1 About Oracle GoldenGate Security
Oracle GoldenGate has integrated security features. Understanding those features and the use cases they cover is an important first step when setting up a secure environment.
Oracle GoldenGate is offered in two different architectures:
- Microservices Architecture (MA)
  This is a REST API-based services architecture that allows you to configure, monitor, and manage Oracle GoldenGate services using a web interface or through REST API calls. Oracle recommends implementing MA to ensure the highest levels of security with Oracle GoldenGate.
  You can use MA to deploy, monitor, manage, and perform Extract and Replicat operations on trail data within your MA implementation. To learn more about MA, see Components of Oracle GoldenGate Microservices Architecture.
- Classic Architecture (CA)
  This is the original Oracle GoldenGate architecture for moving data effectively across numerous topologies. To learn more about Classic Architecture, see Components of Classic Architecture and the Oracle GoldenGate user guide for your database.
Oracle GoldenGate Microservices Architecture (MA) is the more secure of the two. This guide addresses MA-specific topics in the main chapters, while security aspects of the Classic Architecture are addressed in the appendix.
1.1 Overview of Security Options
You can use these security features to protect your Oracle GoldenGate environment and the data that is being processed.
| What to Secure | Security Features | Supported Databases | Supported Architecture | Description |
|---|---|---|---|---|
| Master Encryption Keys | Managing Data Encryption using Oracle Key Vault | All databases | Classic and Microservices | Manages the encryption of trail files by storing the master keys. |
| | | Master key and wallet method is the preferred method on platforms that support it. Not valid for NonStop platforms. | X | Encrypts the data in files, across data links, and across TCP/IP. Use one of the following: |
| User IDs and passwords (credentials) assigned to Oracle GoldenGate processes to log into a database. | Credential Store Identity Management | Credential store is the preferred password management method on platforms that support it. Not valid for NonStop platforms. | Microservices | User credentials are maintained in secure wallet storage. Aliases for the credentials are specified in commands and parameters. |
| Passwords specified in commands and parameter files that are used by Oracle GoldenGate processes to log into a database. | Password Encryption | Valid for all Oracle GoldenGate-supported databases and platforms. Blowfish must be used on the DB2 for i, DB2 z/OS, and NonStop platforms. On other platforms, the credential store is the preferred password-management method. | Classic | Encrypts a password and then provides for specifying the encrypted password in the command or parameter input. Use any of the following: |
| Oracle GoldenGate commands issued through GGSCI. | Command Authentication | Valid for all Oracle GoldenGate-supported databases and platforms. | X | Stores authentication permissions in an operating-system-secured file. Configure a |
| TCP/IP connection to untrusted Oracle GoldenGate host machines that are outside a firewall. | Trusted Connection | Valid for all Oracle GoldenGate-supported databases and platforms. | X | Use any of the following: |
| Access rules for Manager. | Manager Security | Valid for all Oracle GoldenGate-supported databases and platforms. | Classic | You can secure the following: |
| Select the cryptographic library that better suits your needs: portability (Classic), portability and compliance with the FIPS 140 standard (FIPS140), or enhanced throughput (Native). | CryptoEngine | Valid for all Oracle GoldenGate-supported databases and platforms (Classic and FIPS140). Valid for all Oracle GoldenGate-supported databases on Linux.x64 and Windows.x64 (Native). | Classic and Microservices | Selects which cryptographic library the Oracle GoldenGate processes will use. |
| MA REST Service Interface | Authentication | Valid for all Oracle GoldenGate-supported databases and platforms | Microservices | X |
| Communication Security | TLS and Secure Network Protocols | Valid for all Oracle GoldenGate-supported databases and platforms | Microservices | X |
| MA REST User Authorization | Authorization | Valid for all Oracle GoldenGate-supported databases and platforms | Microservices | X |
| Target-initiated Trails | Target-initiated trails for trusted environments | Valid for all Oracle GoldenGate-supported databases and platforms | Microservices | |
| Reverse Proxy | The reverse proxy only uses one port. See Configure Reverse Proxy with NGINX to Access Oracle GoldenGate Microservices. | Valid for all Oracle GoldenGate-supported databases and platforms | Microservices | X |
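As an added illustration of the two credential-handling rows above (it is not part of the Oracle documentation and is not Oracle's own sample), the following contrasts a Classic Architecture parameter file that embeds a plaintext database password, the same file using a password encrypted once with the ENCRYPT PASSWORD command, and the preferred credential-store form in which the parameter file carries only an alias resolved from the wallet. The user name ggadmin, the connect string orcl, the alias ggadmin_alias, the trail path and the table specification are assumed values, and the encrypted string is shown as a placeholder rather than real command output.

```text
-- Constructed example, not Oracle's own. Lines starting with -- are comments
-- in GoldenGate parameter files and OBEY files.

-- 1. Weak: a plaintext database password inside the Extract parameter file.
--    Anyone who can read dirprm/ext1.prm can read the password.
EXTRACT ext1
USERID ggadmin@orcl, PASSWORD ggadmin_pw
EXTTRAIL ./dirdat/aa
TABLE hr.*;

-- 2. Password Encryption (Classic Architecture): encrypt the password once in
--    GGSCI and place the returned string in the parameter file instead.
--    On DB2 for i, DB2 z/OS and NonStop the algorithm keyword must be BLOWFISH.
GGSCI> ENCRYPT PASSWORD ggadmin_pw AES128 ENCRYPTKEY DEFAULT
-- GGSCI prints the encrypted form; the placeholder below stands in for it.
EXTRACT ext1
USERID ggadmin@orcl, PASSWORD <encrypted-string-returned-by-ENCRYPT-PASSWORD>, AES128, ENCRYPTKEY DEFAULT
EXTTRAIL ./dirdat/aa
TABLE hr.*;

-- 3. Credential store (preferred where the platform supports it): the password
--    lives in the wallet, and the parameter file names only an alias.
--    The same ALTER CREDENTIALSTORE command is accepted by GGSCI and by the
--    Microservices Admin Client.
GGSCI> ADD CREDENTIALSTORE
GGSCI> ALTER CREDENTIALSTORE ADD USER ggadmin@orcl ALIAS ggadmin_alias DOMAIN OracleGoldenGate
-- PASSWORD is omitted on purpose: the command then prompts for it without
-- echoing, so the value is not written to shell history or command logs.
GGSCI> INFO CREDENTIALSTORE DOMAIN OracleGoldenGate
EXTRACT ext1
USERIDALIAS ggadmin_alias DOMAIN OracleGoldenGate
EXTTRAIL ./dirdat/aa
TABLE hr.*;
```

Of the three forms, only the third keeps the secret out of the parameter file entirely; reviewing dirprm for USERID ... PASSWORD lines that are not paired with an ENCRYPTKEY clause is a quick way to find parameter files still using the first form.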