• Oracle RMAN 口令加密测试

    一、 测试背景

    业务希望对一些不由DBA运维的数据库配置备份设置加密,密码仅由业务同事保存,必须输入密码才能进行数据恢复。

    二、 RMAN加密方法

    rman对备份提供3种常见的加密方法:

    • 仅口令加密
    • 基于wallet的加密
    • 混合加密(口令加密+wallet加密)

    考虑业务同事需要保存密码,而基于wallet的加密配置较复杂、DBA又难以接触到相关服务器,仅口令加密方式较为合适

    设置方法

    SET ENCRYPTION IDENTIFIED BY '密码' ONLY;

    注意事项:

    • 口令务必要记得,否则后续无法会恢复数据
    • 由于set命令在单个rman会话中生效,不能作为全局设置,因此需要在rman备份脚本中加入加密设置(When used outside a RUN block, attributes changed by SET remain in effect until you exit the RMAN client.)
    • 如果不加引号,密码只能设置为字符串,不能设置为纯数字,例如 SET ENCRYPTION IDENTIFIED BY 6666666 ONLY;

    • 如果不加引号,密码中的字母均会被Oracle转为大写,因此以下3个密码实际是一样的,都被转为 SOMEPWD
    1. IDENTIFIED BY somepwd
    2. IDENTIFIED BY Somepwd
    3. IDENTIFIED BY sOmEpWd

    三、 口令加密测试

    1. 构造测试数据

    SQL> create table test(a varchar2(30));
SQL> insert into test values('encrypted');

SQL> select * from test;
A
------------------------------
encrypted

    2. 备份测试

    在备份脚本中加入口令设置,其余脚本设置项按实际修改即可(完整脚本在最后)

    ...
$ORACLE_HOME/bin/rman target ${MY_CONNECT} msglog ${RMAN_LOG_FILE} append << EOF
SET ENCRYPTION ON ALGORITHM 'AES128' IDENTIFIED BY 'W6666666' ONLY;
RUN {
...

    发起备份

    ./rmanbackup.sh

    查看备份集

    [oracle@T01 Tue]$ pwd
/data/rmanbackup/Tue
[oracle@T01 Tue]$ ll -h
total 291M
-rw-r----- 1 oracle oinstall 1.5M Nov  8 14:24 arch_orcl_fk1cakhe_1_1_20221108.bkp
-rw-r----- 1 oracle oinstall 9.9M Nov  8 14:24 c-1647672351-20221108-02
-rw-r----- 1 oracle oinstall 9.9M Nov  8 14:24 c-1647672351-20221108-03
-rw-r----- 1 oracle oinstall 1.2M Nov  8 14:24 ControlFile_orcl_fl1cakhh_1_1_20221108.bkp
-rw-r----- 1 oracle oinstall 183M Nov  8 14:24 db_orcl_level_1_ff1caked_1_1_20221108.bkp
-rw-r----- 1 oracle oinstall  74M Nov  8 14:23 db_orcl_level_1_fg1caked_1_1_20221108.bkp
-rw-r----- 1 oracle oinstall 1.2M Nov  8 14:23 db_orcl_level_1_fh1caked_1_1_20221108.bkp
-rw-r----- 1 oracle oinstall 1.1M Nov  8 14:23 db_orcl_level_1_fi1caked_1_1_20221108.bkp
-rw-r----- 1 oracle oinstall 9.8M Nov  8 14:24 snapcf_orcl.f

    3. 模拟宕机

    停库

    SQL> shutdown immediate
Database closed.
Database dismounted.
ORACLE instance shut down.

    移走数据文件

    [oracle@T01 datafile]$ mv o1_mf_users_kpkw71x8_.dbf o1_mf_users_kpkw71x8_.dbf.bak
[oracle@T01 datafile]$ pwd
/data/prd/oracle/database/oradata/ORCL/datafile

    启动数据库

    SQL> startup
ORACLE instance started.

Total System Global Area 3023110144 bytes
Fixed Size                  2232192 bytes
Variable Size             637534336 bytes
Database Buffers         2365587456 bytes
Redo Buffers               17756160 bytes
Database mounted.
ORA-01157: cannot identify/lock data file 4 - see DBWR trace file
ORA-01110: data file 4:
'/data/prd/oracle/database/oradata/ORCL/datafile/o1_mf_users_kpkw71x8_.dbf'

SQL> select status from v$instance;

STATUS
------------
MOUNTED

    4. 恢复测试

    注册恢复目录

    # 这里要mv一下,否则catalog 会认不到文件
[oracle@T01 rmanbackup]$ mv Tue/ Tue1108

RMAN> catalog start with '/data/rmanbackup/Tue1108';

using target database control file instead of recovery catalog
searching for all files that match the pattern /data/rmanbackup/Tue1108
List of Files Unknown to the Database
=====================================
File Name: /data/rmanbackup/Tue1108/db_orcl_level_1_ff1caked_1_1_20221108.bkp
File Name: /data/rmanbackup/Tue1108/db_orcl_level_1_fg1caked_1_1_20221108.bkp
File Name: /data/rmanbackup/Tue1108/db_orcl_level_1_fh1caked_1_1_20221108.bkp
File Name: /data/rmanbackup/Tue1108/db_orcl_level_1_fi1caked_1_1_20221108.bkp
File Name: /data/rmanbackup/Tue1108/snapcf_orcl.f
File Name: /data/rmanbackup/Tue1108/c-1647672351-20221108-02
File Name: /data/rmanbackup/Tue1108/arch_orcl_fk1cakhe_1_1_20221108.bkp
File Name: /data/rmanbackup/Tue1108/ControlFile_orcl_fl1cakhh_1_1_20221108.bkp
File Name: /data/rmanbackup/Tue1108/c-1647672351-20221108-03

Do you really want to catalog the above files (enter YES or NO)? YES
cataloging files...
cataloging done

List of Cataloged Files
=======================
File Name: /data/rmanbackup/Tue1108/db_orcl_level_1_ff1caked_1_1_20221108.bkp
File Name: /data/rmanbackup/Tue1108/db_orcl_level_1_fg1caked_1_1_20221108.bkp
File Name: /data/rmanbackup/Tue1108/db_orcl_level_1_fh1caked_1_1_20221108.bkp
File Name: /data/rmanbackup/Tue1108/db_orcl_level_1_fi1caked_1_1_20221108.bkp
File Name: /data/rmanbackup/Tue1108/snapcf_orcl.f
File Name: /data/rmanbackup/Tue1108/c-1647672351-20221108-02
File Name: /data/rmanbackup/Tue1108/arch_orcl_fk1cakhe_1_1_20221108.bkp
File Name: /data/rmanbackup/Tue1108/ControlFile_orcl_fl1cakhh_1_1_20221108.bkp
File Name: /data/rmanbackup/Tue1108/c-1647672351-20221108-03

    恢复数据

    ① 不使用密码

    报错,符合预期

    RMAN> restore database;

Starting restore at 08-NOV-22
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=63 device type=DISK

channel ORA_DISK_1: starting datafile backup set restore
channel ORA_DISK_1: specifying datafile(s) to restore from backup set
channel ORA_DISK_1: restoring datafile 00003 to /data/prd/oracle/database/oradata/orcl/undotbs01.dbf
channel ORA_DISK_1: reading from backup piece /data/rmanbackup/Tue/db_orcl_level_1_fh1caked_1_1_20221108.bkp
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03002: failure of restore command at 11/08/2022 14:27:45
ORA-19870: error while restoring backup piece /data/rmanbackup/Tue1108/db_orcl_level_1_fh1caked_1_1_20221108.bkp
ORA-19913: unable to decrypt backup
ORA-28365: wallet is not open

    ② 使用错误密码

    RMAN> set decryption identified by 'oracle';   

executing command: SET decryption
using target database control file instead of recovery catalog

RMAN> restore database;

Starting restore at 08-NOV-22
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=63 device type=DISK
channel ORA_DISK_1: starting datafile backup set restore
channel ORA_DISK_1: specifying datafile(s) to restore from backup set
channel ORA_DISK_1: restoring datafile 00003 to /data/prd/oracle/database/oradata/orcl/undotbs01.dbf
channel ORA_DISK_1: reading from backup piece /data/rmanbackup/Tue/db_orcl_level_1_fh1caked_1_1_20221108.bkp
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03002: failure of restore command at 11/08/2022 14:31:10
ORA-19870: error while restoring backup piece /data/rmanbackup/Tue1108/db_orcl_level_1_fh1caked_1_1_20221108.bkp
ORA-19913: unable to decrypt backup
ORA-28365: wallet is not open

    ③ 使用正确密码

    RMAN> set decryption identified by 'W6666666';
executing command: SET decryption

RMAN> restore database;

Starting restore at 08-NOV-22
using channel ORA_DISK_1
channel ORA_DISK_1: starting datafile backup set restore
channel ORA_DISK_1: specifying datafile(s) to restore from backup set
channel ORA_DISK_1: restoring datafile 00003 to /data/prd/oracle/database/oradata/orcl/undotbs01.dbf
channel ORA_DISK_1: reading from backup piece /data/rmanbackup/Tue/db_orcl_level_1_fh1caked_1_1_20221108.bkp
channel ORA_DISK_1: errors found reading piece handle=/data/rmanbackup/Tue/db_orcl_level_1_fh1caked_1_1_20221108.bkp
channel ORA_DISK_1: failover to piece handle=/data/rmanbackup/Tue1108/db_orcl_level_1_fh1caked_1_1_20221108.bkp tag=LEVEL_1_DB_2022_1108_1423
channel ORA_DISK_1: restored backup piece 1
channel ORA_DISK_1: restore complete, elapsed time: 00:00:01
channel ORA_DISK_1: starting datafile backup set restore
channel ORA_DISK_1: specifying datafile(s) to restore from backup set
channel ORA_DISK_1: restoring datafile 00004 to /data/prd/oracle/database/oradata/ORCL/datafile/o1_mf_users_kpkw71x8_.dbf
channel ORA_DISK_1: reading from backup piece /data/rmanbackup/Tue/db_orcl_level_1_fi1caked_1_1_20221108.bkp
channel ORA_DISK_1: errors found reading piece handle=/data/rmanbackup/Tue/db_orcl_level_1_fi1caked_1_1_20221108.bkp
channel ORA_DISK_1: failover to piece handle=/data/rmanbackup/Tue1108/db_orcl_level_1_fi1caked_1_1_20221108.bkp tag=LEVEL_1_DB_2022_1108_1423
channel ORA_DISK_1: restored backup piece 1
channel ORA_DISK_1: restore complete, elapsed time: 00:00:01
channel ORA_DISK_1: starting datafile backup set restore
channel ORA_DISK_1: specifying datafile(s) to restore from backup set
channel ORA_DISK_1: restoring datafile 00002 to /data/prd/oracle/database/oradata/orcl/sysaux01.dbf
channel ORA_DISK_1: reading from backup piece /data/rmanbackup/Tue/db_orcl_level_1_fg1caked_1_1_20221108.bkp
channel ORA_DISK_1: errors found reading piece handle=/data/rmanbackup/Tue/db_orcl_level_1_fg1caked_1_1_20221108.bkp
channel ORA_DISK_1: failover to piece handle=/data/rmanbackup/Tue1108/db_orcl_level_1_fg1caked_1_1_20221108.bkp tag=LEVEL_1_DB_2022_1108_1423
channel ORA_DISK_1: restored backup piece 1
channel ORA_DISK_1: restore complete, elapsed time: 00:00:15
channel ORA_DISK_1: starting datafile backup set restore
channel ORA_DISK_1: specifying datafile(s) to restore from backup set
channel ORA_DISK_1: restoring datafile 00001 to /data/prd/oracle/database/oradata/orcl/system01.dbf
channel ORA_DISK_1: reading from backup piece /data/rmanbackup/Tue/db_orcl_level_1_ff1caked_1_1_20221108.bkp
channel ORA_DISK_1: errors found reading piece handle=/data/rmanbackup/Tue/db_orcl_level_1_ff1caked_1_1_20221108.bkp
channel ORA_DISK_1: failover to piece handle=/data/rmanbackup/Tue1108/db_orcl_level_1_ff1caked_1_1_20221108.bkp tag=LEVEL_1_DB_2022_1108_1423
channel ORA_DISK_1: restored backup piece 1
channel ORA_DISK_1: restore complete, elapsed time: 00:00:45
Finished restore at 08-NOV-22

RMAN> recover database;

Starting recover at 08-NOV-22
using channel ORA_DISK_1
starting media recovery
media recovery complete, elapsed time: 00:00:01
Finished recover at 08-NOV-22

RMAN> alter database open;
database opened

RMAN> 
Recovery Manager complete.

    ⑤ 验证数据

    SQL> select * from test;

A
------------------------------
encrypted

    四、 备份脚本

    默认口令加密那行是注释的,需要用取消掉即可

    1. export ORACLE_SID=mydb
    2. export MY_CONNECT='/'
    3. export ORACLE_HOME=/u01/app/oracle/product/11.2.0/db_1
    4. export MY_BACKUP_DIR=/rmanbackup
    5. export MY_OBSOLETE_DAYS=30
    6. export MY_KEEP_DAYS=8
    7. # 限制备份速度
    8. #export MY_RATE=100M
    9. ###############################################
    10. export MY_DATE=`date +%Y_%m%d_%H%M`
    11. export HOST_NAME=`hostname`
    12. export NLS_DATE_FORMAT="YYYY-MM-DD HH24:MI:SS"
    13. if [ ! -d ${MY_BACKUP_DIR} ]
    14.         then
    15.         mkdir -p ${MY_BACKUP_DIR}
    16. fi
    17. os=`uname`
    18. echo $os
    19. export TEST_FILE=${MY_BACKUP_DIR}/test.file
    20. echo 'test' > ${TEST_FILE}
    21. # 日期转为英文格式
    22. export MY_WEEK=`env LANG=en_US.UTF-8 date | awk '{print $1}'`
    23. case ${MY_WEEK} in
    24.         Sat)
    25.         export BACKUP_TYPE="INCREMENTAL LEVEL=2 CUMULATIVE "
    26.                 ;;
    27.         Sun)
    28.         export BACKUP_TYPE="INCREMENTAL LEVEL=0"
    29.                 ;;
    30.         Mon)
    31.         export BACKUP_TYPE="INCREMENTAL LEVEL=1 CUMULATIVE"
    32.                 ;;
    33.         Tue)
    34.         export BACKUP_TYPE="INCREMENTAL LEVEL=1 CUMULATIVE"
    35.                 ;;
    36.         Wed)
    37.         export BACKUP_TYPE="INCREMENTAL LEVEL=2 CUMULATIVE"
    38.                 ;;
    39.         Thu)
    40.         export BACKUP_TYPE="INCREMENTAL LEVEL=1 CUMULATIVE"
    41.                 ;;
    42.         Fri)
    43.         export BACKUP_TYPE="INCREMENTAL LEVEL=1 CUMULATIVE"
    44.                 ;;
    45.         *)
    46.         echo 'RMAN-MY_WEEK IS ERROR' > /dev/null
    47.         exit
    48.                 ;;
    49. esac
    50. export MY_LEVEL=`echo ${BACKUP_TYPE} |  awk -F"=" '{print $2}'`
    51. export MY_LEVEL_NUMBER=`echo ${MY_LEVEL} |awk '{print $1}'`
    52. export RMAN_LOG_FILE=${MY_BACKUP_DIR}/rman_log/rman_${MY_DATE}_level_${MY_LEVEL_NUMBER}.log
    53. if [ ! -d ${MY_BACKUP_DIR}/rman_log ]
    54.         then
    55.         mkdir -p ${MY_BACKUP_DIR}/rman_log
    56. fi
    57. if [ ! -d ${MY_BACKUP_DIR}/${MY_WEEK} ]
    58.         then
    59.         mkdir -p ${MY_BACKUP_DIR}/${MY_WEEK}
    60. fi
    61.  
    62.  
    63. # Starting
    64. echo 'I Started' > ${RMAN_LOG_FILE}
    65. chmod 666 ${RMAN_LOG_FILE}
    66. echo ==== started on `date` ==== >> ${RMAN_LOG_FILE}
    67. echo ==== '                '==== >> ${RMAN_LOG_FILE}
    68. echo ==== BACKUP_TYPE IS ${BACKUP_TYPE} ==== >> ${RMAN_LOG_FILE}
    69. env >> ${RMAN_LOG_FILE}
    70. $ORACLE_HOME/bin/rman target ${MY_CONNECT} msglog ${RMAN_LOG_FILE} append << EOF
    71. # 口令加密
    72. # SET ENCRYPTION ON ALGORITHM 'AES128' IDENTIFIED BY 'W6666666' ONLY;
    73. RUN {
    74. CONFIGURE RETENTION POLICY TO RECOVERY WINDOW OF ${MY_OBSOLETE_DAYS} DAYS ;
    75. CONFIGURE BACKUP OPTIMIZATION ON;
    76. CONFIGURE DEFAULT DEVICE TYPE TO DISK;
    77. CONFIGURE CONTROLFILE AUTOBACKUP ON;
    78. CONFIGURE CONTROLFILE AUTOBACKUP FORMAT FOR DEVICE TYPE DISK TO '${MY_BACKUP_DIR}/${MY_WEEK}/%F';
    79. CONFIGURE SNAPSHOT CONTROLFILE NAME TO '${MY_BACKUP_DIR}/${MY_WEEK}/snapcf_${ORACLE_SID}.f';
    80. CONFIGURE DEVICE TYPE DISK PARALLELISM 1 BACKUP TYPE TO COMPRESSED BACKUPSET;
    81. CONFIGURE DATAFILE BACKUP COPIES FOR DEVICE TYPE DISK TO 1;
    82. CONFIGURE ARCHIVELOG BACKUP COPIES FOR DEVICE TYPE DISK TO 1;
    83. CONFIGURE CHANNEL DEVICE TYPE DISK FORMAT '${MY_BACKUP_DIR}/${MY_WEEK}/%U';
    84. CONFIGURE MAXSETSIZE TO UNLIMITED;
    85. CONFIGURE ARCHIVELOG DELETION POLICY TO NONE;
    86. # 限制备份速度
    87. #ALLOCATE CHANNEL ch00 DEVICE TYPE DISK RATE=${MY_RATE};
    88. #ALLOCATE CHANNEL ch01 DEVICE TYPE DISK RATE=${MY_RATE};
    89. #ALLOCATE CHANNEL ch02 DEVICE TYPE DISK RATE=${MY_RATE};
    90. #ALLOCATE CHANNEL ch03 DEVICE TYPE DISK RATE=${MY_RATE};
    91. ALLOCATE CHANNEL ch00 DEVICE TYPE DISK;
    92. ALLOCATE CHANNEL ch01 DEVICE TYPE DISK;
    93. ALLOCATE CHANNEL ch02 DEVICE TYPE DISK;
    94. ALLOCATE CHANNEL ch03 DEVICE TYPE DISK;
    95.         BACKUP AS COMPRESSED BACKUPSET
    96.                 $BACKUP_TYPE
    97.                 #SKIP INACCESSIBLE
    98.                 TAG level_${MY_LEVEL_NUMBER}_db_${MY_DATE}
    99.                 FILESPERSET 10
    100.                 FORMAT '${MY_BACKUP_DIR}/${MY_WEEK}/db_${ORACLE_SID}_level_${MY_LEVEL_NUMBER}_%U_%T'
    101.         DATABASE
    102.         ;
    103.         SQL 'ALTER SYSTEM CHECKPOINT';
    104.         SQL 'ALTER SYSTEM ARCHIVE LOG CURRENT';
    105. RELEASE CHANNEL ch00;
    106. RELEASE CHANNEL ch01;
    107. RELEASE CHANNEL ch02;
    108. RELEASE CHANNEL ch03;
    109. #ALLOCATE CHANNEL ch00 DEVICE TYPE DISK RATE=${MY_RATE};
    110. ALLOCATE CHANNEL ch00 DEVICE TYPE DISK;
    111.         BACKUP
    112.                 TAG arch_${MY_DATE}
    113.                 FORMAT '${MY_BACKUP_DIR}/${MY_WEEK}/arch_${ORACLE_SID}_%U_%T'
    114.         ARCHIVELOG  ALL;
    115.         BACKUP
    116.                 TAG controlfile_${MY_DATE}
    117.                 FORMAT '${MY_BACKUP_DIR}/${MY_WEEK}/ControlFile_${ORACLE_SID}_%U_%T'
    118.         CURRENT CONTROLFILE;
    119. RELEASE CHANNEL ch00;
    120. }
    121. CONFIGURE RETENTION POLICY TO RECOVERY WINDOW OF ${MY_OBSOLETE_DAYS} DAYS ;
    122. ALLOCATE CHANNEL FOR MAINTENANCE DEVICE TYPE DISK;
    123. CROSSCHECK BACKUP;
    124. CROSSCHECK ARCHIVELOG ALL;
    125. DELETE NOPROMPT BACKUP COMPLETED BEFORE 'SYSDATE-${MY_KEEP_DAYS}';
    126. DELETE NOPROMPT OBSOLETE;
    127. DELETE NOPROMPT EXPIRED BACKUP;
    128. DELETE NOPROMPT EXPIRED BACKUPSET;
    129. DELETE NOPROMPT EXPIRED ARCHIVELOG ALL;
    130. DELETE NOPROMPT ARCHIVELOG ALL COMPLETED BEFORE 'SYSDATE-8';
    131. LIST BACKUP SUMMARY;
    132. LIST BACKUP TAG 'level_${MY_LEVEL_NUMBER}_db_${MY_DATE}';
    133. LIST BACKUP TAG 'arch_${MY_DATE}';
    134. LIST BACKUP TAG 'controlfile_${MY_DATE}';
    135. EOF
    136. echo ==== $LOGMSG stop on `date` ==== >> ${RMAN_LOG_FILE}
    137. #finish
    138. exit

    参考

    SET

    Configuring the RMAN Environment: Advanced Topics - 11g Release 2 (11.2)

  • 相关阅读:
    LeetCode算法动态规划—剑指 Offer 10- II. 青蛙跳台阶问题
    1089 Insert or Merge
    我想进阿里:通宵达旦三个月,学了这些技术点(附Java思维导图)
    信息服务上线渗透检测网络安全检查报告和解决方案
    《Mybatis 手撸专栏》第7章:SQL执行器的定义和实现
    Java:使用 Graphics2D 类来绘制图像
    猿创征文|手把手玩转docker,从入门到精通
    虚拟路由冗余协议_VRRP
    Maven3种打包方式之一maven-assembly-plugin的使用
    mysql服务器数据同步
  • 原文地址:https://blog.csdn.net/Hehuyi_In/article/details/127752006