Verify collector certificates (optional)

You can help ensure that your External S-TAP connects only to an authorized collector by having the External S-TAP verify the collector's certificate before the connection is established.

About this task

To verify the collector’s certificate, provide the External S-TAP CA certificate and the CN for the collector's certificate. If your site uses Kubernetes, specify your private repository along with the derived Docker image name and tag as the image to use for the pods in the deployment configuration.

Procedure

  1. Create and store a certificate signing request (CSR) on the collector with the create csr sniffer CLI command, as described in Configuring Guardium-S-TAP communication using an SSL certificate.
  2. Instead of using the Docker image from the Docker store directly, derive a new container image from it that adds the CA certificate as the file /etc/guardium/guardium_ca.crt. For example, to derive an image from the latest version of the External S-TAP Docker container, put the following in your Dockerfile:
    FROM store/ibmcorp/guardium_external_s-tap:latest
    COPY ./guardium_ca.crt /etc/guardium/guardium_ca.crt

    Note: The entire COPY destination path is required: /etc/guardium/guardium_ca.crt.
  3. Run the docker build command on the derived Dockerfile to create a new Docker image. For example:
    docker build -t localhost/<my_image_name>:latest .
  4. When you deploy a new External S-TAP, provide the derived image and configure the External S-TAP to expect the CN of the collector's certificate. You can deploy the External S-TAP in multiple ways:
    • From the user interface, in the Advanced tab of the Deploy External S-TAP window:
      • Select Verify certificate.
      • In Collector CN, provide the collector’s certificate CN. You can use a regular expression to verify multiple certificates.

      For more information, see Deploy External S-TAP window.

    • From the container_mgmt.sh script in non-interactive mode, provide the collector’s certificate CN in the --sqlguard-cert-cn parameter. For more information, see External S-TAP deployment scripts.
    • From the container_mgmt.sh script in interactive mode, enter the collector’s certificate CN in response to the following question:
      Enter the CN to match when verifying the Guardium Collector's Certificate
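
The following pre-flight script is an added example, not part of IBM's documentation or deployment scripts. It assumes openssl is installed, that guardium_ca.crt (the CA that signed the collector's certificate) and collector.crt (the collector's certificate, exported in PEM form) are in the current directory, and that you pass the same CN regex you will later give to --sqlguard-cert-cn or the Collector CN field. Its CN check is anchored (full match) so an over-broad pattern is caught before deployment; confirm the product's own matching rules against your deployment.

```sh
#!/bin/sh
# Pre-flight checks before building the derived External S-TAP image (added example).
# Assumptions: openssl on PATH; guardium_ca.crt and collector.crt in the working
# directory; the third argument is the CN regex you will configure on deployment.
set -eu

# Does the CN match the configured regex? Anchored full match so that, for example,
# the pattern "coll1" does not silently accept "coll10.example.com".
cn_matches() {
  cn=$1; pattern=$2
  printf '%s\n' "$cn" | grep -Eq "^(${pattern})$"
}

# Extract the CN from the subject of a PEM certificate (requires openssl).
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Write the Dockerfile from the procedure; the full COPY destination path is required.
write_dockerfile() {
  cat > "$1" <<'EOF'
FROM store/ibmcorp/guardium_external_s-tap:latest
COPY ./guardium_ca.crt /etc/guardium/guardium_ca.crt
EOF
}

# Full pre-flight: the collector certificate must chain to the CA you are baking into
# the image, and its CN must match the regex you are about to configure.
preflight() {
  ca=$1; collector=$2; pattern=$3
  openssl verify -CAfile "$ca" "$collector" >/dev/null ||
    { echo "$collector does not chain to $ca" >&2; return 1; }
  cn=$(cert_cn "$collector")
  cn_matches "$cn" "$pattern" ||
    { echo "CN '$cn' does not match regex '$pattern'" >&2; return 1; }
  write_dockerfile Dockerfile
  echo "OK: CN=$cn; now run: docker build -t localhost/<my_image_name>:latest ."
}

# Usage: sh preflight.sh guardium_ca.crt collector.crt 'collector[0-9]+\.example\.com'
if [ $# -eq 3 ]; then
  preflight "$@"
fi
```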

What to do next

After you deploy the External S-TAP, the External S-TAP starts. You can make sure that it is running from the External S-TAP instances pane.