Integrating plug-ins

Integrate IBM® Guardium® Cryptography Manager with the external system for which you have installed a plug-in.

To integrate plug-ins, the following workflows are supported:
  • Amazon Web Services: Discovery of certificates and associated IT assets
  • Google Cloud Platform: Discovery of certificates
  • Microsoft Azure: Discovery of certificates, keys, and associated IT assets
  • Rapid7 InsightVM: Discovery of IT assets and cryptographic objects
  • Sectigo Certificate Manager: Discovery of certificates
  • Tenable Security Center: Discovery of IT assets and cryptographic objects
  • Venafi TLS Protect: Discovery of certificates, certificate creation, and certificate renewal

Enable certificate lifecycle management operations, such as creation and renewal, through integrated third-party PKI platforms. For more information, see Managing certificates.

  1. From the main menu, click Integrations > Available.

  2. Select a plug-in card. For example, choose Tenable Security Center or a custom-developed plug-in.

  3. Review the About information and click Next.

  4. Update the following configuration fields as required.

    Note: Not all fields apply to every plug-in. Table 1 lists all configuration parameters across the supported plug-ins.
    Table 1. Configuration parameters
    Field: Description
    Name: Enter a unique name for the integration.
    Version: Select the plug-in version to integrate. The version field displays the default version from the Plug-ins page.
    Hostname: Hostname of the external system to connect to.
    Access key: A unique identifier used to authenticate and authorize access to resources or services.
    Secret key: A confidential string used for encryption, authentication, or integrity verification.
    Public SSL certificate: Server certificate details.
    Access token: A security credential issued by an authorization server, often used in OAuth 2.0-based authentication.
    Username: A unique identifier used to authenticate a user.
    Password: A secret string of characters used for authentication together with the username.
    Resource group: Azure Resource Group name.
    Client id: Microsoft Azure Service Principal Application (Client) ID.
    Client secret: Microsoft Azure Service Principal Client Secret.
    Tenant id: Microsoft Azure Active Directory Tenant ID.
    Subscription id: Microsoft Azure Subscription ID.
    Key vault name: Microsoft Azure Key Vault name.
    Access key ID: Unique identifier used to authenticate your AWS account.
    Secret access key: Confidential key paired with the access key ID to sign AWS requests.
    Region: Specifies the AWS geographical region, for example, us-east-1, where the ACM resources are located.
    Project ID: Enter the Google Cloud Project ID that hosts the Certificate Authority Service resources used by the Google Cloud Platform plug-in. This is the project where your CA Pool is created and where certificate requests are sent. The service account used by the plug-in must have access to this project. For example, my-cas-project-123.
    Location: Specify the Google Cloud region where your CA Pool is deployed. This value must exactly match the location in which the target CA Pool exists; otherwise, the plug-in cannot locate the Certificate Authority. For example, us-central1.
    Service Account JSON Key: Provide the contents of the JSON key file of the Google Cloud service account that the plug-in uses to authenticate with Google Cloud. This service account must have the permissions required to request certificates from Google Cloud Certificate Authority Service, for example, the ability to access the CA Pool and request certificates.
    CA Pool: Enter the name of the CA Pool from which the plug-in lists the certificates.

  5. After completing the configuration settings, click Test connection to confirm that Guardium Cryptography Manager can connect to the external system.

  6. After testing the connection, click Finish to save the plug-in integration configuration and create the integration.

    After the integration is created, the integration service for the plug-in is available to discover the IT assets and cryptographic objects.

What to do next

After creating the integration service, use the instance to discover the IT assets and cryptographic objects on the host defined in the integration service by creating a discovery profile and running it. See Managing plug-in discovery profile.