External S-TAP requirements
To use External S-TAP® with your Guardium® system, your site must meet the following requirements.
For more information about supported platforms for External S-TAP, see IBM Guardium System Requirements and Supported Platforms.
For advanced users, you can redirect the clients to the External S-TAP by adjusting the DNS resolution. If you change the DNS resolution, be sure to use the DNS name that is visible to the client (that is, the name of the database server).
The External S-TAP can only listen to one port per container.
External S-TAP supports both unencrypted (plaintext) and SSL/TLS-encrypted session flows. Other types of encrypted workflows (such as TDGSS and Oracle Native Encryption) are not supported.
If the External S-TAP container host is an on-premises or virtual machine, the host must meet the following requirements:
- An x86_64 processor.
- Minimum RAM memory 500 MB and 2 GB storage.
- Linux® kernel version 3.10 or higher (latest is recommended).
- Iptables 1.4 or higher.
- Docker Desktop.
- Ability to use UNIX domain sockets. Important: For on-premises installations, it is recommended that you enable pubkey authentication for the user who starts the containers on the host systems. The deployment script calls ssh for the host systems multiple times; pubkey authentication simplifies the process.
- For Kubernetes, configure the storage to appear inside any containers at /persistent. For more information, see Deploy External S-TAP window.
- For container_mgmt.sh, use the --persistent flag to specify the name of the Docker volume to use. For more information, see --persistent in External S-TAP deployment scripts.
In addition, all installations, either on-premises or in the cloud, must meet the following requirements:
- For Docker, make sure that the installing user has the necessary privileges to create a container across systems.
- Ensure that network access is available to the IBM Cloud Container Registry (icr.io) where IBM releases the External S-TAP images.
- Using TCP, database clients must be able to connect to the External S-TAP host and the External S-TAP host must be able to connect to the database server.
- Locate all External S-TAP hosts in the network topology in such a way that they can be placed between the client and database host. Ideally, the latency between the client, the External S-TAP host, and the database service is as brief as possible.
- Be sure that access to the External S-TAP host is secured.
- Docker uses the kernel core pattern of the host to determine where to place core files. On some
systems, the default path is not appropriate from the container's perspective. To make sure that
core files are stored correctly, use the following
pattern:
'/tmp/core.%t.%e.%p'
For example, on the External S-TAP host where a container runs, enter the following command to set the core pattern:echo '/tmp/core.%t.%e.%p' | sudo tee /proc/sys/kernel/core_pattern'
<External-IP> <your DB host>
- For Windows, add this entry to
\windows\system32\drivers\etc\hosts
. - For Linux or UNIX, add this entry to
/etc/hosts
.