Oracle internals, debugging and undocumented features
Oracle GoldenGate and Encrypted Tablespaces (TDE) in 11.2
May 16, 2011
To make GG work with encrypted tablespaces you have to apply a database patch:
Patch 10395645 for Oracle 18.104.22.168.
mkstore -wrl ./ -createEntry ORACLE.SECURITY.CL.ENCRYPTION.ORACLEGG
Supply the shared secret for GG (not the wallet password). The last step is to supply the wallet password.
Copy the ewallet.p12 file to the other nodes (if running RAC but not sharing the wallet location).
Do not forget standby databases if you have them.
If you would like to see the shared secret for GG, you can run:
mkstore -wrl /u01/app/oracle/wallet -viewEntry ORACLE.SECURITY.CL.ENCRYPTION.ORACLEGG
Create the package dbms_internal_clkm. The package code is created by running the script prvtclkm.plb located under the GG home. Once the package is created, grant the execute privilege to the GG user:
grant execute on dbms_internal_clkm to gguser;
This package has only one procedure, called GET_KEY, with the following parameters:
SQL> desc dbms_internal_clkm
Argument Name                  Type                    In/Out Default?
------------------------------ ----------------------- ------ --------
CLIENT                         VARCHAR2                IN
MASTER_KEY_ID                  VARCHAR2                IN
WRAPPED_KEY                    VARCHAR2                IN
FLAGS                          BINARY_INTEGER          IN
KEY                            VARCHAR2                OUT
Encrypt the shared secret key:
GGSCI> ENCRYPT PASSWORD "shared key"
Add an entry to the Extract parameter file to decrypt the new shared password:
DBOPTIONS DECRYPTPASSWORD "SHARED KEY"
Close and open the wallet to clear caches. If the wallet is enabled with auto login (file cwallet.sso), then disable it temporarily to close and open the wallet.
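A way to confirm the wallet copy step across RAC nodes and standbys, written as an added example that is not part of the original post or of any Oracle tooling. It compares ewallet.p12 across wallet directories, flags files readable beyond the owner, and reports where cwallet.sso (auto login) is present. The function names, finding labels and demo paths are assumptions, and it assumes Linux with sha256sum and stat -c.

```shell
#!/bin/sh
# Added example, not Oracle tooling. Assumes Linux (sha256sum, stat -c).
# check_wallets DIR... : one finding per line; returns 1 on any problem.
check_wallets() {
    local ref_hash="" ref_dir="" rc=0 dir f hash mode
    for dir in "$@"; do
        f="$dir/ewallet.p12"
        if [ ! -f "$f" ]; then
            echo "MISSING $f"; rc=1; continue
        fi
        hash=$(sha256sum "$f" | cut -d' ' -f1)
        if [ -z "$ref_hash" ]; then
            ref_hash=$hash; ref_dir=$dir   # first wallet found is the reference
        elif [ "$hash" != "$ref_hash" ]; then
            echo "MISMATCH $f differs from $ref_dir/ewallet.p12"; rc=1
        fi
        # The wallet now stores the GG shared secret: owner-only access.
        mode=$(stat -c '%a' "$f")
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "PERMS $f has mode $mode"; rc=1
        fi
        # Informational: auto login is on here, so the close/open step
        # needs cwallet.sso disabled temporarily on this node.
        if [ -f "$dir/cwallet.sso" ]; then
            echo "AUTOLOGIN $dir/cwallet.sso present"
        fi
    done
    return $rc
}

# Constructed input: temp dirs stand in for two RAC nodes and a standby.
demo() {
    local t rc=0
    t=$(mktemp -d)
    mkdir "$t/node1" "$t/node2" "$t/standby"
    printf 'wallet with ORACLEGG entry' > "$t/node1/ewallet.p12"
    printf 'wallet copied before mkstore' > "$t/node2/ewallet.p12"
    chmod 600 "$t/node1/ewallet.p12"
    chmod 644 "$t/node2/ewallet.p12"
    check_wallets "$t/node1" "$t/node2" "$t/standby" || rc=$?
    rm -rf "$t"
    return $rc
}

if [ "$#" -gt 0 ]; then check_wallets "$@"; else demo || true; fi
```

Run it with the wallet directories as arguments (for example, locally mounted or copied-back paths from each node); with no arguments it runs the constructed demo.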