Trail File Encryption - Using ENCKEYS

The method below encrypts the trail file using ENCKEYS.

We will use ENCKEYS to encrypt the trail file generated by EXTRACT and then decrypt the trail file that is read by REPLICAT.

Below are some notes for this method

=> To encrypt trail data:
In the parameter file of the primary Extract group and the data pump, add an ENCRYPTTRAIL parameter with the KEYNAME option before any parameter that specifies a trail or file that you want to be encrypted.
=> To Decrypt trail data:
Data that is encrypted in the trail remains encrypted unless the DECRYPTTRAIL parameter is used. DECRYPTTRAIL is required by Replicat before it can apply encrypted data to the target.
-----
=> To encrypt data across TCP/IP:
In the RMTHOSTOPTIONS (valid for Passive Extract) parameter in the parameter file of the data pump (or the primary Extract, if no pump is being used), add the ENCRYPT option with the KEYWORD clause.
=> To Decrypt data across TCP/IP:
Data that is encrypted over TCP/IP connections is decrypted automatically at the destination before it is written to a trail, unless trail encryption also is specified.

=> A data pump passes encrypted data untouched to the output trail, unless the DECRYPTTRAIL and ENCRYPTTRAIL parameters are used.


Steps involved in this practice are as below

Step 1=> Generate a random key using the keygen utility (from the GoldenGate home)

[oracle@HOST12C2020 gg_home]$ ./keygen 256 1

0xF8C635491B1E002B5EEF4A095881C05674A42E4B7372487AFD5C4F2F501BC007 

Step 2=> Copy this key into the ENCKEYS file on the source and then on the target as below (in the GoldenGate home)

--ON Source

[oracle@HOST12C2020 gg_home]$ cat ENCKEYS
# KeyName       KeyValue
# Key for Trail file Encryption
fil1    0xF8C635491B1E002B5EEF4A095881C05674A42E4B7372487AFD5C4F2F501BC007
[oracle@HOST12C2020 gg_home]$

--ON Target

[oracle@HOST12C2021 gg_home]$ cat ENCKEYS
# Key for Trail file Encryption
fil1    0xF8C635491B1E002B5EEF4A095881C05674A42E4B7372487AFD5C4F2F501BC007
[oracle@HOST12C2021 gg_home]$

Step 3=> Edit the EXTRACT parameter file as below on the source

GGSCI (HOST12C2020) 3> view params EXT1
EXTRACT ext1
USERID ggsource@NCDB password AADAAAAAAAAAAAIARIHASGODKDZFIAZISDJDGBNIOHZADDHFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AES128 ENCRYPTKEY ggkey
--USERID ggsource@NCDB password ggsource
--USERIDALIAS ggncdb
--Encrypt Trail file on SOURCE
ENCRYPTTRAIL AES256 KEYNAME fil1
EXTTRAIL /u01/app/oracle/gg_home/dirdat/tt
TRANLOGOPTIONS EXCLUDEUSER ggsource
TABLE dbsource.*;

Step 4=> Edit the REPLICAT parameter file as below on the target

GGSCI (HOST12C2021) 3> view params REP1
REPLICAT rep1
ASSUMETARGETDEFS
USERID ggtarget@TCDB  PASSWORD ggtarget
--Decrypt Trail on target
DECRYPTTRAIL AES256 KEYNAME fil1
MAP dbsource.*, TARGET dbtarget.*;

Step 5=> Start EXTRACT and then REPLICAT

GGSCI (HOST12C2020) 2> info all

Program     Status      Group       Lag at Chkpt  Time Since Chkpt

MANAGER     RUNNING
EXTRACT     RUNNING     DPUMP1      00:00:00      00:25:04
EXTRACT     RUNNING     EXT1        00:00:00      00:00:02

GGSCI (HOST12C2021) 2> info all

Program     Status      Group       Lag at Chkpt  Time Since Chkpt

MANAGER     RUNNING
REPLICAT    RUNNING     REP1        00:00:00      00:00:09

Step 6=> Check the ggserr.log file for more information

ON SOURCE
 
[oracle@HOST12C2020 gg_home]$ cat ggserr.log |grep -i aes
2020-05-24T16:41:06.751+0530  INFO    OGG-00987  Oracle GoldenGate Command Interpreter for Oracle:  GGSCI command (oracle): dblogin userid ggsource password *** AES128 ggkey.
2020-05-24T16:41:36.626+0530  INFO    OGG-00987  Oracle GoldenGate Command Interpreter for Oracle:  GGSCI command (oracle): dblogin userid ggsource password *** AES128 ENCRYPTKEY ggkey.
2020-05-30T22:30:29.546+0530  INFO    OGG-05519  Oracle GoldenGate Capture for Oracle, ext1.prm:  Output trail file encryption: AES256.
2020-05-30T22:32:17.836+0530  INFO    OGG-05520  Oracle GoldenGate Capture for Oracle, dpump1.prm:  Input trail file encryption: AES256.
2020-05-30T22:32:17.918+0530  INFO    OGG-05519  Oracle GoldenGate Capture for Oracle, dpump1.prm:  Output trail file encryption: AES256.
2020-05-30T22:48:08.911+0530  INFO    OGG-05519  Oracle GoldenGate Capture for Oracle, ext1.prm:  Output trail file encryption: AES256.
2020-05-30T23:40:35.788+0530  INFO    OGG-05519  Oracle GoldenGate Capture for Oracle, ext1.prm:  Output trail file encryption: AES256.
[oracle@HOST12C2020 gg_home]$

ON TARGET

[oracle@HOST12C2021 gg_home]$ cat ggserr.log  |grep -i aes
2020-05-30T22:35:38.036+0530  INFO    OGG-05520  Oracle GoldenGate Delivery for Oracle, rep1.prm:  Input trail file encryption: AES256.
2020-05-30T22:49:48.114+0530  INFO    OGG-05520  Oracle GoldenGate Delivery for Oracle, rep1.prm:  Input trail file encryption: AES256.
2020-05-30T23:40:45.312+0530  INFO    OGG-05520  Oracle GoldenGate Delivery for Oracle, rep1.prm:  Input trail file encryption: AES256.
[oracle@HOST12C2021 gg_home]$
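
Steps 2 to 4 only work if the KEYNAME in each parameter file resolves to the same key in ENCKEYS on both hosts. The script below is an added example, not part of the original post or of GoldenGate, that checks this before the processes are started. The function names, the rule that a key must be at least as long as the AES size on the line, and the use of sha256sum are assumptions of this example, and the key in the demo is constructed.

```sh
# Added example, not from the original post. Function names are hypothetical.

# enckeys_value FILE KEYNAME: print the key value; status 1 if the name is absent.
enckeys_value() {
  awk -v k="$2" '$1 == k { print $2; found = 1; exit } END { exit !found }' "$1"
}

# key_fingerprint FILE KEYNAME: truncated SHA-256 of the key value, so the
# source and target copies can be compared without displaying the key.
key_fingerprint() {
  v=$(enckeys_value "$1" "$2") || return 1
  printf '%s' "$v" | sha256sum | cut -c1-16
}

# check_params PRMFILE ENCKEYS: status 1 if an active ENCRYPTTRAIL or
# DECRYPTTRAIL line names a key that is missing from ENCKEYS, is not 0x hex,
# or (this example's own policy) is shorter than the AES size on the line.
check_params() {
  awk -v ek="$2" '
    FILENAME == ek {                              # first file: load ENCKEYS
      if ($1 !~ /^#/ && NF >= 2) key[$1] = $2
      next
    }
    toupper($1) ~ /^(ENCRYPT|DECRYPT)TRAIL$/ {    # "--" comment lines never match
      name = ""
      for (i = 2; i < NF; i++) if (toupper($i) == "KEYNAME") name = $(i + 1)
      if (name == "") next                        # line does not use ENCKEYS
      need = substr($2, 4) + 0                    # AES256 -> 256
      if (!(name in key)) { print FILENAME ": KEYNAME " name " not in ENCKEYS"; bad = 1; next }
      if (key[name] !~ /^0x[0-9A-Fa-f]+$/) { print FILENAME ": key " name " is not 0x hex"; bad = 1; next }
      if ((length(key[name]) - 2) * 4 < need) { print FILENAME ": key " name " shorter than " need " bits"; bad = 1 }
    }
    END { exit bad + 0 }
  ' "$2" "$1"
}

# Demo on constructed files (the all-zero key is made up for this example).
demo() {
  d=$(mktemp -d) || return 1
  printf '# constructed\nfil1 0x%064d\n' 0 > "$d/ENCKEYS"
  printf 'EXTRACT ext1\nENCRYPTTRAIL AES256 KEYNAME fil1\n' > "$d/ext1.prm"
  check_params "$d/ext1.prm" "$d/ENCKEYS" && key_fingerprint "$d/ENCKEYS" fil1
  rc=$?; rm -rf "$d"; return $rc
}
demo
```

Run key_fingerprint on the source and on the target and compare the two short hashes; a mismatch means the ENCKEYS copies differ.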