6 TLS Overview and Configuration

Transport Layer Security (TLS) is used for end-to-end communication encryption.

TLS between a Recovery Appliance and client databases involves the use of certificates that authenticate and encrypt communication.

Certificates describe the server: who it belongs to, its connection string, and so on. A certificate is issued and signed by a trusted authority. Customers may use a third-party vendor or an Oracle-internal certificate authority (CA).

For development and testing purposes, some customers choose to use a self-signed certificate, which can be created with a RACLI command.

  • Trusted Certificates are generally obtained from a trusted Certificate Authority (CA) through an application process (at the corporate level). These certificates are generally used between external systems. Because they were created by the CA, these certificates do not contain any local host names. The file type is *.pem.

  • Signed Certificates are created as needed and contain the local host name as well as location and organization information as part of what authenticates it. These certificates are often used between local or internal systems. Signed certificates are specific to each Recovery Appliance. The file type is *.p12.

For TLS, both types of certificates are required.

This chapter provides general information on obtaining the certificates from a security website, as well as information on the alternative of generating the certificates manually with RACLI commands. RACLI (racli create certificate) is a wrapper for openssl operations.

Whether obtained or generated, the resulting certificate is imported into the Recovery Appliance wallet using racli add certificate so that it is available to the network. Finally, racli alter network establishes the required encryption mode:

  • enable: dual mode; both encrypted and unencrypted data are allowed.
  • only: only encrypted data is allowed.
  • disable: only unencrypted data is allowed.
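Because racli create certificate wraps openssl, the underlying steps can be shown directly. The script below is an added illustration, not the appliance's own RACLI code: it builds a self-signed certificate whose subject carries the local host name, location and organization information (the signed-certificate type described above), bundles it as a *.p12 file, keeps the *.pem copy that serves as the trusted certificate in the self-signed case, and then runs the two checks a client will effectively perform: that the certificate names the host it is served from, and that it chains to a trusted certificate. The host name ra01.example.com, the subject fields and the PKCS#12 password are constructed placeholders.

```shell
#!/bin/sh
# Added illustration of the openssl operations behind a self-signed
# appliance certificate. Host name, locality, organization and the PKCS#12
# password are constructed placeholders, not values from any appliance.

# make_self_signed_cert HOST OUTDIR
#   Writes HOST.key, HOST.pem (self-signed, CN and SAN = HOST) and HOST.p12
#   into OUTDIR. The subject carries location and organization fields, as the
#   signed certificates described above do; the .pem doubles as the trusted
#   certificate when the certificate is self-signed.
make_self_signed_cert() {
    cert_host="$1"
    cert_dir="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$cert_dir/$cert_host.key" \
        -out "$cert_dir/$cert_host.pem" \
        -subj "/C=US/ST=California/L=Redwood City/O=Example Corp/OU=Backup/CN=$cert_host" \
        -addext "subjectAltName=DNS:$cert_host" >/dev/null 2>&1 || return 1
    # Bundle private key and certificate into the .p12 form used for signed
    # certificates (the export password is a constructed placeholder).
    openssl pkcs12 -export -name "$cert_host" \
        -inkey "$cert_dir/$cert_host.key" \
        -in "$cert_dir/$cert_host.pem" \
        -out "$cert_dir/$cert_host.p12" \
        -passout pass:change-me >/dev/null 2>&1
}

# cert_matches_host CERT_PEM HOST
#   Succeeds only if the certificate's CN/SAN matches HOST. A certificate
#   that does not name the local host fails host verification on the client.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>&1 \
        | grep -q ' does match certificate'
}

# cert_chains_to CERT_PEM TRUSTED_PEM
#   Succeeds if CERT_PEM validates against the trusted certificate(s) in
#   TRUSTED_PEM; for a self-signed certificate that is the certificate itself.
cert_chains_to() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Demo run for a constructed appliance host name; files are removed afterwards.
demo_dir=$(mktemp -d)
make_self_signed_cert ra01.example.com "$demo_dir" || exit 1
cert_matches_host "$demo_dir/ra01.example.com.pem" ra01.example.com && echo "host name check: OK"
cert_chains_to "$demo_dir/ra01.example.com.pem" "$demo_dir/ra01.example.com.pem" && echo "trust check: OK"
rm -rf "$demo_dir"
```

The two check functions are the useful part when a certificate comes from a CA instead: run cert_matches_host against the appliance host name the clients actually connect to, and cert_chains_to against the CA's *.pem, before importing either file with racli add certificate. A CA-issued trusted certificate by itself will fail the host check, which is exactly why both certificate types are required for TLS.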