Preparing SSL certificates for client applications
To use client applications with External S-TAP®, you might need to update the database client by specifying a new database endpoint and port from External S-TAP.
About this task
To deploy an External S-TAP, you need to prepare a private key (proxy.Key) and a certificate (proxy.pem) that is signed by the trusted root certificate (rootCA.pem). You can store the certificate in a Guardium® collector, a persistent volume, or a Kubernetes secret. If the database uses TLS/SSL, you also need to distribute the root certificate (rootCA.pem) to the database client so that the client can verify the certificate that External S-TAP presents.
- Set up the database client. You might need to update the database client by specifying the new database endpoint and port from External S-TAP. To enable TLS or SSL on the connection, specify the following driver setting in the JDBC URL connection string for your database:
  - SQL Server - sqlserver (encrypt=true)
  - PostgreSQL - postgresql (ssl=on)
  - MongoDB - mongodb (tls=true)
- Configure certificates for Java™ applications. You can configure access to certificates in your application with either of the following mechanisms:
  - The Java virtual machine (JVM) truststore and JVM keystore.
  - A client-specific truststore and keystore.
- Configure the JVM truststore by adding the following parameters:
  - javax.net.ssl.trustStore - The path to a truststore that contains the certificate of the signing authority.
  - javax.net.ssl.trustStorePassword - The password to access the truststore that is defined in javax.net.ssl.trustStore.
- Run the following keytool command to import the rootCA.pem certificate into the truststore:
    keytool -importcert -trustcacerts -file <path to CA file that External S-TAP uses> -keystore <path to trust store> -storepass <password>
- Configure the JVM keystore. For an application that initiates TLS or SSL requests, set the following JVM system properties so that the client presents a TLS/SSL certificate:
  - javax.net.ssl.keyStore - The path to a keystore that contains the client's TLS/SSL certificates.
  - javax.net.ssl.keyStorePassword - The password to access the keystore that is defined in javax.net.ssl.keyStore.
- Create a keystore by using keytool or OpenSSL. With keytool, enter the following command:
    keytool -keystore clientkeystore -genkey -alias client
What to do next
To restrict your application to use the TLS 1.x protocol only, set the jdk.tls.client.protocols system property to TLSv1.x.