You can help ensure that your External S-TAP connects only to an authorized collector by having the External S-TAP verify the collector's certificate before the connection is established.
About this task
To verify the collector's certificate, provide the External S-TAP CA certificate and the CN for the collector's certificate. If your site uses Kubernetes, specify your private repository along with the derived Docker image name and tag as the image to use for the pods in the deployment configuration.
Procedure
- Create and store a certificate signing request (CSR) on the collector with the create csr sniffer CLI command, as described in Configuring Guardium-S-TAP communication using an SSL certificate.
- Instead of using the Docker image from the Docker store directly, derive your own container image from it that adds the CA certificate as the file /etc/guardium/guardium_ca.crt. For example, to derive the latest version of the External S-TAP Docker container, add the following commands to your Dockerfile:
    FROM store/ibmcorp/guardium_external_s-tap:latest
    COPY ./guardium_ca.crt /etc/guardium/guardium_ca.crt
  Note: The entire COPY destination path is required: /etc/guardium/guardium_ca.crt
- From the derived container, run the docker build command to create a new Docker image. For example:
    docker build -t localhost/<my_image_name>:latest .
- When you deploy a new External S-TAP, provide the derived image and configure the External S-TAP to expect the CN of the collector's certificate. You can deploy the External S-TAP in multiple ways:
  - From the user interface, in the Advanced tab under the Deploy External S-TAP tab:
    - Select Verify certificate.
    - In Collector CN, provide the collector's certificate CN. You can use a regular expression to verify multiple certificates.
    For more information, see Deploy External S-TAP window.
  - From the container_mgmt.sh script in non-interactive mode, provide the collector's certificate CN in the --sqlguard-cert-cn parameter. For more information, see External S-TAP deployment scripts.
  - From the container_mgmt.sh script in interactive mode, enter the collector's certificate CN in response to the following question: Enter the CN to match when verifying the Guardium Collector's Certificate
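As an added example (not IBM's code or part of this documentation), the following shell script builds the derived image from the Dockerfile lines above and, before deployment, checks the collector's certificate the same way the External S-TAP will: that it chains to the CA file baked into the image and that its CN matches the pattern you intend to enter as Collector CN or --sqlguard-cert-cn. The collector host and port, image name, file names and CN pattern are constructed placeholders; replace them for your site.

```shell
#!/bin/sh
# Added example, not IBM's code. Builds the derived External S-TAP image and
# pre-checks the collector certificate against the CA and CN pattern that the
# deployment will enforce. Host, port, image, paths and pattern are placeholders.
set -eu

CA_CERT=${CA_CERT:-./guardium_ca.crt}                  # same file the Dockerfile COPYs
IMAGE=${IMAGE:-localhost/my_external_stap:latest}      # placeholder image name
COLLECTOR=${COLLECTOR:-collector.example.com:8443}     # placeholder host:port
CN_PATTERN=${CN_PATTERN:-'^collector[0-9]+\.example\.com$'}  # anchored regex

# Write the two Dockerfile lines from the procedure and build the derived image.
build_derived_image() {
    printf 'FROM store/ibmcorp/guardium_external_s-tap:latest\nCOPY ./guardium_ca.crt /etc/guardium/guardium_ca.crt\n' > Dockerfile
    docker build -t "$1" .
}

# Fetch the collector's leaf certificate over TLS into the given PEM file.
fetch_collector_cert() {
    openssl s_client -connect "$1" -showcerts </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$2"
}

# Print the CN of a PEM certificate (RFC 2253 subject, CN component).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Exit 0 when the CN matches the extended regex. This mirrors the Collector CN
# check; keep the pattern anchored with ^ and $ so a longer look-alike name
# cannot match on a substring.
cn_matches() {
    printf '%s\n' "$1" | grep -Eq -- "$2"
}

# Exit 0 when the certificate chains to CA_CERT.
verify_chain() {
    openssl verify -CAfile "$CA_CERT" "$1" >/dev/null 2>&1
}

main() {
    tmp=$(mktemp)
    fetch_collector_cert "$COLLECTOR" "$tmp"
    verify_chain "$tmp" || { echo "collector cert does not chain to $CA_CERT" >&2; exit 1; }
    cn=$(cert_cn "$tmp")
    cn_matches "$cn" "$CN_PATTERN" || { echo "CN '$cn' does not match $CN_PATTERN" >&2; exit 1; }
    echo "collector $COLLECTOR verified (CN=$cn); building $IMAGE"
    build_derived_image "$IMAGE"
    rm -f "$tmp"
}

# Run the full check and build only when invoked as: ./check_collector.sh run
if [ "${1:-}" = run ]; then main; fi
```

Running the script with a CN pattern that is not anchored lets any certificate whose CN merely contains the expected name pass, which is why the default pattern uses ^ and $.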
What to do next
After you deploy the External S-TAP, it starts automatically. You can confirm that it is running from the External S-TAP instances pane.