When Dynamic Data Masking fails to validate a specific certificate, it consults the configured trust strategy, if the strategy trusts the certificate chain. If a trust strategy determines that it trusts the certificate, it returns an "accept" value to the trust manager. If the trust strategy accepts the certificate and returns the "accept_permanently" or "accept_temporarily" value to the trust manager, Dynamic Data Masking adds the certificate to the preferred or temporary truststore. Dynamic Data Masking then validates the certificate chain again with the likely positive result.

If the trust strategy determines that it cannot trust a certificate, it returns a "reject" value to the trust manager. If all configured trust strategies reject the certificate and return a "reject" value to the trust manager, Dynamic Data Masking denies the client connection.

Trust strategies allow Dynamic Data Masking to add accepted certificates to the Dynamic Data Masking truststore at run time, similar to web browsers. For example, if a database uses a self-signed certificate to perform the SSL handshake with the client, you can configure the self-signed strategy in Dynamic Data Masking to accept all self-signed certificates. Dynamic Data Masking adds those certificates to the truststore. Similarly, you can use different strategies to accept and store new certificates in the truststore without any manual action.

Dynamic Data Masking is installed with two trust strategies that you can configure in the

cfg/ddm.security

file:

A strategy to accept self-signed certificates:
com.activebase.security.trustmanager.strategies.SelfSignedStrategy
When you configure the strategy, you provide a value for both the
<accept>
and
<reject>
parameters. The <accept> parameter tells Dynamic Data Masking what action to take on self-signed certificates. The
<reject>
value tells Dynamic Data Masking what action to take on certificates that are not self-signed.
For example, the following image shows a configuration to permanently accept all self-signed certificates and reject all other certificates:

The following image shows a configuration to reject all self-signed certificates and permanently accept all other certificates:

A strategy to accept certificates with a matching fingerprint:
com.activebase.security.trustmanager.strategies.FingerprintStrategy
This strategy generates a fingerprint from the certificate that Dynamic Data Masking checks using the specified crytographic
<algorithm>
parameter, "SHA-1" for example. The strategy compares the generated fingerprint with the configured
<fingerprint>
parameter. You also configure the
<reject>
and
<accept>
parameters to tell Dynamic Data Masking what to do with certificates that are accepted or rejected based on the strategy logic.

The final result of trust strategy processing is a combination of the following steps:

The following table describes when Dynamic Data Masking stores an accepted certificate in either the preferred or temporary truststore, based on the accept value of the trust strategy and the preferred value of the truststore:

Preferred Store	Trust Strategy Result	Client Connection	Action
set	Accept permanently	Allow	Dynamic Data Masking permanently stores the new certificate and uses it for the duration of the current and all future sessions.
set	Accept temporarily	Allow	Dynamic Data Masking temporarily accepts the new certificate and uses it for the duration of the current session.
not set	Accept permanently	Allow	Dynamic Data Masking temporarily accepts the new certificate and uses it for the duration of the current session.
not set	Accept temporarily	Allow	Dynamic Data Masking temporarily accepts the new certificate and uses it for the duration of the current session.
set	Reject	Refuse	No action taken.
not set	Reject	Refuse	No action taken.
not set	-	Refuse	No action taken.
set	-	Refuse	No action taken.

The following image shows a configuration of the two trust strategies in the

cfg/ddm.security

file:

The certificate fingerprint is a long string that represents a real fingerprint.