《叱咤风云GoldenGate企业级运维实战》第10章_GoldenGate的安全特性

第10章GoldenGate的安全特性GoldenGate软件已经被很多大型企业用于数据容灾。如果用作异地备份容灾，很多是需要通过租用公网的线路进行传输，而这些数据很多都是企业的机密，为了防止机密数据被黑客获取进而损害企业的利益，需要对GoldenGate的安全做一些增强。除了通过制定操作系统和数据库级别安全防范措施以外，还可以在GoldenGate层面来制定相应的安全策略。在本地可以通过加密trail文件和数据库文件来保护GoldenGate抽取到的数据。在网络传输过程中GoldenGate也可以加密传输的数据，用户可以自己定义key来加密数据，使得黑客就算获取了数据也无法对其解密。下面来一一介绍着几种保护GoldenGate和数据安全的方法。10.1加密trail文件加密extracttrail文件非常的简单，只需要在Extract参数文件中加入ENCRYPTTRAIL参数。Extract进程就会对加入参数以后生成的trail文件进行加密。如果生产端trail文件加密，那么在容灾端参数文件中必须加入对应的DECRYPTTRAIL参数解密trail文件再入库。下面用logdump（查看GoldenGatetrial文件的工具）对比一下加密之前和加密以后trail文件中内容的变化。没加密之前Extract的内容：示例10-1：GGSCI(OE5)55viewparamsextmaEXTRACTextmauseridGoldenGate@orcl1,passwordGoldenGatesetenv(NLS_LANG=AMERICAN_AMERICA.WE8ISO8859P1)GETTRUNCATESREPORTCOUNTEVERY1MINUTES,RATEnumfiles50000DISCARDFILE./dirrpt/extma.dsc,APPEND,MEGABYTES50WARNLONGTRANS2h,CHECKINTERVAL3mEXTTRAIL./dirdat/maDBOPTIONSALLOWUNUSEDCOLUMNTRANLOGOPTIONSCONVERTUCS2CLOBSDYNAMICRESOLUTIONtablescott.*;没加密之前Extracttrail文件的内容：第10章GoldenGate的安全特性147示例10-2：Logdump55open./dirdat/ma000001CurrentLogTrailis/opt/GoldenGate/orcl1/dirdat/ma000001Logdump56ghdronLogdump57detaildataLogdump58ggstokendetailLogdump59pos0ReadingforwardfromRBA0Logdump60nLogdump65n___________________________________________________________________Hdr-Ind:E(x45)Partition:.(x04)UndoFlag:.(x00)BeforeAfter:A(x41)RecLength:23(x0017)I/OTime:2011/03/2200:09:39.000.000IOType:5(x05)OrigNode:255(xff)TransInd:.(x00)FormatType:R(x52)SyskeyLen:0(x00)Incomplete:.(x00)AuditRBA:2AuditPos:29881732Continued:N(x00)RecCount:1(x01)2011/03/2200:09:39.000.000InsertLen23RBA1391Name:SCOTT.TESTAfterImage:Partition4Gb0000000500000001310001000a000000066f7261|........1........ora636c65|cleColumn0(x0000),Len5(x0005)0000000131|....1Column1(x0001),Len10(x000a)000000066f7261636c65|....oracle--可以明显的看到单词GGStokens:TokenIDx52'R'ORAROWIDInfox00Length204141414d30584141454141414147574141410001|AAAM0XAAEAAAAGWAAA..TokenIDx4c'L'LOGCSNInfox00Length6343839373831|489781TokenIDx36'6'TRANIDInfox00Length8392e31302e323939|9.10.299接下来再在参数文件中加入ENCRYPTTRAIL参数，使其对trail文件加密：示例10-3：GGSCI(OE5)55viewparamsextma叱咤风云：GoldenGate企业级运维实战148EXTRACTextmauseridGoldenGate@orcl1,passwordGoldenGatesetenv(NLS_LANG=AMERICAN_AMERICA.WE8ISO8859P1)GETTRUNCATESREPORTCOUNTEVERY1MINUTES,RATEnumfiles50000DISCARDFILE./dirrpt/extma.dsc,APPEND,MEGABYTES50WARNLONGTRANS2h,CHECKINTERVAL3mENCRYPTTRAILEXTTRAIL./dirdat/maDBOPTIONSALLOWUNUSEDCOLUMNTRANLOGOPTIONSCONVERTUCS2CLOBSDYNAMICRESOLUTIONtablescott.*;再查看加密后生成的Extracttrail文件内容：示例10-4：Logdump66open./dirdat/ma000002CurrentLogTrailis/opt/GoldenGate/orcl1/dirdat/ma000002Logdump67ghdronLogdump68detaildataLogdump69ggstokendetailLogdump74n___________________________________________________________________Hdr-Ind:E(x45)Partition:.(x04)UndoFlag:.(x00)BeforeAfter:A(x41)RecLength:24(x0018)I/OTime:2011/03/2200:35:13.000.000IOType:5(x05)OrigNode:255(xff)TransInd:.(x01)FormatType:R(x52)SyskeyLen:0(x00)Incomplete:.(x00)AuditRBA:2AuditPos:31891236Continued:N(x00)RecCount:1(x01)2011/03/2200:35:13.000.000InsertLen24RBA1212Name:SCOTT.TESTAfterImage:Partition4Gm5e5086baaf70962bcc525bf9a3f797607edaabd0|^P...p.+.R[....`~...–加密后看到的是不可识别的密文c092111e|....Badcompressedblock,foundlengthof34490(x86ba),RBA1212GGStokens:TokenIDx52'R'ORAROWIDInfox00Length204141414d30584141454141414147574141300001|AAAM0XAAEAAAAGWAA0..第10章GoldenGate的安全特性149加密后容灾端进程abend。下面是容灾端进程的参数和错误信息：示例10-5：GGSCI(OE5)3viewparamsrepmaREPLICATrepmaUSERIDGoldenGate@orcl2,PASSWORDGoldenGatesetenv(NLS_LANG=AMERICAN_AMERICA.WE8ISO8859P1)--REPORTAT01:59REPORTCOUNTEVERY30MINUTES,RATEREPERRORDEFAULT,abendnumfiles50000DBOPTIONSALLOWUNUSEDCOLUMNMAXTRANSOPS500000GROUPTRANSOPS10000CHECKPOINTSECS40--HANDLECOLLISIONSassumetargetdefsDISCARDFILE./dirrpt/repma.dsc,APPEND,MEGABYTES50GETTRUNCATESALLOWNOOPUPDATESmapscott.*,targetscott.*;-----ERROR信息―――――――SourceContext:SourceModule:[ggstd.conv.endian]SourceID:[/mnt/ecloud/workspace/Build_FBO_OpenSys_r11.1.1.0.11_001_[41228]/perforce/src/gglib/ggstd/lecnv.c]SourceFunction:[convCompSQL]SourceLine:[531]ThreadBacktrace:[9]elements:[/opt/GoldenGate/orcl2/replicat(CMessageContext::AddThreadContext()+0x26)[0x82021d6]]:[/opt/GoldenGate/orcl2/replicat(CMessageFactory::CreateMessage(CSourceContext*,unsignedint,...)+0x817)[0x81f8887]]:[/opt/GoldenGate/orcl2/replicat(_MSG_ERR_MAP_COL_INDEX_INVALID(CSourceContext*,DBString777const&,int,int,CMessageFactory::Message-Disposition)+0x8b)[0x81d6c4b]]:[/opt/GoldenGate/orcl2/replicat[0x84aa2bc]]:[/opt/GoldenGate/orcl2/replicat(ggConvRecLE(char*,file_def*,int,char,char)+0x4d)[0x84aa3bd]]叱咤风云：GoldenGate企业级运维实战150:[/opt/GoldenGate/orcl2/replicat[0x849dd2d]]:[/opt/GoldenGate/orcl2/replicat(main+0x1f8b)[0x812670b]]:[/lib/libc.so.6(__libc_start_main+0xdc)[0x68de8c]]:[/opt/GoldenGate/orcl2/replicat(__gxx_personality_v0+0x1b5)[0x810a171]]2011-03-2200:36:37ERROROGG-01161Badcolumnindex(24144)specifiedfortableSCOTT.TEST,maxcolumns=2.根据错误信息猜测是由于抽取进程加密了trail文件，Replicat进程无法还原为真实的信息，导致了进程abend。下面在容灾端参数文件中加入DECRYPTTRAIL参数，让其对trail文件解密并查看进程的状态：示例10-6：GGSCI(O