1. Restricting OS User Access
Your security planning should start with setting up protections on the Operating System (OS) before installing Oracle GoldenGate. The OS user and the user group should have the minimum required privileges to install and run Oracle GoldenGate. In addition, you need to define access rules in Oracle GoldenGate to limit both local and remote access, and use ALLOWOUTPUTDIR to specify the allowed output trail directory (including its subdirectories).
2. Protecting Database Logins
GoldenGate replication requires database logins. You can encrypt the user password with AES encryption or store the user logins in Oracle GoldenGate's credential store. You also need to grant the replication database users only the minimum required privileges.
3. Protecting the Network Delivery
When sending data over the network, you need to consider network security. You should always consider setting up a secure connection with a VPN or SSH tunneling. You should also consider encrypting the trail files and masking sensitive data for PII/SPI compliance. To avoid keeping the server connection information in a non-trusted network zone, you can use a passive-alias Extract configuration to initiate the connection from the secure network zone.
In summary, the essential task is to protect the source, target, and the replicated data.
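The login and network points above can be checked mechanically. The following is an added example, not code from Oracle or from the original page: a heuristic, keyword-based audit of an Extract parameter file that flags cleartext `USERID ... PASSWORD` logins, trails written without a preceding `ENCRYPTTRAIL`, and `RMTHOST` entries without `ENCRYPT`. The two sample parameter files, including the group, alias, host, key name and password, are constructed for illustration.

```python
import re

# Constructed sample Extract parameter files (names, host and password are made up).
WEAK_PRM = """\
EXTRACT exta
-- cleartext login, readable by anyone who can read this file
USERID ogg_admin, PASSWORD ExamplePassw0rd
RMTHOST target.example.com, MGRPORT 7809
RMTTRAIL ./dirdat/ra
"""
HARDENED_PRM = """\
EXTRACT exta
USERIDALIAS ogg_src
RMTHOST target.example.com, MGRPORT 7809, ENCRYPT AES256, &
  KEYNAME superkey
ENCRYPTTRAIL AES256
RMTTRAIL ./dirdat/ra
"""
TRAIL_PARAMS = ("EXTTRAIL", "RMTTRAIL", "EXTFILE", "RMTFILE")

def statements(text):
    """Yield (first_line_no, statement): '--' comments dropped, '&' continuations joined."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("--", 1)[0].strip()
        if not line:
            continue
        start = start or no
        if line.endswith("&"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", 0

def audit(text):
    """Return (line_no, message) findings for one parameter file (heuristic only)."""
    findings, trail_encrypted = [], False
    for no, stmt in statements(text):
        words = re.split(r"[,\s]+", stmt.upper())
        kw = words[0]
        if kw == "USERID" and "PASSWORD" in words and "ENCRYPTKEY" not in words:
            findings.append((no, "cleartext password; use USERIDALIAS or an encrypted password"))
        elif kw in ("ENCRYPTTRAIL", "NOENCRYPTTRAIL"):
            trail_encrypted = kw == "ENCRYPTTRAIL"  # toggle applies to trails named after it
        elif kw in TRAIL_PARAMS and not trail_encrypted:
            findings.append((no, f"{kw} has no preceding ENCRYPTTRAIL"))
        elif kw == "RMTHOST" and "ENCRYPT" not in words:
            findings.append((no, "RMTHOST without ENCRYPT; confirm a VPN or SSH tunnel covers this link"))
    return findings
```

Calling `audit(WEAK_PRM)` reports lines 3, 4 and 5, while `audit(HARDENED_PRM)` returns an empty list. An `RMTHOST` finding is a prompt to verify the tunnel, not proof that the link is exposed.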
Resources
- Oracle GoldenGate Documentation 12.2 - Understand Oracle GoldenGate security options
- Oracle GoldenGate Security and Privilege Considerations - FAQ (Doc ID 1307264.1)