
Problem while hiding password in script backup with Oracle RMAN

tien86
Level 4
Partner

Hello,

I backup and restore OK for Oracle RAC with my script.

Now I need to hide password in backup script.

Current script ===================


if [ "$NB_ORA_FULL" = "1" ]
then
    BACKUP_TYPE="INCREMENTAL LEVEL=0"
    NB_SCHED="app-full"
elif [ "$NB_ORA_INCR" = "1" ]
then
    BACKUP_TYPE="INCREMENTAL LEVEL=1"
    NB_SCHED="app-diff"
elif [ "$NB_ORA_CINC" = "1" ]
then
    BACKUP_TYPE="INCREMENTAL LEVEL=1 CUMULATIVE"
    NB_SCHED="app-diff"
elif [ "$BACKUP_TYPE" = "" ]
then
    BACKUP_TYPE="INCREMENTAL LEVEL=0"
    NB_SCHED="app-full"
fi

.....

RUN {
ALLOCATE CHANNEL ch00   TYPE 'SBT_TAPE' PARMS='ENV=(NB_ORA_CLIENT=ora1-backup)' CONNECT='sys/oracle@oravn1';
ALLOCATE CHANNEL ch01   TYPE 'SBT_TAPE' PARMS='ENV=(NB_ORA_CLIENT=ora2-backup)' CONNECT='sys/oracle@oravn2';
SEND 'NB_ORA_SCHED=$SCHED_NAME,NB_ORA_POLICY=Backup-Oracle-oravn,NB_ORA_SERV=dr-backup-01';

BACKUP
    AS COMPRESSED BACKUPSET  
    $BACKUP_TYPE
    FORMAT 'bk_d%u_s%s_p%p_t%t'
    DATABASE;

release ch00;

release ch01;

}

===========================================

The Oracle Administrator suggests pre-allocating the channels from RMAN:

CONFIGURE CHANNEL 1 DEVICE TYPE 'SBT_TAPE'  CONNECT='sys/oracle@oravn1';
CONFIGURE CHANNEL 2 DEVICE TYPE 'SBT_TAPE'  CONNECT='sys/oracle@oravn2';

But we cannot pass the value of $NB_ORA_SCHED to the channel. We need this parameter to configure SLP for each schedule.

===========================================

If we use Secure External Password Store, the Oracle Administrator worries that clients will need to change the method they use to connect to the database. This database is in production, and such a change would have an impact.

===========================================

Is there a way to hide the password in the script?

5 REPLIES

jim_dalton
Level 6

Two suggestions: if OIP can back up RAC, then consider using it. You enter the credentials via the GUI, but they are not visible. NB: it would be interesting to get Symantec's input on this, because I don't know if the account info IS put somewhere that's "visible".

*I've just read a technote: Symantec recommend not using OIP for RAC*

Second suggestion, possibly for your DBA, is: can an encrypted password be used in the script? This may not prove a good solution if you can see the encrypted version and someone else picks up on it.

Jim

RiaanBadenhorst
Level 6
Partner    VIP    Accredited Certified

Hi,

 

If you create an OS user that has access (sysdba) to the database, then you don't need to specify the username/password.

You can just specify / as the connect string. NetBackup will SU to the user, and then connect as that user.

 

That's how I understand the process.

 

tien86
Level 4
Partner

We already tested OIP to back up RAC, but it did not work. RAC has a different database name and instance name for each node.

@Riaan: In the script, I need to connect to the second node of RAC. Then I need to provide the password for the second node.

 

RiaanBadenhorst
Level 6
Partner    VIP    Accredited Certified

That makes sense now. Forgot about the connection to the other instance.

 

I found this, but I don't have a RAC to test on. Don't know if it can work from within the netbackup script.

 

https://docs.oracle.com/cd/A97630_01/server.920/a96566/rcmcnctg.htm#445078

 

See the section on "Hiding Passwords When Connecting to Databases".

tien86
Level 4
Partner

Hello,

If RMAN connects to the Catalog, I cannot hide the password of the Catalog in the script.

I just created a case to ask. Symantec staff confirmed that the script cannot hide the password.

So I can conclude that if I back up RAC with load balancing, I cannot hide the password.

I have to back up RAC from 1 node.
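
Added example, not part of any post in this thread: a shell function that audits backup scripts for RMAN CONNECT clauses that still carry a cleartext password, such as the `CONNECT='sys/oracle@oravn1'` channel lines in the original post. The function names and the sample file are constructed for illustration; only the first channel line of the sample is taken from the thread.

```shell
#!/bin/sh
# List RMAN CONNECT clauses that embed a cleartext password.
# Output: file:line:user@alias. The password itself is never printed.
# "/" and "/@alias" (OS or wallet authentication) are not reported.
scan_rman_connect() {
    awk -v q="'" '
    BEGIN {
        tokc = "[^ \t" q "\"/@;]+"      # one user or password token
        re   = "connect[ \t]*(=|target|catalog|auxiliary)?[ \t]*[" q "\"]?"
        re   = re tokc "/" tokc "(@[^ \t" q "\";]+)?"
        lead = "^.*[ \t=" q "\"]"       # keyword and quoting before the user
    }
    {
        rest = $0
        while (match(tolower(rest), re)) {
            tok   = substr(rest, RSTART, RLENGTH)
            rest  = substr(rest, RSTART + RLENGTH)
            slash = index(tok, "/")
            user  = substr(tok, 1, slash - 1); sub(lead, "", user)
            cred  = substr(tok, slash + 1)
            at    = index(cred, "@")
            alias = (at ? substr(cred, at + 1) : "(local)")
            printf "%s:%d:%s@%s\n", FILENAME, FNR, user, alias
        }
    }' "$@"
}

# Constructed sample input. Line 2 is the channel line posted in the thread;
# the remaining lines are made up to show what is and is not reported.
write_sample() {
    cat > "$1" <<'EOF'
RUN {
ALLOCATE CHANNEL ch00 TYPE 'SBT_TAPE' PARMS='ENV=(NB_ORA_CLIENT=ora1-backup)' CONNECT='sys/oracle@oravn1';
ALLOCATE CHANNEL ch01 TYPE 'SBT_TAPE' PARMS='ENV=(NB_ORA_CLIENT=ora2-backup)' CONNECT='/@oravn2';
}
connect target /
connect catalog rman_owner/example_pw@rcat
EOF
}

# Demo: scan the sample and print the findings.
tmp=$(mktemp) && write_sample "$tmp" && scan_rman_connect "$tmp"
rm -f "$tmp"
```

Any output line marks a script that should be readable only by the backup account until the embedded credential is removed.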