Linux-UNIX: Configuring the S-TAP for Cloudera

Configure the S-TAP® to establish communication between the Guardium system and Cloudera Navigator that uses a Kafka cluster.

About this task

You can also configure the S-TAP directly in the guard_tap.ini file. Restart the S-TAP for the configuration to take effect.

Procedure

  1. Browse to Setup > Tool and Views > Hadoop Monitoring and then click the add icon in the Add cluster information tile.
  2. Select Cloudera as the Hadoop distribution.
  3. Select an S-TAP that is connected to the Guardium system in the S-TAP host name drop-down list.
  4. Enter the Kafka details.
    • Group name. The name of the Kafka consumer group you want this S-TAP to be a part of.
    • Topic name for the Kafka cluster. Unless this setting was changed in the Kafka cluster configuration settings, use the default NavigatorAuditEvents. For more information about configuring the Kafka cluster, see the Cloudera documentation.
    • Bootstrap servers. One or more Kafka nodes to take the initial connection from the Guardium S-TAP. Both host name and port are required for each server. Any nodes that are leaders of a partition for the topic can handle consumer requests. For the initial connections, it's best to specify more than one server to provide a failover in case one of the bootstrap servers is down.
    • LD library path. Path to the directory that contains the guard_stap binary, so that the S-TAP knows which libraries to load. (For example, /usr/local/guardium/guard_stap or /usr/local/modules/STAP/current.)
  5. If your Kafka cluster is configured with TLS, check Enable TLS.
    Restriction: Guardium does not support Kafka clusters that are configured to require SSL client authentication.
    • SSL CA path. Required parameter for TLS. Path to a PEM-format file that contains the certificate used to verify the Kafka broker’s certificate. A single file can contain multiple certificates.
  6. If the Kafka cluster requires Kerberos authentication, check Use Kerberos, and enter the Kerberos details.
    • Principal. The Kerberos principal name for the S-TAP. For example, guardium/FullyQualifiedDomainName@kerberosDomain
    • Path to keytab file. The full path to the Kerberos keytab file on the S-TAP server. For example, /etc/krb.keytab. Verify that the keytab is owned by the S-TAP user and group, and is readable only by that user.
  7. Click Save.
    The NavigatorAuditEvents pop-up opens, showing that monitoring is enabled. If the S-TAP status is not green, investigate its status.
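
A preflight check for the values entered in steps 4 through 6, as an added example that is not part of the Guardium documentation: it confirms that each bootstrap server has a host and port, that the SSL CA file contains complete PEM certificate blocks, and that the keytab has the expected owner with no group or other access. It assumes a Linux host with GNU stat; the function names and the user:group argument are illustrative.

```shell
#!/bin/sh
# Added example: preflight checks for the values entered in steps 4 to 6.
# Assumes GNU stat (Linux); function names are illustrative, not Guardium's.

# Bootstrap servers: every comma-separated entry needs host and port.
# Prints the server count. The subshell body keeps IFS and set -f local.
check_bootstrap() (
    IFS=,; set -f; n=0
    for entry in $1; do
        case "$entry" in *:*) ;; *) echo "missing port: $entry" >&2; exit 1 ;; esac
        host=${entry%:*}; port=${entry##*:}
        [ -n "$host" ] || { echo "missing host: $entry" >&2; exit 1; }
        case "$port" in ''|*[!0-9]*) echo "bad port: $entry" >&2; exit 1 ;; esac
        n=$((n + 1))
    done
    [ "$n" -ge 1 ] || exit 1
    if [ "$n" -eq 1 ]; then echo "warning: one server, no failover" >&2; fi
    echo "$n"
)

# SSL CA path: file must hold at least one complete PEM certificate block.
# Structural check only; prints the number of certificates found.
check_ca_pem() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    begin=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
    end=$(grep -c -- '-----END CERTIFICATE-----' "$1" || true)
    [ "$begin" -ge 1 ] && [ "$begin" -eq "$end" ] || return 1
    echo "$begin"
}

# Keytab: $2 is the expected owner as user:group (the S-TAP user and group).
# Passes only if the owner matches and group/other have no permissions.
check_keytab() {
    [ -f "$1" ] || { echo "no such file: $1" >&2; return 1; }
    owner=$(stat -c '%U:%G' "$1")
    mode=$(stat -c '%a' "$1")
    [ "$owner" = "$2" ] || { echo "owner $owner, expected $2" >&2; return 1; }
    case "$mode" in
        [4-7]00) return 0 ;;
        *) echo "mode $mode is too permissive or unreadable" >&2; return 1 ;;
    esac
}

# Usage: sh preflight.sh <bootstrap-list> <ca.pem> <keytab> <user:group>
if [ "$#" -eq 4 ]; then
    check_bootstrap "$1" >/dev/null && check_ca_pem "$2" >/dev/null &&
        check_keytab "$3" "$4" && echo "preflight OK"
fi
```

Run it on the S-TAP host before you click Save; a single bootstrap server passes with a warning because it leaves no failover.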