By Randy Richeson, Senior Principal Instructor for Oracle University
Students often ask whether GoldenGate supports trail encryption with the Oracle Wallet. Yes, it does now! GoldenGate has supported encryption with keygen and the ENCKEYS file for years. GoldenGate 12c also supports encryption using the Oracle Wallet, which improves security, because the keys no longer sit in a clear-text ENCKEYS file, and simplifies administration.
Two types of wallets can be configured in GoldenGate 12c:
- The wallet that holds the master key, used for trail or TCP/IP encryption and decryption, stored in the new 12c dirwlt/cwallet.sso file.
- The wallet that holds the user ID and password used for database authentication, stored in the new 12c credential store file, dircrd/cwallet.sso.
A wallet is created with the ‘create wallet’ command. Once it exists, adding a master key is easy with the ‘open wallet’ and ‘add masterkey’ commands.
GGSCI (EDLVC3R27P0) 42> open wallet
Opened wallet at location 'dirwlt'.
GGSCI (EDLVC3R27P0) 43> add masterkey
Master key 'OGG_DEFAULT_MASTERKEY' added to wallet at location 'dirwlt'.
Existing GUI wallet utilities such as the Oracle Database “Oracle Wallet Manager” do not work on this version of the wallet; manage it from GGSCI. The default wallet location (dirwlt under the GoldenGate home) can be changed with the WALLETLOCATION parameter in the GLOBALS file.
GGSCI (EDLVC3R27P0) 44> sh ls -ltr ./dirwlt/*
-rw-r----- 1 oracle oinstall 685 May 30 05:24 ./dirwlt/cwallet.sso
GGSCI (EDLVC3R27P0) 45> info masterkey
Masterkey Name: OGG_DEFAULT_MASTERKEY
Creation Date: Fri May 30 05:24:04 2014
Version:   Creation Date:             Status:
1          Fri May 30 05:24:04 2014   Current
The second wallet file, the credential store, holds the credentials used to connect to a database, so neither the user ID nor the password appears in a parameter file or macro. It is created with ‘add credentialstore’, a credential is added with ‘alter credentialstore add user <userid> alias <alias>’ (GGSCI prompts for the password when it is not given on the command line, which keeps it out of the command history), and ‘info credentialstore’ lists the aliases without revealing passwords. Once configured, the file can be copied so that the same aliases are available to connect to the source or target database.
GGSCI (EDLVC3R27P0) 48> sh cp ./dircrd/cwallet.sso $GG_EURO_HOME/dircrd
GGSCI (EDLVC3R27P0) 49> sh ls -ltr ./dircrd/*
-rw-r----- 1 oracle oinstall 709 May 28 05:39 ./dircrd/cwallet.sso
The encryption wallet file is also copied to the target machine so the replicat has access to the master key when decrypting the encrypted records in the trail. As with the ENCKEYS file, the master key wallet created on the source host must either be kept on centrally available storage or copied to every GoldenGate target host. Anyone who can read cwallet.sso can decrypt the trail, so copy it over a protected channel (the example copies between two GoldenGate homes on the same host) and keep the same restrictive file permissions on every copy. The wallet is in a platform-independent format, although it is not certified for the iSeries, z/OS, or NonStop platforms.
GGSCI (EDLVC3R27P0) 50> sh cp ./dirwlt/cwallet.sso $GG_EURO_HOME/dirwlt
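The post copies both wallet files between GoldenGate homes with a plain ‘sh cp’. Before starting a replicat it is worth confirming that every target copy of dirwlt/cwallet.sso is byte-identical to the source (a stale copy would lack a renewed master key and the replicat would abend on the first encrypted record) and that no copy is more permissive than the -rw-r----- shown above. The following is an added example, not code from the post or from Oracle GoldenGate; the home directory names are hypothetical and the wallet contents are constructed placeholders, since a real cwallet.sso is opaque to this check anyway.

```python
"""Pre-flight audit of copied GoldenGate master-key wallets (added example)."""
import hashlib
import os
import stat
import tempfile
from typing import Dict, List

WALLET_REL = os.path.join("dirwlt", "cwallet.sso")
# The post shows the wallet created as -rw-r----- (0640); any extra bit
# exposes the master key to other local accounts.
MAX_WALLET_MODE = 0o640


def sha256_of(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def permission_findings(path: str) -> List[str]:
    """Report permission bits that go beyond MAX_WALLET_MODE."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    extra = mode & ~MAX_WALLET_MODE
    if extra:
        return [f"{path}: mode {mode:04o} grants bits {extra:04o} beyond {MAX_WALLET_MODE:04o}"]
    return []


def audit_wallet_copies(source_home: str, target_homes: List[str]) -> Dict[str, List[str]]:
    """Compare each target's dirwlt/cwallet.sso with the source copy.

    Returns {gg_home: [findings]}; an empty list means the copy exists, is
    byte-identical to the source and is no more permissive than 0640.
    """
    src = os.path.join(source_home, WALLET_REL)
    src_hash = sha256_of(src)
    report: Dict[str, List[str]] = {source_home: permission_findings(src)}
    for home in target_homes:
        path = os.path.join(home, WALLET_REL)
        findings: List[str] = []
        if not os.path.isfile(path):
            findings.append(f"{path}: missing; the replicat cannot decrypt the trail")
        else:
            if sha256_of(path) != src_hash:
                findings.append(f"{path}: differs from the source wallet (stale copy?)")
            findings.extend(permission_findings(path))
        report[home] = findings
    return report


def build_demo_homes(root: str) -> Dict[str, str]:
    """Constructed layout (not real wallets): a source home and four targets."""
    wallet = b"constructed-wallet-bytes-v1"
    homes: Dict[str, str] = {}
    for name, content, mode in [("gg_amer", wallet, 0o640),
                                ("gg_euro_ok", wallet, 0o640),
                                ("gg_euro_stale", b"constructed-wallet-bytes-v0", 0o640),
                                ("gg_euro_loose", wallet, 0o644)]:
        home = os.path.join(root, name)
        os.makedirs(os.path.join(home, "dirwlt"))
        path = os.path.join(home, WALLET_REL)
        with open(path, "wb") as f:
            f.write(content)
        os.chmod(path, mode)
        homes[name] = home
    homes["gg_euro_missing"] = os.path.join(root, "gg_euro_missing")  # never created
    return homes


def demo() -> Dict[str, List[str]]:
    """Run the audit on the constructed layout, keyed by short home name."""
    with tempfile.TemporaryDirectory() as root:
        homes = build_demo_homes(root)
        targets = [homes[n] for n in ("gg_euro_ok", "gg_euro_stale",
                                      "gg_euro_loose", "gg_euro_missing")]
        report = audit_wallet_copies(homes["gg_amer"], targets)
        return {os.path.basename(home): findings for home, findings in report.items()}


if __name__ == "__main__":
    for home, findings in demo().items():
        print(home, "OK" if not findings else "; ".join(findings))
```

Run it from cron or a deployment pipeline with the real source home and the list of target homes in place of the constructed layout; a non-empty findings list for any target means the replicat on that host should not be started until the wallet is re-copied or its permissions are fixed.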
The new 12c UserIdAlias parameter names the alias in the credential store that the process uses to log in, so no user ID or password appears in the parameter file.
GGSCI (EDLVC3R27P0) 52> view param extwest
Extract extwest
Exttrail ./dirdat/ew
Useridalias gguamer
Table west.*;
The EncryptTrail parameter encrypts the trail with the FIPS-approved Advanced Encryption Standard (AES128, AES192, or AES256; AES128 is used when no algorithm is named). The master key in the wallet is not applied to the records directly: GoldenGate generates an encryption key for each trail file, encrypts the data with it, and stores that key, protected by the master key, with the trail file. EncryptTrail can be used with a primary extract or a pump extract.
GGSCI (EDLVC3R27P0) 54> view param pwest
Extract pwest
Encrypttrail AES256
Rmthost easthost, mgrport 15001
Rmttrail ./dirdat/pe
Passthru
Table west.*;
Once the extracts are running, the records the pump writes to the remote trail are encrypted with the key in the wallet. Note that extwest has no EncryptTrail, so the local trail ./dirdat/ew on the source host is still written in clear text; add EncryptTrail to the primary extract as well if the local trail must also be protected.
GGSCI (EDLVC3R27P0) 60> info extract *west
EXTRACT EXTWEST Last Started 2014-05-30 05:26 Status RUNNING
Checkpoint Lag 00:00:17 (updated 00:00:01 ago)
Process ID 24982
Log Read Checkpoint Oracle Integrated Redo Logs
2014-05-30 05:25:53
SCN 0.0 (0)
EXTRACT PWEST Last Started 2014-05-30 05:26 Status RUNNING
Checkpoint Lag 24:02:32 (updated 00:00:05 ago)
Process ID 24983
Log Read Checkpoint File ./dirdat/ew000004
2014-05-29 05:23:34.748949 RBA 1483
On the target GoldenGate installation, the ‘info masterkey’ command confirms that the copied wallet contains the key. The replicat needs this key to decrypt the data it reads from the trail before applying the changes to the target table.
GGSCI (EDLVC3R27P0) 41> open wallet
Opened wallet at location 'dirwlt'.
GGSCI (EDLVC3R27P0) 42> info masterkey
Masterkey Name: OGG_DEFAULT_MASTERKEY
Creation Date: Fri May 30 05:24:04 2014
Version:   Creation Date:             Status:
1          Fri May 30 05:24:04 2014   Current
Once the replicat is running, records can be decrypted using the wallet.
GGSCI (EDLVC3R27P0) 44> info reast
REPLICAT REAST Last Started 2014-05-30 05:28 Status RUNNING
INTEGRATED
Checkpoint Lag 00:00:00 (updated 00:00:02 ago)
Process ID 25057
Log Read Checkpoint File ./dirdat/pe000004
2014-05-30 05:28:16.000000 RBA 1546
There is no need for the DecryptTrail parameter when using the wallet: the replicat recognizes the encrypted trail and decrypts it with the master key from its own dirwlt wallet. With the ENCKEYS file, DecryptTrail had to be specified.
GGSCI (EDLVC3R27P0) 45> view params reast
Replicat reast
AssumeTargetDefs
Discardfile ./dirrpt/reast.dsc, purge
UserIdAlias ggueuro
Map west.*, target east.*;
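The three parameter files above (extwest, pwest and reast) illustrate the hygiene rules of this post: credentials referenced through UserIdAlias rather than USERID/PASSWORD, trails written with EncryptTrail, and no leftover DecryptTrail in the replicat. A scanner over dirprm makes those rules checkable across a whole installation. The following is an added example, not code from the post or from Oracle GoldenGate: the parameter texts are constructed (the first three mirror the post, the two *legacy files show the pre-wallet ENCKEYS style), the AES256-minimum policy and the finding texts are this example's own, and a bare ENCRYPTTRAIL is treated as AES128, the 12c default.

```python
"""Audit GoldenGate parameter files for credential and trail-encryption hygiene
(added example; parameter file contents below are constructed)."""
import re
from typing import Dict, List

# Parameter-file comments start with "--" or the COMMENT keyword; "&" at the
# end of a line continues it on the next one.
COMMENT_RE = re.compile(r"^\s*(--|COMMENT\b)", re.IGNORECASE)
CIPHER_RANK = {"BLOWFISH": 0, "AES128": 1, "AES192": 2, "AES256": 3}

SAMPLE_PARAMS: Dict[str, str] = {
    "extwest": "Extract extwest\nExttrail ./dirdat/ew\nUseridalias gguamer\nTable west.*;\n",
    "pwest": ("Extract pwest\nEncrypttrail AES256\nRmthost easthost, mgrport 15001\n"
              "Rmttrail ./dirdat/pe\nPassthru\nTable west.*;\n"),
    "reast": ("Replicat reast\nAssumeTargetDefs\nDiscardfile ./dirrpt/reast.dsc, purge\n"
              "UserIdAlias ggueuro\nMap west.*, target east.*;\n"),
    # Constructed pre-wallet files: clear-text and ENCKEYS-encrypted passwords.
    "extlegacy": ("Extract extlegacy\n-- clear-text credential (constructed)\n"
                  "Userid ggamer, password Welcome1\nExttrail ./dirdat/el\nTable west.*;\n"),
    "replegacy": ("Replicat replegacy\nAssumeTargetDefs\n"
                  "Userid ggeuro, password AACAAAAAAAAAAAIAconstructed, encryptkey securekey1\n"
                  "DecryptTrail\nMap west.*, target east.*, &\n    colmap (usedefaults);\n"),
}


def logical_lines(text: str) -> List[str]:
    """Join '&' continuations and drop blank and comment lines."""
    out: List[str] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or COMMENT_RE.match(line):
            continue
        if line.endswith("&"):
            buf += line[:-1] + " "
            continue
        out.append((buf + line).strip())
        buf = ""
    if buf:
        out.append(buf.strip())
    return out


def audit_param_file(name: str, text: str, required_cipher: str = "AES256") -> List[str]:
    """Return policy findings for one parameter file (empty list = clean)."""
    findings: List[str] = []
    writes_trail = False
    encrypt_line = None
    for line in (l.upper() for l in logical_lines(text)):
        if re.match(r"USERID\b", line):          # USERIDALIAS does not match here
            if "PASSWORD" in line:
                kind = "ENCKEYS-encrypted" if "ENCRYPTKEY" in line else "clear-text"
                findings.append(f"{name}: USERID with {kind} PASSWORD in the parameter file; "
                                "move it to the credential store and use USERIDALIAS")
        elif re.match(r"(EXTTRAIL|RMTTRAIL)\b", line):
            writes_trail = True
        elif line.startswith("ENCRYPTTRAIL"):
            encrypt_line = line
        elif line.startswith("DECRYPTTRAIL"):
            findings.append(f"{name}: DECRYPTTRAIL is an ENCKEYS leftover; "
                            "a wallet-based replicat decrypts automatically")
    if writes_trail and encrypt_line is None:
        findings.append(f"{name}: writes a trail without ENCRYPTTRAIL; records are stored in clear text")
    elif encrypt_line is not None:
        parts = encrypt_line.split()
        cipher = parts[1] if len(parts) > 1 else "AES128"   # bare ENCRYPTTRAIL means AES128
        if CIPHER_RANK.get(cipher, -1) < CIPHER_RANK[required_cipher.upper()]:
            findings.append(f"{name}: ENCRYPTTRAIL {cipher} is weaker than the required "
                            f"{required_cipher.upper()}")
    return findings


def audit_all(files: Dict[str, str] = None, required_cipher: str = "AES256") -> Dict[str, List[str]]:
    """Audit a {name: text} mapping; defaults to the constructed samples."""
    files = files if files is not None else SAMPLE_PARAMS
    return {name: audit_param_file(name, text, required_cipher) for name, text in files.items()}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "OK" if not findings else "\n  " + "\n  ".join(findings))
```

Against real files, read each dirprm/*.prm into the mapping and treat any finding as a deployment blocker. The scanner flags the post's own extwest, correctly: its local trail ./dirdat/ew is written without EncryptTrail.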
Once a record is committed in the source table, the encryption can be verified with logdump on the trail and then by querying the target table.
SOURCE_AMER_SQL>insert into west.branch values (50, 80071);
1 row created.
SOURCE_AMER_SQL>commit;
Commit complete.
Logdump shows the encrypted record. The after image is ciphertext, and the ‘Bad compressed block’ message is expected: logdump is trying to interpret the encrypted bytes as a compressed record and cannot.
Logdump 40 >n
2014/05/30 05:28:30.001.154 Insert Len 28 RBA 1546
Name: WEST.BRANCH
After Image: Partition 4 G s
0a3e 1ba3 d924 5c02 eade db3f 61a9 164d 8b53 4331 | .>...$\....?a..M.SC1
554f e65a 5185 0257 | UO.ZQ..W
Bad compressed block, found length of 7075 (x1ba3), RBA 1546
GGS tokens:
TokenID x52 'R' ORAROWID Info x00 Length 20
4141 4157 7649 4141 4741 4141 4144 7541 4170 0001 | AAAWvIAAGAAAADuAAp..
TokenID x4c 'L' LOGCSN Info x00 Length 7
3231 3632 3934 33 | 2162943
TokenID x36 '6' TRANID Info x00 Length 10
3130 2e31 372e 3135 3031 | 10.17.1501
The replicat automatically decrypts this record from the trail using the wallet and then inserts the row into the target table. This select verifies that the row was committed in the target table and that the data is not encrypted.
TARGET_EURO_SQL>select * from branch where branch_number=50;
BRANCH_NUMBER BRANCH_ZIP
------------- ----------
50 80071
Book a seat in an upcoming Oracle GoldenGate 12c: Fundamentals for Oracle Ed 1 class to learn much more about using GoldenGate 12c new features with the Oracle wallet, credentials, integrated extracts, integrated replicats, coordinated replicats, the Oracle Universal Installer, a multi-tenant database, and other features.
Explore Oracle University GoldenGate classes here, or send me an email at randy.richeson[at]oracle.com if you have other questions.
About the Author:
Randy Richeson joined Oracle University as a Senior Principal Instructor in March 2005. He is an Oracle Certified Professional (10g-12c) and GoldenGate Certified Implementation Specialist (10-11g). He has taught GoldenGate since 2010 and other technical curriculums including GoldenGate Management Pack, GoldenGate Director, GoldenGate Veridata, Oracle Database, JD Edwards, PeopleSoft, and the Oracle Application Server since 1997.