Monday, December 2, 2019

Master Note For Transparent Data Encryption ( TDE ) (Doc ID 1228046.1)

n this Document
Purpose
Scope
Details
 Oracle Transparent Data Encryption Concepts and Overview
 Oracle Transparent Data Encryption Installation
 Oracle Transparent Data Encryption Configuration and Administration
 TDE Master Key and Wallet Management
 Oracle Transparent Data Encryption Storage Overhead
 Oracle Transparent Data Encryption Performance Overhead
 Oracle Transparent Data Encryption Frequently Asked Questions
 Oracle Transparent Data And other Database Features
 Important Patches for TDE
 Oracle Transparent Data Encryption Troubleshooting and Debugging
 Oracle Transparent Data Encryption Best Practices
 Oracle Transparent Data Encryption Documentation
 Oracle Transparent Data Encryption Licensing
 Using My Oracle Support Effectively
References

APPLIES TO:

Advanced Networking Option - Version 10.2.0.5 and later
Information in this document applies to any platform.

PURPOSE

This Master Note is intended to provide an index and references to the most frequently used My Oracle Support Notes with respect to Oracle Transparent Data Encryption. This Master Note is subdivided into categories to allow for easy access and reference to notes that are applicable to your area of interest. 

SCOPE

This document is meant for use as a guide by those who are configuring or managing/troubleshooting Oracle Transparent Data Encryption.

For information specific to Oracle Database 12c,please refer to the following note:
TDE 12c : Frequently Asked Questions Note 2253348.1

DETAILS

Oracle Transparent Data Encryption Concepts and Overview


Oracle Transparent Data Encryption (TDE) enables the organizations to encrypt sensitive application data on storage media completely transparent to the application. TDE addresses encryption requirements associated with public and private privacy and security regulations such as PCI DSS. TDE column encryption was introduced in Oracle Database 10g Release 2, enabling encryption of table columns containing sensitive information. The TDE tablespace encryption and the support for hardware security modules (HSM) were introduced in Oracle Database 11gR1.

TDE is protecting the data at rest. It is encrypting the data in the datafiles so that in case they are obtained by other parties it will not be possible to access the clear text data.  TDE cannot be used to obfuscate the data for the users who have privileges to access the tables. In the databases where TDE is configured any user who has access on an encrypted table will be able to see the data in clear text because Oracle will transparently decrypt the data for any user having the necessary privileges.



TDE is using a two tier encryption key architecture consisting of:
  • a master encryption key - this is the encryption key used to encrypt secondary keys used for column encryption and tablespace encryption
  • one or more table and/or tablespace keys - these are the keys that are used to encrypt one or more specific columns or the keys used to encrypt  tablespaces. There is only one table key regardless of the number of encrypted columns in a table and it will be stored in the data dictionary. The tablespace key is stored in the header of each datafile of the encrypted tablespace.

The table and tablespace keys are encrypted using the master key. The master key is stored in an external security module (ESM) that can be one of the following:
  • an Oracle Wallet - a secure container outside of the database. It is encrypted with a password.
  • a Hardware Security Module (HSM) - a device used to secure keys and perform cryptographic operations. Oracle interfaces to the device using a PKCS#11 library supplied by the HSM vendor.

Currently in 11g, it is possible to migrate the TDE master keys from the Oracle wallet to a HSM but it is not supported to migrate the master keys from the HSM back to the wallets. Starting from 12.1 DB, reverse migration from HSM to Oracle Software wallet is possible. See Note 1282980.1 for details.

Oracle Transparent Data Encryption Installation


Oracle TDE is available by default in Oracle RDBMS Enteprise Edition. To be able to use this it is necessary to purchase an Oracle Advanced Security license.

Oracle Transparent Data Encryption Configuration and Administration


To start using TDE in 11g DB, the following operations have to be performed:
Note: In case of 12c DB, refer to Note 1964158.1 - Getting Started With Transparent Data Encryption in Oracle 12c (non pluggable database )

1) Make sure that the wallet location exists. If a non default wallet location must be used then specify it in the sqlnet.ora file :
ENCRYPTION_WALLET_LOCATION =
   (SOURCE = (METHOD = FILE)
     (METHOD_DATA =
      (DIRECTORY = <wallet directory path>)
     )
   )

Note: The default encryption wallet location is $ORACLE_BASE/admin/<global_db_name>/wallet. If you want to let Oracle manage a wallet in the default location then there is no need to set the ENCRYPTION_WALLET_LOCATION parameter in sqlnet.ora.

It is important to check that the location specified in sqlnet.ora or the default location exists and can be read/written by the Oracle processes. Starting with 11gR2 the wallet can be shared by all the instances of a RAC database.  See the documentation for details.

2) Generate a master key:
alter system set encryption key identified by "wallet_password";

This command will do the following:

A) If there is no wallet currently in the wallet location then a new wallet with the password "wallet_password" will be generated. The password is enclosed in double quotes to preserve the case of the characters. If the double quotes are not used then the characters of the password will be all in upper case. This command will also cause the new wallet to be opened and ready for use.
Comment: This is the only valid way of creating a new wallet for TDE, you may not use oracle wallet manager or command line tool orapki to create the TDE wallet for the first time!

B) A new master key will be generated and will be written to the wallet. This newly generated master key will become the active master key. The old master keys (if there were any) will still be kept in the wallet but they will not be active. They are kept there to be used when decrypting data that was previously encrypted using them.


To see the status of an wallet run the following query:
SQL> select * from v$encryption_wallet;

WRL_TYPE
--------------------
WRL_PARAMETER
--------------------------------------------------------------------------------
STATUS
------------------
file
<wallet directory path>
OPEN





3) Enable encryption for a column or for an entire tablespace:

3.1) Create a table by specifying the encrypt option:
create table test(col1 number, col2 varchar2(100) encrypt using 'AES256' NO SALT);


3.2) Encrypt the column(s) of an existing table:
alter table test modify( col2 encrypt SALT);

Note: If the table has many rows then this operation might take some time since all the values stored in col2 must be replaced by encrypted strings. If the access to the table during this operations is needed then use Online Table Redefinition. An worked example can be found in Note 848298.1.

3.3) Create an encrypted tablespace :
CREATE TABLESPACE <Tablespace_name>
DATAFILE '<datafile directory with file name>.dbf' SIZE 100M
ENCRYPTION USING 'AES256'
DEFAULT STORAGE(ENCRYPT);

Note: Upto 12.1 DB, an existing  non encrypted tablespace cannot be encrypted. If you must encrypt the data from an entire tablespace then create a new encrypted tablespace and then move the data from the old tablespace to the new one.
Starting from 12.2 DB, existing tablespace can be encrypted. Refer to Note 2255611.1 TDE 12.2 : Encryption and Decryption of Existing Tablespaces


Note 317311.1  - 10g R2 New Feature TDE Transparent Data Encryption
Note 432776.1  - 11g New Feature Transparent Data Encryption at Tablespace Level

TDE Master Key and Wallet Management

The wallet is a critical component and should be backed up in a secure location (different to the location where the database backups are stored!). If the wallet containing the master keys is lost or if its password is forgotten then the encrypted data will not be accessible anymore.

 Make sure that the wallet is backed up in the following scenarios:
  1. Immediately after creating it. 
  2. When regenerating the master key 
  3. When backing up the database. Make sure that the wallet backup is not stored in the same location with the database backup
  4. Before changing the wallet password 

Make sure that the wallet password is complex but at the same time easy to remember. When it is possible split knowledge about wallet password ( See Note 1062413.1)

If needed, the wallet password can be changed within Oracle Wallet Manager or with the following command using orapki (starting from 11.1.0.7):
orapki wallet change_pwd -wallet <wallet_location>

Oracle recommends that the wallet files are placed outside of the $ORACLE_BASE directory to avoid having them backed up to same location as other Oracle files. Furthermore it is recommended to restrict the access to the directory and to the wallet files to avoid accidental removals. Below is the recommended way of restricting the access to the wallet file:
$ cd /etc
$ mkdir –pv oracle/wallets/<$ORACLE_SID>
$ chown –R oracle:oinstall oracle
$ chmod –R 700 oracle


Set the ENCRYPTION_WALLET_LOCATION parameter in sqlnet.ora to the newly created directory and create the wallet with the following command:
SQL> alter system set encryption key identified by “password”;

After creating the wallet reduce the permissions on the wallet file
$ chmod 600 ewallet.p12
 The wallet can be opened and closed with the following commands:
alter system set wallet open identified by "password”;
alter system set wallet close identified by "password”;
alter system set wallet close; -- This is used with auto_login wallets to remove the cached keys from memory after making the cwallet.sso unavailable




Oracle Transparent Data Encryption Storage Overhead


1) Storage overhead incured by TDE column encryption is between 1 and 52 bytes for each encrypted value. The overhead is caused by the following factors:

A) Padding to the next 16 or 8 byte. The storage overhead caused by padding depends on the algorithm used to encrypt the data. AES uses a block size of 128 bits(128/8 = 16bytes), no matter what's the size of the key ( 192, 256, etc.), so we will have a padding of maximum 16 bytes. This means that even if original value's size is a multiple of 16 bytes we will add one extra block of 16 bytes. That's the "worst" case. The same discussion applies to 3DES but in this case the block size is 8 bytes. This padding 8 or 16 bytes overhead is MANDATORY(there is no option to avoid it).

B)  20 bytes overhead for integrity check. This is OPTIONAL ( to avoid it use the 'NOMAC' option)

C)  16 bytes overhead if 'SALT' is used to encrypt a column. This is OPTIONAL (to avoid it use the 'NO SALT' option).


2) Tablespace encryption causes no storage overhead whatsoever.

Oracle Transparent Data Encryption Performance Overhead

The overhead of the TDE, be it column or tablespace encryption cannot be assessed without testing, it depends from statement to statement. Please test thoroughly before implementing.

1) Column encryption: It is recommended to upgrade to 10.2.0.4 and then install Patch 7639262 or to upgrade to 11.1.0.7 and then install Patch 8421211. These one off patches contain fixes that are reducing the performance impact of column TDE. These known issues are permanently fixed starting with 11.2.0.1.

The overhead is obtained when the same execution plan is used as if TDE is not present. Sometimes it is not possible to have the exact same execution plan and as such the impact will be more severe. When using column TDE the index range scans are not possible and as such there are situations when the execution plans are poorer causing a more severe performance degradation. But TDE tablespace encryption also allows index range scans on data in encrypted tablespaces.
For a detailed discussion of the impact of TDE on the execution plans see Note 728292.1.

2) Tablespace encryption. Starting with 11.2.0.2 Oracle is able to use the hardware crypto acceleration features of the Intel XEON 5600 processors. This is reducing the performance overhead of tablespace TDE.  See more information in Note 1365021.1.

Note 848298.1 How To Encrypt/Rekey a Table for TDE and Avoid the Associated Performance Problems and Locks?
Note 728292.1  Known Performance Issues When Using TDE and Indexes on the Encrypted Columns
Note 1303412.1 Performance Impact of TDE

Oracle Transparent Data Encryption Frequently Asked Questions

The following TDE FAQ document is maintained by TDE product management:

http://www.oracle.com/technetwork/database/security/tde-faq-093689.html

The following TDE FAQ note is maintained by Oracle Support:

Note 1251597.1  TDE Frequently Asked Questions
 Note 2253348.1 TDE 12c : Frequently Asked Questions 

Oracle Transparent Data And other Database Features


Data Guard

Note 1627807.1 Step by step method to implement Transparent Data Encryption (TDE) in 11g Data Guard and 11g RAC environments
Note 1197943.1 Wallet Status in TDE Recovery Scenarios (Including Data Guard/Standby Configuration)


RAC

Note 567287.1 Managing TDE Wallets in a RAC Environment 
Note 2425822.1 How To Validate A TDE Setup On 12c RAC After Configuring It?

Multitenant

Note 2107821.1 How to configure TDE in pluggable database in 12c for standalone and RAC environment
Note 1678525.1 How to migrate a non pluggable database that uses TDE to pluggable database ? 
Note  2448182.1 Unplug and Plug PDB with TDE in the Same Container shows 'PDB needs to import keys from source'
Note 2312242.1 Opening TDE Keystore With CONTAINER=ALL Does Not Open Keystore In PDB(s)

Data Pump

Note 1195013.1 Additional Encryption Related Parameters For 11g/12c Data Pump Export 
Note 2442358.1 IMPDP Fails With ORA-28365: Wallet Is Not Open (After EXPDP From DB Having Columns Encrypted With TDE) 


1) How can one verify if the tablespace encryption master key in v$encrypted_tablespaces is contained in the wallet?

The MASTERKEYID in v$encrypted_tablespaces is stored in the base64 format. To get the ID in the format used within the wallet we have to run the following query:

select  utl_raw.cast_to_varchar2( utl_encode.base64_encode('01'||substr(masterkeyid,1,4))) || utl_raw.cast_to_varchar2( utl_encode.base64_encode(substr(masterkeyid,5,length(masterkeyid)))) 
FROM v$encrypted_tablespaces;

We have to compare the string obtained with this query to the value of  wallet's ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY.
Example:


SQL> select ts#, masterkeyid,  utl_raw.cast_to_varchar2( utl_encode.base64_encode('01'||substr(masterkeyid,1,4))) || utl_raw.cast_to_varchar2( utl_encode.base64_encode(substr(masterkeyid,5,length(masterkeyid)))) masterkeyid_base64  FROM v$encrypted_tablespaces;

TS#         MASTERKEYID                                     MASTERKEYID_BASE64
---------- --------------------------------------------    ------------------------------------------------------------------------------------------
         n <master key id>                                 <masterkey_id_base64>     <================  This is the key of the tablespace !!!

[oracle@seclin4 wallet]$ mkstore -wrl . -list
Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:

Oracle Secret Store entries:
ORACLE.SECURITY.DB.ENCRYPTION.<masterkey_id_base64>
.............
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
ORACLE.SECURITY.DN
ORACLE.SECURITY.PASSWORD
ORACLE.SECURITY.TS.ENCRYPTION.*****************
[oracle@seclin4 wallet]$ mkstore -wrl . -viewEntry ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY
Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:

ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY = <masterkey_id_base64> <======================== This is the current master key !!!
[oracle@seclin4 wallet]$



Note : The above query that transforms the ID of the key from the HEX format to the BASE64 format will work for 11gR2. For 11gR1 one must replace the '01' string with '05':

select ts#, masterkeyid,  utl_raw.cast_to_varchar2( utl_encode.base64_encode('05'||substr(masterkeyid,1,4))) || utl_raw.cast_to_varchar2( utl_encode.base64_encode(substr(masterkeyid,5,length(masterkeyid)))) masterkeyid_base64  FROM v$encrypted_tablespaces;



The tablespapce keys can be also obtained with the following query:

SQL> select t.name, RAWTOHEX(x.mkid) from v$tablespace t, x$kcbtek x where t.ts#=x.ts#;

NAME                           RAWTOHEX(X.MKID)
------------------------------ --------------------------------
SYSTEM                         <master key id>                        <================= This is the key ID in the HEX format.
SYSAUX                         00000000000000000000000000000000
UNDOTBS1                       00000000000000000000000000000000
UNDOTBS2                       00000000000000000000000000000000

The HEX string "<master key id>" can be also transformed to a BASE64 string to be able to compare with the contents of the wallet:

SQL> select  utl_raw.cast_to_varchar2( utl_encode.base64_encode('01'||substr('<master key id>',1,4))) || utl_raw.cast_to_varchar2( utl_encode.base64_encode(substr('<master key id>',5,length('<master key id>')))) masterkeyid_base64  FROM dual;


MASTERKEYID_BASE64
--------------------------------------------------------------------------------
<masterkey_id_base64>                                                    < ================ This is the key ID in the BASE64 format !!!

2) How can one verify if the  master key used to encrypt a column is present in the wallet?

select mkeyid from enc$ where obj# in (select object_id from dba_objects where object_type='TABLE' and object_name='<your table's name>' and owner = '<owner>');
MKEYID
--------
<masterkey_id_base64>


Then check whether that master key ID is present in the wallet:

mkstore -wrl . -list
Oracle Secret Store Tool : Version 11.2.0.2.0 - Production
Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.

Enter wallet password:

Oracle Secret Store entries:
ORACLE.SECURITY.DB.ENCRYPTION.<masterkey_id_base64>
ORACLE.SECURITY.DB.ENCRYPTION.MASTERKEY




3) Is it possible to recreate the TDE wallet ?
It is possible, but such an operation should be done in extreme circumstances only, because it can result in data loss or corruptions.
Note 1541818.1 Step by Step Troubleshooting Guide for TDE Error ORA-28374



All the versions up to 11.2.0.3.PSU2
=========================
When generating a new master key the old master key is kept in the wallet ( i.e. it is not erased ).  The key associated with the  SYSTEM tablespace is also regenerated. The problem appears when for some reason the original wallet is removed. As soon as you do that, the  key associated with the SYSTEM tablespace will not change ( The SYSTEM tablepace will continue to be linked to the original key):
SQL> select t.name, RAWTOHEX(x.mkid) from v$tablespace t, x$kcbtek x where t.ts#=x.ts#;

NAME                           RAWTOHEX(X.MKID)
------------------------------ --------------------------------
SYSTEM                         <master key id>                     ====================> This is the original SYSTEM key !!!
SYSAUX                         00000000000000000000000000000000
USERS                          00000000000000000000000000000000
PROT_DATA_TS                   00000000000000000000000000000000
PROT_INDEX_TS                  00000000000000000000000000000000
BATCH_DATA_TS                  00000000000000000000000000000000
TESTBIG                        00000000000000000000000000000000
TESTSMALL                      00000000000000000000000000000000
UNDOTBS_02                     00000000000000000000000000000000
TEMP                           00000000000000000000000000000000

10 rows selected.

SQL> alter system set encryption key identified by "<wallet password>";  =======================> I generate a new master key !!!

System altered.

SQL> select t.name, RAWTOHEX(x.mkid) from v$tablespace t, x$kcbtek x where t.ts#=x.ts#;

NAME                           RAWTOHEX(X.MKID)
------------------------------ --------------------------------
SYSTEM                         <master key id>                    ======================> The system key is changed !!!
SYSAUX                         00000000000000000000000000000000
USERS                          00000000000000000000000000000000
PROT_DATA_TS                   00000000000000000000000000000000
PROT_INDEX_TS                  00000000000000000000000000000000
BATCH_DATA_TS                  00000000000000000000000000000000
TESTBIG                        00000000000000000000000000000000
TESTSMALL                      00000000000000000000000000000000
UNDOTBS_02                     00000000000000000000000000000000
TEMP                           00000000000000000000000000000000

10 rows selected.


$ ls -ltr
total 40
-rw-r--r-- 1 **** ***** 1573 Oct 29 11:14 ewallet.p12
-rw------- 1 **** ***** 1651 Oct 29 11:18 cwallet.sso

$ mv ewallet.p12 ewallet.p12.good     =========== > "Losing" the wallets !!!
$ mv cwallet.sso cwallet.sso.good





SQL> alter system set encryption key identified by "<wallet password>";
alter system set encryption key identified by "<wallet password>"
*
ERROR at line 1:
ORA-28362: master key not found       ================================================> This is a first sign that there was a problem !!! The wallet will be generated anyway but THERE ARE ISSUES ALREADY !!!


SQL> select t.name, RAWTOHEX(x.mkid) from v$tablespace t, x$kcbtek x where t.ts#=x.ts#;

NAME                           RAWTOHEX(X.MKID)
------------------------------ --------------------------------
SYSTEM                         <master key id>                         ==========================> The system key remains unchanged !!!
SYSAUX                         00000000000000000000000000000000
USERS                          00000000000000000000000000000000
PROT_DATA_TS                   00000000000000000000000000000000
PROT_INDEX_TS                  00000000000000000000000000000000
BATCH_DATA_TS                  00000000000000000000000000000000
TESTBIG                        00000000000000000000000000000000
TESTSMALL                      00000000000000000000000000000000
UNDOTBS_02                     00000000000000000000000000000000
TEMP                           00000000000000000000000000000000

10 rows selected.

The key associated with the SYSTEM tablespace is used to encrypt the data in the TEMP tablespace. After removing the original wallet this key will not be available anymore and as such you will get ORA-28374 errors when running an operation that requires large sorts(creating a large index, running a query with ORDER BY on a large table, etc.). The system will not be able to encrypt the data that is written to the TEMP tablespace.

4) How to create an auto login (auto open) HSM wallet when the TDE master key was already generated into the HSM?
For Oracle RDBMS 11gR2 do this :

A. Add the following to your $ORACLE_HOME\network\admin\sqlnet.ora file :

 ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = HSM) (METHOD_DATA =
     (DIRECTORY = <path to the oracle wallet directory>)))

B. Create an auto-login wallet in the directory specified in sqlnet.ora:

cd <path to the oracle wallet directory>
orapki wallet create -wallet . -auto_login

When you are prompted for the password just type "<hsm_partition_pwd>|<slot_name>"

C. Add the following entry in the wallet you have just created:

mkstore -wrl . -createEntry ORACLE.TDE.HSM.AUTOLOGIN <any_non_empty_string>

Note: Usually the <any_non_empty_string> is <hsm_partition_pwd>|<slot_name>. This will help the database administrator to keep track of the HSM partition that is being used for this particular database.  

For Oracle RDBMS 12.1.0.1 or newer use the documentation : Configuring Auto-Login Hardware Security Modules
For configuring auto_login with OKV HSM wallet: Note 2120160.1 - How To Create a TDE Auto_Login Wallet For A Database With Oracle Key Vault OKV TDE Direct Connection / Online Master Key

5) Can TDE store its master encryption key in any external device using the PKSC11 interface( a.k.a HSM )?

Starting in Oracle Database 11g Release 2, customers of Oracle Advanced Security Transparent Data Encryption (TDE) optionally may store the TDE master encryption key in an external device using the PKCS11 interface. In this setup, the master key is stored directly in the third-party device rather than in the included Oracle Wallet (note: the Oracle Wallet is a PKCS12 file-based keystore which is used by most TDE customers).
When using PKCS11, the third-party vendor provides the storage device, PKCS11 software client library, secure communication from the device to the PKCS11 client (running on the database server), authentication, auditing, and other related functionality. The vendor also is responsible for testing and ensuring high-availability of the TDE master encryption key in diverse database server environments and configurations. Customers should contact the device vendor to receive assistance for any related issues or certification questions.

6) How to deal with ORA-28376: cannot find PKCS11 library errors seen while using a SafeNet HSM ?

SafeNet / Ingrian HSM libraries need to be able to locate the HSM's device properties file. One has to point to that file using the NAE_Properties_Conf_Filename environment variable. When using a GI home make sure that this environment variable is set in OCR too :

srvctl setenv database -d <dbname> -T  "NAE_Properties_Conf_Filename=/opt/oracle/extapi/64/hsm/safenet/6.1.0/IngrianNAE.properties"

Important Patches for TDE

- Mandatory patch for TDE in 11.2.0.2 with HSM:

  Patch 12626642 (superceded by Patch 13893640 on some platforms) fixes failure in heartbeat signal sent to HSM and provides auto-open HSM functionality on Unix / Linux systems.

  Windows users: install patch bundle 15 : patch 13413154 (32-bit) or patch 13413155 (64-bit) or higher on top of version 11.2.0.2, this bundle includes both

  base bug 11789943 and bug 11863940 that make up equivalent merge patch 12626642 on Unix / Linux systems.

- Patches for bug 7002207 and bug 7298987 are available for 10.2.0.4 (patch 7639262) and 11.1.0.7 (patch 8421211). It is highly recommended to install these patches.

- HSM multi-token support:

Patch 9453959 (11.1.0.7); patch 9229896 (11.2.0.1)

- TDE (on RAC) wallet related issues:

  Database version 11.2.0.2: install patch 10431487 (fixed 11.2.0.3) and patch 14144138

  Database version 11.2.0.3: install patch 14144138
  Database Version 11.2.0.4 before PSU 11.2.0.4.3 install patch 16360112
  Database Version 12.1.0.2: install patch 21821302
- Performance improvements
  Database version 11.2.0.3: install patch 14468919 for better block checking efficiency

Oracle Transparent Data Encryption Troubleshooting and Debugging


Note 317317.1   - 10gR2 How to Export/Import with Data Encrypted with Transparent Data Encryption (TDE)
Note 317319.1   -  10g R2 New Feature TDE (Transparent Data Encryption) Usage with OLS
Note.445147.1   -  How To Generate A New Master Encryption Key for the TDE
Note 1152787.1 - How To Change The Tablespace Encryption Key?
Note 1062413.1 - How to fulfill PCI-DSS requirement 3.6.6 ?
Note 1517187.1 - How are the requirements of 3.6.7 of PCIDSSv2.0 satisfied by TDE?
Note 602280.1   - Column Level VPD on Indexed Columns Can Lead to Slow Execution Plan (Full Table Scan Instead of Index Access)
Note 785600.1   - ORA-00600 [Ztsmstore Failed] When Valid Wallets are Opened or Master Keys for TDE Are Created or Reset
Note 843949.1   - Ora-00600 Internal Error Code, Arguments [Ztsmd Failed] After Migrating to 11.1.0.6
Note 790476.1   - Sql*loader Table Load With Tde Encryption Takes a Very Long Time
Note 1118558.1 - Query on TDE Encrypted Tables Fails with Ora-00600 [Ztsmdwl Failed]
Note 988022.1   - Deleting and Recreating the Wallet in 11.2 Results in ORA-28374
Note 1197943.1 - Wallet Status in TDE Recovery Scenarios (Including Data Guard/Standby Configuration)
Note 958729.1   - ORA-07445 [kzthsmgmkid ] Error Thrown On Encrypting Columns Using A Hsm Wallet
Note 394539.1   - ORA-28353 - Cannot set the encryption key password for TDE
Note 880574.1   - 404 Not found Error When Using Tablespace Encryption Page In Gridcontrol
Note 1073237.1 - Database With Encrypted Tablespaces Cannot Be Opened If The TDE Wallet Is Not Accessible
Note 984700.1   - Error Logging For DMLs Executed On Encrypted Tables Fails With ORA-38906
Note 975357.1   - ORA-960 When Running A Query Against A Table Protected By TDE
Note 2350151.1 HOW TO clone PDB with TDE implemented

Note 1453995.1 - Auto-login wallet does not open when starting database with srvctl

Note 757936.1   - Ora-28374 Typed Master Key Not Found In Wallet
Note 459801.1   - Getting Ora-28336 When Doing a DATAPUMP Export as User SYS With TDE Encrypted Tables
Note 415247.1   - DBA_ENCRYPTED_COLUMNS Show Columns That Do Not Exist In The Table

Note 454980.1   - Best Practices For Having Indexes On Encrypted Columns Using TDE in 10gR2
Note 389958.1   - Using Transparent Data Encryption In An Oracle Dataguard Config in 10gR2
Note 416526.1   - How to Avoid Performance Overhead Associated With Certificate Based TDE Encryption
Note 387091.1   - How To Configure X509.3 Certificate As Encryption Key To Use With Tde
Note 1058930.1  - Integration Oracle 11gR1 on Sun Solaris 10 SPARC 64-bit with Safenet Luna SA HSM
Note 1302664.1  - TDE Operations Are Failing With Ora-28367 / Ora-28367 After Manipulating The Wallet With OWM or orapki
Note 1301365.1  - Known TDE Wallet Issues
Note 1240824.1 - The Impact of the Sqlnet Settings on Database Security (sqlnet.ora Security Parameters and Wallet Location)
Note 1320239.1 How to Create a Wallet to Use with TDE with PKI Key Pairs
Note 1365021.1 - How To Benefit From Hardware Acceleration for Tablespace Encryption?
Note 2148746.1 - Enable Transparent Data Encryption (TDE) Using Fast Offline Conversion in 11.2.0.4 and 12.1.0.2
Note 1964158.1 - Getting Started With Transparent Data Encryption in Oracle 12c (non pluggable database)
Note 2193264.1 - How To Manage A TDE Wallet Created In ASM
 Note 2310066.1 Oracle TDE Support With 3rd Party HSM Vendors 

Oracle Transparent Data Encryption Best Practices

The following document will make you aware of Oracle TDE Best Practices:

https://www.oracle.com/technetwork/database/security/twp-transparent-data-encryption-bes-130696.pdf

The following applications are certified with TDE:

E-Business Suite
JD Edwards
PeopleSoft
Siebel
SAP - See SAP Note 974876

Oracle Transparent Data Encryption Documentation


The Oracle Transparent Data Encryption documentation can be accessed from the following URLs:

Oracle TDE 10gR2
Oracle TDE 11gR1
Oracle TDE 11gR2

Oracle Transparent Data Encryption Licensing


The Oracle Advanced Security Option license covers the usage of TDE. Oracle Advanced Security Option is available for Oracle RDBMS Enterprise Edition.

Using My Oracle Support Effectively


Note 166650.1 - Working Effectively With Global Customer Support
Note 199389.1 - Escalating Service Requests with Oracle Support Services

REFERENCES

NOTE:459801.1 - Getting Ora-28336 When Doing a DATAPUMP Export as User SYS With TDE Encrypted Tables
NOTE:389958.1 - Using Transparent Data Encryption In An Oracle Dataguard Config in 10gR2

NOTE:1058930.1 - Integration Oracle 11gR1 on Sun Solaris 10 SPARC 64-bit with Safenet Luna SA HSM
NOTE:1320239.1 - How to Create a Wallet to Use with TDE with PKI Key Pairs
NOTE:1240824.1 - The Impact of the Sqlnet Settings on Database Security (sqlnet.ora Security Parameters and Wallet Location)
NOTE:1152787.1 - How To Change The Tablespace Encryption Key?
NOTE:728292.1 - Known Performance Issues When Using TDE and Indexes on the Encrypted Columns
NOTE:1251597.1 - Quick TDE Setup and FAQ
NOTE:1118558.1 - Query on TDE Encrypted Tables Fails with Ora-00600 [Ztsmdwl Failed]
NOTE:958729.1 - ORA-07445 [kzthsmgmkid ] Error Thrown On Encrypting Columns Using A Hsm Wallet
NOTE:984700.1 - Error Logging For DMLs Executed On Encrypted Tables Fails With ORA-38906
NOTE:166650.1 - Working Effectively With Oracle Support - Best Practices

NOTE:1301365.1 - Known Issues In A TDE Environment
NOTE:317311.1 - Transparent Data Encryption (TDE)
NOTE:415247.1 - DBA_ENCRYPTED_COLUMNS Show Columns That Do Not Exist In The Table
NOTE:387091.1 - How To Configure X509.3 Certificate As Encryption Key To Use With Tde
NOTE:432776.1 - 11g New Feature : Transparent Data Encryption at Tablespace Level
NOTE:790476.1 - Sql*loader Table Load With Tde Encryption Takes a Very Long Time
NOTE:880574.1 - 404 Not found Error When Using Tablespace Encryption Page In Gridcontrol

NOTE:1197943.1 - Wallet Status in TDE Recovery Scenarios (Including Data Guard/Standby Configuration)

NOTE:1062413.1 - How to fulfill PCI-DSS requirement 3.6.6 ?


NOTE:988022.1 - Deleting and Recreating the Wallet in 11.2 Results in ORA-28374
NOTE:445147.1 - How To Generate A New Master Encryption Key for the TDE


NOTE:785600.1 - ORA-00600 [Ztsmstore Failed] When Valid Wallets are Opened or Master Keys for TDE Are Created or Reset
NOTE:317317.1 - How to Export/Import with Data Encrypted with Transparent Data Encryption (TDE)
NOTE:602280.1 - Column Level VPD on Indexed Columns Can Lead to Slow Execution Plan (Full Table Scan Instead of Index Access)
NOTE:416526.1 - How to Avoid Performance Overhead Associated With Certificate Based TDE Encryption
NOTE:757936.1 - Creating Encrypted Tablespace in 11.1 DB Fails Ora-28374: Typed Master Key Not Found In Wallet
NOTE:848298.1 - How To Encrypt/Rekey a Table for TDE and Avoid the Associated Performance Problems and Locks?
NOTE:1073237.1 - Database With Encrypted Tablespaces Cannot Be Opened If The TDE Wallet Is Not Accessible
NOTE:843949.1 - Ora-00600: Internal Error Code, Arguments: [Ztsmd Failed] After Migrating to 11.1.0.6
NOTE:975357.1 - ORA-960 When Running A Query Against A Table Protected By TDE
NOTE:1584144.1 - Master Note for Oracle Advanced Security TDE "OneCommand"
NOTE:454980.1 - Best Practices For Having Indexes On Encrypted Columns Using TDE Column encryption.
NOTE:317319.1 - 10g R2 New Feature TDE (Transparent Data Encryption) Usage with OLS
NOTE:1282980.1 - Is It Possible To Migrate The Master Keys From A Software Wallet To A HSM And Viceversa ?
NOTE:1365021.1 - How To Benefit From Hardware Acceleration for Tablespace Encryption?
NOTE:436876.1 - IMPDP Fails With ORA-39180: "Unable To Encrypt ENCRYPTION_PASSWORD" After Switching TDE Wallet
NOTE:394539.1 - ORA-28353 - Cannot Set The Encryption Key Password for TDE

Master Note - Oracle GoldenGate (Doc ID 1298817.1)

n this Document
Details
  
 Available Community
Actions
 Functionality:
 Oracle GoldenGate Product
 Certification, Software Downloads, and Support Coverage
 Documentation:
 Supported Databases and Platforms:
 Tutorials:
 @Internal Training for v11.2:
 Installation:
 Upgrades:
 Compatibility
 Performance and Tuning (LAG):
 
Tracing:
 FAQ: (What People Want: or "The Top Searches")
 Handlecollisions
 
NLS_LANG
 Supplemental Logging
 

RAC
 ARCHIVE LOG Sequence
 CheckPoint
 TCP Port Assignment and Usage:
 
 Colmap
 ASM
 
 TDE - Transparent data Encryption
 
ALTARCHIVELOGDEST
 ALTARCHIVELOGDEST " Points Extract to the archived or backup Oracle transaction logs when they reside somewhere other than the default location. Extract first checks the specified location and then checks the default location"
 Top Linked Docs:
References

APPLIES TO:

Oracle GoldenGate - Version 4.0.0 and later
Information in this document applies to any platform.

DETAILS

Purpose
The purpose of this GoldenGate note is to act as a quick reference to
  • GoldenGate functionality
  • Goldengate releases
  • GoldenGate installation
  • GoldenGate documentation
  • Commonly researched issues

 

This note contains information, references and notes pertaining to the Oracle GoldenGate Core Product
Notes on other Oracle GoldenGate Products can be found at
Note 1307285.1  OGG Veridata Master Note
Note: 1307305.1 OGG Management Pack/Director Master Note

Available Community

The user may also obtain information from the GoldenGate / Streams Community as documented in Note 1388537.1.


ACTIONS

Functionality:

Oracle GoldenGate (OGG) provides near real-time transactional data replication, as well as adjunct services, in a heterogeneous computing environment. The environment can consist of one or more nodes, each running one of several operating systems supporting one or more databases of one or more vendors and versions. Replication may be uni-directional, bi-directional or multi-dimensional. Any combination of environments can be active or passive throughout the replication. Replication can involve several sources and targets simultaneously and be used for, among other things, distributing data for backup, hot standby, auditing, reporting, warehousing and load distribution (etc). Data may be replicated as is, or the replicated data may be edited, transformed, split into different distributions, have metadata added, or filtered. Both DMLs and DDLs may be replicated in whole or in part.

Oracle GoldenGate Product

The Oracle GoldenGate page on Oracle.com provides product information, data sheets, product manuals, software downloads, and Communities information regarding the Oracle GoldenGate core product and other OGG offerings.

Certification, Software Downloads, and Support Coverage

Certification
Oracle GoldenGate certification information is provided under Oracle Fusion Middleware Supported System Configurations. At this site:
  • OGG v12.1.2 certification can be found in the Excel spreadsheet entitled:  System Requirements and Supported Platforms for Oracle Fusion Middleware 12c (12.1.2)
  • For OGG v11.1.x, search on the text string 'Oracle GoldenGate' (multiple times) to locate Excel spreadsheets for System Requirements and Supported Platforms for Oracle GoldenGate 11gR2 (and 11gR1). 
OGG certification information is also available on My Oracle Support's Certifications page.  Under Certification Search, enter Oracle GoldenGate for product and select desired release and platform.
For questions regarding Oracle GoldenGate certification information, please create a Service Request (SR) with Oracle Customer Support.
Software Download
Oracle GoldenGate (core) software versions 11.2.1 and 12.1.2 are available for download from the Oracle GoldenGate Downloads webpage on Oracle.com.  The complete set of Oracle GoldenGate software including versions for other databases and platforms is available at the Oracle Software Delivery Cloud (eDelivery); when prompted for the product pack, select Oracle Fusion Middleware.
Support Coverage
Oracle GoldenGate is supported under the Oracle Lifetime Support lifecycle.  Refer to the Lifetime Support Policy: Oracle Fusion Middleware Products (PDF; section MASTER DATA MANAGEMENT AND DATA INTEGRATOR) for support end dates for each lifecycle stage of OGG coverage.
Please note that Oracle GoldenGate version 10.4 is no longer covered under the Premier Support stage of Oracle Lifetime Support.
Patch Set Availability
Master Note for Oracle GoldenGate 11.2.1 Patch Sets (Doc ID 1645495.1)

Documentation:

Supported Databases and Platforms:

GoldenGate 11g Overview page can be found here:  Overview
 There is a great deal of information available on the overview page including such Product Technical Briefs such as: (note these are topic listings, not links. The link is just above).
 NB. use the above described link to access these briefs.


Tutorials:

Various tutorials with instructions and examples for replicating between various supported databases may be found here.
Educational resources including white papers, webcasts, and podcasts are available here on Oracle.com, and here on OTN (Oracle Technology Network).

@Internal Training for v11.2:

@1)      @OGG 11gR2 - Conflict Detection and Resolution 

@4)      @OGG 11gR2 - Security, Performance, Extensibility, Manageability & Monitoring 

Installation:

See Individual products notes for individual links:
Note 1304564.1 Main Note - Oracle GoldenGate - Installation
Note 965230.1 How to Find GoldenGate on edelivery.oracle.com
Note 970860.1 How To Apply Oracle GoldenGate Patches
Note 965394.1 Installing GoldenGate Code Into An Existing Subvolume
Note 1060867.1 How To Upgrade A Single Component In GoldenGate
Note 968632.1 Does OGG Support Installation Of Its Product On A Shared Disk Subsystem In A Clustered Environment?
Note 966181.1 Installing GoldenGate For Oracle RAC

Upgrades:



See Individual products Notes for individual links:

Note 1304561.1 Master Note - Oracle GoldenGate - Upgrading OGG code
Note : 1235992.1 How to find Patches and Updates for Oracle GoldenGate
Note : 1293587.1 Searching the Patch site for a particular OGG release
Note : 970860.1 How To Apply Oracle GoldenGate Patches
Note: 1112325.1 Deploying Oracle GoldenGate to Achieve Operational Reporting for Oracle E-Business Suite
Note: 1112406.1 Deploying Oracle GoldenGate to Achieve Operational Reporting for Oracle JD Edwards
Note: 1114746.1 Deploying Oracle GoldenGate to Achieve Operational Reporting for PeopleSoft
Note: 1112403.1 Deploying Oracle GoldenGate to Achieve Operational Reporting for Oracle Siebel CRM  
 Some Best Practices
1310542.1 Oracle GoldenGate Best Practices: Instantiation from a DB2 Source Database
1310946.1 Oracle GoldenGate Best Practices: Instantiation from a SQL Server Source Database
1276058.1 Oracle GoldenGate Best Practices: Instantiation from an Oracle Source Database
1312092.1 Oracle GoldenGate Best Practices: Oracle GoldenGate Veridata – Internal only - It contains info about performing back-end loading which we don't support.
1232303.1 Oracle GoldenGate Best Practices: Mount options to use when configuring GoldenGate to run on NFS mounted file system
1313703.1 Oracle GoldenGate Best Practices: Oracle GoldenGate high availability using Oracle Clusterware
1314698.1 Oracle GoldenGate Best Practices: Creating History Tables
1321696.1 Oracle GoldenGate Best Practices: Sample Parameter Files
1322547.1 Oracle GoldenGate Best Practices: Oracle GoldenGate and Oracle Data Guard - Switchover/Fail-over Operations for GoldenGate

Compatibility

Note : 965423.1 Is GoldenGate Compatible Between Different Releases?
Note : 1300936.1 NSK Specific Main Note 
Note: 266043.1 Support of Linux and Oracle Products on Linux

Performance and Tuning (LAG):

Note 1304557.1 Main Note - Oracle GoldenGate - Lag, Performance, Slow and Hung Processes
Oracle GoldenGate Performance Best Practices (pdf)
- An Oracle Maximum Availability Architecture Best Practices White Paper, March 2014


Tracing:

 Note 1304496.1 Main Note - Oracle GoldenGate - Tracing



FAQ: (What People Want: or "The Top Searches")

Handlecollisions

Note 966207.1 What Does The HANDLECOLLISIONS Parameter Do


NLS_LANG


Note 969551.1 How is NLS_LANG Set When You Run OGG On The Superset Character Sets Database
Note 969651.1 ORA-12705: Invalid Or Unknown NLS Parameter Value Specified.

Supplemental Logging


"Supplemental logging at the table level and the database level must be enabled for the tables from the source database."

Note 1304503.1 Main Note - Oracle GoldenGate - Supplemental Logging
 



RAC


Note 1304593.1 Main Note - Oracle GoldenGate - RAC
 

ARCHIVE LOG Sequence


Note 1186935.1 GGS Error 500 Could Not Find Archived Log For Sequence
Note 1108953.1 What does this mean? Redo thread 1: Online log /oracle/..... on sequence# nnn has missing
Note 971825.1 Why Does Extract For Oracle Abend With Error "Mismatched Sequences In Archive Log"?

CheckPoint


Note 1304617.1 Main Note - Oracle GoldenGate - Checkpoints
Note 1138409.1 EXTRACT / REPLICAT CHECKPOINT RBA IS LARGER THAN LOCAL TRAILFILE SIZE, AFTER SERVER CRASH 
 

TCP Port Assignment and Usage:

 
Note 1300117.1 Main Note - OGG Port Usage and TCP

Colmap



Note 1302422.1 Column Mapping Usage
Note 1277199.1 REPLICAT abend 'Error in COLMAP clause' but we aren't using COLMAP
Note 1111576.1 Replicat Abends With Can Not Process Without All Fields Or Colmap Error


ASM


Note 1304627.1 Main Note - Oracle GoldenGate - ASM 

TDE - Transparent data Encryption


Note 965745.1 How To Replicate Oracle TDE (Transparent Data Encryption) Data.
Note 1271522.1 Oracle GoldenGate (OGG) and Transparent Data Encryption (TDE)
 


ALTARCHIVELOGDEST

ALTARCHIVELOGDEST " Points Extract to the archived or backup Oracle transaction logs when they reside somewhere other than the default location. Extract first checks the specified location and then checks the default location"



Note 1060870.1 ALTARCHIVELOGDEST
Note 966243.1 How Do I Use The ALTARCHIVELOGDEST ; Parameter To Access Oracle Redo Archive Logs In An Alternate Directory?
Note 969500.1 Parameter Options After ALTARCHIVELOGDEST Entry Are Ignored
Note 969542.1 Restored Archive Files To Another Location, Then Extract Failed With LOG_ARCHIVE_FORMAT Parameter Is

Top Linked Docs:



Note 966211.1 How To Resync A Single Table With Minimum Impact To Other Tables' Replication?
Note 966227.1 Troubleshooting TCP/IP Errors In Open Systems
Note 972954.1 What Causes The 'Bad Column Index(xxxx)' Error In Replicat?
Note 987379.1 How to recover from Extract ERROR 180 encountered commit SCN that is not greater than the highest SCN already processed (GG Version 10)
Note 1112506.1 GoldenGate Extract Abends with "Unable to lock file" Error For Trail File
Note 1124403.1 When Replicat is Running but Not Applying Records
Note 1138409.1 EXTRACT / REPLICAT CHECKPOINT RBA IS LARGER THAN LOCAL TRAILFILE SIZE, AFTER SERVER CRASH
Note 1163073.1 When using rmthost with timeout option, there are orphaned data collector processes on target system
Note 1266389.1 Oracle GoldenGate and compressed tables
Note 1270168.1 OGG-01028 Compression Not Supported - when extract processes regular and cluster tables
Note 1276538.1Replicat Abending With Mapping Error and discard file shows Missing Key Columns
Note 1280584.1 Where To Find The List Of Supported And Unsupported Oracle Data Types for GoldenGate 
Note 1288562.1 GG Data Pumps Error With OGG-01031 When Upgrading the Target Side
Note 957112.1 Encountered SCN That Is Not Greater Than The Highest SCN Already Processed
Note 1271578.1 How to Handle Tables without Primary Keys or Unique Indexes with Oracle GoldenGate
Note 957053.1 Recovering From a GG Pump Process Abending With An Incompatible Record Error
Note 968622.1 Does GoldenGate Support Tables With An UNUSED Column?
Note 968614.1 Why Does GoldenGate Report The Lag Is Unknown or a Timestamp Mismatch?
Note 968769.1 GoldenGate Errors That Occur In Teradata Extract Setting
Note 1163073.1 When using rmthost with timeout option, there are orphaned data collector processes on target system
Note 964709.1 How To Handle Oracle DDLs (add/drop/resize a Column) 22 19 1
Note 1300076.1 Usage and considerations for allocation of ports and DYNAMICPORTLIST
Note 1232303.1 mount options to use when configuring GoldenGate to run on NFS mounted file system
Note 1298548.1 Extract not accepting CACHESIZE settings
Note 1300197.1 Logger not logging cobol transactions for GGSLIB with non default AUDCFG location
Note 1273285.1 How To Troubleshoot Oracle Redo Log Reading Extract Slow Performance Issue

REFERENCES

NOTE:966181.1 - Installing GoldenGate for Oracle RAC
NOTE:968614.1 - Why Does GoldenGate Report The Lag Is Unknown or a Timestamp Mismatch?
NOTE:968622.1 - Does GoldenGate Support Tables with an UNUSED Column?
NOTE:1112325.1 - Deploying Oracle GoldenGate to Achieve Operational Reporting for Oracle E-Business Suite
NOTE:1300936.1 - Main Master Note - Oracle GoldenGate Core Product - HP NonStop (NSK, Tandem, Guardian, S-Series)
NOTE:1277199.1 - REPLICAT abend 'Error in COLMAP clause' but we aren't using COLMAP
NOTE:1280584.1 - Where Is The List Of Supported And Unsupported Oracle Data Types (Datatypes) for GoldenGate ?
NOTE:1199561.1 - GoldenGate Replicat Characterset Conversion: Error 160 Bad column length
NOTE:965745.1 - OGG How To Replicate Oracle TDE (Transparent Data Encryption) Data.
NOTE:1304564.1 - Main Note - Oracle GoldenGate - Installation
NOTE:969551.1 - How is NLS_LANG Set When You Run GoldenGate On The Superset Character Sets Database?
NOTE:966211.1 - How to Resync a Single Table with Minimum Impact to Other Tables' Replication?
NOTE:1300933.1 - Main Note - Oracle GoldenGate Core Product - Open Systems
NOTE:1300197.1 - Logger Not Logging Cobol Transactions For GGSLIB With Non Default AUDCFG Location
NOTE:965394.1 - Installing GoldenGate Code Into An Existing Subvolume on NSK
NOTE:1273285.1 - How To Troubleshoot Oracle Redo Log Reading Extract Slow Performance Issue using TESTMAPPINGSPEED
NOTE:1060870.1 - ALTARCHIVELOGDEST Oracle GoldenGate Extract
NOTE:1292874.1 - GoldenGate Extract/Pump/Replicat Abends on Startup with Error OGG-01088 Realloc xxx Bytes Failed.
NOTE:1300117.1 - Master Note - OGG TCP Port Usage
NOTE:1271578.1 - How to Handle Tables Without Primary Keys or Unique Indexes With Oracle GoldenGate
NOTE:972954.1 - What Causes the GGS ERROR 160 Bad Column Index(xxxx) Error in Replicat
NOTE:1235992.1 - How to find Patches and Updates for Oracle GoldenGate (OGG)
NOTE:1114746.1 - Overview of Using Oracle GoldenGate to Achieve Operational Reporting for PeopleSoft
NOTE:987379.1 - (VERSION 10 EXTRACT ONLY) How to Recover from Extract ERROR 180 Encountered Commit SCN That Is Not Greater than the Highest SCN Aly Processed
NOTE:1307285.1 - Master Note Oracle GoldenGate Veridata
NOTE:1304617.1 - Main Note - Oracle GoldenGate - Checkpoints
NOTE:966227.1 - OGG Troubleshooting TCP/IP Errors In Open Systems
NOTE:966243.1 - How Do I Use The "ALTARCHIVELOGDEST" Parameter To Access Oracle Redo Archive Logs In An Alternate Directory Path?
NOTE:1159684.1 - OGG Extract abends,mss: missing trailing blocks, unable to queue I/O, I/O beyond file size
NOTE:1195995.1 - Implementing GoldenGate in Conjunction with a Planned or Unplanned DataGuard Failovers
NOTE:1271522.1 - Oracle GoldenGate (OGG) 11.1.1.0 and Transparent Data Encryption (TDE)
NOTE:1112506.1 - GoldenGate Extract Abends with "Unable to lock file" Error For Trail File
NOTE:1304557.1 - Main Note - Oracle GoldenGate - Lag, Performance, Slow and Hung Processes
NOTE:964709.1 - How To Handle Oracle DDLs (add/drop/resize a Column) When not using DDL replication?
NOTE:1163073.1 - When using rmthost with timeout option, there are orphaned data collector processes on target system
NOTE:957053.1 - Recovering From a GG Pump Process Abending With An Incompatible Record Error
NOTE:1232303.1 - Oracle GoldenGate Best Practice: NFS Mount options for use with GoldenGate
NOTE:965270.1 - How Does GoldenGate Allocates Ports between Source Extract Pump and Target Server/Collector?
NOTE:1270168.1 - Ogg-01028 Compression Not Supported - When Extract Processes Regular And Cluster Tables
NOTE:1061093.1 - Extract Fails Due to an ASM Connection Configuration Issue
NOTE:968769.1 - GoldenGate Errors That Occur In Teradata Extract Setting
NOTE:1304503.1 - Main Note - Oracle GoldenGate - Supplemental Logging
NOTE:1304593.1 - Main Note - Oracle GoldenGate - RAC
NOTE:1304561.1 - Main Note - Oracle GoldenGate - Documentation and References for Upgrading OGG code
NOTE:1288562.1 - OGG Data Pumps Error With OGG-01031 When Upgrading the Target Side
NOTE:1302422.1 - Column Mapping Usage - COLMAP , USEDEFAULTS
NOTE:1266389.1 - Oracle GoldenGate: Compressed Tables Are Not Supported until OGG v11.2.X Integrated Extract.

NOTE:1108953.1 - What does this message mean? "Redo thread 1: Online log /oracle/..... on sequence# 8463 has missing trailing blocks."
NOTE:1138409.1 - OGG Extract / Replicat Checkpoint RBA Is Larger than Local Trail Size
NOTE:1112403.1 - Deploying Oracle GoldenGate to Achieve Operational Reporting for Oracle Siebel CRM
NOTE:966207.1 - What Does The HANDLECOLLISIONS Parameter Do?
NOTE:966156.1 - Why Does Replicat Abend With ORA-01461?
NOTE:1186935.1 - GGS Error 500 "Could Not Find Archived Log For Sequence"
NOTE:1111576.1 - Replicat Abends With ERROR 222 Missing Fields In Compressed Record For , Cannot Process Without All Fields Or Colmap.
NOTE:965423.1 - Is GoldenGate Compatible Between Different Releases?
NOTE:1276538.1 - Replicat Abending with Mapping Error and Discard File Shows Missing Key Columns
NOTE:1060547.1 - How To Set NLS_LANG When You Run GoldenGate On The Superset Character Sets Database?
NOTE:968632.1 - Does GoldenGate Support Installation of Its Product on a Shared Disk Subsystem in a Clustered Environment?
NOTE:1276058.1 - Oracle GoldenGate Best Practices: Instantiation from an Oracle Source Database
NOTE:1060867.1 - How To Upgrade A Single Component In GoldenGate Version 10.0
NOTE:1124403.1 - When Replicat is Running but Not Applying Records
NOTE:1286276.1 - Why Isn't GoldenGate Manager Purging The Trail Files?
NOTE:969651.1 - Extract and/or Replicat Fails With: ORA-12705: Invalid Or Unknown NLS Parameter Value Specified
NOTE:965373.1 - Visual Representation of Oracle GoldenGate in an Oracle RAC Environment
NOTE:965356.1 - OGG GGS Error 150: No Dynamic Ports Available Orphan Ports Server Collector

NOTE:1112406.1 - Deploying Oracle GoldenGate to Achieve Operational Reporting for Oracle JD Edwards
NOTE:957112.1 - OGG Encountered SCN That Is Not Greater Than The Highest SCN Already Processed
NOTE:1307305.1 - Master Note Oracle GoldenGate Management Pack - Director
NOTE:965230.1 - How To Find And Download GoldenGate On edelivery.oracle.com (Oracle Software Delivery Cloud)
NOTE:970860.1 - This document has been replaced with more recent information on this topic. Please refer to more recent documentation.
NOTE:1304627.1 - Main Note - Oracle GoldenGate - ASM
NOTE:971825.1 - Why Does Extract For Oracle Abend With The Error Message "Mismatched Sequences In Archive Log"?

NOTE:1300076.1 - Usage and considerations for allocation of ports and DYNAMICPORTLIST
NOTE:1293587.1 - Searching the Patch site for a particular OGG release
NOTE:969500.1 - Parameter Options After ALTARCHIVELOGDEST Entry Are Ignored
NOTE:969542.1 - After Restoring Archive Files to Another Location, Extract Failed With LOG_ARCHIVE_FORMAT Parameter is Undefined

Database Options/Management Packs Usage Reporting for Oracle Databases 11.2 and later (Doc ID 1317265.1)

  Database Options/Management Packs Usage Report You can determine whether an option is currently in use in a database by running options_pa...