- Creating a user and group on the operating system with proper privileges to install and run Oracle GoldenGate
- Restricting the operating system users' executions of Oracle GoldenGate commands
It is a best practice to create a separate operating system user to install and run Oracle GoldenGate, because sensitive information might be available to anyone who runs an Oracle GoldenGate process, depending on how database authentication is configured. [2]
Oracle GoldenGate Extract, Replicat, and Manager processes run as an operating system user that has privileges to read, write, and delete files and subdirectories; the Manager process additionally requires privileges to control the other Oracle GoldenGate processes. Therefore, you need to make sure the operating system user running Oracle GoldenGate can:
- read, write, and delete files and subdirectories in the Oracle GoldenGate home directory
- read, write, and delete the trail, report, discard, and similar files and their subdirectories if they are located outside the default directories
- read the database log files, both online and archived. On UNIX systems, that user must be a member of the group that owns the Oracle instance. This is not needed if you use integrated capture.
Create the user (as root):

```sh
useradd -m -g oinstall -G dba oracle
```

Environment for the oracle user (for example in its shell profile):

```sh
export LD_LIBRARY_PATH=/u01/app/oracle/oci:$LD_LIBRARY_PATH
export GGHOME=/u01/app/oracle/gghome
export TNS_ADMIN=/u01/app/oracle/oci/network/admin
export ORACLE_INVENTORY=/u01/app/oracle/oraInventory/
alias ggsci=$GGHOME/ggsci
alias rda=/u01/app/oracle/rda/rda.sh
export ORACLE_HOME=$GGHOME
export INSTANT_CLIENT_HOME=/u01/app/oracle/oci
export PATH=$ORACLE_HOME:$ORACLE_HOME/OPatch:$INSTANT_CLIENT_HOME/bin:$INSTANT_CLIENT_HOME:$PATH
```
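The privilege list above can be turned into a quick post-install check. The script below is an added example, not part of the original page or of the Oracle GoldenGate software: it verifies that each GoldenGate directory is owned by the intended OS user and is not world-writable, and that the user is a member of the group that owns the Oracle instance (only needed for classic capture). The user, group and paths in the sample call are assumptions taken from the layout shown above.

```sh
#!/bin/sh
# Added example: sanity checks for the OS user that runs Oracle GoldenGate.
# User, group and directory names below are assumptions; adjust to your site.

# gg_dir_ok DIR OWNER
# Return 0 if DIR exists, is owned by OWNER and is not world-writable,
# otherwise print the reason and return 1.
gg_dir_ok() {
    dir=$1; owner=$2
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    [ -n "$(find "$dir" -maxdepth 0 -user "$owner" 2>/dev/null)" ] \
        || { echo "$dir is not owned by $owner"; return 1; }
    [ -z "$(find "$dir" -maxdepth 0 -perm -o+w)" ] \
        || { echo "$dir is world-writable"; return 1; }
    return 0
}

# user_in_group USER GROUP
# Return 0 if USER is a member of GROUP (e.g. the group owning the Oracle
# instance, which classic capture needs in order to read redo/archive logs).
user_in_group() {
    for g in $(id -Gn "$1" 2>/dev/null); do
        [ "$g" = "$2" ] && return 0
    done
    echo "user $1 is not in group $2"
    return 1
}

# gg_user_checks USER DIR...
# Run gg_dir_ok over every directory the GoldenGate processes must be able
# to read, write and delete in (GG home, trail, report and discard dirs).
gg_user_checks() {
    user=$1; shift
    rc=0
    for d in "$@"; do
        gg_dir_ok "$d" "$user" || rc=1
    done
    return $rc
}

# Sample invocation with the paths from the environment above (assumed layout):
# gg_user_checks oracle /u01/app/oracle/gghome /u01/app/oracle/gghome/dirdat \
#     /u01/app/oracle/gghome/dirrpt && user_in_group oracle oinstall
```

Run it as any user with read access to the directories; a non-zero exit status means at least one directory or group check failed and the reason was printed.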
Oracle GoldenGate allows you to restrict which operating system users have access to which Oracle GoldenGate functions. The configuration is defined in the CMDSEC (command-line security) file [1]. Without this file, access to all Oracle GoldenGate commands is granted to all users. Let's discuss this file in more detail.
The CMDSEC file is an ASCII text file named CMDSEC, created in the Oracle GoldenGate home directory. Each rule in the file has the format:

```
command_name command_object OS_group OS_user {YES | NO}
```
An example CMDSEC file is shown as follows:
```
--Command Object Group User   Access Allowed?
*         *      dba   *      YES
SHELL     *      *     oracle NO
SH        *      *     oracle NO
*         *      *     *      NO
```

Because this file controls operating system users' access to Oracle GoldenGate commands, you need to secure the file so that only authorized users can read it and nobody else can modify it.
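To see what the sample rules above actually grant, the following added example (not code from the page or from Oracle GoldenGate) writes those rules to a scratch CMDSEC file, evaluates them for a given command, object, user and group list, and checks that the file itself is not readable or writable by other users. It assumes the evaluation semantics documented by Oracle, namely that rules are read top-down and the first matching rule decides, and it assumes that a request matching no rule is allowed (which is why the trailing `* * * * NO` catch-all matters). The user and group names in the demo are constructed.

```sh
#!/bin/sh
# Added example: evaluate CMDSEC rules and check the file's permissions.
# First-match semantics and the default-allow fallback are assumptions
# taken from Oracle's documentation; this is not GoldenGate's own code.

# The page's example CMDSEC, reproduced here as constructed input.
SAMPLE_CMDSEC='--Command Object Group User   Access Allowed?
*         *      dba   *      YES
SHELL     *      *     oracle NO
SH        *      *     oracle NO
*         *      *     *      NO'

# cmdsec_allows FILE COMMAND OBJECT USER [GROUP...]
# Prints YES or NO and returns 0 (allowed) or 1 (denied). Command and
# object are matched case-insensitively; "*" in a rule matches anything.
cmdsec_allows() {
    file=$1; cmd=$2; obj=$3; user=$4; shift 4
    awk -v cmd="$(echo "$cmd" | tr a-z A-Z)" \
        -v obj="$(echo "$obj" | tr a-z A-Z)" \
        -v user="$user" -v groups="$*" '
    BEGIN { n = split(groups, G, " "); decision = "YES" }  # default allow (assumption)
    /^[ \t]*--/ || NF == 0 { next }                          # comment or blank line
    NF < 5 { print "malformed rule at line " NR > "/dev/stderr"; next }
    {
        rc = toupper($1); ro = toupper($2); rg = $3; ru = $4; ra = toupper($5)
        if (rc != "*" && rc != cmd)  next
        if (ro != "*" && ro != obj)  next
        if (ru != "*" && ru != user) next
        if (rg != "*") {                 # user may belong to several groups
            hit = 0
            for (i = 1; i <= n; i++) if (G[i] == rg) hit = 1
            if (!hit) next
        }
        decision = ra; exit              # first matching rule wins
    }
    END { print decision; exit (decision == "YES") ? 0 : 1 }' "$file"
}

# cmdsec_perms_ok FILE OWNER
# Return 0 if FILE is owned by OWNER and is neither readable by "other"
# nor writable by group or "other"; otherwise print the reason and return 1.
cmdsec_perms_ok() {
    f=$1; owner=$2
    [ -f "$f" ] || { echo "missing $f"; return 1; }
    [ -n "$(find "$f" -maxdepth 0 -user "$owner" 2>/dev/null)" ] \
        || { echo "$f is not owned by $owner"; return 1; }
    [ -z "$(find "$f" -maxdepth 0 \( -perm -g+w -o -perm -o+w -o -perm -o+r \))" ] \
        || { echo "$f is readable or writable by other users"; return 1; }
    return 0
}

# Demo: write the sample rules to a scratch directory and query them.
demo() {
    d=$(mktemp -d)
    printf '%s\n' "$SAMPLE_CMDSEC" > "$d/CMDSEC"
    chmod 600 "$d/CMDSEC"
    for q in "SHELL * oracle dba" "SHELL * oracle oinstall" "INFO ALL bob staff"; do
        set -- $q
        if cmdsec_allows "$d/CMDSEC" "$@" >/dev/null; then r=allowed; else r=denied; fi
        echo "$q -> $r"
    done
    if cmdsec_perms_ok "$d/CMDSEC" "$(id -un)"; then echo "CMDSEC permissions ok"; fi
    rm -r "$d"
}
demo
```

Note what the demo shows about rule order: with the `* * dba * YES` line first, an `oracle` user who is also a member of `dba` is allowed `SHELL` even though a later line denies it, so site-specific deny rules belong above broad allow rules.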
- [1] Oracle GoldenGate Documentation, 11.7 Configuring GGSCI Command Security.
- [2] Oracle GoldenGate Documentation (12.2), 1.2 Operating System Privileges.