3.5 Backup, Recovery, and Security Management

The management tasks discussed in previous sections represent only a portion of those that must be performed at a typical site. Many other management tasks are ordinarily the responsibility of your organization's database administrator (DBA). However, backup, recovery, and security management are often the responsibility of the Oracle Application Server administrator, so the following sections will touch upon these tasks . For details, consult the Oracle documentation.

3.5.1 Performing Backup and Recovery

Backing up your configuration and application data in such a way that it can be recovered in the event of a failure or error is an essential maintenance task for any administrator. When you back up Oracle Application Server, make sure that your backup procedures back up both Oracle Application Server itself and the contents of the Oracle Application Server infrastructure (if used); that infrastructure is frequently housed in an Oracle database.

A complete backup of your Oracle Application Server environment includes the following:

• Configuration files for the instance, the Oracle software files, and system files.

• Contents of the OracleAS Metadata Repository (if used); remember that the repository is an integral part of the infrastructure.

• Additional files associated with the Oracle environment, such as log files, configuration files for the database, and other scripts and information used by Oracle Application Server components .

Make sure that your backup plan includes backup steps for all this information.

3.5.1.1 Types of backup

As with the Oracle database, two basic types of backup are available for Oracle Application Server:

Complete, or cold, backup

With this type of backup, you back up all Oracle HOME directories in the middle tier , including the Oracle HOME for the Oracle database used for the infrastructure, a complete cold backup of the OracleAS Metadata Repository, and a complete backup of all Oracle system files.

Online, or incremental, backup

With this type of backup, you back up only the configuration files that have changed since the time of the last backup and perform an online backup of the OracleAS Metadata Repository.

With Oracle Application Server, as with any software, make sure to perform periodic complete backups as well as more frequent incremental backups . If you make a major change to your Oracle Application Server environment, take that opportunity to perform a complete backup to avoid losing the effects of this change.

Oracle Application Server farms and clusters are managed using DCM. You can use DCM directly or invoke it via Application Server Control. The DCM requires a repository, either in the database or as a set of files. If you use file-based DCM, you also have to back up (and subsequently recover) the files used as part of your backup procedure. These files are located on the repository host for the cluster or farm. If you use a database for the configuration information, standard backup procedures will also back up this information.

DCM lets you create an archive of a particular configuration. You can use this archive as a way to save known "good" configurations. This allows you to restore previous configurations if you need to do so later.

3.5.1.2 OracleAS Backup and Recovery Tool

The OracleAS Backup and Recovery Tool is a Perl script that backs up configuration files and the Metadata Repository. This tool is included on the OracleAS Application Server Repository Creation Assistant (OracleAS RepCA) CD set that comes with Oracle Application Server. The OracleAS Backup and Recovery Tool automates the process of backing up all the individual entities needed for a complete Oracle Application Server backup, as described in the previous section.

The OracleAS Backup and Recovery Tool has its own set of configuration files that indicate which directories it uses to hold the different portions of the backup. You need to install the tool for each infrastructure and middle-tier server in your environment, and edit the configuration for each instance of the tool. You can add files, directories, or groups of files and directories (using wildcards) to the configuration file.

3.5.1.3 Backup

You can use the OracleAS Backup and Recovery Tool to perform either complete or incremental backups of configuration files, the OracleAS Metadata Repository, or both. You can specify the level of an incremental backup, where each level backs up the files that have changed since the time of the last backup at the same level.

The OracleAS Backup and Recovery Tool doesn't back up or recover a OracleAS Metadata Repository that was added to an existing database. You have to handle this database through standard Oracle backup and recovery procedures in coordination with the BRT.

3.5.1.4 Recovery

You can use Oracle Application Server backups to recover your installation, whether or not you have experienced a failure that has corrupted the Metadata Repository.

If the repository has been corrupted, you have to recover it to a point in time just before the corruption occurred. If only configuration files have been lost, you can simply restore them using the OracleAS Backup and Recovery Tool. The Oracle Application Server documentation contains complete instructions for using this tool, as well as information that can help you determine which type of recovery operation you need to perform.

3.5.2 Implementing Secure Access and Management

If you are performing security management, you must have an appropriate username and password to access the Application Server Control or Grid Control tools:

Application Server Control

Use the ias_admin username and supply your assigned password to gain access to Application Server Control.

Grid Control

Use your Oracle Enterprise Manager 10 g username and password to gain access to Grid Control.

If you plan to use the Oracle Internet Directory, the default for any password that you create must be at least five characters with at least one numeric character.

The OracleAS Metadata Repository and the Grid Control Management Repository are stored in Oracle databases. Oracle database administrators or database security administrators typically uses a DBA username (e.g., SYS) and connect as SYSDBA to start these database instances and perform other operations. Doing so provides the administrator with the necessary privileges (the rights to execute certain SQL statements) that have been assigned to the DBA roles (named groups of privileges).

Administrators who access Grid Control only for the purpose of monitoring individual application servers may not be provided these extended privileges or given login access to the Application Server Control tool. The details, however, depend on how your organization decides to maintain security and grant access.

Most users of Oracle Application Server simply need user authentication. For large implementations , you may want to configure global authentication across these distributed systems for users and Grid Control administrators and their roles. Global authentication allows you to maintain a single authentication list for multiple distributed servers and to implement OracleAS Single Sign-On.

You can use OracleAS Single Sign-On for authentication when logging into Grid Control. You can also secure the communication between agents and Oracle Management Services so that HTTPS is used.

Chapter 4 describes Oracle Application Server user security and identity management in more detail. But for now, be aware that in typical three-tier implementations, Oracle Application Server runs some of the application logic, serves as an interface between the clients and database servers, and provides the Oracle Identity Management infrastructure. The Oracle Internet Directory provides directory services running as applications against an Oracle database. The directory synchronization service, provisioning integrated service, and delegated administrative service are part of the Oracle Internet Directory. Security in middle-tier applications is controlled by applications' privileges and by preserving client identities through all three tiers. You can use the Application Server Control tool to configure and change configurations of the Oracle Internet Directory and OracleAS Single Sign-On.