Troubleshooting
Problem
When using Teradata ATAP to send packets to the Guardium Appliance sniffer, a Guardium report may show unexpected or inconsistent results. The problem could originate from KTAP or ATAP. To diagnose the issue, collect specific ATAP logs.
Symptom
The following scenarios may be observed
- Unable to capture failed logins from Teradata SQL Assistant client tool using TCP. (No issue with successful login.)
- Inconsistent DB username for successful and unsuccessful logins.
Cause
ATAP is not sending the decrypted packets to the Guardium sniffer. You need to see if there are internal ATAP errors or if ATAP is capturing these packets and not sending it through KTAP.
Diagnosing The Problem
At this point, ATAP should already be activated. (see Setup Teradata ATAP within this page to verify the steps are performed already)
Note: Please run problem scenarios whilst the diagnostic collections are running . It is important to capture logs during the problem scenario and not outside the problem situation
Steps to gather all ATAP logs: .
- 1) Stop Teradata database.
- all of /var/log/guard/atap/ and /tmp/guard_stap.stderr.txt from the DB Server.
- the slon capture file from the collector.
2) Edit the ATAP executor:
- /usr/local/guardium/modules/UTILS/current/files/bin/guard-tag edit executor/env [TERADATA DB INSTALL DIRECTORY]/bin/pdemain
3) Uncomment the following lines:
- #ATAP_LOG_LEVEL=10
#ATAP_LOG_PATH=/var/log/guard/atap/pid%05d-thr%08d.log
4) Write and quit the file (:wq!).
5) Start the database.
- **NOTE: If your Teradata DB cannot start up. You need to manually take the ATAP away.
- Perform below only if you are unable to start Teradata:
5.1 cd [TERADATA INSTALL DIR]/bin/
5.2 mv pdemain-guard-original pdemain
5.3 rm -f /usr/local/guardium/etc/guard/executor/teradata
5.4 Attempt to start the DB again. No ATAP is in place now.
6) Login to the collector and start a slon capture
7) In another root session for the DB Server, enable STAP debug with:
- echo -n 'd4' > /usr/local/guardium/modules/STAP/current/.stap.console
8) Attempt to login and reproduce the scenarios as you did before. Run the following command to get Client IP/Port for each of the client sessions.
- netstat -natp | grep gtwgateway
- For example:
- tcp 0 0 :::1025 :::* LISTEN 31292/gtwgateway
tcp 0 0 9.70.157.181:1025 9.32.113.185:65265 ESTABLISHED 31292/gtwgateway
If no connections are established then it is not a concern - it makes it easier to reference the connection in the ATAP log.
9) Check ATAP log files in /var/log/guard/atap. Send any files to IBM Support for analysis.
10) Stop stap debug with:
- echo -n 'd0' > /usr/local/guardium/modules/STAP/current/.stap.console
11) Stop the slon capture on the collector.
12) Stop the database.
13) Edit the executor once again:
- /usr/local/guardium/modules/UTILS/current/files/bin/guard-tag edit executor/env [TERADATA DB INSTALL DIRECTORY]/bin/pdemain
- Comment the two lines for ATAP logging.
14) Start the database back up.
15) Send IBM Support these files:
Related Information
Was this topic helpful?
Document Information
Modified date:
16 June 2018
UID
swg21971324