IBM Support

Guardium DB2-Exit - Frequently Asked Questions (FAQ)

Question & Answer


Question

DB2 Exit embeds a Guardium library into DB2 via the DB2_Exit mechanism. This document answers some frequently asked questions regarding it.

Answer

Implementation

Q: Where can I find information on implementing DB2-Exit?

A: Refer to this document.

KTAP Modules

Q: If we use DB2-Exit, do we need to request a new STAP bundle each time the Linux kernel is updated?

A: The DB2 Exit feature communicates directly with STAP and does not require KTAP to function.

If there is no other Inspection Engine (IE) that requires KTAP, then KTAP is not needed. You can set ktap_installed=0 in guard_tap.ini. If you use GIM, you can set ktap_enabled to no in the GIM dialog for that STAP. You can then upgrade the Linux OS and the STAP without being concerned about KTAP module compatibility.

NOTE: If there is another IE in the STAP that requires the KTAP module, then you will need to ensure that a compatible KTAP module is available when you upgrade your Linux version.

ATAP

Q: Do we need to activate ATAP when using DB2-Exit?

A: ATAP is not required when using DB2-Exit. The DB2-Exit mechanism enables Guardium to pick up all DB2 traffic, whether encrypted or not and whether local or remote.

Guardium Firewall

Q: Does Guardium support firewall actions with DB2-Exit?

A: Support for Guardium firewall has been introduced in Guardium STAP 10.1.2. This also requires DB2 version 10.1 or later.

STAP Debug Level

Q: What is the appropriate level of debug setting for DB2-Exit?

A: When the STAP log level is set to 10, debug information is logged to both the STAP log and db2diag.log. When it is set to 11, debug information is logged only to db2diag.log.


Q: What is the impact of debug logging on the database server?

A: The logging is done by the DB2 Exit module. This module is loaded by DB2, and the diagnostics are piped to the log files. Since the database server is the one technically doing the logging, there will be some impact, depending on how much logging is done. Note that STAP logging is meant to be used as part of troubleshooting and not as a standard feature, so the impact occurs only while logging is turned on.



Limitations

Q: What are the limitations to DB2-Exit?

  • Guardium data masking (scrub/redact) is not supported by the DB2-Exit mechanism.
  • Guardium STAP versions before 10.1.2 do not support Guardium firewall.
  • Stored Procedures: The execution of stored procedures will be monitored. Since Guardium does not know what is in a stored procedure, SQL from inside the procedure will not be captured.


Document Information

Modified date:
13 August 2021

UID

swg21991357