Deploy and configure the vulnerability assessment scanner

Follow these steps to successfully deploy and configure the vulnerability assessment scanner on Kubernetes.

About this task

This feature is available in 12.2.2 and later versions of Guardium®.

Procedure

  1. Deploy the Guardium Data Protection server:
    Important: The Guardium Data Protection server must be deployed in an environment where port 8443 is accessible from the database and Kubernetes cluster.

    Recommended approach:

    • Deploy Guardium Data Protection on AWS EC2 (or another public cloud provider).
    • Ensure the Guardium Data Protection server port 8443 is accessible from your EKS cluster.

    AWS EC2 deployment example:

    # 1. Launch EC2 instance with appropriate instance type
    # 2. Configure Security Group to allow inbound traffic on port 8443
    # 3. Install and configure Guardium Data Protection
    # 4. Verify GDP is accessible: https://your-gdp-ip:8443

    Security group configuration:

    • Inbound rule: TCP port 8443 from your EKS cluster CIDR or security group
    • Outbound rule: Allow all (for database connectivity). Once connectivity is confirmed, tighten this to the database ports and CIDRs the server actually needs (for example TCP 1521, 3306 or 5432 to the database subnet); the Guardium server has no need for unrestricted egress.
  2. Create a database instance in your cloud environment (e.g. AWS RDS) that will be assessed for vulnerabilities:

    AWS RDS example:

    # Create RDS instance via AWS Console or CLI
    # Important: Note down these connection details:

    Required information:

    • Database endpoint (e.g. mydb.abc123.us-east-1.rds.amazonaws.com)
    • Port (1521 for Oracle, 3306 for MySQL, 5432 for PostgreSQL)
    • Database name/Service name
    • Master username
    • Master password

    Supported database types:

    • Oracle Database
    • MySQL / MariaDB
    • PostgreSQL
    • Microsoft SQL Server
    • IBM DB2
    • MongoDB
    • Other Guardium-supported databases

    Network configuration:

    • Ensure the database security group allows connections from the Guardium Data Protection server.
    • For RDS: prefer a private path (the same VPC, or VPC peering) between the Guardium Data Protection server and the database. Enable public accessibility only when no private path exists, and in that case restrict the database's inbound rule to the Guardium server's public IP rather than 0.0.0.0/0.
  3. Set up the EKS cluster:

    Create and configure your Amazon EKS cluster with proper permissions for deploying the vulnerability assessment scanner.

    1. Create the EKS cluster:

      Using eksctl (Recommended):

      eksctl create cluster \
        --name va-scanner-cluster \
        --region us-east-1 \
        --nodegroup-name standard-workers \
        --node-type t3.medium \
        --nodes 3 \
        --nodes-min 2 \
        --nodes-max 4 \
        --managed

      Or use the AWS Console:

      (Screenshot: EKS cluster creation)
    2. Configure kubectl access:
      # Update kubeconfig to access your cluster
      aws eks update-kubeconfig --region us-east-1 --name va-scanner-cluster
      # Verify connection
      kubectl get nodes
    3. Verify authentication:
      # Check current context
      kubectl config current-context
      # Expected output: arn:aws:eks:us-east-1:ACCOUNT_ID:cluster/va-scanner-cluster
      
      # Verify cluster info
      kubectl cluster-info
      # Expected output:
      # Kubernetes control plane is running at https://...
      # CoreDNS is running at https://...
    4. Create a namespace:
      # Create dedicated namespace for VA Scanner
      kubectl create namespace va-scanner
      # Verify namespace creation
      kubectl get namespaces | grep va-scanner
    5. Verify permissions:

      Ensure you have sufficient RBAC permissions:

      # Test required permissions
      kubectl auth can-i create deployments -n va-scanner      # Should return: yes
      kubectl auth can-i create secrets -n va-scanner          # Should return: yes
      kubectl auth can-i create serviceaccounts -n va-scanner  # Should return: yes
      kubectl auth can-i create hpa -n va-scanner              # Should return: yes
  4. Connect your database to the Guardium Data Protection system so it can be assessed for vulnerabilities:
    1. Log in to the Guardium Data Protection console and navigate to the Data Sources section.

      Open your browser and navigate to:

      https://your-gdp-server:8443

      Log in with your Guardium Data Protection administrator credentials.

    2. To add your data source, follow these steps in the Guardium Data Protection console:
      1. Click Add Data Source.
      2. Select your database type (Oracle Database, MySQL, PostgreSQL, SQL Server, DB2, MongoDB, and so on).
      3. Enter the connection details:
        Field                  Description          Example
        Host                   Database endpoint    mydb.abc123.us-east-1.rds.amazonaws.com
        Port                   Database port        1521 (Oracle), 3306 (MySQL), 5432 (PostgreSQL)
        Database/Service name  Database identifier  ORCL, mydb
        Username               Database user        admin
        Password               Database password    your-secure-password
        The master user is the quickest way to get a first assessment running; for ongoing scans, prefer a dedicated assessment account that is granted only the privileges the Guardium vulnerability assessment tests need for your database type.
      4. Click Test Connection to verify connectivity. You should see a Connection successful message before proceeding to the next step.
      5. Click Save to store the data source.
      (Screenshot: GDP data source configuration)
  5. Create a security assessment in Guardium Data Protection by configuring the vulnerability assessment tests that will run on your database.
    1. Log in to the Guardium Data Protection console and navigate to the Assessment Builder section.
    2. Create a new assessment:
      1. Click the Plus button to create a new assessment.
      2. Enter a descriptive name (e.g. Oracle Production DB Assessment).
      3. Click Create.
    3. Add a data source to the assessment:
      1. In the assessment configuration page, click Add Data Source.
      2. Select the data source that you created in Step 4.
      3. Click Save.
      (Screenshots: Adding data source to assessment; Data source selection)
    4. Configure the security tests:
      1. Click Configure Test.
      2. Navigate to the Config tab.
      3. Select your database type (e.g. Oracle, MySQL, PostgreSQL)
      4. Choose the security tests you want to run. These include:
        • Configuration vulnerabilities
        • User privilege checks
        • Password policy validation
        • Patch level verification
        • Encryption settings
        • Audit configuration
      5. Click Save.
      (Screenshot: Configure security tests)
    5. Before deploying the scanner, manually test the assessment:
      1. Return to the assessment overview.
      2. Click Run Once Now. This will run the assessment immediately.
      3. View the results in the Assessment Results section.
        Note: You should see test results appearing in the results section, indicating the assessment is properly configured.
  6. Deploy the vulnerability assessment scanner with Helm:

    To learn about the various installation methods, see Installation methods for vulnerability assessment scanner Helm chart.

    Deploy the vulnerability assessment scanner to your EKS cluster to automate continuous vulnerability assessments.

    1. Gather the required credentials:

      Guardium Data Protection API key:

      # SSH to your GDP server
      ssh user@your-gdp-server
      # Create API key for the scanner
      grdapi create_api_key name=vascannereks
      # Copy and save the "Encoded API key" from the output

      Guardium Data Protection certificate:

      Extract the certificate directly from your Guardium Data Protection server using OpenSSL:

      # Run this command on YOUR LAPTOP (replace YOUR_GDP_HOST with your GDP server):
      openssl s_client -connect YOUR_GDP_HOST:8443 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM | base64 | tr -d '\n'
      # Example:
      openssl s_client -connect ec2-54-85-148-224.compute-1.amazonaws.com:8443 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM | base64 | tr -d '\n'

      This outputs the server's certificate, base64-encoded on a single line. Copy the entire output. Two caveats: openssl x509 keeps only the first (leaf) certificate the server sends, so intermediate or root certificates in the chain are not included; and because this fetch trusts whatever the network returns, confirm the certificate before using it by comparing its SHA-256 fingerprint (the same s_client pipeline ending in openssl x509 -noout -fingerprint -sha256) with the value your Guardium administrator reads on the server itself.

      Check the certificate hostname:

      Verify the hostname that the certificate is issued for:

      # Run this command to see the certificate's Subject Alternative Name (SAN):
      openssl s_client -connect YOUR_GDP_HOST:8443 -showcerts </dev/null 2>/dev/null | openssl x509 -noout -text | grep -A2 "Subject Alternative Name"
      # Example output:
      #     X509v3 Subject Alternative Name:
      #         DNS:ec2-54-85-148-224.compute-1.amazonaws.com
      Important: The hostname in the certificate (DNS name) must match the gdp.host value in your configuration. If they match, you do not need host aliases.
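The hostname check above, as a small shell script: it lists the SAN DNS names of a PEM certificate, decides whether gdp.host is covered (exact match or a single-label wildcard) and therefore whether hostAliases is needed, and produces the single-line base64 value and the SHA-256 fingerprint from the same file. This is an added example, not part of the Guardium documentation or the va-scanner chart; it works on a certificate file you have already fetched and verified, and the file name gdp.pem, the function names and the example host names are assumptions.

```shell
#!/bin/sh
# Added example (not from the Guardium docs or the va-scanner chart).
# Assumes a PEM certificate on disk, fetched once with the page's own command:
#   openssl s_client -connect "$GDP_HOST:8443" -showcerts </dev/null 2>/dev/null \
#     | openssl x509 -outform PEM > gdp.pem
# and its fingerprint compared with the Guardium administrator before it is trusted.

# Print the DNS names from the certificate's Subject Alternative Name, one per line.
# (IP Address entries are ignored: gdp.host must be a DNS name from the certificate.)
cert_san_dns() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p'
}

# SHA-256 fingerprint, for out-of-band comparison with the server owner.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# The single-line base64 value that goes into gdp.certBase64.
cert_base64() {
  openssl x509 -in "$1" -outform PEM | base64 | tr -d '\n'
}

# Return 0 if HOST is covered by a SAN entry (exact, or a single-label wildcard), else 1.
san_matches_host() {
  cert="$1"; host="$2"
  for san in $(cert_san_dns "$cert"); do
    case "$san" in
      \*.*)  # *.example.com matches db.example.com but not a.b.example.com
        [ "${host#*.}" = "${san#\*.}" ] && [ "${host%%.*}" != "$host" ] && return 0 ;;
      *)
        [ "$san" = "$host" ] && return 0 ;;
    esac
  done
  return 1
}

# What to put in the values file: "hostAliases: []" when gdp.host matches the
# certificate, otherwise the DNS names that gdp.host would have to be set to
# (together with a hostAliases entry mapping that name to the server's IP).
host_aliases_advice() {
  if san_matches_host "$1" "$2"; then
    echo "hostAliases: []"
  else
    echo "hostAliases needed: set gdp.host to one of: $(cert_san_dns "$1" | tr '\n' ' ')"
  fi
}
```

Typical use is host_aliases_advice gdp.pem guard.yourcompany.com, with gdp.host set to the same name. Writing the output of cert_base64 gdp.pem to a file and passing it at install time with --set-file gdp.certBase64=gdp.b64 (and the API key and entitlement key with --set from environment variables) keeps credential material out of my-values.yaml, so the values file can be checked in without secrets.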

      IBM entitlement key:

      Get your IBM entitlement key for pulling the scanner image:

      # Go to: https://myibm.ibm.com/products-services/containerlibrary
      # Click "Copy entitlement key" button
      # Save the key - you'll need it for registry.password
    2. Prepare the Helm values file:
      # Navigate to the Helm chart directory
      cd src/va-scanner
      # Copy the example values file
      cp values-example.yaml my-values.yaml
    3. Configure your values:

      Edit my-values.yaml with your specific configuration:

      # Namespace Configuration
      namespace:
        create: false  # Set to false if using --create-namespace flag
        name: va-scanner  # Must match the -n value passed to helm install below
      # GDP Server Configuration
      gdp:
        # GDP Server hostname - MUST match the hostname in your SSL certificate
        # STEP 1: Check certificate hostname:
        #   openssl s_client -connect YOUR_GDP_HOST:8443 -showcerts </dev/null 2>/dev/null | openssl x509 -noout -text | grep -A2 "Subject Alternative Name"
        # STEP 2: Use the DNS name from certificate output
        host: "guard.yourcompany.com"                      # TODO: Replace with YOUR certificate DNS name
        # apiKey, certBase64 and registry.password below are credentials: keep this file out of
        # version control, or leave them empty here and supply them at install time with --set / --set-file
        apiKey: "your-base64-encoded-api-key"              # TODO: The "Encoded API key" from step 6.1
        agentName: "eks-va-scanner-01"                     # Unique identifier for this scanner
        certBase64: "your-base64-encoded-certificate"      # TODO: From step 6.1
      # IBM Container Registry Credentials (for cp.icr.io)
      registry:
        username: "cp"                                      # Use 'cp' for IBM entitled software
        password: "your-ibm-entitlement-key"               # TODO: From https://myibm.ibm.com/products-services/containerlibrary
        email: "cp"                                        # Use 'cp' for entitled software
        server: cp.icr.io                                  # IBM Container Registry
      # Scanner Container Image
      image:
        repository: cp.icr.io/cp/ibm-guardium-data-security-center/guardium/vascanner-12.2.0/va-scanner
        tag: "vascanner-v12.2.0"
        pullPolicy: IfNotPresent
      # Deployment Configuration
      replicaCount: 3  # Number of scanner pods (if HPA is disabled)
      # VA Scanner Polling (prevents CrashLoopBackOff when no jobs available)
      vaScannerPollInMins: 10  # Poll every 10 minutes
      # Optional: Enable auto-scaling
      autoscaling:
        enabled: true
        minReplicas: 2
        maxReplicas: 10
      # Host Aliases - ONLY needed if certificate hostname differs from actual hostname
      # Check if needed by comparing certificate DNS name with gdp.host above
      # If they MATCH → use empty array: hostAliases: []
      # If they DIFFER → configure mapping:
      # hostAliases:
      #   - ip: "52.21.60.157"              # TODO: Your GDP server's actual IP
      #     hostnames:
      #       - "guard.yourcompany.com"     # TODO: Must match gdp.host above
      hostAliases: []  # Default: empty (assumes certificate hostname matches)
    4. Deploy with Helm:

      Choose one of the installation methods below based on your preference:

      Method 1: From a cloned repository

      # Navigate to the root of the cloned repository
      cd va-scanner-helm
      # Install the Helm chart from the src directory, using the values file created in src/va-scanner in step 6.2
      helm install va-scanner ./src/va-scanner -f ./src/va-scanner/my-values.yaml -n va-scanner --create-namespace
      # Watch the deployment progress
      kubectl get pods -n va-scanner -w

      Method 2: From a packaged tar file

      # Install from packaged tar file in releases directory
      helm install va-scanner ./releases/va-scanner-1.0.0.tgz -f my-values.yaml -n va-scanner --create-namespace
      # Watch the deployment progress
      kubectl get pods -n va-scanner -w

      Method 3: Using Helm Git support

      # Install directly from the Git repository. Helm itself cannot fetch charts from Git URLs;
      # this form relies on a Helm Git plugin (such as helm-git) being installed alongside Helm.
      helm install va-scanner \
        git+https://github.ibm.com/Guardium/va-scanner-helm@main?path=src/va-scanner \
        -f my-values.yaml \
        -n va-scanner \
        --create-namespace
      # Watch the deployment progress
      kubectl get pods -n va-scanner -w
      Note: The --create-namespace flag is required for the first installation. It tells Helm to create the namespace before deploying resources.

      Expected output:

      NAME                          READY   STATUS    RESTARTS   AGE
      va-scanner-5d8f7b9c4d-abc12   1/1     Running   0          30s
      va-scanner-5d8f7b9c4d-def34   1/1     Running   0          30s
      va-scanner-5d8f7b9c4d-ghi56   1/1     Running   0          30s
    5. Verify successful deployment:

      Check all resources:

      kubectl get all -n va-scanner

      Check scanner logs:

      kubectl logs -n va-scanner -l app=va-scanner --tail=100 -f

      Expected log output (success indicators):

      Using this certificate file for keystore: [ /var/vascanner/certs/vascanner.pem ]
      2025-12-18 18:39:09 INFO  VAScannerLogger:147 - VA Scanner App is starting to run
      2025-12-18 18:39:09 INFO  VAScannerLogger:147 - VA Scanner App running
      2025-12-18 18:39:09 INFO  VAScannerLogger:147 - VA Scanner App connecting to Guardium server
      2025-12-18 18:39:14 INFO  VAScannerLogger:147 - Test ID Assessment : ID : 20000 TestID : 4211 Severity : INFO completed

      Sample assessment execution logs:

      2025-11-26 18:33:49 INFO  VAScannerLogger:147 - Test ID Assessment : ID : 20000 TestID : 20 Severity : INFO completed in 0 minutes and 0 seconds.
      2025-11-26 18:33:56 INFO  VAScannerLogger:147 - Test ID Assessment : ID : 20000 TestID : 250 Severity : INFO completed in 0 minutes and 0 seconds.
      2025-11-26 18:33:56 INFO  VAScannerLogger:147 - Test ID Assessment : ID : 20000 TestID : 251 Severity : INFO completed in 0 minutes and 0 seconds.
      2025-11-26 18:34:07 INFO  VAScannerLogger:147 - Test ID Assessment : ID : 20000 TestID : 220 Severity : INFO completed in 0 minutes and 0 seconds.

      Key success indicators, in the order they appear in the log:

      • "VA Scanner App is starting to run": the scanner has initialized.
      • "VA Scanner App running": the scanner is active and polling for work.
      • "VA Scanner App connecting to Guardium server": the scanner has reached the Guardium server; the Test ID lines that follow confirm the connection works.
      • "Test ID Assessment : ID : XXXXX TestID : XXX ... completed": assessment tests are running to completion.
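The success indicators above can be checked mechanically rather than by eye, for example from a CI job or a wrapper around kubectl logs. The following is an added example, not part of the Guardium documentation or the va-scanner image: it parses the log format shown on this page, counts completed tests per assessment ID and reports whether the scanner reached the Guardium server. The sample log is constructed from the page's lines (assessment ID 20001 and the function names are assumptions).

```shell
#!/bin/sh
# Added example (not from the Guardium docs). Parses VA scanner log lines in the
# format shown on this page. SAMPLE_LOG is constructed for illustration.

SAMPLE_LOG='Using this certificate file for keystore: [ /var/vascanner/certs/vascanner.pem ]
2025-12-18 18:39:09 INFO  VAScannerLogger:147 - VA Scanner App is starting to run
2025-12-18 18:39:09 INFO  VAScannerLogger:147 - VA Scanner App running
2025-12-18 18:39:09 INFO  VAScannerLogger:147 - VA Scanner App connecting to Guardium server
2025-12-18 18:39:14 INFO  VAScannerLogger:147 - Test ID Assessment : ID : 20000 TestID : 4211 Severity : INFO completed
2025-12-18 18:39:20 INFO  VAScannerLogger:147 - Test ID Assessment : ID : 20000 TestID : 20 Severity : INFO completed in 0 minutes and 0 seconds.
2025-12-18 18:39:21 INFO  VAScannerLogger:147 - Test ID Assessment : ID : 20001 TestID : 250 Severity : INFO completed in 0 minutes and 1 seconds.'

# Return 0 when the log (on stdin) shows the scanner reaching the Guardium server.
scanner_connected() {
  grep -q 'VA Scanner App connecting to Guardium server'
}

# Count completed tests per assessment: prints "<assessment id> <count>" lines, sorted.
tests_per_assessment() {
  awk '/Test ID Assessment : ID : [0-9]+ TestID : [0-9]+ .*completed/ {
         sub(/.*Test ID Assessment : ID : /, "")   # leaves "20000 TestID : 4211 ..."
         n[$1]++
       }
       END { for (id in n) print id, n[id] }' | sort
}

# Total number of completed tests across all assessments (0 for an empty log).
completed_tests() {
  tests_per_assessment | awk '{ s += $2 } END { print s + 0 }'
}

# Combined check: succeed only if the scanner connected AND at least MIN tests completed.
# Usage: kubectl logs -n va-scanner -l app=va-scanner --tail=500 | scanner_healthy 1
scanner_healthy() {
  min="${1:-1}"
  log="$(cat)"
  printf '%s\n' "$log" | scanner_connected || return 1
  [ "$(printf '%s\n' "$log" | completed_tests)" -ge "$min" ]
}
```

The check deliberately requires both a connection line and at least one completed test: a pod that connects but never completes a test (for example because the assessment has no data source attached) still has a Running status in kubectl, and only the log reveals that nothing is being assessed.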

Results

The vulnerability assessment scanner is now deployed and automatically running security assessments on your databases.