Recently I had some fun with backing up Oracle 12 databases under Windows. Following the online help from Veeam we created a special backup user and assigned it to the local Windows admin group and the ORA_DBA group. We then added the user to the Veeam credentials and tested the connection between the Veeam backup server and the oracle host. Keep in mind that testing the connection/credentials from within the backup job properties only tries SMB (RPC) and VIX (VMwareTools) connectivity and credentials. The test won't include any Oracle specific tests. As far as I know there is no possibility to test Oracle connections from within the VBR GUI.
After testing the connection we started the backup for the first time. The job threw a warning about having incorrect credentials for the Oracle databases and thus application-aware image processing was not possible. The error thrown was:
"Unable to perform application-aware processing of Oracle database (SID: XXXX) : Oracle error has occurred. ORA-01017: invalid username/password; logon denied --tr:Failed to create oracle session. --tr:Failed to create oracle session holder. SID: XXXX."
Backing up Oracle VMs without a proper AAIP implementation is not a good idea so we had to find the cause of this problem.
Checking the user used for connectivity belonging to the ORA_DBA group was quickly done and everything seemed to be okay. Checking the password was quicly done, too and using the account to connect with SQLPLUS was also successfully. Checking the internet there is nearly no information about the ORA-01017 error in combination with Veeam. There is indeed a KB article about an error "ORA-01031 - insufficient privileges" but this seemes to be not the same. Nevertheless I used this KB (Veeam KB2333) to have a baseline for further analysis.
KB2333 states two possible causes for this error (beside checking to really have the correct username and password....).
First check your sqlnet.ora for the SQLNET.AUTHENTICATION_SERVICES= (NTS) setting. This setting allows Windows accounts to be used as authentication source for the Oracle database instance. This setting is normally set by default during the installation but it's possible to have someone changed this after installation to higher security. The setting can have additional options not only NTS but NTS has to be included at least.
Second requirement is "The service account leveraged for Application Aware Image Processing needs to be included in the group ORA_DBA". Well, we already checked that the user VBR uses to connect to the VM is included in the group.
Checking the Veeam Oracle log files at C:\ProgramData\Veeam\Backup\OracleLib.txt we still saw the error:
oralib| ERR |Oracle session init thread failed
oralib| >> |Oracle error has occurred. ORA-01017: invalid username/password; logon denied
oralib| >> |
oralib| >> |--tr:Failed to create oracle session.
oralib| >> |An exception was thrown from thread .
Next thing to evaluate is what exactly is done during initial VSS phase. To achieve this, we checked the services started and stopped during a Veeam backup on the Oracle host. As expected during ramp up phase of the Veeam backup job a helper service is transferred to the Oracle host and started. The service is called "VeeamVSSsupport" and ist started on the "Local System" account and NOT as expected under the VBR backup user we defined within the backup job. This user is only used for transferring the bits and bytes to the Oracle VM and later it will also be used for the transaction log backup but NOT for the VSS helper service. The problem is, this service will try to get additional database information from the Oracle instance and that's the reason why the error mentioned above is thrown. As the "Local system" account is not in the ORA_DBA group (it is by default but sometimes it is deleted due to security reasons after initial installation), it is not allowed to get the needed information. As I didn't found any possibility to reconfigure the user used for the VeeamVSSsupport service I had to go the other way and give the user used by the service the appropriate rights.
To resolve this issue make sure the "NT AUTHORITY\SYSTEM" user is member of the ORA_DBA group. After adding the user to the group the backup ran without any problems.
Just one thing to mention: the transaction log backup is done via network and RMAN (not via VSS) so the user defined in the Oracle transaction log setting in the AAIP settings still has to be a member of the ORA_DBA group.