10 Managing Identities in a Credential Store

Learn how to use an Oracle GoldenGate credential store to maintain encrypted database passwords and user IDs and associate them with an alias.

It is the alias, not the actual user ID or password, that is specified in a command or parameter file, and no user input of an encryption key is required. The credential store is implemented as an autologin wallet within the Oracle Credential Store Framework (CSF).

Another benefit of using a credential store is that multiple installations of Oracle GoldenGate can use the same one, while retaining control over their local credentials. You can partition the credential store into logical containers known as domains, for example, one domain per installation of Oracle GoldenGate. Domains enable you to develop one set of aliases (for example ext for Extract, rep for Replicat) and then assign different local credentials to those aliases in each domain. For example, credentials for user ogg1 can be stored as ALIAS ext under DOMAIN system1, while credentials for user ogg2 can be stored as ALIAS ext under DOMAIN system2.

The credential store security feature is not supported on the DB2 for i, DB2 z/OS, and NonStop platforms. For those platforms and any other supported platforms, see Encrypting a Password in a Command or Parameter File.

Topics:

Parent topic: Securing Oracle GoldenGate

10.1 Creating and Populating the Credential Store

  1. (Optional) To store the credential store in a location other than the dircrd subdirectory of the Oracle GoldenGate installation directory, specify the desired location with the CREDENTIALSTORELOCATION parameter in the GLOBALS file. (See Administering Oracle GoldenGate for more information about the GLOBALS file.)
  2. From the Oracle GoldenGate installation directory, run GGSCI.
  3. Issue the following command to create the credential store. 
    ADD CREDENTIALSTORE
  4. Issue the following command to add each set of credentials to the credential store. 
    ALTER CREDENTIALSTORE ADD USER userid,
  [PASSWORD password]
  [ALIAS alias]
  [DOMAIN domain]

    Where:

    • userid is the user name. Only one instance of a user name can exist in the credential store unless the ALIAS or DOMAIN option is used.

    • password is the password. The password is echoed (not obfuscated) when this option is used. For security reasons, it is recommended that you omit this option and allow the command to prompt for the password, so that it is obfuscated as it is entered.

    • alias is an alias for the user name. The alias substitutes for the credential in parameters and commands where a login credential is required. If the ALIAS option is omitted, the alias defaults to the user name. If you do not want user names in parameters or command input, use ALIAS and specify a different name from that of the user.

    • domain is the domain that is to contain the specified alias. The default domain is Oracle GoldenGate.

For more information about the commands used in this procedure and additional credential store commands, see Reference for Oracle GoldenGate.

Parent topic: Managing Identities in a Credential Store

10.2 Specifying the Alias in a Parameter File or Command

The following commands and parameters accept an alias as substitution for a login credential.

Table 10-1 Specifying Credential Aliases in Parameters and Commands

Purpose of the Credential Parameter or Command to Use

Oracle GoldenGate database loginFoot 1

 
USERIDALIAS alias

Oracle GoldenGate database login for Oracle ASM instance

 
TRANLOGOPTIONS ASMUSERALIAS alias

Oracle GoldenGate database login for a downstream Oracle mining database

 
TRANLOGOPTIONS MININGUSERALIAS alias

Password substitution for {CREATE | ALTER} USER name IDENTIFIED BY password

 
DDLOPTIONS DEFAULTUSERPASSWORDALIAS alias

Oracle GoldenGate database login from GGSCI

 
DBLOGIN USERIDALIAS alias

Oracle GoldenGate database login to a downstream Oracle mining database from GGSCI

 
MININGDBLOGIN USERIDALIAS alias

Footnote 1

Syntax elements required for USERIDALIAS vary by database type. See Reference for Oracle GoldenGate for more information.

Parent topic: Managing Identities in a Credential Store