There are two ways to provide GoldenGate data encryption: the Master Key and Wallet method, or ENCKEYS.  This blog describes how to provide GoldenGate data encryption using the Master Key and Wallet method.  The Master Key is kept in an Oracle Wallet in the dirwlt directory under the GoldenGate home.  You can change this location if desired, but I don’t recommend it.  There are just a few steps to create and use the Master Key and Wallet method.

  1. Create the Wallet.
  2. Add the Master Key.
  3. Copy the Master Key to the target system.
  4. Modify GoldenGate Parameters.

Create the Wallet

The wallet is created with the CREATE WALLET command in ggsci.

GGSCI (gg22a.perftuning.com) 4> create wallet

Created wallet.

Opened wallet.

This will create and open the wallet.

Add the Master Key

The Master Key is created with the ADD MASTERKEY command in ggsci.

GGSCI (gg22a.perftuning.com) 5> add masterkey

2019-05-17T14:04:09Z  INFO    OGG-06142  Created version 1 of master key ‘OGG_DEFAULT_MASTERKEY’ in Oracle Wallet.

This will create the master key.

You can view the master key information with the info masterkey command.

GGSCI (gg22a.perftuning.com) 6> info masterkey

Masterkey Name: OGG_DEFAULT_MASTERKEY

Version         Creation Date                   Status

1               2019-05-17T09:04:09.000-06:00   Current

Once the master key is created it must be copied to the target system into the dirwlt directory.

Copy the Master Key

The master key is located in the dirwlt directory under GGHOME.  Copy the wallet (cwallet.sso) to the dirwlt directory on the target system.

[oracle@gg22a dirwlt]$ scp cwallet.sso ggkafka01:/u01/app/oracle/product/ggbigdata_3/dirwlt

oracle@ggkafka01’s password:

cwallet.sso    100%  763     1.6MB/s   00:00

Once the wallet has been copied to the target system it should be opened by using the open wallet command.

GGSCI (mssql00) 2> open wallet

Opened wallet.

GGSCI (mssql00) 3> info masterkey

Masterkey Name: OGG_DEFAULT_MASTERKEY

Version         Creation Date                   Status

1               2019-05-19T10:30:48.000-06:00   Current

The wallet is now ready to be used.
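
Because cwallet.sso is an auto-login wallet, anyone who can read the file can use the master key, so after the copy it is worth confirming that the target file matches the source and is accessible only to its owner.  The shell functions below are an added example, not part of GoldenGate or of the original post; the function names and return codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: verify a copied GoldenGate wallet file (cwallet.sso).
# Usage sketch: on the source run   sha256sum dirwlt/cwallet.sso
# then on the target call           wallet_check dirwlt/cwallet.sso <that digest>

# wallet_digest FILE -> prints the SHA-256 hex digest of FILE
wallet_digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# wallet_private FILE -> returns 0 only if group and others have no access
wallet_private() {
    mode=$(ls -ld "$1" | cut -c1-10) || return 2
    case "$mode" in
        ????------) return 0 ;;   # e.g. -rw------- or -r--------
        *)          return 1 ;;   # any group/other permission bit is set
    esac
}

# wallet_check FILE EXPECTED_DIGEST
# returns 0 = ok, 1 = missing or empty, 2 = digest mismatch, 3 = too permissive
wallet_check() {
    file=$1
    expected=$2
    [ -s "$file" ] || { echo "FAIL: $file is missing or empty"; return 1; }
    actual=$(wallet_digest "$file")
    if [ "$actual" != "$expected" ]; then
        echo "FAIL: $file digest $actual does not match the source wallet"
        return 2
    fi
    if ! wallet_private "$file"; then
        echo "FAIL: $file is accessible to group or others; chmod 600 it"
        return 3
    fi
    echo "OK: $file matches the source and is owner-only"
    return 0
}
```

A digest mismatch on the target means the open wallet and info masterkey output there cannot be trusted to describe the same key as the source.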

Modify Parameters

The final step in providing GoldenGate data encryption using the Master Key and Wallet method is to modify the parameters.  The data in the trail files can be encrypted either at the source, if you want to encrypt the trail that is being created by the extract, or via the pump.  One or both of these methods can be used.

Encrypting in the Extract

To encrypt the trail generated by the extract, use the ENCRYPTTRAIL parameter in the extract parameter file.  This will encrypt the trail as it is created by the extract.

ENCRYPTTRAIL { AES128 | AES192 | AES256 }

For example

ENCRYPTTRAIL AES256

Encrypting in the Pump

To encrypt in the pump, add RMTHOSTOPTIONS ENCRYPT { AES128 | AES192 | AES256 } to the pump parameter file.

RMTHOSTOPTIONS  ENCRYPT { AES128 | AES192 | AES256 }

For example

RMTHOSTOPTIONS  ENCRYPT AES256

Using the Master Key Encryption

Once you have set up the Master Key and Wallet method of encryption, you can provide GoldenGate data encryption between your source(s) and target(s).  This will automatically encrypt and decrypt the trail files.  This is an easy way to secure the GoldenGate trail files with GoldenGate data encryption.