9 Managing Identities in a Credential Store

Learn how to use an Oracle GoldenGate credential store to maintain encrypted database passwords and user IDs and associate them with an alias.

It is the alias, not the actual user ID or password, that is specified in a command or parameter file, and no user input of an encryption key is required. The credential store is implemented as an autologin wallet within the Oracle Credential Store Framework (CSF).

Another benefit of using a credential store is that multiple installations of Oracle GoldenGate can use the same one, while retaining control over their local credentials. You can partition the credential store into logical containers known as domains, for example, one domain per installation of Oracle GoldenGate. Domains enable you to develop one set of aliases (for example ext for Extract, rep for Replicat) and then assign different local credentials to those aliases in each domain. For example, credentials for user ogg1 can be stored as ALIAS ext under DOMAIN system1, while credentials for user ogg2 can be stored as ALIAS ext under DOMAIN system2.

The credential store security feature is not supported on the DB2 for i, DB2 z/OS, and NonStop platforms. For those platforms and any other supported platforms, see Encrypting a Password in a Command or Parameter File.

9.1 Creating and Populating the Credential Store

  1. (Optional) To store the credential store in a location other than the dircrd subdirectory of the Oracle GoldenGate installation directory, specify the desired location with the CREDENTIALSTORELOCATION parameter in the GLOBALS file.
  2. From the Oracle GoldenGate installation directory, run GGSCI.
  3. Issue the following command to create the credential store.
    ADD CREDENTIALSTORE
    
  4. Issue the following command to add each set of credentials to the credential store.
    ALTER CREDENTIALSTORE ADD USER userid,
      [PASSWORD password]
      [ALIAS alias]
      [DOMAIN domain]
    

    Where:

    • userid is the user name. Only one instance of a user name can exist in the credential store unless the ALIAS or DOMAIN option is used.

    • password is the password. The password is echoed (not obfuscated) when this option is used. For security reasons, it is recommended that you omit this option and allow the command to prompt for the password, so that it is obfuscated as it is entered.

    • alias is an alias for the user name. The alias substitutes for the credential in parameters and commands where a login credential is required. If the ALIAS option is omitted, the alias defaults to the user name. If you do not want user names in parameters or command input, use ALIAS and specify a different name from that of the user.

    • domain is the domain that is to contain the specified alias. The default domain is Oracle GoldenGate.
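The option rules above can be checked before a batch of ADD USER commands is run. The following is an added example, not Oracle's code: the function names, finding labels and sample commands are constructed for illustration, and it assumes the store looks up an entry by alias within a domain.

```python
import re

DEFAULT_DOMAIN = "Oracle GoldenGate"  # default domain as named on this page

# Constructed sample input (not from the page): commands kept in a GGSCI script.
SAMPLE = """\
ALTER CREDENTIALSTORE ADD USER ogg1 ALIAS ext DOMAIN system1
ALTER CREDENTIALSTORE ADD USER ogg2 ALIAS ext DOMAIN system2
ALTER CREDENTIALSTORE ADD USER ogg3 PASSWORD Example_pw1 ALIAS rep
ALTER CREDENTIALSTORE ADD USER ogg4
ALTER CREDENTIALSTORE ADD USER ogg5 ALIAS rep
"""

ADD_USER = re.compile(r"^\s*ALTER\s+CREDENTIALSTORE\s+ADD\s+USER\s+(\S.*)$", re.I)

def parse(line):
    """Return the effective entry for one ADD USER command, or None."""
    m = ADD_USER.match(line)
    tokens = m.group(1).replace(",", " ").split() if m else []
    if not tokens:
        return None
    user, *opts = tokens
    # Defaults from the page: alias falls back to the user name.
    entry = {"user": user, "alias": user, "domain": DEFAULT_DOMAIN,
             "inline_password": False}
    for key, value in zip(opts[0::2], opts[1::2]):
        key = key.upper()
        if key == "PASSWORD":
            entry["inline_password"] = True  # record the fact, never the value
        elif key in ("ALIAS", "DOMAIN"):
            entry[key.lower()] = value
    return entry

def audit(text):
    """Return (line_no, finding, detail) tuples for risky or colliding entries."""
    findings, seen = [], {}
    for n, line in enumerate(text.splitlines(), 1):
        e = parse(line)
        if e is None:
            continue
        if e["inline_password"]:  # password would be echoed on entry
            findings.append((n, "INLINE_PASSWORD", e["user"]))
        if e["alias"] == e["user"]:  # user name would appear in parameter files
            findings.append((n, "ALIAS_EXPOSES_USER", e["user"]))
        key = (e["domain"], e["alias"])  # assumed lookup key: alias within domain
        if key in seen:
            detail = f"{key[1]} in {key[0]}, first on line {seen[key]}"
            findings.append((n, "DUPLICATE_ALIAS", detail))
        seen.setdefault(key, n)
    return findings
```

Calling audit(SAMPLE) reports the inline password on line 3, the defaulted alias on line 4 and the repeated alias on line 5; the two ext aliases pass because they sit in different domains.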

9.2 Specifying the Alias in a Parameter File or Command

The following commands and parameters accept an alias as substitution for a login credential.

Table 9-1 Specifying Credential Aliases in Parameters and Commands

| Purpose of the Credential | Parameter or Command to Use |
|---|---|
| Oracle GoldenGate database login. | USERIDALIAS alias |
| Oracle GoldenGate database login for Oracle ASM instance. | TRANLOGOPTIONS ASMUSERALIAS alias |
| Oracle GoldenGate database login for a downstream Oracle mining database. | TRANLOGOPTIONS MININGUSERALIAS alias |
| Password substitution for {CREATE \| ALTER} USER name IDENTIFIED BY password. | DDLOPTIONS DEFAULTUSERPASSWORDALIAS alias |
| Oracle GoldenGate database login from GGSCI. | DBLOGIN USERIDALIAS alias |
| Oracle GoldenGate database login to a downstream Oracle mining database from GGSCI. | MININGDBLOGIN USERIDALIAS alias |