Monday, June 29, 2020

Configuring Transparent Encryption for RMAN Backups and Performing Restore/Recovery on a Different Host

Configuring encrypted RMAN backups and performing restore/recovery on a different host

Encryption mode: Transparent Encryption of Backups

This is the default mode and uses the Oracle software keystore. The keystore is a password-protected container that stores the Transparent Data Encryption (TDE) master encryption key.

Perform encrypted RMAN backup

· TDE must be configured on the database. RMAN uses the TDE keystore referenced in sqlnet.ora.

  Refer to: Configure TDE (Transparent Data Encryption) on Oracle Single/Multi-tenant database

· Connect to the database using RMAN and perform the backup.

  To configure backup encryption permanently, use CONFIGURE ENCRYPTION FOR DATABASE ON;

  Or, in the RMAN script, execute the following command before the run block:

  RMAN> set encryption on;

· To perform restore/recovery on the same host, no other steps are needed, since the TDE keystore files are available in the same location:

  Startup nomount
  Restore the controlfile
  Mount the database
  Restore the database
  Recover the database
  Open the database

Perform restore/recovery of an encrypted RMAN backup on a different host

· Copy the RMAN disk backup to the destination server.

· In the case of a tape backup, the tape must be accessible from the destination server.

· On the destination server, set $ORACLE_HOME/network/admin/sqlnet.ora so that the TDE keystore location is defined.

  A sample sqlnet.ora looks like this:

  $ cat sqlnet.ora
  # sqlnet.ora Network Configuration File: /home/oracle/app/oracle/product/12.1.0/network/admin/sqlnet.ora
  # Generated by Oracle configuration tools.
  NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
  ENCRYPTION_WALLET_LOCATION =
    (SOURCE =(METHOD = FILE)(METHOD_DATA =
      (DIRECTORY = <path>/xxwallet)))

  DIRECTORY -> replace <path> with the actual keystore path.

· Copy the files present in the TDE keystore (the keystore location can be found in $ORACLE_HOME/network/admin/sqlnet.ora on the source database) to the destination keystore location defined above.

· Perform the restore. Here we use the DUPLICATE command with a disk backup.

  The steps and commands for the duplicate are:

  startup nomount;
  rman auxiliary /
  run
  {
  ALLOCATE AUXILIARY CHANNEL ch1 DEVICE TYPE DISK;
  DUPLICATE DATABASE TO DUPTEST BACKUP LOCATION '/stage/rman_bkp/' ;
  }

  Note: in a multitenant database, both the CDB and the PDBs are restored.

 

· For a restore from tape, below is a sample RMAN run block.

  The SBT_TAPE parms depend on the backup solution; the example below is for EMC NetWorker.

  run {
  ALLOCATE AUXILIARY CHANNEL ch1 DEVICE TYPE 'SBT_TAPE' parms 'ENV=(NSR_SERVER=<Backup Server Name>,NSR_CLIENT=oraprd01,NSR_DATA_VOLUME_POOL=<Pool Name>)';
  duplicate target database to DUPTEST until time 'SYSDATE-1' ;
  }

Issue 1

Error while performing the restore/duplicate:

ORA-19870: error while restoring backup piece /stage/rman_bkp/temp_4av3va3v_1_1
ORA-19913: unable to decrypt backup
ORA-28365: wallet is not open

Solution:

The TDE keystore was missing from the destination location. The keystore (wallet) files must be present on the destination server in the location given in its sqlnet.ora so that the restore can decrypt the RMAN backup pieces.
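As an added pre-flight check for the different-host procedure above and for Issue 1 (an example script, not from the original post): it reads the keystore directory out of ENCRYPTION_WALLET_LOCATION in sqlnet.ora and confirms that keystore files were actually copied there before the duplicate is attempted. The file names ewallet.p12 and cwallet.sso are the standard Oracle password and auto-login keystore names; the sqlnet.ora written by the demo is constructed sample data.

```shell
#!/bin/sh
# Pre-flight check before duplicating a TDE-encrypted RMAN backup on a new host.
# Added example (not from the original post): it reads the keystore directory from
# ENCRYPTION_WALLET_LOCATION in sqlnet.ora and verifies that keystore files were
# copied there, the missing step behind "ORA-28365: wallet is not open" on restore.

# Print the DIRECTORY value of ENCRYPTION_WALLET_LOCATION in the given sqlnet.ora.
# Handles the multi-line layout shown above; prints nothing if the entry is absent.
wallet_dir_from_sqlnet() {
    awk '
        /ENCRYPTION_WALLET_LOCATION/ { inblock = 1 }
        inblock && match($0, /DIRECTORY *= *[^) ]+/) {
            v = substr($0, RSTART, RLENGTH)
            sub(/DIRECTORY *= */, "", v)
            print v
            exit
        }' "$1"
}

# Succeed only if the directory exists and holds a password keystore (ewallet.p12)
# or an auto-login keystore (cwallet.sso); RMAN needs one of them open to decrypt.
keystore_ready() {
    [ -d "$1" ] || return 1
    [ -f "$1/ewallet.p12" ] || [ -f "$1/cwallet.sso" ]
}

# Combined check: returns 0 if ready, 1 if sqlnet.ora has no keystore location,
# 2 if the location is set but no keystore file has been copied there yet.
preflight() {
    wdir=$(wallet_dir_from_sqlnet "$1")
    [ -n "$wdir" ] || { echo "no ENCRYPTION_WALLET_LOCATION in $1" >&2; return 1; }
    keystore_ready "$wdir" || { echo "keystore files missing in $wdir" >&2; return 2; }
    echo "keystore present in $wdir"
}

# Demo on a constructed sqlnet.ora in a temporary directory (sample data, not a real host).
tmp=$(mktemp -d)
mkdir "$tmp/xxwallet"
cat > "$tmp/sqlnet.ora" <<EOF
NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
ENCRYPTION_WALLET_LOCATION =
  (SOURCE =(METHOD = FILE)(METHOD_DATA =
    (DIRECTORY = $tmp/xxwallet)))
EOF
preflight "$tmp/sqlnet.ora" || echo "duplicate would fail with ORA-28365 (rc=$?)"
touch "$tmp/xxwallet/cwallet.sso"   # simulate copying the keystore from the source host
preflight "$tmp/sqlnet.ora"
rm -rf "$tmp"
```

Run it on the destination host against its real sqlnet.ora once the keystore copy is done; a non-zero return means the duplicate would stop at ORA-28365.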

