3 Configuring TLS Data Security on the Client

This section provides the steps required to configure TLS Data Security on the Client.

The client also requires some modifications to support TLS. The Recovery Appliance can use https encryption alone, in dual mode http/https, or without encryption http, the default.

Configuring Protected Databases to Support TLS

If you want to continue using non-TLS, update the RMAN settings by adding to CONFIGURE CHANNEL DEVICE TYPE "_RA_NO_SSL=TRUE"

     credential_alias=RADB01,_RA_TRACE_LEVEL=1000)' FORMAT '%U_%d';  

If you want to start using TLS, you need to perform the following steps.

  1. Find the TCPS alias (example: zdlra_tcps) from Recovery Appliance host and copy it to tnsnames.ora file on client database.

  2. Update wallet, or create new one if previous one was created by mkstore. Create new wallet using orapki. For example:

    orapki wallet create -wallet $ORACLE_HOME/dbs/Sydney
  3. Copy raCA.pem from Recovery Appliance host to client database and import it into wallet created or updated above.

    orapki wallet add -wallet $ORACLE_HOME/dbs/sydney -trusted_cert -cert $ORACLE_HOME/dbs/sydney/raCA.pem
  4. Update wallet to -auto_login.

    orapki wallet create -wallet $ORACLE_HOME/dbs/sydney -auto_login
  5. Create credential with new alias TCPS and ravpc user

    mkstore -wrl /u01/app/oracle/product/ -createCredential zdlra7_tcps ravpc welcome123
  6. Connect RMAN and update “CONFIGURE CHANNEL DEVICE” adding wallet info

    rman target / catalog ravpc/welcome123@zdlra7_tcps

Validating TLS Usage

The following commands assist in monitoring the various TLS objects.

  • racli run check --check_name=tls_health
  • racli run diagnostics --tag=tls
  • racli run diagnostics --tag=tls_high