Configuring Space-Efficient Encrypted Backups

The LIBRA.SO module supports both the legacy mode (RA21.1) and the space-efficient encrypted option (RA23.1). In both modes, the external password store is created in the same way, but then the RMAN SBT channels is configured differently.

The RMAN command to turn on encrypted backups is of the form:

CONFIGURE CHANNEL DEVICE TYPE SBT PARMS "SBT_LIBRARY=/.../rdbms/lib/libra.so, 
ENV=(RA_FORMAT=true, RA_WALLET='location=file:/.../orswlt credential_alias=myra')" ;

Once this is established, you can specify the desired encryption algorithm when performing a normal backup with your SBT job.

Compression defaults to LZO compression. If specified on the RMAN command line, it must be BASIC.

Note:

Controlfile cannot be in the same piece as incremental datafile.

The new TDE keys, however, become needed to restore older backups.

When starting with encrypted backups, a new Level 0 backup is not required. Also, re-key does not require a new Level 0.

This information applies to RA 23.1 and later.

  1. Create a secure external password store (mkstore). The following command creates an Oracle wallet that stores the credentials of the Recovery Appliance user named ravpc1: 

    $ mkstore                         \
  -wrl $ORACLE_HOME/oracle/wallet \
  -createALO                      \
  -createCredential zdlra01ingest-scan.acme.com:1521/zdlra01:dedicated ravpc1

    Refer to: Creating an Oracle Wallet on the Protected Database

  2. An RMAN SBT channel is configured with the SBT_LIBRARY parameter pointing to the Recovery Appliance backup module. The complete path of the shared library libra.so is specified. The RA_WALLET parameter represents the location of the Oracle wallet that stores the credentials used to authenticate this protected database with the Recovery Appliance. ra-scan is the SCAN of the Recovery Appliance and zdlra5 is the service name of the Recovery Appliance metadata database. 

    CONFIGURE CHANNEL DEVICE TYPE 'SBT_TAPE' 
PARMS 'SBT_LIBRARY=/u01/app/oracle/product/19.0.0.0/dbhome_1/lib/libra.so,
ENV=(RA_FORMAT=true,
RA_WALLET=location=file:/u01/app/oracle/product/19.0.0.0/dbhome_1/dbs/zdlracredential_alias=ra-scan:1521/zdlra5:dedicated)' 
FORMAT '%U_%d';

  3. In addition to this, RMAN compression and RMAN encryption needs to be configured. This can be done either one time or as part of each backup job.

    configure compression algorithm  'low';
set encryption on;
configure device type 'sbt_tape' backup type to compressed backupset;

  4. An RMAN SBT channel is allocated with the SBT_LIBRARY parameter specifying the complete path of the Recovery Appliance backup module. The ENV setting is used to specify the configuration parameters used by the Recovery Appliance backup module. ra-scan is the SCAN of the Recovery Appliance and zdlra5 is the service name of the Recovery Appliance metadata database. 

    set echo on
configure compression algorithm 'low';
set encryption on;
configure device type 'sbt_tape' backup type to compressed backupset;
RUN{ALLOCATE CHANNEL c1 DEVICE TYPE sbt_tape 
PARMS='SBT_LIBRARY=/u01/app/oracle/product/19.0.0.0/dbhome_1/lib/libra.so,
ENV=(RA_FORMAT=true, 
RA_WALLET=location=file:/u01/app/oracle/product/19.0.0.0/dbhome_1/dbs/zdlracredential_alias=ra-scan:1521/zdlra5:dedicated)' 
FORMAT '%U_%d';
BACKUP INCREMENTAL LEVEL 1 FILESPERSET 1 SECTION SIZE 64G DATABASE PLUS ARCHIVELOG NOT BACKED UP FILESPERSET 8;}

  5. The above is performed by the protected database, and the Recovery Appliance administrator does not need to know this is happening. However, the Recovery Appliance administrator can prevent un-encrypted data from being sent to the appliance. This is achieved with the CREATE_PROTECTION_POLICY or UPDATE_PROTECTION_POLICY and specifying the parameter SECURE_MODE = YES. 

    SQL> exec dbms_ra.update_protection_policy(
protection_policy_name => ‘GOLD’, 
secure_mode => ‘YES’);

  6. After this configuration, if an attempt is made to run an unencrypted (legacy) backup, an error message occurs similar to:

    RMAN-00571:
===========================================================RMAN-00569: =============== ERROR
MESSAGE STACK FOLLOWS ===============RMAN-00571:
===========================================================RMAN-03009: failure of backup
command on channel_29 channel at 01/19/2023 10:27:06ORA-27192: skgfcls: sbtclose2
returned error - failed to close fileORA-19511: non RMAN, but media
manager or vendor specific failure, error text:KBHS-01404:  See trace file
/u01/app/oracle/diag/rdbms/<dbuniquename>/<sid>/trace/sbtio_204486_140658931245376.log  for
detailsKBHS-00719: Error 'recovery
appliance Error'; ORA-64868: Only RMAN encrypted backups are supported on this Recovery
Appliance.
KBHS-00700: HTTP

  7. Additionally, if real-time redo is enabled, then the LAD parameter needs to be set ENCRYPTION=enable. 

    ALTER SYSTEM SET LOG_ARCHIVE_DEST_3='SERVICE=boston 
VALID_FOR=(ALL_LOGFILES, ALL_ROLES) 
ASYNC DB_UNIQUE_NAME=zdlra2 encryption=enable' SCOPE=BOTH;

    Without this, Recovery Appliance administrator sees the message.

    2023-01-19T18:25:41.933868+00:00
Recovery Appliance failure on ospid: 221805; 
Errors: ORA-64869: Unencrypted redo is not allowed for database <dbname>.