Backup Cloud RMAN

The key takeaways from the document are that Oracle Database Backup Service (ODBS) allows users to securely store database backups in the Oracle cloud. It provides a scalable, efficient and elastic cloud storage platform for database backups that is immediately accessible for restores without needing to retrieve physical tapes.

Some main benefits of using Oracle Database Backup Service include pay-as-you-go pricing, elastic scalability, reliability, ability to self-provision resources dynamically and pay only for what is used, as well as immediate accessibility of backups for restore without needing to retrieve physical tapes from an offsite location.

Oracle Database Backup Service works by using the Oracle Database Cloud Backup Module along with Recovery Manager (RMAN) to transparently handle backup and restore operations. RMAN backups are sent to the Oracle cloud where they are securely stored in a compressed format for efficient storage. Encryption can also be configured for an additional layer of security.

An Oracle White Paper

January 2015

Oracle Database Backup Service – A Technical White Paper

WHY STORE BACKUPS IN THE CLOUD?
ORACLE DATABASE BACKUP SERVICE OVERVIEW
ORACLE DATABASE CLOUD BACKUP MODULE (ODCBM)
COMPLETE DATA SECURITY
COMPRESSED BACKUPS FOR BETTER PERFORMANCE
SUPPORT MATRIX
BENEFITS OF ORACLE DATABASE BACKUP SERVICE
GETTING STARTED WITH THE ODBS
1. SIGN UP FOR ORACLE DATABASE BACKUP SERVICE & PURCHASE CAPACITY.
2. REGISTER FOR ORACLE TECHNOLOGY NETWORK (OTN) ACCOUNT
3. INSTALL THE ORACLE DATABASE CLOUD BACKUP MODULE
4. EXECUTE THE INSTALLER
5. CONFIGURE RECOVERY MANAGER (RMAN) SETTINGS
6. CONFIGURE ENCRYPTION
7. PERFORM BACKUPS
8. RESTORE & RECOVERY
CLOUD BACKUP BEST PRACTICES
END-TO-END DATA SECURITY
PROTECTION OF THE ENCRYPTION KEY
OPTIMIZING CLOUD BACKUP PERFORMANCE
CONCLUSION
APPENDIX
CONFIGURATION FILES
EXAMPLE TEST RUN
USING PASSWORD ENCRYPTION
USING TRANSPARENT DATA ENCRYPTION

Introduction

Cloud Computing allows users to tap into a virtually unlimited pool of computing and storage
resources over the Internet. Cloud users benefit from utility-like costs, scalability, and reliability,
as well as the ability to self-provision resources dynamically and pay only for what they use.

Enterprises deploy multi-tiered storage architectures to store their production data and
backups to reduce the overall capital and operating expenses for their storage infrastructure.
They also store their data in an offsite location for disaster recovery purposes. They prefer to
store their backup data in a location which is offsite, but at the same time immediately
accessible. For long term archives, and backups, they utilize tape vaulting and store tapes in
an offsite location. Many small and medium businesses that do not have a tape infrastructure
have to deploy some form of virtual tape or disks for storing backups and archives. Cloud-based
storage offers a great alternative to tape with no upfront capital cost, no storage
management, on-demand increase of capacity, and a pay-per-use model.

Oracle Database Backup Service (ODBS) is a new backup-as-a-service offering that enables
customers to store their backups securely in the Oracle cloud. ODBS provides a transparent,
scalable, efficient, and elastic cloud storage platform for Oracle database backups. The
client-side Oracle Database Cloud Backup Module, which is used with Recovery Manager (RMAN),
transparently handles the backup and restore operations. Unlike traditional tape-based offsite
storage, Cloud backups are immediately accessible whenever a restore is required.

The purpose of this document is to provide an overview of Oracle Database Backup Service. For
detailed documentation, refer to https://docs.oracle.com/cloud/latest/dbbackup_gs/.

Why Store Backups in the Cloud?
Good Disaster Recovery (DR) practice requires keeping usable business-critical backups offsite.
Organizations have traditionally implemented this by writing backups to tape and shipping the tapes to
be stored offsite. This is costly and operationally complex, requiring hardware, personnel, and sound
procedures to ensure that the offsite backups are up-to-date, secure, and able to be recalled and used in
the face of disaster. While shipping and secure storage are often outsourced, the IT organization of the
enterprise retains the burden of ensuring the integrity of the backups and procedures.
The pricing and operational characteristics of Cloud Storage make it a very compelling alternative to
shipping tapes offsite. Cloud storage offers pay-as-you-go, elastic self-provisioning, with low prices per
unit storage per unit time, making costs easy to predict, control, and map to the workloads of an
organization’s IT assets. Good Cloud infrastructure offers storage redundancy, security, availability and
scalability with geographic distribution that enables it to absorb a broad range of adverse events
without loss of availability. These characteristics make it an excellent alternative to writing, shipping
and storing tapes in a secure location. Last, but not least, backups are created and updated over the
network, with minimal or no operator involvement – drastically simplifying operational procedures.
Cloud services for storing backups offer business benefits in terms of elasticity in capacity and
operational expenses. They can also simplify your own infrastructure as you no longer need to provide and
manage storage (e.g., tapes that need to be rotated, shipped away, etc.).

Oracle Database Backup Service Overview


ODBS is the cloud storage solution for storing backups of on-premise Oracle databases. It is an object
storage platform that provides elastic on-demand storage capability. Cloud object management and
data transfer complexities are completely transparent to the DBAs and backup administrators as the
backups and restores between the cloud and the on-site databases are handled by the database backup
module.

Figure 1. Oracle Database Backup Service

Refer to the Oracle Public Cloud documentation at http://docs.oracle.com/cloud for more details.

Oracle Database Cloud Backup Module (ODCBM)
ODCBM is the cloud backup module that is installed on the database server. During the install process,
a platform-specific backup module is downloaded and installed. The RMAN environment of the client
database is configured to use the cloud backup module to perform backups to ODBS. Using familiar
RMAN commands, backups and restores are transparently handled by the backup module.

Figure 2. Data Flow for the Client Module

Encrypted and compressed RMAN backup data are transmitted to ODBS using SSL.

Complete Data Security


Data security and privacy are particularly important in shared, publicly accessible environments such as
Storage Clouds. Accordingly, ODCBM enforces mandatory RMAN encryption of the backup data. If
the backup data is not encrypted, users get an error message and the data is not backed up. RMAN
encryption of the backup data before it leaves the database server reduces the risk of theft or
unauthorized access of the data, as the backup data remains encrypted at the source, in transit, and at
rest in the Cloud. RMAN encryption for backups to ODBS does not require licensing the Advanced
Security Option.

Compressed Backups for Better Performance


RMAN backups to ODBS will skip unused and null blocks of the databases. These backups can be
further reduced in size by choosing from RMAN’s rich compression capabilities. When transmitting
backups over low-bandwidth networks, such as the public internet, any reduction in backup size is
directly realized as an increase in backup performance. RMAN compression for backups to ODBS does
not require licensing the Advanced Compression Option.

Support Matrix
The Oracle Database Backup Service support matrix:

Oracle Database [1]        | 10gR2, 11g, 12c (EE, SE, SE1)
Operating Systems (64-bit) | Linux, Solaris x86-64, SPARC, Windows, AIX, HP-UX, zLinux
RMAN Compression [2]       | HIGH, MEDIUM, BASIC, LOW
RMAN Encryption            | Password, TDE, Dual-mode

Benefits of Oracle Database Backup Service


Oracle Database Backup Service’s functionality provides numerous advantages compared to other
offsite storage practices.
• Continuous Accessibility: Backups stored in ODBS are always accessible – much in the same way
local disk backups are. For restores, there is no need to call anyone and no need to ship or load the
tapes. Administrators can initiate restore operations using their standard tools (Enterprise Manager,
RMAN scripts, etc.) just as if the offsite backup was stored locally. This makes restores faster and
reduces downtime from days to hours/minutes compared to cases where tapes must be retrieved
from the offsite storage location.
• High Reliability: Storage Clouds are disk based. ODBS stores data redundantly across multiple
storage nodes for availability and scalability purposes.
• Unlimited Scaling and No Up-front Capital Expense: ODBS provides virtually unlimited
capacity with no up-front capital expenditure. Consequently, users need not worry about
provisioning adequate tapes or local storage to hold the required backup data.
• Easy Provisioning of Test and Dev Environments: As Cloud Backups are accessible from
anywhere via the Internet, the backups can be used to quickly clone databases to create custom test,
development, or QA environments.

[1] Standard Editions require a patch for bug 18339044 (refer to My Oracle Support Doc ID 1640149.1).
[2] Availability of the compression options depends on the database version.

Getting Started with the ODBS
This section explains the overall process to purchase ODBS storage capacity, and how to download
and configure the Oracle Cloud Backup Module to use with your Oracle Database. For more details,
please refer to http://docs.oracle.com/cloud and also the Oracle Database RMAN documentation.
Figure 2 shows the overall flow of operations.

Figure 2. Data Flow for the Client Module

This section outlines the steps involved in the overall ODBS setup.

1. Sign up for Oracle Database Backup Service & Purchase capacity.


From the Oracle Store (or) via the ODBS portal, purchase storage capacity in 1TB blocks either on a
month-to-month basis or for a longer term. The email provided for creating the account will be the
UserID.

After the purchase process, you will receive an email with the procedure to sign up for the account.
During the sign-up process, you can choose the Identity domain, Service Name, and Password. An
example screen shot is provided below:

Refer to http://docs.oracle.com/cloud for the latest and detailed subscription procedure.

2. Register for Oracle Technology Network (OTN) Account


An Oracle.com or OTN account is required to install the Oracle Database Cloud Backup Module. New
accounts may be created for free by visiting the OTN website (http://otn.oracle.com).

3. Install the Oracle Database Cloud Backup Module
Go to the OTN page for downloading the ODCBM installer.

Unzip the installer. It contains opc_install.jar and a README file. Proceed to install the Oracle
Database Cloud Backup Module by executing the installer jar file.
In this section, the following example locations and parameter values are used.

Description | Location / Value

Oracle Database Backup Service Related
ODBS – Account ID | [email protected]
ODBS - Password | myPassword
ODBS – Identity Domain | myDomain
ODBS – Service Name | myService
Local wallet location to store ODBS credentials (-walletDir) | /home/oracle/OPC/wallet

Local Database Related
ORACLE_BASE | /orclbase
ORACLE_HOME | /orclhome
ORACLE_SID | mySID
-libDir | /home/oracle/OPC/lib
Oracle Wallet for RMAN encryption (optional) | $ORACLE_BASE/admin/$ORACLE_SID/wallet

4. Execute the installer


The install tool is then invoked as shown in the following example:
$ java -jar opc_install.jar -serviceName myService -identityDomain myDomain \
    -opcId [email protected] -opcPass myPassword \
    -walletDir /home/oracle/OPC/wallet -libDir /home/oracle/OPC/lib

Oracle Database Cloud Backup Module Install Tool, build 2014-03-13
Oracle Database Cloud Backup Module credentials are valid.
Oracle Database Cloud Backup Module wallet created in directory /home/oracle/OPC/wallet.
Oracle Database Cloud Backup Module initialization file /orclhome/dbs/opcmySID.ora created.
Downloading Oracle Database Cloud Backup Module Software Library from file opc_linux64.zip.
Downloaded 13165919 bytes in 204 seconds. Transfer rate was 64538 bytes/second.
Download complete.
Extracted file /home/oracle/OPC/lib/libopc.so

Example 1: Running the Cloud Backup Install Tool

Example 1 above shows how the tool automatically downloads the platform specific cloud backup
module, creates an Oracle Wallet to securely store the user’s ODBS credentials, and creates the Cloud
backup configuration file. Please refer to the accompanying README for further details.

5. Configure Recovery Manager (RMAN) Settings


During the installation process, the installer creates a configuration file named opc<SID>.ora in the
$ORACLE_HOME/dbs directory. This file contains the ODBS URL to which the backup will be
performed and the location of the wallet which holds the ODCBM credentials.
Using RMAN, configure the SBT device to use the ODBS (SBT) library.

RMAN> configure channel device type sbt parms
'SBT_LIBRARY=/orclhome/lib/libopc.so
ENV=(OPC_PFILE=/orclhome/dbs/opcmySID.ora)';

using target database control file instead of recovery catalog
new RMAN configuration parameters:
CONFIGURE CHANNEL DEVICE TYPE 'SBT_TAPE' PARMS
'SBT_LIBRARY=/orclhome/lib/libopc.so
SBT_PARMS=(OPC_PFILE=/orclhome/dbs/opcmySID.ora)';
new RMAN configuration parameters are successfully stored

Example 2: Configuring RMAN

Once the RMAN configuration is complete, backups to the cloud can be performed. You can use the
same RMAN commands that you regularly use for tape backups. No new commands are required for
using ODCBM.

6. Configure Encryption
ODCBM enforces RMAN backup encryption and will not permit unencrypted backups to be sent to
the Oracle Database Backup Service. If the backup is not encrypted, an error message similar to the
one shown below is returned.

RMAN-03009: failure of backup command on ORA_SBT_TAPE_1 channel at
02/14/2014 14:00:43
ORA-27030: skgfwrt: sbtwrite2 returned error
ORA-19511: non RMAN, but media manager or vendor specific failure,
error text:
KBHS-01602: backup piece 14p0jso8_1_1 is not encrypted

RMAN encrypted backups are securely created, transmitted, and stored in the cloud. Please refer to
the Oracle documentation for more details on the various RMAN encryption methodologies, and
choosing from various encryption algorithms (such as AES128 or AES256). Refer to the Appendix for
examples.

If no Oracle wallet has been configured, you can still perform encrypted backups using password based
encryption.
RMAN> set encryption on identified by "myPassword" only;

Likewise, you have to specify the same password before you perform a restore operation.
RMAN> set decryption identified by "myPassword" only;

7. Perform backups
RMAN supports binary compression of backups. For backing up to ODBS, you can choose from
HIGH, MEDIUM, BASIC, or LOW algorithms. Refer to the Oracle documentation to understand
these options to properly choose the algorithm that best fits your needs.

As an example,
RMAN> configure compression algorithm 'MEDIUM';
RMAN> backup as compressed backupset database plus archivelog;

• Refer to the OTN document “Advanced Compression with Oracle 11g”.


• Refer to the OTN page “Encrypt Database Backups” for details on using the encryption and
compression options together.

Refer to My Oracle Support Doc ID 1640149.1 – Oracle Database Backup Service FAQ at
http://support.oracle.com for more details.

8. Restore & Recovery

Depending on the type of fault and the recovery needed, either the entire database or specific
tablespaces or data files are to be restored and recovered. Similarly, this cloud module also supports the
new capability in Oracle Database 12c to perform Table level recovery using RMAN. If password
based encryption was used during the backup, you must provide the same password during the restore.
Likewise, if TDE mode of backup was performed, then the same encryption key is required during
restore.

All the restore and recovery operations are performed via the RMAN interface.

Cloud Backup Best Practices


End-to-End Data Security
ODCBM enforces that backups are encrypted before being transmitted to the cloud. Encrypting
backups ensures that your data is secured at the source, transmitted securely over SSL, and protected
against unauthorized access in the cloud. Encryption can also be enabled while scheduling backups in
Enterprise Manager.

Protection of the Encryption Key


The Oracle wallet or the password used during the backups needs to be safeguarded. That information
is required at the time of restore. Please refer to the OTN page for more details.

Optimizing Cloud Backup Performance


As Cloud Backups are sent over the public Internet, the backup performance depends on the WAN
network bandwidth. However, by using the right combination of RMAN parallelism and compression,
much higher effective backup rates can be attained.
• Due to public Internet network (WAN) bandwidth constraints, backups to cloud can take
significantly longer compared to backups over LAN.
• Compression helps overcome the network bandwidth limitations. Effective backup rate can
be increased multiple times if compression is used.

• Using parallel streams (RMAN channels) also speeds up Cloud backups.
The following best practices are recommended to optimize the performance of Cloud Backups:
• Use multiple RMAN channels for higher parallelism resulting in full utilization of the network.
• Use multi-section backups. Oracle Database versions 11g and above allow multiple channels
to back up a single file in parallel, increasing parallelism beyond the number of datafiles to be
backed up. For example, the RMAN command to specify backup section size 1 GB is:
BACKUP DEVICE TYPE SBT DATABASE SECTION SIZE 1g;

• Use the compression algorithms available with the Oracle Database 11g Advanced
Compression Option, since these algorithms are usually faster than the default RMAN BASIC
compression. Oracle recommends using MEDIUM compression for cloud backups.
• Use a weekly full and daily incremental backup strategy. This will result in faster backups and
may help save a significant amount of network bandwidth. Use the RMAN Fast Incremental
Backup feature (based on Block Change Tracking) to optimize the performance of your daily
incremental backups.

Refer to My Oracle Support Doc ID 1640149.1 – Oracle Database Backup Service FAQ at
http://support.oracle.com for more details.

Conclusion
The Oracle Database Cloud Module allows customers to use Oracle Database Backup Service as their
offsite backup storage destination. Compared to traditional tape-based offsite storage, Cloud backups
are more accessible, faster to restore under most circumstances, and more reliable, while eliminating
the overheads associated with maintaining off-site backup operations. To top it all, existing RMAN
customers can leverage all the benefits of backing up to the Cloud with minimal changes to their
existing infrastructure.

Appendix
Configuration Files

The following table shows the various files involved in the overall Oracle Database Backup Service
configuration.

File name | Location | Purpose

libopc.so | User specified library location | SBT library which enables backup to Oracle Cloud

opc<SID>.ora | $ORACLE_HOME/dbs | Contains ODBS container URL location for the user and also the ODBS credential wallet location

cwallet.sso | User specified wallet location | Oracle wallet which securely stores ODBS credentials. This is used during RMAN backup and restore operations.

Wallet for encryption (optional – only needed for TDE) | Either $ORACLE_BASE/admin/$ORACLE_SID/wallet (or) set in sqlnet.ora (or) in a user defined location | Oracle wallet for backup encryption.

Example test run
Running the installer:
$ mkdir -p /home/oracle/OPC/wallet
$ mkdir -p /home/oracle/OPC/lib
$ java -jar opc_install.jar -serviceName myService -identityDomain myDomain \
    -opcId [email protected] -opcPass abc123 \
    -walletDir /home/oracle/OPC/wallet -libDir /home/oracle/OPC/lib

Oracle Public Cloud Backup Service Install Tool, build 2014-01-21
Create credential oracle.security.client.connect_string1
Oracle Public Cloud Backup Service wallet created in directory /home/oracle/OPC/wallet.
Oracle Public Cloud Backup Service initialization file /orclhome/dbs/opcsr12.ora created.
Downloading Oracle Public Cloud Backup Service Software Library from file opc_linux64.zip.
Downloaded 22237663 bytes in 0 seconds.
Download complete.

Content of the opc initialization parameter file:

$ cat /orclhome/dbs/opcsr12.ora
OPC_HOST=https://storage.us2.oraclecloud.com/v1/myService-myDomain
OPC_WALLET='LOCATION=file:/home/oracle/OPC/wallet
CREDENTIAL_ALIAS=alias_opc'
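
The parameter file and credential wallet shown above can be checked after installation. The following is an added example, not part of the white paper or of Oracle's tooling: a POSIX shell function that reads an opc<SID>.ora file, confirms OPC_HOST is an https URL, and confirms the wallet directory and cwallet.sso are accessible to the owner only. The function names, the finding texts and the make_sample fixture are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not Oracle's code: audit the opc<SID>.ora file written by
# the installer and the credential wallet directory it points to.

# Permission characters for group and other, e.g. "------" for mode 0700.
group_other_perms() {
    ls -ld "$1" | cut -c5-10
}

# audit_opc_pfile FILE: one finding per line; returns 0 when there are none.
audit_opc_pfile() {
    pfile=$1
    findings=0
    report() { echo "FINDING: $1"; findings=$((findings + 1)); }

    if [ ! -r "$pfile" ]; then
        report "cannot read $pfile"
        return 1
    fi

    # OPC_HOST is the container URL; the paper states transfers use SSL.
    host=$(sed -n 's/^[[:space:]]*OPC_HOST=//p' "$pfile" | head -n 1)
    case $host in
        https://*) ;;
        '') report "OPC_HOST is missing" ;;
        *)  report "OPC_HOST is not an https URL: $host" ;;
    esac

    # OPC_WALLET carries LOCATION=file:<dir>; the value may span two lines.
    wallet=$(sed -n "s/.*LOCATION=file:\([^' ]*\).*/\1/p" "$pfile" | head -n 1)
    if [ -z "$wallet" ]; then
        report "OPC_WALLET has no LOCATION=file: entry"
    elif [ ! -d "$wallet" ]; then
        report "wallet directory does not exist: $wallet"
    else
        # The wallet holds the cloud credentials: owner-only access.
        [ "$(group_other_perms "$wallet")" = "------" ] ||
            report "wallet directory is accessible to group/other: $wallet"
        sso=$wallet/cwallet.sso
        if [ ! -f "$sso" ]; then
            report "cwallet.sso not found in $wallet"
        elif [ "$(group_other_perms "$sso")" != "------" ]; then
            report "cwallet.sso is accessible to group/other: $sso"
        fi
    fi

    # Whoever can edit the pfile can point backups at another container.
    case $(group_other_perms "$pfile") in
        ?w????|????w?) report "$pfile is writable by group/other" ;;
    esac

    [ "$findings" -eq 0 ]
}

# Constructed fixture for a dry run: make_sample DIR URL WALLET_MODE
make_sample() {
    mkdir -p "$1/wallet" && : > "$1/wallet/cwallet.sso"
    chmod "$3" "$1/wallet" && chmod 600 "$1/wallet/cwallet.sso"
    printf "OPC_HOST=%s\nOPC_WALLET='LOCATION=file:%s/wallet\nCREDENTIAL_ALIAS=alias_opc'\n" \
        "$2" "$1" > "$1/opcmySID.ora"
    chmod 600 "$1/opcmySID.ora"
}

# Usage: sh audit_opc.sh $ORACLE_HOME/dbs/opc<SID>.ora
if [ "$#" -gt 0 ]; then audit_opc_pfile "$1"; fi
```
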

The cloud backup module will not allow backups to be performed without encryption.

RMAN> set encryption off;

executing command: SET encryption

RMAN> backup datafile 7;

Starting backup at 14-FEB-14
allocated channel: ORA_SBT_TAPE_1
channel ORA_SBT_TAPE_1: SID=117 device type=SBT_TAPE
channel ORA_SBT_TAPE_1: Oracle Database Backup Service Library
channel ORA_SBT_TAPE_1: starting full datafile backup set
channel ORA_SBT_TAPE_1: specifying datafile(s) in backup set
input datafile file number=00007 name=//orclhome/dbs/tbs_22.f
channel ORA_SBT_TAPE_1: starting piece 1 at 14-FEB-14
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS
RMAN-00571: ===========================================================
RMAN-03009: failure of backup command on ORA_SBT_TAPE_1 channel at
02/14/2014 13:58:45
ORA-27030: skgfwrt: sbtwrite2 returned error
ORA-19511: non RMAN, but media manager or vendor specific failure,
error text:
KBHS-01602: backup piece 12p0jski_1_1 is not encrypted

Using Password Encryption

RMAN> set encryption on identified by "abc123" only;


executing command: SET encryption

RMAN> backup datafile 7;

Starting backup at 14-FEB-14


using channel ORA_SBT_TAPE_1
using channel ORA_SBT_TAPE_2
using channel ORA_SBT_TAPE_3
using channel ORA_SBT_TAPE_4
channel ORA_SBT_TAPE_1: starting full datafile backup set
channel ORA_SBT_TAPE_1: specifying datafile(s) in backup set
input datafile file number=00007 name=//orclhome/dbs/tbs_22.f
channel ORA_SBT_TAPE_1: starting piece 1 at 14-FEB-14
channel ORA_SBT_TAPE_1: finished piece 1 at 14-FEB-14
piece handle=0pp0jrl2_1_1 tag=TAG20140214T134154 comment=API Version
2.0,MMS Version 3.13.10.29
channel ORA_SBT_TAPE_1: backup set complete, elapsed time: 00:00:03
Finished backup at 14-FEB-14

Using Transparent Data Encryption

Create a wallet directory

$ mkdir -p $ORACLE_BASE/admin/$ORACLE_SID/wallet

SQL> alter system set encryption key identified by "abc123";

System altered.

Now, configure the encryption and perform backup.
RMAN> configure encryption for database on;
new RMAN configuration parameters:
CONFIGURE ENCRYPTION FOR DATABASE ON;
new RMAN configuration parameters are successfully stored

RMAN> backup datafile 7;

Starting backup at 14-FEB-14


using channel ORA_SBT_TAPE_1
channel ORA_SBT_TAPE_1: starting full datafile backup set
channel ORA_SBT_TAPE_1: specifying datafile(s) in backup set
input datafile file number=00007 name=//orclhome/dbs/tbs_22.f
channel ORA_SBT_TAPE_1: starting piece 1 at 14-FEB-14
channel ORA_SBT_TAPE_1: finished piece 1 at 14-FEB-14
piece handle=13p0jsn2_1_1 tag=TAG20140214T140002 comment=API Version
2.0,MMS Version 3.13.10.29
channel ORA_SBT_TAPE_1: backup set complete, elapsed time: 00:00:03
Finished backup at 14-FEB-14
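
The two outcomes shown in this appendix, a piece rejected with KBHS-01602 and a piece stored under a piece handle, can be picked out of a saved RMAN session automatically. The following is an added example, not part of the white paper or of Oracle's tooling: a shell function that flags encryption being switched off, a literal password in the session text, and rejected pieces, and lists the pieces that were stored. The sample session is constructed from the message shapes above, and the output labels are assumptions.

```sh
#!/bin/sh
# Added example, not Oracle's code: triage a saved RMAN session or log.

# Constructed sample in the shape of the appendix transcripts.
sample_log() {
cat <<'EOF'
RMAN> set encryption off;
executing command: SET encryption
RMAN> backup datafile 7;
channel ORA_SBT_TAPE_1: starting piece 1 at 14-FEB-14
RMAN-03009: failure of backup command on ORA_SBT_TAPE_1 channel at
02/14/2014 13:58:45
ORA-19511: non RMAN, but media manager or vendor specific failure,
error text:
KBHS-01602: backup piece 12p0jski_1_1 is not encrypted
RMAN> set encryption on identified by "constructed-pw" only;
RMAN> backup datafile 7;
channel ORA_SBT_TAPE_1: finished piece 1 at 14-FEB-14
piece handle=0pp0jrl2_1_1 tag=TAG20140214T134154 comment=API Version
2.0,MMS Version 3.13.10.29
Finished backup at 14-FEB-14
EOF
}

# scan_rman_log [FILE...]: reads the files (or stdin), prints one line per
# observation plus a summary, and returns 1 when any issue was found.
scan_rman_log() {
    awk '
        { line = tolower($0) }
        line ~ /set encryption off/ {
            print "ENCRYPTION_OFF line " NR; issues++
        }
        # A literal password in a saved session or script; never echo it.
        line ~ /identified by "[^"]+"/ {
            print "CLEARTEXT_PASSWORD line " NR; issues++
        }
        # The cloud module refused to store an unencrypted piece.
        /KBHS-01602: backup piece / {
            print "REJECTED_UNENCRYPTED " $4; issues++
        }
        # A piece handle is reported once the piece is stored.
        match($0, /piece handle=[^ ]+/) {
            print "STORED " substr($0, RSTART + 13, RLENGTH - 13); stored++
        }
        END {
            printf "SUMMARY stored=%d issues=%d\n", stored, issues
            exit (issues > 0)
        }
    ' "$@"
}

# With file arguments, scan them; with none, run on the constructed sample.
if [ "$#" -gt 0 ]; then scan_rman_log "$@"; else sample_log | scan_rman_log || :; fi
```
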

Oracle Database Backup Service - TWP
January
Author: Database High Availability

Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
U.S.A.

Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com

Copyright © 2010, Oracle and/or its affiliates. All rights reserved.
This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. UNIX is a registered trademark licensed through X/Open Company, Ltd. 0110
