Configuring mutual authentication
If your database settings are configured for mutual authentication, you can configure the External S-TAP® to verify the certificate that is sent from both the data store server and the client.
About this task
For the External S-TAP, Guardium supports mutual authentication through an External S-TAP custom keystore. In this scenario:
- The data store client successfully verifies the certificate in the External S-TAP custom keystore.
- The External S-TAP verifies the data store server certificate.
- If mutual authentication is enabled on both the client and the server, the client sends the client certificate to the External S-TAP. The External S-TAP parses that message and verifies the certificate on behalf of the server.
- If the client certificate is trusted, the External S-TAP sends the External S-TAP certificate to the PostgreSQL server so that the PostgreSQL server can verify the certificate from the External S-TAP.
To provide mutual authentication with multiple client certificates, you need to use certificate mirroring. For more information, see Configuring certificate mirroring.
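The trust relationships in the scenario above can be checked leg by leg with a throwaway PKI and `openssl verify`. This is an added example, not IBM's configuration procedure or Guardium tooling; the separate CA per party, the file names, and the CNs are constructed assumptions. The last check shows the consequence of the final step: the server is shown the External S-TAP certificate, so a server truststore that holds only the client CA rejects it.

```shell
#!/bin/sh
# Constructed lab PKI: every name, CN and path below is made up for illustration.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# new_ca <name>: self-signed CA, written to <name>.key / <name>.pem
new_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# new_leaf <name> <ca>: leaf certificate <name>.pem issued by <ca>
new_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -days 1 -CA "$WORK/$2.pem" \
    -CAkey "$WORK/$2.key" -CAcreateserial -out "$WORK/$1.pem" 2>/dev/null
}

# trusts <truststore-ca> <presented-cert>: exit 0 if the chain validates
trusts() {
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

# report <label> <truststore-ca> <presented-cert>
report() {
  if trusts "$2" "$3"; then echo "OK    $1"; else echo "FAIL  $1"; fi
}

# One CA per party (assumption), then one certificate per party.
new_ca client-ca; new_ca stap-ca; new_ca db-ca
new_leaf client client-ca      # data store client certificate
new_leaf stap stap-ca          # certificate in the External S-TAP custom keystore
new_leaf dbserver db-ca        # data store server certificate

report "client verifies External S-TAP keystore cert"          stap-ca   stap
report "External S-TAP verifies data store server cert"        db-ca     dbserver
report "External S-TAP verifies client cert for the server"    client-ca client
report "server verifies External S-TAP cert"                   stap-ca   stap
# Misconfiguration: server truststore holds only the client CA.
report "server trusting only client CA, shown S-TAP cert"      client-ca stap
```

The first four lines should report `OK` and the last `FAIL`; a `FAIL` on any of the first four points at the truststore that is missing an issuing CA.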