Password encryption requires that the DBA provide a password when creating and restoring encrypted backups. You can specify which instance performs an operation with the CONNECT channel parameter. Some organizations will require you to remove encryption for data or databases that are only for TEST or DEVELOPMENT purposes. The BACKUP BACKUPSET command can neither encrypt nor decrypt backup sets.
You can also set the snapshot control file name to a raw device. PARALLELISM for persistent channel parallelism or multiple ALLOCATE CHANNEL commands for job-level parallelism. For example, you can enter one of the following commands: You can disable the exclusion feature for cwmlite and example as follows: RMAN includes these tablespaces in future whole database backups. This technique is necessary in the following situations: When running an Oracle Real Application Clusters (Oracle RAC) database in which individual nodes do not have access to the full set of backups. To diagnose the problem, recover the database or tablespace to the SCN of the stale block read, which then generates the lost write error (ORA-752). You can combine this with the global wallet transparent backup if you like. You can use the PARMS channel parameter to specify vendor-specific information for a media manager. You can override the configured MAXSETSIZE value by specifying a MAXSETSIZE option for an individual BACKUP command. If one tape of a multivolume backup set fails, then you lose the data on all the tapes rather than just one. When renaming files with the DUPLICATE command, CONFIGURE AUXNAME is an alternative to SET NEWNAME command. Possible values are listed in V$RMAN_ENCRYPTION_ALGORITHMS. You can set the DB_LOST_WRITE_PROTECT initialization parameter to TYPICAL or FULL so that a database records buffer cache block reads in the redo log. The following procedure illustrates only one method. If you configure specific channels with numbers higher than the parallelism setting, then this setting prevents RMAN from using them. Example 6-1 Configuring Channel Parallelism for Tape Devices. When RMAN must resynchronize the recovery catalog with a read-consistent version of the control file, it creates a temporary snapshot control file. To repair a lost write on a primary database, you must initiate failover to the standby database.
You can use the MAXPIECESIZE channel parameter to set limits on the size of backup pieces. The CONFIGURE settings for duplexing only affect backups of datafiles, control files, and archived logs into backup sets, and do not affect image copies. RMAN issues an ORA-19916 error if you attempt to create encrypted RMAN backups using an SBT library other than Oracle Secure Backup. By specifying the default, OPTIMIZE FOR LOAD TRUE, Oracle optimizes CPU usage and avoids pre-compression block processing. There may be different reasons for encrypting RMAN backups. When backing up to tape, ensure that the number of copies does not exceed the number of available tape devices. Oracle Net configuration varies greatly from system to system. The default setting is NONE. Transparent encryption is best suited for day-to-day backup operations, where backups are restored to the same database from which they were created. When using the autologin wallet, encrypted backup operations can be done at any time, because the autologin wallet is always open. When a standby database applies redo during managed recovery, it reads the corresponding blocks and compares the SCNs with the SCNs in the redo log. Configuring encryption for Oracle Recovery Manager (RMAN) is always a good step in the right direction. You can reset the database master key at any time. Good combination of compression ratios and speed. The Oracle Secure Backup SBT is the only supported interface for making encrypted RMAN backups directly to tape.
In this case, you may want to set the names of datafiles in the auxiliary instance before starting the TSPITR or database duplication. This section contains the following topics: Configuring the Maximum Size of Backup Sets, Configuring the Maximum Size of Backup Pieces, Configuring Tablespaces for Exclusion from Whole Database Backups, Configuring Pre-Compression Block Processing, Basic Compression or the Advanced Compression Option. This section explained more advanced configuration options. Assume that you issue the following commands at the RMAN prompt: The backup of the users tablespace uses the configured SBT channel and the configured default MAXSETSIZE setting of 7500K. If some columns in the database are encrypted with Transparent Data Encryption, and if those columns are backed up using backup encryption, then those columns are encrypted a second time during the backup. Because BACKUP BACKUPSET copies an already-encrypted backup set to disk or tape, no decryption key is needed during BACKUP BACKUPSET. You can see the current snapshot location by running the SHOW command. If the SCN is higher, it detects a lost write on the standby database and throws an internal error (ORA-600 [3020]). When manually numbering channels, you must specify one or more channel options (for example, MAXPIECESIZE or FORMAT) for each channel. RMAN always numbers parallel channels starting with 1 and ending with the PARALLELISM setting. Encrypted backups cannot be read if they are obtained by unauthorized users. Since the performance of the various compression levels depends on the nature of the data in the database, network configuration, system resources and the type of computer system and its capabilities, Oracle cannot document universally applicable performance statistics. Using or not using persistent configuration settings controls whether archived redo log backups are encrypted. Optionally, connect to a recovery catalog.
Backup piece size is an issue in situations where it exceeds the maximum file size permitted by the file system or media management software. To create dual-mode encrypted backup sets, specify the SET ENCRYPTION ON IDENTIFIED BY password command in your RMAN scripts.
To create encrypted backups on disk with RMAN, the database must use the Advanced Security Option. Execute the CONFIGURE ENCRYPTION ALGORITHM command, specifying a valid value from V$RMAN_ENCRYPTION_ALGORITHMS.ALGORITHM_NAME.
When the backup sets are decrypted during a restore, the encrypted columns are returned to their original encrypted form. In contrast, you must reissue the SET NEWNAME command every time you rename files.
Oracle Data Guard Concepts and Administration to learn how to use a standby database for lost write detection and repair, Oracle Database Reference to learn about the DB_LOST_WRITE_PROTECT initialization parameter. Customer requirement (e.g., most companies require encryption for any database file containing SSN, Credit Card number, date of birth, etc.); or, Note: You don't need a wallet to implement this.
To guarantee that no lost writes have corrupted the database, you must perform media recovery from database creation, which is not a practical strategy for most database environments. In such a situation, you can set PARALLELISM to any value up to the number of devices, in this instance 20. Subsequent snapshot control files that RMAN creates use the specified filename. Configure specific channels by number when it is necessary to control the parameters set for each channel separately. The database is in consistent state, but all data after the RESETLOGS SCN is lost. Encrypted backups are decrypted automatically during restore and recovery, as long as the required decryption keys are available. The key is stored in encrypted form in the backup piece. You can also use the SEND command to send vendor-specific commands to a media manager.
When using transparent encryption, you must first configure an Oracle wallet for each database, as described in Oracle Database Advanced Security Administrator's Guide. Choosing a compression level based on your environment, network traffic characteristics (workload) and dataset is the only way to ensure that the backup set compression level can satisfy your organization's performance requirements and any applicable service level agreements. The OPTIMIZE FOR LOAD option controls pre-compression processing. You can use the command to specify the following: Whether to use transparent encryptions for backups of all database files, Whether to use transparent encryptions for backups of specific tablespaces, Which algorithm to use for encrypting backups. You can run CONFIGURE EXCLUDE FOR TABLESPACE to exclude the specified tablespace from the BACKUP DATABASE command. Table 6-1 summarizes the ways in which you can control channel behavior. The difference is that after you set the AUXNAME the first time, you do not need to reset the filename when you issue another DUPLICATE command; the AUXNAME setting remains in effect until you issue CONFIGURE AUXNAME CLEAR. While "Configuring Channels" explains the basics for configuring channels, this section explains more advanced channel topics. "Limiting the Size of Backup Sets with BACKUP MAXSETSIZE", Oracle Database Backup and Recovery Reference for BACKUP syntax. Oracle Database Backup and Recovery Reference for BACKUP and CONFIGURE syntax. "Configuring the Environment for RMAN Backups" explains the basics for configuring RMAN to make backups. RMAN supports pre-compression processing and binary compression of backup sets. The default algorithm is AES 128-bit. When you use the BACKUP BACKUPSET command with encrypted backup sets, the backup sets are backed up in encrypted form. 
If the block SCN on the primary database is lower than on the standby database, then it detects a lost write on the primary database and throws an external error (ORA-752).
This type of backup is known as a duplexed backup set. Restoring a password-encrypted backup requires the same password used to create the backup. RMAN needs a snapshot control file when resynchronizing with the recovery catalog or when making a backup of the current control file. This behavior ensures that the redo associated with any encrypted backup of a datafile is also encrypted. To ensure that RMAN does not connect to a dispatcher when a target database is configured for a shared server, the net service name used by RMAN must include (SERVER=DEDICATED) in the CONNECT_DATA attribute of the connect string. For example, if the default device is SBT and parallelism is set to 3, then RMAN names the channels as follows: RMAN always uses the name ORA_SBT_TAPE_n even if you configure DEVICE TYPE sbt (not the synonymous sbt_tape). Channel parallelism for backup and restore operations.
This section contains the following topics: Whether you allocate channels manually or use automatic channel allocation, you can use channel commands and options to control behavior. You can use the MAXPIECESIZE parameter of the CONFIGURE CHANNEL or ALLOCATE CHANNEL command to limit the size of backup pieces. The PARALLELISM setting is not constrained by the number of specifically configured channels. Recommended for most environments. Note: You need to set encryption off if at any point you don't need to encrypt your backup again. To configure the default backup encryption algorithm: Start RMAN and connect to a target database and a recovery catalog (if used). You can use MAXSETSIZE to specify that each backup set should fit on one tape rather than spanning multiple tapes. The following example configures the algorithm to AES 256-bit encryption: Assume that you are performing tablespace point-in-time recovery (TSPITR) or performing data transfer with RMAN.
When restoring a dual-mode encrypted backup, you can use either the Oracle wallet or a password for decryption. BACKUP COPIES is set to 1 for each device type. Ensure that the target database is mounted or open. A tablespace does not change often and therefore should be backed up on a different schedule from other backups. Transparent encryption can create and restore encrypted backups with no DBA intervention, as long as the required Oracle key management infrastructure is available. Oracle can achieve better backup compression ratios by consolidating the free space in each data block, and setting that free space to binary zeroes. The exclusion condition applies to any datafiles that you add to this tablespace in the future. When set to FULL, the instance also records reads for read-only tablespaces. The default location for the snapshot control file is platform-specific and depends on the Oracle home of each target database. Encryption is configured for backups of the whole database or at least one tablespace. Conversely, it has no effect on data blocks that are still in their initial loaded state. The default value is given in bytes and is rounded down to the lowest kilobyte value. BACKUP COPIES command to specify how many copies of each backup piece should be created on the specified device type for the specified type of file. Enabling lost write detection is also useful when not using Data Guard. RMAN can duplex backups to either disk or tape, but cannot duplex backups to tape and disk simultaneously.