Product Documentation
Abstract
This document describes how to configure a UNIX/Linux S-TAP in an Oracle RAC cluster.
Content
Oracle RAC (Real Application Clusters) allows multiple computers to run Oracle RDBMS software simultaneously while accessing a single database, thus providing clustering.
In a non-RAC Oracle database, a single instance accesses a single database. The database consists of a collection of data files, control files, and redo logs located on disk. The instance comprises the collection of Oracle-related memory and operating system processes that run on a computer system.
In an Oracle RAC environment, two or more computers (each with an Oracle RDBMS instance) concurrently access a single database. This allows an application or user to connect to either computer and have access to a single coordinated set of data.
Guardium UNIX/Linux S-TAP Configuration Steps
- Each node that is part of a RAC environment is located on a separate server. S-TAP must be installed on each of these servers. If you use Guardium Installation Manager (GIM), install the GIM client on all nodes, then install the S-TAP bundle on all nodes.
- After S-TAP installation, configure the following S-TAP parameters (these parameters can be configured through the GIM GUI):
Configure STAP_TAP_IP to be the public IP configured for the node and STAP_ALTERNATE_IPS to be the VIPs (virtual IPs) configured for the node, separated by commas. The SCAN listener must also be added to STAP_ALTERNATE_IPS.
- Tip: The following command retrieves the virtual hostnames to put in the alternate IPs field:
su - grid -c 'cat $ORACLE_HOME/network/admin/*.ora' | grep -i host
[root@racvm121 ~]# su - grid -c 'cat $ORACLE_HOME/network/admin/*.ora' | grep -i host
- Configure the following S-TAP inspection engine parameter:
unix_domain_socket_marker=<key>
You can locate <key> in listener.ora in the IPC protocol definition.
Tip: The following command retrieves the value for unix_domain_socket_marker:
su - grid -c 'cat $ORACLE_HOME/network/admin/*.ora' | grep -i KEY
Example 1: Single IPC entry
If the following is a description in the listener.ora:
LISTENER=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=ORCL))))
Then set the parameter as follows:
unix_domain_socket_marker=ORCL
Example 2: Multiple IPC lines, common format
If there is more than one IPC line in listener.ora, use a common denominator of all the keys:
LISTENER=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER))))
LISTENER_SCAN1=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN1))))
LISTENER_SCAN2=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN2))))
LISTENER_SCAN3=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN3))))
Guardium uses a string search in the path, so LISTENER will work for all four:
unix_domain_socket_marker=LISTENER
Example 3: Multiple IPC, no common format
In the case where there is no common denominator, you must create additional inspection engines in which the unix_domain_socket_marker corresponds to the specific IPC key(s). For example, your guard_tap.ini may end up looking similar to this:
[DB_0]
...
unix_domain_socket_marker=EXTPROC1522
...
[DB_1]
...
unix_domain_socket_marker=LISTENER
...
3. If the Oracle database is encrypted (ASO/SSL), you must activate A-TAP on all nodes:
a. Stop all Oracle services (including clusterware) and verify that ohasd.bin is down.
- Run "crsctl stop cluster -all".
- Verify that "ohasd.bin" is down after doing so.
b. Authorize the oracle and grid users (grid in case the listener belongs to the grid user).
c. Configure A-TAP parameters using the information provided in the online help or Knowledge Center (see link in Resources section).
d. Activate A-TAP.
e. Restart all Oracle services in the cluster.
Note: All Oracle processes must be stopped before activating A-TAP. Failure to stop Oracle processes results in an inability to capture traffic, an inability to capture TCP traffic, and an inability to connect to the database.
Resources
· Information Center topic on configuring A-TAP (10.1)
· Technote: Setting up Guardium S-TAP to monitor Oracle database using ASO encryption on AIX
Document Information
Modified date:
16 July 2018
UID
swg27048586