IBM Support

Original setup of Guardium KTAP_FAST_TCP_VERDICT as disabled (0) could potentially trigger v10.1.4 STAPs to impact performance.

Flash (Alert)


Abstract

Original setup of Guardium KTAP_FAST_TCP_VERDICT as disabled (0) could potentially trigger v10.1.4 STAPs to impact performance.

Content

On New v10.1.4 installations the Guardium STAP has the KTAP_FAST_TCP_VERDICT enabled (1) by default - this is a correct recommended setting for Guardium.

There are cases where the Guardium STAP is upgraded from an older version 9 or early version 10 where the KTAP_FAST_TCP_VERDICT was originally set as disabled (0) (the default v9 value)

Remediation

Customers who are planning to upgrade from Guardium STAP v9 or early v10 STAPs to v10.1.4 (or have this value disabled because of previous upgrades), should update the KTAP_FAST_TCP_VERDICT parameter to be enabled(1) before performing the upgrade to the v10.1.4.

The following grdapi commands can be run from a cli prompt to get and set the change in a specific DB Server host. Be sure to use your DB Server hostname or ip in the below examples instead of <db server hostname or ip>

To get the current config at any time for a particular DB Server :- (it will list all the guard_tap.ini parameters)

  • grdapi display_stap_config stapHost=<db server hostname or ip>  

To set the KTAP_FAST_TCP_VERDICT parameter for a particular DB Server :- ( command is all on one line )

  • grdapi update_stap_config stapHost=<db server hostname or ip> updateValue=TAP.ktap_fast_tcp_verdict:1

Related information

The ktap_fast_tcp_verdict parameter
High CPU and I/O utilization in STAP host
v10 Documentation on ktap_fast_tcp_verdict
GuardAPI S-TAP functions

Document information

More support for: IBM Security Guardium

Software version: 10.1.4

Operating system(s): AIX

Reference #: 2012955

Modified date: 26 January 2018