IBM Support

Configuring ATAP For Oracle ASO or SSL Encryption On AIX and other Linux/Unix platforms

Troubleshooting


Problem

Traffic from Oracle applications (e.g. Oracle Enterprise Manager) is encrypted using the Oracle Advanced Security Option (ASO) or SSL encryption. If ATAP is not configured, traffic from such applications will not be captured in InfoSphere Guardium reports.

Symptom

Missed traffic in reports for Oracle applications.

Cause

Oracle applications using ASO or SSL encrypt their data, which must be decrypted in order to be displayed in InfoSphere Guardium reports.

IBM's Guardium product uses the standard OS relink process, as recommended by Oracle, in order to capture Oracle ASO or SSL SQL traffic using the Guardium ATAP application library. The Guardium relink adds the ATAP library to the Oracle executable in order to capture SQL traffic that is encrypted using Oracle ASO or SSL. This process is not required to capture standard Oracle traffic - just Oracle ASO or SSL traffic.

Please refer to the section "ATAP configuration on AIX and Oracle" in "Configuring the A-TAP" for specific detail on which Oracle versions / encryption types require the specific instrumentation step(s) detailed below.

Environment

AIX, Linux, other Unix

Diagnosing The Problem

Recommended viewing

Review the video in this course on the Security Learning Academy:



There are two ways to identify encrypted Oracle traffic:
  • a) Check the sqlnet.ora file (usually located in $ORACLE_HOME/network/admin). If encryption is being used, the following parameters will be uncommented:
      sqlnet.ENCRYPTION_TYPES_SERVER= (3DES112, 3DES168)
      sqlnet.ENCRYPTION_TYPES_CLIENT= (3DES168)
      sqlnet.ENCRYPTION_SERVER = required
      sqlnet.ENCRYPTION_CLIENT = required
      sqlnet.CRYPTO_SEED = 1234567891234567
      USE_DEDICATED_SERVER=ON

  • b) Run slon for a particular client IP and log in. The resulting slon capture apks file will show that packets look scrambled when the data is encrypted. Additionally, a "foo bar" packet for the session typically indicates encryption:
  • Packet 14 FROM X.X.X.X 1521 TO Y.Y.Y.Y 33133 Packet length: 367 0 1 10
    00000000 : 01 6f 00 00 06 00 00 00 00 00 de ad be ef 01 65 .o.............e
    00000010 : 09 20 01 00 00 04 00 00 04 00 03 00 00 00 00 00 . ..............
    00000020 : 04 00 05 09 20 01 00 00 02 00 06 00 1f 00 0e 00 .... ...........
    00000030 : 01 de ad be ef 00 03 00 00 00 02 00 04 00 01 00 ................
    00000040 : 01 00 02 00 00 00 00 00 04 00 05 09 20 01 00 00 ............ ...
    00000050 : 02 00 06 fb ff 00 02 00 02 00 00 00 00 00 04 00 ................
    00000060 : 05 09 20 01 00 00 01 00 02 0c 00 03 00 08 00 00 .. .............
    00000070 : 00 00 00 04 00 05 09 20 01 00 00 01 00 02 00 00 ....... ........
    00000080 : 02 00 03 02 00 00 02 00 03 02 00 00 40 00 01 82 ............@...
    00000090 : 98 de 49 de f7 09 e5 e0 0d b0 a0 a5 9c a9 f2 3d ..I............=
    000000a0 : f6 c6 a7 e9 4a 44 a3 e1 87 2e f5 4c 1f a1 7a df ....JD.....L..z.
    000000b0 : 5c f2 75 81 ed 51 c3 26 ee 8b e1 04 03 1e 67 50 .u..Q.&......gP
    000000c0 : 53 b5 7c 4b 45 6f 15 4a 17 56 0b 5a 15 95 a5 00 S.|KEo.J.V.Z....
    000000d0 : 40 00 01 dc 8e a3 1b 08 60 69 8a cc f6 d1 9e 87 @.......`i......
    000000e0 : 0e 34 fc 67 c5 59 0b 4e a6 b1 3c d5 fd ef 15 ac .4.g.Y.N.......
    000000f0 : 9d 5f 3f 21 4c dc 07 cc 87 4a b3 01 d7 7f 2c 43 ._?!L....J....,C
    00000100 : 33 51 3c de 0b 1e ce 64 47 76 57 5c 51 cc 98 b3 3Q.....dGvWQ...
    00000110 : fe e7 ef 00 40 00 01 31 81 a3 8a 97 9e 79 64 78 [email protected]
    00000120 : c4 77 3d d4 57 c0 9b 92 39 b4 79 39 53 5a da 2d .w=.W...9.y9SZ.-
    00000130 : 2d f9 32 e2 e3 62 27 6c dc 5a 2e e7 10 df 5c 18 -.2..b'l.Z.....
    00000140 : 39 7d e6 9d 31 24 df 9d 1e 61 17 4c 04 9b 5c aa 9}..1$...a.L...
    00000150 : 9d 46 66 a8 a8 0d 44 00 14 00 01 66 6f 6f 20 62 .Ff...D....foo b
    00000160 : 61 72 20 62 61 7a 20 62 61 74 20 71 75 75 78 ar baz bat quux
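The sqlnet.ora check in a) can be scripted so that commented-out parameters are not mistaken for active ones. The script below is an added example, not part of this technote or of the guardctl utility; it assumes a POSIX shell with grep, sed, tail and tr, and the two sqlnet.ora files it reads are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the IBM technote: read a sqlnet.ora and report
# whether Oracle native (ASO) encryption is enabled, ignoring commented lines.
# Assumes POSIX sh with grep, sed, tail and tr; the sample files are constructed.

# Print the effective value of one sqlnet.ora parameter (case-insensitive,
# last uncommented occurrence wins), lower-cased with spaces and parentheses
# stripped. Prints nothing when the parameter is not set.
#   $1 = path to sqlnet.ora, $2 = parameter name
sqlnet_param() {
    grep -v '^[[:space:]]*#' "$1" \
        | grep -i "^[[:space:]]*$2[[:space:]]*=" \
        | tail -n 1 \
        | sed 's/^[^=]*=[[:space:]]*//' \
        | tr -d ' ()' \
        | tr '[:upper:]' '[:lower:]'
}

# Server-side ASO mode: "aso:<value>" when SQLNET.ENCRYPTION_SERVER is set to
# required, requested or accepted (requested/accepted still depend on the client
# side), "off" when it is rejected, commented out or absent.
sqlnet_aso_mode() {
    mode=$(sqlnet_param "$1" 'SQLNET.ENCRYPTION_SERVER')
    case "$mode" in
        required|requested|accepted) echo "aso:$mode" ;;
        *) echo "off" ;;
    esac
}

# Constructed sample: encryption on, as in the technote's sqlnet.ora excerpt.
SQLNET_ASO=$(mktemp)
cat > "$SQLNET_ASO" <<'EOF'
sqlnet.ENCRYPTION_TYPES_SERVER= (3DES112, 3DES168)
sqlnet.ENCRYPTION_SERVER = required
USE_DEDICATED_SERVER=ON
EOF

# Constructed sample: the same lines commented out, so no ASO encryption.
SQLNET_PLAIN=$(mktemp)
cat > "$SQLNET_PLAIN" <<'EOF'
#sqlnet.ENCRYPTION_TYPES_SERVER= (3DES112, 3DES168)
#sqlnet.ENCRYPTION_SERVER = required
EOF

sqlnet_aso_mode "$SQLNET_ASO"      # prints aso:required
sqlnet_aso_mode "$SQLNET_PLAIN"    # prints off
```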

Resolving The Problem

Here are the instructions to set up ATAP for Oracle databases that use ASO or SSL encryption on AIX, Linux and other Unix:

This configuration of ATAP can be done using the guardctl utility. The guardctl utility is installed under <guardium_base>/bin directory where <guardium_base> is the directory where Guardium software is installed. By default <guardium_base> is /usr/local/guardium.


Notes:

These libraries allow the IBM Guardium solution to 'see' the Oracle ASO / SSL encrypted traffic and report it back to the Guardium Collector.

Below are the steps to configure ATAP on the database server where Guardium S-TAP is installed, so it can monitor Oracle traffic using ASO / SSL encryption:

    • Always use the full path when invoking the guardctl executable.
    • Running the guardctl command relinks two libraries to the oracle executable, for example:
        /usr/local/guardium/lib/libguard-atap-oracle-any-32.a in /usr/lib
        and
        /usr/local/guardium/lib/libguard-atap-oracle-any-32.so in /usr/lib


Before starting:
    • Make sure that bash version 3 or greater is installed; the guardctl utility requires it (issuing 'bash --version' at the command prompt displays the version).
    • ATAP depends on KTAP. Make sure that KTAP was installed when S-TAP was installed (during S-TAP installation you are prompted to select whether KTAP should be installed; select yes).
    • Make sure that the ktap_installed parameter is set to 1 in the S-TAP configuration file guard_tap.ini.
    • If the software is installed with GIM, make sure that the environment variable GIM_ROOT_DIR is set to the <guardium_base>/modules directory (absolute path). Guardium S-TAP must be restarted after setting this variable.
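The "Before starting" checks can be run as a short pre-flight script before touching guardctl. This is an added example, not IBM's code: it assumes a POSIX shell, uses /usr/local/guardium as the default <guardium_base> named above, and reads a constructed sample guard_tap.ini rather than a real one.

```shell
#!/bin/sh
# Added example, not IBM's code: pre-flight checks for the "Before starting"
# list (bash 3+, ktap_installed=1 in guard_tap.ini, GIM_ROOT_DIR pointing at
# <guardium_base>/modules). The guard_tap.ini below is a constructed sample and
# /usr/local/guardium is the default <guardium_base> named in the technote.

# Return 0 when a bash version string such as "3.2.57(1)-release" is 3.x or newer.
bash_version_ok() {
    major=$(printf '%s' "$1" | sed 's/\..*//')
    [ "$major" -ge 3 ] 2>/dev/null
}

# Return 0 when an uncommented "ktap_installed=1" line exists in the ini file ($1).
ktap_installed() {
    grep -iq '^[[:space:]]*ktap_installed[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Return 0 when GIM_ROOT_DIR ($2) is the absolute <guardium_base>/modules path
# for the install base ($1); a trailing slash is tolerated.
gim_root_ok() {
    case "$2" in /*) ;; *) return 1 ;; esac
    [ "${2%/}" = "${1%/}/modules" ]
}

# Run all checks, printing one line per failure; returns 1 if any check failed.
# Uses the running shell's BASH_VERSION and the environment's GIM_ROOT_DIR.
preflight() {
    ini="$1"; base="$2"; rc=0
    bash_version_ok "${BASH_VERSION:-0}" || { echo "bash 3 or later required (bash --version)"; rc=1; }
    ktap_installed "$ini" || { echo "ktap_installed must be 1 in $ini"; rc=1; }
    gim_root_ok "$base" "${GIM_ROOT_DIR:-}" \
        || { echo "GIM_ROOT_DIR must be $base/modules (restart S-TAP after setting it)"; rc=1; }
    return $rc
}

# Constructed sample guard_tap.ini with KTAP enabled.
SAMPLE_INI=$(mktemp)
cat > "$SAMPLE_INI" <<'EOF'
[TAP]
ktap_installed=1
EOF

preflight "$SAMPLE_INI" /usr/local/guardium || echo "prerequisites not met"
```

On a real server, pass the path of the installed guard_tap.ini and the actual <guardium_base> instead of the sample.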


Configuring ATAP for AIX, Linux and other Unix
 
  • Configuring ATAP for Oracle on AIX:
    • 1) Log in as root to the database server.
    • 2) Stop the database.
       Note: If there are more instances running for the same Oracle installation, ALL running instances must be stopped, not only the instance to be configured.
    • 3) Add the oracle user (the one that runs the oracle database) to the "guardium" group with the guardctl command, using the --db-user option. For example, the following command adds oracle user oracle10 to the "guardium" group:
       /usr/local/guardium/guard_stap/guardctl --db-user=oracle10 authorize-user
    • 4) Gather the following oracle parameters:
        a) Database instance name (--db-instance)
        b) DB owner account (--db-user)
        c) DB owner's home directory (--db-base)
        d) Oracle binary type (--db-bits). You can use the "file" command on the oracle binary to find out, for example:
           -bash-3.2$ file /home/oracle10/OraHome1/bin/oracle
           /home/oracle10/OraHome1/bin/oracle: 64-bit XCOFF executable or object module not stripped
        e) DB installation directory (--db-home)
        f) DB version, to one decimal of precision, e.g. 10.0 (--db-version)
     
    • 5) Configure ATAP, for example (this assumes your oracle userid for the oracle instance is oracle10):
      • /usr/local/guardium/guard_stap/guardctl db_type=oracle db_instance=<oracle_instance_name> db_user=oracle10 db_home=<oracle_instance_home> store-conf
     
    • 6) For AIX only, configure the ATAP including the relink and instrument parameters. For example:
      • /usr/local/guardium/guard_stap/guardctl --db-instance=<oracle_instance_name> --db-user=oracle10 --db-type=oracle --db-base=/home/oracle10/ --db-bits=64 --db-home=/home/oracle10/OraHome1/ --db-version=10.0 --db-relink-script=relink --db-use-instrumented=yes
        • Note: Oracle on AIX requires re-linking and instrumentation, hence the additional parameters.
     
    • 7) Verify parameters set in the command above and disregard all others:
      • /usr/local/guardium/guard_stap/guardctl list-configured
      • Parameters (example):
        • --db2-c2soffset = 61440 - DB2 shared memory client area offset
          --db2-header-offset = 20 - DB2 shared memory header offset
          --db2-shmsize = 131072 - DB2 shared memory size
          --db-base = /home/oracle10/ - Points to the DB user's home directory
          --db-bits = 64 - Database executable target architecture (32/64 bits)
          --db-home = /home/oracle10/OraHome1/ - Points to where the DB version is installed
          --db-info = /INFORMIXTMP/.inf.sqlexec - Additional DB info (e.g. /INFORMIXTMP/.inf.sqlexec)
          --db-instance = <oracle_instance_name> - DB Instance string - e.g. oracle SID value
          --db-relink-script = yes - Database relink script (for oracle)
          --db-space = 8 - How much space to reserve for times DB exec size
          --db-type = oracle - Contains the name of the DB (e.g. oracle, informix)
          --db-use-instrumented = yes - Whether to use the pre-instrumented version or not
          --db-user = oracle10 - Points to the DB instance user name
          --db-user-dir = /home/oracle10 - Points to the DB instance user home directory
          --db-version = 10.0 - Contains the version of the DB (e.g. 10.0, 10.2)
          --var-name = db_use_instrumented - param_db_use_instrumented
    • 8) Stop the oracle database if it is running.
    • 9) Run the instrument command as root (for v8.2 and above) or as the DB user (for v8.1). Instrumentation creates a new oracle file called oracle-guard-instrumented in $ORACLE_HOME/bin. This instrumented oracle file can interface with ATAP.
      • /usr/local/guardium/guard_stap/guardctl --db-instance=<oracle_instance_name> --db-user=oracle10 --db-type=oracle --db-base=/home/oracle10/ --db-bits=64 --db-home=/home/oracle10/OraHome1/ --db-version=10.0 --db-relink-script=relink --db-use-instrumented=yes instrument
      • This will produce quite a bit of output. You should see the following messages at the end:
        • Executing: cp -f /home/oracle10/OraHome1/bin/oracle /home/oracle10/OraHome1/bin/oracle-guard-instrumented
          Inserted instrumentation
          Restoring non-instrumented libn9.a from /home/oracle10/OraHome1//lib/libn9.a-guard-original
          Restoring non-instrumented naeet.o from /home/oracle10/OraHome1//lib/naeet.o-guard-original
          Restoring non-instrumented oracle /home/oracle10/OraHome1/bin/oracle-guard-original -> /home/oracle10/OraHome1/bin/oracle
    • 10) Run the activate command as root. Activate creates a new oracle file in $ORACLE_HOME/bin. This is not a real oracle binary, but a small program which loads and runs oracle-guard-instrumented.
      • /usr/local/guardium/guard_stap/guardctl --db-instance=<oracle_instance_name> --db-user=oracle10 --db-type=oracle --db-base=/home/oracle10/ --db-bits=64 --db-home=/home/oracle10/OraHome1/ --db-version=10.0 --db-relink-script=relink --db-use-instrumented=yes activate
      • The following output should be produced:

        • Oracle on AIX has to use instrumentation
          Matching module found - oracle is supported by /usr/local/guardium/modules/ATAP/current/files/lib/libguard-atap-oracle-any
          Installing library /usr/local/guardium/modules/ATAP/current/files/lib/libguard-atap-oracle-any-32.a in /usr/lib
          Installing library /usr/local/guardium/modules/ATAP/current/files/lib/libguard-atap-oracle-any-32.so in /usr/lib
          Installing library /usr/local/guardium/modules/ATAP/current/files/lib/libguard-atap-oracle-any-64.a in /usr/lib
          Installing library /usr/local/guardium/modules/ATAP/current/files/lib/libguard-atap-oracle-any-64.so in /usr/lib
          Creating permissions
          Matching module found - oracle is supported by /usr/local/guardium/modules/ATAP/current/files/lib/libguard-atap-oracle-any
          Set 297 bytes for 'executor/env' in file '/home/oracle10/OraHome1/bin/oracle-guard-executor'
          db_exec_file=/home/oracle10/OraHome1/bin/oracle
    • 11) Verify all oracle files are now in place in $ORACLE_HOME/bin:
      • -bash-3.2$ ls -l oracle*
        -rwsr-s--x 1 oracle10 dba 241335   Nov 28 14:01 oracle
        -rwxr-x--x 1 oracle10 dba 72535190 Nov 28 13:57 oracle-guard-instrumented
        -rwsr-s--x 1 oracle10 dba 72253264 May 21 2010  oracle-guard-original
        -rwsr-s--x 1 oracle10 dba 72253264 May 21 2010  oracleO


    • 12) Restart database. Verify encrypted traffic is now logged.
 
  • Configuring ATAP for Oracle on Linux or other Unix platforms:
    • Note: for Oracle RAC, each node with S-TAP installed will need the following applied.


      1) Same as above for AIX
      2) Same as above for AIX
      3) Same as above for AIX
        • Note: for Oracle RAC, the grid user will need to be authorized as well as the oracle user in the case where the listener belongs to the grid user.
      4) Same as above for AIX
      5) Same as above for AIX

      6) Linux / other Unix does not require re-linking and instrumentation, so the relink and instrument parameters are omitted. For example:
      • /usr/local/guardium/guard_stap/guardctl --db-instance=<oracle_instance_name> --db-user=oracle10 --db-type=oracle --db-base=/home/oracle10/ --db-bits=64 --db-home=/home/oracle10/OraHome1/ --db-version=10.0


      7) Same as above for AIX
      8) Same as above for AIX

      9) Run the activate command as root. Activate will create a new oracle file in $ORACLE_HOME/bin.
      • /usr/local/guardium/modules/ATAP/current/files/bin/guardctl --db-instance=<oracle_instance_name> --db-user=oracle10 --db-type=oracle --db-base=/home/oracle10/ --db-bits=64 --db-home=/home/oracle10/OraHome1/ --db-version=10.0 activate



      10) Verify all oracle files are now in place in $ORACLE_HOME/bin. The output will be same as for AIX, but the following file is not created since no instrumentation is needed for Linux/ other Unix:
      • -rwxr-x--x 1 oracle10 dba 72535190 Nov 28 13:57 oracle-guard-instrumented
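The verification in step 11 (AIX) and step 10 (Linux / other Unix) can be checked mechanically: after activate, $ORACLE_HOME/bin should hold a small setuid "oracle" loader, the saved "oracle-guard-original", and "oracle-guard-instrumented" only on AIX. The script below is an added example, not from this technote or from guardctl; the file names come from the listings above, and the two directories it checks are constructed samples rather than a real $ORACLE_HOME/bin.

```shell
#!/bin/sh
# Added example, not from the technote: check that $ORACLE_HOME/bin looks the
# way steps 11 (AIX) and 10 (Linux/other Unix) describe after "guardctl ... activate":
# a small setuid "oracle" loader, the saved "oracle-guard-original", and
# "oracle-guard-instrumented" only on AIX. The sample trees below are constructed.

# Usage: verify_atap_bin <oracle_home_bin> <aix|linux>
# Prints a reason per problem and returns 1 if any; returns 0 when the layout matches.
verify_atap_bin() {
    bin="$1"; platform="$2"; rc=0
    [ -f "$bin/oracle" ] || { echo "missing $bin/oracle"; rc=1; }
    # The listing in the technote shows the loader keeping the setuid bit (-rwsr-s--x).
    [ -u "$bin/oracle" ] || { echo "$bin/oracle is not setuid"; rc=1; }
    [ -f "$bin/oracle-guard-original" ] || { echo "missing $bin/oracle-guard-original"; rc=1; }
    if [ "$platform" = aix ]; then
        [ -f "$bin/oracle-guard-instrumented" ] \
            || { echo "missing oracle-guard-instrumented (AIX requires instrumentation)"; rc=1; }
    else
        [ ! -e "$bin/oracle-guard-instrumented" ] \
            || { echo "unexpected oracle-guard-instrumented on $platform"; rc=1; }
    fi
    # After activate, "oracle" is a small loader, far smaller than the real binary.
    if [ -f "$bin/oracle" ] && [ -f "$bin/oracle-guard-original" ]; then
        loader=$(wc -c < "$bin/oracle" | tr -d ' ')
        orig=$(wc -c < "$bin/oracle-guard-original" | tr -d ' ')
        [ "$loader" -lt "$orig" ] \
            || { echo "oracle is not smaller than oracle-guard-original; activate may not have run"; rc=1; }
    fi
    return $rc
}

# Constructed sample: what an AIX $ORACLE_HOME/bin should contain.
AIX_BIN=$(mktemp -d)
printf 'loader stub' > "$AIX_BIN/oracle"; chmod u+s,g+s "$AIX_BIN/oracle"
dd if=/dev/zero of="$AIX_BIN/oracle-guard-original" bs=1024 count=4 2>/dev/null
dd if=/dev/zero of="$AIX_BIN/oracle-guard-instrumented" bs=1024 count=4 2>/dev/null

# Constructed sample: the Linux / other Unix layout, with no instrumented binary.
LINUX_BIN=$(mktemp -d)
printf 'loader stub' > "$LINUX_BIN/oracle"; chmod u+s,g+s "$LINUX_BIN/oracle"
dd if=/dev/zero of="$LINUX_BIN/oracle-guard-original" bs=1024 count=4 2>/dev/null

verify_atap_bin "$AIX_BIN" aix && echo "AIX layout OK"
verify_atap_bin "$LINUX_BIN" linux && echo "Linux layout OK"
```

On a real server, run it as verify_atap_bin "$ORACLE_HOME/bin" aix (or linux) after the activate step and before restarting the database.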


Document Information

Modified date:
03 February 2021

UID

swg21683739