Product Documentation

Abstract

Beginning in IBM Spectrum Protect version 8.1.2, several enhancements to security settings were introduced that are relevant when an IBM Spectrum Protect™ client connects to an IBM Spectrum Protect server version 8.1.2 and later. With these new security settings, a V8.1.2 client communicating with a V8.1.2 server must use Secure Sockets Layer (SSL)-based secure communications between the IBM Spectrum Protect client and server.

These security enhancements are relevant for IBM Spectrum Protect for Databases: Data Protection for Oracle because they affect how you configure the Data Protection for Oracle password files (and associated access permissions) using the tdpoconf utility.
Content

In the IBM Spectrum Protect for Databases: Data Protection for Oracle User's guide for Windows and IBM Spectrum Protect for Databases: Data Protection for Oracle User's guide for UNIX and Linux, configuration settings are described in the Configuration with Default Settings topic.

Below, the steps that relate to the configuration of password files are updated to describe the impact of the new security settings and SSL-based communications.

This updated topic will also be published with the next release of IBM Spectrum Protect for Databases: Data Protection for Oracle.
Configuration with default settings

Use the Data Protection for Oracle quick configuration option to quickly configure with default settings and minimal configuration tasks. Setup time is minimized and you proceed quickly to a state where you can begin backing up your Oracle databases.
Before you begin

Install Data Protection for Oracle. For detailed installation instructions, see Data Protection for Oracle installation.

After Data Protection for Oracle is installed, make sure that the following link exists:

    $ORACLE_HOME/lib/libobk.a -> /usr/lib/libobk64.a

Note: If you are using Linux as your operating system, this link is not required.
About this task

Use the instructions to configure Data Protection for Oracle. Change the listed installation paths and library extensions according to the operating system you are using.

See Configuring Data Protection for Oracle for detailed instructions on how to customize Data Protection for Oracle for your environment and processing needs.

To use Secure Sockets Layer (SSL)-based secure communications, each client must use a server certificate that is self-signed by IBM Spectrum Protect. For more information about configuring and accessing server certificates, see Configuring IBM Spectrum Protect client/server communication with Secure Sockets Layer.
Procedure

1. Depending on your operating system, change to one of the following directories:
   - AIX 64-bit operating system: /usr/tivoli/tsm/client/oracle/bin64
   - Linux operating system: /opt/tivoli/tsm/client/oracle/bin64
   - Windows 64-bit Server system: C:\Program Files\Tivoli\TSM\AgentOBA64
2. Copy the tdpo.opt.smp file to tdpo.opt.

3. Edit the tdpo.opt file to include these options:

   For UNIX and Linux, these instructions use AIX 64-bit as the example operating system.

       dsmi_orc_config /usr/tivoli/tsm/client/oracle/bin64/dsm.opt
       dsmi_log <directory with write permissions>

   For Windows, these instructions use a 64-bit Windows Server system as the example operating system.

       dsmi_orc_config C:\Program Files\Tivoli\TSM\AgentOBA64\dsm.opt
       dsmi_log C:\Program Files\Tivoli\TSM\AgentOBA64

   For more information about these options, see Available Data Protection for Oracle options.
4. Create a dsm.opt file as follows:

   UNIX and Linux: In the /usr/tivoli/tsm/client/oracle/bin64 directory, create a dsm.opt file, then edit the file to include the following server stanza:

       servername TSMOracle

   For more information about this option and the dsm.opt file, see Define IBM Spectrum Protect options in the client options file.

   Windows: In the C:\Program Files\Tivoli\TSM\AgentOBA64 directory, copy the dsm.smp file to dsm.opt. Edit the dsm.opt file to include these options:

       commmethod TCPip
       tcpserveraddress x.x.x.x
       passwordaccess generate
       nodename hostname_oracle

   Replace x.x.x.x with the IP address of the IBM Spectrum Protect server to which Data Protection for Oracle backs up data.

   For more information about these options and the dsm.opt file, see Define IBM Spectrum Protect options in the client options file.

   Tip: For Oracle 12c Release 1 (12.1) and later releases, the Oracle home user that is specified on installation of the Oracle database must be granted sufficient permission to access the Windows registry. Otherwise, Data Protection for Oracle operations might fail.
5. Change the directory to /usr/tivoli/tsm/client/api/bin64. Edit the dsm.sys file to include another server stanza with the following options:

       servername TSMOracle
       tcpserveraddress site.xyzinc.com
       commmethod TCPip
       nodename NodeA1
       passwordaccess generate
       passworddir /home/oracle

   - Replace site.xyzinc.com with the IP address of the IBM Spectrum Protect server to which Data Protection for Oracle backs up data.
   - Replace /home/oracle with the Oracle database instance user's home directory. This <oracle user> must have write permissions to the specified directory.

   For more information about these options and the dsm.sys file, see Define IBM Spectrum Protect options in the client options file.
6. Register the node to the IBM Spectrum Protect server by running the following REG NODE command on the IBM Spectrum Protect server:

       REG NODE NodeA1 password maxnummp=n

   Where password is the password for this node, and n is equal to the number of channels that you are planning to use.
7. Make sure that the <oracle user> has the following permissions:

   UNIX and Linux: Read (r) permission to the following:
   - /usr/tivoli/tsm/client/oracle/bin64 and /usr/tivoli/tsm/client/api/bin64 directories
   - tdpo.opt, dsm.opt, and dsm.sys files that were created as outlined in the steps above

   Windows: Read and Write permissions to the following:
   - C:\Program Files\Tivoli\TSM\AgentOBA64 directory
   - tdpoerror.log and the directory where it is stored
8. To generate the password file, run the tdpoconf password command. For more information, see password command.
   - If you use the passwordaccess prompt setting, run the tdpoconf password command as the root user to generate the TDPO.NodeName password file.
   - If you use the passwordaccess generate setting, run the tdpoconf password command as the <oracle user> to generate the password file.

   Important: When you use SSL-based secure communication, it is recommended to use the passwordaccess generate setting.
9. Enter the same password value that was set on the server when registering the node (as in step 6 above). If you do not want to change the password when running the tdpoconf command, enter the same value at all three prompts.
   - Password files are created in the directory that is specified by the passworddir option in the dsm.sys or dsm.opt file for the Data Protection for Oracle node.
   - Depending on the client version and/or the SSL communication that is used, the following files are created:
     - TSM.PWD
     - TSM.IDX, TSM.KDB, and TSM.sth
     - spclicert.crt, spclicert.kdb, spclicert.rdb, spclicert.sth

     Note: In a UNIX or Linux environment, the case of the generated filenames (uppercase or lowercase) is relevant.
   - The following server certificate files (dsmcert files) are created:
     - dsmcert.idx
     - dsmcert.kdb
     - dsmcert.sth
   - For UNIX and Linux, the dsmcert files are created in the home/oracle directory at the following location: export/home/oracle/IBM/SpectrumProtect/certs/.
   - The dsmcert files may also be created on the backup-archive client node in the /opt/tivoli/tsm/client/ba/bin directory.
   - For Windows, the dsmcert files are created on the backup-archive client in the c:\program files\tivoli\tsm\baclient directory.
10. To access the password and server certificate files, verify the following permissions:
    - Ensure that the <oracle user> that runs the backup and restore operations has Write permission to the created password files.
    - Ensure that the <oracle user> has Read (r) permission to the backup-archive client directory (to access the dsmcert files) even if a different nodename is used for the Data Protection for Oracle node.
    - By default, local key database files have root ownership and permissions and cannot be read by other non-root users. If you plan to run the client as a non-root user, you must update the permissions. For example, to grant read access to all users and groups, run the following command:

          # chmod go+r dsmcert.*

    - For more information about configuring and accessing server certificates, see Configuring IBM Spectrum Protect client/server communication with Secure Sockets Layer.
11. Run the tdpoconf showenvironment command to view and confirm your configuration. For more information about this command, see showenvironment command.

12. As <oracle user>, run the RMAN backup script with the ENV=(TDPO_OPTFILE=/usr/tivoli/tsm/client/oracle/bin64/tdpo.opt) parameter specified.

    Important: Ensure that $HOME is set to the correct value before invoking the RMAN script.

    For example:

        run
        {
        allocate channel t1 type 'sbt_tape' parms
        'ENV=(TDPO_OPTFILE=/usr/tivoli/tsm/client/oracle/bin64/tdpo.opt)';
        backup
        filesperset 5
        format 'df_%t_%s_%p'
        (database);
        }

    Note: The allocate channel entry is divided on two lines after the parms option to accommodate page formatting.

    For more information about RMAN backup scripts, see RMAN and Data Protection for Oracle.
13. As <oracle user>, run the RMAN backup script with the ENV=(TDPO_OPTFILE=C:\Program Files\Tivoli\TSM\AgentOBA64\tdpo.opt) parameter specified.

    For example:

        run
        {
        allocate channel t1 type 'sbt_tape' parms
        'ENV=(TDPO_OPTFILE=C:\Program Files\Tivoli\TSM\AgentOBA64\tdpo.opt)';
        backup
        filesperset 5
        format 'df_%t_%s_%p'
        (database);
        }

    Note: The allocate channel entry is divided on two lines after the parms option is specified to accommodate page formatting.
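Added here as a worked example that is not part of the IBM documentation: a POSIX shell script that checks the dsm.sys stanza from step 5 for the listed options and the passwordaccess generate setting recommended with SSL, and reports dsmcert.* files that non-root users still cannot read (the condition step 10 fixes with chmod go+r). The sample dsm.sys contents, the temporary directory and the empty cert files under it are constructed for the example.

```shell
# Added example, not from the IBM documentation: check the dsm.sys stanza for
# the Data Protection for Oracle node (step 5) and the read permission on the
# dsmcert.* files (step 10). The sample dsm.sys and cert files are constructed.

# Print one option's value from the named servername stanza of a dsm.sys file.
# $1 = dsm.sys path, $2 = servername, $3 = option (matched case-insensitively)
stanza_option() {
    awk -v want="$2" -v opt="$3" '
        tolower($1) == "servername" { in_stanza = (tolower($2) == tolower(want)); next }
        in_stanza && tolower($1) == tolower(opt) { print $2; exit }' "$1"
}

# Return 0 when the stanza carries every option step 5 lists and uses
# passwordaccess generate (the setting recommended with SSL); else report.
check_stanza() {
    rc=0
    for opt in tcpserveraddress commmethod nodename passwordaccess passworddir; do
        [ -n "$(stanza_option "$1" "$2" "$opt")" ] || { echo "MISSING: $opt"; rc=1; }
    done
    pa=$(stanza_option "$1" "$2" passwordaccess | tr 'A-Z' 'a-z')
    [ "$pa" = generate ] || { echo "WARN: passwordaccess is '$pa', not generate"; rc=1; }
    return $rc
}

# Return 0 when every dsmcert.* file in directory $1 is readable by other users
# (the state after 'chmod go+r dsmcert.*'); column 8 of 'ls -l' is that bit.
certs_world_readable() {
    rc=0
    for f in "$1"/dsmcert.*; do
        [ -e "$f" ] || continue
        [ "$(ls -ld "$f" | cut -c8)" = r ] || { echo "NOT READABLE by others: $f"; rc=1; }
    done
    return $rc
}

# Build a constructed sample: the step 5 stanza plus cert files with root-style
# 600 permissions, as the key database files are created by default.
make_sample() {
    d=$(mktemp -d)
    printf '%s\n' 'servername TSMOracle' '  tcpserveraddress site.xyzinc.com' \
        '  commmethod TCPip' '  nodename NodeA1' '  passwordaccess generate' \
        '  passworddir /home/oracle' > "$d/dsm.sys"
    for ext in idx kdb sth; do : > "$d/dsmcert.$ext"; done
    chmod 600 "$d"/dsmcert.*
    echo "$d"
}

dir=$(make_sample)
check_stanza "$dir/dsm.sys" TSMOracle && echo "dsm.sys stanza: OK"
certs_world_readable "$dir" || echo "fix with: chmod go+r $dir/dsmcert.*"
```

Run it as the <oracle user> against the real /usr/tivoli/tsm/client/api/bin64/dsm.sys and the backup-archive client directory to confirm steps 5 and 10 before the first RMAN backup.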