Configure S-TAPs from the GUI

Complete an S-TAP Configuration

After installing an S-TAP agent on a database server, follow this procedure to complete the S-TAP configuration from the administrator portal. You must be logged into the Guardium appliance that is the active host for the S-TAP. (You can only edit an S-TAP configuration from its active host.) Some configuration changes require that the S-TAP agent be restarted manually. Those are noted in the sections below.

Click S-TAP Control in the Local Taps section of the Administration Console, to open the S-TAP control panel. If there is no Local Taps section on the Administration Console between the Central Management and Guardium Definitions sections, you must first configure this Guardium appliance to manage S-TAP agents; see Configure Guardium Appliance to Manage Agents.
Locate the S-TAP to be configured, in the S-TAP Host column. Look for its IP address or the symbolic host name of the database server on which it is installed. Each S-TAP has a row of control buttons, described below:

Control	Description
	Remove. Click this button to remove an S-TAP from the list. You cannot remove an active S-TAP. Clicking this button does not stop an S-TAP from sending information, nor does it remove this Guardium host from the list of Guardium hosts stored in the configuration file for that S-TAP. This button is useful to “clean up” your display of information when you know that an S-TAP has become inactive or when this Guardium unit is no longer listed as a host in that S-TAP’s configuration file. In either of those cases, the S-TAP is displayed indefinitely with an offline status (since all this Guardium unit “knows” is that the S-TAP is unavailable).
	Refresh S-Tap Information. Click to fetch a fresh copy of the S-TAP configuration from the agent. You may want to do this after making changes that for some reason did not work. See Reload Last Good Configuration, below for more information.
	Re-initialize Buffer. Sends a message to the S-TAP requesting that it re-initialize its buffer.
	Edit. Click to edit the configuration. This is enabled only when this appliance is the active Guardium host for the S-TAP.
	Show Log. Click to display the S-TAP event log in a separate window.
S-Tap Host	The IP address or host name of the host.
	Status of the S-TAP. One of the three lights will be illuminated: Green (Online) – The S-TAP is functioning normally. Red (Offline) – The S-TAP is not responding. Yellow (Not Synchronized) – Configuration changes have been sent to the S-TAP, but the S-TAP has not yet acknowledged that the changes were applied. If the light remains yellow for an extended period of time, you can assume that the S-TAP did not accept the new configuration. When that happens, S-TAP attempts to restart using the last good configuration. When an error has occurred, you can open the S-TAP Events panel in a separate window by clicking the Show Log button (see above). In many cases the event log will contain error messages indicating what was wrong with the new configuration. To reload the last good configuration from the S-TAP host, click the Refresh S-TAP information button (see above). Note: If you have trouble determining the color of the light, hold the mouse pointer over the set of lights to display the current status (Offline, Not Synchronized, or Online) as a tool tip.
Last Response	Date and time of the last response from this S-TAP

Verify that the Status indicator is green (the right-most light). If it is not, the Guardium server and S-TAP are not connected.
Click the (Edit) button for that S-TAP. If the Edit button is not active, this Guardium appliance is not the active host for this S-TAP. You must log on to the active host for this S-TAP to make any changes.
Expand and make modifications to any of the following sections of the S-TAP configuration. Typically, the only additional task at this point is to define one or more inspection engines. (An inspection engine identifies a set of database connections to monitor.) Click on any section listed below for a detailed description of its use.

If you have updated any information, and want to save the new configuration, click the Apply button at the bottom of the panel.
Check again that the status light in the S-TAP control panel is green. You may see it turn yellow briefly, but it should return to green the next time the screen is refreshed. If the light remains yellow, S-TAP was unable to restart using the new configuration. When that happens, S-TAP attempts to restart using the last good configuration. The configuration in your S-TAP Control panel will still contain any changes you have applied - including any errors. To reload the last good configuration from the S-TAP host to your S-TAP Control panel, click (Refresh S-TAP Information) in the S-TAP Control panel toolbar.
Back to top

S-TAP Control Details

Use the S-TAP Control Details pane to view or edit basic configuration settings for the S-TAP agent. The following table describes all controls for both Unix and Windows S-TAP. The complete set of controls is not available when displaying current settings, but is available when editing the configuration. Controls that apply for Unix or Windows only are noted at the start of each description.

Control	Description
Devices	Always blank for a Windows server. For a Unix server, identifies an interface to monitor for database traffic: none (blank) monitor local traffic only, except for a Linux server (see below). lo to monitor local traffic only, on a Linux server only. tap_ip_device_name to monitor both local traffic and network traffic, the device name on which the database server IP address is defined. To find the device name on an HPUX system, use the lanscan command. On all other Unix systems, use the ifconfig –a command.
Load Balancing	This box controls how S-TAP reports traffic to Guardium appliances, as follows: 0 = Report all traffic to a single appliance (the default). 1 = Load balancing; distribute sessions evenly to all appliances, by client port number (all traffic for a single session must go to the same appliance). 2 = Full redundancy; report all traffic to all appliances.
Messages	Controls where S-TAP processing messages (not database traffic) will be written: Remote To the active Guardium host. Syslog To the syslog file on the database server.
Trace Files Dir	The directory to which trace files will be written.
Alternate IPs	One or more alternate or virtual IP addresses used to connect to this database server. This is used only when your server has multiple network cards with multiple IPs, or virtual IPs. S-TAP only monitors traffic when the destination IP matches either the S-TAP Host IP defined for this S-TAP, or one of alternate IPs listed here, so we recommend that you list all virtual IPs here.
Shared Memory	Windows only. Controls the action to be taken when a shared memory connection is detected: Disable Disconnect the session. Alert Send an alert.
Shared Memory Monitor Named Pipes Monitor Local TCP Monitor	Windows only. Mark the checkboxes to enable shared memory drivers. To improve performance, you should disable any drivers that are not used. Note: After enabling or disabling any shared memory driver, you must restart the S-TAP service for the change to take effect.
App. Server User Identification	Windows only. Note: After enabling or disabling this feature, you must restart the S-TAP service for the change to take effect. 0 = Disabled. 1 = Reserved for future use. 2 = Windows Terminal Server or Citrix Terminal Server is used. The terminal session user of the database server will be stored in the OS user name, in the following format: OS_USER[ ;WTS:<DOMAIN NAME>;<WTS SESSION LOGIN NAME>;[REMOTE CLIENT HOST NAME] ] There will be no REMOTE CLIENT HOST NAME when using a console application.
Oracle Encryption	Windows only. Note: After enabling or disabling this feature, you must restart the S-TAP service for the change to take effect, and you must restart the Oracle Monitor Service. 0 = disabled, 1 = enabled; controls the automatic handling of Oracle Encryption. When used, the instance name value must be set in the inspection engine configuration (described later).
SQL Server TAP Decrypted	Windows only. Note: After changing any of these parameters, you must restart the S-TAP service for the change to take effect, and you must restart the MSSQL Monitor Service. Controls the type of automatic decryption applied to the traffic seen by S-TAP: None No automatic decryption. All SQL in SSL traffic will be ignored. All SQL in Kerberos traffic will be seen, but the database user name will be replaced by a string of hexadecimal characters (by Kerberos). Kerberos and SSL Automatically decrypts SSL and maps Kerberos names. Use this option if some traffic of interest uses Kerberos, but does not also use SSL. If both Kerberos and SSL are used for all traffic of interest, use the SSL Only option, below. SSL Only Automatically decrypts SSL traffic. Use this option if all traffic of interest is SSL traffic. In this situation, even if Kerberos authentication is also used, it is of no consequence, because S-TAP obtains all of the information it needs before the message is encrypted, and before Kerberos replaces the real database username.
Kerberos Credentials Mapping	Windows only. Note: After changing this setting, you must restart the S-TAP service for the change to take effect, and you must restart the MSSQL Monitor Service. When Kerberos authentication is used, controls how S-TAP obtains the database user names. If either Sync option (below) is selected, S-TAP will not forward messages to the Guardium appliance until it resolves the real database user name. So in high-message-volume situations, some messages may be lost. When the Async option is used, all messages will be forwarded to the Guardium appliance, but initial sessions for users with new Kerberos tickets will have strings of hexadecimal characters in the database username field until S-TAP resolves the actual database user name. At Startup, Sync During startup processing, S-TAP obtains all authenticated users from the domain controller. This can be time consuming. After all users have been obtained and tabled, S-TAP starts sending data to the Guardium appliance. When it encounters a message from a user it does not recognize, it obtains that database user name as described for On Demand, Sync, below. On Demand, Sync When S-TAP encounters a Kerberos message for an unrecognized user, S-TAP fetches the user name from the domain controller. It does not forward any traffic from that user to the Guardium appliance until it has the actual database user name. On Demand, Async Like the above option, except that messages are not held while waiting to obtain the database user name.
TLS	Use - Mark to use a TLS (encrypted) connection. This applies to both the S-TAP and CAS agents. Before changing this setting, verify that the ports used for this purpose are not being blocked by a firewall between the server and the Guardium appliance. See the Guardium Port Requirements table in the S-TAP Overview. Failover - Mark to indicate that if no TLS connection can be established, a non-TLS connection can be used. Note: Windows only. After changing this setting, you must restart the S-TAP service for the change to take effect.

S-TAP Control Hunter

The Hunter component of S-TAP is not used for Windows servers, and is not used in the recommended Unix S-TAP configuration. It is optionally used by Unix S-TAP, when the TEE monitoring mechanism (rather than the recommended kernel-level monitoring mechanism) is used.

When used, the Hunter component can be configured to report and optionally kill any rogue connections that it discovers on the database server. A rogue connection is any connection that bypasses the TEE mechanism.

Control	Description
Hunt	Identifies any processes to be killed, using the following syntax: db_type:process [,db_type:process] db_type can be: DB2 Informix Oracle Sybase process can be: SHM Shared memory IPv4 Internet Protocol version 4 IPv6 Internet Protocol version 6 FIFO A named pipe IPC mechanism PIPE A simple (unnamed) pipe IPC INET Internet Protocol (HPUX) These values are not case-sensitive, and each entry is separated from the next by a comma. Example: To kill Oracle Bequeath processes, which uses a simple pipe, you would enter: oracle:pipe
Sleep Time	Maximum number of seconds between the randomized starting time of the Hunter’s rogue process search routine. The start time is random to increase the difficulty of defeating it by running in fixed time slots or intervals. The recommended value for sleep time is anywhere between 60 and 300.
DBs	Using a comma separated list, the database types to be reported: DB2 Informix Oracle Sybase

S-TAP Control Change Auditing

The Change Auditing pane of the S-TAP Control panel applies to the CAS (Change Auditing System) agent only. The CAS product is an optional component unrelated to S-TAP, but all Guardium components installed on the database server share a single configuration file.

We recommend that you use the default values for all settings, unless instructed to do otherwise by Guardium Support.

Control	Description
Task Baseline Client Baseline	These files are reserved for future use. The Unix defaults are task_baseline and client_baseline, respectively, and the Windows defaults are the same, but all uppercase characters.
Task Checkpoint Client Checkpoint	These files are used for restart processing. For each of these two file names, there will be a series of files created. Each version of the file will end with a uniqueness number. The Unix defaults are task_checkpoint and client_checkpoint, respectively, and the Windows defaults are the same, but all uppercase characters.
Checkpoint Period	The maximum number of seconds between checkpoints. The default is 60.
Fail Over File	Name of the file to which data is written when the Guardium appliance cannot be reached. During this time, the file may grow to the maximum size specified (see Failover File Size Limit, below). When the limit is reached, a second file will be created, using the same name with the digit 2 appended to the end of the name. (This is the point at which CAS begins trying to connect to a secondary server.) If that file also reaches the maximum size, the first file will be overwritten, and if the first file fills again, the second file will be overwritten. Thus, following an extended outage, you may lose data, but you will have an amount of data up to twice the size of the Failover File Size Limit (see below). The default is fail_over_file.
Fail Over File Size Limit	Failover file maximum size, in KB (the default is 5000). There are two of these files, so the disk space requirement will be twice what you specify here. If you specify -1, there will be no limit on the file size, but we recommend not doing this so that the file size is capped.
Max Reconnect Attempts	After losing a connection to the Guardium appliance, the maximum number of times CAS will attempt to reconnect. Set this value to -1 to remove any maximum (CAS will attempt to reconnect indefinitely). The default is 5000 times, so using the default reconnect interval (see below), this is about 3.5 days. After the maximum has been met, CAS will continue to run, writing to the failover files, as described above, but it will not attempt to reconnect with a host.
Reconnect Interval	Number of seconds between reconnect attempts (60). See the description of the reconnection process, above.
Raw Data Limit	Maximum number of kilobytes written for an item when the Keep data checkbox is marked in the item template (1000). If you specify -1, there will be no limit.
Md5 Size Limit	Maximum size of a data item, above which the MD5 checksum calculation will not be performed (1000). If you specify -1, there will be no limit.

S-TAP Control Application Server User Identification

The Application Server User Identification pane is used by the End-user Application ID Monitoring product. Contact Guardium Sales or Support if you want more information about the End-user Application ID Monitoring product.

Control	Description
Session Timeout	Number of minutes for a timeout. Default is 1800.
Ports	Application server ports. Use commas to separate entries, or hyphens for inclusive ranges. The default is 8080.
Login Pattern	Pattern used to identify a user login.
Username Prefix	Start of user name in the Post/Get data.
Username Postfix	End of user name in the Post/Get data.
Session Pattern	Pattern used to identify a new session.
Session Prefix	Start of session ID in the Post/Get data.
Session Postfix	End of session ID in the Post/Get data.
Session ID Pattern	Pattern used to identify an existing session.
Session ID Prefix	Start of session ID in the Post/Get data.
Session ID Postfix	End of session ID in the Post/Get data.

S-TAP Control Guardium Hosts

This pane lists all Guardium appliances defined as hosts for the S-TAP. In many cases only a single appliance will be defined as the host for an S-TAP. Additional hosts can be defined to provide a fail over capability. Guardium S-TAP hosts are referred to using three terms:

Term	Guardium Host
Active Host	The host to which this S-TAP is currently connected. If you want to modify the S-TAP configuration from the Guardium administrator console, you must be logged into the active host. Usually, the active host will be the primary host (see below).
Primary Host	The preferred Guardium appliance to received data from (and control) this S-TAP. This is the host that the S-TAP attempts to connect with each time that the S-TAP restarts, or following a lost connection to the current active host.
Secondary Host	If multiple Guardium appliances are defined as hosts for the S-TAP, any appliance not designated as the primary host is a secondary host. If the S-TAP loses its connection to the active host, and it cannot re-connect to the primary host, it will attempt to connect to a secondary host, in the order listed. When you are logged into the administrator console of a secondary host, you can view the S-TAP configuration, but you cannot edit it unless that host is also the active host at that moment.

In the S-TAP Configuration panel, the Guardium Host pane contains the controls described in the table below. Note that the buttons shown are available only in the S-TAP Configuration panel (and not in the S-TAP Control panel):

Control	Description
Active	A check mark in this column indicates the active host (see above).
Guardium Host	Identifies a Guardium appliance using either the IP address or the symbolic host name.
	Delete. Click to delete the associated host. This control does not appear on the active host row.
	Move down. Click to move the associated host one position down in the list.
	Move up. Click to move the associated host up one row in the list.
	Set primary. Move this host to the top of the list (designating it as the primary host).

Define Secondary Guardium Hosts for an S-TAP

Before defining a secondary host, be sure that you understand how secondary hosts are used. See Secondary Guardium hosts for S-TAP agents in the overview.

To define a secondary host:

Open the S-TAP configuration for editing.
In the S-TAP Configuration panel, click the button beside Guardium Hosts to expand the S-TAP Control Guardium Hosts pane.

The first host listed is the primary host for the S-TAP. Following any outage or restart, S-TAP attempts to connect to the primary host first.

Enter the IP address of the secondary Guardium host in the text box.
Click the Add button.
Optional. To change the host designated as the primary host (the first in the list), or to change the order of secondary hosts, do one of the following:

Click (Down) or (Up) beside each host to reorder the list.

To designate any secondary host as the primary host, click (Set Primary) in the right-most column for that host. This will move that host all the way to the top of the list.

Optional. To remove a secondary host, click its (Remove) button. You cannot remove the active host.
When you are done, click the Apply button at the bottom of the S-TAP Configuration panel.

Note: If you have changed the primary host, and you want the S-TAP to begin using the new primary host right away, and this is a Windows server, you will need to restart the GUARD_STAP service. (Restarting the service ins not required on Unix servers.)

S-TAP Control Inspection Engines

The layout of the Inspection Engines pane varies depending on the server operating system, the database protocol, and for Unix systems, whether the K-Tap or TEE mechanism is being used.

Caution: Do not configure an S-TAP inspection engine to monitor network traffic that is also monitored directly by a Guardium appliance that is hosting the S-TAP, or by another S-TAP reporting to the same Guardium appliance. If that happens, the Guardium appliance will receive duplicate information, will not be able to reconstruct sessions, and will ignore that traffic.

Each control in the Inspection Engines pane is described in the table below. Some controls apply to Unix or Windows only.

Control	Description
Protocol	The type of database server being monitored (FTP, DB2, Informix, Oracle, Sybase, MSSQL, Named Pipes, Windows File Share, Mysql, or Kerberos).
Port Range	The range of ports monitored for this database server. There is usually only a single port in the range. For a Kerberos inspection engine, this value should always display as 88-88. If a range is used, do not include extra ports in the range, as this may result in excessive resource consumption while the S-TAP attempts to analyze unwanted traffic.
TEE Listen Port Real Port	Not used for Windows. Under Unix, replaced by the KTAP DB Real Port when the K-Tap monitoring mechanism is used. Required when the TEE monitoring mechanism is used. The Listen Port is the port on which S-TAP listens for and accepts local database traffic. The Real Port is the port onto which S-TAP forwards traffic.
KTAP DB Real Port	Not used for Windows. Under Unix, used only when the K-Tap monitoring mechanism is used. Identifies the database port to be monitored by the K-Tap mechanism.
Client IP/Mask	A list of Client IP addresses and corresponding masks to specify which clients to monitor. If the IP address is the same as the IP address for the database server, and a mask of 255.255.255.255 is used, only local traffic will be monitored. An address/mask value of 1.1.1.1/0.0.0.0 will monitor all clients. When editing the list, to create an additional Client IP/Mask entry, click the (Add) button. To delete the last Client IP/Mask entry, click the (Remove) button.
Exclude Client IP/Mask	A list of Client IP addresses and corresponding masks to specify which clients to exclude. This option allows you to configure the S-TAP to monitor all clients, except for a certain client or subnet (or a collection of these) When editing the list, to create an additional Exclude Client IP/Mask entry, click the (Add) button. To delete the last Exclude Client IP/Mask entry, click the (Remove) button.
Connect to IP	The IP address for S-TAP to use to connect to the database. Some databases accept local connection only on the “real” IP of the machine, and not on the default (127.0.0.1).
DB Install Dir	Unix only. DB2 or Informix: Enter the full path name for the database installation directory. For example: /home/oracle10 All other database types: enter NULL.
Process Names	For a Windows Server: For Oracle or MS SQL Server only, when named pipes are used. For Oracle, the list usually has two entries: oracle.exe,tnslsnr.exe. For MS SQL Server, the list is usually just one entry: sqlservr.exe. For a Unix Server: For a DB2, Oracle, or Informix database, enter the full path name for the database executable. For example: /home/oracle10/prod/10.2.0/db_1/bin/oracle For all other database types, enter NULL.
Named Pipes	Windows only. Specifies the name of the named pipe used by MS SQL Server for local access. If a named pipe is used, but nothing is specified here, S-TAP will attempt to retrieve the named pipe name from the registry.
Instance Name	The database instance name is required for: MS SQL Server 2005 using encryption, or MS SQL Server using Kerberos Authentication (MSSQLSERVER is the default) Oracle using database encryption (there is no default)
DB2 Shared Memory	The following three fields apply only when DB2 is selected as the database type. If shared memory connections are monitored, the following three parameters must be set. See DB2 Linux S-TAP Configuration Parameters, below for detailed instructions.
Adjustment	Default is 20. See DB2 Linux S-TAP Configuration Parameters, below.
Client Position	Default is 61440. See DB2 Linux S-TAP Configuration Parameters, below.
Size	Default is 131072.See DB2 Linux S-TAP Configuration Parameters, below.
	Available on the Configuration panel only. When adding an inspection engine, be sure to click the Add button in the Add Inspection Engine pane before clicking the Apply button at the bottom of the Configuration panel.

DB2 Linux S-TAP and A-Tap Configuration Parameters

The DB2-specific S-TAP and A-Tap parameters apply only when all of the following conditions are met:

The DB2 server is running under Linux.
The K-Tap monitoring mechanism is installed.
Clients connect to DB2 using shared memory.

The DB2-specific S-TAP parameters are set on the Inspection Engine definition panel..

Set the Position parameter value according to the shared memory size used by db2bp, as follows:

Position=61440 (if db2bp uses 131072)

Position=671744 (if db2bp uses 327680)
Position=1064960 (if db2bp uses 524288)

If you do not know the shared memory size used by db2bp, follow the procedure outlined below.

How to find the db2 shared memory offsets

The following table summarizes the required parameters used both for S-TAP and A-Tap when configured to monitor DB2 shared memory on Linux.

Parameter	S-TAP Name	A-Tap Name	Default Value	Comments
Packet header size	db2_fixed_pack_adjustment	db2_header_offset	20	Default value is tested for DB2 8.2 and newer on various 64-bit platforms. Other versions of DB2 and 32-bit platforms may need a different offset. Typical values are 16 and 12.
Client I/O area offset	db2_shmem_client_position	db2_c2soffset	61440	This parameter is derived from ASLHEAPSZ DB2 parameter. See bellow a command that may be used to compute it.
DB2 shared memory segment size	db2_shmem_size	db2_shmsize	131072	This parameter is determined empirically. See a sequence of commands that may be used to get it, below.

Guardium provides a shared library that can be used to determine the values for the DB2-specific parameters. The basic approach is that you run the shared library with a DB2 client, and run some sample SQL commands. After you disconnect from the database, the shared library determines the parameter values to be used, and writes them to a text file.

First verify that a local client can connect via shared memory

Log in to the db2 user.
Enter the echo $SHELL command to determine which shell is used.
If that user doesn't use the bash shell, run a bash shell.
Run the db2sql92 command. On DB9.1, the db2sql92 utility may not be available. In that case, see Get values using the db2 command, below.
Connect to the database using shared memory, and verify that you can submit queries and receive replies. The parameters for db2sql92 to connect with shared memory will vary, depending on your local installation. Verify with the DBA that you actually connected via shared memory. If you connect in any other way, the shared library will not be able to determine the parameter values.

Get values using the db2sql92 command (preferred method)

Run the following command:

LD_PRELOAD=<install_dir><offset_finder> db2sql92 <db2sql_parameters>

Where:

install_dir is the S-TAP installation directory (/usr/local/guardium/guard_stap by default)
offset_finder is either of the following depending on whether the Linux server is a 32 or 64-bit system:

find_db2_offset.so (for 32-bits)
find_db2_offset64.so (for 64 bits)

db2sql_parameters are the parameters for -d sample is acceptable for your Run the following command:

For example:

LD_PRELOAD=/usr/local/guardium/guard_stap/find_db2_offset.so db2sql92 -d sample

You should receive output that looks something like this:

Tracking IPC operation

SQL authorization ID = DB2INST2?

Local database alias = SAMPLE

Running in Embedded Dynamic mode.

---------------------------------------------

DB2SQL92 >

At the DB2SQL92 prompt, submit several erroneous queries. For example, repeat the following command three times ():

DB2SQL92 > select * from my_mistake;

You will receive error messages in response to each invalid command.

Enter the quit command:

DB2SQL92> quit

Check the /tmp directory for files named in the form guard_db2_offset.nnnn, where nnnn is a numeric variable.
Display the contents of any such file in the /temp directory. It will contain the two parameters you need to include in the S-TAP configuration file. If there are multiple files, look for the one containing non-zero values. For example:

db2_shmem_client_position=61440

db2_fix_pack_adjustment=16

Get values using the db2 command (if db2sql92 is not available)

Open a new bash shell as the db2 instance user. Make sure the db2bp command processor is not currently running for this new shell. To check for that, run ps -x. You should not see a command called db2bp running. If it does, either kill it or run a new shell.
Run the following two commands:

export LD_PRELOAD=/usr/local/guardium/guard_stap/find_db2_offset.so

db2

Once in the command shell, connect to a sample database; for example:

connect to sample

Enter a few select statements, and then terminate the session; for example:

select count(*) from sysibm.tables

select count(*) from sysibm.columns

terminate

After the db2 program exits, run the following command to cancel the previous LD_PRELOAD:

export LD_PRELOAD=

Check the /tmp directory for files named in the form guard_db2_offset.nnnn, where nnnn is a numeric variable.
Display the contents of any such file in the /temp directory. It will contain the two parameters you need to include in the S-TAP configuration file. If there are multiple files, look for the one containing non-zero values. For example:

db2_shmem_client_position=61440

db2_fix_pack_adjustment=16

Alternative Technique for Finding Values of db2_shmem_client_position

Run the following commands:

Open a new bash shell as the db2 instance user.
Run the ps -x command to verify that the db2bp command processor is not currently running for this shell. You should not see a command called db2bp running. If it does, either kill it or run a new shell.
Run the following two commands:

db2 get database manager configuration | awk '/ASLHEAPSZ/{print $9 * 4096}'

The output is the required value for db2_shmem_client_position.

Alternative Technique for Finding Values of db2_shmem_size

The following sequence of commands can help to determine the shared memory segment size.

Note: ipcs command parameters and output format differ from platform to platform. The following script is based on the AIX version.

ipcs -ma | sort -n -2 +3 > /tmp/before.txt

db2 connect to <some_existing_database>

ipcs -ma | sort -n -2 +3 > /tmp/after.txt

db2 terminate

diff /tmp/before.txt /tmp/after.txt | awk '{if ($10 == 2) print $11}'

Reload Last Good Configuration

After changing an S-TAP configuration, you may notice its status light in the S-TAP Control panel turn yellow. A yellow light means that there is a mismatch between the configuration on the appliance and the configuration on the S-TAP. A temporary yellow light is acceptable, as it takes some time for the S-TAP to receive and approve the new configuration. If the yellow light persists, it usually means that the S-TAP did not accept the new configuration and reverted back to the last known good configuration.

When an error has occurred, you can review the errors by opening the S-TAP Events panel in a separate window by clicking the Show S-TAP Event Log button . In most cases the event log will contain error messages indicating what was wrong with the new configuration. See Viewing the S-TAP Events Panel for a description of error messages.

If you just attempted to apply a new configuration containing an error, the configuration displayed in the S-TAP Control panel will be the one containing that error. To reload the last good configuration from the S-TAP host back to the appliance, click (Refresh S-TAP Information) in the S-TAP Control panel.