Configuring Guardium-S-TAP communication using an SSL certificate

Create and store an SSL certificate for Guardium-S-TAP communication.

About this task

For Windows systems, if you choose not to use a parameter, do not include it in guard_tap.ini at all. This applies to the CRL path in particular, and to the case where you want to shut off certificate authentication and go back to TLS.

For UNIX or Linux systems, if you choose not to use a parameter, set its value equal to NULL. This applies to the CRL path in particular, and to the case where you want to shut off certificate authentication and go back to TLS.

Attention: For z/OS, steps 7 and 8 are not required, but an AT-TLS policy must be configured. Work with your system administrators to configure AT-TLS. For more information, see AT-TLS policy example.

Procedure

  1. Log in to the CLI of your Guardium.
  2. Enter: create csr sniffer
  3. Enter the common name (CN) of the requested system to create the CSR request.
  4. Have the CSR signed by a certificate authority (CA) service to obtain the certificate, and also obtain the root certificate used by that CA service.
    If the certificate is not already in PEM format, use OpenSSL or another third-party tool to convert it. For example, to convert from PKCS7 format to PEM, use the following OpenSSL command: openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem
  5. Store the certificate on your system by entering the CLI command: store certificate sniffer
  6. If you don't know the CA and the CN of the certificate, enter: show certificate sniffer. The output is similar to the following, though the signature algorithm may be a more recent one:
    Certificate File system.cert.pem
    Certificate:
    Data:
    Version: 1 (0x0)
    Serial Number: 12345678912345678999 (0x8ba99886be3317ab)
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: C=aa, ST=aa, L=aa, O=aa, OU=aa, CN=CYCLOPS
  7. On the DB server, store the root certificate from the certificate authority (CA) service in a file.
  8. In the guard_tap.ini file, update the following parameters:
    • guardium_ca_path=[Location of the Certificate Authority certificate]
    • sqlguard_cert_cn=<CN from step 3>
    • guardium_crl_path=<the path to the certificate revocation list file or directory (the blocklist)>
  9. Restart the S-TAP, and restart the sniffer with the CLI command: restart inspection-engines.
  10. Verify that the installed certificate is being used by connecting with OpenSSL, for example: openssl s_client -connect 9.70.157.113:16018. The certificate that the output shows should be the one you stored in step 5.
    You are now connected using OpenSSL.
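The step 8 parameters follow the platform rule given under "About this task" (Windows omits an unused parameter, UNIX or Linux sets it to NULL). The following Python helper is an added example, not IBM's code: it parses the show certificate sniffer output from step 6 and renders the guard_tap.ini lines for each platform. The Subject line in the sample, the hostname guardium01.example.com and the CA path are constructed assumptions.

```python
"""Constructed helpers, not IBM code: parse the `show certificate sniffer`
output (step 6) and render the guard_tap.ini lines from step 8 using the
platform rule for unused parameters (Windows: omit, UNIX/Linux: NULL)."""

# Constructed sample modelled on step 6; the Subject line is assumed.
SAMPLE_SHOW_CERT = """\
Certificate File system.cert.pem
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 12345678912345678999 (0x8ba99886be3317ab)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=aa, ST=aa, L=aa, O=aa, OU=aa, CN=CYCLOPS
Subject: C=aa, ST=aa, L=aa, O=aa, OU=aa, CN=guardium01.example.com
"""

def parse_dn(dn):
    """Split 'C=aa, ST=aa, CN=x' into a dict (no escaped-comma support)."""
    return dict(part.strip().split("=", 1) for part in dn.split(","))

def parse_show_certificate(text):
    """Extract issuer, subject, version, serial and signature algorithm."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if sep and key in ("Issuer", "Subject"):
            fields[key.lower()] = parse_dn(value)
        elif sep and key in ("Version", "Serial Number", "Signature Algorithm"):
            fields[key.lower().replace(" ", "_")] = value
    return fields

def render_guard_tap_params(platform, ca_path, cert_cn, crl_path=None):
    """Return the step 8 lines; None means 'parameter not used'."""
    params = [("guardium_ca_path", ca_path), ("sqlguard_cert_cn", cert_cn),
              ("guardium_crl_path", crl_path)]
    lines = []
    for name, value in params:
        if value is None:
            if platform == "windows":
                continue          # Windows: leave it out of guard_tap.ini
            value = "NULL"        # UNIX/Linux: set it explicitly to NULL
        lines.append(f"{name}={value}")
    return lines

if __name__ == "__main__":
    cert = parse_show_certificate(SAMPLE_SHOW_CERT)
    cn = cert["subject"]["CN"]   # value for sqlguard_cert_cn
    for plat in ("windows", "linux"):
        print(plat, render_guard_tap_params(plat, "/etc/guardium/ca.pem", cn))
```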