Configuring Recovery Appliance Replication with TLS Using DBMS_RA

This section describes how to configure Recovery Appliance replication when TLS is in use on one or both Recovery Appliances.

Prerequisites and Assumptions

Your environment must meet the following prerequisites:

• The upstream and downstream Recovery Appliance can communicate with each other over the network.

• The downstream Recovery Appliance must be started and configured to receive backups.

The following replication cases are provided.

• Case 1: One-Way Replication; TLS disabled on Downstream

• Case 2: One-Way Replication; TLS enabled on Downstream

• Case 3: Two-Way Replication; TLS disabled on Downstream

• Case 4: Two-Way Replication; TLS enabled on Downstream

• Case 5: Two-Way Replication; TLS disabled on Upstream

• Case 6: Two-Way Replication; TLS disabled on Upstream and Downstream

Case 1: One-Way Replication; TLS disabled on Downstream

The upstream Recovery Appliance (RA1) has one-way replication to the downstream Recovery Appliance (RA2).

• The upstream Recovery Appliance can be in the mode: TLS enabled, TLS only, or TLS disabled.

• The downstream Recovery Appliance has TLS disabled.

No action is required.

Case 2: One-Way Replication; TLS enabled on Downstream

The upstream Recovery Appliance (RA1) has one-way replication to the downstream Recovery Appliance (RA2).

• The upstream Recovery Appliance (RA1) can be in the mode: TLS enabled, TLS only, or TLS disabled.

• The downstream Recovery Appliance (RA2) has TLS enabled or TLS only.

Perform these steps with RA2 as the downstream.

1. Update tnsnames.ora with the new TCPS information.

   1. On the downstream Recovery Appliance

      cat /u01/app/oracle/product/19.0.0.0/dbhome_1/network/admin/tnsnames.ora

   2. On the upstream Recovery Appliance, add a new entry or update the existing entry with the TCPS information from the downstream Recovery Appliance. For example:

      (ADDRESS = (PROTOCOL = TCPS)(HOST = <FULL_SCAN_NAME>)(PORT = 2484)

2. Update the trusted certificate, which has the pem extension, like <NAME>.pem

   1. Copy the trusted cert from the downstream Recovery Appliance to the upstream Recovery Appliance tmp directory.

      Note:

      Use either a different location or a different name if the upstream Recovery Appliance is TLS enabled so that the certificate on the upstream Recovery Appliance is not overwriteen.

      scp DS_RA:<trusted_cert> US_RA:/tmp/<different_name_trusted_cert>

   2. Prepare the password for the RA wallet.

      Note:

      Use the same password for the RA wallet and the replication wallet.

      mkstore -wrl /raacfs/raadmin/config/awallet/wallet/ -viewEntry oracle.security.client.password<NUMBER>

      • If the upstream Recovery Appliance is also TLS enabled, then the RA wallet already supports the certificates.

        orapki wallet add -wallet /raacfs/raadmin/config/ra_wallet/wallet 
        -trusted_cert -cert /tmp/<different_name_trusted_cert>

        If the replication is bi-directional, perform the same operation but treat the local Recovery Appliance as a downstream Recovery Appliance.

      • If the upstream Recovery Appliance is not TLS enabled, then the RA wallet needs to be migrated to support the certificates.

        1. List all of the current credentials.

           mkstore –wrl /raacfs/raadmin/config/ra_wallet/wallet –listCredential

        2. Back up the wallet.

           mv /raacfs/raadmin/config/ra_wallet/wallet /raacfs/raadmin/config/ra_wallet/wallet_old

        3. Create a new RA wallet.

           orapki wallet create -wallet /raacfs/raadmin/config/ra_wallet/wallet

        4. Import copied trusted certificate into the wallet.

           orapki wallet add -wallet /raacfs/raadmin/config/ra_wallet/wallet -trusted_cert 
           -cert /tmp/<different_name_trusted_cert>

        5. Update wallet to auto login.

           orapki wallet create –wallet /raacfs/raadmin/config/ra_wallet/wallet
                 -auto_login

        6. Recover all credentials into the new RA wallet. For each credential in the old wallet, perform:

           mkstore –wrl /raacfs/raadmin/config/ra_wallet/wallet 
           -createCredential <alias> <user>  <pw>

   3. Check to see that the replication wallet supports certificates.

      ls -lart  /raacfs/raadmin/replication/orapki

      This is the replication wallet standard that RACLI recommends and supports certificates.

      • If the replication wallet exists, perform:

        orapki wallet add -wallet /raacfs/raadmin/replication/orapki 
        -trusted_cert -cert /tmp/<different_name_trusted_cert>

      • If the replication wallet does not exist, perform:

        1. List credentials in current replication wallet.

           mkstore –wrl /raacfs/raadmin/replication –listCredential

        2. Create a new replication wallet.

           orapki wallet create -wallet /raacfs/raadmin/replication/orapki

        3. Import copied trusted certificate into new replication wallet.

           orapki wallet add -wallet /raacfs/raadmin/replication/orapki 
           -trusted_cert --cert /tmp/<different_name_trusted_cert>

        4. Update wallet with auto login.

           orapki wallet create –wallet /raacfs/raadmin/replication/orapki -auto_login

        5. Recover all credentials into new replication wallet

            mkstore –wrl /raacfs/raadmin/replication/orapki -createCredential <tns_alias> <repl_user> <repl_user_pw>

3. Update the replication server parameters.

   1. Pause the replication server.

       dbms_ra.pause_replication_server()

   2. Update the replication parameters.

      • wallet_path should be the new replication wallet location.

      • wallet_alias should be the alias updated in tnsnames.ora in step 1

      dbms_ra.update_replication_server() 
      wallet_path => 'file:/raacfs/raadmin/replication/orapki/’ 
      wallet_alias => ‘TNS_ALIAS’

   3. Resume the replication server

       dbms_ra.resume_replication_server()

Case 3: Two-Way Replication; TLS disabled on Downstream

The upstream Recovery Appliance (RA1) has two-way replication with the downstream Recovery Appliance (RA2).

• The upstream Recovery Appliance can be in the mode: TLS enabled or TLS only.

• The downstream Recovery Appliance has TLS disabled.

Perform this step but with RA1 as the downstream. on the downstream Recovery Appliance.

1. Update tnsnames.ora with the new TCPS information.

   1. On the downstream Recovery Appliance

      cat /u01/app/oracle/product/19.0.0.0/dbhome_1/network/admin/tnsnames.ora

   2. On the upstream Recovery Appliance, add a new entry or update the existing entry with the TCPS information from the downstream Recovery Appliance. For example:

      (ADDRESS = (PROTOCOL = TCPS)(HOST = <FULL_SCAN_NAME>)(PORT = 2484)

2. Update the trusted certificate, which has the pem extension, like <NAME>.pem

   1. Copy the trusted cert from the downstream Recovery Appliance to the upstream Recovery Appliance tmp directory.

      Note:

      Use either a different location or a different name if the upstream Recovery Appliance is TLS enabled so that the certificate on the upstream Recovery Appliance is not overwriteen.

      scp DS_RA:<trusted_cert> US_RA:/tmp/<different_name_trusted_cert>

   2. Prepare the password for the RA wallet.

      Note:

      Use the same password for the RA wallet and the replication wallet.

      mkstore -wrl /raacfs/raadmin/config/awallet/wallet/ -viewEntry oracle.security.client.password<NUMBER>

      • If the upstream Recovery Appliance is also TLS enabled, then the RA wallet already supports the certificates.

        orapki wallet add -wallet /raacfs/raadmin/config/ra_wallet/wallet 
        -trusted_cert -cert /tmp/<different_name_trusted_cert>

        If the replication is bi-directional, perform the same operation but treat the local Recovery Appliance as a downstream Recovery Appliance.

      • If the upstream Recovery Appliance is not TLS enabled, then the RA wallet needs to be migrated to support the certificates.

        1. List all of the current credentials.

           mkstore –wrl /raacfs/raadmin/config/ra_wallet/wallet –listCredential

        2. Back up the wallet.

           mv /raacfs/raadmin/config/ra_wallet/wallet /raacfs/raadmin/config/ra_wallet/wallet_old

        3. Create a new RA wallet.

           orapki wallet create -wallet /raacfs/raadmin/config/ra_wallet/wallet

        4. Import copied trusted certificate into the wallet.

           orapki wallet add -wallet /raacfs/raadmin/config/ra_wallet/wallet -trusted_cert 
           -cert /tmp/<different_name_trusted_cert>

        5. Update wallet to auto login.

           orapki wallet create –wallet /raacfs/raadmin/config/ra_wallet/wallet
                 -auto_login

        6. Recover all credentials into the new RA wallet. For each credential in the old wallet, perform:

           mkstore –wrl /raacfs/raadmin/config/ra_wallet/wallet 
           -createCredential <alias> <user>  <pw>

   3. Check to see that the replication wallet supports certificates.

      ls -lart  /raacfs/raadmin/replication/orapki

      This is the replication wallet standard that RACLI recommends and supports certificates.

      • If the replication wallet exists, perform:

        orapki wallet add -wallet /raacfs/raadmin/replication/orapki 
        -trusted_cert -cert /tmp/<different_name_trusted_cert>

      • If the replication wallet does not exist, perform:

        1. List credentials in current replication wallet.

           mkstore –wrl /raacfs/raadmin/replication –listCredential

        2. Create a new replication wallet.

           orapki wallet create -wallet /raacfs/raadmin/replication/orapki

        3. Import copied trusted certificate into new replication wallet.

           orapki wallet add -wallet /raacfs/raadmin/replication/orapki 
           -trusted_cert --cert /tmp/<different_name_trusted_cert>

        4. Update wallet with auto login.

           orapki wallet create –wallet /raacfs/raadmin/replication/orapki -auto_login

        5. Recover all credentials into new replication wallet

            mkstore –wrl /raacfs/raadmin/replication/orapki -createCredential <tns_alias> <repl_user> <repl_user_pw>

3. Update the replication server parameters.

   1. Pause the replication server.

       dbms_ra.pause_replication_server()

   2. Update the replication parameters.

      • wallet_path should be the new replication wallet location.

      • wallet_alias should be the alias updated in tnsnames.ora in step 1

      dbms_ra.update_replication_server() 
      wallet_path => 'file:/raacfs/raadmin/replication/orapki/’ 
      wallet_alias => ‘TNS_ALIAS’

   3. Resume the replication server

       dbms_ra.resume_replication_server()

Case 4: Two-Way Replication; TLS enabled on Downstream

The upstream Recovery Appliance (RA1) has two-way replication with the downstream Recovery Appliance (RA2).

• The upstream Recovery Appliance can be in the mode: TLS enabled or TLS only.

• The downstream Recovery Appliance has TLS enabled or TLS only.

Perform this step twice: once with RA1 as the downstream, and once with RA2 as the downstream.

1. Update tnsnames.ora with the new TCPS information.

   1. On the downstream Recovery Appliance

      cat /u01/app/oracle/product/19.0.0.0/dbhome_1/network/admin/tnsnames.ora

   2. On the upstream Recovery Appliance, add a new entry or update the existing entry with the TCPS information from the downstream Recovery Appliance. For example:

      (ADDRESS = (PROTOCOL = TCPS)(HOST = <FULL_SCAN_NAME>)(PORT = 2484)

2. Update the trusted certificate, which has the pem extension, like <NAME>.pem

   1. Copy the trusted cert from the downstream Recovery Appliance to the upstream Recovery Appliance tmp directory.

      Note:

      Use either a different location or a different name if the upstream Recovery Appliance is TLS enabled so that the certificate on the upstream Recovery Appliance is not overwriteen.

      scp DS_RA:<trusted_cert> US_RA:/tmp/<different_name_trusted_cert>

   2. Prepare the password for the RA wallet.

      Note:

      Use the same password for the RA wallet and the replication wallet.

      mkstore -wrl /raacfs/raadmin/config/awallet/wallet/ -viewEntry oracle.security.client.password<NUMBER>

      • If the upstream Recovery Appliance is also TLS enabled, then the RA wallet already supports the certificates.

        orapki wallet add -wallet /raacfs/raadmin/config/ra_wallet/wallet 
        -trusted_cert -cert /tmp/<different_name_trusted_cert>

        If the replication is bi-directional, perform the same operation but treat the local Recovery Appliance as a downstream Recovery Appliance.

      • If the upstream Recovery Appliance is not TLS enabled, then the RA wallet needs to be migrated to support the certificates.

        1. List all of the current credentials.

           mkstore –wrl /raacfs/raadmin/config/ra_wallet/wallet –listCredential

        2. Back up the wallet.

           mv /raacfs/raadmin/config/ra_wallet/wallet /raacfs/raadmin/config/ra_wallet/wallet_old

        3. Create a new RA wallet.

           orapki wallet create -wallet /raacfs/raadmin/config/ra_wallet/wallet

        4. Import copied trusted certificate into the wallet.

           orapki wallet add -wallet /raacfs/raadmin/config/ra_wallet/wallet -trusted_cert 
           -cert /tmp/<different_name_trusted_cert>

        5. Update wallet to auto login.

           orapki wallet create –wallet /raacfs/raadmin/config/ra_wallet/wallet
                 -auto_login

        6. Recover all credentials into the new RA wallet. For each credential in the old wallet, perform:

           mkstore –wrl /raacfs/raadmin/config/ra_wallet/wallet 
           -createCredential <alias> <user>  <pw>

   3. Check to see that the replication wallet supports certificates.

      ls -lart  /raacfs/raadmin/replication/orapki

      This is the replication wallet standard that RACLI recommends and supports certificates.

      • If the replication wallet exists, perform:

        orapki wallet add -wallet /raacfs/raadmin/replication/orapki 
        -trusted_cert -cert /tmp/<different_name_trusted_cert>

      • If the replication wallet does not exist, perform:

        1. List credentials in current replication wallet.

           mkstore –wrl /raacfs/raadmin/replication –listCredential

        2. Create a new replication wallet.

           orapki wallet create -wallet /raacfs/raadmin/replication/orapki

        3. Import copied trusted certificate into new replication wallet.

           orapki wallet add -wallet /raacfs/raadmin/replication/orapki 
           -trusted_cert --cert /tmp/<different_name_trusted_cert>

        4. Update wallet with auto login.

           orapki wallet create –wallet /raacfs/raadmin/replication/orapki -auto_login

        5. Recover all credentials into new replication wallet

            mkstore –wrl /raacfs/raadmin/replication/orapki -createCredential <tns_alias> <repl_user> <repl_user_pw>

3. Update the replication server parameters.

   1. Pause the replication server.

       dbms_ra.pause_replication_server()

   2. Update the replication parameters.

      • wallet_path should be the new replication wallet location.

      • wallet_alias should be the alias updated in tnsnames.ora in step 1

      dbms_ra.update_replication_server() 
      wallet_path => 'file:/raacfs/raadmin/replication/orapki/’ 
      wallet_alias => ‘TNS_ALIAS’

   3. Resume the replication server

       dbms_ra.resume_replication_server()

Case 5: Two-Way Replication; TLS disabled on Upstream

The upstream Recovery Appliance (RA1) has two-way replication with the downstream Recovery Appliance (RA2).

• The upstream Recovery Appliance has TLS disabled.

• The downstream Recovery Appliance has TLS enabled or TLS only.

Perform this step with RA2 as the downstream.

1. Update tnsnames.ora with the new TCPS information.

   1. On the downstream Recovery Appliance

      cat /u01/app/oracle/product/19.0.0.0/dbhome_1/network/admin/tnsnames.ora

   2. On the upstream Recovery Appliance, add a new entry or update the existing entry with the TCPS information from the downstream Recovery Appliance. For example:

      (ADDRESS = (PROTOCOL = TCPS)(HOST = <FULL_SCAN_NAME>)(PORT = 2484)

2. Update the trusted certificate, which has the pem extension, like <NAME>.pem

   1. Copy the trusted cert from the downstream Recovery Appliance to the upstream Recovery Appliance tmp directory.

      Note:

      Use either a different location or a different name if the upstream Recovery Appliance is TLS enabled so that the certificate on the upstream Recovery Appliance is not overwriteen.

      scp DS_RA:<trusted_cert> US_RA:/tmp/<different_name_trusted_cert>

   2. Prepare the password for the RA wallet.

      Note:

      Use the same password for the RA wallet and the replication wallet.

      mkstore -wrl /raacfs/raadmin/config/awallet/wallet/ -viewEntry oracle.security.client.password<NUMBER>

      • If the upstream Recovery Appliance is also TLS enabled, then the RA wallet already supports the certificates.

        orapki wallet add -wallet /raacfs/raadmin/config/ra_wallet/wallet 
        -trusted_cert -cert /tmp/<different_name_trusted_cert>

        If the replication is bi-directional, perform the same operation but treat the local Recovery Appliance as a downstream Recovery Appliance.

      • If the upstream Recovery Appliance is not TLS enabled, then the RA wallet needs to be migrated to support the certificates.

        1. List all of the current credentials.

           mkstore –wrl /raacfs/raadmin/config/ra_wallet/wallet –listCredential

        2. Back up the wallet.

           mv /raacfs/raadmin/config/ra_wallet/wallet /raacfs/raadmin/config/ra_wallet/wallet_old

        3. Create a new RA wallet.

           orapki wallet create -wallet /raacfs/raadmin/config/ra_wallet/wallet

        4. Import copied trusted certificate into the wallet.

           orapki wallet add -wallet /raacfs/raadmin/config/ra_wallet/wallet -trusted_cert 
           -cert /tmp/<different_name_trusted_cert>

        5. Update wallet to auto login.

           orapki wallet create –wallet /raacfs/raadmin/config/ra_wallet/wallet
                 -auto_login

        6. Recover all credentials into the new RA wallet. For each credential in the old wallet, perform:

           mkstore –wrl /raacfs/raadmin/config/ra_wallet/wallet 
           -createCredential <alias> <user>  <pw>

   3. Check to see that the replication wallet supports certificates.

      ls -lart  /raacfs/raadmin/replication/orapki

      This is the replication wallet standard that RACLI recommends and supports certificates.

      • If the replication wallet exists, perform:

        orapki wallet add -wallet /raacfs/raadmin/replication/orapki 
        -trusted_cert -cert /tmp/<different_name_trusted_cert>

      • If the replication wallet does not exist, perform:

        1. List credentials in current replication wallet.

           mkstore –wrl /raacfs/raadmin/replication –listCredential

        2. Create a new replication wallet.

           orapki wallet create -wallet /raacfs/raadmin/replication/orapki

        3. Import copied trusted certificate into new replication wallet.

           orapki wallet add -wallet /raacfs/raadmin/replication/orapki 
           -trusted_cert --cert /tmp/<different_name_trusted_cert>

        4. Update wallet with auto login.

           orapki wallet create –wallet /raacfs/raadmin/replication/orapki -auto_login

        5. Recover all credentials into new replication wallet

            mkstore –wrl /raacfs/raadmin/replication/orapki -createCredential <tns_alias> <repl_user> <repl_user_pw>

3. Update the replication server parameters.

   1. Pause the replication server.

       dbms_ra.pause_replication_server()

   2. Update the replication parameters.

      • wallet_path should be the new replication wallet location.

      • wallet_alias should be the alias updated in tnsnames.ora in step 1

      dbms_ra.update_replication_server() 
      wallet_path => 'file:/raacfs/raadmin/replication/orapki/’ 
      wallet_alias => ‘TNS_ALIAS’

   3. Resume the replication server

       dbms_ra.resume_replication_server()

Case 6: Two-Way Replication; TLS disabled on Upstream and Downstream

The upstream Recovery Appliance (RA1) has two-way replication with the downstream Recovery Appliance (RA2).

• The upstream Recovery Appliance has TLS disabled.

• The downstream Recovery Appliance has TLS disabled.

No action is required.