Configuring TLS Data Security on the Client

This section provides the steps required to configure TLS Data Security on the Client (database).

The client requires some modifications to support TLS. The Recovery Appliance can use HTTPS encryption alone, HTTP and HTTPS together (dual mode), or unencrypted HTTP, which is the default.

Configuring Protected Databases to Support TLS

If you want to continue using non-TLS, update the RMAN settings by adding "_RA_NO_SSL=TRUE" to the ENV list of CONFIGURE CHANNEL DEVICE TYPE:

CONFIGURE CHANNEL DEVICE TYPE 'SBT_TAPE' PARMS
'SBT_LIBRARY=<LIB_DIR>/libra.so,
ENV=(_RA_NO_SSL=TRUE,RA_WALLET=location=file:/<WRL>
     credential_alias=<DBNAME>_TCPS,_RA_TRACE_LEVEL=1000)' FORMAT '%U_%d';

An example <LIB_DIR> is /u01/app/oracle/product/19.0.0.0/dbhome_1/lib.

If you want to start using TLS, you need to perform the following steps.

  1. Run the verification checks to see the current TLS state.

    racli run check --check_name=tls_health
    racli list certificate
  2. Copy the trusted certificate (example: raCA.pem) from the Recovery Appliance host to <COPY_DIR> on the client side.

    The certificate files should have ownership "oracle:oinstall".

  3. Update the wallet, or create a new one. If the existing wallet was created with mkstore, create a new wallet using orapki so that it can accept certificates. For example:

    orapki wallet create --wallet <WRL>
    orapki wallet create --wallet $ORACLE_HOME/dbs/sydney
  4. Import the trusted certificate into the wallet created above.

    orapki wallet add --wallet <WRL> --trusted_cert --cert <COPY_DIR>/<NAME3>.pem
    orapki wallet add --wallet $ORACLE_HOME/dbs/sydney --trusted_cert --cert $ORACLE_HOME/dbs/sydney/raCA.pem
  5. On a Recovery Appliance host, find the TCPS alias (example: zdlra_tcps) in the $ORACLE_HOME/network/admin/tnsnames.ora file and copy it to the tnsnames.ora file on the client side.

  6. Enable auto-login on the wallet with --auto_login.

    orapki wallet create --wallet <WRL> --auto_login
    orapki wallet create --wallet $ORACLE_HOME/dbs/sydney --auto_login
  7. Update the wallet with VPC user credentials for the new TCPS alias.

    mkstore --wrl <WRL> --createCredential <DBNAME>_tcps <VPCUSER> <VPCPW>
    mkstore --wrl $ORACLE_HOME/dbs/sydney --createCredential zdlra7_tcps <VPCUSER> <VPCPW>
  8. Add the wallet path <WRL> to the sqlnet.ora file.

  9. Validate on the client side using tnsping.

    tnsping <DBNAME>_TCPS
    tnsping ZDLRA7_TCPS
  10. Connect to RMAN and update "CONFIGURE CHANNEL DEVICE", adding the wallet information.

    rman target / catalog <VPCUSER>/<VPCPW>@<DBNAME>_TCPS
    rman target / catalog <VPCUSER>/<VPCPW>@zdlra7_tcps

    Alternatively, enter the following command and you are prompted for the VPC user name and password.

    rman target / catalog @<DBNAME>_TCPS
    rman target / catalog @zdlra7_tcps
  11. Validate the whole process by attempting to create a backup.

    run
    {
      allocate CHANNEL c1 DEVICE TYPE 'SBT_TAPE' PARMS "SBT_LIBRARY=<LIB_DIR>/libra.so,ENV=(RA_WALLET='location=file:/<WRL> credential_alias=<DBNAME>_TCPS',RA_FORMAT=TRUE)";
      backup incremental level 1 filesperset 1 section size 64g database plus archivelog not backed up filesperset 32;
    }
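The following POSIX shell script is an added example, not part of Oracle's documentation or the Recovery Appliance software. It performs offline sanity checks on the artifacts produced by steps 5, 6 and 10 above: that the client tnsnames.ora alias really uses PROTOCOL=TCPS, that the wallet directory holds an auto-login cwallet.sso (Oracle's standard auto-login wallet file) that is not world-readable, and that a channel PARMS string neither sets _RA_NO_SSL=TRUE nor points at a credential alias other than a *_TCPS one. The tnsnames.ora entries, wallet directory and PARMS strings it uses are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not Oracle's code: offline pre-flight checks for the client-side
# TLS setup above. Sample files and alias names below are constructed for the demo.

# Steps 5/9: does <alias> in <tnsnames.ora> use PROTOCOL=TCPS? Returns 0 if yes.
# tnsnames aliases are case-insensitive, so everything is compared in upper case.
alias_uses_tcps() {
    awk -v want="$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')" '
        /^[A-Za-z_][A-Za-z0-9_.]*[ \t]*=/ {          # a new alias entry starts here
            name = $0; sub(/[ \t]*=.*/, "", name)
            inside = (toupper(name) == want)
        }
        inside && toupper($0) ~ /PROTOCOL[ \t]*=[ \t]*TCPS/ { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Step 6: is the wallet auto-login (cwallet.sso present) and not world-readable?
# The "other" permission bits are read from ls -ld, which needs no GNU stat/find.
wallet_autologin_private() {
    sso="$1/cwallet.sso"
    [ -f "$sso" ] || return 1
    others="$(ls -ld "$sso" | cut -c8-10)"
    [ "$others" = "---" ]
}

# Steps 10/11: given a channel PARMS string (e.g. pasted from RMAN "SHOW CHANNEL"),
# confirm it does not opt out of TLS and that its credential alias is a *_TCPS one.
channel_parms_use_tls() {
    parms="$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')"
    case "$parms" in *_RA_NO_SSL=TRUE*) return 1 ;; esac     # explicit non-TLS opt-out
    cred="$(printf '%s' "$parms" | sed -n 's/.*CREDENTIAL_ALIAS=\([A-Z0-9_]*\).*/\1/p')"
    case "$cred" in *_TCPS) return 0 ;; esac
    return 1
}

# Stand-alone run against a throw-away tnsnames.ora and wallet directory.
main() {
    tmp="$(mktemp -d)"
    cat > "$tmp/tnsnames.ora" <<'EOF'
ZDLRA7 = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = ra-host)(PORT = 1521)))
ZDLRA7_TCPS = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = ra-host)(PORT = 2484)))
EOF
    mkdir "$tmp/sydney"; : > "$tmp/sydney/cwallet.sso"; chmod 600 "$tmp/sydney/cwallet.sso"
    alias_uses_tcps "$tmp/tnsnames.ora" zdlra7_tcps && echo "alias zdlra7_tcps: TCPS ok"
    wallet_autologin_private "$tmp/sydney" && echo "wallet: auto-login and private"
    channel_parms_use_tls "SBT_LIBRARY=/x/libra.so,ENV=(RA_WALLET='location=file:/x credential_alias=zdlra7_tcps',RA_FORMAT=TRUE)" && echo "channel: TLS ok"
    rm -rf "$tmp"
}
main "$@"
```

Run it on the real client by pointing the three functions at $ORACLE_HOME/network/admin/tnsnames.ora, the <WRL> directory and the PARMS text shown by RMAN; a failed check maps directly to the step that needs revisiting.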

Validating TLS Usage

The following commands assist in monitoring the various TLS objects.