Troubleshooting
Problem
Guardium STAP flooding the DB servers syslog with the following error messages :
ERROR: process_krb_token() kerb_plugin is NULL
ERROR: process_krb_token() kerb_plugin is NULL
ERROR: process_krb_token() kerb_plugin is NULL
Cause
The message "ERROR: process_krb_token() kerb_plugin is NULL" means that Kerberos is configured in the database server but STAP is not set up to work with Kerberos.
The messages itself reflects the fact that the guard_tap.ini has setting "kerberos_plugin_dir" set to "=NULL".
Errors associated :
--------------------------
ERROR: process_krb_token() kerb_plugin is NULL
ERROR: process_krb_token() kerb_plugin is NULL
ERROR: process_krb_token() kerb_plugin is NULL
In general, these errors mean that STAP was started before the plugin was configured.
Diagnosing The Problem
Collect the following DEBUG logs if needed:
- STAP must_gather diagnostics from the DB server.
http://www-01.ibm.com/support/
Set KTAP at debug level 4 (grep plugin /tmp/guard_stap.stderr.txt)
- guard_tap.ini
- sqlnet.ora
Resolving The Problem
STAP/KTAP handles Kerberos traffic just like any other traffic. It collects the packets and sends them to sniff, without knowing if the packet contains Kerberos tickets at that time or not. Currently there is no parameter to control the inflow of said messages within Guardium configuration due to the internal code path settings.
To avoid these messages, recommendation would be to make Kerberos consistent between DB and STAP (either disables on both or enabled on both).
Steps to configure the Kerberos plugin for the STAP.
http://www-01.ibm.com/support/docview.wss?uid=swg21688612
In order to reduce the number of messages in syslog however, unless otherwise specified by Support, ensure that STAP logging, aka tap_debug_level_output parameter in file guard_tap.ini, is always set to 0 .
#tap_debug_level_output=0
Related Information
Was this topic helpful?
Document Information
Modified date:
13 September 2018
UID
ibm10731455