Using RMAN DUPLICATE when the target system is behind a firewall
My production servers are on the other end of a network link where they can not make connections to any of the servers in my dev/test environment, but connections from dev/test to production are fine. This is problematic:
- OEM 12c (housed in dev/test environment) can't monitor production (needs 2-way agent<->OMS comms)
- RMAN DUPLICATE doesn't work (requires connection from source to destination)
- No way to push files from production to dev/test
- And many others...
The point of this post is to talk about RMAN DUPLICATE in this situation.
As there's no outbound connectivity from prod->dev/test, I initially assumed this wouldn't be possible, however I've tried using SSH tunnels. and while it didn't work due to my previous blog post (RMAN-05531 during duplicate from active standby), the concept is fine.
Log in to the shell of the destination database, and follow the usual setup (DocID 452868.1) to create a duplicate from active database:
- Create PFILE ($ORACLE_HOME/dbs/initNEWSID.ora) with DB_NAME and COMPATIBLE parameters
- Add entries for source and duplicate in tnsnames.ora
- Verify connection from duplicate to source with tnsping
- Add entry for duplicate in listener.ora
- Create password file for duplicate database ($ORACLE_HOME/dbs/orapwNEWSID)
- Start duplicate DB in nomount mode
At this point, we need to allow for the source system to connect to the duplicate. One way to do this is using SSH tunnelling. With this we can set up a port on the source system which is tunnelled "through" the SSH connection back to the duplicate server on any port we specify. So we can direct, say, port 1522 on the source server to port 1521 on the duplicate!
Start a new SSH connection to the duplicate, then SSH to the source server, tunnelling the ports as appropriate. e.g.:
ssh -C -R1522:localhost:1521 oracle@production.domain.local
The -R switch tells the remote (source) server that if it gets any connections on port 1522, to redirect them through the SSH tunnel, to port 1521 on localhost on the local (duplicate) server, where the SSH command was run.
Lastly, we set up the source server so it knows how to talk to the duplicate.
- Edit tnsnames.ora, add a new entry for the duplicate DB with:
- SID=NEWSID
- port=1522
- host=localhost
- Confirm the source can contact the duplicate using tnsping
That's it! On the duplicate, run the RMAN DUPLICATE as normal, and everything should, theoretically, "just work".
This comment has been removed by a blog administrator.
ReplyDelete