Configuring S-TAP

Db2® Warehouse uses S-TAP to monitor its database traffic and to forward information about that traffic to a Guardium system. You can specify S-TAP configuration data in an initialization file. Using an initialization file prevents you from having to reconfigure S-TAP manually each time Db2 Warehouse is redeployed.

Before you begin

This task requires that you have root authority.

Procedure

  1. In an editor, open the S-TAP initialization file (${SYSCFGDIR}/$(hostname -s)/guard_tap.ini). Its contents are similar to what is shown here:
    ; S-TAP Protocol Version = 12
    ; SqlGuard Internal Version = Foxhound
    ; S-TAP Official Version = 10.0
    ;
    [TAP]
    add_to_verification_schedule=0
    all_can_control=1
    alternate_ips=NULL
    appserver_installed=0
    appserver_login_pattern=X
    appserver_ports=8080
    appserver_session_pattern=X
    appserver_session_postfix=X
    appserver_session_prefix=X
    appserver_username_postfix=X
    appserver_username_prefix=X
    appserver_usersess_pattern=X
    appserver_usersess_postfix=X
    appserver_usersess_prefix=X
    atap_exec_location=/var/guard
    atap_request_handler_enable=1
    blacklist_shmem_ops_by_proc=NULL
    buf_msg_time_interval=5
    buffer_file_size=50
    buffer_mmap_file=0
    cas_checkpoint_period=3600
    cas_client_baseline=client_baseline
    cas_client_checkpoint=client_checkpoint
    cas_command_wait=300;
    cas_fail_over_file=fail_over_file
    cas_fail_over_file_size_limit=50000
    cas_max_reconnect_attempts=5000
    cas_md5_size_limit=1000
    cas_raw_data_limit=1000
    cas_reconnect_interval=60
    cas_server_failover_delay=60
    cas_task_baseline=task_baseline
    cas_task_checkpoint=task_checkpoint
    cassandra_audit_delimiter=GUARD_DELIM
    cassandra_audit_enabled=0
    compression_level=0
    connection_timeout_sec=10
    db_ignore_response=none
    db_ignore_response_bypass_bytes=4096
    db_ignore_response_filter=0.0.0.0/0.0.0.0
    db_ignore_response_local=1
    db_ignore_response_resets_per_request=0
    debug_snapshot=0
    debug_snapshot_level=1
    debug_snapshot_time=60
    devices=none
    discovery_dbs=oracle:db2:informix:mysql:postgres:sybase:hadoop:teradata:netezza:memsql:mariadb
    discovery_debug=0
    discovery_interval=24
    discovery_ora_alt_locations=
    discovery_port=8443
    fam_enable=0
    fam_protect_privileged=0
    firewall_default_state=0
    firewall_fail_close=0
    firewall_force_unwatch=NULL
    firewall_force_watch=NULL
    firewall_installed=0
    firewall_timeout=10
    force_log_limited=0
    force_tls_and_log_access_only=0
    guardium_ca_path=NULL
    guardium_crl_path=NULL
    hunter_trace=0
    kafka_bootstrap_servers=
    kafka_group_name=stap
    kafka_is_mapr=0
    kafka_keytab=NULL
    kafka_message_max_bytes=65536
    kafka_principal=NULL
    kafka_reader_enabled=0
    kafka_ssl_ca_location=NULL
    kafka_topic_name=NavigatorAuditEvents
    kafka_use_tls=1
    kerberos_plugin_dir=NULL
    khash_max_entries=8192
    khash_table_length=24593
    ktap_buffer_flush=0
    ktap_buffer_size=4194304
    ktap_dbgev_func_name=all
    ktap_fast_file_verdict=1
    ktap_fast_shmem=1
    ktap_fast_tcp_verdict=1
    ktap_fsmon_buffer_size=4194304
    ktap_installed=0
    ktap_local_tcp=0
    ktap_request_timeout=5
    ld_library_paths=NULL
    load_balancer_ip=
    load_balancer_num_mus=1
    load_balancer_port=8443
    log4j_listen_address=0.0.0.0
    log4j_num_connections=20
    log4j_port=5555
    log4j_reader_enabled=0
    log_program_name=0
    max_server_write_size=65536
    merge_with_template=0
    min_bytes_to_compress=500
    msg_aggregate_timeout=100
    msg_count_watermark=64
    participate_in_load_balancing=0
    pcap_backup_ktap=1
    pcap_buffer_size=-1
    pcap_dispatch_count=16
    pcap_read_timeout=0
    qrw_default_state=0
    qrw_force_unwatch=NULL
    qrw_force_watch=NULL
    qrw_installed=0
    ranger_dynamic_policy_default_verdict=1
    ranger_dynamic_policy_listen_address=0.0.0.0
    ranger_dynamic_policy_num_connections=20
    ranger_dynamic_policy_port=5556
    ranger_dynamic_policy_reader_enabled=0
    ranger_dynamic_policy_timeout=10
    remote_messages=1
    server_side_masking_default_state=0
    server_side_masking_force_unwatch=NULL
    server_side_masking_force_watch=NULL
    server_side_masking_installed=0
    shmid_blacklist=NULL
    shmid_blacklist_wait=0
    tap_ip=9.30.250.134
    sqlguard_cert_cn=NULL
    stap_statistic=1
    stap_statistic_version=1
    syslog_messages=1
    tap_buf_dir=NULL
    tap_debug_output_level=0
    tap_failover_session_quiesce=240
    tap_failover_session_size=1024
    tap_log_dir=NULL
    tap_min_heartbeat_interval=20
    tap_run_as_root=1
    tap_type=stap
    tee_installed=0
    tee_msg_buf_len=128
    tracefiles_dir=/opt/ibm/guardium/guard_stap/trace_files
    uid_chain_sshd_ip=0
    upload_feature=1
    upload_snapshots=1
    use_tls=1
    wait_for_db_exec=0
    [DB_0]
    db_exec_file=NULL
    db_install_dir=/mnt/blumeta0/home/db2inst1
    db_type=DB2_EXIT
    db_user=NULL
    encryption=0
    db_version=9
    intercept_types=NULL
    load_balanced=1
    port_range_end=0
    port_range_start=0
    priority_count=20
    tap_identifier=DB2_EXIT_9.30.250.134(0,0,DB_0)
    unix_domain_socket_marker=NULL
    networks=0.0.0.0/0.0.0.0
    exclude_networks=
    [SQLGuard_0]
    connection_pool_size=0
    num_main_thread=1
    primary=1
    sqlguard_ip=9.32.220.172
    sqlguard_port=16016
  2. Update the text in the comment lines, which are prefixed by a semicolon (;), to reflect the values for your installation.
  3. Update the parameter settings as needed. For more information about the parameters and the values they can have, see https://www.ibm.com/support/knowledgecenter/en/SSMPHH_9.5.0/com.ibm.guardium95.doc/stap/topics/stap_parms_u.html.
  4. To activate your changes, stop and restart each node as described in Starting IBM Db2 Warehouse and Stopping IBM Db2 Warehouse.