Oracle GoldenGate is a software product for logical data extraction and replication between different databases. It is not limited to Oracle: it also supports several other databases and even streaming platforms like Kafka.
To extract data from a database, and just as much to apply data to one, credentials (and of course the corresponding grants) are required on the target. To avoid having credentials in clear text in scripts, GoldenGate uses a credential store. Technically it is an ordinary Oracle wallet in the directory $GG_HOME/dircrd. To manage and use these credentials, in the command-line tool ggsci commands like
GGSCI (myhost) 1> ALTER CREDENTIALSTORE ADD USER usr5 PASSWORD pwd5 ALIAS usr5@SRV5 domain dom1
Credential store altered.
and
GGSCI (myhost) 2> info credentialstore
Reading from credential store:
Default domain: OracleGoldenGate
Alias: ogg@dg
Userid: ogg@dg
Alias: c##ogg@dgpdb1
Userid: c##ogg@dgpdb1
Alias: c##ogg@dgc
Userid: c##ogg@dgc
Other domains:
dom1
To view other domains, use INFO CREDENTIALSTORE DOMAIN <domain>
can be used.
To see what is really stored in the wallet (in case I need to extract some data from there), the well-known mkstore tool from my Oracle database binary installation can be used:
oracle@myhost:/u00/app/oracle/product/gg21_ora/dircrd/ [DGC] mkstore -wrl . -list
Oracle Secret Store Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2022, Oracle and/or its affiliates. All rights reserved.
Oracle Secret Store entries:
dom1@#3#@16908a4d-ali1
OracleGoldenGate@#3#@55928a5d-c##ogg@dgc
OracleGoldenGate@#3#@c478f3a2-c##ogg@dgpdb1
OracleGoldenGate@#3#@fabe8b1-ogg@dg
And to get the content of an element:
oracle@myhost:/u00/app/oracle/product/gg21_ora/dircrd/ [DGC] mkstore -wrl . -viewEntry OracleGoldenGate@#3#@fabe8b1-ogg@dg
Oracle Secret Store Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2022, Oracle and/or its affiliates. All rights reserved.
OracleGoldenGate@#3#@fabe8b1-ogg@dg = {pwd_cred_type}@#4#@NEVER_EXPIRE@#5#@ogg@dg_tns_alias@#111#@ogg_pwd
The first detail to notice here: no password is required to read the wallet, because dircrd holds an auto-login wallet (cwallet.sso), which is what Oracle's Credential Store Framework uses for GoldenGate. This makes it easy to have a centralized wallet and distribute it to all GoldenGate instances which require these credentials. It also means that anyone with read access to the directory can recover every stored password in clear text, so the filesystem permissions on dircrd are the only protection. I did not find any method to enforce a wallet password in GoldenGate.
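Because read access to the directory is all it takes, the check I would run on every GoldenGate host is whether dircrd contains only an auto-login wallet and who can read it. The following Python script is an added example and not part of the original post or of GoldenGate itself. It assumes the standard Oracle wallet file names (cwallet.sso for the auto-login wallet, ewallet.p12 for a password-protected PKCS#12 wallet) and evaluates the permission bits of every regular file in the directory; the sample directory contents at the bottom are constructed for illustration.

```python
import os
import stat

# Standard Oracle wallet file names (assumption: dircrd follows this layout).
# cwallet.sso is the auto-login wallet, readable without a password;
# ewallet.p12 is the password-protected PKCS#12 wallet.
AUTOLOGIN_WALLET = "cwallet.sso"
PKCS12_WALLET = "ewallet.p12"


def assess_wallet_files(files):
    """Classify a wallet directory given a {filename: st_mode} mapping.

    Returns whether the store can be opened without a password and which
    files are readable by the owning group or by everyone.
    """
    report = {
        "auto_login": AUTOLOGIN_WALLET in files,
        "password_protected": PKCS12_WALLET in files,
        "group_readable": [],
        "world_readable": [],
    }
    for name, mode in sorted(files.items()):
        if mode & stat.S_IRGRP:
            report["group_readable"].append(name)
        if mode & stat.S_IROTH:
            report["world_readable"].append(name)
    return report


def exposure_findings(report):
    """Turn a report into a list of findings; an empty list means nothing to flag."""
    findings = []
    if report["auto_login"]:
        findings.append("auto-login wallet present: contents readable without a password")
    for name in report["world_readable"]:
        findings.append(f"{name} is world-readable")
    for name in report["group_readable"]:
        if name not in report["world_readable"]:
            findings.append(f"{name} is group-readable")
    return findings


def audit_dircrd(path):
    """Stat every regular file in a real $GG_HOME/dircrd and report the findings."""
    files = {}
    with os.scandir(path) as it:
        for entry in it:
            if entry.is_file(follow_symlinks=False):
                files[entry.name] = entry.stat(follow_symlinks=False).st_mode
    return exposure_findings(assess_wallet_files(files))


# Constructed samples (not captured from a real system): a dircrd with the
# wallet left at mode 0644, and the same directory tightened to 0600.
SAMPLE_DEFAULT = {"cwallet.sso": 0o100644}
SAMPLE_TIGHTENED = {"cwallet.sso": 0o100600}

if __name__ == "__main__":
    for label, files in (("default", SAMPLE_DEFAULT), ("tightened", SAMPLE_TIGHTENED)):
        print(label, exposure_findings(assess_wallet_files(files)))
```

On a live host, `audit_dircrd("/u00/app/oracle/product/gg21_ora/dircrd")` does the same against the real directory. Even the tightened case still reports the auto-login wallet: chmod only limits who can read it, the wallet itself stays password-less.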
Another detail that catches my eye is the syntax and the keywords used in the wallet entries:
OracleGoldenGate@#3#@fabe8b1-ogg@dg = {pwd_cred_type}@#4#@NEVER_EXPIRE@#5#@ogg@dg_tns_alias@#111#@ogg_pwd
First, there are delimiters within the text, such as @#3#@. The meaning of the numbers is not documented anywhere, but it can be deduced from the structure of the line.
OracleGoldenGate matches the domain, ogg@dg is the alias, ogg@dg_tns_alias is the username and of course ogg_pwd is the password; {pwd_cred_type} evidently marks the credential type and NEVER_EXPIRE an expiry setting, while the token between @#3#@ and the alias (fabe8b1) appears to be a generated prefix. All relevant bits of information can be retrieved from the wallet without any significant problem.
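Putting that deduction into code makes it easy to turn a dump of the whole store into a domain/alias/userid/password table. The following Python parser is an added example, not part of the original post and not an Oracle tool. It assumes the delimiters and field order exactly as shown in the mkstore output above (@#3#@ between domain and entry name, @#4#@, @#5#@ and @#111#@ between the value fields); the name "prefix" for the hex-looking token before the alias is my own label, and the sample strings are constructed after the listing above rather than captured from a real system.

```python
from dataclasses import dataclass

# Delimiters as they appear in the mkstore output above (and in libggnnzitp.so).
KEY_SEP = "@#3#@"        # domain | <prefix>-<alias>
TYPE_SEP = "@#4#@"       # {pwd_cred_type} | expiry
EXPIRY_SEP = "@#5#@"     # expiry | userid
USERID_SEP = "@#111#@"   # userid | password


@dataclass(frozen=True)
class GGCredential:
    domain: str
    alias: str
    prefix: str      # hex-looking token between the domain delimiter and the alias (label is an assumption)
    cred_type: str
    expiry: str
    userid: str
    password: str


def parse_key(key):
    """Split a wallet entry name into (domain, prefix, alias)."""
    domain, rest = key.split(KEY_SEP, 1)
    # The alias itself may contain '-', so only split on the first one.
    prefix, alias = rest.split("-", 1)
    return domain, prefix, alias


def parse_view_entry(line):
    """Parse one 'key = value' line as printed by mkstore -viewEntry."""
    key, value = (part.strip() for part in line.split(" = ", 1))
    domain, prefix, alias = parse_key(key)
    # Split left to right on the first occurrence of each delimiter, so a
    # password that happened to contain '@#' still ends up intact in the last field.
    cred_type, rest = value.split(TYPE_SEP, 1)
    expiry, rest = rest.split(EXPIRY_SEP, 1)
    userid, password = rest.split(USERID_SEP, 1)
    return GGCredential(domain, alias, prefix, cred_type.strip("{}"), expiry, userid, password)


def parse_listing(text):
    """Return (domain, alias) for each entry in mkstore -list output, skipping the banner."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if KEY_SEP in line and " = " not in line:
            domain, _prefix, alias = parse_key(line)
            entries.append((domain, alias))
    return entries


def entries_by_domain(text):
    """Group aliases per domain, like ggsci's INFO CREDENTIALSTORE does."""
    grouped = {}
    for domain, alias in parse_listing(text):
        grouped.setdefault(domain, []).append(alias)
    return grouped


# Constructed samples modelled on the output shown above (not captured from a real system).
SAMPLE_LIST = """\
Oracle Secret Store Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2022, Oracle and/or its affiliates. All rights reserved.

Oracle Secret Store entries:
dom1@#3#@16908a4d-ali1
OracleGoldenGate@#3#@55928a5d-c##ogg@dgc
OracleGoldenGate@#3#@c478f3a2-c##ogg@dgpdb1
OracleGoldenGate@#3#@fabe8b1-ogg@dg
"""

SAMPLE_VIEW = ("OracleGoldenGate@#3#@fabe8b1-ogg@dg = "
               "{pwd_cred_type}@#4#@NEVER_EXPIRE@#5#@ogg@dg_tns_alias@#111#@ogg_pwd")

if __name__ == "__main__":
    print(entries_by_domain(SAMPLE_LIST))
    cred = parse_view_entry(SAMPLE_VIEW)
    print(f"{cred.domain}/{cred.alias}: user={cred.userid} password={cred.password} expiry={cred.expiry}")
```

To dump a real store, feed the output of `mkstore -wrl $GG_HOME/dircrd -list` to `parse_listing`, then run `mkstore -viewEntry` for each key and pass every resulting line to `parse_view_entry`.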
Unfortunately, none of these keywords is documented anywhere either, but at least they can be found in the binary libggnnzitp.so:
$ strings libggnnzitp.so | grep -B 20 NEVER_EXPIRE
ldap username not set.
No key in bootstrap wallet with key name=
...for map name=
No map in bootstrap wallet with name=
ldap rootname not set.
ldap farmname not set.
ldap url not set.
bootstrap wallet entry key not set.
bootstrap wallet entry map (alias) not set.
bootstrap wallet path not set.
@#3#@
{pwd_cred_type}
@#5#@
@#111#@
nzcsfCCS_CloseCredStore
Error closing Wallet store
Error closing LDAP store
Error freeing cred store list
No Wallet specified to close cred store
@#4#@
NEVER_EXPIRE
All these bits should be a good starting point for anyone who wants to dig deeper into GoldenGate's credential management.