IBM Support

Activate Guardium ATAP to capture Oracle 12C ASO traffic on AIX 7.1 server

Troubleshooting


Problem

This article demonstrates how to activate Guardium ATAP to capture Oracle 11.2 and 12c traffic on an AIX 7.1 server.

Resolving The Problem

The following excerpt from the Guardium product manual states that no instrumentation is needed for Oracle 11.2. The same applies to Oracle 12c.

Instrumentation is not required in the following case: Oracle version 11.2 for ASO encryption


Oracle 12c ASO is supported in v9.x through ATAP. ATAP can be activated from the GUI or with guardctl. The former is concise and straightforward.

If you have multiple Oracle DB instances to configure, you must activate each instance separately by specifying db_home=$ORACLE_HOME.


Method 1: Configure ATAP and activate using the GUI
  • Step 1: Verify ktap_installed=1 in the guard_tap.ini file.
  • Step 2: As root, log in to the Oracle 12c DB server and shut down the database.
  • Step 3: Authorize the Oracle DB owner oracle12 to access Guardium.

    As root:

            [root@host guard_stap]# /usr/local/guardium/guard_stap/guardctl authorize_user oracle12
            Authorizing user 'oracle12' to log traffic

    To verify whether user oracle12 is already authorized, run:

            [root@host guard_stap]# /usr/local/guardium/guard_stap/guardctl is_user_authorized oracle12
            User 'oracle12' is authorized.
  • Step 4: Activate ATAP from the S-TAP Control > Edit S-TAP Configuration screen in the GUI by checking the Encryption box in the Inspection Engine.

    Enabling encryption in the inspection engine is only supported on AIX, HP-UX, and Solaris. It is not supported in Linux, WPAR, or zones environments. For the latter, you may enable encryption using encryption=1 in the guard_tap.ini file.
  • Step 5: Restart the Oracle DB server.



Method 2: Configure ATAP and activate using guardctl
  • Step 1: Verify ktap_installed=1 in the guard_tap.ini file.
  • Step 2: As root, log in to the Oracle 12c DB server and shut down the database.
  • Step 3: Configure ATAP.

    Using shell installer - Example:

            [root@host guard_stap]# /usr/local/guardium/guard_stap/guardctl db_instance=$ORACLE_SID db_home=$ORACLE_HOME db_type=oracle db_user=oracle12 db_version=12 store-conf

    Using GIM installation:

            [root@host guard_stap]# /usr/local/guardium/modules/ATAP/current/files/bin/guardctl db_instance=$ORACLE_SID db_home=$ORACLE_HOME db_type=oracle db_user=oracle12 db_version=12 store-conf
  • Step 4: Authorize the Oracle DB owner oracle12 to access Guardium.

    Using shell installer - Example:

            [root@host guard_stap]# /usr/local/guardium/guard_stap/guardctl authorize_user oracle12
            Authorizing user 'oracle12' to log traffic

    Using GIM installation:

            [root@host guard_stap]# /usr/local/guardium/modules/ATAP/current/files/bin/guardctl authorize_user oracle12
            Authorizing user 'oracle12' to log traffic

    To verify whether user oracle12 is already authorized, run:

            [root@host guard_stap]# /usr/local/guardium/guard_stap/guardctl is_user_authorized oracle12
            User 'oracle12' is authorized.
  • Step 5: Activate ATAP.

    Using shell installer - Example:

            [root@host guard_stap]# /usr/local/guardium/guard_stap/guardctl db_instance=$ORACLE_SID activate

    Using GIM installation:

            [root@host guard_stap]# /usr/local/guardium/modules/ATAP/current/files/bin/guardctl db_instance=$ORACLE_SID activate
  • Step 6: Restart the Oracle DB server.


    Note:
    If you encounter the following message when you activate, you might have run instrument previously.

            ERROR: Database has not been instrumented yet - please run 'instrument'

    To verify whether you ran instrument previously, run:

    Using shell installer - Example:

            [root@host guard_stap]# /usr/local/guardium/guard_stap/guardctl db_instance=$ORACLE_SID dump-params

    Using GIM installation:

            [root@host guard_stap]# /usr/local/guardium/modules/ATAP/current/files/bin/guardctl db_instance=$ORACLE_SID dump-params

    If instrumented is yes, add db_use_instrumented=no to the store-conf command, like this:

    Using shell installer - Example:

            [root@host guard_stap]# /usr/local/guardium/guard_stap/guardctl db_instance=$ORACLE_SID db_home=$ORACLE_HOME db_type=oracle db_user=oracle12 db_version=12 db_use_instrumented=no store-conf

    Using GIM installation:

            [root@host guard_stap]# /usr/local/guardium/modules/ATAP/current/files/bin/guardctl db_instance=$ORACLE_SID db_home=$ORACLE_HOME db_type=oracle db_user=oracle12 db_version=12 db_use_instrumented=no store-conf

    Then reactivate ATAP:

    Using shell installer - Example:

            [root@host guard_stap]# /usr/local/guardium/guard_stap/guardctl db_instance=$ORACLE_SID activate

    Using GIM installation:

            [root@host guard_stap]# /usr/local/guardium/modules/ATAP/current/files/bin/guardctl db_instance=$ORACLE_SID activate
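
The Method 2 sequence for a server with several Oracle instances, as an added example that is not IBM's or the Guardium manual's code: a dry-run planner that checks ktap_installed, validates each SID and Oracle home, and prints the store-conf, authorize_user and activate commands in step order for review. The function names, the sample ini fragment (including its [TAP] header), the SIDs and the Oracle home paths are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not IBM code: prints the Method 2 commands for review.
# It never runs guardctl itself.

# Print the value of KEY in an ini-style file (first match, blanks trimmed).
ini_value() {
    awk -F= -v k="$2" '
        /^[ \t]*[#;]/ { next }
        { key = $1; gsub(/[ \t]/, "", key) }
        key == k { v = $2; gsub(/^[ \t]+|[ \t\r]+$/, "", v); print v; exit }
    ' "$1"
}

# atap_plan GUARDCTL DB_USER DB_VERSION INI_FILE, "SID ORACLE_HOME" lines on stdin
atap_plan() {
    guardctl=$1 db_user=$2 db_version=$3 ini=$4 activate=""
    if [ "$(ini_value "$ini" ktap_installed)" != "1" ]; then   # Step 1
        echo "ktap_installed is not 1 in $ini" >&2
        return 1
    fi
    while read -r sid home; do
        case $sid in ''|'#'*) continue ;; esac
        # The plan is run as root later, so accept only a plain SID and an
        # absolute path free of shell metacharacters.
        case $sid in *[!A-Za-z0-9_]*) echo "bad SID: $sid" >&2; return 2 ;; esac
        case $home in /*) ;; *) echo "bad home for $sid" >&2; return 2 ;; esac
        case $home in *[!A-Za-z0-9_./-]*) echo "bad home for $sid" >&2; return 2 ;; esac
        # Step 3: one store-conf per instance, each with its own db_home
        echo "$guardctl db_instance=$sid db_home=$home db_type=oracle db_user=$db_user db_version=$db_version store-conf"
        activate="$activate$guardctl db_instance=$sid activate
"
    done
    echo "$guardctl authorize_user $db_user"        # Step 4
    echo "$guardctl is_user_authorized $db_user"
    printf '%s' "$activate"                         # Step 5, once per instance
}

# Constructed sample: ini fragment, SIDs and Oracle homes are made up.
demo() {
    sample=$(mktemp)
    printf '[TAP]\nktap_installed=1\n' > "$sample"
    atap_plan /usr/local/guardium/guard_stap/guardctl oracle12 12 "$sample" <<EOF
ORCL1 /u01/app/oracle/product/12.1.0/dbhome_1
ORCL2 /u01/app/oracle/product/12.1.0/dbhome_2
EOF
    rc=$?; rm -f "$sample"; return $rc
}
demo
```

For a GIM installation, pass /usr/local/guardium/modules/ATAP/current/files/bin/guardctl as the first argument. The database shutdown and restart (Steps 2 and 6) stay manual.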


Document Information

Modified date: 16 June 2018

UID: swg21700818