External S-TAP

IBM® Guardium® External S-TAP® is a component of Guardium that can intercept traffic for cloud and on-premises database services without installing an agent on the database server. You can either deploy an External S-TAP with Kubernetes on the OpenShift® platform or manually (without Kubernetes).

External S-TAP intercepts traffic between clients and the database server, and forwards a copy of the traffic to a Guardium collector for analysis and policy application. Once installed and running, External S-TAPs support many S-TAP policies, including redaction, S-GATE, and S-TAP Terminate. For more information about applying policy rules, see Policy rule actions.

As shown in Figure 1, you can use External S-TAP with Kubernetes with either cloud or on-premises databases. If your site does not use Kubernetes, you can deploy External S-TAPs manually, as shown in Figure 2. For more information, see External S-TAP requirements.

Figure 1. External S-TAP overview with Kubernetes
Through Kubernetes, data from client data stores is load balanced and sent to one or more External S-TAP monitors. Data from the External S-TAP is sent to both the Guardium collector and the host data store, which can also be on-premises or in the cloud.

As shown in Figure 1, all elements of a Guardium system that use External S-TAP can be either on premises or in the cloud. If your site uses Kubernetes, then Kubernetes takes care of many housekeeping issues such as balancing the software load and managing Docker containers. In the Kubernetes deployment configuration, specify the Docker image to use for the pods. To verify the collector certificates, as described in Verify collector certificates (optional), specify your private repository along with the derived Docker image name and tag. If your site does not use Kubernetes, you need to download the External S-TAP Docker container and deploy a load-balancing solution through a hardware appliance or software. For more information, see Load balancer scripts.
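As an illustration of the load-balanced Kubernetes deployment in Figure 1, here is a minimal Deployment and Service in which the pods run a derived image pulled from a private repository. This is an added example, not a manifest from the Guardium documentation or product; the resource names, registry host, image name and tag, pull-secret name, replica count, and port are assumptions, and the External S-TAP runtime settings themselves are supplied as described in External S-TAP deployment scripts.

```yaml
# Added example (not IBM's): Kubernetes Deployment plus Service for External S-TAP pods.
# Every name, the registry host, image name/tag, replica count and port are placeholders.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: external-stap                  # assumed name
spec:
  replicas: 2                          # Kubernetes spreads client connections across these pods
  selector:
    matchLabels:
      app: external-stap
  template:
    metadata:
      labels:
        app: external-stap
    spec:
      imagePullSecrets:
        - name: private-registry-credentials   # assumed secret holding your repository credentials
      containers:
        - name: external-stap
          # Derived image (base image plus your collector certificate) pushed to a private
          # repository; replace the PLACEHOLDER values with your own repository, name and tag.
          image: registry.example.internal/guardium/external-stap-derived:PLACEHOLDER_TAG
          ports:
            - containerPort: 5432      # assumption: the database port the S-TAP listens on
          # Runtime settings (collector address, database type, and so on) are configured as
          # described in External S-TAP deployment scripts and are intentionally not shown here.
---
apiVersion: v1
kind: Service
metadata:
  name: external-stap                  # clients connect to this address instead of the database
spec:
  type: LoadBalancer                   # connections are balanced across the External S-TAP pods
  selector:
    app: external-stap
  ports:
    - port: 5432                       # assumption: same port as the containerPort above
      targetPort: 5432
```

Clients connect to the Service address; each pod forwards the traffic to the host data store and sends a copy to the Guardium collector.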

As an alternative to deploying the External S-TAP with Kubernetes, you can use Helm charts to simplify the deployment. For more information, see Deploying External S-TAP with Helm.

For information about installing External S-TAP without Kubernetes, see Deploying External S-TAP manually.
Figure 2. External S-TAP overview, manual installation
Data from client data stores is sent to a load balancer and then to one or more External S-TAP monitors. Data from the External S-TAP is sent to both the Guardium collector and the host data store, which can also be on-premises or in the cloud.

As shown in Figure 2, all elements of a Guardium system that use External S-TAP can be either on premises or in the cloud. External S-TAP is highly configurable. During deployment, you can configure most options, as discussed in External S-TAP deployment scripts. Load balancing can be done through either a hardware appliance or software. For more information about deploying a load-balancing solution, see Load balancer scripts.

The Guardium External S-TAP Docker container

Docker containers provide a way to package software solutions so that you can easily download and manage them. Depending on your site configuration, a Guardium External S-TAP Docker container can be downloaded either directly from Docker Hub or, for computers without internet access, from a private image repository.

A Docker container runs an image, which is a packaged software solution (in this case, an External S-TAP) that is installed on the host that runs the External S-TAP, not on the database server. You can install multiple containers on the machine that serves as the External S-TAP host.

You can choose to derive the Docker container image by using a Dockerfile. By deriving the image, you can specify a single Guardium collector certificate (or set of related certificates) that you can use to deploy the External S-TAP. For more information, see Verify collector certificates (optional).

Before you deploy an External S-TAP

Assuming that your site is already using Guardium, the following steps are needed for each database where you want to run an External S-TAP container.
  1. If your site manages encrypted traffic (that is, is SSL-enabled), you need to work with a certificate authority (CA) to prepare the Guardium collector with the appropriate security certificates. This step can take some time, since you need to work with an outside company (the CA). For more information, see SSL certificates for External S-TAP. If your environment is not SSL-enabled, you can skip this step.
  2. Make sure that a Linux® environment is available. Docker must be installed and running under Linux. For more information, see https://www.docker.com/ and Download the Docker container.
  3. Prepare to deploy an External S-TAP:
    • If your site uses Kubernetes, you can deploy an External S-TAP via the user interface. To deploy with Kubernetes from the Guardium UI, use one of the following services:
      • Amazon Elastic Container Service for Kubernetes (Amazon EKS)
      • Microsoft Azure Kubernetes Service (AKS).
      For more information, see Deploying External S-TAP from the Guardium UI.
    • If your site does not use Kubernetes, you need to run scripts to deploy both a load balancer and the External S-TAP. Skip the section on deploying the External S-TAP with Kubernetes and go directly to Deploying External S-TAP manually.

After you deploy the External S-TAP, it runs automatically. You can manage the External S-TAP from the Guardium UI. For more information, see The External S-TAP user interface.