Securing Oracle GoldenGate Database Login in a Credential Store

Security is always a big deal.  In setting up Oracle GoldenGate the capture (extract) and apply (replicat) parameter files need to be configured to log in to the database which they will perform operations.  In order to do this the Oracle GoldenGate User name and password need to be provided in the parameter files.  Example 1 shows how the database login is traditionally done in a extract or replicat parameter file.
Example 1:

--Oracle Login
USERID ggate, PASSWORD ggate

To make this process login information more secure, we can create a userid alias that the extract or replicat process can use to log into the database.  In order to create a login alias, a credential store needs to be create.  Below are the steps to create the credential store and associated aliases.
After logging into the GoldenGate Service Command Interface (GGSCI), a credential store needs to be created.  By default the credential store will be kept in the “dircrd” directory undert the $OGG_HOME.
Create the credential store:

GGSCI (db12cgg.acme.com) 1> add credentialstore
Credential store created in ./dircrd/.

With the credential store created, now an alias can be created for the gguser.

GGSCI (db12cgg.acme.com) 2> alter credentialstore add user ggate, password ggate alias aggate
Credential store in ./dircrd/ altered.

The extract or replicat parameter files need to be updated to use the new alias.  Once the update is done the associated process needs to be restarted.

--Oracle Login
USERIDALIAS aggate

After restarting the process, the Oracle GoldenGate login is secure.
Note: If the password for the Oracle GoldenGate User changes, the alias in the credential store will need to be updated.
Enjoy!
about.me: http://about.me/dbasolved

Please follow and like: