Preparing SSL certificates for client applications

To use client applications with External S-TAP, you might need to update the database client by specifying a new database endpoint and port from External S-TAP.

About this task

To deploy an External S-TAP, you need to prepare a private key (proxy.Key) and a certificate (proxy.pem) that is signed by the trusted root certificate (rootCA.pem). You can store the certificate in a Guardium® collector, a persistent volume, or a Kubernetes secret. If the database uses TLS/SSL, you also need to distribute the root certificate (rootCA.pem) to the database client, because the certificate that External S-TAP presents to the client is signed by that root.

Procedure

  1. Set up the database client.
    You might need to update the database client by specifying a new database endpoint and port from External S-TAP. To enable TLS or SSL on the connection, add the following driver setting to the JDBC URL connection string for your database:
    • SQL Server - sqlserver (encrypt=true)
    • PostgreSQL - postgresql (ssl=on)
    • MongoDB - mongodb (tls=true)
  2. Configure certificates for Java™ applications.
    You can configure access to certificates in your application with the following mechanisms:
    • The Java virtual machine (JVM) truststore and JVM keystore.
    • A client-specific truststore and keystore.
    1. Configure the JVM truststore by adding the following parameters,
      • javax.net.ssl.trustStore - The path to a truststore that contains the certificate of the signing authority.
      • javax.net.ssl.trustStorePassword - The password to access the truststore that is defined in javax.net.ssl.trustStore.
    2. Run the following keytool commands to import the rootCA.pem certificate to the keystore,
       keytool -importcert -trustcacerts -file <path to CA file that External S-TAP uses> \
       -keystore <path to trust store> -storepass <password>
    3. Configure the JVM keystore. In the application that initiates TLS or SSL requests, set the following JVM system properties so that the client presents a TLS/SSL certificate to the database server,
      • javax.net.ssl.keyStore - The path to a keystore that contains the client's TLS/SSL certificates.
      • javax.net.ssl.keyStorePassword - The password to access the keystore that is defined in javax.net.ssl.keyStore.
  3. Create a keystore by using keytool or OpenSSL. With keytool, enter the following command,
    keytool -keystore clientkeystore -genkey -alias client
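The three steps above, assembled into one script as an added example that is not part of the IBM documentation. It assumes a rootCA.pem produced by the External S-TAP deployment, a JDK that provides keytool, and placeholder alias and distinguished names (stap-root-ca, CN=app-client) chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the Guardium documentation): prepare the TLS pieces
# a Java client needs to talk to a database through External S-TAP.
# Assumptions: rootCA.pem comes from the S-TAP deployment; keytool is on PATH.
set -eu

# Step 1: JDBC URL with the TLS flag each driver expects
# (encrypt=true, ssl=on, tls=true, as listed in the procedure).
jdbc_url() {
    db="$1"; host="$2"; port="$3"; name="$4"
    case "$db" in
        sqlserver)  printf 'jdbc:sqlserver://%s:%s;databaseName=%s;encrypt=true\n' "$host" "$port" "$name" ;;
        postgresql) printf 'jdbc:postgresql://%s:%s/%s?ssl=on\n' "$host" "$port" "$name" ;;
        mongodb)    printf 'mongodb://%s:%s/%s?tls=true\n' "$host" "$port" "$name" ;;
        *) echo "unsupported database type: $db" >&2; return 1 ;;
    esac
}

# Step 2: import rootCA.pem into a truststore so the client trusts the
# certificate External S-TAP presents (proxy.pem is signed by rootCA.pem).
build_truststore() {
    ca_file="$1"; store="$2"; storepass="$3"
    keytool -importcert -trustcacerts -noprompt -alias stap-root-ca \
        -file "$ca_file" -keystore "$store" -storepass "$storepass"
    # Check the CA entry is really in the store before the JVM relies on it.
    keytool -list -keystore "$store" -storepass "$storepass" -alias stap-root-ca >/dev/null
}

# Step 3: client keystore, needed only when the server requires a client certificate.
build_client_keystore() {
    store="$1"; storepass="$2"; dname="$3"
    keytool -genkeypair -alias client -keyalg RSA -keysize 2048 \
        -dname "$dname" -keystore "$store" -storepass "$storepass" -keypass "$storepass"
}

# The JVM system properties from the procedure, rendered as -D flags for the java command.
jvm_tls_flags() {
    truststore="$1"; trustpass="$2"; keystore="$3"; keypass="$4"
    printf -- '-Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s ' "$truststore" "$trustpass"
    printf -- '-Djavax.net.ssl.keyStore=%s -Djavax.net.ssl.keyStorePassword=%s ' "$keystore" "$keypass"
    printf -- '-Djdk.tls.client.protocols=TLSv1.2\n'
}
```

Run the script's functions in order, then start the application with the flags that jvm_tls_flags prints and the URL that jdbc_url prints for your database type.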

What to do next

Note: By default, the driver verifies that the hostname in the server's TLS/SSL certificate matches the hostname you provided. If you disable both hostname verification and server certificate verification, the client accepts any certificate the server presents and you do not need to create a client-side certificate; to disable both, set the connection URL property trustServerCertificate=true. If you need to disable only hostname verification or only server certificate verification, change the corresponding driver properties.

To restrict your application to a single TLS protocol version, set the jdk.tls.client.protocols system property to the matching value, TLSv1.x (for example, TLSv1.2 for TLS 1.2).