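Encrypting the database login password for the OGG user
Anyone who has used GoldenGate knows that the Extract and Replicat parameter files must be configured with the OGG user's credentials so that the processes can log in to the database, which raises a database security issue. Fortunately, OGG provides several encryption methods. The following is excerpted from the section of the GoldenGate administrator guide on encrypting the database user password: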
To encrypt the password
1. Run GGSCI.
2. Issue the ENCRYPT PASSWORD command.
ENCRYPT PASSWORD
Where:
❍
quotes. If the password is case-sensitive, type it that way.
❍
◗ AES128 uses the AES-128 cipher, which has a key size of 128 bits.
◗ AES192 uses the AES-192 cipher, which has a key size of 192 bits.
◗ AES256 uses the AES-256 cipher, which has a key size of 256 bits.
◗ BLOWFISH uses Blowfish encryption with a 64-bit block size and a variable-length
key size from 32 bits to 128 bits. Use BLOWFISH only for backward
compatibility with earlier Oracle GoldenGate versions.
❍ ENCRYPTKEY
the ENCKEYS lookup file. The key name is used to look up the actual key in the
ENCKEYS file. Using a user-defined key and an ENCKEYS file is required for AES
encryption. To create a key and ENCKEYS file, see “Generating encryption keys” on
page 134.
❍ ENCRYPTKEY DEFAULT directs Oracle GoldenGate to generate a random key that is then
stored in the trail so that decryption can be performed by the downstream process.
This type of key is insecure and should not be used in a production environment.
Use this option only when BLOWFISH is specified. ENCRYPT PASSWORD returns an error
if AES is used with DEFAULT.
If no algorithm is specified, AES128 is the default for all database types except DB2 on
z/OS and NonStop SQL/MX, where BLOWFISH is the default.
3. The encrypted password is output to the screen when you run the ENCRYPT PASSWORD
command.
The following shows how to perform the encryption:
1. Encrypting with the default key generated by Oracle:
GGSCI (testdb) 31> encrypt password ogg,ENCRYPTKEY default
Using default key...
Encrypted password: AACAAAAAAAAAAADAHBLDCCIIOIRFNEPB
I did not specify an encryption algorithm here; the default is the AES128 algorithm.
Test logging in to the database with the encrypted password:
GGSCI (testdb) 45> dblogin userid ogg, password AACAAAAAAAAAAADAHBLDCCIIOIRFNEPB,ENCRYPTKEY default
Successfully logged into database.
Then edit the Extract process parameters:
GGSCI (testdb) 35> edit params ext1
EXTRACT EXT1
setenv ( NLS_LANG = AMERICAN_AMERICA.ZHS16GBK )
USERID ogg,PASSWORD AACAAAAAAAAAAADAHBLDCCIIOIRFNEPB,ENCRYPTKEY default
exttrail /home/oracle/ggs/dirdat/k1
DYNAMICRESOLUTION
DDL INCLUDE MAPPED
DDLOPTIONS ADDTRANDATA,REPORT
FETCHOPTIONS, USESNAPSHOT, NOUSELATESTVERSION, MISSINGROW REPORT
STATOPTIONS REPORTFETCH
WARNLONGTRANS 1H, CHECKINTERVAL 5M
TABLE mynet_app.*;
Finally, restart the Extract process and you are done.
2. Encrypting with a specified key:
The administrator guide describes it as follows:
Generating encryption keys
You must generate and store encryption keys when using:
❍ ENCRYPTTRAIL with KEYNAME
❍ ENCRYPT PASSWORD with ENCRYPTKEY
❍ RMTHOST or RMTHOSTOPTIONS with ENCRYPT (see page 133)
This procedure is not required if you are using the following encryption options:
● ENCRYPT PASSWORD with ENCRYPTKEY DEFAULT (valid only when using BLOWFISH)
● ENCRYPTTRAIL without options (for 256-key byte substitution)
In this procedure you will:
● Create one or more encryption keys.
● Store the keys in an ENCKEYS lookup file on the source system.
● Copy the ENCKEYS file to each target system.
You can define your own key or run the Oracle GoldenGate KEYGEN utility to create a
random key.
To define your own key
Use a tool of your choice. The key value can be up to 128 bits (16 bytes) as either of the
following:
● a quoted alphanumeric string (for example “Dailykey”)
● a hex string with the prefix 0x (for example 0x420E61BE7002D63560929CCA17A4E1FB)
To use KEYGEN to generate a key
Change directories to the Oracle GoldenGate home directory on the source system, and
issue the following shell command. You can create multiple keys, if needed. The key values
are returned to your screen. You can copy and paste them into the ENCKEYS file.
KEYGEN
Where:
❍
❍
Example:
KEYGEN 128 4
To store the keys in an ENCKEYS lookup file
1. On the source system, open a new ASCII text file.
2. For each key value that you generated, enter a logical name of your choosing, followed
by the key value itself.
❍ The key name can be a string of 1 to 24 alphanumeric characters without spaces or
quotes.
❍ Place multiple key definitions on separate lines.
❍ Do not enclose a key name or value within quotes; otherwise it will be interpreted
as text.
Use the following sample ENCKEYS file as a guide.
3. Save the file as the name ENCKEYS in all upper case letters, without an extension, in the
Oracle GoldenGate installation directory.
4. Copy the ENCKEYS file to the target Oracle GoldenGate installation directory. The key
names and values in the source ENCKEYS file must match those of the target ENCKEYS file,
or else the data exchange will fail and Extract and Collector will abort with the
following message:
GGS error 118 – TCP/IP Server with invalid data
The detailed encryption procedure follows:
[oracle@testdb ggs]$ ./keygen 128 1
0xB793945154E4C74F9AF5D050E200E429
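Here 128 stands for 128-bit encryption, and 1 is the number of keys to generate.
Then copy this key value into an ENCKEYS file (saved under the name ENCKEYS), with the following content: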
kasaur_key 0xB793945154E4C74F9AF5D050E200E429
Then copy the file to the target database system.
Use this key to generate the encrypted password:
[oracle@testdb ggs]$ ./ggsci
Oracle GoldenGate Command Interpreter for Oracle
Version 11.1.1.1.2 OGGCORE_11.1.1.1.2_PLATFORMS_111004.2100
Linux, x64, 64bit (optimized), Oracle 10g on Oct 4 2011 23:50:20
Copyright (C) 1995, 2011, Oracle and/or its affiliates. All rights reserved.
GGSCI (testdb) 1> encrypt password ogg encryptkey kasaur_key
Encrypted password: AACAAAAAAAAAAADAFFCJKAOBLIPGBHBB
Login test:
GGSCI (testdb) 2> dblogin userid ogg,password AACAAAAAAAAAAADAFFCJKAOBLIPGBHBB,encryptkey kasaur_key
Successfully logged into database.
GGSCI (testdb) 3>
The login succeeds.
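The guide excerpt above requires the key names and values in the source and target ENCKEYS files to match, otherwise the processes abort with GGS error 118. The following added example (not from the original post or from Oracle) checks two ENCKEYS files against the guide's format rules and against each other without printing any key value; accepting an underscore in key names is an assumption based on the kasaur_key name used above.

```python
import re

# Constructed samples: the source line is the ENCKEYS entry shown on this page;
# the "bad" target differs in the last hex digit and adds a quoted entry.
SOURCE = "kasaur_key 0xB793945154E4C74F9AF5D050E200E429\n"
TARGET_OK = "kasaur_key 0xB793945154E4C74F9AF5D050E200E429\n"
TARGET_BAD = 'kasaur_key 0xB793945154E4C74F9AF5D050E200E420\nnightly "Dailykey"\n'

# Assumption: underscore is accepted in key names, as in kasaur_key above.
NAME_RE = re.compile(r"[A-Za-z0-9_]{1,24}")
HEX_RE = re.compile(r"0x[0-9A-Fa-f]+")

def parse_enckeys(text):
    """Return ({name: value}, [problems]) for the text of an ENCKEYS file."""
    keys, problems = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        if '"' in line or "'" in line:
            problems.append(f"line {lineno}: quotes around a name or value")
        elif len(fields) != 2:
            problems.append(f"line {lineno}: expected one name and one value")
        elif not NAME_RE.fullmatch(fields[0]):
            problems.append(f"line {lineno}: key name must be 1-24 alphanumerics")
        elif fields[1].lower().startswith("0x") and not HEX_RE.fullmatch(fields[1]):
            problems.append(f"line {lineno}: malformed hex key value")
        else:
            keys[fields[0]] = fields[1]
    return keys, problems

def compare_enckeys(source_text, target_text):
    """List every difference between two ENCKEYS files; [] means they match."""
    src, src_problems = parse_enckeys(source_text)
    tgt, tgt_problems = parse_enckeys(target_text)
    findings = [f"source {p}" for p in src_problems] + [f"target {p}" for p in tgt_problems]
    for name in sorted(src.keys() | tgt.keys()):
        if name not in tgt:
            findings.append(f"{name}: missing on target")
        elif name not in src:
            findings.append(f"{name}: missing on source")
        elif src[name] != tgt[name]:
            findings.append(f"{name}: value differs")  # name only, never the key
    return findings

if __name__ == "__main__":
    print(compare_enckeys(SOURCE, TARGET_OK))
    print(compare_enckeys(SOURCE, TARGET_BAD))
```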
As for the first encryption method, it has many drawbacks, and Oracle also recommends against using it on production databases. Avoid it!
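One way to find parameter files that still use the first method or a clear-text password, as an added example that is not part of the original post. The file names, the EXT2 and REP1 lines and the status labels are constructed for illustration.

```python
import re

# Constructed samples: ext1.prm carries the credential line shown on this page;
# ext2.prm (clear-text password) and rep1.prm (named key) are made up.
PARAMS = {
    "ext1.prm": "EXTRACT EXT1\n"
                "USERID ogg,PASSWORD AACAAAAAAAAAAADAHBLDCCIIOIRFNEPB,ENCRYPTKEY default\n",
    "ext2.prm": "EXTRACT EXT2\nUSERID ogg, PASSWORD ogg\n",
    "rep1.prm": "REPLICAT REP1\n-- USERID ogg, PASSWORD old\n"
                "USERID ogg, PASSWORD AACAAAAAAAAAAADAFFCJKAOBLIPGBHBB, ENCRYPTKEY kasaur_key\n",
}

def classify(line, known_keys):
    """Return how the password on one parameter line is protected, or None."""
    if line.lstrip().startswith("--"):          # whole-line comment
        return None
    tokens = [t for t in re.split(r"[,\s]+", line.strip()) if t]
    upper = [t.upper() for t in tokens]
    if "PASSWORD" not in upper:
        return None
    if "ENCRYPTKEY" not in upper:
        return "plaintext"                      # password stored in the clear
    pos = upper.index("ENCRYPTKEY") + 1
    if pos >= len(tokens):
        return "malformed"                      # ENCRYPTKEY with no key name
    if upper[pos] == "DEFAULT":
        return "default-key"                    # the method the guide calls insecure
    return "named-key" if tokens[pos] in known_keys else "unknown-key"

def audit(params, known_keys):
    """Return (file, line number, status) for every line that needs attention."""
    findings = []
    for name, text in params.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            status = classify(line, known_keys)
            if status not in (None, "named-key"):
                findings.append((name, lineno, status))  # password never reported
    return findings

if __name__ == "__main__":
    for finding in audit(PARAMS, {"kasaur_key"}):
        print(*finding)
```

Pass the set of key names found in the local ENCKEYS file as known_keys, so that a parameter file referring to a key that is not defined there is reported as unknown-key.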
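OK, that is all for this introduction.
From the ITPUB blog, link: http://blog.itpub.net/25618347/viewspace-722144/. If you repost this, please credit the source; otherwise legal liability will be pursued.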