Troubleshooting TLS

This section provides some information about common TLS configuration errors.

If TLS isn't working, the following are items that can cause issues.

  • The certificates are not correct.

    • Missing DNS information.
    • Wrong format.
    • Certificate was not signed.
  • The port is not open or available.

  • The trusted certificate was not copied to the client side.

  • The client-side wallet is an mkstore-type wallet, which doesn't support certificate import.

  • The RMAN settings were not updated after tnsname was updated and the certificate was imported.

  • The upstream Recovery Appliance wallets do not have certificates from the downstream Recovery Appliance.

  • The upstream Recovery Appliance tnsnames.ora file does not have the downstream Recovery Appliance's new TCPS information.

Troubleshoot DNS

To obtain the DNS information, issue the following RACLI command on the Recovery Appliance.

racli list san

To check whether the certificate has the DNS information, make sure that the trusted certificate has no DNS information and that the signed certificate has DNS information.

openssl x509 -text -noout -in cert.pem | grep -i 'dns'
openssl x509 -text -noout -in <>.p12 | grep  -i 'dns'
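
As an added example (not from the original page and not Oracle tooling), the shell functions below go one step beyond the grep: they parse the `openssl x509 -text` output and report which expected host names are absent from the certificate's DNS entries. The host names and the sample certificate text are constructed; in practice the expected names are the ones reported by racli list san.

```shell
#!/bin/sh
# Added example (not Oracle tooling): report expected host names that are
# missing from the DNS entries of a certificate's Subject Alternative Name.
#   openssl x509 -text -noout -in cert.pem | missing_san_dns NAME...
# NAME... are the names `racli list san` reports, typed in by hand here.

# Print each DNS SAN entry found in `openssl x509 -text` output on stdin,
# one per line, lower-cased. Prints nothing if there is no SAN extension.
san_dns_names() {
    awk '
        /X509v3 Subject Alternative Name/ { in_san = 1; next }
        in_san {
            n = split($0, parts, ",")
            for (i = 1; i <= n; i++) {
                entry = parts[i]
                gsub(/^[ \t]+|[ \t]+$/, "", entry)
                if (entry ~ /^DNS:/) print tolower(substr(entry, 5))
            }
            in_san = 0
        }
    '
}

# Print every expected name that is not an exact (case-insensitive) match
# for a DNS entry; return 1 if any is missing. Wildcard entries are
# compared literally, not expanded.
missing_san_dns() {
    present=$(san_dns_names)
    status=0
    for expected in "$@"; do
        want=$(printf '%s' "$expected" | tr '[:upper:]' '[:lower:]')
        if ! printf '%s\n' "$present" | grep -Fxq -- "$want"; then
            printf '%s\n' "$expected"
            status=1
        fi
    done
    return "$status"
}

# Constructed excerpts of `openssl x509 -text` output (host names are made up).
SIGNED_SAMPLE='        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:ra01-scan.example.com, DNS:RA01-vip1.example.com'
TRUSTED_SAMPLE='        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE'

# Demo: the signed sample lacks ra01-vip2, so that name is printed.
printf '%s\n' "$SIGNED_SAMPLE" | missing_san_dns ra01-scan.example.com ra01-vip2.example.com || true
```

A non-zero return from missing_san_dns on the signed certificate corresponds to the "Missing DNS information" cause listed above; on the trusted certificate, every expected name is reported as missing, which is the expected result.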

Troubleshoot Certificates

Get certificate details, including type, from the metadata table.

racli list certificate

Get certificate details from the wallet.

orapki wallet display --wallet /raacfs/raadmin/config/ra_wallet/wallet/ --complete
  • User Certificates:

    • Subject: CN=<>-scan.subnet1.<>.oraclevcn.com

      Note:

      The SCAN address is not the same as the trusted certificate.
    • Issuer: CN=Oracle DB Recovery Service Authority

  • Trusted Certificates:

    • Subject: CN=Oracle DB Recovery Service Authority

    • Issuer: CN=Oracle DB Recovery Service Authority

Tips

  • If the backup is not working and returns errors, check the certificates, wallet, and RMAN configuration settings.

  • If the backup is hanging, check the Recovery Appliance's port. Make sure the TCPS port (default 8005) is open on the Recovery Appliance.

    Check the SCAN listener and the listener status of the Recovery Appliance.