cancel
Showing results for 
Search instead for 
Did you mean: 

Oracle Intelligent Policy - OS Credentials

Thorsten_Jens
Level 4

Hi,

we are currently evaluating the use of OIP for our Oracle backups. Reading the documentation, I am under the impression that I absolutely need OS credentials, while database credentials are optional. The problem with that is that the OS oracle users (Solaris/Linux) do not have passwords and can only be used by being root first and using su.

Will we still be able to use OIP somewhow?

1 ACCEPTED SOLUTION

Accepted Solutions

Thorsten_Jens
Level 4

Thanks for your suggestions. We ended up adding another "simple" account with local authentication, without Kerberos.

View solution in original post

14 REPLIES 14

Tousif
Level 6

Hello 

Have you tried to use the root user and password to add that instance?

 

Regards,


@Tousif wrote:

Have you tried to use the root user and password to add that instance?


The problem is that no user can access these servers directly or has a local password. Only SSH Single Sign On via Kerberos, and it's sudo/su from there on.

Marianne
Moderator
Moderator
Partner    VIP    Accredited Certified

IMHO, OS credentials would mean OS-level username and password for the oracle user. 
My assumpsion is based on this extract from the manual:

Enter the OS Credentials. You may have to contact the Oracle DBA for the correct credentials.

In another section of the manual (logging on and using BAR on the client), we see this wrt OS credentials:

■ OS authentication for Oracle:
Log on to NetBackup as an Oracle DBA UNIX account that includes sysdba privileges.

@Marianne: That's what I am reading as well. Sounds like we won't be able to use OIP if we can't provide "direct" credentials of a local OS user.

Marianne
Moderator
Moderator
Partner    VIP    Accredited Certified

OIP needs the Oracle DBA to work with you on initial config. 

There is this in manual as well:

Oracle DBAs can use the nboraadm command on the NetBackup client to manage instances, instance groups, and their credentials. This command is very useful in environments where the Oracle credentials are known only by the DBAs and not by the NetBackup administrators.

@Marianne: Yeah, I know. The problem is not that the credentials are only known to the DBA, it's that they are unknown to everybody (by design, not by negligence). No one can log by username/password, only Kerberos SSO and then su to the user with appropriate rights.

Nicolai
Moderator
Moderator
Partner    VIP   

You cannot backup what you can't access ;)

Netbackup needs to know the dba password - but it will be encrypted in Netbackup and not accessible for users.

Have the dba type in the password for the oracle user on the Netbackup console, and you are ready to go. When they change the password , so do they need to do on Netbackup console.

@Nicolai: There IS no password for the oracle user.

Hello,

All Linux/Unix box maintain the local root user for disaster situation to manage the server.

We need User and password  root/oracle to add the instance. Without this information I don't think you can able to add instance.

The NetBackup need credential to authenticate and connect to instance.

 If you using single sing in user & password. The password get change as per company policy, then even if you add that instance successfully,  You have to referesh the authentication each every time in NBU whenever password get change.

I would recommend to create oracle local user to connect the instance.

Regards,

 

Marianne
Moderator
Moderator
Partner    VIP    Accredited Certified

@Thorsten_Jens wrote:

@Marianne: Yeah, I know. The problem is not that the credentials are only known to the DBA, it's that they are unknown to everybody (by design, not by negligence). No one can log by username/password, only Kerberos SSO and then su to the user with appropriate rights.


So the ' su to the user with appropriate rights' is the Oracle user credentials that need to be entered. 
Have you tried that?

Else the Oracle dba will need to use the ' su to the user with appropriate rights' to create manual scrips or else use the 'nboraadm' command as per instructions in the manual.


@Marianne wrote:

So the ' su to the user with appropriate rights' is the Oracle user credentials that need to be entered. 
Have you tried that?

Else the Oracle dba will need to use the ' su to the user with appropriate rights' to create manual scrips or else use the 'nboraadm' command as per instructions in the manual.


The process is

1. SSH login via Kerberos -> no password

2. "sudo -i" to become root -> no password

3. "su - oracle" -> no password

I guess our environment is just too weird for OIP so we'll have to stick with the "old" scripts solution.

Nicolai
Moderator
Moderator
Partner    VIP   

Please be aware that just because you are not prompted for a password, it doesn't mean the password doesn't exist.

On a Linux/UNIX box switching user from root doesn't require a password because you from going from a higher to a lower privileged account.

 

Mouse
Moderator
Moderator
Partner    VIP    Accredited Certified

I am pretty sure that OIP configuration in this scenario is not much different from using scripts.

You can use either OS or Oracle authentication like normal scripts do, but the fact DBAs use passwordless login through Kerberized SSH is not that relevant as this authentication is handled by a PAM module to obtain a forwardable ticket from the source machine where the SSH session is initiated from.

Now when you start a new backup process and need to authenticate you will need to have a user with credentials, they may be even Windows domain credentials stored in AD to create a new Kerberos ticket, if you still want to use Kerberos of course. In this case, DBAs can key in the password through nboraadm without involving NBU admins

Thorsten_Jens
Level 4

Thanks for your suggestions. We ended up adding another "simple" account with local authentication, without Kerberos.