This is the recommended approach. Starting from Oracle GoldenGate 12.1.2, Oracle
Wallet is integrated into Oracle GoldenGate to manage encryption keys.
The master key and wallet encryption process includes the following steps:
a. Users have to create a master-key wallet and add a master key to the wallet.
b. Oracle GoldenGate automatically generates a new encryption key and uses it to
encrypt every new trail file. The encryption key is included in the trail header
and is encrypted using the master key.
c. Oracle GoldenGate on the target will decrypt the encryption key with the shared
master key, and then use the encryption key to decrypt the trail file.
GGSCI> sh ls dirwlt
cwallet.sso
The preceding example doesn't specify a master key name. GoldenGate will create
the key under the default name, OGG_DEFAULT_MASTERKEY. You can create a master key
with a specific name as follows:
The example creates a master key named ggcs. You tell Oracle GoldenGate to use the
master key by configuring the MASTERKEYNAME parameter in the GLOBALS file. By
default, Oracle GoldenGate will pick up the latest version.
GLOBALS:
MASTERKEYNAME [VERSION ]
MASTERKEYNAME ggcs
The following example shows how we can check the masterkey details.
GGSCI (ip-172-30-3-169.ec2.internal) 2> open wallet
Opened wallet at location 'dirwlt'.
You can also renew masterkeys to create a new encryption key with a different bit
order.
ENCRYPTTRAIL AES192
ENCRYPTTRAIL
When Extract writes directly to the remote host, the encryption syntax using
REMOTEHOSTOPTIONS is as follows:
The decryption is mostly automatic, which means we don't need to use DECRYPTTRAIL
unless we want to create a decrypted trail file in the pump.
encyptkey1 0x74E8701BD5DFB21F559ECB34594ED437
encyptkey2 0x4E62863FE5C8AA70DA9B4A3D80250C34
encyptkey3 0x9900ED62CC0FEB77D3841D52E28C957D
When we encrypt the trail file, we need to specify the key name along with the
encryption algorithm used.
a. Users need to create the ENCKEYS and copy the file to all of the related Oracle
GoldenGate systems.
b. Oracle GoldenGate uses the defined encryption key to encrypt the trail files.
c. Oracle GoldenGate on the target will decrypt the encryption key.
Oracle GoldenGate provides the keygen utility to generate encryption keys. The
following example creates an AES256 key and a new ENCKEYS file.
> vi ENCKEYS
> more ENCKEYS
keyaes2561 0x75EBF271E0588D443B8B3259200AB23BBF41E92EC5BAF83E6FE3B83153AA6844
We have to copy the ENCKEYS file to every system where the encryption and
decryption are performed.
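Because the ENCKEYS method depends on every host holding the same plaintext key file, a pre-deployment check is useful. The following Python sketch is an added example, not part of the original document or of Oracle's tooling: it lints an ENCKEYS-style file, checks that a key name fits the algorithm given with ENCRYPTTRAIL or DECRYPTTRAIL, and compares source and target copies by fingerprint so key values never leave the host. The function names and sample keys are constructed, and it assumes that `#` starts a comment line and that the key size must equal the algorithm's key size.

```python
import hashlib
import re

# Key sizes (bits) of the ENCRYPTTRAIL algorithms named on this page.
ALGO_BITS = {"AES128": 128, "AES192": 192, "AES256": 256}
ENTRY = re.compile(r"^(\S+)\s+0x([0-9A-Fa-f]+)$")

def parse_enckeys(text):
    """Parse 'keyname 0xHEX' lines; return ({name: hex}, [problems])."""
    keys, problems = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' starts a comment
            continue
        m = ENTRY.match(line)
        if not m:
            problems.append(f"line {n}: expected 'keyname 0xHEX'")
        elif m.group(1) in keys:
            problems.append(f"line {n}: duplicate key name {m.group(1)}")
        elif len(m.group(2)) * 4 not in ALGO_BITS.values():
            problems.append(f"line {n}: {m.group(1)} is {len(m.group(2)) * 4} bits")
        else:
            keys[m.group(1)] = m.group(2).upper()
    return keys, problems

def fingerprint(hex_key):
    """Truncated SHA-256 of the key bytes: comparable across hosts, key stays private."""
    return hashlib.sha256(bytes.fromhex(hex_key)).hexdigest()[:16]

def check_keyname(keys, algo, keyname):
    """Check one 'ENCRYPTTRAIL/DECRYPTTRAIL <algo> KEYNAME <keyname>' pairing."""
    if keyname not in keys:
        return f"{keyname}: not in ENCKEYS"
    bits = len(keys[keyname]) * 4
    if bits != ALGO_BITS[algo.upper()]:  # assumption: key size must equal algorithm size
        return f"{keyname}: {bits}-bit key used with {algo.upper()}"
    return None

def diff_hosts(source_text, target_text):
    """Key names the target cannot use: missing there, or holding a different value."""
    src, _ = parse_enckeys(source_text)
    tgt, _ = parse_enckeys(target_text)
    return sorted(k for k, v in src.items()
                  if k not in tgt or fingerprint(tgt[k]) != fingerprint(v))

# Constructed sample files (not real keys, not values from the page).
SOURCE = "# constructed\nkey128 0x" + "A1" * 16 + "\nkey256 0x" + "B2" * 32 + "\n"
TARGET = "key128 0x" + "A1" * 16 + "\nkey256 0x" + "C3" * 32 + "\nbad 0x1234\n"

if __name__ == "__main__":
    print(parse_enckeys(TARGET)[1])
    print(check_keyname(parse_enckeys(SOURCE)[0], "aes256", "key128"))
    print(diff_hosts(SOURCE, TARGET))
```

Since ENCKEYS stores keys in clear text, run a check like this locally on each host and exchange only the fingerprints or the list of mismatched key names.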
MACRO #exception_handler
BEGIN
, TARGET ggadm.exception_tbl
, COLMAP ( rep_name = "REPGDRDS"
, table_name = @GETENV ("GGHEADER", "TABLENAME")
, errno = @GETENV ("LASTERR", "DBERRNUM")
, dberrmsg = @GETENV ("LASTERR", "DBERRMSG")
, optype = @GETENV ("LASTERR", "OPTYPE")
, errtype = @GETENV ("LASTERR", "ERRTYPE")
, logrba = @GETENV ("GGHEADER", "LOGRBA")
, logposition = @GETENV ("GGHEADER", "LOGPOSITION")
, committimestamp = @GETENV ("GGHEADER", "COMMITTIMESTAMP"))
, INSERTALLRECORDS
, EXCEPTIONSONLY;
END;
reperror(1413, exception)
useridalias ggadmin_tgt
DDLERROR 1918 IGNORE RETRYOP MAXRETRIES 3 RETRYDELAY 10
DDLERROR 1435 IGNORE RETRYOP MAXRETRIES 3 RETRYDELAY 10
dboptions integratedparams(parallelism 2)
decrypttrail aes256 keyname keyaes2561
discardfile ./dirrpt/repgdrds.dsc,append megabytes 50
ddl include all
map awsuser.member, TARGET pdb1.pmdemo.member;