Linux and UNIX systems: DB2 Exit integration with S-TAP
The DB2 exit mechanism enables Guardium to pick up all DB2 traffic, whether encrypted or not and whether local or remote. It does not require A-TAP or K-TAP.
About this task
DB2 exit embeds a Guardium library into DB2 via the DB2_Exit mechanism. The DB2_Exit communicates directly with the Guardium S-TAP to forward all DB2 traffic, whether encrypted or not, and both local and remote. DB2 exit captures TCP as well as SHM traffic. Enabling UID chain with DB2 exit consumes much less CPU than UID chain with K-TAP.
The DB2 exit library is a dynamically linked library that the DB2 database loads when the database starts.
DB2 exit supports firewall (from STAP 10.1.2, also requires DB2 version 10.1 or later), terminate, and UID chain.
If there is no other Inspection Engine (IE) on the S-TAP that requires K-TAP, then you don't need to load K-TAP: set ktap_installed=0 in guard_tap.ini, or with GIM set ktap_enabled to no, in the GIM dialog for that STAP. You can upgrade the Linux OS and the STAP without being concerned about K-TAP module compatibility. However, if there is another IE in the S-TAP that requires the K-TAP module, you must ensure that a compatible K-TAP module is available when you upgrade your Linux version.
- DB2 Exit does not support Guardium data masking (scrub/redact)
- The Guardium firewall (V10.1.2 and later) requires DB2 version 10.1 or later
- Stored Procedures: DB2 Exit monitors stored procedures. Since Guardium does not know what is in the stored procedure, SQL from inside the procedure is not captured.
To upgrade the S-TAP:
1. Stop DB2.
2. Upgrade the S-TAP.
3. Copy the latest DB2 exit library to the DB2 commexit directory.
4. Start DB2.

To patch the DB2 database:
1. Stop DB2.
2. Patch the DB2 database.
3. If the DB2 configuration was overwritten, re-enable DB2 exit with: db2 UPDATE DBM CFG USING COMM_EXIT_LIST libguard_db2_exit_64
4. Start DB2.
The Guardium installer has two versions of the DB2 EXIT library: 32- and 64-bit. Use the one that matches your installed DB2. Both versions are in the Guardium installation directory in the lib sub-directory. On Linux servers, the 64-bit version is in lib64.
DB2 versions V101FP4 and V105FP3 support UID chain.
Library names
- libguard_db2_exit_32.so
- libguard_db2_exit_64.so
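
Both the S-TAP upgrade and the DB2 patch procedures above can leave DB2 running without monitoring, either because a stale library remains in the commexit directory or because COMM_EXIT_LIST was overwritten. The following check is an added example, not part of the Guardium product or the original page. The function names, the directory arguments and the use of saved `db2 get dbm cfg` output are assumptions to adapt to your installation.

```shell
#!/bin/sh
# Added example: verify DB2 exit is in place after an S-TAP upgrade or a DB2 patch.
# All directory arguments are assumptions; pass your own installation's paths.

# comm_exit_value CFG_FILE
# Print the COMM_EXIT_LIST value found in saved "db2 get dbm cfg" output.
comm_exit_value() {
    sed -n 's/.*(COMM_EXIT_LIST)[[:space:]]*=[[:space:]]*//p' "$1" | tr -d '[:space:]'
}

# comm_exit_enabled CFG_FILE LIB
# True when LIB (name without .so) is an entry of COMM_EXIT_LIST.
comm_exit_enabled() {
    case ",$(comm_exit_value "$1")," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# lib_in_sync GUARD_LIB_DIR COMMEXIT_DIR LIB
# True when the copy DB2 loads is byte-identical to the one the S-TAP installer shipped.
lib_in_sync() {
    [ -f "$1/$3.so" ] && [ -f "$2/$3.so" ] && cmp -s "$1/$3.so" "$2/$3.so"
}

# check_db2_exit GUARD_LIB_DIR COMMEXIT_DIR LIB CFG_FILE
# Report every problem found; return non-zero if monitoring may be inactive.
check_db2_exit() {
    rc=0
    if ! lib_in_sync "$1" "$2" "$3"; then
        echo "FAIL: $2/$3.so is missing or differs from $1/$3.so; copy the latest library"
        rc=1
    fi
    if ! comm_exit_enabled "$4" "$3"; then
        echo "FAIL: COMM_EXIT_LIST does not list $3; re-enable it with UPDATE DBM CFG"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $3 is current and enabled"
    fi
    return "$rc"
}

# Usage as the DB2 instance owner, before starting DB2:
#   db2 get dbm cfg > dbm.cfg
#   sh check_db2_exit.sh <guardium_dir>/lib64 <commexit_dir> libguard_db2_exit_64 dbm.cfg
if [ "$#" -eq 4 ]; then
    check_db2_exit "$@"
fi
```

Running the check as the last step before starting DB2 catches both failure modes while the database is still down.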