GoldenGate allows users to encrypt trail files using a Key Management Service (KMS) like OCI Vault or local master key wallets stored within a GoldenGate deployment. We have covered how to use a Key Management Service with OCI GoldenGate in a previous article, Using Profiles with OCI GoldenGate, so we will focus on managing and using a local master key wallet in this blog.
Creating and using a master key wallet
Launch your OCI GoldenGate deployment console, then navigate to Administration Service > Configuration > Key Management.
Click on Add new version of Master Key (+ icon) next to Master Keys.
A new master key appears in the list and can be used in Extracts and Replicats.
To encrypt the trail data, set the Encryption Profile to LocalWallet while creating an Extract. It is the default value.

Then, add ENCRYPTTRAIL {AES128 | AES192 | AES256} to your Extract parameter file. See more info in Specifying Encryption Parameters in the Parameter File.
```
EXTRACT E_ATP
USERIDALIAS ATP_Source DOMAIN OracleGoldenGate
ENCRYPTTRAIL AES192
EXTTRAIL E1
TABLE SRC_OCIGGLL.*;
```
You can verify that trails are correctly encrypted by using Logdump in Cloud Shell to open the trail from a deployment backup. If you do not have the correct master key, the trail cannot be decrypted.

Target Replicats can only process the encrypted trails if their deployment can access the correct master key wallet. If not, you will get the following error message: “Error retrieving master encryption key OGG_DEFAULT_MASTERKEY from wallet at location /u02/Deployment/var/lib/wallet/.”
Managing master keys using the Master key wallet operations page
You can use the Master key wallet operations page to import and export master keys between OCI GoldenGate and GoldenGate on-premises deployments.
Once your OCI GoldenGate deployment has a master key created, you can export it using the Export button. You must have an existing Vault, Encryption key, and the minimum required policies in place.
The master key is exported into a Secret in OCI Vault. Using the Import functionality, it can then be imported into another OCI GoldenGate deployment.
Click Import, select the Secret, and click Import.
You can follow the import and export master key wallet operations on the Work requests page.
Once the Wallet import operation is complete, return to your OCI GoldenGate console and verify that the correct master key appears in Administration Service > Configuration > Key Management.
Exporting and importing master keys between OCI GoldenGate and GoldenGate on-premises
If you currently use GoldenGate on-premises, you may want to import a master key created in OCI GoldenGate or do the opposite.
To import a master key from GoldenGate on-premises, you need to:
- Copy the cwallet.sso file from /u02/deployments/Marketplace/var/lib/wallet/ into another directory
- Encode the sso file with the command: base64 -w 0 cwallet.sso
- Copy the output of the command into the clipboard
- In OCI Console, go to OCI Vault, create a new Secret using a previously created Encryption Key, and enter the output from the base64 command as the Secret Contents. Set Secret Type Template to Plain-Text
- Finally, go to your OCI GoldenGate deployment, click on Master key wallet operations, and import the Wallet using the newly created Secret
To export a master key into GoldenGate on-premises, you need to:
- Export your master key wallet into a Secret in OCI Vault
- Go to OCI Vault, click on the newly created Secret
- Click View Secret Contents, and enable ‘Show decoded Base64 digit’
- Copy the content into the clipboard
- Connect to the machine hosting your GoldenGate on-premises deployment, create a new file (secretfile), and copy the Secret Contents into it
- Run the following command: base64 -d secretfile > cwallet.sso
- Finally, copy cwallet.sso into /u02/deployments/Marketplace/var/lib/wallet/
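The two base64 procedures above (import and export), as an added example that is not part of the original article or Oracle's tooling: it records a SHA-256 digest of the wallet before encoding and installs the decoded file only when the digest matches, because a paste cut off on a 4-character boundary still decodes without error. The function names and temporary paths are assumptions, and the demo uses random bytes in place of a real cwallet.sso.

```shell
#!/usr/bin/env bash
# Added example (not Oracle's tooling): verify that a wallet survives the base64
# copy/paste round trip through an OCI Vault Secret before installing it.
umask 077                      # anything created here is owner-only

wallet_digest() { sha256sum "$1" | cut -d' ' -f1; }

# encode_wallet <wallet> <outfile>: single-line base64, the form pasted into Secret Contents
encode_wallet() { base64 -w 0 "$1" > "$2"; }

# decode_wallet <secretfile> <target> <expected_sha256>
# Decodes into a temp file next to the target and installs it only when the
# digest matches the one recorded on the source host.
# Returns: 0 installed, 2 invalid base64, 3 digest mismatch (e.g. truncated paste)
decode_wallet() {
  local secretfile="$1" target="$2" expected="$3" tmp
  tmp=$(mktemp "${target}.XXXXXX") || return 1
  if ! base64 -d "$secretfile" > "$tmp" 2>/dev/null; then
    rm -f "$tmp"; return 2
  fi
  if [ "$(wallet_digest "$tmp")" != "$expected" ]; then
    rm -f "$tmp"; return 3
  fi
  chmod 600 "$tmp" && mv -f "$tmp" "$target"
}

# Constructed demo: random bytes stand in for cwallet.sso; directories are temporary.
roundtrip_demo() {
  local work; work=$(mktemp -d) || return 1
  head -c 256 /dev/urandom > "$work/cwallet.sso"
  local digest; digest=$(wallet_digest "$work/cwallet.sso")
  encode_wallet "$work/cwallet.sso" "$work/secretfile"
  mkdir "$work/target"
  decode_wallet "$work/secretfile" "$work/target/cwallet.sso" "$digest"
  local rc=$?
  rm -f "$work/secretfile"     # the base64 text is the wallet itself; do not leave it behind
  echo "$rc:$(stat -c %a "$work/target/cwallet.sso" 2>/dev/null)"
  rm -rf "$work"
}
roundtrip_demo
```

The base64 text is only an encoding of the wallet, so the intermediate secretfile needs the same handling as cwallet.sso itself.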
Conclusion
In this technical article, we have seen how GoldenGate uses a master key wallet to encrypt the data contained in trails. OCI GoldenGate provides access to the Master key wallet operations page, enabling users to export and import their master key wallets between OCI GoldenGate and GoldenGate on-premises deployments.
