Linux-UNIX: Oracle considerations for A-TAP
A-TAP Procedure when working with Oracle Patch Installations
Oracle patches may invoke relink and will replace the Oracle executable, causing the A-TAP to stop functioning.
The correct procedure is:
- Make sure all A-TAP instances are deactivated and deinstrumented.
- Apply Oracle patch(es).
- Instrument and activate all A-TAP instances.
However, in case A-TAP was not properly deactivated prior to Oracle patch installation, DO NOT try to deactivate it after patch installation. Instead follow these steps:
- Check if A-TAP IS OK:
grep guardium $ORACLE_HOME/bin/oracle >& /dev/null && echo "ATAP IS OK"
- If ATAP IS OK is displayed, the A-TAP is still active and there is no need to do anything.
- If ATAP IS OK is NOT displayed, remove $ORACLE_HOME/bin/oracle-guard and activate the A-TAP.
In case everything else fails:
- Remove $ORACLE_HOME/bin/oracle-guard
- Run relink all
A-TAP Problems And Solutions associated with Oracle Permissions
Several problems may occur that have to do with user and group permissions.
- In 'BEQUEATH' access from a user other than the one that installed the database, the permissions have to be set manually:
- Add the user running sqlplus to group 'guardium'.
- Open the read permissions with 'chmod a+rx' on the following two directories:
/usr/local/guardium/xxx/etc/guard
/usr/local/guardium/xxx/etc/guard/executor
- Make sure that the SUID and SGID bits are on ${ORACLE_HOME}/bin/oracle.
- If not, run the command chmod ug+s ${ORACLE_HOME}/bin/oracle
- If the UID or EUID is not a member of the OWNER group GID, permission is denied because the user matching the UID or EUID does not belong to the group matching the OWNER GID.
- To make this easier, without having to handle different OS syntaxes for adding users and groups while disabling the automatic addition to group Guardium, two commands are available within guardctl. They can be used irrespective of the method you use to activate ATAP (i.e. guardctl or guard_tap.ini):
- # /path/to/guardium/bin/guardctl is-user-authorized
- # /path/to/guardium/bin/guardctl authorize-user ...
Note: Group Guardium can be removed on most operating systems with groupdel guardium. However, after removal, only the guard_ktap_loader parameter can correctly re-create it and change the K-TAP device permissions.
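The post-patch check and the SUID/SGID check described above, combined into one read-only shell helper. This is an added example, not IBM's or this page's own code: the function names and state words are assumptions, and it only reports the next step from the procedure without changing anything.

```shell
#!/bin/sh
# Added example: read-only A-TAP health check for one Oracle home.
# Function names and state words are assumptions, not Guardium output.

# atap_state ORACLE_HOME -> prints one of:
#   active      "guardium" found in bin/oracle (the page's "ATAP IS OK" test)
#   stale-guard not instrumented, and bin/oracle-guard was left behind
#   inactive    not instrumented, no leftover bin/oracle-guard
#   missing     bin/oracle does not exist
atap_state() {
    bin="$1/bin/oracle"
    [ -f "$bin" ] || { echo missing; return 0; }
    if grep -q guardium "$bin" 2>/dev/null; then
        echo active
    elif [ -e "$1/bin/oracle-guard" ]; then
        echo stale-guard
    else
        echo inactive
    fi
}

# suid_sgid_ok ORACLE_HOME -> status 0 only if both bits are set on bin/oracle
suid_sgid_ok() {
    [ -u "$1/bin/oracle" ] && [ -g "$1/bin/oracle" ]
}

# atap_report ORACLE_HOME -> prints the next step from the procedure above
atap_report() {
    case "$(atap_state "$1")" in
        active)      echo "ATAP IS OK: nothing to do" ;;
        stale-guard) echo "remove $1/bin/oracle-guard, then activate the A-TAP" ;;
        inactive)    echo "activate the A-TAP (no leftover oracle-guard found)" ;;
        missing)     echo "no oracle executable under $1/bin" ;;
    esac
    suid_sgid_ok "$1" || echo "SUID/SGID not both set: chmod ug+s $1/bin/oracle"
}

# Report only when ORACLE_HOME is set in the calling environment.
[ -z "${ORACLE_HOME:-}" ] || atap_report "$ORACLE_HOME"
```

Run it as the Oracle software owner after a patch; a stale-guard result corresponds to the case where A-TAP was not deactivated before the patch.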