Linux-UNIX: A-TAP management
A-TAP is an application-level tap. It sits in the application layer to support monitoring of encrypted database traffic, which cannot be done in the kernel by K-TAP.
The A-TAP mechanism monitors communication between internal components of the database server. The data is unencrypted in the application layer, where A-TAP picks it up and sends it to K-TAP. K-TAP acts as a proxy that passes the data to S-TAP®, and from there it is sent to the Guardium® collector.
This figure shows where A-TAP fits in with the overall architecture on the database server.
A-TAP is included in every S-TAP but must be specifically configured for each database that requires it.
When to use A-TAP
A-TAP is required when DBMS encryption in motion is used. Other internal database implementation details, such as shared memory, might also require it.
If you have the option, use an exit library instead of A-TAP.
- A-TAP is not supported in an environment where a 32-bit database is located on a 64-bit server.
- For ASO traffic, CLIENT_IP is not the actual client IP; use the Analyzed Client IP, which is the correct IP.
- For Oracle ASO encrypted IPv6 traffic (local and remote), use the Client Host Name to identify the actual client session, due to limitations.
- For SSL traffic, CLIENT_IP is not the actual client IP and there is no ANALYZED_CLIENT_IP.
- If CLIENT_HOST_NAME cannot be mapped to one specific network, it cannot be used to differentiate between multiple networks. In this case, ANALYZED_CLIENT_IP is not available. Due to this limitation, use CLIENT_HOST_NAME to identify the actual client session.
- For ASO traffic when S-TAP is configured to send traffic to multiple collectors, CLIENT_IP is not the actual client IP and there is no ANALYZED_CLIENT_IP. Encrypted and unencrypted A-TAP traffic cannot be sent to the same Guardium system for all databases, because not all database-encrypted K-TAP traffic and unencrypted A-TAP traffic can share the same session.
- No need to install or use kernel modules (K-TAP).
- Lower CPU utilization.
- New database versions are supported sooner.
A-TAP for Db2 and Informix is no longer supported starting with Guardium 12.0.
For information about using Db2 Exit, see Linux-UNIX: Configuring Db2 Exit. For information about using Informix Exit, see Linux-UNIX: Configuring Informix Exit.
Monitoring restrictions: See Guardium support matrix for complete details on what is supported for the various databases and operating systems.