1. Oracle GoldenGate Microservices Documentation
  2. Secure
  3. Oracle GoldenGate Security Feature: Implementation
  4. Managing Identities in a Credential Store

Managing Identities in a Credential Store

Oracle GoldenGate uses credential stores to maintain encrypted database passwords and user IDs and associate them with an alias.

Starting with Oracle GoldenGate 23c, maximum password length has been increased to 1024 bytes.

It is the alias, not the actual user ID or password, that is specified in a command or parameter file, and no user input of an encryption key is required. The credential store is implemented as an autologin wallet within the Oracle Credential Store Framework (CSF).

Another benefit of using a credential store is that multiple installations of Oracle GoldenGate can use the same one, while retaining control over their local credentials. You can partition the credential store into logical containers known as domains, for example, one domain per installation of Oracle GoldenGate. Domains enable you to develop one set of aliases and then assign different local credentials to those aliases in each domain. For example, credentials for user ogg1 can be stored as ALIAS ext under DOMAIN system1, while credentials for user ogg2 can be stored as ALIAS ext under DOMAIN system2.

Topics:

Credential Store Tasks

  1. (Optional) To store the credential store in a location other than the dircrd subdirectory of the Oracle GoldenGate installation directory, specify the desired location with the CREDENTIALSTORELOCATION parameter in the GLOBALS file.
  2. From the Oracle GoldenGate installation directory, start the command line.
  3. After using the CONNECT command to login to the deployment (when using the Admin Client), isssue the following commands to perform various tasks with the credential store.
    Command Description

    ADD CREDENTIALSTORE

    Adds a database credential store.

    ALTER CREDENTIALSTORE

    Adds each set of credentials to the credential store.

    INFO CREDENTIALSTORE

    Retrieves information about an Oracle GoldenGate credential store. This information includes the aliases that a credential store contains and the user IDs that correspond to them. The encrypted passwords in the credential store are not returned.

    DELETE CREDENTIALSTORE

    Removes a credential store from the system. The credential store wallet and its contents are permanently deleted.

Specifying the Alias in a Parameter File or Command

The following commands and parameters accept an alias as substitution for a login credential.

Table 10-2 Specifying Credential Aliases in Parameters and Commands

Purpose of the Credential Parameter or Command to Use

Oracle GoldenGate database login.

 
USERIDALIAS alias

Oracle GoldenGate database login for a downstream Oracle mining database.

 
TRANLOGOPTIONS MININGUSERALIAS alias

Password substitution for {CREATE | ALTER} USER name IDENTIFIED BY password.

 
DDLOPTIONS DEFAULTUSERPASSWORDALIAS alias

Oracle GoldenGate database login from the Admin Client.

 
DBLOGIN USERIDALIAS alias

Oracle GoldenGate database login to a downstream Oracle mining database from the Admin Client.

 
MININGDBLOGIN USERIDALIAS alias

Encrypting and Storing User Credentials

As you set up and install Oracle GoldenGate, you must occasionally log-in to the database by using the DBLOGIN command, for tasks such as adding supplemental logging with the ADD TRANDATA command.

Encrypting the login password is a recommended security measure. However, using a secure password in the standard DBLOGIN command requires first encrypting it by using the ENCRYPT PASSWORD command. To avoid this step while protecting the user ID from exposure, you can create an Oracle GoldenGate credential store before you start setting up and configuring the user credentials.

When you use a credential store, you only have to supply an alias for the login credential whenever you log in with DBLOGIN. The credential store also makes the work of specifying login credentials for the Extract and Replicat processes easier and more secure when configuring the parameter files. You can create basic entries in the credential store at first and then use the management commands to expand it as needed. You can create an encryption profile using the Admin Client to set up your credential store.