Chatta subito con l'assistenza
Chat con il supporto

SharePlex 11.3 - Administration Guide

About this Guide Conventions used in this guide Revision History Overview of SharePlex Run SharePlex Run multiple instances of SharePlex Execute commands in sp_ctrl Set SharePlex parameters Configure data replication Configure replication to and from a container database Configure named queues Configure partitioned replication Configure replication to a change history target Configure a replication strategy Configure DDL replication Configure error handling Configure data transformation Configure security features Assign SharePlex users to security groups Start replication on your production systems Monitor SharePlex Prevent and solve replication problems Repair out-of-sync data Tune the Capture process Tune the Post process Recover replication after Oracle failover Make changes to an active replication environment Apply an Oracle application patch or upgrade Back up Oracle data on the source or target Troubleshooting Tips Appendix A: Peer-To-Peer Diagram Appendix B: SharePlex environment variables

Configure security features

SharePlex provides a number of security features that help protect replicated data on the local system and during transfer across a network. This chapter provides guidelines for the configuration and use of these features.

Note: When replicating data from PostgreSQL to PostgreSQL, SharePlex supports only Secure Data with SSL/TLS and Encrypt Data between Export and Import security features .

Contents

Secure data with SSL/TLS

SharePlex provides a feature to enable SSL/TLS connections for all network traffic. This will encrypt data on the network between SharePlex instances and between SharePlex and the command line interface.

If SSL/TLS is enabled, SharePlex will only accept SSL/TLS connections. For all SharePlex instances that replicate to each other, either all must have SSL/TLS enabled or all must have SSL/TLS disabled. The SSL/TLS configuration includes a network password. This password must be the same across all of your SharePlex instances.

NOTE: For TLS connections, SharePlex supports TLS 1.2 (or later).

To change the SSL/TLS configuration:

  1. Shutdown sp_cop on all nodes
  2. Run “sp_security --setup” on all nodes
  3. Start sp_cop on all nodes

Use the sp_security utility to enable, disable or view the SSL/TLS settings for SharePlex network communication.

Enable SSL/TLS

IMPORTANT! SSL/TLS must be either enabled with a common network password or disabled on all SharePlex installations.

To enable SSL/TLS:

Run sp_security --setup, select the SSL/TLS option, and then enter a network password.

% sp_security --setup Security Setup Wizard --------------------- This wizard will walk you through setting up the SharePlex network security. Setup configuration for '/home/shareplex/var110/' and Port 2100 [N]: Y Choose your network security model. Please note the following: * Cop must be down when the security model is changed, or when the network password is changed * The same model must be used among all SharePlex nodes replicating to each other * For security model [1], the same network password must be set on all SharePlex nodes replicating to each other [1] Use basic SSL/TLS connections [2] Use non-SSL/TLS connections (default prior to SharePlex 9.1.3) Security model: 1 Please enter a network password that will be used for authentication among the SharePlex nodes. All SharePlex nodes that replicate data to each other must have the same network password. Network password: Please re-enter the network password Network password: Security settings: Configuration for '/home/shareplex/var110/' and Port 2100: Security model : SSL/TLS Network password : stored for unattended startup SSL key file password : stored for unattended startup SSL key file : key.pem SSL cert file : cert.pem Setup complete!

Disable SSL/TLS

IMPORTANT! SSL/TLS must be either enabled with a common network password or disabled on all SharePlex installations.

To disable SSL/TLS:

Run “sp_security --setup” and select non-SSL/TLS connections.

% sp_security --setup Security Setup Wizard --------------------- This wizard will walk you through setting up the SharePlex network security. Setup configuration for '/home/shareplex/var110/' and Port 2100 [N]: Y Choose your network security model. Please note the following: * Cop must be down when the security model is changed, or when the network password is changed * The same model must be used among all SharePlex nodes replicating to each other * For security model [1], the same network password must be set on all SharePlex nodes replicating to each other [1] Use basic SSL/TLS connections [2] Use non-SSL/TLS connections (default prior to SharePlex 9.1.3) Security model: 2 Security settings: Configuration for '/home/shareplex/var110/' and Port 2100: Security model : Un-encrypted Setup complete!

View current SSL/TLS configuration

To view the current SSL/TLS configuration:

Run “sp_security --show”.

% sp_security --show Security settings: Configuration for '/home/shareplex/var110/' and Port 210: Security model : Un-encrypted

Host Authentication

SharePlex provides host authorization security that verifies whether or not SharePlex processes on specific remote systems are authorized to connect to the local system for service and command requests. To implement host authorization, you create an ASCII text file named auth_hosts in the data sub-directory of the SharePlex variable-data directory and then populate it with the names of systems being granted connection permission.

Requirements

  • If used, the auth_hosts file must contain valid entries. If this file exists but is empty or contains invalid entries, SharePlex sends an error message similar to the following example to the Event Log: unauthorized connection attempt.
  • If an auth_hosts file does not exist on a system, SharePlex accepts all requests from all systems that attempt to connect to sp_cop.
  • The name of the local system must be the first non-commented line of this file, or host authorization will not function.
  • All entries, including comments, must end with a return.

To configure the auth_hosts file:

Note: Begin comment lines with a pound character (#).

  1. Run an ASCII text editor such as vi (Unix and Linux) to open a blank file. If you are using a Unix and Linux text editor, change directories to the data sub-directory of the SharePlex variable-data directory before you run the editor.
  2. On the first non-commented line, enter the full machine name of the local system, for example:Localhost.mycorp.com.
  3. On the next non-commented line, enter one of the following:

    Value Description
    all Grants connection authorization to processes on all remote systems.
    hostname Grants connection authorization to the specified host. Enter the fully qualified machine name, for example remotehost.mycorp.com. Specify as many host names as needed, each on its own line.
  4. Save the file as auth_hosts in the data sub-directory of the SharePlex variable-data directory. If running multiple instances of sp_cop, make certain to save the file to the correct variable-data directory.
Example

Note the name of the local host is on the first non-commented line.

#Comment: first line is local host name.

Localhost.mycorp.com

#Comment: remaining lines are remote hosts.

remotehost.mycorp.com

remotehost2.mycorp.com

remotehost3.mycorp.com

Secure data with SSH

Secure Data with SSH

SharePlex uses the SSH® Secure ShellTM utility to provide encryption for network services such as secure remote login and other services over an insecure network.

Requirements

  • Purchase and install the SSH software. SSH is not included with SharePlex.
  • Using SSH with SharePlex requires the use of local port forwarding (also known as tunneling) within the SSH configuration. Port forwarding allows you to establish a secure SSH session and then tunnel TCP connections through it.
  • SharePlex can be configured to work with SSH software between a source system and one target system. If a source replicates to multiple targets, only one of the routes can be configured with SSH.
  • This feature is supported on Unix and Linux.

To set up SharePlex to use SSH:

  1. On the source and target systems, choose an available local port to be used as the tunnel port. For peer-to-peer and high availability replication, the port must be the same number on both systems. For other replication strategies, choose a different port on each system.
  2. On the source system, issue the following command from the command prompt. This command connects to the target system to set up the tunnel.

    $ ssh -L source_port:target_host:target_port userid@target_host -N -f

    where:

    • -L specifies that the specified port on the local host (acting as the client) is to be forwarded to the remote host and port.
    • source_port is the port number on the source system.
    • target_host is the name of the target system.
    • target_port is the port on the target system.
    • userid is your Unix and Linux user ID. You will be prompted for the password.
    • -N specifies not to execute a remote command. This is used just to forward a port (protocol version 2 only).
    • -f forces the SSH shell to work in the background just before command execution. If this argument is omitted, the terminal window you are using must be kept open. SSH cannot be started with nohup.

    Refer to your SSH documentation for more information about these commands.

  3. (If using multiple SharePlex instances) On the source system, export the correct variable-data directory for the instance of sp_cop for which you are setting up SSH.

    ksh shell:

    export SP_SYS_VARDIR=/full_path_of_variable-data_directory

    csh shell:

    setenv SP_SYS_VARDIR=/full_path_of_variable-data_directory

  4. On the source system, start sp_cop.
  5. On the source system, run sp_ctrl from the bin subdirectory of the product directory.
  6. In sp_ctrl, set the SP_XPT_USE_LOCALHOST parameter in one of the following ways.

    • If there is only one target system, set the parameter with the following syntax:

      sp_ctrl> set param SP_XPT_USE_LOCALHOST 1

    • If there are multiple targets, use the following command to set up a tunnel to the target that will use SSH. Replication to the other target systems will connect directly in the normal fashion.

      sp_ctrl> set param SP_XPT_USE_LOCALHOST to host 1

    where: host is the name of the target system that will use the tunnel.

  7. In sp_ctrl, use the list param command with the modified option to verify the parameter setting. If the setting is correct, you can activate a configuration at this point.

    sp_ctrl> list param modified

  8. If there is an active configuration, stop and then start sp_cop to make the new parameter setting active.

    To stop sp_cop:

    sp_ctrl> shutdown /productdir/bin/sp_cop &

    To start sp_cop:

    $ /productdir/bin/sp_cop &

Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione