Configuring S-TAP
Db2® Warehouse uses S-TAP to monitor its database traffic and to forward information about that traffic to a Guardium system. You can specify S-TAP configuration data in an initialization file. Using an initialization file prevents you from having to reconfigure S-TAP manually each time Db2 Warehouse is redeployed.
Before you begin
This task requires that you have root authority.
Procedure
-
In an editor, open the S-TAP initialization file (${SYSCFGDIR}/$(hostname
-s)/guard_tap.ini). Its contents are similar to what is shown here:
; S-TAP Protocol Version = 12 ; SqlGuard Internal Version = Foxhound ; S-TAP Official Version = 10.0 ; [TAP] add_to_verification_schedule=0 all_can_control=1 alternate_ips=NULL appserver_installed=0 appserver_login_pattern=X appserver_ports=8080 appserver_session_pattern=X appserver_session_postfix=X appserver_session_prefix=X appserver_username_postfix=X appserver_username_prefix=X appserver_usersess_pattern=X appserver_usersess_postfix=X appserver_usersess_prefix=X atap_exec_location=/var/guard atap_request_handler_enable=1 blacklist_shmem_ops_by_proc=NULL buf_msg_time_interval=5 buffer_file_size=50 buffer_mmap_file=0 cas_checkpoint_period=3600 cas_client_baseline=client_baseline cas_client_checkpoint=client_checkpoint cas_command_wait=300; cas_fail_over_file=fail_over_file cas_fail_over_file_size_limit=50000 cas_max_reconnect_attempts=5000 cas_md5_size_limit=1000 cas_raw_data_limit=1000 cas_reconnect_interval=60 cas_server_failover_delay=60 cas_task_baseline=task_baseline cas_task_checkpoint=task_checkpoint cassandra_audit_delimiter=GUARD_DELIM cassandra_audit_enabled=0 compression_level=0 connection_timeout_sec=10 db_ignore_response=none db_ignore_response_bypass_bytes=4096 db_ignore_response_filter=0.0.0.0/0.0.0.0 db_ignore_response_local=1 db_ignore_response_resets_per_request=0 debug_snapshot=0 debug_snapshot_level=1 debug_snapshot_time=60 devices=none discovery_dbs=oracle:db2:informix:mysql:postgres:sybase:hadoop:teradata:netezza:memsql:mariadb discovery_debug=0 discovery_interval=24 discovery_ora_alt_locations= discovery_port=8443 fam_enable=0 fam_protect_privileged=0 firewall_default_state=0 firewall_fail_close=0 firewall_force_unwatch=NULL firewall_force_watch=NULL firewall_installed=0 firewall_timeout=10 force_log_limited=0 force_tls_and_log_access_only=0 guardium_ca_path=NULL guardium_crl_path=NULL hunter_trace=0 kafka_bootstrap_servers= kafka_group_name=stap kafka_is_mapr=0 kafka_keytab=NULL kafka_message_max_bytes=65536 kafka_principal=NULL kafka_reader_enabled=0 kafka_ssl_ca_location=NULL kafka_topic_name=NavigatorAuditEvents kafka_use_tls=1 kerberos_plugin_dir=NULL khash_max_entries=8192 khash_table_length=24593 ktap_buffer_flush=0 ktap_buffer_size=4194304 ktap_dbgev_func_name=all ktap_fast_file_verdict=1 ktap_fast_shmem=1 ktap_fast_tcp_verdict=1 ktap_fsmon_buffer_size=4194304 ktap_installed=0 ktap_local_tcp=0 ktap_request_timeout=5 ld_library_paths=NULL load_balancer_ip= load_balancer_num_mus=1 load_balancer_port=8443 log4j_listen_address=0.0.0.0 log4j_num_connections=20 log4j_port=5555 log4j_reader_enabled=0 log_program_name=0 max_server_write_size=65536 merge_with_template=0 min_bytes_to_compress=500 msg_aggregate_timeout=100 msg_count_watermark=64 participate_in_load_balancing=0 pcap_backup_ktap=1 pcap_buffer_size=-1 pcap_dispatch_count=16 pcap_read_timeout=0 qrw_default_state=0 qrw_force_unwatch=NULL qrw_force_watch=NULL qrw_installed=0 ranger_dynamic_policy_default_verdict=1 ranger_dynamic_policy_listen_address=0.0.0.0 ranger_dynamic_policy_num_connections=20 ranger_dynamic_policy_port=5556 ranger_dynamic_policy_reader_enabled=0 ranger_dynamic_policy_timeout=10 remote_messages=1 server_side_masking_default_state=0 server_side_masking_force_unwatch=NULL server_side_masking_force_watch=NULL server_side_masking_installed=0 shmid_blacklist=NULL shmid_blacklist_wait=0 tap_ip=9.30.250.134 sqlguard_cert_cn=NULL stap_statistic=1 stap_statistic_version=1 syslog_messages=1 tap_buf_dir=NULL tap_debug_output_level=0 tap_failover_session_quiesce=240 tap_failover_session_size=1024 tap_log_dir=NULL tap_min_heartbeat_interval=20 tap_run_as_root=1 tap_type=stap tee_installed=0 tee_msg_buf_len=128 tracefiles_dir=/opt/ibm/guardium/guard_stap/trace_files uid_chain_sshd_ip=0 upload_feature=1 upload_snapshots=1 use_tls=1 wait_for_db_exec=0 [DB_0] db_exec_file=NULL db_install_dir=/mnt/blumeta0/home/db2inst1 db_type=DB2_EXIT db_user=NULL encryption=0 db_version=9 intercept_types=NULL load_balanced=1 port_range_end=0 port_range_start=0 priority_count=20 tap_identifier=DB2_EXIT_9.30.250.134(0,0,DB_0) unix_domain_socket_marker=NULL networks=0.0.0.0/0.0.0.0 exclude_networks= [SQLGuard_0] connection_pool_size=0 num_main_thread=1 primary=1 sqlguard_ip=9.32.220.172 sqlguard_port=16016
- Update the text in the comment lines, which are prefixed by a semicolon (;), to reflect the values for your installation.
- Update the parameter settings as needed. For more information about the parameters and the values they can have, see https://www.ibm.com/support/knowledgecenter/en/SSMPHH_9.5.0/com.ibm.guardium95.doc/stap/topics/stap_parms_u.html.
- To activate your changes, stop and restart each node as described in Starting IBM Db2 Warehouse and Stopping IBM Db2 Warehouse.