IBM Support

Steps on Configuring Guardium UNIX/Linux S-TAP in Oracle RAC environment

Product Documentation


Abstract

This document describes how to configure a UNIX/Linux S-TAP for an Oracle RAC cluster, where the database is served by several nodes at once.

Content

Oracle RAC (Real Application Clusters) allows multiple computers to run Oracle RDBMS software simultaneously while accessing a single database, thus providing clustering.

In a non-RAC Oracle database, a single instance accesses a single database. The database consists of a collection of data files, control files, and redo logs located on disk. The instance comprises the collection of Oracle-related memory and operating system processes that run on a computer system.

In an Oracle RAC environment, two or more computers (each with an Oracle RDBMS instance) concurrently access a single database. This allows an application or user to connect to either computer and have access to a single coordinated set of data.

Guardium UNIX/Linux S-TAP Configuration Steps

  1. In a RAC environment each node runs on a separate server, and S-TAP must be installed on every one of those servers. If you use Guardium Installation Manager (GIM), install the GIM client on all nodes and then install the S-TAP bundle on all nodes.
  2. After S-TAP installation, configure the following S-TAP parameters (they can all be set through the GIM GUI):

    • Set STAP_TAP_IP to the public IP configured for the node, and STAP_ALTERNATE_IPS to a comma-separated list of the VIPs (virtual IPs) configured for the node. The SCAN listener address must be added to STAP_ALTERNATE_IPS as well, so that sessions arriving through the SCAN or a VIP are recognized by S-TAP rather than only those arriving on the public IP.
    Tip: a handy command to retrieve the virtual hostnames to put in the alternate IPs field:

          su - grid -c 'cat $ORACLE_HOME/network/admin/*.ora' | grep -i host

          Example:

          [root@racvm121 ~]# su - grid -c 'cat $ORACLE_HOME/network/admin/*.ora' | grep -i host
          LISTENER_RACVM121=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=racvm121-vip.guard.swg.usma.ibm.com)(PORT=1521))(ADDRESS=(PROTOCOL=TCP)(HOST=9.70.148.198)(PORT=1521)(IP=FIRST)))) # line added by Agent
          [root@racvm121 ~]#

    Configure the following S-TAP inspection engine parameter:

    unix_domain_socket_marker=<key>

    You can find <key> in listener.ora, in the KEY attribute of the IPC protocol address.

    Tip: a handy command to retrieve the value for unix_domain_socket_marker:

          su - grid -c 'cat $ORACLE_HOME/network/admin/*.ora' | grep -i KEY

Example 1: Single IPC entry

If the following is a description in the listener.ora:

LISTENER=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=ORCL))))

Then set the parameter as follows:


unix_domain_socket_marker=ORCL


Example 2: Multiple IPC lines, common format

Where listener.ora contains more than one IPC line, use a substring that is common to all of the keys:


LISTENER=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER))))

LISTENER_SCAN1=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN1))))

LISTENER_SCAN2=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN2))))

LISTENER_SCAN3=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN3))))


Guardium matches the marker as a substring of the socket path, so LISTENER matches all four. Choose the shortest substring that is still specific to these listeners: a marker that is too generic also matches sockets the engine was not meant to monitor.


unix_domain_socket_marker=LISTENER


Example 3: Multiple IPC, no common format

Where the keys share no usable substring, create an additional inspection engine for each distinct key, with unix_domain_socket_marker set to that key. Your guard_tap.ini may then look similar to this:

[DB_0]


...
unix_domain_socket_marker=EXTPROC1522
...
[DB_1]
...
unix_domain_socket_marker=LISTENER
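The two lookups in step 2 (the HOST entries that feed STAP_ALTERNATE_IPS, and the IPC KEY entries that feed unix_domain_socket_marker in Examples 1 to 3) can be scripted. The following POSIX shell script is an added example written for this page, not IBM or Guardium code: it extracts both from listener.ora text on stdin, derives the longest prefix shared by all IPC keys, and emits guard_tap.ini [DB_n] fragments. The embedded listener.ora sample, the example.com hostnames, the 192.0.2.10 address and the MIN_MARKER_LEN threshold are constructed assumptions; the threshold in particular is this script's own safeguard against an over-generic marker, not a Guardium parameter.

```shell
#!/bin/sh
# Added example: derive S-TAP settings from listener.ora. Not IBM or Guardium code.
# Usage on a RAC node (run once per node, as the listener owner):
#   su - grid -c 'cat $ORACLE_HOME/network/admin/listener.ora' | ipc_keys | ie_fragments
#   su - grid -c 'cat $ORACLE_HOME/network/admin/listener.ora' | alternate_ips <public-ip>

# Constructed listener.ora sample; hostnames and addresses are placeholders, not a real system.
SAMPLE_LISTENER_ORA='LISTENER=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER))))
LISTENER_SCAN1=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN1))))
LISTENER_SCAN2=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN2))))
LISTENER_RACVM121=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=racvm121-vip.example.com)(PORT=1521))(ADDRESS=(PROTOCOL=TCP)(HOST=192.0.2.10)(PORT=1521)(IP=FIRST))(ADDRESS=(PROTOCOL=TCP)(HOST=racvm12-scan.example.com)(PORT=1521))(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC1522))))'

# Print every HOST= value from the listener text on stdin, deduplicated, in file order.
listener_hosts() {
    grep -oE '\(HOST *= *[^) ]+ *\)' | sed -E 's/\(HOST *= *([^) ]+) *\)/\1/' | awk '!seen[$0]++'
}

# $1 = this node's public IP (that value belongs in STAP_TAP_IP); every other listener host
# (VIPs and the SCAN name) is joined with commas, which is the STAP_ALTERNATE_IPS format.
alternate_ips() {
    listener_hosts | grep -vxF -- "$1" | paste -s -d ',' -
}

# Print every IPC KEY= value from the listener text on stdin, deduplicated and sorted.
ipc_keys() {
    grep -oE '\(KEY *= *[^) ]+ *\)' | sed -E 's/\(KEY *= *([^) ]+) *\)/\1/' | LC_ALL=C sort -u
}

# Longest common prefix of the newline-separated keys on stdin (empty when there is none).
common_prefix() {
    prefix='' first=1
    while IFS= read -r key; do
        if [ "$first" -eq 1 ]; then prefix=$key; first=0; continue; fi
        # Shorten the candidate prefix until the current key starts with it.
        while [ -n "$prefix" ] && [ "${key#"$prefix"}" = "$key" ]; do
            prefix=${prefix%?}
        done
    done
    printf '%s\n' "$prefix"
}

# Emit guard_tap.ini [DB_n] fragments for the IPC keys on stdin.
# unix_domain_socket_marker is a substring match on the socket path, so one shared engine is
# emitted only when the common prefix is long enough to be specific (MIN_MARKER_LEN is this
# script's own threshold, not a Guardium parameter); otherwise one engine per key, as in Example 3.
MIN_MARKER_LEN=${MIN_MARKER_LEN:-4}
ie_fragments() {
    keys=$(cat)
    [ -n "$keys" ] || return 0
    marker=$(printf '%s\n' "$keys" | common_prefix)
    if [ "${#marker}" -ge "$MIN_MARKER_LEN" ]; then
        printf '[DB_0]\nunix_domain_socket_marker=%s\n' "$marker"
        return 0
    fi
    i=0
    printf '%s\n' "$keys" | while IFS= read -r key; do
        printf '[DB_%d]\nunix_domain_socket_marker=%s\n' "$i" "$key"
        i=$((i + 1))
    done
}
```

Run it once per node, since each node has its own listener.ora and its own public IP. With the keys of Example 2 the script reproduces that example (a single engine with marker LISTENER); with the constructed sample above, where EXTPROC1522 shares nothing with the LISTENER keys, it falls back to one [DB_n] block per key, as in Example 3.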



3. If the Oracle database uses network encryption (ASO/SSL), you must activate A-TAP on all nodes:

a. Stop all Oracle services, including Clusterware, and verify that ohasd.bin is down:

- run "crsctl stop cluster -all"

- verify that no "ohasd.bin" process is still running once the stop completes. Note that "crsctl stop cluster" stops the cluster resources but leaves the Oracle High Availability Services daemon (ohasd.bin) running; if it is still present, stop the full stack on each node with "crsctl stop crs" and check again.

b. Authorize the oracle user, and also the grid user if the listener runs as grid.

c. Configure the A-TAP parameters using the information provided in the online help or Knowledge Center (see the link in the Resources section).

d. Activate A-TAP.

e. Restart all Oracle services in the cluster.

Note: All Oracle processes must be stopped before activating A-TAP. If Oracle processes are still running when A-TAP is activated, A-TAP cannot capture traffic (including TCP traffic) and clients may be unable to connect to the database.
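Because the note above makes the stop a hard precondition, it is worth gating the activation on a real check rather than on the stop command returning. The following POSIX shell functions are an added example written for this page, not IBM or Guardium code: they poll the process table until no ohasd.bin remains, with a timeout, and refuse to report the node as ready otherwise. They assume crsctl is on the PATH (normally under the Grid home's bin directory) and that stop_cluster_for_atap is run as root on each node; the 300-second default timeout is an assumption.

```shell
#!/bin/sh
# Added example: gate A-TAP activation on the cluster really being down. Not IBM or Guardium code.
# Assumes crsctl is on PATH (e.g. the Grid home bin directory) and that this runs as root.

# Return 0 once no process named $1 is running, polling once per second for up to $2 seconds;
# return 1 on timeout. The comparison is on the command basename, so it works whether ps
# reports "ohasd.bin" or a full path ending in ohasd.bin.
wait_until_gone() {
    name=$1 deadline=$2 elapsed=0
    while [ "$elapsed" -le "$deadline" ]; do
        if ! ps -eo comm= | awk -v n="$name" '{ sub(".*/", ""); if ($0 == n) found = 1 } END { exit !found }'; then
            return 0
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    return 1
}

# Stop the cluster stack and refuse to proceed while ohasd.bin is alive.
# "crsctl stop cluster -all" stops the cluster resources but leaves OHAS running, so the
# high-availability stack on this node is stopped as well with "crsctl stop crs" before waiting.
# $1 = seconds to wait for ohasd.bin to disappear (default 300, an assumption).
stop_cluster_for_atap() {
    timeout=${1:-300}
    crsctl stop cluster -all || return 1
    crsctl stop crs || return 1
    if wait_until_gone ohasd.bin "$timeout"; then
        echo "ohasd.bin is down; safe to activate A-TAP on this node"
        return 0
    fi
    echo "ohasd.bin still running after ${timeout}s; do not activate A-TAP" >&2
    return 1
}
```

Run stop_cluster_for_atap on every node and activate A-TAP only on nodes where it returns 0; a non-zero return means Oracle processes are still up and activation would leave A-TAP unable to capture traffic, as the note above describes.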




Resources

· Information Center topic on configuring A-TAP (10.1)

https://www.ibm.com/support/knowledgecenter/SSMPHH_10.1.0/com.ibm.guardium.doc.stap/stap/atap_config.html

· Technote: Setting up Guardium S-TAP to monitor Oracle database using ASO encryption on AIX

http://www-01.ibm.com/support/docview.wss?uid=swg21683739

Product: IBM Security Guardium (SSMPHH). Platforms: AIX, HP-UX, Linux, Solaris. Versions: 9.0, 9.1, 9.5, 10.0, 10.0.1, 10.1, 10.1.2, 10.1.3, 10.1.4. Edition: All Editions.

Document Information

Modified date:
16 July 2018

UID

swg27048586