Wednesday, January 8, 2014

GoldenGate: 12c Credential Store Secure Login

The Credential Store is a new 12c security feature in GoldenGate that has been implemented as an autologin wallet in Oracle’s Credential Store Framework.  User IDs and passwords are encrypted in the store and, as a result, an encryption key in the connection string is no longer needed.

The default location of the store is in the ./dircrd directory of the GoldenGate software home.  If you want to change the location, you can edit the ./GLOBALS file with the following CREDENTIALSTORELOCATION parameter.

GGSCI> edit params ./GLOBALS


CREDENTIALSTORELOCATION /home/oracle/ggs/dircrd


You must exit and restart ggsci before proceeding or the file will be created in the default location.

GGSCI> exit

$ ./ggsci

GGSCI> add credentialstore

Credential store created in /home/oracle/ggs/dircrd/.

GGSCI> exit

$ ls /home/oracle/ggs/dircrd
cwallet.sso


Once the credential store has been created, users and passwords can be added to it.  One of the key features of the store is the use of domains, which can be used to logically group login aliases.  The same alias can be defined in different domains with different credentials.  This can be handy when developing and testing in different database environments from the same GoldenGate installation.  The default domain is “Oracle GoldenGate”.

In this example, the user c##ggsadmin is added to the store in the “test” domain.  If the “password” keyword is omitted, GoldenGate will prompt for the password and hide it from the output.

GGSCI> alter credentialstore add user c##ggsadmin, alias ggsadm, domain test
Password:

Credential store in /home/oracle/ggs/dircrd/ altered.


If you want to see the information maintained in the store, you can use the INFO CREDENTIALSTORE command.  If you don’t specify the domain, it will default to “Oracle GoldenGate”.  As you can see below, the default domain is still empty.

GGSCI> info credentialstore

Reading from /home/oracle/ggs/dircrd/:

No information found in credential store.

GGSCI> info credentialstore domain test

Reading from /home/oracle/ggs/dircrd/:

Domain: test
  Alias: ggsadm
  Userid: c##ggsadmin


In older versions of GoldenGate, you had to supply the username and password, either in plain text or encrypted, as your login credentials.


Using DBLOGIN at the command line.

GGSCI> DBLOGIN USERID c##ggsadmin@orcl, PASSWORD AACAAAAAAAAAAAJAUEUGODSCVGJEEIUGKJDJTFNDKEJFFFTC AES128, ENCRYPTKEY securekey1

Successfully logged into database CDB$ROOT.


Using credentials in the parameter files.

GGSCI> edit params e1aa


EXTRACT e1aa
USERID c##ggsadmin@orcl, PASSWORD AACAAAAAAAAAAAJAUEUGODSCVGJEEIUGKJDJTFNDKEJFFFTC AES128, ENCRYPTKEY securekey1
LOGALLSUPCOLS
EXTTRAIL ./dirdat/aa

TABLE pdborcl.scott.emp;
TABLE pdborcl.scott.dept;

SOURCECATALOG pdborcl
TABLE scott.bonus;
TABLE scott.salgrade;


In 12c, the credential store secures the information and makes the connection much easier through the use of the alias that was created.


Using DBLOGIN at the command line.

GGSCI> dblogin useridalias ggsadm domain test

Successfully logged into database CDB$ROOT.


Using credentials in the parameter files.

GGSCI> edit params e1aa


EXTRACT e1aa
USERIDALIAS ggsadm domain test
LOGALLSUPCOLS
EXTTRAIL ./dirdat/aa

TABLE pdborcl.scott.emp;
TABLE pdborcl.scott.dept;

SOURCECATALOG pdborcl
TABLE scott.bonus;
TABLE scott.salgrade;
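As an added example (not part of the original post), a small POSIX shell check that audits a directory of parameter files for the pre-12c USERID/PASSWORD login form so they can be moved to a credential-store USERIDALIAS; the two e1aa parameter files are constructed inline from the versions shown above, and the file and directory names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: audit GoldenGate parameter
# files for the pre-12c USERID/PASSWORD login form so they can be moved to
# a credential-store USERIDALIAS. Sample .prm files are constructed inline.
set -e

# Write constructed copies of the two e1aa parameter files shown above.
make_sample_files() {
  mkdir -p "$1"
  cat > "$1/e1aa_old.prm" <<'EOF'
EXTRACT e1aa
USERID c##ggsadmin@orcl, PASSWORD AACAAAAAAAAAAAJAUEUGODSCVGJEEIUGKJDJTFNDKEJFFFTC AES128, ENCRYPTKEY securekey1
LOGALLSUPCOLS
EXTTRAIL ./dirdat/aa
EOF
  cat > "$1/e1aa_new.prm" <<'EOF'
EXTRACT e1aa
USERIDALIAS ggsadm domain test
LOGALLSUPCOLS
EXTTRAIL ./dirdat/aa
EOF
}

# Exit 0 when a file has a "USERID ... , PASSWORD ..." line (plain or
# ENCRYPTKEY-encrypted). USERIDALIAS lines do not match because the
# pattern requires whitespace directly after USERID. GGSCI keywords are
# case-insensitive, hence -i.
has_inline_password() {
  grep -Eiq '^[[:space:]]*USERID[[:space:]].*,[[:space:]]*PASSWORD[[:space:]]' "$1"
}

# Report each offending .prm file on stderr and print the count on stdout.
count_legacy_params() {
  count=0
  for f in "$1"/*.prm; do
    if has_inline_password "$f"; then
      echo "legacy USERID/PASSWORD login in $f" >&2
      count=$((count + 1))
    fi
  done
  echo "$count"
}

# Stand-alone run against the constructed samples (prints a count of 1).
demo_dir=$(mktemp -d)
make_sample_files "$demo_dir"
count_legacy_params "$demo_dir"
rm -rf "$demo_dir"
```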
