The default key store and security provider are pre-configured for use with any database supported by Dynamic Data Masking.
The default key store is a JCEKS-type key store that permits both read and write operations. If the key store does not already exist, Dynamic Data Masking creates it in the following location when you add the first database object that uses the default key store:
<DDM>/cfg/ddm.jceks
When you configure the target database, you can select the default key store option and then enter the database user name and password. When you save the database connection, an alias is automatically generated and saved in the key store along with the database credentials. The Dynamic Data Masking Server reads the database credentials from the key store to create an internal connection in the database object. The alias is not visible in the database form, and the Dynamic Data Masking Server never sends the credentials to the client or outside of the Dynamic Data Masking Server.
Dynamic Data Masking upgrades each database object using the following process:
1. Sets the default key store in the database object.
2. Sets the automatically generated alias in the database object.
3. Saves the alias, user name, and password of the database object in the default key store.
4. Removes the user name and password from the database object.
5. Saves the resulting database object in the Management Console tree. The database object contains the alias and default key store, but not the user name or password.
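The following Java sketch illustrates the alias-based storage and the upgrade steps described above using the standard JCEKS API. It is an added example, not Dynamic Data Masking code. The file name, store password, alias format, and the use of two secret entries per alias are assumptions, because this page does not document how the product lays out entries internally.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.util.*;
import javax.crypto.spec.SecretKeySpec;

public class KeyStoreUpgradeDemo {
    // Constructed values: the store password, alias format and entry layout are assumptions.
    static final char[] STORE_PASS = "changeit-demo".toCharArray();
    static final KeyStore.ProtectionParameter PROT = new KeyStore.PasswordProtection(STORE_PASS);

    static void put(KeyStore ks, String alias, String secret) throws Exception {
        // JCEKS can hold arbitrary secrets as SecretKeyEntry; "AES" is only a label here.
        SecretKeySpec key = new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "AES");
        ks.setEntry(alias, new KeyStore.SecretKeyEntry(key), PROT);
    }

    static String get(KeyStore ks, String alias) throws Exception {
        KeyStore.SecretKeyEntry e = (KeyStore.SecretKeyEntry) ks.getEntry(alias, PROT);
        return new String(e.getSecretKey().getEncoded(), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        File file = new File("demo.jceks");   // stand-in for <DDM>/cfg/ddm.jceks
        KeyStore ks = KeyStore.getInstance("JCEKS");
        if (file.exists()) {
            try (InputStream in = new FileInputStream(file)) { ks.load(in, STORE_PASS); }
        } else {
            ks.load(null, STORE_PASS);        // key store is created on first use
        }

        // Database object before the upgrade: credentials stored inline (constructed sample).
        Map<String, String> dbObject = new LinkedHashMap<>();
        dbObject.put("name", "ORCL_HR");
        dbObject.put("user", "ddm_admin");
        dbObject.put("password", "s3cret-demo");

        String alias = "ddm-" + UUID.randomUUID();           // generated alias (hypothetical format)
        dbObject.put("keystore", "default");                 // steps 1 and 2: key store and alias
        dbObject.put("alias", alias);
        put(ks, alias + ".user", dbObject.remove("user"));   // steps 3 and 4: move credentials
        put(ks, alias + ".password", dbObject.remove("password"));
        try (OutputStream out = new FileOutputStream(file)) { ks.store(out, STORE_PASS); }

        System.out.println("Saved object: " + dbObject);     // step 5: alias and key store only
        // Server side: resolve credentials from the alias when opening the internal connection.
        System.out.println("Resolved user: " + get(ks, alias + ".user"));
    }
}
```

Because the key store file now holds every database credential, restrict read access to it to the account that runs the server and protect the store password accordingly.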