This feature is available in Oracle GoldenGate 12.1.2.1.1 and later versions.
You need to know three concepts to understand this approach. They are SSH, SSH Tunnel, and SOCKS Proxy.
- SSH (Secure Shell; the expansion "Secure Socket Shell" is a common misnomer) is a network protocol that provides a secure way to communicate with a server and to connect to systems remotely via the command line. You can use SSH to log into remote servers, tunnel your traffic, transfer files (SFTP), copy files securely (SCP), mount remote file systems, and more. [2] You can authenticate to SSH with a user name and password or with a key pair; key pairs are the more secure approach.
- An SSH tunnel is an encrypted channel created through an SSH connection. Users set up SSH tunnels to carry otherwise unencrypted traffic across a network inside that encrypted channel. You can set up an SSH tunnel with PuTTY (Win32 SSH) on Windows, OpenSSH on Linux/macOS, and products such as Bitvise SSH Client.
- A SOCKS proxy is a proxy server that establishes a TCP (or, with SOCKS5, UDP) connection to another server on behalf of a client and then relays all traffic back and forth between the client and that server. If you use an SSH tunnel with dynamic port forwarding (ssh -D), the SSH client itself acts as the SOCKS proxy, and you then need to configure your programs to send their connections to it. This is the approach normally used for Oracle GoldenGate replication.[5]
- An SSH tunnel does not have to involve a SOCKS proxy. SSH tunnels using local (-L) and remote (-R) port forwarding each forward one fixed port and do not require a SOCKS5 proxy.
- A SOCKS proxy is not limited to SSH tunnels. It can be used in front of SSH connections, HTTP connections, or any other TCP client that speaks SOCKS.
Please refer to this post: How to Tunneling SSH over an HTTP Proxy.
To protect the GoldenGate replication, we configure:
- an SSH tunnel for the encrypted channel,
- a SOCKS5 proxy server that redirects the traffic between source and target, and
- SSH key pairs for the SSH connections.
Please refer to this post: How to Generate SSH Key pairs.
- The client program must have SOCKS client capability. Here the client program is the Oracle GoldenGate data pump (the pump Extract), which connects to the target Manager through the proxy.
- You must run and maintain a SOCKS server. Many programs provide one: PuTTY (Win32 SSH) on Windows, OpenSSH on Linux/macOS, and commercial products such as WinGate.
Please refer to this post: How to Create SOCKS5 Proxy.
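The three pieces above (key pair, SSH tunnel with dynamic forwarding, pump pointed at the SOCKS5 listener) fit together as follows. This is an added example, not Oracle's code and not from the original post; the host names src and tgt, the account oggtunnel, the Manager port 7809, the collector ports 7810-7811 and the SOCKS port 1080 are assumptions, and the SOCKSPROXY syntax on RMTHOST should be checked against the reference guide for your release:

```shell
#!/bin/sh
# Added example, not Oracle's code and not from the original post. Hypothetical
# names: source host "src" runs the pump Extract, target host "tgt" runs sshd and
# the GoldenGate Manager on 7809 with collector ports 7810-7811, the tunnel
# account is "oggtunnel", and the SOCKS5 listener is 127.0.0.1:1080 on src.

# tunnel_cmd USER HOST KEYFILE LOCAL_PORT -> the ssh command that opens the
# SOCKS5 listener with dynamic port forwarding (-D) on the source host.
#   -D 127.0.0.1:PORT      loopback only, so other hosts cannot use the tunnel
#   -N -f                  no remote shell, go to background once connected
#   ExitOnForwardFailure   die rather than run without the forward
#   ServerAliveInterval    keep the session up while the pump is idle
tunnel_cmd() {
    printf 'ssh -f -N -D 127.0.0.1:%s -i %s -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o StrictHostKeyChecking=yes %s@%s\n' \
        "$4" "$3" "$1" "$2"
}

# authorized_key_line PUBKEY HOST PORT... -> the line for
# ~oggtunnel/.ssh/authorized_keys on the target. "restrict" turns off pty,
# agent/X11 forwarding and commands; "port-forwarding" re-enables only
# forwarding; each "permitopen" limits it to one destination, so a stolen key
# can reach the GoldenGate ports and nothing else. HOST must be spelled exactly
# as in RMTHOST, because sshd matches the name the SOCKS client sends, not a
# resolved address. "restrict" needs OpenSSH 7.2 or later.
authorized_key_line() {
    pub=$1; host=$2; shift 2
    opts='restrict,port-forwarding'
    for p in "$@"; do opts="$opts,permitopen=\"$host:$p\""; done
    printf '%s %s\n' "$opts" "$pub"
}

# pump_params NAME HOST MGRPORT SOCKS_PORT -> the pump Extract parameter file.
# SOCKSPROXY on RMTHOST (GoldenGate 12.1.2.1+; check the reference for your
# release) makes the pump connect through the SOCKS5 listener, so the Manager
# handshake and the trail data both ride the SSH tunnel.
pump_params() {
    cat <<EOF
EXTRACT $1
PASSTHRU
RMTHOST $2, MGRPORT $3, SOCKSPROXY 127.0.0.1:$4
RMTTRAIL ./dirdat/rt
TABLE hr.*;
EOF
}

# socks_listening PORT -> exit 0 when something accepts TCP on 127.0.0.1:PORT;
# run it before starting the pump, and from a watchdog afterwards.
socks_listening() {
    ss -ltn 2>/dev/null | grep -q "127\.0\.0\.1:$1[[:space:]]"
}

# Constructed placeholder public key (not a real key).
PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderPlaceholderPlaceholderPlaceho oggtunnel@src'

echo '# 1. on src: key pair without a passphrase, so the tunnel can start unattended'
echo "ssh-keygen -t ed25519 -N '' -f ~/.ssh/ogg_tunnel"
echo '# 2. on tgt: ~oggtunnel/.ssh/authorized_keys'
authorized_key_line "$PUBKEY" tgt 7809 7810 7811
echo '# 3. on src: open the tunnel (the ssh client is the SOCKS5 server)'
tunnel_cmd oggtunnel tgt ~/.ssh/ogg_tunnel 1080
echo '# 4. on src: dirprm/psocks.prm for the pump'
pump_params PSOCKS tgt 7809 1080
```

Binding the SOCKS listener to 127.0.0.1 matters: a `-D 1080` bound to all interfaces would let any host that can reach src pump traffic into the target's network through your key. The permitopen list has to cover every port the pump will ask for, which is the Manager port plus whatever DYNAMICPORTLIST allows on the target; if the collector ports are a wide range, `permitopen="tgt:*"` limits the key to that host while leaving the port open.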
When using an SSH connection, you should also harden the SSH service itself. Before using SSH, check that the following are configured[1]:
- Change the SSH listening port: attackers use port scanners to probe TCP port 22 and see which hosts run an SSH service. Moving sshd to a port above 1024 reduces the noise from such opportunistic scans; it does not stop a targeted attacker, who will scan every port, so treat it as hygiene rather than protection. Change the Port directive in /etc/ssh/sshd_config and restart the SSH service.
- Use SSH protocol 2 only (Protocol 2). OpenSSH 7.0 and later no longer enable protocol 1, so this mainly matters on older builds.
- No root login via SSH (PermitRootLogin no).
- Use public key authentication. DSA keys were the usual recommendation when this list was written, but OpenSSH 7.0 and later disable ssh-dss keys by default, so generate Ed25519 (or RSA) keys instead, and turn off password authentication once the keys work.
- Allow only specific hosts to connect. TCP wrappers (/etc/hosts.allow) do this on older systems; OpenSSH removed tcp_wrappers support in 6.7, so on current systems use AllowUsers user@host or AllowGroups in sshd_config together with a host firewall.
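The checklist above can be turned into a quick audit that reads sshd_config directly, so it needs neither root nor a running sshd. This is an added example, not from the original post; the two sample configuration files are constructed here and the user name and address in them are placeholders:

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config file for the
# settings the checklist above asks for. It reads the file directly, so it runs
# without root and without a live sshd.

# get_opt FILE KEYWORD -> prints the effective value. sshd honours the FIRST
# uncommented occurrence of a keyword, so the search stops at the first hit.
get_opt() {
    awk -v key="$2" '
        /^[[:space:]]*(#|$)/ { next }          # skip comments and blank lines
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE -> prints one line per weakness found and returns the
# number of findings (0 = all checks passed).
audit_sshd_config() {
    f="$1"; n=0

    port=$(get_opt "$f" Port); [ -z "$port" ] && port=22
    if [ "$port" -eq 22 ]; then
        echo "Port: sshd still listens on 22 (the port scanners probe first)"; n=$((n+1))
    fi

    # "Protocol 2,1" or "Protocol 1" enables SSH-1. Unset is fine on OpenSSH 7.0+,
    # where SSH-1 is no longer enabled, but older builds defaulted to allowing it.
    proto=$(get_opt "$f" Protocol)
    case "$proto" in *1*) echo "Protocol: SSH-1 enabled ($proto)"; n=$((n+1)) ;; esac

    if [ "$(get_opt "$f" PermitRootLogin)" != "no" ]; then
        echo "PermitRootLogin: not 'no'"; n=$((n+1))
    fi

    if [ "$(get_opt "$f" PubkeyAuthentication)" = "no" ]; then
        echo "PubkeyAuthentication: disabled"; n=$((n+1))
    fi

    if [ "$(get_opt "$f" PasswordAuthentication)" != "no" ]; then
        echo "PasswordAuthentication: passwords still accepted; key pairs only is safer"; n=$((n+1))
    fi

    # Host/user restriction: tcp_wrappers support was dropped from OpenSSH 6.7,
    # so the modern equivalent of /etc/hosts.allow is AllowUsers user@host
    # (or AllowGroups) plus a host firewall.
    if [ -z "$(get_opt "$f" AllowUsers)" ] && [ -z "$(get_opt "$f" AllowGroups)" ]; then
        echo "AllowUsers/AllowGroups: no user or host restriction"; n=$((n+1))
    fi

    return $n
}

# --- constructed sample configs (placeholder user and address) -------------
WEAK_CONF=$(mktemp); HARD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT
cat >"$WEAK_CONF" <<'EOF'
# default-ish config
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat >"$HARD_CONF" <<'EOF'
Port 2222
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
AllowUsers ogg@10.0.0.5
EOF

echo "== weak =="; audit_sshd_config "$WEAK_CONF" || echo "$? finding(s)"
echo "== hardened =="; audit_sshd_config "$HARD_CONF" && echo "0 findings"
```

The weak file produces five findings (port 22, SSH-1 enabled, root login, passwords accepted, no host restriction) and the hardened one none. Because the audit only reads the file, run it against the config you are about to deploy; `sshd -t -f FILE` will then tell you whether sshd accepts it, and `sshd -T` on the host shows the values sshd actually resolved, including defaults this script assumes.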