
OSB User Access Management

Learning Objectives

After completing this topic, you should be able to

recognize how to manage OSB users

recognize the OS permissions for an OSB user

recognize how to preauthorize OSB users

1. User access control for OSB users


Oracle Secure Backup or OSB maintains its own catalog of OSB users and their rights on
the administrative server. This is in addition to the database access control and the OS
access control. By storing the OSB access control information on the administrative server,
OSB maintains a consistent user identity across the administrative domain.

A set of rights is grouped into a class, which can be assigned to multiple users. However,
each user is a member of exactly one class. An OSB user is different from an Oracle
schema user as well as an OS user.
You can assign OSB usernames and passwords that are identical to or different from
those of existing OS users. Each OSB user is associated with a single UNIX account and
a single Windows account.
These UNIX and Windows accounts are used when some component of OSB must
assume a UNIX or Windows identity when running on behalf of a given OSB user. To
configure OSB users, you must belong to a class with the modify administrative domains
configuration right.

Note

You might find it convenient to name OSB users like their OS user identity.
OSB comes with five predefined classes:
admin
The admin class is used for the overall administration of a domain. This class has all the
rights and privileges needed to modify domain configurations and perform backup and
restore operations.
operator
The operator class is used for standard day-to-day operations. This class lacks
configuration privileges but has all the rights needed for backup and restore operations as
well as for viewing and managing devices.
user
The user class is assigned to specific users, giving them permission to interact in a limited
way with their domains. This class is reserved for users who need to browse their own
data within the OSB catalog and perform user-based restore operations.
oracle
The oracle class is similar to the operator class. This class has specific privileges to
modify the Oracle Database configuration settings. This class also has privileges to
perform Oracle Database backups and restore operations.
reader
Assigning the reader class to users enables them to view the OSB catalog data. Readers
are permitted only to modify the given name and password for their OSB user accounts.
You can also use the mkclass command to define your own OSB user class when none of
the predefined classes matches the least set of rights a role actually needs.

Question
When managing user access control, which predefined class is used for day-to-day operations?
Options:
1. admin
2. operator
3. user
4. oracle

Answer
Option 1: This option is incorrect. The admin class is used for the overall
administration of a domain. The admin class has all the rights and privileges
needed to modify domain configurations and perform backup and restore
operations.
Option 2: This option is correct. The operator class is used for standard day-to-day
operations. The operator class lacks configuration privileges but has all the
rights needed for backup and restore operations as well as viewing and managing
devices.
Option 3: This option is incorrect. The user class is assigned to specific users,
giving them permission to interact in a limited way with their domains. This class is
reserved for users who need to browse their own data within the OSB catalog and
perform user-based restore operations.
Option 4: This option is incorrect. The oracle class is similar to the operator
class, with specific privileges to modify Oracle Database configuration settings, as
well as to perform Oracle Database backups and restore operations.
Correct answer(s):
2. operator
Each of the predefined classes defines a set of rights or access privileges.
The browse backup catalogs with this access right can be set to one of five values:
privileged
Users with the privileged option can browse all directories.
notdenied
A user with the notdenied option can browse any directory for which they are not explicitly
denied access. This option differs from the permitted option in that it allows access to a
directory having no stat record stored in the catalog.
permitted
With the permitted option, users can browse a directory to which, based on OS file
ownership and protection, they have read rights.
named
The named option enables users to browse a directory if the UNIX user defined in the OSB
identity is listed as the owner of the directory, or the UNIX group defined in the OSB
identity matches the group of the directory. If the UNIX user defined in the OSB identity
has read rights for the directory, but is not the UNIX owner or a member of the UNIX group
associated with the directory, then the user is not able to browse the directory.
none
Users with the none option have no rights to browse any directory.
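The following Python model, added here as an example and not code from OSB or from this course, evaluates the five browse values against the stat record the catalog holds for a directory, using the OSB user's UNIX name and group as the identity. The OsbIdentity and DirStat records, the function names and the sample directories are assumptions made for illustration; the real catalog format is not shown on this page.

```python
"""Evaluate the five values of the OSB "browse backup catalogs with this access" right.

Added example; not OSB code. OsbIdentity, DirStat, the function names and the
sample directories are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class OsbIdentity:
    unix_name: str     # UNIX name attribute of the OSB user
    unix_group: str    # UNIX group attribute of the OSB user


@dataclass(frozen=True)
class DirStat:
    """Stat record the catalog holds for a backed-up directory (assumed shape)."""
    owner: str
    group: str
    mode: int          # POSIX permission bits, e.g. 0o750


def has_os_read(stat: DirStat, ident: OsbIdentity) -> bool:
    """Read access as the OS would grant it from the owner, group or other bits."""
    if ident.unix_name == stat.owner:
        return bool(stat.mode & 0o400)
    if ident.unix_group == stat.group:
        return bool(stat.mode & 0o040)
    return bool(stat.mode & 0o004)


def can_browse(option: str, ident: OsbIdentity, stat: Optional[DirStat]) -> bool:
    """stat is None when the catalog has no stat record for the directory."""
    if option == "privileged":
        return True                              # every directory
    if option == "none":
        return False                             # no directory at all
    if option == "notdenied":
        # Nothing explicitly denies a directory with no stat record, so allow it;
        # when a record exists, fall back to OS read permission.
        return True if stat is None else has_os_read(stat, ident)
    if option == "permitted":
        # A stat record that grants read permission is required.
        return stat is not None and has_os_read(stat, ident)
    if option == "named":
        # Ownership only: read permission through the "other" bits does not count.
        return stat is not None and (ident.unix_name == stat.owner
                                     or ident.unix_group == stat.group)
    raise ValueError(f"unknown browse option: {option}")


def browse_demo() -> Dict[str, Tuple[bool, ...]]:
    """Each value evaluated against four constructed directories: the user's own
    home, a group-shared directory, a world-readable directory owned by someone
    else, and a directory with no stat record."""
    ident = OsbIdentity("jdoe", "sysadmin")
    samples = (DirStat("jdoe", "staff", 0o700),
               DirStat("root", "sysadmin", 0o750),
               DirStat("root", "wheel", 0o755),
               None)
    return {opt: tuple(can_browse(opt, ident, d) for d in samples)
            for opt in ("privileged", "notdenied", "permitted", "named", "none")}
```

The third and fourth sample directories are where the values diverge: the world-readable directory is browsable under permitted but not under named, and the directory without a stat record is browsable under notdenied but not under permitted.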

Some of the other rights are
display administrative domains configuration
The display administrative domains configuration right allows the class member to list
objects (for example, hosts, devices, and users) in the administrative domain.
modify own name and password
The modify own name and password right allows the class member to modify certain
attributes for their own user objects (password and given name).
modify administrative domains configuration
The modify administrative domains configuration right allows the class member to edit
(create, modify, rename, and remove) all configuration data in an OSB administrative
domain. These include classes, users, hosts, devices, defaults and policies, schedules,
datasets, media families, summaries, and backup windows.
perform backups as self
The perform backups as self right allows the class member to back up only those files and
directories to which the member has access (using either the UNIX user and group names or
the Windows domain account associated with the OSB user).
perform backups as privileged user
The perform backups as privileged user right allows the class member to back up files and
directories while acting as a privileged user (root on UNIX and as a member of the
Administrators group on Windows).
list any jobs owned by user
The list any jobs owned by user right enables the class member to view the status of
scheduled, ongoing, and completed jobs that they create. The class member can also view
transcripts for jobs that they create.
Additional rights are
modify any jobs owned by user
The modify any jobs owned by user right allows the class member to modify only jobs that
the member configured.

perform restores as self


The perform restores as self right allows class members to restore the contents of backup
images under the restrictions of the access rights imposed by the users UNIX name or
group, or the Windows domain and account.
perform restores as privileged user
The perform restores as privileged user right allows the class member to recover the
contents of backup images as a privileged user (root on UNIX and as a member of the
Administrators group on Windows).
receive email requesting operator assistance
The receive email requesting operator assistance right allows the class member to receive
email messages when OSB requires manual intervention. Occasionally, during backup and
restore operations, your assistance may be required, for example, if a new tape is
required to continue a backup. In such cases, email messages are sent to all users who
belong to classes that have this right.
receive email describing internal errors
The receive email describing internal errors right allows the class member to receive email
messages describing errors that occurred in any OSB activity.
query and display information about devices
The query and display information about devices right allows the class member to query
the state of all storage devices configured within the administrative domain.
manage devices and change device state
The manage devices and change device state right allows a class member to control the
state of devices.
A few more rights are
list any job, regardless of its owner
The list any job, regardless of its owner right allows the class member to view the status of
any scheduled, ongoing, and completed jobs. The right also enables the class member to
view the transcripts for any job.
modify job, regardless of its owner
The modify job, regardless of its owner right permits the class member to make changes to
any job.
perform Oracle backups and restores
The perform Oracle backups and restores right allows the class member to back up and
restore Oracle Databases. Users with this right are OSB users that are mapped to the OS
accounts under which the Oracle Database software was installed and runs.
access Oracle backups
The access Oracle backups right specifies the type of access to Oracle Database backups
made through the System Backup to Tape, abbreviated as SBT, interface.
A class member can use the access Oracle backups right with one of four values:
owner indicates that the user can access only SBT backups created by the user
class indicates that the user can access SBT backups created by any OSB user in the same
class
all indicates that the user can access all SBT backups, and
none indicates that the user has no access to SBT backups

SBT requests will be honored only if the OS account making the request is mapped to an
OSB user who has the Oracle database backup/restore right. In addition to this, SBT
restore, query, and remove requests will be honored only if the OS account making the
request is mapped to an OSB user whose Access Oracle backups right allows access to
the piece requested.
To configure one or more OSB users, perform the following steps:

Graphic
The Web tool Home page is opened.
1. From the Web tool Home page, click the Configure tab in the menu bar. In the Configure page,
click Users under the Basic section.
2. The Configure: Users page appears. Click the Add button to add a new user.
The Configure: Users > New Users page appears. Enter a username in the User field.
Formally, it is unrelated to any other name used in your computing environment or the
OSB administrative domain. Practically, you might find it convenient to choose OSB
usernames that are identical to users' Windows or UNIX names.
Then enter a password for the user in the Password field. This password is used to log in
to OSB. Oracle Corporation does not recommend supplying a password in clear text on a
command line or in a command script: it is a security vulnerability, because the password
is then exposed in process listings, shell history, and script files. The recommended
procedure is to prompt the user for the password.
Select a class from the User class drop-down list. Optionally, enter a given name in the
Given name field. This name is for information purposes only.

Graphic

In this example, the username entered is oracle.


Remaining steps performed to configure one or more OSB users are the following:
1. Enter a UNIX name for this account in the UNIX name field. This name forms the identity of any
nonprivileged jobs run by the user on UNIX systems. If this OSB user will not or is not permitted
to run OSB jobs on UNIX systems, you can leave this field blank.
2. Enter a UNIX group name for this account in the UNIX group field. Together with the UNIX name, this
group forms the identity of any nonprivileged jobs run by the user on UNIX systems.
3. In the NDMP server user drop-down list, select yes if you want OSB's NDMP server to accept a login
from this user using the username and password you have supplied. This is not required for normal OSB
operation and is typically set to no.
4. Enter the email address for the user in the Email address field. When OSB wants to communicate with
this user, such as to deliver a summary report or notify the user of a pending input request, it does so by
sending an email to this address.

Note
OSB creates the admin user when a new administrative domain is initialized. You
cannot remove the admin user.
Finally, click Apply to add the user account and remain on this page, click OK to add the
user account and return to the Users page, or click Cancel to abandon the operation and
move back one page.
The user account oracle appears in the User field on the Configure: Users > oracle page.
A message appears in the Status box informing you that the user was successfully
added.

Graphic
In addition, the message Success: user oracle created appears at the top of
the page.

2. OS permissions and preauthorization


When writing backup data to tape, you must log in to Oracle Secure Backup or OSB. You
can log in explicitly or transparently by using preauthorization. OSB then uses the class
and rights assigned to the OSB user (osbuser1 in the example that follows) to determine
whether or not the requested action is allowed.

In this example, the osbuser1 user can only back up and restore data accessible by the
jdoe UNIX user and the sysadmin UNIX group. The UNIX name and group are the
identity under which an unprivileged backup operation is performed.

Graphic
In the example provided, the user is logging in explicitly with the username
osbuser1.
When an OSB user makes an unprivileged backup or restore of a host, the host is
accessed by means of an OS identity:

If a UNIX or Linux host is backed up or restored, then OSB uses the UNIX username and group
values for the OS identity.

If a Windows host is backed up or restored, then OSB uses the first triplet (domain, account,
password) that allows access to the host.
The OS user that is used to access the files being backed up depends upon the type of
backup operation:
scheduled job
If you create a scheduled job, the backup runs in the OS namespace associated with the
OSB admin user, which is typically root on UNIX-like systems or LocalSystem on
Windows systems.
unprivileged on-demand and RMAN backups
If you perform an on-demand backup, the OS namespace associated with the OSB user of
the current session is used, unless you specify that the backup should run as a privileged
operation. Backup and restore requests submitted through the RMAN interface are treated
as on-demand jobs.
privileged backup
A backup that runs in privileged mode runs under the root OS identity. On Windows
systems, the backup runs under the same account as the OSB service on the Windows
client.

Question
You have created a scheduled backup job on a Windows system. Which users
would you expect the backup to run under?
Options:
1. LocalSystem
2. root
3. The same account as the OSB service
4. admin

Answer
Option 1: This option is correct. If you create a scheduled job, the backup runs in
the OS namespace associated with the OSB admin user, which is typically root
on UNIX-like systems or LocalSystem on Windows systems.
Option 2: This option is incorrect. If you created a scheduled job on a UNIX-like
system, the job would run under the root user.
Option 3: This option is incorrect. It is a privileged backup on a Windows system,
not a scheduled job, that runs under the same account as the OSB service on the
Windows client.
Option 4: This option is correct. If you create a scheduled job, the backup runs in
the OS namespace associated with the OSB admin user, which is typically
LocalSystem on Windows systems.
Correct answer(s):
1. LocalSystem
4. admin
You can preauthorize OSB users for the use of the obtool command line (cmdline),
RMAN, or both. For example, the jdoe OS user can be preauthorized to use OSB as the
osbuser1 OSB user, without having to supply an OSB username or password.
Preauthorization for file-system backups is primarily used to avoid logging in to OSB
when running custom scripts. Without cmdline preauthorization, the script would fail,
because access to OSB is not granted without user login.
RMAN preauthorization is required to successfully back up or restore Oracle Database.
Oracle Database backups are invoked from RMAN or Enterprise Manager.

Graphic
In this example, the RMAN script used is the following:
run {
  allocate channel oem_sbt_backup1 type 'SBT_TAPE' format '%U';
}
When OSB receives communication from RMAN (through SBT), OSB verifies that the
OSB user meets three requirements or criteria:
1. RMAN preauthorization on that host
2. a match between the OS user making the request and the OS user identity of the Oracle
instance associated with the database (for example, oracle), and
3. assignment to a class with rights to back up or restore Oracle Database

Note
If these three criteria are not successfully met, OSB does not perform the RMAN
backup or restore requests.
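The following Python model, added here as an example and not code from OSB or from this course, joins the three criteria above with the access Oracle backups values described earlier in this topic (owner, class, all, none) to decide whether an SBT backup, restore, query or remove request is honored. The data structures, the class and user names, the preauthorization table and the sample domain are assumptions made for illustration.

```python
"""Decide whether OSB honors an SBT request from RMAN.

Added example; not OSB code. Criteria 1 and 2 are modelled as a lookup of the
(host, OS user) pair in the OSB user's rman preauthorizations; criterion 3 and
the per-piece check use the class rights. All names and data are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class OsbClass:
    oracle_backups: bool   # "perform Oracle backups and restores" right
    access_oracle: str     # "access Oracle backups": owner | class | all | none


@dataclass
class OsbUser:
    name: str
    osb_class: str
    # preauthorizations: (host, os_user) -> attributes granted, e.g. {"rman", "cmdline"}
    preauth: Dict[Tuple[str, str], frozenset] = field(default_factory=dict)


@dataclass
class BackupPiece:
    name: str
    created_by: str        # OSB user under whose identity RMAN wrote the piece


@dataclass
class Domain:
    classes: Dict[str, OsbClass]
    users: Dict[str, OsbUser]

    def map_os_account(self, host: str, os_user: str) -> Optional[OsbUser]:
        """Criteria 1 and 2: the OS account on this host must hold an rman
        preauthorization that maps it to an OSB user."""
        for user in self.users.values():
            if "rman" in user.preauth.get((host, os_user), frozenset()):
                return user
        return None

    def sbt_allowed(self, host: str, os_user: str, op: str,
                    piece: Optional[BackupPiece] = None) -> bool:
        """op is one of backup, restore, query, remove."""
        user = self.map_os_account(host, os_user)
        if user is None:
            return False                       # no preauthorization: request refused
        cls = self.classes[user.osb_class]
        if not cls.oracle_backups:             # criterion 3: class lacks the right
            return False
        if op == "backup":
            return True
        if op not in ("restore", "query", "remove") or piece is None:
            return False
        # restore/query/remove additionally need "access Oracle backups" to cover the piece
        if cls.access_oracle == "all":
            return True
        if cls.access_oracle == "owner":
            return piece.created_by == user.name
        if cls.access_oracle == "class":
            creator = self.users.get(piece.created_by)
            return creator is not None and creator.osb_class == user.osb_class
        return False                           # "none" or an unknown value


def build_domain() -> Domain:
    """Constructed sample domain: two Oracle classes differing only in piece access,
    plus a reader class that cannot run Oracle backups at all."""
    classes = {
        "oracle": OsbClass(oracle_backups=True, access_oracle="class"),
        "oracle_own": OsbClass(oracle_backups=True, access_oracle="owner"),
        "reader": OsbClass(oracle_backups=False, access_oracle="none"),
    }
    users = {
        "osbora1": OsbUser("osbora1", "oracle", {("dbhost1", "oracle"): frozenset({"rman"})}),
        "osbora2": OsbUser("osbora2", "oracle", {("dbhost2", "oracle"): frozenset({"rman"})}),
        "osbora3": OsbUser("osbora3", "oracle_own", {("dbhost3", "oracle"): frozenset({"rman"})}),
        "auditor": OsbUser("auditor", "reader",
                           {("dbhost1", "audit"): frozenset({"rman", "cmdline"})}),
    }
    return Domain(classes, users)


def sbt_demo() -> Dict[str, bool]:
    d = build_domain()
    peer_piece = BackupPiece("0abc123_1_1", created_by="osbora2")
    own_piece = BackupPiece("0def456_1_1", created_by="osbora3")
    return {
        "backup_dbhost1": d.sbt_allowed("dbhost1", "oracle", "backup"),
        "restore_class_peer": d.sbt_allowed("dbhost1", "oracle", "restore", peer_piece),
        "restore_owner_only_peer": d.sbt_allowed("dbhost3", "oracle", "restore", peer_piece),
        "restore_own_piece": d.sbt_allowed("dbhost3", "oracle", "restore", own_piece),
        "no_preauth_host": d.sbt_allowed("dbhost9", "oracle", "backup"),
        "wrong_os_user": d.sbt_allowed("dbhost1", "grid", "backup"),
        "class_without_right": d.sbt_allowed("dbhost1", "audit", "backup"),
    }
```

The last three results show why each criterion exists: a host without a preauthorization, an OS account other than the one named in the preauthorization, and a correctly preauthorized account whose OSB user sits in a class without the Oracle backup right are all refused before any backup piece is examined.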

Question
Which statements accurately describe preauthorization?
Options:
1. You must log in to OSB to run custom scripts for file-system backups before
preauthorization can occur
2. RMAN preauthorization is required to successfully back up or restore Oracle
Database
3. If an OSB user is assigned to a class with rights to back up or restore Oracle
Database, OSB performs RMAN backup requests
4. You can preauthorize OSB users for use of the obtool command-line utility

Answer
Option 1: This option is incorrect. Preauthorization for file-system backups is
primarily used to avoid logging in to OSB when running custom scripts.
Option 2: This option is correct. RMAN preauthorization is required to
successfully back up or restore Oracle Database. Oracle Database backups are
invoked from RMAN or Enterprise Manager.
Option 3: This option is incorrect. OSB verifies that an OSB user meets three
requirements or criteria. If these three criteria are not all met, OSB does
not perform the RMAN backup or restore requests.
Option 4: This option is correct. You can preauthorize OSB users for the use of
the obtool command line (cmdline), RMAN, or both.
Correct answer(s):
2. RMAN preauthorization is required to successfully back up or restore Oracle
Database
4. You can preauthorize OSB users for use of the obtool command-line utility
To provide preauthorized access, you can modify parameters for an existing user
account:

Graphic
This is done in the Configure: Users page, which is currently opened.
1. From the Configure: Users page, select the name of the user from the User Name box.
The user oracle is selected.
2. Click the Edit button.
Other available buttons are Add, Remove, Rename, and Change Password.
3. A page appears with the details for the user you selected. Make any required changes. To modify users,
you must be a member of a class that has this right enabled.
Details such as User class, UNIX name, and UNIX group are listed.
4. Click Apply to save the changes and remain on this page, click OK to save the changes and return to
the Configure: Users page, or click Cancel to abandon the operation and move back one page.
The other buttons available are Windows Domains and Preauthorized Access.
If your OSB user needs to initiate backup and restore operations on Windows clients,
then you must add Windows Domains information.
To configure RMAN and/or command-line preauthorization, click the Preauthorized
Access button and specify the appropriate attributes.
The combination of Hosts, OS username, and Windows domain name must be unique.
Limit preauthorized access to the specific hosts that need it: a preauthorization is a
password-less mapping from an OS account to an OSB user, so each entry extends that
OSB user's rights to anyone who can run commands as that OS account on those hosts.

Graphic
These details are specified in the Configure: Users > oracle > Preauthorized
Access page that opens.
You can associate an OSB user with multiple Windows domain accounts, or you can use
a single account that applies to all Windows domains. You can configure the Windows

account information for existing OSB users who need to initiate backups and restores on
Windows clients.
To assign Windows account information to an OSB user, perform the following steps:
1. From the Configure: Users page, select the name of the user from the User Name box.
The user oracle is selected.
2. Click the Edit button.
3. A page appears with the details for the user you selected. Click the Windows Domains button.
4. The Configure: Hosts > newuser > Windows Domains page appears. Enter a Windows domain
name in the Domain name field. Type an asterisk (*) in this box for all Windows domains.
5. Enter a Windows user account in the Username field.
The username is entered as newuser.
6. Enter a Windows password in the Password field.
7. Click the Add button to add the Windows account information.
Other available buttons are Remove and Cancel.
The domain appears in the Domain: Username list box.

Summary
In this topic, you've learned how to manage OSB users and specify OS permissions for
OSB users. You've also learned how to preauthorize OSB users.

OSB Authentication and Encryption


Learning Objectives

After completing this topic, you should be able to

recognize how authentication works with OSB

recognize how OSB encryption works

1. Understanding OSB authentication


For hosts to securely exchange control messages and backup data within the domain,
they must first authenticate themselves to one another. Host connections are always
based on two-way authentication, with the exceptions of the initial host invitation to join a
domain and communication with NDMP servers.
In two-way authentication, the hosts participate in a handshake process whereby they
mutually decide on a cipher suite to use, exchange identity certificates, and validate that
each other's certificate has been issued by a trusted Certificate Authority, abbreviated as
CA. At the end of this process, a secure and trusted communication channel is
established for the exchange of data.
The use of identity certificates and SSL prevents outside attackers from impersonating a
client in the administrative domain and accessing backup data. For example, an outside
attacker would not be able to run an application on a nondomain host that sends
messages to domain hosts claiming to originate from a host within the domain, because
the attacker holds no identity certificate signed by the domain's CA.

Note
Currently, the NDMP protocol does not include a mechanism to accommodate the
negotiation of an SSL connection to NDMP filers.
OSB uses the SSL protocol to establish a secure communication channel between hosts
in an administrative domain. Any host in the domain can use a public key to send an
encrypted message to another host, but only the host with the corresponding private key
can decrypt the message.
The default certificate key size for all hosts in the domain is 1,024 bits. If you accept this
default, then you do not need to perform any additional configuration. You can set the size
of the key to values between 512 (less secure) and 4,096 (very secure). This key size
applies to the host's X.509 identity certificate used for authentication; it is unrelated to the
Advanced Encryption Standard, also known as AES, which OSB uses to encrypt backup
data and which defines three standard key lengths: 128-bit, 192-bit, and 256-bit. Note that
1,024-bit certificate keys are no longer considered adequate against a well-resourced
attacker, so a larger value is advisable where the domain's hosts can bear the handshake
cost.
The web server requires a signed X.509 certificate and associated public and private
keys to establish an SSL connection with a client browser. The X.509 certificate for the
web server is self-signed by the installation script when you install OSB on the
administrative server.

Note
Every client and server in the domain has a unique X.509 certificate stored in
encrypted containers called Oracle wallets.

Question
Which statements accurately describe the Oracle security technology and OSB?
Options:
1. OSB uses the SSL protocol to establish a secure communication channel between
hosts
2. Any host can use a public key to decrypt an encrypted message
3. The default key size for all hosts in the domain is 256 bits
4. The web server requires a signed X.509 certificate and associated public and private
keys to establish an SSL connection with a client browser

Answer
Option 1: This option is correct. OSB uses the SSL protocol to establish a secure
communication channel between hosts in an administrative domain.
Option 2: This option is incorrect. Any host in the domain can use a public key to
send an encrypted message to another host, but only the host with the
corresponding private key can decrypt the message.
Option 3: This option is incorrect. The default key size for all hosts in the domain
is 1,024 bits.
Option 4: This option is correct. The web server requires a signed X.509
certificate and associated public and private keys to establish an SSL connection
with a client browser. The X.509 certificate for the web server is self-signed by the
installation script when you install OSB on the administrative server.
Correct answer(s):
1. OSB uses the SSL protocol to establish a secure communication channel
between hosts
4. The web server requires a signed X.509 certificate and associated public and
private keys to establish an SSL connection with a client browser
You can modify the default security configuration in the following ways:

disable SSL for interhost authentication and communication by setting the securecomms security
policy

transmit identity certificates in manual certificate provisioning mode

set the key size for a host to a value greater or less than the default value of 1,024 bits, and

disable encryption for backup data in transit by setting the encryptdataintransit security
policy
The OSB administrative server is automatically configured as the CA upon installation.
During the installation of an administrative server, its wallets (encrypted and obfuscated)
are created along with a signing certificate and an identity certificate. The administrative
server needs the signing certificate to sign the identity certificates of other hosts, and its
identity certificate to establish authenticated SSL connections with other hosts in the
domain.
By default, wallets and identity certificates are automatically created during the installation
of media servers and clients. However, you can manually provision these certificates by
using the obcm utility.
The encrypted wallets should be backed up, whereas the obfuscated wallets should not
be backed up. If a host wallet is destroyed, the host must be reinstalled and
configured. This generates a new host wallet, which again must be digitally signed by the
administrative server.
If the administrative server wallet is destroyed, the wallet must be re-created using the
--initnewdomain command.
However, if a new administrative server wallet is created, then a new wallet for each host
in the domain must be created, so that their identity certificates are digitally signed by the
new administrative server signing certificate.
Because OSB embedded wallets are used only for intradomain communication, they do
not have any direct relationship to the backup data written to tape. Therefore, if wallets
are destroyed and re-created, it does not affect the restoration of data from tape.
When you add hosts to the administrative domain, OSB creates the wallet, keys, and
certificates for each host. No additional intervention or configuration is required. All
required wallet functionality is embedded in OSB, thereby eliminating the need for other
wallet utilities.
Every host in the domain, including the administrative server, has a private key known
only to that host that is stored with the hosts identity certificate. This private key
corresponds to a public key that is made available to other hosts in the administrative
domain. Any host in the domain can use a public key to send an encrypted message to
another host, but only the host with the corresponding private key can decrypt the
message.
Oracle wallets are encrypted containers designed to store X.509 certificates. Unlike the
database encryption key wallet, the OSB wallet does not store encryption keys for data.
And OSB does not share its wallets with other Oracle products.
Besides maintaining its password-protected wallet, each host in the domain maintains an
obfuscated wallet. This version of the wallet does not require a password. The obfuscated
wallet, which is scrambled but not encrypted, enables the OSB software to run without
requiring a password during system startup.

The password for the password-protected wallet is generated by OSB and not made
available to the user. The password-protected wallet is not normally used after the
security credentials for the host have been established, because the OSB daemons use
the obfuscated wallet.
To reduce the risk of unauthorized access to obfuscated wallets, OSB does not back
them up. The obfuscated version of a wallet is named cwallet.sso. By default, the
wallet is located in these paths on the Linux, UNIX, and Windows machines.

Graphic
The wallet is located on the Linux and UNIX machines in the following path:
/usr/etc/ob/wallet
On the Windows machines, the wallet is located in the following path:
C:\Program Files\Oracle\Backup\db\wallet

Note
It is always a good practice to back up the encrypted wallet but not the obfuscated
wallet.

2. Understanding OSB encryption


Oracle Secure Backup or OSB encryption is available for both RMAN backup data
(Oracle 9i and higher) and for file-system data. OSB encrypts data on the client host. And
because there is no client software installation on Network Attached Storage, commonly
known as NAS, NAS data cannot be encrypted by OSB.
While encryption occurs outside the database, the data is encrypted prior to transport
over the network or prior to being written to a locally attached tape device. Backup clients
do not have direct access to the tape drives. Data is sent to the media server, which
applies your encryption policies.
To implement your encryption policy, you can choose among multiple levels, considering
the costs and benefits of encryption, such as performance, accessibility, and
administrative overhead.
OSB encryption keys are managed by OSB. They are stored in host-specific encrypted
key stores on the administrative server. For security purposes, encryption keys are not
stored on client machines, but instead are transmitted via SSL for encryption and
decryption. During backup or restore operations, they are held in memory at the client
host, but never saved on disk.

The backup data is encrypted on the client host before any transport. OSB backup
encryption protects data on tape (while onsite, offsite, or lost).
You can configure host encryption policies in OSB. There are many encryption options
available on the Configure: Hosts > host01 page that you can configure.
Encryption
You can specify encryption at the global or host level for all backup data (additionally at
backup or volume level for file-system data). If you specify the encryption level as
required, all data coming from this backup domain or this client must be encrypted. When
you want the decision to encrypt to be deferred to the next lower priority item, specify the
encryption level as allowed.
These options are specified by selecting the radio buttons required and allowed.
Algorithm
You can also specify the algorithm supported as aes128, aes192, or aes256 by selecting
the respective radio buttons. The default algorithm supported is aes192.
Rekey frequency
A client rekeyfrequency policy defines when a new key is generated. For example, the
policy might require that a new set of keys be generated every 30 days. Transparent keys
are automatically rekeyed. For keys that depend on a passphrase, you receive an email
notification. Additionally, OSB writes a message to the log files and the display output.
These options are specified by selecting the radio buttons duration, never, system default,
and per backup. With the duration option, you can also specify the number of days, weeks,
or months.
Key type
You can specify the Key type as transparent or passphrase. Transparent keys are
randomly generated and passphrase keys are generated based on your passphrase.
This is specified by selecting the radio buttons transparent and use passphrase. With the
use passphrase option, you can also have the passphrase verified.
Certificate keys define the level of security for host authentication and are not related to
backup encryption. The certificate key size is set to 1024 in the Certificate key size (in
bits) field.
Each newly created client gets an automatically generated key during the mkhost phase.
It remains valid for encryption until one of the following happens:

a key renewal event occurs

you manually renew an automatically generated key, or

you change the key to a passphrase by providing a new passphrase

The passphrase itself is never stored anywhere. The hash of the passphrase and the key
generated from the passphrase are stored in the encrypted key store. OSB does not
enforce a minimum length for a passphrase.
After the new key is created, it is added to the wallet-protected key store and marked as
the active encryption key. Old encryption keys are left in the key store and used for
automatic and seamless decryption of data. If clients are removed from the backup
domain, then their key stores are still retained on the administrative server. This ensures
that you can always restore data.
Consider this scenario. You work in a data center for many customers. From your
production environment (A), your customer requests a one-time backup of his three client
hosts to create the same environment (B) as his independent test environment. Each of
the client backup files is encrypted with its own specific key. You do not want to disclose
the keys, because they are used for the regularly scheduled backups.
OSB enables cross-site backup encryption without this security threat by encrypting data
at the volume set level for a given backup job. The key for this volume set encryption is
based on a passphrase. The data is encrypted with this passphrase-generated key for all
clients that are part of this specific backup job. You, as backup administrator of Site A,
give the passphrase and encryption algorithm to Site B for the restore operation, so that
the data can be decrypted.
In all other cases, the OSB encryption keys are automatically added to the appropriate
wallet-protected key store. A transient key, however, is a one-time key used mainly for
moving data to a remote location.
By default, transient encryption keys are not stored in the key stores, but the obtool backup
command provides the --storekey/-s option to store the key.
Before restoring data in another OSB domain, the tapes must first be imported to update
the OSB catalog. Your customer enters the passphrase during the restore operation to
decrypt the backup.
In another scenario, if backup and restore operations occur in the same domain (for
example, you must duplicate a test environment for another team), then you do not need
to provide the passphrase, because OSB knows it already.
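The key-store behaviour described above (a new active key on each renewal, old keys retained for restore, only a salted hash of a passphrase kept) as an added illustrative model; this is not Oracle's code, and PBKDF2-HMAC-SHA256 with a per-key salt stored alongside the volume set is an assumption standing in for OSB's undocumented derivation.

```python
# Model of the per-host key store described above (added example, not Oracle code).
# Assumption: PBKDF2-HMAC-SHA256 with a per-key salt stands in for OSB's derivation.
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional

KEY_BYTES = {"aes128": 16, "aes192": 24, "aes256": 32}  # algorithms offered by OSB


def derive_key(passphrase: str, salt: bytes, algorithm: str) -> bytes:
    """Deterministic, so a site told the passphrase and algorithm (salt assumed to be
    stored with the volume set) rebuilds the same key without seeing any client key."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, KEY_BYTES[algorithm])


@dataclass
class StoredKey:
    key_id: int
    key: bytes
    key_type: str                            # "transparent" or "passphrase"
    salt: Optional[bytes] = None             # passphrase keys only
    passphrase_hash: Optional[bytes] = None  # the passphrase itself is never kept


@dataclass
class HostKeyStore:
    algorithm: str = "aes192"                # OSB default per the text above
    keys: list = field(default_factory=list)
    active_id: int = -1

    def _add(self, key, key_type, salt=None, phash=None) -> StoredKey:
        entry = StoredKey(len(self.keys), key, key_type, salt, phash)
        self.keys.append(entry)              # old keys stay; nothing is overwritten
        self.active_id = entry.key_id        # the newest key becomes the active one
        return entry

    def renew_transparent(self) -> StoredKey:   # mkhost, rekey event or manual renewal
        return self._add(secrets.token_bytes(KEY_BYTES[self.algorithm]), "transparent")

    def set_passphrase(self, passphrase: str, salt: Optional[bytes] = None) -> StoredKey:
        salt = salt or secrets.token_bytes(16)  # keep only derived key and salted hash
        phash = hashlib.sha256(salt + passphrase.encode()).digest()
        return self._add(derive_key(passphrase, salt, self.algorithm), "passphrase", salt, phash)

    def verify_passphrase(self, key_id: int, passphrase: str) -> bool:
        e = self.keys[key_id]
        return e.key_type == "passphrase" and secrets.compare_digest(
            e.passphrase_hash, hashlib.sha256(e.salt + passphrase.encode()).digest())

    def key_for_backup(self, key_id: int) -> bytes:  # restore: old keys remain usable
        return self.keys[key_id].key
```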
Oracle Database backup encryption can be performed in one of two ways:

OSB encryption and

RMAN encryption

Note
RMAN encryption is available with Advanced Security Option.
There are many differences between the OSB and RMAN encryption features:
backup data
OSB encryption is used for RMAN backup data (Oracle 9i and higher) and file-system
data.
RMAN encryption, however, is used only for RMAN backup data.
level
OSB encryption for RMAN backup data is done at the global or host level. For file-system
data, encryption is done at the global, host, backup, or volume level.
RMAN can encrypt backups of Oracle Database at the database or tablespace level.
location
OSB encrypts data on the client host. While encryption occurs outside the database, the
data is encrypted prior to transport over the network or prior to being written to a locally
attached tape device.
RMAN encrypts the backup data within the database. This is generally faster than the OSB
encryption.
encryption keys
OSB encryption keys are managed by OSB and stored in host-specific encrypted key
stores on an administrative server.
The RMAN encryption keys are stored in database wallets and are managed by the
database.
algorithms
The encryption algorithms used for OSB encryption are AES128, AES192 (default), and
AES256. Embedded SSL technology provides secure transport of backup data and
messages between two-way authenticated servers.
RMAN encryption uses encryption algorithms up to 256-bit AES.
decryption
For decryption within the same domain, you do not have to provide a passphrase in OSB
encryption.
However, in RMAN encryption, you must provide passwords for decryption.

special requirements
OSB encryption does not require the Advanced Security Option.
RMAN-encrypted backups, however, do require the Advanced Security Option.
When OSB encounters RMAN encrypted backups, it does not perform any additional
encryption.

Question
Identify the features of RMAN encryption.
Options:
1. It encrypts data on the client host

2. It uses embedded SSL technology to provide secure transport of backup data

3. It can encrypt backups of Oracle Database on the database or tablespace level

4. It requires the Advanced Security Option

Answer
Option 1: This option is incorrect. OSB encrypts data on the client host. Because
there is no client software installation on NAS, NAS data cannot be encrypted by
OSB.
Option 2: This option is incorrect. With OSB encryption, embedded SSL
technology provides secure transport of backup data and messages between two-way
authenticated servers.
Option 3: This option is correct. RMAN can encrypt backups of Oracle Database
on the database or tablespace level. RMAN encrypts the backup data within the
database.
Option 4: This option is correct. RMAN encryption backups require the Advanced
Security Option, which offers a high level of security by supporting numerous
encryption standards.
Correct answer(s):
3. It can encrypt backups of Oracle Database on the database or tablespace level
4. It requires the Advanced Security Option

Summary

In this topic, you've learned how authentication works with OSB and how OSB encryption
works.

Configuring an OSB User and a Host Encryption Policy


Learning Objectives

After completing this topic, you should be able to

configure an OSB user

configure a host encryption policy

Exercise overview
Now that you have successfully installed the Oracle Secure Backup software, you want to
ensure the security requirements of your organization are implemented with OSB. You
want to limit access to the OSB domain and make sure that tapes are encrypted at all
times, whether they are onsite, in off-site storage, or even lost.
In this exercise, you're required to create a user, configure preauthorization, and
configure a host encryption policy.
This involves the following tasks:

creating a user

configuring preauthorization

configuring an encryption policy

Task 1: Creating a user


You first want to define a new Oracle Secure Backup user. Create a new user called
"oracle." Specify a password, user class, and UNIX name of "oracle" and a UNIX group of
"dba." The user is not an NDMP server user.

Steps list
Instructions
1. Click Users
2. Click Add
3. Type oracle in the User and Password text boxes
4. Select oracle from the User class drop-down list
5. Type oracle in the UNIX name text box
6. Type dba in the UNIX group text box
7. Select no from the NDMP server user drop-down list
8. Click Apply

Task 2: Configuring preauthorization


You now want to configure preauthorized access for the oracle user. Specify * for the OS
username and use the rman attribute.

Steps list
Instructions
1. Click Preauthorized Access
2. Type * in the OS username text box
3. Select rman from the Attributes list box
4. Click Add

Task 3: Configuring an encryption policy


You now want to configure a policy to encrypt all database and file system backups on
this host with Oracle Secure Backup encryption. Edit the localhost2 host to specify that
encryption is required. Accept all other default selections.

Steps list
Instructions
1. Click Configure
2. Click Hosts
3. Select localhost2 and click Edit
4. Select the required radio button associated with Encryption
5. Click Apply
6. Click OK
