
SharePlex 9.0 - Administration Guide


Secure data with SSH

SharePlex uses the SSH® Secure Shell™ utility to provide encryption for network services such as secure remote login and other services over an insecure network.

Requirements

  • Purchase and install the SSH software. SSH is not included with SharePlex.
  • Using SSH with SharePlex requires the use of local port forwarding (also known as tunneling) within the SSH configuration. Port forwarding allows you to establish a secure SSH session and then tunnel TCP connections through it.
  • SharePlex can be configured to work with SSH software between a source system and one target system. If a source replicates to multiple targets, only one of the routes can be configured with SSH.
  • This feature is supported on Unix and Linux.

To set up SharePlex to use SSH

  1. On the source and target systems, choose an available local port to be used as the tunnel port. For peer-to-peer and high availability replication, the port must be the same number on both systems. For other replication strategies, choose a different port on each system.
  2. On the source system, issue the following command from the command prompt. This command connects to the target system to set up the tunnel.

    $ ssh -L source_port:target_host:target_port userid@target_host -N -f

    where:

    • -L specifies that the specified port on the local host (acting as the client) is to be forwarded to the remote host and port.
    • source_port is the port number on the source system.
    • target_host is the name of the target system.
    • target_port is the port on the target system.
    • userid is your Unix or Linux user ID. You will be prompted for the password.
    • -N specifies not to execute a remote command. This is used just to forward a port (protocol version 2 only).
    • -f forces the SSH shell to work in the background just before command execution. If this argument is omitted, the terminal window you are using must be kept open. SSH cannot be started with nohup.

    Refer to your SSH documentation for more information about these commands.

  3. (If using multiple SharePlex instances) On the source system, export the correct variable-data directory for the instance of sp_cop for which you are setting up SSH.

    ksh shell:

    export SP_SYS_VARDIR=/full_path_of_variable-data_directory

    csh shell:

    setenv SP_SYS_VARDIR /full_path_of_variable-data_directory

  4. On the source system, start sp_cop.
  5. On the source system, run sp_ctrl from the bin subdirectory of the product directory.
  6. In sp_ctrl, set the SP_XPT_USE_LOCALHOST parameter in one of the following ways.

    • If there is only one target system, set the parameter with the following syntax:

      sp_ctrl> set param SP_XPT_USE_LOCALHOST 1

    • If there are multiple targets, use the following command to set up a tunnel to the target that will use SSH. Replication to the other target systems will connect directly in the normal fashion.

      sp_ctrl> set param SP_XPT_USE_LOCALHOST to host 1

    where: host is the name of the target system that will use the tunnel.

  7. In sp_ctrl, use the list param command with the modified option to verify the parameter setting. If the setting is correct, you can activate a configuration at this point.

    sp_ctrl> list param modified

  8. If there is an active configuration, stop and then start sp_cop to make the new parameter setting active.

    To stop sp_cop:

    sp_ctrl> shutdown

    To start sp_cop:

    $ /productdir/bin/sp_cop &
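
The following helper functions are an added example, not part of the SharePlex documentation. They check the step 1 port rule, build the step 2 command with a loopback-only listener, and confirm from `ss -ltn` output that the tunnel port is not reachable from other hosts. OpenSSH is assumed; the host name, ports, user ID and the strategy labels (peer, ha, other) are constructed placeholders.

```shell
#!/bin/sh
# Added example: helper functions around the step 2 tunnel command.
# Hosts, ports, user ID and strategy labels below are constructed placeholders.

# valid_port PORT: succeeds if PORT is an integer from 1 to 65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# check_ports STRATEGY SOURCE_PORT TARGET_PORT (step 1 rule):
# peer-to-peer ("peer") and high availability ("ha") need the same port
# number on both systems; any other strategy needs different ports.
# Returns 2 for an invalid port, 1 for a rule violation.
check_ports() {
    valid_port "$2" && valid_port "$3" || return 2
    case "$1" in
        peer|ha) [ "$2" -eq "$3" ] ;;
        *)       [ "$2" -ne "$3" ] ;;
    esac
}

# tunnel_cmd SOURCE_PORT TARGET_HOST TARGET_PORT USERID
# Prints the step 2 command plus two standard OpenSSH settings:
#   localhost: bind address, so the listener is for local use only
#   ExitOnForwardFailure=yes, so ssh exits instead of going to the
#   background (-f) when it cannot set up the forwarding
tunnel_cmd() {
    printf 'ssh -o ExitOnForwardFailure=yes -L localhost:%s:%s:%s %s@%s -N -f\n' \
        "$1" "$2" "$3" "$4" "$2"
}

# loopback_only PORT: reads `ss -ltn` output on stdin; succeeds only if PORT
# has at least one listener and every listener is on a loopback address.
# Typical call on the source system:  ss -ltn | loopback_only 2100
loopback_only() {
    awk -v p="$1" '
        $1 == "LISTEN" {
            n = split($4, a, ":")
            if (a[n] != p) next
            found = 1
            if ($4 !~ /^(127\.|\[::1\])/) bad = 1
        }
        END { exit ((found && !bad) ? 0 : 1) }'
}

# Usage with constructed values: prints the command to run on the source.
check_ports other 2100 2101 && tunnel_cmd 2100 target.example.com 2101 splex
```

Run `loopback_only` after step 2 and before setting SP_XPT_USE_LOCALHOST, so a tunnel that failed to start or that listens on all interfaces is caught before Export depends on it.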

Encrypt data across the network

SharePlex encryption provides the ability to encrypt replicated data across the network. SharePlex uses industry-standard Advanced Encryption Standard (AES) encryption.

The Export process controls whether encryption is performed and the size of the key. It communicates these factors to the Import process.

To configure encryption

  1. Review the Encryption guidelines.

On the source system:

  1. Enable encryption in SharePlex by setting the SP_XPT_ENABLE_AES parameter to 1. See Enable encryption on the source system.
  2. (Optional) Set the size of the key by setting the SP_XPT_AES_KEY_LENGTH parameter to the desired length: 128 (the default), 192, or 256 bits. See Set the key size on the source system.
  3. Create an encryption key by running the create encryption key command. See Create an encryption key on the source system.

On the source and target systems:

  1. Run the set encryption key command. See Set the key on the source and target.

On the source system:

  1. Stop and start Export to activate the SP_XPT_ENABLE_AES parameter.

Encryption guidelines

  • Use one encryption key for all Export processes in the SharePlex instance.
  • SharePlex on both the source and target must be of a version that supports encryption (version 8.6.3 or later).

Enable encryption on the source system

Set the Export parameter SP_XPT_ENABLE_AES to 1 on the source system. By default, this parameter is set to 0 (encryption is disabled).

sp_ctrl> set param sp_xpt_enable_aes 1

Restart Export to activate this setting after you finish configuring encryption.

Set the key size on the source system

By default the AES key size is 128 bits. To increase the key size to 192 or 256 bits, set the Export parameter SP_XPT_AES_KEY_LENGTH to the desired length on the source system. The parameter takes effect the next time that Export starts.

sp_ctrl> set param sp_xpt_aes_key_length {128 | 192 | 256}

Create an encryption key on the source system

Run the following command in sp_ctrl on the source system:

sp_ctrl> create encryption key

The command returns a randomly generated AES key, for example: E5F5D4CBA329D2C86B5D7ABA096C18600595490129F55A1422AAB0248B28D0E4.

Note: This command only generates the key. You must set the key on all systems. For more information, see Set the key on the source and target.

Set the key on the source and target

The encryption key must be set on the source system plus all of the target systems.

To set a key

Run the following command in sp_ctrl on the source and target systems.

sp_ctrl> set encryption key key

Component   Description
key         The encryption key that was generated by the create encryption key command. The key must be set to the entire value that was generated by create encryption key. It must be 64 bytes long.

Without further options, the command affects all routes.

Example:

sp_ctrl> set encryption key E5F5D4CBA329D2C86B5D7ABA096C18600595490129F55A1422AAB0248B28D0E4

Example

The following example creates and sets the encryption key.

On the source:

sp_ctrl> create encryption key

On target 1:

sp_ctrl> set encryption key E5F5D4CBA329D2C86B5D7ABA096C18600595490129F55A1422AAB0248B28D0E4

On target 2:

sp_ctrl> set encryption key E5F5D4CBA329D2C86B5D7ABA096C18600595490129F55A1422AAB0248B28D0E4

View and reset encryption

To view the encryption key

Use the show encryption key command to view the key that is being used by SharePlex.

sp_ctrl> show encryption key

To reset the encryption key

Use the reset encryption key command to remove the encryption key.

sp_ctrl> reset encryption key

Assign SharePlex users to security groups


Overview

The SharePlex security groups provide access control to the SharePlex command and control system. Without proper configuration of these groups, anyone with permissions on the system can use the commands that view, configure, and control data replication.

Overview of SharePlex security groups

To monitor, control, or change SharePlex replication, a person must be assigned to one of the SharePlex security groups on the systems where he or she will be issuing commands. Each group corresponds to an authorization level, which determines which SharePlex commands a person can issue. To execute a command, a user must have that command’s authorization level or higher.

Use the authlevel command to determine your authorization level for issuing SharePlex commands on a system.

Description of the SharePlex security groups

Refer to the following table to determine the group and authorization level that you want to grant each SharePlex user.

User Authorization Levels and Roles

Auth level: 1
User type: Administration
User group: spadmin*
User roles:

You need at least one user with Administrator rights on each source and target system.

Can issue all SharePlex commands. Commands that can only be issued by a SharePlex Administrator are:

  • startup, shutdown
  • all configuration commands relating to an active configuration
  • all parameter commands except list param
  • start capture
  • stop capture
  • abort capture
  • truncate log

The SharePlex Administrator user must be in the Oracle dba group. For Oracle RAC and ASM 11gR2 and above, the user must also be in the Oracle Inventory group. For example: $ useradd -g spadmin -G dba,oinstall. The membership in the Oracle Inventory group must be listed explicitly in the /etc/group file.

On Unix and Linux, unless you install SharePlex as a root user, the SharePlex Administrator user and the SharePlex admin group must exist prior to installation.

Auth level: 2
User type: Operator
User group: spopr
User roles: Can issue all SharePlex commands except those listed above.

Auth level: 3
User type: Viewer
User group: spview
User roles: Can view lists, status screens, and logs to monitor replication only.

Note: The default name for the SharePlex administrator group is spadmin, but you can designate any group or specify any name for that group during installation.
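
The group requirements above can be audited from the local account files. The following script is an added example, not part of the SharePlex documentation. It lists every member of the administrator group and reports which required Oracle groups each one lacks. It assumes local files in group(5) and passwd(5) format, the group names dba and oinstall from the useradd example above, and constructed sample accounts; users defined only in a directory service are not covered.

```shell
#!/bin/sh
# Added example. Sample accounts below are constructed, not from a real system.
# write_sample DIR: writes a sample group file and passwd file into DIR.
write_sample() {
cat > "$1/group" <<'EOF'
spadmin:x:600:
spopr:x:601:carol
spview:x:602:dave
dba:x:500:oracle,alice
oinstall:x:501:oracle,alice
EOF
cat > "$1/passwd" <<'EOF'
alice:x:1001:600::/home/alice:/bin/sh
bob:x:1002:600::/home/bob:/bin/sh
carol:x:1003:100::/home/carol:/bin/sh
EOF
}

# audit_spadmin GROUP_FILE PASSWD_FILE [REQUIRED_GROUPS] [ADMIN_GROUP]
# Prints "user missing=<groups|none>" per administrator. Returns 1 if there
# is no administrator or if any administrator lacks a required group.
audit_spadmin() {
    awk -F: -v req="${3:-dba}" -v admin="${4:-spadmin}" '
        FNR == NR {                      # first file: group records
            gname[$3] = $1               # gid -> group name
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") member[$1, m[i]] = 1
            next
        }
        {                                # second file: passwd records
            prim = gname[$4]             # useradd -g group: not in member list
            if (prim != admin && !((admin, $1) in member)) next
            admins++
            missing = ""; k = split(req, r, ",")
            for (i = 1; i <= k; i++)
                if (prim != r[i] && !((r[i], $1) in member))
                    missing = missing (missing == "" ? "" : ",") r[i]
            if (missing != "") bad++
            printf "%s missing=%s\n", $1, (missing == "" ? "none" : missing)
        }
        END {
            if (!admins) print "no user in " admin
            exit ((admins && !bad) ? 0 : 1)
        }' "$1" "$2"
}

d=$(mktemp -d) && write_sample "$d" &&
    audit_spadmin "$d/group" "$d/passwd" "dba,oinstall" || echo "findings above"
```

A user created with useradd -g spadmin has spadmin as the primary group and does not appear in the spadmin line of the group file, which is why the script also reads the passwd file.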
