Product Documentation
Abstract
How does Guardium DB2-Exit feature work and what is it used for?
Content
At a very high level:
What does the DB2-Exit feature do?
The DB2-Exit functionality collects database traffic.
How does the functionality work?
The exit library being a dynamic linked library, is loaded by the DB2 database during database startup. A Guardium library is imbedded into DB2 via the DB2_Exit mechanism. Once the lib is loaded it enables DB2-Exit to communicate directly with the Guardium S-TAP; allowing to forward all DB2 traffic, whether encrypted or not, both local and remote. Its capability includes capturing TCP as well as SHM traffic. DB2 exit supports firewall, terminate, and UID chain.
What about ATAP?
Configuring DB2-Exit replaces the need to configure ATAP. If using DB2-Exit, ATAP install is not required.
Why using DB2-Exit instead of ATAP?
Beside the smaller footprint and less configuration required, enabling UID chain with DB2, for example, consumes much less CPU resource than KTAP and UID chain.
Limitations:
- DB2 Exit does not support Guardium data masking (scrub/redact)
- Stored Procedures: DB2 Exit monitors stored procedures. Since Guardium does not know what is in the stored procedure, SQL from inside the procedure is not captured.
Note: In special case, if database is not started by database user, authorize the user who starts the database and also add an inspection engine to include the HOME of that user to db_install_dir
Detailed information on how to set up the DB2_Exit library can be found in the following links:
- https://www.ibm.com/support/knowledgecenter/en/SSMPHH_10.1.0/com.ibm.guardium.doc.stap/stap/db2_stap_integrate.html
- https://www-01.ibm.com/support/docview.wss?uid=swg21990093
Related Information
Was this topic helpful?
Document Information
Modified date:
13 August 2021
UID
ibm10729041