Linux-UNIX: Configuring Informix Exit

The Informix exit module enables S-TAP® to monitor any Informix database activities, whether encrypted or not and whether local or remote. It does not require A-TAP or K-TAP.

About this task

Informix Exit embeds a Guardium® library into the Informix database and communicates with the S-TAP via a Guardium shared library.

By default, Guardium supports up to 10 total Exit inspection engines (combined total of all Exit types). If you use more than one type of Exit, the combined maximum is 10. For more information, see the exit_libs_num_threads parameter in Linux-UNIX: General parameters.

Informix Exit shared libraries are part of the Guardium Unix S-TAP installation. S-TAP includes 64-bit Exit libraries for 64-bit OS version and 32-bit Exit libraries for 32-bit OS version.
  • libguard_informix_exit_64.so
  • libguard_informix_exit_32.so (available for RHEL6 on the i686 CPU only)
When you install the S-TAP, it copies libraries in the standard library paths, and creates links, for example:
  • It copies libraries in the standard library paths:
    • Shell Installation: <guardium_installation_directory>/guard_stap
    • GIM Installation: < guardium_installation_directory>/modules/STAP/current/files
  • It creates links, for example:
    • /usr/lib64/libguard_informix_exit_64.so -> libguard_informix_exit_64.so.<release number>
    • /usr/lib/libguard_informix_exit_32.so -> libguard_informix_exit_32.so.<release number>
The digits after .so. reflect the release number. These digits were introduced in V10.6. (In previous releases, Lib files do not include release numbers.)

Guardium supported platforms database details exactly what can be monitored by Informix Exit.

If there is no other database to monitor then K-TAP is not required. Set ktap_installed=0 in guard_tap.ini, or with GIM: set ktap_enabled to no. You can upgrade the Linux OS and the S-TAP without being concerned about K-TAP module compatibility. However, if there is another database that needs monitoring by S-TAP, then K-TAP is required. You must ensure that a compatible K-TAP module is available when you upgrade your Linux version.

When upgrading S-TAP from v10.6.0.0 and higher, database restart is not required. You can upgrade S-TAP while the database is running. The EXIT library from previous version is used until you restart the database, When you restart the database, it starts using the updated exit library. If there are any issues addressed in the new library that you are waiting for, you must restart the database.

Procedure

  1. Install and start up the S-TAP agent on the database server and configure an inspection engine for the informix exit protocol. See Linux-UNIX: Installing, upgrading and uninstalling S-TAP agents and Linux-UNIX: Inspection engine parameters.
  2. Log in as user informix to the database and locate its instance name (INFORMIXSERVER) and its installation directory (INFORMIXDIR) by running these Unix commands:
    $ echo $INFORMIXSERVER
    INFORMIXSERVER=test117
    $ echo $INFORMIXDIR
    INFORMIXDIR=/home/informix
  3. As user root, make sure the user informix is in the guardium group. If the user is not in the group guardium, use the guardctl utility to add the user to the group, for example:
    /usr/local/guardium/bin/guardctl authorize-user informix
    or with UNIX (AIX only):
    # chgroup users=informix guardium
  4. Copy libguard_informix_exit to the system standard library PATH (/usr/lib64 or /usr/lib).
  5. As user informix, create a link to the informix_exit library by running the command:
    ln -fs /usr/lib64/libguard_informix_exit_64.so $INFORMIXDIR/lib/libguard_informix_exit_64.so
    This allows Informix to use the version-independent symbolic link that was created during S-TAP installation.
  6. To enable Informix_exit monitoring you must start the ifxguard process. To start this process for first time run this command as user informix:
    ifxguard -p $INFORMIXDIR/lib/libguard_informix_exit_64.so -l $INFORMIXDIR/tmp/ifxguard.msg.txt
    After the ifxguard process starts, it automatically creates two files: one for configuration and one for messaging. The configuration file is created under
    $INFORMIXDIR/etc/ifxguard.$INFORMIXSERVER
    with these lines:
    NAME in2rh5u7_guard
    LOGFILE /home/informix12/tmp/ifxguard.msg.txt
    WORKERS 4
    LIBPATH /home/informix12/lib/libguard_informix_exit_64.so
  7. Set up Zones/WPARs.
    1. In the secondary Zone or WPAR, install same version of S-TAP that is already installed in global, with K-TAP disabled.
    2. On Zone or WPARs, add Db2 EXIT IE in the guard_tap.ini or configure using GUI.
    3. If discovery automatically created any inspection engines, delete them.
  8. To restart the process in case the exit was reconfigured, the process hangs, or is not responding:
    1. Disable ifxguard, as user informix, run the command: ifxguard -k
      The output prints:ifxguard in2rh5u7_guard successfully shut down
    2. To restart ifxguard after successful setup, as user informix, run the command ifxguard.
      The output prints:ifxguard set instance name in2rh5u7_guard Starting ifxguard in2rh5u7_guard ...
      check log file: /home/informix12/tmp/ifxguard.msg.txt
  9. Restart the S-TAP.