Tips and Best Practices
Tips
# | Description |
---|---|
1 | **Properties File.** The values in the properties file are case-sensitive: `yes` is not `YES`, and `tcp` is not `TCP`. Follow the example of the default properties file. |
2 | **Modifying the Properties File.** For any change in the properties file to take effect, the database must be restarted. |
3 | **Setting Connection_Timeout.** If the client is working with many versions of a key, do not set the `Connection_Timeout` parameter too low; otherwise the client connection may close before the operation is complete. |
4 | **Protocol Parameter.** The `Protocol` parameter specifies the protocol used to communicate between the client and the CipherTrust Manager. Possible options are `tcp` and `ssl`. If TLSv1.0, TLSv1.1, and TLSv1.2 are disabled on the servers, SSL connections cannot be established between NAE clients and servers. Note: TLSv1.1 and TLSv1.2 are supported for DB2 using JRE versions 1.7 and above. |
5 | **Partitioning Key.** The partitioning key itself cannot be encrypted. If the table contains a nullable partitioning key, no columns can be encrypted. |
6 | **User Authorization.** User authorization comes into effect only after the migration is complete. Even if an error replacement value is set, all users can see the actual data while migration is in progress. Do not grant users who are not permitted to view sensitive information access to the table holding that data until migration is complete. |
7 | **Choosing an Encryption Algorithm.** Use an AES key (any size) or a 168-bit DES-EDE key, as these ciphers are stronger than the others. Do not use DES keys, because DES is considered a weak cipher. |
8 | **Modifying Encrypted Tables.** Once a table is migrated, it is strongly recommended not to do any of the following: drop or rename the encrypted table; drop or rename the encrypted column; change the data type or extend the length of an encrypted column; modify the data type of the encrypted column; rename the IV column; rename a view that was created; rename a trigger that was created. |
9 | **Deleting Views and Triggers.** Executing INSERT, UPDATE, or DELETE statements on the table after deleting the views and triggers, but before unencrypting the table, can lead to data loss. Recreate the views and triggers before executing these statements. |
10 | **Mapping Precedence.** Mappings take precedence in the following order: individual > database role > Default Mapping. |
11 | **Modifying Group Permissions in Local Mode.** In Local Mode, if a group's permission on a key is changed from Decrypt Always to Decrypt Never, or vice versa, DB2 must be restarted for the change to take effect. |
12 | **Authorization Policy.** Any group permission change made after the Authorization policy's Maximum Operations count is reached requires a DB2 restart to take effect. |
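As an added example (not part of this documentation or of the product), a small Python check that applies tips 1, 3 and 4 to a properties file before the restart from tip 2. Only `Protocol` and `Connection_Timeout` are key names taken from the tips above; the timeout floor of 30 and the key `Use_Persistent_Connections` in the constructed sample are assumptions.

```python
# Checks the pitfalls from tips 1, 3 and 4: case-sensitive values, Protocol limited
# to tcp/ssl, and a Connection_Timeout set too low. Threshold is an assumption.
ALLOWED_VALUES = {"Protocol": {"tcp", "ssl"}}
MIN_CONNECTION_TIMEOUT = 30  # assumed floor; the page gives no number or unit

def parse_properties(text):
    """Parse key=value lines, preserving case; blanks and '#' comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def lint_properties(props):
    """Return (key, message) findings; an empty list means no pitfall was found."""
    findings = []
    for key, value in props.items():
        allowed = ALLOWED_VALUES.get(key)
        if allowed is not None and value not in allowed:
            if value.lower() in allowed:
                findings.append((key, f"'{value}' has the wrong case; use '{value.lower()}'"))
            else:
                findings.append((key, f"'{value}' is not one of {sorted(allowed)}"))
        elif value.lower() in ("yes", "no") and value != value.lower():
            findings.append((key, f"'{value}' has the wrong case; use '{value.lower()}'"))
    timeout = props.get("Connection_Timeout")
    if timeout is not None and not timeout.isdigit():
        findings.append(("Connection_Timeout", f"'{timeout}' is not a non-negative integer"))
    elif timeout is not None and int(timeout) < MIN_CONNECTION_TIMEOUT:
        findings.append(("Connection_Timeout", f"{timeout} is below {MIN_CONNECTION_TIMEOUT}; "
                         "operations on keys with many versions may be cut off"))
    return findings

def lint_text(text):
    return lint_properties(parse_properties(text))

SAMPLE = """# constructed sample; Use_Persistent_Connections is a hypothetical key
Protocol=TCP
Connection_Timeout=5
Use_Persistent_Connections=YES
"""

for key, message in lint_text(SAMPLE):
    print(f"{key}: {message}")
```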
Limitations
The following table provides a quick reference to CDP for DB2 limitations:
# | Description |
---|---|
1 | **User-Specified Error Replacement Value for BLOB/CLOB.** For users without sufficient permissions to access the migrated data, CDP can be configured to return any of the following: the standard "insufficient permissions" error; a NULL value (instead of the error); a user-specified error replacement value. For BLOB/CLOB data types, CDP does not support the user-defined error replacement value; the standard error and NULL value replacement are supported. |
2 | **Running the Data Migration Process.** When migrating, rotating keys, or unencrypting BLOB and CLOB data types, the batch size is 1. |
3 | **BLOB/CLOB Data Size Limitation.** For BLOB/CLOB, the maximum data size supported for cryptographic operations is 128 MB. |
4 | **XML Data Type Cannot Be Encrypted.** A table containing an XML data type cannot be migrated. |
5 | **BLOB/CLOB Data Types Cannot Be Migrated with Other Data Types.** Migration, key rotation, or unencryption of BLOB/CLOB data types is not allowed together with other data types; migrate these data types separately. Note: If the user mapping is incorrect, migration will fail. To resume the migration process, correct the user mapping first. |