Identity and Governance

Two-way SSL database configurations with IBM® Security Identity Governance and Intelligence Virtual Appliance (IGI-VA)

About one-way SSL and two-way SSL authentication

Communication between an SSL client and an SSL server can be configured with one-way or two-way SSL authentication. In this setup, the SSL client is the computer where the IBM Security Identity Governance and Intelligence (IGI) server is installed, and the SSL server is the external database server.

One-way SSL authentication

One-way SSL authentication (also called simply SSL authentication) creates a truststore on the client and a keystore on the server. In this example, CA certificate "A" exists in the truststore on the SSL client and in the keystore on the SSL server.

Two-way SSL authentication

Two-way SSL authentication creates both a truststore and a keystore on the client and on the server. In this example, CA certificate "A" is in the truststore and CA certificate "B" is in the keystore, on both the client and the server.

Two-way SSL authentication and SSL client authentication are the same thing. It works like one-way SSL (Secure Socket Layer) authentication, with the addition of client authentication using digital signatures: the client and the server each validate the other's digital certificate, so both parties are assured of each other's identity.

SSL support in IBM Security Identity Governance and Intelligence

From IGI V5.2.3, external database configurations are supported using one-way SSL authentication.

From IGI V5.2.4, external database configurations are supported using either one-way or two-way SSL authentication.

Exporting the certificate for two-way SSL authentication to the database server

Follow these steps to add the SSL certificate for two-way authentication from the virtual appliance (VA) to the certificate store of the database server.

Procedure:

  1. Select Configure > Certificates in the local management interface dashboard.
  2. In the Certificate Stores pane, select the Identity Governance and Intelligence key store certificate database and click Edit.
  3. In the Certificate Stores > Identity Governance and Intelligence key store > Certificates pane, select Personal and select the personal certificate.
  4. Select Export to download the certificate file to your computer.
  5. Add the certificate to the certificate store of the database server.
  6. Optional: If OpenID Connect Provider Configuration is enabled in the virtual appliance (VA), execute steps 4 and 5 on the OpenID Connect Provider key store.

Adding VA certificate to the Oracle database

Prerequisites and assumptions:

  1. A functioning database server configured for SSL
  2. A certificate wallet already created
  3. The required VA certificates exported and saved on the database server

Commands:

Use the following command to add the VA certificate:

orapki wallet add -wallet "wallet_location" -pwd "wallet_password" -trusted_cert -cert "certificate_path"

Where:

wallet_location is the location of the Oracle certificate wallet.

wallet_password is the password of the Oracle database certificate wallet.

certificate_path is the location of the exported IGI VA certificate.

Adding VA certificate to the IBM DB2 database

Prerequisites and assumptions:

  1. A functioning database server configured for SSL
  2. The gsk8capicmd_64 utility installed on the database server
  3. The required VA certificates exported and saved on the database server

Commands:

Use the following command to add the VA certificate:

gsk8capicmd_64 -cert -add -db "db_certstore" -type "kdb" -pw "certstore_password" -label "cert_label" -file "certificate_path" -format ascii -trust enable

Where:

db_certstore is the database certificate store, for example key.kdb.

certstore_password is the password of the database certificate store.

cert_label is the certificate label for the VA signer certificate.

certificate_path is the location of the exported IGI VA certificate.
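The following POSIX shell script is an added example, not IBM's code and not part of this post. It wraps the Oracle and DB2 commands above in a pre-flight check on the exported file (it must be a PEM certificate and must not carry a private key), runs the add, and then checks the store afterwards. The add commands and tool names are the ones given in this post; the verification commands ("orapki wallet display" and "gsk8capicmd_64 -cert -list"), the ORAPKI_CMD and GSK_CMD override variables, and the placeholder paths in the usage comment are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not IBM's code: wrap the orapki and gsk8capicmd_64 steps from
# the post in a pre-flight check, the add, and a post-check. The add commands
# come from the post; the verification commands ("orapki wallet display",
# "gsk8capicmd_64 -cert -list") and the ORAPKI_CMD / GSK_CMD override
# variables are assumptions made for this example.

ORAPKI_CMD="${ORAPKI_CMD:-orapki}"
GSK_CMD="${GSK_CMD:-gsk8capicmd_64}"

# The VA export is a PEM ("ascii") certificate. Refuse anything else, so a DER
# file, an empty file, or a file that carries a private key is never imported
# into the database's trust store as a trusted signer.
check_pem_cert() {
    f="$1"
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    if grep -q -- 'PRIVATE KEY' "$f"; then
        echo "$f contains a private key, refusing to import it" >&2
        return 1
    fi
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || {
        echo "$f is not a PEM certificate" >&2; return 1; }
}

# Oracle: add the VA certificate to the wallet as a trusted certificate, then
# display the wallet so the operator sees the new trusted entry.
add_va_cert_oracle() {
    wallet="$1"; wallet_pw="$2"; cert="$3"
    check_pem_cert "$cert" || return 1
    "$ORAPKI_CMD" wallet add -wallet "$wallet" -pwd "$wallet_pw" \
        -trusted_cert -cert "$cert" || return 1
    "$ORAPKI_CMD" wallet display -wallet "$wallet" -pwd "$wallet_pw"
}

# DB2: add the VA certificate under a label, then confirm the label is now
# present in the key database before reporting success.
add_va_cert_db2() {
    kdb="$1"; kdb_pw="$2"; label="$3"; cert="$4"
    check_pem_cert "$cert" || return 1
    "$GSK_CMD" -cert -add -db "$kdb" -type kdb -pw "$kdb_pw" -label "$label" \
        -file "$cert" -format ascii -trust enable || return 1
    "$GSK_CMD" -cert -list -db "$kdb" -type kdb -pw "$kdb_pw" \
        | grep -q -F -- "$label" || {
        echo "label $label not found in $kdb after import" >&2; return 1; }
}

# Usage on the database server, with placeholder paths and passwords:
#   add_va_cert_oracle /path/to/wallet 'wallet_password' /path/to/igi_va.pem
#   add_va_cert_db2 /path/to/key.kdb 'certstore_password' igi_va_signer /path/to/igi_va.pem
```

Quoting the arguments with double quotes (rather than the typographic quotes that often survive copy-and-paste from a web page) matters: a curly quote is passed to the tool as part of the path or password and the command fails or, worse, creates a store with the wrong password.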
