Communities
A collaborative platform to connect and grow with like-minded Informaticans across the globe
Product Communities
Connect and collaborate with Informatica experts and champions
Discussions
Have a question? Start a Discussion and get immediate answers you are looking for
User Groups
Customer-organized groups that meet online and in-person. Join today to network, share ideas, and get tips on how to get the most out of Informatica
Get Started
Community Guidelines
Knowledge Center
Troubleshooting documents, product guides, how to videos, best practices, and more
Knowledge Base
One-stop self-service portal for solutions, FAQs, Whitepapers, How Tos, Videos, and more
Support TV
Video channel for step-by-step instructions to use our products, best practices, troubleshooting tips, and much more
Documentation
Information library of the latest product documents
Velocity (Best Practices)
Best practices and use cases from the Implementation team
Learn
Rich resources to help you leverage full capabilities of our products
Trainings
Role-based training programs for the best ROI
Certifications
Get certified on Informatica products. Free, Foundation, or Professional
Product Learning Paths
Free and unlimited modules based on your expertise level and journey
Resources
Library of content to help you leverage the best of Informatica products
Tech Tuesdays Webinars
Most popular webinars on product architecture, best practices, and more
Product Availability Matrix
Product Availability Matrix statements of Informatica products
SupportFlash
Monthly support newsletter
Support Documents
Informatica Support Guide and Statements, Quick Start Guides, and Cloud Product Description Schedule
Product Lifecycle
End of Life statements of Informatica products
Ideas
Events
Change Request Tracking
Marketplace
English
  • Dynamic Data Masking 9.9
  • All Products

Table of Contents

Search

  1. Preface
  2. Introduction to Dynamic Data Masking Administration
  3. Authentication
  4. Security
  5. Connection Management
  6. JDBC Client Configuration
  7. ODBC Client Configuration
  8. Access Control
  9. Logs
  10. High Availability
  11. Server Control
  12. Performance Tuning
  13. Troubleshooting
  14. Appendix A: Database Keywords

Administrator Guide

Administrator Guide

Back Next

Custom Keystore

Custom Keystore

You can use a custom keystore and security provider to store and access the target database credentials. To use a custom keystore and security provider, you must create an XML configuration file called
ddm.security
. If you want to use CyberArk as a security provider, you must also create a CyberArk properties file. Then you can create the target database connection.

ddm.security File

The
ddm.security
 file contains the information used to define the custom keystore and security provider. To configure custom keystores and security providers, create the file in the following location:
<DDM>/cfg/ddm.security
Use the following parameters to configure the
ddm.security
 file for the custom security provider:
Name
Description
<fqcn>
Mandatory. Fully-qualified class name of the security provider. For example: com.security.provider.MyProvider
<file>
Optional. Provider-specific initialization parameter. For example, the path to a configuration file.
Use the following parameters to configure the
ddm.security
 file for the custom keystore:
Name
Default
Description
storeName
-
Mandatory. Unique name of the keystore. Once you have defined the keystore name, do not modify it.
storeType
-
Mandatory. Type of keystore. For CyberArk, enter the storeType "CyberArk."
storeFile
null
Optional. Path to the keystore file.
storePassword
null
Optional. Keystore password.
provider
-
Optional. Name of the custom security provider that Provider.getName() returns. Note that this is not the name of the class.
If the security provider is CyberArk, this parameter is mandatory. Provide the name of the security provider. This name should match the property "provider.name" in the CyberArk properties file.
encrypted
false
Optional. Specify a clear password for the keystore in the
ddm.security
 file. Dynamic Data Masking encrypts the password at run-time and sets
encrypted=true
 in the file.
After you configure the
ddm.security
 file, start the Dynamic Data Masking Server. When you configure the database object, enter the keystore name defined in the
ddm.security
 file and the alias associated with the database user name and password in the custom keystore. For CyberArk accounts, the alias name was defined during creation of the CyberArk account.
Custom security providers can allow read-only or read and write access to the keystore. For a read-only keystore, enter the existing alias.

Sample ddm.security Files

The following file is an example of a
ddm.security
 file that contains two custom security providers, one with a configuration file as the provider-specific initialization parameter, and another provider without an initialization parameter. The file contains three custom keystores that have unique names, with two keystores including the name of the designated security provider. 
<?xml version="1.0"?>
<XML>
	<keyStores type="ArrayList">
		<entry type="StoreDescriptor">
			<storeName>store1</storeName>
			<storePassword>admin</storePassword>
			<storeType>JCEKS</storeType>
			<encrypted>false</encrypted>
			<storeFile>cfg/store.jceks</storeFile>
		</entry>
		<entry type="StoreDescriptor">
			<storeName>store3</storeName>
			<storePassword>admin</storePassword>
			<storeType>PKCS12</storeType>
			<encrypted>false</encrypted>
			<provider>PKCS12-Provider-5</provider>
			<storeFile>cfg/store.pkcs12</storeFile>
		</entry>
		<entry type="StoreDescriptor">
			<storeName>store2</storeName>
			<storeType>PKCS11</storeType>
			<encrypted>false</encrypted>
			<provider>MyProvider-HSM</provider>
			<storeFile>cfg/store.pkcs11</storeFile>
		</entry>
	</keystores>
	<providers type="ArrayList">
		<entry type="ProviderDescriptor">
			<file>cfg/xyz.conf</file>
			<fqcn>com.security.provider.XYZProvider</fqcn>
		</entry>
		<entry type="ProviderDescriptor">
			<fqcn>com.security.provider.MyProvider</fqcn>
		</entry>
	</providers>
</XML>
The following file is an example of a
ddm.security
 file configured for use with a CyberArk keystore: 
<?xml version="1.0"?>
<XML>  
  <keyStores type="ArrayList"> 
 <entry type="StoreDescriptor">      
    <storeType>CyberArk</storeType>      
    <storeName>DDMQASafe</storeName>	  
    <provider>QASafeProvider</provider>    
  </entry>  
 </keyStores>
   
 <providers type="ArrayList">  	
  <entry type="ProviderDescriptor">      
    <file>cfg\CyberArk_DDMQASafe.props</file>      
    <fqcn>com.informatica.security.jce.cyberark.CyberarkProvider</fqcn>    
  </entry>    
 </providers>
</XML>
You can configure multiple CyberArk entries in the
ddm.security
 file with the same method.

CyberArk Properties File

If you use CyberArk as a security provider, you must create a CyberArk properties file in addition to the
ddm.security
 file. The CyberArk properties file is a text properties file that contains parameters specific to CyberArk.
Create the CyberArk properties file within the
<DDM>/cfg/
 folder. For example:
<DDM>/cfg/CyberArk.props
. Provide the location of the file in the <file> parameter of the security provider section of the
ddm.security
 file.
The CyberArk properties file includes the following parameters:
Name
Description
provider.name
Name of the security provider. Name must match the <provider> tag in the keystore section of the
ddm.security
 file.
provider.client.appid
Application ID. The application ID was created during the CyberArk installation.
provider.safe
Mandatory. Name of the specific safe within CyberArk.
provider.uniqueattr.name
Unique attribute name of the account.
By default, the name of the account is a unique attribute that is internally mapped with the string "Object." In this case, "Object" is the value for the uniqueattr.name parameter.
However, if you have selected any other attribute other than name as an unique identifier, give that attribute name as the value of the property.
For example, if you selected the attribute "host" as the unique identifier, give the value of provider.uniqueattr.name as "host."
provider.folder.path
Path from the root to the folder containing the given account. If you leave this parameter blank, Dynamic Data Masking assumes the account is under the root.
If you plan to use CyberArk as a security provider, you must put the CyberArk
JavaPasswordSDK.jar
 file into the
<Dynamic Data Masking installation>/lib/ext
 directory to complete the integration. The
JavaPasswordSDK.jar
 file is located in the
ApplicationPasswordSdk
 directory of the CyberArk AIM installation (on Microsoft Windows) or the
/opt/CARKaim/sdk/
 directory (on Linux).

Sample CyberArk Properties File

The following file is an example of a CyberArk properties file: 
provider.name=QASafeProvider
provider.client.appid=DDMJavaTest
provider.safe=DDMQASafe
provider.uniqueattr.name=Object
provider.folder.path=root\\subfolder
0 COMMENTS
We’d like to hear from you!