Register and Upload Master Keys in Oracle Key Vault

Advanced Encryption Standard (AES) 256 master keys can be generated externally and uploaded to the Oracle Key Vault.

Use the Oracle Key Vault REST utility to register or create the master keys, which Oracle GoldenGate can retrieve for trail file encryption and decryption.

For details, see Oracle Key Vault Automation with RESTful Services.

Here are the steps to register the master key using the REST utility:
  1. Register an AES 256 master key. The following is an example:

        java -jar okvrestservices.jar kmip
             --config ./conf/okvclient.ora
             --service reg_key -ENCRYPT,DECRYPT,TRANSLATE_ENCRYPT,TRANSLATE_DECRYPT,TRANSLATE_WRAP,TRANSLATE_UNWRAP
             --wallet OGG_WALLET
             --object /u01/key.txt

     The command returns the UID of the registered key, for example: 64B3AAD0-BE77-1821-E053-0100007FD178. Keep this UID; the following steps refer to the key by it.

     See Oracle Key Vault Use Case Scenarios for more information about registering and uploading master keys.

  2. Activate the master key, passing the UID returned when the key was registered. The following is an example:

        java -jar okvrestservices.jar kmip
             --config ./conf/okvclient.ora
             --service activate
             --uid A9917590-4F7C-4F5B-BF62-E7872C797638
  3. Add the Oracle GoldenGate master key name and version attributes to the key, as shown in the following example:

        java -jar okvrestservices.jar kmip
             --config ./conf/okvclient.ora
             --service add_custom_attr
             --uid 64B3AAD0-BE77-1821-E053-0100007FD178
             --attribute x-OGG-KeyName
             --type TEXT
             --value OGG_MASTER_KEY_NAME

        java -jar okvrestservices.jar kmip
             --config ./conf/okvclient.ora
             --service add_custom_attr
             --uid 64B3AAD0-BE77-1821-E053-0100007FD178
             --attribute x-OGG-KeyVersion
             --type TEXT
             --value 201

    Oracle GoldenGate identifies the master key for a particular deployment using the custom attributes, x-OGG-KeyName and x-OGG-KeyVersion.

  4. Specify the following Oracle Key Vault values in the new KMS global parameter. See Configuring Oracle GoldenGate:

    • The location of Oracle Key Vault home directory (OKV_HOME)

    • Name of the master key

    • Time-to-live

     An example with the Oracle Key Vault values is:

        KMS TYPE OKV KMS_VERSION 18.1 HOME /u01/app/okv_home MASTER_KEY_NAME OGG1 TTL 60mins

Note:

Do not register multiple keys with the same x-OGG-KeyName and x-OGG-KeyVersion.