GoldenGate has some security features which enables us to secure and protect the data that is being processed as well as being transported over the network.
GoldenGate provides the following encryption options:
1) The data stored in extract and replicat trail files
2) Passwords used in the extract and replicat parameter files
3) Data send over TCP/IP networks
To encrypt trail or extract files, GoldenGate uses 256-key byte substitution. All records going into those files are encrypted both across any data links and within the files themselves.
To encrypt the database password or data sent across TCP/IP, GoldenGate uses Blowfish encryption.
Let us examine some of the steps involved in setting up the encryption with GoldenGate.
Generate Encryption Keys
Run the keygen command from the GoldenGate software installation home
KEYGEN (key length) (n)
Where:
(key length) is the encryption key length, up to 128 bits.
(n) represents the number of keys to generate.
[oracle@linux01 goldengate]$ ./keygen 128 4
0x0A0E5C624211E87040B50129726C0371
0x0D44A10F0A6A05101FCE1E2003F0B405
0x0F7AE63CD1C2222FFEE63B179373661A
0xBB5A266A0AFF58158771E5599E5AB84C
We will then create a text file called ENCKEYS and in this file for each key that has been generated we will provide a logical name as shown below
[oracle@linux01 goldengate]$ vi ENCKEYS
securekey1 0x0A0E5C624211E87040B50129726C0371
securekey2 0x0D44A10F0A6A05101FCE1E2003F0B405
securekey3 0x0F7AE63CD1C2222FFEE63B179373661A
securekey4 0xBB5A266A0AFF58158771E5599E5AB84C
We will then copy the ENCKEYS file to the GoldenGate software location on our target server
[oracle@linux01 goldengate]$ scp -rp ENCKEYS oracle@linux02:/home/oracle/goldengate/
Encrypt database passwords
Run GGSCI and issue the ENCRYPT PASSWORD command along with the logical name of the secure key (from the ENCKEYS file we have just created)to generate an encrypted password
GGSCI (linux01.oncalldba.com) 1> encrypt password ggs_owner encryptkey securekey1
Encrypted password: AACAAAAAAAAAAAJAUEUGODSCVGJEEIUGKJDJTFNDKEJFFFTC
Let us now test this encrypted password
GGSCI (linux01.oncalldba.com) 4> dblogin userid ggs_owner, password AACAAAAAAAAAAAJAUEUGODSCVGJEEIUGKJDJTFNDKEJFFFTC, encryptkey securekey1
Successfully logged into database.
Encrypt data sent over TCP/IP
You can encrypt captured data before GoldenGate sends it across the TCP/IP network to the target system.
On the target system, GoldenGate decrypts the data before writing it to the GoldenGate trail files. By default, data sent across the network is not encrypted.
For example in our extract parameter file we will add the ENCRYPT BLOWFISH along with the logical name for our secure encryption
key (taken from the ENCKEYS file) as shown below
RMTHOST 192.168.10.194, MGRPORT 7809, ENCRYPT BLOWFISH, KEYNAME securekey1
Encrypt Trail and Extract files
We can also encrypt the data in any local or remote trail or file.
In the Extract parameter file we use the keyword ENCRYPTTRAIL before all trails or files that you want to be encrypted.
In the Replicat parameter file, include the parameter DECRYPTTRAIL so that Replicat decrypts the data for processing.
Let us now look at an example of an Extract and Replicat parameter file where we have used all three encryption features where the GGS_OWNER database password has been encrypted, the trail files have been enabled for encryption and decryption and the TCP/IP network connectivity to the remote site also has encryption enabled.
EXTRACT ext2
USERID ggs_owner, PASSWORD AACAAAAAAAAAAAJAUEUGODSCVGJEEIUGKJDJTFNDKEJFFFTC, ENCRYPTKEY securekey1
RMTHOST 192.168.10.194, MGRPORT 7809, ENCRYPT BLOWFISH, KEYNAME securekey1
ENCRYPTTRAIL RMTTRAIL /home/oracle/goldengate/dirdat/ab
TABLE ggs_owner.myobjects;
REPLICAT rep2
HANDLECOLLISIONS
DECRYPTTRAIL
ASSUMETARGETDEFS
USERID ggs_owner, PASSWORD AACAAAAAAAAAAAJAUEUGODSCVGJEEIUGKJDJTFNDKEJFFFTC, ENCRYPTKEY securekey1
