Please Note:

Administration
Quick Start
Alternative installation methods
- Silent Installation
- Install CDP for DB2 on IBM DB2 pureScale
- Install CDP for DB2 on IBM PureData System for Transaction
- Install CDP using Chef Scripts
Tasks
- Encrypt a column
- Decrypt a column
- Re-encrypt data with new key
- Delete data after encryption or decryption
- Configure column-level encryption settings
- Delete views and triggers
- Altering encrypted tables
  - Add unencrypted column
  - Add column to encrypt
  - Delete decrypted column
  - Delete encrypted column
  - Resize unencrypted column
  - Resize an encrypted column
  - Grant/revoke table and column permissions
- View job history
- Recreate view and triggers
- Download keys from CipherTrust Manager
- Upgrade CDP
- Uninstall CDP
- Install Unrestricted JCE Policy Files
- Configure SSL connection
- Install Files for Client Certificate Authentication
Advanced Topics
- Planning Encryption
  - Standard Encryption
  - Format Preserving Encryption
- Encryption Flow
- Key caching
- Tables and Views
- Database objects
  - UDFs for Non-FPE
    - How to Call Direct DB2 UDFs for Non-FPE Algorithms
  - UDFs for FPE
    - How to Call Direct DB2 UDFs for FPE Algorithms
  - Stored Procedure
- Configuration Parameters
  - Network Configuration Parameters
  - Connection Configuration Parameters
  - Local Encryption Configuration Parameters
  - SSL Configuration Parameters
  - Logging Configuration Parameters
- User Mapping
- Error Replacement
Tips and Best Practices
Troubleshooting
FAQs

CDP for DB2
Administration
Advanced Topics
User Mapping

User Mapping

A user mapping is an association between a database user or a database role and a local user on the Key Manager. CDP for DB2 uses this user mapping to authenticate with the Key Manager before submitting cryptographic requests.

CDP for DB2 authenticates to the Key Manager as the NAE user mapped to the database user who is performing the operation. (If the database user is valid, but is not specifically listed, the default mapping value is used, when enabled.) If the user mapping contains a valid NAE user and password, and that NAE user has permission to access the key required for the operation, then the request is honored. However, if either of the conditions above is not met, then the operation is not performed.

A valid user mapping is needed to create triggers and views regardless of database environment.

Some features may need to be enabled for all database users not otherwise listed on the User Mappings section. To do this, the Default Mapping value should be associated with a specific NAE user. For example, an NAE user with access to global keys can be created, or an NAE user with access to no specific permissions can be created to enable the replacement value feature.

You can create and manage user mapping using any of these options:

CipherTrust Manager UI. Refer to Managing User Mappings for details.
pdbctl utility. Refer to the pdbctl utility documentation for details.

Default Mapping

The default mapping is a catch-all CipherTrust Manager user connected to the CipherTrust Manager when no user mapping exists for a database user. When there is no default mapping and an unmapped database user attempts to access sensitive data, CDP returns an error message and does not send the request to the CipherTrust Manager. It may be useful to create a default mapping to prevent CDP from automatically returning this error.

When this feature is enabled, instead of returning an error message, CDP connects to the CipherTrust Manager as the default CipherTrust Manager user. How the CipherTrust Manager then responds to requests depends on the CipherTrust Manager configuration. The CipherTrust Manager might return following:

insufficient permissions
NULL
Pre–configured replacement value.
Return encrypted value

(This behavior is configured on the Database Column Properties screen for the encrypted column.)

When the default mapping is assigned, the system creates an entry in the ING_AUTHORIZED_USER table with the user name, ING_DEFAULT_USER. For this reason, avoid using ING_DEFAULT_USER to represent a specific database user.

Limitations

When using CDP 8.12.1 or higher versions with the CipherTrust Manager 2.15 or lower, if a user mapping is added or updated, you must execute the pdbctl utility command migrateusermap. This makes the added/updated user mapping compatible with the CipherTrust Manager. Refer to Migrate user mappings for details.

Group or Role Mapping

CDP for DB2 enables an authorized database user’s access to encryption keys. A database user or a database role can be directly mapped to a CipherTrust Manager user.

Note

If a database user, who is a member of a database role mapped to an NAE user, is also mapped individually to an NAE user, then the individual user mapping takes precedence.
If a database user belongs to multiple database roles, which are mapped to NAE users, then the user inherits the access privileges of the NAE user mapped to the role that appears first when sorted alphabetically.
The mapping priority takes precedence in the following order: individual > database role > Default Mapping.

Suggest A Change

User Mapping

Default Mapping

Limitations

Group or Role Mapping

On this page