We can use Oracle GoldenGate encryption at three levels:

  • Message
  • File
  • Database Password

1. Message Encryption

Data sent over the TCP/IP network is encrypted.

The data is automatically decrypted by the server process before it is saved to the trail files on the Replicat server.

AES128, AES192, or AES256 is used for encryption and decryption.

Step 1: Generate a key using the keygen utility installed under the GoldenGate installation directory

[oracle@localhost ggate]$ ./keygen 128 3
0x6817300B22EE7C17FA21DC023DC5905B

0x7D826C0D16731E0BFEB6F10B5C27F86B

0x92EDA80F09F8BF7E024C07157B895F7C

Note: We have created 128-bit keys, so we need to use AES128 with the ENCRYPT clause in the Extract and Replicat parameter files.

Step 2: Create a file named ENCKEYS under the GoldenGate installation directory and save the keys generated above as key name and value pairs:

[oracle@localhost ggate]$ vi ENCKEYS
[oracle@localhost ggate]$ cat ENCKEYS 
key1 0x6817300B22EE7C17FA21DC023DC5905B

key2 0x7D826C0D16731E0BFEB6F10B5C27F86B

key3 0x92EDA80F09F8BF7E024C07157B895F7C
[oracle@localhost ggate]$

Step 3: Copy this ENCKEYS file to the target destination.

[oracle@localhost dirprm]$ scp /u02/ggate/ENCKEYS 192.168.1.10:/u02/ggate/
oracle@192.168.1.10's password: 
ENCKEYS                                       100%  122     0.1KB/s   00:00
[oracle@localhost dirprm]$

Step 4: Edit your Extract parameter file and add ENCRYPT AES128 together with the key name you want to use, which must already be defined in the ENCKEYS file

extract ext3
rmthost repserver,mgrport 7809,ENCRYPT AES128,KeyName key2
rmttrail /u02/ggate/dirdat/xy
userid ggs_owner@orcl,password oracle
Table HR.* ;

Step 5: Start extract

GGSCI (localhost.localdomain as ggs_owner@orcl) 32> start ext3

Sending START request to MANAGER ...
EXTRACT EXT3 starting

Step 6: Run the info all command to check that your Extract is running

GGSCI (localhost.localdomain as ggs_owner@orcl) 33> info all

Program     Status      Group       Lag at Chkpt  Time Since Chkpt

MANAGER     RUNNING                                           
EXTRACT     STOPPED     EXT1        00:00:00      668:35:30   
EXTRACT     RUNNING     EXT2        00:00:00      00:00:00    
EXTRACT     RUNNING     EXT3        00:00:00      00:00:09    

Step 7: Start the static collector process on the target server with the ENCRYPT clause

[oracle@localhost ggate]$ ./server -p 2000 -ENCRYPT AES128 -keyname key2

2018-10-10 03:37:15  INFO    OGG-01888  TCP network is configured as

                  OS DEFAULT          SPECIFIED           ACTUAL VALUE        
         IP_DSCP    0                   N/A                 0                 
          IP_TOS    0                   N/A                 0                 
     TCP_NODELAY    0                   N/A                 0                 
    TCP_QUICKACK    1                   N/A                 1                 
        TCP_CORK    0                   N/A                 0                 
       SO_SNDBUF    8192                N/A                 8192              
       SO_RCVBUF    43690               N/A                 43690.

2. Trail or Extract File Encryption

Step 1: Use the EncryptTrail parameter in the Extract parameter file to encrypt the trail file

extract ext4
userid ggs_owner@orcl , password oracle
EncryptTrail AES128 ,keyname key1
rmthost repserver,mgrport 7809
rmttrail /u02/ggate/dirdat/pq
Table hr.*;

Note: ENCKEYS file must be copied to the target server.

Step 2: Start the extract process

GGSCI (localhost.localdomain as ggs_owner@orcl) 43> start ext4

Sending START request to MANAGER ...
EXTRACT EXT4 starting

Step 3: Edit the Replicat parameter file and add a decrypttrail clause

GGSCI (localhost.localdomain) 8> edit params rep4


replicat rep4
userid ggs_owner@stdorcl,password oracle
decrypttrail AES128 keyname key1
map hr.*, target hr.*;

Step 4: Start the replicat process

GGSCI (localhost.localdomain as ggs_owner@stdorcl) 20> start rep4

Sending START request to MANAGER ...
REPLICAT REP4 starting

Step 5: Check with the info all command

GGSCI (localhost.localdomain as ggs_owner@stdorcl) 21> info all

Program     Status      Group       Lag at Chkpt  Time Since Chkpt

MANAGER     RUNNING                                           
REPLICAT    ABENDED     REP2        00:00:00      23:03:57    
REPLICAT    RUNNING     REP4        00:00:00      00:00:01

3. Password Encryption

Step 1: Encrypt the password using AES128 and key1 from the ENCKEYS file

GGSCI (localhost.localdomain as ggs_owner@orcl) 4> encrypt password oracle AES128 ENCRYPTKEY key1
Encrypted password:  AADAAAAAAAAAAAGAPFEGRBLGYBKDTJMJQHSJPJNAPJUJCAWIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Algorithm used:  AES128


GGSCI (localhost.localdomain as ggs_owner@orcl) 5>

Step 2: Use this encrypted password in your Extract parameter file

extract ext3
rmthost repserver,mgrport 7809,ENCRYPT AES128,KeyName key2
rmttrail /u02/ggate/dirdat/xy
userid ggs_owner@orcl,password AADAAAAAAAAAAAGAPFEGRBLGYBKDTJMJQHSJPJNAPJUJCAWIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA , &
AES128 , ENCRYPTKEY key1
Table HR.* ;

Step 3: Start extract

GGSCI (localhost.localdomain as ggs_owner@orcl) 10> start ext3

Sending START request to MANAGER ...
EXTRACT EXT3 starting

Step 4: Check extract status

GGSCI (localhost.localdomain as ggs_owner@orcl) 12> info ext3 

EXTRACT    EXT3      Last Started 2018-10-31 10:14   Status RUNNING
Checkpoint Lag       00:00:00 (updated 00:00:00 ago)
Process ID           10749
Log Read Checkpoint  Oracle Redo Logs
                     2018-10-31 10:15:08  Seqno 9, RBA 25193472
                     SCN 0.2281607 (2281607)
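
The note in the message-encryption section ties the key length to the AES variant, and all three sections refer to a key in ENCKEYS by name. The following Python check is an added example, not part of the original article or of Oracle GoldenGate: it reads an ENCKEYS file and a parameter file and reports key names missing from ENCKEYS, key lengths that do not match the AES size, and password clauses with no ENCRYPTKEY. The function names, finding labels and sample files are constructed for illustration.

```python
import re
# Parameter-file clauses used on this page that name an AES size and a key.
AES_REF = re.compile(
    r"\b(ENCRYPTTRAIL|DECRYPTTRAIL|ENCRYPT)\s+AES(128|192|256)[\s,]+KEYNAME\s+(\w+)", re.I)
PWD_REF = re.compile(
    r"\bPASSWORD\s+[^\s,]+(?:[\s,]+AES(128|192|256)[\s,]+ENCRYPTKEY\s+(\w+))?", re.I)

def parse_enckeys(text):
    """Map key name -> key length in bits from 'name 0xHEX' lines."""
    pairs = re.findall(r"^\s*(\w+)\s+0x([0-9A-Fa-f]+)\s*$", text, re.M)
    return {name.lower(): len(hexval) * 4 for name, hexval in pairs}

def audit(enckeys_text, param_text):
    """Return (issue, detail) tuples for one Extract/Replicat parameter file."""
    keys, findings = parse_enckeys(enckeys_text), []
    logical = re.sub(r"&[ \t]*\n", " ", param_text)   # join '&' continuation lines
    for line in logical.splitlines():
        if line.lstrip().startswith("--"):            # parameter-file comment
            continue
        refs = [(m.group(2), m.group(3)) for m in AES_REF.finditer(line)]
        for m in PWD_REF.finditer(line):
            if m.group(2):                            # encrypted: AESnnn + ENCRYPTKEY follow
                refs.append((m.group(1), m.group(2)))
            else:                                     # value is stored in clear text
                findings.append(("PLAINTEXT_PASSWORD", "password clause without ENCRYPTKEY"))
        for bits, name in refs:
            have = keys.get(name.lower())             # assumption: names compared case-insensitively
            if have is None:
                findings.append(("KEY_NOT_IN_ENCKEYS", name))
            elif have != int(bits):
                findings.append(("KEY_SIZE_MISMATCH", f"{name}: {have}-bit key used with AES{bits}"))
    return findings

# Constructed sample data (not the keys or files shown on this page).
ENCKEYS = "key1 0x" + "1A" * 16 + "\n\nkey3 0x" + "2B" * 32 + "\n"
BAD = """extract ext3
rmthost repserver,mgrport 7809,ENCRYPT AES128,KeyName key2
userid ggs_owner@orcl,password oracle
EncryptTrail AES128 ,keyname key3
Table HR.* ;
"""
GOOD = """extract ext3
rmthost repserver,mgrport 7809,ENCRYPT AES128,KeyName key1
userid ggs_owner@orcl,password AADAAAAAEXAMPLEONLY , &
AES128 , ENCRYPTKEY key1
Table HR.* ;
"""

if __name__ == "__main__":
    print("\n".join(f"{issue}: {detail}" for issue, detail in audit(ENCKEYS, BAD)))
```

Run it against the ENCKEYS file and each file under dirprm on both source and target, since the same key name and value must exist on both sides.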
