Linux-UNIX: Installing and activating A-TAP in Solaris zones
Installing A-TAP in Solaris zones requires additional configuration.
About this task
Procedure
- Install S-TAP®/K-TAP on the global zone using GIM or shell installation and verify that inspection engines are configured for all databases in the local zones. If discovery did not find database instances running in the local zones, configure them manually for all available databases running in the local zones, either in the guard_tap.ini file or in the GUI.
- In the local zone, install the same S-TAP version that is already installed in the global zone. (The S-TAP installer automatically detects the local zone environment and disables K-TAP by default.)
- Verify that inspection engines are configured in the S-TAPs in the local zones (installed in step 2) for all databases that require A-TAP. If discovery did not find database instances running in the local zones, manually create inspection engines for these databases using the guard_tap.ini file or the GUI.
- Verify that the group ID (GID) of the group "guardium" in the local zone is the same as the group ID of this group in the global zone. If the group IDs do not match, change the group ID in the local zones using the command groupmod -g <NEW_GID> guardium. For example:
  bash-3.2# groupmod -g 105 guardium
  bash-3.2#
- For each local zone where Oracle is installed, make sure the Guardium® device is mapped. Use these commands in the global zone environment:
  - Find the zone_name by executing zoneadm list
  - zoneadm -z <zone_name> halt
  - zonecfg -z <zone_name>
  - add device
  - set match=/dev/guard_ktap
  - end
  - verify
  - For Solaris 11, repeat steps 5.d to 5.g (add device, set match, end, verify) for each of the devices guard_ktap1, guard_ktap2, guard_ktap3, guard_ktap4 and guard_ktap5. For example:
    root@sys-sol11u3:~# zoneadm list
    global
    sys-sol11u3z2
    sys-sol11u3z1
    root@sys-sol11u3:~# zonecfg -z sys-sol11u3z2
    zonecfg:sys-sol11u3z2> add device
    zonecfg:sys-sol11u3z2:device> set match=/dev/guard_ktap
    zonecfg:sys-sol11u3z2:device> end
    zonecfg:sys-sol11u3z2> verify
    zonecfg:sys-sol11u3z2> add device
    zonecfg:sys-sol11u3z2:device> set match=/dev/guard_ktap1
    zonecfg:sys-sol11u3z2:device> end
    zonecfg:sys-sol11u3z2> verify
    zonecfg:sys-sol11u3z2> add device
    zonecfg:sys-sol11u3z2:device> set match=/dev/guard_ktap2
    zonecfg:sys-sol11u3z2:device> end
    zonecfg:sys-sol11u3z2> verify
    zonecfg:sys-sol11u3z2> add device
    zonecfg:sys-sol11u3z2:device> set match=/dev/guard_ktap3
    zonecfg:sys-sol11u3z2:device> end
    zonecfg:sys-sol11u3z2> verify
    zonecfg:sys-sol11u3z2> add device
    zonecfg:sys-sol11u3z2:device> set match=/dev/guard_ktap4
    zonecfg:sys-sol11u3z2:device> end
    zonecfg:sys-sol11u3z2> verify
    zonecfg:sys-sol11u3z2> add device
    zonecfg:sys-sol11u3z2:device> set match=/dev/guard_ktap5
    zonecfg:sys-sol11u3z2:device> end
    zonecfg:sys-sol11u3z2> verify
    zonecfg:sys-sol11u3z2> exit
    root@sys-sol11u3:~#
  - For Solaris 10, the device names are different. To find the correct string for the devices, execute this command in the Global Zone environment:
    ls /dev/ktap*|awk -F "-" '{print $1}'
    Typical output looks like:
    /dev/ktap_106844_0
    /dev/ktap_106844_1
    /dev/ktap_106844_2
    /dev/ktap_106844_3
    /dev/ktap_106844_4
    /dev/ktap_106844_5
    bash-3.2#
    After mapping the devices, go to the dev directory of the relevant local zone and create links from the mapped devices to /dev/guard_ktap*, for example:
    bash-3.2# cd /zones/sol10z2/dev
    bash-3.2# ln -fs ktap_106844_0 guard_ktap
    bash-3.2# ln -fs ktap_106844_1 guard_ktap1
    bash-3.2# ln -fs ktap_106844_2 guard_ktap2
    bash-3.2# ln -fs ktap_106844_3 guard_ktap3
    bash-3.2# ln -fs ktap_106844_4 guard_ktap4
    bash-3.2# ln -fs ktap_106844_5 guard_ktap5
    bash-3.2# ls -lrt *ktap*
    crw-rw-rw- 1 root guardium 336, 5 Jul 15 12:36 ktap_106844_5
    crw-rw-rw- 1 root guardium 336, 4 Jul 15 12:36 ktap_106844_4
    crw-rw-rw- 1 root guardium 336, 3 Jul 15 12:36 ktap_106844_3
    crw-rw-rw- 1 root guardium 336, 2 Jul 15 12:36 ktap_106844_2
    crw-rw-rw- 1 root guardium 336, 1 Jul 15 12:36 ktap_106844_1
    crw-rw---- 1 root guardium 336, 0 Jul 15 12:36 ktap_106844_0
    lrwxrwxrwx 1 root root 13 Jul 19 10:58 guard_ktap -> ktap_106844_0
    lrwxrwxrwx 1 root root 13 Jul 19 10:58 guard_ktap1 -> ktap_106844_1
    lrwxrwxrwx 1 root root 13 Jul 19 10:59 guard_ktap2 -> ktap_106844_2
    lrwxrwxrwx 1 root root 13 Jul 19 10:59 guard_ktap3 -> ktap_106844_3
    lrwxrwxrwx 1 root root 13 Jul 19 10:59 guard_ktap4 -> ktap_106844_4
    lrwxrwxrwx 1 root root 13 Jul 19 10:59 guard_ktap5 -> ktap_106844_5
  - Set the permissions so that guard_ktap and ktap_xxxxx are accessible by everyone, using the command chmod 0666 *ktap*. For example:
    bash-3.2# chmod 0666 *ktap*
  - exit
- Verify that all devices are properly mapped by executing this command in the Global Zone environment:
  zonecfg -z <zone_name> info|grep match
  For example:
  root@sys-sol11u3:~# zonecfg -z sys-sol11u3z2 info|grep match
  match: /dev/guard_ktap4
  match: /dev/guard_ktap3
  match: /dev/guard_ktap2
  match: /dev/guard_ktap1
  match: /dev/guard_ktap
  match: /dev/guard_ktap5
- Boot the local zone by executing the command:
  zoneadm -z <zone_name> boot
- Note: A-TAP only needs to be activated in the global zone for encrypted databases running in the global zone. If required, activate it with the guardctl command option activate. It cannot be enabled with the encryption checkbox in the inspection engine section of the GUI or by setting encryption=1 in the guard_tap.ini file. If no database is used on the global zone, then A-TAP activation in the global zone is not required. To activate A-TAP in the global zone, use the DB OS user. Activate A-TAP in the local zones using guardctl. Activation in local zones can only be performed by the root user with DB OS user authorization.
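The two checks the procedure asks for before booting the zone, the matching "guardium" GID (step 4) and a complete guard_ktap device mapping (the verification step), as an added shell example that is not part of the IBM page or product. It assumes the "match:" line format shown in the zonecfg output above and standard /etc/group syntax; the sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not code from the page or from IBM: offline checks for the
# zone steps above. Each function takes command output or file content as a
# string, so it runs on the constructed samples below or on real output.

# Devices a Solaris 11 local zone needs mapped (step 5 and its Solaris 11 note).
EXPECTED_DEVICES="guard_ktap guard_ktap1 guard_ktap2 guard_ktap3 guard_ktap4 guard_ktap5"

# missing_devices TEXT: TEXT is `zonecfg -z <zone> info | grep match` output.
# Prints one line per expected device with no "match:" entry (exact path match,
# so /dev/guard_ktap1 does not satisfy /dev/guard_ktap); nothing if complete.
missing_devices() {
    matched=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*match:[[:space:]]*//p')
    for dev in $EXPECTED_DEVICES; do
        printf '%s\n' "$matched" | grep -qx "/dev/$dev" || printf '%s\n' "$dev"
    done
}

# guardium_gid TEXT: TEXT is the content of an /etc/group file; prints the GID
# of group "guardium", or nothing if the group is absent.
guardium_gid() {
    printf '%s\n' "$1" | awk -F: '$1 == "guardium" { print $3; exit }'
}

# gid_matches GLOBAL_GROUP LOCAL_GROUP: succeeds only when both files define
# "guardium" with the same GID (step 4). On a mismatch the fix, run in the
# local zone, is: groupmod -g <GLOBAL_GID> guardium
gid_matches() {
    g=$(guardium_gid "$1"); l=$(guardium_gid "$2")
    [ -n "$g" ] && [ "$g" = "$l" ]
}

# Constructed samples (not captured from a real system): a zone that is still
# missing guard_ktap5, and a local zone whose guardium GID differs from global.
SAMPLE_ZONECFG='match: /dev/guard_ktap4
match: /dev/guard_ktap3
match: /dev/guard_ktap2
match: /dev/guard_ktap1
match: /dev/guard_ktap'
SAMPLE_GLOBAL_GROUP='root::0:
guardium::105:'
SAMPLE_LOCAL_GROUP='root::0:
guardium::101:'

missing=$(missing_devices "$SAMPLE_ZONECFG")
[ -z "$missing" ] && echo "all guard_ktap devices mapped" || echo "unmapped: $missing"
gid_matches "$SAMPLE_GLOBAL_GROUP" "$SAMPLE_LOCAL_GROUP" && echo "guardium GID ok" ||
    echo "guardium GID mismatch: global=$(guardium_gid "$SAMPLE_GLOBAL_GROUP") local=$(guardium_gid "$SAMPLE_LOCAL_GROUP")"
```

On a Solaris host, feed the functions real data, for example missing_devices "$(zonecfg -z <zone_name> info | grep match)" and gid_matches "$(cat /etc/group)" "$(cat /zones/<zone_name>/root/etc/group)".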