
Create, configure and manage Disaster Recovery in Oracle Cloud for On-Premises database
Kamran Aghayev A.
Oracle Certified Master, ACE Director
About me

• Database Team Leader at AzerCell Telecom


• Oracle Certified Master
• Oracle ACE Director
• Author of the “OCM 11g Study Guide”
• Author of the “RMAN Backup and Recovery”
• Blogger at http://www.kamranagayev.com
• President of Azerbaijan Oracle User Group (AzerOUG)
OracleVideoTutorials.com
The Requisite Room Survey

How many of you have had a failure of a production database that has no DR?

How many of you are still running a mission-critical database without a standby?

How many of you have placed the standby database in the same data center as the production database?
Building Disaster Recovery in Oracle Cloud

Introduction to Data Guard in Oracle Cloud

Security requirement of Data Guard in Oracle Cloud

Deploying the DR to the cloud

Encryption configuration in On-Premises and in Oracle Cloud

Instantiate Data Guard Standby

Managing Data Guard in the Cloud


Data Guard in Oracle Cloud

[Diagram: Data Guard in the same data center. DG_ONE and DG_TWO each have control files /u01/oradata/control01.ctl and /u02/oradata/control02.ctl.]

There are two options for DR to the cloud using Oracle Database Cloud
Services:

- Data Guard utilizing Enterprise Edition Service or High Performance Service.

- Active Data Guard utilizing the Extreme Performance Service or Exadata Service
  - provides advanced features for data protection
  - offloads read-only workload and backups from a production database
Data Guard in Oracle Cloud
DR in Oracle Cloud provides the following capabilities:

- Ability to monitor the standby database
- Ability to switch over or fail over the on-premises database: for a planned outage, activate the standby database (perform switchover) and convert it back to synchronized standby mode
- Building development and test environment based on the Standby database
- Offloading read-only production workloads to the cloud
- Offloading backups to the cloud
Service Level Requirements

Availability:
Recovery Time Objective (RTO) describes the maximum acceptable downtime should
an outage occur

Data Protection:
Recovery Point Objective (RPO) describes the maximum amount of data loss that can
be tolerated

Performance
Database response time may be different after failover if less capacity – compute,
memory, I/O, etc, are provisioned at the standby system than in the on-premises
production system
Security Requirements

Using Oracle Transparent Data Encryption (TDE) to encrypt primary and standby
databases at rest

- Additional CPU overhead: Encryption requires additional CPU cycles to calculate encrypted and decrypted values.

- Lower data compression: Encrypted data compresses poorly because it must reveal no information about the original plain text data.

- Key management: Encryption is only as strong as the key used to encrypt.

Oracle Net encryption is also required for encryption-in-flight for other redo
changes that are not encrypted by TDE
Deploying the DR to the cloud

Create an Oracle Cloud account

Configure the Network

Encrypt the On-Premise database

Create a Standby Database

Perform Switchover/Failover

Enable runtime monitoring


Create database service
Configuring Network

Enable SSH tunneling to the cloud


Securing port connectivity to the cloud
Creating Security IP list

Creating Security Rule


Oracle Net Encryption Configuration
Prompt-less SSH from Oracle Cloud to on-premises machine
Cloud Network Configuration

By default, port 1521 is disabled

Remove the default listener
Create Security List and add On-Premises IP lists
Cloud Network Configuration

Create a Security Application and provide new port number


Cloud Network Configuration

Create a new Security Rule and configure Standby listener.ora file to use the
new port for accepting connections from the specified IP addresses
Encrypting On-Premise database

TDE tablespace encryption can only be enabled during the creation of a tablespace. Existing
tablespaces cannot be altered to enable TDE in 11g. A Data Guard Transient Logical Standby
Database can be used to limit the impact to application performance and availability during
conversion to TDE tablespace encryption.

Data is exported from the transient logical standby using Oracle Data Pump, the existing
tablespace is dropped and a new TDE enabled tablespace is created followed by an import.
Encrypting On-Premise database
1. Verify that the Data Guard configuration is healthy and contains no gaps.
2. Create the encryption wallet, and set the master key.
3. Copy the wallet files to all nodes in the configuration (Oracle RAC primary nodes and all
standby nodes).
4. Place the standby in a mounted state with recovery stopped.
5. On the standby: Encrypt data files in-place and in parallel.
6. On the standby: Restart redo apply and catch up.
7. Execute a Data Guard switchover making the encrypted standby the new primary and the
unencrypted primary the new standby.
8. On the NEW standby: Place the new standby database in a mounted state with recovery
stopped.
9. On the NEW standby: Encrypt data files in-place and in parallel.
10. On the NEW standby: Restart redo apply and catch up.
11. Optionally execute a Data Guard switchover to reestablish the original configuration.
Enabling Transparent Data Encryption

1. Create encryption wallet


Set the wallet location in the sqlnet.ora on all nodes of primary and standby.

ENCRYPTION_WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /u01/app/oracle/admin/TDE/$ORACLE_SID)))

2. Create the corresponding directory on all nodes with the proper ORACLE_SID.
mkdir -p /u01/app/oracle/admin/TDE/$ORACLE_SID

3. Set the Master Encryption Key


ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "AbCdEfGh!";
Enabling Transparent Data Encryption

4. Open the keystore and set the encryption key


ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "AbCdEfGh!";
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "AbCdEfGh!" WITH BACKUP USING 'TDE';

5. Create Auto-login wallet

ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE FROM KEYSTORE '/u01/app/oracle/admin/TDE/$ORACLE_SID' IDENTIFIED BY "AbCdEfGh!";

6. Restart the standby database to mounted mode.


$ srvctl stop database -d
$ srvctl start database -d -o mount
Enabling Transparent Data Encryption

7. Stop the recovery


DGMGRL> edit database tdestby set state=APPLY-OFF;

8. Generate the commands for the data files to be encrypted.


SQL> SELECT 'alter database datafile '
         || CHR(39) || df.name || CHR(39) || ' encrypt;' COMMAND
       FROM v$tablespace ts, v$datafile df
      WHERE ts.ts# = df.ts#
        AND ts.name NOT IN ('SYSTEM', 'SYSAUX')
        AND ts.name NOT IN (SELECT VALUE FROM gv$parameter
                             WHERE name = 'undo_tablespace');

alter database datafile '+DATA/TDESTBY/DATAFILE/users.1163.910254789' encrypt;
alter database datafile '+DATA/TDESTBY/DATAFILE/users.1133.909661023' encrypt;
Enabling Transparent Data Encryption

9. Convert datafiles in parallel.

SQL> alter database datafile '+DATA/TDESTBY/DATAFILE/users.1163.910254789' encrypt;


Database altered.

SQL> alter database datafile '+DATA/TDESTBY/DATAFILE/users.1133.909661023' encrypt;


Database altered.

10. Optional: Use DBVERIFY to confirm used blocks are encrypted.

$ dbv file=+DATAC1/TDESTBY/DATAFILE/users.1161.910254777 USERID=/


Total Pages Marked Corrupt : 0
Total Pages Influx : 0
Total Pages Encrypted : 751075 <-- Total Pages Examined - Total Pages Empty
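
The step 10 check can be scripted as a gate before recovery is restarted. This is an added example, not part of the original presentation: the two DBVERIFY summaries are constructed sample data, `check_dbv_summary` is a hypothetical helper, and the rule it applies (encrypted pages = examined pages minus empty pages) is the annotation from the slide above.

```python
import re

# Constructed DBVERIFY summaries for two hypothetical datafiles (sample data,
# not output from the original presentation).
ENCRYPTED_FILE = """\
Total Pages Examined         : 1000
Total Pages Empty            : 250
Total Pages Marked Corrupt   : 0
Total Pages Influx           : 0
Total Pages Encrypted        : 750
"""
PARTLY_ENCRYPTED_FILE = """\
Total Pages Examined         : 1000
Total Pages Empty            : 250
Total Pages Marked Corrupt   : 0
Total Pages Influx           : 0
Total Pages Encrypted        : 450
"""

# Matches the plain counters; lines such as "Processed (Data)" are ignored.
COUNTER = re.compile(r"^Total Pages ([A-Za-z ]+?)\s*:\s*(\d+)", re.MULTILINE)
REQUIRED = ("Examined", "Empty", "Marked Corrupt", "Encrypted")

def check_dbv_summary(summary):
    """Return a list of problems; an empty list means the file passed."""
    counts = {name: int(value) for name, value in COUNTER.findall(summary)}
    missing = [name for name in REQUIRED if name not in counts]
    if missing:
        return ["summary lacks: " + ", ".join(missing)]
    problems = []
    used = counts["Examined"] - counts["Empty"]
    if counts["Encrypted"] != used:
        problems.append(f"{used - counts['Encrypted']} used pages are not encrypted")
    if counts["Marked Corrupt"]:
        problems.append(f"{counts['Marked Corrupt']} pages marked corrupt")
    if counts.get("Influx", 0):
        problems.append(f"{counts['Influx']} pages influx")
    return problems

if __name__ == "__main__":
    for label, text in (("encrypted", ENCRYPTED_FILE),
                        ("partial", PARTLY_ENCRYPTED_FILE)):
        print(label, check_dbv_summary(text) or "OK")
```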
Enabling Transparent Data Encryption

11. Restart recovery.


DGMGRL> edit database tdestby set state=APPLY-ON;

12. Switchover.
DGMGRL> switchover to tdestby;
Instantiate Data Guard Standby

Create from On-Premises production

Create from Oracle Database Backup Cloud Service


Create Standby database from On-Premises production

Configure prompt-less ssh in both On-Premises and Cloud hosts

$ ssh-keygen
$ scp ~/.ssh/id_rsa.pub oracle@:~/.ssh/id_rsa.pub_cloud
$ cat ~/.ssh/id_rsa.pub_cloud >> ~/.ssh/authorized_keys   # sshd reads authorized_keys
$ chmod 600 ~/.ssh/authorized_keys

Oracle Restart Installation

Adding swap space might be required

Make sure to select the installation option ‘Install Oracle Grid Infrastructure
Software Only’
Create Standby database from On-Premises production

Create Standby Redo Logs on the Primary On-Premises Database

- SRLs should be created the same size as the largest of the Online Redo Logs (ORLs)
- Additionally, the MAA best practice for standby redo logs is to have the same number of groups as there are online redo log groups, plus 1

SQL> alter database add standby logfile thread 1 group 4 ('+RECO') size 100m;

Drop the default database from the cloud machine


$ dbca -silent -deleteDatabase -sourceDB STBY -sysDBAUserName sys -sysDBAPassword syspass
Create Standby database from On-Premises production

Configure Oracle Net Encryption

SQLNET.ENCRYPTION_SERVER = requested (for On-Premises)
SQLNET.ENCRYPTION_SERVER = required (for Cloud)
SQLNET.ENCRYPTION_TYPES_SERVER = (RC4_256, AES256) (both)
SQLNET.ENCRYPTION_CLIENT = requested (both)
SQLNET.ENCRYPTION_TYPES_CLIENT = (RC4_256, AES256) (both)
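
What these settings negotiate in each redo direction, as an added example that is not part of the original presentation. It is a model, not Oracle code: `negotiate`, `redo_paths` and `PAGE_TYPES` are hypothetical names, and the level matrix and the rule that the server takes the first algorithm in its own list that the client also lists are assumptions based on Oracle's Net Services documentation.

```python
# Added illustration of Oracle Net native encryption negotiation (a model,
# not Oracle code). Levels are the sqlnet.ora values for
# SQLNET.ENCRYPTION_CLIENT / SQLNET.ENCRYPTION_SERVER.
LEVELS = ("rejected", "accepted", "requested", "required")
ON, OFF, FAIL = "on", "off", "connection fails"

def negotiate(client_level, client_types, server_level, server_types):
    """Return (state, algorithm) for one connection.

    The client is the side that opens the connection; for redo transport
    that is the primary shipping redo to the standby.
    """
    levels = {client_level.lower(), server_level.lower()}
    if not levels <= set(LEVELS):
        raise ValueError(f"unknown level in {sorted(levels)}")
    if "rejected" in levels:
        return (FAIL, None) if "required" in levels else (OFF, None)
    if levels == {"accepted"}:
        return (OFF, None)          # nobody asked for encryption
    # Assumed rule: the server takes the first algorithm in its own list
    # that the client also lists.
    offered = {t.upper() for t in client_types}
    for algorithm in server_types:
        if algorithm.upper() in offered:
            return (ON, algorithm.upper())
    return (FAIL, None) if "required" in levels else (OFF, None)

PAGE_TYPES = ["RC4_256", "AES256"]      # order as given on the slide

def redo_paths(types):
    """Both redo directions with the slide's levels and one shared list."""
    return {
        # on-premises primary (client=requested) -> cloud standby (server=required)
        "onprem->cloud": negotiate("requested", types, "required", types),
        # after switchover: cloud primary (client=requested) -> on-prem (server=requested)
        "cloud->onprem": negotiate("requested", types, "requested", types),
    }

if __name__ == "__main__":
    print(redo_paths(PAGE_TYPES))                 # RC4_256 wins: it is listed first
    print(redo_paths(["AES256", "RC4_256"]))      # same set, reordered
    # A peer that rejects encryption: 'requested' falls back to cleartext,
    # 'required' refuses the connection.
    print(negotiate("rejected", [], "requested", PAGE_TYPES))
    print(negotiate("rejected", [], "required", PAGE_TYPES))
```

Under these assumptions both redo directions are encrypted, but the list order on the slide selects RC4_256; putting AES256 first, or listing only AES256 on both sides, changes the outcome.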

Configure TNS entries for redo transport


Entries for each database are needed on both the On-Premises and Cloud hosts.
As there is no DNS in the primary and standby hosts, use IP addresses to resolve the servers.
Create Standby database from On-Premises production

Create a password and initialization file in the Oracle Cloud host


$ORACLE_HOME/bin/orapwd file=$ORACLE_HOME/dbs/orapwINSTANCE_NAME password=oracle

Edit initialization parameter file as follows:


db_name=PRODDB
db_unique_name=STBDB
sga_target=900M

Start the auxiliary instance


export ORACLE_SID=STBDB
sqlplus / as sysdba
startup nomount pfile='/tmp/pfile.ora';
Create Standby database from On-Premises production

Configure TDE before proceeding with the creation process

Create encryption wallet (sqlnet.ora)


Create password based keystore
Open the wallet and set the encryption key
Create auto-login wallet
Copy the generated keyfiles to standby and primary hosts
Create Standby database using RMAN Duplicate from Active Script

connect target sys/pass@onpremis
connect auxiliary sys/pass@clouddb
run {
  # one channel on the primary, two on the standby (auxiliary) instance
  allocate channel prmy1 type disk;
  allocate auxiliary channel stby1 type disk;
  allocate auxiliary channel stby2 type disk;
  # copy the running primary over Oracle Net and rewrite the spfile for the standby
  duplicate target database for standby from active database spfile
    PARAMETER_VALUE_CONVERT= 'PRODDB', 'STBDB'
    set db_unique_name='STBDB'
    set control_files='/u02/oradata/STBDB/control01.ctl'
    set log_file_name_convert='/u01/oradata/redo','/u02/oradata/logfiles'
    set db_file_name_convert='/u01/oradata/redo','/u02/oradata/logfiles'
    set db_recovery_file_dest='/home/oracle/flash_recovery_area'
    dorecover;
}
Create Standby database using Oracle Database Backup Cloud Service
From Oracle Database Backup Cloud Service

Install the Cloud Backup Tool to the On-Premises

[oracle@onprem ~]$ mkdir wallet lib


[oracle@onprem tmp]$ java -jar opc_install.jar -serviceName Storage -identityDomain yourIdentityDomain -opcID YourOpcId -opcPass YourOpcPassword -walletDir /home/oracle/wallet -libDir /home/oracle/lib
Downloading Oracle Database Cloud Backup Module Software Library from file opc_linux64.zip.
Downloaded 26528348 bytes in 12 seconds. Transfer rate was 2210695 bytes/second.
Download complete.
[oracle@onprem tmp]$

RMAN> CONFIGURE CHANNEL DEVICE TYPE 'SBT_TAPE'
      PARMS 'SBT_LIBRARY=/home/oracle/lib/libopc.so, ENV=(OPC_PFILE=/u03/oracle/product/11.2.4/db_1/dbs/opcPROD.ora)';

RMAN> CONFIGURE COMPRESSION ALGORITHM 'HIGH';

RMAN> CONFIGURE DEFAULT DEVICE TYPE TO 'SBT_TAPE';
From Oracle Database Backup Cloud Service

RMAN> SET ENCRYPTION ON IDENTIFIED BY "mypass" ONLY;

RMAN> BACKUP DATABASE PLUS ARCHIVELOG;

Install the Cloud Backup Tool to Oracle Cloud machine

RMAN> set decryption identified by "mypass";

RMAN> run
{
  allocate channel t1 type 'SBT_TAPE'
    PARMS 'SBT_LIBRARY=/home/oracle/lib/libopc.so, ENV=(OPC_PFILE=/u01/app/oracle/product/11.2.0/dbhome_1/dbs/opcPROD.ora)';
  set dbid=345613202;
  restore spfile to pfile '/tmp/pfile.ora' from autobackup;
}
From Oracle Database Backup Cloud Service
SQL> startup nomount force;
RMAN> set decryption identified by "mypass";
RMAN> run
{
  allocate channel t1 type 'SBT_TAPE'
    PARMS 'SBT_LIBRARY=/home/oracle/lib/libopc.so, ENV=(OPC_PFILE=/u01/app/oracle/product/11.2.0/dbhome_1/dbs/opcPROD.ora)';

  set dbid=345613202;

  restore controlfile from autobackup;

  shutdown immediate;
  startup mount;
  set newname for database to '/u04/app/oracle/oradata/%U.dbf';
  restore database;
  switch datafile all;

  alter database rename file '/u03/oracle/oradata/PROD/redo03.log' to '/u04/app/oracle/oradata/redo03.log';
  alter database rename file '/u03/oracle/oradata/PROD/redo02.log' to '/u04/app/oracle/oradata/redo02.log';
  recover database;
  alter database open resetlogs;
}
Managing Data Guard in Oracle Cloud
Perform Data Guard Health Check

Oracle provides several automated health check tools that can be downloaded from My
Oracle Support

ORAchk applicable to generic platform (suitable for Database Cloud Service)

Exachk applicable to Exadata Database Machine (suitable for Exadata Cloud Service)
Perform Data Guard Health Check

• Use Active Data Guard to offload read-only workload to the standby database, to make sure that the standby is ready for production

• Periodically place the standby database in read-write mode to validate its readiness for production load

• Take standby snapshots for patch installation tests and upgrades

Data Guard VALIDATE DATABASE (Applicable from Oracle Database 12c onward)

DGMGRL> validate database stby;


Using Standby for patch apply test

• Standby database can be used to test patch apply

• Rolling upgrade of the database

• Build Data Guard between two 11g databases

• Convert the physical standby to a logical standby

• Upgrade the standby database to 12c and validate

• Perform a switchover and upgrade the new standby


Evaluate Patch on Standby Database

• Convert the standby database into a snapshot standby

• Perform any required SQL installation steps for the patch on the snapshot standby.

• Use Oracle Real Application Testing to evaluate stability and performance of the new software
using real application workload.

• After testing is complete, convert the snapshot standby back to a physical standby. Conversion
back to a physical standby will roll back changes made by Oracle Real Application Testing
workload replay, and made by SQL installation steps for the patch.
Performing Switchover/Failover of the Standby database

Run the following command to change the role of the primary database to standby
database:

SQL> ALTER DATABASE COMMIT TO SWITCHOVER TO PHYSICAL STANDBY WITH SESSION SHUTDOWN;

SQL> SHUT IMMEDIATE

SQL> STARTUP MOUNT

SQL> ALTER DATABASE COMMIT TO SWITCHOVER TO PRIMARY WITH SESSION SHUTDOWN;
Performing Switchover/Failover of the Standby database

• Use VALIDATE DATABASE command in DGMGRL:

DGMGRL> validate database stby;

Database Role: Physical standby database

Primary Database: pri

Ready for Switchover: Yes

Ready for Failover: Yes (Primary Running)

DGMGRL> switchover to ;
Performing Switchover/Failover of the Standby database

DGMGRL> failover to stby;


Performing failover NOW, please wait...
Failover succeeded, new primary is "stby"

SQL> shutdown abort


SQL> startup mount
DGMGRL> reinstate database pri
Reinstating database "pri", please wait...
Using dbaascli utility to manage Data Guard in Cloud

In a Database Cloud Service database deployment, you can use the Oracle Database Cloud
Service console or the dataguard subcommand of the dbaascli utility to perform many Data Guard
operations

To check the status of the configuration, run:


$ dbaascli dataguard status [--details yes|no] [--password password]

Initiate the switchover to the standby database:


$ dbaascli dataguard switchover [--password password]

Initiate the failover to the standby database:


$ dbaascli dataguard failover [--force yes|no] [--password password]

Reinstating a Failed Primary Database


$ dbaascli dataguard reinstate [--password password]
Questions?

धन्यवाद
Thanks for coming!!

http://www.kamranagayev.com
http://www.ocmguide.com
http://www.oraclevideotutorials.com
