Known issues in OCI GoldenGate

Related Topics

General

Learn about general known issues that apply to the entire service and how to work around them.

OCI Object Storage replication error when using Resource Principal

If a Resource Principal is used for authentication, the Replicat will fail, and encounter the following error:
ERROR 2025-06-12 14:48:16.000489 [main] - An exception has occurred: java.lang.NullPointerException: Cannot invoke "String.startsWith(String)" because "path" is null java.lang.NullPointerException: Cannot invoke "String.startsWith(String)" because "path" is null

Distribution and Receiver Paths may fail after 21.x deployments upgraded to 21.17

Beginning with Oracle GoldenGate versions 21.17 and 23ai, Paths use the default reserved domain name, "Network," so existing Paths that use any other domain name fail with the following error reported: 

ERROR| Exception Message: The network connection could not be established: 'OGG-10351' - 'Generic error -1 noticed. Error description - credential store alias not found in domain.'

Workaround:

In the OCI GoldenGate deployment console, edit each Path and change the domain name to "Network," and then restart the Path. To verify, check the domain of the Path auth user in the Credential store section of the Configuration page.

If you prefer to use Admin Client, run the following commands to update the domain name. Ensure that you replace the <path_name> and <alias> placeholders:

For source-initiated paths:

ALTER DISTPATH <path_name> TARGET AUTHENTICATION USERIDALIAS <alias> domain
    Network

For target-initiated paths:

ALTER RECVPATH <path_name> SOURCE AUTHENTICATION USERIDALIAS <alias> domain
    Network

Issues encountered upgrading to Oracle GoldenGate 21.17 for Big Data

Users upgrading from Oracle GoldenGate versions 21.14, 21.15, or 21.16 for Big Data to version 21.17 with truststore and/or keystore connection properties configured are failing with the following errors reported:

Caused by: oracle.goldengate.util.GGException: An exception occurred when creating the Kafka Producer object. 
Caused by: org.apache.kafka.common.KafkaException: Failed to construct kafka producer 
Caused by: org.apache.kafka.common.KafkaException: Failed to load SSL  keystore /u02/connections/<connection OCID>/trustStore of type JKS 
Caused by: java.io.IOException: keystore password was incorrect

Workaround:

  1. Convert the JKS truststore and keystore to PKCS12.
    1. For the keystore, it should prompt for a password. Keytool is a utility in the JDK. 
      keytool -importkeystore -srckeystore [MY_KEYSTORE.jks] -destkeystore [MY_KEYSTORE.p12] -srcstoretype JKS -deststoretype PKCS12 -deststorepass [PASSWORD_PKCS12]
    2. For truststore, it should prompt for a password.
      keytool -importkeystore -srckeystore [MY_TRUSTSTORE.jks] -destkeystore [MY_TRUSTSTORE.p12] -srcstoretype JKS -deststoretype PKCS12 -deststorepass [PASSWORD_PKCS12]
  2. In the Kafka producer properties file, set the following:
    ssl.truststore.type=PKCS12
ssl.keystore.type=PKCS12

Issues encountered during rollback from 21.15 or 23.x builds to 21.14

When attempting to rollback a 21.15 or 23.x build to:

  • Oracle (21.14.0.0.0_240525)
  • Big Data (21.14.0.0.0_240515)
  • MySQL (21.14.0.0.0_240404)
  • MSSQL (21.14.0.0.0_240404)

You may encounter one of the following issues:

  • Missing Connections/Credentials issue due to new wallet encryption feature introduced 21.15 onwards.

    Workaround: You must unassign and reassign existing connections to the deployment and recreate missing users required for any Distribution or Receiver paths in use.

  • Service Manager fails to start due to an issue with Performance Metrics Service in rollbacks from 23.x to 21.14. Contact Oracle Support if you encounter this issue.
  • Oracle GoldenGate processes fail with the error, "OGG-02431 Invalid record header found in checkpoint file."

    Workaround: Upgrade the deployment to the latest 21.14 build available in the series. Contact Oracle Support if the issue persists.

Invalid redirect url error when trying to access an IAM-enabled deployment using an IP

When attempting to access an IAM-enabled deployment using the deployment's IP address, you encounter the following error:

{"error":"invalid_redirect_uri","error_description":"Client
        xxxxxxxx1ocioraclecloudcom_APPID requested an invalid redirect URL: https://192.x.x.x/services/adminsrvr/v2/authorization. ECID:
        xxxx"}

Workaround: You can do one of the following:

Option 1: Add the deployment IP address to your Identity Domain Application. To make this change, you must be part of the user group assigned to the application.

  1. In the Oracle Cloud navigation menu, select Identity & Security, then under Identity, click Domains.
  2. Select your domain from the Domains list.
  3. From the domain's Identity Domain resource menu, select Oracle Cloud Services.
  4. Select your application from the Oracle Cloud Services list. For example, GGS INFRA Application for Deployment Id:<deployment OCID>.
  5. On the application page under OAuth configuration, click Edit OAuth configuration.
  6. For Redirect URL, enter the deployment's Console URL with the deployment's IP in place of the domain. For example: https://<deployment-ip>/services/adminsrvr/v2/authorization.
  7. Save your changes.
Option 2: Add an entry in your client machine hosts file to map 127.0.0.1 to your deployment FQDN (replace <region> with the appropriate region). For example: 
127.0.0.1 xx.deployment.goldengate.<region>.oci.oraclecloud.com

Unable to update custom certificates on IAM deployments

The service prohibits updates to the FQDN as it impacts cross region access and requires updates to IAM resources in the target region.

Workaround: To work around this issue, create a new deployment to use the updated FQDN.

Oracle GoldenGate REST APIs return 302 redirects to an index page.

You can use the GoldenGate REST APIs to manage your OCI GoldenGate deployments. For those familiar with Oracle GoldenGate, note that the Service Manager is not exposed in OCI GoldenGate and any calls made to Service Manager won't be able to return.

AdminClient: Unable to negotiate with <ip-address> port 22: no matching host key type found.

When you use AdminClient in Cloud Shell to connect to your deployment, you may encounter the following message:
FIPS mode initialized.
Unable to negotiate with <ip-address> port 22: no matching host key type found. Their offer: ssh-ed25519
Action completed. Waiting until the work request has entered state: ('SUCCEEDED',)
FIPS mode initialized.
Unable to negotiate with <ip-address> port 22: no matching host key type found. Their offer: ssh-ed25519
Cannot create ssh tunnelnel

Workaround: Complete the following steps:

  1. Open a new Cloud Shell session.
  2. Create a file using the following command:
    cat .ssh/config
  3. Enter the following into the .ssh/config file, and then save it:
    HostkeyAlgorithms ssh-rsa,ssh-ed25519
PubkeyAcceptedKeyTypes ssh-ed25519,ssh-rsa
  4. If there's an existing .ssh/known_hosts file, delete it.
  5. Close the Cloud Shell session.
  6. Click Launch Admin Client on your deployment details page.

Connections

Learn about known issues related to connections and how to work around them.

Java.net.UnknownHostException errors for Amazon S3 and Google Cloud Storage connections with Shared endpoints

Workaround: Edit the connection and change the Traffic routing method to Dedicated, or select Dedicated when you create Amazon S3 and Google Cloud Storage connections.

OCI GoldenGate MongoDB connection doesn't support mongdb+srv connection strings.

Workaround: Use MongoDB connection strings.

  1. In MongoDB Atlas, click Connect.
  2. Select Drivers.
  3. Select Java.
  4. For Version, select 3.4 or later.
  5. You can use the provided mongodb string. For example:
    mongodb://<user_name>:<db_password>@cluster0-shard-00-00.abc.mongodb.net:27017,cluster0-shard-00-01.abc.mongodb.net:27017,cluster0-shard-00-02.abc.mongodb.net:27017/?ssl=true&replicaSet=atlas-3grqh1-shard-0&authSource=admin&retryWrites=true&w=majority&appName=Cluster0

Issue with Amazon S3 connections in OCI GoldenGate

If you encounter the following error when using Amazon S3 connections, then open a support ticket, share the details and error message. 

ERROR 2024-03-04 11:42:31.000505 [TaskEngine_2(FileFinalizeTask)] - Verify S3 bucket
      [ggstest] failed.com.amazonaws.SdkClientException: Unable to execute HTTP request: s3.us-east-2.amazonaws.com

You can then use the following steps as a temporary workaround.

Workaround:

  1. Connect to Cloud Shell.
  2. Create a new Amazon S3 connection using the following CLI sample:
    oci goldengate connection create-amazon-s3-connection --routing-method SHARED_SERVICE_ENDPOINT --display-name <connection_name> --compartment-id <compartment_ocid> --technology-type AMAZON_S3 --access-key-id <aws_access_key> --secret-access-key <aws_secret>
  3. Assign the connection to your deployment.
  4. Add and run a Replicat for Amazon S3.

Alternatively, if you prefer not to use public access, configure your Amazon S3 connection's buckets to use AWS VPC Endpoints. For OCI GoldenGate to access your S3 bucket using VPC Endpoints, you must also configure an IPsec VPN between your VCN and the AWS VPC.

To set the endpoint for Amazon S3, add the gg.eventhandler.s3.url property to Replicat Properties File, and provide the endpoint for the private connection.

Issue with MongoDB Test connection

You may encounter an error when using Test connection with MongoDB connections. You can ignore this error and test MongoDB connections in the OCI GoldenGate deployment console. In the deployment console, open the navigation menu for the Administration Service, click Configuration. Your MongoDB connection should be listed as a credential, where you can click Connect to <alias> to test the connection.

Action required for Autonomous Databases that use mTLS Authentication

When an Autonomous Database wallet is rotated, the OCI GoldenGate connection to this database must be refreshed to retrieve the latest wallet information.

For more information see, My Oracle Support (MOS) Document 2911553.1.

To refresh an Autonomous Database connection: Edit and save the connection to the Autonomous Database (Autonomous Transaction Processing or Autonomous Data Warehouse). Saving the connection automatically downloads and refreshes the wallet. No other changes to the connection is needed.

To verify:

  1. Launch the deployment console for a deployment that uses the Autonomous Database connection.
  2. In the deployment console, open the navigation menu, and then click Configuration.
  3. On the Credentials screen, observe the Autonomous Database connection string.

    Before the wallet is refreshed, the connection string looks like the following:

    ggadmin@(DESCRIPTION=(TRANSPORT_CONNECT_TIMEOUT=3)(CONNECT_TIMEOUT=60)(RECV_TIMEOUT=120)(retry_count=20)(retry_delay=3)(address=(protocol=tcps)(port=1522)(host=adb.us-phoenix-1.oraclecloud.com))(CONNECT_DATA=(COLOCATION_TAG=ogginstance)(FAILOVER_MODE=(TYPE=SESSION)(METHOD=BASIC)(OVERRIDE=TRUE))(service_name=<adb-servicename>_low.adb.oraclecloud.com))(security=(MY_WALLET_DIRECTORY=“/u02/connections/ocid1.goldengateconnection.oc1.phx.<ocid>/wallet”)(SSL_SERVER_DN_MATCH=TRUE)(ssl_server_cert_dn=“CN=adwc.uscom-east-1.oraclecloud.com,
        OU=Oracle BMCS US, O=Oracle Corporation, L=Redwood City, ST=California,
        C=US”)))

    After the wallet is refreshed, the connection string is updated to look like the following:

    ggadmin@(DESCRIPTION=(TRANSPORT_CONNECT_TIMEOUT=3)(CONNECT_TIMEOUT=60)(RECV_TIMEOUT=120)(retry_count=20)(retry_delay=3)(address=(protocol=tcps)(port=1522)(host=adb.us-phoenix-1.oraclecloud.com))(CONNECT_DATA=(COLOCATION_TAG=ogginstance)(FAILOVER_MODE=(TYPE=SESSION)(METHOD=BASIC)(OVERRIDE=TRUE))(service_name=<adb-servicename>_low.adb.oraclecloud.com))(security=(MY_WALLET_DIRECTORY=“/u02/connections/ocid1.goldengateconnection.oc1.phx.<ocid>/wallet”)(SSL_SERVER_DN_MATCH=TRUE)(ssl_server_dn_match=yes)))

MySQL database usernames that include an '@' symbol don't appear in Credential Alias list when creating an Extract in the OCI GoldenGate deployment console

For MySQL databases, usernames that include @ symbols are omitted from the Credential Alias list when creating Extracts in the OCI GoldenGate deployment console.

Workaround: Select a different alias from the list and then manually update the Parameter File on the next screen.

Network timeout affects database connections using private endpoints.

If you're using a private endpoint to connect to a database, then you may encounter network timeouts when starting or stopping Extract processes.

Workaround: You can do one of the following:

  • Apply the latest patches from your deployment details page. In the Deployment Information section, under GoldenGate, for Version, click Upgrade.
  • If you're unable to apply the latest patches at this time, you can update the connection string to include EXPIRE_TIME=1. By default, you may have an EZ connection string in Oracle GoldenGate. This connection string needs to be updated in the Oracle GoldenGate Credential to a long connection string as follows:
    <username>@//<hostname>:1521/<service_name>
<username> @(DESCRIPTION = (EXPIRE_TIME=1)(ADDRESS_LIST = (ADDRESS = (COMMUNITY = tcp)(PROTOCOL = TCP)(Host = <hostname>)(Port = 1521))) (CONNECT_DATA = (SERVICE_NAME = <service_name>)))

SCAN Proxy doesn't support TLS

While OCI GoldenGate supports Oracle Single Client Access Name (SCAN) hosts and IPs, the SCAN proxy does not support TLS.

Workaround: You can connect to a RAC database using the Database Node IP.

User OCID Mismatch in OCI Object Storage connection (Federated users only)

If a federated user selects Use current user when creating an OCI Object Storage connection, their OCID doesn't match the OCID picked up by the system.

Workaround: When you create an OCI Object Storage connection, ensure that you choose Specify another user, and then enter the federated user's OCID.

To find the user OCID, click Profile in the Oracle Cloud console global header, and then select the user name. On the User Details page, under User Information, click Show for OCID.

Deployment console

Deployment console fails to load

If you enter a fully qualified domain name (FQDN) whose last portion is longer than 11 characters, the deployment console fails to load.

Workaround: Keep the last portion of your FQDN under 11 characters.

The OCI GoldenGate deployment console is not compatible with Safari web browsers.

The Oracle Cloud Infrastructure GoldenGate Deployment Console will not display correctly when accessed using a Safari web browser.

Workaround: Use Chrome or FireFox browsers instead.

Connecting to a credential can take several minutes

In the deployment console's Configuration screen when you attempt to connect to a credential, it can take several minutes for it to connect successfully. Refreshing your screen will only add time to the connection process.

Workaround: This is a known issue that is resolved in GoldenGate build version oggoracle:21.8.0.0.0_221119.1258_663.

GoldenGate processes

Learn about known issues related to GoldenGate processes and how to work around them.

MongoDB, DocumentDB, and Oracle JSON Collection TLS Security Protocol

If the MongoDB Replicat, DocumentDB Replicat, or Oracle JSON Collection connection fails with the following error in the Report file:
Error: Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Workaround: Add the following property to your Properties file, update <connection_ocid> with your connection OCID and keep the rest as is. 

jvm.bootoptions=-Djavax.net.ssl.trustStore=/u02/connections/<connection_ocid>/truststore.pkcs12 -Djavax.net.ssl.trustStorePassword=Welcome123

Bug 37518857: OGGDAA GGS Snowflake Streaming Replicat error

Snowflake Streaming Handler fails with: Exception: java.lang.StackOverflowError thrown from the UncaughtExceptionHandler in thread "process reaper"

Workaround: Add the following to your Replicat Properties file:
jvm.bootoptions= -Djdk.lang.processReaperUseDefaultStackSize=true

OCI GoldenGate deployment console cannot display custom/non-default named Discard file

Discard files, by default, follow the naming convention <process-name>.dsc. You can see all discard files in the OCI GoldenGate deployment console, unless you renamed them. The deployment console doesn't display custom named discard files.

Workaround: Use the Collect diagnostics tool on the deployment details page to access your discard files.

Replicats fail when using Trail file from MongoDB Extract with BINARY_JSON_FORMAT

When a Replicat uses a Trail file generated from a MongoDB Extract with BINARY_JSON_FORMAT in the Extract parameter file, the Replicat fails with the following error: 

ERROR 2023-08-04 17:13:13.000421 [main] - Unable to decode column 0 : Input length = 1
      java.nio.charset.MalformedInputException: Input length = 1 at
      java.nio.charset.CoderResult.throwException(CoderResult.java:281) ~[?:1.8.0_311]at java.nio.charset.CharsetDecoder.decode(CharsetDecoder.java:816) ~[?:1.8.0_311] at
      oracle.goldengate.datasource.UserExitDataSource.createColumnValue(UserExitDataSource.java:1106)
      [ggdbutil-21.9.0.0.3.001.jar:21.9.0.0.3.001] Exception in thread “main”
      oracle.goldengate.util.GGException: Unable to decode column 0 : Input length = 1 at
      oracle.goldengate.datasource.UserExitDataSource.createColumnValue(UserExitDataSource.java:1203)

Workaround: When BINARY_JSON_FORMAT is removed from the Extract parameters, the Replicat runs successfully and documents are represented in Extended JSON format.

Remote change data capture Extracts fail for GTID enabled databases

When you create a Change Data Capture Extract process with the Remote option enabled for a MySQL database that uses global transaction identifiers (GTIDs), the Extract process fails and the following error is reported:
ERROR   OGG-25192  Trail file '<trail name>' is remote. Only local trail allowed for this extract.

Workaround: On the Parameter file screen of the Change Data Capture Extract, remove the line, TRANLOGOPTIONS ALTLOGDEST REMOTE.

For more information, see Using Oracle GoldenGate for MySQL.

To create Distribution Paths to send data to or pull data from Oracle Cloud Infrastructure GoldenGate, ensure that you add the root certificate to Certificate Management or your client wallet

To send data to or pull data from OCI GoldenGate, you must create a Distribution Server Path or a target initiated path on the Receiver Server in your on-premises or Marketplace Oracle GoldenGate, respectively. You must also add the OCI GoldenGate root certificate or self-signed certificate to your Oracle GoldenGate Certificate Management (Oracle GoldenGate 21c or higher) or client wallet (Oracle GoldenGate 19c). This creates a trusted connection between your Oracle GoldenGate and OCI GoldenGate deployments. Only WebSocket Secure (WSS) protocol is supported for Distribution and Receiver Server Paths between Oracle GoldenGate and OCI GoldenGate.

A change in the OCI GoldenGate root certificate will cause the Distribution Server Path or a target initiated path on the Receiver Server in your on-premises or Marketplace Oracle GoldenGate to fail and produce the following error: 

ERROR   OGG-10390  Oracle GoldenGate Receiver Service:  Generic error -1 noticed for endpoint
      wss://<deployment URL>:443/services/v2/sources?trail=<trail name>. Error description - SSL
      connection unexpectedly closed.

Workaround: To fix this issue, update the certificate in the client wallet or Service Manager's Certificate Management screen to use the OCI GoldenGate Deployment Console root certificate. In some cases, when the OCI GoldenGate deployment’s certificate is not signed directly by the root certificate but by intermediate one(s) for example, it might be necessary to also add the intermediate CA certificate(s).

Learn more:

Only Digest Authentication is currently supported

Oracle Cloud Infrastructure GoldenGate doesn't currently support certificate-based authentication when you use Oracle Cloud Infrastructure GoldenGate as the Distribution Path target.

Workaround: None.

Pipelines

Learn about known issues related to Pipelines and how to work around them.

ZeroETL Mirror Pipeline Apply process failure

If your pipeline Apply process fails with the following error in OCI Logging:
Error mapping from ADMIN.DBTOOLS$EXECUTION_HISTORY to <ADB ID>.ADMIN.DBTOOLS$EXECUTION_HISTORY.

Workaround: Create an Exclude rule with ADMIN.*, and then restart the Pipeline.

Oracle Data Pump fails if the target database time zone file version is lower than the source database's

The pipeline option, "Copy existing data to target database before starting replication" uses Oracle Data Pump. Oracle Data Pump fails if the target database's time zone file version is lower than that of the source database.

Workaround: To work around this, you must upgrade the target database's time zone version. See Manage time zone file updates on Autonomous Database.