1. Oracle ZFS Storage Appliance Security Guide, Release OS8.8.x
  2. Oracle ZFS Storage Appliance Security Guide
  3. Data Services
  4. Remote Replication Data Service

Remote Replication Data Service

Oracle ZFS Storage Appliance remote replication facilitates replication of projects and shares. This service enables you to view which appliances have replicated data to a specific appliance, and to control to which appliances a specific appliance can replicate.

When this service is enabled, the appliance receives replication updates from other appliances and sends replication updates for local projects and shares according to their configured actions. When the service is disabled, incoming replication updates fail, and no local projects and shares are replicated.

For the remote appliance, the REST authorization token or the password for a user with the peerSetup authorization is required to configure remote replication targets for the appliance. These targets are used to set up a replication peer connection that enables the appliances to communicate. It is not recommended to use the "root" user account.

During target creation, the token or password is used to confirm request authenticity and to produce and exchange security keys that will be used to identify the appliances in subsequent communications.

The generated keys are stored persistently as part of appliance configuration. Neither the token nor the password is stored persistently or transmitted unencrypted. All appliance communications, including this initial identity exchange, are protected with SSL.

The Oracle ZFS Storage Appliance offline replication feature reduces time, resources, and potential data errors when replicating a large dataset over a network with limited bandwidth. Offline replication exports the replication stream to a file on an NFS server, which can be physically moved to the remote target site, or optionally copied to external media for shipping. At the target site, the administrator imports the file containing the replication stream to the target appliance.

To limit access to the exported replication stream, expose the NFS share only to the IP address of the source and target appliances. To encrypt the data, enable on-disk encryption for the NFS share on the NFS server. Refer to your NFS server documentation for more information. Note that an exported replication stream is never encrypted by the appliance.

The raw crypto option is enabled by default for new actions after the raw crypto replication deferred update has been applied. Raw crypto improves the security of replications by sending data encrypted.