Oracle Secure Backup, Part 2: A Sample Implementation

April 24, 2007

Synopsis. With Oracle Secure Backup, Oracle now offers the capability to insure that all Recovery Manager (RMAN) backups are created and maintained in a secure fashion, all without the need for a potentially expensive and cumbersome media management layer (MML). This article – the second in this series – simulates the creation and administration of an Oracle Secured Backup environment to demonstrate how it can be used effectively in concert with existing RMAN backup and recovery scripts.

I provided a management-level discussion of the features of Oracle Secure Backup (OSB) in the previous article in this series. In this article, I’ll demonstrate how to set up an OSB environment, the construction of virtual tape libraries and tape devices to test the OSB environment, and how to utilize an OSB tape device as a target for Oracle 10gR2 Recovery Manager (RMAN) database backup operations.

Demonstration Prerequisites

To create a simulated Linux environment for this Oracle Secure Backup demonstration, I’ve installed VMWare Server on a Microsoft Windows XP environment host. I’ve also installed a CentOS 4.2 guest virtual machine to create a simulated Red Hat Enterprise Linux 4.0 environment. I’ve named this new virtual server 10gBUR (10g Backup and Recovery).

Once the Linux OS was successfully installed, I created a new Oracle 10gR2 database home using Oracle software. I then created a new Oracle 10gR2 database using the General Purpose template, making sure to create the Oracle sample schemas during the database’s creation. This yielded me a sufficient robust target for experimenting with OSB backup operations.

Setting Up Oracle Secure Backup

To obtain the most recent release of the Oracle Secure Backup software, I downloaded the OSB source files directly from the OTN website, and I then uncompressed the OSB software to a staging directory that’s accessible on my target server.

I’ve also created the default OSB directory, /usr/local/oracle/backup, on my target server. Oracle strongly recommends creating this directory ahead of time, as it greatly simplifies the initial OSB configuration. Once this directory was created, I logged in as the root user, changed my terminal session’s focus to that directory with the cd command, and initiated the installation of OSB by executing the setup shell script that’s located in the OSB staging directory:

#> mkdir /usr/local/oracle/backup
#> cd /usr/local/oracle/backup
#> /stage/osb/setup
Welcome to Oracle's setup program for Oracle Secure Backup.  This
program loads Oracle Secure Backup software from the CD-ROM to a
filesystem directory of your choosing.
This CD-ROM contains Oracle Secure Backup version
Please wait a moment while I learn about this host... done.
-  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -
You may load any of the following Oracle Secure Backup packages:
    1. linux32 (RHEL 3, RHEL 4, SuSE 9)
       administrative server, media server, client
Enter a space-separated list of packages you'd like to load.  To load all
packages, enter 'all' [1]: all
-  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -
Loading Oracle Secure Backup installation tools... done.
Using your previous obparameters file.  The new file shipped with this
    distribution of Oracle Secure Backup is called install/
Loading linux32 administrative server, media server, client... done.
-  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -
Loading of Oracle Secure Backup software from CD-ROM is complete.
You may unmount and remove the CD-ROM.
Would you like to continue Oracle Secure Backup installation with
'installob' now?  (The Oracle Secure Backup Installation Guide
contains complete information about installob.)
Please answer 'yes' or 'no' [yes]: yes
-  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -
Welcome to installob, Oracle Secure Backup's UNIX installation program.
It installs Oracle Secure Backup onto one or more UNIX or Linux systems
on your network.  (Install Oracle Secure Backup for Windows using the
CD-ROM from which you loaded this software.)
For most questions, a default answer appears enclosed in square brackets.
Press Enter to select this answer.
Please wait a few seconds while I learn about this machine... done.
Have you already reviewed and customized install/obparameters for your
Oracle Secure Backup installation [yes]? yes
-  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -
You can choose to install Oracle Secure Backup in one of two ways:
    (a) interactively, by answering questions asked by this program, or
    (b) in batch mode, by preparing a network description file
Use interactive mode to install Oracle Secure Backup on a small number
of hosts.  Use batch mode to install Oracle Secure Backup on any number
of hosts.
Which installation method would you like to use (a or b) [a]? a
-  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -
Oracle Secure Backup is not yet installed on this machine.
Oracle Secure Backup's Web server has been loaded, but is not yet configured.
You can install this host one of three ways:
    (a) administrative server
        (the host will also be able to act as a media server or client)
    (b) media server
        (the host will also be able to act as a client)
    (c) client
If you are not sure which way to install, please refer to the Oracle
Secure Backup Installation Guide. (a,b or c) [a]? a
Beginning the installation.  This will take just a minute and will produce
several lines of informational output.
Installing Oracle Secure Backup on 10gBUR (Linux version 2.6.9-34.EL)
You must now enter a password for the Oracle Secure Backup 'admin' user.
Oracle suggests you choose a password of at least 8 characters in length,
containing a mixture of alphabetic and numeric characters.
Please enter the admin password: ******
Re-type password for verification: ******
    generating links for admin installation with Web server
    updating /etc/
    checking Oracle Secure Backup's configuration file (/etc/obconfig)
    setting Oracle Secure Backup directory to /usr/local/oracle/backup in /etc/obconfig
    setting local database directory to /usr/etc/ob in /etc/obconfig
    setting temp directory to /usr/tmp in /etc/obconfig
    setting administrative directory to /usr/local/oracle/backup/admin in /etc/obconfig
    protecting the Oracle Secure Backup directory
    removing /etc/rc.d/init.d/qrserviced
    creating /etc/rc.d/init.d/observiced
    activating observiced via chkconfig
    initializing the administrative domain
Is 10gBUR connected to any tape libraries that you'd like to use with
Oracle Secure Backup [no]? no
Is 10gBUR connected to any tape drives that you'd like to use with
Oracle Secure Backup [no]? no
-  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -
Would you like to install Oracle Secure Backup on any other machine [yes]? no
Installation summary:
    Installation  Host                OS          Driver        OS Move    Reboot
        Mode      Name                Name     Installed?  Required?  Required?
    admin         10gBUR            Linux         no                no              no
Oracle Secure Backup is now ready for your use.

Configuring OSB Media Server Devices

As you can see from the prompts and answers I provided during the execution of the setup script, I’ve now successfully configured an OSB administrative server, media server and client on the same server. My next task is to configure the appropriate OSB media server devices to provide targets for backup operations.

Fortunately, I don’t need to purchase one of the supported (but generally extremely expensive!) backup appliances or tape drives to simulate OSB’s capabilities; on the contrary, I can create virtual tape devices using the obtool OSB command set. To demonstrate, I’ll create one virtual tape library with a single virtual tape drive device within that library, and configure both of them for use with Oracle backup operations.

Creating a virtual tape library. To define a virtual tape library, I’ll use obtool’s mkdev command set:

#> obtool --user admin --password oracle < /home/oracle/mklib.obp

And here’s the contents of mklib.obp:

mkdev -t library -o -S 4 -a 10gBUR:/vlib -v vlib

To break down this command and its corresponding parameter file’s syntax:

  • --user and --password: The device is created for the OSB admin user with the appropriate password. Note that the admin account is specific to OSB – it is not the same as a user account that might exist in a corresponding Oracle database.
  • -t library: Signifies that a tape library is being created.
  • -o: Tells OSB that this tape library is immediately available for use.
  • -S: Instructs OSB to create a specific number of slots for this virtual tape library.
  • -a: Constructs the path (also known as the attachment specification, or attachspec) to the tape library attachment(s) for OSB.
  • -v: Specifies the verbose option so that detailed information about the OSB media library’s creation is written to stdout.
  • vlib: The label that’s assigned to this virtual tape library.

Creating a virtual tape drive. Next, I’ll create a virtual tape drive within the virtual tape library just defined. Once again I’ll use obtool’s mkdev command, but this time with slightly different parameters:

#> obtool --user admin --password oracle < /home/oracle/mktapedev.obp

And here’s the contents of mktapedev.obp:

mkdev -t tape -o -a 10gBUR:/vt -v -l vlib -d 1 vt

To break down this parameter file’s syntax:

  • -t tape: Specifies that a tape device is being created.
  • -o: Tells OSB that this tape device is immediately available for use.
  • -a: Constructs the path to the tape device attachment.
  • -v: Specifies the verbose option so that detailed information about the OSB backup device’s creation is written to stdout.
  • -l vlib: The tape library that’s assigned to this tape device.
  • -d: The Data Transfer Element tag assigned to this virtual tape device within its virtual tape library. This tells OSB to configure just one tape.
  • vt: Finally, this is the label that’s assigned to this new virtual tape device.

One important point I learned while mastering these obtool directives that will save you a lot of grief: Be sure that the directories for the virtual tape library and devices don’t exist prior to issuing these commands! Otherwise, obtool will return some unexpected error messages and will simply fail to create the virtual tape library and virtual tape device.

Reviewing the OSB Configuration With OSB Web Interface

To confirm that OSB is ready for use, I’ll use the OSB web interface to review the configuration so far. Figure 2.1 shows the login screen that appears when I access the web interface. Once I’ve logged into the OSB web tool, I can view the status of Oracle Secure Backup devices, backup jobs, and other information, as shown in Figure 2.2.

To view the tape library and tape drive that I’ve already configured, I just click into the Configure tab as shown in Figure 2.3. I can also use the Manage tab of the OSB web tool to make modifications to the virtual tape library I’ve already created, as illustrated in Figure 2.4. Likewise, I can also modify the configuration of the virtual tape device as shown in Figure 2.5.

Configuring RMAN For Use With Oracle Secure Backup

Even though I’ve now successfully created a virtual OSB tape library and a virtual OSB tape drive, I still grant permissions to Oracle Recovery Manager (RMAN) so that it can interface directly with these OSB devices. To accomplish this, I’ll once again use the obtool command set to create a preauthorized OSB account for RMAN operations:

#> obtool --user admin --password oracle < /home/oracle/mkauthuser.obp

And here’s the contents of mkauthuser.obp:

mkuser -c oracle -p oracle -U oracle -G dba -N no -h *:*:*+rman+cmdline oracle

To break down this OSB parameter file:

  • -c: Specifies that the user should belong to the predefined oracle OSB account class.
  • -U and -G: Specifies the corresponding OS account name and OS group name for the OSB user.
  • -N no: Tells OSB that this user is not authorized to log into an NDMP server.
  • -h *:*:*+rman+cmdline: This parameter is crucial to the configuration of the user. The four sets of permissions defined here, separated by colons, permit the OSB account to perform backups (a) on any OSB host (b) owned by any OS user account (c) on any Windows domain. The rman token preauthorizes the OSB user to create RMAN backups over the standard RMAN SBT channel, while the cmdline token preauthorizes the OSB user to log into OSB.
  • oracle: Finally, this is the name of the OSB account that’s going to utilize OSB tools. Note that this is a separate account from the oracle user account on the operating system!

Using Enterprise Manager Database Control with Oracle Secure Backup

Almost done! Now that I’ve successfully configured a preauthorized OSB user account for RMAN access, I just need to make the connection between that OSB account and my Oracle database. The easiest way to do this is to use the Enterprise Manager Database Control (EMDBC) GUI interface to set up a link to the OSB administrative server.

Figure 2.6 shows what EMDBC displays when I select the Oracle Secure Backup Device and Media link on the Administration page for my database server, and Figure 2.7 shows how to provide the proper parameters to set up the link between the database server and OSB. And once the link between the database server and OSB is complete, I can also view the status of the OSB devices that are available for creating database backups via RMAN, as shown in Figure 2.8.

Creating RMAN Backups Through Oracle Secure Backup

The good news is that the hard work is done, and I can now back up my Oracle 10gR2 database directly to tape with a few simple RMAN commands. But – even better! - OSB also gives me the tools I need to back up my database’s Flash Recovery Area directly to tape as well.

Backing Up The Whole Database To An OSB Tape Device. To create a full backup of my existing Oracle database using an Oracle Secure Backup virtual tape as my target media, I simply invoke the following script within an RMAN session:


The directive DEVICE TYPE sbt instructs RMAN to look for a qualifying tape device as a target for the backup sets this command will create. Since I’ve already preauthorized the vt tape device in the OSB environment as a suitable target for RMAN backup and restoration operations, it is automatically used in this context.

Backing Up The Flash Recovery Area Directly To An OSB Tape Device. Best practices for Oracle 10g database backup and recovery now strongly recommend that sufficient disk space for a Flash Recovery Area (FRA) should be allocated as the primary target for all RMAN backup files. This is gaining wider acceptance as the cost of cheap near-line storage continues to fall in price dramatically.

However, it’s still also extremely important to back up all these recovery files to alternate media on a regular basis so that in case of disaster, a “cold metal” restoration operation is still possible. Fortunately, Oracle 10g also provides two simple RMAN commands to easily back up the contents of the Flash Recovery Area directly from disk to tape:

  • The BACKUP RECOVERY AREA; directive tells RMAN to back up all files in the Flash Recovery Area that haven’t yet been backed up to tape. This directive will search any current or previous Flash Recovery Area for qualifying files and initiate their copy to tape on the standard tape channel, SBT_TAPE.
  • Similarly, the BACKUP RECOVERY FILES; directive instructs RMAN to back up all files in either the current Flash Recovery Area or other non-FRA location that haven’t yet been backed up to tape, but are still required for point-in-time recovery based on the specified RMAN retention period. This directive also initiates an immediate copy of the required recovery files to tape media on the standard tape channel, SBT_TAPE.

To demonstrate, I first created a standard Oracle RMAN backup of my entire database to its current Flash Recovery Area, as shown in Listing 2.1. I then initiated a complete copy of these files from the Flash Recovery Area to the configured OSB tape media with the BACKUP RECOVERY AREA; directive, as shown in Listing 2.2.

Finally, to summarize what types of backups RMAN recognizes on both disk and on tape, I issued the LIST COPY; and LIST BACKUP; commands from within an RMAN command session. The resulting output is shown in Listing 2.3. Note that the backup sets that were created during my initial backup operation directly to tape are listed within backup sets 2, 3, and 4, while the result of copying the Flash Recovery Area to tape are listed within backup sets 5, 6, and 7.

Next Steps

In the next and final article in this series, I’ll demonstrate how to use this same Oracle Secure Backup (OSB) configuration to perform Oracle 10gR2 Recovery Manager (RMAN) restoration and recovery operations against previously-created RMAN backups stored within simulated OSB virtual libraries and tape devices. I’ll also wrap up my demonstration of OSB features by illustrating how it can be used for backing up and restoring sets of operating system files.

References and Additional Reading

Even though I’ve hopefully provided enough technical information in this article to encourage you to explore with these features, I also strongly suggest that you first review the corresponding detailed Oracle documentation before proceeding with any experiments. Actual implementation of these features should commence only after a crystal-clear understanding exists. Please note that I’ve drawn upon the following Oracle 10gR2 documentation for the deeper technical details of this article:

B14194-03 Oracle Backup and Recovery Reference

B14234-02 Oracle Secure Backup Administrator’s Guide

B14235-05 Oracle Secure Backup Installation Guide

B14236-02 Oracle Secure Backup Reference

B25049-01 Oracle Secure Backup Migration Guide

B32120-01 Oracle Secure Backup ReadMe


And don’t forget that the Oracle Technology Network (OTN) Oracle Secure Backup home page is an excellent source of valuable (and constantly updated!) information.

» See All Articles by Columnist Jim Czuprynski

The Network for Technology Professionals



Legal Notices, Licensing, Permissions, Privacy Policy.
Advertise | Newsletters | E-mail Offers