三種Oracle RMAN備份加密策略（下）

 

 

說明：本篇參考eygle老師的作品《Oracle DBA手記4：資料安全警示錄》，特此表示感謝。

3

、Oracle Wallet加密策略

 

Oracle Wallet是一種加密安全策略，過去我們在TDE（Oracle透明加密）部分研究過這個元件。簡單的說，Oracle Wallet就是在本機上配置一個加密配置檔案，透過SQL命令控制Oracle Wallet的開啟關閉狀態，如果Wallet關閉或者不存在，那麼一些加密的資訊（包括TDE和RMAN備份集合）資料就不能正常開啟。

 

使用Oracle Wallet應用在RMAN備份中，可以實現類似的透明策略。而且，備份集合只能在相同的伺服器（藉助Wallet檔案）才能正確開啟。

 

首先，我們需要建立Oracle Wallet。注意：筆者使用的GI單例項ASM策略，監聽器是從Grid裡面執行的。

 

 

[oracle@NCR-Standby-Asm ~]$ lsnrctl status

 

LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 08-JUN-2015 13:49:47

 

Copyright (c) 1991, 2013, Oracle.  All rights reserved.

 

Connecting to (ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))

STATUS of the LISTENER

------------------------

Alias                     LISTENER

Version                   TNSLSNR for Linux: Version 11.2.0.4.0 - Production

Start Date                25-MAY-2015 17:39:56

Uptime                    13 days 20 hr. 9 min. 51 sec

Trace Level               off

Security                  ON: Local OS Authentication

SNMP                      OFF

Listener Parameter File   /u01/app/grid/product/11.2.0/grid/network/admin/listener.ora

Listener Log File         /u01/app/grid/diag/tnslsnr/NCR-Standby-Asm/listener/alert/log.xml

Listening Endpoints Summary...

  (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC1521)))

  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=localhost)(PORT=1521)))

Services Summary...

Service "+ASM" has 1 instance(s).

  Instance "+ASM", status READY, has 1 handler(s) for this service...

Service "sicsstb" has 1 instance(s).

  Instance "sicsstb", status READY, has 1 handler(s) for this service...

Service "sicsstbXDB" has 1 instance(s).

  Instance "sicsstb", status READY, has 1 handler(s) for this service...

The command completed successfully

 

 

設定wallet目錄位置，需要修改sqlnet.ora檔案，加入特定的引數路徑資訊。注意：雖然監聽器指向的是Grid目錄位置。但是修改的sqlnet.ora檔案，一定是Oracle Instance目錄下的sqlnet.ora檔案。否則自動建立秘鑰檔案過程會失敗。

 

 

 

[oracle@NCR-Standby-Asm ~]$ cd $ORACLE_HOME/network/admin

[oracle@NCR-Standby-Asm admin]$ ls -l

total 24

drwxrwxr-x 2 oracle oinstall 4096 May  5 10:03 samples

-rwxrwxr-x 1 oracle oinstall  381 Dec 17  2012 shrept.lst

-rwxrwxr-x 1 oracle oinstall  327 Jun  8 15:32 sqlnet1506083PM3230.bak

-rwxrwxr-x 1 oracle oinstall  327 Jun  8 14:29 sqlnet.ora

-rwxrwxr-x 1 oracle oinstall  340 Jun  8 15:32 tnsnames1506083PM3230.bak

-rwxrwxr-x 1 oracle oinstall  340 Jun  8 16:19 tnsnames.ora

 

[oracle@NCR-Standby-Asm admin]$ cat sqlnet.ora

# Generated by Oracle configuration tools.

 

NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)

 

ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/u02/app/oracle/admin/sicsstb/WALLET)))

 

 

進入sqlplus建立wallet檔案。

 

 

[oracle@NCR-Standby-Asm admin]$ sqlplus /nolog

 

SQL*Plus: Release 11.2.0.4.0 Production on Mon Jun 8 14:29:28 2015

 

Copyright (c) 1982, 2013, Oracle.  All rights reserved.

 

SQL> conn / as sysdba

Connected.

 

SQL> alter system set encryption key authenticated by "test";

System altered.

 

 

確定wallet檔案生成。

 

[oracle@NCR-Standby-Asm admin]$ pwd

/u02/app/oracle/product/11.2.0/dbhome_1/network/admin

 

[oracle@NCR-Standby-Asm admin]$ cd /u02/app/oracle/admin/sicsstb/WALLET

[oracle@NCR-Standby-Asm WALLET]$ ls -l

total 4

-rw-r--r-- 1 oracle asmadmin 2845 Jun  8 14:29 ewallet.p12

 

 

嘗試關閉開啟錢包操作。

 

 

SQL> alter system set encryption wallet close identified by "test";

System altered

 

SQL> alter system set encryption wallet open identified by "test"; --把wallet開啟了

System altered

 

 

配置加密備份過程。

 

 

RMAN> configure encryption for database on;

 

new RMAN configuration parameters:

CONFIGURE ENCRYPTION FOR DATABASE ON;

new RMAN configuration parameters are successfully stored

 

RMAN> set encryption on;

executing command: SET encryption

 

 

備份資料庫，注意此時wallet開啟。

 

 

RMAN> backup database;

 

Starting backup at 08-JUN-15

using channel ORA_DISK_1

（篇幅原因，有省略……）

Starting Control File and SPFILE Autobackup at 08-JUN-15

piece handle=+RECO/sicsstb/autobackup/2015_06_08/s_881858264.262.881858265 comment=NONE

Finished Control File and SPFILE Autobackup at 08-JUN-15

 

 

備份操作是成功的，但是如果我們關閉了錢包，備份操作如何呢？

 

 

SQL> alter system set encryption wallet close identified by "test";

System altered

 

 

備份過程：

 

 

RMAN> backup database;

 

Starting backup at 08-JUN-15

using channel ORA_DISK_1

channel ORA_DISK_1: starting full datafile backup set

（篇幅原因，有省略……）

RMAN-00571: ===========================================================

RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============

RMAN-00571: ===========================================================

RMAN-03009: failure of backup command on ORA_DISK_1 channel at 06/08/2015 16:39:38

ORA-19914: unable to encrypt backup

ORA-28365: wallet is not open

 

 

恢復過程測試。

 

 

RMAN> startup mount;

 

connected to target database (not started)

Oracle instance started

database mounted

 

Total System Global Area    1603411968 bytes

Fixed Size                     2253664 bytes

Variable Size               1006636192 bytes

Database Buffers             587202560 bytes

Redo Buffers                   7319552 bytes

 

 

RMAN> restore database;

 

Starting restore at 08-JUN-15

allocated channel: ORA_DISK_1

channel ORA_DISK_1: SID=131 device type=DISK

（篇幅原因，有省略……）

RMAN-00571: ===========================================================

RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============

RMAN-00571: ===========================================================

RMAN-03002: failure of restore command at 06/08/2015 16:41:19

ORA-19870: error while restoring backup piece +RECO/sicsstb/backupset/2015_06_08/nnndf0_tag20150608t163709_0.261.881858229

ORA-19913: unable to decrypt backup

ORA-28365: wallet is not open

 

 

不開錢包，就不能進行還原。

 

 

SQL> alter system set encryption wallet open identified by "test";

 

System altered

 

 

RMAN> restore database;

 

Starting restore at 08-JUN-15

using channel ORA_DISK_1

 

channel ORA_DISK_1: starting datafile backup set restore

（篇幅原因，有省略…….）

channel ORA_DISK_1: restored backup piece 1

channel ORA_DISK_1: restore complete, elapsed time: 00:00:35

Finished restore at 08-JUN-15

 

RMAN> recover database;

 

Starting recover at 08-JUN-15

using channel ORA_DISK_1

 

starting media recovery

media recovery complete, elapsed time: 00:00:01

Finished recover at 08-JUN-15

 

 

這種方式比較適合本地資料恢復，如果本地異地恢復結合的方式，建議使用第三種混合策略。

 

4、混合加密策略

 

混合加密策略其實就是前面兩種策略的集合。如果本地備份恢復，就可以使用wallet進行透明操作。如果是異地恢復，可以使用密碼策略。

 

首先設定encryption引數。

 

 

RMAN> set encryption off;      

 

executing command: SET encryption

 

RMAN> set encryption on identified by "test"; --注意：此處沒有only了。

 

executing command: SET encryption

 

 

重啟還原。

 

 

RMAN> shutdown immediate;

 

database closed

database dismounted

Oracle instance shut down

 

RMAN> startup mount;

 

connected to target database (not started)

Oracle instance started

database mounted

 

Total System Global Area    1603411968 bytes

 

Fixed Size                     2253664 bytes

Variable Size               1006636192 bytes

Database Buffers             587202560 bytes

Redo Buffers                   7319552 bytes

 

 

 

RMAN> restore database;

 

Starting restore at 08-JUN-15

allocated channel: ORA_DISK_1

channel ORA_DISK_1: SID=131 device type=DISK

 

channel ORA_DISK_1: starting datafile backup set restore

channel ORA_DISK_1: specifying datafile(s) to restore from backup set

channel ORA_DISK_1: restoring datafile 00001 to +DATA/sicsstb/datafile/system.267.881856977

channel ORA_DISK_1: restoring datafile 00002 to +DATA/sicsstb/datafile/sysaux.268.881856977

channel ORA_DISK_1: restoring datafile 00003 to +DATA/sicsstb/datafile/undotbs1.269.881856977

channel ORA_DISK_1: restoring datafile 00004 to +DATA/sicsstb/datafile/users.270.881856977

channel ORA_DISK_1: reading from backup piece +RECO/sicsstb/backupset/2015_06_08/nnndf0_tag20150608t163709_0.261.881858229

RMAN-00571: ===========================================================

RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============

RMAN-00571: ===========================================================

RMAN-03002: failure of restore command at 06/08/2015 16:47:42

ORA-19870: error while restoring backup piece +RECO/sicsstb/backupset/2015_06_08/nnndf0_tag20150608t163709_0.261.881858229

ORA-19913: unable to decrypt backup

ORA-28365: wallet is not open

 

 

啟動錢包。

 

 

SQL> alter system set encryption wallet open identified by "test";

System altered

 

 

之後恢復正常。

 

5、結論

 

安全是當今資訊科技的一個大課題，需要從技術、管理、制度和人員多層面進行配置規劃，設定標準的流程規範。