A set of rights is grouped into a class, which can be assigned to multiple users. However,
each user is a member of exactly one class. An OSB user is different from an Oracle
schema user as well as an OS user.
You can assign OSB usernames and passwords that are identical to or different from
those of existing OS users. Each OSB user is associated with a single UNIX account and
a single Windows account.
These UNIX and Windows accounts are used when some component of OSB must
assume a UNIX or Windows identity when running on behalf of a given OSB user. To
configure OSB users, you must belong to a class with the modify administrative domains
configuration right.
Note
You might find it convenient to name OSB users like their OS user identity.
OSB comes with five predefined classes:
admin
The admin class is used for the overall administration of a domain. This class has all the
rights and privileges needed to modify domain configurations and perform backup and
restore operations.
operator
To perform standard day-to-day operations, the operator class is used. This class lacks
configuration privileges but has all the rights needed for backup and restore operations as
well as viewing and managing devices.
user
The user class is assigned to specific users, giving them permission to interact in a limited
way with their domains. This class is reserved for users who need to browse their own
data within the OSB catalog and perform user-based restore operations.
oracle
The oracle class is similar to the operator class, with additional privileges to modify the
Oracle Database configuration settings and to perform Oracle Database backup and
restore operations.
reader
Assigning the reader class to users enables them to view the OSB catalog data. Readers
are permitted only to modify the given name and password for their OSB user accounts.
If none of the predefined classes fits, you can also use the mkclass command to define
your own OSB user class with exactly the rights it needs.
Question
When managing user access control, which predefined class is used for day-today operations?
Options:
1. admin
2. operator
3. user
4. oracle
Answer
Option 1: This option is incorrect. The admin class is used for the overall
administration of a domain. The admin class has all the rights and privileges
Some of the other rights are:
display administrative domains configuration
The display administrative domains configuration right allows the class member to list
objects (for example, hosts, devices, and users) in the administrative domain.
modify own name and password
The modify own name and password right allows the class member to modify certain
attributes for their own user objects (password and given name).
modify administrative domains configuration
The modify administrative domains configuration right allows the class member to edit
(create, modify, rename, and remove) all configuration data in an OSB administrative
domain. These include classes, users, hosts, devices, defaults and policies, schedules,
datasets, media families, summaries, and backup windows.
perform backups as self
The perform backups as self right allows the class member to back up only those files and
directories in which the member has access (using either UNIX user and group names or a
Windows domain account).
perform backups as privileged user
The perform backups as privileged user right allows the class member to back up files and
directories while acting as a privileged user (root on UNIX and as a member of the
Administrators group on Windows).
list any jobs owned by user
The list any jobs owned by user right enables the class member to view the status of
scheduled, ongoing, and completed jobs that they create. The class member can also view
transcripts for jobs that they create.
Additional rights are:
modify any jobs owned by user
The modify any jobs owned by user right allows the class member to modify only jobs that
the member configured.
access Oracle backups
The access Oracle backups right specifies the type of access to Oracle Database backups
made through the System Backup to Tape, abbreviated as SBT, interface. It takes one of
four values, including:
owner, which indicates that the user can access only SBT backups created by the user
class, which indicates that the user can access SBT backups created by any OSB user in the same
class
all, which indicates that the user can access all SBT backups
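The following Python model, added here as an illustration and not taken from Oracle Secure Backup, shows how the class-to-rights mapping and the scoped access Oracle backups right described above combine into a single authorization decision. The right names are the page's; the rights given to each predefined class, the sample users and backup pieces, and the placeholder scope none (meaning no SBT access) are assumptions made for the example.

```python
"""Toy model of OSB-style class-based access control.

Added illustration for this page; it is not Oracle Secure Backup code. The
right names come from the page, but the rights assigned to each predefined
class below are an ASSUMPTION reconstructed from the prose descriptions, not
the product's actual defaults table.
"""
from dataclasses import dataclass

# Rights named on the page.
DISPLAY_CONFIG = "display administrative domains configuration"
MODIFY_OWN = "modify own name and password"
MODIFY_CONFIG = "modify administrative domains configuration"
BACKUP_SELF = "perform backups as self"
BACKUP_PRIV = "perform backups as privileged user"
LIST_OWN_JOBS = "list any jobs owned by user"
MODIFY_OWN_JOBS = "modify any jobs owned by user"

ALL_RIGHTS = frozenset({DISPLAY_CONFIG, MODIFY_OWN, MODIFY_CONFIG, BACKUP_SELF,
                        BACKUP_PRIV, LIST_OWN_JOBS, MODIFY_OWN_JOBS})


@dataclass(frozen=True)
class OsbClass:
    name: str
    rights: frozenset
    # Scope of the "access Oracle backups" right: "owner", "class" or "all".
    # "none" is an ASSUMED placeholder meaning no SBT access at all.
    oracle_access: str = "none"


@dataclass(frozen=True)
class OsbUser:
    name: str
    osb_class: str  # exactly one class per user, as the page states


@dataclass(frozen=True)
class SbtBackup:
    piece: str
    owner: str  # OSB user that created the backup through SBT


# ASSUMED reconstruction of the five predefined classes from the page's prose.
CLASSES = {
    "admin": OsbClass("admin", ALL_RIGHTS, oracle_access="all"),
    "operator": OsbClass("operator", ALL_RIGHTS - {MODIFY_CONFIG}, oracle_access="all"),
    "oracle": OsbClass("oracle", ALL_RIGHTS - {MODIFY_CONFIG}, oracle_access="class"),
    "user": OsbClass("user", frozenset({MODIFY_OWN, BACKUP_SELF, LIST_OWN_JOBS}),
                     oracle_access="owner"),
    "reader": OsbClass("reader", frozenset({MODIFY_OWN})),
}


def has_right(user: OsbUser, right: str) -> bool:
    """A user holds exactly the rights of its single class."""
    return right in CLASSES[user.osb_class].rights


def can_configure_users(user: OsbUser) -> bool:
    """The page: configuring OSB users needs the modify-configuration right."""
    return has_right(user, MODIFY_CONFIG)


def can_access_sbt_backup(user: OsbUser, backup: SbtBackup, directory: dict) -> bool:
    """Evaluate the scoped 'access Oracle backups' right.

    owner -> only backups the requesting user created
    class -> backups created by any OSB user in the same class
    all   -> every SBT backup
    """
    scope = CLASSES[user.osb_class].oracle_access
    if scope == "all":
        return True
    if scope == "class":
        owner = directory.get(backup.owner)
        return owner is not None and owner.osb_class == user.osb_class
    if scope == "owner":
        return backup.owner == user.name
    return False  # "none" or any unrecognised scope: deny by default


# Constructed sample directory and backup pieces (not real data).
DIRECTORY = {u.name: u for u in (
    OsbUser("admin", "admin"),
    OsbUser("ops1", "operator"),
    OsbUser("dba1", "oracle"),
    OsbUser("dba2", "oracle"),
    OsbUser("jdoe", "user"),
    OsbUser("auditor", "reader"),
)}
BACKUPS = [SbtBackup("c-1234-20240101-00", owner="dba1"),
           SbtBackup("c-1234-20240102-00", owner="jdoe")]


def visible_pieces(username: str) -> list:
    """Which constructed backup pieces a given user may access."""
    user = DIRECTORY[username]
    return [b.piece for b in BACKUPS if can_access_sbt_backup(user, b, DIRECTORY)]


if __name__ == "__main__":
    for name in DIRECTORY:
        print(f"{name:8} configure users: {can_configure_users(DIRECTORY[name])!s:5} "
              f"SBT pieces: {visible_pieces(name)}")
```

Note that the decision is deny-by-default: an unrecognised scope grants nothing, and a user of the oracle class sees another DBA's pieces only because both users sit in the same class, not because of who ran the backup.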
1. From the Web tool Home page, click the Configure tab in the menu bar. In the Configure page,
click Users under the Basic section.
2. The Configure: Users page appears. Click the Add button to add a new user.
3. The Configure: Users > New Users page appears. Enter a username in the User field.
Formally, an OSB username is unrelated to any other name used in your computing environment or the
OSB administrative domain. Practically, you might find it convenient to choose OSB
usernames that are identical to the users' Windows or UNIX names.
4. Enter a password for the user in the Password field. This password is used to log in
to OSB. If you create users from the command line instead, do not supply the password in clear
text on the command line or in a command script: Oracle Corporation does not recommend this,
because the password is then exposed in shell history, process listings, and the script itself.
The recommended procedure is to have the command prompt for the password.
5. Select a class from the User class drop-down list. Optionally, enter a given name in the
Given name field. This name is for information purposes only.
Note
OSB creates the admin user when a new administrative domain is initialized. You
cannot remove the admin user.
6. Click Apply to add the user account and remain on this page, click OK to add the user account
and return to the Users page, or click Cancel to abandon the operation and move back one page.
After the user is added, the new account (oracle in this example) appears in the User field on the
Configure: Users > oracle page, a message in the Status box informs you that the user was
successfully added, and the message Success: user oracle created appears at the top of the page.
In this example, the osbuser1 user can only back up and restore data accessible by the
jdoe UNIX user and the sysadmin UNIX group. The UNIX name and group are the
identity under which an unprivileged backup operation is performed. In the example provided,
the user logs in explicitly with the username osbuser1.
When an OSB user makes an unprivileged backup or restore of a host, the host is
accessed by means of an OS identity:
If a UNIX or Linux host is backed up or restored, then OSB uses the UNIX username and group
values for the OS identity.
If a Windows host is backed up or restored, then OSB uses the first triplet (domain, account,
password) that allows access to the host.
The OS user that is used to access the files being backed up depends upon the type of
backup operation:
scheduled job
If you create a scheduled job, the backup runs in the OS namespace associated with the
OSB admin user, which is typically root on UNIX-like systems or LocalSystem on
Windows systems.
unprivileged on-demand and RMAN backups
If you perform an on-demand backup, the OS namespace associated with the OSB user of
the current session is used, unless you specify that the backup should run as a privileged
operation. Backup and restore requests submitted through the RMAN interface are treated
as on-demand jobs.
privileged backup
A backup that runs in privileged mode runs under the root OS identity on UNIX. On Windows
systems, the backup runs under the same account as the OSB service on the Windows
client.
Question
You have created a scheduled backup job on a Windows system. What users
would you expect the backup to run under?
Options:
1. LocalSystem
2. root
3.
4. admin
Answer
Option 1: This option is correct. If you create a scheduled job, the backup runs in
the OS namespace associated with the OSB admin user, which is typically root
on UNIX-like systems or LocalSystem on Windows systems.
Option 2: This option is incorrect. If you created a scheduled job on a UNIX-like
system, the job would run under the root user.
Option 3: This option is incorrect. If you perform an on-demand backup on a
Windows system, the backup runs under the same account as the OSB service on
the Windows client.
Option 4: This option is correct. If you create a scheduled job, the backup runs in
the OS namespace associated with the OSB admin user, which is typically
LocalSystem on Windows systems.
Correct answer(s):
1. LocalSystem
4. admin
You can preauthorize OSB users for the use of the obtool command line (cmdline),
RMAN, or both. For example, the jdoe OS user can be preauthorized to use OSB as the
osbuser1 OSB user, without having to supply an OSB username or password.
Preauthorization for file-system backups is primarily used to avoid logging in to OSB
when running custom scripts. Without cmdline preauthorization, the script would fail,
because access to OSB is not granted without user login.
RMAN preauthorization is required to successfully back up or restore Oracle Database.
Oracle Database backups are invoked from RMAN or Enterprise Manager.
In this example, the RMAN script used is the following:
run {
Note
If these three criteria are not successfully met, OSB does not perform the RMAN
backup or restore requests.
Question
Which statements accurately describe preauthorization?
Options:
1. You must log in to OSB to run custom scripts for file-system backups before
preauthorization can occur
2. RMAN preauthorization is required to successfully back up or restore Oracle Database
3.
4. You can preauthorize OSB users for use of the obtool command-line utility
Answer
Option 1: This option is incorrect. Preauthorization for file-system backups is
primarily used to avoid logging in to OSB when running custom scripts.
Option 2: This option is correct. RMAN preauthorization is required to
successfully back up or restore Oracle Database. Oracle Database backups are
invoked from RMAN or Enterprise Manager.
Option 3: This option is incorrect. OSB verifies that three requirements or criteria
are met before it services a request. If these three criteria are not successfully met,
OSB does not perform the RMAN backup or restore requests.
Option 4: This option is correct. You can preauthorize OSB users for the use of
the obtool command line (cmdline), RMAN, or both.
Correct answer(s):
2. RMAN preauthorization is required to successfully back up or restore Oracle
Database
4. You can preauthorize OSB users for use of the obtool command-line utility
To provide preauthorized access, you can modify parameters for an existing user
account in the Configure: Users page:
1. From the Configure: Users page, select the name of the user from the User Name box
(the user oracle in this example).
2. Click the Edit button. Other available buttons are Add, Remove, Rename, and Change Password.
3. A page appears with the details for the user you selected, such as User class, UNIX name, and
UNIX group. Make any required changes. To modify users, you must be a member of a class that has
the modify administrative domains configuration right enabled.
4. Click Apply to remain on this page, click OK to save the changes and return to the Configure: Users
page, or click Cancel to abandon the operation and move back one page.
The other buttons available are Windows Domains and Preauthorized Access.
If your OSB user needs to initiate backup and restore operations on Windows clients,
then you must add Windows Domains information.
To configure RMAN and/or command-line preauthorization, click the Preauthorized
Access button and specify the appropriate attributes in the Configure: Users > oracle > Preauthorized
Access page that opens. The combination of Hosts, OS username, and Windows domain name must be
unique. Also limit preauthorized access to selected hosts rather than all hosts, so that a
preauthorized OS account grants OSB access only from the hosts where it is actually needed.
You can associate an OSB user with multiple Windows domain accounts, or you can use
a single account that applies to all Windows domains. You can configure the Windows
account information for existing OSB users who need to initiate backups and restores on
Windows clients.
To assign Windows account information to an OSB user, perform the following steps:
1. From the Configure: Users page, select the name of the user from the User Name box
(the user oracle in this example).
2. A page appears with the details for the user you selected. Click the Windows Domains button.
3. The Configure: Hosts > newuser > Windows Domains page appears. Enter a Windows domain
name in the Domain name field. Type an asterisk (*) in this box for all Windows domains.
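To make the uniqueness rule and the wildcard behaviour concrete, here is an added Python model of a preauthorization table. It is illustrative code written for this page, not part of OSB. The field names, the rman and cmdline attributes, the asterisk wildcard, and the requirement that the combination of Hosts, OS username and Windows domain be unique come from the text above; the sample entries, the empty domain string for UNIX hosts, and the most-specific-match tie-break are assumptions of the example.

```python
"""Toy model of OSB preauthorization entries (added illustration, not OSB code).

The fields (host, OS username, Windows domain, rman/cmdline attributes) and the
rule that (host, OS username, Windows domain) must be unique come from the page.
The wildcard handling and the most-specific-match rule are ASSUMPTIONS made for
this example.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

ATTRIBUTES = {"rman", "cmdline"}


@dataclass(frozen=True)
class Preauth:
    osb_user: str          # OSB identity the OS user is mapped to
    host: str              # OSB host name, or '*' for any host (ASSUMED wildcard)
    os_username: str       # OS account, or '*' for any account (as in the exercise)
    windows_domain: str    # Windows domain, '*' for all domains, '' on UNIX hosts (ASSUMED)
    attributes: frozenset  # subset of {'rman', 'cmdline'}

    def key(self) -> tuple:
        """The combination the page says must be unique."""
        return (self.host, self.os_username, self.windows_domain)

    def specificity(self) -> int:
        """More concrete fields win when several entries match (ASSUMPTION)."""
        return sum(f != "*" for f in self.key())


def duplicate_keys(entries: list) -> list:
    """Return (host, OS username, Windows domain) combinations used more than once."""
    counts = Counter(e.key() for e in entries)
    return sorted(k for k, n in counts.items() if n > 1)


def _field_matches(pattern: str, value: str) -> bool:
    return pattern == "*" or pattern.lower() == value.lower()


def find_preauth(entries: list, host: str, os_username: str,
                 windows_domain: str, attribute: str) -> Optional[str]:
    """Resolve which OSB user an OS identity may act as for rman or cmdline use.

    Returns None when no entry grants the requested attribute, which is the
    case where the page says an unattended script or RMAN job simply fails.
    """
    if attribute not in ATTRIBUTES:
        raise ValueError(f"unknown preauth attribute {attribute!r}")
    if duplicate_keys(entries):
        raise ValueError("preauthorization table violates the uniqueness rule")
    candidates = [e for e in entries
                  if attribute in e.attributes
                  and _field_matches(e.host, host)
                  and _field_matches(e.os_username, os_username)
                  and _field_matches(e.windows_domain, windows_domain)]
    if not candidates:
        return None
    return max(candidates, key=Preauth.specificity).osb_user


# Constructed table: jdoe on host1 may act as osbuser1 for scripts and RMAN;
# any OS user on host2 may act as the oracle OSB user, but only through RMAN;
# the backupsvc account in any Windows domain on host3 may run obtool as winops.
ENTRIES = [
    Preauth("osbuser1", "host1", "jdoe", "", frozenset({"cmdline", "rman"})),
    Preauth("oracle", "host2", "*", "", frozenset({"rman"})),
    Preauth("winops", "host3", "backupsvc", "*", frozenset({"cmdline"})),
]

# Same table with a second entry reusing (host1, jdoe, '') for another OSB user.
ENTRIES_WITH_DUP = ENTRIES + [
    Preauth("osbuser2", "host1", "jdoe", "", frozenset({"cmdline"})),
]

if __name__ == "__main__":
    print(find_preauth(ENTRIES, "host1", "jdoe", "", "cmdline"))    # osbuser1
    print(find_preauth(ENTRIES, "host2", "oracle", "", "rman"))     # oracle
    print(find_preauth(ENTRIES, "host2", "oracle", "", "cmdline"))  # None
    print(duplicate_keys(ENTRIES_WITH_DUP))                        # [('host1', 'jdoe', '')]
```

The host2 entry shows why the page advises limiting preauthorization to selected hosts: with OS username set to the asterisk, every OS account on that host can drive RMAN as the oracle OSB user, so the entry should be confined to the database host and should carry only the rman attribute, not cmdline.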
Summary
In this topic, you've learned how to manage OSB users and specify OS permissions for
OSB users. You've also learned how to preauthorize OSB users.
Note
Currently, the NDMP protocol does not include a mechanism to accommodate the
negotiation of an SSL connection to NDMP filers.
OSB uses the SSL protocol to establish a secure communication channel between hosts
in an administrative domain. Any host in the domain can use a public key to send an
encrypted message to another host, but only the host with the corresponding private key
can decrypt the message.
The default certificate key size for all hosts in the domain is 1,024 bits. If you accept this default,
then you do not need to perform any additional configuration. You can set the size of the
key to values between 512 (less secure) and 4,096 (very secure). This is the size of the
asymmetric key pair behind each host's X.509 identity certificate and is used only for host
authentication; by current standards 512-bit keys are broken and 1,024-bit keys are considered
weak, so prefer 2,048 bits or more where the hosts can afford it. It is unrelated to the symmetric
cipher used for backup data: the Advanced Encryption Standard, also known as AES, defines three
standard key lengths, which are 128-bit, 192-bit, and 256-bit.
The web server requires a signed X.509 certificate and associated public and private
keys to establish an SSL connection with a client browser. The X.509 certificate for the
web server is self-signed by the installation script when you install OSB on the
administrative server.
Note
Every client and server in the domain has a unique X.509 certificate stored in
encrypted containers called Oracle wallets.
Question
Which statements accurately describe the Oracle security technology and OSB?
Options:
1. OSB uses the SSL protocol to establish a secure communication channel between
hosts
2.
3. The default key size for all hosts in the domain is 256 bits
4. The web server requires a signed X.509 certificate and associated public and private
keys to establish an SSL connection with a client browser
Answer
Option 1: This option is correct. OSB uses the SSL protocol to establish a secure
communication channel between hosts in an administrative domain.
Option 2: This option is incorrect. Any host in the domain can use a public key to
send an encrypted message to another host, but only the host with the
corresponding private key can decrypt the message.
Option 3: This option is incorrect. The default key size for all hosts in the domain
is 1,024 bits.
Option 4: This option is correct. The web server requires a signed X.509
certificate and associated public and private keys to establish an SSL connection
with a client browser. The X.509 certificate for the web server is self-signed by the
installation script when you install OSB on the administrative server.
Correct answer(s):
1. OSB uses the SSL protocol to establish a secure communication channel
between hosts
4. The web server requires a signed X.509 certificate and associated public and
private keys to establish an SSL connection with a client browser
You can modify the default security configuration in the following ways:
disable SSL for interhost authentication and communication by setting the securecomms security
policy
set the key size for a host to a value greater or less than the default value of 1,024 bits
disable encryption for backup data in transit by setting the encryptdataintransit security
policy
Disabling securecomms removes the mutual authentication between hosts, and disabling
encryptdataintransit exposes backup contents on the network, so both should be confined to
isolated backup networks where that trade-off is understood.
The OSB administrative server is automatically configured as the certificate authority (CA) upon
installation. During the installation of an administrative server, its wallets (encrypted and
obfuscated) are created along with a signing certificate and an identity certificate. The
administrative server needs the signing certificate to sign the identity certificates of the other
hosts, and its identity certificate to establish authenticated SSL connections with other hosts in
the domain.
By default, wallets and identity certificates are automatically created during the installation
of media servers and clients. However, you can manually provision these certificates by
using the obcm utility.
The encrypted wallets should be backed up, whereas the obfuscated wallets should not
be backed up. If a host wallet is destroyed, the host must be reinstalled and
configured. This generates a new host wallet, which again has to be digitally signed by the
administrative server.
If the administrative server wallet is destroyed, the wallet must be re-created using the
--initnewdomain command.
However, if a new administrative server wallet is created, then a new wallet for each host
in the domain must be created, so that their identity certificates are digitally signed by the
new administrative server signing certificate.
Because OSB embedded wallets are used only for intradomain communication, they do
not have any direct relationship to the backup data written to tape. Therefore, if wallets
are destroyed and re-created, it does not affect the restoration of data from tape.
When you add hosts to the administrative domain, OSB creates the wallet, keys, and
certificates for each host. No additional intervention or configuration is required. All
required wallet functionality is embedded in OSB, thereby eliminating the need for other
wallet utilities.
Every host in the domain, including the administrative server, has a private key known
only to that host that is stored with the host's identity certificate. This private key
corresponds to a public key that is made available to other hosts in the administrative
domain. Any host in the domain can use a public key to send an encrypted message to
another host, but only the host with the corresponding private key can decrypt the
message.
Oracle wallets are encrypted containers designed to store X.509 certificates. Unlike the
database encryption key wallet, the OSB wallet does not store encryption keys for data.
And OSB does not share its wallets with other Oracle products.
Besides maintaining its password-protected wallet, each host in the domain maintains an
obfuscated wallet. This version of the wallet does not require a password. The obfuscated
wallet, which is scrambled but not encrypted, enables the OSB software to run without
requiring a password during system startup.
The password for the password-protected wallet is generated by OSB and not made
available to the user. The password-protected wallet is not normally used after the
security credentials for the host have been established, because the OSB daemons use
the obfuscated wallet.
To reduce the risk of unauthorized access to obfuscated wallets, OSB does not back
them up. The obfuscated version of a wallet is named cwallet.sso. By default, the
wallet is located in the following paths:
On Linux and UNIX machines: /usr/etc/ob/wallet
On Windows machines: C:\Program Files\Oracle\Backup\db\wallet
Note
It is always a good practice to back up the encrypted wallet but not the obfuscated
wallet.
The backup data is encrypted on the client host before any transport. OSB backup
encryption protects data on tape (while onsite, offsite, or lost).
You can configure host encryption policies in OSB. There are many encryption options
available on the Configure: Hosts > host01 page that you can configure.
Encryption
You can specify encryption at the global or host level for all backup data (additionally at
backup or volume level for file-system data). If you specify the encryption level as
required, all data coming from this backup domain or this client must be encrypted. When
you want the decision to encrypt to be deferred to the next lower priority item, specify the
encryption level as allowed.
These options are specified by selecting the radio buttons required and allowed.
Algorithm
You can also specify the algorithm supported as aes128, aes192, or aes256 by selecting
the respective radio buttons. The default algorithm supported is aes192.
Rekey frequency
A client rekeyfrequency policy defines when a new key is generated. For example, the
policy might require that a new set of keys be generated every 30 days. Transparent keys
are automatically rekeyed. For keys that depend on a passphrase, you receive an email
notification. Additionally, OSB writes a message to the log files and the display output.
These options are specified by selecting the radio buttons duration, never, system default,
and per backup. With the duration option, you can also specify the number of days, weeks,
or months.
Key type
You can specify the Key type as transparent or passphrase. Transparent keys are
randomly generated and passphrase keys are generated based on your passphrase.
This is specified by selecting the radio buttons transparent and use passphrase. With the
use passphrase option, you can also have the passphrase verified.
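The next block is an added Python illustration, not OSB code (OSB's own key handling is internal), of the two key types and the rekey frequency policy just described: a transparent key is random bytes of the AES key length in use, a passphrase key is derived deterministically from the passphrase, and a rekeyfrequency rule decides when either must be replaced. The PBKDF2-HMAC-SHA256 derivation, the 30-day month, and the sample dates are assumptions of the example.

```python
"""Illustration of the two OSB key types and the rekey-frequency policy.

Added example for this page, not Oracle Secure Backup code. PBKDF2-HMAC-SHA256
as the derivation function and "1 month = 30 days" are ASSUMPTIONS.
"""
import hashlib
import secrets
from datetime import date

# AES key lengths named on the page; aes192 is the page's default algorithm.
KEY_BITS = {"aes128": 128, "aes192": 192, "aes256": 256}
# Rekey duration units from the page; a month is approximated as 30 days (ASSUMPTION).
DAYS_PER_UNIT = {"days": 1, "weeks": 7, "months": 30}


def transparent_key(algorithm: str = "aes192") -> bytes:
    """Transparent key: random bytes, so rekeying needs no human input."""
    return secrets.token_bytes(KEY_BITS[algorithm] // 8)


def passphrase_key(passphrase: str, salt: bytes, algorithm: str = "aes192",
                   iterations: int = 200_000) -> bytes:
    """Passphrase key: derived deterministically, so the same passphrase and
    salt reproduce the key, and a rekey needs a new passphrase from a person.
    PBKDF2-HMAC-SHA256 is this example's choice, not OSB's documented scheme."""
    if len(salt) < 16:
        raise ValueError("use at least 16 bytes of random salt")
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               iterations, dklen=KEY_BITS[algorithm] // 8)


def rekey_due(created: str, today: str, policy: str, duration: tuple = None) -> bool:
    """Evaluate a rekeyfrequency setting for a key created on `created`.

    policy is 'never', 'per backup' or 'duration'; for 'duration' pass
    (count, unit) such as (30, 'days') or (1, 'months'). Dates are ISO strings.
    """
    if policy == "never":
        return False
    if policy == "per backup":
        return True
    if policy == "duration":
        count, unit = duration
        age = (date.fromisoformat(today) - date.fromisoformat(created)).days
        return age >= count * DAYS_PER_UNIT[unit]
    raise ValueError(f"unknown rekey policy {policy!r}")


def rekey_action(key_type: str, created: str, today: str, policy: str,
                 duration: tuple = None) -> str:
    """What the page says happens at rekey time for each key type."""
    if not rekey_due(created, today, policy, duration):
        return "keep"
    if key_type == "transparent":
        return "rekeyed automatically"
    if key_type == "passphrase":
        return "notify administrator: new passphrase required"
    raise ValueError(f"unknown key type {key_type!r}")


if __name__ == "__main__":
    salt = secrets.token_bytes(16)  # constructed; store it with the key metadata
    print(len(transparent_key("aes256")) * 8, "bit transparent key")
    print(passphrase_key("correct horse battery staple", salt, "aes128").hex())
    print(rekey_action("passphrase", "2024-01-01", "2024-02-05", "duration", (30, "days")))
```

The practical difference the functions make visible: a transparent key can be rotated silently on schedule, while a passphrase key stops the rotation at a human step, which is why the page says you receive an e-mail and a log message for that key type.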
Certificate keys define the level of security for host authentication and are not related to
backup encryption. The certificate key size is set to 1024 in the Certificate key size (in
bits) field.
Each newly created client gets an automatically generated key during the mkhost phase.
It remains valid for encryption until
RMAN encryption
Note
RMAN encryption is available with Advanced Security Option.
There are many differences between the OSB and RMAN encryption features:
backup data
OSB encryption is used for RMAN backup data (Oracle 9i and higher) and file-system
data.
RMAN encryption, however, is used only for RMAN backup data.
level
OSB encryption for RMAN backup data is done at the global or host level. For file-system
data, encryption is done at the global, host, backup, or volume level.
RMAN can encrypt backups of Oracle Database at the database or tablespace level.
location
OSB encrypts data on the client host. While encryption occurs outside the database, the
data is encrypted prior to transport over the network or prior to being written to a locally
attached tape device.
RMAN encrypts the backup data within the database. This is generally faster than the OSB
encryption.
encryption keys
OSB encryption keys are managed by OSB and stored in host-specific encrypted key
stores on an administrative server.
The RMAN encryption keys are stored in database wallets and are managed by the
database.
algorithms
The encryption algorithms used for OSB encryption are AES128, AES192 (default), and
AES256. Embedded SSL technology provides secure transport of backup data and
messages between two-way authenticated servers.
RMAN encryption uses encryption algorithms up to 256-bit AES.
decryption
For decryption within the same domain, you do not have to provide a passphrase in OSB
encryption.
However, in RMAN encryption, you must provide passwords for decryption.
special requirements
OSB encryption does not require the Advanced Security Option.
RMAN-encrypted backups, however, require the Advanced Security Option.
When OSB encounters RMAN encrypted backups, it does not perform any additional
encryption.
Question
Identify the features of RMAN encryption.
Options:
1.
2.
3. It can encrypt backups of Oracle Database on the database or tablespace level
4. It requires the Advanced Security Option
Answer
Option 1: This option is incorrect. OSB encrypts data on the client host. Because
there is no client software installation on NAS, NAS data cannot be encrypted by
OSB.
Option 2: This option is incorrect. With OSB encryption, embedded SSL
technology provides secure transport of backup data and messages between
two-way authenticated servers.
Option 3: This option is correct. RMAN can encrypt backups of Oracle Database
on the database or tablespace level. RMAN encrypts the backup data within the
database.
Option 4: This option is correct. RMAN encryption backups require the Advanced
Security Option, which offers a high level of security by supporting numerous
encryption standards.
Correct answer(s):
3. It can encrypt backups of Oracle Database on the database or tablespace level
4. It requires the Advanced Security Option
Summary
In this topic, you've learned how authentication works with OSB and how OSB encryption
works.
Exercise overview
Now that you have successfully installed the Oracle Secure Backup software, you want to
ensure the security requirements of your organization are implemented with OSB. You
want to limit access to the OSB domain and make sure that tapes are encrypted at all
times, whether they are onsite, in off-site storage, or even lost.
In this exercise, you're required to create a user, configure preauthorization, and
configure a host encryption policy.
This involves the following tasks:
creating a user
configuring preauthorization
configuring a host encryption policy
Steps list
Instructions
Creating a user
1. Click Users
2. Click Add
3. Type oracle in the User and Password text boxes
4. Select oracle from the User class drop-down list
5. Type oracle in the UNIX name text box
6. Type dba in the UNIX group text box
7. Select no from the NDMP server user drop-down list
8. Click Apply
Configuring preauthorization
1. Click Preauthorized Access
2. Type * in the OS username text box
3. Select rman from the Attributes list box
4. Click Add
Configuring a host encryption policy
1. Click Configure
2. Click Hosts
3. Select localhost2 and click Edit
4. Select the required radio button associated with Encryption
5. Click Apply
6. Click OK