Manage master encryption key wallets

Use master encryption keys to encrypt trail files distributed to other GoldenGate deployments. You can then import and export master encryption key wallets to use with other source and target OCI GoldenGate deployments.

Note:

This information applies only to Data replication deployments.

If a master key is created in Oracle GoldenGate, then each time GoldenGate creates a trail file, it automatically generates a new encryption key that encrypts the trail contents. The master key then encrypts that trail file's encryption key.

Before you begin

Ensure that you have the following:

Add a master key in the deployment console

To add a master key in the GoldenGate deployment console:
  1. Launch the GoldenGate deployment console from the deployment details page.
  2. Log in as the GoldenGate admin user.
  3. After you log in, open the navigation menu, click Configuration, and then click Key Management.
  4. On the Key Management page, for Master Keys, click Add Master key (plus icon).
A new master key appears in the list.

Export a master encryption key wallet from an OCI GoldenGate deployment

If a master key is added in the source deployment, ensure that you export it and import it into the target deployment.
To export a master encryption key wallet:
  1. On the Deployments page, select the deployment from which to export the master encryption key wallet.
  2. On the deployment details page, under Resources, click Master encryption key actions.
  3. Click Export.
  4. In the Export dialog:
    1. For Name, enter a name for the master encryption key wallet.
    2. (Optional) Enter a description to help distinguish it from others in the wallet list.
    3. For Vault in <compartment-name>, select the vault in which to export the master encryption key wallet. Click Change compartment to select a different compartment.
    4. For Encryption key in <compartment name>, select the appropriate encryption key to use. Click Change compartment to select a different compartment.
  5. Click Export.

Export a master encryption key wallet from an on premise Oracle GoldenGate instance

If a master key is added to a source (on premise or Marketplace) Oracle GoldenGate instance, ensure that you base64 encode the cwallet.sso and then copy it into an OCI Vault secret.
To export a master encryption key wallet from an on premise Oracle GoldenGate instance:
  1. SSH into your on premise Oracle GoldenGate instance.
  2. Change directories to the location in which the wallet (cwallet.sso) resides.

    Note:

    Oracle recommends making a copy of cwallet.sso to work with.
  3. Base64 encode the cwallet.sso using the following command:
    base64 -w 0 cwallet.sso
  4. Copy the output string.
  5. In the Oracle Cloud console, open the navigation menu, select Identity & Security, and then select Vault.
  6. On the Vaults page, select your vault.
  7. On the Vault details page, under Resources, click Secrets, and then click Create Secret.
  8. In the Create Secret panel, complete the fields as follows:
    1. For Create in Compartment, select the compartment in which to create the Secret.
    2. Enter a Name for the secret.
    3. (Optional) Enter a Description for the secret.
    4. For Encryption Key in <compartment-name>, select the master encryption key created in the Before you begin steps. Click Change compartment to select a master encryption key located in a different compartment.
    5. For Secret type template, select Plain-Text.
    6. For Secret contents, paste the cwallet.sso base64 encoded string from step 3.
  9. Click Create Secret.
The Secret appears in the Secrets list. You can now import the master encryption key wallet to the target OCI GoldenGate deployment, and select this Secret.

Import a master encryption key wallet to a deployment

To import a master encryption key wallet:
  1. On the Deployments page, select the deployment in which to import the master encryption key wallet.
  2. On the deployment details page, under Resources, click Master encryption key wallet actions.
  3. Click Import.
  4. In the Import dialog:
    1. For Wallet secret in <compartment-name>, select the wallet secret to import. Click Change compartment to select a wallet secret from a different compartment.
    2. (Optional) Select Backup existing wallet to ...
      If selected, then under Backup wallet:
      1. For Name, enter a name for the backup wallet.
      2. (Optional) Enter a description.
      3. For Encryption key in <compartment-name>, select the encryption key to use. Click Change compartment to select an encryption key in a different compartment.
  5. Click Import.

Import a master encryption key wallet to an on premise GoldenGate instance

Ensure that you exported the source OCI GoldenGate deployment's master encryption key wallet.
To import a master encryption key wallet to an on premise GoldenGate instance:
  1. On the OCI GoldenGate Deployments page, select the source deployment.
  2. On the deployment details page, under Resources, click Master encryption key wallet actions.
  3. In the Master encryption key wallet actions list, select the exported wallet. You're brought to the Secret details page in your Vault.
  4. On the Secret details page, under Versions, open the Action menu (ellipsis icon), and then select View Secret contents.
  5. In the View Secret contents dialog, select Show decoded Base64 digit.
  6. Copy the contents of the text area.
  7. SSH into your on premise or Marketplace Oracle GoldenGate instance.
  8. Create a new text file (vi or other text editor) and then paste the Secret contents into the file.
  9. Run the Base64 command on the file you created (ensure that you replace <filename> with the name of your text file):
    base64 -d <filename> > cwallet.sso
  10. Copy or move cwallet.sso to the GoldenGate wallet directory.
You can now add and run a Replicat to receive the encrypted Trail file sent from the source OCI GoldenGate deployment.
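
The `base64 -w 0` export step and the `base64 -d` import step above, wrapped with an integrity check so that a truncated or altered paste is never installed as cwallet.sso. This is an added example, not part of Oracle's documentation or tooling. The function names `encode_wallet` and `restore_wallet` and the `.b64` file name are hypothetical, the sample wallet is constructed random data, and GNU coreutils (`base64 -w`, `sha256sum`) is assumed.

```shell
#!/usr/bin/env bash
# Added example, not Oracle tooling. encode_wallet / restore_wallet and the
# *.b64 file name are hypothetical; assumes GNU coreutils (base64 -w, sha256sum).

# encode_wallet <wallet-copy> <out.b64>
# Writes the single-line base64 for the Vault secret; prints the wallet SHA-256.
encode_wallet() {
  local wallet="$1" out="$2"
  ( umask 077; base64 -w 0 "$wallet" > "$out" ) || return 1
  sha256sum "$wallet" | cut -d' ' -f1
}

# restore_wallet <pasted.b64> <dest-wallet> <expected-sha256>
# Decodes to a private temp file and installs it only if the digest matches.
restore_wallet() {
  local src="$1" dest="$2" expected="$3" tmp actual
  tmp=$(mktemp "${dest}.XXXXXX") || return 1    # mktemp creates the file 0600
  if ! base64 -d "$src" > "$tmp" 2>/dev/null; then
    rm -f "$tmp"; echo "decode failed: paste is not clean base64" >&2; return 2
  fi
  actual=$(sha256sum "$tmp" | cut -d' ' -f1)
  if [ "$actual" != "$expected" ]; then
    rm -f "$tmp"; echo "digest mismatch: wallet not installed" >&2; return 3
  fi
  chmod 600 "$tmp" && mv -f "$tmp" "$dest"
}

# Demo on a constructed stand-in (random bytes, not a real cwallet.sso).
work=$(mktemp -d)
head -c 512 /dev/urandom > "$work/cwallet.sso.copy"
digest=$(encode_wallet "$work/cwallet.sso.copy" "$work/wallet.b64")
restore_wallet "$work/wallet.b64" "$work/cwallet.sso" "$digest" \
  && echo "wallet restored, sha256=$digest"
rm -rf "$work"
```

Carry the digest printed by `encode_wallet` to the target separately from the secret, and delete the intermediate `.b64` file once the secret has been created.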