The pinguser is a special SAKA user with the username pinguser. This user has only a single—and extremely limited—privilege: to be able to decrypt the single first encrypted record in the encryption domain and report the plaintext data associated with it. This user exists to allow Operations staff to detect if the web service is fully operational at the application layer without having access to any of the plaintext sensitive data in the encryption domain.
The first encrypted record in any encryption domain on the appliance is the well-known PAN. In SAKA version 1.0 it is a test record containing the first ten prime numbers followed by a zero: 1235711131719230. In SAKA 2.0 each node of the cluster has its own default well-known PAN: 1111000000001111 for server ID #1, 2222000000002222 on server ID #2, 3333000000003333 on server ID #3, and so on. These well-known PANs are created by the New Domain Wizard when a new encryption domain is created. Since this is the first transaction sent to the new domain on the appliance—assuming the default configuration and values are being used—the web service returns the well-known token 1000000000000001 on server ID #1, 2000000000000001 on server ID #2, and so on.
NOTE: SAKA 2.0 provides the ability to return tokens that conform to the Luhn algorithm (https://en.wikipedia.org/wiki/Luhn_algorithm). In this case, the tokens will be discontinuous; please see KAM Configuration, Section 2 for details.
The username (pinguser) and the tokens requested for decryption within each encryption domain (1000000000000001, 2000000000000001, etc.) are hard-coded into the SAKA application. Hence, when creating the pinguser credential using DACTool, the username must be exactly pinguser. Each encryption domain is expected to have only one such pinguser credential.
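A monitoring-side check built on the SAKA 2.0 default values above, added here as an example and not part of the SAKA documentation or product code. The `decrypt` callable stands in for the pinguser decryption request, whose web service API this page does not show; the function names and the extension of the pattern to server IDs 4 to 9 are assumptions.

```python
from typing import Callable, Tuple


def well_known(server_id: int) -> Tuple[str, str]:
    """Default (well-known PAN, well-known token) for a SAKA 2.0 node."""
    if not 1 <= server_id <= 9:
        # The page only says "and so on"; multi-digit IDs are not specified.
        raise ValueError("pattern is only defined here for server IDs 1-9")
    d = str(server_id)
    return d * 4 + "0" * 8 + d * 4, d + "0" * 14 + "1"


def luhn_valid(number: str) -> bool:
    """Standard Luhn check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        n = int(ch)
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def ping_check(server_id: int, decrypt: Callable[[str, str], str]) -> str:
    """Classify an application-layer health check for one node.

    decrypt(username, token) is a hypothetical wrapper around the real call.
    """
    pan, token = well_known(server_id)
    try:
        plaintext = decrypt("pinguser", token)
    except Exception as exc:
        return "DOWN: " + type(exc).__name__
    if plaintext != pan:
        # Never log the returned value: an unexpected plaintext may be real data.
        return "MISMATCH"
    return "OK"


def fake_decrypt(username: str, token: str) -> str:
    """Constructed stand-in for a healthy node with server ID #2."""
    return {"2000000000000001": "2222000000002222"}[token]


if __name__ == "__main__":
    print(ping_check(2, fake_decrypt))           # healthy node
    print(ping_check(1, fake_decrypt))           # request reached the wrong node
    print(luhn_valid(well_known(1)[1]))          # default token vs. Luhn check
```

The default tokens do not pass the Luhn check themselves, so this sketch applies only to the default configuration the page describes.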