MA Security Features

Learn about these MA security features:

  • Connection Filtering: Qualifies and filters a candidate connection based on connection policy specifications.

  • Certificate Filtering: Similar to connection filtering, this feature enables qualifying certificates as part of accepting or denying a connection request.

  • Fall-back Constraints: Network security configuration within MA servers enables you to configure and constrain the protocol version negotiation fall-back behavior, so that you control if and how the protocol versions are negotiated.

  • IPv6 Support: Oracle GoldenGate network implementations support native IPv6 addressing standards.

  • Session Management: Requests to the MA Service Interfaces are REST requests and stateless, which means that no client application context is stored on the server between requests. The application session state is held entirely by the client.

  • User Credential Storage: MA implementations use Oracle Wallets and related identity management services to store security information. Approved encryption technologies are configured to secure both stored and in-flight user data. Stored data typically refers to file system files, such as capture data trail files, while in-flight data typically refers to data transmitted between peers over a non-persistent communications channel.

  • Single Page Applications (SPAs) and WebApp Security: If the initial connection to the Service Manager uses the HTTPS protocol, then the browser connects using SSL/TLS. If the server is configured to require the client to present a certificate, the browser needs to be configured to present the appropriate client certificate.

  • Cipher-suites: The cipher-suites for MA are configured during deployment. You can change the value of the cipher-suite using the Server Manager REST interfaces for each server. Alternatively, you can update them using either the MA bootstrap configuration override option or the command-line configuration override options. The list of cipher-suites available to a user differs based on the environment. This ensures that there is sufficient overlap to allow secure communication at the required security level.

    Both client and server platforms generally support more than one cipher-suite. This increases the probability that the client and server can negotiate and agree on a cipher-suite to use. The set of available cipher-suites on the server is dictated by the NZ Toolkit (or alternate TLS/SSL toolkit). Several cipher-suites are set as the default set, which depends on the Java Runtime Environment distributed with Oracle GoldenGate. The default set attempts to specify the most common cipher-suites with the highest security protection and highest performance. In practice, however, these are competing attributes, so you need to trade off high security against high performance.
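
The overlap requirement described above can be checked before a cipher-suite change is rolled out. The following is an added example, not Oracle GoldenGate code: it uses Python's ssl module and OpenSSL cipher strings as a stand-in for the server's TLS toolkit, and the SERVER and CLIENT_* policy strings are constructed sample values.

```python
import ssl


def enabled_suites(cipher_string):
    """Map suite name -> protocol for what the local OpenSSL build enables.

    The dict keeps OpenSSL's preference order. ssl.SSLError is raised when the
    string selects no TLS 1.2 suite at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return {c["name"]: c["protocol"] for c in ctx.get_ciphers()}


def negotiable(server_string, client_string):
    """Suites both peers enable, listed in the server's preference order."""
    client = enabled_suites(client_string)
    return [(name, proto)
            for name, proto in enabled_suites(server_string).items()
            if name in client]


def tls12_overlap(server_string, client_string):
    """Overlap that remains when a peer cannot negotiate TLS 1.3.

    OpenSSL manages TLS 1.3 suites separately from the cipher string, so they
    can hide a TLS 1.2 mismatch that only shows up once a peer falls back.
    """
    return [name for name, proto in negotiable(server_string, client_string)
            if proto != "TLSv1.3"]


# Constructed sample policies (not taken from any GoldenGate deployment).
SERVER = "ECDHE+AESGCM"
CLIENT_OK = "ECDHE+AESGCM:ECDHE+CHACHA20"
CLIENT_DISJOINT = "ECDHE+CHACHA20"

if __name__ == "__main__":
    for label, client in (("overlapping", CLIENT_OK),
                          ("disjoint", CLIENT_DISJOINT)):
        print(label, "all versions:", [n for n, _ in negotiable(SERVER, client)])
        print(label, "TLS 1.2 only:",
              tls12_overlap(SERVER, client) or "NO OVERLAP")
```

The suite names printed are OpenSSL's; a different toolkit may name the same suites differently, so compare against the names your deployment actually reports.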