Administrator Guide

Protocols and Cipher Suites

To improve network security in Dynamic Data Masking, you can restrict the security protocols and cipher suites that the server accepts in the cfg/ddm.security file. Limiting connections to current protocol versions and strong cipher suites reduces exposure to attacks that depend on a weak protocol or cipher, such as a man-in-the-middle attack. You can define global settings for protocols and cipher suites, or you can configure protocols and cipher suites that map to a specific Dynamic Data Masking host and port.

Global Configuration

You can define protocols and cipher suites as global settings that apply to all SSL ports in Dynamic Data Masking. The following image shows an example configuration in the cfg/ddm.security file for:
  • TLSv1.2 communication between clients and Dynamic Data Masking, and between Dynamic Data Masking and databases
  • Two cipher suites for message encryption
In this example, TLSv1.1 is disabled manually because it does not support the specified cipher suites. Had it been left in the list, Dynamic Data Masking would have disabled it anyway: the server disables any configured protocol that supports none of the listed cipher suites.
When you start Dynamic Data Masking, it logs a warning about unsupported protocols and automatically disabled protocols. To print a list of global protocols and cipher suites that Dynamic Data Masking uses at run-time, run the following server network commands:
  • server network protocols
  • server network ciphers
To print a list of all available protocols and cipher suites enabled in the Java Virtual Machine on which Dynamic Data Masking runs, run the following server network commands:
  • server network protocols available
  • server network ciphers available
The protocols and cipher suites that you configure must be a subset of the available protocols and cipher suites; an entry that the JVM does not offer cannot take effect.
If a database client does not support the protocols and cipher suites that you configure in the cfg/ddm.security file, the client cannot connect to Dynamic Data Masking or to any database through Dynamic Data Masking. In this case, configure the client software to use protocols and cipher suites that the server accepts.

Port Configuration

You can configure an advanced port strategy that maps an SSL-enabled host and port to an alias in Dynamic Data Masking and, optionally, to a set of security protocols and cipher suites. A port strategy lets you fine-tune network security for the clients that connect to a specific SSL-enabled port in Dynamic Data Masking. As with the global settings, a port strategy disables any listed protocol that supports none of its cipher suites.
The following image shows an example of an advanced port configuration in the cfg/ddm.security file:
In this example, the strategy for port 1535 allows only TLSv1.2 and defines two cipher suites.
You can configure as many strategies as required in the cfg/ddm.security file. However, do not specify the same host and port more than once. Dynamic Data Masking uses the first entry that matches a given [host:]port to configure the SSL port and to select the signed certificate for the SSL handshake with the client; later entries for the same host and port are ignored.
Protocols and cipher suites defined in an advanced port strategy override the global settings for the client-facing port that the strategy names. The connection from Dynamic Data Masking to the database always uses the global settings, and a setting that is not set means every protocol that the JVM has enabled. The following table shows example configuration settings and the corresponding run-time behavior:

Scenario | Configured protocols                | Run-time protocols
         | Global           | Strategy on      | Port to communicate  | Port to communicate
         |                  | port 1535        | with client (1535)   | with database
---------+------------------+------------------+----------------------+---------------------
1        | TLSv1.2 TLSv1.1  | TLSv1.2          | TLSv1.2              | TLSv1.2 TLSv1.1
2        | TLSv1.2          | TLSv1.2 TLSv1.1  | TLSv1.2 TLSv1.1      | TLSv1.2
3        | TLSv1.2 TLSv1.1  | Not set          | TLSv1.2 TLSv1.1      | TLSv1.2 TLSv1.1
4        | Not set          | TLSv1.2 TLSv1.1  | TLSv1.2 TLSv1.1      | all protocols
5        | Not set          | Not set          | all protocols        | all protocols
To print a list of configured protocols and cipher suites for a specific SSL host and port, run the following server network commands:
  • server network protocols [host:]port
  • server network ciphers [host:]port
For example:
    server network protocols 10.40.1.172:1535
    server network ciphers 1535
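The two rules that decide what a port actually offers are easy to misapply when reading a real cfg/ddm.security file: from the Global Configuration section, a configured protocol that supports none of the configured cipher suites is switched off; from the table above, a port strategy overrides the global settings only on the client side, the database side always uses the global settings, and "Not set" means every protocol the JVM has enabled. The following Python is an added model of those rules, not Informatica code. It does not parse the ddm.security file, whose layout the guide shows only as an image; the JVM protocol list and the suite-to-protocol compatibility map are constructed sample data, and the field-level fallback from a strategy to the global cipher list is an assumption the guide does not state.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

# Constructed sample: the protocols the JVM reports as available, in the
# order `server network protocols available` would print them.
AVAILABLE_PROTOCOLS = ["TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1"]

# Protocol versions each suite can be negotiated under (standard TLS facts,
# limited to the suites used below): TLS 1.3 suites are 1.3-only, GCM/SHA-2
# suites need TLS 1.2, legacy CBC/SHA-1 suites run on TLS 1.0 to 1.2.
SUITE_PROTOCOLS = {
    "TLS_AES_128_GCM_SHA256": {"TLSv1.3"},
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": {"TLSv1.2"},
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": {"TLSv1.2"},
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": {"TLSv1", "TLSv1.1", "TLSv1.2"},
}


@dataclass
class TlsSettings:
    """Protocol and cipher lists as configured; None stands for 'Not set'."""
    protocols: Optional[Sequence[str]] = None
    ciphers: Optional[Sequence[str]] = None


def prune_protocols(protocols, ciphers):
    """Return (kept, disabled): the protocols that can carry at least one
    configured cipher suite, and the ones the server would switch off and
    warn about at start-up. With no cipher suites configured nothing is
    disabled."""
    if not ciphers:
        return list(protocols), []
    unknown = sorted(set(ciphers) - set(SUITE_PROTOCOLS))
    if unknown:
        raise ValueError(f"cipher suites not available in this JVM: {unknown}")
    usable = set().union(*(SUITE_PROTOCOLS[c] for c in ciphers))
    kept = [p for p in protocols if p in usable]
    disabled = [p for p in protocols if p not in usable]
    return kept, disabled


def resolve(global_cfg, strategy_cfg, side, available=AVAILABLE_PROTOCOLS):
    """Effective (kept, disabled) protocols for one side of a connection.

    side == "client":   the SSL port a client connects to; a port strategy
                        for that port overrides the global settings.
    side == "database": the onward connection to the database; the guide's
                        table shows this side always uses the global settings.
    Assumption: a field the strategy leaves unset falls back to the global
    value (the guide only shows the strategy fully unset, scenario 3).
    """
    if side not in ("client", "database"):
        raise ValueError(f"unknown side {side!r}")
    cfg = global_cfg
    if side == "client" and strategy_cfg is not None:
        cfg = TlsSettings(
            protocols=(strategy_cfg.protocols if strategy_cfg.protocols is not None
                       else global_cfg.protocols),
            ciphers=(strategy_cfg.ciphers if strategy_cfg.ciphers is not None
                     else global_cfg.ciphers),
        )
    if cfg.protocols is None:
        protocols = list(available)  # "Not set": every protocol the JVM offers
    else:
        bad = [p for p in cfg.protocols if p not in available]
        if bad:  # configured lists must be a subset of the available ones
            raise ValueError(f"protocols not available in this JVM: {bad}")
        protocols = list(cfg.protocols)
    return prune_protocols(protocols, cfg.ciphers)


if __name__ == "__main__":
    legacy_cbc = ["TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"]
    gcm_only = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]
    # Scenario 1 from the table: the strategy on port 1535 narrows only
    # the client side; the database side keeps the global list.
    g = TlsSettings(["TLSv1.2", "TLSv1.1"], legacy_cbc)
    s = TlsSettings(["TLSv1.2"])
    print("client  :", resolve(g, s, "client"))    # (['TLSv1.2'], [])
    print("database:", resolve(g, s, "database"))  # (['TLSv1.2', 'TLSv1.1'], [])
    # The global example: GCM suites cannot run on TLSv1.1, so the server
    # would disable it even if the administrator left it in the list.
    g = TlsSettings(["TLSv1.2", "TLSv1.1"], gcm_only)
    print("pruned  :", resolve(g, None, "client"))  # (['TLSv1.2'], ['TLSv1.1'])
```

Fill AVAILABLE_PROTOCOLS and SUITE_PROTOCOLS from the output of `server network protocols available` and `server network ciphers available` on the real server, then compare what `resolve` predicts for a port with what `server network protocols [host:]port` prints; a mismatch on the database side usually means a strategy was expected to apply where only the global settings do.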

Java Security Protocol Configuration

By default, TLSv1 and TLSv1.1 are disabled in the JRE version included with Dynamic Data Masking. You can enable them if a client or database requires them.
To enable TLSv1 and TLSv1.1, perform the following tasks:
  1. Open the following file:
    <Dynamic Data Masking installation directory>/jre/lib/security/java.security
  2. Search the file content for the jdk.tls.disabledAlgorithms property.
  3. Delete the TLSv1 and TLSv1.1 values from the comma-separated list of values, leaving the other entries in place.
  4. Save the changes to the file.
Enabling older TLS versions reduces the overall security of the product. Check the property again after any JRE update, because a replacement JRE includes its own copy of the java.security file.
For more information about JRE algorithms, see the Azul JDK support website.
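The edit in steps 1 to 4 is short in a text editor, but the property spans more than one physical line with backslash continuations, so it is easy to clip a neighbouring entry such as a key-size floor. The following Python is an added example, not Informatica's or Azul's code: it reads the property with its continuation lines joined, removes exactly the TLSv1 and TLSv1.1 entries, and reports which legacy versions a file still disables so the setting can be audited after a JRE update. The java.security excerpt is constructed for the example, and the functions assume the stock `name=value` spelling of the property.

```python
# Constructed excerpt of <install dir>/jre/lib/security/java.security. The
# real file is far longer, but the property uses the same comma-separated
# value with backslash line continuation.
SAMPLE_JAVA_SECURITY = """\
# Unrelated properties and comments must survive the edit untouched.
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \\
    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
jdk.tls.legacyAlgorithms=NULL, anon, RC4, DES, 3DES_EDE_CBC
"""

LEGACY_TLS = ("TLSv1", "TLSv1.1")
PROPERTY = "jdk.tls.disabledAlgorithms"


def _logical_lines(text):
    """Yield (first, last, joined) per logical line: a physical line ending in
    a backslash continues on the next one, whose leading whitespace is
    dropped, as the Java properties format specifies."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        first, joined = i, lines[i]
        while joined.endswith("\\") and i + 1 < len(lines):
            i += 1
            joined = joined[:-1] + lines[i].lstrip()
        yield first, i, joined
        i += 1


def _is_property(logical, name):
    stripped = logical.lstrip()
    return not stripped.startswith(("#", "!")) and stripped.startswith(name + "=")


def get_property(text, name):
    """Values of a comma-separated property, or None if it is absent.
    Assumes the stock `name=value` spelling (no spaces around '=')."""
    for _, _, logical in _logical_lines(text):
        if _is_property(logical, name):
            value = logical.lstrip()[len(name) + 1:]
            return [v.strip() for v in value.split(",") if v.strip()]
    return None


def set_property(text, name, values):
    """Return text with the property rewritten on one physical line, every
    other line unchanged."""
    lines = text.splitlines(keepends=True)
    for first, last, logical in _logical_lines(text):
        if _is_property(logical, name):
            lines[first:last + 1] = [f"{name}={', '.join(values)}\n"]
            return "".join(lines)
    raise KeyError(name)


def enable_legacy_tls(text):
    """Steps 1 to 4 of the guide: drop only TLSv1 and TLSv1.1 from the
    disabled list. SSLv3, the weak ciphers and the key-size floors stay."""
    current = get_property(text, PROPERTY)
    if current is None:
        raise KeyError(PROPERTY)
    return set_property(text, PROPERTY, [v for v in current if v not in LEGACY_TLS])


def legacy_tls_still_disabled(text):
    """Audit helper: legacy versions the JVM will still refuse. Run it on the
    live file after a JRE update, which brings its own java.security."""
    return [v for v in LEGACY_TLS if v in (get_property(text, PROPERTY) or [])]


if __name__ == "__main__":
    print("before:", legacy_tls_still_disabled(SAMPLE_JAVA_SECURITY))  # ['TLSv1', 'TLSv1.1']
    patched = enable_legacy_tls(SAMPLE_JAVA_SECURITY)
    print("after :", legacy_tls_still_disabled(patched))              # []
    print(patched)
```

To apply it to the real file, read java.security into a string, pass it through `enable_legacy_tls`, and write the result back only after keeping a copy of the original; `legacy_tls_still_disabled` on the live file is the quick check that a JRE update has not silently re-disabled the versions a client depends on, or, for a hardened deployment, that they are still disabled.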
