
Using OSB Cloud Module with EC2 IAM

Dave Liddell | November 25, 2011

Oracle’s OSB Cloud Module allows you to back up to S3. By default, OSB Cloud Module creates buckets using names generated from your EC2 login. For example, if your login is myaccount@gmail.com, your default buckets would be oracle-data-myaccount-1 and oracle-log-myaccount-1. If you already have buckets set up that you want to use and need to lock down permissions using EC2’s IAM feature, then you’ll need to do some extra work to change the bucket OSB uses and allow access.

It’s clear that OSB Cloud Module wasn’t created with IAM in mind, possibly due to release dates, but there are several security and administrative reasons you may want to use it in conjunction with IAM. Much of this configuration is undocumented but can be tracked down with a little work.

This article assumes that you already have OSB Cloud Module and RMAN set up and that you are using credentials you created using IAM. If you need to set up OSB Cloud Module, some documentation on doing so is available here: http://www.oracle.com/technetwork/topics/cloud/osbws-readme-083624.html

If you need to set up OSB Cloud Module on 10g, some information on doing so is available here.

In order to change the bucket and lock down permissions you’ll need to use some undocumented settings. You can find these settings by running strings on the OSB shared object:

    [oracle@proddb-1 ~]$ strings /opt/oracle/product/10.2.0/db_1/lib/libosbws11.so | grep ^OSB
    …
    OSB_WS_PFILE
    OSB_WS_HOST
    OSB_WS_PROXY
    OSB_WS_BUCKET
    OSB_WS_LOCATION
    OSB_WS_CHUNK_SIZE
    OSB_WS_LICENSE_ID
    OSB_WS_LICENSE_MAX_SESSIONS
    OSB_WS_WALLET

We’ll specify our custom bucket name by setting OSB_WS_BUCKET in your osbws*.ora:

    OSB_WS_BUCKET=mybucket

When naming your bucket, you must adhere to the S3 bucket naming policies, as the OSB Cloud Module will fail on upper case letters, etc. The S3 bucket naming policies are:

Naming Buckets and Keys

Though buckets can be named with any alpha-numeric character, following some simple naming rules will ensure that you can reference your bucket using the convention .s3.amazonaws.com.

  1. Use 3 to 63 characters.
  2. Use only lower case letters (at least one), numbers, ‘.’ and ‘-’.
  3. Don’t start or end the bucket name with ‘.’ and don’t follow or precede a ‘.’ with a ‘-’.

Keys can be named with any properly encoded UTF-8 character. Literal ‘+’ characters should always be URL encoded. (http://aws.amazon.com/articles/1904)

You can determine what permissions are needed by watching tcpdump and filtering requests to S3 while running the installation and backup commands. Luckily we’ve done that work for you, so here’s what you need to get things set up:

Initially, you’ll need some extra permissions to run the installer. After osbws_install.jar is run, you can then remove the permissions for CreateBucket (the first statement) and the statement to access the default buckets (oracle-[data|log]–1). Change “mybucket” and “myaccount” to appropriate identifiers for your setup:

    {
      "Statement": [
        {
          "Sid": "Stmt1319046639298",
          "Action": [
            "s3:CreateBucket"
          ],
          "Effect": "Allow",
          "Resource": [
            "*"
          ]
        }
      ]
    }

    {
      "Statement": [
        {
          "Sid": "Stmt1319047275324",
          "Action": [
            "s3:GetObject",
            "s3:GetObjectVersion"
          ],
          "Effect": "Allow",
          "Resource": [
            "*"
          ]
        }
      ]
    }

    {
      "Statement": [
        {
          "Action": [
            "s3:ListAllMyBuckets"
          ],
          "Effect": "Allow",
          "Resource": "arn:aws:s3:::*"
        },
        {
          "Action": "s3:*",
          "Effect": "Allow",
          "Resource": [
            "arn:aws:s3:::mybucket",
            "arn:aws:s3:::mybucket/*",
            "arn:aws:s3:::oracle-log-myaccount-1",
            "arn:aws:s3:::oracle-log-myaccount-1/*",
            "arn:aws:s3:::oracle-data-myaccount-1",
            "arn:aws:s3:::oracle-data-myaccount-1/*",
            "arn:aws:s3:::oracle-sbt-license/*",
            "arn:aws:s3:::oracle-sbt-license"
          ]
        }
      ]
    }

One unexpected permission is the “oracle-sbt-license” bucket. This is not a bucket created by OSB under your account, but instead, a public bucket belonging to Oracle. Curiously, even though it’s a public bucket, the IAM user needs explicit permissions specified for it or access will fail.
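
The post-install tightening described above, as an added example (not code from the original post or from Oracle): it checks an OSB_WS_BUCKET value against the three quoted naming rules and strips the s3:CreateBucket statement and the default oracle-data/oracle-log bucket ARNs from the install-time statements. The function names, the merged statement list without Sid fields, and the mybucket/myaccount placeholders are assumptions for illustration.

```python
import json
import re

def valid_bucket_name(name):
    """Check a name against the three S3 naming rules quoted in the article."""
    return (3 <= len(name) <= 63
            and re.fullmatch(r"[a-z0-9.-]+", name) is not None
            and re.search(r"[a-z]", name) is not None  # at least one lower-case letter
            and name[0] != "." and name[-1] != "."
            and ".-" not in name and "-." not in name)

def as_list(value):
    """IAM accepts either a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)

def post_install_statements(statements, account):
    """Drop what the article says is needed only while osbws_install.jar runs:
    the s3:CreateBucket statement and the default oracle-data/oracle-log buckets."""
    defaults = tuple(f"arn:aws:s3:::oracle-{kind}-{account}-1" for kind in ("data", "log"))
    default_objects = tuple(d + "/" for d in defaults)
    kept = []
    for stmt in statements:
        if as_list(stmt["Action"]) == ["s3:CreateBucket"]:
            continue
        resources = [r for r in as_list(stmt["Resource"])
                     if r not in defaults and not r.startswith(default_objects)]
        if resources:
            kept.append({**stmt, "Resource": resources})
    return kept

# The article's install-time statements merged into one list (Sid fields omitted,
# "mybucket"/"myaccount" placeholders kept as in the article).
INSTALL = [
    {"Action": ["s3:CreateBucket"], "Effect": "Allow", "Resource": ["*"]},
    {"Action": ["s3:GetObject", "s3:GetObjectVersion"], "Effect": "Allow", "Resource": ["*"]},
    {"Action": ["s3:ListAllMyBuckets"], "Effect": "Allow", "Resource": "arn:aws:s3:::*"},
    {"Action": "s3:*", "Effect": "Allow", "Resource": [
        "arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*",
        "arn:aws:s3:::oracle-log-myaccount-1", "arn:aws:s3:::oracle-log-myaccount-1/*",
        "arn:aws:s3:::oracle-data-myaccount-1", "arn:aws:s3:::oracle-data-myaccount-1/*",
        "arn:aws:s3:::oracle-sbt-license/*", "arn:aws:s3:::oracle-sbt-license"]},
]

if __name__ == "__main__":
    assert valid_bucket_name("mybucket"), "OSB_WS_BUCKET breaks the S3 naming rules"
    print(json.dumps({"Statement": post_install_statements(INSTALL, "myaccount")}, indent=2))
```

The oracle-sbt-license ARNs stay in the reduced policy, since the article notes that access fails without explicit permission for that bucket.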
