7.2.3 How to Configure an Encryption Profile in MA?

This topic describes the steps to configure an encryption profile for different KMS options available with Oracle GoldenGate MA.

You can configure encryption profiles from the Administration Server or the AdminClient. To configure the encryption profile using the Administration Server, see Administration Server: Key Management tab.

The Admin Client commands used to set up the encryption profile for Extract, Replicat, and Distribution Path are ADD ENCRYPTIONPROFILE, ALTER ENCRYPTIONPROFILE, DELETE ENCRYPTIONPROFILE, and INFO ENCRYPTIONPROFILE. In addition, the ADD and ALTER commands for Extract, DISTPATH, and Replicat have been modified to include the parameter ENCRYPTIONPROFILE encryption-profile-name.

For more information, see AdminClient Command Line Interface Commands in Command Line Interface Reference for Oracle GoldenGate.

There are two options for managing master keys:
  • Local Wallets
  • A key management service (KMS), which is Oracle Key Vault (OKV).

Local Wallet Encryption Profile

The default encryption profile is set to Local Wallet after you install Oracle GoldenGate MA or upgrade to Oracle GoldenGate 19c (19.1.0). For Extract, Replicat, and Distribution Path, the Profile Name field displays the value as Local Wallet.

Oracle Key Vault Encryption Profile

For Oracle Key Vault, the encryption profile credentials require the following inputs:
  • Name: Specify the name of the Oracle Key Vault encryption profile.
  • Type: Specify the KMS type as OKV.
  • Home Path: Specify the directory location where Oracle Key Vault is installed. In Admin Client, this is the OKV path. In the web interface, this is the KMS library path.
  • Key Name Attribute: Specify the name of the encryption key using this custom attribute. This value must match the key name in the KMS parameter in Oracle GoldenGate and cannot be changed once replication has started.
  • Key Version Attribute: Specify the version of the encryption key using this custom attribute. This value must be numeric.
  • MasterKey Name: Specify the name of the master key.
  • MasterKey Version: Specify the version of Oracle Key Vault. The default value is LATEST, or you can specify a version number such as 18.1.
  • Time to live: Specify the time to live (TTL) for the key that Extract retrieves from the KMS. When encrypting the next trail, Extract checks whether the TTL has expired. If so, it retrieves the latest version of the master key. The default is 24 hours.

Note:

Do not upload keys with duplicate values of Key Name and Key Version. At the time of startup, restart, or rollover, Oracle GoldenGate processes retrieve the highest Key Version value.
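
The following pre-upload check is an added example, not Oracle code. It audits a key inventory for the two conditions above: non-numeric Key Version values and duplicate Key Name and Key Version pairs. It then reports the version that would rank highest. The inventory format, the key names, and the choice to compare versions as integers are assumptions made for illustration.

```python
from collections import Counter

# Constructed inventory of (key name attribute, key version attribute) pairs,
# as they would be tagged on keys before upload. All values are illustrative.
SAMPLE_KEYS = [
    ("ogg_master", "1"),
    ("ogg_master", "2"),
    ("ogg_master", "10"),
    ("ogg_master", "2"),   # duplicate name/version pair
    ("ogg_master", "v3"),  # non-numeric version
    ("ogg_other", "7"),
]


def audit_keys(keys, key_name):
    """Return (problems, highest_version) for the keys tagged with key_name.

    Assumption: versions are compared as integers, so "10" ranks above "2"
    (a plain string comparison would rank "2" highest) and "02" is treated
    as a duplicate of "2".
    """
    problems = []
    numeric = []
    for name, version in keys:
        if name != key_name:
            continue
        value = version.strip()
        if not (value.isascii() and value.isdigit()):
            problems.append(f"non-numeric version {version!r} for {name}")
            continue
        numeric.append(int(value))

    # A name/version pair that occurs more than once is ambiguous at retrieval.
    for version, count in sorted(Counter(numeric).items()):
        if count > 1:
            problems.append(f"duplicate {key_name} version {version} ({count} keys)")

    highest = max(numeric) if numeric else None
    return problems, highest


if __name__ == "__main__":
    found, highest = audit_keys(SAMPLE_KEYS, "ogg_master")
    for line in found:
        print("PROBLEM:", line)
    print("highest numeric version:", highest)
```
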