Administrator Guide

Custom Keystore

You can use a custom keystore and security provider to store and access the target database credentials. To use a custom keystore and security provider, you must create an XML configuration file called ddm.security. If you want to use CyberArk as a security provider, you must also create a CyberArk properties file. Then you can create the target database connection.

ddm.security File

The ddm.security file contains the information used to define the custom keystore and security provider. To configure custom keystores and security providers, create the file in the following location:

<DDM>/cfg/ddm.security

Use the following parameters to configure the ddm.security file for the custom security provider:

Name    Description
<fqcn>  Mandatory. Fully-qualified class name of the security provider. For example: com.security.provider.MyProvider
<file>  Optional. Provider-specific initialization parameter. For example, the path to a configuration file.
Use the following parameters to configure the ddm.security file for the custom keystore:

Name           Default  Description
storeName      -        Mandatory. Unique name of the keystore. Once you have defined the keystore name, do not modify it.
storeType      -        Mandatory. Type of keystore. For CyberArk, enter the storeType as CyberArk.
storeFile      null     Optional. Path to the keystore file.
storePassword  null     Optional. Keystore password.
provider       -        Optional. Name of the custom security provider, that is, the value that Provider.getName() returns. Note that this is not the name of the class. If the security provider is CyberArk, this parameter is mandatory: provide the name of the security provider, which must match the provider.name property in the CyberArk properties file.
encrypted      false    Optional. Specify a clear-text password for the keystore in the ddm.security file. Dynamic Data Masking encrypts the password at run time and sets encrypted=true in the file.
After you configure the ddm.security file, start the Dynamic Data Masking Server. When you configure the database object, enter the keystore name defined in the ddm.security file and the alias associated with the database user name and password in the custom keystore. For CyberArk accounts, the alias name was defined when the CyberArk account was created.

Custom security providers can allow read-only or read and write access to the keystore. For a read-only keystore, enter an existing alias.

Sample ddm.security Files

The following file is an example of a ddm.security file that contains two custom security providers, one with a configuration file as the provider-specific initialization parameter and one without an initialization parameter. The file contains three custom keystores with unique names; two of the keystores name their designated security provider.

<?xml version="1.0"?>
<XML>
  <keyStores type="ArrayList">
    <entry type="StoreDescriptor">
      <storeName>store1</storeName>
      <storePassword>admin</storePassword>
      <storeType>JCEKS</storeType>
      <encrypted>false</encrypted>
      <storeFile>cfg/store.jceks</storeFile>
    </entry>
    <entry type="StoreDescriptor">
      <storeName>store3</storeName>
      <storePassword>admin</storePassword>
      <storeType>PKCS12</storeType>
      <encrypted>false</encrypted>
      <provider>PKCS12-Provider-5</provider>
      <storeFile>cfg/store.pkcs12</storeFile>
    </entry>
    <entry type="StoreDescriptor">
      <storeName>store2</storeName>
      <storeType>PKCS11</storeType>
      <encrypted>false</encrypted>
      <provider>MyProvider-HSM</provider>
      <storeFile>cfg/store.pkcs11</storeFile>
    </entry>
  </keyStores>
  <providers type="ArrayList">
    <entry type="ProviderDescriptor">
      <file>cfg/xyz.conf</file>
      <fqcn>com.security.provider.XYZProvider</fqcn>
    </entry>
    <entry type="ProviderDescriptor">
      <fqcn>com.security.provider.MyProvider</fqcn>
    </entry>
  </providers>
</XML>
The following file is an example of a ddm.security file configured for use with a CyberArk keystore:

<?xml version="1.0"?>
<XML>
  <keyStores type="ArrayList">
    <entry type="StoreDescriptor">
      <storeType>CyberArk</storeType>
      <storeName>DDMQASafe</storeName>
      <provider>QASafeProvider</provider>
    </entry>
  </keyStores>
  <providers type="ArrayList">
    <entry type="ProviderDescriptor">
      <file>cfg\CyberArk_DDMQASafe.props</file>
      <fqcn>com.informatica.security.jce.cyberark.CyberarkProvider</fqcn>
    </entry>
  </providers>
</XML>
You can configure multiple CyberArk entries in the ddm.security file with the same method.

CyberArk Properties File

If you use CyberArk as a security provider, you must create a CyberArk properties file in addition to the ddm.security file. The CyberArk properties file is a text properties file that contains parameters specific to CyberArk.

Create the CyberArk properties file within the <DDM>/cfg/ folder, for example <DDM>/cfg/CyberArk.props. Provide the location of the file in the <file> parameter of the security provider section of the ddm.security file.
The CyberArk properties file includes the following parameters:

Name                      Description
provider.name             Name of the security provider. The name must match the <provider> tag in the keystore section of the ddm.security file.
provider.client.appid     Application ID. The application ID was created during the CyberArk installation.
provider.safe             Mandatory. Name of the specific safe within CyberArk.
provider.uniqueattr.name  Unique attribute name of the account. By default, the name of the account is the unique attribute and is internally mapped to the string "Object"; in this case, Object is the value of the parameter. If you selected an attribute other than name as the unique identifier, give that attribute name as the value. For example, if you selected the attribute host as the unique identifier, set provider.uniqueattr.name to host.
provider.folder.path      Path from the root to the folder containing the given account. If you leave this parameter blank, Dynamic Data Masking assumes the account is under the root.
If you plan to use CyberArk as a security provider, you must put the CyberArk JavaPasswordSDK.jar file into the <Dynamic Data Masking installation>/lib/ext directory to complete the integration. The JavaPasswordSDK.jar file is located in the ApplicationPasswordSdk directory of the CyberArk AIM installation (on Microsoft Windows) or in the /opt/CARKaim/sdk/ directory (on Linux).

Sample CyberArk Properties File

The following file is an example of a CyberArk properties file:

provider.name=QASafeProvider
provider.client.appid=DDMJavaTest
provider.safe=DDMQASafe
provider.uniqueattr.name=Object
provider.folder.path=root\\subfolder
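As an added example (not Informatica code and not shipped with Dynamic Data Masking), the following Python script checks a ddm.security file and the CyberArk properties file it references against the rules stated on this page before the server is started: storeName mandatory and unique, storeType mandatory, <provider> mandatory for CyberArk keystores, provider.safe mandatory, and the keystore's <provider> value equal to provider.name in the properties file. The two file contents and the mapping from <file> path to properties text are constructed sample inputs modelled on the sample files above; the element and property names are the ones this page documents.

```python
"""Consistency checker for a Dynamic Data Masking ddm.security file and the
CyberArk properties file it references.

Added example for this page; it is not Informatica code. File contents are
passed in as strings so the check runs offline.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample ddm.security: one CyberArk keystore and one JCEKS keystore.
DDM_SECURITY_XML = """<?xml version="1.0"?>
<XML>
  <keyStores type="ArrayList">
    <entry type="StoreDescriptor">
      <storeType>CyberArk</storeType>
      <storeName>DDMQASafe</storeName>
      <provider>QASafeProvider</provider>
    </entry>
    <entry type="StoreDescriptor">
      <storeName>store1</storeName>
      <storePassword>admin</storePassword>
      <storeType>JCEKS</storeType>
      <encrypted>false</encrypted>
      <storeFile>cfg/store.jceks</storeFile>
    </entry>
  </keyStores>
  <providers type="ArrayList">
    <entry type="ProviderDescriptor">
      <file>cfg/CyberArk_DDMQASafe.props</file>
      <fqcn>com.informatica.security.jce.cyberark.CyberarkProvider</fqcn>
    </entry>
  </providers>
</XML>
"""

# Constructed sample CyberArk properties file (Java .properties syntax, so the
# doubled backslash in the folder path is one literal backslash after parsing).
CYBERARK_PROPS = r"""provider.name=QASafeProvider
provider.client.appid=DDMJavaTest
provider.safe=DDMQASafe
provider.uniqueattr.name=Object
provider.folder.path=root\\subfolder
"""


def parse_properties(text):
    """Parse Java .properties text: key=value or key:value lines, '#'/'!'
    comment lines, and single-character backslash escapes in values
    (unicode escapes are not handled; the keys used here do not need them)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
    return props


def load_ddm_security(xml_text):
    """Return (keystores, providers) as lists of {tag: text} dicts."""
    root = ET.fromstring(xml_text)

    def as_dict(entry):
        return {c.tag: (c.text or "").strip() for c in entry}

    stores = [as_dict(e) for e in root.findall("./keyStores/entry")]
    providers = [as_dict(e) for e in root.findall("./providers/entry")]
    return stores, providers


def validate(xml_text, props_by_file):
    """Return a list of problems; an empty list means the files are consistent.
    props_by_file maps a provider entry's <file> path to that file's text."""
    problems = []
    stores, providers = load_ddm_security(xml_text)

    # storeName is mandatory and unique; storeType is mandatory.
    seen = set()
    for s in stores:
        name = s.get("storeName")
        if not name:
            problems.append("keystore entry without storeName")
            continue
        if name in seen:
            problems.append(f"duplicate storeName {name!r}")
        seen.add(name)
        if not s.get("storeType"):
            problems.append(f"keystore {name!r}: storeType is mandatory")

    # Collect provider.name from every CyberArk properties file we were given.
    cyberark_names = set()
    for p in providers:
        if not p.get("fqcn"):
            problems.append("provider entry without fqcn")
        path = p.get("file", "").replace("\\", "/")
        text = props_by_file.get(path)
        if text is None:
            continue  # no properties text supplied for this <file>; nothing to check
        props = parse_properties(text)
        pname = props.get("provider.name")
        if not pname:
            problems.append(f"{path}: provider.name is missing")
            continue
        if not props.get("provider.safe"):
            problems.append(f"{path}: provider.safe is mandatory")
        cyberark_names.add(pname)

    # CyberArk keystores must name a provider defined by a properties file.
    for s in stores:
        if s.get("storeType") != "CyberArk":
            continue  # Provider.getName() of other providers cannot be checked offline
        label = s.get("storeName", "?")
        prov = s.get("provider")
        if not prov:
            problems.append(f"keystore {label!r}: <provider> is mandatory for CyberArk")
        elif prov not in cyberark_names:
            problems.append(f"keystore {label!r}: no CyberArk properties file "
                            f"defines provider.name={prov}")
    return problems


if __name__ == "__main__":
    issues = validate(DDM_SECURITY_XML, {"cfg/CyberArk_DDMQASafe.props": CYBERARK_PROPS})
    print("OK" if not issues else "\n".join(issues))
```

Run it against the real <DDM>/cfg/ddm.security by reading the files into the dictionary keyed by the <file> path; a non-empty result lists the mismatch that would otherwise only surface when the Dynamic Data Masking Server starts and cannot resolve the keystore's provider.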
