Replication Targets

A replication target can be:

  • A different pool on the source appliance.

  • A separate NFS server for offline replication.

When you create a replication target, first enter a name for the target. This name is used to identify the target in the BUI and CLI of the source appliance.

Establishing a Secure Connection

The replication target and the source appliance establish a connection that enables secure communications between the source and target. Provide the following information to establish the connection:

  • Fully qualified domain name, or IPv4 or IPv6 address of the target appliance - The recommended value to use is the target's domain name.

  • Root password of the replication target - Authorizes the administrator to set up the connection on the replication target.

The source and target exchange keys that are used to securely identify each other in subsequent communications. These keys are stored as part of the appliance configuration and persist across reboots and upgrades. These keys are lost if the appliance is factory reset or reinstalled.

The root password is never stored persistently. Changing the root password on either the target or source does not require any change to the replication configuration. The password is never transmitted in the clear. The initial identity exchange - and all other replication operations - is protected with SSL.

If you need to ensure that the replication traffic goes over a particular network interface, set up a static route for the target that specifies that interface as shown in Setting Up Network Interfaces and Static Routing - BUI, CLI.

Verifying the Target Certificate

When you create a replication target, certificate verification is performed. Certificate verification consists of the following steps:

  1. Certificate hostname is checked.
  2. Certificate trust is checked.

If either the hostname check or the trust check fails, the target is not created.

Hostname Check

The value of the hostname property can be a fully qualified domain name, or an IPv4 or IPv6 address. The recommended value to use is the target's fully qualified domain name.

The hostname check verifies that the hostname that you specified for the target matches a host specified in the certificate. If you specify an IP address or an unqualified domain name for the hostname, and the certificate only has fully qualified domain names, the hostname check fails and the target is not created.

If the target is using an ASN-based certificate, specify the target's fully qualified domain name for the value of the hostname property.

The hostname check is performed by default. You can bypass the hostname check by disabling the host match option.

For stronger security, set the value of the hostname property to the target's fully qualified domain name, and make sure the host match option is enabled.

Certificate Trust Check

The certificate trust check verifies that one of the following certificates has been added to the source's trusted certificate list and is enabled for peer use:

  • The target appliance's certificate.

  • The certificate for the certificate authority that issued the target appliance's certificate.

The certificate is verified when you create or edit a target, and any time the source and target try to connect. You can also check the connection yourself at any time.

  • Create target - When you add a target, if the certificate is not trusted by the source, the certificate is presented for you to review, and you are prompted to accept or reject the certificate. If you accept the certificate, the certificate is added to the trust list of the source, and the target is created. If you reject the certificate, the certificate is not added to the trust list of the source, and the target is not created. If the certificate is already trusted, the target is created, and you are not prompted to accept the certificate.

    After the target is created, its certificate can become untrusted. For example, the source's administrator could remove the certificate from the list of trusted certificates, or the target's administrator could replace the certificate.

  • Edit target - When you apply changes, if the certificate is not trusted by the source, the certificate is presented for you to review, and you are prompted to accept or reject the certificate. If you accept the certificate, the certificate is added to the trust list of the source. If you reject the certificate, the certificate is not added to the trust list of the source.

  • Connection test - At any time, you can check whether the certificate is trusted. If the certificate is not trusted by the source, the certificate is presented for you to review, and you are prompted to accept or reject the certificate. See Testing the Connection - BUI, CLI.

  • Peer and replication connection - The certificate trust check is performed for every peer and replication connection. If the certificate is not trusted, the source rejects the connection.
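The two-step verification described under Hostname Check and Certificate Trust Check, modelled as an added Python example (not appliance code). It assumes a simplified certificate record and a trust list of fingerprints with a per-entry peer-use flag, and shows why an IP-address or unqualified hostname fails against an FQDN-only certificate, how the host match option bypasses that check, and how the accept/reject prompt feeds the trust list.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

@dataclass
class Cert:
    # Minimal model of an X.509 certificate: who it names, who issued it, its fingerprint.
    fingerprint: str
    subject: str
    issuer: str
    dns_names: Tuple[str, ...] = ()  # fully qualified names the certificate covers
    ip_addrs: Tuple[str, ...] = ()   # IP-address entries, if the certificate has any

@dataclass
class TrustEntry:
    fingerprint: str       # one entry in the source's trusted certificate list
    peer_use: bool = True  # the "enabled for peer use" flag

def hostname_check(hostname: str, cert: Cert) -> bool:
    """Step 1: the hostname given for the target must match a host in the certificate."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP only matches an IP entry, so a certificate carrying only FQDNs fails here.
        return any(ip == ipaddress.ip_address(a) for a in cert.ip_addrs)
    # Exact match only: an unqualified name never matches a fully qualified one.
    return hostname.lower() in (n.lower() for n in cert.dns_names)

def trust_check(cert: Cert, issuer: Optional[Cert], trust_list: List[TrustEntry]) -> bool:
    """Step 2: the target's certificate, or the CA certificate that issued it,
    must be in the trust list and enabled for peer use."""
    trusted = {t.fingerprint for t in trust_list if t.peer_use}
    if cert.fingerprint in trusted:
        return True
    return issuer is not None and issuer.subject == cert.issuer and issuer.fingerprint in trusted

def create_target(hostname: str, cert: Cert, issuer: Optional[Cert], trust_list: List[TrustEntry],
                  host_match: bool = True,
                  accept: Optional[Callable[[Cert], bool]] = None) -> Tuple[bool, str]:
    """Runs both checks in order. When the certificate is untrusted, `accept` stands in for
    the administrator's review prompt; returning True adds the certificate to the trust list."""
    if host_match and not hostname_check(hostname, cert):
        return False, "hostname check failed"
    if not trust_check(cert, issuer, trust_list):
        if accept is None or not accept(cert):
            return False, "certificate rejected"
        trust_list.append(TrustEntry(cert.fingerprint))
    return True, "target created"
```

The fingerprints, names and addresses used when calling these functions are constructed sample values; `accept` is a hypothetical stand-in for the BUI/CLI prompt.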

Related Topics

  • Creating a Replication Target - BUI, CLI

  • Testing the Connection - BUI, CLI

  • Editing a Replication Target - BUI, CLI

Other Replication Target Considerations

If a replication source uses NIS or LDAP and directly maps these services' users or groups in the share configuration, the equivalent setup must be present on the replication target. Otherwise, replication sever and reverse operations could fail.

By default, the replication target connection is not bidirectional. For example, if an administrator configures replication from source S to target T, T cannot automatically use S as a target. However, reversing the direction of replication is supported, which automatically creates a target for S on T (if it does not already exist) so that T can replicate back to S. For more information, see Reverse the Direction of Replication.

Related Topics