Monday, December 20, 2021

Configuring Data Protection for Oracle when using IBM Spectrum Protect client V8.1.2 with new security settings

Product Documentation

 

Abstract

Beginning in IBM Spectrum Protect version 8.1.2, several enhancements to security settings were introduced that are relevant when an IBM Spectrum Protect™ client connects to an IBM Spectrum Protect server version 8.1.2 and later. With these new security settings, a V8.1.2 client communicating with a V8.1.2 server must use Secure Sockets Layer (SSL)-based secure communications between the IBM Spectrum Protect™ client and server.

These security enhancements are relevant for IBM Spectrum Protect for Databases: Data Protection for Oracle because they affect how you configure the Data Protection for Oracle password files (and associated access permissions) using the tdpoconf utility.

Content

In the IBM Spectrum Protect for Databases: Data Protection for Oracle User's guide for Windows and IBM Spectrum Protect for Databases: Data Protection for Oracle User's guide for UNIX and Linux, configuration settings are described in the Configuration with Default Settings topic.

Below, the steps that relate to the configuration of password files are updated to describe the impact of the new security settings and SSL-based communications.

This updated topic will also be published with the next release of IBM Spectrum Protect for Databases: Data Protection for Oracle.


Configuration with default settings

Use the Data Protection for Oracle quick configuration option to quickly configure with default settings and minimal configuration tasks. Setup time is minimized and you proceed quickly to a state where you can begin backing up your Oracle databases.

Before you begin

Install Data Protection for Oracle. For detailed installation instructions, see Data Protection for Oracle installation.



After Data Protection for Oracle is installed, make sure that the following link exists:
$ORACLE_HOME/lib/libobk.a -> /usr/lib/libobk64.a
Note: If you are using Linux as your operating system, this link is not required.

About this task

Use the instructions to configure Data Protection for Oracle. Change the listed installation paths and library extensions according to the operating system you are using.

See Configuring Data Protection for Oracle for detailed instructions on how to customize Data Protection for Oracle for your environment and processing needs.

To use Secure Sockets Layer (SSL)-based secure communications, each client must use a server certificate that is self-signed by IBM Spectrum Protect. For more information about configuring and accessing server certificates, see Configuring IBM Spectrum Protect client/server communication with Secure Sockets Layer.

Procedure

1. Depending on your operating system, change to one of the following directories:

- AIX® 64-bit operating system: /usr/tivoli/tsm/client/oracle/bin64
- Linux operating system: /opt/tivoli/tsm/client/oracle/bin64
- Windows 64-bit Server system: C:\Program Files\Tivoli\TSM\AgentOBA64

2. Copy the tdpo.opt.smp file to tdpo.opt.

3. Edit the tdpo.opt file to include these options:

For UNIX and Linux, these instructions use AIX 64-bit as the example operating system.

dsmi_orc_config /usr/tivoli/tsm/client/oracle/bin64/dsm.opt
dsmi_log <directory with write permissions>

For Windows, these instructions use a 64-bit Windows Server system as the example operating system.

dsmi_orc_config C:\Program Files\Tivoli\TSM\AgentOBA64\dsm.opt
dsmi_log C:\Program Files\Tivoli\TSM\AgentOBA64

For more information about these options, see Available Data Protection for Oracle options.

4. Create a dsm.opt file as follows:

UNIX and Linux: In the /usr/tivoli/tsm/client/oracle/bin64 directory, create a dsm.opt file, then edit the file to include the following server stanza:

servername TSMOracle

For more information about this option and the dsm.opt file, see Define IBM Spectrum Protect options in the client options file.

Windows: In the C:\Program Files\Tivoli\TSM\AgentOBA64 directory, copy the dsm.smp file to dsm.opt. Edit the dsm.opt file to include these options:

commmethod TCPip
tcpserveraddress x.x.x.x
passwordaccess generate
nodename hostname_oracle

Replace x.x.x.x with the IP address of the IBM Spectrum Protect server to which Data Protection for Oracle backs up data.

For more information about these options and the dsm.opt file, see Define IBM Spectrum Protect options in the client options file.

Tip: For Oracle 12c Release 1 (12.1) and later releases, the Oracle home user that is specified on installation of the Oracle database must be granted sufficient permission to access the Windows registry. Otherwise, Data Protection for Oracle operations might fail.

 

5. UNIX and Linux: Change the directory to /usr/tivoli/tsm/client/api/bin64. Edit the dsm.sys file to include another server stanza with the following options:

servername TSMOracle
tcpserveraddress site.xyzinc.com
commmethod TCPip
nodename NodeA1
passwordaccess generate
passworddir /home/oracle

- Replace site.xyzinc.com with the IP address of the IBM Spectrum Protect server to which Data Protection for Oracle backs up data.
- Replace /home/oracle with the Oracle database instance user's home directory. This <oracle user> must have write permissions to the specified directory.

For more information about these options and the dsm.sys file, see Define IBM Spectrum Protect options in the client options file.

6. Register the node to the IBM Spectrum Protect server by running the following REG NODE command on the IBM Spectrum Protect server:

REG NODE NodeA1 password maxnummp=n

Where password is the password for this node, and n is equal to the number of channels that you plan to use.

7. Make sure that the <oracle user> has the following permissions:

UNIX and Linux: Read (r) permission to the following:

- /usr/tivoli/tsm/client/oracle/bin64 and /usr/tivoli/tsm/client/api/bin64 directories
- tdpo.opt, dsm.opt, and dsm.sys files that were created as outlined in the steps above

Windows: Read and Write permissions to the following:

- C:\Program Files\Tivoli\TSM\AgentOBA64 directory
- tdpoerror.log and the directory where it is stored


8. To generate the password file, run the tdpoconf password command. For more information, see password command.

- If you use the passwordaccess prompt setting, run the tdpoconf password command as the root user to generate the TDPO.NodeName password file.
- If you use the passwordaccess generate setting, run the tdpoconf password command as the <oracle user> to generate the password file.

Important: When you use SSL-based secure communication, it is recommended to use the passwordaccess generate setting.


9. Enter the same password value that was set on the server when registering the node (as in step 6 above). If you do not want to change the password when running the tdpoconf command, enter the same value at all three prompts.

- Password files are created in the directory that is specified by the passworddir option in the dsm.sys or dsm.opt file for the Data Protection for Oracle node.
- Depending on the client version and the SSL communications that are used, the following files are created:
  - TSM.PWD
  - TSM.IDX, TSM.KDB, and TSM.sth
  - spclicert.crt, spclicert.kdb, spclicert.rdb, spclicert.sth

  Note: In a UNIX or Linux environment, the case of the generated file names (uppercase or lowercase) is relevant.

- The following server certificate files (dsmcert files) are created:
  - dsmcert.idx
  - dsmcert.kdb
  - dsmcert.sth

- For UNIX and Linux, the dsmcert files are created in the home/oracle directory at the following location: export/home/oracle/IBM/SpectrumProtect/certs/.
- The dsmcert files may also be created on the backup-archive client node in the /opt/tivoli/tsm/client/ba/bin directory.
- For Windows, the dsmcert files are created on the backup-archive client in the c:\program files\tivoli\tsm\baclient directory.


10. To access the password and server certificate files, verify the following permissions:

- Ensure that the <oracle user> that runs the backup and restore operations has Write permission to the created password files.
- Ensure that the <oracle user> has Read (r) permission to the backup-archive client directory (to access the dsmcert files), even if a different nodename is used for the Data Protection for Oracle node.
- By default, local key database files have root ownership and permissions and cannot be read by non-root users. If you plan to run the client as a non-root user, you must update the permissions. For example, to grant read access to all users and groups, run the following command: # chmod go+r dsmcert.*
- For more information about configuring and accessing server certificates, see Configuring IBM Spectrum Protect client/server communication with Secure Sockets Layer.
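
As an added example that is not part of the IBM document, the following POSIX shell function checks the password and dsmcert files from step 9 against the permission requirements of steps 7 and 10. It assumes a Linux host with GNU stat, and the two directory arguments are hypothetical: pass the passworddir value and the backup-archive client directory of your own installation.

```shell
#!/bin/sh
# Added example (not from the IBM document): audit the files that
# "tdpoconf password" creates (step 9) against the permissions that
# steps 7 and 10 require for the <oracle user>. Assumes a Linux host
# with GNU stat; run it as the <oracle user> so the -w tests reflect
# that account. Both directories are arguments, so the page's paths
# (passworddir, the baclient directory) are only what you pass in.
#
#   check_dp_oracle_files PASSWORDDIR CERTDIR
#
# Returns 0 when every check passes, otherwise 1 with one line per problem.

# Password files from step 9; which subset exists depends on client
# version and SSL use, so only the ones present are checked.
PASSWORD_FILES="TSM.PWD TSM.IDX TSM.KDB TSM.sth spclicert.crt spclicert.kdb spclicert.rdb spclicert.sth"
# Server certificate (dsmcert) files from step 9; all three must be readable.
CERT_FILES="dsmcert.idx dsmcert.kdb dsmcert.sth"

check_dp_oracle_files() {
    pwdir=$1; certdir=$2; rc=0; found=0
    for f in $PASSWORD_FILES; do
        p="$pwdir/$f"
        [ -e "$p" ] || continue        # file name case matters on UNIX/Linux
        found=$((found + 1))
        if [ ! -w "$p" ]; then
            echo "password file not writable by $(id -un): $p"; rc=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no password file found in $pwdir (run tdpoconf password)"; rc=1
    fi
    for f in $CERT_FILES; do
        p="$certdir/$f"
        if [ ! -e "$p" ]; then
            echo "missing certificate file: $p"; rc=1; continue
        fi
        # Key database files default to root-owned mode 600; step 10's fix
        # is "chmod go+r dsmcert.*". Check the group and other read bits.
        mode=$(stat -c '%a' "$p")
        g=$(( (mode / 10) % 10 )); o=$(( mode % 10 ))
        if [ $(( g & 4 )) -eq 0 ] || [ $(( o & 4 )) -eq 0 ]; then
            echo "mode $mode blocks non-root read: $p (fix: chmod go+r $p)"; rc=1
        fi
    done
    return $rc
}
```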


11. Run the tdpoconf showenvironment command to view and confirm your configuration. For more information about this command, see showenvironment command.

12. As <oracle user>, run the RMAN backup script with the ENV=(TDPO_OPTFILE=/usr/tivoli/tsm/client/oracle/bin64/tdpo.opt) parameter specified.

Important: Ensure that $HOME is set to the correct value before invoking the RMAN script.

For example:
run
{
allocate channel t1 type 'sbt_tape' parms
'ENV=(TDPO_OPTFILE=/usr/tivoli/tsm/client/oracle/bin64/tdpo.opt)';

backup
filesperset 5
format 'df_%t_%s_%p'
(database);
}

Note: The allocate channel entry is divided on two lines after the parms option to accommodate page formatting.

For more information about RMAN backup scripts, see RMAN and Data Protection for Oracle.

13. As <oracle user>, run the RMAN backup script with the ENV=(TDPO_OPTFILE=C:\Program Files\Tivoli\TSM\AgentOBA64\tdpo.opt) parameter specified.

For example:

run
{
allocate channel t1 type 'sbt_tape' parms
'ENV=(TDPO_OPTFILE=C:\Program Files\Tivoli\TSM\AgentOBA64\tdpo.opt)';

backup
filesperset 5
format 'df_%t_%s_%p'
(database);
}

Note: The allocate channel entry is divided on two lines after the parms option is specified to accommodate page formatting.

 
