Oracle 11g Encrypted Backups

By default, Oracle has backup encryption turned off:

RMAN> show all;

CONFIGURE ENCRYPTION FOR DATABASE OFF; # default

CONFIGURE ENCRYPTION ALGORITHM 'AES128'; # default

sys@OCP> SELECT ALGORITHM_ID,ALGORITHM_NAME FROM V$RMAN_ENCRYPTION_ALGORITHMS;

ALGORITHM_ID ALGORITHM_NAME

           1 AES128
           2 AES192
           3 AES256

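1. Transparent encryption (restoring tablespace tp1)

To configure transparent encryption, use the CONFIGURE command in RMAN. Transparent encryption is also called wallet encryption, and it is RMAN's default encryption method.

This method does not require setting a password and is well suited to local backup and restore. If the backups do not need to be transferred to other machines, this encryption method is recommended.

Because no password is needed, you only have to configure the encryption/decryption credential, that is, the Oracle Encryption Wallet.

(1) Enable transparent encryption and make sure the wallet is open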

RMAN> CONFIGURE ENCRYPTION FOR DATABASE ON;

new RMAN configuration parameters:

CONFIGURE ENCRYPTION FOR DATABASE ON;

new RMAN configuration parameters are successfully stored

RMAN> set encryption on;

executing command: SET encryption

(2) Run the backup; it fails. (Note: the database wallet must be open.)

RMAN> backup as compressed backupset tablespace tp1;

Starting backup at 17-FEB-14

using channel ORA_DISK_1

channel ORA_DISK_1: starting compressed full datafile backup set

channel ORA_DISK_1: specifying datafile(s) in backup set

input datafile file number=00006 name=/u01/app/oracle/oradata/ocm/tp1.dbf

channel ORA_DISK_1: starting piece 1 at 17-FEB-14

RMAN-00571: ===========================================================

RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============

RMAN-03009: failure of backup command on ORA_DISK_1 channel at 02/17/2014 12:28:11

ORA-19914: unable to encrypt backup

ORA-28365: wallet is not open

(3) Create a new directory and designate it as the wallet directory: /u01/app/oracle/admin/ocp/wallet

[oracle@mydb ocp]$ mkdir -p /u01/app/oracle/admin/ocp/wallet

Configure sqlnet.ora (optional)

ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/u01/app/oracle/admin/ocp/wallet)))

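(4) Enter SQL*Plus and open the wallet. Creating the wallet includes setting the password, generating the credential file, and starting the wallet.

First query the V$ENCRYPTION_WALLET view to see whether the wallet is open.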

sys@OCP> col WRL_PARAMETER for a50

sys@OCP> SELECT * FROM V$ENCRYPTION_WALLET;

WRL_TYPE WRL_PARAMETER STATUS

file /u01/app/oracle/admin/ocp/wallet CLOSED

idle> alter system set wallet open identified by "guoyJoe";

System altered.

(5) A simple test

RMAN> backup as compressed backupset tablespace tp1;

channel ORA_DISK_1: finished piece 1 at 17-FEB-14

piece handle=/u01/app/oracle/product/11.2.0/dbs/48p0rotn_1_1 tag=TAG20140217T134423 comment=NONE

channel ORA_DISK_1: backup set complete, elapsed time: 00:00:15

Finished backup at 17-FEB-14

Starting Control File and SPFILE Autobackup at 17-FEB-14

piece handle=/backup/c-2735927810-20140217-02 comment=NONE

Finished Control File and SPFILE Autobackup at 17-FEB-14

RMAN> shutdown immediate;

database closed

database dismounted

Oracle instance shut down

RMAN> startup mount;

connected to target database (not started)

Oracle instance started

database mounted

Total System Global Area 1006809088 bytes

Fixed Size 2233520 bytes

Variable Size 478153552 bytes

Database Buffers 419430400 bytes

Redo Buffers 106991616 bytes

RMAN> restore tablespace tp1;

Starting restore at 17-FEB-14

allocated channel: ORA_DISK_1

channel ORA_DISK_1: SID=18 device type=DISK

channel ORA_DISK_1: starting datafile backup set restore

channel ORA_DISK_1: specifying datafile(s) to restore from backup set

channel ORA_DISK_1: restoring datafile 00006 to /u01/app/oracle/oradata/ocm/tp1.dbf

channel ORA_DISK_1: reading from backup piece /u01/app/oracle/product/11.2.0/dbs/48p0rotn_1_1

RMAN-03002: failure of restore command at 02/17/2014 13:45:32

ORA-19870: error while restoring backup piece /u01/app/oracle/product/11.2.0/dbs/48p0rotn_1_1

ORA-19913: unable to decrypt backup

RMAN> sql 'alter system set wallet open identified by "guoyJoe"';

sql statement: alter system set wallet open identified by "guoyJoe"

channel ORA_DISK_1: piece handle=/u01/app/oracle/product/11.2.0/dbs/48p0rotn_1_1 tag=TAG20140217T134423

channel ORA_DISK_1: restored backup piece 1

channel ORA_DISK_1: restore complete, elapsed time: 00:00:25

Finished restore at 17-FEB-14

RMAN> recover tablespace tp1;

Starting recover at 17-FEB-14

starting media recovery

media recovery complete, elapsed time: 00:00:00

Finished recover at 17-FEB-14

RMAN> alter database open;

database opened

2. Password encryption (restoring tablespace tp1)

To enable password encryption for a specific backup, use the SET ENCRYPTION command, as shown below:

gyj@OCP> SELECT * FROM V$ENCRYPTION_WALLET;

RMAN> CONFIGURE ENCRYPTION FOR DATABASE off;

CONFIGURE ENCRYPTION FOR DATABASE OFF;

RMAN> set encryption on identified by "guoyJoe123" only;

piece handle=/u01/app/oracle/product/11.2.0/dbs/4qp0sa4k_1_1 tag=TAG20140217T183811 comment=NONE

piece handle=/backup/c-2735927810-20140217-0a comment=NONE

--- Delete the datafile of tablespace tp1

[oracle@mydb ocm]$ rm -rf tp1.dbf

channel ORA_DISK_1: reading from backup piece /u01/app/oracle/product/11.2.0/dbs/4qp0sa4k_1_1

RMAN-03002: failure of restore command at 02/17/2014 18:39:50

ORA-19870: error while restoring backup piece /u01/app/oracle/product/11.2.0/dbs/4qp0sa4k_1_1

RMAN> set decryption identified by "guoyJoe123";

executing command: SET decryption

using target database control file instead of recovery catalog

channel ORA_DISK_1: SID=1 device type=DISK

channel ORA_DISK_1: piece handle=/u01/app/oracle/product/11.2.0/dbs/4qp0sa4k_1_1 tag=TAG20140217T183811

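3. Dual-mode encryption

Transparent encryption and password encryption can be used at the same time. This is useful if backups are restored and recovered on the same database but are sometimes used to recover a different database. When both methods are in effect, either the password or the database wallet can be used to restore the backup. When recovering to a remote database, the password must be specified before the recovery, as shown below: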

RMAN> set encryption identified by "guoyJoe12345";

RMAN>

To use only password-based encryption for a backup, add the ONLY clause to SET ENCRYPTION:

RMAN> set encryption identified by "guoyJoe12345" only;

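As a result, even if ENCRYPTION defaults to ON (so the wallet encryption method would be used), all subsequent backups use password encryption only. This lasts until password encryption is turned off or RMAN is exited completely.

Dual-mode encryption is a mix of the previous two methods, so it is not tested further here.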
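
The restore failures in sections 1 and 2 (ORA-19913 when the wallet is closed after a restart, or when no decryption password has been set) can be checked for before RMAN is run. The shell script below is an added example, not part of the original post: the function names, the sample inputs and the placeholder password are constructed here, and it encodes only the restore rules stated above for the three modes.

```sh
#!/bin/sh
# Added example, not from the original post: predict whether an RMAN restore
# can decrypt a backup, using the rules for the three modes described above.

# Print the STATUS column (OPEN/CLOSED) of V$ENCRYPTION_WALLET output on stdin.
wallet_status() {
  awk 'tolower($1) == "file" { print toupper($NF); ok = 1; exit }
       END { if (!ok) print "UNKNOWN" }'
}

# Succeed if the RMAN script on stdin issues SET DECRYPTION IDENTIFIED BY "...".
has_decryption_password() {
  grep -qiE '^[[:space:]]*set[[:space:]]+decryption[[:space:]]+identified[[:space:]]+by[[:space:]]+"[^"]+"'
}

# can_restore MODE WALLET_OUTPUT RMAN_SCRIPT
# MODE is how the backup was taken: transparent | password | dual.
# Prints OK (returns 0) or the reason ORA-19913 is expected (returns 1).
can_restore() {
  cr_wallet=$(printf '%s\n' "$2" | wallet_status)
  cr_pw=no
  if printf '%s\n' "$3" | has_decryption_password; then cr_pw=yes; fi
  case "$1" in
    transparent)
      if [ "$cr_wallet" = OPEN ]; then echo OK; return 0; fi
      echo "wallet is $cr_wallet: open it before restore"; return 1 ;;
    password)
      if [ "$cr_pw" = yes ]; then echo OK; return 0; fi
      echo "script has no SET DECRYPTION password"; return 1 ;;
    dual)
      if [ "$cr_wallet" = OPEN ] || [ "$cr_pw" = yes ]; then echo OK; return 0; fi
      echo "wallet is $cr_wallet and script has no SET DECRYPTION password"; return 1 ;;
    *) echo "unknown mode: $1"; return 2 ;;
  esac
}

# Constructed samples that mirror the output and commands shown on this page.
WALLET_CLOSED='WRL_TYPE WRL_PARAMETER STATUS
file /u01/app/oracle/admin/ocp/wallet CLOSED'
WALLET_OPEN='WRL_TYPE WRL_PARAMETER STATUS
file /u01/app/oracle/admin/ocp/wallet OPEN'
RESTORE_PLAIN='restore tablespace tp1;
recover tablespace tp1;'
RESTORE_WITH_PW='set decryption identified by "<placeholder-password>";
restore tablespace tp1;
recover tablespace tp1;'

can_restore transparent "$WALLET_CLOSED" "$RESTORE_PLAIN" || true
can_restore dual "$WALLET_CLOSED" "$RESTORE_WITH_PW"
```

In practice the wallet text would come from the SELECT * FROM V$ENCRYPTION_WALLET query shown in step (4), and the script text from the RMAN command file about to be run.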