Hey everyone,
Hope you’re doing good.
As already discussed in the blog, every environment which uses TDE (Transparent Data Encryption), a wallet is needed to store the encryption key.
The wallet is a file extremally important and critical for the health and well functioning of the DB, as if you lose this file (doesn’t matter if you delete the file or if the filesystem got corrupted), your DB cannot be open anymore!
So, it’s very important to take frequent backups of the wallet, so you can make sure you’ll always have a copy of your wallet in more than one place.
I will not discuss about the strategy to copy the backup to tape, cloud, etc, this must be followed by your backup policy.
The main goal of this post is to create a copy of the wallet to two different destinations (on this example, NFS locations), so, you can have more than one copy of wallet. I also recommend you to take weekly backups of your wallet.
You can schedule the script through Cron or DBMS_SCHEDULER, you can use the example on this post: here.
On this example, we’ll schedule it using Cron.
The shell script below will use the location of wallet using harded code, it’s possible to make it dinamically, but this can be done through an improvement in the next version of the script š
So, first step is to get the location of the wallet, this is defined by the value of parameter wallet_root. Let’s run the below query to get the value of wallet_root:let_root:
SQL> select name,value from v$parameter where name='wallet_root'; NAME VALUE ------------ ------------------------------ wallet_root /oracle/PB1/19300/dbs/wallet
OK, so wallet_root value is /oracle/PB1/19300/dbs/wallet. Let’s call this value as WALLET_ROOT. So, the wallet will always be on the location defined by WALLET_ROOT/tde, so, in our example: /oracle/PB1/19300/dbs/wallet/tde.
The shell script logic will be as descried below:
We’ll create a variable called bkpdate in the format YYYYMMDD, so, in our example, let’s consider the date today: 20230531
After this, we’ll define some variables: ORACLE_HOME and WALLET_ROOT.
Following, the script will enter into the directory defined by $WALLET_ROOT/tde and will check if file ewallet.p12 is present in the directory. This file is the file for wallet.
If the file is found (we are expecting this!), the wallet will be copied to two NFS locations:
/oracle/backup/wallet/PB1/
/sapcd/backup/wallet/PB1/
The backup file (executed today) will be as this example: ewallet.p12.20230531
After the copy, an email will be send informing that backup has been done. This will only work if your server is able to send e-mails. (This post will not cover this).
Replace the value of your_email@your_domain.com to your e-mail or a distribution list used by your team.
Note: this script doesn’t consider autologin file for backup, as the environment doesn’t use autologin. But you can just add the line to copy autologin file too.
#!/bin/bash export bkpdate=$(date +%Y%m%d) export ORACLE_HOME=/oracle/PB1/19300 export PATH=/bin:/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/oracle/PB1:. export WALLET_ROOT=${ORACLE_HOME}/dbs/wallet cd ${WALLET_ROOT}/tde if [ -f ewallet.p12 ] then cp ewallet.p12 /oracle/backup/wallet/PB1/ewallet.p12.${bkpdate} cp ewallet.p12 /sapcd/backup/wallet/PB1/ewallet.p12.${bkpdate} mail -s "Backup of Wallet - ${db_name} completed." your_email@your_domain.com < /dev/null else mail -s "Backup of Wallet - ${db_name} ** FAILED **." your_email@your_domain.com < /dev/null fi
Below we have the scheduling in the Cron, script will be executed every Saturday at midnight:
00 00 * * 6 /oracle/backup/wallet/PB1/PB1_backup_wallet.sh >/dev/null 2>/dev/null
Hope this helps!
Peace,
Vinicius
Related posts
2 Comments
Leave a Reply Cancel reply
This site uses Akismet to reduce spam. Learn how your comment data is processed.
Disclaimer
My postings reflect my own views and do not necessarily represent the views of my employer, Accenture.
Thank you for the sharing. I’ve been reading documentation and it suggests closing the wallet before taking a copy; is it still a valid backup if the wallet is open at the time of the copy?
Hi, thanks for your question!
You only can close your wallet if your goal is to close the DB, otherwise you can’t.
Wallet is most likely a “static” file that only changes if you rekey your TDE encryption key, merge any keystore, change the password, etc. In a daily basis operation, wallet will never change. So, it will be good to copy the wallet as proposed by the solution in the blog.