We have moved a few clients to the DMZ. The file system backup works for them, but no luck with Oracle DB. Yes, of course, Master to client connectivity through the NBU ports is mandatory.
But my question is: has this changed in NBU 8.1? Like how file system works... I saw a forum post, as shown below.
"Veritas started to focus on NetBackup security. NetBackup 8.0 introduced certificates for NBU environment. Master Server assigns Certificates to Clients based on UUID and it makes sure that communications between Clients and Masters are trusted. NetBackup 8.1 provides better security for clients located in a demilitarized zone (DMZ). The media server creates an HTTP tunnel to enable secure web service communication between NetBackup clients and the master server."
In any case, can DB backups work without connectivity between the client and Master? If there are any alternative ways, please suggest them. There is no chance of opening the firewall.
Nothing has changed in the ports requirements for NetBackup 8. A link to the PDF:
The information you were referring to is the secure communications that were implemented from NetBackup 8. This uses TLS and certificates to ensure comms between the Master and client are secure and encrypted - however it still uses the normal ports, no change there.
If you want your database backups to work, then yes you will need connectivity between the Master and Client. The section below is taken from the bottom of page 10 of the document I linked above:
The client requires access to the master server to initiate user and client-initiated operations such as application backups for Oracle and SQL Server. The client must also be able to connect to the media servers in the following
If you cannot open the firewall and file-system backups are working for this client, you could do a database dump to flat files on disk and then back up from there. Not the best solution, but it would work. One of the other issues is, depending on how busy this Oracle system is - how often do you need to back up your redo logs?
If you really want a hot database backup, then you are going to have to open your firewall (or convince those in charge it is required). It can be restricted to only the DMZ clients, Master and Media server IPs. Even if you were using VMware SAN based backups, there is still some network comms needed. The only other alternative is to put a Master and Media server in your DMZ to back up just the DMZ clients. A bit of overkill, but means you don't have to open your corporate network to the DMZ.
Hope this helps,
You are correct, I gave the dump backup approach but that's not the permanent solution. We can set up a separate Master inside the DMZ but it would take some time and approvals.
Can we ask the Veritas engineering team to help create/share daemons for the Media server? Hence the Media server will act as Ora_server for the backup and restore.
Processes such as bpdbm and bprd ONLY run on a master server.
They can never run on a media server.
If you attempt to start bprd on a media server (since the same binaries are installed on a media server), the process checks for SERVER config. If media server, bprd will immediately terminate.
Oracle and other client-initiated backups work like this:
Client sends request to bprd on the master server.
bprd then connects to bpdbm to verify that a valid policy exists.
Only then are the Oracle child jobs initiated.
So, impossible to run Oracle agent backups without PBX (1556) open between master and client.
One more thing - as from NBU 8.1, rman scripts that are located in a directory other than db_ext need to be 'authorized'.
Master to client connectivity is good enough for file system backups, but for Oracle backup to work, client to master server connectivity must also exist.
While file system backups are initiated from the master server, Oracle RMAN initiates a session to the master server (aka user-initiated backup and restores).
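
An added example, not part of any post in this thread and not Veritas code: it models a firewall allow-list and shows why a one-way PBX (1556) opening gives working file system backups but failing Oracle agent backups, and it flags rules wider than the specific backup hosts. The addresses, rule sets and function names are constructed for illustration, and only the master/client flows on port 1556 named in the thread are modelled.

```python
import ipaddress
from dataclasses import dataclass

PBX_PORT = 1556  # PBX port named in the thread


@dataclass(frozen=True)
class Rule:
    """One firewall allow rule; src/dst are an IP or CIDR (constructed model)."""
    src: str
    dst: str
    port: int


def allowed(rules, src_ip, dst_ip, port=PBX_PORT):
    """True if any allow rule permits a connection src_ip -> dst_ip:port."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(r.port == port
               and s in ipaddress.ip_network(r.src)
               and d in ipaddress.ip_network(r.dst)
               for r in rules)


def assess(rules, master, client):
    """Map the two PBX directions onto the backup types discussed in the thread."""
    m2c = allowed(rules, master, client)
    c2m = allowed(rules, client, master)
    return {
        "filesystem_backup": m2c,             # master-initiated
        "oracle_agent_backup": m2c and c2m,   # RMAN also connects client -> master
    }


def broader_than_hosts(rules, hosts):
    """Rules whose src or dst is not exactly one of the named backup hosts."""
    known = {ipaddress.ip_network(h) for h in hosts}
    return [r for r in rules
            if ipaddress.ip_network(r.src) not in known
            or ipaddress.ip_network(r.dst) not in known]


# Constructed sample addresses and rule sets (not from the thread).
MASTER, MEDIA, CLIENT = "10.10.0.5", "10.10.0.6", "192.168.50.20"
ONE_WAY = [Rule(MASTER, CLIENT, PBX_PORT)]
TWO_WAY = ONE_WAY + [Rule(CLIENT, MASTER, PBX_PORT)]
WIDE = [Rule("10.10.0.0/16", "192.168.50.0/24", PBX_PORT),
        Rule("192.168.50.0/24", "10.10.0.0/16", PBX_PORT)]

if __name__ == "__main__":
    for name, rules in (("one-way", ONE_WAY), ("two-way", TWO_WAY), ("wide", WIDE)):
        print(name, assess(rules, MASTER, CLIENT),
              "broad rules:", len(broader_than_hosts(rules, [MASTER, MEDIA, CLIENT])))
```

The `TWO_WAY` rule set is the host-restricted opening suggested earlier in the thread; the `WIDE` set also makes both backup types work but exposes whole subnets on 1556.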