OCA/OCP Oracle 数据库12c考试指南读书笔记：第28章: Encrypting, Securing, Monitoring, and Tuning RMAN Backups

本文主要是介绍OCA/OCP Oracle 数据库12c考试指南读书笔记：第28章: Encrypting, Securing, Monitoring, and Tuning RMAN Backups，希望对大家解决编程问题提供一定的参考价值，需要的开发者们随着小编来一起学习吧！

RMAN的高级功能，包括加密，口令或wallet保护。
OSB（Oracle Secure Backup）是基于RMAN的磁带备份，命令行工具为obtool。

创建加密的RMAN备份

备份加密可采取透明加密，口令加密和双模式加密。默认加密是关闭的。
以下为默认加密设置：

configure encryption for database off;
configure encryption algorithm 'ASE128';

对备份恢复的投入，取决于数据库不可用时对生成率和业务收入的影响。

配置和使用透明加密

RMAN> configure encryption for database on;new RMAN configuration parameters:
CONFIGURE ENCRYPTION FOR DATABASE ON;
new RMAN configuration parameters are successfully stored
starting full resync of recovery catalog
full resync complete

wallet必须打开，否则报错：

RMAN> backup as compressed backupset tablespace users;Starting backup at 25-DEC-19
using channel ORA_DISK_1
using channel ORA_DISK_2
using channel ORA_DISK_3
using channel ORA_DISK_4
channel ORA_DISK_1: starting compressed full datafile backup set
channel ORA_DISK_1: specifying datafile(s) in backup set
input datafile file number=00007 name=/opt/oracle/oradata/ORCLCDB/users01.dbf
channel ORA_DISK_1: starting piece 1 at 25-DEC-19
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03009: failure of backup command on ORA_DISK_1 channel at 12/25/2019 21:42:12
ORA-19914: unable to encrypt backup
ORA-28365: wallet is not open

修改sqlnet.ora，其中指定wallet的位置：

$ cat sqlnet.ora
NAME.DIRECTORY_PATH= (TNSNAMES, EZCONNECT, HOSTNAME)ENCRYPTION_WALLET_LOCATION= (SOURCE=(METHOD=FILE)(METHOD_DATA= (DIRECTORY=/opt/oracle/product/19c/dbhome_1/network/admin/wallet)))

创建wallet：

administer key management create keystore '/opt/oracle/product/19c/dbhome_1/network/admin/wallet' identified by "Welcome1";

$ rman target / catalog rcat_owner/Welcome1@rcatRecovery Manager: Release 19.0.0.0.0 - Production on Wed Dec 25 22:13:32 2019
Version 19.3.0.0.0Copyright (c) 1982, 2019, Oracle and/or its affiliates.  All rights reserved.connected to target database: ORCLCDB (DBID=2795391422)
connected to recovery catalog databaseRMAN> backup as compressed backupset tablespace users;Starting backup at 25-DEC-19
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=49 device type=DISK
allocated channel: ORA_DISK_2
channel ORA_DISK_2: SID=283 device type=DISK
allocated channel: ORA_DISK_3
channel ORA_DISK_3: SID=67 device type=DISK
allocated channel: ORA_DISK_4
channel ORA_DISK_4: SID=39 device type=DISK
channel ORA_DISK_1: starting compressed full datafile backup set
channel ORA_DISK_1: specifying datafile(s) in backup set
input datafile file number=00007 name=/opt/oracle/oradata/ORCLCDB/users01.dbf
channel ORA_DISK_1: starting piece 1 at 25-DEC-19
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03009: failure of backup command on ORA_DISK_1 channel at 12/25/2019 22:14:12
ORA-19914: unable to encrypt backup
ORA-28361: master key not yet set

若报错ORA-28365: wallet is not open，则执行以下：

SQL> administer key management set keystore open identified by "Welcome1";

若报错ORA-28361: master key not yet set，则执行以下：

SQL> administer key management set key identified by Welcome1 with backup container=ALL;
SQL> select * from V$ENCRYPTION_WALLET;WRL_TYPE             WRL_PARAMETER        STATUS                         WALLET_TYPE          WALLET_OR KEYSTORE FULLY_BAC     CON_ID
-------------------- -------------------- ------------------------------ -------------------- --------- -------- --------- ----------
FILE                 /opt/oracle/product/ OPEN                           PASSWORD             SINGLE    NONE     NO                 119c/dbhome_1/network/admin/wallet/FILE                                      CLOSED                         UNKNOWN              SINGLE    UNITED   UNDEFINED          2
FILE                                      CLOSED                         UNKNOWN              SINGLE    UNITED   UNDEFINED          3

备份成功：

RMAN> backup as compressed backupset tablespace users;Starting backup at 26-DEC-19
using channel ORA_DISK_1
using channel ORA_DISK_2
using channel ORA_DISK_3
using channel ORA_DISK_4
channel ORA_DISK_1: starting compressed full datafile backup set
channel ORA_DISK_1: specifying datafile(s) in backup set
input datafile file number=00007 name=/opt/oracle/oradata/ORCLCDB/users01.dbf
channel ORA_DISK_1: starting piece 1 at 26-DEC-19
channel ORA_DISK_1: finished piece 1 at 26-DEC-19
piece handle=/u02/fra/backups/ORCLCDB_20191226_4jukdtsp tag=TAG20191226T203121 comment=NONE
channel ORA_DISK_1: backup set complete, elapsed time: 00:00:01
Finished backup at 26-DEC-19Starting Control File and SPFILE Autobackup at 26-DEC-19
piece handle=/u02/fra/ORCLCDB/autobackup/2019_12_26/o1_mf_s_1028061086_h09b0ydn_.bkp comment=NONE
Finished Control File and SPFILE Autobackup at 26-DEC-19

使用口令加密

如果加密时使用多个口令，解密时可指定多个口令。

set encryption identified by "PWDWelcome1";
set decryption identified by "PWDWelcome1";

使用双模式加密

双模式解密时，可以用密码或wallet。因此如果key store打不开也没有关系。

set decryption on identified by "PWDWelcome1";
set decryption on identified by "PWDWelcome1" only;
RMAN> show encryption algorithm;RMAN configuration parameters for database with db_unique_name ORCLCDB are:
CONFIGURE ENCRYPTION ALGORITHM 'AES128'; # default

配置和使用ORACLE SECURE BACKUP（OSB）

OSB除数据库外，还支持文件系统。
OSB包括Admin Server，Media Server和Client（备份目标） 三个组件。

安装和配置OSB

OSB有自己的catalog，非数据库形式。安装中包括命令行工具obtool。

OSB中使用RMAN

数据库安装中包含的OSB库：

$ ls $ORACLE_HOME/lib/libosb*
/opt/oracle/product/19c/dbhome_1/lib/libosbws.so

obtool 命令

略。

监控和调优RMAN性能

监控和调优通常是事后来做，但有时也必须提前规划。例如：7x24运营使备份窗口越来越小，新应用增加了对带库的需求，数据库恢复时间需加快已满足SLA。

监控RMAN会话和任务

使用V$SESSION 和 V$PROCESS来确定与RMAN通道对应的操作系统进程。
V$SESSION_LONGOPS查看备份进度。
RMAN命令也支持调试。

使用V$SESSION 和V$PROCESS

V$PROCESS的每一行表示连接到数据库的一个操作系统进程。
V$PROCESS包括会话的详细信息，如SQL，用户名等。
这些会话也包括RMAN会话。

在RMAN中运行命令：

run {
allocate channel ch1 type disk;
allocate channel ch2 type disk;
backup as compressed backupset tablespace users;
}

然后在数据库中监控：

SQL> select sid, spid, client_info from v$process p join v$session s on (p.addr=s.paddr) where client_info like '%rman%';SID SPID                     CLIENT_INFO
---------- ------------------------ ------------------------------------275 6978                     rman channel=ch136 6980                     rman channel=ch2

如果备份任务结束但RMAN未退出，则SPID仍在，但无CLIENT_INFO。
如果有多个RMAN命令，进程可以通过set command id to 'bkup users';区分：

SQL> select sid, spid, client_info from v$process p join v$session s on (p.addr=s.paddr) where client_info like '%rman%';SID SPID                     CLIENT_INFO
---------- ------------------------ ------------------------------------275 6978                     id=bkup users,rman channel=ch136 6980                     id=bkup users,rman channel=ch2

使用V$SESSION_LONGOPS

此视图不仅仅针对RMAN，只要执行时间超过6秒的均在此视图中。
例如执行数据库全备时：

SQL> select opname, sofar, totalwork, units, time_remaining from v$session_longops where time_remaining > 0;OPNAME                                    SOFAR  TOTALWORK UNITS                            TIME_REMAINING
------------------------------------ ---------- ---------- -------------------------------- --------------
RMAN: full datafile backup                81278      96000 Blocks                                        9
RMAN: full datafile backup                10494      34560 Blocks                                       23
RMAN: aggregate input                     88320     470720 Blocks                                      165
RMAN: full datafile backup                58238     117760 Blocks                                       48
RMAN: full datafile backup                10110      37120 Blocks                                       27SQL> select opname, sofar, totalwork, units, time_remaining from v$session_longops where time_remaining > 0;OPNAME                                    SOFAR  TOTALWORK UNITS                            TIME_REMAINING
------------------------------------ ---------- ---------- -------------------------------- --------------
RMAN: full datafile backup                17662      34560 Blocks                                       17
RMAN: aggregate input                     88320     470720 Blocks                                      165
RMAN: full datafile backup                63358     117760 Blocks                                       47
RMAN: full datafile backup                16254      37120 Blocks                                       23

调试RMAN性能

可分配多个channel，因每一channel对应一个操作系统进程，因此可并行处理提升性能。

识别备份和恢复步骤

步骤包括：

• 读取（从磁盘到输入buffer）
• 拷贝（从输入buffer到输出buffer）
• 验证，非CPU密集型操作
• 压缩，CPU密集型操作
• 加密，CPU密集型操作
• 写盘（从输出buffer到输出设备）

并行Backupsets

分配多个channel实施并行是最简单的提升性能方式，不过channel的数量不应超过物理设备的数量。
对一个物理设备分配多个channel并无效果。由于ASM 磁盘组通常有多个物理设备支撑，则可以分配多个channel。
例如：

run {
allocate channel dc1 device type disk;
allocate channel dc2 device type disk;
allocate channel dc3 device type disk;
backup incremental level 0
(datafile 1,2,9 channel dc1)
(datafile 3,8,7 channel dc1)
(datafile 4,5,6 channel dc1)
as compressed backupset;
}

数据文件也可指定路径名：

(datafile '/u01/oradata/user02.dbf' channel dc1)

也可自动为每一类设备指定并行：

configu device type disk parallelism 3;

理解RMAN Multiplexing

也称为多路复用，是指从多个输入文件读，但写向同一backupset。image copy不支持多路复用。
FILESPERSET 和 MAXOPENFILES两个参数控制。前者表示backupset中可包括的输入文件数，实际的多路复用数是两个参数中较小值。

调优RMAN Channel

CONFIGURE CHANNEL 和ALLOCATE CHANNEL调节单个channel，两个命令均支持以下参数：

• MAXPIECESIZE - backup peice的最大尺寸
• RATE - 读取速率，限流而非提速
• MAXOPENFILES - 每channel最大打开输入文件数

调优BACKUP命令

BACKUP命令是针对所有Channel的。
BACKUP命令支持的与调优相关参数为：

• MAXPIECESIZE - 每channel的backup piece的最大尺寸
• FILESPERSET - 每backupset的最大文件数
• MAXOPENFILES - 每channel最大打开输入文件数
• BACKUP DURATION - 完成备份的时间

BACKUP DURATION限制了备份的时长，如果备份未完成，使用partial参数可是备份并不报错：

backup duration 2:00 partial database;

这篇关于OCA/OCP Oracle 数据库12c考试指南读书笔记：第28章: Encrypting, Securing, Monitoring, and Tuning RMAN Backups的文章就介绍到这儿，希望我们推荐的文章对编程师们有所帮助！

---