Linux-UNIX: Configuring Db2 Exit
The Db2® Exit module enables S-TAP to monitor any Db2 database activities, whether encrypted or not and whether local or remote. It does not require A-TAP or K-TAP.
About this task
Db2 Exit embeds a Guardium® library into the Db2 database and communicates with the S-TAP with a Guardium shared library.
By default, Guardium supports up to 10 total Exit inspection engines (combined total of all Exit types). If you use more than one type of Exit, the combined maximum is 10. For more information, see the exit_libs_num_threads parameter in Linux-UNIX: General parameters.
- libguard_db2_exit_64.so
- libguard_db2_exit_32.so (available for RHEL6 on the i686 CPU only)
The S-TAP copies libraries in the standard library paths:
- Shell Installation - <guardium_installation_directory>/guard_stap
- GIM Installation - <guardium_installation_directory>/modules/STAP/current/files
And then creates links. For example:
- /usr/lib64/libguard_db2_exit_64.so -> libguard_db2_64.so.<release number>
- /usr/lib/libguard_db2_exit_32.so -> libguard_db2_32.so.<release number>
The digits after .so. reflect the release number. These digits were introduced in V10.6. (In previous releases, library files do not include release numbers.)
The Guardium support matrix details exactly what Db2 Exit can monitor.
If you are not monitoring another database, then K-TAP is not required. Set ktap_installed=0 in guard_tap.ini or, with GIM, set ktap_enabled to no. You can upgrade the Linux OS and the S-TAP without being concerned about K-TAP module compatibility. However, if you are monitoring another database with S-TAP, then K-TAP is required. Ensure that a compatible K-TAP module is available when you upgrade your Linux version.
When you upgrade S-TAP from 10.6.0.0 and higher, database restart is not required. You can upgrade S-TAP while the database is running. The EXIT library from the previous version is used until you restart the database. When you restart the database, it starts by using the updated exit library on the S-TAP. However, if the new library addresses any issues you are waiting for, you must restart the database.
Use the Db2 Exit health check script to gather information from the Db2 server when you configure the Db2 inspection engines. The script is located in the guard_stap bin directory. You can run it from anywhere with the full path. The script name is ./db2_exit_health_check.sh [ check | fix ]. By default it outputs some of the IE parameters for each DB2_EXIT inspection engine, and runs checks on the IE configuration. Use the fix option to fix the IE parameters.
- Create a local group called guardium with the same group ID (when you authorize the DB user it is added to this group).
- Add the guardium group ID (GID) to the DB user in /etc/passwd.
In a GIM installation, you still need to authorize the DB user.
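The library link, the ktap_installed setting and the guardium group membership described above can each be confirmed with a read-only check. The following shell functions are an added example, not part of the Guardium documentation or of db2_exit_health_check.sh. The function names, the db2inst1 user, the GIDs and the 0000 release suffix are constructed, and the group check assumes membership may be either the GID field in the passwd file or the member list in the group file.

```shell
# Added example (not IBM's script): read-only checks for the Db2 Exit prerequisites.
# Function names and all fixture values are constructed for illustration.

# Print the release suffix a Db2 Exit link resolves to, e.g.
# libguard_db2_exit_64.so -> libguard_db2_64.so.<release number>.
# Fails if the path is not a symlink, is dangling, or has nothing after ".so.".
exit_lib_release() {
    [ -L "$1" ] && [ -e "$1" ] || return 1
    target=$(readlink "$1") || return 1
    case "$target" in
        *.so.?*) printf '%s\n' "${target##*.so.}" ;;
        *) return 1 ;;
    esac
}

# Print the value of key $2 in ini file $1 (last assignment wins).
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Succeed if user $1 belongs to group $2, given passwd file $3 and group file $4:
# either the user's GID field matches, or the user is in the group's member list.
user_in_group() {
    gid=$(awk -F: -v g="$2" '$1 == g { print $3; exit }' "$4")
    [ -n "$gid" ] || return 1
    awk -F: -v u="$1" -v gid="$gid" '$1 == u && $4 == gid { ok = 1 } END { exit !ok }' "$3" && return 0
    awk -F: -v u="$1" -v g="$2" '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 } END { exit !ok }' "$4"
}

# Constructed fixture so the checks run offline. On a real server, point the
# functions at /usr/lib64, guard_tap.ini, /etc/passwd and /etc/group instead.
make_fixture() {
    d=$(mktemp -d) || return 1
    : > "$d/libguard_db2_64.so.0000"
    ln -s libguard_db2_64.so.0000 "$d/libguard_db2_exit_64.so"
    ln -s libguard_db2_64.so.9999 "$d/dangling_exit_64.so"
    printf 'ktap_installed=0\n' > "$d/guard_tap.ini"
    printf 'db2inst1:x:1001:2001::/home/db2inst1:/bin/sh\n' > "$d/passwd"
    printf 'guardium:x:2001:\n' > "$d/group"
    printf '%s\n' "$d"
}

# Demo on the fixture.
fx=$(make_fixture)
echo "exit lib release: $(exit_lib_release "$fx/libguard_db2_exit_64.so")"
echo "ktap_installed:   $(ini_value "$fx/guard_tap.ini" ktap_installed)"
user_in_group db2inst1 guardium "$fx/passwd" "$fx/group" && echo "db2inst1 is in guardium"
rm -rf "$fx"
```

A dangling link is worth catching after an S-TAP upgrade, because the database keeps using the previous exit library until it is restarted.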