Using Db2 for IBM i S-TAP

You can use the Guardium Db2 for i S-TAP to monitor and report on any database access on IBM i, including any programs, such as RPG, that use native database I/O operations or SQL access.

You can use information that is gathered by the Guardium Db2 for i S-TAP to create activity reports, help you meet auditing requirements, and generate alerts of unauthorized activity. Detailed auditing information includes:
  • Session start and end times
  • TCP/IP address and port
  • Object names (for example, tables or views)
  • Users
  • SQLSTATEs
  • Job and Job numbers
  • SQL statements and variables
  • Client special register values
  • Interface information such as ODBC, ToolboxJDBC, Native JDBC, .NET
The S-TAP receives data from two sources:
  • SQL Performance Monitor (otherwise known as database monitor) data for SQL applications
  • Audit entries from the QSYS/QAUDJRN audit journal for applications that use non-SQL interfaces
Data from these sources includes:
  • Any SQL access whether it is initiated on the IBM i server or from a client
  • Any native access that is captured in the audit journal
The S-TAP sends this data to the Guardium® system in real time.
Note: The Db2 for IBM i S-TAP supports basic S-TAP features only. Features such as blocking, query rewrite, and FAM are not supported.
For more information about the Db2 for i S-TAP and related topics, see:

i S-TAP for encryption, load balancing, and failover

The IBM i S-TAP supports TLS encryption and S-TAP session load balancing/failover.

Restriction: i S-TAP TLS support and load balancing are supported only for IBM i 7.1 and 7.2.

Similar to UNIX S-TAPs, i S-TAP configuration parameters are saved in a guard_tap.ini file in the /usr/local/guardium directory on the IBM i server.

Administrators can configure the S-TAP by using the same APIs and UI (S-TAP Control) as other UNIX S-TAPs. When the UI or API is used to change the S-TAP configuration, the Guardium sniffer sends a message to the S-TAP. The S-TAP backs up the old .ini file, saves the configuration to the new .ini file, and then restarts itself.

Administrators can set up encrypted communication between the S-TAP and the appliance by using the S-TAP configuration controls and set up various load balancing options.

Using S-TAP failover and load balancing

The failover and load balancing options for the i S-TAP are similar to what exists for UNIX S-TAPs. Use the participate_in_load_balancing parameter to determine whether to use failover or load balancing behavior, and use the SQLGuard sections of your S-TAP to set up primary, secondary, and tertiary Guardium hosts.

However, there is no need for participate_in_load_balancing=3 because the i S-TAP communication architecture ensures that complete session information is available in each message. This means that even before the enhancements delivered in this patch, you could use hardware load balancing (such as F5) with participate_in_load_balancing=1 and a virtual IP address in the primary SQLGuard section of the configuration file.

In a failover configuration, the S-TAP is configured to register with multiple collectors but sends traffic to only one collector at a time (participate_in_load_balancing=0). The S-TAP in this configuration sends all its traffic to one collector unless it encounters connectivity issues with that collector, which trigger a failover to a secondary collector.

How to use AppEvent from IMS

The data that holds the user information of an APP_EVENT DLI call needs to have syntax similar to that of the GuardAppEvent API.

The first two bytes in the sequence represent the CCSID (Character Code Set Identifier) of the encoding that is used for the subsequent bytes. For example, 0x04B8 represents CCSID 1208. The bytes that follow must use the following syntax:
SELECT
'GuardAppEvent:Start',
'GuardAppEventType:type',
'GuardAppEventUserName:name',
'GuardAppEventStrValue:string',
'GuardAppEventNumValue:number',
'GuardAppEventDateValue:date'
FROM DUAL

For more information about the type, name, string, number, and date values, see Identify Users with API.

Currently, only UTF8 encoding is supported.
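The following Python script is an added example, not IBM code: it builds the APP_EVENT payload described above (2-byte CCSID prefix followed by the GuardAppEvent SELECT text) and validates an incoming payload, rejecting any CCSID other than 1208 since only UTF-8 is supported. The sample values (user "alice", event type "Login") are constructed for illustration.

```python
# Added example (not IBM's code): build and validate the APP_EVENT DLI payload
# described on this page: big-endian 2-byte CCSID, then the GuardAppEvent text.
import re
import struct

UTF8_CCSID = 1208  # 0x04B8; the only encoding the page says is supported
EXPECTED_KEYS = ("GuardAppEventType", "GuardAppEventUserName",
                 "GuardAppEventStrValue", "GuardAppEventNumValue",
                 "GuardAppEventDateValue")


def build_app_event(event_type, user, str_value, num_value, date_value):
    """Return payload bytes: CCSID 1208 prefix + UTF-8 SELECT ... FROM DUAL text.
    Assumes the values contain no single quotes (no SQL-literal escaping is done)."""
    fields = [
        "GuardAppEvent:Start",
        f"GuardAppEventType:{event_type}",
        f"GuardAppEventUserName:{user}",
        f"GuardAppEventStrValue:{str_value}",
        f"GuardAppEventNumValue:{num_value}",
        f"GuardAppEventDateValue:{date_value}",
    ]
    sql = "SELECT " + ", ".join(f"'{f}'" for f in fields) + " FROM DUAL"
    return struct.pack(">H", UTF8_CCSID) + sql.encode("utf-8")


def parse_app_event(payload):
    """Decode a payload into a dict of GuardAppEvent values; raise on bad input."""
    if len(payload) < 2:
        raise ValueError("payload shorter than the 2-byte CCSID prefix")
    (ccsid,) = struct.unpack(">H", payload[:2])
    if ccsid != UTF8_CCSID:  # e.g. 0x0025 (EBCDIC) must be rejected
        raise ValueError(f"unsupported CCSID {ccsid:#06x}; only 1208 (UTF-8) is supported")
    text = payload[2:].decode("utf-8")
    m = re.fullmatch(r"\s*SELECT\s+(.*?)\s+FROM\s+DUAL\s*", text, re.S | re.I)
    if not m:
        raise ValueError("text is not a SELECT ... FROM DUAL statement")
    literals = re.findall(r"'([^']*)'", m.group(1))
    if not literals or literals[0] != "GuardAppEvent:Start":
        raise ValueError("first literal must be GuardAppEvent:Start")
    result = {}
    for literal in literals[1:]:
        key, sep, value = literal.partition(":")
        if not sep or key not in EXPECTED_KEYS:
            raise ValueError(f"unexpected literal {literal!r}")
        result[key] = value
    return result
```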