Secure data with SSH
SharePlex uses the SSH (Secure Shell) utility to provide encryption for network services, such as secure remote login, over an insecure network.
Requirements
- Purchase and install the SSH software. SSH is not included with SharePlex.
- Using SSH with SharePlex requires the use of local port forwarding (also known as tunneling) within the SSH configuration. Port forwarding allows you to establish a secure SSH session and then tunnel TCP connections through it.
- SharePlex can be configured to work with SSH software between a source system and one target system. If a source replicates to multiple targets, only one of the routes can be configured with SSH.
- This feature is supported on Unix and Linux.
To set up SharePlex to use SSH:
- On the source and target systems, choose an available local port to be used as the tunnel port. For peer-to-peer and high availability replication, the port must be the same number on both systems. For other replication strategies, choose a different port on each system.
- On the source system, issue the following command from the command prompt. This command connects to the target system to set up the tunnel.
  $ ssh -L source_port:target_host:target_port userid@target_host -N -f
  where:
  - -L specifies that the specified port on the local host (acting as the client) is to be forwarded to the remote host and port.
  - source_port is the port number on the source system.
  - target_host is the name of the target system.
  - target_port is the port on the target system.
  - userid is your Unix or Linux user ID. You will be prompted for the password.
  - -N specifies not to execute a remote command. This is used just to forward a port (protocol version 2 only).
  - -f forces SSH to go to the background just before command execution. If this argument is omitted, the terminal window you are using must be kept open. SSH cannot be started with nohup.
  Refer to your SSH documentation for more information about these options.
- (If using multiple SharePlex instances) On the source system, export the correct variable-data directory for the instance of sp_cop for which you are setting up SSH.
  ksh shell:
  export SP_SYS_VARDIR=/full_path_of_variable-data_directory
  csh shell:
  setenv SP_SYS_VARDIR /full_path_of_variable-data_directory
- On the source system, start sp_cop.
- On the source system, run sp_ctrl from the bin subdirectory of the product directory.
- In sp_ctrl, set the SP_XPT_USE_LOCALHOST parameter in one of the following ways.
  where: host is the name of the target system that will use the tunnel.
- In sp_ctrl, use the list param command with the modified option to verify the parameter setting. If the setting is correct, you can activate a configuration at this point.
  sp_ctrl> list param modified
- If there is an active configuration, stop and then start sp_cop to make the new parameter setting active.
  To stop sp_cop:
  sp_ctrl> shutdown
  To start sp_cop:
  $ /productdir/bin/sp_cop &
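An added example (not part of the SharePlex documentation) that composes the port-forwarding command from the procedure above and checks that the tunnel port is actually bound on the loopback interface before sp_cop is started. The helper names are hypothetical and SAMPLE_SS is constructed `ss -ltn` output.

```shell
#!/bin/sh
# Added example, not SharePlex code: build the ssh -L command used by the
# procedure above and verify the tunnel is listening on loopback.
# Helper names are hypothetical; SAMPLE_SS is constructed `ss -ltn` output.

# Print "ssh -L source_port:target_host:target_port userid@target_host -N -f".
# Returns 1 if either port is not a number in the unprivileged range.
ssh_tunnel_cmd() {
    src_port=$1; tgt_host=$2; tgt_port=$3; userid=$4
    for p in "$src_port" "$tgt_port"; do
        case $p in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$p" -ge 1024 ] && [ "$p" -le 65535 ] || return 1
    done
    printf 'ssh -L %s:%s:%s %s@%s -N -f\n' \
        "$src_port" "$tgt_host" "$tgt_port" "$userid" "$tgt_host"
}

# ssh -L with no bind address listens on the loopback interface only,
# which is why Export is pointed at localhost with SP_XPT_USE_LOCALHOST.
# Reads `ss -ltn` output from stdin; returns 0 when the port is bound on
# 127.0.0.1 or [::1].
tunnel_is_listening() {
    grep -Eq "^LISTEN[[:space:]]+.*(127\.0\.0\.1|\[::1\]):$1[[:space:]]"
}

# Constructed `ss -ltn` output: tunnel port 2101 up, otherwise only sshd.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:2101     0.0.0.0:*
LISTEN 0      128    [::1]:2101         [::]:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

# Live check: ss -ltn | tunnel_is_listening 2101
# Offline check against the constructed sample above.
sample_tunnel_listening() {
    printf '%s\n' "$SAMPLE_SS" | tunnel_is_listening "$1"
}
```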
Encrypt data between Export and Import
If you do not want to use SSL/TLS but still want to encrypt data between Export and Import, you can do so using this feature.
SharePlex can be configured to encrypt replicated data across the network. SharePlex uses Advanced Encryption Standard (AES) encryption.
Encryption guidelines
Encryption must be enabled on the source and target systems. You enable encryption and set the size of the key through the Export process. You configure the Import process to ensure that encryption is enabled on the source, so that no data is sent across the network unless it is encrypted.
When configuring encryption, follow these guidelines:
- Use one encryption key for all Export processes in the SharePlex instance.
- To use encryption, SharePlex must be version 9.1 or later.
Important:
- SharePlex utilizes AES encryption with 128, 192, or 256-bit keys in CBC (Cipher Block Chaining) mode.
- For SSL/TLS security within SharePlex (included in sp_security), OpenSSL is used and comes bundled with the software.
- The encryption and hashing algorithms used (AES256-SHA) are compliant with FIPS standards.
Encryption procedure
Note: SharePlex uses AES Cipher Block Chaining (CBC mode) for data encryption.
On the source system:
- Set the Export parameter SP_XPT_ENABLE_AES to 1. This enables encryption.
  sp_ctrl> set param sp_xpt_enable_aes 1
- Run the create encryption key command to create the key.
  sp_ctrl> create encryption key
  The following is an example key:
  E5F5D4CBA329D2C86B5D7ABA096C18600595490129F55A1422AAB0248B28D0E4
- (Optional) Set the SP_XPT_AES_KEY_LENGTH parameter to increase the key size.
  The create encryption key command returns a randomly generated, 256-bit AES key. By default, SharePlex uses 128 bits of that length to encrypt the data.
  To increase the key length that SharePlex uses, set the SP_XPT_AES_KEY_LENGTH parameter to 192 or 256 bits. A longer key is harder to brute-force but requires more CPU power.
  sp_ctrl> set param sp_xpt_aes_key_length {192 | 256}
  Example: set param sp_xpt_aes_key_length 256
- Run the set encryption key command. This adds the key to the Export configuration.
  sp_ctrl> set encryption key key_value
  Example: set encryption key E5F5D4CBA329D2C86B5D7ABA096C18600595490129F55A1422AAB0248B28D0E4
- Restart Export to activate the settings.
  sp_ctrl> stop export
  sp_ctrl> start export
On the target system:
- Set the SP_IMP_ENABLE_AES parameter to 1. This prevents SharePlex on the target from accepting data that is not encrypted.
- Run the set encryption key command with the same key value that you set for Export. The key values on the source and target must match.
  sp_ctrl> set encryption key key_value
  Example: set encryption key E5F5D4CBA329D2C86B5D7ABA096C18600595490129F55A1422AAB0248B28D0E4
- Restart Import to activate the settings.
  sp_ctrl> stop import
  sp_ctrl> start import
View the encryption key
Issue this command on the source and target systems to ensure that both key values match.
sp_ctrl> show encryption key
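An added example (not SharePlex code) covering the encryption procedure and the key check above: it validates the key handed to set encryption key and the SP_XPT_AES_KEY_LENGTH value, compares the values reported by show encryption key on source and target, and emits the sp_ctrl command sequence for either side from one key. The function names are hypothetical; the target-side set param command is assumed to mirror the source-side one shown on this page.

```shell
#!/bin/sh
# Added example, not SharePlex code: validate the AES key and key length,
# compare source/target keys, and print the sp_ctrl steps for one side.
# Function names are hypothetical.

# create encryption key returns a 256-bit key, i.e. exactly 64 hex digits.
valid_aes_key() {
    key=$1
    [ "${#key}" -eq 64 ] || return 1
    case $key in
        *[!0-9A-Fa-f]*) return 1 ;;
    esac
}

# SP_XPT_AES_KEY_LENGTH accepts only 128 (the default), 192 or 256.
valid_key_length() {
    case $1 in
        128|192|256) return 0 ;;
        *) return 1 ;;
    esac
}

# Compare the values from "show encryption key" on both systems, ignoring
# hex case, so a mismatch is caught before Import rejects the data.
keys_match() {
    [ "$(printf '%s' "$1" | tr 'a-f' 'A-F')" = "$(printf '%s' "$2" | tr 'a-f' 'A-F')" ]
}

# Print the sp_ctrl commands from the procedure above for ROLE
# (source|target) with KEY and optional LEN; returns 1 on bad input.
# The sp_imp_enable_aes set param form is assumed by analogy with Export.
aes_setup_cmds() {
    role=$1; key=$2; len=${3:-128}
    valid_aes_key "$key" || return 1
    valid_key_length "$len" || return 1
    case $role in
        source)
            echo "set param sp_xpt_enable_aes 1"
            if [ "$len" -ne 128 ]; then
                echo "set param sp_xpt_aes_key_length $len"
            fi
            echo "set encryption key $key"
            echo "stop export"; echo "start export" ;;
        target)
            echo "set param sp_imp_enable_aes 1"
            echo "set encryption key $key"
            echo "stop import"; echo "start import" ;;
        *) return 1 ;;
    esac
}
```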
FIPS Compliance
SharePlex installations can be run on FIPS-enabled servers on the Linux platform. No FIPS-specific configurations are required to run SharePlex installations on FIPS-enabled servers.
CMVP guidelines
To align with CMVP (Cryptographic Module Validation Program) guidelines and strengthen data security, SharePlex supports cryptographic operations using the OpenSSL FIPS provider on the Linux platform. This ensures that the AES encryption algorithms used within SharePlex are executed through a validated cryptographic module, meeting FIPS 140-2 standards.
SharePlex OpenSSL FIPS settings:

| Component | Algorithm Used | Mode | Key Length | FIPS Compliance | Notes |
| --- | --- | --- | --- | --- | --- |
| Communication between SharePlex processes, such as COP to Command and Control, and data flow between Export and Import, can be secured. Refer to the sp_security section for instructions on enabling TLS security. | To make the FIPS provider the default, use the following OpenSSL calls: `OSSL_PROVIDER_load(NULL, "fips");` `EVP_set_default_properties(NULL, "fips=yes");` | FIPS | 256 | Yes | Used for TLS-encrypted secure communication between SharePlex source and target. |
| Provides additional AES-encrypted tunneling between Export and Import processes. Refer to SP_XPT_ENABLE_AES and SP_IMP_ENABLE_AES for configuration details. | AES | FIPS | 128/192/256 | Yes | Users can configure a key of the desired length to encrypt data. |
| Store sensitive information | AES | FIPS | 256 | Yes | |
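An added example (not SharePlex code) that checks the two preconditions the FIPS section relies on: a FIPS-enabled Linux kernel and an active OpenSSL 3 FIPS provider. The helper names are hypothetical and the sample provider listing is constructed in the format printed by `openssl list -providers`.

```shell
#!/bin/sh
# Added example, not SharePlex code: verify the host is FIPS-enabled and
# that the OpenSSL 3 FIPS provider is active. Helper names are
# hypothetical; SAMPLE_PROVIDERS is constructed output.

# /proc/sys/crypto/fips_enabled reads 1 on a FIPS-enabled host. The path
# is a parameter so the function can be exercised on a copy of the file.
kernel_fips_enabled() {
    [ -r "$1" ] && [ "$(cat "$1")" = "1" ]
}

# Parse `openssl list -providers` output from stdin; return 0 when a
# provider with id "fips" is listed with "status: active".
openssl_fips_provider_active() {
    awk '
        /^  [^ ]/ && !/:/                  { prov = $1; next }
        prov == "fips" && /status: active/ { found = 1 }
        END { exit(found ? 0 : 1) }
    '
}

# Constructed listing in the format printed by OpenSSL 3.
SAMPLE_PROVIDERS='Providers:
  base
    name: OpenSSL Base Provider
    version: 3.0.9
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.8
    status: active'

# Live usage: openssl list -providers | openssl_fips_provider_active
sample_fips_provider_active() {
    printf '%s\n' "$SAMPLE_PROVIDERS" | openssl_fips_provider_active
}

# Same listing with the fips provider removed, for the negative case.
sample_without_fips_active() {
    printf '%s\n' "$SAMPLE_PROVIDERS" | sed '/^  fips$/,$d' | openssl_fips_provider_active
}
```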
Assign SharePlex users to security groups
Overview
The SharePlex security groups provide access control to the SharePlex command and control system. Without proper configuration of these groups, anyone with permissions on the system can use the commands that view, configure, and control data replication.