Linux-Unix: Db2 Exit integration with S-TAP

The Db2 exit module enables S-TAP to monitor any Db2 database activities, whether encrypted or not and whether local or remote. It does not require A-TAP or K-TAP.

About this task

Db2 exit loads a Guardium shared library into the Db2 database engine; that library passes the database activity to the S-TAP.

Db2 Exit shared libraries are part of the Guardium Unix S-TAP installation. S-TAP ships both a 32-bit and a 64-bit library:
  • libguard_db2_exit_32.so
  • libguard_db2_exit_64.so
When you install the S-TAP, it places the libraries in the installation directory and creates links to them in the standard library paths:
  • Installation directory:
    • Shell installation: <guardium_installation_directory>/guard_stap
    • GIM installation: <guardium_installation_directory>/modules/STAP/current/files
  • Links in the standard library paths, for example:
    • /usr/lib/libguard_db2_exit_32.so -> libguard_teradata_db2_32.so.<release number>
    • /usr/lib64/libguard_db2_exit_64.so -> libguard_teradata_db2_64.so.<release number>
The digits after .so. are the release number. They were introduced in V10.6; in earlier releases the library files carry no release number.

Linux-Unix: S-TAP monitoring mechanisms support matrix details exactly what can be monitored by Db2 Exit.

If Db2 Exit is the only monitoring mechanism needed on the server, K-TAP is not required: set ktap_installed=0 in guard_tap.ini, or with GIM set ktap_enabled to no. Without K-TAP you can upgrade the Linux OS and the S-TAP without being concerned about K-TAP kernel module compatibility. If another database on the server must be monitored by S-TAP through K-TAP, K-TAP remains required, and you must ensure that a compatible K-TAP module is available before you upgrade your Linux version.

When upgrading S-TAP from v10.6.0.0 or higher, a database restart is not required: you can upgrade S-TAP while the database is running. Db2 keeps using the exit library from the previous version until you restart the database; after the restart it loads the updated exit library that ships with the new S-TAP. If the new library contains a fix you are waiting for, you must therefore restart the database to pick it up.

Use the Db2 exit health check script to gather information from the Db2 server when configuring the Db2 inspection engines (IEs). The script is located in the guard_stap bin directory (if you are running an S-TAP version prior to v10.6, obtain the script from Technical Support) and can be run from anywhere by using its full path: db2_exit_health_check.sh [ check | fix ]. By default it prints some of the IE parameters for each DB2_EXIT IE and runs checks on the IE configuration. Use the fix option to correct the IE parameters.

Procedure

  1. Install and start the S-TAP agent on the database server and configure an inspection engine for the db2_exit protocol. See Linux-Unix: Before you start installing S-TAP and Linux-Unix: Inspection engine parameters.
  2. If S-TAP is already installed and configured with A-TAP:
    1. Stop Db2 by entering db2stop force; ipclean
    2. Deactivate the A-TAP by entering /opt/IBM/guardium/module/modules/ATAP/current/files/bin/guardctl db_instance=<db_instance> deactivate
    3. Configure the IE (inspection engine) for DB2_EXIT as usual, either in guard_tap.ini or in the GUI. (Make sure any previously configured IE with db_type=DB2_EXIT is completely removed first.)
    4. Verify that the db_install_dir parameter of the DB2_EXIT IE is set to the Db2 instance home, that is, the value of $DB2_HOME (or $HOME) in the Db2 instance owner's environment.
    5. Restart the S-TAP with the new configuration.
  3. Determine whether the Db2 instance is 32-bit or 64-bit. Log in as root and run db2level. The output is similar to:
    DB21085I Instance db2inst1 uses 64 bits and DB2 code release SQL09070, with level identifier 08010107
  4. Locate the directory Db2 uses for the communication buffer exit library (DB2PATH):
    1. Log in as the Db2 instance owner (user trip in this example)
    2. In the Db2 CLP, run get database manager configuration
    3. In the output, look for the default database path:
      Default database path (DFTDBPATH) = /DB2/trip
      The DFTDBPATH value is what the following steps refer to as DB2PATH.
  5. As the Db2 OS user, create the commexit directory under DB2PATH by entering one of these commands. (This is done only the first time you set up Db2 for exit.)
    • 32-bit environment: mkdir $DB2PATH/sqllib/security/plugin/commexit
    • 64-bit environment: mkdir $DB2PATH/sqllib/security64/plugin/commexit
  6. As the Db2 OS user, link the S-TAP library into that directory. For a 64-bit environment, run: ln -fs /usr/lib64/libguard_db2_exit_64.so $DB2PATH/sqllib/security64/plugin/commexit/libguard_db2_exit_64.so (for a 32-bit environment, use the /usr/lib/libguard_db2_exit_32.so library and the security/plugin/commexit directory).
  7. As root, add the Db2 OS user to the Guardium group.
    The Guardium group is created during S-TAP installation. Access to the shared memory regions that the S-TAP creates is restricted to members of this group, which is why the Db2 OS user must belong to it.
    1. If the Db2 user is trip, check whether trip is already authorized. Run guardctl from the A-TAP directory as root:
      # /opt/IBM/guardium/module/modules/ATAP/current/files/bin/guardctl is-user-authorized trip
      User 'trip' is authorized.
    2. If the user is not authorized, authorize it now:
      # /opt/IBM/modules/STAP/current/guardctl authorize-user trip
  8. Enable the Db2 exit in Db2, so that it sends the database activity to the S-TAP.
    1. Log in as the Db2 OS user and enable the exit library with the Db2 CLP (on a 32-bit instance, name libguard_db2_exit_32 instead):
      db2 UPDATE DBM CFG USING COMM_EXIT_LIST libguard_db2_exit_64
    2. Verify that the Db2 exit is enabled by entering:
      db2 get database manager configuration
      The output should include:
      Communication buffer exit library list (COMM_EXIT_LIST) = libguard_db2_exit_64
  9. Set up Zones/WPARs, if the database runs in one.
    1. In the non-global zone or WPAR, install the same version of S-TAP that is already installed in the global zone, with K-TAP disabled.
    2. In the zone or WPAR, add the DB2_EXIT IE in guard_tap.ini or configure it in the GUI.
    3. If any IEs were created automatically by discovery, delete them.
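The procedure above boils down to a handful of facts that must agree with each other: the instance bit width from db2level, the DFTDBPATH from the database manager configuration, the link in the commexit directory pointing at the S-TAP library, the COMM_EXIT_LIST value, and the Db2 OS user's membership in the Guardium group. The following POSIX sh script is an added example that verifies those facts; it is not IBM's db2_exit_health_check.sh and does not touch the inspection engine configuration. Everything is parsed from command output as text, so each check can be exercised offline on constructed sample output. Two assumptions are not stated on this page and are marked in the code: the Guardium group is assumed to be named guardium, and the live runner assumes the instance owner's login profile makes db2level and db2 available on the PATH.

```shell
#!/bin/sh
# Added example (not IBM's db2_exit_health_check.sh): checks the Db2 exit wiring
# described in the procedure above. Text parsing is deliberate so the checks can
# run offline on sample output as well as on a live server.
# Assumption: the Guardium group is named "guardium" (override via in_group's 2nd arg).

# Bit width ("32" or "64") from the db2level DB21085I line; accepts the quoted form too.
db2_bits() { # $1: db2level output
    printf '%s\n' "$1" | sed -n 's/.*uses "*\([0-9][0-9]*\)"* bits.*/\1/p' | head -n 1
}

# Value of one "(KEYWORD) = value" line from `db2 get dbm cfg` output, trailing blanks stripped.
dbm_cfg_value() { # $1: cfg text, $2: keyword, e.g. DFTDBPATH or COMM_EXIT_LIST
    printf '%s\n' "$1" | sed -n "s/.*($2) *= *//p" | head -n 1 | sed 's/[[:space:]]*$//'
}

# Directory where Db2 looks for the communication exit library for this bit width.
commexit_dir() { # $1: DB2PATH, $2: bits
    if [ "$2" = 64 ]; then
        printf '%s/sqllib/security64/plugin/commexit\n' "$1"
    else
        printf '%s/sqllib/security/plugin/commexit\n' "$1"
    fi
}

# Library the S-TAP installer leaves in the standard library path for this bit width.
stap_lib() { # $1: bits
    if [ "$1" = 64 ]; then
        printf '/usr/lib64/libguard_db2_exit_64.so\n'
    else
        printf '/usr/lib/libguard_db2_exit_32.so\n'
    fi
}

# State of the link in commexit: ok | missing | wrong-target | dangling.
check_link() { # $1: DB2PATH, $2: bits, $3: expected link target (default: stap_lib)
    want=${3:-$(stap_lib "$2")}
    link="$(commexit_dir "$1" "$2")/libguard_db2_exit_$2.so"
    if [ ! -L "$link" ] && [ ! -e "$link" ]; then
        echo missing; return 1
    fi
    got=$(readlink "$link" 2>/dev/null || true)
    if [ "$got" != "$want" ]; then
        echo wrong-target; return 1
    fi
    if [ ! -e "$link" ]; then            # link is right but the S-TAP library is absent
        echo dangling; return 1
    fi
    echo ok
}

# COMM_EXIT_LIST must name the library that matches the instance bit width.
check_comm_exit() { # $1: cfg text, $2: bits -> ok | unset | mismatch
    val=$(dbm_cfg_value "$1" COMM_EXIT_LIST)
    case "$val" in
        "")                    echo unset;    return 1 ;;
        libguard_db2_exit_$2)  echo ok ;;
        *)                     echo mismatch; return 1 ;;
    esac
}

# Db2 OS user must be in the Guardium group; input is the output of `id -nG <user>`.
in_group() { # $1: space-separated group list, $2: group name (default: guardium, assumed)
    for g in $1; do
        [ "$g" = "${2:-guardium}" ] && return 0
    done
    return 1
}

# Live run as root on the database server. Assumes the instance owner's login
# profile sources sqllib/db2profile so db2level and db2 are on the PATH.
run_live() { # $1: Db2 instance owner, e.g. trip
    level=$(su - "$1" -c 'db2level')
    cfg=$(su - "$1" -c 'db2 get dbm cfg')
    bits=$(db2_bits "$level")
    db2path=$(dbm_cfg_value "$cfg" DFTDBPATH)
    echo "bits=$bits DB2PATH=$db2path"
    echo "commexit link:  $(check_link "$db2path" "$bits")"
    echo "COMM_EXIT_LIST: $(check_comm_exit "$cfg" "$bits")"
    if in_group "$(id -nG "$1")"; then
        echo "guardium group: ok"
    else
        echo "guardium group: $1 is not a member"
    fi
}
```

Run it as root with `. ./db2_exit_check.sh; run_live trip` (the file name is the example's own). A wrong-target result usually means the link was created against the 32-bit library on a 64-bit instance or vice versa; dangling means the S-TAP library itself is missing from /usr/lib or /usr/lib64, which points at the S-TAP installation rather than the Db2 side.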