Overview
Netskope One supports scanning self-managed IBM Db2 data stores. Follow these instructions to set up your self-managed IBM Db2 database and configure its connection to Netskope One DSPM.
Create a Netskope One DSPM Service Account
Begin by configuring an IBM Db2 database service account which will be dedicated to Netskope One DSPM’s use.
There are two approaches you can use for configuring this service account.
| User Type | Benefit | Note |
|---|---|---|
| Super User (Netskope One DSPM-recommended) | Can automatically access new schemas and tables as they are created. | Some customers are not comfortable with granting super user access. |
| Read-only User | Useful for customers who wish to grant Netskope One DSPM access to only the data within scanning scope. | Must be explicitly granted access to new schemas and tables. |
IBM Db2 does not manage user accounts internally, instead it relies on an external authentication system for user management. Hence this process will vary based on your environment such as Windows, Linux, LDAP, etc. The following steps may require the assistance of your local database administrator.
In both the approaches, you will need to ask your system administrator to create the service account with the privileges you wish to grant.
Super User
- As a database administrator user, log onto your Db2 Shell interface.
- Make sure the new user has access to CONNECT to the database
- Create the Netskope One DSPM-specific IBM Db2 user by executing the following commands in order, depending on the user type you wish to create:
| Command | Outcome |
|---|---|
|
Grant the Netskope One DSPM-specific user access to IBM Db2 database. |
|
Grant the newly created user privileges to access all data. This will also grant privileges to INSERT, UPDATE, or DELETE data from tables. |
Non-Super User (manual)
- As a database administrator user, log onto your Db2 Shell interface.
- Make sure the new user has access to CONNECT to the database
- Create the Netskope One DSPM-specific IBM Db2 user by executing the following commands in order, depending on the user type you wish to create:
| Command | Outcome |
|---|---|
|
Grant the Netskope One DSPM-specific user access to IBM Db2 database. |
|
Grant read-only privileges to specific schemas. This command must be run for each schema or database you wish Netskope One DSPM to scan. |
|
Grant read-only privileges to specific tables. This command must be run for each schema or database you wish Netskope One DSPM to scan. |
Non-Super User (script)
Netskope One DSPM provides a script that you can use to grant read-only permissions to the newly created service account.
Prerequisites
- You have database administrator access for the data store.
- You have a python environment for IBM database servers set-up and running.
- Make sure the environment where you are running the script can connect to your database instance.
Run Script
- Open the command line interface (CLI).
- Run the following command to download the script:
wget https://dasera-release.s3.us-west-2.amazonaws.com/db2_setup.py- If necessary, navigate to the directory where the script was downloaded.
- Run the script using
python db2_setup.py - When prompted, enter the following parameters:
| Parameter | Value |
|---|---|
| Database Endpoint | The IP address or DNS name of your IBM Db2 instance |
| Port | The TCP/IP port number that Db2 is exposed on (default is 50000) |
| Database | The name of the Db2 database |
| Username | Username of the Db2 admin user which has the permission to invoke SELECTIN grant to DSPM Service Account |
| Password | Password for the above user |
| Username for Netskope DSPM User | Username for the Netskope One DSPM Service Account |
Retrieve Connection Information
In addition to configuring a service account, Netskope One DSPM will require additional information to communicate with your self-managed IBM Db2 database. Please follow the steps below to identify the connection values for later use within Netskope One DSPM.
Corresponding Netskope One DSPM Value |
Details |
|---|---|
Endpoint |
Enter a single string in the format:
|
Note that in IBM Db2, each database within the instance is completely isolated. Hence, in order to connect multiple databases, you will need to create multiple data store connections within Netskope One DSPM. Replace the /database part in the endpoint with the database you wish to connect each time.
Connect Your Data Store
Excerpt: Connect Your Data Store 1
Log into the Netskope One DSPM platform. Navigate to the Data Stores > Data Store Invento
- Log into the Netskope One DSPM platform.
- Navigate to Data Stores → Data Store Inventory.
- Use the Discovered tab, then click the CONNECT button under Actions to connect a discovered data store. You'll immediately see the Credentials tab with some fields automatically populated.
- Alternately, click the CONNECT A DATA STORE button in the upper right to select a data store type and go through the data store connection UI manually.
- The Connect a Data Store modal is displayed, starting with the SELECT DATA STORE tab.
- Click on the icon for the Data Store Type you wish to connect. The modal will auto-navigate you to the next tab.
- On the PROVIDE CREDENTIALS tab, complete the following fields:
| Field | Value |
|---|---|
| Data Store Identifier | Human-friendly name to describe this Data Store. This value displays in other Netskope One DSPM screens such as Policy Management and Classification Management. |
| Data Store Endpoint |
Enter the corresponding value from the Retrieve Connection Information step above, plus the port number and database name. For example, for a Public IP address like 1.2.3.4 and database named "example_db", you would enter 1.2.3.4:5432/example_db. 50000 is the default IBM Db2 port number. If you are using a custom port number, be sure to substitute it here. |
| Database Username (if Service Account) | Enter the corresponding value from the Create a Netskope One DSPM Service Account step above. |
| Password (if Service Account) | Enter the corresponding value from the Create a Netskope One DSPM Service Account step above. |
| Scan Frequency | Controls how often your Data Store is reviewed for changes; Netskope One DSPM’s recommended frequency is defaulted, which you can override as needed. |
| Sidecar Pool |
If you will use sidecars to monitor this data store, select a sidecar pool with network visibility to said data store. This field is displayed when there is at least one defined sidecar pool. To learn more, please visit our Sidecar Administration article. |
Excerpt: Connect Your Data Store 2
Click the NEXT button, which will navigate you to the next tab. On the SELECT CAP
- Click the NEXT button. The SELECT CAPABILITIES tab is displayed.
- Complete the following fields:
- Assign a Data Owner (optional): define one or more Platform Users responsible for this Data Store and its data sets.
- Which databases should Netskope One DSPM scan?: utilize the field’s picklist control to select which databases & schemas should be monitored by the Netskope One DSPM application. By default, all databases & schemas are selected.
- Features: Netskope One DSPM’s recommended feature selections will be defaulted, which you can override if desired. Some features are always-on, some are not applicable (with disabled toggles), while others may request additional configurations.
| Capability | Supported for Oracle Base Database |
|---|---|
| Discovery | Yes (always-on) |
| Privilege Analysis | No |
| Shadow Data Analysis | No |
| Classification | Yes |
| Data In Use Monitoring | No |
| Automation | Yes (always-on) |
Excerpt: Connect Your Data Store 3
Click the NEXT button, which will navigate you to the next tab. On the REVIEW tab
- Click the SAVE button, which will navigate you to the next tab.
- On the REVIEW tab, Netskope One DSPM will validate your credentials and capability selections. In the event of any issues, follow the on-screen instructions to remediate the displayed warnings or errors.
- Click the SAVE button to finalize your connection.