Trouble-shooting TLS
This section provides some information about common TLS configuration errors.
If TLS isn't working, the following are items that can cause issues.
- The certificates are not correct.
  - Missing DNS information.
  - Wrong format.
  - Certificate was not signed.
- The port is not open or available.
- The trusted certificate was not copied to the client side.
- The client side wallet is an mkstore type wallet, which doesn't support certificate import.
- The RMAN settings were not updated after tnsname was updated and the certificate imported.
- The upstream Recovery Appliance wallets do not have certificates from the downstream Recovery Appliance.
- The upstream Recovery Appliance tnsnames.ora file does not have the downstream Recovery Appliance's new TCPS information.
Troubleshoot DNS
To obtain the DNS information, issue the following RACLI command on the Recovery Appliance.
racli list san
To check whether the certificate has the DNS information, make sure that the trusted certificate has no DNS information and that the signed certificate has DNS information.
openssl x509 -text -noout -in cert.pem | grep -i 'dns'
openssl x509 -text -noout -in <>.p12 | grep -i 'dns'
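An added example, not part of the Oracle documentation: POSIX shell functions that parse the `openssl x509 -text -noout` output used above, list the DNS entries, and report whether a given host name is covered. The function names, host names and certificate text are constructed for illustration.

```shell
# Added example (not Oracle's code). Sample certificate text below is constructed.
# Print each DNS SAN, one per line, from `openssl x509 -text -noout` output on stdin.
san_dns_names() {
  awk '/X509v3 Subject Alternative Name/ {
         if ((getline line) <= 0) exit
         n = split(line, part, ",")
         for (i = 1; i <= n; i++) {
           gsub(/^[ \t]+|[ \t]+$/, "", part[i])
           if (part[i] ~ /^DNS:/) print tolower(substr(part[i], 5))
         }
       }'
}

# Read DNS SANs on stdin; succeed if host $1 matches one exactly or through a
# single-label wildcard (*.example.com covers a.example.com, not a.b.example.com).
san_covers_host() {
  want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  while IFS= read -r name; do
    case "$name" in
      "$want") return 0 ;;
      \*.*) suffix=${name#\*}
            left=${want%"$suffix"}
            if [ "$left" != "$want" ] && [ -n "$left" ]; then
              case "$left" in *.*) ;; *) return 0 ;; esac
            fi ;;
    esac
  done
  return 1
}

# Classify certificate text $1 against host $2: missing-dns, host-not-listed, or ok.
check_cert_dns() {
  names=$(printf '%s\n' "$1" | san_dns_names)
  if [ -z "$names" ]; then echo missing-dns
  elif printf '%s\n' "$names" | san_covers_host "$2"; then echo ok
  else echo host-not-listed
  fi
}

# Constructed samples: a signed certificate with SANs, a trusted (CA) certificate without.
SIGNED_TEXT='        Subject: CN=ra-scan.example.com
            X509v3 Subject Alternative Name:
                DNS:ra-scan.example.com, DNS:*.ra.example.com, IP Address:192.0.2.10'
TRUSTED_TEXT='        Subject: CN=Oracle DB Recovery Service Authority
            X509v3 Basic Constraints: critical
                CA:TRUE'

# Real use: check_cert_dns "$(openssl x509 -text -noout -in cert.pem)" <host>
check_cert_dns "$SIGNED_TEXT" ra-scan.example.com
check_cert_dns "$TRUSTED_TEXT" ra-scan.example.com
```

A result of `missing-dns` on the signed certificate corresponds to the "Missing DNS information" cause listed at the top of this section; the same result on the trusted certificate is expected.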
Troubleshoot Certificates
Get certificate details from metadata table including type.
racli list certificate
Get certificate details from wallet.
orapki wallet display --wallet /raacfs/raadmin/config/ra_wallet/wallet/ --complete
User Certificates:
- Subject: CN=<>-scan.subnet1.<>.oraclevcn.com
  Note: The scan address is not the same as the trusted certificate.
- Issuer: CN=Oracle DB Recovery Service Authority

Trusted Certificates:
- Subject: CN=Oracle DB Recovery Service Authority
- Issuer: CN=Oracle DB Recovery Service Authority
Tips
- If the backup is not working and returns errors, check the certificates, wallet, and RMAN configuration settings.
- If the backup is hanging, check the Recovery Appliance's port. Make sure the TCPS port (default 8005) is open on the Recovery Appliance. Check the scan listener and the listener status of the Recovery Appliance.