Runtime Database Configuration
To configure PostgreSQL as the runtime database, update the database_name, host, port, credential and ssl settings in the sample below and copy it into storage.yml. When session_cache is configured with type db, the runtime_db connection is used as the session store.
PostgreSQL Runtime Database configuration sample

```yaml
runtime_db: mypq                        # Configuration of runtime database. Points to the database server connection.
session_cache:
  type: db                              # Specifies the type of session cache, in-memory, redis, or db.
  # cfg: redis-standalone               # Specifies the configuration of the `redis` cache, for `redis` type only. Points to `redis` server connection
  # life_time: 600                      # Specifies the session entry duration in seconds. It applies to `in-memory` type sessions only. Default is `600`
  # max_entries: 60000                  # Specifies the maximum number of session entries. It applies to `in-memory` type sessions only. Default is `60000`
server_connections:                     # Server connections
  - name: mypq                          # Connection name
    type: postgresql                    # Connection type, `redis`, `ldap`, `postgresql`, `oracle`
    database_name: verify-access        # Specifies the database or service name. For database types only.
    hosts:                              # List of host information (IP and port)
      - hostname: postgresql            # Server's hostname
        hostport: 5432                  # Server's host port
    credential:                         # Credential information to connect to the server
      username: postgres                # Specifies the username to access the server.
      password: 'OBF:gJDSuqEFmORCR2Uw3FsAmFKomjYLmhMwdDG2XoUxtQ0='  # Specifies the password to access the server. It is recommended to obfuscate this.
    ssl:
      certificate:                      # The SSL connection certificate array.
        - ks:postgres_keys              # The SSL keystore to be used for SSL connections. ks: indicates keystore.
      mutual_auth:
        key: ks:rt_profile_keys/postgres          # When mutual TLS is needed, specify the keystore and label that contains the client's private key.
        certificate: ks:rt_profile_keys/postgres  # When mutual TLS is needed, specify the keystore and label of the client's leaf certificate.
        ca:
          - ks:rt_profile_keys/ca                 # When mutual TLS is needed, specify the keystore and label of the client's CA certificate.
      disable_hostname_verification: false        # The SSL connection validates the hostname.
    conn_settings:                      # Connection settings
      max_idle_time: 10                 # Maximum idle time in seconds
      min_pool_size: 5                  # Minimum connection pool size
      max_pool_size: 50                 # Maximum connection pool size
      connect_timeout: 5                # Connect timeout, in seconds
      aged_timeout: 30                  # Aged timeout, in seconds
```
Oracle Runtime Database configuration sample

```yaml
runtime_db: myoracle                    # Configuration of runtime database. Points to the database server connection.
session_cache:
  type: db                              # Specifies the type of session cache, in-memory, redis, or db.
server_connections:                     # Server connections
  - name: myoracle                      # Connection name
    type: oracle                        # Connection type, `redis`, `ldap`, `postgresql`, `oracle`
    database_name: verify-access        # Specifies the database or service name. For database types only.
    hosts:                              # List of host information (IP and port)
      - hostname: myoracle              # Server's hostname
        hostport: 2484                  # Server's host port
    credential:                         # Credential information to connect to the server
      username: SYSTEM                  # Specifies the username to access the server.
      password: 'OBF:gJDSuqEFmORCR2Uw3FsAmFKomjYLmhMwdDG2XoUxtQ0='  # Specifies the password to access the server. It is recommended to obfuscate this.
    ssl:
      wallet:                           # For Oracle database only. Oracle database uses a client wallet for SSL connection and mutual TLS. The client wallet contains the certificates that are required for Oracle SSL connection and mutual TLS.
        type: path                      # The type of content that is being supplied, either a zip file or a directory name.
        content: oracle/wallet          # The content that is used for the wallet. When the type is path, specify the path of the wallet.
        # type: zip                     # When the type is zip, the content can be specified by using either the @ or the B64: annotation.
        # content: "@oracle/wallet.zip"                 # When type is zip, use the @ annotation to specify the wallet zip file path.
        # content: "B64:UEsDBBQACAAIAAJg......+ScAAAAA"  # When type is zip, use the B64: annotation to specify the base64 encoded wallet zip file.
      disable_hostname_verification: false  # The SSL connection validates the hostname.
    conn_settings:                      # Connection settings
      max_idle_time: 10                 # Maximum idle time in seconds
      aged_timeout: 30                  # Aged timeout, in seconds
      max_idle_size: 5                  # Maximum connection idle size
      max_pool_size: 50                 # Maximum connection pool size
      connect_timeout: 5                # Connect timeout, in seconds
```
Db2 Runtime Database configuration sample

```yaml
runtime_db: mydb2                       # Configuration of runtime database. Points to the database server connection.
session_cache:
  type: db                              # Specifies the type of session cache, in-memory, redis, or db.
server_connections:                     # Server connections
  - name: mydb2                         # Connection name
    type: db2                           # Connection type, `redis`, `ldap`, `postgresql`, `oracle`, `db2`
    database_name: verify-access        # Specifies the database or service name. For database types only.
    hosts:                              # List of host information (IP and port)
      - hostname: mydb2                 # Server's hostname
        hostport: 50001                 # Server's host port
    credential:                         # Credential information to connect to the server
      username: db2inst1                # Specifies the username to access the server.
      password: 'OBF:gJDSuqEFmORCR2Uw3FsAmFKomjYLmhMwdDG2XoUxtQ0='  # Specifies the password to access the server. It is recommended to obfuscate this.
    ssl:
      certificate:                      # The SSL connection certificate for Db2. Use the 'ks' annotation to specify a keystore in P12 format, the '@' annotation to specify a PEM file, or the 'B64' annotation to specify a base64 encoded PEM file. If multiple certificates are configured, the first certificate that is specified with the '@' or 'B64:' annotation is used.
        - '@keystore/rt_profile_keys/signer/ca.pem'   # '@' annotation to specify the certificate PEM file.
        # - 'b64:LS0tLS1CRUdJTiBD......tLQo='         # 'B64' annotation to specify the base64 encoded certificate PEM.
        # - 'ks:db2client'                            # 'ks' annotation to specify a keystore in P12 format.
      disable_hostname_verification: false  # The SSL connection validates the hostname.
    conn_settings:                      # Connection settings
      max_idle_time: 10                 # Maximum idle time in seconds
      aged_timeout: 30                  # Aged timeout, in seconds
      max_idle_size: 5                  # Maximum connection idle size
      max_pool_size: 50                 # Maximum connection pool size
      connect_timeout: 5                # Connect timeout, in seconds
```
Annotation used for Oracle database wallet when type is zip
- When type is zip, the content can be specified by using either the @ or the B64: annotation.
- @ represents a zip file. It is a relative file system path that is resolved under /var/isvaop/config/.
- B64: represents the literal value of the base64 encoded wallet zip file.
- The zip file contains the wallet files only, without any subfolders.
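The two zip rules above (no subfolders, and a cwallet.sso file, which section 1.5.2 says must be present) are easy to break with a careless `zip -r`. The following Python helper is an added example, not part of ISVAOP or Oracle tooling: it packages a wallet directory into a flat zip, turns it into the B64: value for storage.yml, and checks an existing zip against the same rules. The function names are this example's own, and the wallet files it creates in `demo()` are constructed dummies, not a real wallet.

```python
"""Package an Oracle client wallet directory for the ssl.wallet zip annotation.

Added example, not ISVAOP code. Builds the flat zip the documentation requires
(wallet files only, no subfolders), insists that cwallet.sso is present, and
returns the B64: string to paste into storage.yml.
"""
import base64
import io
import os
import tempfile
import zipfile

REQUIRED = "cwallet.sso"  # ISVAOP requires this file in the client wallet


def build_wallet_zip(wallet_dir):
    """Zip every regular file in wallet_dir at the archive root (subfolders are skipped)."""
    names = sorted(
        f for f in os.listdir(wallet_dir) if os.path.isfile(os.path.join(wallet_dir, f))
    )
    if REQUIRED not in names:
        raise ValueError(f"{wallet_dir}: {REQUIRED} is required for an ISVAOP client wallet")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in names:
            # arcname=name keeps the entry at the archive root, no directory prefix
            zf.write(os.path.join(wallet_dir, name), arcname=name)
    return buf.getvalue()


def wallet_b64_annotation(zip_bytes):
    """Return the value to put in ssl.wallet.content when ssl.wallet.type is zip."""
    return "B64:" + base64.b64encode(zip_bytes).decode("ascii")


def decode_annotation(value):
    """Reverse of wallet_b64_annotation; only the B64: form is handled here."""
    if not value.startswith("B64:"):
        raise ValueError("expected a B64: annotated value")
    return base64.b64decode(value[4:])


def check_wallet_zip(zip_bytes):
    """Verify a zip obeys the rules: flat entries only and cwallet.sso present. Returns the entry names."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    nested = [n for n in names if "/" in n or "\\" in n]
    if nested:
        raise ValueError(f"wallet zip has subfolder entries: {nested}")
    if REQUIRED not in names:
        raise ValueError(f"wallet zip lacks {REQUIRED}")
    return names


def demo():
    """Constructed wallet directory with dummy contents; round-trips it through the annotation."""
    tmpdir = tempfile.mkdtemp()
    for name in ("cwallet.sso", "ewallet.p12"):
        with open(os.path.join(tmpdir, name), "wb") as f:
            f.write(b"dummy " + name.encode())  # not real wallet data
    os.makedirs(os.path.join(tmpdir, "backup"))  # a subfolder, which must be skipped
    annotation = wallet_b64_annotation(build_wallet_zip(tmpdir))
    return check_wallet_zip(decode_annotation(annotation))


def demo_rejects_nested():
    """Constructed bad zip with an entry inside a subfolder; check_wallet_zip must reject it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("wallet/cwallet.sso", b"x")
    try:
        check_wallet_zip(buf.getvalue())
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())                  # ['cwallet.sso', 'ewallet.p12']
    print(demo_rejects_nested())   # True
```

For a real wallet, call `build_wallet_zip("/path/to/wallet")` and paste the string from `wallet_b64_annotation` into `ssl.wallet.content`; the zip is read from memory, so nothing is written under /var/isvaop/config.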
Annotation used for Db2 database SSL certificate
- When the database type is db2, the SSL certificate must be specified by using the ks, @ or B64: annotation.
- @ represents a certificate file in PEM format. It is a relative file system path that is resolved under /var/isvaop/config/.
- B64: represents the literal value of the base64 encoded PEM format certificate.
- ks: represents a keystore in P12 format. The password of the keystore must be stored in an associated .obf file with the same name.
- If multiple certificates are configured, the first certificate that is specified with the @ or B64: annotation is used.
Note: It is recommended to use the gskit command line tool on the Db2 server to generate the P12 keystore.
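The rules spread across the three samples and the annotation lists above (runtime_db must name a server_connections entry, type must be postgresql, oracle or db2, Db2 certificates must carry the ks:, @ or B64: annotation, an Oracle wallet is path or zip, Db2 has no mutual TLS, and passwords should be OBF: obfuscated) are easy to get wrong in a hand-edited storage.yml, and a wrong SSL block silently degrades to a non-SSL or unverified connection. The following linter is an added example, not part of ISVAOP: it takes the parsed form of storage.yml (what PyYAML's `yaml.safe_load` returns) and reports findings. The key names and annotation prefixes come from this page; the function names, messages and the constructed sample with deliberate mistakes are this example's own.

```python
"""Lint the runtime-database section of an ISVAOP storage.yml.

Added example, not ISVAOP code. Works on the parsed dict; reading a real file
needs PyYAML (pip install pyyaml), which is imported only inside lint_file().
"""

DB_TYPES = {"postgresql", "oracle", "db2"}
DB2_CERT_PREFIXES = ("ks:", "@", "B64:", "b64:")   # annotations accepted for Db2 certificates
WALLET_ZIP_PREFIXES = ("@", "B64:")                 # annotations accepted for an Oracle zip wallet

# Constructed sample (not from the page): a Db2 connection with several deliberate mistakes.
SAMPLE = {
    "runtime_db": "mydb2",
    "session_cache": {"type": "db"},
    "server_connections": [
        {
            "name": "mydb2",
            "type": "db2",
            "database_name": "verify-access",
            "hosts": [
                {"hostname": "db2-primary", "hostport": 50001},
                {"hostname": "db2-standby", "hostport": 50001},
                {"hostname": "db2-third", "hostport": 50001},   # third host is ignored by client reroute
            ],
            "credential": {"username": "db2inst1", "password": "plaintext-secret"},
            "ssl": {
                "certificate": ["keystore/rt_profile_keys/signer/ca.pem"],  # missing annotation
                "disable_hostname_verification": True,
            },
        }
    ],
}


def lint_storage(doc):
    """Return a list of (severity, message) findings for a parsed storage.yml dict."""
    findings = []
    conns = {c.get("name"): c for c in doc.get("server_connections") or []}
    cache_type = (doc.get("session_cache") or {}).get("type")
    runtime_db = doc.get("runtime_db")

    if cache_type == "db" and not runtime_db:
        findings.append(("error", "session_cache.type is db but runtime_db is not set"))
    if not runtime_db:
        return findings
    if runtime_db not in conns:
        findings.append(("error", f"runtime_db '{runtime_db}' has no matching server_connections entry"))
        return findings

    conn = conns[runtime_db]
    ctype = conn.get("type")
    if ctype not in DB_TYPES:
        findings.append(("error", f"{runtime_db}: type '{ctype}' is not one of {sorted(DB_TYPES)}"))
    for key in ("database_name", "hosts", "credential"):
        if key not in conn:
            findings.append(("error", f"{runtime_db}: missing '{key}'"))

    # The page recommends obfuscating the password; flag anything without the OBF: prefix.
    password = str((conn.get("credential") or {}).get("password", ""))
    if not password.startswith("OBF:"):
        findings.append(("warn", f"{runtime_db}: credential.password is not OBF: obfuscated"))

    ssl = conn.get("ssl")
    if ssl is None:
        findings.append(("warn", f"{runtime_db}: no ssl block, the connection will be non-SSL"))
    else:
        if ssl.get("disable_hostname_verification") is True:
            findings.append(("warn", f"{runtime_db}: hostname verification is disabled"))
        if ctype == "db2":
            for cert in ssl.get("certificate") or []:
                if not str(cert).startswith(DB2_CERT_PREFIXES):
                    findings.append(("error", f"{runtime_db}: Db2 certificate '{cert}' needs the ks:, @ or B64: annotation"))
            if "mutual_auth" in ssl:
                findings.append(("error", f"{runtime_db}: Db2 mutual TLS is not supported; remove ssl.mutual_auth"))
        if ctype == "oracle":
            wallet = ssl.get("wallet") or {}
            wtype, content = wallet.get("type"), str(wallet.get("content", ""))
            if wtype not in ("path", "zip"):
                findings.append(("error", f"{runtime_db}: Oracle ssl.wallet.type must be path or zip"))
            elif wtype == "zip" and not content.startswith(WALLET_ZIP_PREFIXES):
                findings.append(("error", f"{runtime_db}: Oracle zip wallet content needs the @ or B64: annotation"))

    # Db2 client reroute uses the first two hosts only; extra hosts are silently ignored.
    hosts = conn.get("hosts") or []
    if ctype == "db2" and len(hosts) > 2:
        findings.append(("warn", f"{runtime_db}: Db2 uses only the first two hosts; {len(hosts)} are configured"))
    return findings


def lint_file(path):
    """Lint a storage.yml on disk (requires PyYAML)."""
    import yaml
    with open(path, encoding="utf-8") as f:
        return lint_storage(yaml.safe_load(f) or {})


if __name__ == "__main__":
    for severity, message in lint_storage(SAMPLE):
        print(f"[{severity}] {message}")
```

Run against the constructed sample it reports one error (the certificate without an annotation) and three warnings (plaintext password, hostname verification disabled, a third Db2 host). The Oracle wallet check only validates the storage.yml side; it does not open the wallet itself.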
1. Server connections
Name | Description | Valid Value | Mandatory | Default |
---|---|---|---|---|
name | Connection name. | string | Yes | |
type | Connection type. | postgresql, oracle, or db2 | Yes | |
database_name | Specifies the database or service name. For database types only. | string | Yes | |
hosts | List of host information (IP and port). | HostInfo | Yes | |
credential | Credential information to connect to the server. | Credential | No | |
ssl | SSL settings. If missing, the connection is non-SSL. | SSLSettings | No | |
conn_settings | Connection pool settings. | ConnectionSettings | No | |
1.1. Host information
Each entry of hosts carries only the address of one database server. The credential, ssl and conn_settings keys belong to the server connection itself, as in the samples above, not to an individual host.
Name | Description | Valid Value | Mandatory | Default |
---|---|---|---|---|
hostname | Runtime Database Server's hostname | string | Yes | |
hostport | Runtime Database Server's host port | integer | Yes | |
1.2. Credential
Name | Description | Valid Value | Mandatory | Default |
---|---|---|---|---|
username | Specifies the username to access the server. | string | Yes | |
password | Specifies the password to access the server. Use obfuscation. | string, recommended to be obfuscated | Yes | |
1.3. SSL settings
Name | Description | Valid Value | Mandatory | Default |
---|---|---|---|---|
certificate | The array of SSL certificates to be used for the SSL connection to the database. | array of string | No | |
mutual_auth | Client certificate settings for mutual TLS; contains key, certificate and ca. Oracle supplies client certificates through the wallet instead, and Db2 does not support mutual TLS. | object | No | |
key | When mutual TLS is needed, specify the keystore and label that contains the client's private key. | string | No | |
certificate | When mutual TLS is needed, specify the keystore and label of the client's leaf certificate. | string | No | |
ca | When mutual TLS is needed, specify an array of CA certificates needed for the connection. | array of string | No | |
wallet | For Oracle database only. Oracle database uses a client wallet for SSL connection and mutual TLS. The client wallet contains the certificates that are required for Oracle SSL connection and mutual TLS. | object | No | |
type | When a wallet is used, the type of content that is being supplied: either a zip file or a directory name. | path or zip | No | |
content | The content that is used for the wallet: either the name of a directory, relative to the /var/isvaop/config directory of the container, or a zip file given with the @ or B64: annotation. | string | No | |
disable_hostname_verification | The flag to enable or disable hostname verification for SSL connections. | Boolean | No | |
1.4. Connection settings
Name | Description | Valid Value | Mandatory | Default |
---|---|---|---|---|
min_pool_size | Minimum connection pool size | integer | No | 5 |
max_idle_size | Maximum connection idle size | integer | No | 10 |
max_pool_size | Maximum connection pool size | integer | No | 50 |
max_idle_time | Maximum idle time in seconds | integer | No | 10 |
aged_timeout | Aged timeout, in seconds | integer | No | 30 |
connect_timeout | Connect timeout, in seconds | integer | No | 5 |
1.5 Oracle Database Overview
1.5.1 Oracle Database Configuration Differences Between IBM Security Verify Access OIDC Provider (ISVAOP) and IBM Security Verify Access (ISVA)
Configure | IBM Security Verify Access OIDC Provider | IBM Security Verify Access |
---|---|---|
SSL Connection | Trusted certificates are supplied to ISVAOP using Oracle Wallet | Trusted certificates are supplied to ISVA using Certificate Store |
Mutual TLS | Mutual TLS is supported by ISVAOP. Client certificates are supplied to ISVAOP using Oracle Wallet | Mutual TLS is not supported by ISVA |
1.5.2 Oracle Wallet Overview
An Oracle Wallet is a set of configuration files that store authentication and signing credentials.
Trusted certificates are stored in the Oracle Wallet when the wallet is used for security credentials.
ISVAOP requires an Oracle client wallet for SSL connection and mutual TLS. The cwallet.sso file must be present.
See the Oracle documentation to create or manage an Oracle wallet.
- Go to the Oracle Database Documentation page in Oracle Help Center.
- Select your version of Oracle Database.
- In the Topics section, select Security.
- In the Centralized User Management section, select Oracle Database Enterprise User Security Administrator's Guide.
- See the chapter Using Oracle Wallet Manager.
Or use the following direct links.
- Oracle Database 12c Release 1: Using Oracle Wallet Manager
- Oracle Database 12c Release 2: Using Oracle Wallet Manager
- Oracle Database 19c: Using Oracle Wallet Manager
1.5.3 Oracle Database Failover and High Availability
See the Oracle Database High Availability documentation to configure failover and high availability.
- Oracle Database 12c Release 1: Database High Availability Overview
- Oracle Database 12c Release 2: High Availability Overview
- Oracle Database 19c: High Availability Overview and Best Practices
1.6 Db2 Database Overview
1.6.1 Db2 Database Host Configuration and High availability
A Db2 server connection supports up to two hosts.
The first host is the primary server. If a second host exists, it is the alternate server.
The alternate server is used when the primary server cannot be contacted (client reroute).
If more than two hosts are configured, only the first two are used.
See the Db2 high availability documentation to configure high availability.
1.6.2 Db2 Database Password rules and Limitations
See Db2 Password rules for drivers and CLPPlus for details.
1.6.3 Db2 Database SSL Configuration
When the database type is db2, the SSL certificate must be specified by using the ks, @ or B64: annotation, as described above under "Annotation used for Db2 database SSL certificate".
If multiple certificates are configured, the first certificate that is specified with the @ or B64: annotation is used.
IBM Security Verify Access OIDC Provider does not support Db2 database mutual TLS authentication.