Deploying Oracle Secure Backup on Oracle MiniCluster

Version 2

    by Dean Halbeisen

     

    This article is intended to be a high-level how-to guide on how to deploy Oracle Secure Backup on Oracle MiniCluster S7-2. Following these steps, it takes only a few minutes to deploy and configure Oracle Secure Backup on Oracle MiniCluster systems.

     

    Table of Contents

    Introduction

     

    This article starts at the point where the Oracle MiniCluster initial installation and application installation have been completed or nearly completed. The following steps must be completed before the Oracle Secure Backup deployment process on Oracle MiniCluster can begin:

     

    • Oracle MiniCluster must be installed and configured.
    • Oracle Secure Backup must be installed on the tape management systems with the administrative server role and configured with disk pools and/or tape storage.
    • Oracle Enterprise Manager 13c host agents must be installed on each virtual machine (VM) on Oracle MiniCluster.

     

    The example deployment procedure presented in this article uses an environment that is configured as shown in Figure 1. Oracle's SPARC S7-2L servers are used as tape management systems and a StorageTek modular tape library from Oracle is used for tape storage.

     

    f1.png

    Figure 1. Example deployment of Oracle Secure Backup on Oracle MiniCluster.

     

    Planning for Deployment

     

    Similar to other backup and recovery software, Oracle Secure Backup does not require any special procedures for deployment. However, it is important that you understand the licensing policies and where to find the support matrix that lists compatible hardware and software.

     

    If you plan to use disk or tape for backup, make sure you understand the Oracle Secure Backup licensing policies before installing and configuring the Oracle Secure Backup software. Backup configuration choices can affect the licensing cost of the deployment. For more information on Oracle Secure Backup licensing, see the Oracle Secure Backup Licensing Information User Manual.

     

    The backup and recovery software run on Oracle MiniCluster must support Oracle Solaris 11 or higher. Make sure the version of Oracle Secure Backup you would like to install supports Oracle Solaris 11 or higher. A support matrix for Oracle Secure Backup 12.1 is available at oracle.com/technetwork/database/availability/osb-12-1-platforms-2420299.pdf. This document lists supported platforms, operating systems, NAS devices, and browsers.

     

    A tape drive and library compatibility matrix for Oracle Secure Backup 12.1 is available at oracle.com/technetwork/database/availability/osb-12-1-tape-matrix-2420301.pdf.

     

    For additional information and qualification details for Oracle Secure Backup, refer to Certifications at My Oracle Support.

     

    Downloading the Oracle Secure Backup Software

     

    Oracle Secure Backup is shipped in a single zip file per platform format, like many other software packages from Oracle. Download the latest version for Oracle Solaris for the SPARC (64-bit) platform from the Oracle Secure Backup Downloads web page (shown in Figure 2).

     

    f2.png

    Figure 2. Oracle Secure Backup Downloads web page.

     

    Oracle Secure Backup domains can consist of any mixture of supported platforms and operating systems, so you can have any mixture of host types in a domain. Always check My Oracle Support for the latest patches and updates for Oracle Secure Backup.

     

    Installation Prerequisites on Oracle MiniCluster

     

    No additional packages or patches are required to prepare Oracle MiniCluster to run Oracle Secure Backup. The software that ships preinstalled on Oracle MiniCluster and software installed after the initial installation of Oracle MiniCluster will generally support the latest version of Oracle Secure Backup.

     

    Security and network settings must be updated in each VM to make sure that the backup and recovery software can be run in secure environments. To enable the correct operation of backup and recovery software, you must map network services and create firewall rules that enable the software to get through the built-in firewall on all VMs in an Oracle MiniCluster system.

     

    The following three steps, which are explained in subsequent sections, must be run on each VM on the system:

     

    1. Add services configurations to the /etc/services file.
    2. Add firewall rules to the /etc/ipf/ipf.conf file.
    3. Restart the firewall.

     

    Patching Oracle MiniCluster

     

    Ideally, your Oracle MiniCluster will have been updated to the latest software levels, but this is not required. All supported versions of Oracle Secure Backup are supported on Oracle MiniCluster. Oracle Secure Backup can be installed and updated during patch cycles on Oracle MiniCluster, and it is recommended to make backups before and after applying patches on the Oracle MiniCluster VMs.

     

    Although Oracle Secure Backup is included with Oracle Database, it is not patched when Oracle MiniCluster is patched and must be maintained separately. Current patch information can be displayed using the Oracle MiniCluster management utility (see Figure 3).

     

    f3.png

    Figure 3. Example patch and update information for Oracle MiniCluster.

     

    Configuring Services for Backup and Recovery

     

    On each VM on Oracle MiniCluster, add or verify the network port configurations for Oracle Secure Backup in the /etc/services file. Depending on the code level running on the Oracle MiniCluster system, you might not need to add additional entries to these files, because the installation will set up network services for Oracle Secure Backup. Make sure to use similar settings on all servers running Oracle Secure Backup, even if these settings are not required on other systems in the backup domain.

     

    The Network Data Management Protocol (NDMP) service is required in all environments, even if your Oracle MiniCluster VMs will not act as media servers. In Oracle Secure Backup, NDMP is used to transfer data back to the media servers. The ob-daemon-low and ob-daemon-high settings specify a range of ports used for each job run on Oracle MiniCluster clients. The number of ports required is five times the number of concurrent jobs run on each VM. For example, if you want to run 20 backup jobs at the same time on the same VM, you would need 100 ports configured, as seen in the following example /etc/services file. This example file shows the entries that were added to enable Oracle Secure Backup and Oracle Enterprise Manager to run on an Oracle MiniCluster VM.

     

    ##OOS4BUR
    oms             3872/tc     # OMS - EM13C
    osb-sd          400/tc      # Oracle Secure Backup 
    ndmp            10000/tcp   # OSB Data Movement
    ob-daemon-low   28000/tcp   # OSB daemon port range start
    ob-daemon-high  28100/tcp   # OSB daemon port range stop

     

    Configuring the Firewall for Backup and Recovery

     

    In each VM, add or verify the ipfilter firewall rules for Oracle Secure Backup in the /etc/ipf/ipf.conf file. Depending on the code level running on the Oracle MiniCluster system, you might not need to add additional entries to these files, because the installation will set up firewall rules for Oracle Secure Backup. Make sure to use similar settings on all servers running Oracle Secure Backup, even if these settings are not required on other systems in the backup domain. The NDMP service is required in all environments, even if your Oracle MiniCluster VMs will not act as media servers. In Oracle Secure Backup, NDMP is used to transfer data back to the media servers.

     

    ##OOS4BUR
    pass in quick on ipmppub0 proto tcp from any port = 3872 to any keep state
    pass out quick on ipmppub0 proto tcp from any to any port = 3872 keep state
    pass in quick on ipmppub0 proto tcp from any port = 400 to any keep state
    pass out quick on ipmppub0 proto tcp from any to any port = 400 keep state
    pass in quick on ipmppub0 proto tcp from any port = 10000 to any keep state
    pass out quick on ipmppub0 proto tcp from any to any port = 10000 keep state
    pass in quick on ipmppub0 proto tcp from any port 28000 <> 28100 to any 
        keep state
    pass out quick on ipmppub0 proto tcp from any to any port 28000 <> 28100 
        keep state

     

    After adding or verifying the firewall rules in each VM, restart the firewall with the following command. Note that your session could be terminated when the firewall bounces.

     

    # svcadm restart svc:/network/ipfilter:default

     

    Installing the Oracle Secure Backup Software

     

    To start the software installation, unzip the file you downloaded to a location on the shared storage built into the Oracle MiniCluster system.

     

    The Oracle Secure Backup client should be installed on every VM on the Oracle MiniCluster system. It is not recommended to install the Oracle Secure Backup administrative server role on Oracle MiniCluster, because it is best practice for the administrative server role be installed on a standalone machine. During the installation, you can install only the client role. If you would like to use a disk pool on an NFS share, the media server role can be added after installation.

     

    In the following example, a new directory was created on the /sharedstore mount point to enable all hosts to access it. The Oracle Secure Backup installation must be run as root from the home directory of Oracle Secure Backup (/usr/local/oracle/backup) on each VM. First, change to the Oracle Secure Backup home directory, and then start the installation from the shared directory on the internal shared storage. If you have not set up the shared storage for the VMs, you can do the installation from the local storage or any other shared storage on your network. The following example shows the installation of a single VM:

     

    root@oos-dbg1-vm1-mc14-n2:~# mkdir -p /usr/local/oracle/backup
    root@oos-dbg1-vm1-mc14-n2:~# cd /usr/local/oracle/backup
    root@oos-dbg1-vm1-mc14-n2:/usr/local/oracle/backup# /sharedstore/OSB12.1.2/osb_12.1.0.2.1_solaris.sparc64_release/setup
     
    Welcome to Oracle's setup program for Oracle Secure Backup.  This
    program loads Oracle Secure Backup software to a filesystem directory
    of your choosing.
    This installation contains Oracle Secure Backup version 12.1.0.2.1.
    Please wait a moment while I learn about this host... done.
    -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -
        1. solaris64 (SPARC)
           administrative server, media server, client
    -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -
    Loading Oracle Secure Backup installation tools... done.
    Loading solaris64 administrative server, media server, client... done.
    -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -
    Loading of Oracle Secure Backup software is complete.
    Choose from one of the following options. The option you choose defines
    the software components to be installed.
    Configuration of this host is required after installation is complete.
    You can install the software on this host in one of the following ways:
        (a) administrative server and client
        (b) client
    If you are not sure which option to choose, please refer to the Oracle
    Secure Backup Installation Guide. (a or b) [a]? : b
    Do you want to change any advanced settings? (y or n) [n]: 
    Oracle Secure Backup was installed
    root@oos-dbg1-vm1-mc14-n2:/usr/local/oracle/backup# 

     

    Configuring Backups with the Oracle Secure Backup GUI

     

    After you've installed the software, you can access to GUI by navigating to the following URL. Then log in and begin the configuration for the Oracle MiniCluster VMs (see Figure 4).

     

    https://Oracle-Secure-Backup-server-name

     

    f4.png

    Figure 4. Login screen for Oracle Secure Backup GUI.

     

    Enable Extended Command Output

    After logging in to the Oracle Secure Backup GUI, click the Preferences link located near the top right of the page (see Figure 5).

     

    To help with repetitive processes and to learn more about the command-line interface (CLI), it is recommended to enable the Extended command output option under Preferences. Enabling this option will display the command-line commands used to process each screen in the GUI, and this can be a great way to learn the CLI commands for repetitive processes, such as adding hosts.

     

    f5.png

    Figure 5. Setting extended command output option in Oracle Secure Backup preferences.

     

    Enable Compression for the Domain

     

    If you are using encryption, you will likely need to use compression as well. You can enable compression on many levels. In the following example, adding a -Z to the backup options enables compression at a global level (see Figure 6). Setting up compression globally can cause performance issues on hosts where CPU resources are limited, though it is also a great way to make sure you compress all backups before encrypting them.

     

    f6.png

    Figure 6. Setting compression at a global level.

     

    To enable compression at a global level, do the following:

     

    1. Near the top of any page in the Oracle Secure Backup GUI, click Configure > Defaults And Policies > Operations.
    2. In the Backup options field, enter -Z.
    3. Click the Apply button.

     

    Enable Encryption for the Domain

     

    Using encryption is key to maintaining secured data and staying in compliance with regulatory obligations. Encryption is not required, but it is highly recommended. If you are enabling encryption at the Oracle Secure Backup level, this configuration will use software encryption that uses more CPU resources—but it is the only way to protect in-flight data. If compression is not enabled and encryption is enabled, you will be storing your backups uncompressed and nothing can compress them.

     

    To enable encryption at the global level, click Configure > Defaults And Policies > Backupencryption in the Oracle Secure Backup GUI (see Figure 7). Select the desired encryption options and then click Apply. This example turns on software encryption at the domain level with the options shown in Figure 7.

     

    f7.png

    Figure 7. Setting encryption at a global level.

     

    Adding Backup Clients

     

    Each VM on the Oracle MiniCluster system needs to be configured as an Oracle Secure Backup client. The media server role is not required, but it can be used if you're using disk pools on NFS shares.

     

    To add hosts, click Configure > Hosts > Add in the Oracle Secure Backup GUI (see Figure 8).

     

    f8.png

    Figure 8. Adding hosts as Oracle Secure Backup clients.

     

    Adding hosts is a repetitive process in the GUI, so it can be a huge time saver to use the CLI. Below is an example of the commands used to configure an Oracle MiniCluster with two admin VMs, two application VMs, and two database VMs using the same settings shown in the GUI settings in Figure 8.

     

    obtool mkhost --access 'ob' --ip 'mc14-n1.us.oracle.com' --'inservice' -
    certkeysize '1024' --algorithm 'aes256' --encryption 'required' --keytype 
    'transparent' --disablerds 'yes' --tcpipbufsize '4096' --rekeyfreq '1week' -
    roles 'client','mediaserver' 'mc14-n1'
    obtool mkhost --access 'ob' --ip 'mc14-n2.us.oracle.com' --'inservice' -
    certkeysize '1024' --algorithm 'aes256' --encryption 'required' --keytype 
    'transparent' --disablerds 'yes' --tcpipbufsize '4096' --rekeyfreq '1week' -
    roles 'client','mediaserver' 'mc14-n2'
    obtool mkhost --access 'ob' --ip 'apps-vm1-mc14-n1.us.oracle.com' --'inservice' 
    --certkeysize '1024' --algorithm 'aes256' --encryption 'required' --keytype 
    'transparent' --disablerds 'yes' --tcpipbufsize '4096' --rekeyfreq '1week' -
    roles 'client','mediaserver' 'apps-vm1-mc14-n1'
    obtool mkhost --access 'ob' --ip 'apps-vm1-mc14-n2.us.oracle.com' --'inservice' 
    --certkeysize '1024' --algorithm 'aes256' --encryption 'required' --keytype 
    'transparent' --disablerds 'yes' --tcpipbufsize '4096' --rekeyfreq '1week' -
    roles 'client','mediaserver' 'apps-vm1-mc14-n2'
    obtool mkhost --access 'ob' --ip 'oos-dbg1-vm1-mc14-n1.us.oracle.com' -
    'inservice' --certkeysize '1024' --algorithm 'aes256' --encryption 'required' -
    -keytype 'transparent' --disablerds 'yes' --tcpipbufsize '4096' --rekeyfreq
    '1week' --roles 'client','mediaserver' 'oos-dbg1-vm1-mc14-n1'
    obtool mkhost --access 'ob' --ip 'oos-dbg1-vm1-mc14-n2.us.oracle.com' -
    'inservice' --certkeysize '1024' --algorithm 'aes256' --encryption 'required' -
    -keytype 'transparent' --disablerds 'yes' --tcpipbufsize '4096' --rekeyfreq 
    '1week' --roles 'client','mediaserver' 'oos-dbg1-vm1-mc14-n2'
    obtool mkhost --access 'ob' --ip 'oos-dbg1-vm2-mc14-n1.us.oracle.com' -
    'inservice' --certkeysize '1024' --algorithm 'aes256' --encryption 'required' -
    -keytype 'transparent' --disablerds 'yes' --tcpipbufsize '4096' --rekeyfreq 
    '1week' --roles 'client','mediaserver' 'oos-dbg1-vm2-mc14-n1'
    obtool mkhost --access 'ob' --ip 'oos-dbg1-vm2-mc14-n2.us.oracle.com' -
    'inservice' --certkeysize '1024' --algorithm 'aes256' --encryption 'required' -
    -keytype 'transparent' --disablerds 'yes' --tcpipbufsize '4096' --rekeyfreq 
    '1week' --roles 'client','mediaserver' 'oos-dbg1-vm2-mc14-n2'

     

    Creating Datasets for OS File Systems

     

    Each VM type on Oracle MiniCluster has slightly different backup and recovery requirements for the file systems configured inside the VM. The following example datasets will back up most Oracle MiniCluster configurations. Keep testing the datasets until you verify that all file systems are covered and there are no errors or warnings. You can use a dataset per VM or back up multiple VMs in a single dataset, as shown in the following example.

     

    To create datasets using the Oracle Secure Backup GUI, click Backup > Datasets > Add (located near the top of any page).

     

    f9.png

    Figure 9. Creating datasets using the Oracle Secure Backup GUI.

     

    The following examples list datasets for admin VMs, application VMs, and database VMs.

     

    Admin VMs:

     

    include host mc14-n2
    include host mc14-n1
    include catalog 
    exclude oracle database files
    include path / { 
        exclude path /dev 
        exclude path /devices
        exclude path /net
        exclude path /nfs4
        exclude path /tmp
        exclude path /etc/dev
        exclude path /etc/sysevent
        exclude path /proc
        exclude path /system
        exclude name core 
        exclude name .zfs
        exclude name mcpool        
        exclude name *~ 
        }
    include path /commonfs {
         exclude name core
         exclude name .zfs
         exclude name *~
         }
    include path /etc/dfs/sharetab {
         exclude name core
         exclude name .zfs
         exclude name *~
         }
    include path /etc/mnttab {
         exclude name core
         exclude name .zfs
         exclude name *~
         }
    include path /export/home {
         exclude name core
         exclude name .zfs
         exclude name *~
         }
    include path /export/home/userid {
         exclude name core
         exclude name .zfs
         exclude name *~
         }
    include path /home {
         exclude name core
         exclude name .zfs
         exclude name *~
         }
    include path /repo {
         exclude name core
         exclude name .zfs
         exclude name *~
         }
    include path /var {
         exclude name core
         exclude name .zfs
         exclude name *~
         } 

     

    Application VMs:

     

    include host app-g1-vm1-mc14-n1
    include host app-g1-vm1-mc14-n2
    include host app-g2-vm1-mc14-n1
    include host app-g2-vm1-mc14-n2
    include catalog 
    exclude oracle database files
    include path / { 
        exclude path /dev 
        exclude path /devices
        exclude path /net
        exclude path /nfs4
        exclude path /tmp
        exclude path /etc/dev
        exclude path /etc/sysevent
        exclude path /proc
        exclude path /system
        exclude name core 
        exclude name .zfs
        exclude name *~ 
        }
    include path /etc/dfs/sharetab {
         exclude name core
         exclude name .zfs
         exclude name *~
         }
    include path /etc/mnttab {
         exclude name core
         exclude name .zfs
         exclude name *~
         }
    include path /export {
         exclude name core
         exclude name .zfs
         exclude name *~
         }
    include path /export/home {
         exclude name core
         exclude name .zfs
         exclude name *~
         }
    include path /home {
         exclude name core
         exclude name .zfs
         exclude name *~
         }
    include path /sharedstore {
         exclude name core
         exclude name .zfs
         exclude name *~
         } 
    include path /var {
         exclude name core
         exclude name .zfs
         exclude name *~
         } 
    include path /u01 {
         exclude name core
         exclude name .zfs
         exclude name *~
         } 

     

    Database VMs:

     

    include host oos-dbg1-vm1-mc14-n1
    include host oos-dbg1-vm1-mc14-n2
    include catalog 
    exclude oracle database files
    include path / { 
        exclude path /dev 
        exclude path /devices
        exclude path /net
        exclude path /nfs4
        exclude path /tmp
        exclude path /etc/dev
        exclude path /etc/sysevent
        exclude path /proc
        exclude path /system
        exclude name core 
        exclude name .zfs
        exclude name *~ 
        }
    include path /etc/dfs/sharetab {
         exclude name core
         exclude name .zfs
         exclude name *~
         }
    include path /etc/mnttab {
         exclude name core
         exclude name .zfs
         exclude name *~
         }
    include path /export {
         exclude name core
         exclude name .zfs
         exclude name *~
         }
    include path /export/home {
         exclude name core
         exclude name .zfs
         exclude name *~
         }
    include path /home {
         exclude name core
         exclude name .zfs
         exclude name *~
         }
    include path /sharedstore {
         exclude name core
         exclude name .zfs
         exclude name *~
         } 
    include path /var {
         exclude name core
         exclude name .zfs
         exclude name *~
         } 
    include path /u01 {
         exclude name core
         exclude name .zfs
         exclude name *~
         } 

     

    Creating Datasets for the /sharedstore File System

     

    Backups of directories on the /sharedstore file system need to be performed by the host that reads data from or writes data to that share or directory. In Oracle Clusterware configurations, either cluster node that reads or writes on a specific share on the shared storage can perform the backups. In the example below, each VM has its own shared directory on the /sharedstore share. Just as with host datasets, make sure the dataset runs a backup without any errors or warning messages.

     

    f10.png

    Figure 10. Example dataset configuration where each VM has its own shared directory.

     

    Create a Schedule for Full Backups

     

    Scheduling backups for Oracle MiniCluster is the same as scheduling backups for any other Oracle Secure Backup client; there is nothing specific about Oracle MiniCluster that requires a different approach.

     

    1. To start creating schedules using the Oracle Secure Backup GUI, click Backup > Schedules > Add (located near the top of any page).
    2. A list of datasets is displayed (see Figure 11). Select the datasets that you want to configure the schedule for. Once you have selected the datasets, click the Triggers button.

      f11.png

      Figure 11. List of all datasets.

       

    3. A trigger screen is displayed (see Figure 12). Select the options you want and then click the Apply button. This example configures a weekly full backup that is performed each Saturday and that will be kept for two weeks.

      f12.png

      Figure 12. Configuration to schedule a weekly full backup for one or more datasets.

       

     

    Create a Schedule for Incremental Backups

     

    Creating a schedule for incremental backups is done in the same manner as for creating full backups.

     

    1. Using the Oracle Secure Backup GUI, click Backup > Schedules > Add (located near the top of any page).
    2. A list of datasets is displayed (see Figure 13). Select the datasets that you want to configure the schedule for. Once you have selected the datasets, click the Triggers button.

      f13.png

      Figure 13. List of all datasets.

       

    3. A trigger screen is displayed (see Figure 14). Select the options you want and then click the Apply button. This example schedules a daily incremental backup that is run each day except Saturday and that will be kept for two weeks.

      f14.png

      Figure 14. Configuration to schedule a daily incremental backup for one or more datasets.

     

    Wrapping Up the Installation

     

    To complete the deployment of Oracle Secure Backup on Oracle MiniCluster, you might have other administrative procedures to apply to the backup and recovery processing. For example, you might want to consider the following when creating backups using Oracle Secure Backup:

     

    • Keep testing datasets until you are backing up the data you want without errors. Examples shown in this article will likely work on most Oracle MiniCluster systems, but testing your deployment is required.
    • Set up any duplication processing required to meet your needs:

      - Use CPINSTANCE commands in scripts to migrate data from disk to tape.

      - Use normal duplication jobs to copy tapes.

    • Set up offsite storage processing. Use normal tape vaulting jobs to manage off-site storage of encrypted backup media.

     

    See Also

     

    For more information, please see the following resources:

     

     

    About the Author

     

    Dean Halbeisen is a solutions manager at Oracle. He has over 20 years of IT experience and is an expert in enterprise computing solutions, most recently applying these practices to next-generation data center solutions, integrated systems, and Oracle engineered systems. In his current role, he is responsible for solution architecture and development around Oracle Optimized Solutions, including communicating about Oracle's systems, solutions, technology strategies, and roadmaps to customers, partners, and internal stakeholders.