After your Guardium® and IBM® Knowledge Catalog systems are correctly configured, you can configure and start the integration from the Guardium UI.
Before you begin
Before you begin, store the IBM Cloud Pak® for Data root certificate on any managed units or stand-alone machines. For more information about storing the Cloud Pak for Data certificates, see store certificate wkc.
Note: Do not use the self-signed certificate that is installed with Cloud Pak for Data. Always use a certificate authority (CA)-signed certificate in production environments.
Procedure
- To set up policy integration on a Guardium central manager, browse to .
- From the Security Policies page, open the Configure WKC window.
- From a central manager, select Configure WKC.
- From a stand-alone machine, click Manage, and then select Configure WKC.
- From the WKC configuration page, enter the following information:
- Enable WKC data protection rules - Toggle to use IBM Knowledge Catalog data protection.
- WKC service URI - The URI of the IBM Knowledge Catalog service.
- Credential type - Select a method to manage credentials:
- Assign credentials - If you choose to assign credentials, then supply your IBM Knowledge Catalog User name and User password.
- External password - To support an external credential manager, such as AWS Secrets Manager or CyberArk, select External password, and then select one of the credential managers from the list. Enter the requested information for that credential manager.
- User scope - The owner of this asset. Select either Database user (the default) or Application user. For more information, see How the Guardium default user works.
- Column alias - With column-level transformation, SQL column fields can be transformed by IBM Knowledge Catalog UDF function calls, which can be long. Use Column alias to specify whether to use the original column names or an alias of the function name, which can be shorter and helps hide some transformation details (which might provide extra security). As the database server evaluates the transformed SQL, the transformed function signature displays as the column name in the database client. For example, with the input query select EmpCard from EMPLOYEE, you can select one of the following options for how to display the transformed query in the database client.
- Use original column name - Use the original COLUMN_NAME as the IBM Knowledge Catalog UDF alias. The transformed query includes the original column name and the actions taken. The transformed query displays as follows:
select WKC.MASK_STRING(0,"XXXXXXXXXX",".", EmpCard) AS EmpCard from EMPLOYEE;
- Use full function signature - Do not use an alias for the column-transformation UDF. The transformed query displays as follows:
select WKC.MASK_STRING(0,"XXXXXXXXXX",".",EmpCard) from EMPLOYEE;
- Use short function signature - Use MASKFUNCTIONNAME_COLUMNNAME as the UDF alias. The transformed query includes the masking function name and the original column name. The transformed query displays as follows:
select WKC.MASK_STRING(0,"XXXXXXXXXX",".",EmpCard) AS MASK_STRING_EmpCard from EMPLOYEE;
Regardless of which alias option you select, if a column in the SQL query statement already has a defined alias, query rewrite preserves the aliases in the SQL statement. The Column alias option applies only when a column that has no alias in the SQL statement triggers a column-level transformation.
- Action on unexpected response - Deny is the default. If Guardium receives an unexpected response (or no response) from IBM Knowledge Catalog, you can choose to allow or deny the connection to IBM Knowledge Catalog. The default, Deny, treats the connection as an IBM Knowledge Catalog policy violation. Select Allow to allow the connection, which treats the connection as approved.
- Cache size - The size of the cache determines the maximum number of decisions that can be stored in memory at any point in time. The default is 1000 decision entries.
- Time to live (minutes) - The time-to-live (in minutes), that is, the amount of time that each decision is available in the primary cache. After the time-to-live passes, the decision is deleted from the cache. Default = 60. The maximum is 1440.
- Enable persistent cache - If you enable persistent cache, then you must also specify the following parameters.
- Maximum entries - The maximum number of entries to save in the cache. The minimum is 1. Default = 100000.
- Maximum files - The maximum number of files to save in the cache. Default = 10. The maximum is 100.
- Time to live (days) - The time-to-live (in days) for each decision in the persistent cache. Default = 7. The maximum is 30.
- For central managers, the Collector table displays all of the collectors that are associated with this central manager.
- Filter, if needed, and select the collectors to include in the IBM Knowledge Catalog integration.
- Click OK to begin using the IBM Knowledge Catalog data protection rules for the central manager and selected collectors.
Note: You can also change the parameters for collectors (and stand-alone machines) by using the store wkc_configuration CLI.
- For a stand-alone machine, click OK to begin using the IBM Knowledge Catalog data protection rules on that machine.
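The three Column alias options above differ only in how the rewritten query names the masked column. The following added example (illustration written for this page, not Guardium's query-rewrite engine) applies the page's WKC.MASK_STRING call to the simple query form select col [AS alias][, ...] from table, so that the effect of each option, and the rule that an alias already present in the statement is preserved, can be checked. The set of columns that trigger a transformation (MASK_RULES) is a constructed input.

```python
"""Illustration of the Column alias options for a column-level transformation.

Added example, not Guardium's query-rewrite implementation. Only the form
  select col [AS alias][, ...] from table
is handled; the masking call and its arguments are taken from the page.
"""
import re
from enum import Enum


class ColumnAlias(Enum):
    ORIGINAL_NAME = "original"    # AS <original column name>
    FULL_SIGNATURE = "full"       # no alias: the UDF call is the column name
    SHORT_SIGNATURE = "short"     # AS <MASKFUNCTIONNAME>_<COLUMNNAME>


# Constructed: columns that trigger a transformation, and the UDF to apply.
# Value is (qualified function name, leading arguments before the column).
MASK_RULES = {
    "EmpCard": ("WKC.MASK_STRING", '0,"XXXXXXXXXX",".",'),
}

_SELECT_RE = re.compile(r"^\s*select\s+(.+?)\s+from\s+(.+?)\s*;?\s*$",
                        re.IGNORECASE | re.DOTALL)
_ITEM_RE = re.compile(r"^\s*(\w+)(?:\s+as\s+(\w+))?\s*$", re.IGNORECASE)


def rewrite_query(sql, option):
    """Return the transformed query for `sql` under the given alias option."""
    m = _SELECT_RE.match(sql)
    if not m:
        raise ValueError("only 'select <columns> from <table>' is supported")
    select_list, table = m.group(1), m.group(2)
    out = []
    for item in select_list.split(","):
        im = _ITEM_RE.match(item)
        if not im:
            raise ValueError(f"unsupported select item: {item.strip()}")
        col, existing_alias = im.group(1), im.group(2)
        rule = MASK_RULES.get(col)
        if rule is None:
            out.append(item.strip())        # no transformation, left untouched
            continue
        func, args = rule
        call = f"{func}({args}{col})"
        if existing_alias:
            # An alias already in the statement is preserved by query rewrite,
            # whichever Column alias option is configured.
            alias = existing_alias
        elif option is ColumnAlias.ORIGINAL_NAME:
            alias = col
        elif option is ColumnAlias.SHORT_SIGNATURE:
            alias = f"{func.split('.')[-1]}_{col}"
        else:
            alias = None
        out.append(f"{call} AS {alias}" if alias else call)
    return f"select {', '.join(out)} from {table};"


if __name__ == "__main__":
    for opt in ColumnAlias:
        print(opt.name, "->", rewrite_query("select EmpCard from EMPLOYEE", opt))
```

The "full function signature" output exposes the masking call and its arguments as the column name in the client, which is why the page notes that the alias forms can hide some transformation details.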
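The Action on unexpected response, Cache size and Time to live (minutes) settings above interact: a decision is served from the cache until its time-to-live passes, and only a missing or malformed answer from the policy service falls back to the configured action. The following added model (written for this page, not Guardium's implementation) shows why Deny is the fail-closed default. Oldest-first eviction when the cache is full, and not caching a fallback decision, are assumptions of the model; the policy-service callback and its responses are constructed.

```python
"""Model of the in-memory decision cache and the unexpected-response action.

Added example, not Guardium's implementation. Cache size and TTL defaults
and limits follow the settings described on the page; eviction order and
the choice not to cache fallback decisions are assumptions of this model.
"""
from collections import OrderedDict

ALLOW, DENY = "allow", "deny"


class DecisionCache:
    def __init__(self, cache_size=1000, ttl_minutes=60, on_unexpected=DENY):
        if not 1 <= ttl_minutes <= 1440:
            raise ValueError("time to live must be between 1 and 1440 minutes")
        if on_unexpected not in (ALLOW, DENY):
            raise ValueError("action on unexpected response must be allow or deny")
        self.cache_size = cache_size
        self.ttl_seconds = ttl_minutes * 60
        self.on_unexpected = on_unexpected
        self._entries = OrderedDict()   # key -> (decision, expires_at)
        self.service_calls = 0          # how often the policy service was asked

    def decide(self, key, now, query_policy):
        """Return (decision, served_from_cache) for `key` at time `now` (seconds).

        `query_policy(key)` stands in for the IBM Knowledge Catalog call; it
        may return ALLOW, DENY, anything else (unexpected response) or raise
        (no response).
        """
        entry = self._entries.get(key)
        if entry is not None:
            decision, expires_at = entry
            if now < expires_at:
                return decision, True
            del self._entries[key]       # time-to-live passed: drop the decision

        self.service_calls += 1
        try:
            response = query_policy(key)
        except Exception:
            response = None              # no response at all
        if response in (ALLOW, DENY):
            self._entries[key] = (response, now + self.ttl_seconds)
            if len(self._entries) > self.cache_size:
                self._entries.popitem(last=False)   # assumed: evict oldest entry
            return response, False
        # Unexpected or missing response: apply the configured action (Deny by
        # default, i.e. treat as a policy violation) without caching it.
        return self.on_unexpected, False


if __name__ == "__main__":
    # Constructed responses: one clean decision, one malformed reply.
    fake_service = lambda key: {"alice:EMPLOYEE": ALLOW, "bob:EMPLOYEE": "maybe"}[key]
    cache = DecisionCache(cache_size=2, ttl_minutes=60)
    print(cache.decide("alice:EMPLOYEE", 0, fake_service))     # ('allow', False)
    print(cache.decide("alice:EMPLOYEE", 120, fake_service))   # ('allow', True)
    print(cache.decide("bob:EMPLOYEE", 0, fake_service))       # ('deny', False)
    print(cache.decide("carol:EMPLOYEE", 0, fake_service))     # ('deny', False), KeyError
```

A short time-to-live limits how long a stale decision is honoured after a data protection rule changes, at the cost of more calls to the policy service; the cache size bounds memory but also how many distinct decisions survive between evictions.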
What to do next
After you enable the IBM Knowledge Catalog integration, the integration runs until you disable it. However, be sure to stop the integration before you add new assets to the IBM Knowledge Catalog. If the integration is running when you add assets, the new connections are denied and an error occurs. After the integration is working, you can add transformation and other processes for specific data sources as described in Setting up a transformation integration.