We can use Oracle Golden Gate encryption at 3 levels.
- Message
- File
- Database Password
1. Message Encryption
The transmission over the TCP/IP network is encrypted.
The data is automatically decrypted by the server process before it is saved to trail files on the replicat server.
AES128, AES192, or AES256 is used for encryption and decryption.
Step 1: Generate a key using the keygen utility installed under the Golden Gate installation directory
    [oracle@localhost ggate]$ ./keygen 128 3
    0x6817300B22EE7C17FA21DC023DC5905B
    0x7D826C0D16731E0BFEB6F10B5C27F86B
    0x92EDA80F09F8BF7E024C07157B895F7C
Note: We have created 128-bit keys, so we need to use AES128 with the ENCRYPT clause in the Extract and Replicat files.
Step 2: Create a file named ENCKEYS under the Golden Gate installation directory and save the keys generated above as keyname and value pairs:
    [oracle@localhost ggate]$ vi ENCKEYS
    [oracle@localhost ggate]$ cat ENCKEYS
    key1 0x6817300B22EE7C17FA21DC023DC5905B
    key2 0x7D826C0D16731E0BFEB6F10B5C27F86B
    key3 0x92EDA80F09F8BF7E024C07157B895F7C
    [oracle@localhost ggate]$
Step 3: Copy this ENCKEYS file to the target destination.
    [oracle@localhost dirprm]$ scp /u02/ggate/ENCKEYS 192.168.1.10:/u02/ggate/
    oracle@192.168.1.10's password:
    ENCKEYS                    100%  122     0.1KB/s   00:00
    [oracle@localhost dirprm]$
Step 4: Edit your extract file and add ENCRYPT AES128 and the keyname you want to use, which you already assigned in the ENCKEYS file
    extract ext3
    rmthost repserver,mgrport 7809,ENCRYPT AES128,KeyName key2
    rmttrail /u02/ggate/dirdat/xy
    userid ggs_owner@orcl,password oracle
    Table HR.* ;
Step 5: Start extract
    GGSCI (localhost.localdomain as ggs_owner@orcl) 32> start ext3
    Sending START request to MANAGER ...
    EXTRACT EXT3 starting
Step 6: Run the info all command to check that your extract is running
    GGSCI (localhost.localdomain as ggs_owner@orcl) 33> info all
    Program     Status      Group       Lag at Chkpt  Time Since Chkpt
    MANAGER     RUNNING
    EXTRACT     STOPPED     EXT1        00:00:00      668:35:30
    EXTRACT     RUNNING     EXT2        00:00:00      00:00:00
    EXTRACT     RUNNING     EXT3        00:00:00      00:00:09
Step 7: Start the static collector process on the target server with the ENCRYPT clause
    [oracle@localhost ggate]$ ./server -p 2000 -ENCRYPT AES128 -keyname key2
    2018-10-10 03:37:15  INFO    OGG-01888  TCP network is configured as
                    OS DEFAULT    SPECIFIED    ACTUAL VALUE
    IP_DSCP         0             N/A          0
    IP_TOS          0             N/A          0
    TCP_NODELAY     0             N/A          0
    TCP_QUICKACK    1             N/A          1
    TCP_CORK        0             N/A          0
    SO_SNDBUF       8192          N/A          8192
    SO_RCVBUF       43690         N/A          43690.
2. Trail or Extract File Encryption
Step 1: Use the EncryptTrail command in the extract file to encrypt the extract trail file
    extract ext4
    userid ggs_owner@orcl , password oracle
    EncryptTrail AES128 ,keyname key1
    rmthost repserver,mgrport 7809
    rmttrail /u02/ggate/dirdat/pq
    Table hr.* ;
Note: ENCKEYS file must be copied to the target server.
Step 2: Start the extract process
    GGSCI (localhost.localdomain as ggs_owner@orcl) 43> start ext4
    Sending START request to MANAGER ...
    EXTRACT EXT4 starting
Step 3: Edit the replicat process and add a decrypttrail clause
    GGSCI (localhost.localdomain) 8> edit params rep4
    replicat rep4
    userid ggs_owner@stdorcl,password oracle
    decrypttrail AES128 keyname key1
    map hr.* , target hr.*;
Step 4: Start the replicat process
    GGSCI (localhost.localdomain as ggs_owner@stdorcl) 20> start rep4
    Sending START request to MANAGER ...
    REPLICAT REP4 starting
Step 5: Check with the info all command
    GGSCI (localhost.localdomain as ggs_owner@stdorcl) 21> info all
    Program     Status      Group       Lag at Chkpt  Time Since Chkpt
    MANAGER     RUNNING
    REPLICAT    ABENDED     REP2        00:00:00      23:03:57
    REPLICAT    RUNNING     REP4        00:00:00      00:00:01
3. Password Encryption
Step 1: Encrypt the password using AES128 and key1 specified in the ENCKEYS file
    GGSCI (localhost.localdomain as ggs_owner@orcl) 4> encrypt password oracle AES128 ENCRYPTKEY key1
    Encrypted password:  AADAAAAAAAAAAAGAPFEGRBLGYBKDTJMJQHSJPJNAPJUJCAWIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    Algorithm used:  AES128
    GGSCI (localhost.localdomain as ggs_owner@orcl) 5>
Step 2: Use this encrypted password in your extract file
    extract ext3
    rmthost repserver,mgrport 7809,ENCRYPT AES128,KeyName key2
    rmttrail /u02/ggate/dirdat/xy
    userid ggs_owner@orcl,password AADAAAAAAAAAAAGAPFEGRBLGYBKDTJMJQHSJPJNAPJUJCAWIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA , &
    AES128 , ENCRYPTKEY key1
    Table HR.* ;
Step 3: Start extract
    GGSCI (localhost.localdomain as ggs_owner@orcl) 10> start ext3
    Sending START request to MANAGER ...
    EXTRACT EXT3 starting
Step 4: Check extract status
    GGSCI (localhost.localdomain as ggs_owner@orcl) 12> info ext3
    EXTRACT    EXT3      Last Started 2018-10-31 10:14   Status RUNNING
    Checkpoint Lag       00:00:00 (updated 00:00:00 ago)
    Process ID           10749
    Log Read Checkpoint  Oracle Redo Logs
                         2018-10-31 10:15:08  Seqno 9, RBA 25193472
                         SCN 0.2281607 (2281607)
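The three procedures above share one ENCKEYS file, so a parameter file is worth checking against it before a process is started. The following Python script is an added example, not code from the original post or from Oracle: it flags keynames missing from ENCKEYS, keys whose length does not match the AES variant (per the note in Step 1 of message encryption), and a PASSWORD left in cleartext. The helper names and the sample inputs are constructed for illustration.

```python
import re

AES_BITS = {"AES128": 128, "AES192": 192, "AES256": 256}

# parse_enckeys / lint_params are illustrative helper names, not GoldenGate APIs.
def parse_enckeys(text):
    """Map keyname -> key length in bits from 'name 0xHEX' lines."""
    keys = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and re.fullmatch(r"0x[0-9A-Fa-f]+", parts[1]):
            keys[parts[0].lower()] = (len(parts[1]) - 2) * 4
    return keys

def lint_params(params, keys):
    """Return a list of findings for one Extract/Replicat parameter file."""
    findings = []
    text = re.sub(r"&[ \t]*\n", " ", params)  # join '&' continuation lines
    # Any "<AESnnn> [,] KEYNAME|ENCRYPTKEY <name>" pair, in any clause.
    for alg, name in re.findall(
            r"(?i)\b(AES\d{3})\s*,?\s*(?:KEYNAME|ENCRYPTKEY)\s+(\w+)", text):
        alg, name = alg.upper(), name.lower()
        if name not in keys:
            findings.append(f"{name}: not defined in ENCKEYS")
        elif keys[name] != AES_BITS.get(alg):
            findings.append(f"{name}: {keys[name]}-bit key used with {alg}")
    # A PASSWORD value with no ENCRYPTKEY on the same logical line is cleartext.
    for line in text.splitlines():
        m = re.search(r"(?i)\bpassword\s+\S+(.*)", line)
        if m and not re.search(r"(?i)\bENCRYPTKEY\b", m.group(1)):
            findings.append("cleartext PASSWORD in parameter file")
    return findings

# Constructed sample inputs (not the keys or passwords shown on this page).
ENCKEYS = "key1 0x" + "A1" * 16 + "\nkey2 0x" + "B2" * 16 + "\n"
PARAMS = """extract ext9
rmthost repserver, mgrport 7809, ENCRYPT AES128, KeyName key2
userid ggs_owner@orcl, password oracle
EncryptTrail AES256, keyname key1
"""
FIXED = """extract ext9
rmthost repserver, mgrport 7809, ENCRYPT AES128, KeyName key2
userid ggs_owner@orcl, password CONSTRUCTEDBLOB, &
AES128, ENCRYPTKEY key1
EncryptTrail AES128, keyname key1
"""

if __name__ == "__main__":
    print(lint_params(PARAMS, parse_enckeys(ENCKEYS)))
```
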