Administrator Guide

Custom Key Store

You can use a custom key store and security provider to store and access the target database credentials. To use a custom key store and security provider, you must create an XML configuration file called
. If you want to use CyberArk as a security provider, you must also create a CyberArk properties file. Then you can create the target database connection.

File

file contains the information used to define the custom key store and security provider. To configure custom key stores and security providers, create the file in the following location:
Use the following parameters to configure the
file for the custom security provider:
Mandatory. Fully-qualified class name of the security provider. For example:
Optional. Provider-specific initialization parameter. For example, the path to a configuration file.
Use the following parameters to configure the
file for the custom key store:
Mandatory. Unique name of the key store. Once you have defined the key store name, do not modify it.
Mandatory. Type of key store. For CyberArk, enter the storeType "CyberArk."
Optional. Path to the key store file.
Optional. Key store password.
Optional. Name of the custom security provider that Provider.getName() returns. Note that this is not the name of the class.
If the security provider is CyberArk, this parameter is mandatory. Provide the name of the security provider. This name should match the property "" in the CyberArk properties file.
Optional. Clear password for the key store that you can set in the
file. Dynamic Data Masking encrypts the password at run-time and sets
in the file.
After you configure the
file, you can start the Dynamic Data Masking Server to load the file and then create the target database connection. When you configure the connection, enter the key store name defined in the
file and the alias. For CyberArk accounts, the alias name was defined during creation of the CyberArk account.
Custom security providers can allow read-only or read and write access to the key store. For a read-only key store, enter the existing alias.

Sample Files

The following file is an example of a
file that contains two custom security providers, one with a configuration file as the provider-specific initialization parameter, and another provider without an initialization parameter. The file contains three custom key stores that have unique names, with two key stores including the name of the designated security provider.
<?xml version="1.0"?>
<XML>
  <keyStores type="ArrayList">
    <entry type="StoreDescriptor">
      <storePassword>admin</storePassword>
      <storeType>JCEKS</storeType>
      <encrypted>false</encrypted>
      <storeName>store1</storeName>
      <storeFile>home/user/store.jceks</storeFile>
    </entry>
    <entry type="StoreDescriptor">
      <storePassword>admin</storePassword>
      <storeType>PKCS12</storeType>
      <encrypted>false</encrypted>
      <provider>PKCS12-Provider-5</provider>
      <storeName>store3</storeName>
      <storeFile>home/user/store.pkcs12</storeFile>
    </entry>
    <entry type="StoreDescriptor">
      <storeType>PKCS11</storeType>
      <encrypted>false</encrypted>
      <provider>MyProvider-HSM</provider>
      <storeName>store2</storeName>
      <storeFile>home/user/store.hsm</storeFile>
    </entry>
  </keyStores>
  <providers type="ArrayList">
    <entry type="ProviderDescriptor">
      <file>home/config/rsa.conf</file>
      <fqcn></fqcn>
    </entry>
    <entry type="ProviderDescriptor">
      <fqcn></fqcn>
    </entry>
  </providers>
</XML>
The following file is an example of a
file configured for use with a CyberArk key store:
<?xml version="1.0"?>
<XML>
  <keyStores type="ArrayList">
    <entry type="StoreDescriptor">
      <storeType>CyberArk</storeType>
      <storeName>DDMQASafe</storeName>
      <provider>QASafeProvider</provider>
    </entry>
  </keyStores>
  <providers type="ArrayList">
    <entry type="ProviderDescriptor">
      <file>cfg\CyberArk_DDMQASafe.props</file>
      <fqcn></fqcn>
    </entry>
  </providers>
</XML>
You can configure multiple CyberArk entries in the
file with the same method.
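The following script is an added example, not part of this guide or of the Dynamic Data Masking product. It parses a key store configuration file in the layout shown in the samples above and checks the rules stated in the parameter descriptions: storeName and storeType are mandatory, storeName must be unique, a CyberArk store must name its provider, a provider needs a fully-qualified class name, and a storePassword with encrypted set to anything but true is still in clear text. The embedded XML and the class name com.example.Provider are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the same layout as the guide's sample files.
SAMPLE = """<?xml version="1.0"?>
<XML>
  <keyStores type="ArrayList">
    <entry type="StoreDescriptor">
      <storePassword>admin</storePassword>
      <storeType>JCEKS</storeType>
      <encrypted>false</encrypted>
      <storeName>store1</storeName>
    </entry>
    <entry type="StoreDescriptor">
      <storeType>CyberArk</storeType>
      <storeName>DDMQASafe</storeName>
    </entry>
    <entry type="StoreDescriptor">
      <storeType>PKCS11</storeType>
      <storeName>store1</storeName>
    </entry>
  </keyStores>
  <providers type="ArrayList">
    <entry type="ProviderDescriptor"><fqcn></fqcn></entry>
  </providers>
</XML>
"""

def text(entry, tag):
    # Trimmed text of a child tag, or "" when the tag is absent or empty.
    return (entry.findtext(tag) or "").strip()

def lint_keystore_config(xml_text):
    # Returns a list of findings; an empty list means the config passed.
    findings = []
    root = ET.fromstring(xml_text)
    seen = set()
    for entry in root.findall("./keyStores/entry"):
        name, stype = text(entry, "storeName"), text(entry, "storeType")
        if not name or not stype:
            findings.append("entry missing mandatory storeName or storeType")
            continue
        if name in seen:
            findings.append(f"{name}: duplicate storeName (must be unique)")
        seen.add(name)
        if stype == "CyberArk" and not text(entry, "provider"):
            findings.append(f"{name}: CyberArk store requires <provider>")
        if text(entry, "storePassword") and text(entry, "encrypted") != "true":
            findings.append(f"{name}: storePassword is in clear text until the server encrypts it")
    for i, prov in enumerate(root.findall("./providers/entry")):
        if not text(prov, "fqcn"):
            findings.append(f"provider {i}: mandatory <fqcn> is empty")
    return findings
```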

CyberArk Properties File

If you use CyberArk as a security provider, you must create a CyberArk properties file in addition to the
file. The CyberArk properties file is a text properties file that contains parameters specific to CyberArk.
Create the CyberArk properties file within the
folder. For example:
. Provide the location of the file in the <file> parameter of the security provider section of the
The CyberArk properties file includes the following parameters:
Name of the security provider. Name must match the <provider> tag in the key store section of the
Application ID. The application ID was created during the CyberArk installation.
Mandatory. Name of the specific safe within CyberArk.
Unique attribute name of the account.
By default, the name of the account is the unique attribute; it is internally mapped to the string "Object," so "Object" is the value for this parameter.
If you selected an attribute other than name as the unique identifier, give that attribute name as the value of the property.
For example, if you selected the attribute "host" as the unique identifier, give the value of as "host."
Path from the root to the folder that contains the account. If you leave this parameter blank, Dynamic Data Masking assumes the account is directly under the root.
If you plan to use CyberArk as a security provider, you must put the CyberArk
file into the
<Dynamic Data Masking installation>/lib/ext
directory to complete the integration. The
file is located in the
directory of the CyberArk AIM installation (on Microsoft Windows) or the
directory (on Linux).

Sample CyberArk Properties File

The following file is an example of a CyberArk properties file:

provider.client.appid=DDMJavaTest
provider.folder.path=root\\subfolder