Configuring TLS Data Security on the Client
This section provides the steps required to configure TLS Data Security on the Client (database).
The client requires some modifications to support TLS. The Recovery Appliance can use https encryption alone, dual mode http/https, or http without encryption (the default).
Configuring Protected Databases to Support TLS
If you want to continue using non-TLS (backup traffic stays on unencrypted http), update the RMAN settings by adding "_RA_NO_SSL=TRUE" to CONFIGURE CHANNEL DEVICE TYPE:
  CONFIGURE CHANNEL DEVICE TYPE 'SBT_TAPE' PARMS 'SBT_LIBRARY=<LIB_DIR>/libra.so,ENV=(_RA_NO_SSL=TRUE,RA_WALLET=location=file:/<WRL> credential_alias=<DBNAME>_TCPS,_RA_TRACE_LEVEL=1000)' FORMAT '%U_%d';
An example <LIB_DIR> is /u01/app/oracle/product/19.0.0.0/dbhome_1/lib.
If you want to start using TLS, perform the following steps.
- Run the verification checks to see the current TLS state.
  racli run check --check_name=tls_health
  racli list certificate
- Copy the trusted certificate (example: raCA.pem) from the Recovery Appliance host to <COPY_DIR> on the client side. The certificate files should be owned by "oracle:oinstall".
- Update the wallet, or create a new wallet. If the existing wallet was created with mkstore, create a new wallet using orapki so that it can accept certificates. For example:
  orapki wallet create --wallet <WRL>
  orapki wallet create --wallet $ORACLE_HOME/dbs/sydney
- Import the trusted certificate into the wallet from above.
  orapki wallet add --wallet <WRL> --trusted_cert --cert <COPY_DIR>/<NAME3>.pem
  orapki wallet add --wallet $ORACLE_HOME/dbs/sydney --trusted_cert --cert $ORACLE_HOME/dbs/sydney/raCA.pem
- On a Recovery Appliance host, find the TCPS alias (example: zdlra_tcps) in the $ORACLE_HOME/network/admin/tnsnames.ora file and copy it to the tnsnames.ora file on the client side.
- Update the wallet to --auto_login.
  orapki wallet create --wallet <WRL> --auto_login
  orapki wallet create --wallet $ORACLE_HOME/dbs/sydney --auto_login
- Update the wallet with the VPC user credentials for the new TCPS alias.
  mkstore --wrl <WRL> --createCredential <DBNAME>_tcps <VPCUSER> <VPCPW>
  mkstore --wrl $ORACLE_HOME/dbs/sydney --createCredential zdlra7_tcps <VPCUSER> <VPCPW>
- Add the wallet path <WRL> to the sqlnet.ora file.
- Validate on the client side using tnsping.
  tnsping <DBNAME>_TCPS
  tnsping ZDLRA7_TCPS
- Connect to RMAN and update "CONFIGURE CHANNEL DEVICE", adding the wallet information.
  rman target / catalog <VPCUSER>/<VPCPW>@<DBNAME>_TCPS
  rman target / catalog <VPCUSER>/<VPCPW>@zdlra7_tcps
  Alternatively, after you type in the following command, you are prompted for the VPC user name and password.
  rman target / catalog @<DBNAME>_TCPS
  rman target / catalog @zdlra7_tcps
- Validate the whole process by attempting to create a backup.
  run {
    allocate CHANNEL c1 DEVICE TYPE 'SBT_TAPE' PARMS "SBT_LIBRARY=<LIB_DIR>/libra.so,ENV=(RA_WALLET='location=file:/<WRL> credential_alias=<DBNAME>_TCPS',RA_FORMAT=TRUE)";
    backup incremental level 1 filesperset 1 section size 64g database plus archivelog not backed up filesperset 32;
  }
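As an added example, not from the Oracle documentation or the appliance software: a client-side pre-flight check that reads the artefacts the steps above leave behind (the TCPS alias in tnsnames.ora, the WALLET_LOCATION in sqlnet.ora, and the channel PARMS as RMAN's SHOW CHANNEL prints them) and reports anything that would keep backups on plain http, such as a leftover _RA_NO_SSL=TRUE or a credential_alias that does not name the TCPS entry. The sample file contents, host, port, alias and wallet path are constructed assumptions.

```python
import re

# Constructed sample client files; host, port, alias and wallet path are assumptions.
SAMPLE_TNSNAMES = """\
ZDLRA7_TCPS = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = ra.example.com)(PORT = 2484))
    (CONNECT_DATA = (SERVICE_NAME = zdlra7)))
ZDLRA7 = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = ra.example.com)(PORT = 1521))
    (CONNECT_DATA = (SERVICE_NAME = zdlra7)))
"""
WRL = "/u01/app/oracle/product/19.0.0.0/dbhome_1/dbs/sydney"
SAMPLE_SQLNET = "WALLET_LOCATION = (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = %s)))\n" % WRL
# What RMAN 'SHOW CHANNEL;' would print after the CONFIGURE step (constructed).
SAMPLE_CHANNEL = ("CONFIGURE CHANNEL DEVICE TYPE 'SBT_TAPE' PARMS 'SBT_LIBRARY=/u01/app/oracle/"
                  "product/19.0.0.0/dbhome_1/lib/libra.so,ENV=(RA_WALLET=location=file:" + WRL +
                  " credential_alias=zdlra7_tcps,_RA_TRACE_LEVEL=1000)' FORMAT '%U_%d';")

def tns_entry(tnsnames, alias):
    """Return one alias block from tnsnames.ora; alias names start at column 0."""
    out, inside = [], False
    for line in tnsnames.splitlines():
        if re.match(r'[A-Za-z0-9_.]+\s*=', line):          # a new alias begins here
            inside = re.match(re.escape(alias) + r'\s*=', line, re.I) is not None
        if inside:
            out.append(line)
    return "\n".join(out)

def alias_uses_tcps(tnsnames, alias):
    """True only if every ADDRESS in the alias block is PROTOCOL=TCPS."""
    protos = re.findall(r'PROTOCOL\s*=\s*(\w+)', tns_entry(tnsnames, alias), re.I)
    return bool(protos) and {p.upper() for p in protos} == {"TCPS"}

def tls_preflight(tnsnames, sqlnet, channel, alias):
    """List the problems that would keep RMAN off TLS; an empty list means ready."""
    issues = []
    if not alias_uses_tcps(tnsnames, alias):
        issues.append("%s is not a PROTOCOL=TCPS entry in tnsnames.ora" % alias)
    wrl = re.search(r'DIRECTORY\s*=\s*([^)\s]+)', sqlnet, re.I)
    if not wrl:
        issues.append("sqlnet.ora has no WALLET_LOCATION")
    env = re.search(r'ENV=\(([^)]*)\)', channel, re.I)
    env = env.group(1) if env else ""
    if re.search(r'_RA_NO_SSL\s*=\s*TRUE', env, re.I):
        issues.append("_RA_NO_SSL=TRUE in the channel ENV forces plain http")
    cred = re.search(r'credential_alias\s*=\s*([^,\s)]+)', env, re.I)
    if not cred or cred.group(1).lower() != alias.lower():
        issues.append("channel credential_alias does not name %s" % alias)
    loc = re.search(r'location\s*=\s*file:/*([^\s,)]+)', env, re.I)
    if wrl and (not loc or "/" + loc.group(1) != wrl.group(1)):
        issues.append("channel RA_WALLET location differs from sqlnet.ora WALLET_LOCATION")
    return issues
```

Run tls_preflight against the real client files and clear every reported issue before the tnsping and backup validation steps.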
Validating TLS Usage
The following commands assist in monitoring the various TLS objects.
racli run check --check_name=tls_health
racli run diagnostics --tag=tls
racli run diagnostics --tag=tls_high