About one-way SSL and two-way SSL authentication
Communication between an SSL server and an SSL client can be configured with either one-way or two-way SSL authentication. In this context the SSL client is the system where IBM Security Identity Governance and Intelligence (IGI) is installed, and the SSL server is the external database server.
One-way SSL authentication
One-way SSL authentication (also called simply SSL authentication) requires a keystore on the server and a truststore on the client: the server presents its certificate and the client verifies it against the CA certificates it trusts. In the example on this page, CA certificate “A”, which issued the server certificate, is in the keystore on the SSL server and in the truststore on the SSL client. Only the server is authenticated; the client presents no certificate.
Two-way SSL authentication
Two-way SSL authentication requires both a truststore and a keystore on the client and on the server. In the example, CA certificate “A” is in the truststore and CA certificate “B” is in the keystore on both the client and the server, so each side can present a certificate and validate the certificate presented by the other.
Two-way SSL authentication is the same thing as SSL client authentication (also known as mutual TLS). It works like one-way SSL authentication, with the addition of client authentication by digital signature: the client and the server each validate the other's digital certificate, so both parties are assured of the identity of the peer they are talking to.
SSL Support in IBM Security Identity Governance and Intelligence
From IGI V5.2.3, external database configurations support one-way SSL authentication.
From IGI V5.2.4, external database configurations support both one-way and two-way SSL authentication.
Exporting the certificate for two-way SSL authentication to the database server
Follow these steps to export the personal certificate used for two-way authentication from the virtual appliance (VA) and add it to the certificate store of the database server.
Procedure:
1. Select Configure > Certificates in the local management interface dashboard.
2. In the Certificate Stores pane, select the Identity Governance and Intelligence key store certificate database and click Edit.
3. In the Certificate Stores > Identity Governance and Intelligence key store > Certificates pane, select Personal and then select the personal certificate.
4. Select Export to download the certificate file to your computer.
5. Add the certificate to the certificate store of the database server.
6. Optional: If OpenID Connect Provider Configuration is enabled in the virtual appliance (VA), repeat steps 4 and 5 for the OpenID Connect Provider key store.
Adding VA certificate to the Oracle database
Prerequisites and assumptions:
- A functioning database server configured for SSL
- A certificate wallet already created
- The required VA certificates exported and saved on the database server
Commands
Use the following command to add the VA certificate to the wallet as a trusted certificate:
orapki wallet add -wallet "wallet_location" -pwd "wallet_password" -trusted_cert -cert "certificate_path"
Where:
wallet_location is the directory of the Oracle certificate wallet.
wallet_password is the password of the Oracle database certificate wallet.
certificate_path is the location of the exported IGI VA certificate.
Adding VA certificate to the IBM DB2 database
Prerequisites and assumptions:
- A functioning database server configured for SSL
- The gsk8capicmd_64 tool (GSKit) installed on the database server
- The required VA certificates exported and saved on the database server
Commands
Use the following command to add the VA certificate to the key database as a trusted signer:
gsk8capicmd_64 -cert -add -db "db_certstore" -type "kdb" -pw "certstore_password" -label "cert_label" -file "certificate_path" -format ascii -trust enable
Where:
db_certstore is the database certificate store, for example key.kdb.
certstore_password is the password of the database certificate store.
cert_label is the label under which the VA signer certificate is stored.
certificate_path is the location of the exported IGI VA certificate.
The -format ascii option expects a Base64 (PEM) certificate file; if the exported certificate is DER-encoded, use -format binary instead.
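The following POSIX shell script is an added example and is not part of the IBM documentation or of the IGI product. It wraps the orapki and gsk8capicmd_64 commands above with the checks a practitioner would want: it determines whether the exported certificate is Base64 (PEM) or DER so that the right -format value is passed to gsk8capicmd_64, prints the SHA-256 fingerprint with openssl (when available) so it can be compared with the personal certificate shown in the VA local management interface before it is trusted, and lists the store afterwards to confirm the signer was added. The function names and argument layout are this script's own assumptions; the tools and flags are the ones on this page, except that the -type argument is left out because GSKit treats a .kdb file as a CMS key database by default. Note that both tools take the store password on the command line, so the password can end up in shell history and in the process list; run the script from a session with history disabled.

```sh
#!/bin/sh
# Added example, not part of the IGI documentation. Wraps the documented
# orapki and gsk8capicmd_64 commands with pre- and post-checks.
# Assumptions: the VA certificate was exported from Configure > Certificates
# and copied to the database server; function names are this script's own.

# Classify the exported certificate: PEM (Base64 with BEGIN/END markers)
# or DER (raw ASN.1 SEQUENCE, first byte 0x30). gsk8capicmd_64 needs
# "-format ascii" for PEM and "-format binary" for DER.
cert_format() {
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo ascii
    elif [ "$(od -An -tx1 -N1 "$1" 2>/dev/null | tr -d ' \n')" = "30" ]; then
        echo binary
    else
        echo unknown
        return 1
    fi
}

# Print the SHA-256 fingerprint (if openssl is installed) so it can be
# compared with the personal certificate shown in the VA before trusting it.
cert_fingerprint() {
    command -v openssl >/dev/null 2>&1 || {
        echo "openssl not found, skipping fingerprint check" >&2; return 0; }
    case "$(cert_format "$1")" in
        ascii)  openssl x509 -in "$1" -inform PEM -noout -fingerprint -sha256 ;;
        binary) openssl x509 -in "$1" -inform DER -noout -fingerprint -sha256 ;;
        *)      echo "unrecognised certificate format: $1" >&2; return 1 ;;
    esac
}

# DB2: add the VA certificate as a trusted signer, then show it.
# Args: key database (e.g. key.kdb), store password, label, certificate file.
add_va_cert_db2() {
    fmt=$(cert_format "$4") || { echo "cannot determine format of $4" >&2; return 1; }
    cert_fingerprint "$4" || return 1
    gsk8capicmd_64 -cert -add -db "$1" -pw "$2" -label "$3" \
        -file "$4" -format "$fmt" -trust enable || return 1
    # Post-check: the label must now resolve to a certificate in the store.
    gsk8capicmd_64 -cert -details -db "$1" -pw "$2" -label "$3"
}

# Oracle: add the VA certificate to the wallet as a trusted certificate,
# then display the wallet contents as a post-check.
# Args: wallet directory, wallet password, certificate file.
add_va_cert_oracle() {
    cert_fingerprint "$3" || return 1
    orapki wallet add -wallet "$1" -pwd "$2" -trusted_cert -cert "$3" || return 1
    orapki wallet display -wallet "$1" -pwd "$2"
}

usage() {
    echo "usage: $0 db2 <key.kdb> <password> <label> <cert>" >&2
    echo "       $0 oracle <wallet_dir> <password> <cert>" >&2
    return 2
}

# Dispatch only when invoked with arguments, so the functions can be sourced.
if [ "$#" -ge 1 ]; then
    case "$1" in
        db2)    add_va_cert_db2 "$2" "$3" "$4" "$5" ;;
        oracle) add_va_cert_oracle "$2" "$3" "$4" ;;
        *)      usage ;;
    esac
fi
```

Invoke it as `sh add_va_cert.sh db2 key.kdb 'store-password' igi_va_signer igi_va.pem` on the DB2 server, or `sh add_va_cert.sh oracle /u01/app/oracle/wallet 'wallet-password' igi_va.pem` on the Oracle server. The fingerprint step is the one that matters most: anything you add with -trust enable or -trusted_cert becomes a signer the database trusts for client authentication, so confirm it is the certificate exported from the VA and not a file that was swapped on the way.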