Provisioning an instance of External S-TAP

Before you can use the External S-TAP service, you must provision a service instance. Each provisioned instance corresponds to a certain cloud database that you want to proxy through Guardium® Data Protection.

Before you begin

Ensure that the External S-TAP service meets all of the prerequisites, as described in Deploying External S-TAP with an operator.

About this task

Any IBM Cloud Pak® for Data user with Create service instances permission can provision an instance of the External S-TAP service. Each provisioned instance corresponds to a certain cloud database that you want to proxy through Guardium.

Procedure

  1. Open the New service instance for External S-TAP page.
    1. From the IBM Cloud Pak for Data home page, browse to Services > Services catalog. Then find and select Guardium External S-TAP under Data sources.
    2. Select the Guardium External S-TAP text or logo to open the description page, and then click Provision instance to open the New service instance for the External S-TAP service.

    The New service instance page contains a number of tabs. For each instance of an External S-TAP you want to provision, enter the information for each page, and then click Next to continue.

  2. From the Instance details tab, provide the following information and then click Next.
    • Name - Required. A name for this External S-TAP instance.
    • Namespace - Required. Select the Kubernetes namespace for this instance.
    • Description
  3. From the Storage tab, enter the following details for persistent storage.
    • Use existing storage - If a persistent volume claim (PVC) is available, then select this option and specify the PVC Claim name to use for storage
    • Create new storage - To create new storage, select the Storage class from the list and use the Size in GB slider to specify the size. The default is 1 GB.
  4. Under the General tab, enter information about the deployment and image.
    • Worker threads - Specify the number of threads for each External S-TAP container. You can specify up to the number of cores available on the Kubernetes worker nodes.
    • Scaling type - Determine whether you want to use a default scaling type or customize the scaling.

      If you select predefined, you can select the following options:

      • Deployment size - Select a deployment size or use the default. Changing the deployment size determines the number of pods.
      • Pod memory size - The initial size of the pod's memory limit. Use the default, unless your deployment experiences out of memory issues. In that case, change the Pod memory size to large.

      If you select custom, specify the following information:

      • Replicas - Use the slider to select the number of replicas of this instance to create. The default is 2.
      • CPU request - Default = 500m
      • Memory request - Default = 512Mi
      • CPU limit - Default = 500m
      • Memory limit - Default = 512Mi

      For more information, see Scaling services.

    • NodePort - Specify either random (the default) or specific. For specific, use the slider to select a port number on which to create the NodePort. When you deploy External S-TAP, the deployment creates a load balancer that uses the specified NodePort.
      Note: If you select a port that is already in use, the deployment fails. Use kubectl to determine available ports.
    • Service account name - A service account provides an identity for processes that run in a Kubernetes pod. Specify the service account name that your site uses to create Kubernetes pods. If you don't have a service account name, use default.
    • Registry path - Required. Specify the registry path that is accessible from the namespace that contains the External S-TAP image.
    • Image selection method - Specify the method to select the External S-TAP. Enter the following information:
      • Image label - Required. Specify the label of the External S-TAP image in the registry.
      • Hash or Tag - Depending on the selection method that you choose, specify either the image tag or the hash of the image name.

        Use Hash to specify a specific External S-TAP container image.

        Use Tag to specify a class of External S-TAP images that you can use. For example, specify v11.4.0 to pull the latest v11.4 image. Make sure that the image tag you specify is intended to be deployed with the installed assembly version.

      • Image pull policy - Defaults to IfNotPresent.
  5. From the Database and proxy tab, provide the following information.
    • Enter information for the back-end database service parameters:
      • Database host - Required. Specify the hostname or IP of the database instance for which the External S-TAP will monitor client connections.
      • Database port - Required. Use the slider to select the port on which the specified database is listening for client connections.
      • Database type - Required. Specify the type of database to monitor. The string must be one of the documented allowable database type strings for IBM Guardium External S-TAP. For information about supported data sources, see IBM Guardium System Requirements and Supported Platforms and select the System Requirements document for your Guardium version.
      • Debug - Enables debug logging for troubleshooting. Leave debug set to 0 (off) except when debugging and troubleshooting. When debug is on, decrypted traffic might be stored in the logs and the additional logging might impact the performance of the External S-TAP.
    • Enter information for the general proxy parameters:
      • Proxy secret token - Specify the key for the token that is retrieved from the Guardium collector that is stored as the Kubernetes secret (from the General page). The proxy secret token is required only if you are retrieving or signing certificates from a Guardium collector. For more information, see Managing certificates.
      • Proxy group UUID - Specify a unique identifier to group replicas together in the Guardium appliance. If you do not specify the UUID, a UUID is randomly generated.
      • Proxy protocol expected - When enabled, Proxy protocol expected tells the External S-TAP to expect a proxy protocol v1 packet at the beginning of each client connection. If the packet is not present, then the connection fails. External S-TAP removes the proxy protocol packet from the data stream before it relays the connection to the back-end service.
      • Disconnect on invalid certificate - When enabled, disconnect the External S-TAP from the client or server if the certificate is invalid.
      • Notify on invalid certificate - When enabled, send an alert that a client or server with an invalid certificate has attempted to contact the External S-TAP.
      • Internal container listen port - Select the port on which the External S-TAP listens inside the container.
        Note: This port is exposed by the load-balancing service and its associated NodePort. Note that port 8080 is exposed for an HTTP health check, but is not exposed by a service.
    • Enter information for the proxy certificate signing request (CSR) parameters. This information is required only if you are retrieving or signing certificates from a Guardium collector. For more information, see Managing certificates.
      • CSR Common Name - The common name for the CSR.
      • CSR Country - The country or region for the CSR.
      • CSR Province - The state or province for the CSR.
      • CSR City - The city or locality for the CSR.
      • CSR Organization - The organization or business name for the CSR.
      • Key length - Specify the key length for the CSR key.
  6. From the Collector tab, provide information about the primary Guardium collector and up to nine secondary collectors.
    For the primary collector, provide the following information:
    • Primary Guardium collector host - Specify the hostname or IP of the Guardium appliance to which the External S-TAPs will connect.
    • Primary Guardium collector port - Select the base port on which this Guardium appliance accepts UNIX protocol traffic.
    • Primary Guardium collector connection pool size - Specify the number of auxiliary threads that the External S-TAP creates to send data to the Guardium appliance.
    • Primary Guardium collector number of main threads - Specify the number of main threads created by External S-TAP to communicate with the Guardium appliance.
      Main threads are used to participate in load balancing with options 1 and 4. When multiple main threads are available, the Guardium S-TAP connects multiple times to the same collector when threading the S-TAP's intercepted-traffic read end. This is a shortcut for specifying the same collector multiple times as a secondary collector.
      Note: Set the number of main threads to greater than 1 only when the collector has the capacity for the extra connections.
    • Participate in load balancing with Guardium collectors - Select one of the following load-balancing options for External S-TAP.
      • 0 - No load balancing (default). Traffic is sent to one alive server. The primary server has highest priority.
      • 1 - Split sessions between collectors. Traffic is split between servers.
      • 2 - Duplicate traffic to all collectors. Traffic is sent to all servers.
      • 3 - Hardware load balancing with a load balancer such as F5. S-TAP sends traffic to the load balancer, which forwards it to one of the collectors in the pool.
      • 4 - Split sessions between collectors (multi-threading). Traffic is managed (and split) by multiple S-TAP threads.

    Each External S-TAP instance can support up to nine additional collectors. If you start to add information for a secondary collector, the framework for the next collector displays. Leave the Secondary Guardium collector host field blank to ignore the collector.

    Select the All can control option to allow all appliances to change the S-TAP configuration. If it is not selected, only the primary collector can make changes.

    • Secondary Guardium collector host - A secondary hostname or IP of a Guardium appliance to which the External S-TAPs can connect. If you leave this field blank, the secondary collector is ignored.
    • Secondary Guardium collector port - Select the base port on which this Guardium appliance accepts UNIX protocol traffic.
    • Secondary Guardium collector connection pool size - Specify the number of auxiliary threads that the External S-TAP creates to send data to the Guardium appliance.
    • Secondary Guardium collector number of main threads - Specify the number of main threads created by External S-TAP to communicate with the Guardium appliance.
  7. Use the Probes and Limits tab to configure liveness and readiness probes along with some other options. In general, you do not need to change any of these options.
    • Liveness probe options:
      • Probe command - The name of the script that determines whether the container is considered live.
      • Initial delay - Enter the time (in seconds) to wait before running the probe. The minimum is 1 and the maximum is 60.
      • Period - Select the time (in seconds) between probe runs (default = 10). The minimum is 1 and the maximum is 600.
      • Failure threshold - Number of failed attempts before stopping (default = 4). The minimum is 1 and the maximum is 10.
    • Readiness probe options:
      • Probe command - The name of the script that determines whether the container is considered ready.
      • Initial delay - Enter the time (in seconds) to wait before running the probe. The minimum is 1 and the maximum is 60.
      • Period - Select the time (in seconds) between probe runs (default = 5). The minimum is 1 and the maximum is 600.
      • Failure threshold - Number of failed attempts before stopping (default = 5). The minimum is 1 and the maximum is 10.
    • Advanced External S-TAP feature options:
      • Override server IP - If you enter a hostname or server IP, override the server IP that is recorded for intercepted traffic in the Guardium appliance with this value.
      • SQLGuard Certificate Common Name - If you provide a common name (CN), the External S-TAP checks the specified CN against the certificate for the Guardium appliance before the External S-TAP connects. If the CN does not match, the External S-TAP cannot communicate with the Guardium appliance.
      • Guardium certificate authority path - Enter the path to the CA certificate that the External S-TAP uses to verify the connection to the Guardium appliance.
      • Number of packets within which to be required to have detected SSL - Specify whether to look for SSL within a session, as follows:
        • -1 - Detect SSL at any point during a session.
        • 0 - Do not attempt to detect SSL.
        • Any integer greater than 0 - Attempt to detect SSL within the specified number of packets per session.
  8. From the Summary page, review all of your settings, and then click Create to create this External S-TAP instance.
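Step 4 notes that choosing a NodePort that is already allocated makes the deployment fail and that kubectl shows which ports are taken. The following Python is an added example, not part of this IBM documentation or of External S-TAP: it parses the JSON that `kubectl get svc -A -o json` returns (a constructed sample is embedded so it runs offline) and reports whether a candidate port is free. It assumes the default Kubernetes NodePort range of 30000-32767; the function names and the sample service names are hypothetical.

```python
import json

# Assumed default NodePort range; a cluster can change it with the API
# server flag --service-node-port-range, so adjust if your site did.
NODEPORT_RANGE = (30000, 32767)

# Constructed sample of `kubectl get svc -A -o json` output: two services
# already hold NodePorts, and a ClusterIP service holds none.
SAMPLE_SVC_JSON = json.dumps({
    "items": [
        {"metadata": {"namespace": "default", "name": "web"},
         "spec": {"type": "NodePort",
                  "ports": [{"port": 80, "nodePort": 30080}]}},
        {"metadata": {"namespace": "guardium", "name": "estap-existing"},
         "spec": {"type": "LoadBalancer",
                  "ports": [{"port": 5432, "nodePort": 31000}]}},
        {"metadata": {"namespace": "default", "name": "kubernetes"},
         "spec": {"type": "ClusterIP", "ports": [{"port": 443}]}},
    ]
})

def allocated_node_ports(svc_json: str) -> dict:
    """Map every NodePort in use to the 'namespace/service' that owns it."""
    in_use = {}
    for item in json.loads(svc_json).get("items", []):
        meta = item["metadata"]
        for p in item.get("spec", {}).get("ports", []):
            if "nodePort" in p:  # ClusterIP ports carry no nodePort key
                in_use[p["nodePort"]] = f"{meta['namespace']}/{meta['name']}"
    return in_use

def check_node_port(candidate: int, svc_json: str) -> str:
    """Return 'free', 'in-use:<owner>' or 'out-of-range' for a candidate port."""
    lo, hi = NODEPORT_RANGE
    if not lo <= candidate <= hi:
        return "out-of-range"
    owner = allocated_node_ports(svc_json).get(candidate)
    return f"in-use:{owner}" if owner else "free"

if __name__ == "__main__":
    import subprocess, sys
    # Live use: replace the constructed sample with real kubectl output.
    live = subprocess.run(["kubectl", "get", "svc", "-A", "-o", "json"],
                          capture_output=True, text=True, check=True).stdout
    print(check_node_port(int(sys.argv[1]), live))
```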
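To show what the Proxy protocol expected setting in step 5 requires of each client connection, here is an added Python example (not External S-TAP code) that validates a PROXY protocol v1 line and strips it before the remaining bytes would be relayed to the back-end database; a stream that lacks the line is rejected, as the setting describes. The sample bytes, the function names and the dict layout are constructed for illustration.

```python
import ipaddress

PROXY_V1_MAX_LEN = 107  # longest valid v1 line including CRLF, per the spec

class ProxyHeaderError(ValueError):
    """The PROXY v1 line is missing or malformed: reject the connection."""

def strip_proxy_v1(stream: bytes):
    """Validate a PROXY v1 line at the start of `stream` and remove it.

    Returns (info, remainder): info describes the original client addresses
    (None for 'PROXY UNKNOWN'); remainder is what would be relayed onward.
    """
    end = stream.find(b"\r\n", 0, PROXY_V1_MAX_LEN)
    if not stream.startswith(b"PROXY ") or end == -1:
        raise ProxyHeaderError("PROXY v1 line missing; refusing connection")
    try:
        fields = stream[:end].decode("ascii").split(" ")
    except UnicodeDecodeError as e:
        raise ProxyHeaderError("PROXY line is not ASCII") from e
    remainder = stream[end + 2:]
    if fields[1] == "UNKNOWN":  # sender could not identify the client
        return None, remainder
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ProxyHeaderError(f"malformed PROXY line: {fields}")
    _, proto, src, dst, sport, dport = fields
    try:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        sport_i, dport_i = int(sport), int(dport)
    except ValueError as e:
        raise ProxyHeaderError(f"bad address or port: {e}") from e
    want = 4 if proto == "TCP4" else 6
    if src_ip.version != want or dst_ip.version != want:
        raise ProxyHeaderError("address family does not match TCP4/TCP6")
    if not (0 <= sport_i <= 65535 and 0 <= dport_i <= 65535):
        raise ProxyHeaderError("port out of range")
    info = {"proto": proto, "src": src, "dst": dst,
            "sport": sport_i, "dport": dport_i}
    return info, remainder

def is_rejected(stream: bytes) -> bool:
    """True when the connection would be dropped under Proxy protocol expected."""
    try:
        strip_proxy_v1(stream)
        return False
    except ProxyHeaderError:
        return True

# Constructed sample: a PROXY line from a load balancer, followed by the first
# bytes a PostgreSQL client sends (an 8-byte SSLRequest packet).
CONSTRUCTED_CLIENT_BYTES = (b"PROXY TCP4 198.51.100.7 10.0.0.5 54321 5432\r\n"
                            b"\x00\x00\x00\x08\x04\xd2\x16\x2f")
```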

Results

From the IBM Cloud Pak for Data console, you can now configure and use External S-TAPs to monitor your data with Guardium.

What to do next

After you provision an External S-TAP instance, add a connection from your database to the External S-TAPs. You can connect to any target database supported by Guardium External S-TAP. For more information about connecting to data sources, see Connecting to data sources. For information about supported data sources, see IBM Guardium System Requirements and Supported Platforms and select the System Requirements document for your Guardium version.