Linux-UNIX: Configuring Teradata exit

The Teradata exit module enables S-TAP to monitor any Teradata database activities, whether encrypted or not and whether local or remote. It does not require A-TAP or K-TAP.

About this task

Teradata Exit embeds a Guardium® library into the Teradata database and communicates with the S-TAP through a Guardium shared library.

By default, Guardium supports up to 10 total Exit inspection engines (combined total of all Exit types). If you use more than one type of Exit, the combined maximum is 10. For more information, see the exit_libs_num_threads parameter in Linux-UNIX: General parameters.

Teradata Exit shared libraries are part of the Guardium UNIX S-TAP installation. The S-TAP includes 64-bit Exit libraries for 64-bit OS versions and 32-bit Exit libraries for 32-bit OS versions:
  • libguard_teradata_exit_64.so
  • libguard_teradata_exit_32.so (available for RHEL6 on the i686 CPU only)
When you install the S-TAP:
  • It copies the libraries to the standard library paths:
    • Shell and RPM installation: <guardium_installation_directory>/guard_stap
    • GIM installation: <guardium_installation_directory>/modules/STAP/current/files
  • It creates links, for example:
    • /usr/lib64/libguard_teradata_exit_64.so -> libguard_teradata_exit_64.so.<release number>
    • /usr/lib/libguard_teradata_exit_32.so -> libguard_teradata_exit_32.so.<release number>
The digits after .so reflect the release number. These digits were introduced in V10.6; in previous releases, the library file names do not include release numbers.

The Guardium support matrix details exactly what can be monitored by Teradata Exit.

Teradata configuration
The gtwcontrol option -u SendConnectRespNoSecurity specifies whether the gateway sends connection responses encrypted or cleartext. Valid values are:
  • YES: The logon response is in cleartext (unencrypted plain text).
  • NO: The logon response is encrypted. This is the default setting.
Set this parameter to YES (-u YES) to capture DB User. When it is set to NO, the connection response is encrypted before it reaches gtwgateway, the process that loads the Guardium Exit library, and therefore cannot be passed unencrypted to Guardium.
For more information, see Teradata documentation.
K-TAP considerations
If there is no other database to monitor, then K-TAP is not required. Set ktap_installed=0 in guard_tap.ini, or with GIM, set ktap_enabled to no. You can then upgrade the Linux® OS and the S-TAP without being concerned about K-TAP module compatibility. However, if there is another database that needs monitoring by S-TAP and K-TAP is required, you must ensure that a compatible K-TAP module is available when you upgrade your Linux version.
Upgrade
When you upgrade S-TAP from v10.6.0.0 and higher, a database restart is not required. You can upgrade S-TAP while the database is running. The Exit library from the previous version is used until you restart the database. When you restart the database, it starts using the updated Exit library. If you are waiting for fixes that are addressed in the new library, they take effect only when you restart the database.

Procedure

  1. Install and start the S-TAP agent on the database server and configure an inspection engine for the teradata_exit protocol. See Linux-UNIX: Before you start installing S-TAP and Linux-UNIX: Inspection engine parameters. Use these parameters and values:
    GUI            | guard_tap.ini  | GUI value / guard_tap.ini value
    Protocol       | db_type        | Teradata Exit / TRD_EXIT
    ClientIP/Mask  | networks       | 0.0.0.0/0 / 0.0.0.0/0.0.0.0
    DB Install Dir | db_install_dir | Home directory of the user that runs the main Teradata process (pdemain); to find it, run echo $HOME as that user
    Process Name   | db_exec_file   | Full path to the main Teradata process (pdemain)
    DB User        | db_user        | NULL (not relevant for Teradata exit)
    A typical DB section in the guard_tap.ini file for the inspection engine is:
    [DB_0]
    connect_to_ip=127.0.0.1
    db_exec_file=/opt/teradata/tdat/tgtw/16.20.07.01/bin/pdemain
    db_install_dir=/root
    db_type=TRD_EXIT
    db_user=NULL
    encryption=0
    db_version=9
    intercept_types=NULL
    load_balanced=1
    port_range_end=0
    port_range_start=0
    priority_count=20
    real_db_port=NULL
    tap_identifier=TRD_EXIT_dbateral1620 (0,0,DB_0)
    unix_domain_socket_marker=NULL
    networks=0.0.0.0/0.0.0.0
    exclude_networks=
    When you define the inspection engine in the GUI, it looks like this:
    [Figure: defining the inspection engine in the GUI]
    When the inspection engine is configured, it looks like this:
    [Figure: inspection engine configuration in the GUI]
  2. As user root, enable Teradata Exit in the database while the database is running by entering:
    /usr/tgtw/bin/gtwcontrol --monitorlib load=yes
  3. Stop the Teradata service:
    1. Enter:
      /etc/init.d/tpa stop 
      /etc/init.d/tgtw stop
    2. Check that the Teradata database is stopped with your Teradata Administrator, or with the UNIX command:
      pdestate -a
      The response should be:
      PDE state: DOWN/HARDSTOP
  4. Authorize the required users:
    1. As user root, verify that the users teradata, tdatuser, and root are in the guardium group. If any of the users are not in the guardium group, use the guardctl utility to add the user to the group. (The teradata and tdatuser users are the primary operating system-native users used in running Teradata DBS/PDE; they are created during the Teradata Database installation process. root is the user of the pdemain process.) For example:
      • For shell installation:
        <guardium_installation_directory>/guard_stap/guardctl authorize-user teradata
        <guardium_installation_directory>/guard_stap/guardctl authorize-user tdatuser
      • For GIM installation:
        <guardium_installation_directory>/ATAP/current/files/bin/guardctl authorize-user teradata
        <guardium_installation_directory>/ATAP/current/files/bin/guardctl authorize-user tdatuser
    2. Confirm that the user is authorized with the option is-user-authorized in the guardctl command.
      • For shell S-TAP installation:
        <guardium_installation_directory>/guard_stap/guardctl is-user-authorized teradata
        <guardium_installation_directory>/guard_stap/guardctl is-user-authorized tdatuser
        <guardium_installation_directory>/guard_stap/guardctl is-user-authorized root
      • For GIM S-TAP installation:
        <guardium_installation_directory>/ATAP/current/files/bin/guardctl is-user-authorized teradata
        <guardium_installation_directory>/ATAP/current/files/bin/guardctl is-user-authorized tdatuser
        <guardium_installation_directory>/ATAP/current/files/bin/guardctl is-user-authorized root
  5. As user root, create the directory <teradata_install_directory>/tdat/tgtw/site by running:
    mkdir <teradata_install_directory>/tdat/tgtw/site
  6. Set the permissions and the ownership for the site directory.
    1. Enter:
      chown -R teradata:tdtrusted <teradata_install_directory>/tdat/tgtw/site 
      chmod -R 755 <teradata_install_directory>/tdat/tgtw/site
      
      Note: In some cases, permissions for root:root also work.
    2. Confirm that the permissions are set correctly. For example:
      [Figure: Verify directory permissions]
  7. Start the Teradata service:
    1. Enter:
      /etc/init.d/tpa start
      /etc/init.d/tgtw start
    2. Verify that the Teradata database is started with your Teradata Administrator, or with the UNIX command:
      pdestate -a
      The response should be:
      PDE state is RUN/STARTED.
      DBS state is 5: Logons are enabled - The system is quiescent
  8. Link the Teradata Exit library to the libtgtwmonitoring.so.
    1. As the Teradata OS user, create a link to the full path of the Teradata Exit library in the standard system library path, either /usr/lib or /usr/lib64, depending on the OS version of your database server. This allows Teradata to use the version-independent symbolic link that was created during S-TAP installation.
      ln -fs <standard_system_library_path>/libguard_teradata_exit_64.so <teradata_install_directory>/tdat/tgtw/site/libtgtwmonitoring.so
    2. Verify that the link is created, for example:
      [Figure: Verify link to exit library]
  9. Confirm that the Teradata Exit library is loaded into the database by verifying The Monitoring Library: load=yes in response to the command:
    /usr/tgtw/bin/gtwcontrol -d
    For example:
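
The verification in steps 5 to 8 as one shell function, added here as an example and not part of the Guardium documentation or tooling: it confirms that the site directory has mode 755 and the expected owner, and that libtgtwmonitoring.so is a symbolic link that resolves to an existing Guardium Teradata Exit library. The function name check_trd_exit_site is hypothetical, and the script assumes GNU stat and readlink -f.

```shell
#!/bin/sh
# Added example: verify the Teradata Exit link and site directory (steps 5-8).
# Usage: check_trd_exit_site <site_dir> [owner:group]
# Returns 0 if every check passes; prints one FAIL line per failed check.
# Assumes GNU coreutils (stat -c, readlink -f), as found on Linux.

check_trd_exit_site() {
    site=$1
    want_owner=${2:-teradata:tdtrusted}   # ownership set in step 6
    link="$site/libtgtwmonitoring.so"
    rc=0

    if [ ! -d "$site" ]; then
        echo "FAIL: $site is not a directory"; return 1
    fi

    # Step 6: the directory must have mode 755 and the expected owner:group.
    mode=$(stat -c '%a' "$site")
    [ "$mode" = "755" ] || { echo "FAIL: $site mode is $mode, expected 755"; rc=1; }
    owner=$(stat -c '%U:%G' "$site")
    [ "$owner" = "$want_owner" ] || { echo "FAIL: $site owner is $owner, expected $want_owner"; rc=1; }

    # Step 8: libtgtwmonitoring.so must be a symbolic link, not a copied file,
    # so that it keeps following the link created by the S-TAP installer.
    if [ ! -L "$link" ]; then
        echo "FAIL: $link is not a symbolic link"; return 1
    fi

    # Follow the whole chain and check what the gateway would really load.
    target=$(readlink -f "$link") || target=
    case $(basename "${target:-none}") in
        libguard_teradata_exit_64.so*|libguard_teradata_exit_32.so*) ;;
        *) echo "FAIL: $link resolves to '$target', not a Guardium exit library"; rc=1 ;;
    esac
    [ -f "$target" ] || { echo "FAIL: link target is missing (dangling link)"; rc=1; }

    return $rc
}
```

Run it as root after step 8, for example check_trd_exit_site <teradata_install_directory>/tdat/tgtw/site, and pass root:root as the second argument if that ownership is used instead.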