The S-TAP software is a shell script that you must run from IBM i, within the Portable
App Solutions Environment (PASE). Take the following steps to upload the S-TAP software
to the IBM i Integrated File System (IFS) and then install it.
Before you begin
- Review the minimum requirements from the following location: Guardium and Db2 for i -
technical resources
- Review the Db2 for IBM i PTF Group Schedule for your version of IBM i: Db2 for i -
Technology Updates.
- Make sure that you have the following special authorities: *ALLOBJ, *JOBCTL, and *SECADM.
- Verify that license program 5722SS1-33 Portable App Solutions Environment (PASE) is installed on
your IBM i system.
- If you use FTP to upload S-TAP software to IFS, ensure that you have access to the 5250 emulator
software to connect to the IBM i system remotely. To use the IBM i Access Client Solutions (ACS)
tool, download ACS from the following location: IBM i Access Client Solutions.
- Download the S-TAP for the IBM i platform.
- Identify the IP address of the Guardium® system to which this S-TAP connects.
- Ensure that the following ports are open between the Guardium system and IBM i:
- Port 446: the default port for data source connectivity via JDBC.
- Port 16016: the port for sending encrypted traffic to the Guardium collector.
Note: In general, connections to the following IBM i ports are required:
- 449
- 446/448(TLS/SSL)
- 8471/9471(TLS/SSL)
- 8476/9476(TLS/SSL)
However, depending on the version of the IBM i server and the version of the
jt400.jar JDBC driver that Guardium uses, the required ports might vary. See
the IBM i documentation to check the IBM i well-known ports. For more information about port
requirements for IBM i, see TCP/IP Ports Required for IBM i Access and Related Functions.
- Use the IBM i Verify TCP/IP Connection (PING) command to verify that IBM i can establish a
TCP/IP connection to the IP of the Guardium
system that the S-TAP must communicate with.
Procedure
- Upload the S-TAP software to the IBM i Integrated File System (IFS) by using FTP or the
graphical IBM i Access Client Solutions (ACS) tool.
To upload via FTP, use the following steps:
- Use the 5250 emulator software to connect to IBM i remotely and enter the following command to
open the PASE shell: call qp2term.
- In the PASE shell environment on the IBM i, create a temporary directory to store the S-TAP
installation script. Example: /tmp/username.
- Use the Start TCP/IP File Transfer (FTP) command and move the S-TAP installation shell script to
that temporary directory.
To upload by using ACS, use the following steps:
- Within the ACS tool, use the IFS to create a temporary directory and navigate to it.
- Use the GUI to select and upload the S-TAP software.
- In the temporary directory, run the following command:
<S-TAP_shell_script.sh> --sqlguardip <guardium_host_IP> -u | -overwrite-existing [--tls force | none]
Where:
- --sqlguardip: a mandatory parameter that indicates the IP address of the
Guardium system with which the S-TAP communicates.
- If an IBM i S-TAP installation exists, you must enter one of the following parameters:
- -u: an optional parameter to keep the existing configuration parameters and
update the S-TAP configuration with the parameters that were entered in the command.
- -overwrite-existing: an optional parameter to overwrite the existing
installation and create a new guard_tap.ini file with default parameters.
- --tls force: an optional parameter to use TLS encryption. If a secure
protocol cannot be obtained when you connect, the S-TAP can fall back to using a nonsecure
protocol.
- --tls none: an optional parameter to indicate that the connection is not
encrypted. This parameter is selected by default if TLS is not specified.
The program installs in the following location:
/usr/local/guardium.
- Optional: Installing the S-TAP not only installs the necessary components and
configurations, but also starts the S-TAP with the factory default configuration.
Therefore, the S-TAP immediately starts capturing all database activity for all users and processes.
You can stop the S-TAP immediately after installation, establish filtering rules, and then restart
the S-TAP.
To stop the S-TAP, use the IBM i Run SQL command. For example:
RUNSQL SQL('CALL SYSPROC/SYSAUDIT_END( )') COMMIT(*NONE)
Tip: You must establish a filtering rule that matches your database activity monitoring
strategy and requirements. As an example, if you use only the Guardium policy to establish
filtering, the S-TAP on IBM i might transfer and store more activity details than needed on the
Guardium collector.
- On the Guardium
system's GUI, go to and confirm that the S-TAP
status is green. A green status indicates that the S-TAP is communicating with the collector. If the
S-TAP monitor is not showing green, review the details within the following IFS stream files:
- /usr/local/guardium/install_out.txt
- /usr/local/guardium/guard_itap.stderr.1.txt
Tip: You can ignore the Inspection Engine status column. Inspection engines are not used
for Db2 for i S-TAP.
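
The installation command in the procedure above, as an added example that is not part of the IBM documentation or product code: a POSIX shell helper that assembles the command line from the documented parameters, refuses a fresh install over an existing one, and asks for TLS explicitly because the installer defaults to `--tls none`. The function name, the mode keywords, the STAP_HOME variable, the IPv4-only address check, and treating the presence of the install directory as the sign of an existing installation are assumptions.

```shell
#!/bin/sh
# Added example, not IBM code: build the S-TAP install command from the
# parameters documented on this page. All names here are hypothetical.
STAP_HOME=${STAP_HOME:-/usr/local/guardium}   # install location per the page

# usage: build_stap_install_cmd <script> <guardium_ip> <fresh|update|overwrite> [force|none]
build_stap_install_cmd() {
    script=$1 ip=$2 mode=$3 tls=${4:-force}   # assumption: ask for TLS when unspecified

    case $script in
        ''|*[!A-Za-z0-9._/-]*) echo "unsafe script name: '$script'" >&2; return 2 ;;
    esac

    # --sqlguardip is mandatory. Assumption: a dotted-quad IPv4 address.
    case $ip in
        ''|*[!0-9.]*|*..*|.*|*.) echo "invalid Guardium IP: '$ip'" >&2; return 2 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || { echo "invalid Guardium IP: '$ip'" >&2; return 2; }
    for octet in "$@"; do
        { [ ${#octet} -le 3 ] && [ "$octet" -le 255 ]; } ||
            { echo "invalid Guardium IP: '$ip'" >&2; return 2; }
    done

    # An existing installation requires -u or -overwrite-existing.
    # Assumption: the presence of $STAP_HOME indicates an existing installation.
    case $mode in
        fresh)     flag=
                   [ ! -d "$STAP_HOME" ] ||
                       { echo "existing install: choose update or overwrite" >&2; return 3; } ;;
        update)    flag=' -u' ;;
        overwrite) flag=' -overwrite-existing' ;;
        *)         echo "mode must be fresh, update or overwrite" >&2; return 2 ;;
    esac

    case $tls in
        force) ;;   # per the page, a fallback to a nonsecure protocol is still possible
        none)  echo "warning: --tls none leaves the collector connection unencrypted" >&2 ;;
        *)     echo "tls must be force or none" >&2; return 2 ;;
    esac

    printf '%s --sqlguardip %s%s --tls %s\n' "$script" "$ip" "$flag" "$tls"
}
```

Review the printed line before running it from the temporary directory that holds the installation script.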