6 Compliance Quickstart

Describes how to use the Recovery Appliance to achieve "compliance retention" and "legal holds."

The Recovery Appliance is installed with no compliance settings enabled.

  • Customers can have and use rasys if desired.
  • Customers can have named admin / monitor users if desired.
  • Customers can enable and disable root and oracle access via ssh.
  • Customers can have named ssh users.
  • No compliance or immutable settings are enabled.
  • No compliance or immutable settings can be enabled.
  • The command "racli run check --check_name=check_ra_compliance" returns false.

Here is the outline for setting up the Recovery Appliance for compliance retention and legal hold backups.

  1. Establish the appropriate db_user and admin_user accounts and use them in the day-to-day operation of the Recovery Appliance, as given in User Roles for the Recovery Appliance. The RASYS and SYS accounts are disabled.

  2. Create protection policies that make use of the new compliance attributes, such as RECOVERY_WINDOW_COMPLIANCE for how long a backup must be held on the Recovery Appliance. This is covered in Creating a Protection Policy.

  3. Establish the cloud location with the appropriate immutable settings --immutable and --temp_metadata_bucket, as given in "racli add cloud_location".

    An immutable bucket is one that retains backups in cloud storage for a specified period. An immutable cloud location requires two buckets:

    • Regulatory Compliance Bucket, which has a retention rule set and locked.

    • Temporary Metadata Bucket, which has no retention rules.

    The cloud bucket must be created in advance using the OCI Console, the ZFS console, or the OCI command line interface. Once it exists, register it with the Recovery Appliance by running the "racli add cloud_location" command with the options --immutable and --temp_metadata_bucket. The recommendation is one database per immutable cloud location when using legal hold operations.

    [root@myComputeNodeX ~]# racli add cloud_location 
    --cloud_user=<CLOUD_USER_NAME> 
    --host=https://<OPC_STORAGE_LOCATION> 
    --bucket=<OCI_BUCKET_NAME> 
    --proxy_port=<HOST_PORT> 
    --proxy_host=<PROXY_URL> 
    --proxy_id=<PROXY_ID>
    --proxy_pass=<PROXY_PASS>
    --streams=<NUM_STREAMS> 
    [--enable_archive=TRUE]
    --archive_after_backup=<number>:[YEARS | DAYS]
    [--retain_after_restore=<number_hours>:HOURS]
    --import_all_trustcert=<X509_CERT_PATH>
    --immutable 
    --temp_metadata_bucket=<metadata_bucket> 
    [--enable_archive=true --archive_after_backup=2:DAYS --retain_after_restore=8:HOURS]
    
  4. Update the job templates for archiving to tape and cloud to make use of the compliance features or the archival backup. This is covered in Creating a Tape Backup Job and, for cloud, in Create Job Template.

Note:

When compliance is needed, the Recovery Appliance only enforces retention of the backup pieces stored locally on disk. Backups stored on external SBT locations must be protected by those target locations.

For example, assume a 6-year compliance window is needed. The protection policy is configured with a 90-day Recovery Window Goal. The remainder of the 6 years must be enforced by the external SBT location itself.

In the case of OCI Object storage, the racli add cloud_location command must include the immutable bucket options. The bucket must be created in advance using the OCI console. The 7-year retention rule must be configured on the bucket and locked.
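
Because the Recovery Appliance does not enforce retention on the external location, it helps to check the bucket pair before registering it. The following is an added example, not Oracle's code: it checks that the compliance bucket has a locked retention rule of the required length and that the temporary metadata bucket has none. The JSON is constructed sample data whose shape is assumed to match what the OCI CLI prints when listing a bucket's retention rules; the function names are hypothetical.

```python
import json
from datetime import datetime, timezone

# Constructed sample data. The shape is an assumption modelled on the OCI CLI's
# retention-rule listing output; confirm it against your own tenancy.
COMPLIANCE_RULES = json.loads("""
{"data": {"items": [
  {"display-name": "ra-compliance",
   "duration": {"time-amount": 7, "time-unit": "YEARS"},
   "time-rule-locked": "2024-01-15T00:00:00+00:00"}
]}}
""")
TEMP_METADATA_RULES = json.loads('{"data": {"items": []}}')

DAYS_PER_UNIT = {"DAYS": 1, "YEARS": 365}


def rule_days(rule):
    """Retention length in days; rules without a time-bound duration count as 0 here."""
    duration = rule.get("duration") or {}
    return duration.get("time-amount", 0) * DAYS_PER_UNIT.get(duration.get("time-unit"), 0)


def is_locked(rule, now):
    """A lock counts only once its effective timestamp has passed."""
    stamp = rule.get("time-rule-locked")
    return bool(stamp) and datetime.fromisoformat(stamp) <= now


def check_immutable_pair(compliance, temp_metadata, required_years, now=None):
    """Return a list of problems; an empty list means the pair looks usable."""
    now = now or datetime.now(timezone.utc)
    problems = []
    need = required_years * DAYS_PER_UNIT["YEARS"]
    rules = compliance["data"]["items"]
    if not any(rule_days(r) >= need and is_locked(r, now) for r in rules):
        problems.append(
            f"compliance bucket: no locked retention rule of >= {required_years} years")
    if temp_metadata["data"]["items"]:
        problems.append("temp metadata bucket: retention rules present, expected none")
    return problems


if __name__ == "__main__":
    result = check_immutable_pair(COMPLIANCE_RULES, TEMP_METADATA_RULES, 7)
    for line in result or ["OK: bucket pair matches the immutable requirements"]:
        print(line)
```

A rule whose lock timestamp is still in the future is reported as not locked, since it can still be changed until that time.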