There is no possibility to get access to the plain stream in MySQL (similar to other ATAP integrations) for encrypted sessions - it is the engine approach.
That is why access to plain text requires SSL termination, and External STAP provides this functionality.
------------------------------
Zbigniew (Zibi) Szmigiero
IBM
Warsaw
------------------------------
Original Message:
Sent: Thu April 16, 2020 05:05 AM
From: Herman
Subject: Import Certificate For MySQL DB
Is there any other planned solution for this? The External S-TAP solution is not an option in my environment and will probably not be for some time.
Original Message:
Sent: Tue January 14, 2020 09:03 AM
From: Chase Walkup
Subject: Import Certificate For MySQL DB
Quang,
For the second part of your question; yes, Postgres encrypted traffic will need to be monitored using the A-TAP.
------------------------------
Chase Walkup
Original Message:
Sent: Mon January 13, 2020 11:11 AM
From: Quang Le Nguyen Hong
Subject: Import Certificate For MySQL DB
Hi Zbigniew Szmigiero,
Thank you for the quick response. I also found this document:
https://www.ibm.com/support/knowledgecenter/en/SSMPHH_10.5.0/com.ibm.guardium.doc.stap/stap/choose_setup.html
In the Encrypted traffic column, the MySQL column is blank and Postgres is A-TAP. Does this mean that with MySQL installed on Linux it does not support monitoring encrypted traffic, and for Postgres I need to use A-TAP to monitor encrypted traffic?
Thanks,
------------------------------
Quang Le Nguyen Hong
Original Message:
Sent: Mon January 13, 2020 02:17 AM
From: Zbigniew Szmigiero
Subject: Import Certificate For MySQL DB
Hi,
I assume that you would like to monitor encrypted connections between your MySQL server and client?
In this case you must implement External STAP instead of the standard one. Encrypted traffic monitoring is not supported by standard STAP.
Do not execute the store certificate mysql commands; they are related to TLS configuration for the appliance's internal database.
------------------------------
Zbigniew Szmigiero
IBM
Warsaw
Original Message:
Sent: Sun January 12, 2020 10:27 AM
From: Quang Le Nguyen Hong
Subject: Import Certificate For MySQL DB
Hi everyone,
I am using Guardium and trying to create a policy for my DB. At first, the policy was somehow not working at all; then I found that this was because my user was using MySQL Workbench, which has SSL enabled by default if available. After I turned off SSL in MySQL Workbench, the policy was working, but that is not the way to completely solve the problem. I must import the MySQL certificate into Guardium so that it can work even with the SSL option enabled. I found that there are these commands:
- store certificate mysql client <ca|cert> <[console|external>
Stores MySQL client certificates.
- store certificate mysql server <ca|cert> <[console|external>
Stores MySQL server certificates.
The problem is that the document does not explain this clearly, so I don't really understand it. Can anybody please kindly help me answer the questions below:
- As I understand it, both the MySQL client and server certificates have to be imported into Guardium. The MySQL server has the certificate, but the client mentioned here is MySQL Workbench installed on the client, right? If that is correct, then do I have to import all the certificates from the users' computers? That would be a ton of them. And when a user installs MySQL Workbench, they don't import the MySQL client certificate into it, so where do I get the client cert?
- The CA certificate is the certificate of the CA server that issued the certificates for the client and server, is that correct? Which file type should I import? The .pem file or .cert?
- What about the S-TAP: do I have to modify anything on the S-TAP that is installed on the MySQL server, or is just installing the certificate on IBM Guardium enough?
Thanks,
------------------------------
Quang Le Nguyen Hong
------------------------------