Configuring TLS Data Security on the Recovery Appliance

This section provides the steps for configuring TLS Data Security on the Recovery Appliance.

RACLI commands configure TLS (Transport Layer Security). The Recovery Appliance supports these TLS modes:

  • only: HTTPS encryption alone.

  • enable: HTTP/HTTPS dual mode.

  • disable: HTTP only, the default, without encryption.

The port numbers can be customized. The default ports for encryption are:

  • TCPS: 2484
  • HTTPS: 8002
  • REPL_TCPS: 2485

The default ports for non-encrypted operation are:

  • TCP: 1521
  • HTTP: 8001
  • REPL_TCP: 1522

  1. Verify with "racli list certificate" that the certificates are in the raa_certs database table.

    # racli list certificate
    
    Created log /opt/oracle.RecoveryAppliance/log/racli_list_certificate.20230329.1146.log
    Wed Mar 29 11:46:49 2023: Start: List Certificate
    Serial: 9A15CB4B76BBC52D
        Expire Time:      2024-03-28
        Certificate Type: trusted_cert
     
    Serial: 95B9181340F644F0
        Expire Time:      2024-03-28
        Certificate Type: signed_cert
     
    Wed Mar 29 11:46:49 2023: End: List Certificate
  2. To update the TLS mode on the Recovery Appliance that employs the certificates, issue a command similar to:

    racli alter network --service=ra_server --encrypt=enable

    Note:

    A complete Recovery Appliance outage is expected, because the whole CRS stack is restarted as part of the procedure. Additional steps are required because of this outage: pause replication, pause any backup scheduler, etc.

    The general form of the command is:

    racli alter network --service=ra_server
    { --encrypt=[enable|only|disable] }
    [ --tcps_port=<VALUE>|--tcp_port=<VALUE> ]
    [ --https_port=<VALUE>|--http_port=<VALUE> ]
    [ --repl_tcp_port=<VALUE>|--repl_tcps_port=<VALUE>]
    [ --silent ]

    --service

    Indicates the service being modified on the system. The only valid value is "ra_server". Cannot be used together with --network_type or its arguments.

    --network_type

    Indicates the network type on the system. Cannot be used together with --service or its arguments.

    --encrypt

    Specifies the TLS encryption status on the system: "only" means HTTPS encryption alone; "enable" means dual HTTPS and HTTP; and "disable" means HTTP only.

    --http_port

    Specifies HTTP port number to use. Default port is 8001.

    --https_port

    Specifies HTTPS port number to use. Default port is 8005.

    --tcp_port

    Specifies the TCP port number to use. Default port is 1521.

    --tcps_port

    Specifies the TCPS port number to use. Default port is 2484.

    --repl_tcps_port

    Specifies the replication TCPS port number to use. Default port is 2485.

    --repl_tcp_port

    Specifies the replication TCP port number to use. Default port is 1522.

    --silent

    When present

  3. Verify the health of the TLS.

    # racli run check --check_name=tls_health
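
The two verification steps above (step 1, the certificate listing, and step 3, the post-change health check) can be scripted. The following is an added example, not Oracle's code: it parses the `racli list certificate` output format shown above, flags certificates close to expiry, and compares the ports actually listening against what the chosen --encrypt mode should expose, using the default port numbers from this page. The sample listing is constructed from the output shown in step 1; the `listening` port list is assumed to come from a separate probe (for example `ss -ltn` on the appliance).

```python
"""Added example (not Oracle's code): validate Recovery Appliance TLS state."""
import re
from datetime import date

# Constructed sample, copied from the `racli list certificate` output shown above.
SAMPLE_LISTING = """\
Created log /opt/oracle.RecoveryAppliance/log/racli_list_certificate.20230329.1146.log
Wed Mar 29 11:46:49 2023: Start: List Certificate
Serial: 9A15CB4B76BBC52D
    Expire Time:      2024-03-28
    Certificate Type: trusted_cert

Serial: 95B9181340F644F0
    Expire Time:      2024-03-28
    Certificate Type: signed_cert

Wed Mar 29 11:46:49 2023: End: List Certificate
"""

# Default ports from the documentation: encrypted listeners and plaintext listeners.
TLS_PORTS = {"TCPS": 2484, "HTTPS": 8002, "REPL_TCPS": 2485}
PLAIN_PORTS = {"TCP": 1521, "HTTP": 8001, "REPL_TCP": 1522}

CERT_RE = re.compile(
    r"Serial:\s*(\w+)\s*Expire Time:\s*(\d{4}-\d{2}-\d{2})\s*Certificate Type:\s*(\w+)")

def parse_certificates(listing):
    """Return [(serial, expiry_iso_date, cert_type), ...] from the racli listing."""
    return CERT_RE.findall(listing)

def expiring_certificates(listing, today_iso, warn_days=30):
    """Serials of certificates already expired or expiring within warn_days of today."""
    today = date.fromisoformat(today_iso)
    return [serial for serial, exp, _ in parse_certificates(listing)
            if (date.fromisoformat(exp) - today).days <= warn_days]

def expected_ports(mode):
    """Ports that should be listening for a given --encrypt mode (only/enable/disable)."""
    modes = {"only": set(TLS_PORTS.values()),
             "enable": set(TLS_PORTS.values()) | set(PLAIN_PORTS.values()),
             "disable": set(PLAIN_PORTS.values())}
    return modes[mode]

def port_mismatches(mode, listening):
    """(missing, unexpected) appliance ports vs. the mode; unrelated ports (e.g. 22) are ignored."""
    want = expected_ports(mode)
    have = set(listening) & (set(TLS_PORTS.values()) | set(PLAIN_PORTS.values()))
    return sorted(want - have), sorted(have - want)
```

A non-empty `unexpected` list after switching to `--encrypt=only` (for example 8001 still open) means plaintext access is still being served and the change should be re-checked with `racli run check --check_name=tls_health`.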

Changing TLS Encryption on the Recovery Appliance

The "racli alter network" command configures TCPS & HTTPS, and TCP & HTTP. It has three encryption modes of operation.

  • Enable TLS Encryption: This enables dual mode TCP/TCPS and HTTP/HTTPS, and will use default ports unless otherwise specified.

    racli alter network
    --service=ra_server --encrypt=enable
    [ --tcps_port=<VALUE> ]
    [ --https_port=<VALUE> ]
    [ --repl_tcps_port=<VALUE> ]

  • Disable TLS Encryption: This enables TCP and HTTP, and will use their default ports unless otherwise specified.

    racli alter network
    --service=ra_server --encrypt=disable
    [ --tcp_port=<VALUE> ]
    [ --http_port=<VALUE> ]
    [ --repl_tcp_port=<VALUE> ]

  • Enable Only TLS Encryption: This enables only TCPS and HTTPS. The TCP and HTTP are disabled. Default ports are used unless otherwise specified.

    racli alter network
    --service=ra_server --encrypt=only
    [ --tcps_port=<VALUE> ]
    [ --https_port=<VALUE> ]
    [ --repl_tcps_port=<VALUE> ]

Validating TLS Usage

The following commands assist in monitoring the various TLS objects.