Troubleshooting
Problem
This article demonstrates how to activate Guardium ATAP to capture Oracle 11.2 and 12c traffic on AIX 7.1 server
Resolving The Problem
An excerpt taken from Guardium product manual which highlights no instrumentation is needed for Oracle 11.2. It also applies to Oracle 12c.
Instrumentation is not required in the following case: Oracle version 11.2 for ASO encryption
Oracle12c ASO is supported in v9.x through ATAP. ATAP can be activated from the GUI or using guardctl . The former is concise and straightforward.
If you have multiple oracle DB instances to configure, you will need to activate each instance separately by specifying db_home=$ORACLE_HOME.
Method 1 : Configure ATAP and and activate using GUI
- Step 1: Verify ktap_installed=1 in guard_tap.ini file
- Step 2: As root, login to oracle12c DB server and shutdown the database.
- Step 3: Authorize oracle DB owner oracle12 to access guardium
[root@host guard_stap]# /usr/local/guardium/guard_stap/guardctl authorize_user oracle12
Authorizing user 'oracle12' to log traffic
Verify if user oracle12 is authorized already, run this:
[root@host guard_stap]# /usr/local/guardium/guard_stap/guardctl is_user_authorized oracle12
User 'oracle12' is authorized.
- Step 4: Activate ATAP from S-TAP Control > Edit S-TAP Configuration screen in GUI by checking Encryption box in Inspection Engine.
- Step 5: Restart oracle DB server
Enabling encryption in the inspection engine is only supported on AIX, HP-UX, and Solaris. It is not supported in Linux, WPAR, or zones environments. For latter, you may enable encryption using encryption=1 in the guard_tap.ini file.
Method 2 : Configure ATAP and activate using guardctl
- Step 1: Verify ktap_installed=1 in guard_tap.ini file
- Step 2: As root, login to oracle12c DB server and shutdown the database.
- Step 3: Configure ATAP
- Step 4: Authorize oracle DB owner oracle12 to access guardium
- Step 5: Activate ATAP
- Step 6: Restart oracle DB server
- Using shell installer - Example:
[root@host guard_stap]# /usr/local/guardium/guard_stap/guardctl db_instance=$ORACLE_SID db_home=$ORACLE_HOME db_type=oracle db_user=oracle12 db_version=12 store-conf
Using GIM installation:
[root@host guard_stap]# /usr/local/guardium/modules/ATAP/current/files/bin/guardctl db_instance=$ORACLE_SID db_home=$ORACLE_HOME db_type=oracle db_user=oracle12 db_version=12 store-conf
- Using shell installer - Example:
[root@host guard_stap]# /usr/local/guardium/guard_stap/guardctl authorize_user oracle12
Authorizing user 'oracle12' to log traffic
Using GIM installation:
[root@host guard_stap]# /usr/local/guardium/modules/ATAP/current/files/bin/guardctl authorize_user oracle12
Authorizing user 'oracle12' to log traffic
[root@host guard_stap]# /usr/local/guardium/guard_stap/guardctl is_user_authorized oracle12
User 'oracle12' is authorized.
- Using shell installer - Example:
[root@host guard_stap]# /usr/local/guardium/guard_stap/guardctl db_instance=$ORACLE_SID activate
Using GIM installation
[root@host guard_stap]# /usr/local/guardium/modules/ATAP/current/files/bin/guardctl db_instance=$ORACLE_SID activate
Note:
If you activate and encounter the following message, it means you might have run instrument previously.
ERROR: Database has not been instrumented yet - please run 'instrument'
To verify if you had run instrument previously, run:
Using shell installer - Example:
[root@host guard_stap]# /usr/local/guardium/guard_stap/guardctl db_instance=$ORACLE_SID dump-params
Using GIM installation
[root@host guard_stap]# /usr/local/guardium/modules/ATAP/current/files/bin/guardctl db_instance=$ORACLE_SID dump-params
If instrumented is yes, then add “db-use-instrumented=no” to store-conf command like this:
Using shell installer - Example:
[root@host guard_stap]# /usr/local/guardium/guard_stap/guardctl db_instance=$ORACLE_SID db_home=$ORACLE_HOME db_type=oracle db_user=oracle12 db_version=12 db_use_instrumented=no store-conf
Using GIM installation:
[root@host guard_stap]# /usr/local/guardium/modules/ATAP/current/files/bin/guardctl db_instance=$ORACLE_SID db_home=$ORACLE_HOME db_type=oracle db_user=oracle12 db_version=12 db_use_instrumented=no store-conf
then reactivate ATAP:
Using shell installer - Example:
[root@host guard_stap]# /usr/local/guardium/guard_stap/guardctl db_instance=$ORACLE_SID activate
Using GIM installation
[root@host guard_stap]# /usr/local/guardium/modules/ATAP/current/files/bin/guardctl db_instance=$ORACLE_SID activate
[{"Product":{"code":"SSMPHH","label":"IBM Security Guardium"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Guardium Database Activity Monitor","Platform":[{"code":"PF002","label":"AIX"}],"Version":"10.0;10.1;10.1.2;10.1.3;9.1;9.5","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]
Was this topic helpful?
Document Information
Modified date:
16 June 2018
UID
swg21700818