Administrator Guide

Trust Strategies

A trust strategy tells Dynamic Data Masking how to handle a certificate that does not exist in the Dynamic Data Masking truststore and is therefore rejected by the trust manager.
When Dynamic Data Masking fails to validate a certificate, it consults the configured trust strategies to decide whether the certificate chain can be trusted. If a trust strategy determines that it trusts the certificate, it returns an "accept" value to the trust manager. When that value is "accept_permanently" or "accept_temporarily", Dynamic Data Masking adds the certificate to the preferred or temporary truststore. Dynamic Data Masking then validates the certificate chain again, which in the normal case now succeeds.
If the trust strategy determines that it cannot trust a certificate, it returns a "reject" value to the trust manager. If all configured trust strategies reject the certificate and return a "reject" value to the trust manager, Dynamic Data Masking denies the client connection.
Trust strategies allow Dynamic Data Masking to add accepted certificates to the Dynamic Data Masking truststore at run time, similar to web browsers. For example, if a database uses a self-signed certificate to perform the SSL handshake with the client, you can configure the self-signed strategy in Dynamic Data Masking to accept all self-signed certificates. Dynamic Data Masking adds those certificates to the truststore. Similarly, you can use different strategies to accept and store new certificates in the truststore without any manual action.
Dynamic Data Masking is installed with two trust strategies that you can configure in the cfg/ddm.security file:
  • A strategy to accept self-signed certificates: com.activebase.security.trustmanager.strategies.SelfSignedStrategy
    When you configure the strategy, you provide a value for both the <accept> and <reject> parameters. The <accept> parameter tells Dynamic Data Masking what action to take on self-signed certificates. The <reject> value tells Dynamic Data Masking what action to take on certificates that are not self-signed.
    For example, the following image shows a configuration to permanently accept all self-signed certificates and reject all other certificates:
    The following image shows a configuration to reject all self-signed certificates and permanently accept all other certificates:
  • A strategy to accept certificates with a matching fingerprint: com.activebase.security.trustmanager.strategies.FingerprintStrategy
    This strategy generates a fingerprint of the certificate that Dynamic Data Masking is checking, using the cryptographic hash algorithm specified in the <algorithm> parameter, "SHA-1" for example. The strategy compares the generated fingerprint with the configured <fingerprint> parameter. You also configure the <reject> and <accept> parameters to tell Dynamic Data Masking what to do with certificates that are accepted or rejected based on the strategy logic.
The final result of trust strategy processing is a combination of the following steps:
  1. Acceptance or rejection of the certificate, based on the logic of the strategy.
  2. Assignment of the appropriate value to the acceptance or rejection.
The following table describes when Dynamic Data Masking stores an accepted certificate in either the preferred or temporary truststore, based on the accept value of the trust strategy and the preferred value of the truststore:
| Preferred Store | Trust Strategy Result | Client Connection | Action |
|---|---|---|---|
| set | Accept permanently | Allow | Dynamic Data Masking permanently stores the new certificate and uses it for the duration of the current and all future sessions. |
| set | Accept temporarily | Allow | Dynamic Data Masking temporarily accepts the new certificate and uses it for the duration of the current session. |
| not set | Accept permanently | Allow | Dynamic Data Masking temporarily accepts the new certificate and uses it for the duration of the current session. |
| not set | Accept temporarily | Allow | Dynamic Data Masking temporarily accepts the new certificate and uses it for the duration of the current session. |
| set | Reject | Refuse | No action taken. |
| not set | Reject | Refuse | No action taken. |
| not set | - | Refuse | No action taken. |
| set | - | Refuse | No action taken. |
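The decision flow described above and summarised in the table, as an added example that is not part of the product documentation: a small Python model of the two shipped strategies and of how the trust manager combines a strategy result with the preferred-store setting. Certificates are stand-in objects with constructed bytes (not real DER), self-signed is approximated as issuer equal to subject, and fingerprints are computed with hashlib; all names are hypothetical.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Result values a trust strategy returns to the trust manager.
ACCEPT_PERMANENTLY = "accept_permanently"
ACCEPT_TEMPORARILY = "accept_temporarily"
REJECT = "reject"

@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 certificate; 'der' is constructed bytes, not real DER."""
    subject: str
    issuer: str
    der: bytes

Strategy = Callable[[Cert], str]

def fingerprint_of(cert: Cert, algorithm: str) -> str:
    """Hex digest of the certificate bytes; algorithm "SHA-1" maps to hashlib's sha1."""
    return hashlib.new(algorithm.replace("-", "").lower(), cert.der).hexdigest()

def self_signed_strategy(accept: str, reject: str) -> Strategy:
    """SelfSignedStrategy: <accept> for self-signed certificates, <reject> for all others.
    Self-signed is approximated here as issuer == subject."""
    return lambda cert: accept if cert.issuer == cert.subject else reject

def fingerprint_strategy(algorithm: str, fingerprint: str, accept: str, reject: str) -> Strategy:
    """FingerprintStrategy: hash the certificate with <algorithm> and compare the result
    to the configured <fingerprint> (colon-separated or bare hex, case-insensitive)."""
    expected = fingerprint.replace(":", "").lower()
    return lambda cert: accept if fingerprint_of(cert, algorithm) == expected else reject

def evaluate(cert: Cert, strategies: List[Strategy], preferred_store_set: bool) -> Tuple[str, Optional[str]]:
    """Consult strategies in order; the first accepting one decides. Returns (connection, store):
    a permanent accept lands in the preferred store only when that store is set, any other
    accept is kept for the current session only, and no accept at all refuses the connection."""
    for strategy in strategies:
        result = strategy(cert)
        if result == ACCEPT_PERMANENTLY:
            return "allow", "preferred" if preferred_store_set else "temporary"
        if result == ACCEPT_TEMPORARILY:
            return "allow", "temporary"
    return "refuse", None

# Constructed sample certificates (placeholder values, not real certificates).
SELF_SIGNED_DB_CERT = Cert("CN=db.internal", "CN=db.internal", b"constructed-self-signed")
CA_SIGNED_DB_CERT = Cert("CN=db.internal", "CN=Internal CA", b"constructed-ca-signed")
```

Note that a self-signed strategy configured with a permanent accept admits any self-signed certificate a database presents, so the fingerprint strategy is the one to use when a specific known certificate should be pinned.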
The following image shows a configuration of the two trust strategies in the cfg/ddm.security file:
The certificate fingerprint is a long string that represents a real fingerprint.
