Connecting securely from MC to the database
When you use MC to monitor and manage a database, MC (running in a browser) connects as the client to the database server.
MC uses JDBC for most database connections
MC uses Java Database Connectivity (JDBC) for most connections to a database, including:
- Retrieving database information to display in charts
- Running SQL queries through JDBC
- Configuring and updating database properties
- Configuring the database for extended monitoring
Exception
When MC uses Agents to perform AdminTools tasks, MC does not use JDBC to connect to the database.
OpenText™ Analytics Database supports TLS
OpenText™ Analytics Database and MC support TLS up to version 1.2. This topic and its subtopics describe configuring TLS in MC for JDBC connections to a database.
About certificate file formats
MC requires that all certificate and key files uploaded to MC be in PEM (Privacy-enhanced Electronic Mail) format.
Database security dictates how MC connects
The TLS/SSL security you configure for a database in MC must be consistent with the security configured on the database itself.
Whether the database has TLS/SSL configured in server mode or mutual mode, you should configure TLS/SSL for that database in MC to match.
To find out how the database is configured, see Determining the TLS mode of the database.
You can configure TLS/SSL in either server mode or mutual mode in MC.
The rest of this topic and related topics use the terms TLS, TLS/SSL, and SSL interchangeably.
TLS server mode
When the MC client connects to a database configured in server mode:
- The client requests and verifies the server's credentials.
- The client does not need to present a client certificate and private key file to the server.
- The MC administrator must configure, on MC, the CA certificate that can verify the server's certificate when MC connects to the database over JDBC.
TLS mutual mode
When the MC client connects to a database configured in mutual mode:
- The MC client requests and verifies the database server's credentials.
- The server also requests and verifies the MC client's credentials.
- Each MC user is a separate client, and must present a valid client certificate file and private key file pair (keypair), namely a certificate signed by a CA recognized by the database server as valid.
- The MC administrator must configure:
  - The CA certificate to verify the database server certificate.
  - A client certificate and private key file (keypair) for each MC user. The keypair can be unique for each user, or shared by multiple users, depending on how client authentication is configured on the database. See Configuring client authentication.
- Each MC user must be configured to map correctly to a user who is configured on the database server.
For more information about how the database supports TLS/SSL security, see TLS protocol.
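A pre-upload check for the PEM requirement and the per-mode file sets described above, as an added example that is not part of MC or the product documentation. The role names `ca_cert`, `client_cert` and `client_key`, the function names, and the sample payloads are hypothetical; the check is structural only and does not verify signatures or that a key matches its certificate.

```python
import base64
import re
# RFC 7468 framing: matching BEGIN/END labels around a base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY"}
# Files each mode needs, per the page. The role names are hypothetical.
REQUIRED = {"server": ["ca_cert"], "mutual": ["ca_cert", "client_cert", "client_key"]}

def pem_labels(data: bytes) -> list[str]:
    """Return the label of every well-formed PEM block, or raise ValueError."""
    if not data:
        raise ValueError("missing or empty file")
    if data[:1] == b"\x30":  # ASN.1 SEQUENCE tag means raw DER
        raise ValueError("binary DER input; convert to PEM before upload")
    text = data.decode("ascii", errors="replace")
    labels = []
    for label, body in PEM_BLOCK.findall(text):
        # Skip legacy "Proc-Type:"/"DEK-Info:" header lines, keep base64 lines.
        b64 = "".join(s.strip() for s in body.splitlines() if ":" not in s)
        try:
            base64.b64decode(b64, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            raise ValueError(f"{label}: body is not valid base64") from None
        labels.append(label)
    if not labels:
        raise ValueError("no PEM BEGIN/END block found")
    return labels

def check_upload(mode: str, files: dict[str, bytes]) -> list[str]:
    """List problems with the files chosen for TLS 'server' or 'mutual' mode."""
    problems = []
    for role in REQUIRED[mode]:
        try:
            labels = set(pem_labels(files.get(role, b"")))
        except ValueError as exc:
            problems.append(f"{role}: {exc}")
            continue
        # Assumption: key files hold only key blocks, cert files only certificates.
        ok = labels <= KEY_LABELS if role.endswith("_key") else labels == {"CERTIFICATE"}
        if not ok:
            problems.append(f"{role}: unexpected PEM block(s) {sorted(labels)}")
    return problems

def sample(label: str, payload: bytes) -> bytes:
    """Build a constructed PEM sample; the payload is not real key material."""
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n".encode()
```

An empty result from `check_upload` means every file required for that mode is present and PEM-framed; a swapped certificate and key, or a DER file, is reported by role.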
MC administrator configures MC security
Only MC users having Admin or Super privileges on a database are able to configure TLS certificates and keys on MC for database connections. The topics in this section use "MC administrator" to refer to both of these roles. For more information about MC user roles and privileges, see User administration in MC.
As the MC administrator, when you first configure security in MC for a database that requires mutual mode, you configure these certificates for the database:
- The server certificate and public key of the database.
- Your own client certificate and private key, as the first configured MC user mapped to a database user.
Configuring TLS/SSL on MC
MC provides the Certificates wizard for configuring TLS certificates for all JDBC connections to the database, to ensure those connections are secure.
In MC, there are three scenarios in which you need to configure TLS security for a database:
- While you are importing a database to monitor in MC. See Configuring TLS while importing a database on MC.
- When you want to add security for a database that is already monitored by MC. See Configuring TLS for a monitored database in MC.
- When you need to configure client security for an individual MC user who is mapped to a user who has privileges on the database server, because the database requires mutual authentication. See Configuring mutual TLS for MC users.
Adding certificates to MC for later use
You may want to add multiple CA certificates or client certificates to MC all at one time, to streamline the configuration of security when you are importing databases to MC or creating MC users. For details, see and .
To connect successfully, MC and database security must match
MC Security | Database Security | Does the connection succeed? |
---|---|---|
None | None | Connection succeeds, and it is open and therefore unsecured. |
TLS server mode | TLS server mode | Connection succeeds provided MC can verify the server's certificate using the CA certificate configured on MC. |
TLS mutual mode | TLS mutual mode | Connection succeeds provided: |
None | TLS server mode | MC attempts to establish an open connection. The connection fails if the database requires TLS for client connections. For more information, see: |
None | TLS mutual mode | MC attempts to establish an open connection. The connection fails if the database requires TLS for client connections. The connection fails because MC does not present what the database requires: a valid client certificate and private key that the database can verify as belonging to a mapped database user. |
TLS server mode | None | MC attempts to connect to the database securely; however, the connection fails because the database is not configured with TLS certificates. |
TLS mutual mode | None | MC attempts to connect to the database securely; however, the connection fails because the database is not configured with TLS certificates. |
In this section
- Management Console security
- Determining the TLS mode of the database
- Configuring TLS while importing a database on MC
- MC certificates wizard
- Configuring TLS for a monitored database in MC
- Configuring mutual TLS for MC users
- Updating TLS security for MC connections
- Enabling or disabling TLS for a database in MC
- Adding TLS certificates in MC
- Managing TLS certificates in MC
- Updating a TLS certificate in MC
- Removing TLS certificates from MC
- MC icons display database TLS status
- Bulk-configure a group of MC users for TLS