Installing the S-TAP for IBM i

The S-TAP software is a shell script that you must run from IBM i, within the Portable App Solutions Environment (PASE). Take the following steps to upload the S-TAP software to the IBM i Integrated File System (IFS) and then install it.

Before you begin

  • Review the minimum requirements from the following location: Guardium and Db2 for i - technical resources
  • Review the Db2 for IBM i PTF Group Schedule for your version of IBM i: Db2 for i - Technology Updates.
  • Make sure that you have the following special authorities: *ALLOBJ, *JOBCTL, and *SECADM.
  • Verify that license program 5722SS1-33 Portable App Solutions Environment (PASE) is installed on your IBM i system.
  • If you use FTP to upload S-TAP software to IFS, ensure that you have access to the 5250 emulator software to connect to the IBM i system remotely. To use the IBM i Access Client Solutions (ACS) tool, download ACS from the following location: IBM i Access Client Solutions.
  • Download the S-TAP for the IBM i platform.
  • Identify the IP address of the Guardium® system to which this S-TAP connects.
  • Ensure that the following ports are open between the Guardium system and IBM i:
    • Port 446: The default port for data source connectivity via JDBC.
    • Port 16016: The port for sending encrypted traffic to the Guardium collector.
    Note: In general, connections to the following IBM i ports are required:
    • 449
    • 446/448(TLS/SSL)
    • 8471/9471(TLS/SSL)
    • 8476/9476(TLS/SSL)

    However, depending on the version of the IBM i server and the version of the jt400.jar JDBC driver that Guardium uses, the required ports might vary. See the IBM i documentation to check the IBM i well-known ports. For more information about port requirements for IBM i, see TCP/IP Ports Required for IBM i Access and Related Functions.

  • Use the IBM i Verify TCP/IP Connection (PING) command to verify that IBM i can establish a TCP/IP connection to the IP of the Guardium system that the S-TAP must communicate with.

Procedure

  1. Upload the S-TAP software to the IBM i Integrated File System (IFS) by using FTP or the graphical IBM i Access Client Solutions (ACS) tool.
    To upload via FTP, use the following steps:
    • Use the 5250 emulator software to connect to IBM i remotely and enter the following command to open the PASE shell: call qp2term.
    • In the PASE shell environment on the IBM i, create a temporary directory to store the S-TAP installation script. Example: /tmp/username.
    • Use the start TCP/IP File Transfer (FTP) command and move the S-TAP installation shell script to that temporary directory.
    To upload by using ACS, use the following steps:
    • Within the ACS tool, use the IFS to create a temporary directory and navigate to it.
    • Use the GUI to select and upload the S-TAP software.
  2. In the temporary directory, run the following command:
    <S-TAP_shell_script.sh> --sqlguardip <guardium_host_IP> -u | -overwrite-existing [--tls force | none]
    Where:
    • --sqlguardip: a mandatory parameter that indicates the IP address of the Guardium system with which the S-TAP communicates.
    • If an IBM i S-TAP installation exists, you must enter one of the following parameters:
      • -u: an optional parameter to keep the existing configuration parameters and update the S-TAP configuration with the parameters that were entered in the command.
      • -overwrite-existing: an optional parameter to overwrite the existing installation and create a new guard_tap.ini file with default parameters.
    • --tls force: an optional parameter to use TLS encryption. If a secure protocol cannot be obtained when you connect, the S-TAP can fall back to using a nonsecure protocol.
    • --tls none: an optional parameter to indicate that the connection is not encrypted. This parameter is selected by default if TLS is not specified.
    The program installs in the following location: /usr/local/guardium.
  3. Optional: Installing the S-TAP not only installs the necessary components and configurations but also starts the S-TAP with the factory default configuration. Therefore, the S-TAP immediately starts capturing all database activity for all users and processes. You can stop the S-TAP immediately after installation, establish filtering rules, and then restart the S-TAP.
    To stop the S-TAP, use the IBM i Run SQL command. For example:
    RUNSQL SQL('CALL SYSPROC/SYSAUDIT_END( )') COMMIT(*NONE)
    Tip: You must establish a filtering rule that matches your database activity monitoring strategy and requirements. As an example, if you use only the Guardium policy to establish filtering, the S-TAP on IBM i might transfer and store more activity details than needed on the Guardium collector.
  4. On the Guardium system's GUI, go to Manage > System View > S-TAP Status Monitor and confirm that the S-TAP status is green. A green status indicates that the S-TAP is communicating with the collector. If the S-TAP monitor is not showing green, review the details within the following IFS stream files:
    • /usr/local/guardium/install_out.txt
    • /usr/local/guardium/guard_itap.stderr.1.txt
    Tip: You can ignore the Inspection Engine status column. Inspection engines are not used for Db2 for i S-TAP.
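
One way to assemble the step 2 command with pre-flight checks, shown as an added example that is not IBM's code. The script name ./stap_installer.sh, the IPv4-only address check, and treating an existing /usr/local/guardium directory as an existing installation are assumptions.

```shell
# Added example, not IBM code. Script name and install-dir check are assumptions.
INSTALL_DIR_DEFAULT=/usr/local/guardium   # install location given in step 2

# Return 0 if $1 is a dotted-quad IPv4 address with each octet in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_stap_install_cmd <script> <guardium_ip> <force|none> [-u|-overwrite-existing] [install_dir]
# Prints the installer command line on stdout; diagnostics go to stderr.
build_stap_install_cmd() {
    script=$1 ip=$2 tls=$3 existing=${4:-} dir=${5:-$INSTALL_DIR_DEFAULT}

    is_ipv4 "$ip" || { echo "error: bad --sqlguardip value '$ip'" >&2; return 2; }

    case "$tls" in
        force) ;;   # per the option description, force can still fall back to nonsecure
        none)  echo "warning: --tls none leaves S-TAP traffic unencrypted" >&2 ;;
        *)     echo "error: --tls must be force or none" >&2; return 2 ;;
    esac

    case "$existing" in
        ''|-u|-overwrite-existing) ;;
        *) echo "error: unknown option '$existing'" >&2; return 2 ;;
    esac

    # Assumption: an existing install directory means an existing installation,
    # in which case one of -u / -overwrite-existing is required.
    if [ -d "$dir" ] && [ -z "$existing" ]; then
        echo "error: $dir exists; choose -u or -overwrite-existing" >&2
        return 3
    fi

    echo "$script --sqlguardip $ip${existing:+ $existing} --tls $tls"
}

# Constructed demo values: the script name and address are placeholders.
build_stap_install_cmd ./stap_installer.sh 192.0.2.10 force "" /nonexistent/guardium
```

Because the installer defaults to --tls none when TLS is not specified, the wrapper requires the TLS mode to be stated explicitly.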

Uninstalling the S-TAP

Procedure

To stop and uninstall the S-TAP, run the following commands:
RUNSQL SQL('call SYSPROC/SYSAUDIT_End') COMMIT(*NONE)
CALL QP2TERM
cd /usr/local/guardium/
uninstall
F3
RMVDIR DIR('/usr/local/guardium') SUBTREE(*ALL)