3 Configuring TLS Data Security on the Client
This section provides the steps required to configure TLS Data Security on the Client.
The client also requires some modifications to support TLS. The Recovery Appliance can use https encryption alone, in dual mode http/https, or without encryption (http), the default.
Configuring Protected Databases to Support TLS
If you want to continue using non-TLS, update the RMAN settings by adding "_RA_NO_SSL=TRUE" to CONFIGURE CHANNEL DEVICE TYPE:
CONFIGURE CHANNEL DEVICE TYPE
'SBT_TAPE' PARMS
'SBT_LIBRARY=/u01/app/oracle/product/19.0.0.0/dbhome_1/lib/libra.so,
ENV=(_RA_NO_SSL=TRUE,RA_WALLET=location=file:/<path>
credential_alias=RADB01,_RA_TRACE_LEVEL=1000)' FORMAT '%U_%d';
If you want to start using TLS, you need to perform the following steps.
- Find the TCPS alias (example: zdlra_tcps) on the Recovery Appliance host and copy it to the tnsnames.ora file on the client database.
- Update the wallet, or create a new one if the previous one was created by mkstore. Create the new wallet using orapki. For example:
  orapki wallet create -wallet $ORACLE_HOME/dbs/sydney
- Copy raCA.pem from the Recovery Appliance host to the client database and import it into the wallet created or updated above.
  orapki wallet add -wallet $ORACLE_HOME/dbs/sydney -trusted_cert -cert $ORACLE_HOME/dbs/sydney/raCA.pem
- Update the wallet to -auto_login.
  orapki wallet create -wallet $ORACLE_HOME/dbs/sydney -auto_login
- Create a credential with the new TCPS alias and the ravpc user.
  mkstore -wrl /u01/app/oracle/product/19.0.0.0/dbhome_1/dbs/sydney -createCredential zdlra7_tcps ravpc welcome123
- Connect RMAN and update "CONFIGURE CHANNEL DEVICE", adding the wallet information.
  rman target / catalog ravpc/welcome123@zdlra7_tcps
Validating TLS Usage
The following commands assist in monitoring the various TLS objects.
- racli run check --check_name=tls_health
- racli run diagnostics --tag=tls
- racli run diagnostics --tag=tls_high
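
A client-side complement to the racli checks, as an added example (not Oracle's tooling or code from this guide): it confirms that the alias copied into tnsnames.ora really specifies TCPS and that the auto-login wallet is accessible only to its owner, which matters because an auto-login wallet opens without a password. It assumes the standard Oracle wallet file names cwallet.sso and ewallet.p12; the function names and the sample host, port and service name are constructed.

```shell
# Added example, not Oracle tooling: pre-flight checks for the client TLS setup.

# alias_uses_tcps FILE ALIAS: succeed if ALIAS's entry in a tnsnames.ora
# file contains PROTOCOL=TCPS (an entry starts at column 0 with "name =").
alias_uses_tcps() {
  awk -v want="$2" '
    /^[A-Za-z0-9_.-]+[ \t]*=/ {
      name = $0; sub(/[ \t]*=.*/, "", name)
      inside = (toupper(name) == toupper(want))
    }
    inside && toupper($0) ~ /PROTOCOL[ \t]*=[ \t]*TCPS/ { found = 1 }
    END { exit(found ? 0 : 1) }
  ' "$1"
}

# wallet_ready DIR: succeed if DIR holds an auto-login wallet (cwallet.sso)
# and neither wallet file grants any permission to group or others.
wallet_ready() {
  [ -f "$1/cwallet.sso" ] || { echo "no cwallet.sso in $1" >&2; return 1; }
  for f in "$1/cwallet.sso" "$1/ewallet.p12"; do
    [ -e "$f" ] || continue
    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
      echo "group/other access on $f" >&2; return 1
    fi
  done
  return 0
}

# Demo on constructed fixtures; host name, port and service are made up.
demo() {
  d=$(mktemp -d) || return 1
  cat > "$d/tnsnames.ora" <<'EOF'
zdlra_tcps =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = ra.example.com)(PORT = 2484))
    (CONNECT_DATA = (SERVICE_NAME = zdlra)))
zdlra_tcp =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = ra.example.com)(PORT = 1521))
    (CONNECT_DATA = (SERVICE_NAME = zdlra)))
EOF
  mkdir "$d/wallet" && : > "$d/wallet/cwallet.sso" && chmod 600 "$d/wallet/cwallet.sso"
  alias_uses_tcps "$d/tnsnames.ora" zdlra_tcps && echo "zdlra_tcps: TCPS"
  wallet_ready "$d/wallet" && echo "wallet: ok"
  rm -rf "$d"
}
demo
```

On a real client, call the two functions with the database's own tnsnames.ora path, alias and wallet directory instead of running the demo.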