 00000157                                IS
    8 tag 00000158                                IS
    9 tag AEA649S                                 IS
   10 tag AEA650S                                 IS
   11 tag AEA655S                                 IS
   12 tag AFX935                                  IS
   13 tag AFX936                                  IS
   14 tag AFX936                                  IS
   15 full-000001             2008/01/17.18:12    IX
   16 full-000002             2008/01/17.18:12    IX
   17 full-000003             2008/01/17.18:12    IX
   18 full-000004             2008/06/05.01:02    IX
   19 full-000005             2008/07/04.01:02    IX
   20 full-000006             2008/08/06.01:04    IX
   21 full-000007             2008/09/06.01:00    IX
   22 full-000008             2008/09/06.01:00    IX
   23 full-000009             2008/11/04.15:05    IX
   24 full-000010             2008/11/04.15:05    IX

A.3 obcm


Use the obcm tool to renew, export, or import an identity certificate, to manage the encryption key wallet, to update domain certificates, and to create a wallet used for cloud storage devices. Importing or exporting an identity certificate is required if you do not accept the default Oracle Secure Backup security behavior, which is for the Certification Authority (CA) to issue a signed certificate to each host over the network.

When using a cloud storage device, use the obcm tool to create and manage the cloud wallet.

The observiced daemon on the administrative server acts as the CA. The CA has two responsibilities for certificates: it accepts certificate signing requests from hosts within the system as part of the mkhost process and sends signed certificates back to the requesting host.

In manual certificate provisioning mode, you run obcm export --certificate on the administrative server to export a signed certificate for the newly configured host. You must manually transfer this signed certificate to the newly configured host.

After manually transferring the certificate to the host, run obcm import on the newly configured host to import the signed certificate into the host's wallet. In this case, obcm directly accesses the wallet of the host. After it has made changes to the local wallet, obcm notifies the local observiced so that the local observiced can re-create the obfuscated wallet.


All obcm commands should be run as root in Linux or UNIX or as an administrative user in Windows.

You must have write permissions in the wallet directory, which by default is /usr/etc/ob/wallet on Linux and UNIX and C:\Program Files\Oracle\Backup\db\wallet on Windows.


obcm chpass --keywallet/-k name 
  [ --newpass/-n new_psword ] [ --oldpass/-o old_psword ]
obcm decertify [ --nq | --resign ]
obcm display [--cloudwallet/-c | --idwallet/-i | --keywallet/-k | --crl/-l]
   [--password/-p password] [--verbose/-v]
obcm export { --certificate/-c | --request/-r } --file/-f cert_file 
  --host/-h hostname
obcm import --file/-f signed_certificate_file
obcm mkow --keywallet/-k key_wallet [ --password/-p psword ]
obcm recertifydomain [ --nocomm/-h ] [ --expires/-e months ] [ --noquery/--nq ]
obcm ca [ enable | disable ] certification authority
obcm verifycomm
obcm wallet [--create/-c] [--cloudwallet/-L | --wpath/-w wallet path] [--add/-a certificate path] 


chpass --keywallet/-k name [--newpass/-n new_psword [--oldpass/-o old_psword]

Changes the password for the Oracle Secure Backup encryption key wallet. The --keywallet argument is required. If --newpass or --oldpass is not specified, then you are prompted for the corresponding password.

decertify [--nq | --resign]

Deletes local host certification data. If you specify --nq, then the command does not display a confirmation message. If you do not specify this option, then the command displays a confirmation message. "Command Execution in Interactive Mode" describes the message.

Specify the --resign option to remove the client host from the Oracle Secure Backup administrative domain. This option is necessary when moving a host from one backup domain to another.

For proper decertification of a host, Oracle recommends that you first close all obtool sessions and Oracle Secure Backup processes running on that host.

If you run obcm decertify as a user other than root in Linux or UNIX or an administrative user in Windows, then Oracle Secure Backup does not display an error but the host is not decertified. An attempt to decertify the administrative server fails with an error. The obcm decertify command can be run more than once on other hosts, but only the first operation actually decertifies the host.

You can use the rmhost --nocomm/-N hostname command to remove a decertified host from the Oracle Secure Backup domain.

To recertify a decertified host, Oracle recommends that you use the updatehost command with the recertify option, rather than using the rmhost and mkhost commands in obtool. Because the rmhost and the mkhost commands remove the host and then add it back in to the domain, they attribute some Oracle Secure Backup objects as deleted. The rmhost command also deletes the catalog restore data for that host.

display {[ cloudwallet/-c | -idwallet/-I ] | [ keywallet/-k | --crl/-l]} [password/-p password] [verbose/-v]

Displays the contents of the identity, encryption key, or cloud wallet. The --crl option displays the certificate revocation list. If no wallet type is specified, then data from the identity wallet is displayed. You can use the --password option to display the contents of the password-protected encryption key wallet. This can be useful during a recovery from a lost catalog, when the obfuscated version of the encryption key wallet has been lost.

export {--certificate/-c | --request/-r} [--file/-f cert_file] [--host/-h hostname]

The --certificate option exports a signed certificate chain for the specified host to the specified text file. The --request option exports a certificate request for the specified host to the specified text file. Both the --file and --hostname arguments are required.

import [--file/ -f signed_certificate_chain]

Imports a signed_certificate_chainfrom the specified text file. The --file argument is required.

mkow [--keywallet/-k key_wallet] [--password/-p password]

Re-creates the obfuscated encryption key wallet with the existing password, in instances like Oracle Secure Backup disaster recovery. If --password is not specified, then you are prompted for the password.

recertifydomain [ --nocomm/-h ] [ --expires/-e months ] [ --noquery/--nq ]
Triggers the renewal of the signing certificate of your domain. This command must be run on the administrative host.

Use the --nocomm option to request the renewal of certification authority, with no interaction with other Oracle Secure Backup components. Note that in the case where the Oracle Secure Backup service daemon cannot start, using the --nocomm parameter is mandatory.

Use the --expires option to set the lifetime duration, in months, for the renewed certificates in your domain. This value overrides the lifetime set using the certlifetime policy.

Using the --expires parameter is mandatory in the following scenarios:
  • The certificates have already expired.

  • obcm version is executing within an Oracle Secure Backup or prior domain.

Before using the obcm recertifydomain command, you must meet the following requirements:

  • Ensure that observiced is running on your domain

  • Temporarily suspend the backup scheduler

  • Ensure that the current host is the administrative server

  • Ensure that there are no active or pending jobs

ca [ enable | disable ] certification authority
Manages host certification on support versions of Oracle Secure Backup. This command temporarily enables or disables recertification of signing certificates.

To permanently disable renewal of certificates, see how to renew certificates in manual certificate provisioning mode in the Oracle Secure Backup Installation and Configuration Guide..

Verifies the validity of host certificates by determining whether obcm can successfully communicate with observiced. Run this command to diagnose connection errors in your domain.
wallet [--create/-c] [--cloudwallet/-L | --wpath/-w wallet path] [--add/-a certificate path]
Creates a user wallet and imports certificates into the wallet. The following are the wallet options:
  • --cloudwallet

    indicates that the certificate management function will be applied to the cloud wallet
  • --wpath specifies a path for the wallet to be created

  • --add adds a trust point to the wallet

    using the specified certificate


Example A-3 Exporting a Signed Certificate Chain

This example exports a signed certificate chain for host new_client to the file new_client_cert.f. The utility runs on the administrative server.

obcm export -c -f /tmp/new_client_cert.f -h new_client 

Example A-4 Importing a Signed Certificate Chain

This example imports a signed certificate chain from the file client_cert.f. The utility is run on the host being added to the administrative domain.

obcm import -f /tmp/new_client_cert.f

Example A-5 Creating a Cloud Wallet Containing Trust Points Using Certificate Files

This example creates a cloud wallet containing trust points using certificate files.

  1. Create a cloud wallet, entering a password when prompted:
    #obcm wallet --create --cloudwallet 
    Wallet Password: 
  2. Add the downloaded certificate to the cloud wallet just created. Use the same password you used when you created the cloud wallet:
    #obcm wallet --cloudwallet --add /tmp/cacertificate1.crt 
    Wallet password: 
  3. Add the intermediate CA certificate. Use the same password you used when you created the cloud wallet:
    #obcm wallet --cloudwallet --add /tmp/cacertificate2.crt
    Wallet Password: 
  4. You can use the obcm command display --cloudwallet -v to validate that the certificates were added correctly to the cloud wallet. The output should show two trust points in the wallet, as follows:
    There are 0 certificate requests in the wallet
    There are 0 certificates in the wallet
    There are 2 trust points in the wallet
    Trust point:
        DN: CN=Symantec Class 3 Secure Server CA - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US
        Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=(c) 2006 VeriSign\, Inc. - For 
                authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US
        Type: NZDST_CLEAR_PTP
        Public key size: 2048
        Key usage: CA CERT SIGNING
        Serial number: 0x513FB9743870B73440418D30930699FF
        Version: NZTTVERSION_X509v3
        Signature algorithm: NZDCATSHA256RSA
        Valid from: 2013/10/31.00:00:00 (UTC)
        Valid to:   2023/10/30.23:59:59 (UTC)
    Trust point:
        DN: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=(c) 2006 VeriSign\, Inc. - For 
            authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US
        Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=(c) 2006 VeriSign\, Inc. - For 
                authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US
        Type: NZDST_CLEAR_PTP
        Public key size: 2048
        Key usage: CA CERT SIGNING
        Serial number: 0x18DAD19E267DE8BB4A2158CDCC6B3B4A
        Version: NZTTVERSION_X509v3
        Signature algorithm: NZDCATSHA1RSA
        Valid from: 2006/11/08.00:00:00 (UTC)
        Valid to:   2036/07/16.23:59:59 (UTC)

A.4 uninstallob


Use the uninstallob tool to uninstall Oracle Secure Backup from your system. The uninstallob script gives the user the choice to save the administrative directory if uninstalling an administrative server or to save the system's identity if uninstalling a media server or client.


You must run this utility as root on a Linux or UNIX system.




Example A-6 Uninstalling Oracle Secure Backup

This example uses uninstallob to uninstall Oracle Secure Backup from an administrative server.

# install/uninstallob
Do you want to save the admin directory (y or n) [y]? :y
Do you want to continue (y or n) [n]? : y
Oracle Secure Backup was successfully uninstalled