Tuesday, December 21, 2021

Backing up Oracle Key Vault from your datacenter to OCI

  This is the second of a multi-part blog series walking through how to copy your TDE-encrypted on-premises Oracle Database to an OCI VM in the Oracle cloud. This post focuses on how to leverage OKV (Oracle Key Vault) to store, back up, and migrate encryption keys. In this post I will walk through backing up OKV to both a local ZFS and an OCI bucket.

The first part of this series went through how to migrate a database from on premises to the OCI cloud using the Oracle Database Cloud Backup Module. You can find it here.

I will add to this first by including how to migrate my OKV (Oracle Key Vault) environment to OCI, so that I can restore my encrypted database using OKV.

I am going to skip over how to migrate my database to using OKV. If you are starting at the beginning (a small database with no encryption), the steps to get to this next blog post are:

  1. Create a new database for testing.
  2. Implement Advanced Security (TDE) which is covered in my post here.
  3. Migrating from a local wallet to OKV which is covered in my post here.

At this point my database (ocitest) is using my OKV environment on premises, and I am ready to back up and restore my OKV host along with my database.

Back up the database to an OCI bucket

First I am going to back my database up to an OCI bucket.

I am going to set my channels and perform a level 0 backup with archive logs.

NOTE: The backup is encrypted using the encryption key from OKV, rather than a password.


### Default device is tape
CONFIGURE DEFAULT DEVICE TYPE TO 'SBT_TAPE';

### Ensure autobackups are sent to my bucket
CONFIGURE CONTROLFILE AUTOBACKUP FORMAT FOR DEVICE TYPE SBT_TAPE TO '%F'; # default

### Backup set is a compressed backupset (this is included for free with the backup module)
CONFIGURE DEVICE TYPE 'SBT_TAPE' PARALLELISM 4 BACKUP TYPE TO COMPRESSED BACKUPSET;

### Channel configuration
CONFIGURE CHANNEL DEVICE TYPE 'SBT_TAPE' PARMS 'SBT_LIBRARY=/home/oracle/ocicloud/lib/libopc.so,SBT_PARMS=(OPC_PFILE=/home/oracle/ocicloud/config/migtestbackup.ora)';

### Encryption is on
CONFIGURE ENCRYPTION FOR DATABASE ON;
CONFIGURE ENCRYPTION ALGORITHM 'AES128'; # default

### Compression is medium
CONFIGURE COMPRESSION ALGORITHM 'MEDIUM' AS OF RELEASE 'DEFAULT' OPTIMIZE FOR LOAD TRUE;


Configure ZFSSA as a destination

Step # 1 Add a dedicated user on the ZFSSA to own the backups.

Log onto the ZFSSA console and go to "Configuration" => "Users". Add a new user to be the owner of the OKV backups on the ZFSSA. Click "Add" when completed.



Step # 2 Retrieve the public SSH key from OKV.

Log onto the OKV console and go to "System" => "Settings" => "Backup and Restore". Click on "Backup and Restore" and then "Manage Backup Destinations". Once there, click on "Create" to add a new backup destination.

On the screen below you want to capture the "Public Key", which is the string AFTER "ssh-rsa". You can save this in Notepad or some sort of scratch pad, without the leading "ssh-rsa" portion.
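Copying the wrong column (the comment, or the whole line including "ssh-rsa") is the usual reason the SFTP destination later fails, so it is worth checking the pasted value before adding it to the ZFSSA. The helper below is an added example, not part of the original post or of OKV/ZFSSA: it splits an OpenSSH public-key line into the bare base64 body the ZFSSA "Keys" form wants, verifies that the body really decodes to an ssh-rsa blob, and returns the SHA256 fingerprint so the key can be compared on both ends. The sample key line is constructed here from a toy modulus and is not a real OKV key.

```python
import base64
import hashlib
import struct


def _build_rsa_blob(e: int, n: int) -> bytes:
    """Build an ssh-rsa key blob in OpenSSH wire format (constructed sample data)."""
    def mpint(v: int) -> bytes:
        b = v.to_bytes((v.bit_length() + 8) // 8, "big")  # extra byte keeps the value positive
        return struct.pack(">I", len(b)) + b

    def sstring(s: bytes) -> bytes:
        return struct.pack(">I", len(s)) + s

    return sstring(b"ssh-rsa") + mpint(e) + mpint(n)


# Constructed sample in the form OKV displays it: "ssh-rsa <base64 blob> <comment>".
SAMPLE_LINE = (
    "ssh-rsa "
    + base64.b64encode(_build_rsa_blob(65537, 0xC0FFEE_1234_5678_9ABC_DEF0)).decode()
    + " okv@example"
)


def extract_okv_public_key(line: str) -> dict:
    """Return the key type, the bare base64 body (the part after "ssh-rsa")
    and the SHA256 fingerprint of an OpenSSH public-key line."""
    parts = line.strip().split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, body = parts[0], parts[1]
    if key_type != "ssh-rsa":
        raise ValueError(f"unexpected key type {key_type!r}; OKV publishes an ssh-rsa key")
    blob = base64.b64decode(body, validate=True)  # rejects the comment or stray whitespace
    if len(blob) < 4:
        raise ValueError("base64 body is too short to be a key blob")
    # The blob starts with a length-prefixed copy of the type string; if it does not,
    # the wrong column was copied from the OKV screen.
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len] != key_type.encode():
        raise ValueError("base64 body does not decode to an ssh-rsa key blob")
    # Same format as "ssh-keygen -lf": base64 of SHA256(blob) without padding.
    fp = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"type": key_type, "body": body, "fingerprint": f"SHA256:{fp}"}


if __name__ == "__main__":
    print(extract_okv_public_key(SAMPLE_LINE))
```

The returned "body" is exactly what goes into the ZFSSA key field; the fingerprint can be compared with the one the ZFSSA shows for the added key.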


Step # 3 Add the user to the ZFSSA with the public key

Now go back to the ZFSSA console and open the configuration for SFTP. This is under "SERVICES" => "SFTP". Click on "SFTP", and you will see the screen in the background below. Click on the "+" to the left of "Keys". On the window that pops up, enter the "Public Key" characters you previously saved and the "user" that you created as the owner of the OKV backups. Once you complete this, click on "ADD" to add the OKV Public Key to the ZFSSA.



Step # 4 Add a new Project/Share to hold the OKV backups

Add a new project to hold the backups. Within the project, navigate to the "General" tab, go to the bottom of the window and change the "Default Settings". For this project, the "user" should be the user you created on the ZFS. This ensures that the OKV backups are separate from other backups on the ZFS and are only accessible by the new user.



Then, on the "Protocols" tab, set SFTP as the only read/write protocol for the project.


Navigate to the "Snapshots" tab; we will now create 3 immutable snapshots, taken every day.

  1. Ensure you click on "Enable retention policy for Scheduled Snapshots".
  2. Under the Snapshots section, click on the “Schedules” tab and click on the “+” next to it.
  3. Change the desired frequency of the snapshot to daily, for a daily backup that matches the OKV backup.
  4. Change the “scheduled time” to a time of day following the daily backup.
  5. Decide how many backups in total you wish to keep. This is the “KEEP AT MOST”.
  6. Change the “RETENTION” to “Locked” with the drop-down to ensure the backups will be immutable.
  7. Decide how many backups you wish to keep as immutable. This is the “RETENTION”.
  8. Click on “Apply”.

Then add a new share to the project to hold the backups.

Step # 5 Add the ZFSSA as a destination.

Go back to OKV and navigate back to “Create Backup Destination” under “System”. On the “Create Backup Destination” page:

  1. Give the “Destination Name” the name you want to use for the ZFS.
  2. Change “Transfer Method” to “sftp” using the radio button.
  3. Enter the “Hostname” for the ZFS. This can be either the IP or the DNS name.
  4. Under “Port”, ensure the port matches the ZFS port used for “SFTP”, which defaults to 218.
  5. Enter the “Destination Path”, which is “/export/” followed by the share name given in step 021.
  6. Enter the “User Name”, which is the user created in step 006 and the user that owns the share from step 021.
  7. Click on “Save”.


Backup OKV to ZFSSA

On the “Backup” screen:

  1. Give your backup a descriptive name.
  2. Leave the start time (or change it to the time to run the backup).
  3. Choose the destination entered in step 022.
  4. Change the dial to “PERIODIC” to schedule a regular backup.
  5. Choose the frequency for the backup.
  6. Click on “Schedule”.


Once the first backup completes you will see it on this "Backup and Restore" window.


Backup ZFSSA to OCI

Now that we have our backup sent to the ZFSSA, we need to configure the ZFSSA to send the backup to an OCI bucket. Navigate to "SERVICES" => "Cloud" on the ZFSSA, and click on the "+" sign to the left of "Targets" to add a new cloud target. On the window that pops up, enter the authentication information for your cloud bucket in OCI (the bucket should be set as immutable).

In the “Add Cloud Target” window enter:

  1. The name of the cloud target. If you are setting up multiple targets to different buckets, using the bucket name is most descriptive.
  2. The location, which is https://objectstorage.{cloud location for your tenancy and bucket}.oraclecloud.com
  3. The bucket name from the previous step.
  4. “User”, which is the user OCID from the previous steps.
  5. “Tenancy”, which is the Tenancy OCID from the previous steps.
  6. “Private key” associated with the public key registered with OCI.
  7. Any proxy information and bandwidth information, if needed.
  8. Click on “ADD”.


Navigate to your project and go to the "Snapshots" tab. You should see the snapshots that have been created; click on the symbol under "Clones" that looks like a globe.


Once there, choose the target you previously created, send the backup in "tar" format, and click on "APPLY". This will send a copy of your OKV backup (which is encrypted) to your bucket in OCI as an offsite backup.
