Linux-UNIX: Configuring Db2 Exit

The Db2® Exit module enables S-TAP to monitor any Db2 database activities, whether encrypted or not and whether local or remote. It does not require A-TAP or K-TAP.

About this task

Db2 Exit loads a Guardium® shared library into the Db2 database engine, and that library passes the captured database activity to the S-TAP.

By default, Guardium supports up to 10 Exit inspection engines in total. This limit is the combined total across all Exit types, so if you use more than one type of Exit, they share the maximum of 10. For more information, see the exit_libs_num_threads parameter in Linux-UNIX: General parameters.

Db2 Exit shared libraries are part of the Guardium UNIX S-TAP installation. S-TAP includes a 64-bit and a 32-bit version:
  • libguard_db2_exit_64.so
  • libguard_db2_exit_32.so (available for RHEL6 on the i686 CPU only)
When you install the S-TAP, it copies the libraries into the standard library paths and then creates version-independent links to them.
  • The libraries are shipped in the S-TAP installation directory:
    • Shell Installation - <guardium_installation_directory>/guard_stap
    • GIM Installation - <guardium_installation_directory>/modules/STAP/current/files
  • The links are created in the standard library paths. For example:
    • /usr/lib64/libguard_db2_exit_64.so -> libguard_db2_64.so.<release number>
    • /usr/lib/libguard_db2_exit_32.so -> libguard_db2_32.so.<release number>
The digits after .so. are the release number. They were introduced in V10.6; in previous releases, the library files do not include a release number.

Guardium support matrix details exactly what Db2 Exit can monitor.

If you are not monitoring another database, K-TAP is not required. Set ktap_installed=0 in guard_tap.ini or, with GIM, set ktap_enabled to no. You can then upgrade the Linux OS and the S-TAP without being concerned about K-TAP module compatibility. However, if you are monitoring another database with S-TAP, K-TAP is required. Ensure that a compatible K-TAP module is available before you upgrade your Linux version.

When you upgrade S-TAP from 10.6.0.0 or higher, a database restart is not required: you can upgrade S-TAP while the database is running. Db2 keeps using the Exit library from the previous version until you restart the database; after the restart, it loads the updated Exit library that the new S-TAP installed. If the new library contains a fix that you need, you must restart the database to pick it up.

Use the Db2 Exit health check script to gather information from the Db2 server when you configure the Db2 inspection engines. The script is located in the guard_stap bin directory, and you can run it from anywhere by using its full path. Usage: db2_exit_health_check.sh [ check | fix ]. By default (or with check) it outputs some of the IE parameters for each DB2_EXIT inspection engine and runs checks on the IE configuration. Use the fix option to correct the IE parameters.

User authorization: The Db2 OS user must be authorized for the guardium group. If the guardium group was created in LDAP, take one of the following steps:
  • Create a local group called guardium with the same group ID (GID). When you authorize the DB user, it is added to this group.
  • Add the guardium group ID (GID) to the DB user in /etc/passwd.
In a shell installation, if the inspection engine db_user parameter is specified, you do not need to authorize the user, even in an LDAP environment.
In a GIM installation, you still need to authorize the DB user.
Note: If your site uses Db2 Warehouse, you can use the Db2 Warehouse integration. For more information, see Embedded integrations.

Procedure

  1. Install and start the S-TAP agent on the database server and configure an inspection engine for the db2_exit protocol. See Linux-UNIX: Before you start installing S-TAP and Linux-UNIX: Inspection engine parameters.
  2. If S-TAP is already installed and configured with A-TAP:
    1. Stop Db2 by entering db2stop force; ipclean
    2. Deactivate A-TAP by entering /opt/IBM/guardium/module/modules/ATAP/current/files/bin/guardctl db_instance=<db_instance> deactivate
    3. Configure the IE (inspection engine) for DB2_EXIT as usual, either in guard_tap.ini or from the GUI. (Make sure that any previously configured IE with db_type=DB2_EXIT is removed first.)
    4. Verify that the db_install_dir parameter of the DB2_EXIT IE is set to the Db2 instance home directory (the value of $DB2_HOME, or $HOME of the Db2 instance owner).
    5. Restart the S-TAP with the new configuration.
  3. Determine whether the Db2 instance is 32-bit or 64-bit. Log in as root and run db2level. The output is similar to:
    DB21085I Instance db2inst1 uses 64 bits and DB2 code release SQL09070, with level identifier 08010107
  4. Locate the instance path under which Db2 looks for communication buffer exit libraries. This path is referred to as DB2_PATH in the following steps:
    1. Log in to Db2 as the instance owner (user trip in this example).
    2. In the Db2 CLP, run get database manager configuration
    3. In the output, look for the default database path:
      Default database path (DFTDBPATH) = /DB2/trip
      The DFTDBPATH value is the value to use for DB2_PATH in the following commands.
  5. The first time that you set up Db2 for Exit, log in as the Db2 OS user and create the commexit directory with the command for your environment:
    • 64-bit environment: mkdir $DB2_PATH/sqllib/security64/plugin/commexit
    • 32-bit environment: mkdir $DB2_PATH/sqllib/security/plugin/commexit
  6. As the Db2 OS user, link the S-TAP library into that directory. For a 64-bit environment, run: ln -fs /usr/lib64/libguard_db2_exit_64.so $DB2_PATH/sqllib/security64/plugin/commexit/libguard_db2_exit_64.so
    For a 32-bit environment, link /usr/lib/libguard_db2_exit_32.so into $DB2_PATH/sqllib/security/plugin/commexit instead.
    Linking to the version-independent symbolic link that was created during S-TAP installation (rather than to the versioned file) means that the commexit link stays valid across S-TAP upgrades.
  7. As root user, add the Db2 OS user to the Guardium group.
    The Guardium group is created during S-TAP installation. This requirement increases the security of shared memory regions that are created by the S-TAP.
    1. If Db2 user is 'trip', verify whether 'trip' is already authorized. Use guardctl under the A-TAP folder, as user root.
      # /opt/IBM/guardium/module/modules/ATAP/current/files/bin/guardctl is-user-authorized trip
      User 'trip' is authorized.
    2. If the user trip is not authorized, authorize it now:
      # /opt/IBM/guardium/module/modules/ATAP/current/files/bin/guardctl authorize-user trip
  8. Enable Db2 Exit in Db2 (so that it sends the database activity to the S-TAP).
    1. Log in as the Db2 OS user and use the Db2 CLP to enable the exit library (use libguard_db2_exit_32 for a 32-bit instance):
      db2 UPDATE DBM CFG USING COMM_EXIT_LIST libguard_db2_exit_64
    2. Verify that Db2 Exit is enabled by entering:
      db2 get database manager configuration
      If successful, the output includes:
      Communication buffer exit library list (COMM_EXIT_LIST) = libguard_db2_exit_64
  9. Restart the Db2 database with the commands:
    db2stop force
    db2start
  10. If Db2 runs in a Solaris Zone or an AIX WPAR, set it up as follows:
    1. In the secondary Zone or WPAR, install the same version of S-TAP that is already installed in the global zone, with K-TAP disabled.
    2. In the Zone or WPAR, add the DB2_EXIT IE in guard_tap.ini or configure it by using the GUI.
    3. If discovery automatically created any inspection engines, delete them.
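The following POSIX shell script is an added example; it is not part of the IBM Guardium documentation or product. It wraps steps 3 through 8 of the procedure above, plus the LDAP group check from the User authorization note, in small functions that parse the Db2 output the page shows (the DB21085I line of db2level, the DFTDBPATH and COMM_EXIT_LIST lines of get database manager configuration), so that each value is checked before the corresponding command is run. It assumes that db2level, the db2 CLP, getent and id are on the PATH of the Db2 instance owner, that the S-TAP links live in /usr/lib64 and /usr/lib as described above, and that guardctl is at the path the page uses; the instance name db2inst1 and all sample output lines are constructed.

```shell
#!/bin/sh
# Added example, not part of the IBM Guardium documentation or product.
# Scripts steps 3 to 8 of the Db2 Exit procedure, parsing the Db2 output
# that the page shows so that each step is verified before it is applied.
# Assumptions: db2level, db2 (CLP), getent and id are on the PATH; S-TAP
# links are in /usr/lib64 and /usr/lib; guardctl is at the page's path.
# All sample output lines used by self_check are constructed.
set -eu

GUARDCTL=/opt/IBM/guardium/module/modules/ATAP/current/files/bin/guardctl

# Step 3: bitness from the DB21085I line of `db2level` ("uses 64 bits").
db2_bits() {
    printf '%s\n' "$1" | sed -n 's/.*uses \([0-9][0-9]*\) bits.*/\1/p' | head -n 1
}

# Step 4: DFTDBPATH from `db2 get database manager configuration` output.
dftdbpath() {
    printf '%s\n' "$1" | sed -n 's/.*(DFTDBPATH) *= *\(.*\)$/\1/p' \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# Step 5: directory Db2 searches for communication exit libraries.
commexit_dir() {   # $1 = DB2_PATH, $2 = 32|64
    case "$2" in
        64) printf '%s/sqllib/security64/plugin/commexit\n' "$1" ;;
        32) printf '%s/sqllib/security/plugin/commexit\n' "$1" ;;
        *)  echo "unsupported bitness: $2" >&2; return 1 ;;
    esac
}

# Step 6: version-independent S-TAP link that the commexit link points to.
stap_link() {      # $1 = 32|64
    case "$1" in
        64) echo /usr/lib64/libguard_db2_exit_64.so ;;
        32) echo /usr/lib/libguard_db2_exit_32.so ;;
        *)  return 1 ;;
    esac
}

# User authorization (LDAP case): GID of the guardium group from
# `getent group guardium`, so a local group with the same GID can be created.
guardium_gid() {
    printf '%s\n' "$1" | awk -F: '$1 == "guardium" { print $3; exit }'
}

# Step 8: true if COMM_EXIT_LIST names the Guardium library for this bitness.
comm_exit_enabled() {   # $1 = dbm cfg output, $2 = 32|64
    printf '%s\n' "$1" | grep -Eq "\(COMM_EXIT_LIST\) *= *libguard_db2_exit_$2"'( |$)'
}

# Offline self-check on constructed sample output (no Db2 needed).
self_check() {
    lvl='DB21085I Instance db2inst1 uses 64 bits and DB2 code release SQL09070, with level identifier 08010107'
    cfg=' Default database path                       (DFTDBPATH) = /DB2/trip
 Communication buffer exit library list (COMM_EXIT_LIST) = libguard_db2_exit_64'
    [ "$(db2_bits "$lvl")" = 64 ] || return 1
    [ "$(dftdbpath "$cfg")" = /DB2/trip ] || return 1
    [ "$(commexit_dir /DB2/trip 64)" = /DB2/trip/sqllib/security64/plugin/commexit ] || return 1
    comm_exit_enabled "$cfg" 64 || return 1
    [ "$(guardium_gid 'guardium:*:1002:trip')" = 1002 ] || return 1
}

# Live run: `sh db2_exit_setup.sh run <db2-instance-owner>` as that owner.
# The guardctl authorization (step 7) needs root, so it is only reported here.
if [ "${1:-}" = run ]; then
    inst=${2:?db2 instance owner required}
    bits=$(db2_bits "$(db2level)")
    dir=$(commexit_dir "$(dftdbpath "$(db2 get database manager configuration)")" "$bits")
    mkdir -p "$dir"
    ln -fs "$(stap_link "$bits")" "$dir/libguard_db2_exit_$bits.so"
    id -Gn "$inst" | tr ' ' '\n' | grep -qx guardium \
        || echo "run as root: $GUARDCTL authorize-user $inst" >&2
    db2 UPDATE DBM CFG USING COMM_EXIT_LIST "libguard_db2_exit_$bits"
    comm_exit_enabled "$(db2 get database manager configuration)" "$bits" \
        || { echo "COMM_EXIT_LIST not set" >&2; exit 1; }
    echo "done; restart Db2 (db2stop force; db2start) to load the exit library"
else
    self_check && echo "self-check passed"
fi
```

Run it without arguments to exercise the parsers against the constructed sample output; run it with `run <instance-owner>` on the database server to apply the steps. The script deliberately stops short of restarting Db2 (step 9) and of calling guardctl, because both need a decision or a privilege that should not be automated silently.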