三种Oracle RMAN备份加密策略(下)

说明:本篇参考eygle老师的作品《Oracle DBA手记4:数据安全警示录》,特此表示感谢。

 


3

 、  Oracle Wallet  加密策略    

 

Oracle Wallet是一种加密安全策略,过去我们在TDE(Oracle透明加密)部分研究过这个组件。简单的说,Oracle Wallet就是在本机上配置一个加密配置文件,通过SQL命令控制Oracle Wallet的开启关闭状态,如果Wallet关闭或者不存在,那么一些加密的信息(包括TDE和RMAN备份集合)数据就不能正常打开。

 

使用Oracle Wallet应用在RMAN备份中,可以实现类似的透明策略。而且,备份集合只能在相同的服务器(借助Wallet文件)才能正确打开。

 

首先,我们需要创建Oracle Wallet。注意:笔者使用的GI单实例ASM策略,监听器是从Grid里面执行的。

 

 

[oracle@NCR-Standby-Asm ~]$ lsnrctl status

 

LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 08-JUN-2015 13:49:47

 

Copyright (c) 1991, 2013, Oracle.  All rights reserved.

 

Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))

STATUS of the LISTENER

------------------------

Alias                     LISTENER

Version                   TNSLSNR for Linux: Version 11.2.0.4.0 - Production

Start Date                25-MAY-2015 17:39:56

Uptime                    13 days 20 hr. 9 min. 51 sec

Trace Level               off

Security                  ON: Local OS Authentication

SNMP                      OFF

Listener Parameter File   /u01/app/grid/product/11.2.0/grid/network/admin/listener.ora

Listener Log File         /u01/app/grid/diag/tnslsnr/NCR-Standby-Asm/listener/alert/log.xml

Listening Endpoints Summary...

  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521)))

  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=localhost)(PORT=1521)))

Services Summary...

Service "+ASM" has 1 instance(s).

  Instance "+ASM", status READY, has 1 handler(s) for this service...

Service "sicsstb" has 1 instance(s).

  Instance "sicsstb", status READY, has 1 handler(s) for this service...

Service "sicsstbXDB" has 1 instance(s).

  Instance "sicsstb", status READY, has 1 handler(s) for this service...

The command completed successfully

 

 

设置wallet目录位置,需要修改sqlnet.ora文件,加入特定的参数路径信息。注意:虽然监听器指向的是Grid目录位置。但是修改的sqlnet.ora文件,一定是Oracle Instance目录下的sqlnet.ora文件。否则自动创建秘钥文件过程会失败。

 

 

 

[oracle@NCR-Standby-Asm ~]$ cd $ORACLE_HOME/network/admin

[oracle@NCR-Standby-Asm admin]$ ls -l

total 24

drwxrwxr-x 2 oracle oinstall 4096 May  5 10:03 samples

-rwxrwxr-x 1 oracle oinstall  381 Dec 17  2012 shrept.lst

-rwxrwxr-x 1 oracle oinstall  327 Jun  8 15:32 sqlnet1506083PM3230.bak

-rwxrwxr-x 1 oracle oinstall  327 Jun  8 14:29 sqlnet.ora

-rwxrwxr-x 1 oracle oinstall  340 Jun  8 15:32 tnsnames1506083PM3230.bak

-rwxrwxr-x 1 oracle oinstall  340 Jun  8 16:19 tnsnames.ora

 

[oracle@NCR-Standby-Asm admin]$ cat sqlnet.ora

# Generated by Oracle configuration tools.

 

NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)

 

ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/u02/app/oracle/admin/sicsstb/WALLET)))

 

 

进入sqlplus创建wallet文件。

 

 

[oracle@NCR-Standby-Asm admin]$ sqlplus /nolog

 

SQL*Plus: Release 11.2.0.4.0 Production on Mon Jun 8 14:29:28 2015

 

Copyright (c) 1982, 2013, Oracle.  All rights reserved.

 

SQL> conn / as sysdba

Connected.

 

SQL> alter system set encryption key authenticated by "test";

System altered.

 

 

确定wallet文件生成。

 

[oracle@NCR-Standby-Asm admin]$ pwd

/u02/app/oracle/product/11.2.0/dbhome_1/network/admin

 

[oracle@NCR-Standby-Asm admin]$ cd /u02/app/oracle/admin/sicsstb/WALLET

[oracle@NCR-Standby-Asm WALLET]$ ls -l

total 4

-rw-r--r-- 1 oracle asmadmin 2845 Jun  8 14:29 ewallet.p12

 

 

尝试关闭开启钱包操作。

 

 

SQL> alter system set encryption wallet close identified by "test";

System altered

 

SQL> alter system set encryption wallet open identified by "test"; --把wallet打开了

System altered

 

 

配置加密备份过程。

 

 

RMAN> configure encryption for database on;

 

new RMAN configuration parameters:

CONFIGURE ENCRYPTION FOR DATABASE ON;

new RMAN configuration parameters are successfully stored

 

RMAN> set encryption on;

executing command: SET encryption

 

 

备份数据库,注意此时wallet开启。

 

 

RMAN> backup database;

 

Starting backup at 08-JUN-15

using channel ORA_DISK_1

(篇幅原因,有省略……)

Starting Control File and SPFILE Autobackup at 08-JUN-15

piece handle=+RECO/sicsstb/autobackup/2015_06_08/s_881858264.262.881858265 comment=NONE

Finished Control File and SPFILE Autobackup at 08-JUN-15

 

 

备份操作是成功的,但是如果我们关闭了钱包,备份操作如何呢?

 

 

SQL> alter system set encryption wallet close identified by "test";

System altered

 

 

备份过程:

 

 

RMAN> backup database;

 

Starting backup at 08-JUN-15

using channel ORA_DISK_1

channel ORA_DISK_1: starting full datafile backup set

(篇幅原因,有省略……)

RMAN-00571: ===========================================================

RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============

RMAN-00571: ===========================================================

RMAN-03009: failure of backup command on ORA_DISK_1 channel at 06/08/2015 16:39:38

ORA-19914: unable to encrypt backup

ORA-28365: wallet is not open

 

 

恢复过程测试。

 

 

RMAN> startup mount;

 

connected to target database (not started)

Oracle instance started

database mounted

 

Total System Global Area    1603411968 bytes

Fixed Size                     2253664 bytes

Variable Size               1006636192 bytes

Database Buffers             587202560 bytes

Redo Buffers                   7319552 bytes

 

 

RMAN> restore database;

 

Starting restore at 08-JUN-15

allocated channel: ORA_DISK_1

channel ORA_DISK_1: SID=131 device type=DISK

(篇幅原因,有省略……)

RMAN-00571: ===========================================================

RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============

RMAN-00571: ===========================================================

RMAN-03002: failure of restore command at 06/08/2015 16:41:19

ORA-19870: error while restoring backup piece +RECO/sicsstb/backupset/2015_06_08/nnndf0_tag20150608t163709_0.261.881858229

ORA-19913: unable to decrypt backup

ORA-28365: wallet is not open

 

 

不开钱包,就不能进行还原。

 

 

SQL> alter system set encryption wallet open identified by "test";

 

System altered

 

 

RMAN> restore database;

 

Starting restore at 08-JUN-15

using channel ORA_DISK_1

 

channel ORA_DISK_1: starting datafile backup set restore

(篇幅原因,有省略…….)

channel ORA_DISK_1: restored backup piece 1

channel ORA_DISK_1: restore complete, elapsed time: 00:00:35

Finished restore at 08-JUN-15

 

RMAN> recover database;

 

Starting recover at 08-JUN-15

using channel ORA_DISK_1

 

starting media recovery

media recovery complete, elapsed time: 00:00:01

Finished recover at 08-JUN-15

 

 

这种方式比较适合本地数据恢复,如果本地异地恢复结合的方式,建议使用第三种混合策略。

 

4、混合加密策略

 

混合加密策略其实就是前面两种策略的集合。如果本地备份恢复,就可以使用wallet进行透明操作。如果是异地恢复,可以使用密码策略。

 

首先设置encryption参数。

 

 

RMAN> set encryption off;      

 

executing command: SET encryption

 

RMAN> set encryption on identified by "test"; --注意:此处没有only了。

 

executing command: SET encryption

 

 

重启还原。

 

 

RMAN> shutdown immediate;

 

database closed

database dismounted

Oracle instance shut down

 

RMAN> startup mount;

 

connected to target database (not started)

Oracle instance started

database mounted

 

Total System Global Area    1603411968 bytes

 

Fixed Size                     2253664 bytes

Variable Size               1006636192 bytes

Database Buffers             587202560 bytes

Redo Buffers                   7319552 bytes

 

 

 

RMAN> restore database;

 

Starting restore at 08-JUN-15

allocated channel: ORA_DISK_1

channel ORA_DISK_1: SID=131 device type=DISK

 

channel ORA_DISK_1: starting datafile backup set restore

channel ORA_DISK_1: specifying datafile(s) to restore from backup set

channel ORA_DISK_1: restoring datafile 00001 to +DATA/sicsstb/datafile/system.267.881856977

channel ORA_DISK_1: restoring datafile 00002 to +DATA/sicsstb/datafile/sysaux.268.881856977

channel ORA_DISK_1: restoring datafile 00003 to +DATA/sicsstb/datafile/undotbs1.269.881856977

channel ORA_DISK_1: restoring datafile 00004 to +DATA/sicsstb/datafile/users.270.881856977

channel ORA_DISK_1: reading from backup piece +RECO/sicsstb/backupset/2015_06_08/nnndf0_tag20150608t163709_0.261.881858229

RMAN-00571: ===========================================================

RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============

RMAN-00571: ===========================================================

RMAN-03002: failure of restore command at 06/08/2015 16:47:42

ORA-19870: error while restoring backup piece +RECO/sicsstb/backupset/2015_06_08/nnndf0_tag20150608t163709_0.261.881858229

ORA-19913: unable to decrypt backup

ORA-28365: wallet is not open

 

 

启动钱包。

 

 

SQL> alter system set encryption wallet open identified by "test";

System altered

 

 

之后恢复正常。

 

5、结论

 

安全是当今信息技术的一个大课题,需要从技术、管理、制度和人员多层面进行配置规划,设置标准的流程规范。


上一篇:undo表空间文件丢失恢复(1)--有备份


下一篇:ORACLE 只读数据文件备份与恢复