21 Backup and Restore Operations
Backups provide the ability to restore Oracle Key Vault to a previous state in the case of a failure.
- About Backing Up and Restoring Data in Oracle Key Vault
You can use Oracle Key Vault to back up and restore Oracle Key Vault data. - Oracle Key Vault Backup Destinations
A backup destination is the location where Oracle Key Vault data will be copied to and stored. - Scheduled Backups and States
Oracle Key Vault provides scheduled backup types depending on the backup destination, and different states that indicate the progress of the backup activity. - Scheduling and Managing Oracle Key Vault Backups
You can schedule Oracle Key Vault backups to specific backup destinations and times. - Restoring Oracle Key Vault Data
Oracle Key Vault data from a remote backup destination can be restored onto another Oracle Key Vault server. - Scheduling the Purging of Old Oracle Key Vault Backups
To better manage disk space used by Oracle Key Vault backups on remote destinations, you can schedule the periodic purging of old backups from them. - Manually Deleting a Local Oracle Key Vault Backup
You can manually delete a local backup by using the Oracle Key Vault management console. - Configuring Oracle ZFS Storage Appliance to Store Oracle Key Vault Backups
Oracle ZFS Storage Appliance is an enterprise storage system that is designed for the storage of data from Oracle products such as Oracle Key Vault. - Backup and Restore Best Practices
Oracle provides best practices to keep backups current so that you can recover from catastrophic failures with minimum downtime and data loss.
21.1 About Backing Up and Restoring Data in Oracle Key Vault
You can use Oracle Key Vault to back up and restore Oracle Key Vault data.
You should back up data periodically to reduce downtime and recover from unexpected data losses and system failures. You can restore a new or existing Oracle Key Vault server from a backup. When old backups are no longer needed, you can schedule their periodic deletion.
You can perform backup and restore operations from the Oracle Key Vault management console or by using the Oracle Key Vault RESTful services commands. You must be a user who has the System Administrator role to back up and restore Oracle Key Vault data. You can schedule backups at periodic intervals to run automatically at designated times. You also can run these operations on-demand to save a current snapshot of the system.
Oracle strongly recommends that you back up Oracle Key Vault data regularly on a schedule. This practice ensures that backups are current and hold the most recent data. You can use this backup to restore a new or existing Oracle Key Vault server and be fully operational with minimum data loss.
Oracle Key Vault encrypts all backed up data. When you use a remote destination, this data is copied using the secure copy protocol (SCP) or the secure file transfer protocol (SFTP). You must therefore ensure that either SCP or SFTP is supported at the remote backup destination.
Note:
Oracle Key Vault does not support backups taken as snapshot. Restoring from such snapshot backups is not supported.Parent topic: Backup and Restore Operations
21.2 Oracle Key Vault Backup Destinations
A backup destination is the location where Oracle Key Vault data will be copied to and stored.
- About the Oracle Key Vault Backup Destination
The backup destination enables the backup data to be available on Oracle Key Vault itself or on another server. - Creating a Remote Backup Destination
You can use the Oracle Key Vault management console to create a remote backup destination. - Changing Settings on a Remote Backup Destination
After you have created the backup destination, you can change the SCP or SFTP port number and details of the user account. - Deleting a Remote Backup Destination
You can delete a remote backup destination (but not the local destination) to stop future backups to that destination server.
Parent topic: Backup and Restore Operations
21.2.1 About the Oracle Key Vault Backup Destination
The backup destination enables the backup data to be available on Oracle Key Vault itself or on another server.
This ensures that you have all the relevant data to recover in case of a catastrophic failure with the Oracle Key Vault server or hardware.
The backup destination is usually another server or computer system that you have access to. You can add, delete, and modify a backup destination.
The backup operation copies Oracle Key Vault data to a backup destination of your choice. The backup destination stores the data until it is needed.
Oracle Key Vault provides two types of backup destinations: local and remote. The local backup destination resides on the Oracle Key Vault server itself, the remote one resides externally in a different server or computer system. You can create more than one backup destination for greater availability.
Local and remote backup destinations have the following characteristics:
-
Local backup destination: The local backup destination,
LOCAL
, is present by default and cannot be removed. Backups to the local backup destination are local backups.Backups to
LOCAL
are useful to save a current state of Oracle Key Vault. Because these backups are stored on disk, they could be lost in the case of hardware or other catastrophic failure. They will also not be available after a failover or switchover in a primary-standby configuration. You cannot restore the backups to a primary-standby without first unpairing the primary from the standby, nor can you restore the backups to a cluster configuration. Therefore, you should back up the data to a remote destination when using these configurations.A
LOCAL
destination can store only the last full backup and the cumulative incremental backups after that full backup. After a new full backup of the periodic backup toLOCAL
completes, Oracle Key Vault deletes the previous periodic full or cumulative incremental backup. In addition, you can also delete a backup manually. -
Remote backup destinations: Remote backup destinations reside on external servers and can be dispersed geographically for disaster recovery purposes. Backups to remote backup destinations are remote backups. To ensure that the remote backup destination does not accumulate too many backups and hence use up too much disk space, you can schedule a periodic automatic purging of these old backups.
Each backup destination on the external server is associated with a backup catalog file called
okvbackup.mgr
that Oracle Key Vault maintains at the backup destination. Theokvbackup.mgr
file catalogs the backups performed and is used to restore data.Note:
You cannot use another Oracle Key Vault server as a remote backup destination.
Caution:
-
Oracle Key Vault may not be able to find the backups if you delete or modify the backup catalog file. Therefore, do not delete or modify this file.
-
Do not configure the same remote backup destination directory for different Oracle Key Vault servers as backup destinations, because backups that happen concurrently from different Oracle Key Vault servers will overwrite each other's catalog file, with the result that Oracle Key Vault may not be able to locate the backups correctly.
-
After you restore a backup that contains a remote backup destination, do not continue to use that remote backup destination. Delete any backup jobs that are configured to send backups to that destination. Continuing to use this backup destination could corrupt the backup catalog file. Oracle Key Vault may not be able to locate backups correctly.
-
Configure each node in a multi-master cluster to send their backups to a different backup destination.
Related Topics
Parent topic: Oracle Key Vault Backup Destinations
21.2.2 Creating a Remote Backup Destination
You can use the Oracle Key Vault management console to create a remote backup destination.
/tmp
and the directory that you supplied in the Destination Path field. If the validation fails, then the backup destination is not created. If this happens, then check values for the user account on the remote server (user name and password or key) and ensure that the directory has write permissions for the user. Finally, ensure that the remote server is active.
Parent topic: Oracle Key Vault Backup Destinations
21.2.3 Changing Settings on a Remote Backup Destination
After you have created the backup destination, you can change the SCP or SFTP port number and details of the user account.
Related Topics
Parent topic: Oracle Key Vault Backup Destinations
21.2.4 Deleting a Remote Backup Destination
You can delete a remote backup destination (but not the local destination) to stop future backups to that destination server.
- Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
- Select the System tab, and then Settings from the left navigation bar.
- In the System Configuration area, click Backup and Restore.
- Select Manage Backup Destinations.
- In the Manage Backup Destinations page, check the boxes for the backup destinations that you want to delete.
- Click Delete.
Parent topic: Oracle Key Vault Backup Destinations
21.3 Scheduled Backups and States
Oracle Key Vault provides scheduled backup types depending on the backup destination, and different states that indicate the progress of the backup activity.
- About Schedule Backup Types and States
You can schedule backups in Oracle Key Vault for specific times and backup destinations. - Types of Oracle Key Vault Backups
Oracle Key Vault provides two types of backup jobs that can be scheduled: one-time backups and periodic backups. - Scheduled Backup States in Oracle Key Vault
Scheduled backups have four states, which indicate whether the backup is scheduled, in progress, completed, or paused.
Parent topic: Backup and Restore Operations
21.3.1 About Schedule Backup Types and States
You can schedule backups in Oracle Key Vault for specific times and backup destinations.
The backup process starts at the scheduled time and generates a system backup, which is a file that is stored on the backup destination. There is one backup file for each completed backup.
No backup can start if another backup is in progress. You can change the schedule of backups as needs change. You can continue working with Oracle Key Vault while the backup is in progress.
A system restart will terminate any ongoing backup. If you must restart the system during the time a backup is scheduled to occur, then you can pause the backup and resume the backup after the system restarts.
Parent topic: Scheduled Backups and States
21.3.2 Types of Oracle Key Vault Backups
Oracle Key Vault provides two types of backup jobs that can be scheduled: one-time backups and periodic backups.
-
One-time backup: A one-time backup makes a full backup of the Oracle Key Vault system. You can schedule multiple one-time backup jobs, each with its own start time.
You should make one-time local backups before making significant configuration changes to Oracle Key Vault, in case you need to recover from configuration failures.
LOCAL
destinations can only store the last one-time backup. When a one-time backup toLOCAL
completes, the previous backup is deleted. -
Periodic backup: After you schedule a periodic backup, Oracle Key Vault takes a full backup at the designated start time and then puts the backup schedule in the
ACTIVE
state. After the backup period passes, another backup starts. If it has been less than 7 days since the last full backup, then the next backup will be a cumulative incremental backup, which holds changes since the last full backup. If it has been more than 7 days since the last full backup, then the next backup will be a full backup.For example, if the backup period is one day, then every seventh one is a full backup. If the backup period is 8 days, then all backups are full backups. If the backup period is 12 hours, then there are 13 cumulative backups before a full backup.
You should schedule periodic backups with a period of 1 day or less to minimize data loss.
A
LOCAL
destination can store only the last full backup and the cumulative incremental backups after that full backup. After the periodic backup schedule takes a new full backup toLOCAL
, previous periodic full and cumulative backups inLOCAL
are deleted.Cumulative incremental backups are faster than full backups. Only one periodic backup can be scheduled at any time.
Related Topics
Parent topic: Scheduled Backups and States
21.3.3 Scheduled Backup States in Oracle Key Vault
Scheduled backups have four states, which indicate whether the backup is scheduled, in progress, completed, or paused.
- ACTIVE: The backup is scheduled and will start at the next start time. (The start time is indicated in the Start Time column on the Scheduled Backups page.)
- PAUSED: All future backups are on hold and will not start even if the start time has passed. They will start when they are explicitly resumed. You can change the state from active to paused and back. Put a scheduled backup in the paused state for these situations:
- When communication between Oracle Key Vault and the remote destination is broken
- If the remote destination is unavailable
- If you want to defer the backup
- ONGOING: The backup is in progress.
- DONE: The backup is complete.
Parent topic: Scheduled Backups and States
21.4 Scheduling and Managing Oracle Key Vault Backups
You can schedule Oracle Key Vault backups to specific backup destinations and times.
You must create the backup destinations that you will use beforehand, and you can modify or delete backup schedules.
- Scheduling a Backup for Oracle Key Vault
You can schedule a one-time or a periodic backup to a local or remote backup destination. - Changing a Backup Schedule for Oracle Key Vault
You cannot change the schedule of a backup in progress. - Deleting a Backup Schedule from Oracle Key Vault
You can delete a backup schedule from the Oracle Key Vault management console. - How Primary-Standby Affects Oracle Key Vault Backups
In a primary-standby deployment, you must perform backups on the primary server. - How Using a Cluster Affects Oracle Key Vault Backups
In a multi-master cluster environment, be aware of how the backup process works in individual nodes and the entire cluster. - Protecting the Backup Using the Recovery Passphrase
Oracle Key Vault uses the recovery passphrase to control who can restore system backups.
Parent topic: Backup and Restore Operations
21.4.1 Scheduling a Backup for Oracle Key Vault
You can schedule a one-time or a periodic backup to a local or remote backup destination.
Parent topic: Scheduling and Managing Oracle Key Vault Backups
21.4.2 Changing a Backup Schedule for Oracle Key Vault
You cannot change the schedule of a backup in progress.
Parent topic: Scheduling and Managing Oracle Key Vault Backups
21.4.3 Deleting a Backup Schedule from Oracle Key Vault
You can delete a backup schedule from the Oracle Key Vault management console.
- Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
- Select the System tab, and then Settings from the left navigation bar.
- In the System Configuration area, click Backup and Restore.
- Check the boxes of scheduled backups listed in the Scheduled Backup(s) page.
- Click Delete to delete the selected backup schedules.
Parent topic: Scheduling and Managing Oracle Key Vault Backups
21.4.4 How Primary-Standby Affects Oracle Key Vault Backups
In a primary-standby deployment, you must perform backups on the primary server.
Because the standby synchronizes its state with the primary, you do not need to back up the standby.
Be aware of the following behavior for failover or switchover operations in a primary-standby deployment:
-
Any backups in progress will terminate if there is a failover or a primary-standby switchover. Backups to
LOCAL
are private to the Oracle Key Vault server and therefore the local backup on the primary server is not available after a failover or switchover. -
Backups scheduled with password authentication start as usual after the failover or switchover.
-
Because backups can only be restored to standalone servers, you must unpair primary-standby deployments before you can perform a backup restore operation on the former primary.
Parent topic: Scheduling and Managing Oracle Key Vault Backups
21.4.5 How Using a Cluster Affects Oracle Key Vault Backups
In a multi-master cluster environment, be aware of how the backup process works in individual nodes and the entire cluster.
- In an Oracle Key Vault multi-master cluster environment, the replication intrinsically creates copies of data on other nodes in the cluster. However, you can still perform backups and backup-related operations on all individual Oracle Key Vault cluster nodes.
- Backups in a cluster are taken for disaster recovery in case of a complete cluster failure and should all be done on remote destinations.
- Backups can still only be restored to standalone Oracle Key Vault servers. Because a cluster node cannot be switched back to a standalone server, only remote backups should be taken.
Parent topic: Scheduling and Managing Oracle Key Vault Backups
21.4.6 Protecting the Backup Using the Recovery Passphrase
Oracle Key Vault uses the recovery passphrase to control who can restore system backups.
To restore a backup, use the Oracle Key Vault recovery passphrase from the time when the backup was initiated. This is necessary even if the recovery passphrase was changed after the backup completed. Oracle recommends that you make a new backup every time the recovery passphrase is changed to ensure that there is always a copy of the backup that is protected by the most recent recovery passphrase.
Related Topics
Parent topic: Scheduling and Managing Oracle Key Vault Backups
21.5 Restoring Oracle Key Vault Data
Oracle Key Vault data from a remote backup destination can be restored onto another Oracle Key Vault server.
This restore operation minimizes downtime and data loss.
- About the Oracle Key Vault Restore Process
The restore process replaces the database with the backup data. - Procedure for Restoring Oracle Key Vault Data
You can restore Oracle Key Vault data to a standalone server using the Oracle Key Vault management console. - Multi-Master Cluster and the Restore Operation
In a multi-master cluster deployment, you must consider several factors before you restore data to Oracle Key Vault. - Primary-Standby and the Restore Operation
In a primary-standby deployment, you must consider several factors before you restore data to Oracle Key Vault. - Certificates and the Restore Operation
A third-party certificate installed at the time of a backup will not be copied when you restore another server from this backup. - Changes Resulting from a System State Restore
Restoring an Oracle Key Vault server brings the system state back to the time when the backup last performed.
Parent topic: Backup and Restore Operations
21.5.1 About the Oracle Key Vault Restore Process
The restore process replaces the database with the backup data.
You must restore Oracle Key Vault data to a server only after ensuring that all scheduled backups on the server are completed.
Restoring data to an Oracle Key Vault server replaces the data in the server with that of the backup. The data restored is only as current as the backup. The restore operation replaces the Oracle Key Vault server with the backup. This means that some data can be lost. You might need to restore the endpoint database. Any data that is not in the backup that is getting restored will be lost. Backups can only be restored to the same version of Oracle Key Vault at which the backup was taken.
The maximum life of a backup is 1 year.
You must have the recovery passphrase that was in effect at the time of the backup in order to restore data from a backup. If you have not changed the recovery passphrase since installing Oracle Key Vault, then you must use the recovery passphrase that you created during the post-installation process.
Restoring data in Oracle Key Vault entails the following general steps:
-
Setting up the backup environment, which includes, after installing Oracle Key Vault, configuring backup destinations.
-
Performing the restore operation by determining the backup to use from a local or remote backup destination, and then providing the recovery passphrase to begin the restore process.
Parent topic: Restoring Oracle Key Vault Data
21.5.2 Procedure for Restoring Oracle Key Vault Data
You can restore Oracle Key Vault data to a standalone server using the Oracle Key Vault management console.
21.5.3 Multi-Master Cluster and the Restore Operation
In a multi-master cluster deployment, you must consider several factors before you restore data to Oracle Key Vault.
- You must restore only if all nodes in the cluster are lost.
- You must restore the backup to a standalone Oracle Key Vault server that has the same IP address as the node from which the backup was taken. Not doing so may affect the ability of endpoints to connect to the restored backup.
- After the restore operation, you must now use the restored server as the first node of a new cluster.
Parent topic: Restoring Oracle Key Vault Data
21.5.4 Primary-Standby and the Restore Operation
In a primary-standby deployment, you must consider several factors before you restore data to Oracle Key Vault.
- You must perform the restore operation only if both the primary and standby data are lost.
- You must restore the backup on a standalone Oracle Key Vault server only, even if the backup was taken from the primary.
- If you restore a backup taken from the primary node, you must use a freshly installed Oracle Key Vault server as the new standby.
- If the standby server has taken over as primary, and the former primary is lost, then there is no need to restore data from a backup to a new standby server. Just add a new standby server to the primary-standby deployment, which will automatically synchronize with the new primary.
Related Topics
Parent topic: Restoring Oracle Key Vault Data
21.5.5 Certificates and the Restore Operation
A third-party certificate installed at the time of a backup will not be copied when you restore another server from this backup.
A third-party signed console certificate in use at the time of a backup is not part of the Oracle Key Vault backup. When you restore an Oracle Key Vault server from the backup, Oracle Key Vault does not restore the third-party signed console. You must reinstall the third-party console certificate on the newly restored Oracle Key Vault server.
The Oracle Key Vault service certificates (CA or server certificate) are included in the Oracle Key Vault backup. When you restore the backup, the newly restored Oracle Key Vault server will include the service certificates from the backup. However, these certificates are from the time when the backup was taken. The restored CA or the server certificate could have expired later.
You can also perform the CA certificate rotation after the backup is taken and hence the CA certificate in the backup may be from before the CA certificate rotation was done. Because the CA certificate rotation was already done, all the endpoints have been issued new endpoint certificates with the new CA certificate created after the backup was taken. After the restore, the old CA certificate is in use and the endpoints with certificates issued using the new CA certificate will not be able to connect. When you restore a backup from before the CA certificate rotation, you must treat the old CA certificate as expired.
If the CA or the server certificate is nearing its expiration or you rotated the certificate after the backup that you restored, Oracle recommends that you rotate the CA and the server certificate right after the restore but before you proceed to set up a primary-standby or cluster deployment using the restored server.
If the CA or the server certificate is already expired, please contact Oracle Support.
As a best practice, backup the Oracle Key Vault server before and after performing a CA certificate rotation.
Related Topics
Parent topic: Restoring Oracle Key Vault Data
21.5.6 Changes Resulting from a System State Restore
Restoring an Oracle Key Vault server brings the system state back to the time when the backup last performed.
Therefore, any changes that were made after the backup was made do not exist on the restored system. For example, if a user's password was changed after the backup operation, the new password will not be available in the restored system. The restored system will have the password that was in effect when the backup was made. As another example, the user account profile parameters values are restored to the parameter values that existed at the time the backup was taken.
Note:
Restoring also changes the recovery passphrase to the one that was in effect during the backup.
You should change the user passwords, enroll the endpoints created after backup, and make other similar changes, if required. You should confirm that everything is configured correctly after restoring.
If you are not certain that you restored the correct backup, then you can restore a different one, provided that Oracle Key Vault continues to remain a standalone server. To restore another backup, first configure the remote destination of this backup on the restored Oracle Key Vault itself, and then start the restore process. You do not need to reinstall the Oracle Key Vault appliance.
When the Oracle Key Vault server has been restored and is functional, you can continue to back up Oracle Key Vault data to new remote destinations.
Oracle recomments that you change user passwords after a restore operation and backup the Oracle Key Vault.
Parent topic: Restoring Oracle Key Vault Data
21.6 Scheduling the Purging of Old Oracle Key Vault Backups
To better manage disk space used by Oracle Key Vault backups on remote destinations, you can schedule the periodic purging of old backups from them.
- About Scheduling the Purging of Old Oracle Key Vault Backups
You can automatically purge old Oracle Key Vault backups from remote destinations. - Creating a Backup Destination Policy
The Oracle Key Vault management console enables you to manage periodic purging of Oracle Key Vault backups from remote destinations. - Adding a Backup Destination Policy to a Remote Backup Destination
After you have created a backup destination policy, you can associate it with one or more remote backup destinations. - Changing a Backup Destination Policy
You can modify backup destination policies by using the Oracle Key Vault management console. - Suspending a Backup Destination Policy
You can suspend a backup destination policy for a remote backup destination by using the Oracle Key Vault management console. - Resuming a Suspended Backup Destination Policy
You can resume a suspended backup destination policy for a remote backup destination by using the Oracle Key Vault management console. - Deleting a Backup Destination Policy
You can delete a backup destination policy by using the Oracle Key Vault management console. - Finding Information about Backup Destination Policies
You can find information about backup destination policies on the Manage Backup Destinations page.
Parent topic: Backup and Restore Operations
21.6.1 About Scheduling the Purging of Old Oracle Key Vault Backups
You can automatically purge old Oracle Key Vault backups from remote destinations.
Performing a regularly scheduled removal of old Oracle Key Vault backups helps to ensure that your backup destinations have sufficient room available to store new backups. You can perform this task from either the Oracle Key Vault management console or by using the Oracle Key Vault RESTful services commands. To purge backups from a remote destination automatically at periodic intervals, you can create a backup destination policy and assign it to the remote destination. The backup destination policy defines the rules for selecting backups that should be purged. You can associate a backup destination policy with more than one remote destinations. You can suspend or resume a backup destination policy for the remote destinations individually. You must be a user who has the System Administrator role to create and assign a policy to a backup destination.
Parent topic: Scheduling the Purging of Old Oracle Key Vault Backups
21.6.2 Creating a Backup Destination Policy
The Oracle Key Vault management console enables you to manage periodic purging of Oracle Key Vault backups from remote destinations.
Parent topic: Scheduling the Purging of Old Oracle Key Vault Backups
21.6.3 Adding a Backup Destination Policy to a Remote Backup Destination
After you have created a backup destination policy, you can associate it with one or more remote backup destinations.
Note:
If a remote backup destination uses SCP as transfer method then the files associated with removed backups on the destination are replaced with zero bytes sized files. It is safe to delete these zero bytes sized files.Parent topic: Scheduling the Purging of Old Oracle Key Vault Backups
21.6.4 Changing a Backup Destination Policy
You can modify backup destination policies by using the Oracle Key Vault management console.
Parent topic: Scheduling the Purging of Old Oracle Key Vault Backups
21.6.5 Suspending a Backup Destination Policy
You can suspend a backup destination policy for a remote backup destination by using the Oracle Key Vault management console.
Parent topic: Scheduling the Purging of Old Oracle Key Vault Backups
21.6.6 Resuming a Suspended Backup Destination Policy
You can resume a suspended backup destination policy for a remote backup destination by using the Oracle Key Vault management console.
Parent topic: Scheduling the Purging of Old Oracle Key Vault Backups
21.6.7 Deleting a Backup Destination Policy
You can delete a backup destination policy by using the Oracle Key Vault management console.
- Log in to the Oracle Key Vault management console as a user who has the System Administrator role.
- Select the System tab, and then Settings from the left navigation bar.
- In the System Configuration area, click Backup and Restore.
- In the System Backup page, click Manage Backup Destinations.
- In the Manage Backup Destinations page, click Manage Policies.
- In the Manage Backup Destination Policies page, select the checkbox for the backup destination policy that you want to delete, and then click Delete.
- In the confirmation dialog box, click OK.
Parent topic: Scheduling the Purging of Old Oracle Key Vault Backups
21.6.8 Finding Information about Backup Destination Policies
You can find information about backup destination policies on the Manage Backup Destinations page.
Parent topic: Scheduling the Purging of Old Oracle Key Vault Backups
21.7 Manually Deleting a Local Oracle Key Vault Backup
You can manually delete a local backup by using the Oracle Key Vault management console.
Note:
If you delete a full periodic backup, then all of the incremental backups are also deleted.Parent topic: Backup and Restore Operations
21.8 Configuring Oracle ZFS Storage Appliance to Store Oracle Key Vault Backups
Oracle ZFS Storage Appliance is an enterprise storage system that is designed for the storage of data from Oracle products such as Oracle Key Vault.
- Step 1: Create a Storage Project in Oracle ZFS Storage Appliance
The Oracle ZFS Storage Appliance can create immutable snapshots of Oracle Key Vault backups. - Step 2: Copy the Oracle Key Vault Public Key to the Oracle ZFS Storage Appliance
The Oracle ZFS Storage Appliance storage project requires the backup key that is generated when you create an Oracle Key Vault backup. - Step 3: Complete Creating the Oracle ZFS Storage Appliance Project
With the Oracle Key Vault backup key, you can complete the configuration for the Oracle ZFS Storage Appliance project. - Step 4: Configure Oracle Key Vault to Connect to the Oracle ZFS Storage Appliance Project
The Oracle ZFS Storage Appliance storage project requires the backup key that is generated when you create an Oracle Key Vault backup.
Parent topic: Backup and Restore Operations
21.8.1 Step 1: Create a Storage Project in Oracle ZFS Storage Appliance
The Oracle ZFS Storage Appliance can create immutable snapshots of Oracle Key Vault backups.
The Oracle ZFS Storage Appliance retention period feature works well with the Oracle Key Vault backup policy feature to provide a secure and space-efficient backup solution for Oracle Key Vault.
The steps to configure Oracle ZFS Storage Appliance as a backup destination for Oracle Key Vault involve creating a user in Oracle ZFS Storage Appliance that will allow Oracle Key Vault to log in (only using Secure File Transfer Protocol (SFTP), and optionally authenticated using public key authentication). Next, you must create a project, a file system, a schedule to create immutable snapshots, and define a retention period. Finally, in Oracle Key Vault, you must define Oracle ZFS Storage Appliance as the backup destination, and then create a backup schedule.
- Log in to Oracle ZFS Storage Appliance as a user has privileges for creating backup projects.
- Select the Configuration tab, then in the Configuration page, expand Users by clicking its plus (+) sign.
- In the User Properties page, create a user who will be in charge of the Oracle Key Vault backup project. On the User Properties page, do the following:
- From the Type menu, select Local.
- In the Username and Full Name fields, enter the name of the user.
- In the Password and Confirm fields, enter the user password.
- Click ADD.
- Configure SFTP.
- In the Configuration page, expand Services.
- Under Data Services, select SFTP to enable it. This page will expand so to the SFTP Properties page so that you can add details for the SFTP configuration
- Under General Settings, confirm that the Port (for incoming connections) field is set to
218
.
- Do not exit this page; you will need to return to it in a later step to complete the backup destination creation.
21.8.2 Step 2: Copy the Oracle Key Vault Public Key to the Oracle ZFS Storage Appliance
The Oracle ZFS Storage Appliance storage project requires the backup key that is generated when you create an Oracle Key Vault backup.
- Log in to Oracle Key Vault as a user who has the System Administrator role.
- Select the System tab, and in the left navigation bar, select Settings.
- Under System Configuration select Backup and Restore.
- Select Manage Backup Destinations.
- In the Manage Backup Destinations page, click Create.
- On the Create Backup Destination page, scroll to the Public Key field.
- Copy the contents of the field, except for the line
ssh-rsa
. - Do not exit Oracle Key Vault; you need to return to it in a later step.
21.8.3 Step 3: Complete Creating the Oracle ZFS Storage Appliance Project
With the Oracle Key Vault backup key, you can complete the configuration for the Oracle ZFS Storage Appliance project.
21.8.4 Step 4: Configure Oracle Key Vault to Connect to the Oracle ZFS Storage Appliance Project
The Oracle ZFS Storage Appliance storage project requires the backup key that is generated when you create an Oracle Key Vault backup.
- Log in to Oracle Key Vault as a user who has the System Administrator role.
- Select the System tab, and in the left navigation bar, select Settings.
- Under System Configuration select Backup and Restore.
- Select Manage Backup Destinations.
- In the Manage Backup Destinations page, click Create.
- On the Create Backup Destination page, do the following:
- In the Destination Name field, enter a name for the backup destination.
- For Transfer Method, select sftp.
- For Hostname, enter the host information for the server where Oracle ZFS Storage Appliance resides, either the IP address or the name of the server.
- For Port, ensure that it matches the port number that was specified in the Oracle ZFS Storage Appliance project that you created.
- For Destination Path, enter
/export/
followed by the file system name that you gave in Oracle ZFS Storage Appliance when you configured the file system. - In the User Name field, enter the name of the user who was configured to manage the Oracle Key Vault backup project in Oracle ZFS Storage Appliance
- Click Save to create the backup destination.
- In the left navigation bar, select System Backup and then Backup.
- In the Backup page, do the following:
21.9 Backup and Restore Best Practices
Oracle provides best practices to keep backups current so that you can recover from catastrophic failures with minimum downtime and data loss.
-
Ensure that the recovery passphrase at the time of backup is accessible because you will need it to restore data from a backup.
-
Back up data any time you change the recovery passphrase.
-
Ensure that you create at least one remote backup destination in a primary-standby deployment. Because the local backup resides on the Oracle Key Vault server itself, it will be lost in a failover or switchover situation.
-
Do not edit or delete the backup catalog file that is associated with a remote backup destination, even if you stop using the backup destination. If you ever need to restore from a backup on this server, you will need the backup catalog file.
-
If you use the same remote server for multiple backup destinations, then ensure that the directories are unique so that you have distinct backup catalog files associated with each backup destination. If you fail to do this, then the backup catalog file will be overwritten during subsequent backups and become unusable.
-
When you restore a backup, do so to a standalone Oracle Key Vault server that has the same IP address as the Oracle Key Vault server on which the backup was taken. Failing to do so may result in endpoints not being able to connect to the restored backup.
-
Before you restore data, ensure that all scheduled backups are complete.
-
To create remote backup destinations successfully:
- Ensure that the servers used as remote backup destinations are enabled and active.
- Ensure that there is connectivity between Oracle Key Vault and remote server that you plan to use as a backup destination.
- Ensure that the remote server designated as a backup destination supports the secure copy protocol (SCP) or the SSH file transfer protocol (SFTP).
- Validate the user account credentials on the remote server before you create the backup destination on Oracle Key Vault.
- Ensure that the destination directory has write permissions.
- Create more than one remote backup destination on multiple servers for redundancy.
- Ensure that the destination directories are unique if you are using the same remote server for multiple backup destinations. You must do this to prevent later backups from overwriting previous ones.
-
Perform a one-time backup once every seven days.
-
Schedule a periodic backup with a period of one day. This ensures that you have a full backup once in seven days.
-
Perform a local one-time backup before system changes. You can use this backup as a restore point.
-
Backup before and after upgrading Oracle Key Vault server software.
-
Backup before and after performing critical operations such as rotating certificates.
-
Change the backup destination after each upgrade. If at all possible do not reuse the backup destination.
Parent topic: Backup and Restore Operations