Linux and UNIX systems: Oracle configuration for A-TAP

A-TAP Procedure when working with Oracle Patch Installations

Oracle patches may invoke relink and will replace the Oracle executable, causing the A-TAP to stop functioning.

The correct procedure is:
  1. Make sure all A-TAP instances are deactivated
  2. Apply Oracle patch(es).
  3. Activate A-TAP
However, in case A-TAP was not properly deactivated prior to Oracle patch installation, DO NOT try to deactivate it after patch installation. Instead follow these steps:
  1. Check if A-TAP IS OK. 
    grep guardium $ORACLE_HOME/bin/oracle >& /dev/null && echo "ATAP IS OK"
    1. If ATAP IS OK is displayed, the A-TAP is still active and there is no need to do anything.
    2. If ATAP IS OK is NOT displayed, remove $ORACLE_HOME/bin/oracle-guard and activate the A-TAP.
In case everything else fails:
  • Remove $ORACLE_HOME/bin/oracle-guard
  • Run relink all

A-TAP Problems And Solutions associated with Oracle Permissions

Several problem may occur that have to do with user and group permissions.
  • In 'BEQUEATH' access from the user other than the one that installed the database the permissions have to be set manually:
    • add user running sqlplus to group 'guardium'
    • open the read permissions 'chmod a+rx' on the following two directories: 
      /usr/local/guardium/xxx/etc/guard
/usr/local/guardium/xxx/etc/guard/executor
    • make sure that the SUID and SGID bits are on ${ORACLE_HOME}/bin/oracle.
      • If not, run the command chmod ug+s ${ORACLE_HOME}/bin/oracle')
  • If the UID or EUID are not members of OWNER group GID, the reason for permission denied is that the user matching UID or EUID does not belong to group matching OWNER GID.
  • To make it easier, not having to handle different OS syntaxes for adding users and groups, while disabling the automatic addition to group Guardium, two commands are available within guardctl which can be used irrespective of the method you use to activate ATAP (i.e. guardctl or guard_tap.ini):
    • #/path/to/guardium/bin/guardctl is-user-authorized
    • #/path/to/guardium/bin/guardctl authorize-user ...
Note: Group Guardium can be removed on most OS's with groupdel guardium. However, after removal, only the guard_ktap_loader parameter can correctly re-create it and change the K-TAP device permissions.
Parent topic: Linux and UNIX systems: Configuring and Activating A-TAP in Special Environments