Oracle GoldenGate Security Feature: Implementation

This section is relevant for DBAs and developers engaged in security configurations. It describes the implementation steps of security features in Oracle GoldenGate Microservices Architecture deployment and Service Manager.

The following steps describe the Oracle GoldenGate security features that you can implement when building a secure Oracle GoldenGate environment.

  1. Use the latest software version.

    Download the latest Oracle GoldenGate software and make sure you are running the most recent Release Update (RU). Newer releases frequently include fixes for vulnerabilities discovered in earlier versions, so keeping the software current directly improves the security posture of the deployment.

  2. If you use OGGCA to deploy Oracle GoldenGate, ensure that security is enabled. A secure deployment consists of the server certificate, its private key, and the CA-signed (root) certificate. This enables TLS-protected communication for the REST API.

    If you are unable to deploy Oracle GoldenGate with a server certificate, consider placing a reverse proxy in front of it to secure network communication. In this scenario, make sure the proxied server is locked down so that it is reachable only through the proxy.

  3. Use passwords that adhere to the Strong Password Policy. You can use a local Oracle GoldenGate Administration User for the Service Manager together with an external identity provider (IDP) for authentication using OAuth2/OIDC. Supported IDPs include Oracle Cloud-based OCI-IAM, IDCS, and on-premise OAM. An IDP lets you take advantage of SSO, MFA, and token-based authentication.

  4. Oracle GoldenGate supports role-based access control (RBAC) for user authorization. Follow least-privilege practices when assigning roles to Oracle GoldenGate users.

  5. Verify that encryption is applied to the trail files. By default the trail file encryption master key is managed locally. External key management systems such as OCI-KMS or Oracle Key Vault (OKV) offer an even higher degree of protection.

  6. Oracle GoldenGate uses a PKCS#12 wallet to hold Oracle GoldenGate and database credentials. Only a USERIDALIAS can be used to establish database connections, so no plaintext password appears in a parameter file. Consider rotating the Oracle GoldenGate Administrator user's credentials as part of routine maintenance.

  7. For secure network communication to the database, use the secure network client options the database provides. The Oracle Database Server supports TCPS and Native Network Encryption (NNE).

  8. For the Distribution Path protocol, use the Secure WebSocket protocol (WSS). To protect an Oracle GoldenGate DistPath, you can use credentials, client certificates (mutual TLS), or OAuth/OIDC.

  9. In firewall-secured DMZ environments, use a Target Initiated DistPath. This lets the target Receiver Service initiate the DistPath, so no inbound connection to the target needs to be opened.

  10. Oracle GoldenGate also supports Federal Information Processing Standards (FIPS) compliance. FIPS mode can be enabled during deployment as an additional security standard.
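A lightweight audit of steps 5, 6 and 8 above, as an added example that is not Oracle's own tooling: it lints a GoldenGate parameter file for plaintext `USERID`/`PASSWORD` instead of `USERIDALIAS`, for a missing `ENCRYPTTRAIL` on an Extract, and checks that a distribution path target uses `wss://`. The sample parameter files and the target URI are constructed for the example.

```python
import re

# Constructed sample Extract parameter file with a weak credential setting.
WEAK_PARAMS = """\
EXTRACT exta
-- credentials inline (what step 6 says to avoid)
USERID ggadmin, PASSWORD secret123
EXTTRAIL aa
TABLE hr.*;
"""

# Constructed hardened version: wallet alias plus encrypted trail.
HARDENED_PARAMS = """\
EXTRACT exta
USERIDALIAS ggadmin_alias
ENCRYPTTRAIL AES256
EXTTRAIL aa
TABLE hr.*;
"""

# Constructed distribution path target (step 8 requires wss://).
WEAK_DISTPATH = "ws://target.example.com:9103/services/v2/targets?trail=ab"


def audit_param_file(text):
    """Return findings for a GoldenGate parameter file (step 5 and step 6)."""
    findings = []
    # '--' starts a comment line in GoldenGate parameter files.
    lines = [l.strip() for l in text.splitlines()
             if l.strip() and not l.strip().startswith("--")]
    is_extract = any(re.match(r"EXTRACT\b", l, re.I) for l in lines)
    for l in lines:
        # \b keeps this from matching USERIDALIAS, which is the wanted form.
        if re.match(r"USERID\b", l, re.I):
            findings.append("plaintext USERID/PASSWORD; use USERIDALIAS")
        if re.match(r"NOENCRYPTTRAIL\b", l, re.I):
            findings.append("NOENCRYPTTRAIL disables trail encryption")
    if is_extract and not any(re.match(r"ENCRYPTTRAIL\b", l, re.I) for l in lines):
        findings.append("Extract writes unencrypted trail; add ENCRYPTTRAIL AES256")
    return findings


def audit_distpath_target(uri):
    """Return findings for a distribution path target URI (step 8)."""
    scheme = uri.split("://", 1)[0].lower()
    return [] if scheme == "wss" else [f"target uses '{scheme}://'; use wss://"]


if __name__ == "__main__":
    for f in audit_param_file(WEAK_PARAMS) + audit_distpath_target(WEAK_DISTPATH):
        print("FINDING:", f)
```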

Oracle GoldenGate fully supports virtual machine environments created with any virtualization software on any platform unless otherwise noted. When installing Oracle GoldenGate into a virtual machine environment, select a build that matches the database and the operating system of the virtual machine, not the host system.

Note:

Oracle customers with an active support contract who run supported versions of Oracle products (including Oracle GoldenGate) receive assistance from Oracle when running those products in VMware virtualized environments. If Oracle determines that the underlying issue is not caused by Oracle's products, or that the products are running in a computing environment Oracle does not support, Oracle will refer the customer to VMware for further assistance and will assist VMware as applicable in resolving the issue.

This support policy does not affect Oracle or VMware licensing policies.