Starting the IBM Knowledge Catalog and Guardium Data Protection integration

After your Guardium® and IBM® Knowledge Catalog systems are correctly configured, you can configure and start the integration from the Guardium UI.

Before you begin

Before you begin, store the IBM Cloud Pak® for Data root certificate on any managed units or stand-alone machines. For more information about storing the Cloud Pak for Data certificates, see store certificate wkc.
Note: Do not use the self-signed certificate that is installed with Cloud Pak for Data. Always use a certificate authority (CA)-signed certificate in production environments.

Procedure

  1. To set up policy integration on a Guardium central manager, browse to Protect > Security Policies > Policy Builder for Data.
  2. From the Security Policies page, open the Configure WKC window.
    • From a central manager, select Configure WKC.
    • From a stand-alone machine, click Manage, and then select Configure WKC.
  3. From the WKC configuration page, enter the following information:
    • Enable WKC data protection rules - Toggle to use IBM Knowledge Catalog data protection.
    • WKC service URI - The URI of the IBM Knowledge Catalog service.
    • Credential type - Select a method to manage credentials:
      • Assign credentials - If you choose to assign credentials, then supply your IBM Knowledge Catalog User name and User password.
      • External password - To support an external credential manager, such as AWS Secrets Manager or CyberArk, select External password, and then select one of the credential managers from the list. Enter the requested information for that credential manager.
      Note: If the credential manager password changes, use the wkc_refresh_external_pwd API to update the password.
    • User scope - The owner of this asset. Select either Database user (the default) or Application user. For more information, see How the Guardium default user works.
    • Column alias - With column-level transformation, SQL column fields can be transformed by long IBM Knowledge Catalog UDF function calls. Use Column alias to specify whether the transformed column is shown under its original column name or under an alias derived from the function name. A shorter alias can hide some of the transformation details, which might provide extra security.

      As the database server evaluates the transformed SQL, the transformed function signature displays as the column name in the database client.

      For example, using the following input query:
      select EmpCard from EMPLOYEE
      You can select one of the following options for how to display the transformed query in the database client.
      • Use original column name - Use the original COLUMN_NAME as the IBM Knowledge Catalog UDF alias. The transformed query includes the original column name and the actions taken. The transformed query displays as follows:
        select WKC.MASK_STRING(0,"XXXXXXXXXX",".", EmpCard) AS EmpCard from EMPLOYEE;
      • Use full function signature - Do not use an alias for the column-transformation UDF. The transformed query displays as follows:
        select WKC.MASK_STRING(0,"XXXXXXXXXX",".",EmpCard) from EMPLOYEE;
      • Use short function signature - Use the MASKFUNCTIONNAME_COLUMNNAME as the UDF alias. The transformed query includes the masked function name and the original column name. The transformed query displays as follows:
        select WKC.MASK_STRING(0,"XXXXXXXXXX",".",EmpCard) AS MASK_STRING_EmpCard from EMPLOYEE;

      Regardless of which alias option you select, if the column name in the SQL query statement has a defined alias, then the aliases in the SQL statement are preserved by query rewrite. The column alias option is only available if the SQL column without an alias triggers any column-level transformation.

    • Action on unexpected response - Deny is the default. Select Allow to allow the connection.

      If Guardium receives an unexpected response (or no response) from IBM Knowledge Catalog, you can choose to allow or deny the connection. The default is Deny, which treats the connection as an IBM Knowledge Catalog policy violation. Select Allow to treat the connection as approved.

    • Cache size - The size of the cache determines the maximum number of decisions that can be stored in memory at any point in time. The default is 1000 decision entries.
    • Time to live (minutes) - The time-to-live (in minutes) is the amount of time that each decision remains available in the primary cache. After the time-to-live passes, the decision is deleted from the cache. Default = 60. The maximum is 1440.
    • Enable persistent cache - If you enable persistent cache, then you must also specify the following parameters.
      • Maximum entries - The maximum number of entries to save in the cache. The minimum is 1. Default = 100000.
      • Maximum files - The maximum number of files to save in the cache. Default = 10. The maximum is 100.
      • Time to live (days) - The time-to-live (in days) for each decision in the persistent cache. Default = 7. The maximum is 30.
  4. For central managers, the Collector table displays all of the collectors that are associated with this central manager.
    1. Filter, if needed, and select the collectors to include in the IBM Knowledge Catalog integration.
    2. Click OK to begin using the IBM Knowledge Catalog data protection rules for the central manager and selected collectors.
    Note: You can also change the parameters for collectors (and stand-alone machines) by using the store wkc_configuration CLI.
  5. For a stand-alone machine, click OK to begin using the IBM Knowledge Catalog data protection rules on that machine.
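
The following Python script is an added illustration of the three Column alias options from step 3; it is not Guardium or IBM Knowledge Catalog code and does not reproduce their query rewriter. It models a minimal rewrite of a simple `select ... from ...` statement: columns that trigger a transformation are wrapped in the masking call shown on this page, the alias is chosen according to the option, and a column that already carries an alias in the query keeps that alias regardless of the option. The masking call template, the function name used for the short alias, and the option names are assumptions taken from the examples above.

```python
import re

# Constructed masking call, in the shape this page shows for a string column.
# The real UDF signature and arguments come from the IBM Knowledge Catalog rule.
MASK_TEMPLATE = 'WKC.MASK_STRING(0,"XXXXXXXXXX",".",{col})'
MASK_FUNCTION_NAME = "MASK_STRING"

# Alias options named on the configuration page (labels are assumed here).
ORIGINAL_NAME = "original"    # "Use original column name"
FULL_SIGNATURE = "full"       # "Use full function signature"
SHORT_SIGNATURE = "short"     # "Use short function signature"


def rewrite_select(query, masked_columns, alias_option):
    """Rewrite the select list of a simple 'select ... from ...' statement.

    Columns named in masked_columns are wrapped in the masking call; the
    alias each wrapped column gets depends on alias_option, except that a
    column which already carries an alias keeps it regardless of the option.
    Only plain column references separated by commas are modelled here.
    """
    m = re.match(r"^\s*select\s+(.+?)\s+from\s+(.+?)\s*;?\s*$",
                 query, re.IGNORECASE | re.DOTALL)
    if not m:
        raise ValueError("only simple 'select <columns> from <table>' is modelled")
    select_list, from_clause = m.group(1), m.group(2)

    rewritten = []
    for item in (s.strip() for s in select_list.split(",")):
        parts = re.split(r"\s+as\s+", item, maxsplit=1, flags=re.IGNORECASE)
        column = parts[0].strip()
        existing_alias = parts[1].strip() if len(parts) > 1 else None

        if column not in masked_columns:
            rewritten.append(item)          # no transformation triggered: unchanged
            continue

        call = MASK_TEMPLATE.format(col=column)
        if existing_alias is not None:
            # An alias written in the query is preserved by the rewrite.
            rewritten.append(f"{call} AS {existing_alias}")
        elif alias_option == ORIGINAL_NAME:
            rewritten.append(f"{call} AS {column}")
        elif alias_option == FULL_SIGNATURE:
            rewritten.append(call)          # the client sees the full signature
        elif alias_option == SHORT_SIGNATURE:
            rewritten.append(f"{call} AS {MASK_FUNCTION_NAME}_{column}")
        else:
            raise ValueError(f"unknown alias option: {alias_option}")

    return f"select {', '.join(rewritten)} from {from_clause};"


if __name__ == "__main__":
    for option in (ORIGINAL_NAME, FULL_SIGNATURE, SHORT_SIGNATURE):
        print(option, "->",
              rewrite_select("select EmpCard from EMPLOYEE", {"EmpCard"}, option))
    print("alias kept ->",
          rewrite_select("select EmpCard AS card, EmpName from EMPLOYEE",
                         {"EmpCard"}, SHORT_SIGNATURE))
```

Running the script prints the three rewritten forms from the page for `select EmpCard from EMPLOYEE`, followed by a case where the query already aliases `EmpCard` as `card`: the alias option is ignored there and `card` survives, while the unmasked `EmpName` passes through untouched.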

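The next Python script is an added model of the decision-cache and unexpected-response settings from step 3 (Cache size, Time to live, and Action on unexpected response); it is not Guardium code and makes no claim about how Guardium stores its cache. It assumes a decision service that returns the string `allow` or `deny` for a request key, a bounded cache that evicts the oldest entry when full and expires entries after the time-to-live, and a fallback action applied only when the service answers with something unexpected or does not answer at all. The injectable clock and the stub service exist only so the behaviour can be exercised offline.

```python
import time
from collections import OrderedDict


class DecisionCache:
    """Bounded in-memory cache of policy decisions with a per-entry time-to-live.

    max_entries mirrors the 'Cache size' setting and ttl_seconds mirrors
    'Time to live (minutes)' (here in seconds so tests run quickly). The clock
    is injectable so expiry can be driven deterministically.
    """

    def __init__(self, max_entries=1000, ttl_seconds=60 * 60, clock=time.monotonic):
        self.max_entries = max_entries
        self.ttl = ttl_seconds
        self.clock = clock
        self._entries = OrderedDict()   # request key -> (decision, expires_at)

    def get(self, key):
        item = self._entries.get(key)
        if item is None:
            return None
        decision, expires_at = item
        if self.clock() >= expires_at:
            del self._entries[key]      # expired: drop it and force a fresh lookup
            return None
        return decision

    def put(self, key, decision):
        if key in self._entries:
            del self._entries[key]
        elif len(self._entries) >= self.max_entries:
            self._entries.popitem(last=False)   # at capacity: evict the oldest entry
        self._entries[key] = (decision, self.clock() + self.ttl)

    def __len__(self):
        return len(self._entries)


def decide(request_key, fetch_decision, cache, action_on_unexpected="deny"):
    """Return 'allow' or 'deny' for a request, consulting the cache first.

    fetch_decision(request_key) stands in for the call to the policy service.
    If it raises or returns anything other than 'allow'/'deny', the configured
    action_on_unexpected is returned instead; 'deny' (fail closed) is the
    default, matching the page. Fallback results are not cached in this model
    (an assumption), so the next request retries the service.
    """
    cached = cache.get(request_key)
    if cached is not None:
        return cached
    try:
        decision = fetch_decision(request_key)
    except Exception:
        decision = None                 # no response
    if decision not in ("allow", "deny"):
        return action_on_unexpected     # unexpected or missing response
    cache.put(request_key, decision)
    return decision


if __name__ == "__main__":
    cache = DecisionCache(max_entries=2, ttl_seconds=60)
    print(decide("user:db1:select EmpCard", lambda k: "allow", cache))   # allow, cached
    print(decide("user:db1:select EmpCard", lambda k: "deny", cache))    # still allow, from cache
    print(decide("user:db2:select X", lambda k: "???", cache))           # deny: fail closed
```

The second call in the `__main__` block returns `allow` even though the service would now say `deny`, which is exactly the trade-off the Time to live setting controls: a cached decision is reused until it expires, so a policy change in IBM Knowledge Catalog takes effect only after the time-to-live has passed or the integration has been restarted.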
What to do next

After you enable the IBM Knowledge Catalog integration, the integration runs until you disable it. However, be sure to stop the integration before you add new assets to the IBM Knowledge Catalog. If the integration is running when you add assets, the new connections are denied and an error occurs.

After the integration is working, you can add transformation and other processes for specific data sources as described in Setting up a transformation integration.