IBM Support

How to Activate ATAP for Oracle on a Linux Cluster

Question & Answer


Question

IBM Security Guardium STAP includes an ATAP feature that is required for Oracle deployments which use encryption. Linux clustering remounts devices from the primary node to a secondary node when the primary fails over. In a typical Oracle deployment, the Oracle binaries and data will be remounted. How can I activate ATAP in this environment? Activation tries to rename the Oracle binary. If I have already activated on the primary node, I cannot activate ATAP on the secondary node. NOTE: This is not a discussion of RAC or Oracle clustering. This is specific to Linux clustering used with Oracle.

Answer

Here is the recommended process for this kind of deployment.


0. STOP ALL Oracle processes. ALL.
1. Activate ATAP on the primary node.
2. In the Oracle install directory, note the correct name and permissions of the Oracle binary. ATAP should have renamed the real binary to oracle-guard-original and replaced it with our own copy, which is usually slightly larger.
3. Move/delete the ATAP oracle binary file. Rename oracle-guard-original to the correct binary name and restore the correct permissions.
4. If you have more than one Oracle install (thus more than 1 binary), repeat steps 1-3 for each Oracle install directory.
5. Now fail over / remount to the backup node.
6. Activate ATAP on all Oracle install directories on the backup node.
7. Verify it recreated oracle-guard-original and the ATAP version of the Oracle binary in all 3 Oracle install directories.
8. Bring up Oracle on the backup node and make sure all is well.
9. Fail back to the primary node, bring up Oracle and make sure all is well.

Key points to remember:

  • When you activate ATAP it needs to see the original Oracle binary and not oracle-guard-original.
  • Activation makes changes to the STAP configuration. Because STAP is installed separately on the primary and secondary nodes and those files are not re-mounted during failover, you need to activate ATAP on the primary and secondary nodes. Activating the primary node is not sufficient.
  • Activating ATAP backs up the Oracle binary as oracle-guard-original and replaces it with a binary that includes ATAP wrapper code. When you take step 3, you remove the wrapper code and ATAP is effectively broken on the primary node. When you activate ATAP on the secondary node, it recreates oracle-guard-original and the ATAP-wrapped Oracle binary. Those files re-mount to the primary node in step 9. Now ATAP will work on either node.
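
The file states that steps 1, 3, 6 and 7 rely on can be checked with a short script before and after each activation. This is an added example, not IBM code: it assumes the Oracle binary is named `oracle` in each directory passed on the command line, and the only Guardium-specific name it uses is `oracle-guard-original` from the procedure above.

```shell
#!/bin/sh
# Added example (not IBM code). Assumes the Oracle binary is named "oracle"
# in each directory given; oracle-guard-original is the name used on this page.
BACKUP=oracle-guard-original

# atap_state DIR [BINARY]: classify one Oracle install directory.
#   ready      only the real binary exists; activation can run (steps 1 and 6)
#   activated  binary and oracle-guard-original both exist (steps 2 and 7)
#   unrestored only oracle-guard-original exists; step 3 rename is not finished
#   missing    neither file exists; wrong directory or volume not mounted here
atap_state() {
    cur="$1/${2:-oracle}"
    orig="$1/$BACKUP"
    if [ -f "$cur" ] && [ -f "$orig" ]; then
        echo activated
    elif [ -f "$cur" ]; then
        echo ready
    elif [ -f "$orig" ]; then
        echo unrestored
    else
        echo missing
    fi
}

# file_facts FILE: print "mode owner group bytes" so the values noted in step 2
# can be compared with the restored binary after step 3.
file_facts() {
    ls -ld -- "$1" | awk '{print substr($1, 1, 10), $3, $4, $5}'
}

# size_delta DIR [BINARY]: bytes by which the active binary exceeds the backup.
# The page says the ATAP copy is usually slightly larger, so a value of zero
# or less is something to look at, not proof of failure.
size_delta() {
    a=$(wc -c < "$1/${2:-oracle}")
    b=$(wc -c < "$1/$BACKUP")
    echo $((a - b))
}

# Report on every Oracle install directory given on the command line.
for dir in "$@"; do
    state=$(atap_state "$dir")
    echo "$dir: $state"
    if [ -f "$dir/oracle" ]; then echo "  oracle: $(file_facts "$dir/oracle")"; fi
    if [ -f "$dir/$BACKUP" ]; then echo "  $BACKUP: $(file_facts "$dir/$BACKUP")"; fi
    if [ "$state" = activated ]; then echo "  size delta: $(size_delta "$dir") bytes"; fi
done
```

Every directory should report `ready` before steps 1 and 6 and `activated` after steps 2 and 7; `unrestored` means the rename in step 3 was left half done.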

Document Information

Modified date:
16 June 2018

UID

swg21992360