Oracle GoldenGate Security | Passive Extract

When a target system resides inside a trusted intranet zone, initiating connections from the source system (the standard Oracle GoldenGate method) may violate security policies if the source system is in a less trusted zone. It also may violate security policies if a system in a less trusted zone contains information about the ports or IP address of a system in the trusted zone, such as that normally found in an Oracle GoldenGate Extract parameter file.

In this kind of intranet configuration, you can use a passive-alias Extract configuration. Connections are initiated from the target system inside the trusted zone by an alias Extract group, which acts as an alias for a regular Extract group on the source system, known in this case as the passive Extract. Once a connection between the two systems is established, data is processed and transferred across the network by the passive Extract group in the usual way.

  1. An Oracle GoldenGate user starts the alias Extract on the trusted system, or an AUTOSTART or AUTORESTART parameter in the Manager parameter file starts it.
  2. GGSCI on the trusted system sends a message to Manager on the less trusted system to start the associated passive Extract. The host name or IP address and port number of the Manager on the trusted system are sent to the less trusted system.
  3. On the less trusted system, Manager starts the passive Extract. The passive Extract finds an open port (according to the rules in the DYNAMICPORTLIST Manager parameter) and listens on that port.
  4. Manager on the less trusted system returns that port number to GGSCI on the trusted system.
  5. GGSCI on the trusted system asks the Manager on the trusted system to start a Collector process there.
  6. Manager on the trusted system starts the Collector process and passes it the port number on which the passive Extract is listening on the less trusted system.
  7. Collector on the trusted system opens a connection to the passive Extract on the less trusted system.
  8. Data is sent across the network from the passive Extract to the Collector on the target and is written to the trail in the usual manner for processing by Replicat.
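The following is an added example of what the two sides of this configuration look like in GGSCI commands and parameter files; it is not taken from the original post. The group names extpas and extalias, the host name src-db.example.net, the port numbers, the credential store alias ggsrc, the encryption key name srckey (which assumes a matching entry in the ENCKEYS file on both systems) and the table spec hr.* are all placeholders chosen for the illustration.

```text
-- Less trusted SOURCE system -----------------------------------------
-- dirprm/mgr.prm : the passive Extract picks its listening port from this
-- bounded range (step 3 above), so the firewall rule can be just as narrow.
PORT 7809
DYNAMICPORTLIST 7820-7830

-- GGSCI on the source: register the Extract as PASSIVE. It never opens a
-- connection itself; Collector on the trusted system connects to it.
ADD EXTRACT extpas, TRANLOG, BEGIN NOW, PASSIVE
ADD RMTTRAIL ./dirdat/aa, EXTRACT extpas

-- dirprm/extpas.prm : there is deliberately NO RMTHOST here, so this file
-- contains no host name, IP address or port of the trusted system. Connection
-- attributes (compression, encryption of the trail data in transit) go in
-- RMTHOSTOPTIONS instead. ggsrc is a credential store alias (assumption).
EXTRACT extpas
USERIDALIAS ggsrc
RMTHOSTOPTIONS COMPRESS, ENCRYPT AES192 KEYNAME srckey
RMTTRAIL ./dirdat/aa
TABLE hr.*;

-- Trusted TARGET system ----------------------------------------------
-- dirprm/mgr.prm : Manager is configured as usual.
PORT 7809

-- GGSCI on the target: the alias Extract. This is the only place the source
-- host and Manager port are recorded, i.e. inside the trusted zone. RMTNAME
-- binds the alias to the passive group; an alias Extract needs no parameter file.
ADD EXTRACT extalias, RMTHOST src-db.example.net, MGRPORT 7809, RMTNAME extpas

-- Start from the trusted side only; this drives steps 2 to 7 above.
START EXTRACT extalias
INFO EXTRACT extalias
```

Following the eight steps through this configuration, every TCP connection is opened from the trusted zone towards the less trusted one: GGSCI to the source Manager port (7809 here) and Collector to a port in the source DYNAMICPORTLIST range (7820-7830 here). The firewall between the zones therefore needs to allow only those outbound connections from the target and nothing inbound into the trusted zone; if a connection attempt is seen in the other direction, something other than this passive-alias pair is initiating it.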

Muhammad Rawish Siddiqui

Master in Computer Science (Database Engineering) and PGD in Management Information Systems.
45+ online certifications, including EDRP (EC-Council Disaster Recovery Professional), Data Management, Security+, DBaaS - Cloud Certified Expert, Oracle Cloud Autonomous Database Specialist, Oracle Database Cloud Certified Professional, Oracle Cloud Infrastructure, OCP 7.3, 10g, 11g, 11i, R12, OCE/OCS 11i System Administration, Solaris, Linux and Real Application Cluster 10g, 11g, Oracle Autonomous Database, Real Application Cluster, Oracle Data Guard and Performance Tuning, etc.

Foremost areas of interest include Data Management, Oracle Databases and EBS Health Checks, Real Application Cluster, Disaster Recovery, GoldenGate and Oracle Cloud.