Linux-UNIX: Installing and activating A-TAP in Solaris zones

Installing A-TAP in Solaris zones requires additional configuration.

About this task

[Figure: global zone and local zones with S-TAPs and A-TAPs]

Procedure

  1. Install S-TAP®/K-TAP on the global zone using GIM or shell installation and verify that inspection engines are configured for all databases in the local zones. If discovery did not find database instances running on the local zones, configure them manually for all available databases running in the local zones, either in the guard_tap.ini file or in the GUI.
  2. In the local zone, install the same S-TAP version that is already installed in the global zone. (The S-TAP installer automatically detects the local zone environment and disables K-TAP by default).
  3. Verify that inspection engines are configured in the S-TAPs in the local zones (installed in step 2) for all databases that require A-TAP. If discovery did not find database instances running on the local zones, manually create inspection engines for these databases using the guard_tap.ini file or the GUI.
  4. Verify that the group ID (GID) of the group "guardium" in each local zone is the same as the group ID of that group in the global zone. If the group IDs do not match, change the group ID in the local zones using the command groupmod -g <NEW_GID> guardium. For example:
    bash-3.2# groupmod -g 105 guardium
    bash-3.2#
  5. For each local zone where Oracle is installed, make sure the Guardium® device is mapped. Use these commands in the global zone environment.
    1. Find the zone_name by executing zoneadm list
    2. zoneadm -z <zone_name> halt
    3. zonecfg -z <zone_name>
    4. add device
    5. set match=/dev/guard_ktap
    6. end
    7. verify
    8. For Solaris 11, repeat sub-steps 4 to 7 (add device, set match, end, verify) for each of the devices guard_ktap1, guard_ktap2, guard_ktap3, guard_ktap4 and guard_ktap5. For example:
      root@sys-sol11u3:~# zoneadm list
      global
      sys-sol11u3z2
      sys-sol11u3z1
      root@sys-sol11u3:~# zonecfg -z sys-sol11u3z2
      zonecfg:sys-sol11u3z2> add device
      zonecfg:sys-sol11u3z2:device> set match=/dev/guard_ktap
      zonecfg:sys-sol11u3z2:device> end
      zonecfg:sys-sol11u3z2> verify
      zonecfg:sys-sol11u3z2> add device
      zonecfg:sys-sol11u3z2:device> set match=/dev/guard_ktap1
      zonecfg:sys-sol11u3z2:device> end
      zonecfg:sys-sol11u3z2> verify
      zonecfg:sys-sol11u3z2> add device
      zonecfg:sys-sol11u3z2:device> set match=/dev/guard_ktap2
      zonecfg:sys-sol11u3z2:device> end
      zonecfg:sys-sol11u3z2> verify
      zonecfg:sys-sol11u3z2> add device
      zonecfg:sys-sol11u3z2:device> set match=/dev/guard_ktap3
      zonecfg:sys-sol11u3z2:device> end
      zonecfg:sys-sol11u3z2> verify
      zonecfg:sys-sol11u3z2> add device
      zonecfg:sys-sol11u3z2:device> set match=/dev/guard_ktap4
      zonecfg:sys-sol11u3z2:device> end
      zonecfg:sys-sol11u3z2> verify
      zonecfg:sys-sol11u3z2> add device
      zonecfg:sys-sol11u3z2:device> set match=/dev/guard_ktap5
      zonecfg:sys-sol11u3z2:device> end
      zonecfg:sys-sol11u3z2> verify
      zonecfg:sys-sol11u3z2> exit
      root@sys-sol11u3:~# 
    9. For Solaris 10, the device names are different. To find the correct string for the devices, execute this command in the global zone environment:
      ls /dev/ktap*|awk -F "-" '{print $1}'
      Typical output looks like:
      /dev/ktap_106844_0
      /dev/ktap_106844_1
      /dev/ktap_106844_2
      /dev/ktap_106844_3
      /dev/ktap_106844_4
      /dev/ktap_106844_5
      bash-3.2#
      After mapping the devices, go to the relevant local zone dev directory and create links for mapped devices to /dev/guard_ktap*, for example:
      bash-3.2# cd /zones/sol10z2/dev
      bash-3.2# ln -fs ktap_106844_0 guard_ktap
      bash-3.2# ln -fs ktap_106844_1 guard_ktap1
      bash-3.2# ln -fs ktap_106844_2 guard_ktap2
      bash-3.2# ln -fs ktap_106844_3 guard_ktap3
      bash-3.2# ln -fs ktap_106844_4 guard_ktap4
      bash-3.2# ln -fs ktap_106844_5 guard_ktap5
      bash-3.2# ls -lrt *ktap*
      crw-rw-rw-   1 root     guardium 336,  5 Jul 15 12:36 ktap_106844_5
      crw-rw-rw-   1 root     guardium 336,  4 Jul 15 12:36 ktap_106844_4
      crw-rw-rw-   1 root     guardium 336,  3 Jul 15 12:36 ktap_106844_3
      crw-rw-rw-   1 root     guardium 336,  2 Jul 15 12:36 ktap_106844_2
      crw-rw-rw-   1 root     guardium 336,  1 Jul 15 12:36 ktap_106844_1
      crw-rw----   1 root     guardium 336,  0 Jul 15 12:36 ktap_106844_0
      lrwxrwxrwx   1 root     root          13 Jul 19 10:58 guard_ktap -> ktap_106844_0
      lrwxrwxrwx   1 root     root          13 Jul 19 10:58 guard_ktap1 -> ktap_106844_1
      lrwxrwxrwx   1 root     root          13 Jul 19 10:59 guard_ktap2 -> ktap_106844_2
      lrwxrwxrwx   1 root     root          13 Jul 19 10:59 guard_ktap3 -> ktap_106844_3
      lrwxrwxrwx   1 root     root          13 Jul 19 10:59 guard_ktap4 -> ktap_106844_4
      lrwxrwxrwx   1 root     root          13 Jul 19 10:59 guard_ktap5 -> ktap_106844_5
    10. Set the permissions so that guard_ktap and ktap_xxxxx are accessible by everyone, using the command chmod 0666 *ktap*. For example:
      bash-3.2# chmod 0666 *ktap* 
    11. exit
  6. Verify that all devices are properly mapped by executing this command in the global zone environment:
    zonecfg -z <zone_name> info|grep match 
    For example:
    root@sys-sol11u3:~# zonecfg -z sys-sol11u3z2 info|grep match
    match: /dev/guard_ktap4
    match: /dev/guard_ktap3
    match: /dev/guard_ktap2
    match: /dev/guard_ktap1
    match: /dev/guard_ktap
    match: /dev/guard_ktap5
  7. Boot the local zone by executing the command:
    zoneadm -z <zone_name> boot
  8. Note: A-TAP only needs to be activated in the global zone for encrypted databases running in the global zone. If required, activate it with the guardctl command option activate. It cannot be enabled with the encryption checkbox in the inspection engine section of the GUI or by setting encryption=1 in the guard_tap.ini file. If no database is used in the global zone, A-TAP activation in the global zone is not required. To activate A-TAP in the global zone, use the DB OS user.
    Activate A-TAP in the local zones using guardctl. Activation in local zones can only be performed by the root user with DB OS user authorization.
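The device mapping in step 5 and its verification in step 6 can be checked mechanically. The following script is an added example, not part of the Guardium documentation: it parses the output of zonecfg info and reports every Solaris 11 Guardium device that has no match entry. The zone name and the sample zonecfg output embedded below are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the Guardium documentation: checks that the
# zonecfg configuration of a local zone contains a "match:" entry for every
# Guardium device the procedure above maps (Solaris 11 device names).
# The sample zonecfg output below is constructed for illustration.

REQUIRED_DEVICES="/dev/guard_ktap /dev/guard_ktap1 /dev/guard_ktap2 /dev/guard_ktap3 /dev/guard_ktap4 /dev/guard_ktap5"

# missing_devices INFO_TEXT
#   INFO_TEXT is the text of "zonecfg -z <zone> info". Prints each required
#   device that has no match line, one per line. Returns 0 when all devices
#   are mapped, 1 otherwise.
missing_devices() {
    info="$1"
    rc=0
    for dev in $REQUIRED_DEVICES; do
        # Whole-line match, so /dev/guard_ktap does not satisfy /dev/guard_ktap1;
        # leading whitespace is allowed because zonecfg indents its output.
        if ! printf '%s\n' "$info" | grep -qx "[[:space:]]*match: $dev"; then
            echo "$dev"
            rc=1
        fi
    done
    return $rc
}

# check_zone ZONE_NAME - run the check against a live zone (from the global zone).
check_zone() {
    missing_devices "$(zonecfg -z "$1" info)"
}

# Constructed sample of zonecfg output in the layout the page shows;
# guard_ktap5 is deliberately left out to exercise the failure path.
SAMPLE_INFO='match: /dev/guard_ktap4
match: /dev/guard_ktap3
match: /dev/guard_ktap2
match: /dev/guard_ktap1
match: /dev/guard_ktap'

if missing=$(missing_devices "$SAMPLE_INFO"); then
    echo "all Guardium devices are mapped"
else
    echo "devices not mapped in the zone configuration:"
    echo "$missing"
fi
```

On a live system, call check_zone with the zone name from zoneadm list before booting the zone in step 7.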