The default keystore and security provider are pre-configured for use with any database supported by Dynamic Data Masking.
The default keystore is a JCEKS-type keystore that permits both read and write operations. If the keystore does not already exist, it is created in the following location when the Dynamic Data Masking Server starts:
<DDM>/cfg/ddm.jceks
When you configure the target database, you can select the default keystore option and then enter the database user name and password. When you save the database object, an alias is automatically generated and saved in the keystore along with the database credentials. The Dynamic Data Masking Server reads the database credentials from the keystore to create an internal connection to the database. The alias is not visible in the database form, and the Dynamic Data Masking Server never sends the credentials to the client or outside of the Dynamic Data Masking Server.
Dynamic Data Masking uses the following process to upgrade each database object:
1. Sets the default keystore in the database object.
2. Sets the automatically generated alias in the database object.
3. Saves the alias, user name, and password of the database object in the default keystore.
4. Removes the user name and password from the database object.
5. Saves the resulting database object in the Management Console tree. The database object contains the alias and default keystore, but not the user name or password.
This upgrade is performed only when the database objects were created in versions of Dynamic Data Masking prior to 9.8.3.
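The following Java sketch walks through the upgrade steps above against a throwaway JCEKS keystore. It is an added example, not Dynamic Data Masking code. The map-based database object, the UUID alias scheme, the `<alias>.user` / `<alias>.password` entry layout, and the keystore password are assumptions made for illustration, because the page does not document the product's internal entry format.

```java
import java.io.*;
import java.nio.file.*;
import java.security.KeyStore;
import java.util.*;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class KeystoreMigrationDemo {
    // Store an ASCII string as a password-protected secret-key entry.
    static void put(KeyStore ks, String alias, String value, char[] pw) throws Exception {
        SecretKey key = SecretKeyFactory.getInstance("PBE")
                .generateSecret(new PBEKeySpec(value.toCharArray()));
        ks.setEntry(alias, new KeyStore.SecretKeyEntry(key), new KeyStore.PasswordProtection(pw));
    }

    // Read the string back from the entry stored under the alias.
    static String get(KeyStore ks, String alias, char[] pw) throws Exception {
        KeyStore.SecretKeyEntry entry = (KeyStore.SecretKeyEntry)
                ks.getEntry(alias, new KeyStore.PasswordProtection(pw));
        PBEKeySpec spec = (PBEKeySpec) SecretKeyFactory.getInstance("PBE")
                .getKeySpec(entry.getSecretKey(), PBEKeySpec.class);
        return new String(spec.getPassword());
    }

    // Upgrade steps: set keystore and alias, copy credentials in, strip them from the object.
    static void upgrade(Map<String, String> dbObject, KeyStore ks, char[] pw) throws Exception {
        String alias = UUID.randomUUID().toString();          // hypothetical alias scheme
        dbObject.put("keystore", "default");
        dbObject.put("alias", alias);
        put(ks, alias + ".user", dbObject.get("userName"), pw);      // hypothetical layout
        put(ks, alias + ".password", dbObject.get("password"), pw);
        dbObject.remove("userName");
        dbObject.remove("password");
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "constructed-demo-pass".toCharArray();    // constructed sample value
        Path file = Files.createTempFile("demo", ".jceks");   // temp file, not <DDM>/cfg/ddm.jceks
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, pw);                                    // start from an empty keystore
        Map<String, String> db = new HashMap<>(Map.of(        // constructed database object
                "name", "DEMO_DB", "userName", "ddm_user", "password", "S3cret-demo"));
        upgrade(db, ks, pw);
        try (OutputStream out = Files.newOutputStream(file)) { ks.store(out, pw); }
        KeyStore reloaded = KeyStore.getInstance("JCEKS");
        try (InputStream in = Files.newInputStream(file)) { reloaded.load(in, pw); }
        System.out.println("object after upgrade: " + db);
        System.out.println("user from keystore: " + get(reloaded, db.get("alias") + ".user", pw));
        Files.delete(file);
    }
}
```

After the upgrade the object holds only its name, the keystore reference, and the alias, so anyone who can read the saved object still needs the keystore file and its password to recover the credentials.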