1. Administrator's Guide
  2. Managing Recovery Appliance
  3. TLS Overview and Configuration
  4. Certificate Management
  5. Manually Creating TLS Certificates with RACLI

Manually Creating TLS Certificates with RACLI

This section details how to create TLS certificates with RACLI.

If your organization does not have or is not using a Certificate Authority (CA), these instructions allow you to create the needed trusted and signed certificates for TLS operations.

The following information is required for both the trusted and signed certificates:

  • Country Name
  • State Name
  • Organization Name
  • Organization Unit Name
  • Email Address

Generate Trusted and Signed Certificates using RACLI.

  1. With the organization information on-hand, issue an RACLI command similar to:

    # racli create certificate --country=US --state=CA --location=SF --organization=oracle 
--organization_unit=zdlra --email_address=<YOUR_EMAIL>

Created log /opt/oracle.RecoveryAppliance/log/racli_create_certificate.20230329.1110.log
Enter New Password for Certificate:
Confirm New Password for Certificate:
Wed Mar 29 11:11:22 2023: Start: Create TLS Trusted Certificate
Wed Mar 29 11:11:26 2023: End: Create TLS Trusted Certificate
Wed Mar 29 11:11:26 2023: Start: Create TLS Signed Certificate
Wed Mar 29 11:11:31 2023: End: Create TLS Signed Certificate
Certificate(s) created under /raacfs/raadmin/config/cert

    The name of the certificate created is <yourScanName>.p12, where <yourScanName> is the CN for your environment.

  2. To obtain <yourScanName> local host information and Common Name (CN) item. 

    racli list san

    Created log /opt/oracle.RecoveryAppliance/log/racli_list_san.log
    Thu May  6 16:18:33 2021: Start: List SAN
    CN = zdlra09ingest-scan1.yourdomain.com
    DNS.1 = zdlra09adm01.yourdomain.com
    DNS.2 = zdlra09adm02.yourdomain.com
    DNS.3 = zdlra09ingest-scan1.yourdomain.com
    DNS.4 = zdlra09ingest01-vip.yourdomain.com
    DNS.5 = zdlra09ingest01.yourdomain.com
    DNS.6 = zdlra09ingest02-vip.yourdomain.com
    DNS.7 = zdlra09ingest02.yourdomain.com
    Thu May  6 16:18:39 2021: End: List SAN

    In this example, <yourScanName> is "zdlra09ingest-scan1" and the certificate file is <yourScanName>.p12.

    You assign the certificate type (trusted or signed) later when added to the wallet.

Import Certificates into Wallet

Upon completion of creating the trusted and signed certificates, <yourScanName>.pem and <yourScanName>.p12 respectively, import them into the Recovery Appliance wallet for TLS.

  1. Import the certificates (trusted or signed) from the previous steps into the wallet. Here is the generic command, while specific examples are in the next steps.

    racli add certificate { [--trusted_cert=<VALUE>] |
      [--signed_cert=<VALUE>] | [--self_signed] }

    Arguments:

    • --trusted_cert=<VALUE>: Specify the full path and name of the trusted certificate to be added.
    • --signed_cert=<VALUE>: Specify the full path and name of the signed certificate in the trusted store to be added.
    • --self_signed: Specifies that Recovery Appliance will look for both certificates from designated locations. This should only be used when the certificates were created by "racli create certificate". This is not the Oracle recommended configuration, and is used only in a test environment.

      Note:

      Self-signed certificates should not be used long-term or for production. The recommendation is to use a (trusted) certificate signed by your Certification Authority.

  2. Import the signed certificate into the TLS wallet. If the certificate was created by RACLI, include the --self_signed argument. 

    racli add certificate --signed_cert=<yourDir>/<yourScanName>.p12 [--self_signed]

  3. Import the trusted certificate into the TLS wallet. If the certificate was created by RACLI, include the --self_signed argument. 

    racli add certificate --trust_cert=<yourDir>/<yourScanName>.pem [--self_signed]

  4. After importing the certificates, verify with "racli list certificate" that the certificates are in the raa_certs database table. 

    # racli list certificate

Created log /opt/oracle.RecoveryAppliance/log/racli_list_certificate.20230329.1146.log
Wed Mar 29 11:46:49 2023: Start: List Certificate
Serial: 9A15CB4B76BBC52D
    Expire Time:      2024-03-28
    Certificate Type: trusted_cert
 
Serial: 95B9181340F644F0
    Expire Time:      2024-03-28
    Certificate Type: signed_cert
 
Wed Mar 29 11:46:49 2023: End: List Certificate

  5. Continue with Configuring TLS Data Security on the Recovery Appliance followed by Configuring TLS Data Security on the Client.

After a certificate is in the raa_certs database table and when it has less than 90 validation days remaining, an incident is raised. If a certificate expires, the user is required to import a new valid certificate using RACLI to replace the old one.