OGG Security Features: Encrypting Database Passwords

Source: Internet
Author: User

Second, encrypt the database password

GoldenGate can encrypt certain database passwords. Roughly three kinds of password can be encrypted:

The password that the GoldenGate Extract, Replicat and other processes use to log in to the database.

For an ASM database, the password GoldenGate needs to log on to the ASM instance.

With GoldenGate DDL replication enabled, if the production side performs an operation such as {CREATE | ALTER} USER <name> IDENTIFIED BY <password>, the DDLOPTIONS DEFAULTUSERPASSWORD parameter on the disaster-recovery side encrypts the password so that it differs from the one on the production side.

The method for encrypting the database password is as follows.

Enter the Goldengate ggsci command line, and then enter the command:

Example 7:

ENCRYPT PASSWORD <password>

GoldenGate uses the default key to generate the encrypted password. You can also specify a key to generate the encrypted password with; to do so, type the command:

Example 8:

ENCRYPT PASSWORD <password> ENCRYPTKEY <keyname>

<keyname> is the name of a user-generated key; the name and the key are stored in the local ENCKEYS file. To use this option you must first generate a key, create an ENCKEYS file locally, and give the key a name, which is the keyname.

Because the ENCRYPTKEY option depends on it, the method for generating encryption keys is described first.

User-defined key: first create a key name of 1 to 24 characters, which cannot contain spaces or quotation marks. The key value is at most 128 bytes and can consist of digits and letters, or be a hexadecimal string with the hexadecimal prefix 0x, for example: 0x420E61BE7002D63560929CCA17A4E1FB.


Generating keys with the KEYGEN utility: on the source side, in the GoldenGate installation directory, type the following command in the shell:

Example 9:

KEYGEN <key length> <n>

This can produce more than one key, where:

<key length>: the length of the generated key; the maximum is 128 bytes.

<n>: the number of keys to generate.

Example 10:

[Oracle@oe5 orcl1]$ ./keygen 128 4

0xa3116324f0c72b3be328e728c6e75725

0x907b7678a7ab561caf2532539a1de72a

0x7ee5894c5d8f817d7b227d7d6e537630

0x6c4f9d201473ac5e481fc82742890536

[Oracle@oe5 orcl1]$

Create an ASCII file named ENCKEYS and store each generated key in it, together with a name by which GoldenGate will refer to that key:

Example 11:

## Encryption keys

## Key name     Key value

Superkey 0xa3116324f0c72b3be328e728c6e75725

Superkey1 0x907b7678a7ab561caf2532539a1de72a

Superkey2 0x7ee5894c5d8f817d7b227d7d6e537630

Superkey3 0x6c4f9d201473ac5e481fc82742890536

Then, use the Goldengate default key to encrypt the database password:

Example 12:

[Oracle@oe5 orcl1]$ ./ggsci

Oracle Goldengate Command Interpreter for Oracle

Version 11.1.1.0.11 Build 001

Linux, x86, 32bit (optimized), Oracle on Dec 6 2010 14:20:28

Copyright (C) 1995, the Oracle and/or its affiliates. All rights reserved.

Ggsci (OE5) 1> ENCRYPT PASSWORD goldengate

No key specified, using default key ...

Encrypted PASSWORD:AACAAAAAAAAAAAKAPATACEHBIGQGCFZCCDIGAEMCQFFBZHVC

-- This is the generated encrypted password

Ggsci (OE5) 2>

Copy the generated encrypted password and paste it into the GoldenGate parameter file as follows.

GoldenGate user password:

Example 13:

USERID <user>, PASSWORD <encrypted_password>, ENCRYPTKEY {DEFAULT | <keyname>}

Ggsci (OE5) 5> edit params Extma

EXTRACT extma

-- USERID GOLDENGATE@ORCL1, PASSWORD goldengate

USERID GOLDENGATE@ORCL1, PASSWORD AACAAAAAAAAAAAKAPATACEHBIGQGCFZCCDIGAEMCQFFBZHVC, ENCRYPTKEY DEFAULT

SETENV (NLS_LANG = "AMERICAN_AMERICA.WE8ISO8859P1")

GETTRUNCATES

REPORTCOUNT EVERY 1 MINUTES, RATE

NUMFILES 50000

DISCARDFILE ./dirrpt/extma.dsc, APPEND, MEGABYTES 50

WARNLONGTRANS 2h, CHECKINTERVAL 3m

EXTTRAIL ./dirdat/ma

DBOPTIONS ALLOWUNUSEDCOLUMN

TRANLOGOPTIONS CONVERTUCS2CLOBS

DYNAMICRESOLUTION

TABLE scott.*;

This way, the plaintext password is not visible when the parameter file is opened. Even if an attacker compromises the GoldenGate user and sees this configuration file, the encrypted password cannot be used to log in to the database, which helps protect the database data.

Password for GoldenGate access to ASM:

Example 14:

TRANLOGOPTIONS ASMUSER SYS@<asm_instance_name>, ASMPASSWORD <encrypted_password>, ENCRYPTKEY {DEFAULT | <keyname>}

Readers can try this themselves; it is not demonstrated here.

CREATE/ALTER USER password:

Example 15:

DDLOPTIONS DEFAULTUSERPASSWORD <encrypted_password>, ENCRYPTKEY {DEFAULT | <keyname>}

Explanation of the terms used in these parameters:

<user> is the database user that the GoldenGate processes use. For ASM, the user must have SYS privileges.

<encrypted_password> is the encrypted password obtained with the ENCRYPT PASSWORD command.

ENCRYPTKEY DEFAULT indicates that the encrypted password was generated with the GoldenGate default key.

ENCRYPTKEY <keyname>: if you specified ENCRYPTKEY <keyname> when running the ENCRYPT PASSWORD command, you must also add this option in the parameter file. It tells GoldenGate that the encrypted password was generated with the user's custom key.
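
The following Python audit is an added example, not part of the original article and not Oracle code. It reads a parameter file and an ENCKEYS file and reports, for each PASSWORD, ASMPASSWORD and DEFAULTUSERPASSWORD option, whether the value is plaintext, encrypted with the default key, or encrypted with a named key, and whether that named key exists in ENCKEYS; comment lines are checked too, because a commented-out old line still exposes the plaintext. The sample file contents are constructed, and single-line options and case-insensitive key-name matching are assumptions.

```python
import re

# Credential options named on this page, with an optional ENCRYPTKEY clause.
CRED = re.compile(
    r"\b(PASSWORD|ASMPASSWORD|DEFAULTUSERPASSWORD)\s+(\S+?)\s*"
    r"(?:,\s*ENCRYPTKEY\s+(\S+))?\s*$", re.IGNORECASE)

def parse_enckeys(text):
    """Parse ENCKEYS text into {KEYNAME: value}; lines starting with # are comments."""
    keys = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) != 2 or len(fields[0]) > 24:
            raise ValueError(f"ENCKEYS line {lineno}: expected '<keyname> <keyvalue>'")
        keys[fields[0].upper()] = fields[1]  # assumption: names compare case-insensitively
    return keys

def audit_params(text, keys):
    """Return (lineno, finding) for each credential line, comment lines included."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        commented = line.startswith("--")
        m = CRED.search(line.lstrip("- "))
        if not m:
            continue
        keyname = m.group(3)
        if keyname is None:
            finding = "plaintext password"
        elif keyname.upper() == "DEFAULT":
            finding = "encrypted, default key"
        elif keyname.upper() in keys:
            finding = "encrypted, named key"
        else:
            finding = f"ENCRYPTKEY {keyname} missing from ENCKEYS"
        findings.append((lineno, finding + (" (in comment)" if commented else "")))
    return findings

# Constructed sample inputs; the key value and passwords are placeholders.
ENCKEYS = "## Key name  Key value\nsuperkey  0x0123456789ABCDEF0123456789ABCDEF\n"
PARAMS = """EXTRACT extma
--USERID gg@ORCL1, PASSWORD plaintextpw
USERID gg@ORCL1, PASSWORD AACAEXAMPLE, ENCRYPTKEY DEFAULT
TRANLOGOPTIONS ASMUSER sys@ASM1, ASMPASSWORD AACAEXAMPLE, ENCRYPTKEY superkey
DDLOPTIONS DEFAULTUSERPASSWORD AACAEXAMPLE, ENCRYPTKEY otherkey
"""
print(*audit_params(PARAMS, parse_enckeys(ENCKEYS)), sep="\n")
```
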
