Administrator Guide


Custom Keystore


You can use a custom keystore and security provider to store and access the target database credentials. To do so, you must create an XML configuration file. If you want to use CyberArk as the security provider, you must also create a CyberArk properties file. Then you can create the target database connection.

Configuration File

The XML configuration file defines the custom keystores and security providers. Create the file in the following location:

Use the following parameters in the providers section of the file to configure a custom security provider (the element names are the ones used in the sample files later in this section):

fqcn. Mandatory. Fully-qualified class name of the security provider.
file. Optional. Provider-specific initialization parameter, for example the path to a configuration file.

Use the following parameters in the keyStores section of the file to configure a custom keystore:

storeName. Mandatory. Unique name of the keystore. Once you have defined the keystore name, do not modify it: database objects reference the keystore by this name.
storeType. Mandatory. Type of keystore. For CyberArk, enter the storeType CyberArk.
storeFile. Optional. Path to the keystore file.
storePassword. Optional. Keystore password.
provider. Optional, except for CyberArk. Name of the custom security provider as returned by Provider.getName(); note that this is not the class name given in fqcn. If the security provider is CyberArk, this parameter is mandatory and its value must match the security-provider name property in the CyberArk properties file.
encrypted. Optional. Indicates whether storePassword is stored encrypted. You can enter the password in clear text and set encrypted to false; Dynamic Data Masking encrypts the password at run time and updates the file. Until the server has done so, the file holds the password in clear text, so restrict read access to the file to the account that runs the Dynamic Data Masking Server.

After you configure the file, start the Dynamic Data Masking Server. When you configure the database object, enter the keystore name defined in the file and the alias associated with the database user name and password in the custom keystore. For CyberArk accounts, the alias is the name defined when the CyberArk account was created.

Custom security providers can allow read-only or read-and-write access to the keystore. For a read-only keystore, enter an alias that already exists in the keystore.

Sample Files

The following file is an example of an XML configuration file that contains two custom security providers, one with a configuration file as the provider-specific initialization parameter and one without an initialization parameter. The file contains three custom keystores with unique names; two of them name their designated security provider. Tag names are case-sensitive, so <keyStores> must be closed by </keyStores>.

<?xml version="1.0"?>
<XML>
  <keyStores type="ArrayList">
    <entry type="StoreDescriptor">
      <storeName>store1</storeName>
      <storePassword>admin</storePassword>
      <storeType>JCEKS</storeType>
      <encrypted>false</encrypted>
      <storeFile>cfg/store.jceks</storeFile>
    </entry>
    <entry type="StoreDescriptor">
      <storeName>store3</storeName>
      <storePassword>admin</storePassword>
      <storeType>PKCS12</storeType>
      <encrypted>false</encrypted>
      <provider>PKCS12-Provider-5</provider>
      <storeFile>cfg/store.pkcs12</storeFile>
    </entry>
    <entry type="StoreDescriptor">
      <storeName>store2</storeName>
      <storeType>PKCS11</storeType>
      <encrypted>false</encrypted>
      <provider>MyProvider-HSM</provider>
      <storeFile>cfg/store.pkcs11</storeFile>
    </entry>
  </keyStores>
  <providers type="ArrayList">
    <entry type="ProviderDescriptor">
      <file>cfg/xyz.conf</file>
      <fqcn></fqcn>
    </entry>
    <entry type="ProviderDescriptor">
      <fqcn></fqcn>
    </entry>
  </providers>
</XML>

The following file is an example of an XML configuration file configured for use with a CyberArk keystore:

<?xml version="1.0"?>
<XML>
  <keyStores type="ArrayList">
    <entry type="StoreDescriptor">
      <storeType>CyberArk</storeType>
      <storeName>DDMQASafe</storeName>
      <provider>QASafeProvider</provider>
    </entry>
  </keyStores>
  <providers type="ArrayList">
    <entry type="ProviderDescriptor">
      <file>cfg\CyberArk_DDMQASafe.props</file>
      <fqcn></fqcn>
    </entry>
  </providers>
</XML>

You can configure multiple CyberArk entries in the file with the same method.
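Before starting the server, it is worth checking a configuration file against the rules described in this section. The following Python linter is an added example and is not part of the Dynamic Data Masking product or its documentation. It parses the file with the standard library, enforces the mandatory parameters (storeName, storeType, fqcn, and provider for a CyberArk store), requires that a CyberArk store is accompanied by a provider entry with a <file>, and warns when a storePassword is still in clear text. The embedded sample XML is constructed from the structure of the two samples above; the class name in fqcn is hypothetical, since the page does not show one. It cannot check the CyberArk properties file itself, because the key of the provider-name property is not shown on this page.

```python
"""Lint a Dynamic Data Masking custom-keystore XML configuration file.

Added example, not Informatica code. It applies the rules stated in the
section above and warns about clear-text keystore passwords.
"""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the two sample files in this section.
# The fqcn value is a hypothetical class name; the page does not show one.
SAMPLE_OK = """<?xml version="1.0"?>
<XML>
  <keyStores type="ArrayList">
    <entry type="StoreDescriptor">
      <storeName>store1</storeName>
      <storePassword>admin</storePassword>
      <storeType>JCEKS</storeType>
      <encrypted>false</encrypted>
      <storeFile>cfg/store.jceks</storeFile>
    </entry>
    <entry type="StoreDescriptor">
      <storeType>CyberArk</storeType>
      <storeName>DDMQASafe</storeName>
      <provider>QASafeProvider</provider>
    </entry>
  </keyStores>
  <providers type="ArrayList">
    <entry type="ProviderDescriptor">
      <file>cfg/CyberArk_DDMQASafe.props</file>
      <fqcn>com.example.HypotheticalCyberArkProvider</fqcn>
    </entry>
  </providers>
</XML>
"""

# Same content, but the container is closed with the wrong case. XML tag
# names are case-sensitive, so a strict parser rejects the whole file.
SAMPLE_MISMATCHED_CASE = SAMPLE_OK.replace("</keyStores>", "</keystores>")


def _text(elem, tag):
    """Trimmed text of a child element, or '' if the child is absent or empty."""
    child = elem.find(tag)
    return (child.text or "").strip() if child is not None else ""


def lint_keystore_config(xml_text):
    """Return findings as 'ERROR: ...' / 'WARN: ...' strings (empty list = clean)."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"ERROR: not well-formed XML: {exc}"]

    seen_names = set()
    has_cyberark = False
    for entry in root.findall("./keyStores/entry"):
        name = _text(entry, "storeName")
        store_type = _text(entry, "storeType")
        label = name or "<unnamed>"
        if not name:
            findings.append("ERROR: keystore entry without storeName")
        elif name in seen_names:
            findings.append(f"ERROR: duplicate storeName '{name}'")
        else:
            seen_names.add(name)
        if not store_type:
            findings.append(f"ERROR: {label}: storeType is mandatory")
        if store_type == "CyberArk":
            has_cyberark = True
            if not _text(entry, "provider"):
                findings.append(
                    f"ERROR: {label}: provider is mandatory for storeType CyberArk")
        # A clear-text storePassword is rewritten encrypted only once the
        # server starts; until then the file holds the secret in the clear.
        if _text(entry, "storePassword") and _text(entry, "encrypted").lower() != "true":
            findings.append(
                f"WARN: {label}: storePassword is in clear text (encrypted is not true); "
                "restrict read access to the file until the server has encrypted it")

    providers = root.findall("./providers/entry")
    if not providers:
        findings.append("ERROR: no ProviderDescriptor entries")
    for index, prov in enumerate(providers, 1):
        if not _text(prov, "fqcn"):
            findings.append(f"ERROR: provider #{index}: fqcn is mandatory")
    if has_cyberark and not any(_text(p, "file") for p in providers):
        findings.append(
            "ERROR: a CyberArk keystore is configured but no provider entry "
            "points to a CyberArk properties file via <file>")
    return findings


if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad-case", SAMPLE_MISMATCHED_CASE)):
        print(f"== {label}")
        for finding in lint_keystore_config(sample) or ["clean"]:
            print("  " + finding)
```

Run the script as-is to lint the embedded samples, or pass the contents of your own file to lint_keystore_config. The check for the provider name is deliberately limited to presence: whether the value matches what Provider.getName() returns can only be verified at run time by loading the provider class.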

CyberArk Properties File

If you use CyberArk as a security provider, you must create a CyberArk properties file in addition to the XML configuration file. The CyberArk properties file is a text properties file that contains parameters specific to CyberArk.

Create the CyberArk properties file and provide its location in the <file> parameter of the security provider section of the XML configuration file. The sample files above reference it by a path under cfg.

The CyberArk properties file includes the following parameters:

Name of the security provider. The name must match the <provider> tag in the keystore section of the XML configuration file.
Application ID (provider.client.appid in the sample below). The application ID was created during the CyberArk installation.
Name of the safe within CyberArk. Mandatory.
Unique attribute name of the account. By default, the account name is the unique attribute; CyberArk maps it internally to the string "Object", so in that case the value of the parameter is Object. If you selected another attribute as the unique identifier, give that attribute name as the value. For example, if you selected the attribute "host" as the unique identifier, the value is host.
Path from the root to the folder containing the account (provider.folder.path in the sample below). If you leave this parameter blank, Dynamic Data Masking assumes the account is directly under the root.

To complete the integration, copy the CyberArk library file into the <Dynamic Data Masking installation>/lib/ext directory. The file ships with the CyberArk AIM installation; the directory it is located in differs between Microsoft Windows and Linux.

Sample CyberArk Properties File

The following file is an example of a CyberArk properties file. The doubled backslash is the properties-file escape for a single backslash, so the folder path is read as root\subfolder:

provider.client.appid=DDMJavaTest
provider.folder.path=root\\subfolder

