To integrate External S-TAP for a server with server verification or mutual authentication when your database uses a custom certificate (that is, a trusted root certificate signed by a certificate authority [CA]), External S-TAP must import the custom certificate. To do so, you build a derived container image and then manually import the custom certificate into it.
Procedure
- Download the External S-TAP image from the IBM Cloud Container Registry (icr.io). Derive a docker container image from the icr.io image that adds the ca.crt custom CA certificate as the /etc/ssl/certs/ca-bundle.trust.crt file. Because COPY replaces the whole bundle file inside the image, ca.crt must contain every CA certificate that External S-TAP needs to trust.
  For example, to derive the latest version of the External S-TAP docker container, add the following commands to your Dockerfile:
    FROM icr.io/guardium-insights/guardium_external_s-tap:latest
    COPY ./ca.crt /etc/ssl/certs/ca-bundle.trust.crt
- From the derived container directory, run the docker build command to create a new docker image, for example:
    docker build -t localhost/guardium_external_s-tap:v12.0 . -f Dockerfile
- When you deploy a new External S-TAP, provide the derived image and configure the External S-TAP to verify the database server certificate. You can use one of the following methods:
  - From the container_mgmt.sh script, edit the following parameters:
      --invalid-cert-disconnect
      --invalid-cert-notify
  - With a helm chart, edit the following information:
      # Verify certificates and disconnect if they are invalid
      # Optional, default is 0 (no)
      disconnect_on_invalid_certificate: true
      # Verify certificates and send a message to the STAP event log
      # if they are invalid
      # Optional, default is 0 (no)
      notify_on_invalid_certificate: true
  - Configure the On invalid certificate parameter in the Guardium UI (from the External S-TAP tab in the Edit External S-TAP group page).
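The following shell script is an added example, not IBM's code, that prepares the build context for the derived image described in the procedure above. It sanity-checks the custom CA file before it is baked into the image (a truncated or DER-encoded file silently produces an image that cannot validate the database certificate), writes the Dockerfile with the page's base image and bundle path, and prints the build command. It goes slightly beyond the page in accepting several CA files and concatenating them into ca.crt, since the COPY replaces the whole trust bundle. The base image, bundle path and image tag come from the page; the function names and the test certificate are assumptions of this example.

```shell
#!/bin/sh
# Added example (not IBM's code): build context for a derived External S-TAP image
# carrying a custom CA bundle. BASE_IMAGE and BUNDLE_PATH are the page's values;
# the function names are this example's own.

BASE_IMAGE="icr.io/guardium-insights/guardium_external_s-tap:latest"
BUNDLE_PATH="/etc/ssl/certs/ca-bundle.trust.crt"

# Succeed only if the file looks like a PEM certificate bundle: at least one
# BEGIN/END CERTIFICATE pair and matching marker counts. A truncated or DER-encoded
# file copied into the bundle is a common reason the later TLS handshake to the
# database fails with an unknown-CA error.
check_ca_pem() {
  ca_file="$1"
  [ -s "$ca_file" ] || { echo "CA file missing or empty: $ca_file" >&2; return 1; }
  begins=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$ca_file" || true)
  ends=$(grep -c -e '-----END CERTIFICATE-----' "$ca_file" || true)
  [ "$begins" -ge 1 ] || { echo "no PEM certificate found in $ca_file" >&2; return 1; }
  [ "$begins" -eq "$ends" ] || { echo "unbalanced PEM markers in $ca_file" >&2; return 1; }
  return 0
}

# Optional deeper check when openssl is installed: the first certificate must parse
# and carry the CA basic constraint, otherwise it cannot anchor a trust chain.
check_ca_is_ca() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Create <out_dir> with ca.crt and a Dockerfile. Every CA file given after
# <out_dir> is validated and appended: COPY replaces the whole bundle inside
# the image, so ca.crt must hold every CA External S-TAP needs to trust.
prepare_build_context() {
  out_dir="$1"; shift
  mkdir -p "$out_dir"
  : > "$out_dir/ca.crt"
  for f in "$@"; do
    check_ca_pem "$f" || return 1
    cat "$f" >> "$out_dir/ca.crt"
    # Guarantee a newline between concatenated certificates.
    [ -z "$(tail -c 1 "$out_dir/ca.crt")" ] || echo >> "$out_dir/ca.crt"
  done
  printf 'FROM %s\nCOPY ./ca.crt %s\n' "$BASE_IMAGE" "$BUNDLE_PATH" > "$out_dir/Dockerfile"
}

# Print the docker build command for the derived image (tag as in the page's example).
external_stap_build_cmd() {
  printf 'docker build -t %s -f %s/Dockerfile %s\n' "$1" "$2" "$2"
}

# Typical run (requires docker on the build host):
#   prepare_build_context ./stap-ctx ./ca.crt && \
#     sh -c "$(external_stap_build_cmd localhost/guardium_external_s-tap:v12.0 ./stap-ctx)"
```

After the build, a quick confirmation that the CA landed in the image is to start a throwaway container from the new tag and count the certificates in /etc/ssl/certs/ca-bundle.trust.crt (for example with docker run --rm --entrypoint sh and a grep -c of BEGIN CERTIFICATE); this assumes the image ships a shell, which the page does not state.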