ogg登陆数据库用户密码加密

使用过gg的人应该都知道，在配置抽取和复制进程参数文件的时候都需要配置ogg用户以登陆数据库，这里就涉及到一个数据库安全的问题，不过还好，ogg提供了一些加密方法，如下摘录自gg的administrator guide中关于加密数据库用户密码的一段说明：

To encrypt the password
1. Run GGSCI.
2. Issue the ENCRYPT PASSWORD command.
ENCRYPT PASSWORD ENCRYPTKEY { | DEFAULT}

Where:
❍ is the clear-text login password. Do not enclose the password within
quotes. If the password is case-sensitive, type it that way.
❍ specifies the encryption algorithm to use:
◗ AES128 uses the AES-128 cipher, which has a key size of 128 bits.
◗ AES192 uses the AES-192 cipher, which has a key size of 192 bits.
◗ AES256 uses the AES-256 cipher, which has a key size of 256 bits.
◗ BLOWFISH uses Blowfish encryption with a 64-bit block size and a variablelength
key size from 32 bits to 128 bits. Use BLOWFISH only for backward
compatibility with earlier Oracle GoldenGate versions.
❍ ENCRYPTKEY specifies the logical name of a user-created encryption key in
the ENCKEYS lookup file. The key name is used to look up the actual key in the
ENCKEYS file. Using a user-defined key and an ENCKEYS file is required for AES
encryption. To create a key and ENCKEYS file, see “Generating encryption keys” on
page 134.
❍ ENCRYPTKEY DEFAULT directs Oracle GoldenGate to generate a random key that is then
stored in the trail so that decryption can be performed by the downstream process.
This type of key is insecure and should not be used in a production environment.
Use this option only when BLOWFISH is specified. ENCRYPT PASSWORD returns an error
if AES is used with DEFAULT.
If no algorithm is specified, AES128 is the default for all database types except DB2 on
z/OS and NonStop SQL/MX, where BLOWFISH is the default.
3. The encrypted password is output to the screen when you run the ENCRYPT PASSWORD
command.

下面介绍下如何进行加密：

1.使用oracle默认生成的key的加密方法：

GGSCI (testdb) 31> encrypt password ogg,ENCRYPTKEY default
Using default key...

Encrypted password:  AACAAAAAAAAAAADAHBLDCCIIOIRFNEPB

我这里没有指定具体的加密算法，默认就是AES128算法。

测试使用加密后的密码登陆数据库：

GGSCI (testdb) 45> dblogin userid ogg, password AACAAAAAAAAAAADAHBLDCCIIOIRFNEPB,ENCRYPTKEY default
Successfully logged into database.

然后修改抽取进程：

GGSCI (testdb) 35> edit params ext1
EXTRACT EXT1
setenv ( NLS_LANG = AMERICAN_AMERICA.ZHS16GBK )
USERID ogg,PASSWORD AACAAAAAAAAAAADAHBLDCCIIOIRFNEPB,ENCRYPTKEY default
exttrail /home/oracle/ggs/dirdat/k1
DYNAMICRESOLUTION
DDL INCLUDE MAPPED
DDLOPTIONS ADDTRANDATA,REPORT
FETCHOPTIONS, USESNAPSHOT, NOUSELATESTVERSION, MISSINGROW REPORT
STATOPTIONS REPORTFETCH
WARNLONGTRANS 1H, CHECKINTERVAL 5M
TABLE mynet_app.*;
最后重启抽取进程就ok了~~

2.使用指定key的加密方法：

administrator guide中介绍如下：

Generating encryption keys
You must generate and store encryption keys when using:
❍ ENCRYPTTRAIL with KEYNAME (see page 126)
❍ ENCRYPT PASSWORD with ENCRYPTKEY (see page 130)
❍ RMTHOST or RMTHOSTOPTIONS with ENCRYPT (see page 133)
This procedure is not required if you are using the following encryption options:
● ENCRYPT PASSWORD with ENCRYPTKEY DEFAULT (valid only when using BLOWFISH)
● ENCRYPTTRAIL without options (for 256-key byte substitution)
In this procedure you will:
● Create one or more encryption keys.
● Store the keys in an ENCKEYS lookup file on the source system.
● Copy the ENCKEYS file to each target system.
You can define your own key or run the Oracle GoldenGate KEYGEN utility to create a
random key.

To define your own key
Use a tool of your choice. The key value can be up to 128 bits (16 bytes) as either of the
following:
● a quoted alphanumeric string (for example “Dailykey”)
● a hex string with the prefix 0x (for example 0x420E61BE7002D63560929CCA17A4E1FB)
To use KEYGEN to generate a key
Change directories to the Oracle GoldenGate home directory on the source system, and
issue the following shell command. You can create multiple keys, if needed. The key values
are returned to your screen. You can copy and paste them into the ENCKEYS file.
KEYGEN
Where:
❍ is the encryption key length, up to 128 bits (16 bytes).
❍ represents the number of keys to generate.
Example:
KEYGEN 128 4
To store the keys in an ENCKEYS lookup file
1. On the source system, open a new ASCII text file.
2. For each key value that you generated, enter a logical name of your choosing, followed
by the key value itself.
❍ The key name can be a string of 1 to 24 alphanumeric characters without spaces or
quotes.
❍ Place multiple key definitions on separate lines.
❍ Do not enclose a key name or value within quotes; otherwise it will be interpreted
as text.
Use the following sample ENCKEYS file as a guide.
3. Save the file as the name ENCKEYS in all upper case letters, without an extension, in the
Oracle GoldenGate installation directory.                                                                                                                                  4. Copy the ENCKEYS file to the target Oracle GoldenGate installation directory. The key
names and values in the source ENCKEYS file must match those of the target ENCKEYS file,
or else the data exchange will fail and Extract and Collector will abort with the
following message:
GGS error 118 – TCP/IP Server with invalid data

下面介绍详细的加密过程：

[oracle@testdb ggs]$ ./keygen 128 1
0xB793945154E4C74F9AF5D050E200E429
这里的128代表128位的加密算法，1表示生成几个key。

然后把这串key值copy到一个ENCKEYS file（保存名为：ENCKEYS ）中，内容如下：

kasaur_key     0xB793945154E4C74F9AF5D050E200E429

然后将该文件copy至目标库。

使用这个密钥来生成加密后的口令：

[oracle@testdb ggs]$ ./ggsci

Oracle GoldenGate Command Interpreter for Oracle
Version 11.1.1.1.2 OGGCORE_11.1.1.1.2_PLATFORMS_111004.2100
Linux, x64, 64bit (optimized), Oracle 10g on Oct  4 2011 23:50:20

Copyright (C) 1995, 2011, Oracle and/or its affiliates. All rights reserved.

 

GGSCI (testdb) 1> encrypt password ogg encryptkey kasaur_key
Encrypted password:  AACAAAAAAAAAAADAFFCJKAOBLIPGBHBB
登陆测试：

GGSCI (testdb) 2> dblogin userid ogg,password AACAAAAAAAAAAADAFFCJKAOBLIPGBHBB,encryptkey kasaur_key
Successfully logged into database.

GGSCI (testdb) 3>
显示成功~~

至于第一种加密方法，弊端很多，oracle也建议不要在生产库上使用这种加密方式，切忌！！

ok，就介绍到此。

来自 “ ITPUB博客 ” ，链接：http://blog.itpub.net/25618347/viewspace-722144/，如需转载，请注明出处，否则将追究法律责任。