IBM Support

IBM Security Guardium - KTAP module causing STAP install failure in Oracle Exadata environment

Troubleshooting


Problem

I am trying a GIM-based STAP installation on Exadata servers, but STAP fails to install with errors related to KTAP.

Symptom

The GIM.log file shows the following error:

guard_ktap_loader: Cannot install ktap at this time, please contact IBM. (exit_code : 1) at /usr/local/modules/KTAP/current/rc line 890. (errno: 255)
Failure location : at /usr/local/modules/GIM/10.1.4_r103106_1-1524808446/GIM.pm line 793.)

Cause

Newer Exadata models are moving to a RHEL 7-based operating system on which UEFI Secure Boot is enabled by default. With Secure Boot active, the kernel enforces module signature verification: every kernel module that is loaded (device drivers included) must be signed by a key the kernel trusts, and a module it cannot verify is refused with "Required key not available". The Guardium KTAP kernel module shipped unsigned at the time, so STAP installations and upgrades failed.

Diagnosing The Problem

The detailed errors in GIM.log show that no local build of KTAP was attempted (the kernel development package for the running kernel is absent), that the closest prebuilt module was extracted instead, and that the module still failed to install:

I- Failure point : start (Can't start KTAP-10.1.4_r103106_1-1524811879 :
Searching for modules in /usr/local/modules/KTAP/10.1.4_r103106_1-1524811879/modules-*.tgz
guard_ktap_loader: File /lib/modules/4.1.12-94.7.8.el6uek.x86_64/build/.config not found. Local build of KTAP will not
guard_ktap_loader: be attempted. Please install kernel development packages for 4.1.12-94.7.8.el6uek.x86_64 if you wish
guard_ktap_loader: to build KTAP locally.
best fit module for 4.1.12-94.7.8.el6uek.x86_64 is ktap-10.1.4_r103106_v10_1_4_1-oe6u8x64m-4.1.12-94.3.5.el6uek.x86_64-x86_64-SMP.ko
Extracted module ktap-10.1.4_r103106_v10_1_4_1-oe6u8x64m-4.1.12-94.3.5.el6uek.x86_64-x86_64-SMP.ko from /usr/local/modules/KTAP/10.1.4_r103106_1-1524811879/modules-10.1.4_r103106_v10_1_4_1.tgz
guard_ktap_loader: Cannot install ktap at this time, please contact IBM. (exit_code : 1) at /usr/local/modules/KTAP/current/rc line 890. (errno: 255)
Failure location : at /usr/local/modules/GIM/10.1.4_r103106_1-1524808446/GIM.pm line 793.)..

The following messages appear in ktap_install.log. "Required key not available" is the kernel's ENOKEY error: module signature enforcement is active and none of the kernel's trusted keys verifies ktap.ko. Note that the loader's modprobe --force only overrides the version-magic and modversion checks; it cannot bypass signature enforcement.

FATAL: Error inserting ktap (/lib/modules/4.1.12-94.7.8.el6uek.x86_64/kernel/drivers/misc/ktap.ko): Required key not available
/sbin/modprobe --force ktap ktap_build_number=103106 sys_call_table_addr=ffffffff81a7dc20 ia32_sys_call_table_addr=ffffffff81a7eb00 kernel_toc_addr= kernel_gp_addr=
FATAL: Error inserting ktap (/lib/modules/4.1.12-94.7.8.el6uek.x86_64/kernel/drivers/misc/ktap.ko): Required key not available
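To make this triage repeatable, the following is an added shell example (not IBM's code, and not part of GIM or STAP). It classifies a ktap_install.log or GIM.log excerpt, pulls out the kernel release the loader targeted and, when run as root on the server with --run, reports the Secure Boot state, the signer recorded in a given ktap.ko and whether the Guardium key is already in the kernel keyring. The sample log text embedded in it is a constructed copy of the lines quoted above; mokutil and modinfo are assumed to be installed.

```shell
#!/bin/sh
# Triage for a Guardium KTAP load failure on a Secure Boot host.
# Added example, not IBM's code. The log strings are the ones quoted in this
# article; the live checks assume mokutil/modinfo as shipped with Oracle Linux
# and must run as root on the database server.

# Constructed excerpts (copied from the logs above) so the parsers can be
# exercised without a failing Exadata at hand.
sample_ktap_log() {
    printf '%s\n' \
        'FATAL: Error inserting ktap (/lib/modules/4.1.12-94.7.8.el6uek.x86_64/kernel/drivers/misc/ktap.ko): Required key not available' \
        '/sbin/modprobe --force ktap ktap_build_number=103106 sys_call_table_addr=ffffffff81a7dc20 ia32_sys_call_table_addr=ffffffff81a7eb00 kernel_toc_addr= kernel_gp_addr=' \
        'FATAL: Error inserting ktap (/lib/modules/4.1.12-94.7.8.el6uek.x86_64/kernel/drivers/misc/ktap.ko): Required key not available'
}
sample_gim_log() {
    printf '%s\n' \
        'guard_ktap_loader: File /lib/modules/4.1.12-94.7.8.el6uek.x86_64/build/.config not found. Local build of KTAP will not' \
        'guard_ktap_loader: be attempted. Please install kernel development packages for 4.1.12-94.7.8.el6uek.x86_64 if you wish' \
        'guard_ktap_loader: Cannot install ktap at this time, please contact IBM. (exit_code : 1) at /usr/local/modules/KTAP/current/rc line 890. (errno: 255)'
}

# Classify one log file. "Required key not available" is strerror(ENOKEY):
# the kernel enforces module signatures and trusts no key that verifies
# ktap.ko. A missing build/.config only means the prebuilt module was used;
# it is not by itself the reason the load was refused.
classify_ktap_failure() {
    if grep -q 'Required key not available' "$1"; then
        echo secure-boot-unsigned-module
    elif grep -q 'build/.config not found' "$1"; then
        echo missing-kernel-headers
    else
        echo unknown
    fi
}

# Kernel release the loader tried to insert the module into.
ktap_kernel_from_log() {
    sed -n 's#.*/lib/modules/\([^/]*\)/.*#\1#p' "$1" | head -n 1
}

# Live check: is the firmware enforcing Secure Boot?
secure_boot_state() {
    if command -v mokutil >/dev/null 2>&1; then
        mokutil --sb-state
    else
        # efivarfs layout: 4 attribute bytes, then the 1-byte SecureBoot value
        var=$(ls /sys/firmware/efi/efivars/SecureBoot-* 2>/dev/null | head -n 1)
        [ -n "$var" ] || { echo "no EFI variables (legacy BIOS boot?)"; return; }
        case "$(od -A n -t u1 -j 4 -N 1 "$var" | tr -d ' ')" in
            1) echo "SecureBoot enabled" ;;
            *) echo "SecureBoot disabled" ;;
        esac
    fi
}

# Live check: signer recorded in the module's appended signature, if any.
module_signer() {
    signer=$(modinfo -F signer "$1" 2>/dev/null)
    echo "${signer:-(unsigned)}"
}

# Live check: is the Guardium key already trusted by the running kernel?
guardium_key_loaded() {
    grep -q 'IBM Guardium Secure Boot Signing' /proc/keys 2>/dev/null
}

if [ "${1:-}" = "--run" ]; then
    log="${2:?usage: $0 --run <ktap_install.log or GIM.log> [ktap.ko]}"
    echo "failure class  : $(classify_ktap_failure "$log")"
    echo "target kernel  : $(ktap_kernel_from_log "$log")"
    echo "running kernel : $(uname -r)"
    echo "secure boot    : $(secure_boot_state)"
    [ -n "${3:-}" ] && echo "module signer  : $(module_signer "$3")"
    if guardium_key_loaded; then
        echo "Guardium key   : in kernel keyring"
    else
        echo "Guardium key   : not enrolled (see Resolving The Problem)"
    fi
fi
```

A target kernel that differs from uname -r points at a stale log or a kernel update since the failure; "secure-boot-unsigned-module" together with "SecureBoot enabled" and an empty or non-Guardium signer is the situation this article describes.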

Resolving The Problem

Loading signed kernel modules on Exadata Linux servers with Secure Boot turned on:

Starting with revision 10.5.0_r104955, Guardium STAP installation supports Exadata servers with Secure Boot on: the KTAP kernel module is signed with the IBM Guardium Secure Boot signing key. For the kernel to accept that signature, the Guardium public key must be enrolled in the server's Machine Owner Key (MOK) list before STAP is installed; the steps below describe the enrollment. Key enrollment is required only for the first installation of STAP/KTAP under Secure Boot. Subsequent upgrades use the same key, provided the kernel is not updated.


Guardium key enrollment procedure for systems requiring signed kernel modules

Note: the key enrollment procedure requires administrative (root) privileges on the DB server and access to the system console.

Step 1) Download STAP from Fix Central and extract guardium_module_signing.der from the .zip file (it is in the folder named "Kernel_Signing").

Step 2) Copy guardium_module_signing.der to the Exadata server.

Step 3) On the Exadata server, execute:
mokutil --import guardium_module_signing.der
NOTE: mokutil prompts for a one-time password. You will be asked for the same password on the next reboot, after the BIOS POST but before the kernel boots (in the shim's MOK Manager), to confirm the enrollment.

Step 4) Ensure that you have access to the system console: the MOK Manager prompt is shown only there, before the operating system starts.

Step 5) Reboot the system when possible. During boot, the shim displays the MOK management screen; press a key within 10 seconds to enter it. From the screen shown, select "Enroll MOK":

[Screenshot: MOK management screen]

Step 6) Select "View key 0" (or the highest-numbered key, if other keys have been added).

Note: the key was imported in Step 3. If several keys are pending, enroll the most recently added one.

Step 7) Ensure that the key shown is the Guardium key you imported in Step 3: compare its subject and SHA-1 fingerprint with the certificate in guardium_module_signing.der before enrolling it.

Step 8) Select 'Continue', and 'Yes' to Enroll the Key.

Step 9) Enter the password you provided in Step 3.

[Screenshot: enroll key confirmation]

Step 10) Reboot the system. After the reboot, confirm the key's presence in the kernel keyring by executing the following command (mokutil --list-enrolled shows the same key from the firmware side):

cat /proc/keys | grep Guardium

Example output:

06dd7037 I------ 2 perm 1f010000 0 0 asymmetri IBM Guardium Secure Boot Signing: d0609780bff59335919e575279c9b20b6728ca93: X509.RSA 6728ca93
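The enrollment and post-reboot verification from the procedure above, as an added shell example that is not IBM's code and not part of the STAP package. It assumes mokutil, openssl and modinfo are on the PATH, takes the paths to guardium_module_signing.der and to the installed ktap.ko as arguments, and embeds constructed sample data (the /proc/keys line shown above and an invented mokutil --list-enrolled excerpt whose fingerprint is made up) so the parsing functions can be exercised without a Secure Boot host. It also checks something the manual procedure does not: that the ktap.ko on disk is actually signed by the key that was enrolled.

```shell
#!/bin/sh
# Guardium MOK enrollment and verification helpers for Secure Boot hosts.
# Added example, not IBM's tooling. Assumes mokutil, openssl and modinfo are
# installed; the caller passes the paths to guardium_module_signing.der and to
# the installed ktap.ko. Run as root on the database server.

# Lower-case hex without separators, so fingerprints from openssl ("AB:CD"),
# mokutil ("ab:cd") and a hand-typed value compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f'
}

# SHA-1 fingerprint of a DER certificate (what mokutil lists), normalized.
cert_fingerprint() {
    normalize_fp "$(openssl x509 -inform DER -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//')"
}

# Read `mokutil --list-enrolled` or `mokutil --list-new` output on stdin;
# succeed if a key with the given SHA-1 fingerprint is listed.
mok_list_has_fp() {
    want=$(normalize_fp "$1")
    while IFS= read -r line; do
        case "$line" in
            *"SHA1 Fingerprint:"*)
                [ "$(normalize_fp "${line#*:}")" = "$want" ] && return 0
                ;;
        esac
    done
    return 1
}

# Read /proc/keys on stdin; print the serial of the Guardium signing key and
# fail if the running kernel does not hold it in any keyring.
guardium_key_serial() {
    awk '/asymmetri/ && /IBM Guardium Secure Boot Signing/ { print $1; found = 1 }
         END { exit !found }'
}

# Step 3: stage the key. mokutil asks for a one-time password that MokManager
# will ask for again on the next boot; --list-new shows what is pending.
stage_guardium_key() {
    mokutil --import "$1"
    echo "Pending MOK enrollment (confirm in MokManager on the console at next boot):"
    mokutil --list-new
}

# Final step, after the reboot: confirm the key is in the MOK list and in the
# kernel keyring, and that the KTAP module on disk is actually signed by it.
verify_guardium_enrollment() {
    der="$1"; ko="$2"
    fp=$(cert_fingerprint "$der")
    mokutil --list-enrolled | mok_list_has_fp "$fp" || { echo "key $fp is not enrolled in MOK"; return 1; }
    serial=$(guardium_key_serial < /proc/keys) || { echo "key not loaded into the kernel keyring"; return 1; }
    echo "Guardium key enrolled and trusted (kernel key serial $serial)"
    case "$(modinfo -F signer "$ko" 2>/dev/null)" in
        *"IBM Guardium"*) echo "$ko is signed by the Guardium key" ;;
        *) echo "$ko is unsigned or signed by another key; modprobe will still fail"; return 1 ;;
    esac
}

# Constructed sample data for offline checks: the /proc/keys line shown above
# and an invented --list-enrolled excerpt (the fingerprint value is made up).
SAMPLE_PROC_KEYS='06dd7037 I------ 2 perm 1f010000 0 0 asymmetri IBM Guardium Secure Boot Signing: d0609780bff59335919e575279c9b20b6728ca93: X509.RSA 6728ca93'
SAMPLE_MOK_LIST='[key 1]
SHA1 Fingerprint: aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd
Certificate:
    Data:
        Version: 3 (0x2)
        Subject: CN=IBM Guardium Secure Boot Signing'

case "${1:-}" in
    stage)  stage_guardium_key "$2" ;;
    verify) verify_guardium_enrollment "$2" "$3" ;;
esac
```

Usage: `sh enroll_check.sh stage /path/to/guardium_module_signing.der` before the reboot, then `sh enroll_check.sh verify /path/to/guardium_module_signing.der /lib/modules/$(uname -r)/kernel/drivers/misc/ktap.ko` afterwards. The fingerprint comparison is what makes Step 7 objective: the key MokManager shows is accepted only if its SHA-1 fingerprint matches the .der file that was downloaded from Fix Central.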



Note: Oracle Support has published a known bug (https://support.oracle.com/knowledge/Sun%20Microsystems/2933437_1.html) that can remove previously enrolled application keys, including the Guardium key, from Oracle Exadata systems. If that happens, KTAP again fails to load with "Required key not available". As a temporary workaround, repeat the steps above to re-enroll the Guardium key so that the KTAP module can load; the permanent solution is to patch the Oracle software.

Bear in mind that disabling Secure Boot removes the firmware and kernel checks that reject unsigned or tampered boot loaders, kernels and modules; enrolling the Guardium key keeps those checks in place. If you nevertheless prefer that route, steps to disable the Secure Boot facility on the Oracle Exadata server can be found at:


Document Information

Modified date:
25 April 2023

UID

swg22016425