OGG security features: encrypting database passwords

Source: Internet
Author: User

II. Encrypting Database Passwords

GoldenGate can encrypt the database passwords it stores. Roughly three kinds of password can be encrypted:

The password that GoldenGate Extract, Replicat, and other processes use to log on to the database.

The password that GoldenGate uses to log on to the ASM instance.

The password set by DDL: when DDL is enabled in GoldenGate and the production end runs a statement such as {CREATE | ALTER} USER <name> IDENTIFIED BY <password>, the disaster recovery end uses the DDLOPTIONS DEFAULTUSERPASSWORD parameter to encrypt the password, making it different from the one at the production end.

The following describes how to encrypt a database password.


Go to the GoldenGate GGSCI command line and enter the command:

Example 7:

ENCRYPT PASSWORD <password>

GoldenGate then uses its default key to generate the encrypted password. You can also name a key of your own to generate the encrypted password, with the following command:

Example 8:

ENCRYPT PASSWORD <password> ENCRYPTKEY <keyname>

<keyname> is the name of a key generated by the user. The name and the key are stored in the local ENCKEYS file. To use this option, you must generate a key, create an ENCKEYS file locally, and give the key a name, that is, the keyname.

Because ENCRYPTKEY depends on such a key, the method for generating encryption keys is described first.

Custom key: first choose a keyname of 1 to 24 characters that contains no spaces or quotation marks. The key value can be at most 128 bytes and can consist of digits and letters, or be a hexadecimal string with the hexadecimal prefix 0x, for example 0x420E61BE7002D63560929CCA17A4E1FB.


Generate the key with the KEYGEN utility: change to the GoldenGate installation directory and run this command in the shell:

Example 9:

KEYGEN <key length> <n>

One run can produce several keys. The arguments are:

<key length>: the length of the generated encryption key, up to 128 bytes.

<n>: the number of keys to generate.

Example 10:

[oracle@OE5 orcl1]$ ./keygen 128 4
0xA3116324F0C72B3BE328E728C6E75725
0x907B7678A7AB561CAF2532539A1DE72A
0x7EE5894C5D8F817D7B227D7D6E537630
0x6C4F9D201473AC5E481FC82742890536
[oracle@OE5 orcl1]$


Create an ASCII file named ENCKEYS, give each generated key a name, and save the names and keys in this file for GoldenGate to use:

Example 11:

# Encryption keys
# Key name    Key value
Superkey      0xA3116324F0C72B3BE328E728C6E75725
Superkey1     0x907B7678A7AB561CAF2532539A1DE72A
Superkey2     0x7EE5894C5D8F817D7B227D7D6E537630
Superkey3     0x6C4F9D201473AC5E481FC82742890536
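
An added example, not part of the original article or of GoldenGate: a Python check of an ENCKEYS file against the naming rule given above (1 to 24 characters, no spaces or quotation marks), which also reports malformed 0x values, duplicate names and a file that users other than the owner can access. The whole-byte hex rule, the duplicate and permission checks, the function names and the sample content are assumptions of this example.

```python
import os
import re
import stat

NAME_RE = re.compile(r"^[^\s'\"]{1,24}$")            # 1-24 chars, no spaces or quotes
HEX_RE = re.compile(r"^0[xX](?:[0-9A-Fa-f]{2})+$")   # 0x followed by whole bytes

# Constructed sample; the key values are placeholders, not real keys.
SAMPLE = """\
# Encryption keys
# Key name   Key value
superkey     0x00112233445566778899AABBCCDDEEFF
superkey     0xFFEEDDCCBBAA99887766554433221100
"bad"        0x0011
oddhex       0x123
a_key_name_longer_than_24_chars 0x00
"""

def parse_enckeys(text):
    """Return ({name: value}, [problems]); problems never echo a key value."""
    keys, seen, problems = {}, set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2:
            problems.append(f"line {lineno}: expected '<keyname> <keyvalue>'")
            continue
        name, value = parts
        errs = []
        if not NAME_RE.match(name):
            errs.append("key name must be 1-24 characters without quotes")
        if name in seen:
            errs.append("duplicate key name")
        if value[:2].lower() == "0x" and not HEX_RE.match(value):
            errs.append("malformed hex key value")
        seen.add(name)
        problems += [f"line {lineno}: {e}" for e in errs]
        if not errs:
            keys[name] = value
    return keys, problems

def permission_problems(path):
    """Flag an ENCKEYS file that group or other users can access (added check)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{path}: mode {mode:o} is accessible beyond the owner"]
    return []
```
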


Then, use the default GoldenGate KEY to encrypt the database password:

Example 12:

[oracle@OE5 orcl1]$ ./ggsci

Oracle GoldenGate Command Interpreter for Oracle
Version 11.1.1.0.11 Build 001
Linux, x86, 32bit (optimized), Oracle 10 on Dec 6 2010 14:20:28

Copyright (C) 1995, 2010, Oracle and/or its affiliates. All rights reserved.

GGSCI (OE5) 1> encrypt password GoldenGate
No key specified, using default key...

Encrypted password: AACAAAAAAAAAAAKAPATACEHBIGQGCFZCCDIGAEMCQFFBZHVC
-- This is the generated encrypted password.

GGSCI (OE5) 2>

Copy the generated encrypted password and paste it into the GoldenGate parameter file, as follows.


GoldenGate user password:

Example 13:

USERID <user>, PASSWORD <encrypted_password>, &
ENCRYPTKEY {DEFAULT | <keyname>}

GGSCI (OE5) 5> edit params extma

EXTRACT extma
-- USERID GoldenGate@orcl1, PASSWORD GoldenGate
USERID GoldenGate@orcl1, PASSWORD AACAAAAAAAAAAAKAPATACEHBIGQGCFZCCDIGAEMCQFFBZHVC, ENCRYPTKEY DEFAULT
SETENV (NLS_LANG = "AMERICAN_AMERICA.WE8ISO8859P1")
GETTRUNCATES
REPORTCOUNT EVERY 1 MINUTES, RATE
NUMFILES 50000
DISCARDFILE ./dirrpt/extma.dsc, APPEND, MEGABYTES 50
WARNLONGTRANS 2h, CHECKINTERVAL 3m
EXTTRAIL ./dirdat/ma
DBOPTIONS ALLOWUNUSEDCOLUMN
TRANLOGOPTIONS CONVERTUCS2CLOBS
DYNAMICRESOLUTION
TABLE scott.*;

This way, the clear-text password is not visible when the parameter file is opened. Even if an attacker compromises the GoldenGate user and reads the configuration file, the encrypted password cannot be used to log on to the database. This protects the data in the database.


ASM GoldenGate user access password:

Example 14:

TRANLOGOPTIONS ASMUSER SYS@<ASM_instance_name>, ASMPASSWORD <encrypted_password>, ENCRYPTKEY {DEFAULT | <keyname>}

You can test this yourself.


CREATE/ALTER USER password:

Example 15:

DDLOPTIONS DEFAULTUSERPASSWORD <encrypted_password>, ENCRYPTKEY {DEFAULT | <keyname>}


Explanation of the terms used in the parameters:

<user> is the database user that the GoldenGate process logs on as. For ASM, the user must have the SYS permission.

<encrypted_password> is the encrypted password obtained by running the ENCRYPT PASSWORD command.

ENCRYPTKEY DEFAULT indicates that the encrypted password was generated with GoldenGate's default key.

ENCRYPTKEY <keyname> must be added to the parameter file if the ENCRYPTKEY <keyname> option was used with the ENCRYPT PASSWORD command. It tells GoldenGate that the encrypted password was generated with the custom key.
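
An added example, not from the original article or from Oracle: a Python audit of parameter-file text that reports, for each of the three password clauses described above, whether the password is in clear text, encrypted with the default key, or encrypted with a named key, and whether that key name is known; a commented-out line that still carries a clear-text password, like the comment in Example 13, is reported as well. The function names, status labels and sample text are assumptions of this example.

```python
import re

CRED_RE = re.compile(r"\b(PASSWORD|ASMPASSWORD|DEFAULTUSERPASSWORD)\s+[^\s,]+", re.I)
KEY_RE = re.compile(r"\bENCRYPTKEY\s+([^\s,]+)", re.I)

# Constructed sample: clauses of the three kinds gathered in one text; the
# user names, passwords and ciphertext strings are placeholders.
SAMPLE = """\
EXTRACT extma
-- USERID ggadmin@orcl1, PASSWORD ExamplePlain1
USERID ggadmin@orcl1, PASSWORD PLACEHOLDERCIPHERTEXTA, &
ENCRYPTKEY DEFAULT
TRANLOGOPTIONS ASMUSER sys@asm1, ASMPASSWORD PLACEHOLDERCIPHERTEXTB, ENCRYPTKEY superkey
DDLOPTIONS DEFAULTUSERPASSWORD PLACEHOLDERCIPHERTEXTC, ENCRYPTKEY oldkey
TABLE scott.*;
"""

def statements(text):
    """Yield (lineno, is_comment, statement); '&' continuation lines are joined."""
    buf, start = "", None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("--"):
            yield lineno, True, line[2:].strip()
        elif line.endswith("&"):
            buf, start = buf + line[:-1] + " ", start or lineno
        elif line:
            yield start or lineno, False, buf + line
            buf, start = "", None

def audit_params(text, known_keys=()):
    """Return [(lineno, parameter, status)]; password values are never returned."""
    findings = []
    for lineno, is_comment, stmt in statements(text):
        cred = CRED_RE.search(stmt)
        if not cred:
            continue
        key = KEY_RE.search(stmt)
        if key is None:          # no ENCRYPTKEY clause: the value is clear text
            status = "plaintext-in-comment" if is_comment else "plaintext"
        elif key.group(1).upper() == "DEFAULT":
            status = "default-key"
        elif key.group(1) in known_keys:
            status = "named-key"
        else:                    # key name not among the ENCKEYS names supplied
            status = "unknown-key"
        findings.append((lineno, cred.group(1).upper(), status))
    return findings
```

Pass the key names from the local ENCKEYS file as known_keys. A comment that merely contains the word "password" followed by another word is also reported and needs a manual look.
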

