Create a Tokenization Service
The tokenization service enables you to substitute a sensitive data element with a non-sensitive equivalent.
To configure and use the tokenization service, you must:
Have the Anypoint Security - Edge entitlement for your Anypoint Platform account. If you don’t see Security in Management Center or the Tokenization Service tab in Runtime Manager, contact your customer success manager to enable the tokenization service for your account.
Have the correct permissions to manage tokenization.
See Granting Tokenization Permissions.
Have Runtime Fabric 1.1.153 or later with inbound traffic configured.
See the Runtime Fabric documentation.
Runtime Fabric requires an Anypoint Platform Platinum or higher-level subscription.
Have a secrets group to store the tokenization table encryption keys that are created by the tokenization service.
See Secrets Manager documentation.
Have a tokenization format, which describes the format and how data is tokenized.
See Tokenization Formats.
Each tokenization service you create must have a corresponding, dedicated secrets group in Secrets Manager. Do not use this secrets group with any other tokenization service, and do not store secrets belonging to anything other than this tokenization service in it.
This is the recommended approach for several reasons:
Using a dedicated secrets group for the tokenization service helps prevent accidentally deleting unrelated secrets when you delete the secrets group.
You can create and change as many formats as you need for the tokenization service, and the secrets group will not be exhausted.
The unique association between the tokenization service and its dedicated secrets group prevents exceeding the allowed number of vaultless data protection (VDP) secrets in a secrets group.
In the worst case, 10 secrets of the VDP Context type are created, one for each VDP domain.
Use Secrets Manager to create and manage secrets groups.
Tokenization table keys appear in the Shared Secret tab in the secrets group that is associated with the tokenization service. Normally, you can view and edit shared secrets in Secrets Manager; however, the tokenization table keys are a view-only, noneditable part of the secrets group.
Click View to see the name, type, and expiration of the shared secret.
Go to the Runtime Manager > Tokenization Service page.
Click Create Tokenization Service.
The prerequisites you completed provide the information you need to make the following selections:
Select the Runtime Fabric to which to deploy the tokenization service.
Select the tokenization format.
You can assign one or more formats or all formats to one tokenization service.
Select the secrets group that corresponds with this tokenization service.
Select the number of tokenization service replicas to run.
The tokenization service runs on worker nodes in Runtime Fabric.
Select the log level for the tokenization service or keep the default (ERROR).
Click Build and Deploy to create the tokenization table.
A mapping table is prebuilt, containing a large number of randomizations that are used at the core of tokenizing and detokenizing. This prebuilt table is not a table of one-to-one mappings; it is used during internal steps to swap randomizations in and out in place of the actual data.
The tokenization mapping table build is a one-time action and takes some time to complete, depending on the size of the tokenization format. For example, a table that contains only an SSN format with a size that is less than 200 MB might build in 2 minutes, but a table that uses a larger format, such as lax alphanumeric, might take up to 20 minutes to build.
If many or all of the formats are selected, it takes much longer to build the table, because a table with all formats is approximately 2 GB in size.
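The following is an added illustration of the idea described above: a table of randomizations is built once per format (the slow step), and tokenizing and detokenizing are then lookups that swap characters in and out, so the token keeps the format of the original value and no per-value mapping is stored. It is example code written for this page, not MuleSoft's tokenization service or its algorithm; the placeholder letters D/A/X, the two-round chaining scheme, and the sample SSN-shaped value are all assumptions made for the demonstration.

```python
"""Illustrative vaultless, format-preserving tokenizer (added example, not MuleSoft's code)."""
import secrets
import string
from dataclasses import dataclass

# Placeholder letters used in a format string and the character domain each one
# stands for. Any other character in the format (for example '-') is a literal
# separator that passes through unchanged. These placeholder names are assumed.
DOMAINS = {
    "D": string.digits,                           # one decimal digit
    "A": string.ascii_uppercase,                  # one uppercase letter
    "X": string.ascii_uppercase + string.digits,  # alphanumeric
}


@dataclass
class TokenTable:
    """Prebuilt table for one format: perms[round][pos] is a random permutation of
    that position's domain; inverse[round][pos] maps a character back to its index."""
    fmt: str
    rounds: int
    perms: list
    inverse: list


def build_table(fmt: str, rounds: int = 2) -> TokenTable:
    """One-time build. Cost grows with the number of positions, the domain size and
    the round count, which is why larger formats take longer to prebuild."""
    rng = secrets.SystemRandom()  # CSPRNG-backed shuffles
    perms, inverse = [], []
    for _ in range(rounds):
        row, inv_row = [], []
        for ph in fmt:
            if ph in DOMAINS:
                alphabet = list(DOMAINS[ph])
                rng.shuffle(alphabet)
                row.append(alphabet)
                inv_row.append({c: i for i, c in enumerate(alphabet)})
            else:
                row.append(None)
                inv_row.append(None)
        perms.append(row)
        inverse.append(inv_row)
    return TokenTable(fmt, rounds, perms, inverse)


def conforms(fmt: str, value: str) -> bool:
    """True if value matches the format: same length, every placeholder position
    holds a character from its domain, every separator matches literally."""
    if len(value) != len(fmt):
        return False
    return all((c in DOMAINS[ph]) if ph in DOMAINS else (c == ph)
               for ph, c in zip(fmt, value))


def _positions(length: int, rnd: int):
    # Alternate the sweep direction each round so that, after two rounds,
    # every output character depends on every input character.
    return range(length) if rnd % 2 == 0 else range(length - 1, -1, -1)


def tokenize(tbl: TokenTable, value: str) -> str:
    if not conforms(tbl.fmt, value):
        raise ValueError(f"value does not match format {tbl.fmt!r}")
    chars = list(value)
    for rnd in range(tbl.rounds):
        carry = 0  # chains the previous position's output into this one
        for i in _positions(len(chars), rnd):
            ph = tbl.fmt[i]
            if ph not in DOMAINS:
                continue  # separators pass through untouched
            alphabet = DOMAINS[ph]
            idx = (alphabet.index(chars[i]) + carry) % len(alphabet)
            chars[i] = tbl.perms[rnd][i][idx]  # swap in the randomized character
            carry = idx
    return "".join(chars)


def detokenize(tbl: TokenTable, token: str) -> str:
    if not conforms(tbl.fmt, token):
        raise ValueError(f"token does not match format {tbl.fmt!r}")
    chars = list(token)
    for rnd in reversed(range(tbl.rounds)):    # undo the rounds in reverse order
        carry = 0
        for i in _positions(len(chars), rnd):  # same sweep direction as when tokenizing
            ph = tbl.fmt[i]
            if ph not in DOMAINS:
                continue
            alphabet = DOMAINS[ph]
            idx = tbl.inverse[rnd][i][chars[i]]  # index that was fed into the permutation
            chars[i] = alphabet[(idx - carry) % len(alphabet)]  # swap the real character back
            carry = idx
    return "".join(chars)


if __name__ == "__main__":
    table = build_table("DDD-DD-DDDD")  # SSN-shaped format
    ssn = "123-45-6789"                 # constructed sample value
    tok = tokenize(table, ssn)
    print(ssn, "->", tok, "->", detokenize(table, tok))
```

Two properties worth noticing when you run it: the same table always produces the same token for the same value, so a tokenized field stays joinable across records, and anyone who obtains the tokens but not the table (which, in the product, is why the table encryption keys live in a dedicated secrets group) learns only the format of the data.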