Creating a datasource definition

Use the Datasource Builder to create datasource definitions for use with Guardium applications.

About this task

You can create a datasource definition through two general processes. First, you can add a datasource definition from the Datasource Builder and then specify the application for which you want to use the datasource. Second, you can go into the application you want to use, and create a datasource within the application. The navigation for adding a datasource definition within a specific application varies depending on the application you choose or the type of database selected. For example, if you want to create an audit database, navigate to Harden > Configuration Change Control (CAS Application) > Value Change Audit Database Creation and click Add Datasource.


  1. Open the Datasource Builder by navigating to Setup > Datasource Definitions.
  2. Click New to open the Create datasource dialog. Use the Create datasource dialog to provide information about the datasource to be stored for future use. Depending on the application and database type that you select, and the type of datasource you use, the dialog varies slightly.
  3. Select an Application Type.
  4. Enter a unique Name for the datasource.
  5. From the Database Type menu, select the database or type of file. For some applications, the datasource must be a database, and cannot be a text file. Depending on the type of database you select, some fields on the panel are disabled, or the labels change. For example, Assign Credentials can be either optional or mandatory. When mandatory, it is disabled and the user name and password fields are mandatory. When optional, user name and password are disabled until you select Assign Credentials.
  6. Select Share Datasource to share the datasource definition across all applications. If you do not share the datasource, the definition you create can be used only with the application you chose.
  7. Optionally, configure additional credentials.
    • Use SSL: select to use SSL. Then optionally select import server SSL certificate, and click add certificate to select the certificate
    • Use LDAP: Select to use LDAP. Then click Assign credentials, and enter the user name and password
    • Use Kerberos: Select to use a predefined Kerberos configuration. Select a Kerberos configuration, and enter the Realm and KDC. The datasource compares this with its own KDC and Realm to make sure they match.
  8. Select Save Password to save and encrypt your authentication credentials on the Guardium appliance. Save password is required if you are defining a datasource with an application that runs as a scheduled task (as opposed to on demand). When save password is selected, login name and password are required.
  9. Enter your credentials for Login Name and Password.
  10. For the Host Name/IP field, enter the host name or IP address for the datasource.
  11. Use the table to complete Port based on your datasource type.
    Datasource type and port number table
    Database type Port number
    Aster Data 2046


    For DB2 UDB, Guardium supports count_big(*). On very large tables, a standard count(*) could fail

    DB2 for i 446
    DB2 for z/OS 446
    GreenplumDB 5432
    Hadoop 21000-21050
    Informix 1526
    MS SQL Server (Dynamic ports) and MS SQL Server (DataDirect - Dynamic ports)

    Port number grayed out - Use of this datasource allows a client without a defined port value or where the dynamic function is enabled from the MS SQL Server database server to connect dynamically to a MS SQL server database. To define dynamic port, go onto the DB serve for MS SQL Server and define 0 for Dynamic port type and remove TCP/IP which by default is port 1433. Setting Dynamic port value to 0 and restarting the services will set a dynamic IP.

    For MS SQL, Guardium supports count_big(*). On very large tables, a standard count(*) could fail

    DataDirect driver for MS SQL Server

    Previously the jTDS driver had to be downloaded in order to support Windows authentication using NTLM and NTLMv.

    Now the Guardium DataDirect driver will permit this.


    If the Guardium user wants to use Windows authentication, then add this parameter to the Connection Property:


    If using NTLMv2 for Windows authentication, then add this parameter to the Connection Property:




    Determines which authentication method the driver uses when establishing a connection. If the specified authentication method is not supported by the database server, the connection fails and the driver throws an exception.

    Valid Values

    auto | kerberos | ntlm | ntlmjava | ntlm2java | userIdPassword


    If you specify AuthenticationMethod=ntlmjava when the LMCompatabilityLevel has been restricted to NTLMv2, an error will be returned. When the LMCompatabilityLevel has been restricted to NTLMv2, AuthenticationMethod must be set to ntlm2java.

    If you specify AuthenticationMethod=ntlmjava or AuthenticationMethod=ntlm2java, you must specify the name of the domain server that administers the database. You can specify the domain server using the Domain property. If the Domain property is not specified, the driver tries to determine the domain server from the User property. If the driver cannot determine the domain server name, it throws an exception.

    The User property provides the user ID. The Password property provides the password.

    The values type4, type2, and none are deprecated, but are recognized for backward compatibility. Use the kerberos, ntlm, and userIdPassword value, respectively, instead.

    If the Guardium user is using non-standard database Unicode such as Azeri_Cyrillic_100_CI_AS or Chinese_Hong_Kong_Stroke_90_CI_AS, then add this parameter to the connection property:


    If using SSL (Force encryption=Yes) , then add:


    MS SQL Server (DataDirect) 1433
    MongoDB 27017
    MySQL 3306
    Netezza 5480
    Oracle (DataDirect) 1521
    PostgreSQL 5432
    SAP HANA 39015
    Sybase 4100
    Sybase IQ 2638
    Teradata 1025
    Text 0
    Text:HTTP 8000
    Text:FTP 21
    Text:SAMBA 445
    Text:HTTPS 8443
    N_A 0
    MS SQL Server (open source) (use Harden > Vulnerability Assessment > Customer Uploads to upload these JDBC drivers, see Subscribed Groups Upload) 1433
    Oracle (open source) (use Harden > Vulnerability Assessment > Customer Uploads to upload these JDBC drivers, see Subscribed Groups Upload) 1521
    HIVE, HiveServer2 10000
    HADOOP, Hive CLI deprecated 9083
    HIVE, for Impala from Hue 21050
    HADOOP, Impala shell 21000
    HUE, Oracle Hue backend 1521
    HUE, MySQL Hue backend 3306
    HUE, PostgreSQL Hue backend 5432
    WEBHDFS 50070
    Note: When attempting to connect using an SSL datasource for the first time, you may encounter this error when testing the connection:
    Connection unsuccessful  
    Could not connect to: 'jdbc:db2://su11u1x64t-va:55000/VA_DB' for user: '(DELETE ME) db2 10.1 SSL_DB2(Security Assessment)'. DataSourceConnectException: Could not connect to: 'DB2 (DELETE ME) db2 10.1 SSL' for user: 'db2inst1'. Exception: [jcc][t4][2030][11211][4.15.134] A communication error occurred during operations on the connection's underlying socket, socket input stream,
    This is caused because the GUI does not have the correct keystore file for the certificate loaded into memory. To correct this, restart the GUI and this error should go away and the connection should be successful.
  12. Depending on the datasource type, the dialog varies slightly for the fields after port.
    • If DB2, enter the database name.
    • If DB2 iSeries or Oracle, enter the service name.
    • If Informix, enter the Informix server name.
    • For a non-text Database Type, in the Database box, enter the database name (Informix, Sybase, MS SQL Server, PostgreSQL, or Teradata only). If it is blank for Sybase or MS SQL Server, the default is master. For Sybase database, the Database text box should contain either the database name or default to master if it is blank (This works for Entitlement Reports and Classifier. For VA, use the database instance name.)
    • For DB2, DB2 iSeries, or Oracle enter a valid schema name in the Schema box to use.
    • For a text file Database Type, in the File Name box, enter the file name.
  13. Use the Connection Property box only if additional connection properties must be included on the JDBC URL to establish a JDBC connection with this datasource. The required format is property=value, where each property and value pair is separated from the next by a semicolon.
    • For a Sybase database with a default character set of Roman8, enter the following property: charSet=utf8.
    • For an Oracle Encrypted Connection you need to define a Connection Property as:; (Replacing with an encryption algorithm required by the monitored instance, regardless of its type).
    • NOTE that 3DES168 encryption is problematic. A datasource defined to use 3DES168 encryption will incorrectly throw an ORA-17401 protocol error or ORA-17002 checksum error when it encounters any SQL error. Thereafter, the connection simply won't work until it is closed and reopened.
    • For a DB2 Encrypted Connection you need to define a Connection Property as: securityMechanism=13
    • For a DB2 iSeries Connection, define a Connection Property as:;translate binary=true
    • For DB2 z/OS datasource, add a Connection Property to improve database performance: resultSetHoldability=2
    • In Oracle, sys is an Oracle default user, is owner of the database instance, and has super user privileges, much like root on Unix. SYSDBA is a role and has administrative privileges that are required to perform many high-level administrative operations such as starting and stopping the database as well as performing such operations as backup and recovery. This role (SYSDBA) can also be granted to other users. The phrase sys as SYSDBA refers to the connection method required to connect as the sys user.
    • For monitor values for Oracle 10 (sys as SYSDBA) (this is for the Oracle open source driver), enter the following: internal_logon=sysdba
    • For DataDirect (Oracle driver), enter the following: SysLoginRole=sysdba
    • In addition, if using CRYPTO_CHECKSUM_TYPES in your sqlnet.ora, use the following examples:
    • Example: Use authentication to Oracle LDAP which is known as OID. Values needed are: the LDAP server host or IP, the LDAP server port, the Oracle instance name and the realm. The custom URL must be properly entered: jdbc:guardium:oracle:@ldap://wi3ku2x32t4:389/on0maver;cn=OracleContext;dc=vguardium;dc=com
  14. If needed, enter a Custom URL connection string to the datasource. When the Custom URL field is blank, the connection is made using the properties entered in the other datasource definition fields (for example, host, port, instance, etc.).
    • When specifying a Custom URL field with the Oracle Open Source format, specify jdbc:guardium:oracle://;SID=<SID>.
    • When creating a datasource for an Oracle database with Oracle Advanced Security enabled, specify EncryptionLevel=required in the Custom URL field of the datasource definition.
  15. Click Show Advanced Options to display the Roles and CAS options.
  16. Optionally click Roles to assign roles for the datasource. Adding a role to a Datasource will allow users to view Datasource configuration. Only owners and administrators are allowed to modify and delete Datasource.

    Because vendors offer flexibility during installation, users should be asked to help in determining the two fields required on the datasource definition.

    CAS needs two pieces of information: a database instance account to run some of the database tools on Unix, and the name of the database instance directory in order to find the files it is to monitor. Generally, if the Database Instance Account and Directory are not correctly entered in the Datasource Definition, you will see No CAS data available messages for tests where CAS could not find data.

    1. Enter a Database Instance Account (software owner) and a Database Instance Directory (directory where database software was installed) that will be used by CAS.
      These are suggestions for how to find the needed information to fill in the CAS information for datasources. This information may vary from one installation to another. One of the ways used on Unix is to list the /etc/passwd file for specific database installations that can be used to identify the database instance account and instance directory. Sometimes during the installation an environment variable is defined in the database instance account identifying the instance directory, such as ORACLE_HOME. In this case, enter $ORACLE_HOME in the database instance directory field of the datasource definition form and the variable will be expanded to find the correct directory name on the database server.
      Note: To search multiple directories, you can define multiple file paths for Database Instance Directory. Refer to the MongoDB row for an example.
      Table 1. Database Instances
      Database Type Database Instance Account Database Instance Directory/ Additional Hints
      DB2 Often db2inst1

      Home directory of db2inst1 or C:\Program Files\IBM\SQLLIB on Windows  

      The program db2cmd.exe must be on the system path, or in the bin subdirectory of the Database Instance Directory.

      Informix Often informix

      Something like /opt/IBM/informix on Unix, or C:\Program Files\IBM\Informix. An environment variable INFORMIXDIR may be defined.  

      The program <servicename>.cmd must be on the system path where <servicename> is the value entered in the Informix Server of the Datasource Definition.

      MongoDB Often mongodb or mongos

      With MongoDB, you must specify multiple paths for the database instance directory. Indicate a separate path by using a pipe | with spaces.

      For example, /var/lib/mongo | MongoBinary=/usr/bin | dbpath=/var/lib/mongo | logpath=/var/log/mongodb | keytab=/home/keytab | dbdumppath=/opt/backup | sslpath=/etc/ssl | keyfile=/home/mongod/mongo_server.keyfile.

      The /var/lib/mongo path is required, as it is the home path for the mongo user.

      MongoBinary=/usr/bin is the path to the mongo binary. You must specify the variable (which is case sensitive) and then equal the path.

      dbpath=/var/lib/mongo is the path to the data files. In this case, it happens to be the same as the MongoDB home directory.

      logpath=/var/log/mongodb is the path to the MongoDB log.

      keytab=/home/keytab is the directory to the MongoDB keytab file.

      dbdumppath=/opt/backup is the directory to the MongoDB backup dump.

      sslpath=/etc/ssl is the path to MongoDB SSL files.

      keyfile=/home/mongod/mongo_server.keyfile points to the MongoDB keyfile.

      You do not need to define all the listed paths. Whichever paths are not defined will not be analyzed.

      Oracle Often oracle, or version specific such as oracle9 or oracle10

      For example, /home/oracle9 on Unix, or C:\oracle\product\10.2.0\db_1 on Windows. An environment variable ORACLE_HOME may be defined.  

      On Windows, environment variables PERL5LIB and ORACLE_HOME must be defined, and the program opatch.bat must be on the system path.

      SQL Server Not needed unless Windows Authentication is being used. In that case, it must be in the form acceptable to Windows Authentication, DOMAIN/Username.

      There are two scenarios when populating Database instance Directory for CAS usage in SQL Server.

      If the datasource is being used for Vulnerability Assessment Tests, then this column needs to be populate with the DATABASE INSTANCE HOME DIRECTORY.  



      C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL

      MSSQL2014, default instance.

      C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL

      MSSQL2016, Name instance.

      C:\Program Files\Microsoft SQL Server\MSSQL13.SQL2016\MSSQL

      If the datasource is being used for NON Vulnerability Assessment Tests, but for CAS monitoring files or registry.  

      Then this column will be the Microsoft SQL Server directory with Program Files

      Examples C:\Program Files (x86)\Microsoft SQL Server


      C:\Program Files\Microsoft SQL Server

      Note: You must have two datasources if you want to do Vulnerability Assessment Tests and CAS file monitoring

      Sybase Often "sybase" For Unix /home/sybase, or C:\sybase for Windows. An environment variable SYBASE may be defined.

      An environment variable MYSQL_HOME may be defined.

      Note: A MySQL datasource with a Unicode database name is not supported. The datasource name in MYSQL must be ASCII.
      Teradata   Not needed. The installations all look the same.
      Netezza   Not needed. The installation is in the same location on all machines.
      PostgreSQL   This is the most flexible of the installations. The user is required to define two environment variables on the Postgres database server: PostgreSQL_BIN should be the location of the binaries for the installation, and PostgreSQL_DATA the location of the data.  
      Note: If an environment variable is to be used within the Database Instance Directory field, that environment variable must be defined on the database server.
    2. Select a Severity Classification (or impact level) for the datasource. Severity classification can be used to sort, filter, or focus datasources while you are viewing reports and results.
    3. Click Save to save the datasource definition (you cannot add roles or comments until the definition has been saved).
    4. Optionally click Add Comments to add comments to the definition.
    5. Optionally click Test Connection to test connectivity of the defined datasource.
    6. Click Close when you are finished with the definition.