Linux and UNIX systems: Configuring the S-TAP to use x.509 certificate authentication

About this task

First, take note of what you assigned as the CA and the CN of the certificate. If you do not remember, use the CLI command show system certificate to display the values:

show system certificate

You need the CN of the certificate installed on the Guardium system and the public key of the CA that signed that certificate. You might also want a Certificate Revocation List (CRL) signed by the same CA that signed the Guardium system certificate, but it is not required.

The relevant parameters in guard_tap.ini are:

  guardium_ca_path: where the CA certificate is
  sqlguard_cert_cn: the CN of the Guardium system certificate (full, or partial using * as a wildcard)
  guardium_crl_path: where the CRL is, if you use one
  tls: must be set to 1

If you do not use a value for a parameter, set its value to NULL. This applies to the CRL path in particular, and also if you want to turn off certificate authentication and fall back to plain TLS.

Procedure

  1. Copy the CA's public key (and the CRL, if wanted), as sent to you by the CA, to a directory on the S-TAP host. Take note of this directory.
  2. Set guardium_ca_path=[path-to-CA.pem]
  3. Set sqlguard_cert_cn=[the full CN or partial CN (using * as a wildcard) of the Guardium system]
  4. If you want to use a certificate revocation list at this time, set guardium_crl_path=[path-to-crl.crl]. The result should look like:
    guardium_ca_path=/var/tmp/pki/Victoria_QA_CA.pem
    sqlguard_cert_cn=sample1_qa.victoria
    guardium_crl_path=/var/tmp/pki/Victoria_QA_CA.crl
  5. Set tls=1.
  6. Restart the S-TAP. The S-TAP now connects using OpenSSL with certificate authentication.
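Before restarting the S-TAP, it is worth checking that the four parameters are consistent with each other and with the CN shown by show system certificate: that every parameter is either set or explicitly NULL, that tls is 1, that the CA and CRL files actually exist, and that the sqlguard_cert_cn pattern really matches the Guardium system's CN. The following script is an added example and not part of the IBM documentation or the S-TAP itself; the [TAP] section name, the sample values and the exists hook used for testing are assumptions.

```python
import fnmatch
import os

CERT_AUTH_KEYS = ("guardium_ca_path", "sqlguard_cert_cn", "guardium_crl_path", "tls")

def parse_tap_ini(text):
    """Return {key: value} from key=value lines, ignoring blanks, comments and [sections]."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params

def cn_matches(pattern, server_cn):
    """sqlguard_cert_cn may be the full CN or a partial one using * as a wildcard."""
    return fnmatch.fnmatchcase(server_cn, pattern)

def check_cert_auth(params, server_cn, exists=os.path.isfile):
    """Return a list of problems; an empty list means the S-TAP can be restarted.
    server_cn is the CN from 'show system certificate'; exists is injectable for testing."""
    problems = [f"{k} is not set (use NULL to disable it explicitly)"
                for k in CERT_AUTH_KEYS if k not in params]
    if problems:
        return problems
    if params["tls"] != "1":
        problems.append("tls must be 1 for certificate authentication")
    ca = params["guardium_ca_path"]
    if ca == "NULL":
        problems.append("guardium_ca_path is NULL: certificate authentication is off, plain TLS only")
    elif not exists(ca):
        problems.append(f"CA file not found: {ca}")
    crl = params["guardium_crl_path"]  # optional, but a dangling path is a misconfiguration
    if crl != "NULL" and not exists(crl):
        problems.append(f"CRL file not found: {crl}")
    if not cn_matches(params["sqlguard_cert_cn"], server_cn):
        problems.append(f"sqlguard_cert_cn {params['sqlguard_cert_cn']!r} does not match CN {server_cn!r}")
    return problems

# Constructed sample guard_tap.ini fragment (section name and values are assumptions).
SAMPLE_INI = """\
[TAP]
guardium_ca_path=/var/tmp/pki/Victoria_QA_CA.pem
sqlguard_cert_cn=sample1_qa.*
guardium_crl_path=NULL
tls=1
"""
```

Run check_cert_auth(parse_tap_ini(open("/path/to/guard_tap.ini").read()), "<CN from show system certificate>") on the S-TAP host; any non-empty result should be fixed before the restart.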