Your suggested change has been received. Thank you.

Suggest A Change

Thank you! Your suggestion has been submitted.

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

There are some errors in your form.

Your Name This field is required

Your Email This field is required

How can we improve this content? This field is required

Administration
Release Notes

All

All

Advanced Topics

Error Replacement

Please Note:

Administration
Quick Start
Alternative installation methods
- Silent Installation
- Install CDP for DB2 on IBM DB2 pureScale
- Install CDP for DB2 on IBM PureData System for Transaction
- Install CDP using Chef Scripts
Tasks
- Encrypt a column
- Decrypt a column
- Re-encrypt data with new key
- Delete data after encryption or decryption
- Configure column-level encryption settings
- Delete views and triggers
- Altering encrypted tables
  - Add unencrypted column
  - Add column to encrypt
  - Delete decrypted column
  - Delete encrypted column
  - Resize unencrypted column
  - Resize an encrypted column
  - Grant/revoke table and column permissions
- View job history
- Recreate view and triggers
- Download keys from CipherTrust Manager
- Upgrade CDP
- Uninstall CDP
- Install Unrestricted JCE Policy Files
- Configure SSL connection
- Install Files for Client Certificate Authentication
Advanced Topics
- Planning Encryption
  - Standard Encryption
  - Format Preserving Encryption
- Encryption Flow
- Key caching
- Tables and Views
- Database objects
  - UDFs for Non-FPE
    - How to Call Direct DB2 UDFs for Non-FPE Algorithms
  - UDFs for FPE
    - How to Call Direct DB2 UDFs for FPE Algorithms
  - Stored Procedure
- Configuration Parameters
  - Network Configuration Parameters
  - Connection Configuration Parameters
  - Local Encryption Configuration Parameters
  - SSL Configuration Parameters
  - Logging Configuration Parameters
- User Mapping
- Error Replacement
Tips and Best Practices
Troubleshooting
FAQs

CDP for DB2
Administration
Advanced Topics
Error Replacement

Error Replacement

If a database user attempts to access encrypted data to which they do not have decryption permission, the system returns an error message. You can specify the content of those permission–related errors using the replacement values feature. You can use the Error Replacement Value field on the Column Properties section to specify that the system return a specific value, a NULL value, or the original standard error.

If users without sufficient permissions access the migrated data, CDP can be configured to return any of the following:

Standard “insufficient permissions” error
NULL value (not the error)
User specified error replacement value
Return encrypted value for FPE encryption

Important

Replacement values are not returned if a query yields a NULL value. When a query results in a NULL value, no cryptographic process is required, so CDP for DB2 does not interact with the Key Manager and the replacement values feature is not activated.
When CDP performs crypto operations in local mode, the error replacement values also get cached. The values remain in the cache until the time specified in Symmetric_Key_Cache_Expiry has passed.
For large object data types, CDP does not support the user-defined error replacement value. Standard error and Null value replacement are supported.
If there is an empty record in a column, then instead of the Error Replacement value, empty is displayed.
Replacement values cannot be set to null for the following column types:
- VARCHAR
- CHAR
- TIME
- TIMESTAMP

Note

Error replacement can't be set for VARGRAPHIC datatype.

On this page

CDP for DB2

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Support
- Support Contacts
- Text Conventions
Legal

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com