ADD ENCRYPTIONPROFILE
Use ADD ENCRYPTIONPROFILE to add an encryption profile for Oracle Key Vault using Oracle GoldenGate.
An encryption profile is used to retrieve a master key from an external Key Management System (KMS). You can choose between Oracle Key Vault (OKV) and Oracle Cloud Infrastructure Keys Management System (OCIKMS). If there is no explicitly defined encryption profile, then a Local Wallet is used as the default profile.
For more information, see What is an Encryption Profile?
Syntax
ADD ENCRYPTIONPROFILE encryption-profile-name
  | OKV
      OKVPATH dir-path
      [KEYNAMEATTRIBUTE key-name-attribute]
      [KEYVERSIONATTRIBUTE key-version-attribute]
      MASTERKEY NAME masterkey-name
        [VERSION masterkey-version]
      [ TTL ttl]
  | OCIKMS (
      ENDPOINT endpoint
      TENANCY tenancy-ocid
      USER user-ocid
      APIKEY api-key
      FINGERPRINT fingerprint
      KEY key-OCID ) )
  [DEFAULT [ YES | NO ]]
- OKV options:
OKVPATH
- Specifies the directory where the Oracle Key Vault client is installed.
KEYNAMEATTRIBUTE
- Custom attribute used in the Oracle Key Vault server to specify the master key name.
KEYVERSIONATTRIBUTE
- Custom attribute used in the Oracle Key Vault server to specify the master key version.
MASTERKEY [NAME]
- Name of the master key. This value must match the key name in the KMS parameter in Oracle GoldenGate and cannot be changed once replication has started.
MASTERKEY [VERSION]
- Version of the master key. This must be a numeric value.
- OCI KMS options:
ENDPOINT
- Specify the cryptographic endpoint of the OCI KMS Vault.
TENANCY
- Specify the tenancy OCID.
USER
- Specify the OCID for the user.
APIKEY
- Specify the path to the file containing the OCI API signing key. The key is read from this file and sent to Oracle GoldenGate. If you need to change the OCI API key at some point, you can use the ALTER ENCRYPTIONPROFILE command.
KEY
- Specify the OCID of a key stored in your OCI KMS Vault. This is the key that Oracle GoldenGate uses for encryption (trail encryption).
FINGERPRINT
- Hash (MD5) of the API signing key.
DEFAULT
- Specifies the current encryption profile. If you set DEFAULT YES, then the encryption profile is set to be the current encryption profile. If you set DEFAULT NO, then the encryption profile is removed. If there is no explicitly defined current encryption profile (you set DEFAULT NO on the previously current one), then the implicit default profile is LocalWallet.
Note:
Do not upload keys with duplicate values of KeyName and KeyVersion. At the time of startup, restart, or rollover, Oracle GoldenGate processes retrieve the highest KeyVersion value.
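The APIKEY and FINGERPRINT options of an OCIKMS profile describe the same OCI API signing key, so both can be checked before the profile is added. The script below is an added example, not part of the Oracle documentation: it verifies that the key file is not accessible to group or others and prints the fingerprint as the colon-separated MD5 of the DER-encoded public key, the form OCI uses for API signing keys. The function names and the throwaway demo key are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Oracle's code): pre-flight checks for the key file named
# by APIKEY, and the matching FINGERPRINT value.

# Succeed only if group and others have no permissions on the key file.
key_is_private() {
    mode=$(ls -ldL -- "$1" 2>/dev/null | cut -c5-10)
    [ "$mode" = "------" ]
}

# Print the MD5 of the DER-encoded public key as colon-separated hex.
# Non-zero exit if the file does not parse as an RSA private key
# (a passphrase-protected key will prompt on a terminal).
oci_fingerprint() {
    [ -r "$1" ] || { echo "cannot read key file: $1" >&2; return 1; }
    openssl rsa -in "$1" -noout 2>/dev/null ||
        { echo "not an RSA private key: $1" >&2; return 1; }
    openssl rsa -in "$1" -pubout -outform DER 2>/dev/null |
        openssl md5 -c | sed 's/^.*= *//'
}

# Run both checks; refuse to print a fingerprint for an exposed key file.
check_api_key() {
    key_is_private "$1" ||
        { echo "key file is accessible to group/others: $1" >&2; return 2; }
    oci_fingerprint "$1"
}

# Pass a key path as $1 to check an existing key. With no argument, the demo
# runs on a throwaway key constructed here (not a real OCI credential).
if [ $# -gt 0 ]; then
    check_api_key "$1"
elif command -v openssl >/dev/null 2>&1; then
    demo_dir=$(mktemp -d) && demo_key=$demo_dir/oci_api_key.pem
    (umask 077; openssl genrsa -out "$demo_key" 2048 2>/dev/null)
    echo "FINGERPRINT $(check_api_key "$demo_key")"
    rm -rf "$demo_dir"
fi
```

The printed value should match the fingerprint that OCI displays for the uploaded public key; a mismatch means the file under APIKEY is not the key registered for the user.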