Creating a datasource definition

Use the Datasource Builder to create datasource definitions for use with Guardium applications.

1. Open the Datasource Builder by navigating to Setup > Datasource Definitions.
2. Click to open the Create datasource dialog. Use the Create datasource dialog to provide information about the datasource to be stored for future use. Depending on the application and database type that you select, and the type of datasource you use, the dialog varies slightly.
3. Select an Application Type.
4. Enter a unique Name for the datasource.
5. From the Database Type menu, select the database or type of file. For some applications, the datasource must be a database, and cannot be a text file. Depending on the type of database you select, some fields on the panel are disabled, or the labels change. For example, Assign Credentials can be either optional or mandatory. When mandatory, it is disabled and the user name and password fields are mandatory. When optional, user name and password are disabled until you select Assign Credentials.
6. Select Share Datasource to share the datasource definition across all applications. If you do not share the datasource, the definition you create can be used only with the application you chose.
7. Optionally, configure additional credentials.
   • Use SSL: select to use SSL. Then optionally select import server SSL certificate, and click add certificate to select the certificate
   • Use LDAP: Select to use LDAP. Then click Assign credentials, and enter the user name and password
   • Use Kerberos: Select to use a predefined Kerberos configuration. Select a Kerberos configuration, and enter the Realm and KDC. The datasource compares this with its own KDC and Realm to make sure they match.
8. Select Save Password to save and encrypt your authentication credentials on the Guardium appliance. Save password is required if you are defining a datasource with an application that runs as a scheduled task (as opposed to on demand). When save password is selected, login name and password are required.
9. Enter your credentials for Login Name and Password.
10. For the Host Name/IP field, enter the host name or IP address for the datasource.
11. Use the table to complete Port based on your datasource type.
    Datasource type and port number table

    Database type	Port number
    Aster Data	2046
    DB2	50000 For DB2 UDB, Guardium supports count_big(*). On very large tables, a standard count(*) could fail
    DB2 for i	446
    DB2 for z/OS	446
    GreenplumDB	5432
    Hadoop	21000-21050
    Informix	1526
    MS SQL Server (Dynamic ports) and MS SQL Server (DataDirect - Dynamic ports)	Port number grayed out - Use of this datasource allows a client without a defined port value or where the dynamic function is enabled from the MS SQL Server database server to connect dynamically to a MS SQL server database. To define dynamic port, go onto the DB serve for MS SQL Server and define 0 for Dynamic port type and remove TCP/IP which by default is port 1433. Setting Dynamic port value to 0 and restarting the services will set a dynamic IP. For MS SQL, Guardium supports count_big(*). On very large tables, a standard count(*) could fail DataDirect driver for MS SQL Server Previously the jTDS driver had to be downloaded in order to support Windows authentication using NTLM and NTLMv. Now the Guardium DataDirect driver will permit this. Parameters If the Guardium user wants to use Windows authentication, then add this parameter to the Connection Property: domain=domain_name;AuthenticationMethod=ntlmjava If using NTLMv2 for Windows authentication, then add this parameter to the Connection Property: domain=domain_name;AuthenticationMethod=ntlm2java AuthenticationMethod Purpose Determines which authentication method the driver uses when establishing a connection. If the specified authentication method is not supported by the database server, the connection fails and the driver throws an exception. Valid Values auto | kerberos | ntlm | ntlmjava | ntlm2java | userIdPassword Notes If you specify AuthenticationMethod=ntlmjava when the LMCompatabilityLevel has been restricted to NTLMv2, an error will be returned. When the LMCompatabilityLevel has been restricted to NTLMv2, AuthenticationMethod must be set to ntlm2java. If you specify AuthenticationMethod=ntlmjava or AuthenticationMethod=ntlm2java, you must specify the name of the domain server that administers the database. You can specify the domain server using the Domain property. If the Domain property is not specified, the driver tries to determine the domain server from the User property. If the driver cannot determine the domain server name, it throws an exception. The User property provides the user ID. The Password property provides the password. The values type4, type2, and none are deprecated, but are recognized for backward compatibility. Use the kerberos, ntlm, and userIdPassword value, respectively, instead. If the Guardium user is using non-standard database Unicode such as Azeri_Cyrillic_100_CI_AS or Chinese_Hong_Kong_Stroke_90_CI_AS, then add this parameter to the connection property: CodePageOverride=UTF-8 If using SSL (Force encryption=Yes) , then add: encryptionMethod=SSL;validateServerCertificate=false
    MS SQL Server (DataDirect)	1433
    MongoDB	27017
    MySQL	3306
    Netezza	5480
    Oracle (DataDirect)	1521
    PostgreSQL	5432
    SAP HANA	39015
    Sybase	4100
    Sybase IQ	2638
    Teradata	1025
    Text	0
    Text:HTTP	8000
    Text:FTP	21
    Text:SAMBA	445
    Text:HTTPS	8443
    N_A	0
    MS SQL Server (open source) (use Harden > Vulnerability Assessment > Customer Uploads to upload these JDBC drivers, see Subscribed Groups Upload)	1433
    Oracle (open source) (use Harden > Vulnerability Assessment > Customer Uploads to upload these JDBC drivers, see Subscribed Groups Upload)	1521
    HIVE, HiveServer2	10000
    HADOOP, Hive CLI deprecated	9083
    HIVE, for Impala from Hue	21050
    HADOOP, Impala shell	21000
    HUE, Oracle Hue backend	1521
    HUE, MySQL Hue backend	3306
    HUE, PostgreSQL Hue backend	5432
    WEBHDFS	50070

    Note: When attempting to connect using an SSL datasource for the first time, you may encounter this error when testing the connection:

    error
    Connection unsuccessful  
    Could not connect to: 'jdbc:db2://su11u1x64t-va:55000/VA_DB' for user: '(DELETE ME) db2 10.1 SSL_DB2(Security Assessment)'. DataSourceConnectException: Could not connect to: 'DB2 (DELETE ME) db2 10.1 SSL 9.70.146.39:55000' for user: 'db2inst1'. Exception: com.ibm.db2.jcc.am.DisconnectNonTransientConnectionException: [jcc][t4][2030][11211][4.15.134] A communication error occurred during operations on the connection's underlying socket, socket input stream,

    This is caused because the GUI does not have the correct keystore file for the certificate loaded into memory. To correct this, restart the GUI and this error should go away and the connection should be successful.
12. Depending on the datasource type, the dialog varies slightly for the fields after port.
    • If DB2, enter the database name.
    • If DB2 iSeries or Oracle, enter the service name.
    • If Informix, enter the Informix server name.
    • For a non-text Database Type, in the Database box, enter the database name (Informix, Sybase, MS SQL Server, PostgreSQL, or Teradata only). If it is blank for Sybase or MS SQL Server, the default is master. For Sybase database, the Database text box should contain either the database name or default to master if it is blank (This works for Entitlement Reports and Classifier. For VA, use the database instance name.)
    • For DB2, DB2 iSeries, or Oracle enter a valid schema name in the Schema box to use.
    • For a text file Database Type, in the File Name box, enter the file name.
13. Use the Connection Property box only if additional connection properties must be included on the JDBC URL to establish a JDBC connection with this datasource. The required format is property=value, where each property and value pair is separated from the next by a semicolon.
    • For a Sybase database with a default character set of Roman8, enter the following property: charSet=utf8.
    • For an Oracle Encrypted Connection you need to define a Connection Property as: oracle.net.encryption_client=REQUIRED;oracle.net.encryption_types_client=RC4_40 (Replacing with an encryption algorithm required by the monitored instance, regardless of its type).
    • NOTE that 3DES168 encryption is problematic. A datasource defined to use 3DES168 encryption will incorrectly throw an ORA-17401 protocol error or ORA-17002 checksum error when it encounters any SQL error. Thereafter, the connection simply won't work until it is closed and reopened.
    • For a DB2 Encrypted Connection you need to define a Connection Property as: securityMechanism=13
    • For a DB2 iSeries Connection, define a Connection Property as: property1=com.ibm.as400.access.AS400JDBCDriver;translate binary=true
    • For DB2 z/OS datasource, add a Connection Property to improve database performance: resultSetHoldability=2
    • In Oracle, sys is an Oracle default user, is owner of the database instance, and has super user privileges, much like root on Unix. SYSDBA is a role and has administrative privileges that are required to perform many high-level administrative operations such as starting and stopping the database as well as performing such operations as backup and recovery. This role (SYSDBA) can also be granted to other users. The phrase sys as SYSDBA refers to the connection method required to connect as the sys user.
    • For monitor values for Oracle 10 (sys as SYSDBA) (this is for the Oracle open source driver), enter the following: internal_logon=sysdba
    • For DataDirect (Oracle driver), enter the following: SysLoginRole=sysdba
    • In addition, if using CRYPTO_CHECKSUM_TYPES in your sqlnet.ora, use the following examples:
      • oracle.net.encryption_client=aes256;oracle.net.crypto_checksum_types_client=SHA1
      • oracle.net.encryption_client=rc4_256;oracle.net.crypto_checksum_types_client=MD5
      • oracle.net.encryption_client=aes256;oracle.net.crypto_checksum_types_client=MD5
      • oracle.net.encryption_client=rc4_256;oracle.net.crypto_checksum_types_client=SHA1
    • Example: Use authentication to Oracle LDAP which is known as OID. Values needed are: the LDAP server host or IP, the LDAP server port, the Oracle instance name and the realm. The custom URL must be properly entered: jdbc:guardium:oracle:@ldap://wi3ku2x32t4:389/on0maver;cn=OracleContext;dc=vguardium;dc=com
14. If needed, enter a Custom URL connection string to the datasource. When the Custom URL field is blank, the connection is made using the properties entered in the other datasource definition fields (for example, host, port, instance, etc.).
    Important:

    • When specifying a Custom URL field with the Oracle Open Source format, specify jdbc:guardium:oracle://;SID=<SID>.
    • When creating a datasource for an Oracle database with Oracle Advanced Security enabled, specify EncryptionLevel=required in the Custom URL field of the datasource definition.
15. Click Show Advanced Options to display the Roles and CAS options.
16. Optionally click Roles to assign roles for the datasource. Adding a role to a Datasource will allow users to view Datasource configuration. Only owners and administrators are allowed to modify and delete Datasource.

    Because vendors offer flexibility during installation, users should be asked to help in determining the two fields required on the datasource definition.

    CAS needs two pieces of information: a database instance account to run some of the database tools on Unix, and the name of the database instance directory in order to find the files it is to monitor. Generally, if the Database Instance Account and Directory are not correctly entered in the Datasource Definition, you will see No CAS data available messages for tests where CAS could not find data.

    1. Enter a Database Instance Account (software owner) and a Database Instance Directory (directory where database software was installed) that will be used by CAS.
       These are suggestions for how to find the needed information to fill in the CAS information for datasources. This information may vary from one installation to another. One of the ways used on Unix is to list the /etc/passwd file for specific database installations that can be used to identify the database instance account and instance directory. Sometimes during the installation an environment variable is defined in the database instance account identifying the instance directory, such as ORACLE_HOME. In this case, enter $ORACLE_HOME in the database instance directory field of the datasource definition form and the variable will be expanded to find the correct directory name on the database server.

       Note: To search multiple directories, you can define multiple file paths for Database Instance Directory. Refer to the MongoDB row for an example.

       Table 1. Database Instances

       Database Type	Database Instance Account	Database Instance Directory/ Additional Hints
       DB2	Often db2inst1	Home directory of db2inst1 or C:\Program Files\IBM\SQLLIB on Windows   The program db2cmd.exe must be on the system path, or in the bin subdirectory of the Database Instance Directory.
       Informix	Often informix	Something like /opt/IBM/informix on Unix, or C:\Program Files\IBM\Informix. An environment variable INFORMIXDIR may be defined.   The program <servicename>.cmd must be on the system path where <servicename> is the value entered in the Informix Server of the Datasource Definition.
       MongoDB	Often mongodb or mongos	With MongoDB, you must specify multiple paths for the database instance directory. Indicate a separate path by using a pipe | with spaces. For example, /var/lib/mongo | MongoBinary=/usr/bin | dbpath=/var/lib/mongo | logpath=/var/log/mongodb | keytab=/home/keytab | dbdumppath=/opt/backup | sslpath=/etc/ssl | keyfile=/home/mongod/mongo_server.keyfile. The /var/lib/mongo path is required, as it is the home path for the mongo user. MongoBinary=/usr/bin is the path to the mongo binary. You must specify the variable (which is case sensitive) and then equal the path. dbpath=/var/lib/mongo is the path to the data files. In this case, it happens to be the same as the MongoDB home directory. logpath=/var/log/mongodb is the path to the MongoDB log. keytab=/home/keytab is the directory to the MongoDB keytab file. dbdumppath=/opt/backup is the directory to the MongoDB backup dump. sslpath=/etc/ssl is the path to MongoDB SSL files. keyfile=/home/mongod/mongo_server.keyfile points to the MongoDB keyfile. You do not need to define all the listed paths. Whichever paths are not defined will not be analyzed.
       Oracle	Often oracle, or version specific such as oracle9 or oracle10	For example, /home/oracle9 on Unix, or C:\oracle\product\10.2.0\db_1 on Windows. An environment variable ORACLE_HOME may be defined.   On Windows, environment variables PERL5LIB and ORACLE_HOME must be defined, and the program opatch.bat must be on the system path.
       SQL Server	Not needed unless Windows Authentication is being used. In that case, it must be in the form acceptable to Windows Authentication, DOMAIN/Username.	There are two scenarios when populating Database instance Directory for CAS usage in SQL Server. If the datasource is being used for Vulnerability Assessment Tests, then this column needs to be populate with the DATABASE INSTANCE HOME DIRECTORY.   Examples MSSQL2008 C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL MSSQL2014, default instance. C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL MSSQL2016, Name instance. C:\Program Files\Microsoft SQL Server\MSSQL13.SQL2016\MSSQL If the datasource is being used for NON Vulnerability Assessment Tests, but for CAS monitoring files or registry.   Then this column will be the Microsoft SQL Server directory with Program Files Examples C:\Program Files (x86)\Microsoft SQL Server or C:\Program Files\Microsoft SQL Server Note: You must have two datasources if you want to do Vulnerability Assessment Tests and CAS file monitoring
       Sybase	Often "sybase"	For Unix /home/sybase, or C:\sybase for Windows. An environment variable SYBASE may be defined.
       MySQL		An environment variable MYSQL_HOME may be defined. Note: A MySQL datasource with a Unicode database name is not supported. The datasource name in MYSQL must be ASCII.
       Teradata		Not needed. The installations all look the same.
       Netezza		Not needed. The installation is in the same location on all machines.
       PostgreSQL		This is the most flexible of the installations. The user is required to define two environment variables on the Postgres database server: PostgreSQL_BIN should be the location of the binaries for the installation, and PostgreSQL_DATA the location of the data.

       Note: If an environment variable is to be used within the Database Instance Directory field, that environment variable must be defined on the database server.
    2. Select a Severity Classification (or impact level) for the datasource. Severity classification can be used to sort, filter, or focus datasources while you are viewing reports and results.
    3. Click Save to save the datasource definition (you cannot add roles or comments until the definition has been saved).
    4. Optionally click Add Comments to add comments to the definition.
    5. Optionally click Test Connection to test connectivity of the defined datasource.
    6. Click Close when you are finished with the definition.