TLS and Replication Setup

If replication between Recovery Appliances was established before Transport Layer Security (TLS) was configured for dual mode, the following additional steps are needed on the upstream Recovery Appliance.

Note:

If TLS is configured before replication is established, no changes are required.

Copy the Trusted Certificate

  1. Verify that TLS is not already set up on the Recovery Appliance.

    racli run check --check_name=tls_health
    racli list certificate
  2. Copy the trusted certificate to the upstream Recovery Appliance. The certificate files should be owned by "oracle:oinstall".

    Note:

    Do not replace existing certificates on the upstream Recovery Appliance, which may have the same names. Copy the certificate to a temporary location, such as /tmp, so that the existing default certificates at /raacfs/raadmin/config/cert/raCA.pem are not overwritten.

    If the upstream Recovery Appliance is already TLS enabled and shares the same trusted certificate as the downstream Recovery Appliance, skip the following steps and go to the steps for updating tnsnames.ora.

  3. Create the correct replication wallet if the upstream and downstream Recovery Appliance replication was established without using RACLI.

    Note:

    If the upstream and downstream Recovery Appliance replication was established using RACLI, skip this step, because the correct replication wallet should already exist.

    To check that replication is managed through RACLI, run:

    racli status replication_server [--all]
    racli list replication_server [--all]

    If creating the wallet is required, the new wallet location must be /raacfs/raadmin/replication/orapki/ to be compliant with RACLI replication management. The following command prompts for the password of the new wallet; the -auto_login option creates the auto-login (cwallet.sso) file alongside it so that the replication server can open the wallet without a prompt.

    orapki wallet create -wallet /raacfs/raadmin/replication/orapki/ -auto_login
  4. Import the trusted certificate into the wallet. Here is the generic command (orapki options take a single leading dash).

    orapki wallet add -wallet /raacfs/raadmin/replication/orapki/ -trusted_cert -cert <CERT_DIR>/<NAME>.pem

    For one-way replication, the command is only issued on the upstream Recovery Appliance. For bi-directional replication, the command is issued on both Recovery Appliances.

    The command prompts for the wallet password. Existing credentials in the replication wallet can be checked with:

    mkstore -wrl /raacfs/raadmin/replication/orapki/ -listCredential
    mkstore -wrl /raacfs/raadmin/replication/orapki/ -list
    mkstore -wrl /raacfs/raadmin/replication/orapki/ -viewEntry oracle.security.client.password1

Update tnsnames.ora and the Replication Server

  1. Update the tnsnames.ora file with the TCPS connect descriptor for the replication target.

    The entry can be copied from the tnsnames.ora file on the peer Recovery Appliance.

    A TCPS service entry for each Recovery Appliance is added to $ORACLE_HOME/network/admin/tnsnames.ora of the RDBMS home when "racli alter network --service=ra_server --encrypt=enable" is run.

  2. If a new wallet was created manually above, pause the replication server (racli pause replication_server), update the replication server so that it uses the new wallet and the TCPS alias (for example with racli alter replication_server), and then resume it (racli resume replication_server).
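The following is an added example, not part of the Recovery Appliance documentation or of RACLI, that wraps the two checks a practitioner most often gets wrong in this procedure: staging the downstream certificate without overwriting the appliance's default certificates, and confirming that the tnsnames.ora alias the replication server will use really is a TCPS alias before the server is resumed. The certificate contents, hostnames, alias names and the scratch directory are constructed for illustration; the orapki command line is printed rather than executed so the script runs on a host without orapki or racli.

```bash
#!/usr/bin/env bash
# Added example (hypothetical helper, not appliance-provided code).
set -u

RA_CERT_DIR=/raacfs/raadmin/config/cert        # default appliance certificates live here; never write into it
WALLET_DIR=/raacfs/raadmin/replication/orapki  # wallet location that RACLI replication management expects

# stage_cert SRC DEST_DIR: copy a PEM certificate into a scratch directory and print its path.
# Refuses to stage into the appliance certificate directory and refuses to overwrite an existing
# file, so a default raCA.pem of the same name is never replaced. On the appliance the staged
# file would additionally be chowned to oracle:oinstall (needs root, so not done here).
stage_cert() {
    local src=$1 dest_dir=$2 dest
    case "$dest_dir" in
        "$RA_CERT_DIR"|"$RA_CERT_DIR"/*) echo "refusing to stage into $RA_CERT_DIR" >&2; return 1 ;;
    esac
    grep -q -- '-----BEGIN CERTIFICATE-----' "$src" || { echo "$src is not a PEM certificate" >&2; return 1; }
    dest=$dest_dir/$(basename "$src")
    [ -e "$dest" ] && { echo "$dest already exists, not overwriting" >&2; return 1; }
    cp "$src" "$dest" && chmod 640 "$dest" || return 1
    printf '%s\n' "$dest"
}

# wallet_import_cmd CERT: print the orapki command that imports CERT as a trusted certificate
# into the RACLI wallet (orapki options take a single leading dash).
wallet_import_cmd() {
    printf 'orapki wallet add -wallet %s/ -trusted_cert -cert %s\n' "$WALLET_DIR" "$1"
}

# tcps_alias_ok TNSNAMES ALIAS: succeed only if ALIAS in TNSNAMES uses PROTOCOL=TCPS.
# Extracts the entry from the alias line up to the line on which its parentheses balance.
tcps_alias_ok() {
    local file=$1 alias=$2 entry
    entry=$(awk -v a="$alias" '
        toupper($0) ~ "^" toupper(a) "[ \t]*=" { inside = 1 }
        inside {
            print
            o = gsub(/\(/, "("); c = gsub(/\)/, ")")
            depth += o - c
            if (o + c > 0 && depth <= 0) exit
        }' "$file")
    [ -n "$entry" ] && printf '%s' "$entry" | tr -d ' \t' | grep -qi 'PROTOCOL=TCPS'
}

# Constructed sample tnsnames.ora with a plain TCP alias and a TCPS alias (not from any appliance).
sample_tnsnames() {
    cat <<'EOF'
ra_server_tcp =
  (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=ra-down.example.com)(PORT=1521))
    (CONNECT_DATA=(SERVICE_NAME=ra_server)))
ra_server_tcps =
  (DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=ra-down.example.com)(PORT=2484))
    (CONNECT_DATA=(SERVICE_NAME=ra_server)))
EOF
}

# Demo on the constructed input.
work=$(mktemp -d)
sample_tnsnames > "$work/tnsnames.ora"
printf -- '-----BEGIN CERTIFICATE-----\nMIIBconstructedplaceholder\n-----END CERTIFICATE-----\n' > "$work/downstreamCA.pem"
mkdir -p "$work/stage"
for alias in ra_server_tcp ra_server_tcps; do
    if tcps_alias_ok "$work/tnsnames.ora" "$alias"; then echo "$alias: TCPS alias, usable for TLS replication"
    else echo "$alias: not a TCPS alias"; fi
done
if staged=$(stage_cert "$work/downstreamCA.pem" "$work/stage"); then
    echo "staged $staged; import with:"; wallet_import_cmd "$staged"
fi
rm -rf "$work"
```

Run it as the oracle user on the upstream appliance, pointing stage_cert at /tmp and tcps_alias_ok at the RDBMS home's network/admin/tnsnames.ora; only after both succeed does it make sense to pause the replication server and repoint it at the new wallet and alias.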