Oracle® Secure Backup Administrator's Guide Release 10.1 Part Number B14234-02
This chapter introduces Oracle Secure Backup and describes the basic architecture of an Oracle Secure Backup environment. This chapter contains the following topics:
Oracle Secure Backup supplies reliable data protection through file system backup to tape. The Oracle Secure Backup SBT interface enables you to use Recovery Manager (RMAN) to back up Oracle databases. All major tape drives and tape libraries in SAN, Gigabit Ethernet, and SCSI environments are supported.
Oracle Secure Backup enables you to do the following:
Centrally manage tape backup and restore operations of distributed, mixed-platform environments (see Oracle Secure Backup Installation Guide for supported machine architectures). You can access local and remote file systems and devices from any location in a network without using NFS or CIFS.
Back up to and restore data from Oracle Cluster File System (OCFS) on Linux and Windows.
Use wildcards and exclusion lists to specify what you want to back up.
Duplex database backups so that the same data stream goes to multiple devices. You can specify different media families or devices for each copy of the data.
Create backups that span multiple volumes.
Optimize tape resources with automatic drive sharing.
Restore data rapidly. Oracle Secure Backup uses direct-to-block positioning and direct access restore to avoid unnecessarily reading tape blocks to locate files. Oracle Secure Backup maintains a record of the tape position of all backup data in its catalog for rapid retrieval.
Maintain security and limit the users who are authorized to perform data management operations. By default, SSL is used for authentication and communication between hosts in the administrative domain.
Recovery Manager (RMAN) is an Oracle Database-specific backup and recovery utility. RMAN is a built-in part of Oracle Database and backs up, restores, and recovers database files regardless of the type of disk storage used for these files.
RMAN knows and applies the complex rules that must be followed to recover Oracle databases. If your database backup strategy needs storage resources other than local disk, then you must use RMAN in conjunction with a general-purpose network backup tool such as Oracle Secure Backup.
Oracle Secure Backup can back up all types of files on the file system. Although Oracle Secure Backup has no specialized knowledge of database backup and recovery algorithms, it can serve as a media management layer for RMAN through the SBT interface. In this capacity, Oracle Secure Backup provides the same services for RMAN as other supported third-party SBT libraries. Oracle Secure Backup is better integrated with Oracle Enterprise Manager, however, than other media managers.
Table 1-1 describes differences between RMAN and Oracle Secure Backup in terms of the type of data backed up and the type of media used for backup storage.
Table 1-1 Differences Between Oracle Secure Backup and RMAN
Type of Data | Type of Backup Storage | Oracle Secure Backup Backup and Restore | Recovery Manager Backup and Restore |
---|---|---|---|
Oracle datafiles, control files, and archived redo logs | Tape | Yes (only with RMAN) | |
Oracle datafiles, control files, and archived redo logs | Disk | No | Yes |
Non-database files on the file system | Tape | Yes | No |
Non-database files on the file system | Disk | No | No |
See Also:
Oracle Database Backup and Recovery Basics to learn about Recovery Manager
Figure 1-1 shows the interfaces that you can use to access Oracle Secure Backup.
Figure 1-1 Interfaces to Oracle Secure Backup
Users interact with Oracle Secure Backup by means of one of the following tools:
Oracle Secure Backup Web tool
The Oracle Secure Backup Web tool is a browser-based GUI that enables you to configure an administrative domain, manage the backup and restore of file system data, and browse the backup catalog.
The Web tool utilizes an Apache Web server, which runs on the administrative server. As explained in "Using the Web Tool", you can access the Web tool from any Web browser that can connect to this server.
Oracle Secure Backup command-line interface (obtool)
Oracle Secure Backup provides a command-line program called obtool as an alternative to the Web tool. You can log in to the administrative domain through obtool to back up and restore file system data and to perform configuration and administration tasks.
As explained in "Using obtool", you can run the obtool utility on any host in the administrative domain on which Oracle Secure Backup is installed.
Oracle Enterprise Manager Database Control and Grid Control
Oracle Enterprise Manager is a set of GUI-based tools for managing the Oracle environment. You can use Enterprise Manager to schedule and perform RMAN backups through the Oracle Secure Backup SBT interface. You can also perform administrative tasks such as managing media and devices within the Oracle Secure Backup administrative domain. The Enterprise Manager console includes a link to the Oracle Secure Backup Web tool.
As explained in "Using Oracle Enterprise Manager", you can use Enterprise Manager Database Control to back up a database on the administrative server. You can run Enterprise Manager Grid Control on any database host within the administrative domain and use this interface to manage all database backup and restore operations.
Recovery Manager command-line interface (rman)
You can use the RMAN command-line interface to configure and initiate backup and restore operations that use the Oracle Secure Backup SBT interface. The RMAN utility is located in the bin subdirectory of an Oracle home.
As explained in "Interfaces for Managing Database Backup and Recovery", you can run the RMAN command-line client on any database host so long as it can connect to the target database. For RMAN to make backups to Oracle Secure Backup, the Oracle Secure Backup SBT library must reside on the same host as the target database.
See Also:
Chapter 3, "Getting Started" for an orientation to the interfaces to Oracle Secure Backup
Oracle Enterprise Manager Administrator's Guide and the Enterprise Manager online help to learn how to use Enterprise Manager
Oracle Secure Backup Reference to learn about obtool commands
Oracle Database Backup and Recovery Basics to learn about the Recovery Manager command-line interface
The Network Data Management Protocol (NDMP) defines a common architecture for backups of file servers on a network. NDMP specifies the format and means of transmission of messages and payload data. NDMP is an open standard protocol that is promoted and supported by industry vendors.
NDMP enables a centralized backup application, which is called the Data Management Application (DMA), to back up and restore file servers that run on different platforms. NDMP is commonly used by Network Attached Storage (NAS) devices, also known as filers, to perform backup and restore operations without requiring backup software to be installed. This model is different from the classical backup model, which requires the installation of backup software on each host.
The DMA manages backup and restore operations by establishing a TCP/IP-based control connection with an NDMP server. An NDMP server provides NDMP services, which are the NDMP interfaces to the storage devices. The data service transfers data to and from the primary disk storage, whereas the tape service transfers data to and from secondary storage such as a tape drive.
With NDMP, network congestion is minimized because the data path and control path are separated. Data transfer can occur locally—from file servers directly to and from tape drives—while management occurs centrally.
Oracle Secure Backup uses NDMP for data transfer and remote control of tape drives and tape libraries. Thus, Oracle Secure Backup supports devices connected to Windows, Linux, and UNIX hosts with Oracle Secure Backup's internal NDMP server. While Oracle Secure Backup leverages NDMP, it is transparent to users except when backing up a NAS device that requires NDMP for optimal backup operations.
In addition to Windows, Linux, and UNIX hosts, Oracle Secure Backup supports special-purpose appliances such as Network Appliance filers, Mirapoint message servers, and DinoStor tape appliances. These appliances can be backed up locally or remotely, but cannot perform the role of Oracle Secure Backup administrative server because backup software cannot be installed on them.
Although Oracle Secure Backup uses NDMP, specific NAS devices utilizing NDMP must still be tested and supported by Oracle Secure Backup.
Supported NAS devices are listed on Certify on Metalink, at the following URL:
Tape device matrixes are available at the following URL:
http://www.oracle.com/technology/products/secure-backup/
See Also:
http://www.ndmp.org to learn more about NDMP
An administrative domain is a network of hosts that you manage as a common unit to perform backup and restore operations. To configure Oracle Secure Backup, you need to assign roles to each host in the domain. A single host can have one or more of the following roles:
Administrative server
You can assign this role to a host in your administrative domain that contains a copy of Oracle Secure Backup software. The administrative server maintains the configuration data and catalogs for the domain (see "Administrative Data"). An administrative domain has one and only one administrative server.
The administrative server runs the Oracle Secure Backup scheduler, which starts and monitors backup and restore jobs within the administrative domain. You choose your administrative server when you install Oracle Secure Backup. Note that the administrative server can co-reside on a host with other applications or function as a dedicated, single-purpose server.
Media server
You can assign this role to a host that has one or more secondary storage devices, such as tape libraries or tape drives, connected to it. An administrative domain has one or more media servers.
Client
You can assign this role to a host whose locally-accessed data is backed up by Oracle Secure Backup. An administrative domain has one or more client hosts. Most hosts defined within the administrative domain are clients.
Figure 1-2 illustrates a sample Oracle Secure Backup administrative domain. In this scenario, the domain includes five hosts: an administrative server, a media server with attached tape library, and three clients. Two of the clients run Oracle databases; the other client is a NAS appliance.
Figure 1-2 Administrative Domain with Five Hosts
Figure 1-3 illustrates a different Oracle Secure Backup administrative domain that contains a single Linux host. This host assumes the roles of administrative server, media server, and client. The host runs an Oracle database and has a tape library locally attached.
Figure 1-3 Administrative Domain with One Host
Communications with a host in an administrative domain occur through one of the following access modes:
Primary
In primary access mode, Oracle Secure Backup is installed on a host. The programming components of Oracle Secure Backup are running in the background as daemons. The daemons actively participate in managing backup and restore operations. Typically, an Oracle database resides on a host accessed through this mode.
Note:
In the Enterprise Manager GUI, primary access mode is referred to as native access mode. In the Oracle Secure Backup Web tool and the output of some obtool commands such as lshost, primary mode is referred to as OB access mode.
NDMP
An NDMP host is a storage appliance from third-party vendors such as Network Appliance, Mirapoint, or DinoStor. An NDMP host uses a vendor-specific implementation of the NDMP protocol to back up and restore file systems. Oracle Secure Backup software is not installed on an NDMP host, but is accessible to Oracle Secure Backup through NDMP.
In Example 1-1, the lshost command in obtool displays the hosts in an administrative domain. The command indicates the access mode of each host—NDMP or primary (ob)—in parentheses.
Example 1-1 Host Access Modes
ob> lshost
br_filer         client                            (via NDMP) in service
stadv07          admin,mediaserver,client          (via OB)   in service
As explained in "Oracle Secure Backup and NDMP", Oracle Secure Backup uses NDMP for data transfer among hosts regardless of whether a host is accessed through the primary or NDMP modes. For example, a Windows administrative server uses NDMP to exchange data with a NetApp filer and a Linux client.
See Also:
Oracle Secure Backup Reference to learn about the obtool host commands
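The following is an added example, not part of Oracle's guide: a small parser for lshost output in the layout of Example 1-1 that checks the role rules stated in this chapter and lists the hosts reached through NDMP. The function names are hypothetical, and the code assumes one host per line with the status text following the access mode.

```python
import re
from collections import Counter

# Constructed sample: the two hosts from Example 1-1, one per line.
SAMPLE = """\
ob> lshost
br_filer         client                            (via NDMP) in service
stadv07          admin,mediaserver,client          (via OB)   in service
"""

# host, comma-separated roles, access mode in parentheses, then the status text.
LINE = re.compile(
    r"^(?P<host>\S+)\s+(?P<roles>[\w,]+)\s+"
    r"\(via (?P<mode>NDMP|OB)\)\s+(?P<status>.+)$"
)

def parse_lshost(text):
    """Return one dict per host line; reject lines that do not fit the format."""
    hosts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("ob>"):   # skip blanks and the prompt echo
            continue
        m = LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognized lshost line: {raw!r}")
        hosts.append({
            "host": m["host"],
            "roles": set(m["roles"].split(",")),
            "mode": m["mode"],
            "status": m["status"],
        })
    return hosts

def audit_domain(hosts):
    """Check the role rules the chapter states for an administrative domain."""
    findings = []
    counts = Counter(role for h in hosts for role in h["roles"])
    if counts["admin"] != 1:
        findings.append(f"expected exactly one administrative server, found {counts['admin']}")
    if counts["mediaserver"] < 1:
        findings.append("no media server in the domain")
    if counts["client"] < 1:
        findings.append("no client in the domain")
    for h in hosts:
        # Oracle Secure Backup is not installed on NDMP hosts, so they cannot be the admin server.
        if h["mode"] == "NDMP" and "admin" in h["roles"]:
            findings.append(f"{h['host']}: NDMP host listed as administrative server")
    return findings

def ndmp_hosts(hosts):
    """Hosts reached through NDMP: their password and authentication method are
    set per host, so these are the entries to review."""
    return sorted(h["host"] for h in hosts if h["mode"] == "NDMP")

if __name__ == "__main__":
    domain = parse_lshost(SAMPLE)
    print(audit_domain(domain) or "role rules satisfied")
    print("NDMP hosts to review:", ndmp_hosts(domain))
```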
Oracle Secure Backup organizes information about the administrative domain as a hierarchy of files in the Oracle Secure Backup home on the administrative server. The Oracle Secure Backup home is the directory in which Oracle Secure Backup is installed.
Figure 1-4 shows the directory structure of an Oracle Secure Backup home. This directory structure is the same for all platforms, but the default home is /usr/local/oracle/backup for UNIX and Linux and C:\Program Files\Oracle\Backup for Windows.
Figure 1-4 Directories on the Administrative Server
The administrative data includes configuration data about domain-wide entities such as classes, devices, media families, and so on. As shown in Figure 1-4, config contains several subdirectories, each of which represents an object that Oracle Secure Backup maintains. In each object directory, Oracle Secure Backup maintains files describing the characteristics of the corresponding object.
The Oracle Secure Backup catalog contains backup-related information. The admin/history/host directory contains subdirectories named after the hosts in the administrative domain; each of these subdirectories contains a file in which the catalog data is stored. Oracle Secure Backup also maintains backup sections, backup pieces, and volumes catalogs in the admin/state/general subdirectory.
The Web tool and obtool are the interfaces by which you access catalogs and configuration data. Only in exceptional circumstances do you access the administrative data directly on the file system.
See Also:
Oracle Secure Backup Installation Guide to learn more about the files and directories in the Oracle Secure Backup home
This section explains the concept of an Oracle Secure Backup user, which is a domain-wide identity. A class is a named collection of rights assigned to this user.
Oracle Secure Backup stores information pertaining to Oracle Secure Backup users and rights on the administrative server, enabling Oracle Secure Backup to maintain a consistent user identity across the administrative domain.
Each user of an Oracle Secure Backup domain has an account and an encrypted password stored on the administrative server. An operating system user can enter the Oracle Secure Backup username and password in the Web tool or obtool. The client program sends the password over an encrypted SSL connection to the administrative server for authentication.
The namespace for Oracle Secure Backup users is distinct from the namespaces of existing UNIX, Linux, and Windows users. Thus, if you log in to a host in the administrative domain as operating system user muthu, and if an Oracle Secure Backup user in the domain is named muthu, these accounts are separately managed even though the name is the same. For convenience, you may want to create an Oracle Secure Backup user with the same name and password as an operating system user.
When you create an Oracle Secure Backup user, you can associate it with UNIX and Windows accounts. These accounts are used for unprivileged backup, that is, backups that do not run with root privileges. In contrast, privileged backup and restore operations run on a client with root (UNIX) or Local System (Windows) permissions.
Assume you create the Oracle Secure Backup user jdoe and associate it with UNIX account x_usr and Windows account w_usr. When jdoe uses the backup --unprivileged command to back up a client in the domain, the jobs run under the operating system accounts associated with jdoe. Thus, jdoe can only back up files on a UNIX client accessible to x_usr and files on a Windows client accessible to w_usr.
If you have the modify administrative domain's configuration right, then you can configure the preauthorization attribute of an Oracle Secure Backup user. You can preauthorize operating system users to make RMAN backups or log in to Oracle Secure Backup command-line utilities. For example, you can preauthorize the x_usr UNIX user to log in to obtool as Oracle Secure Backup user jdoe.
You can configure user access to NDMP hosts when setting up an Oracle Secure Backup user account. Passwords for NDMP hosts are associated with the host instead of the user. You can configure the host to use the default NDMP password, a user-defined text password, or a null password. You can also configure a password authentication method such as text or MD5-encrypted.
See Also:
"Adding a Host" to learn how to add an NDMP host to an administrative domain
An Oracle Secure Backup class defines a set of rights granted to an Oracle Secure Backup user. A class is similar to a UNIX group, but it defines a finer granularity of access rights tailored to the needs of Oracle Secure Backup. As shown in Figure 1-5, you can assign multiple users to a class, each of whom is a member of only one class.
The following classes are key to understanding Oracle Secure Backup user rights:
admin
This class is used for overall administration of a domain. The admin class has all the rights needed to modify domain configurations and perform backup and restore operations.
operator
This class is used for standard day-to-day operations. The operator class lacks configuration rights but has all the rights needed for backup and restore operations. It also allows the user to query the state of all primary and secondary storage devices and to control the state of these devices.
oracle
This class, which is similar to the operator class, has rights enabling users to modify Oracle database configuration settings as well as to perform Oracle database backups. Typically, class members are Oracle Secure Backup users that are mapped to operating system accounts of Oracle database installations.
user
This class is assigned to specific users and gives them permission to interact in a limited way with their domains. This class is reserved for users who need to browse their own data within the Oracle Secure Backup catalog and perform user-based restore operations.
reader
This class enables Oracle Secure Backup users to browse the catalog. Readers are only permitted to modify the given name and password for their Oracle Secure Backup user accounts.
See Also:
"Configuring Classes" for a detailed description of the rights available to each class
Oracle Secure Backup Reference to learn about the obtool user and class commands
Oracle Secure Backup Reference to learn about the rights in the default classes