Enabling encrypted connection to the database

You can enable encrypted connection to the License Metric Tool server database and the BigFix® server database.

9.2.27 Enabling encrypted connection to the License Metric Tool database

You can enable encrypted connection between the License Metric Tool server and its database.

Before you begin

  • Enable encrypted connection after you complete the installation of the License Metric Tool server.
  • Ensure that the encrypted connection is enabled on the License Metric Tool database server and that you have a truststore in PKCS#12 format that contains the database certificate. For instructions on how to enable encrypted connection, see the following links:
  • Enabling encrypted connection might decrease database performance.

About this task

9.2.32 Windows Starting from application update 9.2.32, connection between the License Metric Tool server and the MS SQL Server database is encrypted by default. However, License Metric Tool is set to trust any certificate that is presented by the MS SQL Server database. You can further harden the encryption by setting the value of the trustServerCertificate parameter to false and defining criteria that the certificate must meet to be trusted.

Procedure

  • Linux To enable encrypted connection to the DB2 database, perform the following steps.
    1. Save the truststore as the db_truststore.p12 file and place it in the security subdirectory of the License Metric Tool server installation directory. By default, the subdirectory is in the following location: /opt/ibm/LMT/wlp/usr/servers/server1/resources/security.
    2. Open the server.xml file. By default, the file is in the following location: /opt/ibm/LMT/wlp/usr/servers/server1/server.xml.
    3. Locate the properties.db2.jcc element in the server.xml file. List attributes of this element that you want to be included in the database connection string as parameters. Do not remove any of the attributes that are already listed.
      The following example shows what attributes might be added to the properties.db2.jcc element and explains their meaning. You might list other attributes depending on your scenario.
      <dataSource id='DatabaseConnection' jndiName='jdbc/ilmtDatabaseConnection'>
        <jdbcDriver libraryRef='DatabaseLib'/>
        <properties.db2.jcc databaseName='TEMABVT' driverType='4' enableExtendedIndicators='2'
          password='{aes}<encrypted_password>' portNumber='50001' serverName='192.0.2.0' user='db2inst1'
          sslConnection='true' sslTrustStoreLocation='resources/security/db_truststore.p12'
          sslTrustStorePassword='{aes}<encrypted_password>' sslTrustStoreType='PKCS12'/>
      </dataSource>
      Where:
      sslConnection
      The attribute is set to true to enable encrypted connection between the License Metric Tool server and its database.
      sslTrustStoreLocation
      A relative or an absolute path to the db_truststore.p12 file.
      sslTrustStorePassword
      Truststore password. You can provide the password in plain text or encoded. To encode the truststore password, perform the following steps.
      1. Set the JAVA_HOME variable: export JAVA_HOME=<install_dir>/jre/jre
      2. Run the following command:
        <install_dir>/wlp/bin/securityUtility encode --encoding=aes
      3. When prompted, enter and re-enter the truststore password.
      4. Save the encoded password. Provide it in the sslTrustStorePassword parameter.
      sslTrustStoreType
      Truststore type. Only PKCS12 is supported by License Metric Tool.
    4. If the encrypted connection uses a non-default port to connect to the database, change the port number in the server.xml and database.yml files.
      • Open the server.xml file and provide the correct port number in the portNumber attribute of the properties.db2.jcc element. By default, the file is in the following location: /opt/ibm/LMT/wlp/usr/servers/server1.
      • Open the database.yml file and provide the correct port number in the port element. By default, the file is in the following location: /opt/ibm/LMT/wlp/usr/servers/server1/config.
    5. Restart the License Metric Tool server.
  • Windows To enable or harden encrypted connection to the MS SQL Server database, perform the following steps.
    1. Save the truststore as the db_truststore.p12 file and place it in the security subdirectory of the License Metric Tool server installation directory. By default, the subdirectory is in the following location: C:\Program Files\IBM\LMT\wlp\usr\servers\server1\resources\security.
    2. Open the server.xml file. By default, the file is in the following location: C:\Program Files\IBM\LMT\wlp\usr\servers\server1\server.xml.
    3. Locate the properties.microsoft.sqlserver element in the server.xml file. List attributes of this element that you want to be included in the database connection string as parameters. Do not remove any of the attributes that are already listed.
      The following example shows what attributes might be added to the properties.microsoft.sqlserver element and explains their meaning. You might list other attributes depending on your scenario.
      <dataSource id='DatabaseConnection' jndiName='jdbc/ilmtDatabaseConnection'>
        <jdbcDriver libraryRef='DatabaseLib'/>
        <properties.microsoft.sqlserver databaseName='temadb' lockTimeout='180000' password='<password>'
          serverName='192.0.2.0' user='sa' trustServerCertificate='false' encrypt='true'
          trustStore='resources/security/db_truststore.p12' trustStorePassword='{aes}<encrypted_password>'
          trustStoreType='PKCS12'/>
      </dataSource>
      Where:
      encrypt
      The attribute is set to true to enable encrypted connection between the License Metric Tool server and its database.
      trustServerCertificate
      If the attribute is set to true, License Metric Tool trusts any certificate that is presented by the MS SQL Server database. In this case, you do not need to specify the trustStore, trustStorePassword, and trustStoreType parameters.

      If the attribute is set to false, License Metric Tool trusts only the certificate that meets the criteria that are specified in the trustStore, trustStorePassword, and trustStoreType parameters. This approach is more secure.

      trustStore
      A relative or an absolute path to the db_truststore.p12 file.
      trustStorePassword
      Truststore password. You can provide the password in plain text or encoded. To encode the truststore password, perform the following steps.
      1. Set the JAVA_HOME variable: set JAVA_HOME=<install_dir>\jre\jre
      2. Run the following command:
        <install_dir>\wlp\bin\securityUtility encode --encoding=aes
      3. When prompted, enter and re-enter the truststore password.
      4. Save the encoded password. Provide it in the trustStorePassword parameter.
      trustStoreType
      Truststore type. Only PKCS12 is supported by License Metric Tool.
    4. Ensure that the value of the serverName attribute in the server.xml file and the value of the host element in the database.yml file match the Common Name (CN) or a DNS name in the Subject Alternative Name (SAN) of the database certificate. If they do not match, certificate validation fails once trustServerCertificate is set to false.
      • Open the server.xml file and verify the value of the serverName attribute. If it is not correct, change it. By default, the file is in the following location: C:\Program Files\IBM\LMT\wlp\usr\servers\server1.
      • Open the database.yml file and verify the value of the host element. If it is not correct, change it. By default, the file is in the following location: C:\Program Files\IBM\LMT\wlp\usr\servers\server1\config.
    5. Restart the License Metric Tool server.
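The following script is an added example, not part of the License Metric Tool product or this documentation. It audits the data source settings described in the Linux (DB2) and Windows (MS SQL Server) procedures above: encryption enabled, trustServerCertificate set to false, a PKCS12 truststore configured with an {aes}-encoded password, and serverName/portNumber consistent with the host and port in database.yml. The sample server.xml and database.yml contents are constructed placeholders, and the flat "host:"/"port:" layout assumed for database.yml is an assumption.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample configs with placeholder values (not from a real installation).
SERVER_XML_MSSQL = """<server>
<dataSource id='DatabaseConnection' jndiName='jdbc/ilmtDatabaseConnection'>
  <properties.microsoft.sqlserver databaseName='temadb' password='{aes}PLACEHOLDER'
    serverName='db.example.test' portNumber='1433' user='sa' encrypt='true'
    trustServerCertificate='false' trustStore='resources/security/db_truststore.p12'
    trustStorePassword='{aes}PLACEHOLDER' trustStoreType='PKCS12'/>
</dataSource></server>"""
SERVER_XML_DB2 = """<server>
<dataSource id='DatabaseConnection' jndiName='jdbc/ilmtDatabaseConnection'>
  <properties.db2.jcc databaseName='TEMABVT' serverName='db.example.test' portNumber='50001'
    user='db2inst1' password='{aes}PLACEHOLDER' sslConnection='true'
    sslTrustStoreLocation='resources/security/db_truststore.p12'
    sslTrustStorePassword='secret-in-clear' sslTrustStoreType='JKS'/>
</dataSource></server>"""
DATABASE_YML = "production:\n  host: db.example.test\n  port: 1433\n"

def yml_values(text):
    """Read the host and port keys of database.yml (assumes one flat 'key: value' per line)."""
    return dict(re.findall(r"^\s*(host|port):\s*(\S+)\s*$", text, re.M))

def audit(server_xml, database_yml):
    """Return a list of findings for the data source; an empty list means it looks hardened."""
    root, yml, findings = ET.fromstring(server_xml), yml_values(database_yml), []
    mssql = next(root.iter("properties.microsoft.sqlserver"), None)
    if mssql is not None:
        a, flag = mssql.attrib, "encrypt"
        store = ("trustStore", "trustStorePassword", "trustStoreType")
        if a.get("trustServerCertificate") != "false":
            findings.append("trustServerCertificate is not 'false': any server certificate is trusted")
        if a.get("serverName") != yml.get("host"):
            findings.append("serverName in server.xml and host in database.yml differ")
    else:  # fall back to the DB2 data source (raises StopIteration if neither is present)
        a, flag = next(root.iter("properties.db2.jcc")).attrib, "sslConnection"
        store = ("sslTrustStoreLocation", "sslTrustStorePassword", "sslTrustStoreType")
    if a.get(flag) != "true":
        findings.append(f"{flag} is not 'true': the connection is not encrypted")
    missing = [k for k in store if k not in a]
    if missing:
        findings.append("missing truststore attributes: " + ", ".join(missing))
    if a.get(store[2], "PKCS12") != "PKCS12":
        findings.append(f"{store[2]} must be PKCS12, the only type License Metric Tool supports")
    if not a.get(store[1], "{aes}").startswith("{aes}"):
        findings.append(f"{store[1]} is plain text; encode it with securityUtility encode --encoding=aes")
    if a.get("portNumber") != yml.get("port"):
        findings.append("portNumber in server.xml and port in database.yml differ")
    return findings
```

Run audit() on the real server.xml and database.yml after editing them and before restarting the server; the DB2 sample above deliberately carries a JKS truststore, a plain-text password and a port mismatch so the checks are visible.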

Enabling encrypted connection to the BigFix database

You can enable encrypted connection with the MS SQL Server that is used as the BigFix database. In this case, both the BigFix server and the License Metric Tool server trust any certificate that is presented by the MS SQL Server that is used as the BigFix database.

About this task

9.2.32 Windows Starting from application update 9.2.32, connection between the BigFix server and the MS SQL Server database is encrypted by default and no additional steps are needed.

Procedure

To encrypt the connection to the BigFix database, configure the MS SQL Server to force encrypted connections. For more information, see: Enable encrypted connections to the Database Engine.