Configuring Db2 Exit

Edit online

The Db2® Exit module enables S-TAP® to monitor any Db2 database activities, whether encrypted or not and whether local or remote.

Before you begin

Trial:
  • This special trial (ISO file) is available for current and potential Db2 customers. It cannot be used for production purposes.
  • The trial license expires in 90 days from the point of installation of the license.
  • Trial clients can extend their trial for 1 more period of 90 days by applying for another trial license (with the approval of your IBM representative).
  • Previously accepted trial licenses that are expired continue to appear on the license page as accepted licenses.
  • You cannot use a regular Guardium® license in addition to this trial appliance.

About this task

This task covers Db2 Exit configuration for Unix. To configure for Windows™ instead, see this topic.
Remember: When you configure Exit libraries, set participate_in_load_balancing=1 and in the SQLGuard section, set num_main_thread up to a total of 10. The total value of num_main_thread should not exceed 10.

Procedure

  1. Log in as the Db2 instance user (db2inst1).
    [root@db2server# su - db2inst1
    [db2inst1@db2server ~]$ DB2_PATH=`db2 get dbm cfg | grep -i DFTDBPATH | awk -F' = ' '{print $2}'`

[db2inst1@db2server ~]$ mkdir $DB2_PATH/sqllib/security64/plugin/commexit

[db2inst1@db2server ~]$ ln -fs /usr/lib64/libguard_db2_exit_64.so $DB2_PATH/sqllib/security64/plugin/commexit/libguard_db2_exit_64.so
  2. Log in as the root user.
    [root@db2server ~]# /usr/local/guardium/modules/ATAP/current/files/bin/guardctl is-user-authorized db2inst1 
User 'db2inst1' is authorized.

[root@db2server ~]#
  3. Restart Db2.
    [db2inst1@db2server ~]$ db2stop 
03/14/2025 17:58:22 0 0 SQL1064N DB2STOP processing was successful. 
SQL1064N DB2STOP processing was successful. 

[db2inst1@db2server ~]$ db2start 
03/14/2025 17:58:27 0 0 SQL1063N DB2START processing was successful. 
SQL1063N DB2START processing was successful.
  4. Use setup_exit.sh to configure the inspection engine to use Db2 Exit.
    [root] /usr/local/guardium/modules/STAP/current/setup_exit.sh
    [root] /usr/local/guardium/modules/STAP/current/exit_health_check.sh
Script will do health check only by default, Please use setup_exit.sh to make correction.
Processing section DB_0
user db2inst1 is already authorized to guardium group
DB EXIT IE in DB_0 has a GOOD setup
  5. Restart S-TAP.
    ps -ef | grep -i tap
kill -9 <processID_of_guard_tapini>