Forum Stats

  • 3,728,711 Users
  • 2,245,678 Discussions
  • 7,853,708 Comments

Discussions

Deploying Oracle Secure Backup on Oracle MiniCluster

steph-choyer-Oracle
steph-choyer-Oracle Member Posts: 101
edited August 2017 in Optimized Solutions

by Dean Halbeisen

This article is intended to be a high-level how-to guide on how to deploy Oracle Secure Backup on Oracle MiniCluster S7-2. Following these steps, it takes only a few minutes to deploy and configure Oracle Secure Backup on Oracle MiniCluster systems.

Table of Contents

image

Introduction

This article starts at the point where the Oracle MiniCluster initial installation and application installation have been completed or nearly completed. The following steps must be completed before the Oracle Secure Backup deployment process on Oracle MiniCluster can begin:

  • Oracle MiniCluster must be installed and configured.
  • Oracle Secure Backup must be installed on the tape management systems with the administrative server role and configured with disk pools and/or tape storage.
  • Oracle Enterprise Manager 13c host agents must be installed on each virtual machine (VM) on Oracle MiniCluster.

The example deployment procedure presented in this article uses an environment that is configured as shown in Figure 1. Oracle's SPARC S7-2L servers are used as tape management systems and a StorageTek modular tape library from Oracle is used for tape storage.

f1.png

Figure 1. Example deployment of Oracle Secure Backup on Oracle MiniCluster.

Planning for Deployment

Similar to other backup and recovery software, Oracle Secure Backup does not require any special procedures for deployment. However, it is important that you understand the licensing policies and where to find the support matrix that lists compatible hardware and software.

If you plan to use disk or tape for backup, make sure you understand the Oracle Secure Backup licensing policies before installing and configuring the Oracle Secure Backup software. Backup configuration choices can affect the licensing cost of the deployment. For more information on Oracle Secure Backup licensing, see the Oracle Secure Backup Licensing Information User Manual.

The backup and recovery software run on Oracle MiniCluster must support Oracle Solaris 11 or higher. Make sure the version of Oracle Secure Backup you would like to install supports Oracle Solaris 11 or higher. A support matrix for Oracle Secure Backup 12.1 is available at oracle.com/technetwork/database/availability/osb-12-1-platforms-2420299.pdf. This document lists supported platforms, operating systems, NAS devices, and browsers.

A tape drive and library compatibility matrix for Oracle Secure Backup 12.1 is available at oracle.com/technetwork/database/availability/osb-12-1-tape-matrix-2420301.pdf.

For additional information and qualification details for Oracle Secure Backup, refer to Certifications at My Oracle Support.

Downloading the Oracle Secure Backup Software

Oracle Secure Backup is shipped in a single zip file per platform format, like many other software packages from Oracle. Download the latest version for Oracle Solaris for the SPARC (64-bit) platform from the Oracle Secure Backup Downloads web page (shown in Figure 2).

f2.png

Figure 2. Oracle Secure Backup Downloads web page.

Oracle Secure Backup domains can consist of any mixture of supported platforms and operating systems, so you can have any mixture of host types in a domain. Always check My Oracle Support for the latest patches and updates for Oracle Secure Backup.

Installation Prerequisites on Oracle MiniCluster

No additional packages or patches are required to prepare Oracle MiniCluster to run Oracle Secure Backup. The software that ships preinstalled on Oracle MiniCluster and software installed after the initial installation of Oracle MiniCluster will generally support the latest version of Oracle Secure Backup.

Security and network settings must be updated in each VM to make sure that the backup and recovery software can be run in secure environments. To enable the correct operation of backup and recovery software, you must map network services and create firewall rules that enable the software to get through the built-in firewall on all VMs in an Oracle MiniCluster system.

The following three steps, which are explained in subsequent sections, must be run on each VM on the system:

  1. Add services configurations to the /etc/services file.
  2. Add firewall rules to the /etc/ipf/ipf.conf file.
  3. Restart the firewall.

Patching Oracle MiniCluster

Ideally, your Oracle MiniCluster will have been updated to the latest software levels, but this is not required. All supported versions of Oracle Secure Backup are supported on Oracle MiniCluster. Oracle Secure Backup can be installed and updated during patch cycles on Oracle MiniCluster, and it is recommended to make backups before and after applying patches on the Oracle MiniCluster VMs.

Although Oracle Secure Backup is included with Oracle Database, it is not patched when Oracle MiniCluster is patched and must be maintained separately. Current patch information can be displayed using the Oracle MiniCluster management utility (see Figure 3).

f3.png

Figure 3. Example patch and update information for Oracle MiniCluster.

Configuring Services for Backup and Recovery

On each VM on Oracle MiniCluster, add or verify the network port configurations for Oracle Secure Backup in the /etc/services file. Depending on the code level running on the Oracle MiniCluster system, you might not need to add additional entries to these files, because the installation will set up network services for Oracle Secure Backup. Make sure to use similar settings on all servers running Oracle Secure Backup, even if these settings are not required on other systems in the backup domain.

The Network Data Management Protocol (NDMP) service is required in all environments, even if your Oracle MiniCluster VMs will not act as media servers. In Oracle Secure Backup, NDMP is used to transfer data back to the media servers. The ob-daemon-low and ob-daemon-high settings specify a range of ports used for each job run on Oracle MiniCluster clients. The number of ports required is five times the number of concurrent jobs run on each VM. For example, if you want to run 20 backup jobs at the same time on the same VM, you would need 100 ports configured, as seen in the following example /etc/services file. This example file shows the entries that were added to enable Oracle Secure Backup and Oracle Enterprise Manager to run on an Oracle MiniCluster VM.

##OOS4BUR
oms             3872/tc     # OMS - EM13C
osb-sd          400/tc      # Oracle Secure Backup 
ndmp            10000/tcp   # OSB Data Movement
ob-daemon-low   28000/tcp   # OSB daemon port range start
ob-daemon-high  28100/tcp   # OSB daemon port range stop

Configuring the Firewall for Backup and Recovery

In each VM, add or verify the ipfilter firewall rules for Oracle Secure Backup in the /etc/ipf/ipf.conf file. Depending on the code level running on the Oracle MiniCluster system, you might not need to add additional entries to these files, because the installation will set up firewall rules for Oracle Secure Backup. Make sure to use similar settings on all servers running Oracle Secure Backup, even if these settings are not required on other systems in the backup domain. The NDMP service is required in all environments, even if your Oracle MiniCluster VMs will not act as media servers. In Oracle Secure Backup, NDMP is used to transfer data back to the media servers.

##OOS4BUR
pass in quick on ipmppub0 proto tcp from any port = 3872 to any keep state
pass out quick on ipmppub0 proto tcp from any to any port = 3872 keep state
pass in quick on ipmppub0 proto tcp from any port = 400 to any keep state
pass out quick on ipmppub0 proto tcp from any to any port = 400 keep state
pass in quick on ipmppub0 proto tcp from any port = 10000 to any keep state
pass out quick on ipmppub0 proto tcp from any to any port = 10000 keep state
pass in quick on ipmppub0 proto tcp from any port 28000 <> 28100 to any 
    keep state
pass out quick on ipmppub0 proto tcp from any to any port 28000 <> 28100 
    keep state

After adding or verifying the firewall rules in each VM, restart the firewall with the following command. Note that your session could be terminated when the firewall bounces.

# svcadm restart svc:/network/ipfilter:default

Installing the Oracle Secure Backup Software

To start the software installation, unzip the file you downloaded to a location on the shared storage built into the Oracle MiniCluster system.

The Oracle Secure Backup client should be installed on every VM on the Oracle MiniCluster system. It is not recommended to install the Oracle Secure Backup administrative server role on Oracle MiniCluster, because it is best practice for the administrative server role be installed on a standalone machine. During the installation, you can install only the client role. If you would like to use a disk pool on an NFS share, the media server role can be added after installation.

In the following example, a new directory was created on the /sharedstore mount point to enable all hosts to access it. The Oracle Secure Backup installation must be run as root from the home directory of Oracle Secure Backup (/usr/local/oracle/backup) on each VM. First, change to the Oracle Secure Backup home directory, and then start the installation from the shared directory on the internal shared storage. If you have not set up the shared storage for the VMs, you can do the installation from the local storage or any other shared storage on your network. The following example shows the installation of a single VM:

[email protected]:~# mkdir -p /usr/local/oracle/backup
[email protected]:~# cd /usr/local/oracle/backup
[email protected]:/usr/local/oracle/backup# /sharedstore/OSB12.1.2/osb_12.1.0.2.1_solaris.sparc64_release/setup
 
Welcome to Oracle's setup program for Oracle Secure Backup.  This
program loads Oracle Secure Backup software to a filesystem directory
of your choosing.
This installation contains Oracle Secure Backup version 12.1.0.2.1.
Please wait a moment while I learn about this host... done.
-  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -
    1. solaris64 (SPARC)
       administrative server, media server, client
-  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -
Loading Oracle Secure Backup installation tools... done.
Loading solaris64 administrative server, media server, client... done.
-  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -
Loading of Oracle Secure Backup software is complete.
Choose from one of the following options. The option you choose defines
the software components to be installed.
Configuration of this host is required after installation is complete.
You can install the software on this host in one of the following ways:
    (a) administrative server and client
    (b) client
If you are not sure which option to choose, please refer to the Oracle
Secure Backup Installation Guide. (a or b) [a]? : b
Do you want to change any advanced settings? (y or n) [n]: 
Oracle Secure Backup was installed
[email protected]:/usr/local/oracle/backup# 

Configuring Backups with the Oracle Secure Backup GUI

After you've installed the software, you can access to GUI by navigating to the following URL. Then log in and begin the configuration for the Oracle MiniCluster VMs (see Figure 4).

https://Oracle-Secure-Backup-server-name

f4.png

Figure 4. Login screen for Oracle Secure Backup GUI.

Enable Extended Command Output

After logging in to the Oracle Secure Backup GUI, click the Preferences link located near the top right of the page (see Figure 5).

To help with repetitive processes and to learn more about the command-line interface (CLI), it is recommended to enable the Extended command output option under Preferences. Enabling this option will display the command-line commands used to process each screen in the GUI, and this can be a great way to learn the CLI commands for repetitive processes, such as adding hosts.

f5.png

Figure 5. Setting extended command output option in Oracle Secure Backup preferences.

Enable Compression for the Domain

If you are using encryption, you will likely need to use compression as well. You can enable compression on many levels. In the following example, adding a -Z to the backup options enables compression at a global level (see Figure 6). Setting up compression globally can cause performance issues on hosts where CPU resources are limited, though it is also a great way to make sure you compress all backups before encrypting them.

f6.png

Figure 6. Setting compression at a global level.

To enable compression at a global level, do the following:

  1. Near the top of any page in the Oracle Secure Backup GUI, click Configure > Defaults And Policies > Operations.
  2. In the Backup options field, enter -Z.
  3. Click the Apply button.

Enable Encryption for the Domain

Using encryption is key to maintaining secured data and staying in compliance with regulatory obligations. Encryption is not required, but it is highly recommended. If you are enabling encryption at the Oracle Secure Backup level, this configuration will use software encryption that uses more CPU resources—but it is the only way to protect in-flight data. If compression is not enabled and encryption is enabled, you will be storing your backups uncompressed and nothing can compress them.

To enable encryption at the global level, click Configure > Defaults And Policies > Backupencryption in the Oracle Secure Backup GUI (see Figure 7). Select the desired encryption options and then click Apply. This example turns on software encryption at the domain level with the options shown in Figure 7.

f7.png

Figure 7. Setting encryption at a global level.

Adding Backup Clients

Each VM on the Oracle MiniCluster system needs to be configured as an Oracle Secure Backup client. The media server role is not required, but it can be used if you're using disk pools on NFS shares.

To add hosts, click Configure > Hosts > Add in the Oracle Secure Backup GUI (see Figure 8).

f8.png

Figure 8. Adding hosts as Oracle Secure Backup clients.

Adding hosts is a repetitive process in the GUI, so it can be a huge time saver to use the CLI. Below is an example of the commands used to configure an Oracle MiniCluster with two admin VMs, two application VMs, and two database VMs using the same settings shown in the GUI settings in Figure 8.

obtool mkhost --access 'ob' --ip 'mc14-n1.us.oracle.com' --'inservice' -
certkeysize '1024' --algorithm 'aes256' --encryption 'required' --keytype 
'transparent' --disablerds 'yes' --tcpipbufsize '4096' --rekeyfreq '1week' -
roles 'client','mediaserver' 'mc14-n1'
obtool mkhost --access 'ob' --ip 'mc14-n2.us.oracle.com' --'inservice' -
certkeysize '1024' --algorithm 'aes256' --encryption 'required' --keytype 
'transparent' --disablerds 'yes' --tcpipbufsize '4096' --rekeyfreq '1week' -
roles 'client','mediaserver' 'mc14-n2'
obtool mkhost --access 'ob' --ip 'apps-vm1-mc14-n1.us.oracle.com' --'inservice' 
--certkeysize '1024' --algorithm 'aes256' --encryption 'required' --keytype 
'transparent' --disablerds 'yes' --tcpipbufsize '4096' --rekeyfreq '1week' -
roles 'client','mediaserver' 'apps-vm1-mc14-n1'
obtool mkhost --access 'ob' --ip 'apps-vm1-mc14-n2.us.oracle.com' --'inservice' 
--certkeysize '1024' --algorithm 'aes256' --encryption 'required' --keytype 
'transparent' --disablerds 'yes' --tcpipbufsize '4096' --rekeyfreq '1week' -
roles 'client','mediaserver' 'apps-vm1-mc14-n2'
obtool mkhost --access 'ob' --ip 'oos-dbg1-vm1-mc14-n1.us.oracle.com' -
'inservice' --certkeysize '1024' --algorithm 'aes256' --encryption 'required' -
-keytype 'transparent' --disablerds 'yes' --tcpipbufsize '4096' --rekeyfreq
'1week' --roles 'client','mediaserver' 'oos-dbg1-vm1-mc14-n1'
obtool mkhost --access 'ob' --ip 'oos-dbg1-vm1-mc14-n2.us.oracle.com' -
'inservice' --certkeysize '1024' --algorithm 'aes256' --encryption 'required' -
-keytype 'transparent' --disablerds 'yes' --tcpipbufsize '4096' --rekeyfreq 
'1week' --roles 'client','mediaserver' 'oos-dbg1-vm1-mc14-n2'
obtool mkhost --access 'ob' --ip 'oos-dbg1-vm2-mc14-n1.us.oracle.com' -
'inservice' --certkeysize '1024' --algorithm 'aes256' --encryption 'required' -
-keytype 'transparent' --disablerds 'yes' --tcpipbufsize '4096' --rekeyfreq 
'1week' --roles 'client','mediaserver' 'oos-dbg1-vm2-mc14-n1'
obtool mkhost --access 'ob' --ip 'oos-dbg1-vm2-mc14-n2.us.oracle.com' -
'inservice' --certkeysize '1024' --algorithm 'aes256' --encryption 'required' -
-keytype 'transparent' --disablerds 'yes' --tcpipbufsize '4096' --rekeyfreq 
'1week' --roles 'client','mediaserver' 'oos-dbg1-vm2-mc14-n2'

Creating Datasets for OS File Systems

Each VM type on Oracle MiniCluster has slightly different backup and recovery requirements for the file systems configured inside the VM. The following example datasets will back up most Oracle MiniCluster configurations. Keep testing the datasets until you verify that all file systems are covered and there are no errors or warnings. You can use a dataset per VM or back up multiple VMs in a single dataset, as shown in the following example.

To create datasets using the Oracle Secure Backup GUI, click Backup > Datasets > Add (located near the top of any page).

f9.png

Figure 9. Creating datasets using the Oracle Secure Backup GUI.

The following examples list datasets for admin VMs, application VMs, and database VMs.

Admin VMs:

include host mc14-n2
include host mc14-n1
include catalog 
exclude oracle database files
include path / { 
    exclude path /dev 
    exclude path /devices
    exclude path /net
    exclude path /nfs4
    exclude path /tmp
    exclude path /etc/dev
    exclude path /etc/sysevent
    exclude path /proc
    exclude path /system
    exclude name core 
    exclude name .zfs
    exclude name mcpool        
    exclude name *~ 
    }
include path /commonfs {
     exclude name core
     exclude name .zfs
     exclude name *~
     }
include path /etc/dfs/sharetab {
     exclude name core
     exclude name .zfs
     exclude name *~
     }
include path /etc/mnttab {
     exclude name core
     exclude name .zfs
     exclude name *~
     }
include path /export/home {
     exclude name core
     exclude name .zfs
     exclude name *~
     }
include path /export/home/userid {
     exclude name core
     exclude name .zfs
     exclude name *~
     }
include path /home {
     exclude name core
     exclude name .zfs
     exclude name *~
     }
include path /repo {
     exclude name core
     exclude name .zfs
     exclude name *~
     }
include path /var {
     exclude name core
     exclude name .zfs
     exclude name *~
     } 

Application VMs:

include host app-g1-vm1-mc14-n1
include host app-g1-vm1-mc14-n2
include host app-g2-vm1-mc14-n1
include host app-g2-vm1-mc14-n2
include catalog 
exclude oracle database files
include path / { 
    exclude path /dev 
    exclude path /devices
    exclude path /net
    exclude path /nfs4
    exclude path /tmp
    exclude path /etc/dev
    exclude path /etc/sysevent
    exclude path /proc
    exclude path /system
    exclude name core 
    exclude name .zfs
    exclude name *~ 
    }
include path /etc/dfs/sharetab {
     exclude name core
     exclude name .zfs
     exclude name *~
     }
include path /etc/mnttab {
     exclude name core
     exclude name .zfs
     exclude name *~
     }
include path /export {
     exclude name core
     exclude name .zfs
     exclude name *~
     }
include path /export/home {
     exclude name core
     exclude name .zfs
     exclude name *~
     }
include path /home {
     exclude name core
     exclude name .zfs
     exclude name *~
     }
include path /sharedstore {
     exclude name core
     exclude name .zfs
     exclude name *~
     } 
include path /var {
     exclude name core
     exclude name .zfs
     exclude name *~
     } 
include path /u01 {
     exclude name core
     exclude name .zfs
     exclude name *~
     } 

Database VMs:

include host oos-dbg1-vm1-mc14-n1
include host oos-dbg1-vm1-mc14-n2
include catalog 
exclude oracle database files
include path / { 
    exclude path /dev 
    exclude path /devices
    exclude path /net
    exclude path /nfs4
    exclude path /tmp
    exclude path /etc/dev
    exclude path /etc/sysevent
    exclude path /proc
    exclude path /system
    exclude name core 
    exclude name .zfs
    exclude name *~ 
    }
include path /etc/dfs/sharetab {
     exclude name core
     exclude name .zfs
     exclude name *~
     }
include path /etc/mnttab {
     exclude name core
     exclude name .zfs
     exclude name *~
     }
include path /export {
     exclude name core
     exclude name .zfs
     exclude name *~
     }
include path /export/home {
     exclude name core
     exclude name .zfs
     exclude name *~
     }
include path /home {
     exclude name core
     exclude name .zfs
     exclude name *~
     }
include path /sharedstore {
     exclude name core
     exclude name .zfs
     exclude name *~
     } 
include path /var {
     exclude name core
     exclude name .zfs
     exclude name *~
     } 
include path /u01 {
     exclude name core
     exclude name .zfs
     exclude name *~
     } 

Creating Datasets for the /sharedstore File System

Backups of directories on the /sharedstore file system need to be performed by the host that reads data from or writes data to that share or directory. In Oracle Clusterware configurations, either cluster node that reads or writes on a specific share on the shared storage can perform the backups. In the example below, each VM has its own shared directory on the /sharedstore share. Just as with host datasets, make sure the dataset runs a backup without any errors or warning messages.

f10.png

Figure 10. Example dataset configuration where each VM has its own shared directory.

Create a Schedule for Full Backups

Scheduling backups for Oracle MiniCluster is the same as scheduling backups for any other Oracle Secure Backup client; there is nothing specific about Oracle MiniCluster that requires a different approach.

  1. To start creating schedules using the Oracle Secure Backup GUI, click Backup > Schedules > Add (located near the top of any page).
  2. A list of datasets is displayed (see Figure 11). Select the datasets that you want to configure the schedule for. Once you have selected the datasets, click the Triggers button.

    f11.png

    Figure 11. List of all datasets.

  3. A trigger screen is displayed (see Figure 12). Select the options you want and then click the Apply button. This example configures a weekly full backup that is performed each Saturday and that will be kept for two weeks.

    f12.png

    Figure 12. Configuration to schedule a weekly full backup for one or more datasets.

Create a Schedule for Incremental Backups

Creating a schedule for incremental backups is done in the same manner as for creating full backups.

  1. Using the Oracle Secure Backup GUI, click Backup > Schedules > Add (located near the top of any page).
  2. A list of datasets is displayed (see Figure 13). Select the datasets that you want to configure the schedule for. Once you have selected the datasets, click the Triggers button.

    f13.png

    Figure 13. List of all datasets.

  3. A trigger screen is displayed (see Figure 14). Select the options you want and then click the Apply button. This example schedules a daily incremental backup that is run each day except Saturday and that will be kept for two weeks.

    f14.png

    Figure 14. Configuration to schedule a daily incremental backup for one or more datasets.

Wrapping Up the Installation

To complete the deployment of Oracle Secure Backup on Oracle MiniCluster, you might have other administrative procedures to apply to the backup and recovery processing. For example, you might want to consider the following when creating backups using Oracle Secure Backup:

  • Keep testing datasets until you are backing up the data you want without errors. Examples shown in this article will likely work on most Oracle MiniCluster systems, but testing your deployment is required.
  • Set up any duplication processing required to meet your needs:

    - Use CPINSTANCE commands in scripts to migrate data from disk to tape.

    - Use normal duplication jobs to copy tapes.

  • Set up offsite storage processing. Use normal tape vaulting jobs to manage off-site storage of encrypted backup media.

See Also

For more information, please see the following resources:

About the Author

Dean Halbeisen is a solutions manager at Oracle. He has over 20 years of IT experience and is an expert in enterprise computing solutions, most recently applying these practices to next-generation data center solutions, integrated systems, and Oracle engineered systems. In his current role, he is responsible for solution architecture and development around Oracle Optimized Solutions, including communicating about Oracle's systems, solutions, technology strategies, and roadmaps to customers, partners, and internal stakeholders.

Sign In or Register to comment.