SharePlex 11.4 - Administration Guide

Encrypt data between Export and Import

If you do not want to use SSL/TLS but still want to encrypt data between Export and Import, you can use this feature instead.

SharePlex can be configured to encrypt replicated data across the network. SharePlex uses Advanced Encryption Standard (AES) encryption.

Encryption guidelines

Encryption must be enabled on the source and target systems. You enable encryption and set the size of the key through the Export process. You configure the Import process to ensure that encryption is enabled on the source, so that no data is sent across the network unless it is encrypted.

When configuring encryption, follow these guidelines:

  • Use one encryption key for all Export processes in the SharePlex instance.
  • To use encryption, SharePlex must be version 9.1 or later.

Important:

  • SharePlex utilizes AES encryption with 128, 192, or 256-bit keys in CBC (Cipher Block Chaining) mode.

  • For SSL/TLS security within SharePlex (included in sp_security), OpenSSL is used and comes bundled with the software.

  • The encryption and hashing algorithms used (AES256-SHA) are compliant with FIPS standards.

Encryption procedure

Note: SharePlex uses AES Cipher Block Chaining (CBC mode) for data encryption.

On the source system:

  1. Set the Export parameter SP_XPT_ENABLE_AES to 1. This enables encryption.

    sp_ctrl> set param sp_xpt_enable_aes 1

  2. Run the create encryption key command to create the key.

    sp_ctrl> create encryption key

    The following is an example key:
    E5F5D4CBA329D2C86B5D7ABA096C18600595490129F55A1422AAB0248B28D0E4

  3. (Optional) Set the SP_XPT_AES_KEY_LENGTH parameter to increase the key size.

    The create encryption key command returns a randomly generated, 256-bit AES key. By default, SharePlex uses 128 bits of that length to encrypt the data.

    To increase the key length that SharePlex uses, set the SP_XPT_AES_KEY_LENGTH parameter to 192 or 256 bits. A longer key is harder to break but requires more CPU power.

    sp_ctrl> set param sp_xpt_aes_key_length {192 | 256}

    Example: set param sp_xpt_aes_key_length 256

  4. Run the set encryption key command. This adds the key to the Export configuration.

    sp_ctrl> set encryption key key_value

    Example: set encryption key E5F5D4CBA329D2C86B5D7ABA096C18600595490129F55A1422AAB0248B28D0E4

  5. Restart Export to activate the settings.

    sp_ctrl> stop export

    sp_ctrl> start export

On the target system:

  1. Set the SP_IMP_ENABLE_AES parameter to 1. This prevents SharePlex on the target from accepting data that is not encrypted.

  2. Run the set encryption key command with the same key value that you set for Export. The key values on the source and target must match.

    sp_ctrl> set encryption key key_value

    Example: set encryption key E5F5D4CBA329D2C86B5D7ABA096C18600595490129F55A1422AAB0248B28D0E4

  3. Restart Import to activate the settings.

    sp_ctrl> stop import

    sp_ctrl> start import

View the encryption key

Issue this command on the source and target systems to ensure that both key values match.

sp_ctrl> show encryption key
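
The procedure above leaves several ways for a source/target pair to end up misconfigured: Import not enforcing encryption, a key that does not match, or the documentation's public example key left in place. The following pre-flight check is an added example, not part of SharePlex or its documentation. It assumes that you have already collected each side's parameter values and key into a dictionary, and that hex keys can be compared case-insensitively; `check_pair` and the dictionary layout are hypothetical names.

```python
import hmac
import re

# Example key printed in the guide; it is public, so it must never protect real traffic.
DOC_EXAMPLE_KEY = "E5F5D4CBA329D2C86B5D7ABA096C18600595490129F55A1422AAB0248B28D0E4"
KEY_RE = re.compile(r"[0-9A-Fa-f]{64}")  # 256-bit key written as 64 hex characters


def check_pair(source, target):
    """Return findings for one Export/Import pair (dicts: parameter name -> value, plus "key")."""
    findings = []
    if str(source.get("SP_XPT_ENABLE_AES", "0")) != "1":
        findings.append("source: SP_XPT_ENABLE_AES is not 1, Export encryption is not enabled")
    if str(target.get("SP_IMP_ENABLE_AES", "0")) != "1":
        findings.append("target: SP_IMP_ENABLE_AES is not 1, Import accepts unencrypted data")
    length = str(source.get("SP_XPT_AES_KEY_LENGTH", "128"))  # 128 is the documented default
    if length not in ("128", "192", "256"):
        findings.append(f"source: SP_XPT_AES_KEY_LENGTH {length} is not 128, 192 or 256")
    keys = {}
    for side, cfg in (("source", source), ("target", target)):
        key = (cfg.get("key") or "").strip()
        if not KEY_RE.fullmatch(key):
            findings.append(f"{side}: key is not 64 hex characters (256 bits)")
            continue
        keys[side] = key.upper()  # assumption: hex case does not matter
        if hmac.compare_digest(keys[side], DOC_EXAMPLE_KEY):
            findings.append(f"{side}: key is the example key from the documentation")
    if len(keys) == 2 and not hmac.compare_digest(keys["source"], keys["target"]):
        findings.append("key mismatch between source and target")
    return findings


if __name__ == "__main__":
    # Constructed sample settings, not taken from a real system.
    good_key = "00112233445566778899AABBCCDDEEFF" * 2
    src = {"SP_XPT_ENABLE_AES": 1, "SP_XPT_AES_KEY_LENGTH": 256, "key": good_key}
    tgt = {"SP_IMP_ENABLE_AES": 0, "key": DOC_EXAMPLE_KEY}
    for finding in check_pair(src, tgt):
        print(finding)
```
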

FIPS Compliance

SharePlex installations can be run on FIPS-enabled servers on the Linux platform. No FIPS-specific configurations are required to run SharePlex installations on FIPS-enabled servers.

Assign SharePlex users to security groups

Overview

The SharePlex security groups provide access control to the SharePlex command and control system. Without proper configuration of these groups, anyone with permissions on the system can use the commands that view, configure, and control data replication.

Overview of SharePlex security groups

About the SharePlex Security Groups

To monitor, control, or change SharePlex replication, a person must be assigned to one of the SharePlex security groups on the systems where he or she will be issuing commands. Each group corresponds to an authorization level, which determines which SharePlex commands a person can issue. To execute a command, a user must have that command’s authorization level or higher. Use the authlevel command to determine your authorization level for issuing SharePlex commands on a system.

Description of the SharePlex security groups

Refer to the following table to determine the group and authorization level that you want to grant each SharePlex user.

User Authorization Levels and Roles

Auth level: 1
User type: Administration
User group: spadmin*
User roles:

You need at least one user with Administrator rights on each source and target system.

Can issue all SharePlex commands. Commands that can only be issued by a SharePlex Administrator are:

  • startup, shutdown
  • all configuration commands relating to an active configuration
  • all parameter commands except list param
  • start capture
  • stop capture
  • abort capture
  • truncate log

The SharePlex Administrator user must be in the Oracle dba group. For Oracle RAC and ASM 11gR2 and above, the user must also be in the Oracle Inventory group. For example: $ useradd -g spadmin -G dba,oinstall. The membership in the Oracle Inventory group must be listed explicitly in the /etc/group file.

On Unix and Linux, unless you install SharePlex as a root user, the SharePlex Administrator user and the SharePlex admin group must exist prior to installation.

Auth level: 2
User type: Operator
User group: spopr
User roles: Can issue all SharePlex commands except those listed above.

Auth level: 3
User type: Viewer
User group: spview
User roles: Can view lists, status screens, and logs to monitor replication only.

Note: The default name for the SharePlex administrator group is spadmin, but you can designate any group or specify any name for that group during installation.
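
The group rules above can be audited from a host's /etc/group and /etc/passwd contents. The following is an added example, not part of SharePlex. It assumes the default group names, treats a user whose primary group is spadmin (as in the useradd example) as a member, and requires explicit /etc/group membership only for oinstall; the function names and the `rac` flag are hypothetical.

```python
# Default group names from the guide; the administrator group can be renamed at install time.
LEVELS = {"spadmin": 1, "spopr": 2, "spview": 3}

# Constructed sample files, not from a real host.
SAMPLE_GROUP = "spadmin:x:600:\nspopr:x:601:bob\nspview:x:602:bob,carol\ndba:x:500:splex\noinstall:x:501:\n"
SAMPLE_PASSWD = "splex:x:1001:600::/home/splex:/bin/bash\nbob:x:1002:100::/home/bob:/bin/bash\n"


def parse_group(text):
    """/etc/group lines (name:passwd:gid:members) -> {name: (gid, set of listed members)}."""
    groups = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 4 and not line.startswith("#"):
            groups[fields[0]] = (fields[2], {m for m in fields[3].split(",") if m})
    return groups


def members(groups, passwd, name, explicit_only=False):
    """Users listed in /etc/group, plus (unless explicit_only) users with that primary GID."""
    gid, listed = groups.get(name, (None, set()))
    if explicit_only or gid is None:
        return set(listed)
    rows = (line.strip().split(":") for line in passwd.splitlines())
    return listed | {f[0] for f in rows if len(f) >= 4 and f[3] == gid}


def audit(group_text, passwd_text, rac=False):
    """Return ({user: auth level}, [findings]) for one host."""
    groups = parse_group(group_text)
    levels = {}
    for name, level in LEVELS.items():
        for user in members(groups, passwd_text, name):
            levels[user] = min(level, levels.get(user, level))  # level 1 is the highest
    findings = []
    admins = sorted(u for u, lvl in levels.items() if lvl == 1)
    if not admins:
        findings.append("no spadmin member: each system needs at least one Administrator")
    dba = members(groups, passwd_text, "dba")
    oinstall = members(groups, passwd_text, "oinstall", explicit_only=True)
    for user in admins:
        if user not in dba:
            findings.append(f"{user}: in spadmin but not in dba")
        if rac and user not in oinstall:
            findings.append(f"{user}: not listed explicitly in oinstall in /etc/group")
    return levels, findings
```
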
