
Oracle GoldenGate series 16: configuring GoldenGate security, explanation and examples

The database user that GoldenGate runs as carries broad privileges, and every GoldenGate process parameter file has to contain that user and its password for the database login. For security, the password should be stored encrypted rather than in clear text.

The official documentation describes three security mechanisms (only the first of them is encryption):

1. Encryption

Options are available for encrypting and decrypting:

(1) data in an extract file or trail

(2) database passwords

(3) data sent across TCP/IP

-- That is, trail files, the database password and the data on the network link can each be encrypted.

2. Command security:

Sets user-level permissions for accessing Oracle GoldenGate commands through GGSCI.

3. Connection security

Allows connections to be established from the target system instead of the source system. For use when the target resides within a trusted network zone behind an internal firewall.

This post only covers encryption; see the official documentation for the other two mechanisms.

1. Using encryption

This section contains instructions for encrypting and decrypting the following:

(1) The trail or extract file that holds data being processed by Oracle GoldenGate

(2) A database password

(3) The data sent across TCP/IP

1.1 How data is encrypted

The following encryption methods are used:

(1) To encrypt trail or extract files, Oracle GoldenGate uses 256-key byte substitution. All records going into those files are encrypted both across any data links and within the files themselves.

-- Trail and extract files are encrypted with 256-key byte substitution; every record is written to the trail in encrypted form. This is the scheme of the GoldenGate release documented here; later releases add AES options to ENCRYPTTRAIL, so check your version's reference guide for the algorithm actually in use.

(2) To encrypt the database password or data that is sent across TCP/IP, Oracle GoldenGate uses Blowfish encryption. Blowfish is a symmetric block cipher that can be used as a drop-in replacement for DES or IDEA. Oracle GoldenGate's implementation of Blowfish can take a variable-length key from 32 bits to 128 bits. Blowfish encryption can be combined with Oracle GoldenGate trail encryption.

-- Database passwords and data sent over TCP/IP are encrypted with Blowfish. Always use the full 128-bit key length (KEYGEN 128); a 32-bit Blowfish key can be brute-forced in seconds.

1.2 Encrypting trail or extract files

You can encrypt the data in any local or remote trail or file.

NOTE:

(DB2 on z/OS) This feature cannot be used when FORMATASCII is used to write data to a file in ASCII format. The trail or file must be written in the default canonical format.

1.2.1 To encrypt trail or extract files

1. In the Extract parameter file, list the following parameter before all trails or files that you want to be encrypted. You can list multiple trails or files after one instance of this parameter.

ENCRYPTTRAIL

2. To disable encryption for any files or trails listed in the Extract parameter file, precede their entries with the following parameter.

NOENCRYPTTRAIL

3. In the Replicat parameter file, include the following parameter so that Replicat decrypts the data for processing.

DECRYPTTRAIL

You also can use DECRYPTTRAIL for an Extract data pump to decrypt the data for column mapping, filtering, transformation, and so forth. You can then leave it decrypted for downstream trails or files, or you can use ENCRYPTTRAIL to encrypt the data again before it is written to those files.

1.2.2 Example

My test environment is Extract + Data Pump + Replicat; the encryption test below is done on that setup.

(1) Add the encryption parameter to the Extract

GGSCI (gg1) 46> view params ext1

extract ext1
ENCRYPTTRAIL
userid [email protected], password ggate
--rmthost gg2, mgrport 7809
--rmttrail /u01/ggate/dirdat/lt
exttrail /u01/ggate/dirdat/lt
ddl include all objname dave.pdba;
table dave.pdba;

ENCRYPTTRAIL is listed before EXTTRAIL, so the local trail is written encrypted; the two lines starting with -- are commented out.

(2) The Data Pump needs no change, because it only forwards the trail to the target system. (That holds for a pump that passes records through unchanged; a pump that maps or filters columns needs DECRYPTTRAIL, as described above.)

(3) Add the decryption parameter to the Replicat

GGSCI (gg2) 16> view params rep1

replicat rep1
DECRYPTTRAIL
ASSUMETARGETDEFS
userid [email protected], password ggate
discardfile /u01/ggate/dirdat/rep1_discard.txt, append, megabytes 10
--HANDLECOLLISIONS
ddl include all
ddlerror default ignore retryop
map dave.pdba, target dave.pdba;

(4) Test

Run some DML on the source database and check whether it is replicated to the target.

--Source DB

SQL> select count(*) from pdba;

COUNT(*)

----------

2678632

SQL> delete from pdba where rownum<100;

99 rows deleted.

SQL> commit;

Commit complete.

--Target DB

SQL>select count(*) from pdba;

COUNT(*)

----------

2678632

The rows did not arrive on the target. After a long check, all GoldenGate processes were running normally; looking at the dpump process finally showed the cause:

GGSCI (gg1) 31> info dpump

EXTRACT    DPUMP     Last Started 2011-11-19 15:03   Status RUNNING
Checkpoint Lag       00:00:00 (updated 00:00:07 ago)
Log Read Checkpoint  File /u01/ggate/dirdat/lt000000
                     First Record  RBA 0

After encryption was enabled, the pump's read position had gone back to trail sequence 0.

Check the ext1 report to find the trail file the Extract is currently writing:

GGSCI (gg1) 33> view report ext1

….

2011-11-19 15:03:32  INFO    OGG-01026  Rolling over remote file /u01/ggate/dirdat/lt000012.
2011-11-19 15:03:33  INFO    OGG-01053  Recovery completed for target file /u01/ggate/dirdat/lt000013, at RBA 1009.
2011-11-19 15:03:33  INFO    OGG-01057  Recovery completed for all targets.

…..

Following the notes on the Data Pump earlier in this series, reset the pump's trail sequence number:

GGSCI (gg1) 36> stop dpump

Sending STOP request to EXTRACT DPUMP ...

Recovery is not complete. This normal stop will wait and checkpoint recovery's work when recovery has finished. To force Extract to stop now, use the SEND EXTRACT DPUMP, FORCESTOP command.

GGSCI (gg1) 37> send dpump forcestop

Sending FORCESTOP request to EXTRACT DPUMP ...

STOP request will be executed immediately (recovery aborted).

GGSCI (gg1) 38> alter extract dpump, extseqno 13, extrba 0

EXTRACT altered.

GGSCI (gg1) 39> start dpump

Sending START request to MANAGER ...

EXTRACT DPUMP starting

GGSCI (gg1) 40> info dpump

EXTRACT    DPUMP     Last Started 2011-11-19 15:22   Status RUNNING
Checkpoint Lag       00:00:00 (updated 00:00:07 ago)
Log Read Checkpoint  File /u01/ggate/dirdat/lt000013
                     First Record  RBA 0

Then confirm on the target database:

SQL> select count(*) from pdba;

COUNT(*)

----------

2678533

Replication is working again (2678632 - 99 = 2678533). So, from this test: when you enable trail encryption, check the Data Pump's trail starting point. Keep in mind that ALTER EXTRACT ... EXTSEQNO/EXTRBA only moves the pump's read position; anything the pump had not yet read from earlier trail files is skipped, so verify as done here (by row count) that nothing was lost.
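The check done by hand above (read the pump's Log Read Checkpoint from `info`, read the file the Extract recovered to from its report, and derive the ALTER EXTRACT command) can be scripted. The following is an added example, not code from the original post or from Oracle GoldenGate. It assumes the two text formats shown above: an `info` line of the form "Log Read Checkpoint File <path>" and report lines of the form "Recovery completed for target file <path>, at RBA <n>", with trail file names made of a two-character prefix followed by a 6- to 9-digit sequence number. The sample texts in the block are constructed from the output in the post.

```python
"""Derive a Data Pump repositioning command from GGSCI output.

Added example, not part of the original post or of Oracle GoldenGate.
Assumptions: trail file names are <2-char prefix><6..9 digits>; the
`info` and report line formats match those quoted in the post.
"""
import re

# Trail file name: two-character prefix followed by the sequence number.
_TRAIL_RE = re.compile(r"([A-Za-z]{2})(\d{6,9})$")
# From `info <pump>`: the file the pump is currently reading.
_INFO_CKPT_RE = re.compile(r"Log Read Checkpoint\s+File\s+(\S+)")
# From the Extract report: the file it recovered to after restart.
_REPORT_TARGET_RE = re.compile(
    r"Recovery completed for target file\s+(\S+?),\s+at RBA\s+(\d+)")

# Constructed samples, modelled on the output shown in the post.
INFO_SAMPLE = """\
EXTRACT    DPUMP     Last Started 2011-11-19 15:03   Status RUNNING
Checkpoint Lag       00:00:00 (updated 00:00:07 ago)
Log Read Checkpoint  File /u01/ggate/dirdat/lt000000
                     First Record  RBA 0
"""
INFO_AFTER_RESET = INFO_SAMPLE.replace("lt000000", "lt000013")
REPORT_SAMPLE = """\
2011-11-19 15:03:32  INFO    OGG-01026  Rolling over remote file /u01/ggate/dirdat/lt000012.
2011-11-19 15:03:33  INFO    OGG-01053  Recovery completed for target file /u01/ggate/dirdat/lt000013, at RBA 1009.
2011-11-19 15:03:33  INFO    OGG-01057  Recovery completed for all targets.
"""


def trail_seqno(path):
    """Sequence number encoded in a trail file name, e.g. .../lt000013 -> 13."""
    m = _TRAIL_RE.search(path.rsplit("/", 1)[-1])
    if not m:
        raise ValueError("not a trail file name: %r" % path)
    return int(m.group(2))


def pump_read_seqno(info_text):
    """Sequence of the trail file a pump is reading, from `info` output."""
    m = _INFO_CKPT_RE.search(info_text)
    if not m:
        raise ValueError("no Log Read Checkpoint line in info output")
    return trail_seqno(m.group(1))


def extract_write_seqno(report_text):
    """Highest trail sequence the Extract reported as its recovered write target."""
    seqs = [trail_seqno(path) for path, _rba in _REPORT_TARGET_RE.findall(report_text)]
    if not seqs:
        raise ValueError("no 'Recovery completed for target file' line in report")
    return max(seqs)


def reposition_command(group, info_text, report_text):
    """ALTER EXTRACT command if the pump reads behind the Extract's current file, else None.

    The command skips anything unread in earlier files, so the caller must
    confirm (e.g. by row counts, as in the post) that nothing is lost.
    """
    reading = pump_read_seqno(info_text)
    writing = extract_write_seqno(report_text)
    if reading >= writing:
        return None
    return "alter extract %s, extseqno %d, extrba 0" % (group, writing)


if __name__ == "__main__":
    print(reposition_command("dpump", INFO_SAMPLE, REPORT_SAMPLE))
    print(reposition_command("dpump", INFO_AFTER_RESET, REPORT_SAMPLE))
```

Run it against saved copies of `info dpump` and `view report ext1` output; it prints the ALTER command only when the pump's read file is behind the Extract's write file, and `None` once the positions agree (as after the reset above).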

1.3 Encrypting the password of a database user

You can encrypt any of the following database passwords through Oracle GoldenGate:

(1) The database password that is used by the Extract and Replicat processes and other processes to log into the source and target databases. (Not all database types require a database login for Oracle GoldenGate processes.)

(2) The database password for an Oracle ASM user.

-- GoldenGate can encrypt the passwords used by Extract, Replicat and the ASM user.

To encrypt a database user password

1.3.1. Run GGSCI and issue the ENCRYPT PASSWORD command to generate an encrypted password.

-- Run ENCRYPT PASSWORD in GGSCI to produce the encrypted form of the password.

The command provides the following options.

(1) The default ENCRYPT PASSWORD command, without any options, generates an encrypted password using a default key that is randomly generated by Oracle GoldenGate.

ENCRYPT PASSWORD <password>

-- Without options, ENCRYPT PASSWORD uses GoldenGate's own default key. Nothing specific to your installation is involved: the resulting string is accepted with ENCRYPTKEY DEFAULT on any GoldenGate installation, so a default-key password in a parameter file only hides the clear text from casual reading; it does not keep it from anyone who can run GGSCI. Use a named key from ENCKEYS (the next option) when you need more than that.

(2) ENCRYPT PASSWORD with the ENCRYPTKEY <keyname> option generates an encrypted password using a user-defined key contained in the ENCKEYS lookup file.

ENCRYPT PASSWORD <password> ENCRYPTKEY <keyname>

-- Encrypt with a key that you name.

For <keyname>, specify the logical name for the key you want to use, as it appears in the local ENCKEYS file. To use this option, you must first generate a key, create an ENCKEYS file on the local system, and create an entry in the file for the generated key.

-- The key name cannot be chosen on the spot: it must be the name of a key that was generated and recorded in an ENCKEYS file on the local system. Key generation is described in its own section below.

The encrypted password is output to the screen when you run the ENCRYPT PASSWORD command.

1.3.2. Copy the encrypted password and paste it into the appropriate Oracle GoldenGate parameter statement as shown in Table 5 of the official documentation; for USERID the form is USERID <user>, PASSWORD <encrypted_password>, ENCRYPTKEY {DEFAULT | <keyname>}.

Where:

(1) <user> is the database user name for the Oracle GoldenGate process or (Oracle only) a host string. For Oracle ASM, the user must be SYS.

-- For ASM the user must be SYS, which shows why encrypting the password matters.

(2) <encrypted_password> is the encrypted password that is copied from the ENCRYPT PASSWORD command results.

(3) ENCRYPTKEY DEFAULT is required if the password was encrypted using ENCRYPT PASSWORD without the ENCRYPTKEY option.

(4) ENCRYPTKEY <keyname> is required if the password was encrypted using ENCRYPT PASSWORD with the ENCRYPTKEY <keyname> option. Specify the logical name of the key as it appears in the ENCKEYS lookup file.

1.3.3 Example

Here the password in the Extract parameter file is encrypted with the default key, that is, no key is specified when generating it.

(1) The previous parameter file uses the clear-text password:

GGSCI (gg1) 41> view params ext1

extract ext1
ENCRYPTTRAIL
userid [email protected], password ggate
--rmthost gg2, mgrport 7809
--rmttrail /u01/ggate/dirdat/lt
exttrail /u01/ggate/dirdat/lt
ddl include all objname dave.pdba;
table dave.pdba;

(2) Generate the encrypted password:

GGSCI (gg1) 42> encrypt password ggate

No key specified, using default key...

-- The default key is supplied by GoldenGate itself, not by you; see the caveat in 1.3.1.

Encrypted password: AACAAAAAAAAAAAFAPHODADQGAJVDSHPG

(3) Change the password in the parameter file:

-- First test the connection:

GGSCI (gg1) 45> dblogin [email protected], password AACAAAAAAAAAAAFAPHODADQGAJVDSHPG, encryptkey default

Successfully logged into database.

-- The login succeeds.

Of course, the clear-text password still works as well:

GGSCI (gg1) 46> dblogin [email protected], password ggate

Successfully logged into database.

The modified parameter file:

GGSCI (gg1) 53> view params ext1

extract ext1
ENCRYPTTRAIL
userid [email protected], password AACAAAAAAAAAAAFAPHODADQGAJVDSHPG, encryptkey default
--rmthost gg2, mgrport 7809
--rmttrail /u01/ggate/dirdat/lt
exttrail /u01/ggate/dirdat/lt
ddl include all objname dave.pdba;
table dave.pdba;

That is the default-key example. Restart the Extract after editing the parameter file so that it picks up the change.
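After a change like the one above, the question an auditor asks is which parameter files still carry a clear-text PASSWORD and which rely on the default key. The following is an added example, not code from the original post or from Oracle GoldenGate. It assumes the USERID clause forms shown on this page (USERID <user>, PASSWORD <password>[, ENCRYPTKEY DEFAULT | <keyname>]), that parameter comments start with "--", and that parameter files live under dirprm with a .prm extension; the user and host names in the constructed samples are placeholders.

```python
"""Audit GoldenGate parameter files for how the database password is stored.

Added example, not part of the original post or of Oracle GoldenGate.
Assumptions: USERID/PASSWORD/ENCRYPTKEY clause forms as shown in the post;
"--" starts a comment; parameter files are dirprm/*.prm.
"""
import glob
import re

# USERID <user>, PASSWORD <pw>[, ENCRYPTKEY {DEFAULT|<keyname>}][, other options]
_USERID_RE = re.compile(
    r"^userid\s+(?P<user>\S+?)\s*,\s*password\s+(?P<pw>\S+?)"
    r"(?:\s*,\s*encryptkey\s+(?P<key>[^\s,]+))?(?:[\s,].*)?$",
    re.IGNORECASE,
)

# Constructed samples modelled on the parameter files in the post;
# user/host names are placeholders.
BEFORE = """\
extract ext1
ENCRYPTTRAIL
userid ogg@srcdb, password ggate
exttrail /u01/ggate/dirdat/lt
table dave.pdba;
"""
AFTER = """\
extract ext1
ENCRYPTTRAIL
userid ogg@srcdb, password AACAAAAAAAAAAAFAPHODADQGAJVDSHPG, encryptkey default
exttrail /u01/ggate/dirdat/lt
table dave.pdba;
"""
KEYED = "replicat rep1\nuserid ogg@tgtdb, password AACAAAAAAAAAAAFAJDEIOHGHKCHBSAYA, encryptkey davekey1\n"


def classify_password_line(line):
    """(user, classification) for a USERID line; None for any other line.

    Classification is 'cleartext', 'default-key' or 'named-key:<keyname>'.
    """
    stripped = line.strip()
    if stripped.startswith("--"):          # GoldenGate parameter comment
        return None
    m = _USERID_RE.match(stripped)
    if not m:
        return None
    key = m.group("key")
    if key is None:
        kind = "cleartext"
    elif key.upper() == "DEFAULT":
        kind = "default-key"
    else:
        kind = "named-key:" + key
    return m.group("user"), kind


def audit_param_text(text):
    """Findings for one parameter file as (line number, user, classification)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        result = classify_password_line(line)
        if result:
            findings.append((lineno, result[0], result[1]))
    return findings


def audit_dirprm(dirprm):
    """Audit every *.prm file under a dirprm directory; returns {path: findings}."""
    report = {}
    for path in sorted(glob.glob(dirprm.rstrip("/") + "/*.prm")):
        with open(path, "r", errors="replace") as fh:
            report[path] = audit_param_text(fh.read())
    return report


if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER), ("keyed", KEYED)):
        print(name, audit_param_text(text))
```

Point `audit_dirprm` at the installation's dirprm directory and treat every `cleartext` finding as a defect and every `default-key` finding as something to migrate to a named key; lines commented out with "--" are ignored.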

1.4 Encrypting data sent across TCP/IP

You can encrypt captured data before Oracle GoldenGate sends it across the TCP/IP network to the target system. On the target system, Oracle GoldenGate decrypts the data before writing it to the Oracle GoldenGate trails (unless trail encryption also is specified).

By default, data sent across a network is not encrypted.

The previous sections covered encrypting files and the database password. The trail contents can also be encrypted in transit: they are encrypted before being sent to the target and decrypted on the target.

By default, data is not encrypted in transit.

To encrypt data sent across TCP/IP

1. On the source system, generate one or more encryption keys and create an ENCKEYS file.

-- Generate the keys on the source.

2. Copy the finished ENCKEYS file to the Oracle GoldenGate installation directory on all target systems. The key names and values in the source ENCKEYS file must match those of the target ENCKEYS file, or else the data exchange will fail and Extract and Collector will abort with the following message:

GGS error 118 – TCP/IP Server with invalid data.

-- Copy the source ENCKEYS file into the GoldenGate installation directory on the target. Key names and values must be identical on source and target, otherwise the error "TCP/IP Server with invalid data" is raised. Copy it over a protected channel (scp, not an unencrypted share) and restrict its permissions on both sides: whoever can read ENCKEYS can decrypt the network traffic and any password encrypted with those keys.

3. Depending on whether this is a regular Extract group or a passive Extract group, use the ENCRYPT option of either the RMTHOST or RMTHOSTOPTIONS parameter to specify the type of encryption and the logical key name as shown:

ENCRYPT BLOWFISH, KEYNAME <keyname>

Then modify the RMTHOST parameter; if a Data Pump is used, the pump is the process that sends over the network, so modify the pump's parameter file.

Where:

(1) BLOWFISH specifies Blowfish encryption.

(2) <keyname> is the logical name for the encryption key you want to use, as it appears in the ENCKEYS file.

Example:

RMTHOST sys1, MGRPORT 7840, ENCRYPT BLOWFISH, KEYNAME superkey

RMTHOSTOPTIONS ENCRYPT BLOWFISH, KEYNAME superkey

4. If using a static Collector and Blowfish encryption, append the following additional parameters in the Collector startup string:

-KEYNAME <name>

-ENCRYPT BLOWFISH

Where:

(1) KEYNAME <name> specifies the name of the key.

(2) ENCRYPT BLOWFISH specifies Blowfish encryption.

Collector matches these parameters to those specified with the KEYNAME and ENCRYPT options of RMTHOST.

2. Using encryption keys

You must create at least one encryption key and two ENCKEYS lookup files, one on the source and one on the target, if you want to:

(1) Encrypt data sent across TCP/IP

(2) Use a user-defined key to encrypt the database password

-- Keys must be generated for network encryption and for password encryption with a user-defined key.

This procedure is not required if:

(1) you are using a default key generated by Oracle GoldenGate to encrypt the database password

(2) you are encrypting a trail or extract file.

In those two cases no key has to be generated: encrypting the password with GoldenGate's default key, and encrypting trail files.

You can define your own key or run Oracle GoldenGate's KEYGEN utility to create a key randomly.

2.1 To define your own key

(1) The key name can be a string of 1 to 24 alphanumeric characters without spaces or quotes.

-- The key name is 1 to 24 letters or digits, with no spaces or quotes.

(2) The key value can be up to 128 bits (16 bytes) as a quoted alphanumeric string (for example "Dailykey") or a hex string with the prefix 0x (for example 0x420E61BE7002D63560929CCA17A4E1FB).

-- The key value is at most 16 bytes (128 bits): either an alphanumeric string (quoted when given on a command line, such as "Dailykey") or a hex string prefixed with 0x. A hand-picked word like "Dailykey" is only dictionary-strength; prefer KEYGEN output.

2.2 To use KEYGEN to generate a key

Change directories to the Oracle GoldenGate home directory on the source system, and issue the following shell command. You can create multiple keys, if needed. The key values are returned to your screen.

Go to the GoldenGate installation directory and run keygen to generate keys:

KEYGEN <key length> <n>

Where:

(1) <key length> is the encryption key length, up to 128 bits.

(2) <n> represents the number of keys to generate.

-- n is the number of keys to generate.

Example:

KEYGEN 128 4

2.3 To store the keys for use by Oracle GoldenGate

1. On the source system, open a new ASCII text file.

2. For each key that you generated, enter a logical name followed by the key value itself. Place multiple key definitions on separate lines. Do not enclose a key name or value within quotes; otherwise it will be interpreted as text. Use the following sample ENCKEYS file as a guide.

Store the key names and values in an ASCII file, one "keyname keyvalue" pair per line, without quotes.

3. Save the file as ENCKEYS without an extension in the Oracle GoldenGate installation directory. The name must be in upper case.

-- Save the file in the GoldenGate installation directory as ENCKEYS, in upper case and with no extension.

4. Copy the ENCKEYS file to the target Oracle GoldenGate installation directory. The key names and values in the source ENCKEYS file must match those of the target ENCKEYS file, or else the data exchange will fail and Extract and Collector will abort with the following message:

GGS error 118 – TCP/IP Server with invalid data.

-- Copy this ENCKEYS file into the GoldenGate installation directory on the target system; the names and values must be identical to the source copy. The file holds the raw key material in clear text, so make it readable only by the GoldenGate OS user (chmod 600) on both systems.

2.4 Example

2.4.1 Generate keys

gg1:/u01/ggate> keygen 128 4

0x1C4E2A6B3F005D495987CA43FFEBDE54
0xEF90654D6C22F846A3307673AB22897D
0xC2D3A02F99449344EED9212358593326
0x9516DC11C6662E423883CD520490DD4E

Note that keygen only produces key values, not key names; the names are chosen when the keys are saved to ENCKEYS.

2.4.2 Store the keys

Create the ENCKEYS file in the GoldenGate home directory and save the keys in it:

gg1:/u01/ggate> touch ENCKEYS
gg1:/u01/ggate> vi ENCKEYS

davekey1 0x1C4E2A6B3F005D495987CA43FFEBDE54
davekey2 0xEF90654D6C22F846A3307673AB22897D
davekey3 0xC2D3A02F99449344EED9212358593326
davekey4 0x9516DC11C6662E423883CD520490DD4E

2.4.3 Encrypt the database password with one of the keys

GGSCI (gg1) 54> encrypt password ggate encryptkey davekey1

Encrypted password: AACAAAAAAAAAAAFAJDEIOHGHKCHBSAYA

2.4.4 Test the encrypted password:

GGSCI (gg1) 55> dblogin userid ggate, password AACAAAAAAAAAAAFAJDEIOHGHKCHBSAYA, encryptkey davekey1

Successfully logged into database.

The login succeeds. To switch the Extract and Replicat over, put the same PASSWORD ... ENCRYPTKEY davekey1 clause into their parameter files; a Replicat on the target can only decrypt it if the target's ENCKEYS contains davekey1 with the same value.
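Both the TCP/IP procedure in 1.4 and the ENCKEYS procedure in 2.3 hinge on the same two requirements: each entry must follow the name/value rules, and the source and target copies must agree, or the processes abort with "GGS error 118 - TCP/IP Server with invalid data" only once they are started. The following is an added example, not code from the original post or from Oracle GoldenGate, that checks both requirements before startup. It assumes the rules quoted on this page (name of 1 to 24 alphanumerics; value either 0x plus up to 32 hex digits, or up to 16 alphanumerics, unquoted inside the file) and compares values exactly, so the two copies should be byte-identical. The sample source file is built from the key values shown above; the target copy is constructed with one value mistyped and one key missing.

```python
"""Validate an ENCKEYS file and check that source and target copies agree.

Added example, not part of the original post or of Oracle GoldenGate.
Assumptions: the key name/value rules quoted in the post; values are
compared exactly (keep the two copies byte-identical).
"""
import os
import re

_NAME_RE = re.compile(r"^[A-Za-z0-9]{1,24}$")
_HEX_RE = re.compile(r"^0x[0-9A-Fa-f]{1,32}$")      # up to 128 bits
_TEXT_RE = re.compile(r"^[A-Za-z0-9]{1,16}$")       # up to 16 bytes

# Constructed from the key values shown in the post.
SOURCE_ENCKEYS = """\
davekey1 0x1C4E2A6B3F005D495987CA43FFEBDE54
davekey2 0xEF90654D6C22F846A3307673AB22897D
davekey3 0xC2D3A02F99449344EED9212358593326
davekey4 0x9516DC11C6662E423883CD520490DD4E
"""
# Constructed target copy: davekey3 mistyped in its last digit, davekey4 missing.
TARGET_ENCKEYS = """\
davekey1 0x1C4E2A6B3F005D495987CA43FFEBDE54
davekey2 0xEF90654D6C22F846A3307673AB22897D
davekey3 0xC2D3A02F99449344EED9212358593327
"""


def _value_problem(value):
    """None if value is a legal ENCKEYS key value, otherwise a reason string."""
    if _HEX_RE.match(value):
        return None if len(value) % 2 == 0 else "hex key has an odd number of digits"
    if _TEXT_RE.match(value):
        return None
    return "value must be 0x<up to 32 hex digits> or up to 16 alphanumerics, unquoted"


def key_bits(value):
    """Key length in bits for a legal value; raises ValueError otherwise."""
    problem = _value_problem(value)
    if problem:
        raise ValueError("%s: %r" % (problem, value))
    if _HEX_RE.match(value):
        return (len(value) - 2) * 4
    return len(value) * 8


def validate_enckeys(text):
    """List of problems in ENCKEYS text; an empty list means it is well formed."""
    problems, seen = [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            problems.append("line %d: expected '<name> <value>'" % lineno)
            continue
        name, value = parts
        if not _NAME_RE.match(name):
            problems.append("line %d: bad key name %r" % (lineno, name))
        reason = _value_problem(value)
        if reason:
            problems.append("line %d: %s" % (lineno, reason))
        if name in seen:
            problems.append("line %d: duplicate key name %r" % (lineno, name))
        seen.add(name)
    return problems


def parse_enckeys(text):
    """{name: value} for well-formed ENCKEYS text; raises ValueError otherwise."""
    problems = validate_enckeys(text)
    if problems:
        raise ValueError("; ".join(problems))
    return dict(line.split() for line in text.splitlines() if line.strip())


def compare_enckeys(source_text, target_text):
    """Names whose value differs or is missing on either side (empty = copies agree)."""
    src, tgt = parse_enckeys(source_text), parse_enckeys(target_text)
    problems = []
    for name in sorted(set(src) | set(tgt)):
        if name not in tgt:
            problems.append("%s: missing on target" % name)
        elif name not in src:
            problems.append("%s: missing on source" % name)
        elif src[name] != tgt[name]:
            problems.append("%s: value differs" % name)
    return problems


def exposed_to_other_users(path):
    """True if the ENCKEYS file grants any access to group or others (should be 0600)."""
    return bool(os.stat(path).st_mode & 0o077)


if __name__ == "__main__":
    print(validate_enckeys(SOURCE_ENCKEYS))
    print(compare_enckeys(SOURCE_ENCKEYS, TARGET_ENCKEYS))
```

In practice, read the source ENCKEYS locally, fetch the target copy with scp, and run `compare_enckeys` on the two texts; also run `exposed_to_other_users` on each copy, since a readable ENCKEYS exposes every key in it.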

Summary:

GoldenGate's encryption options are fairly flexible: the trail can be encrypted, data can be encrypted in transit over the network, and the database password can be encrypted.

Under heavy transaction volume, trail encryption and network encryption both add load to the system, so in practice the most convenient choice is password encryption: it gives access control without affecting GoldenGate throughput. Keep in mind what each option protects, though: password encryption only protects the credentials in the parameter files, while trail and TCP/IP encryption protect the replicated data itself, so the choice depends on whether the threat is someone reading the configuration or someone reading the data on disk or on the wire.

-------------------------------------------------------------------------------------------------------

Copyright reserved. Reposting is permitted provided the source address is credited with a link; otherwise legal action will be taken!

Blog: http://blog.csdn.net/tianlesoftware

Weibo: http://weibo.com/tianlesoftware

Skype: tianlesoftware

