3 Configuring TLS Data Security on the Client

This section provides the steps required to configure TLS Data Security on the Client.

The client also requires some modifications to support TLS. The Recovery Appliance can use HTTPS encryption alone, dual mode (HTTP and HTTPS), or HTTP without encryption, which is the default.

Configuring Protected Databases to Support TLS

If you want to continue using non-TLS, update the RMAN settings by adding "_RA_NO_SSL=TRUE" to the ENV list of CONFIGURE CHANNEL DEVICE TYPE:

    CONFIGURE CHANNEL DEVICE TYPE
    'SBT_TAPE' PARMS
    'SBT_LIBRARY=/u01/app/oracle/product/19.0.0.0/dbhome_1/lib/libra.so,
    ENV=(_RA_NO_SSL=TRUE,RA_WALLET=location=file:/<path>
         credential_alias=RADB01,_RA_TRACE_LEVEL=1000)' FORMAT '%U_%d';

If you want to start using TLS, you need to perform the following steps.

  1. Find the TCPS alias (example: zdlra_tcps) on the Recovery Appliance host and copy it to the tnsnames.ora file on the client database.

  2. Update the wallet, or create a new one if the previous one was created by mkstore. Create the new wallet using orapki. For example:

    orapki wallet create -wallet $ORACLE_HOME/dbs/sydney

  3. Copy raCA.pem from the Recovery Appliance host to the client database and import it into the wallet created or updated above.

    orapki wallet add -wallet $ORACLE_HOME/dbs/sydney -trusted_cert -cert $ORACLE_HOME/dbs/sydney/raCA.pem

  4. Update the wallet to -auto_login.

    orapki wallet create -wallet $ORACLE_HOME/dbs/sydney -auto_login

  5. Create a credential with the new TCPS alias and the ravpc user (welcome123 is the example password).

    mkstore -wrl /u01/app/oracle/product/19.0.0.0/dbhome_1/dbs/sydney -createCredential zdlra7_tcps ravpc welcome123

  6. Connect to RMAN and update “CONFIGURE CHANNEL DEVICE”, adding the wallet information.

    rman target / catalog ravpc/welcome123@zdlra7_tcps
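
The following shell checks are an added example, not part of the documented procedure or of any Oracle tool. They confirm that the copied alias resolves to PROTOCOL=TCPS, that the wallet holds ewallet.p12 and the auto-login cwallet.sso with no group or other access, and whether a saved channel configuration still carries _RA_NO_SSL=TRUE. The function names and the sample host, port and service name are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for the client TLS steps; sample data is constructed.

# Step 1: succeed only if <alias> in <tnsnames.ora> has an address with PROTOCOL=TCPS.
alias_uses_tcps() {   # usage: alias_uses_tcps <tnsnames.ora> <alias>
  awk -v want="$2" '
    BEGIN { want = tolower(want) }
    /^[A-Za-z0-9_.-]+[ \t]*=/ { cur = $0; sub(/[ \t]*=.*/, "", cur); cur = tolower(cur) }
    cur == want && toupper($0) ~ /PROTOCOL[ \t]*=[ \t]*TCPS/ { found = 1 }
    END { exit found ? 0 : 1 }' "$1"
}

# Steps 2-4: orapki leaves ewallet.p12, and -auto_login adds cwallet.sso. The
# auto-login file opens without a password, so group/other must have no access.
wallet_ready() {      # usage: wallet_ready <wallet_dir>
  local f
  for f in ewallet.p12 cwallet.sso; do
    [ -f "$1/$f" ] || { echo "missing: $1/$f" >&2; return 1; }
    [ "$(ls -ld "$1/$f" | cut -c5-10)" = "------" ] ||
      { echo "too permissive: $1/$f" >&2; return 1; }
  done
}

# Step 6: succeed if the saved channel configuration still opts out of TLS.
channel_disables_tls() {   # usage: channel_disables_tls <file>
  tr -d ' \t\n' < "$1" | grep -qi '_RA_NO_SSL=TRUE'
}

# Constructed sample input so the checks can be tried without an Oracle home.
make_sample() {       # prints the path of a temporary directory
  local d; d=$(mktemp -d) || return 1
  printf '%s\n' 'zdlra_tcps =' '  (DESCRIPTION =' \
    '    (ADDRESS = (PROTOCOL = TCPS)(HOST = ra.example.com)(PORT = 2484))' \
    '    (CONNECT_DATA = (SERVICE_NAME = zdlra)))' \
    'zdlra_tcp = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = ra.example.com)(PORT = 1521)))' \
    > "$d/tnsnames.ora"
  mkdir "$d/wallet" && : > "$d/wallet/ewallet.p12" && : > "$d/wallet/cwallet.sso"
  chmod 600 "$d/wallet/ewallet.p12" "$d/wallet/cwallet.sso"
  printf '%s\n' 'ENV=(_RA_NO_SSL=TRUE,RA_WALLET=location=file:/<path>' > "$d/channel.txt"
  echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
  d=$(make_sample)
  alias_uses_tcps "$d/tnsnames.ora" zdlra_tcps && echo "alias uses TCPS"
  wallet_ready "$d/wallet" && echo "wallet files present and private"
  channel_disables_tls "$d/channel.txt" && echo "channel still sets _RA_NO_SSL=TRUE"
  rm -rf "$d"
fi
```

Run the script with --demo to exercise the checks on the constructed sample, or source it and call the functions against the real tnsnames.ora, wallet directory and a saved copy of the channel configuration.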

Validating TLS Usage

The following commands assist in monitoring the various TLS objects.

  • racli run check --check_name=tls_health
  • racli run diagnostics --tag=tls
  • racli run diagnostics --tag=tls_high