
Provisioning an instance of Guardium External S-TAP

Before you can use the Guardium External S-TAP service, you must provision a service instance. Each provisioned instance corresponds to one cloud database that you want to proxy through Guardium®.

Before you begin

About this task

Any Cloud Pak for Data user with the can_provision permission can provision an instance of the External S-TAP service. Each instance proxies a single cloud database through Guardium.

Procedure

  1. Open the New service instance for External S-TAP page.
    1. From the Cloud Pak for Data home page, in the Overview section, select View all under My Instances.
    2. Select New instance and, under Select a service, select Guardium External S-TAP®.
    3. Click the Guardium External S-TAP text or logo to open the description page, and then click New instance to open the New service instance page for the External S-TAP service.

    The New service instance page contains a number of subpages. For each External S-TAP instance that you want to provision, enter the information on each subpage, and then click Next to continue.

  2. From the Instance details page, provide the following information and then click Next to continue.
    • Name - Required. A name for this External S-TAP instance.
    • Namespace - Required. Select the Kubernetes namespace for this instance.
    • Description
  3. From the Storage page, enter the following details for persistent storage.
    • Use existing storage - The External S-TAP service requires an existing persistent volume claim (PVC), so Use existing storage is always selected.
    • Claim name - Select the PVC to use for storage.
  4. Under the General page, enter information about the deployment and image.
    • Deployment name - Required. A unique name for this deployment.
    • Secret - Required. An existing Kubernetes secret. You can use the default secret, estap-secret, specify a different Kubernetes secret, or modify the default secret. For more information, see Managing certificates.
    • Replicas - Use the slider to select the number of replicas of this instance to create. The default is 2.
    • NodePort - Use the slider to select the port number on which to create the NodePort. When you deploy External S-TAP, the deployment creates a load balancer that uses the specified NodePort.
      Note: If you select a port that is already in use, the deployment fails. Use kubectl to determine which ports are already allocated before you choose one.
    • Service account name - A service account provides an identity for the processes that run in a Kubernetes pod. Specify the service account name that your site uses to create Kubernetes pods. If you do not have a service account name, use default.
    • Registry path - Required. Specify the path of the registry that contains the External S-TAP image. The registry must be accessible from the namespace.
    • Image label - Required. Specify the label of the External S-TAP image in the registry.
    • Image tag - Required. Specify the tag of the External S-TAP image. The tag selects the particular External S-TAP image to use in the deployment. Make sure that the image tag you specify is intended to be deployed with the installed assembly version.
  5. From the Database and proxy page, provide the following information.
    • Enter information for the back-end database service parameters:
      • Database host - Required. Specify the hostname or IP address of the database instance whose client connections the External S-TAP monitors.
      • Database port - Required. Use the slider to select the port on which the specified database listens for client connections.
      • Database type - Required. Specify the type of database to monitor. The string must be one of the documented allowable database type strings for IBM Guardium External S-TAP. For more information, see System Requirements/ Platforms supported for IBM Guardium v11.2.
      • Debug - Enables debug logging for troubleshooting. Leave debug set to 0 (off) except when debugging and troubleshooting. When debug is on, decrypted traffic might be stored in the logs and the additional logging might impact the performance of the External S-TAP.
    • Enter information for the general proxy parameters:
      • Proxy secret token - Specify the key of the token, retrieved from the Guardium collector, that is stored in the Kubernetes secret you selected on the General page. The proxy secret token is required only if you are retrieving or signing certificates from a Guardium collector. For more information, see Managing certificates.
      • Proxy group UUID - Specify a unique identifier that groups the replicas together in the Guardium appliance. If you do not specify a UUID, one is generated randomly.
      • Worker threads - Specify the number of threads that each External S-TAP container uses, up to the number of cores available on the Kubernetes worker nodes.
      • Proxy protocol expected - When enabled, the External S-TAP expects a proxy protocol v1 packet at the beginning of each client connection. If the packet is not present, the connection fails. The External S-TAP removes the proxy protocol packet from the data stream before it relays the connection to the back-end service.
      • Disconnect on invalid certificate - When enabled, the External S-TAP disconnects from a client or server that presents an invalid certificate.
      • Notify on invalid certificate - When enabled, send an alert that a client or server with an invalid certificate has attempted to contact the External S-TAP.
      • Internal container listen port - Select the port on which the External S-TAP listens inside the container.
    • Enter information for the proxy certificate signing request (CSR) parameters. This information is required only if you are retrieving or signing certificates from a Guardium collector. For more information, see Managing certificates.
      • CSR Common Name - The common name for the CSR.
      • CSR Country - The country or region for the CSR.
      • CSR Province - The state or province for the CSR.
      • CSR City - The city or locality for the CSR.
      • CSR Organization - The organization or business name for the CSR.
      • Key length - Specify the key length for the CSR key.
  6. From the Collector page, provide information about the primary Guardium collector and up to nine secondary collectors.
    For the primary collector, provide the following information:
    • Primary Guardium collector host - Specify the hostname or IP of the Guardium appliance to which the External S-TAPs will connect.
    • Primary Guardium collector port - Select the base port on which this Guardium appliance accepts UNIX protocol traffic.
    • Primary Guardium collector connection pool size - Specify the number of auxiliary threads that the External S-TAP creates to send data to the Guardium appliance.
    • Primary Guardium collector number of main threads - Specify the number of main threads created by External S-TAP to communicate with the Guardium appliance.
      Main threads are used to participate in load balancing with options 1 and 4. When multiple main threads are available, the S-TAP connects multiple times to the same collector and threads the read end of its intercepted traffic across those connections. This is a shortcut for specifying the same collector multiple times as a secondary collector.
      Note: Set the number of main threads to greater than 1 only when the collector has the capacity for the extra connections.
    • Participate in load balancing with Guardium collectors - Select one of the following load balancing options for External S-TAP.
      • 0 - No load balancing (default). Traffic is sent to one live collector. The primary collector has the highest priority.
      • 1 - Split sessions between collectors. Traffic is split between servers.
      • 2 - Duplicate traffic to all collectors. Traffic is sent to all servers.
      • 3 - Hardware load balancing with a load balancer such as F5. S-TAP sends traffic to the load balancer, which forwards it to one of the collectors in the pool.
      • 4 - Split sessions between collectors (multi-threading). Traffic is managed (and split) by multiple S-TAP threads.

    Each External S-TAP instance can support up to nine additional collectors. For each of the remaining collectors, you can either provide information for that collector, or leave the Secondary Guardium collector host field blank to ignore the collector.

    • Secondary Guardium collector host - A secondary hostname or IP address of a Guardium appliance to which the External S-TAPs can connect. If you leave this field blank, the secondary collector is ignored.
    • Secondary Guardium collector port - Select the base port on which this Guardium appliance accepts UNIX protocol traffic.
    • Secondary Guardium collector connection pool size - Specify the number of auxiliary threads that the External S-TAP creates to send data to the Guardium appliance.
    • Secondary Guardium collector number of main threads - Specify the number of main threads created by External S-TAP to communicate with the Guardium appliance.
  7. Use the Probes and Limits page to configure the liveness and readiness probes and a few other options. In general, you do not need to change any of these options.
    • Liveness probe options:
      • Probe command - The name of the script that determines whether the container is considered live.
      • Initial delay - Enter the time (in seconds) to wait before running the probe. The minimum is 1 and the maximum is 60.
      • Period - Select the time (in seconds) between probe runs (default = 10). The minimum is 1 and the maximum is 600.
      • Failure threshold - Number of consecutive failed probes before the container is restarted (default = 4). The minimum is 1 and the maximum is 10.
    • Readiness probe options:
      • Probe command - The name of the script that determines if the container is considered ready.
      • Initial delay - Enter the time (in seconds) to wait before running the probe. The minimum is 1 and the maximum is 60.
      • Period - Select the time (in seconds) between probe runs (default = 5). The minimum is 1 and the maximum is 600.
      • Failure threshold - Number of consecutive failed probes before the pod is marked not ready (default = 5). The minimum is 1 and the maximum is 10.
    • Limits:
      • CPU request - Default = 500m
      • Memory request - Default = 500Mi
      • CPU limit - Default = 500m
      • Memory limit - Default = 500Mi
      • Image pull policy - Default = IfNotPresent
    • Advanced External S-TAP feature options:
      • Override server IP - If you enter a hostname or IP address, it replaces the server IP that is recorded in the Guardium appliance for intercepted traffic.
      • SQLGuard Certificate Common Name - If you provide a common name (CN), the External S-TAP checks it against the certificate presented by the Guardium appliance before it connects. If the CN does not match, the External S-TAP does not communicate with the Guardium appliance.
      • Guardium certificate authority path - Enter the path to the CA certificate that the External S-TAP will use to verify the connection to the Guardium appliance.
  8. From the Summary page, review all of your settings, and then click Create to create this External S-TAP instance.
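The note on the NodePort field says to use kubectl to find a port that is not already in use. The following Python script is an added example, not part of this page or of the External S-TAP product, that checks a candidate port against the NodePorts already claimed by Services in the cluster. It assumes the kube-apiserver default NodePort range of 30000-32767 (configurable with --service-node-port-range) and, so that it runs offline, embeds a constructed sample of `kubectl get svc -A -o json` output; with `--live` it runs kubectl instead.

```python
"""Check whether a NodePort is free before provisioning External S-TAP.

Added example, not product code. Reads `kubectl get svc -A -o json` (or the
constructed sample below) and reports which service, if any, already owns
the candidate port.
"""
import json
import subprocess
import sys

# Assumption: the kube-apiserver default --service-node-port-range.
DEFAULT_NODEPORT_RANGE = (30000, 32767)

# Constructed sample of `kubectl get svc -A -o json`, trimmed to the fields used.
SAMPLE_KUBECTL_JSON = json.dumps({
    "items": [
        {
            "metadata": {"name": "ingress", "namespace": "kube-system"},
            "spec": {"type": "NodePort",
                     "ports": [{"port": 80, "nodePort": 30080},
                               {"port": 443, "nodePort": 30443}]},
        },
        {
            "metadata": {"name": "api", "namespace": "default"},
            "spec": {"type": "ClusterIP", "ports": [{"port": 8080}]},
        },
    ]
})


def allocated_nodeports(kubectl_json: str) -> dict:
    """Return {nodePort: "namespace/service"} for every port a Service claims.

    NodePort and LoadBalancer services both carry spec.ports[].nodePort;
    ClusterIP services have no nodePort key and are skipped.
    """
    used = {}
    for svc in json.loads(kubectl_json).get("items", []):
        meta = svc["metadata"]
        for port in svc.get("spec", {}).get("ports", []):
            if "nodePort" in port:
                used[port["nodePort"]] = f"{meta['namespace']}/{meta['name']}"
    return used


def check_nodeport(port: int, kubectl_json: str,
                   port_range=DEFAULT_NODEPORT_RANGE):
    """Return (ok, reason) for a candidate NodePort."""
    lo, hi = port_range
    if not lo <= port <= hi:
        return False, f"{port} is outside the NodePort range {lo}-{hi}"
    used = allocated_nodeports(kubectl_json)
    if port in used:
        return False, f"{port} is already allocated to service {used[port]}"
    return True, f"{port} is free"


def live_kubectl_json() -> str:
    """Fetch the real Service list; needs kubectl and cluster credentials."""
    return subprocess.run(
        ["kubectl", "get", "svc", "-A", "-o", "json"],
        check=True, capture_output=True, text=True,
    ).stdout


if __name__ == "__main__":
    # usage: check_nodeport.py PORT [--live]
    candidate = int(sys.argv[1])
    data = live_kubectl_json() if "--live" in sys.argv else SAMPLE_KUBECTL_JSON
    ok, reason = check_nodeport(candidate, data)
    print(reason)
    sys.exit(0 if ok else 1)
```

Run it with the port you intend to enter in the NodePort slider; a non-zero exit means the deployment would fail for that port. Querying all namespaces matters because a NodePort is cluster-wide, so a collision with a Service in another namespace still breaks the deployment.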

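The Proxy protocol expected option on the Database and proxy page describes a precise contract: every client connection must begin with a PROXY protocol v1 header, a connection without one fails, and the header is stripped before the bytes are relayed to the database. The following Python module is an added example, not External S-TAP code, that implements that contract for TCP4, TCP6 and UNKNOWN headers. The sample input is a constructed header followed by a PostgreSQL SSLRequest packet; the 107-byte limit is the one the PROXY protocol v1 specification sets, and how the real product reads or buffers the header is not described on this page.

```python
"""PROXY protocol v1 handling as described for "Proxy protocol expected".

Added example, not External S-TAP code. At the start of each client
connection: require a v1 header, fail the connection if it is absent or
malformed, and strip it before relaying the payload to the back end.
"""
import ipaddress

# The v1 specification bounds a header, CRLF included, to 107 bytes.
PROXY_V1_MAX_LEN = 107

# Constructed sample: v1 header, then a PostgreSQL SSLRequest packet
# (int32 length 8, int32 code 80877103 = 0x04d2162f).
SAMPLE_WITH_HEADER = (b"PROXY TCP4 192.168.1.10 10.0.0.5 51234 5432\r\n"
                      b"\x00\x00\x00\x08\x04\xd2\x16\x2f")


class ProxyProtocolError(ValueError):
    """Raised when the expected PROXY v1 header is missing or malformed."""


def strip_proxy_v1(stream: bytes):
    """Split the first bytes of a connection into (header_info, payload).

    `stream` is assumed to hold at least the whole header (a real proxy
    reads until it sees CRLF or passes 107 bytes). The returned payload is
    what should be relayed to the back-end database.
    """
    if not stream.startswith(b"PROXY "):
        raise ProxyProtocolError("connection did not begin with a PROXY v1 header")
    end = stream.find(b"\r\n", 0, PROXY_V1_MAX_LEN)
    if end == -1:
        raise ProxyProtocolError("no CRLF within the 107-byte v1 header limit")
    try:
        header = stream[:end].decode("ascii")  # v1 headers are ASCII only
    except UnicodeDecodeError as exc:
        raise ProxyProtocolError("non-ASCII byte in PROXY header") from exc
    payload = stream[end + 2:]
    fields = header.split(" ")

    if fields[1] == "UNKNOWN":
        # Sender could not learn the original addresses; relay, record nothing.
        return {"family": "UNKNOWN"}, payload

    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ProxyProtocolError(f"malformed PROXY header: {header!r}")
    _, family, src_ip, dst_ip, src_port, dst_port = fields
    want_version = 4 if family == "TCP4" else 6
    try:
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    except ValueError as exc:
        raise ProxyProtocolError(f"bad address in PROXY header: {exc}") from exc
    if src.version != want_version or dst.version != want_version:
        raise ProxyProtocolError("address family does not match the TCP4/TCP6 tag")
    ports = []
    for text in (src_port, dst_port):
        if not text.isdigit() or not 0 <= int(text) <= 65535:
            raise ProxyProtocolError(f"bad port in PROXY header: {text!r}")
        ports.append(int(text))

    info = {"family": family, "src_ip": str(src), "dst_ip": str(dst),
            "src_port": ports[0], "dst_port": ports[1]}
    return info, payload


def connection_is_acceptable(stream: bytes) -> bool:
    """Mirror the documented behaviour: no valid header, no connection."""
    try:
        strip_proxy_v1(stream)
        return True
    except ProxyProtocolError:
        return False


if __name__ == "__main__":
    info, payload = strip_proxy_v1(SAMPLE_WITH_HEADER)
    print("client", info["src_ip"], info["src_port"], "->", info["dst_ip"], info["dst_port"])
    print("bytes relayed to the database:", payload)
```

The practical consequence for the form: enable Proxy protocol expected only when the load balancer in front of the External S-TAP is configured to send the v1 header, because a client that connects directly, or through a balancer that does not send it, is rejected as shown by the first bytes of its database handshake not matching `PROXY `.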
Results

From the Cloud Pak for Data console, you can now configure and use External S-TAPs to monitor your data with Guardium.

What to do next

After you provision an External S-TAP instance, add a connection from your database to the External S-TAPs. You can connect to any target database that Guardium External S-TAP supports. For more information about connecting to data sources, see Connecting to data sources. For information about supported databases, see System Requirements/ Platforms supported for IBM Guardium v11.2.