Oracle GoldenGate Security Configuration series: controlling GoldenGate access with the CMDSEC file
Recently, several vendors have been running ggsci commands with full permissions on the History Query Library in the production environment, and GoldenGate synchronization has often failed for no apparent reason. After processes were stopped and restarted by other vendors, the front-end application noticed immediately, and our operations staff were under great pressure.
This weekend I went through the official Oracle GoldenGate documentation and studied how to use GoldenGate security configuration to control which users may run GoldenGate ggsci commands. GoldenGate security configuration will be explored in a series of posts in the near future.
1. Configure the GoldenGate management user on the OS

On how to install and manage GoldenGate, the Oracle GoldenGate Installation and Setup Guide Release 11.2.1, section 1.2.5 "Operating system privileges", says the following are the privileges in the operating system that are required to install Oracle GoldenGate and to run the processes:

■ To install on Windows, the person who installs Oracle GoldenGate must log in as Administrator.
■ To install on UNIX, the person who installs Oracle GoldenGate must have read and write privileges on the Oracle GoldenGate installation directory.
■ The Oracle GoldenGate Extract, Replicat, and Manager processes must operate as an operating system user that has privileges to read, write, and delete files and subdirectories in the Oracle GoldenGate directory. In addition, the Manager process requires privileges to control the other Oracle GoldenGate processes.
■ (Classic capture mode) In classic capture mode, the Extract process reads the redo logs directly and must operate as an operating system user that has read access to the log files, both online and archived. On UNIX systems, that user must be a member of the group that owns the Oracle instance. If you install the Manager process as a Windows service during the installation steps in this documentation, you must install as Administrator for the correct permissions to be assigned. If you cannot install Manager as a service, assign read access to the Extract process manually, and then always run Manager and Extract as Administrator.
■ Dedicate the Extract, Replicat, and Manager operating system users to Oracle GoldenGate. Sensitive information might be available to anyone who runs an Oracle GoldenGate process, depending on how database authentication is configured.

In summary, on UNIX the OGG management user must have read and write permission on /home/oracle/ggs and its subdirectories in order to manage the extract, pump, and mgr processes, and must be a member of the Oracle database instance group.
1. Create an OGG administrator user:

[root@prod ~]# useradd -g oinstall -G dba,role,asmdba ogg
[root@prod ~]# echo -n oracle | passwd --stdin ogg

Configure the OGG user's environment variables:

[root@prod ~]# su - ogg
[ogg@prod ~]$ vi .bash_profile
export TMP=/tmp; export TMPDIR=$TMP
export ORACLE_HOSTNAME=prod.oracle.com
export ORACLE_BASE=/u01/app/oracle
export ORACLE_HOME=$ORACLE_BASE/product/11.2.0/db_1
export ORACLE_UNQNAME=prod
export ORACLE_SID=prod
export ORACLE_TERM=xterm
export PATH=/usr/sbin:$PATH
export PATH=/bin:/OPatch:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/u01/app/11.2.0/grid/bin:/root/bin
export PATH=/home/oracle/ggs:$ORACLE_HOME/bin:$PATH
export LD_LIBRARY_PATH=/home/oracle/ggs:$ORACLE_HOME/lib:/usr/lib
export CLASSPATH=$ORACLE_HOME/JRE:$ORACLE_HOME/jlib:$ORACLE_HOME/rdbms/jlib
export NLS_DATE_FORMAT="yyyy-mm-dd HH24:MI:SS"
# export NLS_LANG=accept
export NLS_LANG=AMERICAN_AMERICA.AL32UTF8
export DISPLAY=192.168.8.100:0.0

GoldenGate is installed under /home/oracle/ggs:

[root@prod ~]# cd /home
[root@prod home]# ls -lt
total 12
drwx------ 3 ogg    oinstall 4096 Mar  3       ogg
drwx------ 8 oracle oinstall 4096 Mar  3       oracle
drwx------ 3 grid   oinstall 4096 Mar  1 20:00 grid
[root@prod home]# su - ogg
[ogg@prod ~]$ cd /home/oracle/ggs
-bash: cd: /home/oracle/ggs: Permission denied

Reason: the ogg user has no permission to access the oracle home directory /home/oracle. Give the group read and execute permission on /home/oracle so that ogg users can access this directory and its subdirectories:

[root@prod home]# chmod g+rx oracle
[root@prod home]# ls -lt
total 12
drwx------ 3 ogg    oinstall 4096 Mar  3 ogg
drwxr-x--- 8 oracle oinstall 4096 Mar  3 oracle
drwx------ 3 grid   oinstall 4096 Mar  1 grid

After the change the directory can be accessed:

[root@prod home]# su - ogg
[ogg@prod ~]$ cd /home/oracle/ggs
[ogg@prod ~]$ ln -s /home/oracle/ggs

Run the ggsci command to test:

[ogg@prod ~]$ cd /home/oracle/ggs
[ogg@prod ggs]$ ggsci

Oracle GoldenGate Command Interpreter for Oracle
Version 11.2.1.0.1 OGGCORE_11.2.1.0.1_PLATFORMS_120423.0230_FBO
Linux, x86, 32bit (optimized), Oracle 11g on Apr 23 2012 08:09:25
Copyright (C) 1995, 2012, Oracle and/or its affiliates. All rights reserved.

GGSCI (prod.oracle.com) 1> info all
Program     Status      Group       Lag at Chkpt  Time Since Chkpt
MANAGER     RUNNING
EXTRACT     RUNNING     ESCOTT      00:00:00
EXTRACT     RUNNING     PSCOTT      00:00:06

GGSCI (prod.oracle.com) 2> stop *
Sending STOP request to EXTRACT ESCOTT ...
Request processed.
Sending STOP request to EXTRACT PSCOTT ...
Request processed.

GGSCI (prod.oracle.com) 6> info all
Program     Status      Group       Lag at Chkpt  Time Since Chkpt
MANAGER     RUNNING
EXTRACT     STOPPED     ESCOTT      00:00:00
EXTRACT     STOPPED     PSCOTT      00:00:00

GGSCI (prod.oracle.com) 7> start *
Sending START request to MANAGER ...
EXTRACT ESCOTT starting
Sending START request to MANAGER ...
EXTRACT PSCOTT starting

GGSCI (prod.oracle.com) 8> info all
Program     Status      Group       Lag at Chkpt  Time Since Chkpt
MANAGER     RUNNING
EXTRACT     RUNNING     ESCOTT      00:01:12
EXTRACT     RUNNING     PSCOTT      00:00:00

GGSCI (prod.oracle.com) 11> stop mgr
Manager process is required by other GGS processes.
Are you sure you want to stop it (y/n)? y
Sending STOP request to MANAGER ...
Request processed.
Manager stopped.

GGSCI (prod.oracle.com) 12> info all
Program     Status      Group       Lag at Chkpt  Time Since Chkpt
MANAGER     STOPPED
EXTRACT     STOPPED     ESCOTT      00:00:00
EXTRACT     STOPPED     PSCOTT      00:00:08

Edit a parameter file:

GGSCI (prod.oracle.com) 9> edit params mgr

The file cannot be edited: only read permission is granted. The ogg user has read-only access to the dirprm directory and its files:

[ogg@prod ggs]$ ls -lt dirprm
total 20
-rwxr-xr-x 1 oracle oinstall 198 Mar  3       einit.prm
-rwxr-xr-x 1 oracle oinstall 153 Mar  3       escott.prm
-rwxr-x--- 1 oracle oinstall  53 Mar  3 15:06 jagent.prm
-rwxr-xr-x 1 oracle oinstall  53 Mar  3 15:06 mgr.prm
-rwxr-xr-x 1 oracle oinstall 168 Mar  3       pscott.prm
[ogg@prod ggs]$ ls -lt | grep dir
drwxrwxr-x 2 oracle oinstall 4096 Mar  3       dirdat
drwxrwxr-x 2 oracle oinstall 4096 Mar  3       dirpcs
drwxrwxr-x 2 oracle oinstall 4096 Mar  3       dirrpt
drwxrwxr-x 2 oracle oinstall 4096 Mar  3       dirtmp
drwxrwxr-x 2 oracle oinstall 4096 Mar  3       (name unreadable in the source)
drwxrwxr-x 2 oracle oinstall 4096 Mar  3       (name unreadable in the source)
drwxrwxr-x 2 oracle oinstall 4096 Mar  3       dirout
drwxrwxr-x 2 oracle oinstall 4096 Mar  3       dirsql
drwxr-x--- 2 oracle oinstall 4096 Mar  3 15:06 dirprm
drwxr-x--- 2 oracle oinstall 4096 Apr 23  2012 dirjar

If the OGG administrator needs to modify parameter files, grant the group write permission on dirprm:

chmod -R g+w /home/oracle/ggs/dirprm
Now the GoldenGate management user has been created.

2. Configure GoldenGate command security

You can establish command security for Oracle GoldenGate commands to control which users have access to which Oracle GoldenGate functions. For example, you can allow certain users to issue INFO and STATUS commands while preventing them from using the START and STOP commands. Security levels are based on the operating system's user groups. To configure a security policy for Oracle GoldenGate commands, create a CMDSEC file in the Oracle GoldenGate directory. Without this file, any user can run all Oracle GoldenGate commands.

Step 1. Create an ASCII text file (for example with UE).

Step 2. Following the syntax and example below, create one or more rules for each command to be restricted, one rule per line. List the rules from the most specific to the least specific. The security rules in the CMDSEC file are processed from top to bottom, and the first rule satisfied determines whether access is allowed or denied. Each rule has the following components, separated by spaces or tabs:

Command Object Group User Access

Where:
Command is the GGSCI command name or a wildcard, such as START, STOP, or *.
Object is any GGSCI command object or a wildcard, such as EXTRACT, REPLICAT, or MANAGER.
Group is the name of a Windows or UNIX user group. On UNIX systems, you can specify the numeric group ID instead of the group name. You can also use a wildcard to specify all groups.
User is the name of a Windows or UNIX user. On UNIX systems, you can specify the numeric user ID instead of the user name. You can also use a wildcard to specify all users.
Access (YES or NO) specifies whether access to the command is granted or denied.

Step 3. Name the ASCII file CMDSEC (in uppercase letters on UNIX systems) and save it in the Oracle GoldenGate home directory.

The following is an example of a correctly configured CMDSEC file on a UNIX system:

# Command Object Group User Access Allowed?
START * oinstall oracle YES
STOP * oinstall ogg NO
INFO * oinstall ogg YES
STATS * oinstall ogg YES
ALTER * oinstall ogg NO
ALTER EXTRACT oinstall ogg NO

Test. First as the oracle user:

[oracle@prod ggs]$ ggsci

Oracle GoldenGate Command Interpreter for Oracle
Version 11.2.1.0.1 OGGCORE_11.2.1.0.1_PLATFORMS_120423.0230_FBO
Linux, x86, 32bit (optimized), Oracle 11g on Apr 23 2012 08:09:25
Copyright (C) 1995, 2012, Oracle and/or its affiliates. All rights reserved.

GGSCI (prod.oracle.com) 1> info all
Program     Status      Group       Lag at Chkpt  Time Since Chkpt
MANAGER     RUNNING
EXTRACT     STOPPED     ESCOTT      00:00:00      00:00:06
EXTRACT     STOPPED     PSCOTT      00:00:00

According to the CMDSEC configuration above, the ogg user can start an extract but cannot stop it:

[ogg@prod ggs]$ ggsci

Oracle GoldenGate Command Interpreter for Oracle
Version 11.2.1.0.1 OGGCORE_11.2.1.0.1_PLATFORMS_120423.0230_FBO
Linux, x86, 32bit (optimized), Oracle 11g on Apr 23 2012 08:09:25
Copyright (C) 1995, 2012, Oracle and/or its affiliates. All rights reserved.

GGSCI (prod.oracle.com) 1> info all
Program     Status      Group       Lag at Chkpt  Time Since Chkpt
MANAGER     RUNNING
EXTRACT     STOPPED     ESCOTT      00:00:00
EXTRACT     STOPPED     PSCOTT      00:01:19

GGSCI (prod.oracle.com) 2> start ESCOTT
Sending START request to MANAGER ...
EXTRACT ESCOTT starting

GGSCI (prod.oracle.com) 3> info all
Program     Status      Group       Lag at Chkpt  Time Since Chkpt
MANAGER     RUNNING
EXTRACT     RUNNING     ESCOTT      00:00:00
EXTRACT     STOPPED     PSCOTT      00:01:53

--- ogg can start the escott process normally. Now try to stop it:

GGSCI (prod.oracle.com) 4> stop escott
ERROR: Command not authorized for this user.

--- The ogg user cannot stop the escott process; the test is successful.
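As an added example (not part of the original post, and not Oracle's code), the following evaluator applies CMDSEC rules the way the post describes them, first match wins, and also flags rules that can never be reached. The default of allowing a request that matches no rule is an assumption drawn from the test above, where ogg could START ESCOTT although no START rule names ogg; a final rule such as `* * * * NO` removes any dependence on that default.

```python
from dataclasses import dataclass, astuple

@dataclass(frozen=True)
class Rule:  # one CMDSEC line: command object group user YES|NO
    command: str
    obj: str
    group: str
    user: str
    allowed: bool

def parse_cmdsec(text: str) -> list:
    """Parse CMDSEC text: '#' starts a comment, five fields per rule."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 5 or parts[4].upper() not in ("YES", "NO"):
            raise ValueError(f"CMDSEC line {lineno}: malformed rule {raw!r}")
        cmd, obj, grp, usr, acc = parts
        # GGSCI names are case-insensitive; OS user/group names are compared as written.
        rules.append(Rule(cmd.upper(), obj.upper(), grp, usr, acc.upper() == "YES"))
    return rules

def is_allowed(rules, command, obj, group, user) -> bool:
    """First matching rule decides; no match falls through to allow (assumed default)."""
    request = (command.upper(), obj.upper(), group, user)
    for r in rules:
        if all(p == "*" or p == v for p, v in zip(astuple(r)[:4], request)):
            return r.allowed
    return True

def shadowed_rules(rules) -> list:
    """Indexes of rules that an earlier, broader rule always matches first."""
    def covers(a, b):
        return all(x == "*" or x == y for x, y in zip(astuple(a)[:4], astuple(b)[:4]))
    return [j for j, r in enumerate(rules) if any(covers(rules[i], r) for i in range(j))]

# The post's example file; the object of 'stop escott' is its process type, EXTRACT.
CMDSEC = """# Command Object Group User Access Allowed?
START  *       oinstall oracle YES
STOP   *       oinstall ogg    NO
INFO   *       oinstall ogg    YES
STATS  *       oinstall ogg    YES
ALTER  *       oinstall ogg    NO
ALTER  EXTRACT oinstall ogg    NO
"""
RULES = parse_cmdsec(CMDSEC)
```

Running `shadowed_rules(RULES)` shows that the post's last line, ALTER EXTRACT, can never fire because the ALTER * line before it already covers it. Since GGSCI reads CMDSEC from the GoldenGate home, the file must stay writable only by the administrator (here ogg has just group r-x on /home/oracle), or a restricted user could rewrite the rules.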
Source: http://blog.csdn.net/xiangsir/article/details/8631948