Configuring Guardium-S-TAP communication by using an SSL certificate

Create and store an SSL certificate for Guardium-S-TAP communication on Windows®, UNIX®, Linux®, and z/OS systems.

About this task

On Windows® systems, if you do not want to set a parameter, leave it out of guard_tap.ini entirely. This applies in particular to the CRL path, and to the case where you want to turn off certificate authentication and fall back to TLS without certificate checking.

On UNIX® and Linux® systems, if you do not want to set a parameter, set its value to NULL instead of omitting it. This applies in particular to the CRL path, and to the case where you want to turn off certificate authentication and fall back to TLS without certificate checking.

Attention: On z/OS, steps 7 and 8 are not necessary, but you must configure an AT-TLS policy instead. Work with your system administrators to configure AT-TLS. For more information, see AT-TLS policy example.

Procedure

  1. Log in to the CLI of your Guardium.
  2. Enter: create csr sniffer.
  3. Enter the common name (CN) of the system for which the certificate is requested. The CLI generates the CSR; you use the same CN again in step 8.
  4. Submit the CSR to your certificate authority (CA) service for signing, and obtain both the signed certificate and the root certificate of the CA that signed it.
    If the certificate is not already in PEM format, use OpenSSL or another third-party tool to convert it.
    The following example shows the openssl command to convert from PKCS#7 (.p7b) format to PEM:
    openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem
  5. Store the signed certificate on the Guardium system by entering the CLI command: store certificate sniffer.
  6. If you do not know the issuer (CA) and the CN of the stored certificate, enter: show certificate sniffer. The output is similar to the following; the signature algorithm may differ, for example a newer hash algorithm may be used:
    Certificate File system.cert.pem
    Certificate:
    Data:
    Version: 1 (0x0)
    Serial Number: 12345678912345678999 (0x8ba99886be3317ab)
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: C=aa, ST=aa, L=aa, O=aa, OU=aa, CN=CYCLOPS
  7. On the DB server, save the root certificate of the certificate authority (CA) service to a file.
  8. In the guard_tap.ini file, set the following parameters:
    • guardium_ca_path=[Location of the Certificate Authority certificate]
    • sqlguard_cert_cn=<CN from step 3>
    • guardium_crl_path=<path to the certificate revocation list (CRL) file or directory; the CRL acts as a blocklist of revoked certificates>
    If you do not use a CRL, omit guardium_crl_path on Windows, or set it to NULL on UNIX or Linux, as described in About this task.
  9. Restart the S-TAP, and then restart the sniffer by entering the CLI command: restart inspection-engines.
  10. Verify that the installed certificate is being used.
    The following example shows the openssl command to verify that the installed certificate is being used.
    openssl s_client -servername <SERVER_NAME> -connect <APPLIANCEIP>:16018 -CAfile /opt/ibm/guardium/system.cert.pem
    The output for the command looks similar to the following example:
    SSL handshake has read 13901 bytes and written 822 bytes
    Verification: OK
    New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 0 (ok)
    Post-Handshake New Session Ticket arrived:
    SSL-Session:
        Protocol  : TLSv1.3
        Cipher    : TLS_AES_256_GCM_SHA384
        Session-ID: 2F0C59CC1A8F6CC7C4FCB592D5D01423DCBD6206807B566775BABA750A434BDA
        Session-ID-ctx:
        Resumption PSK: ADCE21A5DA431C524304576F0D3C208D1835248B978CF7663DA76B0D8C77AE59702C6D2E4854E0C6C4CF7955C944ABBC
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 86400 (seconds)
        TLS session ticket:
        0000 - be 2b f2 5d 0d 31 64 43-45 d0 c1 06 20 2a 30 dd   .+.].1dCE... *0.
        0010 - 32 8b e2 8b 37 af e1 4f-1d f9 09 0b c4 da 0d f6   2...7..O........
    Verification: OK and Verify return code: 0 (ok) show that the sniffer presented a certificate that validates against the file passed with -CAfile over a TLS connection. If the verify return code is not 0, the chain does not validate against the supplied CA file; recheck the stored sniffer certificate and the CA certificate before relying on the S-TAP connection.
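The following script is an added example and is not part of the IBM documentation or the Guardium product. It rehearses the DB-server side of steps 4, 7 and 8 offline: it builds a throwaway root CA and a "sniffer" certificate with CN=CYCLOPS (the CN taken from the sample show certificate sniffer output above), hands the certificate back as PKCS#7 and converts it to PEM as in step 4, checks that the certificate chains to the CA file that will go into guardium_ca_path, reads the CN that belongs in sqlguard_cert_cn from the certificate itself instead of retyping it, and renders the guard_tap.ini lines using the page's Windows (omit) versus UNIX/Linux (NULL) rule for an unused CRL path. It assumes only the openssl command-line tool; all certificates, names and the WORK directory are constructed for the example.

```shell
#!/bin/sh
# Added example, not Guardium code: exercise the certificate checks an admin
# runs on the DB server before editing guard_tap.ini. Requires openssl only.
set -e

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for the constructed PKI

# Constructed test PKI: a root CA, a sniffer certificate (CN=CYCLOPS) signed by
# it, a second unrelated CA to exercise the failure path, and a PKCS#7 copy of
# the sniffer certificate to stand in for a CA that returns .p7b files.
make_test_pki() {
    d="$WORK"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/O=Example/CN=Example Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example/CN=CYCLOPS" \
        -keyout "$d/sniffer.key" -out "$d/sniffer.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$d/sniffer.csr" \
        -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -out "$d/sniffer.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/O=Other/CN=Unrelated Root CA" \
        -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null
    openssl crl2pkcs7 -nocrl -certfile "$d/sniffer.pem" -out "$d/sniffer.p7b"
}

# Step 4: convert a PKCS#7 bundle to PEM. Prints the path of the PEM file.
p7b_to_pem() {
    openssl pkcs7 -print_certs -in "$1" -out "$2"
    printf '%s\n' "$2"
}

# Steps 7 and 8: does the sniffer certificate ($2) chain to the CA file ($1)
# that is about to become guardium_ca_path? Exit status 0 = yes, non-zero = no.
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Step 8: the CN for sqlguard_cert_cn, read from the certificate itself.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Render the guard_tap.ini fragment: CA path, CN from the certificate, and the
# CRL path. With no CRL, the line is omitted on Windows and set to NULL on
# UNIX/Linux, following the page's "About this task" rules.
render_ini() {
    ca="$1"; cert="$2"; crl="${3:-}"; os="${4:-unix}"
    printf 'guardium_ca_path=%s\n' "$ca"
    printf 'sqlguard_cert_cn=%s\n' "$(cert_cn "$cert")"
    if [ -n "$crl" ]; then
        printf 'guardium_crl_path=%s\n' "$crl"
    elif [ "$os" = unix ]; then
        printf 'guardium_crl_path=NULL\n'
    fi
}

# Walk through the procedure end to end; run with: sh thisfile.sh demo
demo() {
    make_test_pki
    pem="$(p7b_to_pem "$WORK/sniffer.p7b" "$WORK/sniffer_from_p7b.pem")"
    if chain_verifies "$WORK/ca.pem" "$pem"; then
        echo "sniffer certificate chains to ca.pem: OK"
    fi
    if ! chain_verifies "$WORK/other.pem" "$pem"; then
        echo "rejected against an unrelated CA, as expected"
    fi
    echo "--- guard_tap.ini fragment (UNIX/Linux, no CRL) ---"
    render_ini "$WORK/ca.pem" "$pem" "" unix
}

case "${1:-}" in demo) demo ;; esac
```

Run it with `sh thisfile.sh demo`; the same three functions (p7b_to_pem, chain_verifies, cert_cn) work unchanged on a real CA root and a real sniffer certificate exported from the appliance, which is the check worth doing before step 9 so that a CN typo or a wrong CA file does not surface only as a failed S-TAP connection.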