A datasource is a database connection that is created and configured for use with Guardium®
applications such as Vulnerability Assessment and classifier. A datasource can be created by using
the Datasource Definitions tool or by creating and uploading a CSV file by using the Customer
Uploads tool in the Guardium user interface. You can also create a datasource by using Guardium APIs.
Before you begin
Ensure that the Guardium user
has the privileges that are necessary to access the database. To assign database access privileges
to a user, the database administrator must download and run a set of scripts on the database server.
For more information, see Database privileges for vulnerability assessments and classification.
You can also create a datasource group for any applications that use
datasources. A datasource group can be static (based on available datasources), or dynamic (based on
criteria).
About this task
Use the following procedure to define a datasource by using the Datasource
Definitions tool.
Procedure
- Open the Datasource Definitions tool by clicking .
- Click the Datasources tab.
- Click to open the Create datasource window. The inputs vary
depending on your choice of application, database type, and datasource.
- Select an Application type.
- Enter a unique name for the datasource.
- From the Database type menu, select the database or type of file.
- Select Share datasource to share the datasource definition across all Guardium
applications. If the datasource is not shared, you can use the definition only with the selected
application type.
- The authentication protocol depends on your choice of Database type.
  - Select Use SSL and Import server SSL certificate.
    The Add certificate option is available to datasources that support mutual
    SSL authentication. The certificate for mutual SSL authentication is added after the datasource
    configuration is saved.
  - To use LDAP authentication, select LDAP and proceed with assigning
    datasource credentials.
  - For Kerberos, pick a predefined Kerberos configuration from the
    Kerberos config menu and enter the Realm and KDC server.
    Tip: To check whether a Kerberos configuration exists on the Guardium GUI, go
    to . To create a new
    Kerberos configuration that defines your KDC and Realm, click
    .
    The login credentials must be a valid Kerberos user ID and password that
    is also used for certificate authority (CA). Test your Kerberos credentials to ensure that they
    can be used to log in to the Hive beeline command line.
- Select the appropriate Credential type.
  - Choose Assign credentials to manually enter the User name and password for the datasource.
  - Choose External password to obtain your password from an
    external credential management system. Select your credential management application from the
    External password type menu.
  - If credentials are not assigned, choose None.
- Configure the Host name/IP address, Port
number, Database, Connection property, and
Custom URL. If you use Configuration Auditing System (CAS), click
the Advanced tab and configure the CAS database
instance.
- Optional: Click the Custom tab and
select a property from a list of customized values to assign to the datasource. If the custom
properties are not configured, you can temporarily save the datasource and assign the properties
later. For more information, see Configuring custom properties for your datasources.
- Save the datasource and test the connection. If applicable, add the mutual SSL
authentication certificate by using the Add certificate button.
The certificate is a PEM file that contains both the private key and the certificate. You must
include both the BEGIN and END lines for the private key and certificate. You can also install
the certificate by using the CLI. For more information, see Installing an appliance certificate.
Note: When you test the connection to an SSL
datasource for the first time, you might encounter the following error:
Could not connect to: 'jdbc:db2://hostname:port_number/db_name' for user: 'Your_datasource_name_DB2(Security Assessment)'. DataSourceConnectException: Could not connect to: 'Your_datasource_name_ 123.123.123.123:port_number' for user: 'db2inst1'. Exception: com.ibm.db2.jcc.am.DisconnectNonTransientConnectionException: [jcc][t4][2030][11211][4.15.134] A communication error occurred during operations on the connection's underlying socket, socket input stream.
The error occurs when the GUI does not have the correct keystore file for the certificate that is
loaded into memory. To fix the error, restart the GUI and test the connection again.
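The final step requires a PEM file that holds both the private key and the certificate, each with its BEGIN and END lines. The following pre-upload check is an added example, not part of the Guardium product or its documentation. The function names, sample data, and file name are assumptions made for illustration, and the check is structural only: it does not verify that the key matches the certificate.

```python
import base64
import re
import sys

# One PEM block; the END label must equal the BEGIN label (regex backreference).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)
BOUNDARY = re.compile(r"-----(?:BEGIN|END) [A-Z0-9 ]+-----")


def check_pem_bundle(text):
    """Return a list of problems; an empty list means the bundle is complete."""
    problems = []
    blocks = PEM_BLOCK.findall(text)
    # Every BEGIN/END line must belong to a well-formed block.
    if len(BOUNDARY.findall(text)) != 2 * len(blocks):
        problems.append("unmatched BEGIN/END line")
    for label, body in blocks:
        # Skip RFC 1421 header lines (e.g. "Proc-Type:") of encrypted keys.
        payload = "".join(l.strip() for l in body.splitlines() if ":" not in l)
        try:
            if not base64.b64decode(payload, validate=True):
                raise ValueError("empty")
        except ValueError:
            problems.append(f"{label}: body is empty or not valid base64")
    labels = [label for label, _ in blocks]
    if not any(label.endswith("PRIVATE KEY") for label in labels):
        problems.append("no private key block")
    if "CERTIFICATE" not in labels:
        problems.append("no certificate block")
    return problems


def make_sample_block(label, payload=b"constructed placeholder, not key material"):
    """Build a constructed sample block so the example runs offline."""
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"


SAMPLE_OK = make_sample_block("PRIVATE KEY") + make_sample_block("CERTIFICATE")
SAMPLE_NO_KEY = make_sample_block("CERTIFICATE")
SAMPLE_TRUNCATED = SAMPLE_OK.replace("-----END PRIVATE KEY-----\n", "")

if __name__ == "__main__":
    # Usage: python check_pem.py bundle.pem  (script and file names are assumptions)
    with open(sys.argv[1], encoding="ascii", errors="replace") as fh:
        found = check_pem_bundle(fh.read())
    print("\n".join(found) or "bundle looks complete")
    sys.exit(1 if found else 0)
```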
What to do next
You can use the options in the menu to test the connection for one or more datasources, add
the datasources to a group, and update the credentials or custom
properties, if necessary.