How To
Summary
Guardium S-TAP only sees network traffic and passes it on to the sniffer on the Guardium appliance. When a Kerberos ticket is used for login to a database server, S-TAP passes that Kerberos ticket along to the sniffer. For some database server types, the sniffer can determine the database user from the Kerberos login traffic and no additional information is required. For other types, the sniffer needs some assistance. That function is performed by the S-TAP Kerberos plugin.
Objective
This is the list of database servers where Kerberos authentication is supported.

Environment
Below is an example of an S-TAP Kerberos plugin configuration for Oracle:
Steps
1. Run the following commands to find Kerberos settings in the Oracle environment:
grep -i KERB $ORACLE_HOME/network/admin/sqlnet.ora
output is similar to:
SQLNET.AUTHENTICATION_SERVICES = (BEQ,KERBEROS5PRE,KERBEROS5)
SQLNET.KERBEROS5_CONF = /etc/krb5.conf # kerberization
SQLNET.KERBEROS5_KEYTAB = /var/servicekeytab/oracleiaase00009848
SQLNET.FALLBACK_AUTHENTICATION = TRUE
SQLNET.KERBEROS5_CONF_MIT = TRUE
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE = oracle
oklist|grep -i cache
output is similar to: /tmp/krb5cc_500
Note that this may only cover local Kerberos connections. For remote connections, look for the credential cache files owned by oracle in the /var/tmp directory, which usually have a .CC extension.
2. Guardium S-TAP includes a Kerberos plugin which is not enabled by default and requires additional configuration.
Enable it by setting a value for kerberos_plugin_dir in the S-TAP configuration file guard_tap.ini, which is located:
in S-TAP shell installation - kerberos_plugin_dir=<guardium_base>/guard_stap
in GIM installation - kerberos_plugin_dir=<guardium_base>/modules/STAP/current
3. Set the following parameters in the guardkerbplugin.conf file, located in the same directory, based on the output of step 1:
# Kerberos values
KRB5RCACHETYPE=none
KRB5_KTNAME= /var/servicekeytab/oracleiaase00009848
KRB5_CONFIG=/etc/krb5.conf
#Plugin values
KRB5_PLUGIN_CCACHE=/tmp/krb5cc_* :/var/tmp/*.CC
#KRB5_PLUGIN_GSSAPI_LIBRARY=/usr/lib64/libgssapi_krb5.so.2.2
#KRB5_PLUGIN_DEBUG=0
KRB5_PLUGIN_DISABLE_GSSAPI=1
4. Restart the S-TAP process.
To troubleshoot Kerberos plugin issues, enable S-TAP and Kerberos plugin debug as shown below, then restart the S-TAP process:
tap_debug_output_level=4 in the guard_tap.ini file
KRB5_PLUGIN_DEBUG=1 in the guardkerbplugin.conf file
Then analyze the content of the /tmp/guard_stap.stderr.txt file.
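As an added example (not IBM's own tooling), the following POSIX shell script performs the step 1 to step 3 mapping: it reads SQLNET.KERBEROS5_KEYTAB and SQLNET.KERBEROS5_CONF from sqlnet.ora, checks that KERBEROS5 is among the enabled authentication services, and renders the matching guardkerbplugin.conf lines. The function names and the sample sqlnet.ora content are constructed for this illustration and reuse the paths shown in the steps above.

```shell
#!/bin/sh
# Added example, not IBM's own tooling: derive the guardkerbplugin.conf
# Kerberos values from sqlnet.ora (step 1 -> step 3). Function names and
# the sample sqlnet.ora content are constructed for this illustration.

# Read one parameter from sqlnet.ora: first match wins; the trailing
# "# comment", surrounding whitespace and any quotes are stripped.
sqlnet_param() {  # $1 = sqlnet.ora path, $2 = parameter name
    grep -i "^[[:space:]]*$2[[:space:]]*=" "$1" | head -n 1 \
      | sed -e 's/#.*$//' -e 's/^[^=]*=[[:space:]]*//' \
            -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# Emit the guardkerbplugin.conf lines used in step 3 for the given keytab,
# krb5.conf and credential-cache patterns (from oklist and /var/tmp).
render_plugin_conf() {  # $1 = keytab, $2 = krb5.conf, $3 = ccache patterns
    printf '%s\n' \
      '# Kerberos values' \
      'KRB5RCACHETYPE=none' \
      "KRB5_KTNAME=$1" \
      "KRB5_CONFIG=$2" \
      '#Plugin values' \
      "KRB5_PLUGIN_CCACHE=$3" \
      'KRB5_PLUGIN_DISABLE_GSSAPI=1'
}

# Build the plugin config from sqlnet.ora. Emit nothing and fail when
# KERBEROS5 is not an enabled authentication service or a path is missing.
build_plugin_conf() {  # $1 = sqlnet.ora path
    services=$(sqlnet_param "$1" SQLNET.AUTHENTICATION_SERVICES)
    case "$services" in
        *KERBEROS5*) ;;
        *) echo "KERBEROS5 not enabled in $1" >&2; return 1 ;;
    esac
    keytab=$(sqlnet_param "$1" SQLNET.KERBEROS5_KEYTAB)
    conf=$(sqlnet_param "$1" SQLNET.KERBEROS5_CONF)
    [ -n "$keytab" ] && [ -n "$conf" ] || return 1
    render_plugin_conf "$keytab" "$conf" '/tmp/krb5cc_* :/var/tmp/*.CC'
}

# Constructed sample sqlnet.ora matching the step 1 output above.
SAMPLE_SQLNET=$(mktemp)
trap 'rm -f "$SAMPLE_SQLNET"' EXIT
cat > "$SAMPLE_SQLNET" <<'EOF'
SQLNET.AUTHENTICATION_SERVICES = (BEQ,KERBEROS5PRE,KERBEROS5)
SQLNET.KERBEROS5_CONF = /etc/krb5.conf # kerberization
SQLNET.KERBEROS5_KEYTAB = /var/servicekeytab/oracleiaase00009848
SQLNET.KERBEROS5_CONF_MIT = TRUE
EOF
build_plugin_conf "$SAMPLE_SQLNET"
```

Run it against the real $ORACLE_HOME/network/admin/sqlnet.ora and compare the output with the existing guardkerbplugin.conf before restarting S-TAP.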
Document Information
Modified date:
08 January 2021
UID
ibm16398596