Windows: Configuring the Db2 Exit library

The Db2 Exit mechanism enables Guardium to pick up all Db2 traffic, encrypted or not, local or remote. This solution simplifies the S-TAP configuration and provides native Db2 support.

About this task

Db2 Exit loads a Guardium library into Db2 through the Db2 communication exit (COMM_EXIT) mechanism. The library communicates directly with the Guardium S-TAP and forwards all Db2 traffic to it, encrypted or not, local and remote. Db2 Exit captures both TCP and shared-memory (SHM) traffic.

Db2 Exit supports the terminate (session termination) action.

The guard_tap.ini parameter DB2_PROTOCOLS (GIM parameter WINSTAP_DB2_PROTOCOLS) specifies which protocols the Db2 Exit picks up.
  • For unencrypted TCPIP traffic, you can keep the default value, LOCAL,PIPES,SSL (comma-separated, with no spaces between values). In this case, TCPIP traffic is picked up by the WFPMonitor driver rather than by Db2 Exit. However, WFPMonitor ignores encrypted traffic.
  • For encrypted TCPIP traffic, add TCPIP to DB2_PROTOCOLS so that Db2 Exit picks up the TCPIP traffic itself, encrypted sessions included. For example:
    DB2_PROTOCOLS=LOCAL,PIPES,SSL,TCPIP
Limitations
  • Db2 Exit does not support the firewall, redact, or query rewrite functions.
  • If you add TCPIP to DB2_PROTOCOLS, Db2 Exit captures TCPIP traffic on all ports, so you do not need to specify PORT_RANGE_START and PORT_RANGE_END in the Db2 Exit inspection engine.

    If you do not add TCPIP to DB2_PROTOCOLS, the WFPMonitor driver picks up the TCP traffic instead, and only the unencrypted part of it. In this case, the WFPMonitor driver uses PORT_RANGE_START and PORT_RANGE_END from the Db2 Exit inspection engine to decide which ports to monitor.
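The interplay above (TCPIP present means all ports and no port range; TCPIP absent means WFPMonitor, a required port range, and no encrypted TCP) is easy to get wrong when guard_tap.ini is edited by hand. The following PowerShell check is an added example, not part of the Guardium documentation or the S-TAP product. It assumes that DB2_PROTOCOLS and DB2_EXIT_DRIVER_INSTALLED live in the [TAP] section and that guard_tap.ini uses plain KEY=VALUE lines under [section] headers; the sample ini at the bottom is constructed for the demonstration.

```powershell
# Added example (not from the Guardium documentation): flag inconsistent
# DB2_PROTOCOLS / PORT_RANGE settings for DB2_EXIT inspection engines.
# Assumption: DB2_PROTOCOLS and DB2_EXIT_DRIVER_INSTALLED are read from [TAP].
function Test-Db2ExitProtocolConfig {
    param([Parameter(Mandatory)][string[]]$IniLines)

    # Minimal INI walk: remember the current [section] and collect KEY=VALUE pairs.
    $section = ''
    $tap     = @{}
    $engines = @{}
    foreach ($raw in $IniLines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';') -or $line.StartsWith('#')) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($line -match '^([^=]+)=(.*)$') {
            $key = $Matches[1].Trim(); $val = $Matches[2].Trim()
            if ($section -eq 'TAP') { $tap[$key] = $val }
            elseif ($section -like 'DB_*') {
                if (-not $engines.ContainsKey($section)) { $engines[$section] = @{} }
                $engines[$section][$key] = $val
            }
        }
    }

    $findings = New-Object System.Collections.Generic.List[string]

    # Documented default when the parameter is absent: LOCAL,PIPES,SSL.
    $protocols = if ($tap.ContainsKey('DB2_PROTOCOLS')) { $tap['DB2_PROTOCOLS'] } else { 'LOCAL,PIPES,SSL' }
    if ($protocols -match '\s') {
        $findings.Add("DB2_PROTOCOLS contains whitespace ('$protocols'); values must be comma-separated with no spaces")
    }
    $hasTcpip = ($protocols -split ',' | ForEach-Object { $_.Trim().ToUpper() }) -contains 'TCPIP'

    if ($tap['DB2_EXIT_DRIVER_INSTALLED'] -ne '1') {
        $findings.Add('TAP section: DB2_EXIT_DRIVER_INSTALLED is not 1; the S-TAP will not use Db2 Exit')
    }

    foreach ($name in $engines.Keys) {
        $e = $engines[$name]
        if ($e['DB_TYPE'] -ne 'DB2_EXIT') { continue }
        if (-not $e['INSTANCE_NAME']) { $findings.Add("${name}: INSTANCE_NAME is missing") }
        $hasRange = $e.ContainsKey('PORT_RANGE_START') -and $e.ContainsKey('PORT_RANGE_END')
        if ($hasTcpip) {
            # Db2 Exit captures every port itself; a port range is dead configuration.
            if ($hasRange) { $findings.Add("${name}: TCPIP is in DB2_PROTOCOLS, so Db2 Exit captures all ports and PORT_RANGE_START/END are ignored") }
        } else {
            # TCP comes from WFPMonitor: encrypted sessions are invisible, and it needs the port range.
            $findings.Add("${name}: TCPIP is not in DB2_PROTOCOLS, so TCP traffic comes from WFPMonitor, which does not see encrypted TCP sessions")
            if (-not $hasRange) { $findings.Add("${name}: WFPMonitor needs PORT_RANGE_START and PORT_RANGE_END, which are not set") }
        }
    }
    return $findings
}

# Constructed sample: default protocols (no TCPIP) and no port range on the Db2 Exit engine.
$sample = @'
[TAP]
DB2_EXIT_DRIVER_INSTALLED=1
DB2_PROTOCOLS=LOCAL,PIPES,SSL

[DB_DB2_EXIT1]
DB_TYPE=DB2_EXIT
INSTANCE_NAME=DB2-01-0
'@ -split '\r?\n'

Test-Db2ExitProtocolConfig -IniLines $sample | ForEach-Object { Write-Output "WARN: $_" }
```

Run it against the real file with `Test-Db2ExitProtocolConfig -IniLines (Get-Content 'C:\path\to\guard_tap.ini')` (path is a placeholder). On the constructed sample it reports that TCP traffic will come from WFPMonitor without encrypted sessions, and that the port range WFPMonitor depends on is missing.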

Procedure

  1. For each instance, create a folder within the Db2 SQLLIB folder: $DB2PATH\security\plugin\commexit\instance_name. For example, C:\Program Files\IBM\SQLLIB\security\plugin\commexit\DB2_01
  2. Copy the matching DLL from the S-TAP® installation directory into each created directory:
    • For 32-bit Db2 - GuardiumInterfacex86.dll
    • For 64-bit Db2 - GuardiumInterfacex64.dll
  3. Stop the Db2 instance, or instances, and issue the following command (the library is named without its .dll extension):
    • For 32-bit - db2 UPDATE DBM CFG USING COMM_EXIT_LIST GuardiumInterfacex86
    • For 64-bit - db2 UPDATE DBM CFG USING COMM_EXIT_LIST GuardiumInterfacex64
  4. Start the Db2 instances.
  5. Add an inspection engine for Db2 Exit, with protocol Db2 Exit: go to Manage > Activity Monitoring > S-TAP Control. See the parameter descriptions in Protocols 7 and 8 Inspection engine parameters. Advanced users can also edit guard_tap.ini directly, but the GUI is preferable because it fills in some of the information automatically and validates the result. If you edit guard_tap.ini, set these parameters:
    [DB_DB2_EXIT1]
    DB_TYPE=DB2_EXIT
    INSTANCE_NAME=Service_name

    In the TAP section, set DB2_EXIT_DRIVER_INSTALLED=1.

    The value of INSTANCE_NAME is derived from the Windows service name, which is not the Db2 instance name. You can find the service name with the db2tap utility in the S-TAP installation folder, or in the Control Panel. Set INSTANCE_NAME to the portion of the service name that follows the second dash ( - ) delimiter. For example, if the service name in the Control Panel is DB2 - DB2COPY1 - DB2-01-0, set INSTANCE_NAME to DB2-01-0.
  6. To stop Db2 Exit, issue the following command, and then restart Db2:
    db2 UPDATE DBM CFG USING COMM_EXIT_LIST NULL
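Steps 1 to 4 and 6, plus the INSTANCE_NAME derivation from step 5, as one PowerShell script. This is an added example and is not code from the Guardium documentation or from the S-TAP product. It assumes that Db2 CLP commands are run through `db2cmd /c /w /i` (a Db2 command window that inherits the environment and exits when the command finishes), that db2cmd propagates the command's return code to `$LASTEXITCODE`, and that the S-TAP directory contains GuardiumInterfacex86.dll and GuardiumInterfacex64.dll as listed above. The function names, the `-Bitness` parameter and the S-TAP path placeholder are this example's own.

```powershell
# Added example (not from the Guardium documentation): automate the Db2 Exit
# procedure. Assumptions: db2cmd /c /w /i runs one CLP command and returns its rc;
# DB2INSTANCE in the environment selects the instance the command acts on.
function Invoke-Db2Clp {
    # Run a single Db2 CLP command for one instance; stop on a non-zero return code.
    param([Parameter(Mandatory)][string]$Instance, [Parameter(Mandatory)][string]$Command)
    $env:DB2INSTANCE = $Instance
    & db2cmd /c /w /i db2 $Command.Split(' ')
    if ($LASTEXITCODE -ne 0) { throw "db2 $Command failed for instance $Instance (rc=$LASTEXITCODE)" }
}

function Get-Db2ExitInstanceName {
    # INSTANCE_NAME for guard_tap.ini is the part of the service name after the second
    # " - " delimiter, e.g. "DB2 - DB2COPY1 - DB2-01-0" -> "DB2-01-0".
    param([Parameter(Mandatory)][string]$ServiceDisplayName)
    $parts = $ServiceDisplayName -split ' - ', 3
    if ($parts.Count -ne 3) { throw "Unexpected Db2 service name: '$ServiceDisplayName'" }
    return $parts[2]
}

function Install-GuardiumDb2Exit {
    param(
        [Parameter(Mandatory)][string]$Db2Path,   # e.g. 'C:\Program Files\IBM\SQLLIB'
        [Parameter(Mandatory)][string]$Instance,  # Db2 instance name, e.g. 'DB2_01' (commexit folder name)
        [Parameter(Mandatory)][string]$StapDir,   # S-TAP installation directory holding the DLLs
        [Parameter(Mandatory)][ValidateSet('x86', 'x64')][string]$Bitness,
        [switch]$Remove                           # step 6: clear COMM_EXIT_LIST instead of installing
    )
    $lib    = "GuardiumInterface$Bitness"
    $target = Join-Path $Db2Path "security\plugin\commexit\$Instance"

    # Step 3 (first half) / step 6: the instance must be down before the change.
    # 'stop database manager' fails while applications are connected; add FORCE only deliberately.
    Invoke-Db2Clp -Instance $Instance -Command 'stop database manager'
    if ($Remove) {
        Invoke-Db2Clp -Instance $Instance -Command 'update dbm cfg using COMM_EXIT_LIST NULL'
    } else {
        # Steps 1 and 2: per-instance commexit folder and the DLL matching the Db2 bitness.
        New-Item -ItemType Directory -Path $target -Force | Out-Null
        Copy-Item -Path (Join-Path $StapDir "$lib.dll") -Destination $target -Force
        # Step 3: register the library by name, without the .dll extension.
        Invoke-Db2Clp -Instance $Instance -Command "update dbm cfg using COMM_EXIT_LIST $lib"
    }
    # Step 4: bring the instance back up so the exit is loaded (or unloaded).
    Invoke-Db2Clp -Instance $Instance -Command 'start database manager'
}

function New-Db2ExitIniSection {
    # Step 5 helper: the [DB_DB2_EXITn] lines for guard_tap.ini, derived from the service name.
    param([Parameter(Mandatory)][string]$ServiceDisplayName, [int]$Index = 1)
    $name = Get-Db2ExitInstanceName -ServiceDisplayName $ServiceDisplayName
    return @("[DB_DB2_EXIT$Index]", 'DB_TYPE=DB2_EXIT', "INSTANCE_NAME=$name")
}

# Usage. Db2 service display names can be listed with: Get-Service -DisplayName 'DB2 - *'
# (the S-TAP path below is a placeholder, not a documented default).
# Install-GuardiumDb2Exit -Db2Path 'C:\Program Files\IBM\SQLLIB' -Instance 'DB2_01' `
#     -StapDir 'C:\Path\To\STAP' -Bitness x64
# New-Db2ExitIniSection -ServiceDisplayName 'DB2 - DB2COPY1 - DB2-01-0'
# Install-GuardiumDb2Exit ... -Remove      # step 6: detach the exit and restart
```

Two names are easy to confuse here: `-Instance` is the Db2 instance name that names the commexit folder and selects the instance for the CLP commands, while `New-Db2ExitIniSection` produces the service-derived value that guard_tap.ini expects in INSTANCE_NAME. The generated lines still need DB2_EXIT_DRIVER_INSTALLED=1 in the TAP section, which the GUI sets for you.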