Wednesday, April 12, 2017

Encrypted tables # TDE with goldengate #

In previous releases (up to OGG OGG does not support TDE completely.
TDE tablespace encryption is not supported in OGG 10.4 and
Starting with OGG the behaviour is changed and TDE is supported.  

TDE columns are encrypted in the data files and in the redo log, so Extract must be configured to fetch the clear-text values from the database. To trigger this fetch, use the fetch parameters FETCHCOLS and FETCHMODCOLS.
FETCHCOLS forces a fetch of values that are not in the redo log, and FETCHMODCOLS or FETCHMODCOLS[EXCEPT] forces a fetch of values that are in the logs. Used together, these parameters ensure that the TDE columns are always fetched from the database.

The following is an example of how to configure Extract to support TDE. In this example, the TDE column is credit_card_number.

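-- Database login used by Extract
USERID ggs, PASSWORD ggs
-- Target host and the port of its Manager process
RMTHOST sysb, MGRPORT 4261
-- Remote trail written on the target
RMTTRAIL C:\ggs\oracle\v8100\dirdat\td
-- Always fetch the TDE column from the database, whether or not it is in the redo log
TABLE ab.payment_info, FETCHCOLS (credit_card_number), &
FETCHMODCOLS (credit_card_number);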
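
An added example (not from the original post or from Oracle's documentation): a small Python check that reads an Extract parameter file and reports TABLE entries where a known TDE column is missing from FETCHCOLS or FETCHMODCOLS. The table ab.customers, its ssn column and the TDE_COLUMNS inventory are constructed for illustration.

```python
import re

# Constructed sample Extract parameters; the second TABLE omits FETCHMODCOLS.
SAMPLE_PARAMS = r"""
-- constructed sample, not from a real deployment
RMTHOST sysb, MGRPORT 4261
TABLE ab.payment_info, FETCHCOLS (credit_card_number), &
FETCHMODCOLS (credit_card_number);
TABLE ab.customers, FETCHCOLS (ssn);
"""

# Assumed inventory of TDE columns per table (hypothetical; in practice it
# would come from the database's own list of encrypted columns).
TDE_COLUMNS = {"ab.payment_info": {"credit_card_number"},
               "ab.customers": {"ssn"}}

def statements(text):
    """Yield logical statements: drop '--' comments, join '&' continuations."""
    buf = ""
    for line in text.splitlines():
        line = line.split("--", 1)[0].strip()
        if not line:
            continue
        if line.endswith("&"):
            buf += line[:-1] + " "
            continue
        yield (buf + line).rstrip(";").strip()
        buf = ""

def option_cols(stmt, option):
    """Return the lowercase column set given to OPTION (...), or an empty set."""
    m = re.search(r"\b%s\s*\(([^)]*)\)" % option, stmt, re.I)
    return {c.strip().lower() for c in m.group(1).split(",")} if m else set()

def check_tde_fetch(text, tde_columns):
    """Map table -> {option: missing TDE columns} for incomplete TABLE entries."""
    findings = {}
    for stmt in statements(text):
        m = re.match(r"TABLE\s+([\w.$#]+)", stmt, re.I)
        if not m:
            continue
        needed = tde_columns.get(m.group(1).lower(), set())
        missing = {opt: sorted(needed - option_cols(stmt, opt))
                   for opt in ("FETCHCOLS", "FETCHMODCOLS")}
        missing = {o: c for o, c in missing.items() if c}
        if missing:
            findings[m.group(1).lower()] = missing
    return findings
```
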

GoldenGate limitations with TDE:
The table that contains the TDE columns must have a primary or unique key.
Columns that use TDE cannot be part of the primary key.
If no primary or unique key is defined in the source database, one might be added in the Extract.

For more details, please see the following notes:

See KM 1341598.1 for details of full TDE support. The basic setup is described in the Oracle GoldenGate 10.4 documentation:

Replicating Oracle TDE data
If any tables have columns that use Transparent Data Encryption (TDE), check them
It is still mandatory to have a unique non-TDE column.
See Note 1294601.1, "GoldenGate workaround for replicating encrypted tables having no PK or UK".

To enable processing of TDE-protected data

---Nikhil Tatineni--
---TDE --Ogg--