Linux-UNIX: Configuring Oracle RAC S-TAP and A-TAP

Oracle RAC (Real Application Clusters) allows multiple computers to run Oracle RDBMS software simultaneously while they access a single database, thus providing clustering.

About this task

In a non-RAC Oracle database, a single instance accesses a single database. The database consists of a collection of data files, control files, and redo logs on disk. The instance comprises the collection of Oracle-related memory and operating system processes that run on a computer system.

In an Oracle RAC environment, two or more computers with an Oracle RDBMS instance concurrently access a single database. This environment allows an application or user to connect to either computer and have access to a single coordinated set of data.

Configure Oracle RAC S-TAP (Software TAP) and A-TAP (Application TAP) by completing the following steps.
Tip: You can also use the following procedure to configure A-TAP for Oracle Exadata, which is a specific RAC configuration.

Procedure

  1. Install S-TAP on all nodes. If GIM (Guardium Installation Manager) is used, install the GIM client on all nodes and then install the S-TAP bundle on all nodes.
  2. Configure the S-TAP parameters by using the GIM UI.
    1. STAP_TAP_IP: the public IP address that is configured for the node.
    2. STAP_ALTERNATE_IPS: a comma-separated list of the VIPs (virtual IPs) that are configured for the node, plus the SCAN listener address.
      Tip: Use the following command to retrieve the virtual hostnames to put in STAP_ALTERNATE_IPS. Run it as root; su - grid gives the command the grid user's login environment, so $ORACLE_HOME is expanded there.
      su - grid -c 'cat $ORACLE_HOME/network/admin/*.ora'|grep -i host
      The following example shows the output on one node. Use the VIP and SCAN addresses from the output; the node's own public address belongs in STAP_TAP_IP.
      [root@racvm121 ~]# su - grid -c 'cat $ORACLE_HOME/network/admin/*.ora'|grep -i host
      LISTENER_RACVM121=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=<hostname>)(PORT=1521))(ADDRESS=(PROTOCOL=TCP)(HOST=9.70.148.198)(PORT=1521)(IP=FIRST)))) # line added by Agent
    3. Configure the S-TAP inspection engine parameter unix_domain_socket_marker=<key>, where the <key> value is the KEY in the IPC protocol definition in listener.ora.
      Tip: Use the following command to retrieve the value for unix_domain_socket_marker:
      su - grid -c 'cat $ORACLE_HOME/network/admin/*.ora'|grep -i KEY
      For example, if the listener.ora description is LISTENER=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=ORCL)))), then set unix_domain_socket_marker=ORCL.
      If listener.ora contains more than one IPC line, use a string that is common to all of the keys. Guardium matches the marker as a substring of the Unix domain socket path, so one marker can cover several listeners.
      su - grid -c 'cat $ORACLE_HOME/network/admin/*.ora'|grep -i KEY
      LISTENER=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER))))
      LISTENER_SCAN1=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN1))))
      LISTENER_SCAN2=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN2))))
      LISTENER_SCAN3=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN3))))
      In this case, LISTENER is a substring of all four IPC keys (LISTENER, LISTENER_SCAN1, LISTENER_SCAN2, and LISTENER_SCAN3), so unix_domain_socket_marker=LISTENER covers all of them.
      If the IPC keys that the databases use have no common substring, create a separate inspection engine for each key, with unix_domain_socket_marker set to that key. The following example shows the resulting guard_tap.ini entries.
      [DB_0]
      ...
      unix_domain_socket_marker=EXTPROC1522
      ...
      [DB_1]
      ...
      unix_domain_socket_marker=LISTENER
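
The following script is an added example, not part of the Guardium documentation or of any Guardium tool. It automates the two lookups in step 2: it pulls the HOST values and the IPC KEY values out of the *.ora files, builds the STAP_ALTERNATE_IPS list (minus the public address already used for STAP_TAP_IP), and then decides whether a single unix_domain_socket_marker covers every IPC key or whether each key needs its own inspection engine. The "common denominator" test is implemented as the longest common prefix of the keys (a prefix is always a substring, which is what Guardium's string search needs); the MIN_MARKER_LEN threshold, the .example.com hostnames and the 192.0.2.10 address are this example's own assumptions and constructed sample data, not values from the page. Keyword matching is case-sensitive, which is fine for files written by Oracle's own tools.

```shell
#!/bin/sh
# Added example (not part of the Guardium documentation): derive the values
# that step 2 tells you to pick out of the *.ora files by hand, and decide
# whether one unix_domain_socket_marker covers every IPC key or whether
# each key needs its own inspection engine.

# Guardium matches the marker as a substring of the socket path, so a very
# short "common denominator" (for example "L") would also match unrelated
# sockets. The threshold below is this example's own safety margin, not a
# Guardium setting.
MIN_MARKER_LEN=4

# Print every distinct IPC KEY in the given *.ora files, one per line.
# Oracle tools write the keywords in upper case, which is what is matched here.
extract_ipc_keys() {
  cat "$@" | grep -o '(PROTOCOL=IPC)(KEY=[^)]*)' \
           | sed 's/.*(KEY=//; s/)$//' | LC_ALL=C sort -u
}

# Print every distinct HOST value (public hostname, VIPs, SCAN name).
extract_hosts() {
  cat "$@" | grep -o '(HOST=[^)]*)' | sed 's/(HOST=//; s/)$//' | LC_ALL=C sort -u
}

# STAP_ALTERNATE_IPS candidate: every HOST except the public address that is
# already set in STAP_TAP_IP, comma-separated.
alternate_ips() {
  public=$1; shift
  extract_hosts "$@" | grep -v -x -F "$public" | paste -s -d , -
}

# Longest common prefix of the arguments. A common prefix is a substring of
# every key, which is the property the marker needs.
common_prefix() {
  prefix=$1; shift
  for k in "$@"; do
    while [ -n "$prefix" ] && [ "${k#"$prefix"}" = "$k" ]; do
      prefix=${prefix%?}
    done
  done
  printf '%s\n' "$prefix"
}

# Print the one marker that covers all keys, or print nothing and return 1.
marker_for_keys() {
  prefix=$(common_prefix "$@")
  [ "${#prefix}" -ge "$MIN_MARKER_LEN" ] || return 1
  printf '%s\n' "$prefix"
}

# Emit the guard_tap.ini lines: a single shared marker, or one [DB_n]
# inspection engine per IPC key when there is no usable common substring.
suggest_inspection_engines() {
  keys=$(extract_ipc_keys "$@")
  [ -n "$keys" ] || { echo "no IPC keys found in: $*" >&2; return 1; }
  # shellcheck disable=SC2086
  set -- $keys
  if marker=$(marker_for_keys "$@"); then
    printf 'unix_domain_socket_marker=%s\n' "$marker"
  else
    n=0
    for k in "$@"; do
      printf '[DB_%d]\nunix_domain_socket_marker=%s\n' "$n" "$k"
      n=$((n + 1))
    done
  fi
}

# Constructed sample files so the script runs offline: the IPC keys mirror
# the example in the text; hostnames and addresses are placeholders.
write_samples() {
  cat > "$1/listener.ora" <<'EOF'
LISTENER=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER))))
LISTENER_SCAN1=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN1))))
LISTENER_SCAN2=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN2))))
LISTENER_SCAN3=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN3))))
LISTENER_RACVM121=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=racvm121.example.com)(PORT=1521))(ADDRESS=(PROTOCOL=TCP)(HOST=192.0.2.10)(PORT=1521)(IP=FIRST))))
EOF
  cat > "$1/tnsnames.ora" <<'EOF'
ORCL=(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=racvm-scan.example.com)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=orcl)))
EOF
}

# Second constructed scenario: an EXTPROC listener next to the RAC listener,
# which shares no prefix with LISTENER and therefore needs its own engine.
write_mixed_sample() {
  cat > "$1/listener.ora" <<'EOF'
LISTENER=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER))))
LISTENER_EXTPROC=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1522))))
EOF
}
```

On a real node, source the script as the grid user and run suggest_inspection_engines "$ORACLE_HOME"/network/admin/*.ora and alternate_ips <public-address> "$ORACLE_HOME"/network/admin/*.ora. Review the output before pasting it into the GIM UI: the HOST list can contain names rather than addresses, and a marker that is accepted only because it clears MIN_MARKER_LEN should still be checked against any non-Oracle sockets on the host.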
      
  3. If the Oracle database is encrypted (ASO/SSL), activate A-TAP on all nodes, active and standby.
    Important: Use the guardctl parameters to configure A-TAP for an Oracle database. For more information, see Linux-UNIX: Oracle-specific guardctl parameters.

    Make sure that the ktap_installed parameter is set to 1 in the guard_tap.ini S-TAP configuration file (A-TAP requires K-TAP).

    The following example shows an Oracle setup with two users, grid and oracle. The guardctl path in substeps 5 through 7 is the one that a non-GIM installation uses (/usr/local/guardium/guard_stap); on a GIM installation, use /opt/IBM/Guardium/modules/ATAP/current/files/bin/guardctl, as in substep 1.
    1. Authorize the oracle and grid users. This adds them to the guardium group.
      sudo /opt/IBM/Guardium/modules/ATAP/current/files/bin/guardctl authorize_user oracle
      sudo /opt/IBM/Guardium/modules/ATAP/current/files/bin/guardctl authorize_user grid
    2. As the grid user, stop the instance on the node that you are configuring.
      srvctl stop instance -db database_name -node node_name -force
    3. As the grid user, verify that the instance on the node is stopped.
      srvctl status instance -db database_name -node node_name
    4. Stop the local listener on that node.
      lsnrctl stop
    5. Configure A-TAP. Adjust --db-instance, --db-home, and --db-version to match the instance on this node; $ORACLE_HOME is expanded only if it is set in the shell from which you run guardctl, so give the path explicitly otherwise.
      /usr/local/guardium/guard_stap/guardctl --db-user=oracle --db-type=oracle --db-instance=oracle --db-home=$ORACLE_HOME --db-version=18.0 store-conf
    6. If you did not already authorize the oracle user in substep 1, add it to the guardium group by using the authorize_user command.
      /usr/local/guardium/guard_stap/guardctl authorize_user oracle
    7. Activate A-TAP.
      /usr/local/guardium/guard_stap/guardctl --db-instance=oracle activate
    8. As the grid user, restart the instance and the local listener on the node.
      srvctl start instance -db database_name -node node_name
      lsnrctl start
    9. Restart the SCAN listener.
      srvctl start scan_listener
    10. Repeat substeps 1 through 8 (from authorizing the users through starting the local listener) on the remaining nodes of the RAC environment.
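
The following wrapper is an added example, not part of the Guardium documentation or of guardctl itself. It runs the per-node sequence of step 3 and fails closed on the preconditions the text lists: it refuses to proceed unless guard_tap.ini has ktap_installed=1, it authorizes any user that is not yet in the guardium group, and it polls srvctl until the instance is actually reported as stopped before it runs store-conf and activate. The GUARDCTL and GUARD_TAP_INI defaults assume a non-GIM installation and can be overridden from the environment; srvctl and lsnrctl are run through su - grid -c, as the tip in step 2 does. The phrase matched in the srvctl status output ("is not running on node") is the wording srvctl prints for a stopped instance; the poll interval and retry count are this example's own choices. The parsing helpers can be exercised offline with constructed input; activate_atap_on_node is only run when the script is given its five arguments on a real node.

```shell
#!/bin/sh
# Added example, not from the Guardium documentation: a per-node wrapper for
# step 3 that checks the stated preconditions before store-conf/activate.
# Defaults assume a non-GIM install; override for a GIM install, for example
# GUARDCTL=/opt/IBM/Guardium/modules/ATAP/current/files/bin/guardctl
GUARDCTL=${GUARDCTL:-/usr/local/guardium/guard_stap/guardctl}
GUARD_TAP_INI=${GUARD_TAP_INI:-/usr/local/guardium/guard_stap/guard_tap.ini}

# 0 when the ini sets ktap_installed=1 (A-TAP requires K-TAP).
ktap_installed() {
  grep -q '^[[:space:]]*ktap_installed[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# 0 when the text from "srvctl status instance -db <db> -node <node>" reports
# that the instance is down on that node (srvctl prints "... is not running on node ...").
instance_is_stopped() {
  printf '%s\n' "$1" | grep -q -i 'is not running on node'
}

# 0 when a group list (the output of "id -nG <user>") contains the guardium
# group that guardctl authorize_user adds the user to.
in_guardium_group() {
  for g in $1; do [ "$g" = guardium ] && return 0; done
  return 1
}

# Run a command with the grid user's login environment (srvctl, lsnrctl).
as_grid() { su - grid -c "$*"; }

# Poll srvctl until the instance is reported stopped; give up after $3 tries.
wait_until_stopped() {   # db node tries
  i=0
  while [ "$i" -lt "$3" ]; do
    if instance_is_stopped "$(as_grid srvctl status instance -db "$1" -node "$2")"; then
      return 0
    fi
    i=$((i + 1)); sleep 5
  done
  return 1
}

# Step 3 on one node. Arguments: db_unique_name node_name db_instance db_home db_version
# Run as root; repeat on every node of the cluster.
activate_atap_on_node() {
  db=$1 node=$2 inst=$3 home=$4 ver=$5
  ktap_installed "$GUARD_TAP_INI" || { echo "ktap_installed is not 1 in $GUARD_TAP_INI" >&2; return 1; }
  for u in oracle grid; do
    in_guardium_group "$(id -nG "$u")" || "$GUARDCTL" authorize_user "$u" || return 1
  done
  as_grid srvctl stop instance -db "$db" -node "$node" -force || return 1
  wait_until_stopped "$db" "$node" 12 || { echo "instance of $db still running on $node" >&2; return 1; }
  as_grid lsnrctl stop
  "$GUARDCTL" --db-user=oracle --db-type=oracle --db-instance="$inst" \
              --db-home="$home" --db-version="$ver" store-conf || return 1
  "$GUARDCTL" --db-instance="$inst" activate || return 1
  as_grid srvctl start instance -db "$db" -node "$node" || return 1
  as_grid lsnrctl start
}

# Only act when invoked with the five arguments, so sourcing the file is safe.
if [ "$#" -eq 5 ]; then
  activate_atap_on_node "$@"
fi
```

After the last node, start the SCAN listener once with srvctl start scan_listener, as in substep 9; it is cluster-wide and is deliberately not part of the per-node function.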