Enabling the database connection encryption for Data Source

Configure the connection to the Data Source (BigFix Platform DB2 / MSSQL database) to use SSL-based encryption.

Before you begin

Before you start, check that:
  • The BigFix Platform DB2 / MSSQL database is configured with connection encryption enabled.
  • The extracted public trust certificate is available in Base-64 encoded .CER format.

    DB2:

    You can extract the certificate using the following command:

    gsk8capicmd_64 -cert -extract -db "<Server Keystore .kdb file>" -pw "<Server Keystore password>" -label "<label name>" -target "<.cer file name>" -format ascii
    MS SQL:

    Export the public certificate in the .CER Base-64 encoded X.509 format using Certmgr (Manage Computer Certificates).

    Perform these steps:
    1. Run Certmgr on the Windows system hosting the MS SQL database.
    2. In the left panel of the program, go to Personal > Certificates.
    3. In the right panel, right-click the database server certificate and go to All Tasks > Export.
    4. Click Next in the window that appears.
    5. Choose No, do not export the private key, and click Next.
    6. Choose the Base-64 encoded X.509 (.CER) format and click Next.
    7. Select the path and file name under which to save the certificate.
    8. Review the specified settings and click Finish.
    9. The certificate is exported to the specified location.

About this task

Once you export the certificate, enable the connection encryption on BigFix Inventory server.

Perform the steps below to enable encryption of the Data Source connection on the BigFix Inventory server:

Procedure

  1. Create a p12 type TrustStore and import the public certificate into it.
    1. Copy the DB2 / MSSQL server certificate to the BigFix Inventory machine.
    2. Open a command line and change to the JRE directory with the cd <BFI_INSTALL_DIR>\jre\jre\bin command.
    3. Import the certificate into the TrustStore using the following command:
      ./keytool
      -importcert -file <.cer file location>
      -keystore <BFI_INSTALL_DIR>/wlp/usr/servers/server1/resources/security/keys_bf_db.p12
      -alias "bf_db_cert"
    4. Provide a TrustStore password of your choice. Enter yes when asked whether to trust the certificate.
      Restriction: The semicolon ';' character is not allowed in the password string.
    5. Create a password file, <BFI_INSTALL_DIR>/wlp/usr/servers/server1/resources/security/keys_bf_db.pwd, and put in it the TrustStore password that you created in the previous step. The content of the file must look like the example below.
      password=<your_password>
      The file is updated with the encrypted password after you restart the BigFix Inventory application.
  2. To import any additional certificates from other Data Source databases, repeat the keytool import command from step 1 using the same keystore file 'keys_bf_db.p12' and the same password, but a different alias.
  3. Restart the BigFix Inventory service.
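The following script is an added example, not part of the BigFix Inventory documentation: it wraps the TrustStore step above and adds the checks an administrator would want before running it (Base-64 format of the .cer, the semicolon restriction on the password, owner-only permissions on the .pwd file). The default for BFI_INSTALL_DIR and the use of openssl to print the certificate names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the BigFix Inventory documentation: wraps the
# TrustStore step above and adds the checks an administrator would run first.
# BFI_INSTALL_DIR is an assumed location; override it in the environment.
BFI_INSTALL_DIR="${BFI_INSTALL_DIR:-/opt/BFI}"
SEC_DIR="$BFI_INSTALL_DIR/wlp/usr/servers/server1/resources/security"

# Succeeds only for a Base-64 (PEM) encoded .cer; a binary DER export would
# fail the keytool import described in the procedure.
is_pem_cert() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -q -- '-----END CERTIFICATE-----' "$1"
}

# Enforces the page's restriction: the TrustStore password must not contain
# a semicolon, and an empty password is rejected as well.
password_ok() {
  case "$1" in
    '') return 1 ;;
    *';'*) return 1 ;;
    *) return 0 ;;
  esac
}

# Writes keys_bf_db.pwd in the single-line 'password=<value>' format; the
# application replaces the value with an encrypted form after restart.
# Owner-only permissions, because the file holds a plaintext secret.
write_pwd_file() {   # $1 = password, $2 = target file
  ( umask 077; printf 'password=%s\n' "$1" > "$2" )
}

# Prints the subject and SAN of the .cer so the hostname entered in the Data
# Sources panel can be matched against it (needs openssl on PATH).
cert_names() {
  openssl x509 -in "$1" -noout -subject -ext subjectAltName
}

# Imports one certificate under its own alias into the shared p12 TrustStore.
# keytool prints the fingerprint and asks for confirmation; compare it with the
# database server's certificate before answering yes. Repeat with a different
# alias for each additional Data Source database.
import_cert() {      # $1 = .cer path, $2 = alias, $3 = TrustStore password
  is_pem_cert "$1" || { echo "not a Base-64 .cer file: $1" >&2; return 1; }
  password_ok "$3" || { echo "password empty or contains ';'" >&2; return 1; }
  "$BFI_INSTALL_DIR/jre/jre/bin/keytool" -importcert -file "$1" -alias "$2" \
    -keystore "$SEC_DIR/keys_bf_db.p12" -storetype PKCS12 -storepass "$3"
}
```

A typical run is `import_cert /tmp/db2_server.cer bf_db_cert "$PW"` followed by `write_pwd_file "$PW" "$SEC_DIR/keys_bf_db.pwd"`, then the service restart from step 3.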

Results

In the Management > Data Sources panel, select the 'Encrypt Database Connection' option. For DB2 databases, set the appropriate TLS port number for the connection.
Important: The hostname entered in the Data Sources panel must match the hostname in the certificate of the BigFix Platform database.