1 Introduction to Oracle Secure Backup

This chapter provides an introduction to Oracle Secure Backup and includes advice on planning and configuring your administrative domain.

This chapter contains these sections:

See Also:

Oracle Secure Backup Administrator's Guide for conceptual information about Oracle Secure Backup

What Is Oracle Secure Backup?

Oracle Secure Backup is a centralized network-based backup management application that provides scalable and distributed backup and recovery capabilities.

  • It facilitates backup of Oracle Databases and file system data across heterogeneous network operating systems, such as Linux, Solaris, HP-UX, AIX and Windows.

  • It supports many leading tape library and tape drive in the industry.

  • It provides data protection from malware, ransomware, and data loss, for example physical hardware loss or accidental deletion by offering scheduled and configurable file system and Recovery Manager (RMAN) backups to cloud storage, disk pools, and tape libraries.

  • It supports Internet Protocol v4 (IPv4), Internet Protocol v6 (IPv6) and mixed IPv4/IPv6 environments.

  • It works with FC-SCSI and SCSI attached devices on SAN and Gigabit Ethernet (GbE) networks.

Oracle Cloud Infrastructure allows users to store huge volumes of backup data and run Oracle Secure Backup on compute instances. You can use disk pools to provide fast backups to disk that can be staged to backup to tape.

Oracle Secure Backup Features

Oracle Secure Backup provides the following features:

  • Integration with other Oracle products thus enabling you to easily backup and restore both Oracle Databases and file-system data to tape

    Oracle Secure Backup is fully integrated with Recovery Manager (RMAN) and Oracle Enterprise Manager. You can use Oracle Enterprise Manager to backup both file-system data and Oracle Databases to tape. Oracle Secure Backup serves as a media management layer, through the System Backup to Tape (SBT) interface, to securely backup Oracle Databases using RMAN.

  • Support for disk pools and a wide range of tape drives and libraries that are accessible through various protocols such as SCSI, ISCSI, SAN, NDMP, and Fibre Channel

  • Centralized tape backup management

    Oracle Secure Backup enables centralized backup management of diverse distributed servers and multiple platforms including UNIX, Linux, Windows, and SAN. It can backup and restore locally or over a LAN/WAN.

  • Policy-based backup management

    Oracle Secure Backup provides customizable administrative policies that enable you to control backup operations in the administrative domain. Policies also enable you to control aspects of domain security.

  • Flexible interface options that provide maximum ease of use

    Oracle Secure Backup functionality can be accessed using any of the following interfaces: Oracle Secure Backup Web Tool, Oracle Enterprise Manager DB Control, Oracle Enterprise Manager Cloud Control, or obtool command-line interface.

  • Maximum security options for data and inter-host communication

    Inter-domain communication is secured using the Secure Socket Layer (SSL) protocol. All hosts in the Oracle Secure Backup administrative domain are identified and authenticated using SSL and X.509 certificates. Data transmission within the administrative domain is secured using encryption. You can also encrypt Oracle Database backups before they are stored to tape.

  • Automated device discovery

    Oracle Secure Backup can automatically discover and configure each secondary storage device connected to certain types of NDMP servers, such as a Network Appliance filer. It can also discover devices connected to the Oracle Secure Backup media servers.

  • Automated tape library and device management that includes automated control of tape libraries

    Oracle Secure Backup automates the management of tape libraries to ensure efficient and reliable use of their capabilities. It controls library robotics and enables automatic loading and unloading of volumes. It can also automatically clean tape drives in a tape library.

  • Automated media management that includes volume and backup expiration

    Oracle Secure Backup enables automatic tape recycling by specifying when volumes can be recycled. You create policies to define when volumes are eligible to be recycled or rewritten.

  • Flexible, multi-level, backup options

    Oracle Secure Backup enables you to create full, incremental, and differential backups.

  • Flexible options for restoring backups

    Oracle Secure Backup enables you to restores backup data stored on tapes either to the original location or to an alternative server.

Overview of Oracle Secure Backup Concepts

This section discusses Oracle Secure Backup concepts that enable you to better understand the installation process.

This section contains these topics:

About Oracle Secure Backup Administrative Domains and Hosts

Oracle Secure Backup organizes hosts and tape devices into an administrative domain, representing the network of hosts containing data to be backed up, hosts with attached tape devices on which backups are stored, and each tape device with its attachment to the hosts. A host can belong to only one administrative domain.

Host Roles in an Administrative Domain

Each host in an administrative domain must be assigned one or more of the following Oracle Secure Backup roles:

  • Administrative server

    Each administrative domain must have exactly one administrative server. During postinstallation configuration, the administrative server must be configured with complete data regarding the other hosts in the administrative domain, their roles, and their attached tape devices. This configuration information is maintained in a set of configuration files stored on the administrative server.

    The administrative server runs the scheduler, which starts and monitors each backup job. The scheduler also keeps a backup catalog with metadata for all backup and restore operations performed in the administrative domain.

  • Media server

    A media server is a host with at least one tape device attached to it. A media server transfers data to or from a volume loaded on one of these tape devices. A media server has at least one attachment to a tape drive or library. It might have attachments to multiple tape libraries and disk pools.

    You specify the attachments between media servers and tape devices during postinstallation configuration of Oracle Secure Backup.

  • Client

    The client role is assigned to any host that has access to file-system or database data that can be backed up or restored by Oracle Secure Backup. Any host where Oracle Secure Backup is installed can be a client, including hosts that are also media servers or the administrative server. A network-attached storage device that Oracle Secure Backup accesses through NDMP can also serve the client role.

Note:

A host can be assigned multiple roles in an administrative domain. For example, a host with a tape drive attached could be both the administrative server and media server for a network that includes several other clients. For more examples of administrative domains, see "About Oracle Secure Backup Administrative Domain: Examples".

See Also:

"Choosing Secure Hosts for the Administrative and Media Servers"

Host Naming in an Administrative Domain

Each host in the administrative domain must have a unique name that pairs with a unique IP address that is used for TCP/IP communication among the hosts and the media management devices.

In general, the DNS host name can be a good choice for an Oracle Secure Backup host name. Though you can assign a different name to a host, ensure that you specify the IP address as the host object's IP name while configuring Oracle Secure Backup.

Oracle Secure Backup Host Access Modes

Oracle Secure Backup administrative domain uses NDMP to communicate between Compute Hosts and Storage Area Network appliances.

Oracle Secure Backup supports two host access modes: primary access mode and NDMP access mode.

Oracle Secure Backup compute hosts run in primary access mode and have the Oracle Secure Backup software package installed on them. A group of Oracle Secure Backup daemons run in the background that enable communication between the Oracle Secure Backup administrative server, clients, and media servers for performing both file system and RMAN database backups. NDMP access mode is used for communication with SAN appliances.

Note:

In the Oracle Secure Backup Web tool and the output of some obtool commands such as lshost, primary mode is referred to as OB access mode. In Oracle Enterprise Manager, primary access mode is referred to as native access mode.

NDMP access mode is used to communicate with Storage Area Network appliances for backup and restore. Oracle's ZFS Storage Appliance and other third party vendors, such as NetApp and Dell EMC, run their own implementations of NDMP which are supported in Oracle Secure Backup. However, additional parameters specific to the vendor's implementation of NDMP may be required while adding and configuring these devices in the Oracle Secure Backup administrative domain.

About Oracle Secure Backup Administrative Domain: Examples

Figure 1-1 shows a minimal administrative domain, in which a single host is administrative server, media server, and client. An Oracle database also runs on the same host.

Figure 1-1 Administrative Domain with One Host

Description of Figure 1-1 follows
Description of "Figure 1-1 Administrative Domain with One Host"

Figure 1-2 shows a possible Oracle Secure Backup administrative domain that includes three client hosts, one administrative server, and one media server. A NAS appliance contains ordinary file data. One client based on UNIX and another based on Windows contain databases and other file data. Oracle Secure Backup can back up to tape the non-database files on file systems accessible on client hosts. RMAN can back up to tape database files through the Oracle Secure Backup SBT interface.

Figure 1-2 Oracle Secure Backup Administrative Domain with Multiple Hosts

Description of Figure 1-2 follows
Description of "Figure 1-2 Oracle Secure Backup Administrative Domain with Multiple Hosts"

About Disk Pools

A disk pool is a file-system directory that acts as a repository for backup image instances. Disk pools can store file-system backups, RMAN backups of Oracle databases, and backups created by NDMP filers.

Each disk pool is represented as a device in Oracle Secure Backup. A disk pool can belong to only one administrative domain. To monitor space utilization on disk pools, you must delete expired backup image instances.

See Also:

Oracle Secure Backup Administrator's Guide for more information on managing disk pools

About Tape Devices

Oracle Secure Backup maintains information about each tape library and tape drive so that you can use them for local and network backup and restore operations. You can configure tape devices during installation or add a new tape device to an existing administrative domain. When configuring tape devices, the basic task is to inform Oracle Secure Backup about the existence of a tape device and then specify which media server can communicate with this tape device.

This section contains these topics:

Tape Drives

A tape drive is a device that reads and writes data on magnetic tapes.

Magnetic tapes are sequential-access storage devices that provide long-term data storage. Unlike disks, the data stored on a tape does not require electricity to sustain it, hence are cost-effective and eco-friendly.

A tape drive uses precision motors to wind magnetic tapes from one reel to another. The tape passes a read/write head as it is wound. These reels are inside a tape cartridge, such as LTO series media, which is the most popular type of drive among Oracle Secure Backup users. A tape is sequential-access storage and since it has a beginning and an end, the tape drive must read through the tape in order to locate the position on the tape where the End of Media is located in order to append to a tape, or locate the position of the written data in the middle of the tape in order to perform a restore.

Tape drives write data in a block format and the block size can influence the backup data transfer rate. Each block is written in a single operation with gaps left between the blocks. The blocking factor can be adjusted to optimize the performance of backups and restores. Typically, large blocking factors are optimum for backing up large files while smaller blocking factors are optimum for backing up numerous small files.

The block size of a block of data is the size of the block in bytes as it was written to tape. All blocks read or written during a given backup or restore operation have the same block size. The blocking factor of a block of data expresses the number of 512-byte records contained in the block. For example, for a site that blocks up a large number of small files, you can set a small blocking factor to match the size of the source data, whereas for sites that back up huge files, you can specify a large blocking factor. The Oracle Secure Backup default blocking factor (128) results in a tape block size of 128*512 bytes or 64 KB.

The maximum blocking factor is an upper limit on the blocking factor that Oracle Secure Backup uses. This limit comes into play particularly during restores, when Oracle Secure Backup must pick an initial block size to use without knowing the actual block size on the tape. The maximum blocking factor limits this initial block size to a value that is acceptable to both the tape device and the underlying operating system.

You can specify the blocking factor and the maximum blocking factor. See "Configuring Tape Drives". The default value for blockingfactor and maxblockingfactor is 128 when Oracle Secure Backup is installed. You can configure domain-wide blocking and maximum blocking factors using the media/blockingfactor and media/maxblockingfactor polices. For more information about the policies, see Oracle Secure Backup Reference.

Things to consider:

  • The blockingfactor (block size) must always be less than or equal to the maxblockingfactor.

  • The tape drive itself must support the block size settings in use because often tape drives, device drivers, or operating systems have limitations which can supersede other conditions.

  • The maxblockingfactor must always be set to be greater than or equal to the largest block you will want to restore.

    When a restore operation starts, Oracle Secure Backup is not aware of the block size that was used to write a given tape. Oracle Secure Backup starts a restore by reading the largest possible block size that is maxblockingfactor. If the blocking factor is too large, Oracle Secure Backup returns an error and displays a message to increase the media/maxblockingfactor policy in obtool.

Oracle Secure Backup supports the following tape drives:
  • Linear Tape-Open (LTO)
  • T10000

Information about the tape formats of tape devices supported by Oracle Secure Backup is available at:

http://www.oracle.com/technetwork/products/secure-backup/learnmore/index.html

Tape Libraries

A tape library is a robotic tape device that operates on SCSI commands.

You can run SCSI commands to move a volume between a storage element and a tape drive. A tape library is often referred to as a medium changer.

A tape library contains one or more tape drives, slots (storage elements or se's) for holding tape cartridges, and provides an automation device to move tapes between drives and storage elements. Figure 1-3 illustrates a tape library containing four tape drives.

Figure 1-3 Tape Library

Description of Figure 1-3 follows
Description of "Figure 1-3 Tape Library"

Oracle Secure Backup supports tape libraries for managing automatic loading and unloading of volumes to and from the tape drives and storage elements to optimize efficiency.

When a tape library is first configured in Oracle Secure Backup, you must perform an initial forced inventory so that Oracle Secure Backup identifies the contents of the storage elements. Most modern tape libraries require barcode labels on the tapes to perform management operations and for vaulting to other locations. Oracle Secure Backup checks the volume ID of a tape with the barcode to facilitate managing the tape inventory and to identify the tapes required for restore and recycle operations.

After the library and drives are configured, Oracle Secure Backup is configured to automount tapes for backups. Oracle Secure Backup sends commands to the library's robotic arm indicating the tapes to move between the drives and storage elements in order to provide the resources required for a job to backup or restore data. Oracle Secure Backup scans the tape library storage elements to find a suitable volume and uses internal records to optimize tape selection. When you have adequate tapes in the storage elements, Oracle Secure Backup does not require manual loading of tapes to complete backups that span across multiple volumes.

You can configure Oracle Secure Backup to automate the drive cleaning operations. For more information about the policies, see Oracle Secure Backup Reference.

Figure 1-3 shows a tape library with its set of addressable elements:

  • Storage Elements (se) are locations where tapes can be stored and available for operations while not in use.

  • A data transfer element (DTE) is a tape drive which is used for reading and writing data to and from the tape volume.

  • Media Transfer Element (mte) is the robotic arm that moves tape cartridges from the storage elements to and from the tape drives.

  • Import Export Element (iee) is a mechanism with a door that an operator uses to transfer tapes in and out of the library. After the door is closed, the robotic arm transfers cartridges to internal slots in the library. If the library is used to move the cartridges around, outside of Oracle Secure Backup, a reinventory is required to update the identification of the storage element contents.

Oracle Secure Backup refers to elements by their abbreviation (mte, se, iee, or dte) followed by the number of the element, for example, se5, iee2, dte1. When multiple elements of a type exist, element numbering starts at 1. When only one element of a type exists, the number can be omitted. Thus, iee1 and iee both refer to the first and only import/export element. If the abbreviation is omitted, then a storage element is assumed. For example, se4 and 4 both refer to the fourth storage element. For some commands, you can specify a range of storage elements, for example, 1-5.

Oracle Secure Backup supports several tape library operations. The following operations are the most basic:

  • Inserting and extracting volumes

  • Loading and unloading volumes

  • Moving volumes

  • Importing and exporting volumes

See Also:

Oracle Secure Backup Reference for details about the tape library commands that you can run in obtool

Virtual Tape Libraries

A virtual tape library is one or more large-capacity disk drives partitioned into virtual physical tape volumes. To Oracle Secure Backup the virtual tape library appears to be a physical tape library with at least one volume and at least one tape drive. The volumes and tape drives in the virtual tape library can be configured to match common physical tapes and tape drives.

Backup operations performed to a virtual tape library complete faster than backup operations to actual tape drives, because the underlying storage device is direct access media. But a virtual tape library is not suitable for long time storage, because it has limited storage capacity. If you back up to a virtual tape library, then you can take advantage of its faster backup and then use the volume migration feature of Oracle Secure Backup to migrate the data to tapes at a later point of time.

Device Names and Attachments

Because Oracle Secure Backup manages tape drive operations, it must be able to identify the tape drive and determine whether the tape drive is housed in a tape library. Oracle Secure Backup must further determine if a storage element is available for storing a volume while not in use by the tape drive. Thus, each tape device must be uniquely identified within Oracle Secure Backup by a user-defined name.

Oracle Secure Backup distinguishes a tape device and the means by which the tape device connects to a host. To be usable by Oracle Secure Backup, each tape device must have at least one attachment, which describes a data path between a host and the tape device. An attachment usually includes the identity of a host plus an attach point name in Linux or UNIX, a device name in Windows, or a NAS device name. In rare cases, additional information is needed for the attachment definition.

See Also:

About Cloud Storage Devices

Oracle Secure Backup cloud storage devices are used to backup and restore data to and from Oracle Cloud Infrastructure Object Storage Classic and from Oracle Cloud Infrastructure Object Storage.

  • When used with Oracle Cloud Infrastructure, a cloud storage device operates on a container in the specified Oracle Cloud Infrastructure Object Storage namespace. Each cloud storage device is associated with only one container.

    Note:

    The term "identity domain" is specific to Oracle Cloud Infrastructure Classic. Oracle Cloud Infrastructure uses a new term "namespace".

    A container is a logical grouping of resources. A bucket, which is created in a user-specified container, acts as the repository for backup image instances. Multiple administrative domains can use one container. However, a bucket can be used by only one administrative domain.

    The storage class for a container in Oracle Cloud Infrastructure can be standard storage class (object), archive storage class (archive), or infrequent access storage class (infrequentaccess).

    See Also:

    Oracle Cloud Infrastructure Object Storage for more information about using Oracle Cloud Infrastructure Object Storage

  • When used with Oracle Cloud Infrastructure Classic, a cloud storage device operates on a cloud storage container in the Oracle Cloud user’s identity domain. The cloud storage container acts as a repository for backup image instances. Each cloud storage device is associated with only one cloud container. The storage class for a cloud container in Oracle Cloud Infrastructure Classic can be standard storage class (object) or archive storage class (archive).

    Note:

    The term "identity domain" is specific to Oracle Cloud Infrastructure Classic. Oracle Cloud Infrastructure uses a new term "namespace".

    A cloud storage device and its associated container can belong to only one Oracle Secure Backup administrative domain. It cannot be shared between multiple Oracle Secure Backup administrative domains.

    See Also:

Backups to Cloud Storage Devices

The cloud storage device is an Oracle Secure Backup device resource. Backup jobs must be explicitly configured to use cloud storage devices. The cloud storage device can store file-system backups or RMAN backups of Oracle databases. Cloud storage devices can be accessed concurrently by multiple backup and restore jobs. The number of concurrent jobs is defined by the device’s concurrentjob setting. Each of the backup or restore job creates parallel data connections to Oracle Cloud storage. The number of parallel connections is controlled by device’s streamsperjob setting.

Oracle Secure Backup ensures that backup data is encrypted on the client before it is written to the cloud. If the backup job does not require encryption, then Oracle Secure Backup’s client-side software encryption is automatically forced on and the encryption policies set up in the client are applied to the backup data written to the cloud storage device.

Oracle Secure Backup stores each backup image instance by splitting it into multiple segments and storing each segment as a single object in the container. The segment size defines the size of the object and is specified by the device’s segmentsize parameter.

Backup image instances remain in the cloud container until they expire, are explicitly deleted, or are migrated to a cloud archive container. Oracle Secure Backup deletes expired backup image instances only when the device’s free space threshold is exceeded; not immediately after they expire.

Cloud Storage Devices and Staging

You can stage backup data to a disk pool and then move it to a cloud storage device using automated staging. The backup data in the disk pool must be encrypted in order to copy it to the cloud storage device. However, a cloud storage device cannot be used as the source device for automated staging.

You can move a backup image instance from a standard storage class (object) container to an archive storage class (archive) container or an infrequent access storage class (infrequent access) container with a manual copy job. If both containers or buckets are located in the same identity domain, Oracle Secure Backup copies data between containers or buckets. If both containers or buckets are located in different identify domains, the data is downloaded from source device and then uploaded to the target device.

Cloud Storage Devices and System Memory Usage

The cloud device requires a certain amount of system memory from the media server attached to the device. The amount of media server system memory required is derived from the cloud device's segmentsize, streamsperjob, and concurrentjobs values, and the number of cloud devices attached to the media server.

The total amount of system memory on the media server that is needed to support Oracle Secure Backup cloud devices is derived as follows:

(# of attached cloud devices) * (concurrentjobs) * (1 + streamsperjob) * (segmentsize)

See Also:

Oracle Secure Backup Daemons

Daemons are background processes that perform Oracle Secure Backup operations. Some daemons run continuously while others run only to perform a particular task and then exit when the task is complete.

A daemon can run either on the administrative server, the media server, or a client. Oracle Secure Backup uses a combination of daemons to perform a particular backup, restore, or configuration task.

The Oracle Secure Backup daemons include the following: Service daemon, Schedule daemon, Index daemon, Apache Web Server daemon, NDMP daemon, Robot daemon, and Proxy daemon.

See Also:

Oracle Secure Backup Administrator's Guide for more information about daemons

Oracle Secure Backup Interfaces

There are four different interfaces for accessing different elements of Oracle Secure Backup:

  • The obtool command line utility provides the fundamental interface for Oracle Secure Backup functions, including configuration, media handling, and backup and restore of file-system files.

  • Oracle Enterprise Manager offers access to most Oracle Secure Backup functions available through obtool as part of its Cloud Control interface.

  • Oracle Secure Backup includes its own Web-based interface, called the Oracle Secure Backup Web tool, which exposes all functions of obtool. The Oracle Secure Backup Web tool is primarily intended for use in situations where Oracle Secure Backup is being used independently of an Oracle Database instance. It does not provide access to database backup and recovery functions.

    The Oracle Secure Backup Web tool supports Internet Protocol v4 (IPv4), Internet Protocol v6 (IPv6), and mixed IPv4/IPv6 environments on all platforms that support IPv6.

  • Backup and restore operations for Oracle Database instances and configuration of the Oracle Secure Backup media management layer are performed through the RMAN command-line client or through Oracle Enterprise Manager.

Note:

Oracle Secure Backup documentation focuses on the use of Enterprise Manager wherever possible, and describes the Oracle Secure Backup Web Tool only when there is no equivalent functionality in Enterprise Manager, as in a file-system backup.

See also: