Thread starter: chen33593541

[Discussion] Seeking ideas for encrypting transport between a DG primary and a remote standby

11#
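Posted 2015-8-27 21:01
A few days ago I looked at some Data Guard material. What it sends over the network is actually redo log, not SQL, so if the encryption requirements are not very high, just configuring DG as-is is fine.

Downstream capture is actually Oracle's own underlying technology; nobody needs to rewrite a LogMiner, decode the redo log, or the like. So as far as security goes, it is no more dangerous than Oracle itself. An ordinary company would, by and large, hardly suspect Oracle of being interested in its sensitive data.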


12#
Posted 2015-8-27 22:16
> What it sends over the network is actually redo log, not SQL

Data Guard includes a primary database and one or more standby databases. The standby can be either physical or logical. In case of logical, are you sure the data transmitted on the network is not SQL? You may have to restrict your statement to the data guard configuration where the standby is physical only.

13#
Posted 2015-8-28 02:36
Yong Huang posted on 2015-8-27 22:16
> What it sends over the network is actually redo log, not SQL

Data Guard includes a primary database and one or more stan ...

physical only. right!

14#
Posted 2015-8-28 10:18
Yong Huang posted on 2015-8-27 22:16
> What it sends over the network is actually redo log, not SQL

Data Guard includes a primary database and one or more stan ...

Of course

http://docs.oracle.com/cd/E11882 ... /standby.htm#i50960
Logical Standby
A logical standby database is initially created as an identical copy of the primary database, but it later can be altered to have a different structure. The logical standby database is updated by executing SQL statements. This allows users to access the standby database for queries and reporting at any time. Thus, the logical standby database can be used concurrently for data protection and reporting operations.

Data Guard automatically applies information from the archived redo log file or standby redo log file to the logical standby database by transforming the data in the log files into SQL statements and then executing the SQL statements on the logical standby database. Because the logical standby database is updated using SQL statements, it must remain open. Although the logical standby database is opened in read/write mode, its target tables for the regenerated SQL are available only for read-only operations. While those tables are being updated, they can be used simultaneously for other tasks such as reporting, summations, and queries. Moreover, these tasks can be optimized by creating additional indexes and materialized views on the maintained tables.

A logical standby database has some restrictions on datatypes, types of tables, and types of DDL and DML operations. See Appendix C for information on data type and DDL support on logical standby databases.

Physical Standby
------------------------------
A physical standby database is an exact, block-for-block copy of a primary database. A physical standby is maintained as an exact copy through a process called Redo Apply, in which redo data received from a primary database is continuously applied to a physical standby database using the database recovery mechanisms.

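The only difference between the two is the apply step at the end: SQL Apply for a logical standby (LS), Redo Apply for a physical standby (PS). What travels over the network before that is redo log in both cases.

By the way: AQ/Stream is the underlying foundation of DG.

The SYNC/ASYNC transport shown in the two attachments that follow illustrates the point.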

15#
Posted 2015-8-28 10:19
Attachments: how DG SYNC/ASYNC transport works

a.png (70.54 KB, downloads: 30)

b.png (83.78 KB, downloads: 20)

16#
Posted 2015-8-29 00:38
> What travels over the network before that is redo log in both cases.

I guess you're right, because decoding raw redo into SQLs consumes CPU, a task better done on the standby. If I were the developer, I would definitely do this on the standby side. But it would be better to see the statement in an official document. What you quoted from documentation doesn't say that. The two images you posted are about sync vs. async, which is irrelevant to this discussion. Here we're talking about the location where redo is converted to SQLs.

17#
Posted 2015-8-29 21:04
Speechless, heh.

18#
Thread starter | Posted 2015-9-1 10:45
Last edited by chen33593541 on 2015-9-1 13:37
Yong Huang posted on 2015-8-29 00:38
> What travels over the network before that is redo log in both cases.

I guess you're right, because decoding raw redo into SQLs cons ...

Guys, likely we don't need to buy a license for "Network encryption" of "Oracle Advanced Security" anymore; it started from Oracle 10g Release 2.

http://docs.oracle.com/cd/B19306 ... ptions.htm#DBLIC137

Oracle Advanced Security includes the following features:

Transparent Data Encryption (TDE) for columns
RMAN backup encryption

Network encryption (native network encryption and SSL/TLS) and strong authentication services (Kerberos, PKI, and RADIUS) are no longer part of Oracle Advanced Security and are available in all licensed editions of all supported releases of the Oracle database.

19#
Posted 2015-9-2 02:30
chen33593541,

Thanks for that info. I also checked 11g and 12c documentation. That statement ("Network encryption ... no longer part of Oracle Advanced Security") is in there too. Thanks.
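
An added example, not part of any post in this thread and not Oracle's code: a Python check of whether the native network encryption discussed above would actually be negotiated for redo transport in each direction, given both sites' sqlnet.ora settings. The sample sqlnet.ora contents are constructed; the check assumes both sides share at least one algorithm and that unset parameters default to ACCEPTED.

```python
import re

def negotiate(client, server):
    """Outcome of native network encryption negotiation for one connection:
    'ON', 'OFF' or 'FAIL' (connection refused)."""
    pair = {client, server}
    if "REJECTED" in pair:
        return "FAIL" if "REQUIRED" in pair else "OFF"
    if pair == {"ACCEPTED"}:
        return "OFF"   # both sides merely accept, so nobody asks for encryption
    return "ON"        # at least one side REQUESTED or REQUIRED

def parse_sqlnet(text):
    """Parse 'NAME = value' lines of a sqlnet.ora into an upper-cased dict."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"([\w.]+)\s*=\s*(.+)", line)
        if m:
            params[m.group(1).upper()] = m.group(2).strip().upper()
    return params

def redo_transport_status(primary_ora, standby_ora):
    """The site shipping redo is the Oracle Net client and the receiver is the
    server; both directions are checked because roles swap on switchover."""
    p, s = parse_sqlnet(primary_ora), parse_sqlnet(standby_ora)
    get = lambda d, k: d.get(k, "ACCEPTED")           # assumed default
    return {
        "primary->standby": negotiate(get(p, "SQLNET.ENCRYPTION_CLIENT"),
                                      get(s, "SQLNET.ENCRYPTION_SERVER")),
        "standby->primary": negotiate(get(s, "SQLNET.ENCRYPTION_CLIENT"),
                                      get(p, "SQLNET.ENCRYPTION_SERVER")),
    }

# Constructed sample files: encryption enforced for one direction only.
PRIMARY_ORA = """
SQLNET.ENCRYPTION_CLIENT = REQUIRED
SQLNET.ENCRYPTION_TYPES_CLIENT = (AES256)
"""
STANDBY_ORA = """
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
"""

if __name__ == "__main__":
    for direction, state in redo_transport_status(PRIMARY_ORA, STANDBY_ORA).items():
        print(direction, state)
```

With the constructed files, redo shipped from primary to standby is encrypted, but the reverse direction is not, which matters once a switchover makes the old standby the sender.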
