Quantcast
Channel: Oracle Bloggers
Viewing all articles
Browse latest Browse all 19780

Oracle GoldenGate 12c New Features: Trail Encryption and Credentials with Oracle Wallet

$
0
0

By Randy Richeson, Senior Principal Instructor for Oracle University

Students often ask if GoldenGate supports trail encryption with the Oracle Wallet. Yes, it does now! GoldenGate supported encryption with keygen and the ENCKEYS file for years. GoldenGate 12c now also supports encryption using the Oracle Wallet. This improves security and simplifies its administration.


Two types of wallets can be configured in GoldenGate 12c:

  • The wallet that holds the master key, used with trail or TCP/IP encryption and decryption, stored in the new 12c dirwlt/cwallet.sso file.
  • The wallet that holds the User Id and Password, used for authentication, stored in the new 12c dircrd/cwallet.sso - credential store - file.

 

A wallet can be created using a ‘create wallet’ command. Once created, adding a master key to an existing wallet is easy using ‘open wallet’ and ‘add masterkey’ commands.

 

GGSCI (EDLVC3R27P0) 42> open wallet

Opened wallet at location 'dirwlt'.

GGSCI (EDLVC3R27P0) 43> add masterkey

Master key 'OGG_DEFAULT_MASTERKEY' added to wallet at location 'dirwlt'.

 

Existing GUI Wallet utilities such as the Oracle Database “Oracle Wallet Manager” do not work on this version of the wallet. The default Oracle Wallet location can be changed.

 

GGSCI (EDLVC3R27P0) 44> sh ls -ltr ./dirwlt/*

-rw-r----- 1 oracle oinstall 685 May 30 05:24 ./dirwlt/cwallet.sso

GGSCI (EDLVC3R27P0) 45> info masterkey

Masterkey Name:                 OGG_DEFAULT_MASTERKEY

Creation Date:                 Fri May 30 05:24:04 2014

Version:        Creation Date:                  Status:

1               Fri May 30 05:24:04 2014        Current

 

The second wallet file stores the credential used to connect to a database, without exposing the UserId or Password in a parameter file or macro. Once configured, this file can be copied so that credentials are available to connect to the source or target database.

 

GGSCI (EDLVC3R27P0) 48> sh cp ./dircrd/cwallet.sso $GG_EURO_HOME/dircrd

GGSCI (EDLVC3R27P0) 49> sh ls -ltr ./dircrd/*

-rw-r----- 1 oracle oinstall 709 May 28 05:39 ./dircrd/cwallet.sso

 

The encryption wallet file can also be copied to the target machine so the replicat has access to the master key when decrypting any encrypted records the trail. Similar to the ENCKEYS file, the master key wallet created on the source host must either be stored in a centrally available disk or copied to all GoldenGate target hosts. The wallet is in a platform-independent format, although it is not certified for the iSeries, z/OS, or NonStop platforms.

 

GGSCI (EDLVC3R27P0) 50> sh cp ./dirwlt/cwallet.sso $GG_EURO_HOME/dirwlt

 

The new 12c UserIdAlias parameter is used to locate the credential in the wallet.

 

GGSCI (EDLVC3R27P0) 52> view param extwest

Extract extwest

Exttrail ./dirdat/ew

Useridalias gguamer

Table west.*;


The EncryptTrail parameter is used to encrypt the trail using the FIPS approved Advanced Encryption Standard and the encryption key in the wallet. EncryptTrail can be used with a primary extract or pump extract.


GGSCI (EDLVC3R27P0) 54> view param pwest

Extract pwest

Encrypttrail AES256

Rmthost easthost, mgrport 15001

Rmttrail ./dirdat/pe

Passthru

Table west.*;

 

Once the extracts are running, records can be encrypted using the wallet.

 

GGSCI (EDLVC3R27P0) 60> info extract *west

EXTRACT    EXTWEST   Last Started 2014-05-30 05:26   Status RUNNING

Checkpoint Lag       00:00:17 (updated 00:00:01 ago)

Process ID           24982

Log Read Checkpoint  Oracle Integrated Redo Logs

                     2014-05-30 05:25:53

                     SCN 0.0 (0)

EXTRACT    PWEST     Last Started 2014-05-30 05:26   Status RUNNING

Checkpoint Lag       24:02:32 (updated 00:00:05 ago)

Process ID           24983

Log Read Checkpoint  File ./dirdat/ew000004

                     2014-05-29 05:23:34.748949  RBA 1483

 

The ‘info masterkey’ command is used to confirm the wallet contains the key. The key is needed to decrypt the data read from the trail before the replicat applies changes to the target table.

 

GGSCI (EDLVC3R27P0) 41> open wallet

Opened wallet at location 'dirwlt'.

GGSCI (EDLVC3R27P0) 42> info masterkey

Masterkey Name:                 OGG_DEFAULT_MASTERKEY

Creation Date:                  Fri May 30 05:24:04 2014

Version:        Creation Date:                  Status:

1               Fri May 30 05:24:04 2014        Current

 

Once the replicat is running, records can be decrypted using the wallet.

 

GGSCI (EDLVC3R27P0) 44> info reast

REPLICAT   REAST     Last Started 2014-05-30 05:28   Status RUNNING

INTEGRATED

Checkpoint Lag       00:00:00 (updated 00:00:02 ago)

Process ID           25057

Log Read Checkpoint  File ./dirdat/pe000004

                    2014-05-30 05:28:16.000000  RBA 1546

 

There is no need for the DecryptTrail parameter when using the wallet, unlike when using the ENCKEYS file.

 

GGSCI (EDLVC3R27P0) 45> view params reast

Replicat reast

AssumeTargetDefs

Discardfile ./dirrpt/reast.dsc, purge

UserIdAlias ggueuro

Map west.*, target east.*;

 

Once a record is committed in the source table, the encryption can be verified using logdump and then querying the target table.

 

SOURCE_AMER_SQL>insert into west.branch values (50, 80071);

1 row created.

 

SOURCE_AMER_SQL>commit;

Commit complete.

 

The following encrypted record can be found using logdump.


Logdump 40 >n

2014/05/30 05:28:30.001.154 Insert               Len    28 RBA 1546

Name: WEST.BRANCH

After  Image:                                             Partition 4   G  s  

 0a3e 1ba3 d924 5c02 eade db3f 61a9 164d 8b53 4331 | .>...$\....?a..M.SC1 

 554f e65a 5185 0257                               | UO.ZQ..W 

Bad compressed block, found length of  7075 (x1ba3), RBA 1546

  GGS tokens:

TokenID x52 'R' ORAROWID         Info x00  Length   20

 4141 4157 7649 4141 4741 4141 4144 7541 4170 0001 | AAAWvIAAGAAAADuAAp.. 

TokenID x4c 'L' LOGCSN           Info x00  Length    7

 3231 3632 3934 33                                | 2162943 

TokenID x36 '6' TRANID           Info x00  Length   10

 3130 2e31 372e 3135 3031                          | 10.17.1501 


The replicat automatically decrypts this record from the trail using the wallet and then inserts the row to the target table. This select verifies the row was committed in the target table and the data is not encrypted.


TARGET_EURO_SQL>select * from branch where branch_number=50;

BRANCH_NUMBER                 BRANCH_ZIP

-------------                                   ----------

   50                                            80071

 

Book a seat in an upcoming Oracle GoldenGate 12c: Fundamentals for Oracle Ed 1 class to learn much more about using GoldenGate 12c new features with the Oracle wallet, credentials, integrated extracts, integrated replicats, coordinated replicats, the Oracle Universal Installer, a multi-tenant database, and other features.

Explore Oracle University GoldenGate classes here, or send me an email at randy.richeson[at]oracle.com if you have other questions.

About the Author:

Randy Richeson joined Oracle University as a Senior Principal Instructor in March 2005. He is an Oracle Certified Professional (10g-12c) and GoldenGate Certified Implementation Specialist (10-11g). He has taught GoldenGate since 2010 and other technical curriculums including GoldenGate Management Pack, GoldenGate Director, GoldenGate Veridata, Oracle Database, JD Edwards, PeopleSoft, and the Oracle Application Server since 1997.


Viewing all articles
Browse latest Browse all 19780

Trending Articles



<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>