Securing & Encrypting Data Using Oracle GoldenGate

In this blog, we will discuss the security aspects of GoldenGate.

GoldenGate provides the following encryption options:

1) The data stored in extract and replicat trail files
2) Passwords used in the extract and replicat parameter files
3) Data sent over TCP/IP networks

GoldenGate has built-in security features which enable us to secure and protect the data being processed, the data being transported over the network, and the passwords.

GoldenGate can encrypt data before it sends it across the TCP/IP network to the target system. On the target system, GoldenGate decrypts the data before writing it to the GoldenGate trail files. By default, data sent across the network is not encrypted.

Steps for setting up the encryption with GoldenGate:

·       Generate Encryption Keys
·       Run the keygen command from the GoldenGate software installation home
·       Copy the ENCKEYS file to the GoldenGate home directory on the target server
·       Encrypt database passwords

Generate Encryption Keys

Run the keygen command from the GoldenGate software installation home on the source side only.

KEYGEN (key length) (n)
Where: (key length) is the encryption key length, up to 128 bits.
(n) represents the number of keys to generate.
./keygen 128 4
0x0A0E5C624211E87040B50129726C0371
0x0D44A10F0A6A05101FCE1E2003F0B405
0x0F7AE63CD1C2222FFEE63B179373661A
0xBB5A266A0AFF58158771E5599E5AB84C

Create a text file called ENCKEYS and, for each key that has been generated, add a line to this file giving the key a logical name followed by the key value.

vi ENCKEYS
ggskey1 0x0A0E5C624211E87040B50129726C0371
ggskey2 0x0D44A10F0A6A05101FCE1E2003F0B405
ggskey3 0x0F7AE63CD1C2222FFEE63B179373661A
ggskey4 0xBB5A266A0AFF58158771E5599E5AB84C

Copy the ENCKEYS file to the GoldenGate home directory on the target server. The file must be identical on both hosts, and since it holds the keys that decrypt every password and trail encrypted with them, keep it readable only by the GoldenGate software owner.

scp -rp ENCKEYS targethost:/u01/app/ogg/11.2.1.0_x

Encrypt database passwords on Source

Run the ENCRYPT PASSWORD command along with the logical name of the secure key (from the ENCKEYS file we have just created) to generate an encrypted password.

GGSCI > encrypt password gg_schema_password encryptkey GGSKEY1

Encrypted password: AACAAAAAAAAAAAJAUEUGODSCVGJEEIUGKJDJTFNDKEJFFFTC

Test this encrypted password

GGSCI > dblogin userid ggs_owner, password AACAAAAAAAAAAAJAUEUGODSCVGJEEIUGKJDJTFNDKEJFFFTC, encryptkey GGSKEY1

Successfully logged into database.

Encrypt database passwords on Target

Run the ENCRYPT PASSWORD command along with the logical name of the secure key (from the ENCKEYS file we have just created) to generate an encrypted password.

GGSCI > encrypt password gg_schema_password encryptkey GGSKEY1

Encrypted password: AACAAAAAAAAAAAJAUEUGODSCVGJEEIUGKJDJTFNDKEJFFFTC

Test this encrypted password

GGSCI > dblogin userid ggs_owner, password AACAAAAAAAAAAAJAUEUGODSCVGJEEIUGKJDJTFNDKEJFFFTC, encryptkey GGSKEY1

Successfully logged into database.

Add this line to the Extract/Replicat parameter file (for example):

userid Goldengate_schema_name,password AADAAAAAAAAAAAHAPEUFIGGBPBCBOBKCEEAEEAJCSEPIBHFGNDGJTBAIKJDAZCOBFBYFQFVEABSBJGPD, encryptkey ggskey1

Restart your Extract/Replicat process.

Encrypt data sent over TCP/IP

In the pump parameter file, add ENCRYPT BLOWFISH to the RMTHOST parameter along with KEYNAME and the logical name of the encryption key generated in the previous step. The KEYNAME value must match a logical name present in the ENCKEYS file on both the source and the target server.

RMTHOST remote hostname, MGRPORT 7809, ENCRYPT BLOWFISH, KEYNAME GGSECKEY1

Encrypt Trail and Extract files

To encrypt the data in the local or remote trail files, add the keyword ENCRYPTTRAIL in the Extract parameter file before each trail file specification that needs to be encrypted.

Extract exedwa
userid ggs_owner, password AACAAAAAAAAAAAJAUEUGODSCVGJEEIUGKJDJTFNDKEJFFFTC, encryptkey GGSECKEY1

ENCRYPTTRAIL EXTTRAIL ./dirdat/fin01/la

In the Replicat parameter file, include the parameter DECRYPTTRAIL so that Replicat decrypts the data for processing.

REPLICAT rpedwa
userid ggs_owner, password AACAAAAAAAAAAAJAUEUGODSCVGJEEIUGKJDJTFNDKEJFFFTC, encryptkey GGSECKEY1
DECRYPTTRAIL
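The steps above all hinge on one thing: every key name given to ENCRYPTKEY or KEYNAME in a parameter file must exist in the ENCKEYS file, the ENCKEYS file must be the same on both hosts, and it must stay private because its keys decrypt the stored passwords and the trails. The following POSIX shell script is an added example (not from this post and not part of Oracle GoldenGate) that checks exactly that. It assumes the ENCKEYS layout shown above, one "<logical name> <0xHEX key>" per line, treats key names as case-insensitive (the post uses ggskey1 and GGSKEY1 interchangeably), and builds its own constructed ENCKEYS and pump parameter files in a temporary directory so it runs offline; the key values, file names and the process name pmpedwa are all made up for the demo.

```shell
#!/bin/sh
# Added example, not part of the post or of Oracle GoldenGate: sanity checks for
# an ENCKEYS file and for the key names that parameter files refer to. Assumes
# the ENCKEYS layout "<logical name> <0xHEX>" per line and case-insensitive
# key names. Every file below is constructed for the demo.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# A well-formed ENCKEYS with constructed dummy 128-bit keys, owner-only access.
cat > "$WORK/ENCKEYS" <<'EOF'
ggskey1 0x00112233445566778899AABBCCDDEEFF
ggskey2 0xFFEEDDCCBBAA99887766554433221100
EOF
chmod 600 "$WORK/ENCKEYS"

# The same file left world-readable; anyone on the host could decrypt every
# password and trail encrypted with these keys, so this must be flagged.
cp "$WORK/ENCKEYS" "$WORK/ENCKEYS.open"
chmod 644 "$WORK/ENCKEYS.open"

# A malformed file: odd number of hex digits and a duplicate logical name.
cat > "$WORK/ENCKEYS.bad" <<'EOF'
ggskey1 0x00112233445566778899AABBCCDDEEFF
ggskey1 0x1234567
EOF
chmod 600 "$WORK/ENCKEYS.bad"

# A constructed pump parameter file in the post's layout. KEYNAME GGSECKEY1 is
# deliberately absent from ENCKEYS: the mismatch a practitioner most often hits.
cat > "$WORK/pmpedwa.prm" <<'EOF'
EXTRACT pmpedwa
userid ggs_owner, password ENCRYPTED-PASSWORD-PLACEHOLDER, encryptkey ggskey1
RMTHOST targethost, MGRPORT 7809, ENCRYPT BLOWFISH, KEYNAME GGSECKEY1
ENCRYPTTRAIL RMTTRAIL ./dirdat/ra
EOF

# check_enckeys FILE: returns 0 if FILE is not readable by "others" and every
# line is a unique name plus a 0x key of 2..32 hex digits (keygen's 128-bit max).
check_enckeys() {
  f=$1; rc=0
  others=$(ls -ld "$f" | cut -c8-10)
  if [ "$others" != "---" ]; then
    echo "WARN: $f is readable by other users (others=$others)" >&2; rc=1
  fi
  awk '
    /^[ \t]*$/ { next }
    NF != 2 { printf("bad line %d: expected \"<name> <0xHEX>\"\n", NR); bad = 1; next }
    {
      n = tolower($1); k = tolower($2); l = length(k)
      if (k !~ /^0x[0-9a-f]+$/ || l < 4 || l > 34 || l % 2 != 0) {
        printf("bad key on line %d: %s\n", NR, $2); bad = 1
      }
      if (n in seen) { printf("duplicate key name on line %d: %s\n", NR, $1); bad = 1 }
      seen[n] = 1
    }
    END { exit bad ? 1 : 0 }
  ' "$f" >&2 || rc=1
  return $rc
}

# key_defined FILE NAME: returns 0 if NAME is a logical key name in FILE.
key_defined() {
  awk -v want="$2" 'tolower($1) == tolower(want) { found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# referenced_keys PRM: prints every name given to ENCRYPTKEY or KEYNAME in PRM.
referenced_keys() {
  awk '{
    for (i = 1; i < NF; i++) {
      w = tolower($i); sub(/,$/, "", w)
      if (w == "encryptkey" || w == "keyname") { v = $(i + 1); sub(/,$/, "", v); print v }
    }
  }' "$1"
}

# check_param_refs ENCKEYS PRM: returns 0 only if every referenced key exists.
check_param_refs() {
  rc=0
  for name in $(referenced_keys "$2"); do
    if key_defined "$1" "$name"; then
      echo "ok: $2 uses $name, defined in $1"
    else
      echo "MISSING: $2 uses $name, which is not defined in $1" >&2; rc=1
    fi
  done
  return $rc
}

# Demo run: the first file passes, the other two report problems, and the
# parameter file is caught referencing a key that ENCKEYS does not define.
for sample in ENCKEYS ENCKEYS.open ENCKEYS.bad; do
  if check_enckeys "$WORK/$sample"; then echo "$sample: ok"; else echo "$sample: problems found"; fi
done
check_param_refs "$WORK/ENCKEYS" "$WORK/pmpedwa.prm" || echo "fix KEYNAME/ENCRYPTKEY, or add the key to ENCKEYS on both hosts"
```

Run the same checks against the real ENCKEYS and each .prm file in dirprm on the source and on the target (and cmp the two ENCKEYS copies) before starting the processes; a missing or mismatched key name is found at start-up, not at configuration time, so catching it here avoids a failed restart.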
