SharePlex provides a feature to enable SSL/TLS connections for all network traffic. This will encrypt data on the network between SharePlex instances and between SharePlex and the command line interface.
If SSL/TLS is enabled, SharePlex will only accept SSL/TLS connections. For all SharePlex instances that replicate to each other, either all must have SSL/TLS enabled or all must have SSL/TLS disabled. The SSL/TLS configuration includes a network password. This password must be the same across all of your SharePlex instances.
NOTE: For TLS connections, SharePlex supports TLS 1.2 (or later).
To change the SSL/TLS configuration:
- Shut down sp_cop on all nodes
- Run “sp_security --setup” on all nodes
- Start sp_cop on all nodes
sp_security
Use the sp_security utility to enable, disable or view the SSL/TLS settings for SharePlex network communication.
Enable SSL/TLS
IMPORTANT! SSL/TLS must be either enabled with a common network password or disabled on all SharePlex installations.
To enable SSL/TLS
Run “sp_security --setup”, select the SSL/TLS option, and then enter a network password.
% sp_security --setup
Security Setup Wizard
---------------------
This wizard will walk you through setting up the SharePlex network security.
Setup configuration for '/home/shareplex/var110/' and Port 2100 [N]: Y
Choose your network security model. Please note the following:
* Cop must be down when the security model is changed, or when the network password is changed
* The same model must be used among all SharePlex nodes replicating to each other
* For security model [1], the same network password must be set on all SharePlex nodes replicating to each other
[1] Use basic SSL/TLS connections
[2] Use non-SSL/TLS connections (default prior to SharePlex 9.1.3)
Security model: 1
Please enter a network password that will be used for authentication
among the SharePlex nodes. All SharePlex nodes that replicate data to each
other must have the same network password.
Network password:
Please re-enter the network password
Network password:
Security settings:
Configuration for '/home/shareplex/var110/' and Port 2100:
Security model : SSL/TLS
Network password : stored for unattended startup
SSL key file password : stored for unattended startup
SSL key file : key.pem
SSL cert file : cert.pem
Setup complete!
Disable SSL/TLS
IMPORTANT! SSL/TLS must be either enabled with a common network password or disabled on all SharePlex installations.
To disable SSL/TLS
Run “sp_security --setup” and select non-SSL/TLS connections.
% sp_security --setup
Security Setup Wizard
---------------------
This wizard will walk you through setting up the SharePlex network security.
Setup configuration for '/home/shareplex/var110/' and Port 2100 [N]: Y
Choose your network security model. Please note the following:
* Cop must be down when the security model is changed, or when the network password is changed
* The same model must be used among all SharePlex nodes replicating to each other
* For security model [1], the same network password must be set on all SharePlex nodes replicating to each other
[1] Use basic SSL/TLS connections
[2] Use non-SSL/TLS connections (default prior to SharePlex 9.1.3)
Security model: 2
Security settings:
Configuration for '/home/shareplex/var110/' and Port 2100:
Security model : Un-encrypted
Setup complete!
View current SSL/TLS configuration
To view the current SSL/TLS configuration
Run “sp_security --show”.
% sp_security --show
Security settings:
Configuration for '/home/shareplex/var110/' and Port 210:
Security model : Un-encrypted
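The rule above (every node replicating with the others must use the same security model) is easy to break during a rolling change. The following added example, which is not SharePlex code, parses `sp_security --show` output captured from each node and reports a mixed configuration; it assumes the output format shown on this page and that each node's output has already been collected into a string (the node names and captures are constructed samples).

```python
"""Parse 'sp_security --show' output captured from each SharePlex node and
flag the mixed setup the text above forbids (some nodes SSL/TLS, others
un-encrypted).  Added example, not SharePlex code; it assumes the output
format shown on this page and that each node's output has already been
collected (for example over ssh) into a string."""
import re

CONF_RE = re.compile(r"^\s*Configuration for '([^']*)' and Port (\d+):", re.M)
MODEL_RE = re.compile(r"^\s*Security model\s*:\s*(\S.*?)\s*$", re.M)

# Constructed sample captures, modelled on the --show output above.
NODE_OUTPUTS = {
    "src01": ("Security settings:\n"
              "Configuration for '/home/shareplex/var110/' and Port 2100:\n"
              "Security model : SSL/TLS\n"),
    "tgt01": ("Security settings:\n"
              "Configuration for '/home/shareplex/var110/' and Port 2100:\n"
              "Security model : Un-encrypted\n"),
}

def parse_show_output(text):
    """Return [(variable_data_dir, port, model), ...] from one node's output."""
    confs = CONF_RE.findall(text)
    models = MODEL_RE.findall(text)
    if not confs or len(confs) != len(models):
        raise ValueError("unrecognised sp_security --show output")
    return [(d, int(p), m) for (d, p), m in zip(confs, models)]

def check_cluster(outputs):
    """outputs maps node name -> captured --show text.  Returns a list of
    findings; an empty list means every node uses the same model and all
    SharePlex network traffic is encrypted."""
    findings = []
    models = {}
    for node, text in outputs.items():
        for vardir, port, model in parse_show_output(text):
            models[(node, vardir, port)] = model
    if len(set(models.values())) > 1:
        findings.append("mixed security models: nodes must all use SSL/TLS "
                        "or all use un-encrypted connections")
        findings += [f"  {n} {d} port {p}: {m}" for (n, d, p), m in sorted(models.items())]
    for (node, vardir, port), model in models.items():
        if model != "SSL/TLS":
            findings.append(f"{node} port {port}: SharePlex traffic is not encrypted")
    return findings
```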
SharePlex provides host authorization security that verifies whether or not SharePlex processes on specific remote systems are authorized to connect to the local system for service and command requests. To implement host authorization, you create an ASCII text file named auth_hosts in the data sub-directory of the SharePlex variable-data directory and then populate it with the names of systems being granted connection permission.
Requirements
- If used, the auth_hosts file must contain valid entries. If this file exists but is empty or contains invalid entries, SharePlex sends an error message similar to the following example to the Event Log: unauthorized connection attempt.
- If an auth_hosts file does not exist on a system, SharePlex accepts all requests from all systems that attempt to connect to sp_cop.
- The name of the local system must be the first non-commented line of this file, or host authorization will not function.
- All entries, including comments, must end with a return.
To configure the auth_hosts file
Note: Begin comment lines with a pound character (#).
- Run an ASCII text editor such as NotePad or WordPad to open a blank file.
- On the first non-commented line, enter the full machine name of the local system, for example: Localhost.mycorp.com.
- On the next non-commented line, enter one of the following:
  all: Grants connection authorization to processes on all remote systems.
  hostname: Grants connection authorization to the specified host. Enter the fully qualified machine name, for example remotehost.mycorp.com. Specify as many host names as needed, each on its own line.
- Save the file as auth_hosts in the data sub-directory of the SharePlex variable-data directory. If running multiple instances of sp_cop, make certain to save the file to the correct variable-data directory.
Example
Note the name of the local host is on the first non-commented line.
#Comment: first line is local host name.
Localhost.mycorp.com
#Comment: remaining lines are remote hosts.
remotehost.mycorp.com
remotehost2.mycorp.com
remotehost3.mycorp.com
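To check an auth_hosts file against the requirements listed above before deploying it (local host first, comments with #, every line terminated, "all" or one fully qualified name per line), here is an added example that is not part of SharePlex. It assumes host names compare case-insensitively and treats an entry containing whitespace or no dot as an invalid name; the page states neither, and the sample file is the one shown above.

```python
"""Validate a SharePlex auth_hosts file against the rules listed above and
decide whether a remote host would be accepted.  Example code added here;
it is not part of SharePlex.  Assumptions (not stated on the page): host
names compare case-insensitively, and an entry with whitespace or no dot
is treated as an invalid, non-fully-qualified name."""

# Constructed sample, copied from the example file shown above.
SAMPLE = (
    "#Comment: first line is local host name.\n"
    "Localhost.mycorp.com\n"
    "#Comment: remaining lines are remote hosts.\n"
    "remotehost.mycorp.com\n"
    "remotehost2.mycorp.com\n"
    "remotehost3.mycorp.com\n"
)

def parse_auth_hosts(text, local_host):
    """Return (errors, allow_all, allowed_hosts); an empty errors list means
    the file satisfies the documented requirements."""
    errors = []
    if text and not text.endswith("\n"):
        errors.append("last line does not end with a return")
    entries = [ln.strip() for ln in text.splitlines()
               if ln.strip() and not ln.lstrip().startswith("#")]
    if not entries:
        errors.append("file is empty or contains only comments")
        return errors, False, set()
    if entries[0].lower() != local_host.lower():
        errors.append(f"first non-commented line is {entries[0]!r}, "
                      f"expected local host {local_host!r}")
    allow_all, allowed = False, set()
    for entry in entries[1:]:
        if entry.lower() == "all":
            allow_all = True
        elif " " in entry or "." not in entry:   # assumed invalid-entry rule
            errors.append(f"invalid entry {entry!r}: expected a fully qualified name")
        else:
            allowed.add(entry.lower())
    return errors, allow_all, allowed

def is_authorized(text, local_host, remote_host):
    """Mirror the documented behaviour: no file at all (text is None) means
    every host is accepted; an empty or invalid file rejects every host."""
    if text is None:
        return True
    errors, allow_all, allowed = parse_auth_hosts(text, local_host)
    if errors:
        return False
    return allow_all or remote_host.lower() in allowed
```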
If you do not want to use SSL/TLS but still want to encrypt data between Export and Import, you can do so using this feature.
SharePlex can be configured to encrypt replicated data across the network. SharePlex uses Advanced Encryption Standard (AES) encryption.
Encryption guidelines
Encryption must be enabled on the source and target systems. You enable encryption and set the size of the key through the Export process. You configure the Import process to ensure that encryption is enabled on the source, so that no data is sent across the network unless it is encrypted.
When configuring encryption, follow these guidelines:
- Use one encryption key for all Export processes in the SharePlex instance.
- To use encryption, SharePlex must be version 9.1 or later.
Encryption procedure
On the source system
- Set the Export parameter SP_XPT_ENABLE_AES to 1. This enables encryption.
sp_ctrl> set param sp_xpt_enable_aes 1
- Run the create encryption key command to create the key.
sp_ctrl> create encryption key
The following is an example key:
E5F5D4CBA329D2C86B5D7ABA096C18600595490129F55A1422AAB0248B28D0E4
- (Optional) Set the SP_XPT_AES_KEY_LENGTH parameter to increase the key size.
The create encryption key command returns a randomly generated, 256-bit AES key. By default, SharePlex uses 128 bits of that length to encrypt the data.
To increase the key length that SharePlex uses, set the SP_XPT_AES_KEY_LENGTH parameter to 192 or 256 bits. When you increase the length, the key is harder to hack but requires more CPU power.
sp_ctrl> set param sp_xpt_aes_key_length {192 | 256}
Example: set param sp_xpt_aes_key_length 256
- Run the set encryption key command. This adds the key to the Export configuration.
sp_ctrl> set encryption key key_value
Example: set encryption key E5F5D4CBA329D2C86B5D7ABA096C18600595490129F55A1422AAB0248B28D0E4
- Restart Export to activate the settings.
sp_ctrl> stop export
sp_ctrl> start export
On the target system
- Set the SP_IMP_ENABLE_AES parameter to 1. This prevents SharePlex on the target from accepting data that is not encrypted.
- Run the set encryption key command with the same key value that you set for Export. The key values on the source and target must match.
sp_ctrl> set encryption key key_value
Example: set encryption key E5F5D4CBA329D2C86B5D7ABA096C18600595490129F55A1422AAB0248B28D0E4
- Restart Import to activate the settings.
sp_ctrl> stop import
sp_ctrl> start import
View the encryption key
Issue this command on the source and target systems to ensure that both key values match.
sp_ctrl> show encryption key
Overview
The SharePlex security groups provide access control to the SharePlex command and control system. Without proper configuration of these groups, anyone with permissions on the system can use the commands that view, configure, and control data replication.