6 Compliance Quickstart
Describes how to use the Recovery Appliance to achieve "compliance retention" and "legal holds."
The Recovery Appliance is installed with no compliance settings enabled.
- Customers can have and use rasys if desired.
- Customers can have named admin/monitor users if desired.
- Customers can enable and disable root and oracle access via ssh.
- Customers can have named ssh users.
- No compliance or immutable settings are enabled.
- No compliance or immutable settings can be enabled.
- The "racli run check --check_name=check_ra_compliance" returns false.
Here is the outline for setting up the Recovery Appliance for compliance retention and legal hold backups.
- Establish the appropriate db_user and admin_user accounts and use them in the day-to-day operation of the Recovery Appliance, as given in User Roles for the Recovery Appliance. The RASYS and SYS accounts are disabled.
- Create protection policies that make use of the new compliance attributes, such as RECOVERY_WINDOW_COMPLIANCE for how long a backup must be held on the Recovery Appliance. This is covered in Creating a Protection Policy.
- Establish the cloud location with the appropriate immutable settings --immutable and --temp_metadata_bucket, as given in "racli add cloud_location".

  An immutable bucket is one that retains backups in cloud storage for a specified period. An immutable cloud location requires two buckets:

  - Regulatory Compliance Bucket has retention rule set and locked.
  - Temporary Metadata Bucket without retention rules.

  The cloud bucket must be created in advance using the OCI Console, the ZFS console, or the OCI command line interface. Once it exists, you inform the Recovery Appliance with the "racli add cloud_location" command having the options --immutable and --temp_metadata_bucket. The recommendation is one database per immutable cloud location when using legal hold operations.

    [root@myComputeNodeX ~]# racli add cloud_location \
        --cloud_user=<CLOUD_USER_NAME> \
        --host=https://<OPC_STORAGE_LOCATION> \
        --bucket=<OCI_BUCKET_NAME> \
        --proxy_port=<HOST_PORT> \
        --proxy_host=<PROXY_URL> \
        --proxy_id=<PROXY_ID> \
        --proxy_pass=<PROXY_PASS> \
        --streams=<NUM_STREAMS> \
        [--enable_archive=TRUE] \
        --archive_after_backup=<number>:[YEARS | DAYS] \
        [--retain_after_restore=<number_hours>:HOURS] \
        --import_all_trustcert=<X509_CERT_PATH> \
        --immutable \
        --temp_metadata_bucket=<metadata_bucket> \
        [--enable_archive=true --archive_after_backup=2:DAYS --retain_after_restore=8:HOURS]

- Update the job templates for archiving to tape and cloud to make use of the compliance features or the archival backup. This is covered in Creating a Tape Backup Job and, for cloud, in Create Job Template.
Note:
When compliance is needed, the Recovery Appliance only enforces retention of the backup pieces stored locally on disk. Backups stored on external SBT locations must be protected by those target locations.
For example, assume a 6-year compliance window is needed. The protection policy is configured with a Recovery Window Goal of 90 days. The remainder of the 6 years on the external SBT must be enforced by the external SBT location.
In the case of OCI Object storage, the racli add cloud_location command must include the immutable bucket options. The bucket must be created in advance using the OCI console. The 7-year retention rule must be configured on the bucket and locked.
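
Before registering the pair of buckets with "racli add cloud_location", the two-bucket layout and the locked retention rule described above can be checked from each bucket's retention-rule listing. The following is an added example, not Oracle's code or part of the Recovery Appliance tooling. It assumes the JSON field names shown (modelled on the output of the OCI CLI's `oci os retention-rule list`), that `time-rule-locked` is the time after which the rule is locked, and hypothetical names such as `check_immutable_location`; the sample data is constructed.

```python
import json
from datetime import datetime, timezone

UNIT_DAYS = {"DAYS": 1, "YEARS": 365}  # approximate; leap days ignored

# Constructed sample. The field names are an assumption modelled on the JSON
# printed by `oci os retention-rule list`; adjust them to your CLI's output.
COMPLIANCE_JSON = """{"data": {"items": [{"display-name": "ra-hold",
  "duration": {"time-amount": 7, "time-unit": "YEARS"},
  "time-rule-locked": "2024-03-01T00:00:00Z"}]}}"""
METADATA_JSON = '{"data": {"items": []}}'

def rules(cli_json):
    """Extract the retention-rule list from one bucket's CLI output."""
    return json.loads(cli_json)["data"]["items"]

def parse_ts(value):
    """Parse an RFC 3339 timestamp; None when the field is absent or null."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def check_immutable_location(compliance_rules, metadata_rules, required_days, now):
    """Return findings; an empty list means the bucket pair fits the layout."""
    findings = []
    if metadata_rules:
        findings.append("temporary metadata bucket has retention rules")
    enforced = 0
    for rule in compliance_rules:
        name = rule.get("display-name", "<unnamed>")
        dur = rule.get("duration")
        # A rule without a duration is treated as indefinite retention.
        days = dur["time-amount"] * UNIT_DAYS[dur["time-unit"]] if dur else float("inf")
        locked_at = parse_ts(rule.get("time-rule-locked"))
        if locked_at is None:
            findings.append(f"rule {name}: not locked, can still be changed or deleted")
        elif locked_at > now:
            findings.append(f"rule {name}: lock not in effect until {locked_at.date()}")
        else:
            enforced = max(enforced, days)
    if enforced < required_days:
        findings.append(f"locked retention covers {enforced} days, need {required_days}")
    return findings

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "current" time
    # 6-year compliance window from the note above, in days.
    result = check_immutable_location(rules(COMPLIANCE_JSON), rules(METADATA_JSON), 6 * 365, now)
    print("\n".join(result) if result else "ok")
```

An unlocked rule, or one whose lock date is still in the future, contributes nothing to the enforced period, so a bucket in that state is reported as not yet meeting the compliance window.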