Authentication and Authorization

Learn about the authentication and authorization features on the Oracle GoldenGate side and on the Database side when working with Oracle GoldenGate.

Oracle GoldenGate Authentication and Authorization

In Oracle GoldenGate Microservices, security is applied at both the authentication and authorization layers. Authentication (AN) includes tasks such as configuring the credential store with aliases as substitute for the userID and password, for logging into databases. Authorization (AZ) includes Oracle GoldenGate to Oracle GoldenGate communication, and tasks for network and server configuration.

All the security configurations and services are common to MA-based servers. These servers authenticate, authorize, and secure access to command and control, monitoring, data conveyance, and information service interfaces for Oracle GoldenGate.

Oracle GoldenGate Microservices provides an infrastructure for building service-aware applications to operate and integrate into global, cloud-based deployment environments

Oracle GoldenGate Authentication

The goal of an authenticated identity in Oracle GoldenGate is to establish identity authentication between users, applications, and Oracle GoldenGate Microservices deployments. The authentication design provides the option to either validate users and applications with certificates or user credentials stored as credential aliases (username and password pair).


Certificate Store and Credential Store used for Authentication

Authentication with User Credentials

User credentials (username, password) combination is stored in the credential store and is accessible using credential aliases, allowing users to keep the user ID and password ensconced in the credential store and only the alias to connect to an Oracle GoldenGate deployment or another application.

Strong password policy is implemented with guidelines to have 1 uppercase, 1 lowercase, 1 numeric, and 1 special character.

Authentication with Certificates

User authentication can be done with certificates when connecting between deployments. This authentication method is an alternative to using credential aliases (user ID, password) for authentication.

You can set up Certificate authentication when configuring a distribution path to connect the source deployment to a target deployment that is on a different network. This scenario is most common different organizations need to communicate over a secure network for data transfer. In this case, a distribution client (distclient) user with Operator role is created on the target deployment and the client certificate is stored on the source deployment. The distclient user presents the client certificate when connecting to the source deployment. This certificate is verified by the trusted rootCA certificate available on the target deployment and m-TLS is used by the source to validate the target server certificate. To learn more about setting up certificates for user authentication, see the Connecting Two Deployments Using External RootCA Certificate and Connecting Two Deployments Using External RootCA Certificate.

Also see the Add a Distribution Path section for steps used when configuring certificates for two separate deployments.

Certificate Management

When a client attempts to connect to a source or target database through a TCPS (Secure TCP) database connection service, Oracle GoldenGate uses TLS certificate-based authentication to authenticate the connection, as shown in the following diagram.


Oracle GoldenGate services authenticated using Server certificates. Clients authenticated with client certificates or credential alias

By default, Oracle GoldenGate uses self-signed certificates. However you can also install CA-signed server-side certificate for authentication.

For implementation, see Create Certificates for Secure Deployments.

You can also learn approaches that can be implemented when using certificates for connecting secure deployments, see the following quickstarts:

Connecting Two Deployments Using a Common RootCA Certificate

Connecting Two Deployments Using External RootCA Certificate

Authorization in Oracle GoldenGate

Authorization in Oracle GoldenGate relies on user roles. You can choose and assign from the following user roles when creating Oracle GoldenGate users.

Table 4-1 Oracle GoldenGate User Roles and Privileges

Role ID Privilege Level

User

Allows information-only service requests, which do not alter or effect the operation of either the MA. Examples of Query/Read-Only information include performance metric information and resource status and monitoring information.

Operator

Allows users to perform only operational actions, such as creating, starting and stopping resources. Operators cannot alter the operational parameters or profiles of the MA server.
Administrator

Grants full access to the user, including the ability to alter general, non-security related operational parameters and profiles of the server.

Security

Grants administration of security related objects and invoke security related service requests. This role has full privileges.
Oracle GoldenGate User Management

Oracle GoldenGate users that are created at different stages of deployment configuration, have different access functions for Oracle GoldenGate Microservices.

The first user for Oracle GoldenGate is set up from the Oracle GoldenGate Configuration (OGGCA) utility. This user can access the Service Manager and all Microservices for all deployments associated with the Service Manager on the host.

After you access the Service Manager using the first user, you can create users from the Administrator page of the Service Manager. Depending on the user role, you can enable users to access Oracle GoldenGate Microservices.

Here are some examples of accessing Oracle GoldenGate Microservices with different user roles:

  • Example 1: If you create a user with the Operator role in Administration Service, you cannot access the Service Manager with these credentials.

  • Example 2: If you create a user with the Operator role in the Service Manager, you cannot access the Administration Service with these credentials.

Database Authentication and Authorization

Learn about database authentication and authorization configurations required when setting up the database to work with Oracle GoldenGate.

Database Authentication

Database connections are managed with the USERIDALIAS parameter in Oracle GoldenGate. You cannot directly connect to the database from Oracle GoldenGate. The DBLOGIN USERIDALIAS, FETCHUSERIDALIAS, and MINNINGDBUSERIDALIAS contains username and password for any supported database, which is stored in Oracle GoldenGate credentialstore.

Kerberos Authentication

Oracle GoldenGate supports operating system level login for Oracle database. The support of Kerberos authentication is enabled on top of the existing OS level, as an external authentication feature.

For implementation details regarding Kerberos Authentication, see Configure Kerberos Authentication.