GoldenGate软件已经被很多大型企业用于数据容灾。如果用作异地备份容灾,很多是需要通过租用公网的线路进行传输,而这些数据很多都是企业的机密,为了防止机密数据被黑客获取进而损害企业的利益,需要对GoldenGate的安全做一些增强。
除了通过制定操作系统和数据库级别安全防范措施以外,还可以在GoldenGate层面来制定相应的安全策略。在本地可以通过加密trail文件和数据库文件来保护GoldenGate抽取到的数据。在网络传输过程中GoldenGate也可以加密传输的数据,用户可以自己定义key来加密数据,使得黑客就算获取了数据也无法对其解密。
下面来一一介绍着几种保护GoldenGate和数据安全的方法。
一、加密trail文件
加密extract trail文件非常的简单,只需要在Extract参数文件中加入ENCRYPTTRAIL参数。Extract进程就会对加入参数以后生成的trail文件进行加密。如果生产端trail文件加密,那么在容灾端参数文件中必须加入对应的DECRYPTTRAIL参数解密trail文件再入库。
下面用logdump(查看GoldenGate trial文件的工具)对比一下加密之前和加密以后trail文件中内容的变化。
没加密之前Extract的内容:
示例1:
GGSCI (OE5) 55> view params extma
EXTRACT extma
userid GoldenGate@orcl1, password GoldenGate
setenv (NLS_LANG="AMERICAN_AMERICA.WE8ISO8859P1")
GETTRUNCATES
REPORTCOUNT EVERY 1 MINUTES, RATE
numfiles 50000
DISCARDFILE ./dirrpt/extma.dsc,APPEND,MEGABYTES 50
WARNLONGTRANS 2h,CHECKINTERVAL 3m
EXTTRAIL ./dirdat/ma
DBOPTIONS ALLOWUNUSEDCOLUMN
TRANLOGOPTIONS CONVERTUCS2CLOBS
DYNAMICRESOLUTION
table scott.* ;
没加密之前Extract trail文件的内容:
示例2:
Logdump 55 >open ./dirdat/ma000001
Current LogTrail is /opt/GoldenGate/orcl1/dirdat/ma000001
Logdump 56 >ghdr on
Logdump 57 >detail data
Logdump 58 >ggstoken detail
Logdump 59 >pos 0
Reading forward from RBA 0
Logdump 60 >n
Logdump 65 >n
___________________________________________________________________
Hdr-Ind : E (x45) Partition : . (x04)
UndoFlag : . (x00) BeforeAfter: A (x41)
RecLength: 23 (x0017)I/O Time : 2011/03/22 00:09:39.000.000
IOType : 5 (x05) OrigNode : 255 (xff)
TransInd : . (x00) FormatType: R (x52)
SyskeyLen : 0 (x00) Incomplete: . (x00)
AuditRBA : 2 AuditPos : 29881732
Continued : N (x00) RecCount : 1 (x01)
2011/03/22 00:09:39.000.000 Insert Len 23 RBA 1391
Name: SCOTT.TEST
After Image: Partition 4 G b
0000 0005 0000 0001 3100 0100 0a00 0000 066f 7261| ……1……ora
636c 65 | cle
Column 0 (x0000), Len 5 (x0005)
0000 0001 31 | …1
Column 1 (x0001), Len 10 (x000a)
0000 0006 6f72 6163 6c65 | …oracle --可以明显的看到单词
GGS tokens:
TokenID x52 'R' ORAROWID Info x00 Length 20
4141 414d 3058 4141 4541 4141 4147 5741 4141 0001| AAAM0XAAEAAAAGWAAA
TokenID x4c 'L' LOGCSN Info x00 Length 6
3438 3937 3831 | 489781
TokenID x36 '6' TRANID Info x00 Length 8
392e 3130 2e32 3939 | 9.299
接下来再在参数文件中加入ENCRYPTTRAIL参数,使其对trail文件加密:
示例3:
GGSCI (OE5) 55> view params extma
EXTRACT extma
userid GoldenGate@orcl1, password GoldenGate
setenv (NLS_LANG="AMERICAN_AMERICA.WE8ISO8859P1")
GETTRUNCATES
REPORTCOUNT EVERY 1 MINUTES, RATE
numfiles 50000
DISCARDFILE ./dirrpt/extma.dsc,APPEND,MEGABYTES 50
WARNLONGTRANS 2h,CHECKINTERVAL 3m
ENCRYPTTRAIL
EXTTRAIL ./dirdat/ma
DBOPTIONS ALLOWUNUSEDCOLUMN
TRANLOGOPTIONS CONVERTUCS2CLOBS
DYNAMICRESOLUTION
table scott.* ;
再查看加密后生成的Extract trail文件内容:
示例4:
Logdump 66 >open ./dirdat/ma000002
Current LogTrail is /opt/GoldenGate/orcl1/dirdat/ma000002
Logdump 67 >ghdr on
Logdump 68 >detail data
Logdump 69 >ggstoken detail
Logdump 74 >n
___________________________________________________________________
Hdr-Ind : E (x45) Partition : . (x04)
UndoFlag : . (x00) BeforeAfter: A (x41)
RecLength : 24 (x0018)I/O Time : 2011/03/22 00:35:13.000.000
IOType : 5 (x05) OrigNode : 255 (xff)
TransInd : . (x01) FormatType: R (x52)
SyskeyLen : 0 (x00) Incomplete: . (x00)
AuditRBA : 2 AuditPos : 31891236
Continued : N (x00) RecCount : 1 (x01)
2011/03/22 00:35:13.000.000 Insert Len 24 RBA 1212
Name: SCOTT.TEST
After Image: Partition 4 G m
5e50 86ba af70 962b cc52 5bf9 a3f7 9760 7eda abd0| ^P…p.+.R[…`~…
–加密后看到的是不可识别的密文
c092 111e | …
Bad compressed block, found length of 34490 (x86ba), RBA 1212
GGS tokens:
TokenID x52 'R' ORAROWID Info x00 Length 20
4141 414d 3058 4141 4541 4141 4147 5741 4130 0001| AAAM0XAAEAAAAGWAA0
加密后容灾端进程abend。
下面是容灾端进程的参数和错误信息:
示例5:
GGSCI (OE5) 3> view params repma
REPLICAT repma
USERID GoldenGate@orcl2, PASSWORD GoldenGate
setenv (NLS_LANG="AMERICAN_AMERICA.WE8ISO8859P1")
--REPORT AT 01:59
REPORTCOUNT EVERY 30 MINUTES, RATE
REPERROR DEFAULT, abend
numfiles 50000
DBOPTIONS ALLOWUNUSEDCOLUMN
MAXTRANSOPS 500000
GROUPTRANSOPS 10000
CHECKPOINTSECS 40
--HANDLECOLLISIONS
assumetargetdefs
DISCARDFILE ./dirrpt/repma.dsc, APPEND, MEGABYTES 50
GETTRUNCATES
ALLOWNOOPUPDATES
map scott.* , target scott.* ;
-----ERROR信息―――――――
Source Context :
SourceModule : [ggstd.conv.endian]
SourceID : [/mnt/ecloud/workspace/Build_FBO_OpenSys_r11.1.
1.0.11_001_[41228]/perforce/src/gglib/ggstd/
lecnv.c]
SourceFunction : [convCompSQL]
SourceLine : [531]
ThreadBacktrace : [9] elements
: [/opt/GoldenGate/orcl2/replicat(CMessageContext::
AddThreadContext()+0x26) [0x82021d6]]
: [/opt/GoldenGate/orcl2/replicat(CMessageFactory::
CreateMessage(CSourceContext*, unsigned int, …) +0x817) [0x81f8887]]
: [/opt/GoldenGate/orcl2/replicat(_MSG_ERR_MAP_
COL_INDEX_INVALID(CSourceContext*, DBString<777> const&, int, int, CMessageFactory::Message-
Disposition)+0x8b) [0x81d6c4b]]
: [/opt/GoldenGate/orcl2/replicat [0x84aa2bc]]
: [/opt/GoldenGate/orcl2/replicat(ggConvRecLE(char*,
file_def*, int, char, char)+0x4d) [0x84aa3bd]]
: [/opt/GoldenGate/orcl2/replicat [0x849dd2d]]
: [/opt/GoldenGate/orcl2/replicat(main+0x1f8b) [0x812670b]]
: [/lib/libc.so.6(__libc_start_main+0xdc) [0x68de8c]]
: [/opt/GoldenGate/orcl2/replicat(__gxx_ personality_v0+0x1b5) [0x810a171]]
2011-03-22 00:36:37 ERROR OGG-01161 Bad column index (24144) specified for table SCOTT.TEST, max columns = 2.
根据错误信息猜测是由于抽取进程加密了trail文件,Replicat进程无法还原为真实的信息,导致了进程abend。
下面在容灾端参数文件中加入DECRYPTTRAIL参数,让其对trail文件解密并查看进程的状态:
示例6:
GGSCI (OE5) 3> view params repma
REPLICAT repma
USERID GoldenGate@orcl2, PASSWORD GoldenGate
setenv (NLS_LANG="AMERICAN_AMERICA.WE8ISO8859P1")
--REPORT AT 01:59
REPORTCOUNT EVERY 30 MINUTES, RATE
REPERROR DEFAULT, abend
DECRYPTTRAIL -----加入解密参数
numfiles 50000
DBOPTIONS ALLOWUNUSEDCOLUMN
MAXTRANSOPS 500000
GROUPTRANSOPS 10000
CHECKPOINTSECS 40
--HANDLECOLLISIONS
assumetargetdefs
DISCARDFILE ./dirrpt/repma.dsc, APPEND, MEGABYTES 50
GETTRUNCATES
ALLOWNOOPUPDATES
map scott.* , target scott.* ;
GGSCI (OE5) 14> info all
Program Status Group Lag Time Since Chkpt
MANAGER
REPLICAT RUNNING REPMA 00:00:00 00:00:03
加入解密参数后重新启动Replicat进程,Replicat进程显示running状态。