Discovering TLS-Enabled Recovery Appliance

Enterprise Manager (Cloud Control) requires a few extra steps to discover TLS-enabled Recovery Appliances and TLS-enabled databases.

Discovering a Recovery Appliance using TLS requires that the TCPS port and protocol be specified when discovering the cluster, the Recovery Appliance database, and the Recovery Appliance target.

The ZDLRA discovery wizard has an option to upload the Recovery Appliance certificate to EM. The certificate is saved in EM and used when protected databases are configured to back up to this Recovery Appliance. Certificates not added during discovery can also be added after discovery with Recovery Appliance->Target Setup->TLS Trust Certificate.

Migrating TCP to TCPS Recovery Appliance

If the Recovery Appliance was already discovered in EM using TCP:

  1. Create the EM wallet on both the OMS and the agent. Add the Recovery Appliance certificate(s) to the wallet. Set the EM properties.

  2. Edit the port/protocol properties for the cluster and cluster database target associated with the Recovery Appliance.

  3. Edit the port/protocol properties for the Recovery Appliance target itself. Upload the Recovery Appliance certificates to EM. They are used when protected databases are configured.

    From the Cluster Target home page in EM, select Cluster->Target Setup->Monitoring Configuration

  4. Update Scan Port to be the TCPS port.

  5. From the Cluster Database home page in EM, select Cluster Database->Target Setup->Monitoring Configuration

  6. In the Instances section, edit each instance and update the Port and Connection Protocol.

  7. From the Recovery Appliance home page in EM, select Recovery Appliance->Target Setup->Monitoring Configuration

  8. Update all ports and protocols, including ones for the backup scan and replication scans (if needed).

Discovery and Monitoring of Database Targets using TLS

  1. Discover the database in EM, making sure to specify the TCPS port and protocol.

    Refer to Discovering and Adding Database Targets.

  2. If this is a cluster database, specify the TCPS port for the underlying Cluster SCAN port.

  3. While discovering the Cluster database, change the port for the individual database instances to be TCPS ports.

  4. If the database has already been discovered in EM using TCP, migrate this to use TCPS.
    1. Ensure that the OMS and Agent wallets have been configured as above.

    2. Ensure that OMS wallet and agent wallet(s) have the DB certificate.

    3. Change the monitoring configuration for the database. Note that if this is a cluster database, you should change the SCAN port for the underlying cluster and set the TCPS port for all the instances of the cluster database.

Configuring the protected database to back up to the TLS-enabled Recovery Appliance

Prerequisites:

  • Add the database to the Recovery Appliance using the Recovery Appliance->Protected Databases page.

  • Add the Recovery Appliance certificate to EM using the Recovery Appliance->Target Setup->TLS Trusted Certificate menu item.

  1. Go to the Database home page in EM. Navigate to the Database->Availability->Backup and Recovery->Configure Backup page.

  2. Select Recovery Appliance as the destination and specify the database host credentials.

  3. Select the Recovery Appliance, VPC user and Protocol to use. The Protocol field offers the choice of TCP and TCPS protocols ONLY if the Recovery Appliance is in dual mode.

    The Configure Backup workflow detects whether the database already has an existing wallet and populates the location of the wallet if one is found.

    If the wallet is a password-protected wallet, specify the generic password credential needed to open the wallet. A generic password credential can only be created using emcli today.

    $ emcli create_named_credential -auth_target_type='<system>' \
        -cred_type=GenericPassword -cred_name="<credName>" \
        -attributes="GENERIC_PASSWORD:<walletPassword>"

    Run this command as-is with the exception of these two variables.
    • credName is the name of the generic named credential you are creating.

    • walletPassword is the password for the database wallet.

  4. Select other options as desired and then click Submit.

    A deployment procedure is submitted to configure the database. A link to this procedure is displayed in the confirmation box.

    You can also navigate to the Enterprise->Provisioning and Patching->Procedure Activity menu item to see the deployment procedure execution details.

  5. If the database has already been configured to back up to a Recovery Appliance, the Configure Backup page appears when you go to Availability->Backup and Recovery->Configure Backup.

    Provide the host credential and then invoke the Change Configuration action in the Actions menu on the right-hand corner to:

    • Change the Recovery Appliance details, or

    • Change any of the backup options (protocol, enable/disable real time redo, parallelism).
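
The emcli command in step 3 above carries the wallet password on the command line, where shell history and the process list can expose it. The following added example (not part of the original page) supplies the password through emcli's -input_file option instead; the tag name WALLET_PW and the function name are chosen here, and emcli is assumed to be on PATH with an active login session.

```shell
#!/bin/sh
# Added example, not from the original page.
# Assumptions: emcli is on PATH and logged in; WALLET_PW is an arbitrary tag
# that links the -attributes placeholder to the file named in -input_file.

# create_wallet_credential <auth_target_type> <cred_name> <wallet_password>
create_wallet_credential() {
    cwc_file=$(mktemp) || return 1     # mktemp creates the file with mode 0600
    # printf is a shell builtin, so the password is never part of any argv.
    printf '%s' "$3" > "$cwc_file"
    cwc_rc=0
    emcli create_named_credential \
        -auth_target_type="$1" \
        -cred_type=GenericPassword \
        -cred_name="$2" \
        -attributes="GENERIC_PASSWORD:WALLET_PW" \
        -input_file="WALLET_PW:$cwc_file" || cwc_rc=$?
    rm -f "$cwc_file"                  # remove the secret even if emcli failed
    return "$cwc_rc"
}

# Invoked as: script <auth_target_type> <cred_name>
# Prompts for the wallet password with terminal echo turned off.
if [ "$#" -eq 2 ]; then
    printf 'Wallet password: ' >&2
    stty -echo
    IFS= read -r pw
    stty echo
    printf '\n' >&2
    create_wallet_credential "$1" "$2" "$pw"
    unset pw
fi
```

The credential name passed here is the one to select on the Configure Backup page when the database wallet is password-protected.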

Scheduling Backups from the Database to the Recovery Appliance

After successful configuration of backups, go to the Availability->Backup and Recovery->Schedule Backup menu item from the database home page.

On the Schedule Backup page, specify the host credentials for the database host and select how often you'd like the backups to be sent. The suggested backup strategy for backups to the Recovery Appliance is to send incremental backups daily.