Managing Identities in a Credential Store
Oracle GoldenGate uses credential stores to maintain encrypted database passwords and user IDs and associate them with an alias.
It is the alias, not the actual user ID or password, that is specified in a command or parameter file. No user input of an encryption key is required within the Oracle Credential Store Framework (CSF) embedded into Oracle GoldenGate.
A credential store can be used across multiple deployments with the same Service Manager user access, while retaining control over their local credentials.
You can partition the credential store into logical containers known as domains, for example, one domain per installation of Oracle GoldenGate. Domains enable you to develop one set of aliases and then assign different local credentials to those aliases in each domain. For example, credentials for user ogg1 can be stored as ALIAS ext under DOMAIN system1, while credentials for user ogg2 can be stored as ALIAS ext under DOMAIN system2.
Specify the Alias in a Parameter File or Command
The following commands and parameters accept an alias as a substitute for a login credential.
Table 10-2 Specifying Credential Aliases in Parameters and Commands
Purpose of the Credential | Parameter or Command to Use |
---|---|
Oracle GoldenGate database login. | USERIDALIAS |
Oracle GoldenGate database login for a downstream Oracle mining database. | TRANLOGOPTIONS MININGUSERALIAS |
Password substitution for | DDLOPTIONS DEFAULTUSERPASSWORDALIAS |
Oracle GoldenGate database login from the Admin Client. | DBLOGIN USERIDALIAS |
Oracle GoldenGate database login to a downstream Oracle mining database from the Admin Client. | MININGDBLOGIN USERIDALIAS |
Encrypt and Store User Credentials
As you set up and install Oracle GoldenGate, you must occasionally log in to the database by using the DBLOGIN command, for tasks such as adding supplemental logging with the ADD TRANDATA command.
Encrypting the login password is a recommended security measure. However, using a secure password in the standard DBLOGIN command requires first encrypting it by using the ENCRYPT PASSWORD command. To avoid this step while protecting the user ID from exposure, you can create an Oracle GoldenGate credential store before you start setting up and configuring the user credentials.
When you use a credential store, you only have to supply an alias for the login credential whenever you log in with DBLOGIN.
The credential store also makes the work of specifying login credentials for the Extract and Replicat processes easier and more secure when configuring the parameter files. You can create basic entries in the credential store at first and then use the management commands to expand it as needed. You can create an encryption profile using the Admin Client to set up your credential store.
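As an added example (not Oracle's code), the following audit reads the text of a parameter file, flags lines that still carry a literal credential, and lists the alias and domain pairs it references, using the alias forms from Table 10-2. The literal-credential keywords USERID, MININGUSER and DEFAULTUSERPASSWORD are not shown on this page and are assumed here to be the counterparts of those alias forms, the "--" comment handling is likewise an assumption, and the sample files and the name audit_params are constructed for illustration.

```python
import re

# Literal-credential keywords and the alias form Table 10-2 lists for each.
CLEARTEXT_TO_ALIAS = {
    "USERID": "USERIDALIAS",
    "MININGUSER": "TRANLOGOPTIONS MININGUSERALIAS",
    "DEFAULTUSERPASSWORD": "DDLOPTIONS DEFAULTUSERPASSWORDALIAS",
}
ALIAS_RE = re.compile(
    r"\b(USERIDALIAS|MININGUSERALIAS|DEFAULTUSERPASSWORDALIAS)\s+([^\s,]+)"
    r"(?:\s*,?\s*DOMAIN\s+([^\s,]+))?",
    re.IGNORECASE,
)

# Constructed sample parameter files (not from the original page).
GOOD_PRM = """EXTRACT exta
USERIDALIAS ext DOMAIN system1
-- USERID ogg1, PASSWORD retired_value
TABLE hr.*;
"""
BAD_PRM = """REPLICAT repa
USERID ogg2, PASSWORD constructed_value
DDLOPTIONS DEFAULTUSERPASSWORD constructed_value
MAP hr.*, TARGET hr.*;
"""


def audit_params(text):
    """Return (findings, aliases) for the text of one parameter file.

    findings: (line_no, keyword, alias_form_to_use); values are never echoed.
    aliases:  (line_no, alias, domain), domain is None without a DOMAIN clause.
    """
    findings, aliases = [], []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("--", 1)[0]  # ignore "--" comments
        for token in re.split(r"[\s,]+", line.upper()):
            if token in CLEARTEXT_TO_ALIAS:
                findings.append((line_no, token, CLEARTEXT_TO_ALIAS[token]))
        for match in ALIAS_RE.finditer(line):
            aliases.append((line_no, match.group(2), match.group(3)))
    return findings, aliases


if __name__ == "__main__":
    for name, text in (("good.prm", GOOD_PRM), ("bad.prm", BAD_PRM)):
        print(name, audit_params(text))
```

The findings report only the line number and keyword, so the audit output can be shared or logged without exposing the credential it found.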