Create and Apply Encryption Profile in a Deployment
In Oracle GoldenGate, the encryption profile is used to define, which trail encryption method to use.
An encryption profile is the configuration information that is used to retrieve a master key from a local wallet or a Key Management Service (KMS) such as OKV or OCI KMS. Encryption profile configuration is only available with Microservices Architecture.
-
Local Wallets
-
Key Management Systems:
-
Oracle Key Vault
-
Oracle Cloud Infrastructure
-
Each Extract and Replicat process is associated with an encryption profile. The default encryption profile is stored in the local wallet, if you haven't specified any other encryption profile.
If you use a different encryption profile, which uses a KMS, then it includes all the information necessary to connect and authenticate to the KMS server. It also contains the details necessary to retrieve a particular master key that will be used for encryption and decryption. Any KMS uses an authentication token to access their APIs. Oracle GoldenGate Microservices Architecture stores this access token as a credential. This credential is created using the encryption profile in Microservices Architecture.
Oracle Golden Gate processes need to make a request to the Key Management Service (KMS) each time a trail file is opened.
-
For Oracle Key Vault (OKV), the encryption profile parameter time to live (TTL) is used to keep the master key on memory until TTL has been reached.
-
In OCI KMS, the actual master key is never returned and instead the client sends the data to encrypt or decrypt. Thereafter, the server returns the result to the client.
-
Extract: Encrypt (writer)
-
Replicat: Decrypt (Reader)
-
Distribution Service Path (DISTPATH): Encrypt/Decrypt (Writer/Reader).
-
LogDump: Decrypt (Reader)
Requirements for Setting up an Encryption Profile
This topic describes the requirements when configuring an encryption profile in Oracle GoldenGate.
You can create multiple encryption profiles within a deployment, but an Oracle GoldenGate process (Extract, Replicat, distribution path) can only use one encryption profile at a time. For distribution paths using filtering, decryption is done to apply the filters but the output trail file remains encrypted. In PASSTHRU, a distribution path will not attempt to use the encryption profile or decrypt the trail file unless explicitly specified.
Any of the existing encryption profiles within a deployment can be set as the default profile. This default profile is only relevant during the creation of an Extract, Replicat or Distribution Path processes. If an encryption profile is not explicitly specified during the creation of a process, the current default profile is assigned to the new process. Changing the default profile does not update the encryption profile assigned to any existing Oracle GoldenGate processes.
Note:
It is advised not to change the encryption profile or master key of a process that has already processed trail files.The Administration Service web interface allows you to manage your encryption profiles. You cannot modify an encryption profile. If you need to change it, you must delete and add a new profile using the Administration Service.
You can configure encryption profiles from the Administration Service or the Admin Client.
Tool to Set up Encryption Profile | Description |
---|---|
Administation Service |
To configure the encryption profile using the Administration Server, see Configure an Encryption Profile. |
Admin Client |
The Admin Client commands used to set up the encryption profile for Extract, Replicat, and Distribution Path, include:
In addition, the To know more, see Admin Client Command Line Interface Commands in Command Line Interface Reference for Oracle GoldenGate. |
Configure an Encryption Profile
Oracle GoldenGate Administration Service provides options to set up encryption profiles for managed Extract and Replicat processes.
-
By default, the Local Wallet profile is created. If you select the Local Wallet encryption profile, you'll see its options, which you can edit using the pen icon.
Options Description Description
A description of the local wallet.
Default Profile
This option is enabled by default. You can select to disable it.
Encryption Profile Type
This option cannot be changed for the local wallet.
Masterkey Name
OGG_DEFAULT_MASTERKEY
default master key for the local wallet. You cannot edit this value.Masterkey Version
This is the master key version number. The value is set to LATEST and cannot be changed.
-
Click the + sign next to Profile to create an encryption profile by specifying the following details:
Option Description Profile Name
Name of the encryption profile
Description
Describe the encryption profile.
Default Profile
If you want to make this profile the default, then enable this option.
Encryption Profile Type
Available options are Oracle Key Vault (OKV) and Oracle Cloud Infrastructure (OCI).
-
Before you set up OKV, you need to perform a client installation. See Step 1: Configure the Oracle Key Vault Server Environment in the Oracle Key Vault Administrator's Guide.
OKV Configuration Options
Options to set up Oracle Key Vault (OKV)
KMS Library Path
Specify the directory location where Oracle Key Vault is installed.
Oracle Key Vault Version
Specify the supported Oracle Key Vault version.
Masterkey Name
Specify the name of the master key.
Time to Live
Time to live (TTL) for the key retrieved by Extract from KMS. When encrypting the next trail, Extract checks if TTL has expired. If so, it retrieves the latest version of the master key. The default is 24 hours.
-
For configuring the encryption profile for OCI KMS, see Using OCI KMS Trail File Encryption in Oracle GoldenGate.