IBM Support

Installing Guardium S-TAP in Solaris Zones

Question & Answer


Question

How to install S-TAP in Solaris zones?

Answer

Solaris versions 10 and above implement virtualized operating environments called Zones. Each zone is self-contained and has its own hostname, IP address, storage and process space. Processes running in one zone are isolated from the other zones. There is an overarching zone called the Global Zone, and every other zone is called a non-global zone.

Every zone shares the common kernel that runs in the Global Zone. Because the kernel is shared among the zones, applications that require specific kernel modules present a special challenge: those modules have to be installed in the Global Zone.

Guardium S-TAP is one such application and requires special handling when installed in a zoned Solaris Operating Environment. Guardium S-TAP includes a kernel component, K-TAP, which, being a kernel module, has to be installed in the Global Zone. This presents a set of special situations:
  1. GIM (if used) and S-TAP must be installed in the Global Zone using a Global Zone IP address as the tap_ip.
  2. S-TAP inspection engines require the IP address of the database server host to which they connect.
  3. S-TAP inspection engines require the path of the database server executable.

Inspection engine IP address

By default, S-TAP connects to the loopback address 127.0.0.1. This will not work if the database server is installed in a non-Global Zone, because the loopback address refers to the "local host", which in this case is the global zone.

Obtain the IP address of the non-Global zone using "ifconfig -a". For example, to intercept database traffic for a database server installed in zone "dbserver01":

#ifconfig -a
....
....
hme0:1: flags=1000843 mtu 1500 index 2
zone dbserver01
inet 192.168.1.201 netmask ffffff00 broadcast 192.168.1.255
....
....
zone dbserver02
inet 192.168.1.202 netmask ffffff00 broadcast 192.168.1.255

The IP address of the zone "dbserver01" is 192.168.1.201. S-TAP must connect to this IP address rather than 127.0.0.1 in order to intercept database traffic to and from the "dbserver01" zone.

When adding the inspection engine via the S-TAP Control page in the GUI, or when directly editing the guard_tap.ini file, change:

[DB_0]
connect_to_ip=127.0.0.1

to

[DB_0]
connect_to_ip=192.168.1.201

 
Inspection engine path to DBSERVER executable:

Because each zone is a self-contained operating environment, a path inside a particular zone is specific to that zone. For instance, /opt/IBM/informix/11.70.UC3 can exist in each zone, and each is a different directory.

Since S-TAP is installed in the Global zone, the database executable in the non-Global zone must be accessible from the Global zone. If the file system of the non-Global zone is externally mounted via a mechanism such as NFS, the mounted location must carry the permissions required for access from the global zone. Otherwise, the S-TAP will initially show green in the collector GUI, but will turn red and stay red.

Since each non-Global zone is a virtualized environment, paths inside a non-Global zone are accessible from the Global zone via a "zone path prefix". The Solaris command "zoneadm" can be used to obtain the prefixes for the various zones. For example, from the Global zone:

#zoneadm list -cv
ID NAME STATUS PATH
0 global running /
2 dbserver01 running /data/zones/dbserver01
3 dbserver02 running /data/zones/dbserver02

In this example output, there are two non-Global zones, dbserver01 and dbserver02. The file structure inside each zone can be accessed from the global zone via /data/zones/dbserver01 and /data/zones/dbserver02 for the zones dbserver01 and dbserver02 respectively. If the database server of interest is installed in /opt/IBM/informix/11.70.UC3 in the zone dbserver01, then the full path to that directory from the global zone would be:

  • /data/zones/dbserver01/root//opt/IBM/informix/11.70.UC3

Note the directory node "root" between the zone path prefix and the install path inside the zone. When specifying the database server executable path and install directory to S-TAP, this full zone-relative path as seen from the global zone must be used. For example:

[DB_1]
connect_to_ip=192.168.1.201

# Path to the database server executable
db_exec_file=/data/zones/dbserver01/root//opt/IBM/informix/11.70.UC3/bin/oninit

# Path to the database server installation
db_install_dir=/data/zones/dbserver01/root//opt/IBM/informix/11.70.UC3



Monitoring multiple non-Global Zones

Database servers in multiple non-Global zones can be monitored by creating a separate DB section in the guard_tap.ini for each. Based on the example above, in order to monitor dbserver02 as well, the DB section would be:

[DB_2]
connect_to_ip=192.168.1.202

# Path to the database server executable
db_exec_file=/data/zones/dbserver02/root//opt/IBM/informix/11.70.UC3/bin/oninit

# Path to the database server installation
db_install_dir=/data/zones/dbserver02/root//opt/IBM/informix/11.70.UC3
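As an added example (not part of this IBM technote), the following POSIX sh script, run in the Global Zone, derives the inspection-engine IP from "ifconfig -a" output and the zone path prefix from "zoneadm list -cv" output, checks that the database executable is readable from the Global Zone, and prints the corresponding guard_tap.ini DB section. The script name stap_zone_db.sh, the STAP_ZONE and DB_N variables, and the Informix install path are assumptions.

```shell
#!/bin/sh
# Added example, not from the IBM technote. Run in the Global Zone as root to
# derive the guard_tap.ini DB section for one non-global zone. Assumes the
# Informix install path shown in the technote; change DB_SUBPATH if needed.
DB_SUBPATH=/opt/IBM/informix/11.70.UC3

# zone_ip ZONE: first inet address printed after the "zone ZONE" line in
# "ifconfig -a" output (read from stdin). On Solaris use nawk if awk lacks -v.
zone_ip() {
  awk -v z="$1" '$1 == "zone" && $2 == z { want = 1; next }
                 want && $1 == "inet"  { print $2; exit }'
}

# zone_path ZONE: zonepath column from "zoneadm list -cv" output (stdin).
zone_path() {
  awk -v z="$1" '$2 == z { print $4; exit }'
}

# global_path ZONEPATH PATH_IN_ZONE: the path as seen from the Global Zone.
# The "root" directory sits between the zonepath and the in-zone path; the
# technote writes it as "root//opt/...", which names the same path.
global_path() {
  printf '%s/root%s\n' "$1" "$2"
}

# exec_readable FILE: succeeds only if the database executable can be read
# and executed from the Global Zone (an NFS-mounted zone root with tighter
# permissions is what leaves S-TAP red in the collector GUI).
exec_readable() {
  [ -r "$1" ] && [ -x "$1" ]
}

# db_section N IP ZONEPATH: print a [DB_N] section for guard_tap.ini.
db_section() {
  printf '[DB_%s]\nconnect_to_ip=%s\n' "$1" "$2"
  printf 'db_exec_file=%s\n' "$(global_path "$3" "$DB_SUBPATH/bin/oninit")"
  printf 'db_install_dir=%s\n' "$(global_path "$3" "$DB_SUBPATH")"
}

# Usage in the Global Zone: STAP_ZONE=dbserver01 DB_N=1 sh stap_zone_db.sh
if [ -n "${STAP_ZONE:-}" ]; then
  ip=$(ifconfig -a | zone_ip "$STAP_ZONE")
  zp=$(zoneadm list -cv | zone_path "$STAP_ZONE")
  [ -n "$ip" ] && [ -n "$zp" ] || { echo "zone $STAP_ZONE not found" >&2; exit 1; }
  exec_readable "$(global_path "$zp" "$DB_SUBPATH/bin/oninit")" ||
    echo "warning: oninit is not readable from the Global Zone" >&2
  db_section "${DB_N:-1}" "$ip" "$zp"
fi
```

Append the printed section to guard_tap.ini and restart S-TAP; run it once per non-global zone with a distinct DB_N.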

Monitoring databases using the same port on some non-Global Zones but not others

Extra configuration is required to monitor databases in the following situation:

  • Databases on different local zones use the same database port
  • Traffic from some of these databases, but not all, must be monitored

In Guardium v11.3 and before, the steps to monitor only the required databases in this situation are:

  1. Set up inspection engines for the databases that require monitoring, as described in this technote
  2. Set ktap_fast_tcp_verdict=0 in the guard_tap.ini and restart S-TAP

With the default ktap_fast_tcp_verdict=1, traffic from local zone databases without an inspection engine is still captured if it arrives over a port defined in an inspection engine.

With ktap_fast_tcp_verdict=0, only traffic from databases with inspection engines is captured. However, this setting has an impact on S-TAP performance.

In future S-TAP versions, this limitation is expected to be removed so that ktap_fast_tcp_verdict=1 can be used.

Summary:
  1. Install GIM (if used) and S-TAP in the Global Zone.
  2. Set the S-TAP inspection engine parameter "connect_to_ip" to the IP address of the non-global zone.
  3. Set the S-TAP inspection engine parameters "db_exec_file" and "db_install_dir" to the full path as accessed from the global zone.
  4. Databases in multiple non-Global zones can be monitored by creating a separate DB section as necessary.


Document Information

Modified date:
23 February 2021

UID

swg21507773