Skip to main content

Zero Downtime Migration Wallet Setup

Introduction​

When executing Zero Downtime Migration it asks for several passwords for users specified in the ZDM response file. To avoid re-entering the passwords all the time when a job is executed, a wallet can be used to securely store the password. ZDM can then be configured to get the password from the wallet file instead of asking for it. This is especially helpful when ZDM is started with a script.

  • Logical Migration
Example of ZDM asking for passwords in logical migration:
Enter source database administrative user "SYSTEM" password:
Enter source database administrative user "GGADMIN" password:
Enter source container database administrative user "SYSTEM" password:
Enter source container database administrative user "C##GGADMIN" password:
Enter target database administrative user "SYSTEM" password:
Enter target database administrative user "GGADMIN" password:
Enter Oracle GoldenGate hub administrative user "oggadmin" password:
  • Physical Migration
Example of ZDM asking for passwords in physical migration:
Enter source database DBNAME SYS password:
Enter user "[email protected]" password:
Enter source database DBNAME TDE keystore password:

Setup​

  • Compute instance with running ZDM software.
  • Log in as the user running the ZDM software and make sure the ZDM_BASE and ZDM_HOME variables are set accordingly.

Logical Migration​

1. Create directories​

Directories need to be created to store the wallet files:

mkdir -p $ZDM_BASE/wallets
mkdir -p $ZDM_BASE/wallets/src_admin
mkdir -p $ZDM_BASE/wallets/src_ggadmin
mkdir -p $ZDM_BASE/wallets/src_admin_cdb
mkdir -p $ZDM_BASE/wallets/src_ggadmin_cdb
mkdir -p $ZDM_BASE/wallets/tgt_admin
mkdir -p $ZDM_BASE/wallets/tgt_ggadmin
mkdir -p $ZDM_BASE/wallets/ogg_oggadmin

2. Create wallet files​

After creating the directories the wallet files can be created. The orapki command is used for this and the wallet files are created as auto_login. 

$ZDM_HOME/bin/orapki wallet create -wallet $ZDM_BASE/wallets/src_admin -auto_login_only
$ZDM_HOME/bin/orapki wallet create -wallet $ZDM_BASE/wallets/src_ggadmin -auto_login_only
$ZDM_HOME/bin/orapki wallet create -wallet $ZDM_BASE/wallets/src_admin_cdb -auto_login_only
$ZDM_HOME/bin/orapki wallet create -wallet $ZDM_BASE/wallets/src_ggadmin_cdb -auto_login_only
$ZDM_HOME/bin/orapki wallet create -wallet $ZDM_BASE/wallets/tgt_admin -auto_login_only
$ZDM_HOME/bin/orapki wallet create -wallet $ZDM_BASE/wallets/tgt_ggadmin -auto_login_only
$ZDM_HOME/bin/orapki wallet create -wallet $ZDM_BASE/wallets/ogg_oggadmin -auto_login_only
Example output of the orapki tool:
Oracle PKI Tool Release 21.0.0.0.0 - Production
Version 21.0.0.0.0
Copyright (c) 2004, 2021, Oracle and/or its affiliates. All rights reserved.

Operation is successfully completed.

3. Create credentials​

Next step is to create the credentials for the different users. Again the orapki tool is used for that. The password needs to be entered for every user.

  • Source database admin user (system):

    $ZDM_HOME/bin/mkstore -wrl $ZDM_BASE/wallets/src_admin -createCredential store system

  • Source database GoldenGate user (ggadmin): 

    $ZDM_HOME/bin/mkstore -wrl $ZDM_BASE/wallets/src_ggadmin -createCredential store ggadmin

  • Source database admin user for the CDB (system):

    $ZDM_HOME/bin/mkstore -wrl $ZDM_BASE/wallets/src_admin_cdb -createCredential store system

  • Source database GoldenGate user for the CDB (c##ggadmin):

    $ZDM_HOME/bin/mkstore -wrl $ZDM_BASE/wallets/src_ggadmin_cdb -createCredential store c##ggadmin

  • Target database admin user (system):

    $ZDM_HOME/bin/mkstore -wrl $ZDM_BASE/wallets/tgt_admin -createCredential store system

  • Target database GoldenGate user (ggadmin):

    $ZDM_HOME/bin/mkstore -wrl $ZDM_BASE/wallets/tgt_ggadmin -createCredential store ggadmin

  • GoldenGate admin user (oggadmin):

    $ZDM_HOME/bin/mkstore -wrl $ZDM_BASE/wallets/ogg_oggadmin -createCredential store oggadmin
Example output of the orapki tool:
Oracle Secret Store Tool Release 21.0.0.0.0 - Production
Version 21.0.0.0.0
Copyright (c) 2004, 2021, Oracle and/or its affiliates. All rights reserved.

Your secret/Password is missing in the command line
Enter your secret/Password:
Re-enter your secret/Password:

4. List Credentials​

To list the existing credentials inside the wallet files the mkstore command can be used.

$ZDM_HOME/bin/mkstore -wrl $ZDM_BASE/wallets/src_admin -listCredential | grep '^1'
$ZDM_HOME/bin/mkstore -wrl $ZDM_BASE/wallets/src_ggadmin -listCredential | grep '^1'
$ZDM_HOME/bin/mkstore -wrl $ZDM_BASE/wallets/src_admin_cdb -listCredential | grep '^1'
$ZDM_HOME/bin/mkstore -wrl $ZDM_BASE/wallets/src_ggadmin_cdb -listCredential | grep '^1'
$ZDM_HOME/bin/mkstore -wrl $ZDM_BASE/wallets/tgt_admin -listCredential | grep '^1'
$ZDM_HOME/bin/mkstore -wrl $ZDM_BASE/wallets/tgt_ggadmin -listCredential | grep '^1'
$ZDM_HOME/bin/mkstore -wrl $ZDM_BASE/wallets/ogg_oggadmin -listCredential | grep '^1'

5. Configure ZDM​

The following parameters need to be set in the ZDM response file to make use of the wallet files.
<ZDM_BASE> needs to be replaced with the full absolute path.

WALLET_SOURCEADMIN=<ZDM_BASE>/wallets/src_admin
WALLET_SOURCEGGADMIN=<ZDM_BASE>/wallets/src_ggadmin
WALLET_SOURCECONTAINER=<ZDM_BASE>/wallets/src_admin_cdb
WALLET_SOURCECGGADMIN=<ZDM_BASE>/wallets/src_ggadmin_cdb
WALLET_TARGETADMIN=<ZDM_BASE>/wallets/tgt_admin
WALLET_TARGETGGADMIN=<ZDM_BASE>/wallets/tgt_ggadmin
WALLET_OGGADMIN=<ZDM_BASE>/wallets/ogg_oggadmin

Physical Migration​

1. Create directories​

Directories need to be created to store the wallet files:

mkdir -p $ZDM_BASE/wallets
mkdir -p $ZDM_BASE/wallets/src_sys
mkdir -p $ZDM_BASE/wallets/oss_user
mkdir -p $ZDM_BASE/wallets/src_tde

2. Create wallet files​

After creating the directories the wallet files can be created. The orapki command is used for this and the wallet files are created as auto_login. 

$ZDM_HOME/bin/orapki wallet create -wallet $ZDM_BASE/wallets/src_sys -auto_login_only
$ZDM_HOME/bin/orapki wallet create -wallet $ZDM_BASE/wallets/oss_user -auto_login_only
$ZDM_HOME/bin/orapki wallet create -wallet $ZDM_BASE/wallets/src_tde -auto_login_only
Example output of the orapki tool:
Oracle PKI Tool Release 21.0.0.0.0 - Production
Version 21.0.0.0.0
Copyright (c) 2004, 2021, Oracle and/or its affiliates. All rights reserved.

Operation is successfully completed.

3. Create credentials​

Next step is to create the credentials for the different users. Again the orapki tool is used for that. The password needs to be entered for every user.

  • Source database sys user:

    $ZDM_HOME/bin/mkstore -wrl $ZDM_BASE/wallets/src_sys -createCredential store sysuser

  • OCI object storage user: 

    $ZDM_HOME/bin/mkstore -wrl $ZDM_BASE/wallets/oss_user -createCredential store ossuser

  • Source database TDE keystore:

    $ZDM_HOME/bin/mkstore -wrl $ZDM_BASE/wallets/src_tde -createCredential store tdeuser
Example output of the orapki tool:
Oracle Secret Store Tool Release 21.0.0.0.0 - Production
Version 21.0.0.0.0
Copyright (c) 2004, 2021, Oracle and/or its affiliates. All rights reserved.

Your secret/Password is missing in the command line
Enter your secret/Password:
Re-enter your secret/Password:

4. List Credentials​

To list the existing credentials inside the wallet files the mkstore command can be used.

$ZDM_HOME/bin/mkstore -wrl $ZDM_BASE/wallets/src_sys -listCredential | grep '^1'
$ZDM_HOME/bin/mkstore -wrl $ZDM_BASE/wallets/oss_user -listCredential | grep '^1'
$ZDM_HOME/bin/mkstore -wrl $ZDM_BASE/wallets/src_tde -listCredential | grep '^1'

5. Configure ZDM​

The following parameters need to be set in the ZDM response file to make use of the wallet files.
<ZDM_BASE> needs to be replaced with the full absolute path.

-sourcesyswallet <ZDM_BASE>/wallets/src_sys
-osswallet <ZDM_BASE>/wallets/oss_user
-tdekeystorewallet <ZDM_BASE>/wallets/src_tde

Example:

-sourcesyswallet /u01/zdm/zdmbase/wallets/src_sys
-osswallet /u01/zdm/zdmbase/wallets/oss_user
-tdekeystorewallet /u01/zdm/zdmbase/wallets/src_tde