Encrypt data between Export and Import
If you do not want to use SSL/TLS but still want to encrypt data between Export and Import, you might do so using this feature.
SharePlex can be configured to encrypt replicated data across the network. SharePlex uses Advanced Encryption Standard (AES) encryption.
Encryption guidelines
Encryption must be enabled on the source and target systems. You enable encryption and set the size of the key through the Export process. You configure the Import process to ensure that encryption is enabled on the source, so that no data is sent across the network unless it is encrypted.
When configuring encryption, follow these guidelines:
- Use one encryption key for all Export processes in the SharePlex instance.
- To use encryption, SharePlex must be version 9.1 or later.
|
Important:
-
SharePlex utilizes AES encryption with 128, 192, or 256-bit keys in CBC (Cipher Block Chaining) mode.
-
For SSL/TLS security within SharePlex (included in sp_security), OpenSSL is used and comes bundled with the software.
-
The encryption and hashing algorithm (AES256-SHA) used are compliant with FIPS standards. |
Encryption procedure
Note: SharePlex uses AES Cipher Block Chaining (CBC mode) for data encryption.
On the source system:
-
Set the Export parameter SP_XPT_ENABLE_AES to 1. This enables encryption.
sp_ctrl> set param sp_xpt_enable_aes 1
-
Run the create encryption key command to create the key.
sp_ctrl> create encryption key
The following is an example key:
E5F5D4CBA329D2C86B5D7ABA096C18600595490129F55A1422AAB0248B28D0E4
-
(Optional) Set the SP_XPT_AES_KEY_LENGTH parameter to increase the key size.
The create encryption key command returns a randomly generated, 256-bit AES key. By default, SharePlex uses 128 bits of that length to encrypt the data.
To increase the key length that SharePlex uses, set the SP_XPT_AES_KEY_LENGTH parameter to 192 or 256 bits. When you increase the length, the key is harder to hack but requires more CPU power.
sp_ctrl> set param sp_xpt_aes_key_length {192 | 256}
Example: set param sp_xpt_aes_key_length 256
-
Run the set encryption key command. This adds the key to the Export configuration.
sp_ctrl> set encryption key key_value
Example: set encryption key E5F5D4CBA329D2C86B5D7ABA096C18600595490129F55A1422AAB0248B28D0E4
-
Restart Export to activate the settings.
sp_ctrl> stop export
sp_ctrl> start export
On the target system:
-
Set the SP_IMP_ENABLE_AES parameter to 1. This prevents SharePlex on the target from accepting data that is not encrypted.
-
Run the set encryption key command with the same key value that you set for Export. The key values on the source and target must match.
sp_ctrl>set encryption key key_value
Example: set encryption key E5F5D4CBA329D2C86B5D7ABA096C18600595490129F55A1422AAB0248B28D0E4
-
Restart Import to activate the settings.
sp_ctrl> stop import
sp_ctrl> start import
View the encryption key
Issue this command on the source and target systems to ensure that both key values match.
sp_ctrl> show encryption key
FIPS Compliance
SharePlex installations can be run on FIPS-enabled servers on the Linux platform. No FIPS-specific configurations are required to run SharePlex installations on FIPS-enabled servers.
Assign SharePlex users to security groups
Assign SharePlex Users to Security Groups
Contents
Overview
The SharePlex security groups provide access control to the SharePlex command and control system. Without proper configuration of these groups, anyone with permissions on the system can use the commands that view, configure, and control data replication.
Overview of SharePlex security groups
About the SharePlex Security Groups
To monitor, control, or change SharePlex replication, a person must be assigned to one of the SharePlex security groups on the systems where he or she will be issuing commands. Each group corresponds to an authorization level, which determines which SharePlex commands a person can issue. To execute a command, a user must have that command’s authorization level or higher. Use the authlevel command to determine your authorization level for issuing SharePlex commands on a system.
Description of the SharePlex security groups
Refer to the following table to determine the group and authorization level that you want to grant each SharePlex user.
User Authorization Levels and Roles
| 1 |
Administration |
spadmin* |
You need at least one user with Administrator rights on each source and target system.
Can issue all SharePlex commands. Commands that can only be issued by a SharePlex Administrator are:
- startup, shutdown
- all configuration commands relating to an active configuration
- all parameter commands except list param
- start capture
- stop capture
- abort capture
- truncate log
The SharePlex Administrator user must be in the Oracle dba group. For Oracle RAC and ASM 11gR2 and above, the user must also be in the Oracle Inventory group. For example: $ useradd –g spadmin –G dba,oinstall. The membership in Oracle Inventory group must be listed explicitly in the etc/group file.
On Unix and Linux, unless you install SharePlex as a root user, the SharePlex Administrator user and the SharePlex admin group must exist prior to installation. |
| 2 |
Operator |
spopr |
Can issue all SharePlex commands except those listed above. |
| 3 |
Viewer |
spview |
Can view lists, status screens, and logs to monitor replication only. |
Note: The default name for the SharePlex administrator group is spadmin, but you can designate any group or specify any name for that group during installation.
