1 About Oracle GoldenGate Security

Oracle GoldenGate has integrated security features. Understanding those features and the use cases they cover is an important first step when setting up a secure environment.

There are two different architectures offered with Oracle GoldenGate:

Microservices Architecture (MA)

This is a REST API-based services architecture that allows you to configure, monitor, and manage Oracle GoldenGate services using a web interface or through REST API calls. Oracle recommends implementing MA to ensure the highest levels of security with Oracle GoldenGate.

You can use MA to deploy, monitor, manage, and perform Extract and Replicat operations on trail data within your MA implementation. To learn more about MA see Components of Oracle GoldenGate Microservices Architecture.

Classic Architecture (CA)

This is the original Oracle GoldenGate architecture for moving data effectively across numerous topologies. To learn more about Classic Architecture, see Components of Classic Architecture and the Oracle GoldenGate user guide for your database.

Oracle GoldenGate Microservices Architecture (MA) is the more secure of the two architectures. This guide addresses MA-specific topics in the main chapters, while security aspects of the Classic Architecture are addressed in the appendix.

1.1 Overview of Security Options

You can use these security features to protect your Oracle GoldenGate environment and the data that is being processed.

Each entry below gives, in order: What to Secure, Security Feature, Supported Databases, Supported Architecture, and Description.

What to Secure: Master Encryption Keys
Security Feature: Managing Data Encryption using Oracle Key Vault
Supported Databases: All databases
Supported Architecture: Classic and Microservices
Description: Manages the encryption of trail files by storing the master keys.

What to Secure:
  • Data in the trails or an Extract file
  • Data sent across TCP/IP networks
Security Feature: Encrypting Data with the Master Key and Wallet Method
Supported Databases: The master key and wallet method is the preferred method on platforms that support it. Not valid for NonStop platforms.
Supported Architecture: X
Description: Encrypts the data in files, across data links, and across TCP/IP. Use one of the following:
  • Any Advanced Encryption Standard (AES) cipher

    Advanced Encryption Standard (AES) is a symmetric-key encryption standard that is used by governments and other organizations that require a high degree of data security. It offers three 128-bit block ciphers: a 128-bit key cipher, a 192-bit key cipher, and a 256-bit key cipher. The LD_LIBRARY_PATH value is set to $ORACLE_HOME/lib with a default configuration. Use the export command to modify this value.

  • Blowfish

    Blowfish encryption: a keyed symmetric block cipher. The Oracle GoldenGate implementation of Blowfish has a 64-bit block size.

What to Secure: User IDs and passwords (credentials) assigned to Oracle GoldenGate processes to log into a database.
Security Feature: Credential Store Identity Management. See Managing Identities in a Credential Store.
Supported Databases: The credential store is the preferred password management method on platforms that support it. Not valid for NonStop platforms.
Supported Architecture: Microservices
Description: User credentials are maintained in secure wallet storage. Aliases for the credentials are specified in commands and parameters.

What to Secure: Passwords specified in commands and parameter files that are used by Oracle GoldenGate processes to log into a database.
Security Feature: Password Encryption. See Encrypting a Password in a Command or Parameter File.
Supported Databases: Valid for all Oracle GoldenGate-supported databases and platforms. Blowfish must be used on the DB2 for i, DB2 z/OS, and NonStop platforms. On other platforms, the credential store is the preferred password-management method.
Supported Architecture: Classic
Description: Encrypts a password and then provides for specifying the encrypted password in the command or parameter input. Use any of the following:
  • AES-128
  • AES-192
  • AES-256
  • Blowfish

What to Secure: Oracle GoldenGate commands issued through GGSCI.
Security Feature: Command Authentication. See Configuring GGSCI Command Security.
Supported Databases: Valid for all Oracle GoldenGate-supported databases and platforms.
Supported Architecture: X
Description: Stores authentication permissions in an operating-system-secured file. Configure a CMDSEC (Command Security) file.

What to Secure: TCP/IP connection to untrusted Oracle GoldenGate host machines that are outside a firewall.
Security Feature: Trusted Connection. See Using Target System Connection Initiation.
Supported Databases: Valid for all Oracle GoldenGate-supported databases and platforms.
Supported Architecture: X
Description: Use any of the following:
  • AES-128
  • AES-192
  • AES-256
  • Blowfish

What to Secure: Access rules for Manager.
Security Feature: Manager Security. See Securing Manager.
Supported Databases: Valid for all Oracle GoldenGate-supported databases and platforms.
Supported Architecture: Classic
Description: You can secure the following:
  • GGSCI: Secures access to the GGSCI command-line interface.
  • MGR | MANAGER: Secures access to all inter-process commands controlled by Manager, such as START, STOP, and KILL.
  • REPLICAT: Secures the connection to the Replicat process.
  • COLLECTOR | SERVER: Secures the ability to dynamically create a Collector process.

What to Secure: Select the cryptographic library that best suits your needs: portability (Classic), portability and compliance with the FIPS 140 standard (FIPS140), or enhanced throughput (Native).
Security Feature: CryptoEngine
Supported Databases: Valid for all Oracle GoldenGate-supported databases and platforms (Classic and FIPS140). Valid for all Oracle GoldenGate-supported databases on Linux.x64 and Windows.x64 (Native).
Supported Architecture: Classic and Microservices
Description: Selects which cryptographic library the Oracle GoldenGate processes will use.

What to Secure: MA REST Service Interface
Security Feature: Authentication
Supported Databases: Valid for all Oracle GoldenGate-supported databases and platforms.
Supported Architecture: Microservices
Description: X

What to Secure: Communication Security
Security Feature: TLS and Secure Network Protocols
Supported Databases: Valid for all Oracle GoldenGate-supported databases and platforms.
Supported Architecture: Microservices
Description: X

What to Secure: MA REST User Authorization
Security Feature: Authorization
Supported Databases: Valid for all Oracle GoldenGate-supported databases and platforms.
Supported Architecture: Microservices
Description: X

What to Secure: Target-initiated Trails
Security Feature: Target-initiated trails for trusted environments
Supported Databases: Valid for all Oracle GoldenGate-supported databases and platforms.
Supported Architecture: Microservices
Description: See Using Target-Initiated Distribution Paths.

What to Secure: Reverse Proxy
Security Feature: The reverse proxy only uses one port. See Configure Reverse Proxy with NGINX to Access Oracle GoldenGate Microservices.
Supported Databases: Valid for all Oracle GoldenGate-supported databases and platforms.
Supported Architecture: Microservices
Description: X
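The Command Authentication entry above points at the CMDSEC file without showing how its rules are evaluated. The following is an added example, not code from this guide or from Oracle: it parses a constructed CMDSEC file in the documented five-field format (command, object, OS group, OS user, YES or NO, with * as a wildcard), applies the documented top-down first-match rule, and flags rules that an earlier, broader rule makes unreachable. Skipping blank lines and denying when no rule matches are assumptions made for this example; a real file should end with an explicit catch-all so the no-match case never arises.

```python
"""Evaluate GoldenGate Classic CMDSEC rules (added example, not Oracle's code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    command: str   # GGSCI command name or '*'
    obj: str       # command object (EXTRACT, REPLICAT, ...) or '*'
    group: str     # OS group or '*'
    user: str      # OS user or '*'
    allow: bool    # YES -> True, NO -> False


def parse_cmdsec(text: str) -> list[Rule]:
    """Parse '<command> <object> <group> <user> <YES|NO>' lines; blank lines skipped (assumption)."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 5 or fields[4].upper() not in ("YES", "NO"):
            raise ValueError(f"CMDSEC line {lineno}: malformed rule {line!r}")
        cmd, obj, grp, usr, flag = fields
        rules.append(Rule(cmd.upper(), obj.upper(), grp, usr, flag.upper() == "YES"))
    return rules


def _match(pattern: str, value: str) -> bool:
    return pattern == "*" or pattern == value


def is_allowed(rules: list[Rule], command: str, obj: str, group: str, user: str) -> bool:
    """Top-down evaluation: the first matching rule decides; no match denies (assumption)."""
    for r in rules:
        if (_match(r.command, command.upper()) and _match(r.obj, obj.upper())
                and _match(r.group, group) and _match(r.user, user)):
            return r.allow
    return False


def shadowed_rules(rules: list[Rule]) -> list[int]:
    """Indexes of rules that can never fire because an earlier rule is at least as general."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if all(_match(e, l) for e, l in zip(
                    (earlier.command, earlier.obj, earlier.group, earlier.user),
                    (later.command, later.obj, later.group, later.user))):
                out.append(i)
                break
    return out


# Constructed sample: the ggops group may STATUS/START/STOP Replicats, root may do
# anything, and the final catch-all denies everything else (least privilege).
SAMPLE_CMDSEC = """\
STATUS REPLICAT * * YES
START REPLICAT ggops * YES
STOP REPLICAT ggops * YES
* * * root YES
* * * * NO
"""
```

Running shadowed_rules on a file whose catch-all sits above the specific grants reports those grants as unreachable, which is the ordering mistake the top-down rule makes easy.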