Dynamic Data Masking supports SSL communication between the Dynamic Data Masking Server and multiple database instances, types, and clients, such as the Management Console and Server Control. The Dynamic Data Masking Server can load multiple existing keystores and truststores, which in most cases you can copy from the database or database client to the Dynamic Data Masking installation without any modification.
When you enable SSL communication, you configure the cfg/ddm.security file for the keystores and truststores used by the Dynamic Data Masking Server. You also configure the cfg/client.security file for the truststores used by clients such as the Management Console and Server Control. The configuration parameters for the cfg/client.security and cfg/ddm.security files are the same.
You also use the cfg/ddm.security file to configure key strategies and trust strategies. Key strategies are required when Dynamic Data Masking uses multiple signed certificates to perform the handshake with database clients. Trust strategies tell Dynamic Data Masking how to handle a certificate that does not exist in the Dynamic Data Masking truststore and is therefore rejected by the trust manager.
Dynamic Data Masking supports various security protocols and cipher suites. You can define global settings for security protocols and cipher suites, or you can configure protocols and ciphers that map to a specific Dynamic Data Masking host and port.
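The following Java example is added here to illustrate what the settings above correspond to in the Java TLS (JSSE) API; it is not Dynamic Data Masking code and does not read cfg/ddm.security or cfg/client.security. It loads a keystore (the server's own identity) and a truststore into an SSLContext, wraps the standard trust manager so that a peer certificate missing from the truststore is logged and still rejected (the role a trust strategy plays), and resolves protocols and cipher suites per host and port with a global fallback. The store file names, passwords, store type, host names, ports, and the protocol and cipher suite lists are assumed placeholders, and key strategies (choosing among several certificates) are not shown.

```java
import javax.net.ssl.*;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.*;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
import java.util.logging.Logger;

/** Illustration only: not Dynamic Data Masking code; all names and values are assumed. */
public class SslPolicyDemo {
    private static final Logger LOG = Logger.getLogger(SslPolicyDemo.class.getName());

    // Global protocol and cipher settings; a "host:port" entry overrides them (example values).
    static final String[] GLOBAL_PROTOCOLS = {"TLSv1.3", "TLSv1.2"};
    static final String[] GLOBAL_CIPHERS = {
        "TLS_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"};
    static final Map<String, String[]> PROTOCOLS_BY_ENDPOINT = new HashMap<>();
    static final Map<String, String[]> CIPHERS_BY_ENDPOINT = new HashMap<>();
    static {
        // Assumed example: one database listener is pinned to TLS 1.2 with a single suite.
        PROTOCOLS_BY_ENDPOINT.put("legacy-db.example:1521", new String[] {"TLSv1.2"});
        CIPHERS_BY_ENDPOINT.put("legacy-db.example:1521",
            new String[] {"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"});
    }

    /** Loads a JKS or PKCS12 store; the same call serves keystores and truststores. */
    static KeyStore loadStore(String path, char[] password, String type)
            throws GeneralSecurityException, IOException {
        KeyStore store = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            store.load(in, password);
        }
        return store;
    }

    /** Trust strategy: delegate to the standard trust manager and, when a certificate
     *  is not anchored in the truststore, log its subject and issuer before rejecting it.
     *  The strict outcome (reject) is unchanged; only the diagnostic is added. */
    static TrustManager[] loggingTrustManagers(KeyStore truststore)
            throws GeneralSecurityException {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(truststore);
        final X509TrustManager delegate = (X509TrustManager) tmf.getTrustManagers()[0];
        return new TrustManager[] { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                try { delegate.checkClientTrusted(chain, authType); }
                catch (CertificateException e) { logAndRethrow(chain, e); }
            }
            public void checkServerTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                try { delegate.checkServerTrusted(chain, authType); }
                catch (CertificateException e) { logAndRethrow(chain, e); }
            }
            public X509Certificate[] getAcceptedIssuers() {
                return delegate.getAcceptedIssuers();
            }
        }};
    }

    private static void logAndRethrow(X509Certificate[] chain, CertificateException e)
            throws CertificateException {
        LOG.warning("Rejected certificate not in truststore: subject="
            + chain[0].getSubjectX500Principal() + ", issuer="
            + chain[0].getIssuerX500Principal() + " (" + e.getMessage() + ")");
        throw e;
    }

    /** Builds an SSLContext from a keystore (our identity) and a truststore (who we trust). */
    static SSLContext buildContext(KeyStore keystore, char[] keyPassword, KeyStore truststore)
            throws GeneralSecurityException {
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keystore, keyPassword);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), loggingTrustManagers(truststore), new SecureRandom());
        return ctx;
    }

    /** Per-endpoint protocol and cipher resolution: the host:port entry wins, else global. */
    static SSLParameters parametersFor(String host, int port) {
        String key = host + ":" + port;
        SSLParameters params = new SSLParameters();
        params.setProtocols(PROTOCOLS_BY_ENDPOINT.getOrDefault(key, GLOBAL_PROTOCOLS));
        params.setCipherSuites(CIPHERS_BY_ENDPOINT.getOrDefault(key, GLOBAL_CIPHERS));
        return params;
    }

    public static void main(String[] args) throws Exception {
        // Assumed file names and passwords; use the stores copied from the database client.
        char[] pw = "changeit".toCharArray();
        KeyStore keystore = loadStore("ddm-keystore.jks", pw, "JKS");
        KeyStore truststore = loadStore("ddm-truststore.jks", pw, "JKS");
        SSLContext ctx = buildContext(keystore, pw, truststore);
        try (SSLSocket socket =
                (SSLSocket) ctx.getSocketFactory().createSocket("legacy-db.example", 1521)) {
            socket.setSSLParameters(parametersFor("legacy-db.example", 1521));
            socket.startHandshake();
            LOG.info("Negotiated " + socket.getSession().getProtocol()
                + " / " + socket.getSession().getCipherSuite());
        }
    }
}
```

The SSLParameters are applied before startHandshake so that the per-endpoint restriction, not the JVM default list, governs negotiation; a handshake against a certificate absent from the truststore fails with the logged subject and issuer, which is the information an operator needs to decide whether to import that certificate.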
You can enable SSL communication for Oracle, IBM DB2, and Microsoft SQL Server target databases.