Linux and UNIX systems: Configuring the Kerberos plugin
To monitor database traffic on a server that uses Kerberos authentication, including identifying the DB_USER, you must configure the guardtap.ini and guardkerbplugin.conf files appropriately.
About this task
All customization settings for the Kerberos plugin are located in the file guardkerbplugin.conf. The default contents of this file are:
# Kerberos values
KRB5RCACHETYPE=none
KRB5_KTNAME=/path/to/kerberos/krb5.keytab
KRB5_CONFIG=/path/to/kerberos/krb5.conf
# Plugin values
KRB5_PLUGIN_CCACHE=/path/to/kerberos/krb5cc_*
KRB5_PLUGIN_GSSAPI_LIBRARY=/path/to/lib/libgssapi_krb5.so
#KRB5_PLUGIN_DEBUG=0
Lines beginning with a #, as well as blank lines, are treated as comments and ignored. Invalid entries cause errors and prevent the Kerberos plugin from running.
When any configuration entry is changed, the S-TAP must be restarted for the updated values to take effect.
Configuration entries are:
- KRB5RCACHETYPE
- KRB5RCACHETYPE=none
- KRB5_KTNAME
- This is the path to the keytab file; this can either be a keytab file already in use by the system, or one generated by Kerberos utilities specifically for use by the plugin. In general this file will have the name krb5.keytab. For example:
- KRB5_KTNAME=/home/oracle11/krb5/keytab
- KRB5_KTNAME=/home/sybase15/kerberos/keytab
- KRB5_CONFIG
- This is the path to the Kerberos configuration file in use by the system. In general this file is named krb5.conf. For example:
- KRB5_CONFIG=/home/oracle11/krb5/krb5.conf
- KRB5_CONFIG=/home/sybase15/kerberos/krb5.conf
- KRB5_PLUGIN_CCACHE
- This is a wildcard path to where the Kerberos system cache files are located. For example: KRB5_PLUGIN_CCACHE=/tmp/krb5cc*
- The value can also be a name if it is on the standard lib path, for example: KRB5_PLUGIN_CCACHE=<library name>.so
- V10.1.4 and higher: Multiple paths can be specified, separated by a semicolon (';'), for example: KRB5_PLUGIN_CCACHE=/home/sybase16/krb5cc*;/tmp/krb5cc*
- Note: Specifying more files than needed (for instance, specifying /tmp/*) impacts performance.
- KRB5_PLUGIN_GSSAPI_LIBRARY
- This is the location of the Kerberos GSSAPI dynamic library. On most systems this is named libgssapi_krb5.so.
The location can be specified by a full path, for example:
KRB5_PLUGIN_GSSAPI_LIBRARY=/usr/lib64/libgssapi_krb5.so
KRB5_PLUGIN_GSSAPI_LIBRARY=/opt/freeware/lib64/libgssapi_krb5.so
Alternately, if the library is located on the standard library search path for the system, you can specify only the file name, for example:
KRB5_PLUGIN_GSSAPI_LIBRARY=libgssapi_krb5.so
Note: Any libraries that are needed by the GSSAPI library (typically libkrb5.so, libk5crypto.so, libkrbsupport.so) must also be on the system.
Important: If the Kerberos libraries are NOT in the standard library paths, you need to use the parameter KRB5_PLUGIN_GSSAPI_LIBRARY. Uncomment it and update its value with the full path of libgssapi_krb5.so.
- KRB5_PLUGIN_DEBUG
- This parameter is used for debugging the plugin only. For normal operation this line must be commented out, or plugin performance is impacted.
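Because an invalid entry prevents the plugin from running and changes only take effect after an S-TAP restart, it helps to check guardkerbplugin.conf before restarting. The following is an added example, not part of the product or of this documentation. The names `parse` and `lint` are hypothetical, the definition of "invalid entry" is an assumption, and the world-readable keytab warning is an extra check that the page does not describe.

```python
import glob
import os
import stat
import sys

KNOWN_KEYS = {"KRB5RCACHETYPE", "KRB5_KTNAME", "KRB5_CONFIG", "KRB5_PLUGIN_CCACHE",
              "KRB5_PLUGIN_GSSAPI_LIBRARY", "KRB5_PLUGIN_DEBUG"}

def parse(text):
    """Return (entries, errors); '#' lines and blank lines are ignored, as the page states."""
    entries, errors = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        # Assumption: "invalid" = not KEY=VALUE, an empty value, or a key this page does not list.
        if not sep or not value or key not in KNOWN_KEYS:
            errors.append(f"line {n}: invalid entry {raw!r}")
        else:
            entries[key] = value
    return entries, errors

def lint(text):
    """Return (errors, warnings) for the contents of guardkerbplugin.conf."""
    entries, errors = parse(text)
    warnings = []
    for key in ("KRB5_KTNAME", "KRB5_CONFIG"):
        path = entries.get(key)
        if path and not os.path.isfile(path):
            errors.append(f"{key}: no such file {path}")
        elif path and key == "KRB5_KTNAME" and os.stat(path).st_mode & stat.S_IROTH:
            warnings.append(f"KRB5_KTNAME: {path} is world-readable")  # added check, not from the page
    # Multiple cache paths are separated by ';' (V10.1.4 and higher).
    for pattern in filter(None, entries.get("KRB5_PLUGIN_CCACHE", "").split(";")):
        if os.path.basename(pattern).strip("*?") == "":
            warnings.append(f"KRB5_PLUGIN_CCACHE: {pattern} is too broad and impacts performance")
        elif not glob.glob(pattern):
            warnings.append(f"KRB5_PLUGIN_CCACHE: {pattern} matches no files right now")
    lib = entries.get("KRB5_PLUGIN_GSSAPI_LIBRARY", "")
    if "/" in lib and not os.path.isfile(lib):  # a bare name is resolved on the library search path
        errors.append(f"KRB5_PLUGIN_GSSAPI_LIBRARY: no such file {lib}")
    if "KRB5_PLUGIN_DEBUG" in entries:
        warnings.append("KRB5_PLUGIN_DEBUG is active; comment it out for normal operation")
    return errors, warnings

if __name__ == "__main__" and len(sys.argv) > 1:  # usage: script.py /path/to/guardkerbplugin.conf
    errs, warns = lint(open(sys.argv[1]).read())
    print("\n".join(["ERROR " + e for e in errs] + ["WARN  " + w for w in warns]) or "ok")
    sys.exit(1 if errs else 0)
```

Run against the unedited default file, it reports the `/path/to/...` placeholders as missing files.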