Securing & encrypting Data using Oracle Goldengate
In this blog, we will discuss the security aspects of GoldenGate.
GoldenGate provides the following encryption options:
1) The data stored in extract and replicat trail files
2) Passwords used in the extract and replicat parameter files
3) Data sent over TCP/IP networks
GoldenGate has built-in security features that let us secure and protect the data being processed and transported over the network, as well as the passwords.
GoldenGate can encrypt data before it sends it across the TCP/IP network to the target system. On the target system, GoldenGate decrypts the data before writing it to the GoldenGate trail files. By default, data sent across the network is not encrypted.
Steps for setting up the encryption with GoldenGate:
· Run the keygen command from the GoldenGate software installation home
· Copy the GGSKEY1 file to the GoldenGate home directory on the target server
· Encrypt database passwords
Generate Encryption Keys
Run the keygen command from the GoldenGate software installation home on the source side only.
KEYGEN (key length) (n)
Where: (key length) is the encryption key length, up to 128 bits.
(n) represents the number of keys to generate.
./keygen 128 4
0x0A0E5C624211E87040B50129726C0371
0x0D44A10F0A6A05101FCE1E2003F0B405
0x0F7AE63CD1C2222FFEE63B179373661A
0xBB5A266A0AFF58158771E5599E5AB84C
Create a text file called ENCKEYS and, in this file, provide a logical name for each key that has been generated.
vi ENCKEYS
ggskey1 0x0A0E5C624211E87040B50129726C0371
ggskey2 0x0D44A10F0A6A05101FCE1E2003F0B405
ggskey3 0x0F7AE63CD1C2222FFEE63B179373661A
ggskey4 0xBB5A266A0AFF58158771E5599E5AB84C
Copy the ENCKEYS file to the GoldenGate home directory on the target server
scp -rp ENCKEYS targethost:/u01/app/ogg/11.2.1.0_x
Encrypt database passwords on Source
Run the ENCRYPT PASSWORD command along with the logical name of the secure key (from the GGSKEY1 file we have just created) to generate an encrypted password.
GGSCI > encrypt password gg_schema_password encryptkey GGSKEY1
Encrypted password: AACAAAAAAAAAAAJAUEUGODSCVGJEEIUGKJDJTFNDKEJFFFTC
Test this encrypted password
GGSCI > dblogin userid ggs_owner, password AACAAAAAAAAAAAJAUEUGODSCVGJEEIUGKJDJTFNDKEJFFFTC, encryptkey GGSKEY1
Successfully logged into database.
Encrypt database passwords on Target
Run the ENCRYPT PASSWORD command along with the logical name of the secure key (from the GGSKEY1 file we have just created) to generate an encrypted password.
GGSCI > encrypt password gg_schema_password encryptkey GGSKEY1
Encrypted password: AACAAAAAAAAAAAJAUEUGODSCVGJEEIUGKJDJTFNDKEJFFFTC
Test this encrypted password
GGSCI > dblogin userid ggs_owner, password AACAAAAAAAAAAAJAUEUGODSCVGJEEIUGKJDJTFNDKEJFFFTC, encryptkey GGSKEY1
Successfully logged into database.
Add this line to the Extract/Replicat parameter file (for example):
userid Goldengate_schema_name, password AADAAAAAAAAAAAHAPEUFIGGBPBCBOBKCEEAEEAJCSEPIBHFGNDGJTBAIKJDAZCOBFBYFQFVEABSBJGPD, encryptkey ggskey1
Restart your Extract/Replicat process.
In the pump parameter file, add ENCRYPT BLOWFISH along with the logical name of the secure encryption key generated in the previous step:
RMTHOST remote hostname, MGRPORT 7809, ENCRYPT BLOWFISH, KEYNAME GGSECKEY1
Encrypt Trail and Extract files
In the extract parameter file, to encrypt the data in the local or remote trail files, add the keyword ENCRYPTTRAIL before all trail files that need to be encrypted.
Extract exedwa
userid ggs_owner, password AACAAAAAAAAAAAJAUEUGODSCVGJEEIUGKJDJTFNDKEJFFFTC, encryptkey GGSECKEY1
ENCRYPTTRAIL EXTTRAIL ./dirdat/fin01/la
In the Replicat parameter file, include the parameter DECRYPTTRAIL so that Replicat decrypts the data for processing.
REPLICAT rpedwa
userid ggs_owner, password AACAAAAAAAAAAAJAUEUGODSCVGJEEIUGKJDJTFNDKEJFFFTC, encryptkey GGSECKEY1
DECRYPTTRAIL
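A pre-flight check for the setup above, as an added example that is not part of the original post or of GoldenGate: it parses an ENCKEYS file, reports malformed or duplicate entries, lists key names that parameter files reference through ENCRYPTKEY or KEYNAME but that ENCKEYS does not define (the snippets above use both ggskey1 and GGSECKEY1, while the ENCKEYS file defines ggskey1 to ggskey4), and flags a key file that group or other users can access. Assumptions: key names match case-insensitively, lines starting with # are comments, and all function names and sample values are constructed for illustration.

```python
import os
import re
import stat

# keygen output on the page: "0x" followed by hex digits, at most 128 bits (32 digits)
KEY_RE = re.compile(r"^0x[0-9A-Fa-f]{1,32}$")
# Parameter-file keywords that name a key: ENCRYPTKEY <name> and KEYNAME <name>
REF_RE = re.compile(r"\b(?:ENCRYPTKEY|KEYNAME)\s+(\w+)", re.IGNORECASE)

def parse_enckeys(text):
    """Parse 'name 0xHEX' lines; return ({NAME: value}, [problems])."""
    keys, problems = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts or parts[0].startswith("#"):  # blank or comment (assumed syntax)
            continue
        if len(parts) != 2 or not KEY_RE.match(parts[1]):
            problems.append(f"line {n}: expected '<name> 0x<hex, up to 32 digits>'")
            continue
        name = parts[0].upper()  # assumption: names match case-insensitively
        if name in keys:
            problems.append(f"line {n}: duplicate key name {parts[0]}")
        keys[name] = parts[1]
    return keys, problems

def undefined_key_refs(param_text, keys):
    """Key names a parameter file references that ENCKEYS does not define."""
    refs = {m.upper() for m in REF_RE.findall(param_text)}
    return sorted(refs - set(keys) - {"DEFAULT"})  # ENCRYPTKEY DEFAULT needs no ENCKEYS entry

def too_permissive(path):
    """True if group or other users have any access to the key file."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)

# Constructed sample input: placeholder key values, parameter lines shaped like the page's.
SAMPLE_ENCKEYS = """\
ggskey1 0x00112233445566778899AABBCCDDEEFF
ggskey2 0xFFEEDDCCBBAA99887766554433221100
"""
SAMPLE_PRM = """\
userid ggs_owner, password PLACEHOLDER, encryptkey ggskey1
RMTHOST targethost, MGRPORT 7809, ENCRYPT BLOWFISH, KEYNAME GGSECKEY1
"""

if __name__ == "__main__":
    keys, problems = parse_enckeys(SAMPLE_ENCKEYS)
    print(problems, undefined_key_refs(SAMPLE_PRM, keys))
    if os.path.exists("ENCKEYS"):
        print("ENCKEYS too permissive:", too_permissive("ENCKEYS"))
```

Run it from the GoldenGate home on both source and target after copying ENCKEYS, feeding it the contents of each parameter file in place of the sample text.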