Linux-UNIX: Configuring Teradata exit

The Teradata exit module enables S-TAP to monitor any Teradata database activities, whether encrypted or not and whether local or remote. It does not require A-TAP or K-TAP.

Before you begin

Before configuring Teradata Exit, use the setup_exit.sh script to configure and activate the exit libraries.

About this task

Teradata Exit embeds a Guardium® library into the Teradata database and communicates with the S-TAP through a Guardium shared library.

By default, Guardium supports up to 10 total Exit inspection engines (combined total of all Exit types). If you use more than one type of Exit, the combined maximum is 10. For more information, see the exit_libs_num_threads parameter in Linux-UNIX: General parameters.

Teradata Exit shared libraries are part of the Guardium UNIX S-TAP installation. The S-TAP includes 64-bit Exit libraries for 64-bit OS versions and 32-bit Exit libraries for 32-bit OS versions:
  • libguard_teradata_exit_64.so
  • libguard_teradata_exit_32.so (available for RHEL6 on the i686 CPU only)

When you install the S-TAP:
  • It copies libraries in the standard library paths:
    • Shell and RPM installation: <guardium_installation_directory>/guard_stap
    • GIM installation: <guardium_installation_directory>/modules/STAP/current/files
  • It creates links, for example:
    • /usr/lib64/libguard_teradata_exit_64.so -> libguard_teradata_exit_64.so.<release number>
    • /usr/lib/libguard_teradata_exit_32.so -> libguard_teradata_exit_32.so.<release number>

The digits after .so reflect the release number. These digits were introduced in V10.6. (In previous releases, library files do not include release numbers.)

The Guardium support matrix details exactly what the Teradata Exit can monitor.

Teradata configuration

The gtwcontrol option -u SendConnectRespNoSecurity specifies whether the gateway sends connection responses encrypted or in cleartext. Valid values are:
  • YES: The logon response is in cleartext, that is, unencrypted plain text.
  • NO: The logon response is encrypted, which is the default setting.

Set this parameter to YES to capture DB User (-u YES). (When set to NO, the connection response is encrypted before it gets to the gtwgateway, the process that loads the Guardium Exit library, and therefore cannot be passed unencrypted to Guardium.)
For more information, see the Teradata documentation.

K-TAP considerations

If there is no other database to monitor, then K-TAP is not necessary. Set ktap_installed=0 in guard_tap.ini or set ktap_enabled to no in GIM. You can upgrade the Linux® OS and the S-TAP without being concerned about K-TAP module compatibility. However, if another database needs to be monitored by S-TAP and K-TAP is necessary, make sure that a compatible K-TAP module is available when you upgrade your Linux version.

Upgrade

When you upgrade S-TAP from v10.6.0.0 and higher, a database restart is not necessary. You can upgrade S-TAP while the database is running. The Exit library from the previous version is used until you restart the database. When you restart the database, it starts by using the updated exit library. Any issues that are addressed in the new library are resolved when you restart the database.

Procedure

  1. Install and start the S-TAP agent on the database server and configure an inspection engine for the teradata_exit protocol. See Linux-UNIX: Before you start installing S-TAP and Linux-UNIX: Inspection engine parameters. Use these parameters and values:
    Each entry lists the GUI field, the guard_tap.ini parameter in parentheses, and then the GUI value / guard_tap.ini value:
      • Protocol (db_type): Teradata Exit / TRD_EXIT
      • ClientIP/Mask (networks): 0.0.0.0/0 / 0.0.0.0/0.0.0.0
      • DB Install Dir (db_install_dir): Home directory of the user that runs the main Teradata process (pdemain); use the following command: echo $HOME
      • Process Name (db_exec_file): Full path to the main Teradata process (pdemain)
      • DB User (db_user): NULL (not relevant for Teradata exit)
    A typical DB section in the guard_tap.ini file for the inspection engine is:
    [DB_0]
    connect_to_ip=127.0.0.1
    db_exec_file=/opt/teradata/tdat/tgtw/16.20.07.01/bin/pdemain
    db_install_dir=/root
    db_type=TRD_EXIT
    db_user=NULL
    encryption=0
    db_version=9
    intercept_types=NULL
    load_balanced=1
    port_range_end=0
    port_range_start=0
    priority_count=20
    real_db_port=NULL
    tap_identifier=TRD_EXIT_dbateral1620 (0,0,DB_0)
    unix_domain_socket_marker=NULL
    networks=0.0.0.0/0.0.0.0
    exclude_networks=
  2. As a root user, enable Teradata Exit in the database while the database is running.
    /usr/tgtw/bin/gtwcontrol --monitorlib load=yes
  3. Stop the Teradata service.
    /etc/init.d/tpa stop 
    /etc/init.d/tgtw stop

    Check that the Teradata database is stopped with your Teradata Administrator, or with the UNIX command:

    pdestate -a
    The output is as follows:
    PDE state: DOWN/HARDSTOP
  4. Authorize the required users.
    1. As a root user, verify that the users teradata, tdatuser, and root are in the Guardium group. If any of the users are not in the Guardium group, use the guardctl utility to add the user to the group. (The teradata and tdatuser users are the primary operating system-native users that run Teradata DBS/PDE; they are created during the Teradata Database installation process. root is the user of the pdemain process.)
      Verify the users for shell installation as shown in the following example:
      <guardium_installation_directory>/guard_stap/guardctl authorize-user teradata
      <guardium_installation_directory>/guard_stap/guardctl authorize-user tdatuser
      Verify the users for GIM installation as shown in the following example:
      <guardium_installation_directory>/ATAP/current/files/bin/guardctl authorize-user teradata
      <guardium_installation_directory>/ATAP/current/files/bin/guardctl authorize-user tdatuser
    2. Confirm that each user is authorized by using the is-user-authorized option of the guardctl command.
      For shell S-TAP installation, run the following commands:
      <guardium_installation_directory>/guard_stap/guardctl is-user-authorized teradata
      <guardium_installation_directory>/guard_stap/guardctl is-user-authorized tdatuser
      <guardium_installation_directory>/guard_stap/guardctl is-user-authorized root
      For GIM installation, run the following commands:
      <guardium_installation_directory>/ATAP/current/files/bin/guardctl is-user-authorized teradata
      <guardium_installation_directory>/ATAP/current/files/bin/guardctl is-user-authorized tdatuser
      <guardium_installation_directory>/ATAP/current/files/bin/guardctl is-user-authorized root
  5. As a root user, create the directory <teradata_install_directory>/tdat/tgtw/site.
    mkdir <teradata_install_directory>/tdat/tgtw/site
  6. Set the permissions and the ownership for the directory site.
    chown -R teradata:tdtrusted <teradata_install_directory>/tdat/tgtw/site 
    chmod -R 755 <teradata_install_directory>/tdat/tgtw/site
    
    Remember: Sometimes permissions for root:root also work.

    Confirm that the permissions are set correctly as shown in the following example.
    [Figure: Verify directory permissions]

  7. Start the Teradata service.
    /etc/init.d/tpa start
    /etc/init.d/tgtw start
    Verify that the Teradata database is started with your Teradata Administrator, or with the UNIX command:
    pdestate -a
    The following output is displayed.
    PDE state is RUN/STARTED.
    DBS state is 5: Logons are enabled - The system is quiescent
  8. Link the Teradata Exit library to the libtgtwmonitoring.so.
    As a Teradata OS user, create the link for the full path of the Teradata Exit library from the standard system library path. Use either /usr/lib or /usr/lib64, depending on the OS version of your database server.
    ln -fs <standard_system_library_path>/libguard_teradata_exit_64.so <teradata_install_directory>/tdat/tgtw/site/libtgtwmonitoring.so
    Teradata can now use the version-independent symbolic link that was created during S-TAP installation. Verify that the link is created as shown in the following example.
    [Figure: Verify link to exit library]
  9. Confirm that the Teradata Exit library is loaded into the database.
    /usr/tgtw/bin/gtwcontrol -d

    Verify that The Monitoring Library: load=yes as shown in the following example:
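
Separately from the gtwcontrol output, the directory check in step 6 and the link check in step 8 can be scripted. The following is an added example, not part of the IBM documentation or of Guardium tooling: it confirms the mode and owner of the site directory and that libtgtwmonitoring.so resolves through the symbolic links to an existing Guardium Teradata Exit library file. The function names are hypothetical, and GNU coreutils (stat -c, readlink -f) is assumed.

```shell
#!/bin/sh
# Added example, not Guardium or Teradata code. Function names are hypothetical.
# Assumes GNU coreutils (stat -c, readlink -f).

# check_site_dir DIR OWNER
#   DIR:   <teradata_install_directory>/tdat/tgtw/site
#   OWNER: expected owner, teradata (or root, per the note in step 6)
check_site_dir() {
    site_dir=$1; want_owner=$2
    [ -d "$site_dir" ] || { echo "FAIL: $site_dir is not a directory"; return 1; }
    mode=$(stat -c '%a' "$site_dir")
    have_owner=$(stat -c '%U' "$site_dir")
    # Step 6 sets 755: only the owner may add or replace files in the directory.
    [ "$mode" = 755 ] || { echo "FAIL: mode $mode, expected 755"; return 1; }
    [ "$have_owner" = "$want_owner" ] ||
        { echo "FAIL: owner $have_owner, expected $want_owner"; return 1; }
    echo "OK: $site_dir mode=$mode owner=$have_owner"
}

# check_exit_link DIR
#   Follows DIR/libtgtwmonitoring.so through every symbolic link (the step 8
#   link, then the versioned link made by the S-TAP installer) to the real file.
check_exit_link() {
    exit_link=$1/libtgtwmonitoring.so
    [ -L "$exit_link" ] || { echo "FAIL: $exit_link is not a symbolic link"; return 1; }
    resolved=$(readlink -f "$exit_link") || { echo "FAIL: cannot resolve $exit_link"; return 1; }
    [ -f "$resolved" ] || { echo "FAIL: dangling link, $resolved does not exist"; return 1; }
    case ${resolved##*/} in
        libguard_teradata_exit_64.so*|libguard_teradata_exit_32.so*) ;;
        *) echo "FAIL: link resolves to unexpected file $resolved"; return 1 ;;
    esac
    echo "OK: $exit_link -> $resolved"
}

# Stand-alone use: sh check_exit.sh <site_dir> <owner>
if [ "$#" -eq 2 ]; then
    check_site_dir "$1" "$2" && check_exit_link "$1"
fi
```

A dangling link is worth checking after an S-TAP upgrade or uninstall, because the link in the site directory remains even if the library it points to is removed.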