GoldenGate
About Storing Oracle GoldenGate Secrets in Keystores
You can use the keystore to store secret keys for tools and external clients such as Oracle GoldenGate. The secret key must be a string adhering to Oracle identifier rules. You can add, update, or delete a client secret in an existing keystore. This section describes how to capture Transparent Data Encryption encrypted data in the Oracle GoldenGate Extract (Extract) process using classic capture mode.
TDE support when Extract is in classic capture mode requires the exchange of the following keys:
■ TDE support for Oracle GoldenGate in the classic capture mode of the Extract
process requires that an Oracle database and the Extract process share the secret to encrypt sensitive information being exchanged. The shared secret is stored
securely in the Oracle database and Oracle GoldenGate domains. The shared secret is stored in the software keystore or the HSM as the database secret.
■ The decryption key is a password known as the shared secret that is stored
securely in the Oracle database and Oracle GoldenGate domains. Only a party that has possession of the shared secret can decrypt the table and redo log keys.
After you configure the shared secret, Oracle GoldenGate Extract uses the shared secret to decrypt the data. Oracle GoldenGate Extract does not handle the master encryption key itself, nor is it aware of the keystore password. The master encryption key and password remain within the Oracle database configuration.
Oracle GoldenGate Extract only writes the decrypted data to the Oracle GoldenGate trail file, which Oracle GoldenGate persists during transit. You can protect this file using your site's operating system standard security protocols, as well as the Oracle GoldenGate AES encryption options. Oracle GoldenGate does not write the encrypted data to a discard file (specified with the DISCARDFILE parameter). The word ENCRYPTED will be written to any discard file that is in use.
Oracle GoldenGate does require that the keystore be open when processing encrypted data. There is no performance effect of Oracle GoldenGate feature on the TDE
operations.
Requirements for Capturing TDE in Oracle GoldenGate Extract Classic Capture Mode
Ensure that you meet the following requirements for Oracle GoldenGate Extract to support Transparent Data Encryption capture:
■ To maintain high security standards, ensure that the Oracle GoldenGate Extract
process runs as part of the Oracle user (the user that runs the Oracle database). That way, the keys are protected in memory by the same privileges as the Oracle user.
■ Run the Oracle GoldenGate Extract process on the same computer as the Oracle
database installation.
Configuring Transparent Data Encryption Keystore Support for Oracle GoldenGate
This section contains the following topics:
■ Step 1: Decide on a Shared Secret for the Keystore
Storing Oracle GoldenGate Secrets in a Keystore
■ Step 3: Store the TDE GoldenGate Shared Secret in the Keystore
■ Step 4: Set the TDE Oracle GoldenGate Shared Secret in the Extract Process
Step 1: Decide on a Shared Secret for the Keystore
Decide on a shared secret (that is, a password) that meets or exceeds Oracle Database password standards. Do not share this password with any user other than trusted administrators who are responsible for configuring Transparent Data Encryption to work with Oracle GoldenGate Extract.
Step 2: Configure Oracle Database for TDE Support for Oracle GoldenGate
1. Log in to the database instance as user SYS with the SYSDBA administrative privilege.
For example
sqlplus sys as sysdba Enter password: password Connected.
2. In a multitenant environment, connect to the appropriate PDB. For example:
CONNECT SYS@hrpdb AS SYSDBA Enter password: password
To find the available PDBs, query the DBA_PDBS data dictionary view. To check the current PDB, run the show con_name command.
3. Load the Oracle Database-supplied DBMS_INTERNAL_CLKM PL/SQL package. For example:
@?/app/oracle/product/12.1/rdbms/admin/prvtclkm.plb
The prvtclkm.plb file also enables Oracle GoldenGate to extract encrypted data from an Oracle database.
4. Grant the EXECUTE privilege on the DBMS_INTERNAL_CLKM PL/SQL package to the Oracle GoldenGate Extract database user.
For example:
GRANT EXECUTE ON DBMS_INTERNAL_CLKM TO psmith;
This procedure enables the Oracle database and Oracle GoldenGate Extract to exchange information.
5. Exit SQL*Plus.
Step 3: Store the TDE GoldenGate Shared Secret in the Keystore
1. Ensure that you have configured the TDE software or hardware keystore. See the following sections for more information:
■ "Configuring a Software Keystore" on page 3-1 ■ "Configuring a Hardware Keystore" on page 3-8
See Also: Oracle Database Security Guide for guidelines on creating
Storing Oracle GoldenGate Secrets in a Keystore
2. Set the Oracle GoldenGate-Transparent Data Encryption key in the keystore. The syntax is as follows:
ADMINISTER KEY MANAGEMENT ADD|UPDATE|DELETE SECRET 'secret' FOR CLIENT 'secret_identifier' [USING TAG 'tag']
IDENTIFIED BY keystore_password [WITH BACKUP [USING 'backup_identifier']]; In this specification:
■ secret is the client secret key to be stored, updated, or deleted. Enclose this setting in single quotation marks (' ').
■ secret_identifier is an alphanumeric string used to identify the secret key.
secret_identifier does not have a default value. Enclose this setting in single quotation marks (' ').
■ tag is an optional, user-defined description for the secret key to be stored. tag can be used with the ADD and UPDATE operations. Enclose this setting in single quotation marks (' '). This tag appears in the SECRET_TAG column of the V$CLIENT_SECRET view. See "Creating Custom Master Encryption Key Attributes for Reporting Purposes" on page 4-22 for more information about tags.
■ keystore_password is the password for the keystore that is configured.
■ WITH BACKUP is required in case the keystore was not backed up before the ADD,
UPDATE or DELETE operation. backup_identifier is an optional user-defined description for the backup. Enclose backup_identifier in single quotation marks (' ').
The following example adds a secret key to the keystore and creates a backup in the same directory as the keystore:
ADMINISTER KEY MANAGEMENT ADD SECRET 'some_secret' FOR CLIENT 'ORACLE_GG' USING TAG 'GoldenGate Secret' IDENTIFIED BY password WITH BACKUP USING 'GG backup';
3. Verify the entry that you just created. For example:
SELECT CLIENT, SECRET_TAG FROM V$CLIENT_SECRETS WHERE CLIENT = 'ORACLEGG'; CLIENT SECRET_TAG
--- --- ORACLEGG some_secret
4. Switch the log files. CONNECT / AS SYSDBA
ALTER SYSTEM SWITCH LOGFILE;
See Oracle Database Administrator's Guide for more information about switching log files.
See Also: "Using Transparent Data Encryption with Oracle Real Application Clusters" on page 6-4 if you are having problems using this procedure in an Oracle RAC environment
Storing Oracle GoldenGate Secrets in a Keystore
Step 4: Set the TDE Oracle GoldenGate Shared Secret in the Extract Process
1. Start the GoldenGate Software Command Interface (GGSCI) utility. For example:
ggsci
2. In the GGSCI utility, run the ENCRYPT PASSWORD command to encrypt the shared secret so that it is obfuscated within the Oracle GoldenGate Extract parameter file. ENCRYPT PASSWORD shared_secret algorithm ENCRYPTKEY keyname
In this specification:
■ shared_secret is the clear-text shared secret that you created in "Step 1: Decide on a Shared Secret for the Keystore" on page 4-38. This setting is case sensitive.
■ algorithm is one of the following values to specify AES encryption:
– AES128
– AES192
– AES256
■ keyname is the logical name of the encryption key in the ENCKEYS lookup file. Oracle GoldenGate uses this name to look up the actual key in the ENCKEYS file.
For example:
ENCRYPT PASSWORD password AES256 ENCRYPTKEY mykey1
3. In the Oracle GoldenGate Extract parameter file, set the DBOPTIONS parameter with the DECRYPTPASSWORD option.
As input, supply the encrypted shared secret and the Oracle GoldenGate-generated or user-defined decryption key.
DBOPTIONS DECRYPTPASSWORD shared_secret algorithm ENCRYPTKEY keyname In this specification:
■ shared_secret is the clear-text shared secret that you created in "Step 1: Decide on a Shared Secret for the Keystore" on page 4-38. This setting is case sensitive.
■ algorithm is one of the following values to specify AES encryption:
– AES128
– AES192
– AES256
■ keyname is the logical name of the encryption key in the ENCKEYS lookup file. For example:
DBOPTIONS DECRYPTPASSWORD AACAAAAAAAAAAAIALCKDZIRHOJBHOJUH AES256 ENCRYPTKEY mykey1
5
5