IBM Support

Questions Configuring DB2_EXIT STAP and ATAP on Guardium

Question & Answer


Question

Q1. Does the document "Linux-Unix: Db2 Exit integration with S-TAP" apply to AIX?  
https://www.ibm.com/docs/en/guardium/10.6?topic=libraries-linux-unix-db2-exit-integration-s-tap
A1. YES
Q2. The link states "If there is no other database to monitor then K-TAP is not required. Set ktap_installed=0 in guard_tap.ini, or with GIM: set ktap_enabled to no. You can upgrade the Linux OS and the S-TAP without being concerned about K-TAP module compatibility.
However, if there is another database that needs monitoring by S-TAP, then K-TAP is required.
You must ensure that a compatible K-TAP module is available when you upgrade your Linux version."
Will this K-TAP requirement apply when:
a. Multiple DB2_EXIT Inspection Engine configurations (example DBinstance1_ssl & DBinstance2_ssl) on a single DB2 server.
b. A DB2_EXIT Inspection Engine configuration with a second DB2 Inspection Engine configuration (example DBinstance1_ssl & DBinstance2)
A2. NO
Explanation:
For a physical box, install S-TAP and follow the documentation to set up the DB2 Exit library.  On that box, any number of DB2 instances can use a DB2 exit inspection engine.  If that is the case, there is no need for K-TAP. It doesn't matter if those inspection engines use SSL or not. They can all use DB2 Exit.
To monitor both DB2 and Oracle on the same physical box, since we don't have an exit library for Oracle, both A-TAP & K-TAP need to be loaded in order to monitor and read the encrypted Oracle traffic.
Note: K-TAP is for Kernel-tap and A-TAP is for Application level-tap.
DB2 Exit libraries are preferred and recommended over using A-TAP.
You can skip K-TAP in this case because the Exit Library is collecting the packets and sending them to the S-TAP. So you do not need to go to the Kernel to get those packets.
Q3. For a configuration where there are SSL and non-SSL DB2 DB instances on the same DB2 server, would DB2_EXIT engine be used for both?
(example: [DB2 DBinstance1 SSL] & [DB2 DBinstance2 not SSL])
In summary, can S-TAP DB2_EXIT 10.6.0.4_r108055_1 and newer for AIX DB2 be used for both SSL/TLS encrypted and unencrypted DB2 instances?
A3.  YES
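
The rule from A2 and A3 can be checked against a guard_tap.ini before K-TAP is disabled. The following is an added example, not code from the IBM document. It treats any inspection engine whose type is not DB2_EXIT as needing K-TAP. The `[TAP]` and `[DB_n]` section names, the `db_type` key and the `ORACLE` value are assumptions about the file layout; `ktap_installed` and `DB2_EXIT` come from the page, and the sample file is constructed.

```python
import configparser

# Constructed sample. Section names and the db_type key are assumptions;
# ktap_installed=0 is the setting quoted in Q2.
SAMPLE_INI = """
[TAP]
ktap_installed=0

; inspection engine for DBinstance1_ssl (SSL)
[DB_0]
db_type=DB2_EXIT

; inspection engine for DBinstance2 (not SSL)
[DB_1]
db_type=DB2_EXIT
"""


def check_ktap(ini_text):
    """Return (ktap_required, findings) for guard_tap.ini-style text."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(ini_text)

    # Collect the type of every inspection engine section.
    engines = {s: cp.get(s, "db_type", fallback="").strip().upper()
               for s in cp.sections() if s.upper().startswith("DB_")}
    non_exit = sorted(s for s, t in engines.items() if t != "DB2_EXIT")
    ktap_required = bool(non_exit)

    raw = cp.get("TAP", "ktap_installed", fallback=None)
    findings = []
    if raw is None:
        findings.append("ktap_installed is not set in [TAP]")
    elif raw.strip() == "0" and ktap_required:
        # K-TAP disabled while a non-exit engine still depends on it.
        for s in non_exit:
            findings.append(f"{s}: db_type={engines[s] or '<missing>'} "
                            "needs K-TAP but ktap_installed=0")
    elif raw.strip() != "0" and not ktap_required:
        findings.append("all engines use DB2_EXIT; K-TAP is not required")
    return ktap_required, findings


if __name__ == "__main__":
    print(check_ktap(SAMPLE_INI))
```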


Document Information

Modified date:
26 October 2022

UID

ibm16832106