
Windows: S-TAP user's guide 3

Windows: Install, Upgrade, Uninstall S-TAP 4
Windows: S-TAP monitoring mechanisms support matrix 5
Windows: Prerequisites: installing S-TAP 7
Windows: S-TAP disk space requirements 8
Windows: Guardium port requirements for S-TAP 9
Windows: Installing an S-TAP agent 10
Windows: Installing S-TAP agent with GIM Setup by Client 12
Windows: S-TAP GIM installation parameters 14
Windows: Installing S-TAP agent using the interactive installer 17
Windows: Installing S-TAP agent using the command line interface 19
Windows: S-TAP command line installation parameters 21
Windows: S-TAP installation flow on Oracle RAC 25
Windows: Upgrading and Removing an S-TAP 26
Windows: When to restart or reboot the database after S-TAP installation or upgrade 28
Windows: Managing S-TAP when upgrading your database 29
Windows: Managing S-TAP when upgrading your database operating system 30
Windows: Configuring S-TAP 31
Windows: Configure S-TAP from the GUI 32
Windows: Discover database instances 35
Windows: Configuring an Inspection Engine 36
Windows: Inspection engine verification 37
Windows: S-TAP verification 39
Windows: Configure standard verification 40
Windows: Configure advanced verification 41
Windows: Configuring the S-TAP verification schedule 42
Windows: S-TAP Load Balancing models and configuration guidelines 43
Windows: Set up S-TAP authentication with SSL certificates 46
Windows: Generating certificate signing request (CSR) on Guardium system 47
Windows: Installing an SSL certificate generated outside of the Guardium system 51
Windows: Configuring the S-TAP to use x.509 certificate authentication 56
Windows: Using DB2 exit library 58
Windows: Editing the S-TAP configuration parameters 60
Windows: Guardium Hosts (SQLGuard) parameters 62
Windows: General parameters 63
Windows: Inspection engine parameters 79
Windows: Firewall parameters 85
Windows: Query rewrite parameters 88
Windows: Discovery parameters 92
Windows: Debug parameters 93
Windows: Configuration Auditing System (CAS) parameters 99
Windows: Driver parameters 100
Windows: S-TAP operation and performance 102
Windows: Stopping S-TAP using GIM 103
Windows: Starting S-TAP using GIM 104
Windows: Starting S-TAP without GIM 105
Windows: Stopping S-TAP without GIM 106
Windows: Monitoring S-TAP in the GUI 107
Windows: S-TAP statistics 109
Windows: Monitoring with the Guardium Agent Monitor 110
Windows: Troubleshooting S-TAP problems 114
Windows: S-TAP user's guide
Guardium S-TAP is a lightweight software agent installed on database servers and
file servers. The information collected by the S-TAPs is the basis of all Guardium
traffic reports, alerts, visualizations, etc.
For data activity monitoring, the S-TAP monitors activity between the client and the
database and forwards that information to the Guardium collector. The database
traffic is logged into the collector based on criteria specified in the security policy. It
is also possible to reduce the amount of traffic that is originally sent to the collector
by ignoring trusted connections or ignoring traffic from specific IPs.
For file activity monitoring, unlike data activity, the policy rules are pushed down to
the file server and thus only data that is specified in the security policy is forwarded
to the collector.

- Windows: Install, Upgrade, Uninstall S-TAP
There are a few methods of installing, upgrading and uninstalling S-TAPs. Learn
about each one and understand what works best for you.
- Windows: Configuring S-TAP
Learn to configure the S-TAP.
- Windows: S-TAP operation and performance

Windows: Install, Upgrade, Uninstall S-TAP
There are a few methods of installing, upgrading and uninstalling S-TAPs. Learn
about each one and understand what works best for you.
- Windows: S-TAP monitoring mechanisms support matrix
Select your S-TAP setup depending on the data you want to monitor or block. Use
this table to identify the monitoring mechanisms that can perform the operations
you require, per operating system and database.
- Windows: Prerequisites: installing S-TAP
Review the disk space and port prerequisites before installing S-TAP
- Windows: Installing an S-TAP agent
Install an S-TAP on Windows using the Guardium Installation Manager (GIM)
Monitoring Agents tool, the GIM Setup by Client, the interactive installer, or the
command line installer.
- Windows: S-TAP installation flow on Oracle RAC
Configure S-TAPs in an Oracle RAC.
- Windows: Upgrading and Removing an S-TAP
Learn how to upgrade or remove S-TAPs on Windows.
- Windows: When to restart or reboot the database after S-TAP installation or
upgrade
Windows S-TAP installation and upgrade does not require reboot of the database
server unless stated otherwise in the release notes or as an exception in this
document.
- Windows: Managing S-TAP when upgrading your database
Use these guidelines for managing your Windows S-TAP when upgrading your
database.
- Windows: Managing S-TAP when upgrading your database operating system
Use these guidelines for managing your S-TAP that was installed with the
interactive installer or CLI, when upgrading the operating system (OS) of your
database.

Parent topic: Windows: S-TAP user's guide

Windows: S-TAP monitoring mechanisms support matrix
Select your S-TAP setup depending on the data you want to monitor or block. Use
this table to identify the monitoring mechanisms that can perform the operations you
require, per operating system and database.
For example, you may want to track or perform one or more of the following:
- local traffic only
- local and network traffic
- shared memory
- encrypted data
- monitor and block
- monitor only

This table covers the most common platforms, database types, and protocols,
supported by Guardium's monitoring mechanisms. The table presents general
guidelines. There may be other combinations that are not presented here that are
supported. Some of the supported setups presented here may be dependent on
specific configurations. Contact Technical Support to verify the best setup for your
specific needs. Empty cells indicate that the combination is not supported.

OS | Database | Network traffic | Local traffic | Encrypted traffic | Protocol | Kerberos | Blocking | Redaction | Instance discovery
Windows | MS SQL Server | Supported | Supported | Supported for TCP and NMP | TCP, NMP | Supported | Supported | Supported | Supported
Windows | DB2 | Supported, also with DB2 Exit | Supported, also with DB2 Exit | DB2 Exit | TCP, SHM | | Supported (except DB2 Exit) | Supported (except DB2 Exit) | Supported
Windows | Oracle | Supported | Supported | Supported (ASO, SSL) | TCP, NMP, BEQ | | Supported | Supported | Supported
Windows | Informix | Supported | Supported | | TCP | | Supported | Supported | Supported
Windows | Sybase | Supported | Supported | | TCP | | Supported | Supported |
Windows | MySQL | Supported | Supported | | TCP | | Supported | Supported |
Windows | PostgreSQL | Supported | Supported | | TCP | | Supported | Supported |
Windows | MongoDB | Supported | | | TCP | | Supported | Supported | Supported
Windows | CouchDB | Supported | Supported | | TCP | | Supported | Supported | Supported

Parent topic: Windows: Install, Upgrade, Uninstall S-TAP

Windows: Prerequisites: installing S-TAP
Review the disk space and port prerequisites before installing S-TAP

- Windows: S-TAP disk space requirements
Verify the disk space requirements before installing your S-TAP.
- Windows: Guardium port requirements for S-TAP
If there is a firewall between Guardium® components (for example, between a
Guardium system and an S-TAP on a Windows database server), you must verify
that the ports used for connections between those components are not being
blocked.
Parent topic: Windows: Install, Upgrade, Uninstall S-TAP

Windows: S-TAP disk space requirements
Verify the disk space requirements before installing your S-TAP.

Disk space | Description
S-TAP program files | S-TAP uses the Microsoft .NET Framework. If this is not already installed, it requires 5 GB free space. GIM install: 300 MB. Non-GIM install: 180 MB.
Buffer file | 50 MB

Parent topic: Windows: Prerequisites: installing S-TAP

Windows: Guardium port requirements for S-TAP
If there is a firewall between Guardium® components (for example, between a
Guardium system and an S-TAP on a Windows database server), you must verify
that the ports used for connections between those components are not being
blocked.
Use your firewall management utility to check, and open as relevant, the ports listed
below.
Table 1. Port Requirements for Windows servers

Port | Protocol | Guardium system connection to ...
9500/9501 | TCP | Alive messages
9500 | TCP | Clear S-TAP
9501 | TLS | Encrypted S-TAP

Parent topic: Windows: Prerequisites: installing S-TAP

Windows: Installing an S-TAP agent
Install an S-TAP on Windows using the Guardium Installation Manager (GIM)
Monitoring Agents tool, the GIM Setup by Client, the interactive installer, or the
command line installer.
Depending on your license key, you can use the same S-TAP agent for both file and
database activity monitoring. There are no specific S-TAP parameters for FAM.
The Base Filtering Engine (BFE) service must be running for the S-TAP installation.
If the service exists but is not running, Guardium attempts to start it.
S-TAPs require .NET Framework 4.5 or higher version. If the .NET 4.5 or higher
environment does not exist, S-TAP will install .NET 4.5.2.
When installing the Windows S-TAP in a non-ASCII environment (for example,
Japanese), either use a server with that language pack installed or set the system
locale to that region (Japan).
S-TAP installation creates one installation log: C:\IBM Windows S-TAP.ctl.

Auto-discovery of database instances
When installing an S-TAP, you have the option of auto-discovering database
instances and creating inspection engines for the discovered instances. When
enabled, the auto-discovery process runs once at the time of S-TAP installation and
does not automatically repeat. Auto-discovery is disabled by default.
Auto-discovery supports these database types: MS SQL Server, DB2,
Oracle, Informix, MongoDB, CouchDB. To create inspection engines on other
discovered databases, see the Discovered Instances report.
During an upgrade, auto-discovery discovers additional database instances but
does not create inspection engines for the new instances.
If you do not want the S-TAP installation to perform automatic discovery of
databases during installation or upgrade, you can prevent it during the S-TAP
installation process by following the procedure described for each Windows S-TAP
installer.

Enterprise load balancing
During installation of an S-TAP on Windows, you can configure the S-TAP to use
Enterprise Load Balancing features. For more information, see Enterprise Load
Balancing.

- Windows: Installing S-TAP agent with GIM Setup by Client
When you install S-TAPs on your database servers with the GIM Setup by Client,
you can install, upgrade, and manage agents on individual servers or groups of
servers. This includes monitoring processes that were installed under its control,
modifying S-TAP parameters, and performing other management tasks.
- Windows: S-TAP GIM installation parameters
Understand the parameters (each with a short description) that are typically used
in your GIM installation.
- Windows: Installing S-TAP agent using the interactive installer
The interactive installer is useful for smaller deployments or whenever a guided,
step-by-step installation experience is required.
- Windows: Installing S-TAP agent using the command line interface
The command-line installer provides a scriptable solution that is especially useful
for managing large deployments.
- Windows: S-TAP command line installation parameters
Understand the parameters (each with a short description) that you can use in
your script and GIM installation.
Parent topic: Windows: Install, Upgrade, Uninstall S-TAP

Related concepts:
Quick start for deploying monitoring agents
Guardium Installation Manager

Windows: Installing S-TAP agent with GIM Setup by Client
When you install S-TAPs on your database servers with the GIM Setup by Client,
you can install, upgrade, and manage agents on individual servers or groups of
servers. This includes monitoring processes that were installed under its control,
modifying S-TAP parameters, and performing other management tasks.
Before you begin
Verify the following before you begin:
- Review the Windows S-TAP installation requirements at Windows: Prerequisites:
installing S-TAP.
- Your database server and operating system are supported.
- The intended S-TAP installation directory is empty or does not exist.
- The GIM client is installed on the database server where you will install an S-TAP.
- The GIM client on the database server is communicating with the Guardium
system.
- Obtain the S-TAP module from either Fix Central, or your Guardium
representative.

About this task


After installing a GIM client on the database server, installation of the S-TAP for
Windows is scheduled from the Guardium system.
The only required parameter is WINSTAP_INSTALL_DIR, and it cannot be modified
after the installation. All other parameters can be modified after installation.
You can enter any parameter on the Setup by Client page, in the Choose parameters
ribbon, through WINSTAP_CMD_LINE: use the syntax parameter=value for [TAP]
parameters, or -param value for CLI parameters (see Windows: S-TAP command line
installation parameters). The parameters are added to or updated in guard_tap.ini.
CAUTION:
There is no validation of input when using WINSTAP_CMD_LINE.

Procedure
1. Upload the Windows S-TAP module for installation.
A. On the Guardium system, navigate to Manage > Module Installation > Upload
Modules.
B. Click Choose File and select the S-TAP module you want to install.
C. Click Upload to upload the module to the Guardium system. After uploading,
the module is listed in the Import Uploaded Modules table.
D. In the Import Uploaded Modules table, click the check box next to the S-TAP
module you want to install. The module is imported and made available for
installation. After the module is imported, the Upload Modules page is reset
and the Import Uploaded Modules table is empty.
2. Follow the GIM instructions in Set up by Client and refer to Windows: S-TAP GIM
installation parameters.
- While the default parameters are acceptable for most installations, you are
required to provide a WINSTAP_INSTALL_DIR value. The default value is
C:/Program Files/IBM/Windows S-TAP. This is the only required parameter.
- If WINSTAP_TAP_IP (equivalent to the -taphost command line parameter) is not
specified, the GIM_CLIENT_IP value is used.
- If WINSTAP_SQLGUARD_IP (equivalent to the -appliance command line
parameter) is not specified, the GIM_URL value is used.
- Optionally enable enterprise load balancing. See the parameter description in
Windows: S-TAP GIM installation parameters.
- To enable auto-discovery of database instances, set
WINSTAP_NOAUTODISCOVERY to 0.
What to do next
In the Success popup, click Show Status to open the Status window to monitor the
software install/upgrade. Click to refresh the results. If an install/upgrade has a
failed status, click Uninstall if you see the button, otherwise, click Reset connection.
You can also view the status of the module installation by reviewing the report at
Manage > Reports > Install Management > GIM Clients Status.
Verify that the S-TAP is communicating with the Guardium system by navigating to
Manage > Activity Monitoring > S-TAP Control and reviewing the S-TAPs status and
configuration.

Parent topic: Windows: Installing an S-TAP agent

Related concepts:
Guardium Installation Manager

Windows: S-TAP GIM installation parameters
Understand the parameters (each with a short description) that are typically used in
your GIM installation.
All parameters are listed in Windows: Editing the S-TAP configuration parameters.
CAUTION:
Do not modify advanced parameters unless you are an expert user or you have
consulted with IBM Technical Support.
Table 1. Parameters applicable to all .NET installers

GIM parameter | Description
QUIET | Install silently. (Does not require a value.)
WINSTAP_INSTALL_DIR | The install directory. Default install path is C:/Program Files/IBM/Windows S-TAP
WINSTAP_ENABLEGAM | Enables the Guardium Agent Monitor service (GAM).

Table 2. Other S-TAP Parameters

GIM parameter | Description
WINSTAP_ENABLEGAM | Enables the Guardium Agent Monitor service (GAM).
WINSTAP_TAP_IP | The local/client IP. Required for unattended installation.
WINSTAP_SQLGUARD_IP | The SQLGUARD IP. You can set up multiple appliances by specifying this parameter multiple times, each with a unique value.
WINSTAP_FAM_ENABLED | Enables the FAM service. Disabled by default. When upgrading, if the guard_tap.ini parameter fam_enable was enabled in v10.1.4 or a prior version, then this parameter is enabled upon upgrade.

Table 3. S-TAP Parameters with Applicable Value ON. These parameters are on by
default with their value set to ON. Unless described otherwise, setting these
parameters to any value other than ON turns the parameter off.

GIM parameter | Description
TCP_DRIVER_INSTALLED | TCP_DRIVER_INSTALLED=1. Use the TCP driver.
NAMED_PIPE_DRIVER_INSTALLED | NAMED_PIPE_DRIVER_INSTALLED=1. Specifies the named pipe used by MS SQL Server for local access. If a named pipe is used, but nothing is specified in this parameter, S-TAP attempts to retrieve the named pipe name from the registry.
DB2_TAP_INSTALLED | Enables sniffing DB2 shared memory traffic.
DB2_EXIT_DRIVER_INSTALLED | Enables DB2 integration with S-TAP.
FAM_DRIVER_INSTALLED | Enables FAM S-TAP.
ORA_DRIVER_INSTALLED | Enables sniffing Oracle ASO and SSL traffic.
KRB_MSSQL_DRIVER_INSTALLED | Deprecated from v10.1.4. It appears in the guard_tap.ini file but does not affect the configuration. This parameter is used to decrypt MSSQL SSL and Kerberos encrypted traffic. Set to 1 or 2 to collect MSSQL encrypted traffic and Kerberos tickets. If set to 1, when S-TAP starts it pre-collects usernames correlated with SIDs for the number of seconds defined in krb_mssql_driver_user_collect_time. When set to 2, the pre-collection is not done and the usernames are correlated at run time.

Table 4. Enterprise Load Balancing parameters

GIM parameter | Description
WINSTAP_LOAD_BALANCER_IP | Required if you are configuring load balancing. This option specifies the IP address of the central manager or managed unit this S-TAP should use for load balancing. S-TAP parameters cannot be changed via the interactive installer during upgrade. Use the Guardium UI after the upgrade to change S-TAP parameters. If configuring the enterprise load balancer to run on a managed unit, the S-TAP must be at V10.1 or higher.
WINSTAP_INITIAL_BALANCER_TAP_GROUP | Optional. The application group name that this S-TAP belongs to for enterprise load balancing. Attention: Group names with spaces or special characters are not supported.
WINSTAP_INITIAL_BALANCER_MU_GROUP | Optional. The MU group name the app group will be associated with. Requires a defined LB-APP-GROUP. An MU group must already exist on the Central Manager before it can be used during installation of S-TAP. Attention: Group names with spaces or special characters are not supported.
WINSTAP_LOAD_BALANCER_NUM_MUS | The number of managed units the enterprise load balancer allocates for this S-TAP.

Parent topic: Windows: Installing an S-TAP agent

Windows: Installing S-TAP agent using the interactive installer
The interactive installer is useful for smaller deployments or whenever a guided,
step-by-step installation experience is required.
Before you begin
Verify the following before you begin:
- Review the Windows S-TAP installation requirements at Windows: Prerequisites:
installing S-TAP.
- Verify that your database server and operating system are supported. See System
Requirements/Platforms supported for IBM Guardium
(http://www-01.ibm.com/support/docview.wss?uid=swg27047801) and Windows: S-TAP
monitoring mechanisms support matrix.
- Identify the IP address of the database server or domain controller where you will
install the S-TAP, including any virtual IP addresses.
- Identify the IP address of the Guardium system that will control the S-TAP.
- Verify that the intended S-TAP installation directory is empty or does not exist.
- Obtain the S-TAP module from either Fix Central, or your Guardium
representative.

About this task


When installing an S-TAP on a database server, you must provide the IP address or
host name of the Guardium system that will receive data from the S-TAP. After the
S-TAP has connected to the Guardium system, navigate to the Manage > Activity
Monitoring > S-TAP Control page and complete the S-TAP configuration.
Note: Windows S-TAP parameters cannot be changed via the interactive installer
during an upgrade. Use the GUI after the upgrade to change Windows S-TAP
parameters.

Procedure
1. Log on to the database server using a system administrator account.
2. Copy the S-TAP module to your database server and start the Guardium Windows
S-TAP Install Wizard. Attention: When installing an S-TAP on Windows 2012 or
later, you must use administrative privileges. To do this, right-click the installer
and choose Run as Administrator.
3. Read the license agreement on the Guardium License screen. To continue
installation, select I accept the terms of the license agreement and click Next.
4. Provide the requested content on the Customer Information screen, then click
Next to continue. The default values are appropriate for most installations.
5. Select one of the following installation types, and then click Next to continue:
- Typical: a typical installation will be appropriate for most users.
- Compact: a compact installation assumes that additional features such as
Enterprise Load Balancing are not required.
- Custom: a custom installation allows you to modify additional S-TAP installation
options such as the software choices, installation directory and the user account
that runs the Windows S-TAP process.
6. Optionally, enable Enterprise Load Balancing by selecting the Enable Load
Balancing checkbox on the Load Balancing Options screen. Click Next to
continue.
A. If you enable Enterprise Load Balancing, provide the load balancer IP address
in the Load Balancer Host Address field.
B. Click the Advanced Options button to specify any additional Enterprise Load
Balancing options. For more information, see Enterprise Load Balancing.
7. Verify the Software Tap Host Address and provide Appliance Address(es) on the
Network Addresses screen, then click Next to continue.
- The Software Tap Host Address specifies the address of the local machine
where the S-TAP is being installed.
- The Appliance Address(es) specify the Guardium system addresses that will
control the S-TAP. Provide multiple addresses (typically not more than three) on
separate lines to establish failover systems for the S-TAP or when configuring S-
TAP load balancing with the participate_in_load_balancing parameter.
Attention: If you do not want the S-TAP service to be enabled after installation,
deselect the Start S-Tap Service checkbox. Deselecting the Start S-Tap Service
checkbox also disables the automatic discovery of databases and creation of
inspection engines.
The Install Wizard Completed screen appears following a successful installation.
8. Click Finish to close the installer.
What to do next
Verify that the S-TAP is communicating with the Guardium system by navigating to
Manage > Activity Monitoring > S-TAP Control and reviewing the S-TAPs status and
configuration.

Parent topic: Windows: Installing an S-TAP agent

Windows: Installing S-TAP agent using the command line interface
The command-line installer provides a scriptable solution that is especially useful for
managing large deployments.
Before you begin
Verify the following before you begin:
- Review the Windows S-TAP installation requirements at Windows: Prerequisites:
installing S-TAP.
- Verify that your database server and operating system are supported. See System
Requirements/Platforms supported for IBM Guardium
(http://www-01.ibm.com/support/docview.wss?uid=swg27047801) and Windows: S-TAP
monitoring mechanisms support matrix.
- Identify the IP address of the database server or domain controller where you will
install the S-TAP, including any virtual IP addresses.
- Identify the IP address of the Guardium system that will control the S-TAP.
- Verify that the intended S-TAP installation directory is empty or does not exist.
- Obtain the S-TAP module from either Fix Central, or your Guardium
representative.

Procedure
1. Log on to the database server using a system administrator account.
2. Copy the installer to your database server and, using the Windows Command
Prompt, navigate to the Windows S-TAP installer directory. For example:
cd c:\Windows-STAP-V10.6.0.0.89
You should find a setup.exe executable in the installer directory.

3. Install the S-TAP using the setup.exe executable with the appropriate parameters.
The required parameters are:
- INSTALLPATH (the default is used if you do not specify it)
- TAPHOST
- APPLIANCE
All parameters, except INSTALLPATH, can be updated after the installation. A
typical install command is:
setup.exe -UNATTENDED -APPLIANCE 10.0.147.234 -TAPHOST 10.0.145.41
where:
- -UNATTENDED (required) invokes the command-line installer.
- -APPLIANCE specifies the IP address of the Guardium system that will control
the S-TAP.
- -TAPHOST (required) specifies the client IP address where the S-TAP is being
installed.
For a complete description of the setup.exe executable and its parameters, see
Windows: S-TAP command line installation parameters.
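The following is an added example script, not part of the IBM guide, that checks the prerequisites listed earlier in this guide (BFE service running, .NET Framework 4.5 or higher, disk space, ports 9500/9501 reachable, empty install directory) and then runs the unattended setup.exe command from step 3. The installer directory, the two addresses, the use of Test-NetConnection and the elevation check are assumptions of this example; adjust them to your environment.

```powershell
# Added example (not from the IBM guide): preflight checks for the prerequisites the
# guide lists, followed by the unattended setup.exe invocation from step 3.
# Assumptions (not from the page): the installer directory, the addresses below and the
# elevation check are placeholders and conventions of this example.
param(
    [string]$InstallerDir = 'C:\Windows-STAP-V10.6.0.0.89',    # directory that holds setup.exe
    [string]$Appliance    = '10.0.147.234',                     # Guardium system IP (from step 3)
    [string]$TapHost      = '10.0.145.41',                      # this database server's IP
    [string]$InstallPath  = 'C:\Program Files\IBM\Windows S-TAP',
    [switch]$NoAutoDiscovery                                    # pass -NOAUTODISCOVERY to setup.exe
)

$ErrorActionPreference = 'Stop'
$problems = @()

# 0. The installer needs administrative privileges (the guide says Run as Administrator).
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    $problems += 'Run this script from an elevated (Run as Administrator) prompt'
}

# 1. The Base Filtering Engine (BFE) service must be running for the installation.
$bfe = Get-Service -Name 'BFE' -ErrorAction SilentlyContinue
if (-not $bfe) { $problems += 'BFE service does not exist' }
elseif ($bfe.Status -ne 'Running') { $problems += "BFE service is $($bfe.Status), not Running" }

# 2. .NET Framework 4.5 or higher. Release value 378389 is .NET 4.5; if it is lower or
#    missing, the S-TAP installer installs .NET 4.5.2 itself, which needs about 5 GB.
$ndpKey = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$ndp = Get-ItemProperty -Path $ndpKey -ErrorAction SilentlyContinue
$hasNet45 = [bool]($ndp -and $ndp.Release -ge 378389)

# 3. Disk space: 180 MB program files (non-GIM install) plus the 50 MB buffer file,
#    or 5 GB when .NET still has to be installed.
$requiredMB = if ($hasNet45) { 180 + 50 } else { 5 * 1024 }
$drive = Get-PSDrive -Name $InstallPath.Substring(0, 1)
$freeMB = [math]::Floor($drive.Free / 1MB)
if ($freeMB -lt $requiredMB) { $problems += "Only $freeMB MB free on $($drive.Name):, need $requiredMB MB" }

# 4. Ports 9500 (clear) and 9501 (TLS) towards the Guardium system must not be blocked.
foreach ($port in 9500, 9501) {
    $probe = Test-NetConnection -ComputerName $Appliance -Port $port -WarningAction SilentlyContinue
    if (-not $probe.TcpTestSucceeded) { $problems += "TCP $port to $Appliance is blocked or closed" }
}

# 5. The intended installation directory must be empty or not exist.
if ((Test-Path -Path $InstallPath) -and (Get-ChildItem -Path $InstallPath -Force | Select-Object -First 1)) {
    $problems += "$InstallPath exists and is not empty"
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Prerequisites not met; not starting setup.exe'
}

# Build the argument list in the "-PARAMETER value" form the guide describes
# (no "=" signs for CLI parameters; INSTALLPATH is quoted because it contains spaces).
$setupArgs = @('-UNATTENDED', '-APPLIANCE', $Appliance, '-TAPHOST', $TapHost,
               '-INSTALLPATH', "`"$InstallPath`"")
if ($NoAutoDiscovery) { $setupArgs += '-NOAUTODISCOVERY' }   # a value is not required

$setup = Join-Path -Path $InstallerDir -ChildPath 'setup.exe'
$proc = Start-Process -FilePath $setup -ArgumentList $setupArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "setup.exe exited with code $($proc.ExitCode); see the installation log C:\IBM Windows S-TAP.ctl"
}
Write-Host 'S-TAP installed. Verify its status under Manage > Activity Monitoring > S-TAP Control.'
```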
What to do next
Verify that the S-TAP is communicating with the Guardium system by navigating to
Manage > Activity Monitoring > S-TAP Control and reviewing the S-TAPs status and
configuration.
Parent topic: Windows: Installing an S-TAP agent

Related reference:
Windows: S-TAP command line installation parameters

Windows: S-TAP command line installation parameters
Understand the parameters (each with a short description) that you can use in your
script and GIM installation.
In a CLI installation, you install an S-TAP using the setup.exe executable with the
appropriate parameters, in this format: setup.exe -PARAMETER value
Do not use "=" signs to assign values to the parameters. The only time "=" is used is
when you want to add a parameter to the [TAP] section of the guard_tap.ini file
directly, as it is typed on the command line.
If you want to add additional parameters that are not specified here but are required
in the guard_tap.ini file, you can append them to the [TAP] section by specifying the
parameter and value with an = sign, for example:
setup.exe -UNATTENDED -INSTALLPATH "C:/Program Files/IBM/Windows S-TAP" -APPLIANCE 10.0.148.160 -TAPHOST 10.0.146.160 QRW_INSTALLED=0 QRW_DEFAULT_STATE=0
Important: The TAPHOST, APPLIANCE, and INSTALLPATH attributes are required.
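Because neither setup.exe nor the GIM WINSTAP_CMD_LINE field validates its input (see the CAUTION in the GIM Setup by Client section), the following added example, not part of the IBM guide, parses a command line according to the two syntaxes described above ("-PARAMETER value" for CLI parameters, "KEY=value" for [TAP] additions) and reports the mistakes that would otherwise reach guard_tap.ini silently. The parameter names come from the tables in this guide; the function name, the -GimCmdLine switch and the sample command line are assumptions of this example.

```powershell
# Added example (not from the IBM guide): classify and validate the tokens of a Windows
# S-TAP command line before handing it to setup.exe or to GIM's WINSTAP_CMD_LINE.
# Assumption: the function name and the -GimCmdLine switch are inventions of this example.
function Test-StapCommandLine {
    param(
        [Parameter(Mandatory)][string]$CommandLine,
        [switch]$GimCmdLine   # WINSTAP_CMD_LINE: GIM supplies TAP_IP/SQLGUARD_IP and QUIET itself
    )
    # CLI parameters from the guide's tables; the first three take no value.
    $valueless = @('UNATTENDED', 'UNINSTALL', 'NOAUTODISCOVERY')
    $known = $valueless + @('INSTALLPATH', 'ENABLEGAM', 'CUSTOMER', 'COMPANY', 'SERVICEUSER',
              'SERVICEPASSWORD', 'START', 'TAPHOST', 'APPLIANCE', 'FAM', 'TCP', 'NMP',
              'DB2SHMEM', 'DB2EXIT', 'ORACLEPLUGIN', 'MSPLUGIN', 'LOAD-BALANCER-IP',
              'LB-APP-GROUP', 'LB-MU-GROUP', 'LB-NUM-MUS')

    # Tokenise like the shell: whitespace separated, double quotes group one value.
    $tokens = @([regex]::Matches($CommandLine, '"[^"]*"|\S+') | ForEach-Object { $_.Value.Trim('"') })

    $cli = [ordered]@{}; $tap = [ordered]@{}; $errors = @()
    for ($i = 0; $i -lt $tokens.Count; $i++) {
        $t = $tokens[$i]
        if ($t -ieq 'setup.exe') { continue }
        if ($t.StartsWith('-')) {
            $name = $t.Substring(1).ToUpper()
            if ($name -match '=') {
                # "-TAPHOST=1.2.3.4" mixes both syntaxes; the guide forbids "=" for CLI parameters.
                $errors += "CLI parameter '$t' must not use '=' (use -PARAMETER value)"; continue
            }
            if ($known -notcontains $name) { $errors += "Unknown CLI parameter '$t'" }
            if ($valueless -contains $name) { $cli[$name] = $true; continue }
            $next = if ($i + 1 -lt $tokens.Count) { $tokens[$i + 1] } else { $null }
            if ($null -eq $next -or $next.StartsWith('-')) {
                $errors += "CLI parameter '$t' is missing its value"; continue
            }
            $i++
            if ($name -eq 'APPLIANCE') {
                # APPLIANCE may repeat, one Guardium system per occurrence.
                if (-not $cli.Contains($name)) { $cli[$name] = @() }
                $cli[$name] += $next
            } else { $cli[$name] = $next }
        }
        elseif ($t -match '^([A-Za-z0-9_]+)=(.*)$') {
            # Bare KEY=value is appended to the [TAP] section of guard_tap.ini exactly as typed.
            $tap[$matches[1]] = $matches[2]
        }
        else { $errors += "Unexpected token '$t'" }
    }

    if (-not $GimCmdLine) {
        # Unattended setup.exe install: -UNATTENDED, -TAPHOST and -APPLIANCE are required
        # (INSTALLPATH falls back to its default when omitted).
        foreach ($req in 'UNATTENDED', 'TAPHOST', 'APPLIANCE') {
            if (-not $cli.Contains($req)) { $errors += "Missing -$req" }
        }
    }
    foreach ($ip in @($cli['TAPHOST']) + @($cli['APPLIANCE'])) {
        $parsed = $null
        if ($ip -and -not [System.Net.IPAddress]::TryParse($ip, [ref]$parsed)) {
            $errors += "'$ip' is not a valid IP address"
        }
    }
    # The guide: LB-MU-GROUP requires a defined LB-APP-GROUP.
    if ($cli.Contains('LB-MU-GROUP') -and -not $cli.Contains('LB-APP-GROUP')) {
        $errors += '-LB-MU-GROUP requires -LB-APP-GROUP'
    }

    [pscustomobject]@{
        CliParameters = $cli
        TapParameters = $tap
        Errors        = $errors
        IsValid       = ($errors.Count -eq 0)
    }
}

# Constructed sample: the command from this section, plus one deliberately malformed token.
$sample = 'setup.exe -UNATTENDED -INSTALLPATH "C:/Program Files/IBM/Windows S-TAP" ' +
          '-APPLIANCE 10.0.148.160 -TAPHOST 10.0.146.160 QRW_INSTALLED=0 QRW_DEFAULT_STATE=0 -FAM=1'
$result = Test-StapCommandLine -CommandLine $sample
$result.Errors | ForEach-Object { Write-Warning $_ }   # reports the "-FAM=1" mix-up
$result.TapParameters                                  # QRW_INSTALLED and QRW_DEFAULT_STATE go to [TAP]
```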
Table 1. Parameters applicable to all .NET installers

Command line parameter | GIM parameter | Description
UNATTENDED | QUIET | Install silently. (Does not require a value.)
INSTALLPATH | WINSTAP_INSTALL_DIR | The install directory. Default install path is C:/Program Files/IBM/Windows S-TAP
ENABLEGAM | WINSTAP_ENABLEGAM | Enables the Guardium Agent Monitor service (GAM).
UNINSTALL | | Uninstall. A value is not required.
CUSTOMER | | To change the customer name
COMPANY | | To change the company name
SERVICEUSER | | To specify a user to run the service under
SERVICEPASSWORD | | The password for the user

Table 2. Other S-TAP Parameters

Command line parameter | Description
NOAUTODISCOVERY | Prevents Auto-Discovery from running upon install. A value is not required.
ENABLEGAM | Enables the Guardium Agent Monitor service (GAM).
START | Controls whether S-TAP is started after installation. Attention: This parameter defaults to on and can be disabled only by setting its value to 0. Any value other than 0 results in this parameter being on.
TAPHOST | The local/client IP. Required for unattended installation.
APPLIANCE | The SQLGUARD IP. You can set up multiple appliances by specifying this parameter multiple times, each with a unique value.
FAM | Enables FAM. Disabled by default. When upgrading, if the CLI parameter FAM was enabled in v10.1.4 or a prior version, then this parameter is enabled upon upgrade.

Table 3. S-TAP Parameters with Applicable Value ON. These parameters are on by
default with their value set to ON. Unless described otherwise, setting these
parameters to any value other than ON turns the parameter off.

Command line parameter | Description
TCP | Use the TCP driver.
NMP | Specifies the named pipe used by MS SQL Server for local access. If a named pipe is used, but nothing is specified in this parameter, S-TAP attempts to retrieve the named pipe name from the registry.
DB2SHMEM | Enables sniffing DB2 shared memory traffic.
DB2EXIT | Enables DB2 integration with S-TAP.
ORACLEPLUGIN | Enables sniffing Oracle ASO and SSL traffic.
MSPLUGIN | Deprecated from v10.1.4. It appears in the guard_tap.ini file but does not affect the configuration. This parameter is used to decrypt MSSQL SSL and Kerberos encrypted traffic. Set to 1 or 2 to collect MSSQL encrypted traffic and Kerberos tickets. If set to 1, when S-TAP starts it pre-collects usernames correlated with SIDs for the number of seconds defined in krb_mssql_driver_user_collect_time. When set to 2, the pre-collection is not done and the usernames are correlated at run time.
Table 4. Enterprise Load Balancing parameters

Command line parameter | GIM parameter | Description
LOAD-BALANCER-IP | WINSTAP_LOAD_BALANCER_IP | Required if you are configuring load balancing. This option specifies the IP address of the central manager or managed unit this S-TAP should use for load balancing. S-TAP parameters cannot be changed via the interactive installer during upgrade. Use the Guardium UI after the upgrade to change S-TAP parameters. If configuring the enterprise load balancer to run on a managed unit, the S-TAP must be at V10.1 or higher.
LB-APP-GROUP | WINSTAP_INITIAL_BALANCER_TAP_GROUP | Optional. The application group name that this S-TAP belongs to for enterprise load balancing. Attention: Group names with spaces or special characters are not supported.
LB-MU-GROUP | WINSTAP_INITIAL_BALANCER_MU_GROUP | Optional. The MU group name the app group will be associated with. Requires a defined LB-APP-GROUP. An MU group must already exist on the Central Manager before it can be used during installation of S-TAP. Attention: Group names with spaces or special characters are not supported.
LB-NUM-MUS | WINSTAP_LOAD_BALANCER_NUM_MUS | The number of managed units the enterprise load balancer allocates for this S-TAP.

Parent topic: Windows: Installing an S-TAP agent

Windows: S-TAP installation flow on Oracle RAC
Configure S-TAPs in an Oracle RAC.
Procedure
1. Install S-TAP on all nodes. If GIM is used, install the GIM client on all nodes,
then install S-TAP on all nodes.
2. Set the S-TAP parameter STAP_TAP_IP to the public IP configured for the node.
(This can be configured through the GIM UI.)
- The parameter STAP_ALTERNATE_IPS is not required.
- If the Oracle database is encrypted (ASO/SSL), make sure the parameter
ORA_DRIVER_INSTALLED=1 is set.
- If the Oracle inspection engine is auto-discovered, it should already contain all
required parameters, including INSTANCE_NAME.

Parent topic: Windows: Install, Upgrade, Uninstall S-TAP

Windows: Upgrading and Removing an S-TAP
Learn how to upgrade or remove S-TAPs on Windows.
Parent topic: Windows: Install, Upgrade, Uninstall S-TAP

Upgrade a Windows S-TAP using the command line

About this task

If a prior version of the Windows S-TAP has been installed, an upgrade can be
performed from the command line using the setup program. An auto-discovery
runs as part of the S-TAP. It finds the local databases and does two things: it
creates inspection engines for some supported database types, and it uploads
database information to the appliance for later use. The current behavior is that
it sends this information to the appliance on an interval. In early v10, upgrading
the S-TAP also overwrote existing inspection engines. This was fixed: auto-discovery
no longer updates the inspection engines, but it continues to send database
information to the appliance on an interval.

Procedure

1. Log on to the database server system using a system administrator account.
2. Change to the directory containing the S-TAP setup program.
3. Run the setup program with the following option: setup -UNATTENDED
Attention: Some files from the previous release are not fully removed until the next scheduled reboot.

Remove a Windows S-TAP using Add/Remove Programs

About this task

This procedure removes the installed S-TAP while saving the configuration file for future use.
Procedure

1. Log on to the database server system using a system administrator account.
2. Copy the current S-TAP configuration file to a safe location (a non-Guardium directory, so that the uninstaller does not remove it). The file is C:\Program Files (x86)\IBM\Windows S-TAP\Bin\guard_tap.ini.
3. From the Add/Remove Programs control panel, remove GUARDIUM_STAP.
Attention: Some files are not fully removed until the next scheduled reboot.
Remove a Windows S-TAP using the command line
About this task

This procedure removes the installed S-TAP while saving the configuration file for future use.
Procedure

1. Log on to the database server system using a system administrator account.
2. Copy the current S-TAP configuration file to a safe location (a non-Guardium directory, so that the uninstaller does not remove it). The file is C:\Program Files (x86)\IBM\Windows S-TAP\Bin\guard_tap.ini.
3. Change to the directory containing the S-TAP setup program.
4. Run the setup program with the following option: setup -UNINSTALL
Attention: Some files are not fully removed until the next scheduled reboot.
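The following PowerShell script is an added example; it is not part of the Guardium documentation or of the S-TAP product. It performs the steps of the command-line procedures above from one place: it saves guard_tap.ini to a directory outside the S-TAP tree, verifies the copy, and then runs the setup program with -UNINSTALL (remove) or -UNATTENDED (upgrade). The same uninstall step applies to the procedure in Windows: Managing S-TAP when upgrading your database operating system. The guard_tap.ini path and the two setup options are the ones documented on this page; the setup program name setup.exe, its returning exit code 0 on success, and the directories C:\Install\WinSTAP and C:\Backup\guard_tap are assumptions and placeholders for your own values.

```powershell
#Requires -RunAsAdministrator
<#
  Added example (not from the IBM Guardium documentation): back up guard_tap.ini
  to a non-Guardium directory, verify the copy, then run the S-TAP setup program
  with -UNINSTALL (remove) or -UNATTENDED (upgrade).
  Assumptions: the setup program is setup.exe in $SetupDir and returns exit code 0
  on success; $SetupDir and $BackupRoot are placeholder paths.
#>
param(
    [Parameter(Mandatory)][ValidateSet('Upgrade', 'Uninstall')][string]$Action,
    [string]$SetupDir   = 'C:\Install\WinSTAP',                                         # placeholder
    [string]$IniPath    = 'C:\Program Files (x86)\IBM\Windows S-TAP\Bin\guard_tap.ini',  # documented path
    [string]$BackupRoot = 'C:\Backup\guard_tap'                                          # placeholder
)
$ErrorActionPreference = 'Stop'

# The uninstaller removes the S-TAP tree, so refuse a backup location inside it.
$installRoot = Split-Path (Split-Path $IniPath -Parent) -Parent
if ($BackupRoot.TrimEnd('\').StartsWith($installRoot, [StringComparison]::OrdinalIgnoreCase)) {
    throw "Backup root '$BackupRoot' lies inside '$installRoot'; choose a non-Guardium directory."
}
if (-not (Test-Path -LiteralPath $IniPath)) {
    throw "guard_tap.ini not found at '$IniPath'; is the S-TAP installed?"
}

# 1. Timestamped copy, verified by hash so a truncated copy is not mistaken for a backup.
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null
$backup = Join-Path $BackupRoot ('guard_tap.{0}.ini' -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
Copy-Item -LiteralPath $IniPath -Destination $backup
$srcHash = (Get-FileHash -LiteralPath $IniPath -Algorithm SHA256).Hash
$dstHash = (Get-FileHash -LiteralPath $backup  -Algorithm SHA256).Hash
if ($srcHash -ne $dstHash) { throw "Backup verification failed for '$backup'." }
Write-Host "Configuration saved to $backup (SHA-256 $dstHash)"

# 2. Run the setup program from its own directory with the documented option.
$setupExe = Join-Path $SetupDir 'setup.exe'
if (-not (Test-Path -LiteralPath $setupExe)) { throw "Setup program not found at '$setupExe'." }
$option = if ($Action -eq 'Upgrade') { '-UNATTENDED' } else { '-UNINSTALL' }
$proc = Start-Process -FilePath $setupExe -ArgumentList $option -WorkingDirectory $SetupDir -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "setup.exe $option exited with code $($proc.ExitCode); do not reboot until this is understood."
}
Write-Host "setup.exe $option completed. Some files are only removed at the next scheduled reboot."

# 3. After an upgrade, list parameters that differ from the saved copy, so an
#    overwritten Guardium host or inspection engine is noticed before traffic is lost.
if ($Action -eq 'Upgrade') {
    $before = Get-Content -LiteralPath $backup  | Where-Object { $_ -match '=' }
    $after  = Get-Content -LiteralPath $IniPath | Where-Object { $_ -match '=' }
    Compare-Object -ReferenceObject $before -DifferenceObject $after | ForEach-Object {
        $tag = if ($_.SideIndicator -eq '<=') { 'removed' } else { 'added' }
        Write-Host ('  [{0}] {1}' -f $tag, $_.InputObject)
    }
}
```

Run it from an elevated PowerShell session as .\Manage-WinStap.ps1 -Action Uninstall (or -Action Upgrade). The hash check exists because a backup taken while the S-TAP is rewriting its configuration can be truncated, and the final comparison after an upgrade is the quickest way to see whether any Guardium host or inspection engine entry changed.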

Windows: When to restart or reboot the database
after S-TAP installation or upgrade
Windows S-TAP installation and upgrade does not require reboot of the database
server unless stated otherwise in the release notes or as an exception in this
document.
If you are not certain about the reboot requirement for the version you are using, check with your Technical Support representative. Restart and reboot requirements are the same for GIM and non-GIM installations.
Reboot the database server only when the S-TAP driver itself must be upgraded.

Parent topic: Windows: Install, Upgrade, Uninstall S-TAP
Windows: Managing S-TAP when upgrading your
database
Use these guidelines for managing your Windows S-TAP when upgrading your
database.
Procedure
1. Upgrade your database.
2. If you use the DB2 exit library, make sure that the exit library is in the appropriate place (for example, if the upgrade created a new database installation directory).
3. Check that the inspection engine for the database is still correct (for example, the version number).
4. If you changed the inspection engine, restart the S-TAP.

Parent topic: Windows: Install, Upgrade, Uninstall S-TAP
Windows: Managing S-TAP when upgrading your
database operating system
Use these guidelines for managing your S-TAP that was installed with the interactive
installer or CLI, when upgrading the operating system (OS) of your database.
About this task
This task is relevant only for S-TAP agents installed with interactive installer or CLI.
For S-TAP agents installed with GIM, see When you upgrade your database server
operating system.
Procedure
1. Uninstall the S-TAP agent.
2. Upgrade the operating system of the database server.
3. Download the S-TAP installer for the upgraded database operating system from Fix Central, and install it.

Parent topic: Windows: Install, Upgrade, Uninstall S-TAP

Related concepts: Windows: Installing an S-TAP agent
Related tasks: Windows: Upgrading and Removing an S-TAP
Windows: Configuring S-TAP
Learn to configure the S-TAP.
- Windows: Configure S-TAP from the GUI
In the S-TAP Control page you can view all S-TAPs managed by this Guardium
system, manage individual STAPs, and perform a few operations on all STAPs.
- Windows: Discover database instances
The Guardium S-TAP Discovery application periodically discovers database
instances and sends the details to the primary (current active) S-TAP system.
- Windows: Configuring an Inspection Engine
Configure or modify an inspection engine in the S-TAP Control pane.
- Windows: Inspection engine verification
S-TAP verification confirms that the STAPs and their inspection engines in your
environment are running and actively monitoring database activity. Understand
verification, and define a schedule to regularly verify S-TAPs.
- Windows: S-TAP Load Balancing models and configuration guidelines
Understand the S-TAP load balancing models, and choose the one appropriate to your setup.
- Windows: Set up S-TAP authentication with SSL certificates
Set up authentication between an S-TAP server and Guardium system.
- Windows: Using DB2 exit library
The DB2 exit mechanism enables Guardium to pick up all DB2 traffic, whether
encrypted or not and whether local or remote. This solution simplifies the S-TAP
configuration, and provides native DB2 support.
- Windows: Editing the S-TAP configuration parameters
You can modify the S-TAP configuration after it is installed using GIM, the UI, or
for advanced users, the configuration file on the database.
Parent topic: Windows: S-TAP user's guide
Windows: Configure S-TAP from the GUI
In the S-TAP Control page you can view all S-TAPs managed by this Guardium
system, manage individual STAPs, and perform a few operations on all STAPs.
About this task
Prerequisite: You must be logged in to the Guardium system that is the active host
for the S-TAP.
Mistakes made while installing an S-TAP often go undetected until the installation is complete; for example, a user may omit or mistype the IP address when defining a SQL Guard (Guardium) host. These mistakes can be remedied by modifying the S-TAP configuration.
Parameters in the GUI may be safely changed. Parameters that are not in the GUI
rarely need changing and should normally be left unmodified; they are for use by
Guardium Technical Support or advanced users.
Some configuration changes require that the S-TAP agent be restarted manually, as
indicated in the parameter descriptions.
If you have installed your S-TAP by using the Guardium Installation Manager (GIM),
you can update some parameters through the GIM GUI or API.
S-TAP status can be one of:
- Green: Online
- Yellow: Not synchronized: Indicates a mismatch between local (guard_tap.ini) and
remote (stored in MySql Tap properties) configuration parameters, normally
caused by loss of connection or inability to send new configuration parameters
from the collector to the S-TAP.
- Red: Offline

Procedure
1. Click Manage > Activity Monitoring > S-TAP Control to open S-TAP Control.
2. Perform operations on all S-TAPs in the page.
- Refresh: refresh display of S-TAPs.
- Add All to Schedule: add all displayed S-TAPs to the S-TAP verification
schedule. See Windows: Inspection engine verification.
- Remove All from Schedule: remove all displayed S-TAPs from the S-TAP
verification schedule.
- Comments: add comments. See Comments.
3. Identify the S-TAP to be configured by its IP address or the symbolic host name
of the database server on which it is installed. View and perform operations on
individual S-TAPs.

Option: Description

Delete: Click Delete to remove an S-TAP from the display. Deleting S-TAPs is useful to clean up your display when you know that an S-TAP has become inactive, or when the Guardium unit is no longer listed as a host in the S-TAP's configuration file. In either of these cases, the S-TAP displays indefinitely with an offline status if you do not delete it.
You cannot remove an active S-TAP from the list. Clicking Delete does not stop an S-TAP from sending information, nor does it remove the Guardium host from the list of hosts stored in the S-TAP's configuration file.

Refresh: Click Refresh to fetch a copy of the latest S-TAP configuration from the agent. (There is no auto-refresh of the S-TAP display.)

Send Command: Opens the S-TAP Commands popup, where you can run these commands on the S-TAP host:
- Restart: Restarts the S-TAP. Not usually needed; if it is, you can also stop it from the DB server.
- S-TAP logging
- Reinitialize buffer: Resets the K-TAP statistics and deletes the S-TAP buffer.
- Run Diagnostics: Runs the S-TAP diagnostics script and uploads the results to the Guardium system.
- Record Replay Log: Records all data to a file on the DB server (RECORD) and sends the data to the collector (REPLAY).
- Revoke Ignore: All sessions ignored by a revokable ignore policy become un-ignored, and the S-TAP starts capturing the traffic for those sessions.
- Run Database Instance Discovery: Runs the discovery process once, immediately. (If enabled to run automatically, it runs every 24 hours by default.)

Edit S-TAP configuration: Opens the S-TAP configuration window. Parameters that do not appear in the GUI are advanced parameters. Do not modify them unless you are an advanced user, or you have been instructed to modify them by Guardium Technical Support. See the GUI parameter references: Windows: General parameters; Windows: Configuration Auditing System (CAS) parameters; Windows: Guardium Hosts (SQLGuard) parameters; Windows: Firewall parameters; Windows: Inspection engine parameters.

Show S-TAP Event Log: Click to open the S-TAP event log, where you can see events such as connect, disconnect, and GIM server configuration. This log is very useful for troubleshooting.

Add to Schedule checkbox: Adds the individual S-TAP to the scheduled verification.

Revoke All Ignored Sessions checkbox: A database could be running many sessions, some of which are currently ignored. Clear this option to stop ignoring traffic from ignored sessions.

Parent topic: Windows: Configuring S-TAP
Windows: Discover database instances
The Guardium S-TAP Discovery application periodically discovers database
instances and sends the details to the primary (current active) S-TAP system.
The Guardium Discovery Agent is a software agent automatically installed with the
S-TAP package on a database server. The instance discovery agent reports
database instances, listener, and port information to the Guardium system.
Discovery does not find and report on every detail of the DB instances on the server.

Auto-discovery is enabled by default. Configure the interval at which it runs with the guard_tap.ini parameter winstap_discovery_interval.
Database types supported by S-TAP Discovery: MS SQL Server, DB2, Oracle, Informix, MongoDB, CouchDB.
Newly discovered database instances can be seen in the Discovered Instances report. From this report, datasources and inspection engines can quickly be added to Guardium using the Actions menu.
If databases on the database server are not running when scheduled discovery runs, or are added later, the Discovery Agent can still discover these instances when you run discovery on demand from the S-TAP Control window (Manage > Activity Monitoring > S-TAP Control, then Send Command > Run Database Instance Discovery for the S-TAP).
Running S-TAP Discovery manually is not generally recommended; the main reason to run it manually is debugging. If a new request comes in from the user interface while a scheduled discovery is running, the new request is ignored.
Note: To avoid a situation where S-TAP discovery cannot open the Informix database, start Informix databases using the full path to the executable.
The S-TAP Discovery application parameters should be left at their default values, except by advanced users. The discovery parameters are described in Windows: Discovery parameters.
Discovery also uses these parameters:
- Software_tap_host: IP address or hostname of the database server on which the
S-TAP is installed
- sqlguard_ip: S-TAP discovery results are sent to this IP. (The Guardium system
with primary=1 in the SQLguard parameters. )

Parent topic: Windows: Configuring S-TAP
Windows: Configuring an Inspection Engine
Configure or modify an inspection engine in the S-TAP Control pane.
Before you begin
You must be logged in to the Guardium system that manages the S-TAP.
About this task
Do not configure an S-TAP inspection engine to monitor network traffic that is also
monitored directly by a Guardium system that is hosting the S-TAP, or by another S-
TAP reporting to the same Guardium system. That would cause the Guardium
system to receive duplicate information: it would not be able to reconstruct sessions,
and would ignore that traffic.

Procedure
1. Navigate to Manage > Activity Monitoring > S-TAP Control.
2. In the row of the S-TAP, click Edit S-TAP configuration. The S-TAP Configuration window opens.
3. Scroll to the bottom of the inspection engines, and click Add Inspection Engine....
4. Select the protocol and enter the port range. The window refreshes with the relevant parameters, some with their default values.
5. Configure all required parameters, and click Add. If any required parameter is missing, the system tells you which one.

Parent topic: Windows: Configuring S-TAP

Related reference: Windows: Inspection engine parameters
Windows: Inspection engine verification
S-TAP verification confirms that the STAPs and their inspection engines in your
environment are running and actively monitoring database activity. Understand
verification, and define a schedule to regularly verify S-TAPs.
Verification checks sniffer operation and communication between the Guardium
system and the inspection engines. You can enable verification for all S-TAP clients
on your system, or individual S-TAP clients, or individual inspection engines.
Verification is supported for these database types:
- DB2
- DB2 Exit (DB2 version 10)
- FTP
- Kerberos
- Mysql
- Oracle
- PostgreSQL
- Sybase
- exclude IE
- MSSQL

There are two types of verification:

- Standard verification: Checks the sniffer operation, and the communication between the S-TAP and the inspection engine. The verification process attempts to log in to the database through the S-TAP client with an erroneous user ID and password, to verify that this attempt is recognized and communicated to the Guardium system. Next, the verification process checks whether it can connect to the selected inspection engine on the database server. It expects to receive a response that indicates a failed login. If a different response is received, you might have to investigate further.
Some error messages from individual databases do not indicate a specific problem. For example, on several supported databases, the error code returned for a wrong port can also mean that the database itself is not started.
- Advanced verification: Use advanced verification to avoid failed login requests, and to manage individual inspection engines. To avoid failed login requests, you must identify or create a datasource definition associated with the target database. The datasource definition includes credentials, which the verification process uses to log in to the database. It then submits a request to retrieve data from a nonexistent table in order to generate an error message. Because standard verification deliberately produces failed logins on the database server, use advanced verification where those failed logins would be unwanted.

For both types of verification, the results are displayed in a dialog that provides information about the tests that were performed and recommended actions for tests that failed.

- Windows: S-TAP verification
The S-TAP verification process checks several configuration parameters and attempts to connect to the inspection engines.
- Windows: Configure standard verification
Use this task to configure verification for all inspection engines on a specific S-TAP client host.
- Windows: Configure advanced verification
Use this task to configure verification for individual inspection engines on a specific S-TAP client host.
- Windows: Configuring the S-TAP verification schedule
You can configure the schedule for running S-TAP verification.
Parent topic: Windows: Configuring S-TAP
Windows: S-TAP verification
The S-TAP verification process checks several configuration parameters and
attempts to connect to the inspection engines.
Before connecting to the database, the verification process checks whether the
sniffer process is running on the Guardium system. The sniffer is responsible for
communicating with each S-TAP and processing the data that is received. If the
sniffer is not running, responses from the S-TAP are not recognized.
The verification process attempts to log in to the database through the S-TAP client with an erroneous user ID and password, to verify that this attempt is recognized and communicated to the Guardium system.
Next the verification process checks whether it can connect to the selected
inspection engine on the database server. It expects to receive a response that
indicates a failed login. If a different response is received, you might have to
investigate further.
Some error messages from individual databases do not indicate a specific problem.
For example, on several supported databases, the error code returned for a wrong
port can also mean that the database itself is not started.
View the verification results in the S-TAP Verification page (Manage > Reports >
Activity Monitoring > S-TAP Verification page). Failed checks are shown first, with
recommendations for next steps. Checks that succeeded are shown in a collapsed
section at the end of the list. In some situations, it might be useful to review the
successful checks in order to choose among possible next steps.

Parent topic: Windows: Inspection engine verification
Windows: Configure standard verification
Use this task to configure all inspection engines on a specific S-TAP client host.
About this task
As an alternative to this procedure, you can use the GRDAPI command
verify_stap_inspection_engine_with_sequence.
Procedure
1. Access Manage > Activity Monitoring > S-TAP Control.
2. Use these options:
- Add All to Schedule: add all inspection engines for all displayed S-TAPs to
verification.
- Remove All from Schedule: remove all inspection engines for all displayed S-
TAPs from verification.
- Add to Schedule: add all inspection engines of the selected S-TAP client to the
schedule.
If an S-TAP does not have the option All Can Control enabled, you can only
change its status if your Guardium system is the primary system for this S-TAP.
3. Click Refresh.
4. To verify now, go to Manage > Activity Monitoring > S-TAP Verification Scheduler
and click Run Once Now.
5. By default, the system waits five seconds before displaying verification results. If
your network latency is high, this might not be enough time to receive the
expected response from the database server. If you need to allow more time, you
can use the store stap network_latency CLI command to change the period.
What to do next
View the verification results in the S-TAP Verification page (Manage > Reports >
Activity Monitoring > S-TAP Verification page). Failed checks are shown first, with
recommendations for next steps. Checks that succeeded are shown in a collapsed
section at the end of the list. In some situations, it might be useful to review the
successful checks in order to choose among possible next steps.

Parent topic: Windows: Inspection engine verification
Windows: Configure advanced verification
Use this task to configure verification for individual inspection engines on a specific S-TAP client host.
Procedure
1. Access Manage > System View > S-TAP Status Monitor.
2. Click anywhere in the row of the S-TAP.
The window refreshes with the individual inspection engines of this host.
3. Configure advanced verification.
A. Click one inspection engine, and click Advanced Verify.
B. Optionally, under Datasource, select Show only matching S-TAP host or select
a name from the Name drop-down list to search for a specific inspection
engine.
C. Click Close.
4. To verify now, select one or more inspection engines and click Verify. The S-TAP
Verification Results window opens.
5. By default, the system waits five seconds before displaying verification results. If
your network latency is high, this might not be enough time to receive the
expected response from the database server. If you need to allow more time, you
can use the store stap network_latency CLI command to change the period.
6. To add inspection engines to the verification schedule, or remove them from it:
A. Select one or more inspection engines.
B. Click Add to Schedule or Remove from Schedule.
What to do next
View the verification results in the S-TAP Verification page (Manage > Reports >
Activity Monitoring > S-TAP Verification page). Failed checks are shown first, with
recommendations for next steps. Checks that succeeded are shown in a collapsed
section at the end of the list. In some situations, it might be useful to review the
successful checks in order to choose among possible next steps.

Parent topic: Windows: Inspection engine verification
Windows: Configuring the S-TAP verification
schedule
You can configure the schedule for running S-TAP verification.
About this task
The same schedule is used for all S-TAPs that are scheduled for verification. Once
a schedule is defined, you can click the Pause button in the S-TAP Verification
Scheduler to temporarily stop the verification process while keeping it active. Use
the Run Once Now button to run the verification once in real-time.

Procedure
1. Click Manage > Activity Monitoring > S-TAP Verification Scheduler to open the S-
TAP Verification Scheduler.
2. In the S-TAP Verification Scheduler portion of the page, click Modify Schedule.
3. In the Schedule Definition dialog, use the drop-down lists and check boxes to
schedule when verification runs. This schedule is applied to all S-TAPs that are
scheduled for verification.
4. Click Save to save your changes.

Parent topic: Windows: Inspection engine verification
Windows: S-TAP Load Balancing models and
configuration guidelines
Understand the S-TAP load balancing models, and choose the one appropriate to your setup.
Each load balancing model is described here, along with its specific parameter requirements.
Note: This topic describes S-TAP load balancing, not Enterprise Load Balancing.
Failover
The S-TAP sends traffic to one collector (the primary) and fails over to a secondary as needed. The S-TAP agent is configured with a primary and at least one secondary collector IP. If the S-TAP agent cannot send traffic to the primary collector, it automatically fails over to the secondary. It continues to send data to the secondary host until the secondary host becomes unavailable, the primary host becomes available again, or the S-TAP is restarted (at which point it attempts to connect to its primary host first). If the secondary host becomes unavailable, the S-TAP fails over to another secondary if one is defined. When the primary becomes available again, the S-TAP fails back from the secondary Guardium host to the primary Guardium host.
We recommend a primary and up to two secondary collectors. You can either define one collector as a standby failover collector only, or use several collectors as failover targets for each other. When using one dedicated standby, one standby collector is usually sufficient for 4-5 active collectors. When using several failover collectors, each one should run at a maximum of 50% capacity, so that there are always resources for additional load. Choose the setup that works best with your architecture, database, and data center layout.
The S-TAP restarts each time configuration changes are applied from the active host.
In the S-TAP Control window, Details section: set Load Balancing to 0. In the Guardium Hosts section: add at least one secondary Guardium Host.
Additional failover configuration should be left at the default values, except by advanced users.
Before designating a Guardium system as a secondary host for an S-TAP, verify these items.
- The Guardium system must have connectivity to the database server where the S-TAP is installed. When multiple Guardium systems are used, they are often attached to disjoint branches of the network.
- The Guardium system must not have a security policy that ignores session data from the database server where the S-TAP is installed. In many cases, a Guardium security policy is built to focus on a narrow subset of the observable database traffic, ignoring all other sessions. Either make sure that the secondary host will not ignore session data from this S-TAP, or modify the security policy on the secondary Guardium system as necessary.

Load balancing
This configuration balances traffic from one database across multiple collectors. This option might be appropriate when you must monitor all traffic (comprehensive monitoring) of a busy database. (Note that for outlier detection, the collectors need to be under the same aggregator and central manager so that the aggregator can process all related data.) When the generated traffic is large and you need to keep the data online on a collector for an extended period, this method might be your best choice because it performs session-based load balancing across multiple collectors. An S-TAP can be configured in this manner with up to 10 collectors.
In the S-TAP Control window, Details section: set Load Balancing to 1 for load balancing.
Grid
With Grid, the S-TAP communicates with the collectors through a load balancer, such as F5 or Cisco. The S-TAP agent is configured to send traffic to the load balancer, which forwards it to one of the collectors in the pool. You can also configure failover between load balancers for continuous monitoring if a load balancer fails.
S-TAP persistence is governed by the failover parameters:
- TAP_MIN_TIME_BEFOREFAILOVER: The time interval, in minutes, after which the S-TAP switches to the secondary Guardium system if it cannot connect to its primary Guardium system, or if it can connect to its primary Guardium system but cannot write to its buffer. Default is 5.
- TAP_MIN_HEARTBEAT_INTERVAL: The interval, in seconds, between attempts to write to the primary Guardium system buffer before the S-TAP tries the secondary. Default is 30, meaning that with the default TAP_MIN_TIME_BEFOREFAILOVER the S-TAP tries at least 5*60/30 = 10 times before failing over.

S-TAPs in the F5 environment upload their log files and the results of running diagnostics (all files from the ..\Logs folder except memory dumps) to the active collector and to the central manager (if one exists), under /var/IBM/Guardium/log/stap_diagnostic/.
In the S-TAP Control window, Details section: set Load Balancing to 3 for the grid model.
In addition, set:
- All can control=1
- Guardium Host=<the virtual IP of the load balancer, to which all S-TAP database clients point>

Redundancy
In redundancy, the S-TAP sends its entire payload to multiple collectors. The S-TAP is configured with more than one collector (often only two) and sends identical content to each. This option provides full redundancy of the same logged data across multiple collectors. It can also be used to log data and alert on activity at different levels of granularity on each collector.
In the S-TAP Control window, Details section: set Load Balancing to 2 for redundancy.
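The following PowerShell script is an added example, not from the Guardium documentation, that reads a guard_tap.ini and checks the Guardium host list against the load-balancing model selected, using the rules stated above: failover needs one primary and at least one secondary (and at most two secondaries are recommended), load balancing allows up to 10 collectors, redundancy needs more than one collector, and grid needs All can control set to 1 with the load balancer virtual IP as the only Guardium host. It also computes the minimum number of write attempts before failover from the two timing parameters. The ini key names load_balancing, all_can_control, tap_min_time_before_failover and tap_min_heartbeat_interval, and the [SQLGuard_n] section layout with sqlguard_ip and primary, are assumptions taken from the GUI names on this page; the sample ini is constructed for the example.

```powershell
<#
  Added example (not from the IBM Guardium documentation): parse guard_tap.ini and
  check that the Guardium host list is consistent with the load-balancing model.
  Assumed ini layout (the page gives GUI names, not every key): the [TAP] section
  holds load_balancing, all_can_control, tap_min_time_before_failover and
  tap_min_heartbeat_interval; each Guardium host is a [SQLGuard_n] section with
  sqlguard_ip and primary. The sample ini below is constructed for this example.
#>
function ConvertFrom-GuardTapIni {
    param([Parameter(Mandatory)][string]$Text)
    $ini = [ordered]@{}; $section = $null
    foreach ($raw in $Text -split "`r?`n") {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('#') -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; $ini[$section] = [ordered]@{}; continue }
        if ($section -and $line -match '^([^=]+)=(.*)$') {
            $ini[$section][$Matches[1].Trim().ToLowerInvariant()] = $Matches[2].Trim()
        }
    }
    return $ini
}

function Test-StapLoadBalancing {
    param([Parameter(Mandatory)][string]$IniText)
    $ini = ConvertFrom-GuardTapIni $IniText
    $tap = $ini['TAP']
    if (-not $tap) { throw 'guard_tap.ini has no [TAP] section' }
    $hosts    = @($ini.Keys | Where-Object { $_ -like 'SQLGuard_*' } | ForEach-Object { $ini[$_] })
    $primary  = @($hosts | Where-Object { $_['primary'] -eq '1' })
    $mode     = if ($tap.Contains('load_balancing')) { [int]$tap['load_balancing'] } else { 0 }
    $minutes  = if ($tap.Contains('tap_min_time_before_failover')) { [int]$tap['tap_min_time_before_failover'] } else { 5 }
    $seconds  = if ($tap.Contains('tap_min_heartbeat_interval')) { [int]$tap['tap_min_heartbeat_interval'] } else { 30 }
    $findings = New-Object System.Collections.Generic.List[string]

    switch ($mode) {
        0 { # Failover: one primary, at least one secondary; the page recommends at most two secondaries
            if ($hosts.Count -lt 2)   { $findings.Add('failover needs at least one secondary Guardium host') }
            if ($primary.Count -ne 1) { $findings.Add("failover expects exactly one host with primary=1, found $($primary.Count)") }
            if ($hosts.Count -gt 3)   { $findings.Add('more than two secondaries configured; keep to a primary plus up to two') }
        }
        1 { # Session-based load balancing across up to 10 collectors
            if ($hosts.Count -lt 2)   { $findings.Add('load balancing with a single collector balances nothing') }
            if ($hosts.Count -gt 10)  { $findings.Add('load balancing supports at most 10 collectors') }
        }
        2 { # Redundancy: identical payload to every collector listed
            if ($hosts.Count -lt 2)   { $findings.Add('redundancy needs more than one collector') }
        }
        3 { # Grid: the S-TAP talks only to the load balancer VIP and must accept control from any collector behind it
            if ($tap['all_can_control'] -ne '1') { $findings.Add('grid requires all_can_control=1') }
            if ($hosts.Count -ne 1)   { $findings.Add('grid should list only the load balancer virtual IP as the Guardium host') }
        }
        default { $findings.Add("unknown load_balancing value $mode") }
    }
    return [pscustomobject]@{
        Mode                        = $mode
        Hosts                       = @($hosts | ForEach-Object { $_['sqlguard_ip'] })
        # Minimum write attempts to the primary before failover: minutes*60 / heartbeat seconds
        WriteAttemptsBeforeFailover = [math]::Floor($minutes * 60 / $seconds)
        Findings                    = $findings.ToArray()
    }
}

# Constructed sample: a correct failover setup (primary plus one secondary)
$failoverIni = @'
[TAP]
tap_ip=10.0.1.25
load_balancing=0
all_can_control=0
tap_min_time_before_failover=5
tap_min_heartbeat_interval=30
[SQLGuard_0]
sqlguard_ip=10.0.9.10
primary=1
[SQLGuard_1]
sqlguard_ip=10.0.9.11
primary=0
'@
Test-StapLoadBalancing $failoverIni | Format-List

# The same host list with the grid model selected but nothing else changed
Test-StapLoadBalancing ($failoverIni -replace 'load_balancing=0', 'load_balancing=3') | Format-List
```

The first call returns no findings and ten write attempts before failover (5 minutes at a 30 second heartbeat). The second call shows the kind of mismatch that produces a silently offline S-TAP after a model change: it reports that all_can_control is not 1 and that more than one Guardium host is listed where only the load balancer VIP should be. Point the script at the real file with Test-StapLoadBalancing (Get-Content -Raw 'C:\Program Files (x86)\IBM\Windows S-TAP\Bin\guard_tap.ini').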

Parent topic: Windows: Configuring S-TAP
Windows: Set up S-TAP authentication with SSL
certificates
Set up authentication between an S-TAP server and Guardium system.
S-TAPs can be configured to only connect to a certain group of machine(s) that
authenticate with a given certificate or set of certificates. These certificates can
either be generated locally on the Guardium system and sent off to the Certificate
Authority (CA) for signing or can be created at the CA and installed whole on the
Guardium system.

- Windows: Generating certificate signing request (CSR) on Guardium system
Use this procedure to generate a certificate signing request locally on the Guardium system, for sending to the Certificate Authority (CA) for signing.
- Windows: Installing an SSL certificate generated outside of the Guardium system
Use this procedure to install the SSL certificate that was created by the CA.
- Windows: Configuring the S-TAP to use x.509 certificate authentication
Parent topic: Windows: Configuring S-TAP

Windows: Generating certificate signing request
(CSR) on Guardium system
Use this procedure to generate a certificate signing request locally on the Guardium
system, for sending to the Certificate Authority (CA) for signing.
Procedure
1. Log in to your Guardium system with the CLI.
2. Enter: cli> create csr sniffer
3. Enter the requested data. When you have finished, the CLI prints the certificate signing request.
4. Copy everything from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST----- into a file and send this to your CA for signing. The CA signs the request and returns a certificate in PEM format (a -----BEGIN CERTIFICATE----- block).
5. Have this file handy to either paste its contents or import it to the Guardium system. Enter: cli> store certificate sniffer [console | import]
6. If you chose console, paste everything from -----BEGIN CERTIFICATE----- through -----END CERTIFICATE----- (including those two lines) into the CLI when prompted. If you chose import, tell the Guardium system where to import the file from.
The CLI asks you to confirm that you want to store the certificate, and stores it when you confirm.
7. Restart the inspection-core for the new certificate to take effect.

Parent topic: Windows: Set up S-TAP authentication with SSL certificates
Windows: Installing an SSL certificate generated
outside of the Guardium system
Use this procedure to install the SSL certificate that was created by the CA.
About this task
If the CA sends you a whole certificate to install, you need two files: the private key in password-protected PKCS#8 format, and the certificate in PEM format. The key must be a 2048-bit RSA key.
The CA sends you these two files plus the public certificate of the CA itself: the CA's public certificate, the certificate issued to this Guardium system, and the private key (encrypted PKCS#8).
Have these files handy to either import (via scp/ftp/etc.) to the Guardium system or to copy-paste into the CLI on the Guardium system.

Procedure
1. Log in to the Guardium system via CLI.
2. Store the private key by entering: cli> store certificate keystore [import | console]
With import, the CLI reads the saved file from the location you give; with console, you paste the contents of the file into the CLI. Either way, the CLI asks for the password the key file was encrypted with. Either you provided this password to the CA when requesting the certificate or, more likely, the CA provided it when sending your files.
3. Import the signed certificate with: cli> store certificate sniffer [import | console]
The CLI displays the information in the certificate and then asks you to confirm storing it.
4. Restart the inspection-core for the new certificate to take effect.

Parent topic: Windows: Set up S-TAP authentication with SSL certificates
Windows: Configuring the S-TAP to use x.509
certificate authentication
About this task
First, take note of what you have assigned as the CA and the CN of the certificate.
If you don't remember, use the CLI command show system certificate to display the
values.
You need the CN of the certificate installed on the Guardium system and the public key
of the CA that signed that certificate. You might also want a Certificate Revocation
List signed by the same CA that signed the Guardium system certificate, but it is not
necessary.
The relevant parameters in the guard_tap.ini are guardium_ca_path, sqlguard_cert_cn,
guardium_crl_path and tls, all in the [TAP] section.
If you do not choose to use a parameter, do not include it in the guard_tap.ini at all.
This is pertinent to the CRL path in particular, and to turning certificate
authentication off again to go back to plain TLS.

Procedure
1. Copy the public key [and the CRL if wanted] that the CA sent you to a directory on
   the S-TAP host. Take note of this directory.
2. Set guardium_ca_path=[path-to-CA.pem]
3. Set sqlguard_cert_cn=[the full CN or partial CN (using * as a wildcard) of the
   Guardium system]
4. If you want to use a certificate revocation list at this time, set
   guardium_crl_path=[path-to-crl.crl]. The result should look like:
   guardium_ca_path=/var/tmp/pki/Victoria_QA_CA.pem
   sqlguard_cert_cn=sample1_qa.victoria
   guardium_crl_path=/var/tmp/pki/Victoria_QA_CA.crl
5. Set tls=1.
6. Restart the S-TAP. The S-TAP now connects using OpenSSL.
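A consistency check for these settings, added here as an example and not part of the Guardium documentation or product: it reads the [TAP] fragment above, confirms that the CA file exists, matches sqlguard_cert_cn against the CN shown by show system certificate (treating * as a wildcard; case-insensitive matching is this example's assumption) and flags a guardium_crl_path line that is present but empty. The key name tls (with use_tls accepted as the table's spelling) and the placeholder CA file written to a temporary directory are assumptions of the example.

```python
"""Consistency check for the x.509 settings configured in the procedure above.
Added example, not part of the Guardium documentation or product."""
import os
import re
import tempfile


def parse_tap_section(ini_text):
    """Return the [TAP] key=value pairs with lower-cased keys. Empty values
    are kept so that a dangling 'guardium_crl_path=' can be reported."""
    params, in_tap = {}, False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_tap = line[1:-1].lower() == "tap"
        elif in_tap and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip().lower()] = value.strip()
    return params


def cn_matches(pattern, cn):
    """True when the certificate CN satisfies sqlguard_cert_cn, with '*'
    standing for any run of characters (case-insensitive matching is an
    assumption of this example; use the exact CN if in doubt)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, cn, re.IGNORECASE) is not None


def check_x509_settings(ini_text, installed_cn):
    """installed_cn: the CN reported by 'show system certificate' on the
    Guardium system. Returns a list of problems (empty when consistent)."""
    tap = parse_tap_section(ini_text)
    problems = []
    ca_path = tap.get("guardium_ca_path")
    if not ca_path:
        problems.append("guardium_ca_path is not set")
    elif not os.path.isfile(ca_path):
        problems.append("guardium_ca_path is not a file: " + ca_path)
    cn_pattern = tap.get("sqlguard_cert_cn")
    if not cn_pattern:
        problems.append("sqlguard_cert_cn is not set")
    elif not cn_matches(cn_pattern, installed_cn):
        problems.append("sqlguard_cert_cn %r does not match the installed CN %r"
                        % (cn_pattern, installed_cn))
    if "guardium_crl_path" in tap:      # optional: omit it rather than leave it empty
        crl_path = tap["guardium_crl_path"]
        if not crl_path:
            problems.append("guardium_crl_path is present but empty; remove the line")
        elif not os.path.exists(crl_path):
            problems.append("guardium_crl_path does not exist: " + crl_path)
    # The procedure sets tls=1; use_tls is accepted as the table's spelling.
    if tap.get("tls", tap.get("use_tls")) != "1":
        problems.append("tls must be 1 for certificate authentication")
    return problems


def demo():
    """Run the check on two constructed [TAP] fragments. A placeholder CA
    file is written to a temporary directory so the example runs offline."""
    with tempfile.TemporaryDirectory() as tmp:
        ca_path = os.path.join(tmp, "Victoria_QA_CA.pem")
        with open(ca_path, "w") as fh:
            fh.write("-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n")
        good = "[TAP]\nguardium_ca_path=%s\nsqlguard_cert_cn=sample1_qa.*\ntls=1\n" % ca_path
        broken = ("[TAP]\nguardium_ca_path=%s\nsqlguard_cert_cn=sample2_qa.victoria\n"
                  "guardium_crl_path=\ntls=0\n" % ca_path)
        return (check_x509_settings(good, "sample1_qa.victoria"),
                check_x509_settings(broken, "sample1_qa.victoria"))


if __name__ == "__main__":
    good_result, broken_result = demo()
    print("good fragment:", good_result or "no problems")
    print("broken fragment:", broken_result)
```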

Parent topic:Windows: Set up S-TAP authentication with SSL certificates

Windows: Using DB2 exit library
The DB2 exit mechanism enables Guardium to pick up all DB2 traffic, whether
encrypted or not and whether local or remote. This solution simplifies the S-TAP
configuration, and provides native DB2 support.
About this task
DB2 exit embeds a Guardium library into DB2 via the DB2_Exit mechanism. The
DB2_Exit communicates directly with the Guardium S-TAP to forward all DB2 traffic,
whether encrypted or not, and both local and remote. DB2 exit captures TCP as well
as SHM traffic.
DB2 Exit supports terminate and UID chain.
Limitations:
- DB2 Exit does not support Guardium data masking (scrub/redact).
- The Guardium firewall (V10.1.2 and later) requires DB2 version 10.1 or later.
- Stored procedures: DB2 Exit monitors the stored procedure call, but since Guardium
  does not know what is in the stored procedure, SQL from inside the procedure is not
  captured.

Procedure
1. Create a new folder within the DB2 SQLLIB folder, one for each instance:
   $DB2PATH\security\plugin\commexit\instance_name
   For example: C:\Program Files\IBM\SQLLIB\security\plugin\commexit\DB2_01
2. Copy the corresponding DLLs from the S-TAP installation directory into the
   created directories:
   - For 32-bit DB2: db2fexitx86.dll and db2exitx86.dll
   - For 64-bit DB2: db2fexitx64.dll and db2exitx64.dll
3. Stop the DB2 instance(s), and issue the following command:
   - for 32-bit: UPDATE DBM CFG USING COMM_EXIT_LIST db2fexitx86
   - for 64-bit: UPDATE DBM CFG USING COMM_EXIT_LIST db2fexitx64
4. Start the DB2 instances.
5. Add an inspection engine for DB2 Exit with protocol DB2 Exit. Navigate to
   Manage > Activity Monitoring > S-TAP Control. See parameter descriptions in
   Windows: Inspection engine parameters. You can also modify the guard_tap.ini,
   but it is much easier to use the GUI, since it fills in some of the information
   automatically and does some validation. If you modify the guard_tap.ini, add a
   section such as:
   [DB_DB2_EXIT1]
   DB_TYPE=DB2_EXIT
   INSTANCE_NAME=Service_name
   and in the [TAP] section set the parameter DB2_EXIT_DRIVER_INSTALLED=1.
   The service name is not the instance name. You can determine the service name
   by using the db2tap utility in the S-TAP installation folder, or from the Control
   Panel. Set the instance name to the portion of the service name that follows the
   second dash ( - ) delimiter. For example, if the service name in the Control Panel
   is DB2 - DB2COPY1 - DB2-01-0, set INSTANCE_NAME to DB2-01-0.
6. To stop using the feature, stop DB2, issue the following command, and then
   restart DB2: db2 UPDATE DBM CFG USING COMM_EXIT_LIST NULL

Parent topic:Windows: Configuring S-TAP

Windows: Editing the S-TAP configuration parameters
You can modify the S-TAP configuration after it is installed using GIM, the UI, or for
advanced users, the configuration file on the database.
Note: Parameters in the GUI may be safely changed. Parameters that are not in the
GUI are advanced, and rarely need changing. They are for use by Guardium
support or advanced users.
CAUTION:
Do not modify advanced parameters unless you are an expert user or you have
consulted with IBM Technical Support.
You can modify some parameters in the GUI. See Windows: Configure S-TAP from
the GUI.
GIM is an easy method for modifying parameters, if the S-TAP bundle was installed
with GIM. See Setup by Client. You can input any parameter in the Setup by Client
page, in the Choose parameters ribbon, using the command WINSTAP_CMD_LINE
with the syntax parameter=value for [TAP] parameters, and it is added or updated in
the guard_tap.ini.
CAUTION:
There is no validation of the input when using the command WINSTAP_CMD_LINE.
Use this command carefully. Do not modify advanced parameters unless you are an
expert user or you have consulted with IBM Technical Support.
If it is necessary to modify the configuration file from the database server, follow the
procedure described in this section.
The S-TAP needs restarting after you modify the guard_tap.ini. If you're using GIM,
it restarts the S-TAP automatically.
CAUTION:
Parameters must be added to their relevant section: [Version], [TAP], [SQLGuard],
[DB_<name>].
1. Log on to the database server system using the root account.
2. Stop the S-TAP.
3. Make a backup copy of the configuration file, guard_tap.ini. The default file
location is \Program Files\IBM\Windows S-TAP\Bin\
4. Open the configuration file in a text editor.
5. Edit the file as necessary.
6. Save the file.
7. Restart the S-TAP and verify that your change has been incorporated.
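A small editor for the procedure above, added as an example and not Guardium's own tooling: it puts a parameter into the section the tables on this page assign it, rejects values outside the documented ranges (WINSTAP_CMD_LINE does no such validation), backs the file up before writing, and keeps every other line untouched. The sample configuration, the .bak backup name and the list of checked parameters are this example's own choices.

```python
"""Editor for guard_tap.ini that enforces the section placement and value
ranges documented on this page. Added example; not Guardium's own tooling."""
import re
import shutil

# Sections documented for the Windows S-TAP: [Version], [TAP], [SQLGuard]
# plus [SQLGuard_1], [SQLGuard_2], ..., one [DB_<name>] per inspection
# engine, and [DEBUG_OPTIONS].
SECTION_RE = re.compile(
    r"^(version|tap|sqlguard(_\d+)?|db_[a-z0-9_]+|debug_options)$", re.I)

# Section prefix each documented parameter belongs in (the page requires
# every parameter to sit in its relevant section).
HOME = {"SQLGUARD_IP": "SQLGUARD", "PRIMARY": "SQLGUARD",
        "DB_TYPE": "DB_", "INSTANCE_NAME": "DB_", "PORT_RANGE_START": "DB_",
        "PORT_RANGE_END": "DB_", "NETWORKS": "DB_", "EXCLUDE_NETWORKS": "DB_",
        "PRIORITY_COUNT": "DB_", "USE_TLS": "TAP", "COMPRESSION_LEVEL": "TAP",
        "PARTICIPATE_IN_LOAD_BALANCING": "TAP", "BUFFER_FILE_SIZE": "TAP",
        "DEBUGLEVEL": "TAP", "DEBUG_BUFFER": "DEBUG_OPTIONS"}

# Inclusive integer ranges taken from the parameter tables.
RANGES = {"USE_TLS": (0, 1), "PRIMARY": (0, 1), "FAM_ENABLE": (0, 1),
          "PARTICIPATE_IN_LOAD_BALANCING": (0, 3), "COMPRESSION_LEVEL": (0, 9),
          "BUFFER_FILE_SIZE": (5, 1000), "BUFFER_FILE_MAX_SIZE": (5, 1000),
          "PRIORITY_COUNT": (0, 50), "DEBUGLEVEL": (0, 7)}


def validate(section, key, value):
    """Raise ValueError when the section is unknown, the key is placed in
    the wrong section, or the value falls outside its documented range."""
    if not SECTION_RE.match(section):
        raise ValueError("unknown section [%s]" % section)
    home = HOME.get(key.upper())
    if home and not section.upper().startswith(home):
        raise ValueError("%s belongs in a [%s...] section, not [%s]"
                         % (key, home, section))
    bounds = RANGES.get(key.upper())
    if bounds:
        try:
            number = int(value)
        except ValueError:
            raise ValueError("%s must be an integer, got %r" % (key, value))
        if not bounds[0] <= number <= bounds[1]:
            raise ValueError("%s=%s is outside %d..%d" % (key, value, *bounds))


def set_parameter(ini_text, section, key, value):
    """Return ini_text with key=value in [section]: an existing key is
    replaced in place (case-insensitive match), a missing key is appended
    to the section, a missing section is created at the end. Every other
    line, comments included, is kept; line endings are normalized to LF."""
    validate(section, key, value)
    new_line = "%s=%s" % (key, value)
    key_re = re.compile(r"^\s*%s\s*=" % re.escape(key), re.I)
    out, in_target, seen, done = [], False, False, False
    for line in ini_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            if in_target and not done:       # leaving the target section
                out.append(new_line)
                done = True
            in_target = stripped[1:-1].lower() == section.lower()
            seen = seen or in_target
        elif in_target and not done and key_re.match(line):
            line, done = new_line, True
        out.append(line)
    if not seen:
        out += ["[%s]" % section, new_line]
    elif not done:                           # target was the last section
        out.append(new_line)
    return "\n".join(out) + "\n"


def update_file(path, section, key, value):
    """Steps 3 to 6 of the procedure: back up guard_tap.ini (to <path>.bak,
    this example's choice), then write the edited copy. Stopping the S-TAP
    before and restarting it afterwards is still the operator's job."""
    shutil.copy2(path, path + ".bak")
    with open(path) as fh:
        text = fh.read()
    with open(path, "w") as fh:
        fh.write(set_parameter(text, section, key, value))


# Constructed sample, not a real configuration.
SAMPLE_INI = """[TAP]
TAP_IP=10.0.0.5
USE_TLS=0
; comments survive the edit
[SQLGuard]
SQLGUARD_IP=10.0.0.100
PRIMARY=1
[DB_MSSQL1]
DB_TYPE=MSSQL
PORT_RANGE_START=1433
PORT_RANGE_END=1433
"""

if __name__ == "__main__":
    print(set_parameter(SAMPLE_INI, "TAP", "USE_TLS", "1"))
    print(set_parameter(SAMPLE_INI, "SQLGuard_1", "SQLGUARD_IP", "10.0.0.101"))
```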

- Windows: Guardium Hosts (SQLGuard) parameters
  These parameters describe a Guardium system to which this S-TAP can connect.
  All parameters in this section are basic, and appear in the [SQL_GUARD] section.
- Windows: General parameters
  These parameters define basic properties of the S-TAP running on a Windows
  server and the server on which it is installed, and do not fall into any of the other
  categories.
- Windows: Inspection engine parameters
  These parameters affect the behavior of the inspection engine that the S-TAP
  uses to monitor a data repository on a Windows server.
- Windows: Firewall parameters
  These parameters affect the behavior of the S-TAP with respect to the firewall.
- Windows: Query rewrite parameters
  The query rewrite parameters affect the behavior of the S-TAP with respect to
  query rewrite (Dynamic Data Masking for Databases).
- Windows: Discovery parameters
  The discovery parameters define the behavior of the auto-discovery feature, for
  discovering database instances and sending the results to the current active S-TAP.
- Windows: Debug parameters
  These parameters affect the behavior of S-TAP debugging.
- Windows: Configuration Auditing System (CAS) parameters
  These parameters affect the behavior of CAS.
- Windows: Driver parameters
  These parameters affect the behavior of several drivers with which the S-TAP
  interacts.
Parent topic:Windows: Configuring S-TAP

Windows: Guardium Hosts (SQLGuard) parameters
These parameters describe a Guardium system to which this S-TAP can connect.
All parameters in this section are basic, and appear in the [SQL_GUARD] section.

Each entry gives the guard_tap.ini parameter, then its GUI label, GIM parameter and default value where they exist, followed by the description.

PRIMARY (GUI: checkmark indicates the primary host)
    Indicates the primary Guardium system for this S-TAP. In guard_tap.ini: 0=secondary, 1=primary.
TAP_GUARD_TCP_PORT (default: 9500)
    Read only. Port used for the S-TAP to connect to the Guardium system.
SQLGUARD_IP (GUI: Guardium Host; GIM: WINSTAP_SQLGUARD_IP; default: NULL)
    IP address or hostname of the Guardium system that acts as the host for the S-TAP. You can define multiple hosts by adding [SQLGuard_1], [SQLGuard_2], and so on.

Parent topic:Windows: Editing the S-TAP configuration parameters

Windows: General parameters
These parameters define basic properties of the S-TAP running on a Windows
server and the server on which it is installed, and do not fall into any of the other
categories.
These parameters are stored in the [VERSION] section of the S-TAP properties file.
Table 1. S-TAP configuration parameters in the [VERSION] section

Each entry gives the guard_tap.ini parameter, its GUI label where one exists, and the description.

STAP_CLIENT_BUILD
    Read only. The build version of the installed S-TAP.
PROTOCOL_VERSION (GUI: Version)
    Read only. The version of the Guardium system.

These parameters are stored in the [TAP] section of the S-TAP properties file.
Table 2. S-TAP configuration parameters in the [TAP] section

Each entry gives the guard_tap.ini parameter, then its GUI label, GIM parameter and default value where they exist, followed by the description.

TAP_TYPE (default: wstap)
    Read only. The type of installed S-TAP agent.
TAP_VERSION (GUI: Version)
    Read only. The version of S-TAP installed on the server.
TAP_IP (GUI: S-TAP Host)
    Read only. Used by the file system monitoring service instead of the SOFTWARE_TAP_HOST parameter. Both parameters should have the same value.
ALL_CAN_CONTROL (GUI: All can control; GIM: WSTAP_ALL_CAN_CONTROL; default: 0)
    0=S-TAP can be controlled only from the primary Guardium system. 1=S-TAP can be controlled from any Guardium system.
PARTICIPATE_IN_LOAD_BALANCING (GUI: Load balancing; GIM: WINSTAP_PARTICIPATE_IN_LOAD_BALANCING; default: 0)
    Controls S-TAP load balancing (not enterprise load balancing) to Guardium systems:
    0: No load balancing.
    1: Load balancing. Traffic is balanced between the primary and secondary servers defined in the SQLGuard section.
    2: Redundancy. Fully mirrored: the S-TAP sends all traffic to all primary and secondary servers defined in the SQLGuard section.
    3: Hardware load balancing. Guardium uses a load balancer such as F5 or Cisco. The S-TAP sends the traffic to the load balancer, which forwards it to one of the collectors in the pool.
    Use the PRIMARY parameter in the SQLGUARD section to specify primary, secondary, etc. servers. If this parameter is set to 0 and you have more than one Guardium system monitoring traffic, the non-primary Guardium systems are available for failover.
USE_TLS (GUI: Use TLS; default: 0)
    1=use SSL to encrypt traffic between the agent and the Guardium system. 0=do not encrypt. Warning: with 0, the traffic between the agent and the Guardium system is in clear text. Guardium recommends encrypting network traffic between the S-TAP and the collector whenever possible; disable it only in cases where performance is a higher priority than security.
FAILOVER_TLS (GUI: TLS Failover; default: 1)
    Deprecated in V10.5. 1=If an SSL connection is not possible for any reason, fail over to a non-secure connection. 0=use only secure connections.
NUMBER_OF_PROCESSORS (default: 4)
    Read only. Number of processors on the machine.
ALTERNATE_IPS
    Comma-separated list of alternate or virtual IP addresses used to connect to this database server. This is used only when your server has multiple network cards with multiple IPs, or virtual IPs. The S-TAP only monitors traffic when the destination IP matches either the S-TAP Host IP defined for this S-TAP or one of the alternate IPs listed here, so it is recommended that you list all virtual IPs here.
STAP_STATISTIC (default: -1)
    The interval at which the S-TAP sends statistic information about itself to the sniffer: a positive integer for hours, a negative integer for minutes, 0=do not send. The default is -1 (every minute).
DB2_TAP_INSTALLED (default: 0)
    Set to 1 for sniffing DB2 shared memory traffic. Starts the DB2 TAP Service when set to 1.
DB2_EXIT_DRIVER_INSTALLED
    DB2 integration with S-TAP: set to 1 to enable DB2 Exit library integration. 1) Lets the S-TAP capture all DB2 traffic directly from the DB2 engine; note that this is only for specific DB2 releases, 10.1 and onwards. 2) When using this method, Firewall and Scrub/Redact functionality are not supported, and stored procedures are not captured. 3) It picks up all DB2 traffic regardless of encryption or network protocol. 4) This solution simplifies the S-TAP configuration for customers that deploy this version of DB2, and gives them native DB2 support.
DB2_SHMEM_DRIVER_INSTALLED
    Deprecated, and replaced by DB2_TAP_INSTALLED.
DB2_SHMEM_DRIVER_LEVEL
    Deprecated.
DC_COLLECT_FREQ (default: 24)
    Deprecated in v10.5. Specifies the frequency of collection in hours. Minimum is 1, maximum is 24. GuardiumDC is a service that collects updates of user accounts (SIDs and usernames) from the primary domain controller and then signals the changes to Guardium_S-TAP to update the internal S-TAP SID/UserName map. If the S-TAP cannot find a resolved SID in the map, it tries to get it from the primary Domain Controller, in which case the S-TAP logs a message into the debug log (level 7): The account name *** has been retrieved for SID ***.
DC_COLLECT_MAXUSERS (default: 200,000)
    Deprecated in v10.5. The maximum number of users to collect. Minimum is 10,000.
DOMAIN_CONTROLLER
    The name of the specific controller from which the SID/usernames map should be read.
HIGH_RESOLUTION_TIMER (default: 0)
    0: send time stamps in milliseconds. 1: send time stamps in microseconds, but use the milliseconds system timer (to reduce the system performance hit; milliseconds are multiplied by 1000). 2: send time stamps in microseconds using the high resolution Windows timer (most accurate). For cases 1 and 2, the S-TAP indicates to the Guardium system that microseconds are sent by setting the reserved byte in PacketData to 1.
BUFFER_FILE_SIZE (default: 50)
    Advanced. The initial size of the buffer. The range is 5 to 1000, in MB.
BUFFER_FILE_NAME
    Deprecated in v10.5. The full path of the memory mapped file if BUFFER_MMAP_FILE=1. Default is WSTAP working folder/StapBuffer/STAP_buffer.dtx.
BUFFER_MMAP_FILE (default: 0)
    1=memory mapped file option. 0=virtual memory allocation.
BUFFER_FILE_MAX_SIZE (default: 250)
    Advanced. The maximum size that the memory commit will expand to, in MB. Maximum value is 1000.
BUFFER_FILE_MEM_FOOTPRINT (default: 8)
    Advanced. The maximum fraction of the total memory that is allocated for the dynamic buffer increase. The default value of 8 translates to 1/8 of the total memory. The minimum parameter value is 2, meaning that you cannot allocate more than 1/2 of the total memory.
DYNAMIC_BUFFER_INCREASE (default: 0)
    Advanced. Enables the dynamic buffer feature: when the buffer gets to 75% full in the current S-TAP session, the buffer size increases incrementally by 50 MB. The feature is controlled by BUFFER_FILE_SIZE, BUFFER_FILE_MAX_SIZE and BUFFER_FILE_MEM_FOOTPRINT. 0: disabled; 1: enabled.
SOFTWARE_TAP_HOST
    The database server host on which the S-TAP is installed. It can be an IP address or a name recognized by the DNS server. There is no default. An invalidly configured SOFTWARE_TAP_HOST is automatically replaced with a valid local IP.
TCP_ALIVE_MESSAGE (default: 1)
    Deprecated since Guardium v10.x. Guardium collectors no longer send UDP alive messages.
COMPRESSION_LEVEL (GUI: Compres. level; default: 0)
    Compression level, from 1 to 9. 0=no compression.
DISABLE_SHARED_MEMORY_IF_TURNED_ON (default: 0)
FILE_SNIFFER_FREQUENCY (default: 45)
    Frequency, in seconds, of: registration attempts with a Guardium system if a previous attempt was not successful; and the S-TAP check for new logs available from Program Files\IBM\Windows S-TAP\Logs for uploading onto the collector.
MAXIMUM_PACKET_NUM (default: 300,000)
    Deprecated.
MIN_BYTES_TO_COMPRESS (default: 500)
    Advanced. Minimum size of message to compress.
NOT_SEND_TO_SQLGUARD (default: 0)
    Advanced. Send nothing to the Guardium system.
RECV_LEVEL (default: 0)
    Advanced.
REMOTE_MESSAGES (GUI: Messages: remote; default: 1)
    1=Send messages to the active Guardium system. 0=Do not send messages.
SEND_LEVEL (default: 0)
    Advanced. Used for thread prioritization.
SNIFFED_UDP_PORTS (default: 88)
    Deprecated.
SYNCH_FLAG (default: 1)
    Read only. Deprecated in v10.0. Indicates whether parameters are synchronized with the UI.
TAP_DBSERVER_NAMES
TAP_MIN_HEARTBEAT_INTERVAL (default: 30)
    Maximum time the S-TAP attempts to write to the primary Guardium system buffer before attempting to write to the secondary Guardium buffer. Default is 30 sec, meaning it tries to write at least 5*60/30 times before failover by default (using also TAP_MIN_TIME_BEFOREFAILOVER).
TAP_MIN_TIME_BEFOREFAILOVER (default: 5)
    The time interval, in minutes, after which the S-TAP switches to the secondary Guardium system if it cannot connect to its primary Guardium system, or if it can connect to its primary Guardium system but cannot write to its buffer.
TCP_BUFFER_SIZE (default: 60000)
    Advanced. Minimum number of bytes to collect before sending a message to the Guardium system.
TIME_NETWORK (default: 0)
    Advanced. Used for debug only.
WEB_SERVER_CONNECTIONS (default: 1)
    Maximum number of DB connections by .net app.
WEB_SERVER_INSTALLED (default: 0)
    Deprecated. Formerly used to enable IIS tap.
WEB_SERVER_PORT (default: 9000)
    Port for the web server.
GUARDIUM_CA_PATH (default: NULL)
    Location of the Certificate Authority certificate.
SQLGUARD_CERT_CN (default: NULL)
    The common name to expect from the Sqlguard certificate.
GUARDIUM_CRL_PATH (default: NULL)
    The path to the Certificate Revocation List file or directory.
TAP_FAILOVER_SESSION_QUIESCE (default: 240)
    The number of seconds after failover when unused sessions in the failover list from the previous active servers can be removed from the current active server.
TAP_FAILOVER_SESSION_SIZE (default: 8192)
    Size, in MB, of the failover session list. 0=no failover sessions are saved.
DB_IGNORE_RESPONSE
    Ignore responses at inspection level. Use this function to ignore all database responses at the S-TAP level, without sending anything to the Guardium system. In environments where only the client transactions are of interest, this saves bandwidth and processing time for the S-TAP and the Guardium system, and gives an easier configuration for ignoring unwanted responses from the database without loading the network. Database types can be listed comma-separated, or ALL can be specified to ignore responses from all types of databases, for example DB_IGNORE_RESPONSE=ALL or DB_IGNORE_RESPONSE=MSSQL,DB2. Supported DB types: ALL, MSSQL_NP, MSSQL, MYSQL, TRD, PGRS, MSSYB, ORACLE, DB2, DB2_EXIT, INFORMIX, KERBEROS, FTP, CIFS.
DB_IGNORE_RESPONSE_FILTER (default: 0.0.0.0/0.0.0.0)
    Comma-separated list of IP/MASKs to be response-ignored. Any DB responses of the type specified by DB_IGNORE_RESPONSE to the specified IP/MASKs are ignored. NULL: no filtering of responses. 0.0.0.0/0.0.0.0: all IPs are filtered.
DB_IGNORE_RESPONSE_LOCAL (default: 1)
    Filtering of local DB responses: 0=no, 1=yes. Note: TCP traffic is not considered local traffic for this parameter.
DB_IGNORE_RESPONSE_BYPASS_BYTES (default: 65535)
    DB_IGNORE_RESPONSE starts when the bypass bytes are reached.
DB_IGNORE_RESPONSE_RESETS_PER_REQUEST (default: 1)
    Reset DB_IGNORE_RESPONSE_BYPASS_BYTES on each request.
FAM_ENABLE (GIM: WSTAP_FAM_ENABLED; default: 0)
    Global enable/disable for the FAM monitor (crawler). 0: disabled, 1: enabled. This parameter is persistent upon upgrade.
UPLOAD_FEATURE (default: 1)
    Controls uploading of all log files from Program Files\IBM\Windows S-TAP\Logs onto the collector.

Parent topic:Windows: Editing the S-TAP configuration parameters

Windows: Inspection engine parameters
These parameters affect the behavior of the inspection engine that the S-TAP uses
to monitor a data repository on a Windows server.
These parameters are stored in the individual [DB_<name>] inspection engine
section of the S-TAP properties file, with the name of a data repository. There can
be multiple sections in a properties file, each describing one inspection engine used
by this S-TAP.

Each entry gives the guard_tap.ini parameter, its GUI label and default value where they exist, followed by the description.

DB_TYPE (GUI: Protocol)
    The type of data repository being monitored.
INSTANCE_NAME (GUI: Instance Name; default: MSSQLSERVER)
    The name of the database instance on this server. Required for MS SQL Server using encryption, MS SQL Server using Kerberos authentication, DB2 Exit traffic collection, and DB2 SHM traffic.
PORT_RANGE_START (GUI: Port range)
    Starting port of the range specific to the database instance. Together with the ending port (PORT_RANGE_END, also referred to as TAP_DB_PORT_MAX) it defines the range of ports monitored for this database instance. There is usually only a single port in the range. For a Kerberos inspection engine, set the start and end values to 88-88. If a range is used, do not include extra ports in the range, as this could result in excessive resource consumption while the S-TAP attempts to analyze unwanted traffic.
PORT_RANGE_END (GUI: Port range)
    Ending port of the range specific to the database instance.
NAMED_PIPE (GUI: Named Pipe; default: sql\query,sqllocal,\MSSQLSERVER)
    Specifies the named pipe used by MS SQL Server for local access. If a named pipe is used but nothing is specified in this parameter, the S-TAP attempts to retrieve the named pipe name from the registry.
NETWORKS (GUI: Client Ip/Mask)
    Identifies the clients to be monitored, using a list of addresses in IP address/mask format: n.n.n.n/m.m.m.m. If an improper IP address/mask is entered, the S-TAP does not start. Valid values: null=select all clients; 127.0.0.1/255.255.255.255=local traffic only. Client Ip/Mask (NETWORKS) and Exclude Client Ip/Mask (EXCLUDE_NETWORKS) cannot be specified simultaneously. If the IP address is the same as the IP address of the database server, and a mask of 255.255.255.255 is used, only local traffic is monitored. An address/mask value of 1.1.1.1/0.0.0.0 monitors all clients.
EXCLUDE_NETWORKS (GUI: Exclude Client Ip/Mask)
    A list of client IP addresses and corresponding masks that are excluded from monitoring. This option allows you to configure the S-TAP to monitor all clients except for a certain client or subnet (or a collection of these). Client Ip/Mask (NETWORKS) and Exclude Client Ip/Mask (EXCLUDE_NETWORKS) cannot be specified simultaneously.
TAP_DB_PROCESS_NAMES (GUI: Process Name)
    Database service executables to be monitored. For example, a DB2 inspection engine would use TAP_DB_PROCESS_NAMES=DB2SYSCS.EXE. For Oracle or MS SQL Server, used only when named pipes are used. For Oracle, the list has two entries: oracle.exe,tnslsnr.exe. For MS SQL Server, the list is just one entry: sqlservr.exe.
PRIORITY_COUNT (default: 20)
    At session creation, the first PRIORITY_COUNT packets are marked with a high priority flag and are transferred to a special high priority queue on the collector. Valid range 0 (disabled) to 50.
TAP_IDENTIFIER (GUI: Identifier; default: NULL)
    Optional. Used to distinguish inspection engines from one another. If you do not provide a value for this field, Guardium auto-populates it with a unique name using the database type and GUI display sequence number.

These additional parameters are used with IBM DB2 databases.
Table 1. Additional S-TAP configuration parameters for a DB2 inspection engine
Each entry gives the guard_tap.ini parameter, its GUI label and default value where they exist, followed by the description.

DB2_FIX_PACK_ADJUSTMENT (GUI: DB2 Shared Mem. Adjust.; default: 80)
    Required when DB2 is selected as the database type and shared memory connections are monitored. The offset to the server's portion of the shared memory area, that is, to the beginning of the DB2 shared memory packet. It depends on the DB2 version: 32 in pre-8.2.1, and 80 in 8.2.1 and higher.
DB2_LOG_SIZE
    Advanced. The maximum file size, in MB, that the functional DLL can keep buffered before it starts throwing away log entries.
DB2_CLIENT_OFFSET (GUI: DB2 Sh. Mem. Client Pos.; default: 61440)
    The offset to the client's portion of the shared memory area. Required when DB2 is selected as the database type and shared memory connections are monitored. The value is the DB2 database manager configuration value ASLHEAPSZ multiplied by 4096. To get ASLHEAPSZ, run the DB2 command db2 get dbm cfg and look for the value of ASLHEAPSZ. It is typically 15, which yields the 61440 default; if it is not 15, multiply the value by 4096 to get the appropriate client offset.
DB2_SHMEM_SIZE (GUI: DB2 Shared Mem. Size; default: 131072)
    DB2 shared memory segment size. Required when DB2 is selected as the database type and shared memory connections are monitored.
Parent topic:Windows: Editing the S-TAP configuration parameters
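A validator for one [DB_<name>] section, added as an example that is not part of the Guardium documentation or product. It applies the rules in the tables above (IP/mask syntax of NETWORKS and EXCLUDE_NETWORKS and their mutual exclusion, the port range and the Kerberos 88-88 rule, the PRIORITY_COUNT range, and DB2_CLIENT_OFFSET = ASLHEAPSZ * 4096) together with the DB2 Exit instance-name rule from Windows: Using DB2 exit library. The sample sections and the "wider than 10 ports" threshold are this example's own choices.

```python
"""Validator for a [DB_<name>] inspection engine section of guard_tap.ini.
Added example, not Guardium's own validation; the rules come from the
Windows S-TAP parameter tables and the DB2 Exit procedure."""
import ipaddress

WIDE_RANGE = 10   # ports; this example's threshold, not a documented limit


def parse_ip_masks(value):
    """Parse the n.n.n.n/m.m.m.m[,...] list used by NETWORKS and
    EXCLUDE_NETWORKS. A malformed entry raises ValueError, which is the
    condition under which the S-TAP refuses to start."""
    networks = []
    for item in filter(None, (part.strip() for part in value.split(","))):
        address, sep, mask = item.partition("/")
        if not sep:
            raise ValueError("missing /mask in %r" % item)
        # strict=False accepts a host address with its mask, e.g. 1.1.1.1/0.0.0.0
        networks.append(ipaddress.IPv4Network((address, mask), strict=False))
    return networks


def instance_name_from_service(service_name):
    """DB2 Exit: INSTANCE_NAME is what follows the second ' - ' delimiter of
    the Windows service name. Splitting on a bare '-' would break names
    such as DB2-01-0, so split on the spaced delimiter only."""
    parts = service_name.split(" - ", 2)
    if len(parts) != 3:
        raise ValueError("expected 'DB2 - <copy> - <instance>', got %r" % service_name)
    return parts[2]


def db2_client_offset(aslheapsz):
    """DB2_CLIENT_OFFSET for DB2 shared memory monitoring: ASLHEAPSZ from
    'db2 get dbm cfg' times 4096 (ASLHEAPSZ=15 gives the 61440 default)."""
    return aslheapsz * 4096


def check_engine(section, aslheapsz=None):
    """section: {PARAMETER: value} of one [DB_<name>] section, keys upper-case.
    aslheapsz: optional DB2 configuration value to cross-check the offset.
    Returns the list of problems found (empty when the section passes)."""
    problems = []
    db_type = section.get("DB_TYPE", "").upper()

    if "NETWORKS" in section and "EXCLUDE_NETWORKS" in section:
        problems.append("NETWORKS and EXCLUDE_NETWORKS cannot both be set")
    for key in ("NETWORKS", "EXCLUDE_NETWORKS"):
        if section.get(key):
            try:
                parse_ip_masks(section[key])
            except ValueError as exc:
                problems.append("%s: %s" % (key, exc))

    start, end = section.get("PORT_RANGE_START"), section.get("PORT_RANGE_END")
    if start and end:
        try:
            low, high = int(start), int(end)
        except ValueError:
            problems.append("PORT_RANGE_START/PORT_RANGE_END must be integers")
        else:
            if low > high:
                problems.append("PORT_RANGE_START is greater than PORT_RANGE_END")
            elif db_type == "KERBEROS" and (low, high) != (88, 88):
                problems.append("a Kerberos engine must use the range 88-88")
            elif high - low > WIDE_RANGE:
                problems.append("range %d-%d includes ports the S-TAP would analyze needlessly"
                                % (low, high))

    if db_type == "DB2_EXIT" and not section.get("INSTANCE_NAME"):
        problems.append("INSTANCE_NAME (from the DB2 service name) is required for DB2_EXIT")

    if "PRIORITY_COUNT" in section and not 0 <= int(section["PRIORITY_COUNT"]) <= 50:
        problems.append("PRIORITY_COUNT must be between 0 (disabled) and 50")

    if aslheapsz is not None and "DB2_CLIENT_OFFSET" in section:
        expected = db2_client_offset(aslheapsz)
        if int(section["DB2_CLIENT_OFFSET"]) != expected:
            problems.append("DB2_CLIENT_OFFSET should be %d for ASLHEAPSZ=%d"
                            % (expected, aslheapsz))
    return problems


# Constructed sample sections (not from a real deployment).
MSSQL_ENGINE = {"DB_TYPE": "MSSQL", "INSTANCE_NAME": "MSSQLSERVER",
                "PORT_RANGE_START": "1433", "PORT_RANGE_END": "1433",
                "NETWORKS": "10.20.0.0/255.255.0.0,127.0.0.1/255.255.255.255",
                "PRIORITY_COUNT": "20"}
BROKEN_ENGINE = {"DB_TYPE": "DB2_EXIT",
                 "PORT_RANGE_START": "50000", "PORT_RANGE_END": "49999",
                 "NETWORKS": "10.20.0.0/255.255.0.0",
                 "EXCLUDE_NETWORKS": "10.20.5.7/255.255.255.256"}

if __name__ == "__main__":
    for name, engine in (("MSSQL_ENGINE", MSSQL_ENGINE), ("BROKEN_ENGINE", BROKEN_ENGINE)):
        print(name, check_engine(engine) or "OK")
    print(check_engine({"DB_TYPE": "DB2", "DB2_CLIENT_OFFSET": "61440"}, aslheapsz=20))
```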

Windows: Firewall parameters
These parameters affect the behavior of the S-TAP with respect to the firewall.
These parameters are stored in the [TAP] section of the S-TAP properties file.
CAUTION:
These are advanced parameters and are usually modified by IBM Technical Support
only.

Each entry gives the guard_tap.ini parameter, its GIM parameter and default value, followed by the description.

FIREWALL_INSTALLED (GIM: WSTAP_FIREWALL_INSTALLED; default: 0)
    Firewall feature enabled. 1=yes, 0=no.
FIREWALL_TIMEOUT (GIM: WSTAP_FIREWALL_TIMEOUT; default: 2)
    Time, in seconds, to wait for a verdict from the Guardium system. If the firewall times out, the FIREWALL_FAIL_CLOSE value determines whether the connection is blocked or allowed. The value can be any integer value.
FIREWALL_FAIL_CLOSE (GIM: WSTAP_FAIL_CLOSE; default: 0)
    If the verdict does not come back from the Guardium system and FIREWALL_TIMEOUT expires: if FIREWALL_FAIL_CLOSE=0 the connection goes through; if FIREWALL_FAIL_CLOSE=1 the connection is blocked.
FIREWALL_DEFAULT_STATE (GIM: WSTAP_DEFAULT_STATE; default: 0)
    0=The firewall is activated per session when triggered by a rule in the installed policy. This option should only be used when absolutely necessary.
    1=All traffic is watched for firewall policy violations.
    2=All traffic is watched for firewall policy violations for the initial PRIORITY_COUNT packets. The S-TAP watches the initial part of every new session to your DB. This is useful when you have session-based policies, firewall rules based on the user, or some other information that is passed early in the session. It limits the impact of the firewall on performance: instead of watching every bit of the session (FIREWALL_DEFAULT_STATE=1) and waiting for an UNWATCH verdict, the S-TAP simply unwatches automatically if no WATCH or DROP is sent.
    Restart the S-TAP after changing this parameter.
FIREWALL_FORCE_WATCH (GIM: WSTAP_FORCE_WATCH; default: NULL)
    When the firewall feature is enabled and FIREWALL_DEFAULT_STATE is 0, the session is watched automatically when its client IP matches one of this list of IP/MASK values. The list is comma-separated, for example 1.1.1.1/1.1.1.1,2.2.2.2/2.2.2.2
FIREWALL_FORCE_UNWATCH (GIM: WSTAP_FORCE_UNWATCH; default: NULL)
    When the firewall feature is enabled and FIREWALL_DEFAULT_STATE is 1, the session is unwatched automatically when its client IP matches one of this list of IP/MASK values. The list is comma-separated, for example 1.1.1.1/1.1.1.1,2.2.2.2/2.2.2.2
Parent topic:Windows: Editing the S-TAP configuration parameters

Windows: Query rewrite parameters
The query rewrite parameters affect the behavior of the S-TAP with respect to
query rewrite (Dynamic Data Masking for Databases).
These parameters are stored in the [TAP] section of the S-TAP properties file.
CAUTION:
These are advanced parameters and are usually modified by IBM Technical Support
only.

Each entry gives the guard_tap.ini parameter, its GIM parameter and default value, followed by the description.

QUERY_REWRITE_INSTALLED (GIM: WINSTAP_QRW_INSTALLED; default: 0)
    Enables or disables the Dynamic Data Masking for Databases feature. When set to 0, all other parameters in this group are ignored. 0=No, 1=Yes.
QUERY_REWRITE_DEFAULT_STATE (GIM: WINSTAP_QRW_DEFAULT_STATE; default: 0)
    Sets the query rewrite activation trigger. Must be 0 if FIREWALL_DEFAULT_STATE=1.
    0=QRW activated per session when triggered by a rule in the installed policy.
    1=QRW activated for every session regardless of the installed policy.
    2=All traffic is watched by default for QRW policy violations, but if no event triggers the watch in the first PRIORITY_COUNT packets, query rewrite is turned off for the session. When set to 2, the QRW operation can be modified by the commands Watch, Drop, Watch & Drop and Unwatch. When a Watch command is received while state 2 is in effect, it changes the state from 2 to 1 so that the connection is permanently subject to firewall or query rewrite operations. When a Drop or Watch & Drop is received, the connection is immediately terminated. When an Unwatch command is received while state 2 is in effect, it changes the state from 2 to 0 so the connection is no longer subject to firewall or query rewrite operations.
    Restart the S-TAP after changing this parameter.
QUERY_REWRITE_FORCE_WATCH (GIM: WINSTAP_QRW_FORCE_WATCH; default: NULL)
    Comma-separated list of client IP/MASKs (for example, 1.1.1.1/1.1.1.1,2.2.2.2/2.2.2.2) to watch automatically. Valid when QUERY_REWRITE_INSTALLED is 1 and QUERY_REWRITE_DEFAULT_STATE is 0. Cannot be configured to the same IP range as FIREWALL_FORCE_UNWATCH.
QUERY_REWRITE_FORCE_UNWATCH (GIM: WINSTAP_QRW_FORCE_UNWATCH; default: NULL)
    Comma-separated list of client IP/MASKs (for example, 1.1.1.1/1.1.1.1,2.2.2.2/2.2.2.2) to exclude from watching. Valid when QUERY_REWRITE_INSTALLED is 1 and QUERY_REWRITE_DEFAULT_STATE is 1. Cannot be configured to the same IP range as FIREWALL_FORCE_UNWATCH.
QUERY_REWRITE_FAIL_CLOSE (GIM: WINSTAP_QUERY_REWRITE_FAIL_CLOSE; default: 8)
    If the verdict does not come back from the Guardium system and QUERY_REWRITE_TIMEOUT expires: if QUERY_REWRITE_CLOSE=8 the query rewrite operation proceeds; if QUERY_REWRITE_CLOSE=12 the connection is terminated.
QUERY_REWRITE_TIMEOUT (GIM: WINSTAP_QUERY_REWRITE_TIMEOUT; default: 10)
    If the verdict does not come back from the Guardium system and QUERY_REWRITE_TIMEOUT expires: if QUERY_REWRITE_CLOSE=0 the query rewrite operation proceeds; if QUERY_REWRITE_CLOSE=1 the connection is terminated.

Parent topic:Windows: Editing the S-TAP configuration parameters

Windows: Discovery parameters
The discovery parameters define the behavior of the auto-discovery feature, for
discovering database instances and sending the results to the current active S-TAP.

These parameters are stored in the [TAP] section of the S-TAP properties file.
CAUTION:
These are advanced parameters and are usually modified by IBM Technical Support
only.

Each entry gives the guard_tap.ini parameter, its GIM parameter and default value, followed by the description.

DISCOVERY_INTERVAL (GIM: WINSTAP_DISCOVERY_INTERVAL; default: 24)
    The time interval, in hours, at which auto-discovery runs. Set to 0 to disable.

Parent topic:Windows: Editing the S-TAP configuration parameters

Windows: Debug parameters
These parameters affect the behavior of S-TAP debugging.
CAUTION:
These are advanced parameters and are usually modified by IBM Technical Support
only.
These parameters are stored in the [DEBUG_OPTIONS] section of the S-TAP
properties file:

Each entry gives the guard_tap.ini parameter and default value, followed by the description.

DEBUG_BUFFER (default: 1)
    1=log the contents of local packets.
DEBUG_FIREWALL (default: 1)
    1=log firewall events.

These parameters are stored in the [TAP] section of the S-TAP properties file:
Table 1. More S-TAP configuration parameters for debugging

guard_tap.ini Default value Description


DEBUG_MAX_FILE_SIZE 200

93
DEBUGLEVEL 0 Level of debug messages
to store. Leave at 0 unless
directed by IBM Technical
Support.0Only critical error
informationFrom v10.1.4:
Two "startup" debug logs
saved in bin\..\logs.
Filename syntax:
startup_hostname_timesta
mp.new and
startup_hostname_timesta
mp.old. Files from
bin\..\logs get uploaded
automatically if
upload_feature is on.1All
previous messages plus
repeatable critical error
informationFrom v10.1.4:
Two "normal" debug logs
saved in bin\StapBuffer.
Filename syntax:
stap_hostname_timestamp
.new and
stap_hostname_timestamp
.old. Files from
bin\StapBuffer are not
uploaded.2Not used3All
messages from level 1,
plus brief information about
packets sent to a
Guardium system4All
messages from level 3,
plus local sniffing log5All
messages from level 4,
plus network sniffing
log6All messages from
level 5, plus heartbeat
receiving log7All messages
from level 6, plus
miscellaneous debugging
information

94
DUMP_FILE_MODE 0 Enables capture of dump
files if S-TAP crashes.
When the parameter is not
zero, a new dump file is
opened every time the S-
TAP starts; it is empty if
there is no crash.0: no
crash dumps generated 1:
crash dumps generated,
written to the file stap.diag
which is created in the S-
TAP working directory. S-
TAP copies any existing
stap.diag file to a backup
file before overwriting the
stap.diag file.2: time-
stamped crash dumps
generated, written to a file
stap-TIMESTAMP.diag
which is created in the S-
TAP working directory,
where TIMESTAMP
identifies when the crash
dump was generated. If
you have issues with
crashes, use this option to
capture all dumps, not just
the most recent one. The
timestamp will also help
with debugging. This
option uses more
diskspace, however.

95
DEBUG_FILE_MODE
  Location of the S-TAP debug file. Default is <install folder>/StapBuffer/stap.txt.
  v10.1.4 and higher: if debuglevel > 0, then the log from the previous S-TAP session (if it exists) is saved as %STAP_DIR%\Bin\StapBuffer\stap_%HOSTNAME%%YY-MM-DD%%HHMMDD%.old and the new log is created as %STAP_DIR%\Bin\StapBuffer\stap_%HOSTNAME%%YY-MM-DD%%HHMMDD%.new. In addition, start-up logs containing just messages related to S-TAP start-up are always generated in %STAP_DIR%\Logs: startup_%HOSTNAME%%YY-MM-DD%%HHMMDD%.old and startup_%HOSTNAME%%YY-MM-DD%%HHMMDD%.new.

STACK_TRACE_FILE_MODE
  Similar to DUMP_FILE_MODE.

KERNEL_DEBUG_LEVEL
  Default value: 0

SYSLOG_MESSAGES
  Default value: 1
  1 = send messages to the Windows Event Viewer. 0 = do not send messages.

WER_DUMP
  Default value: 1

WER_DUMP_FOLDER
  Default value: none
  If the parameter is not set, the following value is used. If the S-TAP installation folder is rooted anywhere but C:\Program Files (x86)\..., the WER dump folder is set to the full path ending in ...\Windows S-TAP\Bin\..\Logs. If the S-TAP installation folder contains the text "(x86)", the dump folder is set to C:\Guardium\Dumps, and that path is created by the S-TAP process.
  For example, if Windows S-TAP is installed to C:\PROGRAM FILES\IBM\WINDOWS S-TAP and uses the default values for WER_DUMP_FOLDER and WER_DUMP_COUNT, Windows S-TAP applies the following registry settings, and a crash dump is generated through the Windows Error Reporting (WER) facility when it crashes:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\guardium_stapr.exe
      DumpCount   REG_DWORD      0x1
      DumpFolder  REG_EXPAND_SZ  C:\PROGRAM FILES\IBM\WINDOWS S-TAP\Bin\..\LOGS\
      DumpType    REG_DWORD      0x2

WER_DUMP_COUNT
  Default value: 1
  Maximum value is 5.
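The defaulting rule for WER_DUMP_FOLDER and the advice to keep DEBUGLEVEL at 0 are easy to lose track of when guard_tap.ini is edited by hand or pushed through GIM. The following Python script is an added example, not IBM code: it parses a constructed [TAP] section, resolves the WER dump folder the way the table above describes, lists the LocalDumps registry values S-TAP is documented to apply (so they can be compared with what is really in the registry), and reports settings a reviewer would question. The sample ini text, the install path and the finding messages are this example's own; treating DumpType as fixed at 0x2 and WER_DUMP_COUNT as capped at 5 are assumptions drawn from the table, not behaviour the page states.

```python
import configparser
import ntpath

# Constructed sample [TAP] section with a few deliberately questionable settings.
SAMPLE_INI = """
[TAP]
tap_ip=10.0.0.5
sqlguard_ip=10.0.0.100
debuglevel=4
dump_file_mode=2
wer_dump=1
wer_dump_count=9
wer_dump_folder=
"""

DEBUG_LEVELS = {0, 1, 3, 4, 5, 6, 7}   # documented levels; 2 is not used


def load_tap_section(ini_text):
    """Parse the [TAP] section into an upper-cased dict (guard_tap.ini keys
    are not case sensitive)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    return {k.upper(): v.strip() for k, v in cp["TAP"].items()}


def effective_wer_dump_folder(install_dir, configured=""):
    """Resolve WER_DUMP_FOLDER as the table describes: an explicit value wins;
    otherwise an install path containing "(x86)" dumps to C:\\Guardium\\Dumps
    and any other install path to <install>\\Bin\\..\\Logs."""
    if configured:
        return configured
    if "(x86)" in install_dir:
        return r"C:\Guardium\Dumps"
    return ntpath.join(install_dir, "Bin", "..", "Logs")


def expected_localdumps(install_dir, tap):
    """The HKLM\\...\\LocalDumps\\guardium_stapr.exe values S-TAP is documented
    to apply. Assumptions of this example: DumpType stays 0x2 as in the page's
    registry listing, and a count above 5 is capped at the documented maximum."""
    count = int(tap.get("WER_DUMP_COUNT") or 1)
    return {
        "DumpCount": min(count, 5),
        "DumpFolder": effective_wer_dump_folder(install_dir, tap.get("WER_DUMP_FOLDER", "")),
        "DumpType": 2,
    }


def audit(ini_text, install_dir):
    """Return review findings for the debug-related [TAP] parameters."""
    tap = load_tap_section(ini_text)
    findings = []
    level = int(tap.get("DEBUGLEVEL") or 0)
    if level not in DEBUG_LEVELS:
        findings.append(f"DEBUGLEVEL={level} is not a documented level (0-7, 2 unused)")
    elif level > 0:
        findings.append(f"DEBUGLEVEL={level}: keep at 0 unless IBM Technical Support asks; "
                        "levels 4 and above write sniffing logs under Bin\\StapBuffer")
    if int(tap.get("DUMP_FILE_MODE") or 0) == 2:
        findings.append("DUMP_FILE_MODE=2 keeps every timestamped stap-*.diag; watch disk space")
    if int(tap.get("WER_DUMP_COUNT") or 1) > 5:
        findings.append("WER_DUMP_COUNT exceeds the documented maximum of 5")
    return findings


if __name__ == "__main__":
    install = r"C:\PROGRAM FILES\IBM\WINDOWS S-TAP"
    for line in audit(SAMPLE_INI, install):
        print("finding:", line)
    print(expected_localdumps(install, load_tap_section(SAMPLE_INI)))
```

Point audit() at the real guard_tap.ini text and the real install folder; the registry triple it prints is what to compare with reg query on the database server.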

Parent topic:Windows: Editing the S-TAP configuration parameters

Windows: Configuration Auditing System (CAS) parameters
These parameters affect the behavior of CAS.

Each entry gives the guard_tap.ini parameter, its default value, and a description.

CAS_SERVER_PORT
  Default value: 16017
  The port for communication with the CAS agent: 16017 for unencrypted, 16019 for encrypted.

Parent topic:Windows: Editing the S-TAP configuration parameters

Windows: Driver parameters
These parameters affect the behavior of several drivers with which the S-TAP
interacts.
CAUTION:
These are advanced parameters and are usually modified by IBM Technical Support
only.

Each entry gives the guard_tap.ini parameter, its default value, and a description.

WFP_DRIVER_INSTALLED
  Default value: 1
  Deprecated in v10.5.

TCP_DRIVER_INSTALLED
  Default value: 1
  Use the TCP driver.

ORA_DRIVER_INSTALLED
  Default value: 1
  Set to 1 for sniffing Oracle ASO and SSL traffic.

ORA_DRIVER_LEVEL
  Default value: 0
  Advanced. Used for thread prioritization.

NAMED_PIPES_DRIVER_INSTALLED
  Default value: 1
  Set to 1 for local named pipes sniffing.

NAMED_PIPES_DRIVER_LEVEL
  Default value: 0
  Advanced. Used for thread prioritization.

SHARED_MEMORY_DRIVER_LEVEL
  Default value: 0
  Advanced. Used for thread prioritization.

KRB_MSSQL_DRIVER_INSTALLED
  Default value: 2
  Deprecated from v10.1.4. It appears in the guard_tap.ini file but does not affect the configuration. This parameter was used to decrypt MSSQL SSL and Kerberos encrypted traffic. Set to 1 or 2 to collect MSSQL encrypted traffic and Kerberos tickets. If set to 1, when S-TAP starts it pre-collects usernames correlated with SIDs, collecting them for the number of seconds defined in krb_mssql_driver_user_collect_time. When set to 2, the pre-collection is not done and the usernames are correlated at run time.

KRB_MSSQL_DRIVER_LEVEL
  Default value: 0
  Deprecated from v10.1.4.

KRB_MSSQL_DRIVER_NONBLOCKING
  Default value: 0
  Deprecated from v10.1.4. It appears in the guard_tap.ini file but does not affect the configuration.

KRB_MSSQL_DRIVER_USER_COLLECT_TIME
  Default value: 30
  Deprecated from v10.1.4. Use the Correlation driver introduced in 10.1.

CORRELATION_TIMEOUT
  Default value: 5
  The number of seconds the WFP and NMP sniffers wait for correlation to occur before giving up and resuming the flow of traffic to the appliance.

Parent topic:Windows: Editing the S-TAP configuration parameters

Windows: S-TAP operation and performance

- Windows: Stopping S-TAP using GIM
With GIM, you can stop S-TAP without logging into the database server.
- Windows: Starting S-TAP using GIM
With GIM, you can start S-TAP without logging into the database server.
- Windows: Starting S-TAP without GIM
Learn to start S-TAP from the database server.
- Windows: Stopping S-TAP without GIM
Learn to stop S-TAP from the database server.
- Windows: Monitoring S-TAP in the GUI
Use these standard reports and views to monitor your STAP status in the GUI.
- Windows: S-TAP statistics
The S-TAP statistics are stored in the database table STAP_Statistic on the
collector. This table stores the statistics sent by the S-TAP to the sniffer.
- Windows: Monitoring with the Guardium Agent Monitor
The Guardium Agent Monitor (GAM) process monitors Guardium agent
performance and responsiveness. It is good for detailed analysis during
troubleshooting.
- Windows: Troubleshooting S-TAP problems
You can use the S-TAP Status monitor tab of the System View to begin
investigating any problems. Sometimes you might need to use other tools,
particularly if you are monitoring databases for which the inspection engines
cannot be verified.
Parent topic:Windows: S-TAP user's guide

Windows: Stopping S-TAP using GIM
With GIM, you can stop S-TAP without logging into the database server.
About this task
Use the following steps to change the WINSTAP_ENABLED parameter and
schedule the S-TAP shutdown on the database server.

Procedure
1. Navigate to Manage > Module Installation > Set up by Client.
2. In the Choose clients section, select the database servers whose S-TAPs you
want to stop. Select individual clients using check boxes in the table, or use the
Select client group menu to select a group of clients. Click Next to continue.
3. In the Choose bundle section, select your S-TAP bundle. Click Next. After
selecting a software bundle, the Selected bundle action column indicates the
action that will be performed for each client. You can stop the S-TAPs that have
the status Update parameters.
4. In the Choose parameters section, type WINSTAP_ENABLED and type in the value
0. Click Next.
5. In the Configure clients section, use the table to review the changes you want to
make.
6. Click Install.
7. Click OK to stop the S-TAP now, or use the icon to schedule the stop time,
then click OK.

Parent topic:Windows: S-TAP operation and performance

Windows: Starting S-TAP using GIM
With GIM, you can start S-TAP without logging into the database server.
About this task
Use the following steps to change the WINSTAP_ENABLED parameter and
schedule the S-TAP startup on the database server.

Procedure
1. Navigate to Manage > Module Installation > Set up by Client.
2. In the Choose clients section, select the database servers whose S-TAPs you
want to start. Select individual clients using check boxes in the table, or use the
Select client group menu to select a group of clients. Click Next to continue.
3. In the Choose bundle section, select your S-TAP bundle. Click Next. After
selecting a software bundle, the Selected bundle action column indicates the
action that will be performed for each client. You can start the S-TAPs that have
the status Update parameters.
4. In the Choose parameters section, type WINSTAP_ENABLED and type in the value
1. Click Next.
5. In the Configure clients section, use the table to review the changes you want to
make.
6. Click Install.
7. Click OK to start the S-TAP now, or use the icon to schedule the start time,
then click OK.

Parent topic:Windows: S-TAP operation and performance

Windows: Starting S-TAP without GIM
Learn to start S-TAP from the database server.
About this task
Note: When Windows S-TAP encounters a fatal error during start up that is due to
configuration problems (unknown local IP address, more than 1 primary SQL-Guard
defined, etc.) it logs the reason to the Windows event log. In some cases an exit
after a failure may cause a crash and another logged event. This crash should not
cause any concern if it is preceded by the event explaining the reason for the failure.

Procedure
1. Log on to the database server system using a system administrator account.
2. From the Services control panel, start the IBM Security Guardium S-TAP.
3. Log in to the Guardium system to which this S-TAP reports. Verify that the Status
light in the S-TAP control panel is green.

Parent topic:Windows: S-TAP operation and performance

Windows: Stopping S-TAP without GIM
Learn to stop S-TAP from the database server.
Procedure
1. Log on to the database server system using a system administrator account.
2. From the Services control panel, stop the IBM Security Guardium S-TAP.
3. Log in to the UI of the Guardium system to which this S-TAP was reporting, verify
that the Status light in the S-TAP control panel is now red.

Parent topic:Windows: S-TAP operation and performance

Windows: Monitoring S-TAP in the GUI
Use these standard reports and views to monitor your STAP status in the GUI.
You can create alerts that are based on exceptions that are created by S-TAPs, but
other domains that are used by S-TAP reports are system-private and cannot be
accessed by users.
System View
S-TAP Status Monitor in the System Monitor window: For each S-TAP reporting to
this Guardium system, this report identifies the S-TAP Host, S-TAP Version, DB
Server Type, Status (active or inactive), Last Response Received (date and time),
Instance Name, Primary Host Name, and true/false indicators for: MS SQL Server
Shared Memory, DB2® Shared Memory, Win TCP, Local TCP monitoring, Named
Pipes Usage, Encryption, Firewall, DB install Dir, DB port Min and DB Port Max.
Click any line to view the inspection engines that are configured for this S-TAP. The
bread crumbs show where you are; click ALL S-TAPs to return to the list of S-TAPs.
For more details, see Windows: Inspection engine verification.
Note: The DB2 shared memory driver has been superseded by the DB2 Tap
feature.
S-TAP Status Monitor: For each S-TAP reporting to this Guardium system, this
report identifies the S-TAP Host, DB Server Type, S-TAP Version, Status (active or
inactive), Inspection Engine status, Last Response Received (date and time),
Primary Host Name, and true/false indicators for: Firewall and Encrypted. Click the
S-TAP Status and the Inspection Engine status to see the Verification status on all
Inspection Engines.
S-TAP Events: For each S-TAP reporting to this Guardium system, this report
identifies the S-TAP Host, Timestamp, Event type (Success, Error Type, and so on),
and Tap Message.
If no messages display in the S-TAP Events panel, the production of event
messages may have been disabled in the configuration file for that S-TAP®. If this is
the case, you may be able to locate S-TAP event messages on the host system in
the Event Log.

Tap Monitor
Primary Guardium® Host Change Log: Log of primary host changes for S-TAPs.
The primary host is the Guardium system to which the S-TAP sends data. Each line
of the report lists the S-TAP Host, Guardium Host Name, Period Start, and Period
End.
S-TAP Status: Displays status information about each inspection engine that is
defined on each S-TAP Host. This report does not have From and To date
parameters, since it is reporting current status. Each row of the report lists the S-
TAP Host, DB Server Type, Status, Last Response, Primary Host Name, Yes/No
indicators for the following attributes: Shared Memory Driver Installed, DB2 Shared
Memory Driver Installed, Named Pipes Driver Installed, and App Server Installed. In
addition, it lists the Hunter DBS.
Inactive S-TAPs Since: Lists all inactive S-TAPs that are defined on the system. It
has a single runtime parameter: QUERY_FROM_DATE, which is set to now -1 hour
by default. Use this parameter to control how you want to define inactive. This report
contains the same columns of data as the S-TAP Status report, with the addition of
a count for each row of the report.
Parent topic:Windows: S-TAP operation and performance

Windows: S-TAP statistics
The S-TAP statistics are stored in the database table STAP_Statistic on the
collector. This table stores the statistics sent by the S-TAP to the sniffer.
To access, use the GUI. You can create alerts based on results. The interval at
which the S-TAP sends statistic information about the S-TAP to the sniffer is
controlled by the guard_tap.ini parameter: STAP_STATISTIC. Valid values are:
- positive integer for hours
- negative integer for minutes
- 0=do not send
The default is -1 (every minute).
Fields in S-TAP statistics table:
- TIMESTAMP
- SOFTWARE_TAP_HOST
- TOTAL_BYTES_SO_FAR
- BUFFER_RECYCLED
- STAP_BUFFER_USAGE_PERCENT

Parent topic:Windows: S-TAP operation and performance

Windows: Monitoring with the Guardium Agent Monitor
The Guardium Agent Monitor (GAM) process monitors Guardium agent performance
and responsiveness. It is good for detailed analysis during troubleshooting.
Note: The GAM service should be off by default as it requires configuration specific
to the environment in which it is installed. Improper configuration can cause very
serious operational issues. This is a tool to aid in troubleshooting and otherwise is
not required.
Monitoring covers:
- CPU usage
- Memory
- Handles
- Number of threads
- Alive - responsiveness (supported agents only, currently S-TAP is the only
supported agent) (See Responsiveness)
If a monitored agent exceeds a configured threshold, or if it does not respond to the
console request, the following actions can be taken, in any combination:
- Automatically run diag.bat
- Automatically stop/restart the service
- Automatically perform a core dump

Guardium Agent Monitor is installed when S-TAP is installed but is not enabled by
default. When S-TAP is uninstalled, GAM is uninstalled.
Note: Just like S-TAP, GAM requires administrative privileges. When installing, run
with "Run as Administrator" as an administrative user.
The default install location for GAM is the parent folder of S-TAP (C:\Program
Files\IBM\Guardium Agent Monitor\).
The default location for GAM output is the \Bin\ subfolder.
After enabling GAM, make sure the process is running on the database server
(resmon.exe).
- GAM Configuration
- The Guardium Agent Monitor runs with its configuration file, resmon.ini, as its
argument. The monitor is controlled by using the resmon.ini file. See the
example of resmon.ini at the end of this topic. Note that the default values for
all of the parameters are shown in the sample ini.
- Global Configuration
- NUMBER_OF_SERVICES: Number of services being monitored
UPDATE_INTERVAL: The length of the interval between polling metrics, in
seconds
DEBUG: 1 enables the GAM debug log, 0 disables the log
NUMBER_BYTES_IN_LOG: Maximum number of KB for the GAM log
- CPU Threshold Configuration
- CPU_LOAD_LIMIT: Percentage CPU threshold at which either action is taken,
or UPDATE_INTERVAL starts counting occurrences of reaching the threshold
CPU_INTERVALS_ALLOWED: Number of intervals the CPU can be above the
threshold before triggering an action (used in conjunction with
UPDATE_INTERVAL to set a time limit)
UPDATE_INTERVAL: 0 = action is taken when CPU reaches its load limit. 1 =
action is taken when CPU has reached its load limit the number of times
specified by CPU_INTERVALS_ALLOWED
CPUAVE: Defines the type of CPU average. 1 = usage averaged across all
CPU cores (system average), 0 = percentage of the core used by the process.
- Memory Usage, Handle Count and Thread Count Thresholds Configuration
- For these metrics there are two thresholds, limit and peak limit. An action is
triggered when a limit threshold is passed for more intervals than allowed, or
when a peak limit threshold is passed. Metrics refers to CPU, memory, and so
on.
[METRIC]_LIMIT: Lower level threshold. An action is triggered if this limit is
exceeded for more intervals than [METRIC]_INTERVALS_ALLOWED
[METRIC]_INTERVALS_ALLOWED: Number of intervals allowed for the lower
limit threshold before an action is triggered (used with UPDATE_INTERVAL for
time limit)
[METRIC]_PEAK_LIMIT: Upper level threshold. An action is triggered if this
threshold is exceeded once
Note: [METRIC]_INTERVALS_ALLOWED is used in conjunction with
UPDATE_INTERVAL to set a time limit for the threshold. (for example,
UPDATE_INTERVAL=1, CPU_INTERVALS_ALLOWED=10,
CPU_LOAD_LIMIT=10 means an action is triggered if the CPU load is over
10% for over 10 seconds).
- Responsiveness
- NAMEDPIPE_INTERVAL: The interval, in seconds, at which the S-TAP agent
is pinged to verify responsiveness. Set to "0" to disable
- Action Configuration
- The actions that can be triggered are described under Core Dump
Configuration and Diagnostic Configuration. The second and third actions are
only initiated if they are triggered within ACTION_RESET_INTERVALS seconds of
the previous action. If ACTION_RESET_INTERVALS has elapsed with no new
trigger, the next trigger starts a new cycle with FIRST_ACTION.
FIRST_ACTION: 0 = no action. 1 = stop then restart the service. 2 = stop the
service.
SECOND_ACTION: The action initiated the second time there is a trigger within
ACTION_RESET_INTERVALS. 0 = no action. 1 = stop then restart the service. 2 =
stop the service.
THIRD_ACTION: The action initiated the third time there is a trigger within
ACTION_RESET_INTERVALS. 0 = no action. 1 = stop then restart the service. 2 =
stop the service.
ACTION_RESET_INTERVALS: Number of seconds before resetting the actions.
- Core Dump Configuration
- A core dump can be taken every time an action is triggered.
ACTION: 1 = take a core dump whenever an action is triggered; 0 = no core
dump is taken.
MAX_NUM_DUMP: The maximum number of core dumps to be stored in the
dump directory (keeping the latest).
MDTIMEOUT: Core dump timeout time (in milliseconds)
- Diagnostic Configuration
- A diagnostic file can be run whenever an action is triggered. The diag.bat
diagnostic script, found in the same folder as the service's executable path,
runs with the DIAG_PARAMETER parameters.
DIAGACTION: 1 = run the diagnostic script whenever an action is triggered; 0 =
no diagnostic script is run.
DIAGNAME: Name of the diagnostic file to be run (must be in the same folder
as the service executable)
DIAG_PARAMETER: Parameters to be used when running the diagnostic file
- Example of resmon.ini
  ;Semi-colon at the beginning of the line indicates a comment
  ;
  [Global]
  NUMBER_OF_SERVICES=1
  ;Interval for checking thresholds (seconds)
  UPDATE_INTERVAL=1
  ;Enables monitor log
  DEBUG=1
  ;"0" means it won't take minidump for action. "1", it will take minidump
  ACTION=1
  ;The maximum number of dumps stored in the dump directory
  MAX_NUM_DUMP=3
  ;The average CPU time, "0" is percentage of one core, "1" is average percentage of all cores in system
  CPUAVE=1
  ;miniDump timeout in milliseconds
  MDTIMEOUT=1000
  ;Maximum size of the monitor log (in KB)
  NUMBER_BYTES_IN_LOG=200
  ;Configuration for the service
  [Service1]
  Name=GUARDIUM_STAP
  ;Interval to check aliveness (supported agents only), set to "0" to disable
  NAMEDPIPE_INTERVAL=30
  ;Run diagnostic on action, set to "1" to enable
  DIAGACTION=0
  ;Diagnostic file name
  DIAGNAME=diag.bat
  ;Diagnostic parameters. If the parameter has spaces it needs to be enclosed with quotes
  DIAG_PARAMETER=
  ;Percentage of cpu limit
  CPU_LOAD_LIMIT=10
  ;Maximum sequential intervals over CPU_LOAD_LIMIT allowed
  CPU_INTERVALS_ALLOWED=10
  ;Memory limit (KB)
  MEM_USAGE_LIMIT=150000
  MEM_USAGE_PEAK_LIMIT=200000
  MEM_USAGE_INTERVALS_ALLOWED=30
  ;Handle limit
  HANDLE_COUNT_LIMIT=500
  HANDLE_COUNT_PEAK_LIMIT=1000
  HANDLE_COUNT_INTERVALS_ALLOWED=20
  ;Thread limit
  THREAD_COUNT_LIMIT=200
  THREAD_COUNT_PEAK_LIMIT=300
  THREAD_COUNT_INTERVALS_ALLOWED=20
  ;'1' take action, then restart the service
  ;'2' take action, then stop the service without start
  FIRST_ACTION=1
  SECOND_ACTION=1
  THIRD_ACTION=2
  ;Reset interval in seconds
  ACTION_RESET_INTERVALS=60
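Because GAM can stop or restart the S-TAP service on a production database server, it is worth seeing how the limit, peak, interval and action settings interact before enabling it. The following Python simulator is an added example, not IBM's resmon.exe: it replays a constructed sequence of polled metrics through the rules described above, using the sample resmon.ini values. Two points the description leaves open are assumptions made here and marked in the code: a metric's interval counter restarts after it triggers, and escalation stays at THIRD_ACTION until ACTION_RESET_INTERVALS elapses without a trigger.

```python
import configparser

ACTION_NAMES = {0: "none", 1: "restart service", 2: "stop service"}

# Constructed resmon.ini with the page's sample values (only the keys read here).
SAMPLE_RESMON_INI = """
[Global]
UPDATE_INTERVAL=1
ACTION=1
[Service1]
Name=GUARDIUM_STAP
CPU_LOAD_LIMIT=10
CPU_INTERVALS_ALLOWED=10
MEM_USAGE_LIMIT=150000
MEM_USAGE_PEAK_LIMIT=200000
MEM_USAGE_INTERVALS_ALLOWED=30
HANDLE_COUNT_LIMIT=500
HANDLE_COUNT_PEAK_LIMIT=1000
HANDLE_COUNT_INTERVALS_ALLOWED=20
THREAD_COUNT_LIMIT=200
THREAD_COUNT_PEAK_LIMIT=300
THREAD_COUNT_INTERVALS_ALLOWED=20
FIRST_ACTION=1
SECOND_ACTION=1
THIRD_ACTION=2
ACTION_RESET_INTERVALS=60
"""

# metric -> (limit key, peak key or None for CPU, intervals-allowed key)
METRIC_KEYS = {
    "cpu": ("CPU_LOAD_LIMIT", None, "CPU_INTERVALS_ALLOWED"),
    "mem": ("MEM_USAGE_LIMIT", "MEM_USAGE_PEAK_LIMIT", "MEM_USAGE_INTERVALS_ALLOWED"),
    "handles": ("HANDLE_COUNT_LIMIT", "HANDLE_COUNT_PEAK_LIMIT", "HANDLE_COUNT_INTERVALS_ALLOWED"),
    "threads": ("THREAD_COUNT_LIMIT", "THREAD_COUNT_PEAK_LIMIT", "THREAD_COUNT_INTERVALS_ALLOWED"),
}


class GamSimulator:
    """Applies the documented threshold and escalation rules to polled values."""

    def __init__(self, ini_text):
        cp = configparser.ConfigParser(interpolation=None)
        cp.read_string(ini_text)
        g, s = cp["Global"], cp["Service1"]
        self.interval = int(g["UPDATE_INTERVAL"])            # seconds between polls
        self.take_dump = g.get("ACTION", "0") == "1"         # minidump with every action
        self.reset_after = int(s["ACTION_RESET_INTERVALS"])
        self.actions = [int(s["FIRST_ACTION"]), int(s["SECOND_ACTION"]), int(s["THIRD_ACTION"])]
        self.rules = {m: (int(s[lim]), int(s[peak]) if peak else None, int(s[allowed]))
                      for m, (lim, peak, allowed) in METRIC_KEYS.items()}
        self.over = dict.fromkeys(METRIC_KEYS, 0)           # consecutive polls over limit
        self.now = 0
        self.stage = -1
        self.last_action_at = None

    def sample(self, **values):
        """Feed one poll (cpu=%, mem=KB, handles=, threads=). Returns the action
        record for this poll, or None when no rule fired."""
        self.now += self.interval
        reasons = []
        for m, (limit, peak, allowed) in self.rules.items():
            v = values[m]
            if peak is not None and v > peak:                # peak: fires on a single poll
                reasons.append(f"{m} peak {v} > {peak}")
                self.over[m] = 0
            elif v > limit:                                  # limit: needs > allowed polls
                self.over[m] += 1
                if self.over[m] > allowed:
                    reasons.append(f"{m} {v} > {limit} for {self.over[m]} polls")
                    self.over[m] = 0                         # assumption: counter restarts
            else:
                self.over[m] = 0
        return self._escalate(reasons) if reasons else None

    def _escalate(self, reasons):
        in_window = (self.last_action_at is not None
                     and self.now - self.last_action_at <= self.reset_after)
        self.stage = min(self.stage + 1, 2) if in_window else 0   # assumption: stays at third
        self.last_action_at = self.now
        return {"t": self.now, "stage": self.stage + 1, "reasons": reasons,
                "action": ACTION_NAMES[self.actions[self.stage]], "dump": self.take_dump}


def demo():
    """Constructed scenario: CPU pinned, two memory peaks, a quiet spell, a handle peak."""
    sim = GamSimulator(SAMPLE_RESMON_INI)
    normal = dict(cpu=3, mem=120000, handles=300, threads=150)
    events = []
    for _ in range(11):                                      # 11th poll exceeds the 10 allowed
        e = sim.sample(**{**normal, "cpu": 50})
        if e:
            events.append(e)
    events.append(sim.sample(**{**normal, "mem": 250000}))   # peak inside the 60 s window
    events.append(sim.sample(**{**normal, "mem": 250000}))   # third trigger -> stop service
    for _ in range(61):                                      # longer than ACTION_RESET_INTERVALS
        sim.sample(**normal)
    events.append(sim.sample(**{**normal, "handles": 1500}))  # new cycle -> FIRST_ACTION
    return events


if __name__ == "__main__":
    for e in demo():
        print(f"t={e['t']:>3}s stage {e['stage']}: {e['action']} dump={e['dump']} {e['reasons']}")
```

With the sample values, a sustained 50% CPU load is tolerated for exactly CPU_INTERVALS_ALLOWED polls, the two memory peaks escalate through SECOND_ACTION to THIRD_ACTION (stop without restart), and only after a full reset interval does a new trigger fall back to FIRST_ACTION. Replace SAMPLE_RESMON_INI with the real file to check a candidate configuration.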

Parent topic:Windows: S-TAP operation and performance

Windows: Troubleshooting S-TAP problems
You can use the S-TAP Status monitor tab of the System View to begin investigating
any problems. Sometimes you might need to use other tools, particularly if you are
monitoring databases for which the inspection engines cannot be verified.
- If an S-TAP is not connected to your Guardium system
- Check that the IBM Security Guardium S-TAP service is running on the
database server.
- How can I find the S-TAP version?
- From the GUI, the S-TAP® version number is displayed in Manage > System
View > S-TAP Status Monitor
- Alternatively, you can display the S-TAP version number from the command
line of the database server.
- Run debug from the command line to quickly identify configuration issues
- Turn on debug from the GIM GUI or the command line. See debug levels in
Windows: Debug parameters.
- Verify the connection between the database server and the Guardium system
- Verify that you can ping the Guardium system at sqlguard_ip from the
database server.
- If the ping is successful, verify that you can telnet to the following ports on the
Guardium system: 16016/16018
- If there is a firewall between the database server and the Guardium system
- Verify that the following ports are open for traffic between these two systems:
TCP Port 16016 or TLS Port 16018 for encrypted connections.Note: Use the
following command to check the port availability: nmap -p port
guardium_hostname_or_ip
- Verify that the sqlguard_ip parameter is set to the correct
guardium_hostname_or_ip for the Guardium system that you are connecting
to.
1. Click Manage > Activity Monitoring > S-TAP Control to open S-TAP Control.
2. Locate the S-TAP Host for the IP address that corresponds to your database
server.
3. Expand the Guardium Hosts subsection, and verify that the active Guardium
Host is correctly configured.
4. If necessary, click Modify to update the Guardium Hosts.
- Where is the debug file located?
- If the debuglevel > 0, then the log from the previous S-TAP session (if it exists)
is saved as: %STAP_DIR%\Bin\StapBuffer\stap_%HOSTNAME%%YY-MM-
DD%%HHMMDD%.old and the new log is created as:
%STAP_DIR%\Bin\StapBuffer\stap_%HOSTNAME%%YY-MM-
DD%%HHMMDD%.new.
- In addition to this, start-up logs containing just messages related to S-TAP
start-up are always generated in %STAP_DIR%\Logs:
startup_%HOSTNAME%%YY-MM-DD%%HHMMDD%.old
startup_%HOSTNAME%%YY-MM-DD%%HHMMDD%.new.
- Severe spikes in traffic, and traffic getting dropped
- These symptoms could be due to a buffer overflow. Check the debug log for a
message indicating buffer overflow. Advanced users only: consider enabling the
dynamic buffer feature. See dynamic_buffer_increase in Windows: General
parameters.
- Verify that the S-TAP process is not repeatedly restarting
- On the database server, check the process ID of guardium_stapr.exe a few
times (for example, with tasklist /fi "imagename eq guardium_stapr.exe") and
verify that the S-TAP process ID is not changing.
- Verify that S-TAP Approval is not turned on
- If S-TAP Approval is turned on, any new S-TAP that connects to the Guardium
system is refused.
1. Click Manage > Activity Monitoring > S-TAP Certification to open S-TAP
Certification.
2. Look at the S-TAP Approval Needed check box. If this box is checked, new
S-TAPs can connect to this Guardium system only after they have been
added to the list of approved S-TAPs.
3. If S-TAP Approval is turned on, select Daily Monitor > Approved Tap Clients
to view a list of approved S-TAPs. If the S-TAP that you are investigating is
not on this list, return to the S-TAP Certification pane, enter the IP address of
the S-TAP in the Client Host field, and click Add.
- S-TAP verification issues
- The verification process attempts to log in to the database monitored by the
S-TAP with an erroneous user ID and password, to verify that this failed
attempt is recognized and reported to the Guardium system. Your S-TAP could be
configured in a way that prevents the inspection engine message from reaching
the Guardium system from which the request was made.
These configuration details include:
- Load balancing: if the S-TAP is configured to return responses to more than
one Guardium system, the error message could be sent to a different
Guardium system.
- Failover: If secondary Guardium systems are configured for the S-TAP, the
error message could be sent to a secondary Guardium system if the primary
Guardium system is too busy.
- Db_ignore_response: if the S-TAP is configured to ignore all responses from
the database, it does not send error messages to the Guardium system.
- Client IP/mask: if any mask is defined that is not 0.0.0.0, it could prevent the
error message from being sent.
- Exclude IP/mask: if any mask is defined that is not 0.0.0.0, it could prevent the
error message from being sent.
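The ping, telnet and nmap steps above tell you whether a port answers, but not why it does not. The following Python script is an added example rather than a Guardium tool: it probes the S-TAP ports and distinguishes a refused connection (the host is reachable but nothing listens there, typically a wrong sqlguard_ip) from a timeout (no answer at all, typically a firewall dropping the traffic), then maps the result onto the next step of this topic. The demo stands in for the collector with a listener on 127.0.0.1 constructed for the run; on a real database server, call check_sqlguard with the configured sqlguard_ip.

```python
import socket

STAP_PORTS = {16016: "unencrypted", 16018: "TLS"}


def probe_port(host, port, timeout=3.0):
    """Return 'open', 'refused' or 'timeout' for host:port (or 'error: ...')."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"      # host answered with RST: reachable, nothing listening
    except socket.timeout:
        return "timeout"      # neither SYN/ACK nor RST: typically a firewall drop
    except OSError as exc:    # no route, name resolution failure, ...
        return f"error: {exc.strerror or exc}"


def check_sqlguard(host, ports=STAP_PORTS, timeout=3.0):
    """Probe every S-TAP port on the Guardium system; returns {port: status}."""
    return {port: probe_port(host, port, timeout) for port in ports}


def diagnose(results):
    """Map probe results onto the next troubleshooting step from this topic."""
    statuses = set(results.values())
    if "open" in statuses:
        return "at least one S-TAP port answers: check sqlguard_ip and S-TAP Approval next"
    if statuses == {"timeout"}:
        return "no reply at all: a firewall between the hosts is probably dropping 16016/16018"
    return "host reachable but nothing listening: verify sqlguard_ip names the right Guardium system"


def demo():
    """Stand-in for a collector: one listening port and one closed port on
    127.0.0.1, both constructed for this run."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                      # nothing listens on this port any more
    try:
        ports = {open_port: "demo listener", closed_port: "demo closed"}
        return check_sqlguard("127.0.0.1", ports, timeout=1.0), open_port, closed_port
    finally:
        listener.close()


if __name__ == "__main__":
    results, _, _ = demo()
    print(results, "->", diagnose(results))
```

A "refused" result on both ports with the correct sqlguard_ip means the Guardium system itself is not accepting S-TAP connections on those ports; a "timeout" points at the firewall rule step above rather than at the S-TAP configuration.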

Related topics:
- Windows: Monitoring S-TAP in the GUI
- Windows: Monitoring with the Guardium Agent Monitor
- Windows: Inspection engine verification

Parent topic:Windows: S-TAP operation and performance
