GoldenGate software is used by many large enterprises for data disaster tolerance. For remote backup and disaster tolerance, much of this data has to be transmitted over leased lines on the public network, and much of it is confidential to the enterprise. To prevent hackers from obtaining confidential data and harming the enterprise's interests, we need to strengthen the security of GoldenGate.
In addition to security measures at the operating system and database level, you can apply security policies at the GoldenGate level. You can encrypt the trail file and database file locally to protect the data extracted by GoldenGate. GoldenGate can also encrypt data in transit over the network. You can define your own keys to encrypt the data so that hackers cannot decrypt it even if they obtain it.
The following describes several methods for protecting GoldenGate and its data.
1. Encrypt the trail file
Encrypting the Extract trail file is very easy: you only need to add the ENCRYPTTRAIL parameter to the Extract parameter file. The Extract process encrypts the trail files generated after the parameter is added. If the trail file on the production end is encrypted, you must add the corresponding DECRYPTTRAIL parameter to the parameter file on the disaster recovery end so that the trail file is decrypted before it is applied to the database.
Use logdump (the tool for viewing GoldenGate trail files) to compare the content of the trail file before and after encryption.
Extract parameter file before encryption:
Example 1:
GGSCI (OE5) 55> view params extma
EXTRACT extma
USERID GoldenGate@orcl1, PASSWORD GoldenGate
SETENV (NLS_LANG = "AMERICAN_AMERICA.WE8ISO8859P1")
GETTRUNCATES
REPORTCOUNT EVERY 1 MINUTES, RATE
NUMFILES 50000
DISCARDFILE ./dirrpt/extma.dsc, APPEND, MEGABYTES 50
WARNLONGTRANS 2h, CHECKINTERVAL 3m
EXTTRAIL ./dirdat/ma
DBOPTIONS ALLOWUNUSEDCOLUMN
TRANLOGOPTIONS CONVERTUCS2CLOBS
DYNAMICRESOLUTION
TABLE scott.*;
The content of the Extract trail file is not encrypted:
Example 2:
Logdump 55> open ./dirdat/ma000001
Current LogTrail is /opt/GoldenGate/orcl1/dirdat/ma000001
Logdump 56> ghdr on
Logdump 57> detail data
Logdump 58> ggstoken detail
Logdump 59> pos 0
Reading forward from RBA 0
Logdump 60> n
Logdump 65> n
___________________________________________________________________
Hdr-Ind    :     E  (x45)     Partition  :     .  (x04)
UndoFlag   :     .  (x00)     BeforeAfter:     A  (x41)
RecLength  :    23  (x0017)   I/O Time   : 00:09:39.000.000
IOType     :     5  (x05)     OrigNode   :   255  (xff)
TransInd   :     .  (x00)     FormatType :     R  (x52)
SyskeyLen  :     0  (x00)     Incomplete :     .  (x00)
AuditRBA   :     2            AuditPos   : 29881732
Continued  :     N  (x00)     RecCount   :     1  (x01)
00:09:39.000.000 Insert Len 23 RBA 1391
Name: SCOTT.TEST
After Image: Partition 4 G b
 0000 0005 0000 0001 3100 0100 0a00 0000 066f 7261 | ........1........ora
 636c 65 | cle
Column 0 (x0000), Len 5 (x0005)
 0000 0001 31 | ....1
Column 1 (x0001), Len 10 (x000a)
 0000 0006 6f72 6163 6c65 | ....oracle    -- the plaintext is clearly readable
GGS tokens:
TokenID x52 'R' ORAROWID Info x00 Length 20
 4141 414d 3058 4141 4541 4141 4147 5741 4141 | AAAM0XAAEAAAAGWAAA
TokenID x4c 'L' LOGCSN Info x00 Length 6
 3438 3937 3831 | 489781
TokenID x36 '6' TRANID Info x00 Length 8
 392e 3130 2e32 3939 | 9.10.299
Then add the ENCRYPTTRAIL parameter to the parameter file to encrypt the trail file:
Example 3:
GGSCI (OE5) 55> view params extma
EXTRACT extma
USERID GoldenGate@orcl1, PASSWORD GoldenGate
SETENV (NLS_LANG = "AMERICAN_AMERICA.WE8ISO8859P1")
GETTRUNCATES
REPORTCOUNT EVERY 1 MINUTES, RATE
NUMFILES 50000
DISCARDFILE ./dirrpt/extma.dsc, APPEND, MEGABYTES 50
WARNLONGTRANS 2h, CHECKINTERVAL 3m
ENCRYPTTRAIL
EXTTRAIL ./dirdat/ma
DBOPTIONS ALLOWUNUSEDCOLUMN
TRANLOGOPTIONS CONVERTUCS2CLOBS
DYNAMICRESOLUTION
TABLE scott.*;
View the encrypted Extract trail file:
Example 4:
Logdump 66> open ./dirdat/ma000002
Current LogTrail is /opt/GoldenGate/orcl1/dirdat/ma000002
Logdump 67> ghdr on
Logdump 68> detail data
Logdump 69> ggstoken detail
Logdump 74> n
___________________________________________________________________
Hdr-Ind    :     E  (x45)     Partition  :     .  (x04)
UndoFlag   :     .  (x00)     BeforeAfter:     A  (x41)
RecLength  :    24  (x0018)   I/O Time   : 00:35:13.000.000
IOType     :     5  (x05)     OrigNode   :   255  (xff)
TransInd   :     .  (x01)     FormatType :     R  (x52)
SyskeyLen  :     0  (x00)     Incomplete :     .  (x00)
AuditRBA   :     2            AuditPos   : 31891236
Continued  :     N  (x00)     RecCount   :     1  (x01)
00:35:13.000.000 Insert Len 24 RBA 1212
Name: SCOTT.TEST
After Image: Partition 4 G m
 5e50 86ba af70 962b cc52 5bf9 a3f7 9760 7eda abd0 | ^P...p.+.R[....`~...    -- the encrypted ciphertext is unreadable
 c092 111e | ....
Bad compressed block, found length of 34490 (x86ba), RBA 1212
GGS tokens:
TokenID x52 'R' ORAROWID Info x00 Length 20
 4141 414d 3058 4141 4541 4141 4147 5741 4130 | AAAM0XAAEAAAAGWAA0
With the trail file encrypted, the Replicat process on the disaster recovery end abends.
The following are the parameters and error messages of the Disaster Recovery Process:
Example 5:
GGSCI (OE5) 3> view params repma
REPLICAT repma
USERID GoldenGate@orcl2, PASSWORD GoldenGate
SETENV (NLS_LANG = "AMERICAN_AMERICA.WE8ISO8859P1")
-- Report at 0:59
REPORTCOUNT EVERY 30 MINUTES, RATE
REPERROR DEFAULT, ABEND
NUMFILES 50000
DBOPTIONS ALLOWUNUSEDCOLUMN
MAXTRANSOPS 1, 500000
GROUPTRANSOPS 10000
CHECKPOINTSECS 40
-- HANDLECOLLISIONS
ASSUMETARGETDEFS
DISCARDFILE ./dirrpt/repma.dsc, APPEND, MEGABYTES 50
GETTRUNCATES
ALLOWNOOPUPDATES
MAP scott.*, TARGET scott.*;
----- Error information -----
Source Context:
SourceModule: [ggstd.conv.endian]
SourceID: [/mnt/ecloud/workspace/Build_FBO_OpenSys_r11.1.1.0.11_001_[41228]/perforce/src/gglib/ggstd/Lenv.c]
SourceFunction: [convCompSQL]
SourceLine: [531]
ThreadBacktrace: [9] elements
: [/opt/GoldenGate/orcl2/replicat(CMessageContext::AddThreadContext()+0x26) [0x82021d6]]
: [/opt/GoldenGate/orcl2/replicat(CMessageFactory::CreateMessage(CSourceContext*, unsigned int, ...)+0x817) [0x81f8887]]
: [/opt/GoldenGate/orcl2/replicat(_MSG_ERR_MAP_COL_INDEX_INVALID(CSourceContext*, DBString<777> const&, int, int, CMessageFactory::MessageDisposition)+0x8b) [0x81d6c4b]]
: [/opt/GoldenGate/orcl2/replicat [0x84aa2bc]]
: [/opt/GoldenGate/orcl2/replicat(ggConvRecLE(char*, File_def*, int, char, char)+0x4d) [0x84aa3bd]]
: [/opt/GoldenGate/orcl2/replicat [0x849dd2d]]
: [/opt/GoldenGate/orcl2/replicat(main+0x1f8b) [0x812670b]]
: [/lib/libc.so.6(__libc_start_main+0xdc) [0x68de8c]]
: [/opt/GoldenGate/orcl2/replicat(__gxx_personality_v0+0x1b5) [0x810a171]]
00:36:37 ERROR OGG-01161 Bad column index (24144) specified for table SCOTT.TEST, max columns = 2.
The error information suggests that because the Extract process encrypted the trail file, the Replicat process cannot recover the actual data, which causes the process to abend.
Add the DECRYPTTRAIL parameter to the parameter file on the disaster recovery end to decrypt the trail file, then check the process status:
Example 6:
GGSCI (OE5) 3> view params repma
REPLICAT repma
USERID GoldenGate@orcl2, PASSWORD GoldenGate
SETENV (NLS_LANG = "AMERICAN_AMERICA.WE8ISO8859P1")
-- Report at 0:59
REPORTCOUNT EVERY 30 MINUTES, RATE
REPERROR DEFAULT, ABEND
DECRYPTTRAIL -- decryption parameter added
NUMFILES 50000
DBOPTIONS ALLOWUNUSEDCOLUMN
MAXTRANSOPS 1, 500000
GROUPTRANSOPS 10000
CHECKPOINTSECS 40
-- HANDLECOLLISIONS
ASSUMETARGETDEFS
DISCARDFILE ./dirrpt/repma.dsc, APPEND, MEGABYTES 50
GETTRUNCATES
ALLOWNOOPUPDATES
MAP scott.*, TARGET scott.*;
GGSCI (OE5) 14> info all
Program     Status      Group       Lag           Time Since Chkpt
MANAGER
REPLICAT    RUNNING     REPMA       00:00:00      00:00:03
After the decryption parameters are added, restart the Replicat process. The Replicat process displays the running status.
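One way to check that ENCRYPTTRAIL took effect is to scan saved logdump output for readable strings, section by section. The script below is an added example, not part of the original article or of GoldenGate; the sample dumps are constructed from Examples 2 and 4 above, and the function names and the 4-character threshold are assumptions. On the Example 4 sample it finds no readable string in the After Image, while the ORAROWID token bytes still print as ASCII.

```python
import re

# Constructed sample input: the record dumps from Examples 2 and 4, cut down
# to the section headers and hex lines that this check reads.
PLAIN_DUMP = """\
After Image:
 0000 0005 0000 0001 3100 0100 0a00 0000 066f 7261 | ........1........ora
 636c 65 | cle
GGS tokens:
TokenID x52 'R' ORAROWID Info x00 Length 20
 4141 414d 3058 4141 4541 4141 4147 5741 4141 | AAAM0XAAEAAAAGWAAA
"""
ENCRYPTED_DUMP = """\
After Image:
 5e50 86ba af70 962b cc52 5bf9 a3f7 9760 7eda abd0 | ^P...p.+.R[....`~...
 c092 111e | ....
GGS tokens:
TokenID x52 'R' ORAROWID Info x00 Length 20
 4141 414d 3058 4141 4541 4141 4147 5741 4130 | AAAM0XAAEAAAAGWAA0
"""

HEX_LINE = re.compile(r"^\s*((?:[0-9a-fA-F]{2,4}\s+)+)\|")  # hex groups, then '|'

def section_bytes(dump):
    """Collect the bytes logdump printed under each section header."""
    sections, current = {}, None
    for line in dump.splitlines():
        if line.startswith(("After Image", "Before Image")):
            current = "image"
        elif line.startswith("GGS tokens"):
            current = "tokens"
        elif line.startswith("Column"):
            current = None  # per-column lines repeat the image bytes
        m = HEX_LINE.match(line)
        if m and current:
            sections.setdefault(current, bytearray()).extend(bytes.fromhex(m.group(1)))
    return sections

def readable_strings(data, min_len=4):
    """Printable ASCII runs of at least min_len bytes, as strings(1) reports."""
    return [s.decode() for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, bytes(data))]

def audit(dump):
    """Map each section of the dump to the readable strings found in it."""
    return {name: readable_strings(b) for name, b in section_bytes(dump).items()}

if __name__ == "__main__":
    print("before ENCRYPTTRAIL:", audit(PLAIN_DUMP))
    print("after ENCRYPTTRAIL: ", audit(ENCRYPTED_DUMP))
```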