2023-05-01

GoldenGate's credential store content

Oracle GoldenGate is software that enables logical data extraction and replication between different databases. It's not limited to Oracle but also supports several other databases and even streaming platforms like Kafka.

To extract data from a database, and also to apply data to one, credentials (and of course grants) are required on the targets. To avoid having credentials in clear text in some scripts, GoldenGate uses a credential store. Technically, it's a well-known Oracle wallet in the directory $GG_HOME/dircrd. To use these credentials, commands in the command-line tool ggsci like

GGSCI (myhost) 1> ALTER CREDENTIALSTORE ADD USER usr5 PASSWORD pwd5 ALIAS usr5@SRV5 domain dom1

Credential store altered.
and

GGSCI (myhost) 2> info credentialstore 

Reading from credential store:

Default domain: OracleGoldenGate

  Alias: ogg@dg
  Userid: ogg@dg

  Alias: c##ogg@dgpdb1
  Userid: c##ogg@dgpdb1

  Alias: c##ogg@dgc
  Userid: c##ogg@dgc


Other domains: 

  dom1

To view other domains, use INFO CREDENTIALSTORE DOMAIN <domain>

can be used.

To see what's really stored in the wallet - in case I need to extract some data from there - the well-known mkstore tool (from my Oracle database binary installation) can be used:

oracle@myhost:/u00/app/oracle/product/gg21_ora/dircrd/ [DGC] mkstore -wrl . -list
Oracle Secret Store Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2022, Oracle and/or its affiliates. All rights reserved.

Oracle Secret Store entries: 
dom1@#3#@16908a4d-ali1
OracleGoldenGate@#3#@55928a5d-c##ogg@dgc
OracleGoldenGate@#3#@c478f3a2-c##ogg@dgpdb1
OracleGoldenGate@#3#@fabe8b1-ogg@dg

And to get the content of an element:

oracle@myhost:/u00/app/oracle/product/gg21_ora/dircrd/ [DGC] mkstore -wrl . -viewEntry OracleGoldenGate@#3#@fabe8b1-ogg@dg
Oracle Secret Store Tool Release 19.0.0.0.0 - Production
Version 19.4.0.0.0
Copyright (c) 2004, 2022, Oracle and/or its affiliates. All rights reserved.

OracleGoldenGate@#3#@fabe8b1-ogg@dg = {pwd_cred_type}@#4#@NEVER_EXPIRE@#5#@ogg@dg_tns_alias@#111#@ogg_pwd


The first detail to notice here: no password is required to read the wallet. This makes it easy to have a centralized wallet and distribute it to all GoldenGate instances that require these credentials. I did not find any method to enforce a wallet password in GoldenGate.

Another detail that catches my eye is the syntax and the keywords used in the wallet's entries:

OracleGoldenGate@#3#@fabe8b1-ogg@dg = {pwd_cred_type}@#4#@NEVER_EXPIRE@#5#@ogg@dg_tns_alias@#111#@ogg_pwd

First, there are delimiters within the text, such as @#3#@. The meaning of the numbers isn't documented anywhere, but their meaning can be deduced from the syntax of the line: OracleGoldenGate is the domain, ogg@dg is the alias, ogg@dg_tns_alias the username and, of course, ogg_pwd the password. All relevant bits of information can be retrieved from the wallet without any significant problem.
Unfortunately, none of the keywords are defined anywhere, but at least I could find them in the binary libggnnzitp.so:

$ strings libggnnzitp.so | grep -B 20 NEVER_EXPIRE
ldap username not set.
No key in bootstrap wallet with key name=
...for map name=
No map in bootstrap wallet with name=
ldap rootname not set.
ldap farmname not set.
ldap url not set.
bootstrap wallet entry key not set.
bootstrap wallet entry map (alias) not set.
bootstrap wallet path not set.
@#3#@
{pwd_cred_type}
@#5#@
@#111#@
nzcsfCCS_CloseCredStore
Error closing Wallet store
Error closing LDAP store
Error freeing cred store list
No Wallet specified to close cred store
@#4#@
NEVER_EXPIRE
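
As an added example (not from the original post), here is a small Python parser for the entry layout deduced above, written from an audit point of view: it splits on the full @#N#@ tokens rather than on a bare '@' (aliases and GoldenGate userids contain '@') and reports domain, alias, userid and expiry per entry while discarding the password itself. The sample mkstore output is constructed; the second entry's userid and value are invented for illustration.

```python
import re
from dataclasses import dataclass

# Field separators seen in the wallet entries; the numbers are undocumented and the
# field order is deduced from the example line on this page.
SEP_ALIAS, SEP_EXPIRY, SEP_USER, SEP_PWD = "@#3#@", "@#4#@", "@#5#@", "@#111#@"

# Constructed sample of 'mkstore -viewEntry' output: the first entry is the one shown
# on this page, the second (dom1/ali1 with userid usr5) is made up for illustration.
SAMPLE_OUTPUT = """Oracle Secret Store Tool Release 19.0.0.0.0 - Production
OracleGoldenGate@#3#@fabe8b1-ogg@dg = {pwd_cred_type}@#4#@NEVER_EXPIRE@#5#@ogg@dg_tns_alias@#111#@ogg_pwd
dom1@#3#@16908a4d-ali1 = {pwd_cred_type}@#4#@NEVER_EXPIRE@#5#@usr5@#111#@pwd5
"""

# value layout: {cred_type}@#4#@expiry@#5#@userid@#111#@password
VALUE_RE = re.compile(
    r"\{(?P<ctype>[^}]*)\}" + re.escape(SEP_EXPIRY) + r"(?P<exp>.*?)"
    + re.escape(SEP_USER) + r"(?P<user>.*?)" + re.escape(SEP_PWD) + r"(?P<pwd>.*)")

@dataclass
class CredEntry:
    domain: str
    alias_id: str       # hex prefix mkstore prints in front of the alias
    alias: str
    cred_type: str
    expiry: str
    username: str
    password_set: bool  # only whether a secret is present; its value is discarded

def parse_entry(line: str) -> CredEntry:
    """Parse one 'key = value' line. Split on the full @#N#@ tokens, never on a
    bare '@': aliases and GoldenGate userids (user@tns_alias) contain '@'."""
    key, sep, value = line.partition(" = ")
    domain, sep2, rest = key.partition(SEP_ALIAS)
    alias_id, sep3, alias = rest.partition("-")
    m = VALUE_RE.fullmatch(value)
    if not (sep and sep2 and sep3 and m):
        raise ValueError(f"unexpected entry layout: {key!r}")
    return CredEntry(domain, alias_id, alias, m["ctype"], m["exp"], m["user"], bool(m["pwd"]))

def inventory(output: str) -> list:
    """Audit inventory (domain, alias, userid, expiry) from mkstore output; banner
    lines are skipped and the stored password is never echoed."""
    rows = []
    for line in output.splitlines():
        if " = " in line:
            e = parse_entry(line)
            rows.append(f"{e.domain}/{e.alias}: user={e.username} expiry={e.expiry} "
                        f"password={'set' if e.password_set else 'EMPTY'}")
    return rows
```

Running inventory() over the real output of mkstore -viewEntry for each listed key gives a quick check that only the expected userids and domains are present in a distributed wallet.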

All these bits should be a good starting point for everyone who wants to dig deeper into GoldenGate's credential management.
