Encrypting Trail Files

Learn about using different Oracle key management systems available with Oracle GoldenGate.

Generate Master Keys and Encryption Key

Using Master Keys

You can generate the master key and encryption keys using the Key Management tab in the Configuration page of the Administration Service.

If you want to encrypt your data, then create a Master Key by clicking the + sign in the Master Key section. The master key is generated automatically.

You can change the status of the key to Available or Unavailable, by clicking the edit icon in the Master Key table. You can also delete the Master Key from the table by clicking the delete icon.

Using the Encryption Keys

To use this method of data encryption, you configure Oracle GoldenGate to generate an encryption key and store the key in a local ENCKEYS file. The ENCKEYS file must be secured through the normal method of assigning file permissions in the operating system. This procedure generates an AES encryption key and provides instructions for storing it in the ENCKEYS file.

To generate the ENCKEYS files, click the + sign in the Encryption Keys section. The Encryption Key is generated.

Key Management Service (KMS)

Oracle GoldenGate supports Oracle Key Vault (OKV) and Oracle Cloud Infrastructure Key Management Service (OCI KMS) methods to manage encryption keys.

Oracle GoldenGate Microservices Architecture supports a KMS to provide scalability in managing encryption keys and credentials, along with the security benefit that the key is neither stored nor managed by Oracle GoldenGate.

Oracle GoldenGate uses the encapsulation approach to encrypt trail files. It generates a data encryption key (DEK) for each trail file, known as the local key. An encrypted version of the local key is included in the trail file header, and a master key is used to encrypt the data encryption key. This process is called encapsulation encryption.

In Oracle GoldenGate, a KMS can be used to manage cryptographic keys within an enterprise.

Why Use KMS to Store Oracle GoldenGate Encryption Keys?

Oracle GoldenGate encryption of trail files is enhanced by using OKV or OCI KMS as the Key Management Service (KMS) to store master keys.

Each time Oracle GoldenGate creates a trail file, it generates a new encryption key automatically. This encryption key encrypts the trail contents. The master key encrypts the encryption key. This process of encrypting encryption keys is known as key wrap and is described in standard ANS X9.102 from the American Standards Committee.
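As an added illustration (not Oracle GoldenGate code), the following Go program models the encapsulation scheme described above: a fresh local key (DEK) for every trail file, wrapped under a named, versioned master key and carried in the trail header, with the reader looking the master key up by name and version before unwrapping. The header layout, the lookup callback standing in for the wallet or KMS fetch, and the use of AES-GCM as the wrapping primitive in place of ANS X9.102 key wrap are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// EncryptedTrail is a constructed layout: header = master key name/version + wrapped local key (DEK); body = data under the DEK.
type EncryptedTrail struct {
	MasterKeyName    string
	MasterKeyVersion uint32
	WrappedDEK       []byte // nonce || AES-GCM(masterKey, dek, aad = header fields)
	Body             []byte // nonce || AES-GCM(dek, trail data)
}

// NewRandomKey returns n random bytes (32 for an AES-256 master key or local key).
func NewRandomKey(n int) ([]byte, error) {
	k := make([]byte, n)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealWith encrypts under key with AES-GCM (assumed here in place of X9.102 key wrap) and prepends the nonce.
func sealWith(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, err := NewRandomKey(gcm.NonceSize())
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openWith reverses sealWith; a wrong key, altered ciphertext or mismatched aad fails authentication.
func openWith(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, fmt.Errorf("sealed data shorter than nonce")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// headerAAD binds the wrapped DEK to the key name and version in the header, so an edited header no longer unwraps.
func headerAAD(name string, version uint32) []byte {
	return []byte(fmt.Sprintf("%s:%d", name, version))
}

// EncryptTrail is the writer side (Extract): fresh DEK per trail file, data under the DEK, DEK wrapped under the master key.
func EncryptTrail(keyName string, keyVersion uint32, masterKey, data []byte) (*EncryptedTrail, error) {
	dek, err := NewRandomKey(32)
	if err != nil {
		return nil, err
	}
	wrapped, err := sealWith(masterKey, dek, headerAAD(keyName, keyVersion))
	if err != nil {
		return nil, err
	}
	body, err := sealWith(dek, data, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedTrail{MasterKeyName: keyName, MasterKeyVersion: keyVersion, WrappedDEK: wrapped, Body: body}, nil
}

// DecryptTrail is the reader side (Replicat, Logdump): lookup stands in for the wallet or KMS fetch of the named master key.
func DecryptTrail(t *EncryptedTrail, lookup func(name string, version uint32) ([]byte, error)) ([]byte, error) {
	masterKey, err := lookup(t.MasterKeyName, t.MasterKeyVersion)
	if err != nil {
		return nil, fmt.Errorf("master key retrieval: %w", err)
	}
	dek, err := openWith(masterKey, t.WrappedDEK, headerAAD(t.MasterKeyName, t.MasterKeyVersion))
	if err != nil {
		return nil, fmt.Errorf("unwrap local key: %w", err)
	}
	return openWith(dek, t.Body, nil)
}

func main() {
	masterKey, _ := NewRandomKey(32)
	trail, _ := EncryptTrail("OGG_Masterkey", 1, masterKey, []byte("constructed trail record"))
	data, err := DecryptTrail(trail, func(string, uint32) ([]byte, error) { return masterKey, nil })
	fmt.Printf("decrypted %q, err=%v\n", data, err)
}
```

Because the master key only ever wraps local keys, rotating it requires re-wrapping headers, not re-encrypting trail bodies.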

Key management refers to managing cryptographic keys within an enterprise. It deals with generating, exchanging, storing, using, and replacing keys as required. A KMS also includes key servers, user procedures, and protocols. The security of the enterprise is dependent upon successful key management.

The advantages of using KMS with Oracle GoldenGate are:
  • Centralized lifecycle management of master keys. You'll be able to generate and upload master keys to Oracle Key Vault directly using custom attributes and perform lifecycle maintenance tasks within the KMS directly.

  • Oracle GoldenGate doesn't need to store the master keys locally and is not involved in the lifecycle management of the master keys.

  • Oracle GoldenGate can leverage the specialized KMS features that provide key management with several layers of security.

Create and Apply Encryption Profile in a Deployment

In Oracle GoldenGate, the encryption profile is used to define which trail encryption method to use.

An encryption profile is the configuration information that is used to retrieve a master key from a local wallet or a Key Management Service (KMS) such as OKV or OCI KMS. Encryption profile configuration is only available with Microservices Architecture.

The following methods are available for managing encryption of master keys:
  • Local Wallets

  • Key Management Systems:
    • Oracle Key Vault

    • Oracle Cloud Infrastructure

Each Extract and Replicat process is associated with an encryption profile. If you haven't specified any other encryption profile, the default encryption profile, which is stored in the local wallet, is used.

If you use a different encryption profile, which uses a KMS, then it includes all the information necessary to connect and authenticate to the KMS server. It also contains the details necessary to retrieve the particular master key that will be used for encryption and decryption. Any KMS uses an authentication token to access its APIs. Oracle GoldenGate Microservices Architecture stores this access token as a credential. This credential is created using the encryption profile in Microservices Architecture.

Oracle GoldenGate processes need to make a request to the Key Management Service (KMS) each time a trail file is opened.

  • For Oracle Key Vault (OKV), the encryption profile parameter time to live (TTL) is used to keep the master key in memory until the TTL has been reached.

  • In OCI KMS, the actual master key is never returned and instead the client sends the data to encrypt or decrypt. Thereafter, the server returns the result to the client.

An encryption profile is used by the Oracle GoldenGate processes to encrypt or decrypt depending on whether the processes are writing or reading trail files.
  • Extract: Encrypt (writer)

  • Replicat: Decrypt (reader)

  • Distribution Service Path (DISTPATH): Encrypt/Decrypt (writer/reader)

  • LogDump: Decrypt (reader)

Configure an Encryption Profile

Oracle GoldenGate Administration Service provides options to set up encryption profiles for managed Extract and Replicat processes.

To set up the encryption profile, click Profile from the navigation pane and then select the Key Management System (KMS) tab.
  1. By default, the Local Wallet profile is created. If you select the Local Wallet encryption profile, you'll see its options, which you can edit using the pen icon.

    Option                   Description
    Description              A description of the local wallet.
    Default Profile          This option is enabled by default. You can choose to disable it.
    Encryption Profile Type  This option cannot be changed for the local wallet.
    Masterkey Name           OGG_DEFAULT_MASTERKEY is the default master key for the local wallet. You cannot edit this value.
    Masterkey Version        The master key version number. The value is set to LATEST and cannot be changed.

  2. Click the + sign next to Profile to create an encryption profile by specifying the following details:

    Option                   Description
    Profile Name             Name of the encryption profile.
    Description              Description of the encryption profile.
    Default Profile          If you want to make this profile the default, then enable this option.
    Encryption Profile Type  Available options are Oracle Key Vault (OKV) and Oracle Cloud Infrastructure (OCI).

  3. Before you set up OKV, you need to perform a client installation. See Step 1: Configure the Oracle Key Vault Server Environment in the Oracle Key Vault Administrator's Guide.

    OKV Configuration Options

    Options to set up Oracle Key Vault (OKV):

    Option                    Description
    KMS Library Path          Specify the directory location where Oracle Key Vault is installed.
    Oracle Key Vault Version  Specify the supported Oracle Key Vault version.
    Masterkey Name            Specify the name of the master key.
    Time to Live              Time to live (TTL) for the key retrieved by Extract from the KMS. When encrypting the next trail, Extract checks whether the TTL has expired. If so, it retrieves the latest version of the master key. The default is 24 hours.

  4. For configuring the encryption profile for OCI KMS, see Using OCI KMS Trail File Encryption in Oracle GoldenGate.

Using Oracle Key Vault Trail File Encryption in Oracle GoldenGate

Learn about the benefits of using Oracle Key Vault (OKV) with Oracle GoldenGate Microservices Architecture. Determine the system requirements, processes and parameters available with Oracle GoldenGate for configuring OKV with Oracle GoldenGate.

Oracle Key Vault Capabilities

The following table provides the behavior and capabilities of Oracle Key Vault (OKV).

For more information about configuring OKV, see Installing and Configuring Oracle Key Vault.

KMS Name          KMS Type                                      Support Tags  Support Importing of Keys
Oracle Key Vault  Keyname and custom attributes for versioning  Yes           Yes

Prerequisites for Configuring OKV on Oracle GoldenGate

Learn the prerequisites for setting up OKV with Oracle GoldenGate.

The following steps belong to the OKV configuration on the machine where the Oracle GoldenGate instance is running:

  1. Download okvrestservices.jar from the OKV server to the host where Oracle GoldenGate is deployed, as the same system user as the deployment.

  2. Download and install the endpoint file, okvclient.jar, from the OKV server on the host where Oracle GoldenGate is deployed, as the same system user as the deployment. For example,

    OS> java -jar okvclient.jar -d /u01/app/oracle/OKV

  3. Create the key. The name of the wallet is provided by the OKV administrator. The following example shows how the key is created; the UID printed on the last line identifies the new key and is used in the following steps:
    OS> java -jar okvrestservices.jar kmip \
            --config /u01/app/oracle/OKV/conf/okvclient.ora \
            --service create_key \
            --algorithm AES \
            --length 256 \
            --mask "ENCRYPT,DECRYPT,TRANSLATE_ENCRYPT,TRANSLATE_DECRYPT,TRANSLATE_WRAP,TRANSLATE_UNWRAP" \
            --wallet OKV_WALLET
    76876ABA-B06D-4F35-BF7C-D9306D29764B
    Alternatively, you can register your own key, as shown in the following example:
    OS> java -jar okvrestservices.jar kmip \
            --config ./conf/okvclient.ora \
            --service reg_key \
            --mask "ENCRYPT,DECRYPT,TRANSLATE_ENCRYPT,TRANSLATE_DECRYPT,TRANSLATE_WRAP,TRANSLATE_UNWRAP" \
            --wallet OGG_WALLET \
            --object /u01/key.txt
    64B3AAD0-BE77-1821-E053-0100007FD178
  4. Set the OKV_HOME environment variable.

    OS> setenv OKV_HOME /u01/app/oracle/OKV

    The sub-directory structure contains the necessary libraries, binaries, and configuration files for the OKV environment. See Oracle Key Vault Installation and Configuration in the Oracle Key Vault Administration Guide for details about the configuration within the OKV server.

  5. Activate the key as shown in the following example:
    OS> java -jar okvrestservices.jar kmip \
            --config /u01/app/oracle/OKV/conf/okvclient.ora \
            --service activate \
            --uid 76876ABA-B06D-4F35-BF7C-D9306D29764B
    INFO: Success
  6. Add the Oracle GoldenGate related key attributes (KeyName, KeyVersion) to the configuration. The KeyName value must match the master key name in the KMS encryption profile created within Oracle GoldenGate. The KeyVersion value must match the version number of the master key.

    OS> java -jar okvrestservices.jar kmip \
            --config /u01/app/oracle/OKV/conf/okvclient.ora \
            --service add_custom_attr \
            --uid 76876ABA-B06D-4F35-BF7C-D9306D29764B \
            --attribute x-OGG-KeyName \
            --type TEXT \
            --value OGG_Masterkey
    INFO: Success
    OS> java -jar okvrestservices.jar kmip \
            --config /u01/app/oracle/OKV/conf/okvclient.ora \
            --service add_custom_attr \
            --uid 76876ABA-B06D-4F35-BF7C-D9306D29764B \
            --attribute x-OGG-KeyVersion \
            --type TEXT \
            --value 1
    INFO: Success
  7. Use okvutil to list the configuration settings and check the endpoint status, as shown in the following example:

    OS>okvutil list -v 4
    okvutil version 18.2.0.0.0
    Endpoint type: Oracle (non-database)
    Configuration file: /u01/app/oracle/OKV/conf/okvclient.ora
    Server: 10.245.64.45:5696 10.245.64.46:5696
    Standby Servers:Read Servers: 10.245.64.48:5696
    Auto-login wallet found, no password needed
    Trying to connect to 10.245.64.45:5696 ...
    Connected to 10.245.64.45:5696.
    Unique ID Type Identifier
    72B673E8-840B-4AD6-8400-CB77B68D74B5 Template Default template for OGG_EP
    76876ABA-B06D-4F35-BF7C-D9306D29764B Symmetric Key -

The next steps are managed within Oracle GoldenGate and are shown as an implementation from the Admin Client.

Requirements for Setting up an Encryption Profile

This topic describes the requirements when configuring an encryption profile in Oracle GoldenGate.

You can create multiple encryption profiles within a deployment, but an Oracle GoldenGate process (Extract, Replicat, distribution path) can only use one encryption profile at a time. For distribution paths using filtering, decryption is done to apply the filters but the output trail file remains encrypted. In PASSTHRU, a distribution path will not attempt to use the encryption profile or decrypt the trail file unless explicitly specified.

Any of the existing encryption profiles within a deployment can be set as the default profile. This default profile is only relevant during the creation of an Extract, Replicat or Distribution Path processes. If an encryption profile is not explicitly specified during the creation of a process, the current default profile is assigned to the new process. Changing the default profile does not update the encryption profile assigned to any existing Oracle GoldenGate processes.

Note:

It is advised not to change the encryption profile or master key of a process that has already processed trail files.

The Administration Service web interface allows you to manage your encryption profiles. You cannot modify an encryption profile. If you need to change it, you must delete and add a new profile using the Administration Service.

You can configure encryption profiles from the Administration Service or the Admin Client.

Tool to Set up Encryption Profile  Description
Administration Service             To configure the encryption profile using the Administration Service, see Configure an Encryption Profile.
Admin Client                       The Admin Client commands used to set up the encryption profile for Extract, Replicat, and Distribution Path include ADD ENCRYPTIONPROFILE, ALTER ENCRYPTIONPROFILE, DELETE ENCRYPTIONPROFILE, and INFO ENCRYPTIONPROFILE.

In addition, the ADD and ALTER commands for Extract, DISTPATH, and Replicat have been extended to include the parameter ENCRYPTIONPROFILE encryption-profile-name.

To know more, see Admin Client Command Line Interface Commands in Command Line Interface Reference for Oracle GoldenGate.

Client Behavior Against Different Key States for Oracle Key Vault

This topic describes the behavior of the reader and writer client processes depending on the state of the encryption key.

A key can be in the following states; for each state, the behavior of the trail writer (encryption) and the trail reader (decryption) is listed:

  Active
    Trail writer (encryption): chooses the highest version number in Active state for encryption.
    Trail reader (decryption): can use this key and version number to decrypt the trail.

  Preactive
    Trail writer (encryption): ignores key version numbers in this state and does not consider them.
    Trail reader (decryption): not applicable.

  Deactivated
    Trail writer (encryption): none.
    Trail reader (decryption): retrieves the key and decrypts the trail even if the key and version number are deactivated or compromised.

  Compromised
    Trail writer (encryption): none.
    Trail reader (decryption): retrieves the key and decrypts the trail even if the key and version number are deactivated or compromised.

  Destroyed
    Trail writer (encryption): none.
    Trail reader (decryption): generates an error and abends if the key and version number required to decrypt are in the destroyed or destroyed-compromised state.

  Destroyed-Compromised
    Trail writer (encryption): none.
    Trail reader (decryption): raises an error and abends if the key and version number required to decrypt are in the destroyed or destroyed-compromised state.
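To make the rules concrete, here is an added Go model (not Oracle GoldenGate code) of the writer and reader columns above together with the encryption profile TTL behavior described under Configure an Encryption Profile: the writer picks the highest Active version and reuses it for new trail files until the TTL expires, while the reader accepts Active, Deactivated and Compromised versions and abends on Destroyed or Destroyed-Compromised ones. The KeyVersion type and the Fetch and Now callbacks are assumptions standing in for the OKV calls and the system clock.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// KeyState mirrors the Oracle Key Vault key states in the table above.
type KeyState string

const (
	Active               KeyState = "Active"
	Preactive            KeyState = "Preactive"
	Deactivated          KeyState = "Deactivated"
	Compromised          KeyState = "Compromised"
	Destroyed            KeyState = "Destroyed"
	DestroyedCompromised KeyState = "Destroyed-Compromised"
)

// KeyVersion is one version of a named master key as the KMS reports it (assumed shape).
type KeyVersion struct {
	Name    string
	Version int
	State   KeyState
}

// ChooseWriterKey applies the writer column: only Active versions are considered and the
// highest Active version number is chosen; with no Active version there is nothing to encrypt with.
func ChooseWriterKey(versions []KeyVersion) (KeyVersion, error) {
	var best *KeyVersion
	for i := range versions {
		v := &versions[i]
		if v.State != Active {
			continue
		}
		if best == nil || v.Version > best.Version {
			best = v
		}
	}
	if best == nil {
		return KeyVersion{}, errors.New("no master key version in Active state")
	}
	return *best, nil
}

// CheckReaderKey applies the reader column to the key version named in a trail header:
// Active, Deactivated and Compromised still decrypt; Destroyed and Destroyed-Compromised abend;
// Preactive never appears in a header and is reported as not applicable.
func CheckReaderKey(v KeyVersion) error {
	switch v.State {
	case Active, Deactivated, Compromised:
		return nil
	case Destroyed, DestroyedCompromised:
		return fmt.Errorf("%s version %d is %s: trail cannot be decrypted, abend", v.Name, v.Version, v.State)
	default:
		return fmt.Errorf("%s version %d is %s: not applicable for decryption", v.Name, v.Version, v.State)
	}
}

// WriterKeyCache models the OKV encryption profile TTL: the key chosen at the last fetch is
// reused for new trail files until TTL expires, then the versions are fetched again.
type WriterKeyCache struct {
	TTL       time.Duration
	Fetch     func(name string) ([]KeyVersion, error) // stands in for the KMS call
	Now       func() time.Time                         // injectable clock
	cached    KeyVersion
	fetchedAt time.Time
	valid     bool
}

// KeyForNewTrail is called each time a trail file is opened for writing.
func (c *WriterKeyCache) KeyForNewTrail(name string) (KeyVersion, error) {
	if c.valid && c.Now().Sub(c.fetchedAt) < c.TTL {
		return c.cached, nil
	}
	versions, err := c.Fetch(name)
	if err != nil {
		return KeyVersion{}, err
	}
	chosen, err := ChooseWriterKey(versions)
	if err != nil {
		return KeyVersion{}, err
	}
	c.cached, c.fetchedAt, c.valid = chosen, c.Now(), true
	return chosen, nil
}

func main() {
	versions := []KeyVersion{
		{"OGG_Masterkey", 1, Deactivated},
		{"OGG_Masterkey", 3, Preactive},
		{"OGG_Masterkey", 2, Active},
	}
	chosen, err := ChooseWriterKey(versions)
	fmt.Println(chosen, err, CheckReaderKey(versions[0]))
}
```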

Using OCI KMS Trail File Encryption in Oracle GoldenGate

Learn about the prerequisites, requirements, and steps to configure an OCI KMS encryption profile in Oracle GoldenGate to allow trail file encryption using OCI KMS with Extract, Replicat, or Distribution Path processes.

Oracle GoldenGate with OCI KMS Workflow

The following diagram explains how Oracle GoldenGate works with OCI KMS for trail file encryption.

The diagram shows setting up an OCI KMS encryption profile in Oracle GoldenGate, attaching the encryption profile to Extract, and including the ENCRYPTTRAIL parameter in the Extract parameter file to specify the encryption algorithm.

This diagram shows the source deployment EAST containing an Extract associated with the OCI KMS encryption profile. To create the encryption profile in Oracle GoldenGate, the OCI user needs to access the OCI tenancy and get some values from the OCI vault and generate the master key and the API key for the OCI user.

The OCI vault contains information about the tenancy OCID, user OCID, and cryptographic endpoint URL used for downloading the digital CA certificate. The master key associated with the vault is also generated from the OCI vault. The API key pair is also required, which you can generate from the OCI tenancy or upload an existing key pair. See Configure OCI KMS to Connect with Oracle GoldenGate for details.

After you have saved all the values from the OCI tenancy, you can create an encryption profile in Oracle GoldenGate Administration Service. This encryption profile is then associated with the Extract and the Extract parameter file applies the encryption algorithm (AES 128, AES 192, AES 256) that you have decided to apply, using the ENCRYPTTRAIL parameter. The encrypted trail file is transported by the DISTPATH to the target deployment (WEST). The Replicat parameter file on the target deployment (WEST) includes the DECRYPTTRAIL parameter, which allows decrypting the trail file. See Configure Oracle GoldenGate Processes to Enable OCI KMS Trail File Encryption.

Prerequisites for Connecting Oracle GoldenGate with OCI KMS

Perform the tasks in this section before you begin configuring an OCI KMS encryption profile in Oracle GoldenGate.

Download the CA Certificate using the Cryptographic Endpoint

To perform the steps in this topic, you need to have a Vault in your OCI tenancy where the cryptographic endpoint URL is listed. This URL is required to download the digital CA certificate for establishing a trusted connection from Oracle GoldenGate to the OCI tenancy. If you don't have an existing vault, then see Create or Access the OCI Vault, and return to this topic for the steps to download the CA certificate using the cryptographic endpoint.

If you have an existing Vault in your OCI tenancy, then follow the steps provided in this topic, to download the CA certificate using the cryptographic endpoint.

  1. Navigate to Identity & Security page from the left-navigation pane and select Vault to open the Vault Information page.

  2. From the Vault Information page, copy the cryptographic endpoint value and OCID.

  3. Open a web browser and paste the cryptographic endpoint value in the browser URL bar. The browser does not display any page. However, you can click Connection is secure to view the CA certificate.

    Download all the CA certificate information from the cryptographic endpoint for SSL/TLS connection.

    This CA certificate is required by Oracle GoldenGate to be able to trust this OCI tenancy when connecting to it.

  4. Go to the Downloads section of the web browser. The CA certificates are listed here.

    View and export the Root certificate

  5. Click Export to download the Root certificate.

    Tip:

    Keep the same directory for downloading the API key and the Root certificate.

Add the Digital CA Certificate as a Trusted CA Certificate in Oracle GoldenGate

The digital CA certificate that you downloaded previously using the cryptographic endpoint URL needs to be added to the Oracle GoldenGate source deployment as a trusted CA certificate. See Set Up Trusted Certificates.

Note:

In OCI GoldenGate Service, you can skip this step as the CA certificate is already added as part of the service.

From the Oracle GoldenGate Service Manager, perform the following steps to add the digital CA certificate as a trusted CA certificate for the source deployment:
  1. Log in to Oracle GoldenGate Service Manager.

  2. From the left-navigation pane, select the Certificate Management option.

    Certificate Management page in Oracle GoldenGate Service Manager

    As of now, there is no certificate added as a trusted certificate to connect to the specific OCI tenancy. You will need to add the root certificate that you had downloaded in step of

  3. Add the root certificate as a trusted certificate to the CA Certificates in the Oracle GoldenGate deployment. This enables Oracle GoldenGate to trust a connection with the specific OCI tenancy. See also Add a CA Certificate.

    Add the root certificate as a trusted certificate to the CA certificates in the GoldenGate deployment

Configure OCI KMS to Connect with Oracle GoldenGate

From the OCI KMS tenancy, certain values are needed to set up a connection between Oracle GoldenGate and OCI KMS. These values are:
  • Tenancy ID

  • Cryptographic Endpoint

  • User OCID

  • API Key

Before configuring Oracle GoldenGate to connect with OCI KMS, you need to log in to the OCI tenancy to perform the following tasks:
  • Create a vault, if not already created, and get the cryptographic endpoint and User OCID values. See

  • Create and download an API private key pair and information associated with the API key such as the fingerprint and API key value.

  • Download the CA certificate using the cryptographic endpoint. This step is also a prerequisite for configuring Oracle GoldenGate encryption profile. See Download the CA Certificate using the Cryptographic Endpoint for details.

Use the following steps to view and save the OCI KMS values, which are required while setting up Oracle GoldenGate processes for connecting to OCI KMS:

Create or Access the OCI Vault

Access the vault if it already exists in your OCI tenancy to determine the values for:
  • Cryptographic Endpoint: This is the link from where you need to obtain the trusted certificate. Copy this link for use in the later steps.

  • OCID: This is the unique ID for your OCI environment. It will be required while setting up the encryption profile in Oracle GoldenGate.

Use the following steps to create and access the vault:
  1. Log in to your Oracle Cloud account.

  2. From the left-navigation pane of the Oracle Cloud home page, click the Identity & Security option and then select Vault.

  3. Click Create Vault to create a vault, if you haven't already created a vault. In this case, the vault (WSJCVAULT) is already created.

    OCI KMS Key Vault

  4. Click the vault name, for example WSJCVAULT shown in the following image, to access the information regarding the vault OCID, cryptographic endpoint, and master key details. In the following image, the General Information section contains the OCID and cryptographic endpoint details, and the Master Encryption Keys in the Compartment_WH section displays the master key details.

    Obtain the cryptographic endpoint from the General Information section of the OCI vault.

    From this page, you get the values required to set up a trusted connection between Oracle GoldenGate and OCI KMS. Copy this information to a notepad for reference.

Generate the Master Key and Download the API Private Key

The following steps assume that you are already logged into your OCI tenancy.

Generate Master Key

To create the master key:
  1. Navigate to the Vault Information page.

  2. Click Create Key to display the Create Key page.

  3. Specify the name of the master key and the encryption algorithm, among other details, to create a master key, as shown in the following image.

    Create a master key.

  4. Click Create Key. This generates the master key that would be used by Oracle GoldenGate.

Generate API Key

To connect the user with OCI KMS, create an API key using the following steps:

  1. From the Vault Information page, click the User Settings icon in the top-right corner.

    User Settings icon on the Vault Information page to create an API key for the user to connect to OCI KMS.

  2. Click the API Key option in the Resource section of the left panel to open the API Keys section.

    User Settings page with the API Keys section to apply an existing key or generate an API key pair.

  3. Click Add API Key to open the Add API Key dialog box.

  4. Select the Generate the API key Pair option to create a key pair for the OCI user to connect with OCI KMS. You also have the option to upload an existing public key file using the Choose Public Key File option, or to paste the value of the public key in the text box using the Paste Public Key option.

    Create an API key for the OCI user to allow access to the OCI KMS key.

  5. Click Download Private Key and keep it in a known location. You can rename the file to a user-friendly name such as API_private_key.pem.

  6. Click Add. This displays the Configuration File Preview dialog box, which contains all information associated with the API key such as the fingerprint, tenancy, region and other details. Copy and save these values in notepad.

    Tip:

    Maintain the same notepad file to store information about the API key's fingerprint, tenancy value and the information about the cryptographic endpoint and OCID values for the OCI vault.

    Configuration File Preview dialog box containing fingerprint, tenancy, and other details.

  7. Click Close to return to the API Keys section where the new API key is listed.

    New API key is listed.

The next step is to set up the Oracle GoldenGate encryption profile using all these details and then apply the encryption profile to Extract and Replicat processes, as needed. See Configure Oracle GoldenGate Processes to Enable OCI KMS Trail File Encryption for the next steps.

To learn about the OCI KMS encrypt and decrypt endpoints, see /encrypt and /decrypt endpoint documentation in Oracle Cloud Infrastructure Documentation.

Configure Oracle GoldenGate Processes to Enable OCI KMS Trail File Encryption

Before beginning the steps in this section, make sure that you have completed the Prerequisites for Connecting Oracle GoldenGate with OCI KMS.

In the Oracle GoldenGate interface, perform the following tasks when configuring Oracle GoldenGate to set up a trusted connection with OCI KMS:
  • Create an encryption profile using the OCID, cryptographic endpoint, API key, tenancy, and fingerprint values.

  • Apply the encryption profile to Extract, Distribution Path, or Replicat processes.

Use the following steps to apply OCI KMS-based trail encryption from Oracle GoldenGate Microservices Architecture:

Create Encryption Profile in Oracle GoldenGate Processes

Use the following steps to apply OCI KMS-based trail file encryption from Oracle GoldenGate Microservices Architecture web interface:

  1. Log in to the Administration Service and select the Profile option from the left-navigation pane.

  2. Click the Key Management System (KMS) tab.

    Key Management System (KMS) tab used to create an encryption profile from Oracle GoldenGate Administration Service

  3. Open the notepad file where you saved the details for the OCI KMS API key and crypto endpoint. See step 8 for reference in Configure OCI KMS to Connect with Oracle GoldenGate. The following image displays the values obtained from the API Configuration File Preview dialog box:

    API configuration details obtained from the Configuration File Preview dialog box.

    The information would include the following values:

    • Crypto Endpoint URL: This value is displayed in the Vault page of OCI KMS.

    • Tenancy OCID: This value can be obtained from the API values that were copied in the notepad file.

    • Key OCID: To obtain this value:

      1. Go to the OCI Vault page and click the API key to open the key details page where the OCID for the API key is provided.

        Obtain Key OCID

      2. Copy the API private key OCID from the Key Details page.

        API Key OCID value displayed in the OCI console's key details page.

    • User OCID: Obtain this value from the API configuration details.

    • API Private Key: Upload the API Private Key from the location where you saved it while performing tasks in Configure OCI KMS to Connect with Oracle GoldenGate.

    • API Key Fingerprint: Obtain this value from the API configuration details.

  4. Validate the encryption profile.

    Validate the encryption profile.

    You will see a message box similar to the following confirming that the validation of the encryption profile was successful.

    Message for successful validation of the encryption profile

Apply the OCI KMS Encryption Profile for Extract

Use the following steps to implement the OCI KMS encryption profile for Extract:

  1. From the Administration Service Overview page, click Add Extract.

  2. After providing the other details for the Extract, scroll down, expand the Encryption Profile section, and select the OCI KMS profile, for example OCIKMST1.

    Select the encryption profile with OCI KMS configuration when creating Extract, Replicat, or Distribution Path processes.

  3. In the Extract parameter file, include the ENCRYPTTRAIL AES256 option. The Extract parameter file would look similar to the following:

    EXTRACT ktst
    USERIDALIAS ggwest DOMAIN OracleGoldenGate
    ENCRYPTTRAIL AES256
    EXTTRAIL tt
    TABLE WPDB.U1.*;
  4. Click Create to add Extract and then start the Extract.

  5. On the target host, select Add Replicat from the Administration Service Overview page to add a Replicat.

  6. Select the type of Replicat and populate the Replicat details.

  7. Scroll to the Encryption Profile section, and select the same OCIKMS encryption profile (in this case OCIKMSTS1). Click Next.

  8. In the Replicat parameter file, include the DECRYPTTRAIL option. The Replicat parameter file looks similar to the following:
    REPLICAT renct
    USERIDALIAS ggeast DOMAIN OracleGoldenGate
    DECRYPTTRAIL
    MAP WPDB.U1.*, TARGET U2.*;
  9. Create and then start the Replicat process.

  10. If you want to apply the encryption profile on a Distribution Path (DISTPATH), then you need to do the following steps:
    1. Create the OCI KMS encryption profile on the target host.

    2. Create the DISTPATH and apply the OCI KMS encryption profile to it. See Add a Distribution Path.

    3. Use the same encryption profile to decrypt the trail on the target. This implies that you use the encryption profile created on the target host, while adding a Replicat.

The next section describes steps to test that the committed transactions are captured and applied when using an encryption profile.

See ADD ENCRYPTIONPROFILE, ALTER ENCRYPTIONPROFILE if you want to set up the encryption profile using the Admin Client.

Test Data Replication with Trail File Encryption Using OCI KMS

Test the trail file encryption on the source side and trail file decryption on the target side using the steps given in this topic.

Test Trail File Encryption in the Source Deployment

In Configure Oracle GoldenGate Processes to Enable OCI KMS Trail File Encryption, the Extract is set up with the OCI KMS encryption profile.

In this example, you will be able to confirm that the encryption profile is being used by Extract by viewing the Extract report file.

To check if Extract is using the OCI KMS encryption profile:
  1. From the Administration Service, click Extract, Details, Report tab to view the Extract report file.

    Extract report file showing the use of the OCI KMS encryption profile.

  2. For troubleshooting purposes, you can check if the trail file is encrypted at source, using Logdump commands. See the Scanning a Trail File to Check for Trail File Encryption from the Logdump Reference for Oracle GoldenGate.

Test the Trail File Decryption on the Target Deployment
On the target side, the following example tests that Replicat applies the 3000 transactions that were captured from source. To make sure that the Replicat is using the OCI KMS encryption profile to decrypt the trail file, check the Replicat report file.
  1. From the Administration Service Overview page, click Replicat, Details, Statistics.

  2. On the Statistics page, the applied transactions are displayed as shown in the following figure:

    Applied transactions are displayed in the Replicat Statistics

  3. Check the Replicat report file to see if the encryption profile is implemented and used by the Replicat.

    Replicat report file showing OCI KMS encryption and data replication

    Tip:

    To check if the trail data is received in encrypted format on the target, you can run Replicat without the DECRYPTTRAIL parameter. In this case, the Replicat report file shows that the trail data is encrypted and could not be decrypted without the proper key settings.

With these use cases, you can test that the trail file on the Extract side is using OCI KMS encryption profile to encrypt the trail data. On the Replicat side, the OCI KMS encryption profile is used to decrypt the trail data and apply the transactions on the target.