sp_wallet utility
SP_wallet
Description
Use the sp_wallet utility to provide the Oracle Wallet password to SharePlex. SharePlex uses the wallet password to access the TDE primary Encryption Key. SharePlex uses the TDE primary Encryption Key to decrypt TDE-protected data in the redo log that must be replicated.
Grant read permission on the Oracle Wallet file to the dba group before using sp_wallet.
Supported databases
Oracle on Unix and Linux
Run sp_wallet
To run sp_wallet and manually supply the password:
-
On the source system, start SharePlex from the SharePlex product directory. You are prompted to run sp_wallet.
*** To enable TDE replication, run sp_wallet and provide the wallet password ***
-
Run sp_wallet.
./sp_wallet [-r port_number]
./sp_wallet -r 9400
wallet password: walletpw
Wallet loaded into SharePlex
To run sp_wallet in auto-open mode:
If you are using an auto-open wallet, you can configure SharePlex to open the TDE wallet automatically. This eliminates the need to run sp_wallet manually at SharePlex startup. The syntax is:
./sp_wallet --auto-open [-r port_number]
Important! Using the auto-open wallet feature has additional security considerations. See the Oracle documentation for more information. In addition, do not back up the SharePlex variable-data directory together with the Oracle wallet and the Oracle data files.
To cancel auto-open mode:
./sp_wallet --no-auto-open [-r port_number]
To change the TDE primary encryption key:
If you need to change the TDE primary Encryption Key while a SharePlex configuration is active, take the following steps to ensure that SharePlex continues to replicate the TDE-protected data after the changes.
- Quiesce the source database.
- Make sure that Capture finishes processing the remaining data in the redo log.
- Shut down SharePlex.
- Change the TDE primary Encryption Key.
- Restart SharePlex.
-
Run the sp_wallet utility to provide SharePlex with the new TDE primary Encryption Key.
./sp_wallet [-r port_number]
sp_hsm
sp_hsm
Description
Use the sp_hsm utility to provide the Oracle Wallet password to SharePlex that is stored at external storage (HSM). SharePlex uses the wallet password to access the TDE primary Encryption Key. SharePlex uses the TDE primary Encryption Key to decrypt TDE protected data in the redo log that must be replicated.
Grant read permission on the Oracle Wallet file to the dba group before using sp_hsm.
Note: The sp_hsm utility supports HSM physical devices that are compatible with the PKCS 11 library.
Supported databases
Oracle
Run the sp_hsm Utility
Run the sp_hsm utility:
-
Open command prompt.
-
Enter the Oracle SID or TNS alias if it is an RAC configuration [ORCL1]: ORCL1
-
Ensure the HSM library is set up correctly:
HSM opm_is_hsm_library_setup entered for sid o.ORCL1
HSM opm_is_hsm_library_setup returned true
-
Enter the Slot ID for the HSM on which the Oracle database is configured.
HSM Slot ID [0]: 1
-
Enter the HSM password.
After successfully adding the HSM password to Shareplex, the utility displays the following message:
The HSM password has been successfully added to Shareplex.
Shareplex will automatically connect to HSM upon startup.
The sp_hsm utility will not need to be run again unless you want to change the HSM password.
To change the HSM password, just run sp_hsm and enter the new password.
The old HSM password will replace the existing password.
sp_security
Description
Use the sp_security utility to enable, disable or view the SSL/TLS settings for SharePlex network communication.
Enable SSL/TLS
IMPORTANT! SSL/TLS must be either enabled with a common network password or disabled on all SharePlex installations.
To enable SSL/TLS:
Run sp_security --setup, select the SSL/TLS option, and then enter a network password.
% sp_security --setup
Security Setup Wizard
---------------------
This wizard will walk you through setting up the SharePlex network security.
Setup configuration for '/home/shareplex/var110/' and Port 2100 [N]: Y
Choose your network security model. Please note the following:
* Cop must be down when the security model is changed, or when the network password is changed
* The same model must be used among all SharePlex nodes replicating to each other
* For security model [1], the same network password must be set on all SharePlex nodes replicating to each other
[1] Use basic SSL/TLS connections
[2] Use non-SSL/TLS connections (default prior to SharePlex 9.1.3)
Security model: 1
Please enter a network password that will be used for authentication
among the SharePlex nodes. All SharePlex nodes that replicate data to each
other must have the same network password.
Network password:
Please re-enter the network password
Network password:
Security settings:
Configuration for '/home/shareplex/var110/' and Port 2100:
Security model : SSL/TLS
Network password : stored for unattended startup
SSL key file password : stored for unattended startup
SSL key file : key.pem
SSL cert file : cert.pem
Setup complete!
Disable SSL/TLS
IMPORTANT! SSL/TLS must be either enabled with a common network password or disabled on all SharePlex installations.
To disable SSL/TLS:
Run “sp_security --setup” and select non-SSL/TLS connections.
% sp_security --setup
Security Setup Wizard
---------------------
This wizard will walk you through setting up the SharePlex network security.
Setup configuration for '/home/shareplex/var110/' and Port 2100 [N]: Y
Choose your network security model. Please note the following:
* Cop must be down when the security model is changed, or when the network password is changed
* The same model must be used among all SharePlex nodes replicating to each other
* For security model [1], the same network password must be set on all SharePlex nodes replicating to each other
[1] Use basic SSL/TLS connections
[2] Use non-SSL/TLS connections (default prior to SharePlex 9.1.3)
Security model: 2
Security settings:
Configuration for '/home/shareplex/var110/' and Port 2100:
Security model : Un-encrypted
Setup complete!
View current SSL/TLS configuration
To view the current SSL/TLS configuration:
Run “sp_security --show”.
% sp_security --show
Security settings:
Configuration for '/home/shareplex/var110/' and Port 210:
Security model : Un-encrypted
Trigger Scripts
Description
SharePlex provides three interactive scripts that you can run in SQL*Plus to manage triggers so that they do not interfere with replication. Review the following points before you run the scripts.
-
To run the trigger scripts, you must have access to both the SYS and DBA objects. If the SharePlex database account was set up properly during installation, that account has this access.
- After applying an Oracle patch (which sometimes creates or modifies triggers), re-run sp_add_trigger.sql on the target system if triggers are not disabled.
-
The scripts reside in the util sub-directory of the SharePlex product directory.
- The SharePlex trigger scripts support row-level triggers only. Statement-level triggers must be disabled/enabled for the SharePlex user separately.
- Triggers that modify data in tables NOT being replicated and do not affect tables in the replication configuration can fire on the target system without special treatment. However, the scripts operate on all objects in the Oracle or PostgreSQL instance, whether or not they are part of replication.
- SharePlex provides other interactive scripts for managing triggers.
- The scripts must be run for target objects. Do not run them on the source objects unless you are using peer-to-peer replication.
- The scripts should not be used if source and target objects are both on the same machine. In this configuration, the user can disable triggers on target objects.
Supported databases
Oracle and supported platforms
sp_add_trigger.sql
Use sp_add_trigger.sql when you cannot disable triggers on target objects, such as for peer-to-peer and high-availability configurations. This script changes the triggers so that they ignore the SharePlex Oracle user associated with the Post process, but fire for all other users. It inserts the following WHEN clause into each trigger in the database.
when user != ‘SharePlex_username’ begin
The script prompts for the SharePlex user name, and then it modifies the triggers. It does not modify triggers belonging to SYS, SYSTEM, and SCOTT.
Syntax
@absolute_pathname/sp_add_trigger.sql
sp_change_trigger.sql
Use sp_change_trigger.sql to replace the name of the SharePlex user in the WHEN clause that was created with sp_add_trigger.sql. It prompts for the current SharePlex user name and for the new user name. Change the SharePlex user in Oracle before you run this script.
Syntax
@absolute_pathname/sp_change_trigger.sql
sp_remove_trigger.sql
Use sp_remove_trigger.sql to remove the WHEN clause created with sp_add_trigger.sql. It prompts for the SharePlex user name and then automatically removes the WHEN clause from all of the triggers. Use this script if you no longer will be replicating to those tables. If you continue to use SharePlex to replicate to those tables without disabling the triggers, the triggers will fire when SharePlex posts data, and SharePlex will generate out-of-sync errors.
Syntax
@absolute_pathname/sp_remove_trigger.sql