Communities
A collaborative platform to connect and grow with like-minded Informaticans across the globe
Product Communities
Connect and collaborate with Informatica experts and champions
Discussions
Have a question? Start a Discussion and get immediate answers you are looking for
User Groups
Customer-organized groups that meet online and in-person. Join today to network, share ideas, and get tips on how to get the most out of Informatica
Get Started
Community Guidelines
Knowledge Center
Troubleshooting documents, product guides, how to videos, best practices, and more
Knowledge Base
One-stop self-service portal for solutions, FAQs, Whitepapers, How Tos, Videos, and more
Support TV
Video channel for step-by-step instructions to use our products, best practices, troubleshooting tips, and much more
Documentation
Information library of the latest product documents
Velocity (Best Practices)
Best practices and use cases from the Implementation team
Learn
Rich resources to help you leverage full capabilities of our products
Trainings
Role-based training programs for the best ROI
Certifications
Get certified on Informatica products. Free, Foundation, or Professional
Product Learning Paths
Free and unlimited modules based on your expertise level and journey
Resources
Library of content to help you leverage the best of Informatica products
Tech Tuesdays Webinars
Most popular webinars on product architecture, best practices, and more
Product Availability Matrix
Product Availability Matrix statements of Informatica products
SupportFlash
Monthly support newsletter
Support Documents
Informatica Support Guide and Statements, Quick Start Guides, and Cloud Product Description Schedule
Product Lifecycle
End of Life statements of Informatica products
Ideas
Events
Change Request Tracking
Marketplace
English
  • Dynamic Data Masking 9.9.4
  • All Products

Table of Contents

Search

  1. Preface
  2. Introduction to Dynamic Data Masking Administration
  3. Authentication
  4. Security
  5. Connection Management
  6. JDBC Client Configuration
  7. ODBC Client Configuration
  8. Configuration for MicroStrategy
  9. Access Control
  10. Logs
  11. High Availability
  12. Server Control
  13. Performance Tuning
  14. Troubleshooting
  15. Appendix A: Database Keywords

Administrator Guide

Administrator Guide

Back Next

Key Strategies

Key Strategies

If Dynamic Data Masking uses multiple signed certificates to perform the handshake with database clients, you must configure a simple port strategy or an advanced port strategy in the
cfg/ddm.security
 file.
By default, the standard Java implementation chooses the first alias it finds in the keystore for which there is a private key and a key of the right type for the chosen cipher suite. The selected alias does not necessarily correspond to the requested domain, which can cause certificate errors.
To overcome this limitation, you can configure a simple port strategy or an advanced port strategy that map each SSL host and port combination in Dynamic Data Masking to a specific alias. Each alias corresponds to a key entry with a private key and signed certificate in the keystore that Dynamic Data Masking uses for the SSL handshake with the client.
The following image shows the keystrategies configuration section of the
cfg/ddm.security
 file:
Alias names must be unique for all keystores. If you do not give unique alias names, Dynamic Data Masking uses the key entry with the first found matching alias to handshake with the client.
You do not need to configure the keystrategy section when you have not configured the Dynamic Data Masking Server with a keystore, or when a keystore configured in the Dynamic Data Masking Server contains only one signed certificate.
If you have not configured the Dynamic Data Masking Server with a keystore, Dynamic Data Masking uses the self-signed certificate generated in the default Dynamic Data Masking keystore file
cfg/ddm.jceks
. This certificate is associated with the reversed alias name
ddm_self_signed
. Do not use this alias name in any other keystores.
In this scenario, the Dynamic Data Masking Server provides the self-signed certificate to the client.
If you have configured the Dynamic Data Masking Server with one keystore, defined in the file
jvm.params
 or
cfg/ddm.security
, that contains only one signed certificate, Dynamic Data Masking uses that certificate.
The following table describes the keystore strategy requirements for both the Dynamic Data Masking Server and the administrative tools:
Dynamic Data Masking Server
Administrative Tools
Keystore or Keystores
Dynanic Data Masking Server SSL Functionality
Truststore or Truststores
Dynamic Data Masking Administrative Tools SSL Functionality
not set
Provides the self-signed certificate to the SSL client. The key strategy is not relevant.
not set
Accepts any certificate. Can connect.
set with certificates
Provides to SSL client:
  • If you have not configured a port strategy, provides the first found signed certificate.
  • If you have configured a port strategy, provides a signed certificate associated with an alias mapped to a specific SSL port.
not set
Accepts any certificate. Can connect.
not set
Provides the self-signed certificate to SSL client. Key strategy is not relevant.
set with certificates
Cannot connect, because the Dynamic Data Masking Server has no matching private key.
set with certificates
Must have a configured port strategy. Provides to SSL client a signed certificate associated with an alias mapped to a specific SSL port.
set with certificates
Can connect, but the Dynamic Data Masking Server must have matching private key.
0 COMMENTS
We’d like to hear from you!