Oracle GoldenGate Security Features

This section presents the Oracle GoldenGate Security features available with the current release. The following table lists the security aspect and the associated Oracle GoldenGate feature that implements it.

Oracle GoldenGate Security Feature	Description	Reference
Secure Administration	All administrative operations are authorized and made with REST API calls Support for TLS 1.3 (default) and TLS 1.2	Secure Deployments Secure Communication Using TLS and mTLS Support
Authentication	Credentials (user name/password) Client certificates (without Reverse Proxy) Single Sign On (SSO) support with external Identity Providers using OAuth/OIDC OCI: Oracle Identity Manager (IAM), Oracle Identity Cloud Service (IDCS) On-Premise: Oracle Access Manager (OAM) Token-based Authentication	Authentication and Authorization Create Certificates for Secure Deployments
Password management and MFA	Local password policy based on character length and rules Supported and enforced by external Identity Provider (IDP)	Service Manager Administrator Account Delegate User Authentication to an External ID Provider
Role based Access Control (RBAC)	Hierarchical Role based layout: Security: User with this privilege, can perform all administrative tasks and authorizing new clients. Administrator: User with this privilege, can perform all administrative tasks, but no authorizing new clients. User: User with this privilege, can retrieve only status or monitoring information. Operator: User with this privilege, with operator role can start and stop processes.	Service Manager Administrator Account
Database Credentials	Credentials stored in secure PKCS#12 wallet Kerberos support, if available for the database, for example: Oracle.	Configure Kerberos Authentication with MA
Database Connectivity	Support based on Database client capabilities Example: Oracle using TCPS or Native Network Encryption.
Network Trail File Distribution (Data in Transit)	Secured with industry standard secure streaming Websocket protocol (WSS) Support for mutual TLS using client certificate
Proxy/DMZ	Support for reverse and forward Proxy Target-initiated Distribution Path for DMZ systems	About Distribution Path
Trail File Encryption (Data in Rest)	Encryption support using AES128, AES192 or AES256 Support for Master key from external Key Management System (OKV, OCI-KMS) Support of multiple Master Keys	Trail File Encryption
Auditing	Logging of REST API Calls Enabled System Security Logging