RMAN Backup and Recovery: Encrypted Backups
Starting with 10gR2, Oracle provides encryption for backups. Encrypting a backup protects the backup files and prevents the security problems that a leaked backup would cause.
Show the encryption algorithms available in the current database:
SQL> select * from v$rman_encryption_algorithms;
ALGORITHM_ID ALGORITHM_NAME ALGORITHM_DESCRIPTION IS_ RES
------------ -------------- --------------------- --- ---
           1 AES128         AES 128-bit key       YES NO
           2 AES192         AES 192-bit key       NO  NO
           3 AES256         AES 256-bit key       NO  NO
RMAN> show encryption algorithm;
using target database control file instead of recovery catalog
RMAN configuration parameters are:
CONFIGURE ENCRYPTION ALGORITHM 'AES128'; # default
Change the encryption algorithm in RMAN:
RMAN> configure encryption algorithm 'AES192';

Password-mode encryption
This mode encrypts a backup set by setting a password when the backup set is created and supplying a decryption password when the backup set is used. It is suited to backup sets that are transferred to other storage.
Set the backup password:
RMAN> set encryption on identified by 'oracle' only;
executing command: SET encryption
RMAN> run {
2> allocate channel c1 type disk format '/u01/rman_dest/rman_users_%p_%M-%D_%t.bak';
3> backup tablespace users channel c1;
4> release channel c1;
5> }
SQL> select file#,name from v$datafile;
     FILE# NAME
---------- --------------------------------------------------
         1 /u01/app/oracle/oradata/orcl_dup/system01.dbf
         3 /u01/app/oracle/oradata/orcl_dup/sysaux01.dbf
         4 /u01/app/oracle/oradata/orcl_dup/users01.dbf
         5 /u01/app/oracle/oradata/orcl_dup/example01.dbf
         6 /u01/app/oracle/oradata/orcl_dup/tts01.dbf
         7 /u01/app/oracle/oradata/orcl_dup/tts02.dbf
         8 /u01/app/oracle/oradata/orcl_dup/undotbs001.dbf
Simulate damage for the test:
[oracle@node1 ~]$ rm -rf /u01/app/oracle/oradata/orcl_dup/users01.dbf
RMAN> shutdown abort;
using target database control file instead of recovery catalog
Oracle instance shut down
RMAN> startup mount;
connected to target database (not started)
Oracle instance started
database mounted
Total System Global Area     167772160 bytes
Fixed Size                     1218316 bytes
Variable Size                 88082676 bytes
Database Buffers              75497472 bytes
Redo Buffers                   2973696 bytes
Restoring the data file at this point fails with a "wallet is not open" error:
RMAN> restore datafile 4;
Starting restore at 09-JUL-14
allocated channel: ORA_DISK_1
channel ORA_DISK_1: sid=157 devtype=DISK
channel ORA_DISK_1: starting datafile backupset restore
channel ORA_DISK_1: specifying datafile(s) to restore from backup set
restoring datafile 00004 to /u01/app/oracle/oradata/orcl_dup/users01.dbf
channel ORA_DISK_1: reading from backup piece /u01/rman_dest/rman_users_1_07-09_85246.bak
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03002: failure of restore command at 07/09/11:05:00
ORA-19870: error reading backup piece /u01/rman_dest/rman_users_1_07-09_85246.bak
ORA-19913: unable to decrypt backup
ORA-28365: wallet is not open
Specify the decryption password:
RMAN> set decryption identified by 'oracle';
executing command: SET decryption
RMAN> restore datafile 4;
Starting restore at 09-JUL-14
using channel ORA_DISK_1
channel ORA_DISK_1: starting datafile backupset restore
channel ORA_DISK_1: specifying datafile(s) to restore from backup set
restoring datafile 00004 to /u01/app/oracle/oradata/orcl_dup/users01.dbf
channel ORA_DISK_1: reading from backup piece /u01/rman_dest/rman_users_1_07-09_85246.bak
channel ORA_DISK_1: restored backup piece 1
piece handle=/u01/rman_dest/rman_users_1_07-09_85246.bak tag=TAG0709T110003
channel ORA_DISK_1: restore complete, elapsed time: 00:00:25
Finished restore at 09-JUL-14
RMAN> recover datafile 4;
Starting recover at 09-JUL-14
using channel ORA_DISK_1
starting media recovery
media recovery complete, elapsed time: 00:00:03
Finished recover at 09-JUL-14
RMAN> alter database open;
database opened

Transparent mode
This mode secures local backup sets through a locally configured wallet. It is suited to maintaining the security of backups that are kept locally.
Basic configuration of the Oracle Encryption Wallet:
Specify the wallet location in SQLNET.ORA:
[oracle@node1 ~]$ cd $ORACLE_HOME/network/admin
[oracle@node1 admin]$ vi sqlnet.ora
Set the wallet location:
ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/u01/wallet)))
[oracle@node1 admin]$ mkdir -p /u01/wallet
Create the wallet as the SYS user:
SQL> alter system set encryption key authenticated by "oracle";
System altered.
SQL> !ls /u01/wallet
ewallet.p12
How to open and close the wallet:
SQL> alter system set encryption wallet open identified by "oracle";
System altered.
SQL> alter system set encryption wallet close;
System altered.
RMAN> configure encryption for database on;
new RMAN configuration parameters:
CONFIGURE ENCRYPTION FOR DATABASE ON;
new RMAN configuration parameters are successfully stored
RMAN> set encryption on;
executing command: SET encryption
If the wallet is closed at this point, backing up the database fails with the following error:
RMAN> backup database format '/u01/rman_dest/orcl_whole_back_%p_%M-%D_%t.bak';
Starting backup at 09-JUL-14
using channel ORA_DISK_1
channel ORA_DISK_1: starting full datafile backupset
channel ORA_DISK_1: specifying datafile(s) in backupset
input datafile fno=00001 name=/u01/app/oracle/oradata/orcl_dup/system01.dbf
input datafile fno=00003 name=/u01/app/oracle/oradata/orcl_dup/sysaux01.dbf
input datafile fno=00004 name=/u01/app/oracle/oradata/orcl_dup/users01.dbf
input datafile fno=00005 name=/u01/app/oracle/oradata/orcl_dup/example01.dbf
input datafile fno=00008 name=/u01/app/oracle/oradata/orcl_dup/undotbs001.dbf
input datafile fno=00006 name=/u01/app/oracle/oradata/orcl_dup/tts01.dbf
input datafile fno=00007 name=/u01/app/oracle/oradata/orcl_dup/tts02.dbf
channel ORA_DISK_1: starting piece 1 at 09-JUL-14
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03009: failure of backup command on ORA_DISK_1 channel at 07/09/15:49:07
ORA-19914: unable to encrypt backup
ORA-28365: wallet is not open
Open the wallet and run the backup again:
SQL> alter system set encryption wallet open identified by "oracle";
System altered.
RMAN> backup database format '/u01/rman_dest/orcl_whole_back_%p_%M-%D_%t.bak';
input datafile fno=00001 name=/u01/app/oracle/oradata/orcl_dup/system01.dbf
input datafile fno=00003 name=/u01/app/oracle/oradata/orcl_dup/sysaux01.dbf
input datafile fno=00004 name=/u01/app/oracle/oradata/orcl_dup/users01.dbf
input datafile fno=00005 name=/u01/app/oracle/oradata/orcl_dup/example01.dbf
input datafile fno=00008 name=/u01/app/oracle/oradata/orcl_dup/undotbs001.dbf
input datafile fno=00006 name=/u01/app/oracle/oradata/orcl_dup/tts01.dbf
input datafile fno=00007 name=/u01/app/oracle/oradata/orcl_dup/tts02.dbf
channel ORA_DISK_1: starting piece 1 at 09-JUL-14
channel ORA_DISK_1: finished piece 1 at 09-JUL-14
piece handle=/u01/rman_dest/orcl_whole_back_1_07-09_852479639.bak tag=TAG0709T155359 comment=NONE
channel ORA_DISK_1: backup set complete, elapsed time: 00:02:25
Finished backup at 09-JUL-14
Starting Control File and SPFILE Autobackup at 09-JUL-14
piece handle=/u01/FRA/orcl_dup/ORCL_DUP/autobackup/_07_09/o1_mf_s_852479786_9vsxforn_.bkp comment=NONE
Finished Control File and SPFILE Autobackup at 09-JUL-14
If the wallet is closed at this point, RMAN likewise cannot restore the database:
SQL> alter system set encryption wallet close;
RMAN> restore database;
Starting restore at 09-JUL-14
using channel ORA_DISK_1
channel ORA_DISK_1: starting datafile backupset restore
channel ORA_DISK_1: specifying datafile(s) to restore from backup set
restoring datafile 00001 to /u01/app/oracle/oradata/orcl_dup/system01.dbf
restoring datafile 00003 to /u01/app/oracle/oradata/orcl_dup/sysaux01.dbf
restoring datafile 00004 to /u01/app/oracle/oradata/orcl_dup/users01.dbf
restoring datafile 00005 to /u01/app/oracle/oradata/orcl_dup/example01.dbf
restoring datafile 00006 to /u01/app/oracle/oradata/orcl_dup/tts01.dbf
restoring datafile 00007 to /u01/app/oracle/oradata/orcl_dup/tts02.dbf
restoring datafile 00008 to /u01/app/oracle/oradata/orcl_dup/undotbs001.dbf
channel ORA_DISK_1: reading from backup piece /u01/rman_dest/orcl_whole_back_1_07-09_852479639.bak
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03002: failure of restore command at 07/09/16:21:43
ORA-19870: error reading backup piece /u01/rman_dest/orcl_whole_back_1_07-09_852479639.bak
ORA-19913: unable to decrypt backup
ORA-28365: wallet is not open
Open the wallet again and the restore proceeds normally:
SQL> alter system set encryption wallet open identified by "oracle";
System altered.
RMAN> restore database;
Starting restore at 09-JUL-14
using channel ORA_DISK_1
channel ORA_DISK_1: starting datafile backupset restore
channel ORA_DISK_1: specifying datafile(s) to restore from backup set
restoring datafile 00001 to /u01/app/oracle/oradata/orcl_dup/system01.dbf
restoring datafile 00003 to /u01/app/oracle/oradata/orcl_dup/sysaux01.dbf
restoring datafile 00004 to /u01/app/oracle/oradata/orcl_dup/users01.dbf
restoring datafile 00005 to /u01/app/oracle/oradata/orcl_dup/example01.dbf
restoring datafile 00006 to /u01/app/oracle/oradata/orcl_dup/tts01.dbf
restoring datafile 00007 to /u01/app/oracle/oradata/orcl_dup/tts02.dbf
restoring datafile 00008 to /u01/app/oracle/oradata/orcl_dup/undotbs001.dbf
channel ORA_DISK_1: reading from backup piece /u01/rman_dest/orcl_whole_back_1_07-09_852479639.bak
channel ORA_DISK_1: restored backup piece 1
piece handle=/u01/rman_dest/orcl_whole_back_1_07-09_852479639.bak tag=TAG0709T155359
channel ORA_DISK_1: restore complete, elapsed time: 00:02:08
Finished restore at 09-JUL-14
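
In transparent mode the wallet file is the only thing standing between the backup pieces and their plaintext, so the directory set in ENCRYPTION_WALLET_LOCATION deserves a check of its own. The script below is an added example, not part of the original article; the function name audit_wallet and its finding labels are made up for illustration, and it assumes GNU stat on Linux.

```shell
#!/usr/bin/env bash
# Added example: audit the directory named in ENCRYPTION_WALLET_LOCATION.
# Assumes GNU stat (Linux); both paths are supplied by the caller.

# audit_wallet WALLET_DIR BACKUP_DIR
# Prints one finding per line and returns the number of findings.
audit_wallet() {
  [ $# -eq 2 ] || { echo "usage: audit_wallet WALLET_DIR BACKUP_DIR"; return 64; }
  local wallet_dir="${1%/}" backup_dir="${2%/}" n=0 p mode
  local wallet_file="$wallet_dir/ewallet.p12"

  if [ ! -f "$wallet_file" ]; then
    # Without the master key, transparently encrypted backups cannot be decrypted.
    echo "MISSING: $wallet_file"
    n=$((n + 1))
  fi

  # The wallet holds the key: only its owner should be able to reach it.
  for p in "$wallet_dir" "$wallet_file"; do
    [ -e "$p" ] || continue
    mode=$(stat -c '%a' "$p")
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
      echo "PERMS: $p has mode $mode (group/other access)"
      n=$((n + 1))
    fi
  done

  # A wallet stored inside the backup destination travels with the backups.
  case "$wallet_dir/" in
    "$backup_dir"/*)
      echo "LOCATION: wallet is inside backup destination $backup_dir"
      n=$((n + 1)) ;;
  esac

  return "$n"
}

# Usage with the paths from this article:
#   audit_wallet /u01/wallet /u01/rman_dest
```

A directory created with a plain mkdir -p, as above, usually inherits a umask that leaves group and other access in place, which this check reports.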

Mixed mode
In mixed mode, a backup is taken with both password encryption and transparent encryption enabled. Locally, transparent mode is used; when restoring at another site, the password is used.
To enable it, omit the trailing only when setting the encryption password:
RMAN> set encryption on identified by "oracle";
executing command: SET encryption
SQL> alter system set encryption wallet open identified by "oracle";
System altered.
Take a backup in mixed mode:
RMAN> backup database format '/u01/rman_dest/orcl_whole_back_%p_%M-%D_%t.bak';
Starting backup at 09-JUL-14
allocated channel: ORA_DISK_1
channel ORA_DISK_1: sid=149 devtype=DISK
channel ORA_DISK_1: starting full datafile backupset
channel ORA_DISK_1: specifying datafile(s) in backupset
input datafile fno=00001 name=/u01/app/oracle/oradata/orcl_dup/system01.dbf
input datafile fno=00003 name=/u01/app/oracle/oradata/orcl_dup/sysaux01.dbf
input datafile fno=00004 name=/u01/app/oracle/oradata/orcl_dup/users01.dbf
input datafile fno=00005 name=/u01/app/oracle/oradata/orcl_dup/example01.dbf
input datafile fno=00008 name=/u01/app/oracle/oradata/orcl_dup/undotbs001.dbf
input datafile fno=00006 name=/u01/app/oracle/oradata/orcl_dup/tts01.dbf
input datafile fno=00007 name=/u01/app/oracle/oradata/orcl_dup/tts02.dbf
channel ORA_DISK_1: starting piece 1 at 09-JUL-14
channel ORA_DISK_1: finished piece 1 at 09-JUL-14
piece handle=/u01/rman_dest/orcl_whole_back_1_07-09_852482195.bak tag=TAG0709T163635 comment=NONE
channel ORA_DISK_1: backup set complete, elapsed time: 00:01:36
Finished backup at 09-JUL-14
Starting Control File and SPFILE Autobackup at 09-JUL-14
piece handle=/u01/FRA/orcl_dup/ORCL_DUP/autobackup/_07_09/o1_mf_s_852482292_9vszvopx_.bkp comment=NONE
Finished Control File and SPFILE Autobackup at 09-JUL-14
Start the database in mount mode for the test:
RMAN> shutdown immediate;
database closed
database dismounted
Oracle instance shut down
RMAN> startup mount
connected to target database (not started)
Oracle instance started
database mounted
The database cannot be restored directly at this point:
RMAN> restore database;
Starting restore at 09-JUL-14
allocated channel: ORA_DISK_1
channel ORA_DISK_1: sid=157 devtype=DISK
channel ORA_DISK_1: starting datafile backupset restore
channel ORA_DISK_1: specifying datafile(s) to restore from backup set
restoring datafile 00001 to /u01/app/oracle/oradata/orcl_dup/system01.dbf
restoring datafile 00003 to /u01/app/oracle/oradata/orcl_dup/sysaux01.dbf
restoring datafile 00004 to /u01/app/oracle/oradata/orcl_dup/users01.dbf
restoring datafile 00005 to /u01/app/oracle/oradata/orcl_dup/example01.dbf
restoring datafile 00006 to /u01/app/oracle/oradata/orcl_dup/tts01.dbf
restoring datafile 00007 to /u01/app/oracle/oradata/orcl_dup/tts02.dbf
restoring datafile 00008 to /u01/app/oracle/oradata/orcl_dup/undotbs001.dbf
channel ORA_DISK_1: reading from backup piece /u01/rman_dest/orcl_whole_back_1_07-09_852482195.bak
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03002: failure of restore command at 07/09/16:41:05
ORA-19870: error reading backup piece /u01/rman_dest/orcl_whole_back_1_07-09_852482195.bak
ORA-19913: unable to decrypt backup
ORA-28365: wallet is not open
At this point, either opening the database wallet or setting the decryption password allows the restore to proceed:
RMAN> set decryption identified by 'oracle';
executing command: SET decryption
or
SQL> alter system set encryption wallet open identified by "oracle";
System altered.
RMAN> restore database;
Starting restore at 09-JUL-14
using channel ORA_DISK_1
channel ORA_DISK_1: starting datafile backupset restore
channel ORA_DISK_1: specifying datafile(s) to restore from backup set
restoring datafile 00001 to /u01/app/oracle/oradata/orcl_dup/system01.dbf
restoring datafile 00003 to /u01/app/oracle/oradata/orcl_dup/sysaux01.dbf
restoring datafile 00004 to /u01/app/oracle/oradata/orcl_dup/users01.dbf
restoring datafile 00005 to /u01/app/oracle/oradata/orcl_dup/example01.dbf
restoring datafile 00006 to /u01/app/oracle/oradata/orcl_dup/tts01.dbf
restoring datafile 00007 to /u01/app/oracle/oradata/orcl_dup/tts02.dbf
restoring datafile 00008 to /u01/app/oracle/oradata/orcl_dup/undotbs001.dbf
channel ORA_DISK_1: reading from backup piece /u01/rman_dest/orcl_whole_back_1_07-09_852482195.bak
channel ORA_DISK_1: restored backup piece 1
piece handle=/u01/rman_dest/orcl_whole_back_1_07-09_852482195.bak tag=TAG0709T163635
channel ORA_DISK_1: restore complete, elapsed time: 00:01:46
Finished restore at 09-JUL-14
RMAN> recover database;
Everything is normal; open the database:
RMAN> alter database open;
database opened
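
All three modes fail with the same ORA-28365 "wallet is not open" stack, including the password-only restore where no wallet was ever involved, so the message alone does not say which fix applies. The script below is an added example, not part of the original article: it pulls the encryption-related failures out of an RMAN log and tags each with the fixes the article uses. The function names, the hint tokens and the embedded sample log (constructed from the error stacks shown above) are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example: list encryption-related failures in an RMAN log.
# Output, one line per failed command: operation|backup piece|ORA codes|hint

rman_crypto_failures() {
  awk '
    function emit() {
      if (active && codes != "") {
        hint = "-"
        if (codes ~ /ORA-28365/)
          hint = (op == "restore") ? "open-wallet-or-set-decryption" : "open-wallet"
        print op "|" piece "|" codes "|" hint
      }
      active = 0
    }
    /^RMAN-0300[29]: failure of/ {                  # a command failed
      emit(); op = $4; piece = "-"; codes = ""; active = 1; next
    }
    active && /^ORA-19870:/ { piece = $NF; next }   # piece being read
    active && /^ORA-(19913|19914|28365):/ {         # encryption errors
      code = substr($1, 1, length($1) - 1)
      codes = (codes == "" ? code : codes "," code); next
    }
    active && !/^ORA-/ { emit() }                   # error stack ended
    END { emit() }
  ' "$@"
}

# Constructed sample: the two kinds of error stack shown in this article.
sample_rman_log() {
  cat <<'EOF'
Starting restore at 09-JUL-14
RMAN-00571: ===========================================================
RMAN-03002: failure of restore command at 07/09/11:05:00
ORA-19870: error reading backup piece /u01/rman_dest/rman_users_1_07-09_85246.bak
ORA-19913: unable to decrypt backup
ORA-28365: wallet is not open
Starting backup at 09-JUL-14
RMAN-03009: failure of backup command on ORA_DISK_1 channel at 07/09/15:49:07
ORA-19914: unable to encrypt backup
ORA-28365: wallet is not open
EOF
}

sample_rman_log | rman_crypto_failures
```

Pass a log file as the argument to scan real output, for example one written with RMAN's log= option.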