Preparing SSL certificates for client applications
To use client applications with External S-TAP, you might need to update the database client by specifying a new database endpoint and port from External S-TAP.
About this task
To deploy an External S-TAP, you need to prepare a private key (proxy.Key) and a certificate (proxy.pem) that is signed by the trusted root certificate (rootCA.pem). You can store the certificate in a Guardium® collector, a persistent volume, or a Kubernetes secret. If the database uses TLS/SSL, then you also need to distribute the root certificate (rootCA.pem) to the database client.
Procedure
What to do next
Note: By default, the driver ensures that the hostname included in the server's TLS/SSL certificates matches the provided hostnames. If you disable hostname and server certificate verification, you do not need to create a client-side certificate. To disable these verification methods, set the connection URL property trustServerCertificate=true.
By default, the driver ensures that the hostname included in the server's TLS/SSL certificates matches the provided hostnames. If you need to disable hostname verification or server certificate verification, change the driver properties.

To restrict your application to use the TLS 1.x protocol only, set the jdk.tls.client.protocols system property to TLSv1.x.
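One way to produce the proxy.Key, proxy.pem and rootCA.pem files described under "About this task", and to confirm that the certificate passes the chain and hostname checks the driver applies by default, so that verification can stay enabled. This is an added example, not IBM's procedure: the function names, subjects, key size, lifetimes and the host name passed in are assumptions.

```shell
#!/bin/sh
# Added example, not IBM's procedure. Assumes the openssl CLI is on PATH.
# Subjects, key size and lifetimes are constructed sample values.

# make_certs DIR HOST: write rootCA.pem and proxy.Key/proxy.pem signed by it.
make_certs() {
  cat > "$1/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # The SAN entry is the name that hostname verification compares against.
  printf 'subjectAltName = DNS:%s\n' "$2" > "$1/proxy.ext"
  # Self-signed root CA; clients receive rootCA.pem only, never rootCA.key.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$1/openssl.cnf" -extensions v3_ca -subj "/CN=Example Root CA" \
    -keyout "$1/rootCA.key" -out "$1/rootCA.pem" 2>/dev/null || return 1
  # Private key and signing request for the External S-TAP endpoint.
  openssl req -new -newkey rsa:2048 -nodes -config "$1/openssl.cnf" \
    -subj "/CN=$2" -keyout "$1/proxy.Key" -out "$1/proxy.csr" 2>/dev/null || return 1
  # Sign the request with the root CA, adding the SAN from proxy.ext.
  openssl x509 -req -in "$1/proxy.csr" -CA "$1/rootCA.pem" -CAkey "$1/rootCA.key" \
    -CAcreateserial -sha256 -days 90 -extfile "$1/proxy.ext" \
    -out "$1/proxy.pem" 2>/dev/null
}

# check_chain DIR: succeeds only if proxy.pem chains to rootCA.pem.
check_chain() { openssl verify -CAfile "$1/rootCA.pem" "$1/proxy.pem" >/dev/null 2>&1; }

# check_key DIR: succeeds only if proxy.Key is the key certified in proxy.pem.
check_key() {
  k=$(openssl pkey -in "$1/proxy.Key" -pubout 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$(openssl x509 -in "$1/proxy.pem" -noout -pubkey)" ]
}

# check_host DIR HOST: chain check plus the hostname match a TLS client performs.
check_host() {
  openssl verify -CAfile "$1/rootCA.pem" -verify_hostname "$2" "$1/proxy.pem" >/dev/null 2>&1
}

# Usage: sh make-certs.sh OUTPUT_DIR ENDPOINT_HOSTNAME
if [ "$#" -eq 2 ]; then
  make_certs "$1" "$2" && check_chain "$1" && check_key "$1" && check_host "$1" "$2" && echo ok
fi
```

Pass the host name that database clients will put in their connection string; a certificate issued for any other name fails check_host in the same way it would fail the driver's default verification.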