Windows: Troubleshooting S-TAP problems
You can use the S-TAP® Status monitor tab of the System View to begin investigating any problems. Sometimes you might need to use other tools, particularly if you are monitoring databases for which the inspection engines cannot be verified.
- If an S-TAP is not connected to your Guardium® system
- Check whether the IBM Security Guardium S-TAP service is
running on the database server:
Check the IBM Security Guardium S-TAP service and see that it's running.
- How to identify the S-TAP version?
-
- From the GUI, the S-TAP version number is displayed in
- Alternatively, you can display the S-TAP version number from the command line of the database server.
- Run debug from the command line to quickly identify configuration issues
- Turn on debug from the GIM GUI or the command line. See debug levels in Protocol 7 Debug parameters.
- Verify the connection between the database server and the Guardium system
-
- Verify that you can ping the Guardium system at sqlguard_ip from the database server.
- If the ping is successful, verify that you can telnet to the following ports on the Guardium system: 9500/9501 for S-TAP on Protocol 7, or 9800/9801 for S-TAP on Protocol 8.
- If there is a firewall between the database server and the Guardium system
- Verify that the following ports are open for traffic between these two systems: TCP port 9500 or TLS port 9501 for encrypted connections for S-TAP on Protocol 7, or TCP port 9800 or TLS port 9801 for encrypted connections for S-TAP on Protocol 8.
- Verify that the sqlguard_ip parameter is set to the correct guardium hostname or the IP for the Guardium system that you are connecting to.
-
- Click S-TAP Control. to open
- Locate the S-TAP Host for the IP address that corresponds to your database server.
- Expand the Guardium Hosts subsection, and verify that the active Guardium Host is correctly configured.
- If necessary, click Modify to update the Guardium Hosts.
- Where is the debug file located?
- If the debuglevel > 0, then the log from the previous S-TAP session (if it exists) is saved as: %STAP_DIR%\Bin\StapBuffer\stap_%HOSTNAME%%YY-MM-DD%%HHMMDD%.old and the new log is created as: %STAP_DIR%\Bin\StapBuffer\stap_%HOSTNAME%%YY-MM-DD%%HHMMDD%.new.
- Severe spikes in traffic, and traffic getting dropped
- This symptoms could be due to a buffer overflow. Check the debug log for a message indicating buffer overflow. Advanced users only: consider enabling the dynamic buffer feature. See dynamic_buffer_increase in Protocol 7 General parameters.
- Verify that the S-TAP process is not repeatedly restarting
- To verify the process, go to services and check the status of Guardium services.
- Verify that S-TAP Approval is not turned on
- If S-TAP Approval is turned on, any new S-TAP that connects to the Guardium system is refused.
- Click S-TAP Certification. to open
- Look at the S-TAP Approval Needed checkbox . If this box is checked, new S-TAPs can connect to this Guardium system only after they are added to the list of approved S-TAPs.
- If S-TAP Approval is turned on, access the Approved Tap Clients report to view a list of approved S-TAPs. If the S-TAP that you are investigating is not on this list, return to the S-TAP Certification page, enter the IP address of the S-TAP in the Client Host field, and click Add.
- S-TAP verification issues
-
The verification process attempts to log in to your database's STAP client with an erroneous user ID and password to verify that this attempt is recognized and communicated to the Guardium system. Your S-TAP might be configured in a way that prevents the inspection engine message from reaching the Guardium system from which the request was made.
These configuration details include:- Load balancing: if the S-TAP is configured to return responses to more than one Guardium system, the error message might be sent to a different Guardium system.
- Failover: If secondary Guardium systems are configured for the S-TAP, the error message might be sent to a secondary Guardium system if the primary Guardium system is too busy.
- db_ignore_response: if the S-TAP is configured to ignore all responses from the database, it does not send error messages to the Guardium system.
- Client IP/mask: if any mask is defined that is not 0.0.0.0, it might prevent the error message from being sent.
- Exclude IP/mask: if any mask is defined that is not 0.0.0.0, it might prevent the error message from being sent.