
Two-way SSL database configurations with IBM® Security Identity Governance and Intelligence Virtual Appliance (IGI-VA)

About one-way SSL and two-way SSL authentication

Communication between an SSL server and an SSL client can be configured with either one-way or two-way SSL authentication. In this context, the SSL client is the machine where the IBM Security Identity Governance and Intelligence (IGI) server is installed, and the SSL server is the external database server.

One-way SSL authentication

One-way SSL authentication (also simply called SSL authentication) uses a truststore on the client and a keystore on the server. In this example, CA certificate "A" is present in the truststore on the SSL client and in the keystore on the SSL server.

Two-way SSL authentication

Two-way SSL authentication uses both a truststore and a keystore on the client and on the server. In this example, CA certificate "A" is in the truststore and CA certificate "B" is in the keystore, on both the client and the server.

Two-way SSL authentication and SSL client authentication are the same thing. It works like one-way SSL (Secure Socket Layer) authentication, with the addition that the client also authenticates itself with a digital signature. The client and the server each validate the other's digital certificate, so both parties are assured of the identity of their peer.

SSL support in IBM Security Identity Governance and Intelligence

From IGI V5.2.3, external database configurations are supported using one-way SSL authentication (SSL authentication).

From IGI V5.2.4, external database configurations are supported using either one-way or two-way SSL authentication.

Exporting the certificate for two-way SSL authentication to the database server

Follow these steps to export the SSL certificate used for two-way authentication from the virtual appliance (VA) and add it to the certificate store of the database server.

Procedure:

  1. Select Configure > Certificates in the local management interface dashboard.
  2. In the Certificate Stores pane, select the Identity Governance and Intelligence key store certificate database and click Edit.
  3. In the Certificate Stores > Identity Governance and Intelligence key store > Certificates pane, select Personal and select the personal certificate.
  4. Select Export to download the certificate file to your computer.
  5. Add the certificate to the certificate store of the database server.
  6. Optional: If the OpenID Connect Provider configuration is enabled in the virtual appliance (VA), repeat steps 4 and 5 for the OpenID Connect Provider key store.

Adding the VA certificate to the Oracle database

Prerequisites and assumptions:

  1. A functioning database server configured for SSL
  2. A certificate wallet has been created
  3. The required VA certificates have been exported and saved on the database server

Commands:

Use the following command to add the VA certificate to the wallet as a trusted certificate:

orapki wallet add -wallet "wallet_location" -pwd "wallet_password" -trusted_cert -cert "certificate_path"

Where:

wallet_location is the directory of the Oracle certificate wallet.

wallet_password is the password of the Oracle database certificate wallet.

certificate_path is the path to the exported IGI VA certificate.

Adding the VA certificate to the IBM DB2 database

Prerequisites and assumptions:

  1. A functioning database server configured for SSL
  2. The GSKit gsk8capicmd_64 command installed on the database server
  3. The required VA certificates have been exported and saved on the database server

Commands:

Use the following command to add the VA certificate to the keystore as a trusted signer certificate:

gsk8capicmd_64 -cert -add -db "db_certstore" -type "kdb" -pw "certstore_password" -label "cert_label" -file "certificate_path" -format ascii -trust enable

Where:

db_certstore is the database certificate store, for example key.kdb.

certstore_password is the password of the database certificate store.

cert_label is the label under which the VA signer certificate is stored.

certificate_path is the path to the exported IGI VA certificate.
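The DB2 import above, wrapped as a script that refuses files that do not hold exactly one PEM certificate, derives the label from the file name, and reads the keystore back to confirm the import. This is an added example, not code from the IBM article; it assumes gsk8capicmd_64 is on PATH, the certificates were exported from the VA in PEM ("ascii") form, and the keystore has a stash file so -stashed can replace -pw on the command line.

```shell
#!/bin/sh
# Added example (not from the IBM article). Imports exported IGI VA
# certificates (the IGI key store certificate and, optionally, the OpenID
# Connect Provider key store certificate) into a DB2 keystore as trusted
# signer certificates and verifies each import by listing the store.
# Assumption: the keystore has a .sth stash file, so the password is never
# passed on the command line (where it would be visible in ps and history).

# pem_cert_count FILE: number of PEM certificate blocks in FILE (0 if unreadable).
pem_cert_count() {
    [ -r "$1" ] || { echo 0; return; }
    grep -c -- '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# label_for FILE: keystore label derived from the file name,
# e.g. /tmp/igi_va_cert.pem -> igi_va_cert
label_for() {
    base=${1##*/}
    printf '%s\n' "${base%.*}"
}

# import_trusted_cert STORE FILE: add FILE to STORE (e.g. key.kdb) as a
# trusted certificate, then confirm its label is listed. Non-zero on failure.
import_trusted_cert() {
    store="$1"; cert="$2"; label=$(label_for "$cert")
    if [ "$(pem_cert_count "$cert")" -ne 1 ]; then
        echo "refusing $cert: expected exactly one PEM certificate" >&2
        return 1
    fi
    gsk8capicmd_64 -cert -add -db "$store" -stashed -label "$label" \
        -file "$cert" -format ascii -trust enable || return 1
    gsk8capicmd_64 -cert -list -db "$store" -stashed | grep -q -- "$label"
}

# import_va_certs STORE FILE...: import each exported VA certificate in turn.
# Usage: import_va_certs key.kdb igi_va_cert.pem oidc_va_cert.pem
import_va_certs() {
    store="$1"; shift
    for c in "$@"; do
        import_trusted_cert "$store" "$c" || return 1
    done
}
```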
