Configure Guardium® External S-TAPs to automatically generate certificate signing requests (CSRs) that are signed by an intermediate certificate.
About this task
Store an intermediate certificate on a Guardium collector so that the collector can sign the certificate request that an External S-TAP instance generates with your common name (CN), producing an on-demand certificate for encrypted traffic. In this case, the CSR and the signed certificate carry the public key.
Note: If your database configuration requires a CN match, specify the name of either the server or the load balancer as the CN.
Procedure
- Obtain an intermediate signing key and certificate pair from your certificate authority.
Note that Guardium does not provide a certificate authority.
- Use the following CLI command to store the signing key and signing certificate on the Guardium system as an intermediate certificate:
store certificate_external_stap_signing
At the prompts, enter the requested information exactly as it appears in your certificate. Only the common name (CN=) is required.
- The command generates a token that is required to deploy the External S-TAP. The token is the certificate secret, which you provide in either the Guardium GUI or the deployment script. Record the token, because you will need it to deploy External S-TAPs in the future.
Note: You can view the token by calling show certificate external_stap_signing. To create a new token, delete the certificate by using delete certificate external_stap_signing and then store it again.
- In the GUI, enter the details in the Container tab of the Deploy External S-TAP window.
- In the deployment script, enter the details in the --proxy-secret and --proxy-csr-name parameters (along with any other parameters that you include).
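As an added example (not from the Guardium documentation), a POSIX shell pre-check for the key and certificate pair obtained in the first step: it confirms that the private key matches the certificate, that the certificate is marked CA:TRUE so it is able to sign the External S-TAP CSRs, and that it is not about to expire, then prints the subject whose CN= value you enter at the store prompts. It assumes PEM files and the openssl CLI; the make_demo_pair helper builds a constructed, self-signed sample only for trying the check out.

```shell
#!/bin/sh
# Pre-flight check for an intermediate signing key/certificate pair before it is
# stored on the collector with "store certificate_external_stap_signing".
# Assumes the pair is in PEM format and that the openssl CLI is installed.

# Return 0 if KEY and CERT form a usable signing pair, 1 otherwise.
check_signing_pair() {
    key="$1"; cert="$2"
    # 1. The private key must belong to the certificate: both must yield the
    #    same SubjectPublicKeyInfo.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$key_pub" != "$cert_pub" ]; then
        echo "FAIL: private key does not match certificate" >&2; return 1
    fi
    # 2. Only a CA certificate (basicConstraints CA:TRUE) may sign the
    #    External S-TAP CSRs; clients reject chains built on a leaf certificate.
    if ! openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE'; then
        echo "FAIL: certificate is not CA:TRUE, so it cannot sign CSRs" >&2; return 1
    fi
    # 3. Refuse a certificate that expires within 30 days (2592000 s): every
    #    on-demand certificate it signs would become untrusted at the same time.
    if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null; then
        echo "FAIL: certificate expires within 30 days" >&2; return 1
    fi
    # Print the subject so the operator can copy the CN= value at the prompts.
    openssl x509 -in "$cert" -noout -subject
}

# Generate a constructed, self-signed demo pair (not a real intermediate) in
# DIR; CA_FLAG is TRUE or FALSE and sets the basicConstraints CA bit.
make_demo_pair() {
    dir="$1"; ca_flag="$2"
    mkdir -p "$dir"
    printf '[req]\ndistinguished_name = dn\n[dn]\n[v3_demo]\nbasicConstraints = critical, CA:%s\n' \
        "$ca_flag" > "$dir/ext.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=demo-intermediate.example" \
        -config "$dir/ext.cnf" -extensions v3_demo \
        -keyout "$dir/signing.key" -out "$dir/signing.crt" >/dev/null 2>&1
}
```

Run `check_signing_pair signing.key signing.crt` against the pair from your certificate authority; a non-zero exit and a FAIL line mean the pair should not be stored on the collector.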
What to do next
After the intermediate certificate is stored on the collector, the collector can automatically create a certificate for each new External S-TAP container.