To create a Domain, follow the steps below:
Click the Add Domain button in the Domain Creation and Selection panel. The Add Domain slider window pops up.
Enter a unique name and description for the domain in the Domain Name and Domain Description fields, respectively. Select the keystore from the Key Store drop-down; this field lists all available system and custom-generated key stores. Select the IDP for which the domain is defined from the IDP drop-down.
Select the type of encryption key from the Encryption Key drop-down. Once an encryption key is selected, enter the Encryption Key Password.
In the same manner, select the type of FP encryption key from the FP Encryption Key drop-down and enter the FP Encryption Key Password.
Enter the salt in the FP Encryption Salt field.
Select either the Passphrase or the PBKDF2 option in the FPM/SL Key field.
When Passphrase is selected in the FPM/SL Key option, enter the passphrase and queue number in the FPM/SL Passphrase and Queue fields, respectively.
When PBKDF2 is selected in the FPM/SL Key option, enter the passphrase and salt in the FPM/SL Passphrase and Salt fields, respectively. Select the type of hash function from the Hash Function drop-down. Enter a numeric value in the Derivation Key Length field to set the length of the generated key.
Enter numeric values in the Iterations and Queue fields.
After filling in the required details in the Add Domain pop-up, click Save to add the domain or Cancel to discard it. After saving the domain details, assign policies to the newly created domain in the Assign Policies to Domains panel. The same policies must be chosen in the protection tasks that run across the locations specified in the domain.
*Note: The Assign Policies panel is not required when creating a domain for RDBMS.
The last step is to add a directory for the domain, where global consistency can be scoped and destination directories for protected files are specified.
To maintain consistency across all databases or directories, the same domain must be linked in all the tabs under the Domain page. All unique data values discovered within locations under a domain are masked/encrypted the same way. For example, a Social Security Number found within an S3 bucket and an RDBMS database is masked with the same value in both locations.
For example, in the above image, the same domain name is specified in all tabs to maintain consistency across different databases. The domain name AES_Enc is specified in the DBMS DBs/Tables and Files Directories tabs (highlighted in RED). The directory mapping in this image displays the Source and Branch directory, i.e., the location of the unmasked file, and the Destination directory, i.e., the location of the masked file.
To add a directory, follow the steps below. This allows you to specify the values for the attributes on which the directory mapping in the Domain is based.
Select the directory from the Selected: <database_directory> drop-down in the bottom panel.
Click the Add Directory button (or the Add Namespace/Table button for HBase) next to the Selected: <database_directory> button to add the directory where the source file is kept. This allows you to specify the attributes listed below to finish setting up the domain.
For RDBMS: Specify the following attributes.
Select Connection – Select a connection from the drop-down.
Domains – Select a domain from the drop-down.
Select Schema/DB – Select the requisite schema/database from this panel. This populates the table panel and displays all the tables which are associated with it.
Table name – Select the table by checking the checkbox available with the table name to include it.
Click Add to add the details for review in the panel below. Click Save to save the changes on the domain screen.
For HDFS, Files, AWS, and Azure: Specify the following attributes.
Source Directory – This field specifies the location of the target files for masking/encryption.
Domains – This drop-down displays the list of all the domains that you have defined. Select the domain.
Branch Point – This field preserves the source directory structure and re-creates it in the destination directory, starting from the branch point.
Destination Directory – This field specifies the location of the target files (protected) once the protection process is completed.
Click Save to save the changes on the domain screen.
For Hive, HBase, and BigQuery: Specify the following attributes.
Select clusters – Select the required cluster from this drop-down.
Select Source DB/Table (or Namespace/Table) – Select the source database/table/namespace from the panel by checking the checkbox next to it. Click the expand icon to list the tables within it.
Domains – Select the domain from the drop-down.
Define Destination DB (or Namespace) – Specify the destination database/namespace by selecting the requisite database from the Select DB drop-down. Specify the prefix of the destination table in the Destination Table Prefix textbox. To create a new destination database, select Create New DB and add the name in the textbox below it. For Hive, the Db Location textbox is enabled so that you can specify the location of the newly created database.
Click Add to add the details for review in the panel below. Click Save to save the changes on the Domain screen.
The Branch Point must be the same as the Source Directory or a parent of the Source Directory. It cannot be a subdirectory of the Source Directory, and it cannot be a path completely outside the Source Directory hierarchy.
The Destination Directory cannot be a subdirectory of the Source Directory.
The following examples illustrate how the Branch Point affects the Destination Directory's layout:
Source Directory: /a1/b1/c1
Branch Point: /a1/b1/c1
Destination Directory: /out1
Branch Point: /
Destination Directory: /out1
Branch Point: /a1/b1
Destination Directory: /a1/out2
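As an added example (not part of this documentation or of the PK Protect product), the following Python checks the two Branch Point rules above and shows, for the three mappings listed, where a file under /a1/b1/c1 would land. It assumes that the part of a file's path below the Branch Point is re-created under the Destination Directory, and uses a constructed file name, record.csv.

```python
from pathlib import PurePosixPath


def _same_or_parent(parent: str, child: str) -> bool:
    """True when `parent` equals `child` or is an ancestor of it (POSIX paths)."""
    p, c = PurePosixPath(parent), PurePosixPath(child)
    return p == c or p in c.parents


def validate_mapping(source_dir: str, branch_point: str, destination_dir: str) -> list:
    """Return the rule violations for a mapping (an empty list means it is valid)."""
    errors = []
    # Rule 1: the Branch Point must be the Source Directory itself or one of its
    # parents; this rejects both subdirectories of the source and unrelated paths.
    if not _same_or_parent(branch_point, source_dir):
        errors.append(f"Branch Point {branch_point!r} must be {source_dir!r} or a parent of it")
    # Rule 2: the Destination Directory must not be a subdirectory of the Source Directory.
    src, dst = PurePosixPath(source_dir), PurePosixPath(destination_dir)
    if src in dst.parents:
        errors.append(f"Destination Directory {destination_dir!r} is inside {source_dir!r}")
    return errors


def destination_path(source_file: str, source_dir: str, branch_point: str, destination_dir: str) -> str:
    """Compute where the protected copy of `source_file` lands (assumed re-creation rule)."""
    errors = validate_mapping(source_dir, branch_point, destination_dir)
    if errors:
        raise ValueError("; ".join(errors))
    f = PurePosixPath(source_file)
    if not _same_or_parent(source_dir, str(f.parent)):
        raise ValueError(f"{source_file!r} is not under Source Directory {source_dir!r}")
    # Assumption: the path below the Branch Point is re-created under the Destination Directory.
    return str(PurePosixPath(destination_dir) / f.relative_to(branch_point))


if __name__ == "__main__":
    # Constructed sample file; the three mappings are the ones listed above.
    sample = "/a1/b1/c1/record.csv"
    for branch, dest in [("/a1/b1/c1", "/out1"), ("/", "/out1"), ("/a1/b1", "/a1/out2")]:
        print(f"Branch Point {branch}, Destination {dest} -> {destination_path(sample, '/a1/b1/c1', branch, dest)}")
    # An invalid Branch Point (a subdirectory of the source) is reported rather than mapped.
    print(validate_mapping("/a1/b1/c1", "/a1/b1/c1/d1", "/out1"))
```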
All child directories of a parent directory that is mapped to a domain automatically become part of that domain. Child directories can also be assigned their own domain, if needed. Domains can be created within the PK Protect UI or via the REST API with the Customer Success team's guidance.