Configuring TLS Data Security on the Recovery Appliance

This section provides the steps for configuring TLS Data Security on the Recovery Appliance.

RACLI commands configure the TLS (Transport Layer Security). The Recovery Appliance these TLS modes:

  • only: is https encryption alone.

  • enable: is http/https dual mode.

  • disable: is http, the default, without encryption.

The port numbers can be customized. The default ports for encryption are:

  • TCPS: 2484
  • HTTPS: 8005
  • REPL_TCPS: 2485

The default ports for non-encrypted operation are:

  • TCP: 1521
  • HTTP: 8001
  • REPL_TCP: 1522

  1. Verify with "racli list certificate" that the certificates are in the raa_certs database table. 

    # racli list certificate

Created log /opt/oracle.RecoveryAppliance/log/racli_list_certificate.20230329.1146.log
Wed Mar 29 11:46:49 2023: Start: List Certificate
Serial: 9A15CB4B76BBC52D
    Expire Time:      2024-03-28
    Certificate Type: trusted_cert
 
Serial: 95B9181340F644F0
    Expire Time:      2024-03-28
    Certificate Type: signed_cert
 
Wed Mar 29 11:46:49 2023: End: List Certificate

  2. To update the TLS mode on the Recovery Appliance that employs the certificates, issue a command similar to:

    racli alter network --service=ra_server --encrypt=enable

    Note:

    A complete Recovery Appliance outage is expected, because the whole CRS stack is restarted as part of the procedure. Additional steps are required because of this outage: pause replication, pause any backup scheduler, etc.

    The general form of the command is:

    racli alter network --service=ra_server
{ --encrypt=[enable|only|disable] }
[ --tcps_port=<VALUE>|--tcp_port=<VALUE> ]
[ --https_port=<VALUE>|--http_port=<VALUE> ]
[ --repl_tcp_port=<VALUE>|--repl_tcps_port=<VALUE>]
[ --silent ]
    --service

    Indicate the service being modified on the system. Valid value is "ra_server". Cannot be used of --network_type or its arguments.

    --network_type

    Indicate network type on the system. Cannot be used of --service or its arguments.

    --encrypt

    Specifies TLS encryption status on the system: "only" means HTTPS encryption; "enable" means dual HTTPS and HTTP; and "disable" means HTTP.

    --http_port

    Specifies HTTP port number to use. Default port is 8001.

    --https_port

    Specifies HTTPS port number to use. Default port is 8005.

    --tcp_port

    Specifies the TCP port number to use. Default port is 1521.

    --tcps_port

    Specifies TCPS port number to use. Default port is 2484

    --rep_tcps_port

    Specifies the replication TCPS port number to use. Default port is 2485.

    --rep_tcp_port

    Specifies the replication TCP port number to use. Default port is 1522.

    --silent

    When present

  3. Verify the health of the TLS.

    # racli run check --check_name=tls_health

Changing TLS Encryption on the Recovery Appliance

The "racli alter network" command configures TCPS & HTTPS, and TCP & HTTP. It has three encryption modes of operation.

  • Enable TLS Encryption: This enables dual mode TCP/TCPS and HTTP/HTTPS, and will use default ports unless otherwise specified. 

    racli alter network 
-–service=ra_server –-encrypt=enable
[ --tcps_port=<VALUE> ]
[ --https_port=<VALUE> ]
[ --repl_tcps_port=<VALUE> ]

  • Disable TLS Encryption: This enables TCP and HTTP, and will use their default ports unless otherwise specified. 

    racli alter network 
-–service=ra_server –-encrypt=disable
[ --tcp_port=<VALUE> ]
[ --http_port=<VALUE> ]
[ --repl_tcp_port=<VALUE> ]

  • Enable Only TLS Encryption: This enables only TCPS and HTTPS. The TCP and HTTP are disabled. Default ports are used unless otherwise specified. 

    racli alter network 
-–service=ra_server –-encrypt=only
[ --tcps_port=<VALUE> ]
[ --https_port=<VALUE> ]
[ --repl_tcps_port=<VALUE> ]

Validating TLS Usage

The following commands assist in monitoring the various TLS objects.