Oracle GoldenGate Security – Credential Store for Database Logins
Table of Contents
___________________________________________________________________________________________________
1. Overview
2. Login to GoldenGate
3. Add/Create Credential store
4. Add user to credential store
4.1 Add user to credential store with ALIAS
— OR —
4.2 Add user to credential store with domain
— OR —
4.3 Add user with connect string
5.1 Info credential store with ALIAS
5.2 Info credential store with domain
6.1 Login to OGG with USERIDALIAS
— OR —
6.2 Login to OGG with USERIDALIAS and DOMAIN
7.1 Change password at GoldenGate level (ALIAS)
— OR —
7.2 Change password at GoldenGate level (DOMAIN)
8.1 Delete user with ALIAS or default
— OR —
8.2 Delete user with ALIAS and DOMAIN
___________________________________________________________________________________________________
1. Overview
Credential Store - OGG 12.1 New Feature
The credential store manages user IDs and their encrypted passwords.
A Credential Store is a User ID and Password storage mechanism that utilizes the auto login wallet within the Oracle Credential Store Framework to store and encrypt sensitive information, which in turn will be accessed by GoldenGate processes via ALIAS parameters, such as USERIDALIAS and ASMUSERIDALIAS.
The Credential Store is created in the default directory dircrd under the Oracle GoldenGate installation directory.
An ALIAS name cannot be changed; to rename one, delete the entry and re-create it.
Multiple ALIAS names can be created for the same user ID.
2. Login to GoldenGate
GGSCI (rac2.rajasekhar.com) 1> dblogin userid oggadmin, password oggadmin_123
Successfully logged into database.
GGSCI (rac2.rajasekhar.com as oggadmin@PDEV) 2>
3. Add/Create Credential store
GGSCI (rac2.rajasekhar.com as oggadmin@PDEV) 2> sh ls -ltr /u01/app/oracle/product/12.3/ogg/dircrd
total 0 <-----------
GGSCI (rac2.rajasekhar.com as oggadmin@PDEV) 3> ADD CREDENTIALSTORE
Credential store created.
GGSCI (rac2.rajasekhar.com as oggadmin@PDEV) 4> sh ls -ltr /u01/app/oracle/product/12.3/ogg/dircrd
total 4
-rw-r-----. 1 oracle oinstall 418 Apr 1 14:31 cwallet.sso <------
GGSCI (rac2.rajasekhar.com as oggadmin@PDEV) 5>
4. Add user to credential store
4.1 Add user to credential store with ALIAS
GGSCI (rac2.rajasekhar.com as oggadmin@PDEV) 5> ALTER CREDENTIALSTORE ADD USER oggadmin PASSWORD oggadmin_123 ALIAS ogg
Credential store altered.
GGSCI (rac2.rajasekhar.com as oggadmin@PDEV) 6>
—- OR —-
4.2 Add user to credential store with domain
GGSCI (rac2.rajasekhar.com as oggadmin@PDEV) 9> ALTER CREDENTIALSTORE ADD USER oggadmin PASSWORD oggadmin_123 ALIAS ogg DOMAIN gg
Credential store altered.
GGSCI (rac2.rajasekhar.com as oggadmin@PDEV) 10>
—- OR —-
4.3 Add user with connect string
GGSCI (rac2.rajasekhar.com as oggadmin@PDEV) 17> ALTER CREDENTIALSTORE ADD USER oggadmin@PDEV PASSWORD oggadmin_987 ALIAS oggs
Credential store altered.
GGSCI (rac2.rajasekhar.com as oggadmin@PDEV) 18>
5. Info credential store
5.1 Info credential store with ALIAS
GGSCI (rac2.rajasekhar.com as oggadmin@PDEV) 6> INFO CREDENTIALSTORE
Reading from credential store:
Default domain: OracleGoldenGate
Alias: ogg
Userid: oggadmin
GGSCI (rac2.rajasekhar.com as oggadmin@PDEV) 7>
--- OR ---
GGSCI (rac2.rajasekhar.com as oggadmin@PDEV) 19> ALTER CREDENTIALSTORE ADD USER oggadmin PASSWORD oggadmin_987 ALIAS ogg
Credential store altered.
GGSCI (rac2.rajasekhar.com as oggadmin@PDEV) 20> info CREDENTIALSTORE
Reading from credential store:
Default domain: OracleGoldenGate
Alias: oggs
Userid: oggadmin@PDEV
Alias: ogg
Userid: oggadmin
Other domains:
gg
To view other domains, use INFO CREDENTIALSTORE DOMAIN
GGSCI (rac2.rajasekhar.com as oggadmin@PDEV) 21>
—- OR —-
5.2 Info credential store with domain
GGSCI (rac2.rajasekhar.com as oggadmin@PDEV) 11> INFO CREDENTIALSTORE DOMAIN gg
Reading from credential store:
Domain: gg
Alias: ogg
Userid: oggadmin
GGSCI (rac2.rajasekhar.com as oggadmin@PDEV) 12>
6. Login to GoldenGate using USERIDALIAS
GGSCI (rac2.rajasekhar.com as oggadmin@PDEV) 7> DBLOGIN USERIDALIAS ogg
Successfully logged into database.
GGSCI (rac2.rajasekhar.com as oggadmin@PDEV) 8>
— OR —
6.2 Login to OGG with ALIAS and DOMAIN
GGSCI (rac2.rajasekhar.com as oggadmin@PDEV) 12> DBLOGIN USERIDALIAS ogg DOMAIN gg
Successfully logged into database.
GGSCI (rac2.rajasekhar.com as oggadmin@PDEV) 13>
-- If the password is changed at the database level for security reasons, it must be changed at the GoldenGate level as well.
SQL> alter user oggadmin identified by oggadmin_987;
User altered.
SQL>
7.1 Change password at GoldenGate level
GGSCI (rac2.rajasekhar.com) 1> DBLOGIN USERIDALIAS ogg
ERROR: Unable to connect to database using user oggadmin. Ensure that the necessary privileges are granted to the user.
OCI Error ORA (status = 1017-ORA-01017: invalid username/password; logon denied ).
GGSCI (rac2.rajasekhar.com) 2>
GGSCI (rac2.rajasekhar.com) 3> INFO CREDENTIALSTORE
Reading from credential store:
Default domain: OracleGoldenGate
Alias: ogg
Userid: oggadmin
GGSCI (rac2.rajasekhar.com) 4>
GGSCI (rac2.rajasekhar.com) 8> ALTER CREDENTIALSTORE REPLACE USER oggadmin PASSWORD oggadmin_987 ALIAS ogg
Credential store altered.
GGSCI (rac2.rajasekhar.com) 9> DBLOGIN USERIDALIAS ogg
Successfully logged into database.
GGSCI (rac2.rajasekhar.com as oggadmin@PDEV) 10>
— OR —
7.2 Change password at GoldenGate level (DOMAIN)
GGSCI (rac2.rajasekhar.com as oggadmin@PDEV) 14> INFO CREDENTIALSTORE DOMAIN gg
Reading from credential store:
Domain: gg
Alias: ogg
Userid: oggadmin
GGSCI (rac2.rajasekhar.com as oggadmin@PDEV) 15> ALTER CREDENTIALSTORE REPLACE USER oggadmin PASSWORD oggadmin_987 ALIAS ogg DOMAIN gg
Credential store altered.
GGSCI (rac2.rajasekhar.com as oggadmin@PDEV) 16> DBLOGIN USERIDALIAS ogg DOMAIN gg
Successfully logged into database.
GGSCI (rac2.rajasekhar.com as oggadmin@PDEV) 17>
8. Delete user
8.1 Delete user with ALIAS or default
GGSCI (rac2.rajasekhar.com) 18> ALTER CREDENTIALSTORE DELETE USER ogg
Credential store altered.
GGSCI (rac2.rajasekhar.com) 19>
— OR —
8.2 Delete user with ALIAS and DOMAIN
GGSCI (rac2.rajasekhar.com) 15> ALTER CREDENTIALSTORE DELETE USER ogg
ERROR: Credential domain 'OracleGoldenGate' not found in credential store.
GGSCI (rac2.rajasekhar.com) 16> ALTER CREDENTIALSTORE DELETE USER ogg DOMAIN gg
Credential store altered.
GGSCI (rac2.rajasekhar.com) 17>
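Once the aliases exist, two things decide whether the credential store actually protects the database login: no parameter file should still carry USERID ... PASSWORD, and cwallet.sso should stay as restricted as in the listing in section 3. The script below is an added example, not part of the original post. It assumes the default layout (parameter files as *.prm under dirprm, the wallet under dircrd) and GNU stat; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): audit an OGG home for
# credential-store hygiene. Assumes the default layout: parameter files in
# <OGG_HOME>/dirprm/*.prm and the wallet at <OGG_HOME>/dircrd/cwallet.sso.

# Print "file:line" for each active parameter line that still embeds a
# password (USERID ... PASSWORD ...) instead of referencing an alias.
# "--" comment lines and USERIDALIAS lines do not match the pattern.
find_embedded_logins() {
    grep -niE '^[[:space:]]*USERID[[:space:]]+.*PASSWORD[[:space:]]' \
        "$1"/*.prm /dev/null 2>/dev/null | cut -d: -f1,2
}

# Succeed only if the wallet exists, the group cannot write it and "other"
# has no access (0640 or stricter, matching the listing in section 3).
# An auto-login wallet opens without a password, so the file mode is its
# access control.
wallet_mode_ok() {
    [ -f "$1" ] || return 2
    case $(stat -c '%a' "$1") in      # GNU stat assumed
        *[0145]0) return 0 ;;
        *)        return 1 ;;
    esac
}

# Report both checks for one OGG home; non-zero exit status on any finding.
audit_ogg_home() {
    rc=0
    hits=$(find_embedded_logins "$1/dirprm")
    if [ -n "$hits" ]; then
        echo "embedded database passwords, migrate to USERIDALIAS:"
        echo "$hits"
        rc=1
    fi
    if ! wallet_mode_ok "$1/dircrd/cwallet.sso"; then
        echo "wallet missing or too permissive: $1/dircrd/cwallet.sso"
        rc=1
    fi
    return $rc
}
```

Run it as audit_ogg_home /u01/app/oracle/product/12.3/ogg (the home used in this post) after migrating the parameter files.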
Thank you,
Rajasekhar Amudala
Email: br8dba@gmail.com
Linkedin: https://www.linkedin.com/in/rajasekhar-amudala/
Excellent document anna garu