Saturday, August 30, 2025

Oracle Secure Backup (OSB) Features & Abilities

 

Oracle Secure Backup (OSB) is an enterprise data protection solution from Oracle that provides centralized backup management for heterogeneous file systems, Network Attached Storage (NAS), and Oracle databases. The latest version is 19.1, released in 2024.

Oracle Secure Backup (OSB) is not a hardware appliance; it is a software product.

 


What Is Oracle Secure Backup?

Oracle Secure Backup is a centralized network-based backup management application that provides scalable and distributed backup and recovery capabilities.

  • It facilitates backup of Oracle Databases and file system data across heterogeneous network operating systems, such as Linux, Solaris, HP-UX, AIX and Windows.
  • It supports many of the industry's leading tape libraries and tape drives.
  • It protects data from malware, ransomware, and data loss (for example, physical hardware loss or accidental deletion) by offering scheduled and configurable file system and Recovery Manager (RMAN) backups to cloud storage, disk pools, and tape libraries.
  • It supports Internet Protocol v4 (IPv4), Internet Protocol v6 (IPv6) and mixed IPv4/IPv6 environments.
  • It works with FC-SCSI and SCSI attached devices on SAN and Gigabit Ethernet (GbE) networks.

Oracle Cloud Infrastructure allows users to store huge volumes of backup data and run Oracle Secure Backup on compute instances. You can use disk pools to provide fast backups to disk that can then be staged to tape.

 

Oracle Secure Backup Features

Oracle Secure Backup provides the following features:

  • Integration with other Oracle products, enabling you to easily back up and restore both Oracle Databases and file-system data to tape

Oracle Secure Backup is fully integrated with Recovery Manager (RMAN) and Oracle Enterprise Manager. You can use Oracle Enterprise Manager to back up both file-system data and Oracle Databases to tape.

Oracle Secure Backup serves as a media management layer, through the System Backup to Tape (SBT) interface, to securely back up Oracle Databases using RMAN.

  • Support for disk pools and a wide range of tape drives and libraries that are accessible through various protocols such as SCSI, iSCSI, SAN, NDMP, and Fibre Channel
  • Centralized tape backup management

Oracle Secure Backup enables centralized backup management of diverse distributed servers and multiple platforms including UNIX, Linux, Windows, and SAN. It can back up and restore locally or over a LAN/WAN.

  • Policy-based backup management

Oracle Secure Backup provides customizable administrative policies that enable you to control backup operations in the administrative domain. Policies also enable you to control aspects of domain security.

  • Flexible interface options that provide maximum ease of use

Oracle Secure Backup functionality can be accessed using any of the following interfaces: Oracle Secure Backup Web Tool, Oracle Enterprise Manager DB Control, Oracle Enterprise Manager Cloud Control, or obtool command-line interface.

  • Maximum security options for data and inter-host communication

Inter-domain communication is secured using the Secure Socket Layer (SSL) protocol. All hosts in the Oracle Secure Backup administrative domain are identified and authenticated using SSL and X.509 certificates. Data transmission within the administrative domain is secured using encryption. You can also encrypt Oracle Database backups before they are stored to tape.

  • Automated device discovery

Oracle Secure Backup can automatically discover and configure each secondary storage device connected to certain types of NDMP servers, such as a Network Appliance filer. It can also discover devices connected to the Oracle Secure Backup media servers.

  • Automated tape library and device management that includes automated control of tape libraries

Oracle Secure Backup automates the management of tape libraries to ensure efficient and reliable use of their capabilities. It controls library robotics and enables automatic loading and unloading of volumes. It can also automatically clean tape drives in a tape library.

  • Automated media management that includes volume and backup expiration

Oracle Secure Backup enables automatic tape recycling by specifying when volumes can be recycled. You create policies to define when volumes are eligible to be recycled or rewritten.

  • Flexible, multi-level, backup options

Oracle Secure Backup enables you to create full, incremental, and differential backups.

  • Flexible options for restoring backups

Oracle Secure Backup enables you to restore backup data stored on tapes either to the original location or to an alternative server.

 


Architecture:

Data protection is arguably one of the most critical and daunting tasks facing IT organizations.

Ransomware threats make it necessary to store backups on immutable storage, so they can't be deleted or altered until they expire.

Managing data protection of heterogeneous servers spread across data centers and remote offices, based on private, hybrid or public cloud, requires a unified solution that addresses the complexities of distributed environments consisting of both database and file system data.

With a highly scalable client-server architecture, Oracle Secure Backup (OSB) delivers centralized cloud, disk, and tape backup management for the entire IT environment.

Oracle Secure Backup 19.1 supports:

  • NEW: OCI Object Storage buckets with retention rules for immutability, ransomware protection, or regulatory compliance
  • NEW: Client Direct to Cloud backup and restore operations, removing media servers from the critical data path
  • Easy deployment in OCI via Marketplace image and Ansible playbooks
  • Oracle database integration with Recovery Manager (RMAN) supporting versions Oracle Database 11g Release 2 to Oracle Database 23ai
  • OCI object storage, all tiers (standard, infrequent access, archive)
  • Cloud Storage and Archive support on the Oracle Cloud Infrastructure to protect your cloud environment or to store your backups off-site
  • Enhanced “copy instance” for migrating long-term retention tape backups to OCI object storage
  • Automated, policy-based staging for easy Disk-to-Disk-to-Cloud and Disk-to-Disk-to-Tape backups

 

Functionality:

While comparable products separately license advanced features, number and size of servers and database integration, Oracle Secure Backup does not!

Oracle Secure Backup delivers comprehensive data protection management with enterprise-class features and Oracle database integration in one single solution with a simple licensing scheme based only on the number of utilized streams.

Why utilize Oracle Secure Backup?

  • Enterprise data protection for your entire IT environment: Protects heterogeneous file systems, OCI Compute Instances, and NAS devices, with built-in integration with the Oracle database on-premises and in the cloud.
  • Cloud Storage support: Protects cloud environments and lets you implement tape-less vaulting.
  • Ransomware protection: Creates immutable backups in OCI Object Storage buckets with retention policies (WORM buckets).
  • Faster Cloud backup and restore operations: No need for media servers, which can become bottlenecks and single points of failure, in the data path between the client and the cloud. With Client Direct to Cloud, each client can directly access cloud storage.
  • Policy-driven media lifecycle management: Automates backup retention on disk, tape or cloud as well as backup image duplication and vaulting.
  • Staging: Simplifies data movement between different storage technologies for simple and automated Disk-to-Disk-to-Tape and Disk-to-Disk-to-Cloud backups.
  • Backup encryption: Secures backup data and provides policy-based backup encryption key management.
  • Cost effective: Reduces licensing and associated ongoing maintenance costs by about 75% over comparable products.
  • MAA Validated for Exadata: Simplifies Exadata data protection using a tape backup solution tested and validated by the Oracle Maximum Availability Architecture (MAA) Development team.
  • Oracle Integrated: Optimized backup to disk performance when using the ZFS Storage Appliance as an Oracle Secure Backup disk pool.


Before you install and configure OSB in your production environment, it is important to review the compatibility matrix:

Secure Backup 19.1 - Tape Device Compatibility Matrix:

https://www.oracle.com/technetwork/database/availability/documentation/device-matrixosb19-1-20240515-11883487.pdf

 

About Tape Devices

Oracle Secure Backup maintains information about each tape library and tape drive so that you can use them for local and network backup and restore operations. You can configure tape devices during installation or add a new tape device to an existing administrative domain. When configuring tape devices, the basic task is to inform Oracle Secure Backup about the existence of a tape device and then specify which media server can communicate with this tape device.

 

About Backups in Immutable Buckets

Oracle Secure Backup supports the immutable buckets feature provided by Oracle Cloud Infrastructure. This feature enables Oracle Secure Backup to store backups in Oracle Cloud Infrastructure object storage and archive storage but prevents any modification or deletion of data.

Oracle Cloud Infrastructure provides different types of retention rules to safeguard the data in immutable buckets for a specified duration. When you configure retention rule for a bucket, it applies to all the objects within the bucket.

Retention Rules

For your backup data, Oracle Secure Backup helps you create and manage the following retention rules of Oracle Cloud Infrastructure:

  • Compliance rule: These rules define how long a particular bucket retains an object. During this period, you can access and read the data multiple times but cannot modify or delete it. If an object has multiple compliance rules, then the object storage considers the rule with the longest time period. The retention rule also depends on the last modification time stamp of the object.

For example, an object storage bucket has three objects, A, B, and C that are either uploaded or last modified 3 months, 6 months, and 1 year ago respectively.

    • If you create a compliance rule on the bucket for 9 months duration, then the objects A and B become immutable immediately but object C can be modified or deleted.
    • If you change the retention duration on the bucket to 2 years, then all three objects become immutable. The object C becomes mutable after another year, object B becomes mutable after 1 year and 6 months, and object A becomes mutable after 1 year and 9 months.

Oracle Cloud Infrastructure provides an option to apply locks to these time-based retention rules. When a retention rule is locked, you can increase the retention time but cannot decrease it or delete the rule. To delete the rule, all objects in the object storage bucket must be mutable and the bucket must be deleted.

Note: You can delete an object storage bucket only if it is empty.

  • Legal hold: These rules indicate any regulatory obligation to retain a backup. A legal hold has no time period associated with it.

If backup data in an immutable bucket has a compliance rule and you apply a legal hold to it, then the legal hold takes precedence.

As a result, the data remains in the object storage beyond the time period specified in the compliance rule. The compliance rule comes into effect only after the legal hold on that bucket is removed. You cannot apply locks on a legal hold.

Using Oracle Secure Backup, you can create one time-based compliance rule and one legal hold rule for a bucket in Oracle Cloud Infrastructure object storage.

Note: To manage rules from Oracle Secure Backup, ensure that you create them using Oracle Secure Backup. You cannot use Oracle Secure Backup to modify or delete rules that were created using other sources, such as the Oracle Cloud Infrastructure console.
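The retention behaviour described above (longest compliance rule wins, age counted from last modification, legal hold overriding everything, locked rules only extendable) can be checked with a small model. This is an added example, not Oracle code or an OCI API; the class and function names are hypothetical, and time is simplified to whole months using the page's objects A, B, and C as constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ComplianceRule:
    months: int           # retention duration, counted from last modification
    locked: bool = False  # a locked rule can be extended, never shortened or deleted


@dataclass
class Bucket:
    # Constructed sample data: object name -> months since upload/last modification.
    ages: Dict[str, int]
    rules: List[ComplianceRule] = field(default_factory=list)
    legal_hold: bool = False  # no time period; overrides compliance rules while set

    def months_until_mutable(self, name: str) -> Optional[int]:
        """Return 0 if the object can be changed now, N if it stays immutable for
        N more months, or None if a legal hold keeps it immutable indefinitely."""
        if self.legal_hold:
            return None
        if not self.rules:
            return 0
        longest = max(rule.months for rule in self.rules)  # longest rule wins
        return max(0, longest - self.ages[name])

    def set_duration(self, rule: ComplianceRule, months: int) -> None:
        if rule.locked and months < rule.months:
            raise PermissionError("locked rule: duration can only be increased")
        rule.months = months

    def delete_rule(self, rule: ComplianceRule) -> None:
        if rule.locked:
            raise PermissionError("locked rule cannot be deleted")
        self.rules.remove(rule)


def report(bucket: Bucket) -> Dict[str, Optional[int]]:
    """Months of immutability remaining for every object in the bucket."""
    return {name: bucket.months_until_mutable(name) for name in sorted(bucket.ages)}


def page_scenario():
    """Replay the page's example: 9-month rule, change to 2 years, lock, legal hold."""
    rule = ComplianceRule(months=9)
    bucket = Bucket(ages={"A": 3, "B": 6, "C": 12}, rules=[rule])
    nine_months = report(bucket)
    bucket.set_duration(rule, 24)
    two_years = report(bucket)
    rule.locked = True
    try:
        bucket.set_duration(rule, 12)  # shortening a locked rule must fail
        shorten_blocked = False
    except PermissionError:
        shorten_blocked = True
    bucket.legal_hold = True
    held = report(bucket)
    return nine_months, two_years, shorten_blocked, held


if __name__ == "__main__":
    for step in page_scenario():
        print(step)
```

An object that reports 0 under the current rule set is not protected against deletion, which is the case to look for when sizing the retention duration against how old the oldest backups in the bucket already are.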

Overview of Backup and Media Settings Configuration

To begin managing your file-system and Oracle Database backups, install Oracle Secure Backup on your host (except NDMP servers and NAS filers) and then configure your administrative domain.

After the administrative domain is configured, the storage devices are available to store backups.

You can perform additional configuration that enables you to manage your storage media. Configuring media families enables you to assign common characteristics to a set of tape volumes or disk pools.

A media family is a named classification of volume sets that share certain common attributes. Use media families to logically group volumes or volume sets. They ensure that volumes created at different times share common characteristics.

 

 

Oracle Secure Backup provides policy-based media management for Oracle Database backups through the use of database backup storage selectors. A database backup storage selector specifies the parts of the database that need to be backed up, the media family that must be used for this backup, and the devices that can be used to store the backed-up data.

Oracle Secure Backup automatically uses the storage selections defined within a database backup storage selector while backing up an Oracle Database.

You can override the storage selections for one-time backup operations by defining alternate media management parameters in the RMAN backup script.

 

Overview of Backup Encryption

Data is vital to an organization and it must be guarded against malicious intent while it is in an active state, on production servers, or in preserved state, on backup tapes. Data center security policies enable you to restrict physical access to active data. To ensure security of backup data stored on tapes, Oracle Secure Backup provides backup encryption.

You can encrypt data at the global level, client level, and job level by setting appropriate encryption policies. You can select the required algorithm and encryption options to complete the encryption process.

Types of Backup Encryption:

Oracle Secure Backup enables you to perform the following types of encryption:

  • Software encryption

Software encryption is supported for hosts that have the Oracle Secure Backup software installed. It is not supported for NDMP hosts or NAS filers. The data that is backed up is encrypted before it is sent over the network to the backup storage media.

When you use software encryption for a backup, all backup image instances associated with this backup are encrypted. If software encryption is not enabled at the time the backup is created, you can encrypt a backup image instance created using the original unencrypted backup if this backup image instance is being stored in a tape device that supports hardware encryption.

  • Hardware encryption

Hardware encryption is supported only for tape devices that support encryption such as the LTO5 tape drive. The tape device hardware performs the required data encryption.

If a backup that uses hardware encryption is copied to a disk pool, the backup image instance on the disk pool is unencrypted. However, if a backup is created using software encryption, you cannot use hardware encryption for backup image instances created using this backup.

 

Disaster Recovery of Oracle Secure Backup Administrative Data

To guard against the loss of data on a computer used to make backups, Oracle Secure Backup protects its own catalog and settings data. Without this metadata the backups that Oracle Secure Backup has made are just so many assorted tapes. If the real-time Oracle Secure Backup catalog data is lost, then you can use the metadata from an Oracle Secure Backup catalog backup to restore Oracle Secure Backup to the state that it was in at the time of its last catalog backup.

Data that defines an Oracle Secure Backup administrative domain resides on the administrative host in the $OSB_HOME/admin directory and the /usr/etc/ob directory. During an Oracle Secure Backup installation, a dataset description file, OSB-CATALOG-DS, is automatically generated to back up these critical directories. Ideally, you must perform a backup of these directories daily, after completing all other backups, so that the latest state of the administrative host can be captured for restore in case of a hardware failure on the administrative host.

Oracle Secure Backup catalog recovery protects only the catalog and settings on an administrative server. The operating system and other installed software are not automatically backed up.

 

About Staging

Staging lets you store one or more backup image instances in a container in preparation for automatically copying or moving the backup image instances to another container.

For Oracle Secure Backup, the staging container can be a disk pool or a cloud device. In a typical staging scenario, the backup instance would be moved from a disk pool to a tape drive.

Staging can involve multiple backup image instances and can be configured to run at scheduled times and based on certain conditions. Examples of conditions include the size of a set of backup images, the client hosts in the backup, and database information. Staging can also be done on-demand.

 

Benefits of Staging:

  • Disks have much faster random access of backup files than tapes. Tapes can be moved offsite for long-term storage. Staging allows a backup to be automatically contained on both disk and tape, thus allowing both fast restores and the benefits of being on tape.
  • Staging allows the use of multiple streams, in parallel, during backup and restore operations. In the case of backups, the data is copied to a single tape drive at a later time.
  • Staging can minimize the stop-and-reposition issue that occurs when slow clients are backed up to tape because when staging is used, slow clients can be concurrently backed up to a disk pool and then copied to tape in a single high-speed data stream.
  • Staging allows backup instances to remain on disk after they are also written to tape. Each instance can have a different expiration time so the backup could remain on the disk to restore more quickly while also being on tape for long term protection.
  • Staging can be used to create additional copies of backup image instances at an offsite location using a remote Oracle Secure Backup media server to provide additional data protection through redundancy.

 

Oracle Secure Backup Interfaces

There are four different interfaces for accessing different elements of Oracle Secure Backup:

  • The obtool command line utility provides the fundamental interface for Oracle Secure Backup functions, including configuration, media handling, and backup and restore of file-system files.
  • Oracle Enterprise Manager (OEM) offers access to most Oracle Secure Backup functions available through obtool as part of its Cloud Control interface.
  • RMAN command-line client: Used specifically for configuring and performing Oracle database backup and restore operations.
  • Oracle Secure Backup includes its own Web-based interface, called the Oracle Secure Backup Web tool, which exposes all functions of obtool. The Oracle Secure Backup Web tool is primarily intended for use in situations where Oracle Secure Backup is being used independently of an Oracle Database instance. It does not provide access to database backup and recovery functions.

The Oracle Secure Backup Web tool supports Internet Protocol v4 (IPv4), Internet Protocol v6 (IPv6), and mixed IPv4/IPv6 environments on all platforms that support IPv6.

Backup and restore operations for Oracle Database instances and configuration of the Oracle Secure Backup media management layer are performed through the RMAN command-line client or through Oracle Enterprise Manager.

Oracle Secure Backup documentation focuses on the use of Enterprise Manager wherever possible, and describes the Oracle Secure Backup Web Tool only when there is no equivalent functionality in Enterprise Manager, as in a file-system backup.

 

 

A Comparison Between OSB, ZDLRA, and Exadata

Oracle Secure Backup (OSB):

  • Type: Software (downloadable, runs on servers).
  • Purpose: Tape backup management — backs up Oracle databases (via RMAN) and file systems to tape libraries.
  • Scope: Used if you need tape backup or offsite archival.
  • Relation: Can be used with Exadata or any Oracle DB server, and can back them up to tape.
  • Usually not tied to ZDLRA, but can complement it for long-term retention to tape.

https://edelivery.oracle.com

Oracle Zero Data Loss Recovery Appliance (ZDLRA):


  • Type: Hardware appliance (like Exadata but optimized for backup).
  • Purpose: Continuous protection + centralized backup appliance for Oracle DB.
  • Features:
    • RMAN-integrated.
    • Real-time redo transport (zero-data-loss).
    • Automates backup validation, offloads backup I/O from production DB.
  • Relation with OSB:
    • ZDLRA is disk-based, not tape.
    • If you need tape archival from ZDLRA → you use OSB as the tape management software.
    • So OSB can extend ZDLRA backups to tape for long-term storage.

 

  Oracle Exadata:


  • Type: Hardware appliance (database machine).
  • Purpose: High-performance database platform (OLTP + DW + mixed workloads).
  • Relation with OSB & ZDLRA:
    • Exadata is the production database platform.
    • Exadata databases can back up directly to tape using OSB, or to ZDLRA for continuous protection.
    • Often: Exadata (DB workloads) → ZDLRA (disk-based backup/redo capture) → OSB (tape archival).

 

For setup, configuration, and many other notes about OSB, visit:

https://docs.oracle.com/en/database/oracle/secure-backup/19/obins/index.htm
