Scribd
Upload
16 views

DDM 991 DynamicDataMaskingAcceleratorForUseWith (SAP) en

Uploaded by

Kishore Iyer
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
16 views

DDM 991 DynamicDataMaskingAcceleratorForUseWith (SAP) en

Uploaded by

Kishore Iyer
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 23

Informatica® Dynamic Data Masking

9.9.1

Dynamic Data Masking


Accelerator for use with SAP
Informatica Dynamic Data Masking Dynamic Data Masking Accelerator for use with SAP
9.9.1
June 2019
© Copyright Informatica LLC 1993, 2019

This software and documentation contain proprietary information of Informatica LLC and are provided under a license agreement containing restrictions on use and
disclosure and are also protected by copyright law. Reverse engineering of the software is prohibited. No part of this document may be reproduced or transmitted in any
form, by any means (electronic, photocopying, recording or otherwise) without prior consent of Informatica LLC. This Software may be protected by U.S. and/or
international Patents and other Patents Pending.

Use, duplication, or disclosure of the Software by the U.S. Government is subject to the restrictions set forth in the applicable software license agreement and as
provided in DFARS 227.7202-1(a) and 227.7702-3(a) (1995), DFARS 252.227-7013©(1)(ii) (OCT 1988), FAR 12.212(a) (1995), FAR 52.227-19, or FAR 52.227-14 (ALT III),
as applicable.

The information in this product or documentation is subject to change without notice. If you find any problems in this product or documentation, please report them to
us in writing.

Informatica, Informatica Platform, Informatica Data Services, PowerCenter, PowerCenterRT, PowerCenter Connect, PowerCenter Data Analyzer, PowerExchange,
PowerMart, Metadata Manager, Informatica Data Quality, Informatica Data Explorer, Informatica B2B Data Transformation, Informatica B2B Data Exchange Informatica
On Demand, Informatica Identity Resolution, Informatica Application Information Lifecycle Management, Informatica Complex Event Processing, Ultra Messaging,
Informatica Master Data Management, and Live Data Map are trademarks or registered trademarks of Informatica LLC in the United States and in jurisdictions
throughout the world. All other company and product names may be trade names or trademarks of their respective owners.

Portions of this software and/or documentation are subject to copyright held by third parties, including without limitation: Copyright DataDirect Technologies. All rights
reserved. Copyright © Sun Microsystems. All rights reserved. Copyright © RSA Security Inc. All Rights Reserved. Copyright © Ordinal Technology Corp. All rights
reserved. Copyright © Aandacht c.v. All rights reserved. Copyright Genivia, Inc. All rights reserved. Copyright Isomorphic Software. All rights reserved. Copyright © Meta
Integration Technology, Inc. All rights reserved. Copyright © Intalio. All rights reserved. Copyright © Oracle. All rights reserved. Copyright © Adobe Systems Incorporated.
All rights reserved. Copyright © DataArt, Inc. All rights reserved. Copyright © ComponentSource. All rights reserved. Copyright © Microsoft Corporation. All rights
reserved. Copyright © Rogue Wave Software, Inc. All rights reserved. Copyright © Teradata Corporation. All rights reserved. Copyright © Yahoo! Inc. All rights reserved.
Copyright © Glyph & Cog, LLC. All rights reserved. Copyright © Thinkmap, Inc. All rights reserved. Copyright © Clearpace Software Limited. All rights reserved. Copyright
© Information Builders, Inc. All rights reserved. Copyright © OSS Nokalva, Inc. All rights reserved. Copyright Edifecs, Inc. All rights reserved. Copyright Cleo
Communications, Inc. All rights reserved. Copyright © International Organization for Standardization 1986. All rights reserved. Copyright © ej-technologies GmbH. All
rights reserved. Copyright © Jaspersoft Corporation. All rights reserved. Copyright © International Business Machines Corporation. All rights reserved. Copyright ©
yWorks GmbH. All rights reserved. Copyright © Lucent Technologies. All rights reserved. Copyright © University of Toronto. All rights reserved. Copyright © Daniel
Veillard. All rights reserved. Copyright © Unicode, Inc. Copyright IBM Corp. All rights reserved. Copyright © MicroQuill Software Publishing, Inc. All rights reserved.
Copyright © PassMark Software Pty Ltd. All rights reserved. Copyright © LogiXML, Inc. All rights reserved. Copyright © 2003-2010 Lorenzi Davide, All rights reserved.
Copyright © Red Hat, Inc. All rights reserved. Copyright © The Board of Trustees of the Leland Stanford Junior University. All rights reserved. Copyright © EMC
Corporation. All rights reserved. Copyright © Flexera Software. All rights reserved. Copyright © Jinfonet Software. All rights reserved. Copyright © Apple Inc. All rights
reserved. Copyright © Telerik Inc. All rights reserved. Copyright © BEA Systems. All rights reserved. Copyright © PDFlib GmbH. All rights reserved. Copyright ©
Orientation in Objects GmbH. All rights reserved. Copyright © Tanuki Software, Ltd. All rights reserved. Copyright © Ricebridge. All rights reserved. Copyright © Sencha,
Inc. All rights reserved. Copyright © Scalable Systems, Inc. All rights reserved. Copyright © jQWidgets. All rights reserved. Copyright © Tableau Software, Inc. All rights
reserved. Copyright© MaxMind, Inc. All Rights Reserved. Copyright © TMate Software s.r.o. All rights reserved. Copyright © MapR Technologies Inc. All rights reserved.
Copyright © Amazon Corporate LLC. All rights reserved. Copyright © Highsoft. All rights reserved. Copyright © Python Software Foundation. All rights reserved.
Copyright © BeOpen.com. All rights reserved. Copyright © CNRI. All rights reserved.

This product includes software developed by the Apache Software Foundation (http://www.apache.org/), and/or other software which is licensed under various
versions of the Apache License (the "License"). You may obtain a copy of these Licenses at http://www.apache.org/licenses/. Unless required by applicable law or
agreed to in writing, software distributed under these Licenses is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
or implied. See the Licenses for the specific language governing permissions and limitations under the Licenses.

This product includes software which was developed by Mozilla (http://www.mozilla.org/), software copyright The JBoss Group, LLC, all rights reserved; software
copyright © 1999-2006 by Bruno Lowagie and Paulo Soares and other software which is licensed under various versions of the GNU Lesser General Public License
Agreement, which may be found at http:// www.gnu.org/licenses/lgpl.html. The materials are provided free of charge by Informatica, "as-is", without warranty of any
kind, either express or implied, including but not limited to the implied warranties of merchantability and fitness for a particular purpose.

The product includes ACE(TM) and TAO(TM) software copyrighted by Douglas C. Schmidt and his research group at Washington University, University of California,
Irvine, and Vanderbilt University, Copyright (©) 1993-2006, all rights reserved.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (copyright The OpenSSL Project. All Rights Reserved) and
redistribution of this software is subject to terms available at http://www.openssl.org and http://www.openssl.org/source/license.html.

This product includes Curl software which is Copyright 1996-2013, Daniel Stenberg, <[email protected]>. All Rights Reserved. Permissions and limitations regarding this
software are subject to terms available at http://curl.haxx.se/docs/copyright.html. Permission to use, copy, modify, and distribute this software for any purpose with or
without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.

The product includes software copyright 2001-2005 (©) MetaStuff, Ltd. All Rights Reserved. Permissions and limitations regarding this software are subject to terms
available at http://www.dom4j.org/ license.html.

The product includes software copyright © 2004-2007, The Dojo Foundation. All Rights Reserved. Permissions and limitations regarding this software are subject to
terms available at http://dojotoolkit.org/license.

This product includes ICU software which is copyright International Business Machines Corporation and others. All rights reserved. Permissions and limitations
regarding this software are subject to terms available at http://source.icu-project.org/repos/icu/icu/trunk/license.html.

This product includes software copyright © 1996-2006 Per Bothner. All rights reserved. Your right to use such materials is set forth in the license which may be found at
http:// www.gnu.org/software/ kawa/Software-License.html.

This product includes OSSP UUID software which is Copyright © 2002 Ralf S. Engelschall, Copyright © 2002 The OSSP Project Copyright © 2002 Cable & Wireless
Deutschland. Permissions and limitations regarding this software are subject to terms available at http://www.opensource.org/licenses/mit-license.php.

This product includes software developed by Boost (http://www.boost.org/) or under the Boost software license. Permissions and limitations regarding this software
are subject to terms available at http:/ /www.boost.org/LICENSE_1_0.txt.

This product includes software copyright © 1997-2007 University of Cambridge. Permissions and limitations regarding this software are subject to terms available at
http:// www.pcre.org/license.txt.

This product includes software copyright © 2007 The Eclipse Foundation. All Rights Reserved. Permissions and limitations regarding this software are subject to terms
available at http:// www.eclipse.org/org/documents/epl-v10.php and at http://www.eclipse.org/org/documents/edl-v10.php.
This product includes software licensed under the terms at http://www.tcl.tk/software/tcltk/license.html, http://www.bosrup.com/web/overlib/?License, http://
www.stlport.org/doc/ license.html, http://asm.ow2.org/license.html, http://www.cryptix.org/LICENSE.TXT, http://hsqldb.org/web/hsqlLicense.html, http://
httpunit.sourceforge.net/doc/ license.html, http://jung.sourceforge.net/license.txt , http://www.gzip.org/zlib/zlib_license.html, http://www.openldap.org/software/
release/license.html, http://www.libssh2.org, http://slf4j.org/license.html, http://www.sente.ch/software/OpenSourceLicense.html, http://fusesource.com/downloads/
license-agreements/fuse-message-broker-v-5-3- license-agreement; http://antlr.org/license.html; http://aopalliance.sourceforge.net/; http://www.bouncycastle.org/
licence.html; http://www.jgraph.com/jgraphdownload.html; http://www.jcraft.com/jsch/LICENSE.txt; http://jotm.objectweb.org/bsd_license.html; . http://www.w3.org/
Consortium/Legal/2002/copyright-software-20021231; http://www.slf4j.org/license.html; http://nanoxml.sourceforge.net/orig/copyright.html; http://www.json.org/
license.html; http://forge.ow2.org/projects/javaservice/, http://www.postgresql.org/about/licence.html, http://www.sqlite.org/copyright.html, http://www.tcl.tk/
software/tcltk/license.html, http://www.jaxen.org/faq.html, http://www.jdom.org/docs/faq.html, http://www.slf4j.org/license.html; http://www.iodbc.org/dataspace/
iodbc/wiki/iODBC/License; http://www.keplerproject.org/md5/license.html; http://www.toedter.com/en/jcalendar/license.html; http://www.edankert.com/bounce/
index.html; http://www.net-snmp.org/about/license.html; http://www.openmdx.org/#FAQ; http://www.php.net/license/3_01.txt; http://srp.stanford.edu/license.txt;
http://www.schneier.com/blowfish.html; http://www.jmock.org/license.html; http://xsom.java.net; http://benalman.com/about/license/; https://github.com/CreateJS/
EaselJS/blob/master/src/easeljs/display/Bitmap.js; http://www.h2database.com/html/license.html#summary; http://jsoncpp.sourceforge.net/LICENSE; http://
jdbc.postgresql.org/license.html; http://protobuf.googlecode.com/svn/trunk/src/google/protobuf/descriptor.proto; https://github.com/rantav/hector/blob/master/
LICENSE; http://web.mit.edu/Kerberos/krb5-current/doc/mitK5license.html; http://jibx.sourceforge.net/jibx-license.html; https://github.com/lyokato/libgeohash/blob/
master/LICENSE; https://github.com/hjiang/jsonxx/blob/master/LICENSE; https://code.google.com/p/lz4/; https://github.com/jedisct1/libsodium/blob/master/
LICENSE; http://one-jar.sourceforge.net/index.php?page=documents&file=license; https://github.com/EsotericSoftware/kryo/blob/master/license.txt; http://www.scala-
lang.org/license.html; https://github.com/tinkerpop/blueprints/blob/master/LICENSE.txt; http://gee.cs.oswego.edu/dl/classes/EDU/oswego/cs/dl/util/concurrent/
intro.html; https://aws.amazon.com/asl/; https://github.com/twbs/bootstrap/blob/master/LICENSE; https://sourceforge.net/p/xmlunit/code/HEAD/tree/trunk/
LICENSE.txt; https://github.com/documentcloud/underscore-contrib/blob/master/LICENSE, and https://github.com/apache/hbase/blob/master/LICENSE.txt.

This product includes software licensed under the Academic Free License (http://www.opensource.org/licenses/afl-3.0.php), the Common Development and
Distribution License (http://www.opensource.org/licenses/cddl1.php) the Common Public License (http://www.opensource.org/licenses/cpl1.0.php), the Sun Binary
Code License Agreement Supplemental License Terms, the BSD License (http:// www.opensource.org/licenses/bsd-license.php), the new BSD License (http://
opensource.org/licenses/BSD-3-Clause), the MIT License (http://www.opensource.org/licenses/mit-license.php), the Artistic License (http://www.opensource.org/
licenses/artistic-license-1.0) and the Initial Developer’s Public License Version 1.0 (http://www.firebirdsql.org/en/initial-developer-s-public-license-version-1-0/).

This product includes software copyright © 2003-2006 Joe WaInes, 2006-2007 XStream Committers. All rights reserved. Permissions and limitations regarding this
software are subject to terms available at http://xstream.codehaus.org/license.html. This product includes software developed by the Indiana University Extreme! Lab.
For further information please visit http://www.extreme.indiana.edu/.

This product includes software Copyright (c) 2013 Frank Balluffi and Markus Moeller. All rights reserved. Permissions and limitations regarding this software are subject
to terms of the MIT license.

See patents at https://www.informatica.com/legal/patents.html.

DISCLAIMER: Informatica LLC provides this documentation "as is" without warranty of any kind, either express or implied, including, but not limited to, the implied
warranties of noninfringement, merchantability, or use for a particular purpose. Informatica LLC does not warrant that this software or documentation is error free. The
information provided in this software or documentation may include technical inaccuracies or typographical errors. The information in this software and documentation
is subject to change at any time without notice.

NOTICES

This Informatica product (the "Software") includes certain drivers (the "DataDirect Drivers") from DataDirect Technologies, an operating company of Progress Software
Corporation ("DataDirect") which are subject to the following terms and conditions:

1. THE DATADIRECT DRIVERS ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.
2. IN NO EVENT WILL DATADIRECT OR ITS THIRD PARTY SUPPLIERS BE LIABLE TO THE END-USER CUSTOMER FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, CONSEQUENTIAL OR OTHER DAMAGES ARISING OUT OF THE USE OF THE ODBC DRIVERS, WHETHER OR NOT INFORMED OF THE POSSIBILITIES
OF DAMAGES IN ADVANCE. THESE LIMITATIONS APPLY TO ALL CAUSES OF ACTION, INCLUDING, WITHOUT LIMITATION, BREACH OF CONTRACT, BREACH
OF WARRANTY, NEGLIGENCE, STRICT LIABILITY, MISREPRESENTATION AND OTHER TORTS.

Revision: 1
Publication Date: 2019-06-27
Table of Contents
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Informatica Resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Informatica Network. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Informatica Knowledge Base. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Informatica Documentation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Informatica Product Availability Matrices. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Informatica Velocity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Informatica Marketplace. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Informatica Global Customer Support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Chapter 1: Introduction to Dynamic Data Masking Accelerator for use with


SAP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Accelerator Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Dynamic Data Masking with the SAP Client Process. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Chapter 2: Accelerator Setup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9


Accelerator Setup Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Verify Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Install SAP Java Connector. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Install Apache Tomcat. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Deploy the Java Servlet. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Deploy the Java Servlet on Windows. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Deploy the Java Servlet on Linux and UNIX. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Create Dynamic Data Masking Database Administrator User. . . . . . . . . . . . . . . . . . . . . . . . . . 12
Compile the Database Objects. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Create Access Control List for Oracle 11G. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Configure the Cache Reset Tool. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Configure the Cache Reset Tool on Windows. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Configure the Cache Reset Tool on Linux and UNIX. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Create a Database Connection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Import Connection Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Import Application Security Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Create Development Security Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Reset SAP Cache. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Chapter 3: Accelerator Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19


Accelerator Rules Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Connection Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
SAPDevConnRule Connection Rule. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
SAPAppConnRule Connection Rule. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

4 Table of Contents
SAPDevRuleSet Security Rule Set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
SAPAppRuleSet Security Rule Set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
BlackList Rule Folder. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
WhiteList Rule Folder. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Index. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Table of Contents 5
Preface
Dynamic Data Masking Accelerator for use with SAP contains information to help administrators use the
accelerator to implement Dynamic Data Masking with an SAP application. This guide assumes that you have
knowledge of Dynamic Data Masking.

Informatica Resources
Informatica provides you with a range of product resources through the Informatica Network and other online
portals. Use the resources to get the most from your Informatica products and solutions and to learn from
other Informatica users and subject matter experts.

Informatica Network
The Informatica Network is the gateway to many resources, including the Informatica Knowledge Base and
Informatica Global Customer Support. To enter the Informatica Network, visit
https://network.informatica.com.

As an Informatica Network member, you have the following options:

• Search the Knowledge Base for product resources.


• View product availability information.
• Create and review your support cases.
• Find your local Informatica User Group Network and collaborate with your peers.

Informatica Knowledge Base


Use the Informatica Knowledge Base to find product resources such as how-to articles, best practices, video
tutorials, and answers to frequently asked questions.

To search the Knowledge Base, visit https://search.informatica.com. If you have questions, comments, or
ideas about the Knowledge Base, contact the Informatica Knowledge Base team at
[email protected].

Informatica Documentation
Use the Informatica Documentation Portal to explore an extensive library of documentation for current and
recent product releases. To explore the Documentation Portal, visit https://docs.informatica.com.

6
Informatica maintains documentation for many products on the Informatica Knowledge Base in addition to
the Documentation Portal. If you cannot find documentation for your product or product version on the
Documentation Portal, search the Knowledge Base at https://search.informatica.com.

If you have questions, comments, or ideas about the product documentation, contact the Informatica
Documentation team at [email protected].

Informatica Product Availability Matrices


Product Availability Matrices (PAMs) indicate the versions of the operating systems, databases, and types of
data sources and targets that a product release supports. You can browse the Informatica PAMs at
https://network.informatica.com/community/informatica-network/product-availability-matrices.

Informatica Velocity
Informatica Velocity is a collection of tips and best practices developed by Informatica Professional Services
and based on real-world experiences from hundreds of data management projects. Informatica Velocity
represents the collective knowledge of Informatica consultants who work with organizations around the
world to plan, develop, deploy, and maintain successful data management solutions.

You can find Informatica Velocity resources at http://velocity.informatica.com. If you have questions,
comments, or ideas about Informatica Velocity, contact Informatica Professional Services at
[email protected].

Informatica Marketplace
The Informatica Marketplace is a forum where you can find solutions that extend and enhance your
Informatica implementations. Leverage any of the hundreds of solutions from Informatica developers and
partners on the Marketplace to improve your productivity and speed up time to implementation on your
projects. You can find the Informatica Marketplace at https://marketplace.informatica.com.

Informatica Global Customer Support


You can contact a Global Support Center by telephone or through the Informatica Network.

To find your local Informatica Global Customer Support telephone number, visit the Informatica website at
the following link:
https://www.informatica.com/services-and-training/customer-success-services/contact-us.html.

To find online support resources on the Informatica Network, visit https://network.informatica.com and
select the eSupport option.

Preface 7
Chapter 1

Introduction to Dynamic Data


Masking Accelerator for use with
SAP
This chapter includes the following topics:

• Accelerator Overview, 8
• Dynamic Data Masking with the SAP Client Process, 8

Accelerator Overview
Use the accelerator to implement Dynamic Data Masking with an SAP application. The accelerator package
contains predefined Dynamic Data Masking connection and security rules for common masking
requirements.

The accelerator is in the Dynamic Data Masking installation folder as an additional component that you can
configure to work with an SAP application. You can use the accelerator to mask data based on the
application user that accesses the SAP application.

You must use an SAP client application to use the accelerator.

Dynamic Data Masking with the SAP Client Process


SAP caches SQL requests sent to the database. Dynamic Data Masking Accelerator for use with SAP stores
the modified SQL request in the SAP cache.

The Dynamic Data Masking Server is used once for each unique SQL statement. After Dynamic Data Masking
modifies a statement, the SAP cache stores the modified statement. When you send a request to the
database, the SAP engine searches the cache for the request. If the request is not in the cache, the request
goes through the Dynamic Data Masking Server

8
Chapter 2

Accelerator Setup
This chapter includes the following topics:

• Accelerator Setup Overview, 9


• Verify Requirements, 10
• Deploy the Java Servlet, 10
• Create Dynamic Data Masking Database Administrator User, 12
• Compile the Database Objects, 13
• Configure the Cache Reset Tool, 14
• Create a Database Connection, 16
• Import Connection Rules, 17
• Import Application Security Rules, 17
• Create Development Security Rules, 18
• Reset SAP Cache, 18

Accelerator Setup Overview


Set up the accelerator to use predefined connection and security rules.

You can find the accelerator in the following directory:

<Dynamic Data Masking installation>\Accelerators\SAP

To set up the accelerator, perform the following tasks:

1. Verify the requirements.


2. Deploy the Java servlet.
3. Create a Dynamic Data Masking database administrator user.
4. Compile the database objects.
5. Configure the Cache Reset Tool.
6. Create a Dynamic Data Masking Oracle database connection.
7. Import the accelerator connection rules.
8. Import the accelerator application security rules.
9. Create accelerator development security rules.
10. Reset the SAP cache.

9
Verify Requirements
Verify the following requirements before you use the accelerator:

• The Dynamic Data Masking Server and Management Console version 9.1.0 or later must be installed.
• You must have an Oracle database configured for SAP.
• The SAP Java Connector must be installed.
• Apache Tomcat version 7.0 or later must be installed.

Install SAP Java Connector


You must have SAP Java Connector installed on the machine that hosts the Dynamic Data Masking Server
and the machine that hosts the Dynamic Data Masking Java servlet.

You can download SAP Java Connector from the following URL:

http://service.sap.com/connectors

Download SAP Java Connector version 2.1 or later and choose the file for the platform that hosts the
Dynamic Data Masking server or Apache Tomcat web server.

Install Apache Tomcat


Apache Tomcat Server version 7.0 or later must be installed to use the accelerator.

You can download Apache Tomcat from the following URL:

http://tomcat.apache.org/download-70.cgi

Java 1.6 or later must be installed on the machine with Apache Tomcat.

Install the Apache Tomcat Windows service version on Windows. Install Apache Tomcat as the root user on
Linux and UNIX.

After you install Apache Tomcat, verify that the JAVA_HOME environment variable is defined.

Deploy the Java Servlet


You must deploy the Dynamic Data Masking Java servlet to use the accelerator.

You can find the Java servlet in the following location:

<Dynamic Data Masking installation>\Accelerators\SAP\lib

Deploy the Java Servlet on Windows


Deploy the Dynamic Data Masking Java servlet on Windows.

The Apache Tomcat Windows operating service must be stopped.

1. Copy ddmsap.war from the following directory:


<Dynamic Data Masking installation>\Accelerators\SAP\lib\ddmsap.war
2. Paste ddmsap.war into the following directory:

10 Chapter 2: Accelerator Setup


<Apache Tomcat installation>\webapps
3. Copy sapjco.jar from the SAP Java Connector installation directory.
4. Paste sapjco.jar into the following directory:
<Apache Tomcat installation>\lib
5. Start the Apache Tomcat Windows operating system service.
The ddmsap war file deployment on Apache Tomcat creates the following directory:
<Apache Tomcat installation>\webapps\ddmsap
6. Stop the Apache Tomcat Windows operating system service.
7. Open logon.properties from the following location:
<Apache Tomcat installation>\webapps\ddmsap\WEB-INF\classes\logon.properties
8. Modify the logon.properties properties.
The following table describes the properties:

Property Description

jco.client.client SAP client number.

jco.client.user SAP user name.

jco.client.passwd SAP user password.

jco.client.language Language. Default is en.

jco.client.ashost IP address of the SAP environment server.

jco.client.sysnr System number in the specified host. Range is 00 to 99.

9. Start the Apache Tomcat Windows operating system service.


10. Open a browser and navigate to the following URL:
http:<Apache Tomcat IP address>:<port>/ddmsap/getsapuserdetails?processid=123
The browser displays null.

Deploy the Java Servlet on Linux and UNIX


Deploy the Dynamic Data Masking Java servlet on Linux and UNIX.

The Apache Tomcat server must be stopped.

1. Copy ddmsap.war from the following directory:


<Dynamic Data Masking installation>/Accelerators/SAP/lib/ddmsap.war
2. Paste ddmsap.war into the following directory:
<Apache Tomcat installation>\webapps
3. Copy sapjco.jar from the SAP Java Connector installation directory.
4. Paste sapjco.jar into the following directory:
<Apache Tomcat installation>/lib
5. Navigate to the following directory:
<Apache Tomcat installation>/bin

Deploy the Java Servlet 11


6. Run the following command to start the Apache Tomcat server:
./catalina.sh start
The ddmsap war file deployment on Apache Tomcat creates the following directory:
<Apache Tomcat installation>/webapps/ddmsap
7. Stop the Apache Tomcat server.
8. Open logon.properties from the following location:
<Apache Tomcat installation>\webapps\ddmsap\WEB-INF\classes\logon.properties
9. Modify the logon.properties properties.
The following table describes the properties:

Property Description

jco.client.client SAP client number.

jco.client.user SAP user name.

jco.client.passwd SAP user password.

jco.client.language Language. Default is en.

jco.client.ashost IP address of the SAP environment server.

jco.client.sysnr System number in the specified host. The range is 00 to 99.

10. Start the Apache Tomcat server.


11. Open a browser and navigate to the following URL:
http:<Apache Tomcat IP address>:<port>/ddmsap/getsapuserdetails?processid=123
The browser displays null.

Create Dynamic Data Masking Database


Administrator User
Create a Dynamic Data Masking database administrator user to use the accelerator.

Connect to the database with the sys user and run the following database commands:

CREATE USER DDMUSER IDENTIFIED BY XXXX


ALTER USER DDMUSER QUOTA UNLIMITED ON USERS
GRANT BECOME USER TO DDMUSER
GRANT CREATE SESSION TO DDMUSER
GRANT ALTER SESSION TO DDMUSER
GRANT SELECT ANY TABLE TO DDMUSER
GRANT SELECT ANY DICTIONARY TO DDMUSER
GRANT EXECUTE ON UTL_HTTP TO DDMUSER

12 Chapter 2: Accelerator Setup


GRANT DBA TO DDMUSER

Note: The database commands create a database user with the user name DDMUSER and password XXXX.
You can change the values of the user name and password.

Compile the Database Objects


Use the SQL scripts in the SAP folder to compile the database objects.

You can find the SQL script files in the following directory:
<Dynamic Data Masking installation>\Accelerators\SAP\sql\Oracle

1. Connect to the database with the Dynamic Data Masking database user you created to use the
accelerator.
2. Navigate to the following directory:
<Dynamic Data Masking installation>\Accelerators\SAP\sql\Oracle
3. Open DDM_SAP_MATCHERS_TBL.sql and replace <schema> with the Dynamic Data Masking user you
created to use the accelerator.
4. Save DDM_SAP_MATCHERS_TBL.sql and close the file.
5. Create the DDM_SAP_MATCHERS_TBL table with the following script:
DDM_SAP_MATCHERS_TBL.sql
6. Compile the SAP matchers package spec with the following script:
DDM_SAP_MATCHERS_spec.sql
7. Compile the SAP matchers package body with the following script:
DDM_SAP_MATCHERS_body.sql
8. Grant execute privileges to all users with the following database command:
GRANT EXECUTE ON DDM_SAP_MATCHERS TO PUBLIC
9. Create a public synonym for the SAP matchers package with the following database command:
CREATE PUBLIC SYNONYM DDM_SAP_MATCHERS FOR DDM_SAP_MATCHERS
10. Call the DDM_SAP_MATCHERS.SET_BASE_URL function to set the base URL of the Apache Tomcat Web
Server with the following command:
Begin
Ddm_Sap_Matchers.Set_Base_Url(<Base Web Server URL>)
End;
The base URL is in the following format:
http://<Server IP/Name>:<Port>
The following URL is an example of a base URL:
http://localhost:8080
11. Verify that you entered the correct base URL with the following select statement:
Select DDM_SAP_MATCHERS.GET_BASE_URL From Dual
12. Verify that the database objects are compiled with the following select statement:
Select DDM_SAP_MATCHERS.user_match('abcd') from dual
The returned value is zero.

Compile the Database Objects 13


Create Access Control List for Oracle 11G
If you have an Oracle 11G database, you must create an access control list to enable an outgoing network
with utl_http.

A database administrator must create the access control list because it impacts applications that use
utl_http.

Use the following script to create the access control list:


begin
DBMS_NETWORK_ACL_ADMIN.CREATE_ACL (
acl => 'www.xml', --access control list file name (.xml)
description => 'Permissions to access tomcat',
principal => 'SYSTEM', --replace with the DDM user
is_grant => TRUE,
privilege => 'connect');
COMMIT;

DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL (
acl => ‘www.xml', --the file name you gave in the precedent
command
host => '*'); --which host is available for the access control
COMMIT;
End ;

Configure the Cache Reset Tool


Configure the Cache Reset Tool to clear the SAP cache. If you use the Cache Reset Tool, you do not need to
restart the SAP environment to clear the SAP cache.

Reset the SAP cache when you modify the Dynamic Data Masking accelerator security rules.

You must have the SAP Java Connector installed before you can use the Cache Reset Tool.

Before you configure the Cache Reset Tool, import the transport functions into the SAP environment. You can
find the transport functions in the following location:

<Dynamic Data Masking installation>\Accelerators\SAP\ThirdParty

Configure the Cache Reset Tool on Windows


Configure the Dynamic Data Masking Cache Reset Tool on Windows.

1. Open resetsapcache.bat from the following directory:


<Dynamic Data Masking installation>\Accelerators\SAP\resetsapcache.bat
2. Add sapco.jar to the Java class path in resetsapcache.bat.
The following sapco.jar excerpt shows the Java class path:
SET CP="$myRoot/lib/ResetSapCache.jar:jar;<SAP Java Connector installation>/sapjco.jar"
3. Open sample_logon.properties from the following directory:
<Dynamic Data Masking installation>\Accelerators\SAP\sample_logon.properties
4. Edit the sample_logon.properties properties.

14 Chapter 2: Accelerator Setup


The following table describes the properties:

Property Description

jco.client.client SAP client number.

jco.client.user SAP user name.

jco.client.passwd SAP user password.

jco.client.language Language. Default is en.

jco.client.ashost IP address of the SAP environment server.

jco.client.sysnr System number in the specified host. The range is 00 to 99.

5. Save sample_logon.properties as logon.properties in the following directory:


<Dynamic Data Masking installation>\Accelerators\SAP
6. Run the following command to clear the SAP cache:
<Dynamic Data Masking installation>\Accelerators\SAP \resetsapcache.bat

Configure the Cache Reset Tool on Linux and UNIX


Configure the Dynamic Data Masking Cache Reset Tool on Linux and UNIX.

1. Open the resetsapcache file from the following directory:


<Dynamic Data Masking installation>/Accelerators/SAP
2. Add sapco.jar to the Java class path in the resetsapcache file.
The following sapco.jar excerpt shows the Java class path:
SET CP="lib\ResetSapCache.jar;<SAP Java Connector installation>\sapco.jar
3. Open sample_logon.properties from the following directory:
<Dynamic Data Masking installation>/Accelerators/SAP/sample_logon.properties
4. Edit the sample_logon.properties properties.
The following table describes the properties:

Property Description

jco.client.client SAP client number.

jco.client.user SAP user name.

jco.client.passwd SAP user password.

jco.client.language Language. Default is en.

jco.client.ashost IP address of the SAP environment server.

jco.client.sysnr System number in the specified host. The range is 00 to 99.

Configure the Cache Reset Tool 15


5. Save sample_logon.properties as logon.properties in the following directory:
<Dynamic Data Masking installation>/Accelerators/SAP
6. Run the following command to clear the SAP cache:
<Dynamic Data Masking installation>/Accelerators/SAP/ResetSapCache

Create a Database Connection


Create a Dynamic Data Masking database connection for Oracle in the Management Console.

1. Log in to the Dynamic Data Masking Management Console.


2. Highlight the Dynamic Data Masking Server in the Management Console tree and select Tree > Add DDM
Services.
The Add DDM Services window appears.
3. Check DDM for Oracle and click OK.
The DDM for Oracle node appears in the Management Console tree.
4. Highlight a domain node or the Management Console tree root node and select Tree > Add Database.
The Add Database window appears.
5. Select the Oracle database type.
6. Configure the Oracle database connection parameters.
The following table describes the database connection parameters:

Parameter Description

Database Name Logical name defined for the target database.

Instance Name Instance name for the target database.

Listener Address Server host name or TCP/IP address for the target database.

Listener Port TCP/IP listener port for the target database.

Listener Service Name Service name for the target database.

DBA Username The user name of the user you created to use the accelerator.

DBA Password Password for the user you created to use the accelerator.

7. Click Test Connection and verify that Dynamic Data Masking is connected to the database.
8. Click OK.
The database node appears in the Management Console.

16 Chapter 2: Accelerator Setup


Import Connection Rules
Import the accelerator connection rules into the Management Console.

1. Highlight the DDM for Oracle node in the Management Console tree and select Tree > Connection Rules.
The Rule Editor opens.
2. In the Rule Editor, highlight the DDM for Oracle node in the tree and select Action > Import.
The Import window opens.
3. Navigate to the following directory:
<Dynamic Data Masking installation>\Accelerators\SAP\rules\Oracle
4. Select SAPConnectionRules.xml and click Import.
The SAPAppConnRule and SAPDevConnRule connection rules appear in the Rule Editor.
5. Select File > Update Rules to save the connection rules.
6. Select File > Exit to close the Rule Editor.

Note: If you modify the SAP connection rules, you must log out of the SAP application and log in again.

Import Application Security Rules


Import the accelerator application security rules into the Management Console.

1. Highlight the Management Console tree root node and select Tree > Add Rule Set.
The Add Rule Set window opens.
2. Enter SAPAppRuleSet as the rule set name and click OK.
The SAPAppRuleSet rule appears in the Management Console tree.
3. Highlight the SAPAppRuleSet rule set and select Tree > Security Rule Set.
The Rule Editor opens.
4. In the Rule Editor, select Action > Import.
The Import window opens.
5. Navigate to the following directory:
<Dynamic Data Masking installation>\Accelerators\SAP\rules\Oracle
6. Select SAPAppRuleSet.xml and click Import.
The MatchSAPTables rule folder appears in the Rule Editor.
7. Expand the MatchSAPTables rule folder to view the UserHandling folder.
8. Expand the UserHandling folder to view the CustomerMasking, EmployeeMasking, VendorMasking,
BlackList, and WhiteList folders.
9. Define masking rules in the Rule Editor. Highlight a rule and select Action > Edit to open the Edit Rule
window.
10. Select File > Update Rules to save the security rules.
11. Select File > Exit to close the Rule Editor.
If you modify the accelerator security rules, you must reset the SAP cache.

Import Connection Rules 17


Create Development Security Rules
Create the accelerator development security rules in the Management Console.

1. Highlight the Dynamic Data Masking Server node in the Management Console tree and select Tree > Add
Rule Set.
The Add Rule Set window opens.
2. Enter SAPDevRuleSet as the rule set name and click OK.
The SAPDevRuleSet rule set appears in the Management Console tree.
3. Highlight the SAPDevRuleSet rule set and select Tree > Security Rule Set.
The Rule Editor opens.
4. Highlight the SAPDevRuleSet rule set and select Action > Import to open the Append Rule window and
edit the rule.
5. Create security rules for SAP development tools. Select Action > Insert Rule to create new rules.
6. Select File > Update Rules to save the security rules.
7. Select File > Exit to close the Rule Editor.
If you modify the accelerator security rules, you must reset the SAP cache.

Reset SAP Cache


If you modify the SAPAppRuleSet or SAPDevRuleSet security rules, you must reset the SAP cache. You must
configure the Cache Reset Tool before you use the tool.

Run the following command to reset the SAP cache:

<Dynamic Data Masking installation>\Accelerators\SAP\ResetSapCache.bat

18 Chapter 2: Accelerator Setup


Chapter 3

Accelerator Rules
This chapter includes the following topics:

• Accelerator Rules Overview, 19


• Connection Rules, 19
• SAPDevRuleSet Security Rule Set, 20
• SAPAppRuleSet Security Rule Set, 21

Accelerator Rules Overview


The accelerator contains an Oracle connection rule set and multiple security rule sets. The rule sets contain
predefined rules that are common masking techniques.

The connection rule set contains rules that direct the SQL statement to the security rule sets. The security
rule sets determine how the data is masked. You can modify the rules to alter the masking techniques.

The following table describes the accelerator rule sets:

Rule Set Description

Connection Rule Set An Oracle connection rule set that directs SQL requests to the SAPDevRuleSet and
SAPAppRuleSet security rule sets.

SAPDevRuleSet A security rule set that masks rules that do not come from an SAP client. You use the
SAPDevRuleSet for SQL requests from the development team.

SAPAppRuleSet A security rule set that masks rules that come from an SAP client. The SAPAppRuleSet masks
requests sent from non-development team users.

Connection Rules
The accelerator connection rules direct SQL requests to security rule sets. The connection rules are
SAPDevConnRule and SAPAppConnRule.

The SAPDevConnRule connection rule matches SQL requests that do not come from an SAP client. It directs
requests to the SAPDevRuleSet security rule set. You can use SAPDevConnRule to direct requests from
development tools such as Toad and SQL Developer.

19
The SAPAppConnRule connection rule matches SQL requests that come from an SAP client. It directs
requests to the SAPAppRuleSet security rule set. You can use SAPAppConnRule to direct requests that come
from non-development tools.

The following table describes the accelerator connection rules:

Rule Description

SAPDevConnRule Directs requests that do not come from an SAP client to the SAPDevRuleSet security rule set.

SAPAppConnRule Directs requests that come from an SAP client to the SAPAppRuleSet security rule set.

SAPDevConnRule Connection Rule


The SAPDevConnRule connection rule directs all database requests that do not come from an SAP client to
the SAPDevRuleSet security rule set. You can use the SAPDevConnRule rule to direct requests that come
from the development team.

The SAPDevConnRule connection rule uses the Client/Application Information matcher to identify incoming
requests. The matcher contains items on the exclude list that identify SAP clients. The connection rule is
applied to any request that comes from a tool that is not on the exclude list. The rule action specifies that
Dynamic Data Masking uses the SAPDevRuleSet security rule set for the request.

For example, if the development team accesses the database through SQL Developer, the SAPDevConnRule
rule directs the request to the SAPDevRuleSet security rule set.

SAPAppConnRule Connection Rule


The SAPAppConnRule connection rule directs all database requests from an SAP client to the
SAPAppRuleSet security rule set. You can use the SAPAppConnRule rule for non-development purposes.

The SAPAppConnRule connection rule uses the Client/Application Information matcher to identify incoming
requests. The matcher contains items on the include list that identify SAP clients. The connection rule is
applied to any request that comes from a tool that is on the include list. The rule action specifies that
Dynamic Data Masking uses the SAPAppRuleSet security rule set for the request.

For example, if a user accesses the database through an SAP client, the SAPAppConnRule rule directs the
request to the SAPAppRuleSet security rule set.

SAPDevRuleSet Security Rule Set


The SAPDevRuleSet security rule set receives requests from the SAPDevConnRule connection rule if the
request does not come from an SAP client.

The SAPDevRuleSet security rule set does not contain any rules. Create masking rules in the SAPDevRuleSet
security rule set that mask data when a request comes from a development tool.

For example, the development team works from 8:00 a.m. to 5:00 p.m. You want to block access to the
database from development tools when the development team is not at work. Create a security rule in the
SAPDevRuleSet security rule set that uses the Time of Day matcher to block requests to the database at all
other times of day.

20 Chapter 3: Accelerator Rules


SAPAppRuleSet Security Rule Set
The SAPAppRuleSet security rule set receives SQL requests from the SAPAppConnRule connection rule if the
request comes from an SAP client. You can mask data based on the type of user that accesses the database.

The following table describes the rule folders in the SAPAppRuleSet security rule set:

Rule Folder Description

BlackList Contains the BlackListDefinition and ExecuteUnion rules.

CustomerMasking Contains masking rules for customers.

EmployeeMasking Contains masking rules for employees.

UserHandling Contains masking rules based on the application user that accesses the data.

VendorMasking Contains masking rules for vendors.

WhiteList Contains the WhiteListDefinition and ExecuteUnion rules.

The following table describes the rules in the SAPAppRuleSet security rule set:

Rule Description

BlackListDefinition Defines the users that receive masked data. Separate users with a comma.

ExecuteUnion Rewrites the SQL request.

RULE_EMAIL_MASK Masks email addresses.

RULE_NAMEMASK Masks names.

RULE_STREET_MASK Masks addresses.

RULE_TELENO Masks telephone numbers.

SaveOrig Saves the original SQL request.

WhiteListDefinition Defines the users that receive unmasked data. Separate users with a comma.

BlackList Rule Folder


The BlackList rule folder is a security rule folder that defines the users that receive masked data.

You can define the list of BlackList users in the BlackListDefinition security rule. The security rule uses the
Define Symbol action to create a list of users that view masked data. Separate user names with a comma.

If you want to mask data based on the users in the BlackList folder, enable the BlackList folder and disable
the WhiteList folder.

For example, you have 100 users. You want to mask data when 20 of the users access the database. Enable
the BlackList folder and disable the WhiteList folder. List the 20 users in the BlackListDefinition rule. Dynamic
Data Masking will mask data when a request is sent from one of the users in the BlackListDefinition rule.

SAPAppRuleSet Security Rule Set 21


WhiteList Rule Folder
The WhiteList rule folder is a security rule folder that defines the users that receive unmasked data.

You can define the list of WhiteList users in the WhiteListDefinition security rule. The security rule uses the
Define Symbol action to create a list of users that view unmasked data. Separate user names with a coma.

If you want to mask data based on the users in the WhiteList folder, enable the WhiteList folder and disable
the BlackList folder.

For example, you want the database administrator to view unmasked data. You want everyone else to see
masked data. Enable the WhiteList folder and disable the BlackList folder. List the database administrator in
the WhiteListDefinition rule. Dynamic Data Masking will mask data for everyone that is not the database
administrator. The database administrator will view unmasked data.

22 Chapter 3: Accelerator Rules


Index

A R
accelerator rule sets
setup 9 connection rule set 19
application security rule sapappruleset 21
import 17 sapdevruleset 20
security rule set 20
rules

C blacklist 21
blacklistdefinition 21
connection rule executeunion 21
import 17 rule_email_mask 21
rule_name_mask 21
rule_street_mask 21

D rule_teleno 21
sapappconnrule 19, 20
development security rule sapdevconnrule 19, 20
create 18 saveorig 21
whitelist 22
whitelistdefinition 22

F
folders
blacklist 21
S
customermasking 21 security rules
employeemasking 21 create 18
userhandling 21 import 17
vendormasking 21
whitelist 22

23

You might also like