Windows: Configuring the Db2 Exit library
The Db2 Exit mechanism enables Guardium to pick up all Db2 traffic, whether encrypted or not and whether local or remote. This solution simplifies the S-TAP configuration, and provides native Db2 support.
About this task
Db2 Exit embeds a Guardium library into Db2 by using the Db2 Exit mechanism. The Db2 Exit communicates directly with the Guardium S-TAP to forward all Db2 traffic, whether encrypted or not, and both local and remote. Db2 Exit captures TCP and SHM traffic.
Db2 Exit supports terminate.
The guard_tap.ini DB2_PROTOCOLS and WINSTAP_DB2_PROTOCOLS GIM parameters specify the protocols that the Db2 Exit picks up.
- For unencrypted TCPIP traffic, you can use the default value, which is LOCAL,PIPES,SSL (with no spaces between values). In this case, TCPIP traffic is picked up from the WFP Monitor driver. However, WFP Monitor ignores encrypted traffic.
- For encrypted TCPIP traffic, add TCPIP to DB2_PROTOCOLS so that the encrypted traffic is picked up, for example:
  DB2_PROTOCOLS=LOCAL,PIPES,SSL,TCPIP
Limitations
- Db2 Exit does not support the firewall, redact, or query rewrite functions.
- If you add TCPIP to DB2_PROTOCOLS, Db2 Exit captures TCPIP traffic on all ports. In this case, you do not need to specify PORT_RANGE_START and PORT_RANGE_END in the Db2 Exit inspection engine. However, if you do not specify TCPIP in DB2_PROTOCOLS, the WFPMonitor driver picks up TCP traffic. In this case, the WFPMonitor driver refers to PORT_RANGE_START and PORT_RANGE_END in the Db2 Exit inspection engine.
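Example (added here, not part of the Guardium product or its documentation): a small offline check that reads DB2_PROTOCOLS from guard_tap.ini text and reports which component captures TCP traffic and whether encrypted TCPIP traffic is covered, following the rules above. The section name in the sample, the function names, and the exact-case comparison of values are assumptions.

```python
import re

# Values this page shows for DB2_PROTOCOLS; anything else is only flagged.
PAGE_VALUES = {"LOCAL", "PIPES", "SSL", "TCPIP"}

# Constructed samples: only the DB2_PROTOCOLS key and its values come from the
# page; the section name is a placeholder, not a real guard_tap.ini section.
SAMPLE_DEFAULT = "[EXAMPLE_SECTION]\nDB2_PROTOCOLS=LOCAL,PIPES,SSL\n"
SAMPLE_WITH_TCPIP = "[EXAMPLE_SECTION]\nDB2_PROTOCOLS=LOCAL, PIPES,SSL,TCPIP\n"


def read_db2_protocols(ini_text):
    """Return the DB2_PROTOCOLS value from guard_tap.ini text, or None if absent."""
    for line in ini_text.splitlines():
        # Anchored at line start, so WINSTAP_DB2_PROTOCOLS does not match.
        m = re.match(r"\s*DB2_PROTOCOLS\s*=(.*)$", line)
        if m:
            return m.group(1).strip()
    return None


def audit_db2_protocols(raw):
    """Describe TCP capture for one DB2_PROTOCOLS value, per the rules on this page."""
    findings = []
    if re.search(r"\s", raw):
        findings.append("value contains spaces; use no spaces between values")
    values = [v.strip() for v in raw.split(",") if v.strip()]
    unknown = sorted(set(values) - PAGE_VALUES)
    if unknown:
        findings.append("values not shown on this page: " + ",".join(unknown))
    tcpip = "TCPIP" in values  # assumption: values are compared in exact case
    return {
        "values": values,
        # With TCPIP listed, Db2 Exit captures TCPIP traffic on all ports;
        # otherwise the WFP Monitor driver does and ignores encrypted traffic.
        "tcp_captured_by": "Db2 Exit" if tcpip else "WFP Monitor driver",
        "encrypted_tcpip_captured": tcpip,
        # PORT_RANGE_START/PORT_RANGE_END matter only on the WFP Monitor path.
        "port_range_consulted": not tcpip,
        "findings": findings,
    }


if __name__ == "__main__":
    for name, text in (("default", SAMPLE_DEFAULT), ("with TCPIP", SAMPLE_WITH_TCPIP)):
        print(name, audit_db2_protocols(read_db2_protocols(text)))
```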