SharePlex 8.6.6 - Installation Guide

Set up TDE Support

SharePlex uses the TDE Master Encryption Key to decrypt TDE-protected data that must be replicated. SharePlex uses the Oracle wallet password to access the TDE Master Encryption Key.

If the wallet opens successfully, Capture connects to the decryption module and processes the data. If the wallet does not open, Capture remains in the initialization state until either the wallet is opened or the process is stopped. The initialization state that is displayed in the show capture command is "Capture state: Waiting for open wallet."

Note:  The SharePlex copy/append command does not support TDE. For full information on the Oracle features that SharePlex supports, see the SharePlex Release Notes.

Required privilege to capture TDE-protected data

To decrypt TDE-protected data from the redo log, the SharePlex Administrator must open Oracle Wallet using the wallet password. By default, only the Oracle Wallet owner-user has read and write permissions for this file. You can either start as the owner of the wallet, or you can grant read permission to the file to the dba group, because the SharePlex Administrator user is a member of that group.

Configure SharePlex to capture TDE-protected data

To configure SharePlex to support TDE-protected data, two setup tools must be run:

• (If this was not done during installation) Run ora_setup. When prompted to enable TDE replication, type "y" and then enter the fully qualified path to the TDE wallet file, including the wallet file name, when prompted. See the SharePlex Reference Guide for more information about this utility.
• Run the sp_wallet utility to provide the Oracle Wallet password to SharePlex. This utility can be run in manual or auto-open mode.

To run sp_wallet and manually supply the password

1. On the source system, start SharePlex from the SharePlex product directory. You are prompted to run sp_wallet.

   *** To enable TDE replication, run sp_wallet and provide the wallet password ***

2. Run sp_wallet.

   ./sp_wallet [-r port_number]

   Important! On Windows, if you installed SharePlex on any port other than the default of 2100, use the -r option to specify the port number. For example, in the following command the port number is 9400:

   ./sp_wallet -r 9400

   wallet password: walletpw

   Wallet loaded into SharePlex

To run sp_wallet in auto-open mode

If you are using an auto-open wallet, you can configure SharePlex to open the TDE wallet automatically. This eliminates the need to run sp_wallet manually at SharePlex startup. The syntax is:

./sp_wallet --auto-open [-r port_number]

Important! Using the auto-open wallet feature has additional security considerations. See the Oracle documentation for more information. In addition, do not back up the SharePlex variable-data directory together with the Oracle wallet and the Oracle data files.

To cancel auto-open mode

./sp_wallet --no-auto-open [-r port_number]

To change the TDE master encryption key

If you need to change the TDE Master Encryption Key while a SharePlex configuration is active, take the following steps to ensure that SharePlex continues to replicate the TDE-protected data after the changes.

1. Quiesce the source database.
2. Make sure that Capture finishes processing the remaining data in the redo log.
3. Shut down SharePlex.
4. Change the TDE Master Encryption Key.
5. Restart SharePlex.

6. Run the sp_wallet utility to provide SharePlex with the new TDE Master Encryption Key.

   ./sp_wallet [-r port_number]