Protected Databases

A protected database uses a specific Recovery Appliance as a destination for centralized RMAN backup and recovery. In Figure 2-1, multiple protected databases send backups to a single centralized Recovery Appliance. Each database protected by a Recovery Appliance must use the recovery catalog in the Recovery Appliance metadata database.

To send backups to a Recovery Appliance, a protected database must be configured to allow access to the Recovery Appliance. The configuration involves creating the appropriate Recovery Appliance users and permissions, associating each protected database with a protection policy, and distributing Recovery Appliance connection credentials to each database.

This section contains the following topics:

Recovery Appliance Backup Modules

The Zero Data Loss Recovery Appliance Backup Module (Recovery Appliance Backup Module) is an Oracle-supplied SBT library that RMAN uses to transfer backup data over the network to the Recovery Appliance. An SBT library transfers data to and from a backup device type, either a tape device or Recovery Appliance. RMAN performs all backups to the Recovery Appliance, and all restores of complete backup sets, by means of this module.

The Recovery Appliance Backup Module must be installed in the following locations:

In the Oracle home of every protected database that sends backups to a Recovery Appliance

For example, a single host might have an Oracle Database 11g Oracle home, and an Oracle Database 12c Oracle home. Each Oracle home might support five protected databases, for a total of ten databases running on the host. In this case, only two Recovery Appliance Backup Modules must be installed: one in each Oracle home.
For Recovery Appliance replication environments, on every upstream Recovery Appliance that sends backups to downstream Recovery Appliances (see Replicating Backups with Recovery Appliance)

Figure 2-3 depicts an Oracle Database 11g and Oracle Database 12c protected database running on the same host. The Recovery Appliance Backup Module installed in each Oracle home communicates with the Recovery Appliance, replicates backups to a downstream Recovery Appliance.

Figure 2-3 Recovery Appliance Backup Modules

Description of "Figure 2-3 Recovery Appliance Backup Modules"

See Also:

Zero Data Loss Recovery Appliance Protected Database Configuration Guide to learn how to install the Recovery Appliance Backup Module
Oracle Database Backup and Recovery User's Guide to learn more about SBT channels and devices

Protection Policies

A protection policy is a named collection of properties that you can assign to multiple protected databases. Using a single policy for multiple databases reduces Recovery Appliance administration time, and enables you to change the properties of multiple protected databases with one operation. To accommodate databases with differing backup and recovery requirements, create as many protection policies as required.

A default installation of Recovery Appliance has the protection policies shown in Table 2-2.

Table 2-2 Default Protection Policies

Service Tier	Recovery Window	Additional Settings
Platinum	45 days on disk, 90 days on tape^Foot 1	Database backups, real-time redo transport, replication, and tape backups. All settings are mandatory.
Gold	35 days on disk, 90 days on tape	Database backups, real-time redo transport, replication, and tape backups (if tape is available).
Silver	10 days on disk, 45 days on tape	Database backups, real-time redo transport, and tape backups (if tape is available).
Bronze	3 days on disk, 30 days on tape	Database backups, and tape backups (if tape is available). There is no real-time redo transport.

^Footnote 1

Backups aged 45 days or less exist on both disk and tape, but backups aged more than 45 days exist only on tape. The Recovery Appliance creates tape backups immediately after disk backups, so the 90 day tape retention period begins at the same time as the 45 day disk retention period.

See Also:

Zero Data Loss Recovery Appliance Protected Database Configuration Guide to learn how to configure real-time redo transport

Protection Policy Attributes

A protection policy is created with the DBMS_RA.CREATE_PROTECTION_POLICY procedure or with Cloud Control. The protection policy sets some of the following attributes for all protected databases assigned to it: Some attributes are mutually exclusive. The following is a representative list of attributes to consider in new protection policies.

Table 2-3 Protection Policy Attributes (subset)

Attribute	Description
`storage_location_name`	A Recovery Appliance storage location for storing backups.
`polling_policy_name`	An optional backup polling policy that determines whether Recovery Appliance polls a storage location for backups
`recovery_window_goal`	The disk recovery window goal for the protected database.
`recovery_window_sbt`	The SBT retention period for the protected database.
`guaranteed_copy`	The guaranteed copy setting, which determines whether backups protected by this policy must be copied to tape or cloud before being considered for deletion.
`allow_backup_deletion`	Setting this to `NO` will prevent RMAN users from deleting backups on the Recovery Appliance, necessary for compliance rules. The default value is set to `YES`.
`store_and_forward`	The setting for the Backup and Redo Failover feature. This setting is used only in a protection policy defined on the alternate Recovery Appliance where the protected databases associated with this policy will redirect backups and redo in the event of an outage on the primary Recovery Appliance.
`max_retention_window`	The maximum length of time that the Recovery Appliance retains backups for databases that use this retention policy.
`unprotected_window`	The maximum acceptable difference between the current time and the latest time that the database can be restored.
`autotune_reserved_space`	This setting is used to control whether the Recovery Appliance will automatically define and update the `reserved_space` settings for databases associated with this policy.
`recovery_window_compliance`	This setting specifies a time range for each database backup in which backups will not be deleted. This value must be equal to or smaller than `recovery_window_goal`. Too large a value can result in filling `disk_reserved_space` with compliance protected backups, whereby new backups are then rejected.
`keep_compliance`	This setting prevents an administrator from using `RMAN CHANGE` command to shrink the "keep until time" specified for an archival backup. If `KEEP_COMPLIANCE` is `YES`, `KEEP FOREVER` backups will never be deleted. `NO` means the "keep until time" for an archival backup may be modified by the `RMAN CHANGE` command. `NO` is the default.
`max_reserved_space`	The maximum `disk_reserved_space` setting permitted for each database in the protection policy. The format of this value is a character string that must contain a number consisting only of the characters `0-9`, followed optionally by one of the following unit specifiers: If `max_reserved_space` is specified as NULL, the `max_reserved_space` setting for databases defaults to `2 x disk_reserved_space`.
`secure_mode`	Determines whether backups stored on the Recovery Appliance must be encrypted. `YES` means that only encrypted backup and redo are accepted by the Recovery Appliance. `NO` means unencrypted backups are allowed to be stored on the Recovery Appliance. `NO` is the default.
`level0_refresh`	If specified, the Recovery Appliance chooses some number of data files from each backup to be level 0 backups. This spreads the creation of new level 0 backup data across the `level0_refresh` interval. Specify the refresh cycle as any valid `INTERVAL DAY TO SECOND` expression, such as `INTERVAL '20' DAY` (20 days). If you set the value to 100 days, then 1% of the database will perform a level 0 backup each day. Effectively, once 100 days is complete, all datafiles will be level 0 with `RA_FORMAT=TRUE` (or Block Pool Formatted). The purpose of this option is to limit the number of Data Encryption Key (DEK) hashes required to restore a database. Each level 1 backup has a new DEK. During a restore, every block is sent to the client along with all the DEKs that are associated with them. During ingest, the DEKs are counted. When 65% of the maximum DEKs for the buffer is reached, a new level 0 refresh is set for that datafile.

You can associate an optional replication server configuration with a protection policy. The replication configuration applies to all protected databases associated with the protection policy.

When a protection policy has SECURE_MODE set to YES, then backups that are not encrypted are rejected before they can be uploaded to the Recovery Appliance, by design. When redo logs are being shipped directly to the Recovery Appliance, they also must be encrypted. However, the check for redo encryption happens after the redo log completes, so future attempts to open a new log on the Recovery Appliance are rejected. A few logs might get started before the archived log destination status shows redo being rejected. This condition clears when an encrypted redo log backup is sent to the Recovery Appliance. After which, future redo log switch are accepted on the Recovery Appliance.

Note:

Before release 21.1, any backup copy anywhere (tape or cloud) counted as a copy for a backup and would allow for deletion on the Recovery Appliance. If you had both cloud and tape, you might have incomplete backups on either cloud and tape, but the Recovery Appliance would incorrectly consider the set copied. Further with replication, the backups could be deleted on the downstream Recovery Appliance, leave backups never copied, and thus never released by the upstream Recovery Appliance.

After release 21.1, the guaranteed_copy attribute was added to the library. When guaranteed_copy is set on the library, the Recovery Appliance will not directly delete the copy in the library. [The tape/cloud manager shouldn't delete the copy either.] Each library with the guaranteed_copy attribute must have a copy of a given backup before it is eligible for deletion from the Recovery Appliance.

The APIs create_protection_policy and update_protection_policy check whether a guaranteed_copy library/template/attribute_set was available to the protection_policy before the protection_policy could have guaranteed_copy set. Other improvements protect the changing of libraries, templates, or attribute_set against the last removal of a library/template/attribute_set path from a protection_policy with the guaranteed_copy attribute set.

Recovery Windows

When creating a protection policy, you can define the following two recovery window attributes, expressed as intervals (typically days):

Disk recovery window goal

For each database assigned to the policy, Recovery Appliance attempts to support a point-in-time recovery to any time within this interval, counting backward from the current time. For example, if the recovery window goal is 15 days, and if it is noon on April 25, then the goal is the ability to perform point-in-time recovery to any time on or after noon on April 10. At noon on April 26, the goal is the ability to perform point-in-time recovery to any time on or after noon on April 11, and so on.

For disk, this interval is a goal, and not a guarantee. The Recovery Appliance might purge backups when disk space is low, in which case the goal is not always met. You can ensure that a minimum number of backups are guaranteed to be available by adjusting the reserved disk space property of each protected database.
SBT retention period

For each assigned database, backups are retained long enough on tape to support a point-in-time recovery to any time within this interval, counting backward from the current time. For SBT, this interval is a guarantee.

See Also:

"Recovery Window Goal"
""Backup Retention on Tape""
Zero Data Loss Recovery Appliance Protected Database Configuration Guide
Oracle Database Backup and Recovery User's Guide for a thorough discussion of recovery windows

Backup Polling Policies

A backup polling policy specifies:

A file system directory on shared storage where Recovery Appliance polls for backups to process (see "Backup Polling Locations")
The frequency with which Recovery Appliance polls
Whether backup data is to be deleted after being successfully processed

Assign backup polling policies to protected databases through protection policies. Each protection policy can optionally reference a polling policy.

Supported Oracle Database Releases

See My Oracle Support Note Doc ID 1995866.1 (http://support.oracle.com/epmos/faces/DocumentDisplay?id=1995866.1) for information about the Oracle database releases supported by Recovery Appliance, including the features available with each release.