GuardAPI S-TAP Functions

create_stap_inspection_engine

Add an inspection engine to the specified S-TAP. S-TAP configurations can be modified only from the active Guardium host for that S-TAP, and only when the S-TAP is online.

Parameters

Parameter

Description

stapHost

Required. The host name or IP address of the database server on which the S-TAP is installed.

protocol

Required. The database protocol, which must be one of the following:

db2

Informix

oracle

Sybase

Mysql

ftp

windows file share

kerberos

Windows S-TAP hosts can also use the following protocols:

mssql

named pipes

portMin

Required (integer). Starting port number of the range of listening ports configured for the database. (Most often there is only - do not use large inclusive ranges, as this will degrade performance of the S-TAP.)

portMax

Required (integer). Ending port number of the range of listening ports for the database (see the note above).

teeListenPort

teeRealPort

Optional (integer). Not used for Windows. Under Unix, replaced by the KTAP DB Real Port when the K-Tap monitoring mechanism is used. Required when the TEE monitoring mechanism is used. The Listen Port is the port on which S-TAP listens for and accepts local database traffic. The Real Port is the port onto which S-TAP forwards traffic.

connectToIP

Optional (integer). The IP address for S-TAP to use to connect to the database. Some databases accept local connection only on the “real” IP of the machine, and not on the default (127.0.0.1).

client

Required. A list of Client IP addresses and corresponding masks to specify which clients to monitor. If the IP address is the same as the IP address for the database server, and a mask of 255.255.255.255 is used, only local traffic will be monitored. A client address/mask value of 1.1.1.1/0.0.0.0 will monitor all clients. (See the example below.)

exclude

Optional. A list of Client IP addresses and corresponding masks to specify which clients to exclude. This option allows you to configure the S-TAP to monitor all clients, except for a certain client or subnet (or a collection of these).

procNames

For a Windows Server: For Oracle or MS SQL Server only, when named pipes are used. For Oracle, the list usually has two entries: oracle.exe,tnslsnr.exe. For MS SQL Server, the list is usually just one entry: sqlservr.exe.

namedPipe

Windows only. Specifies the name of a named pipe. If a named pipe is used, but nothing is specified here, S-TAP retrieves the named pipe name from the registry.

ktapDbPort

Optional (integer). Not used for Windows. Under Unix, used only when the K-Tap monitoring mechanism is used. Identifies the database port to be monitored by the K-Tap mechanism.

dbInstallDir

Unix only. Enter the full path name for the database installation directory. For example: /home/oracle10

procName

For a Unix Server: For a DB2, Oracle, or Informix database, enter the full path name for the database executable. For example:

/home/oracle10/prod/10.2.0/db_1/bin/oracle

db2SharedMemAdjustment

db2SharedMemClientPosition

db2SharedMemSize

These three parameters are used for a DB2 inspection engine, only under the following conditions:

  • The DB2 server is running under Linux.

  • The K-Tap monitoring mechanism is installed.

  • Clients connect to DB2 using shared memory.

When these parameters are used, grdapi only verifies that the protocol (see above) is db2; it does not verify that the above conditions have been met.

See the DB2 Linux S-TAP Configuration Parameters topic in the S-TAP Help book for a detailed explanation of how to use these parameters.

instanceName

Optional (string). Used only for mssql or oracle encrypted traffic. Either the MSSQL or ORACLE encryption flag must be turned on before this parameter can be used.

Example

grdapi create_stap_inspection_engine stapHost=192.168.2.118 protocol=Oracle portMin=1521 portMax=1521 dbInstallDir=/data/oracle10 procName=/data/oracle10/oracle/product/10.2.0/db_1/bin/oracle client=192.168.0.0/255.255.0.0 ktapDbPort=1521  
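The client and exclude values are address/mask pairs, so a client can be left unmonitored without anyone noticing. The Python below is an added example, not part of GuardAPI or of the original page, that checks which expected client addresses a client/exclude combination would leave out. It assumes ordinary bitwise netmask matching and that an exclude entry takes precedence over a client entry; the inventory and the exclude entry are constructed.

```python
import ipaddress

def _as_int(addr):
    return int(ipaddress.IPv4Address(addr))

def matches(ip, entry):
    """True if ip is covered by one 'address/mask' entry of client= or exclude=.
    Assumption: the mask is an ordinary netmask applied with bitwise AND."""
    addr, mask = entry.split("/")
    m = _as_int(mask)
    return (_as_int(ip) & m) == (_as_int(addr) & m)

def describe(entry, server_ip):
    """Classify an entry using the two special cases the parameter table names."""
    addr, mask = entry.split("/")
    if _as_int(mask) == 0:
        return "all clients"
    if mask == "255.255.255.255" and addr == server_ip:
        return "local traffic only"
    return "subnet or single host"

def is_monitored(ip, clients, excludes=()):
    """Assumption: an exclude entry wins over any client entry."""
    if any(matches(ip, e) for e in excludes):
        return False
    return any(matches(ip, c) for c in clients)

def coverage_gaps(expected, clients, excludes=()):
    """Client addresses that should be audited but would not be monitored."""
    return [ip for ip in expected if not is_monitored(ip, clients, excludes)]

# Constructed inventory of application servers; the client list is the one
# from the example command above, the exclude entry is hypothetical.
SERVER = "192.168.2.118"
EXPECTED = ["192.168.2.118", "192.168.40.7", "10.1.5.9"]
CLIENTS = ["192.168.0.0/255.255.0.0"]
EXCLUDES = ["192.168.40.0/255.255.255.0"]

if __name__ == "__main__":
    for c in CLIENTS:
        print(c, "->", describe(c, SERVER))
    print("gaps without exclude:", coverage_gaps(EXPECTED, CLIENTS))
    print("gaps with exclude:   ", coverage_gaps(EXPECTED, CLIENTS, EXCLUDES))
```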

Error Codes

ERR    Description

401    Could not retrieve stap - invalid host

403    Cannot add Inspection Engine - Stap is not active

404    Cannot add Inspection Engine - Invalid protocol

405    Cannot add Inspection Engine - Client Ip/Mask are required

406    Cannot add Inspection Engine - Validation error:

407    Configuration rejected by stap - see stap event log for details

408    Cannot add Inspection Engine - must specify a value for protocol

409    Cannot add Inspection Engine - for ktap, must specify a value for ktapDbPort

       Cannot add Inspection Engine - for tee, must specify a value for teeRealPort

410    Cannot add Inspection Engine - for ktap, must specify a value for ktapDbPort

411    Cannot add Inspection Engine - to use instanceName for MSSQL, you need to set SQL Server TAP Decrypted to Kerberos and SSL or SSL Only

412    Cannot add Inspection Engine - to set instanceName for ORACLE, you need to check Oracle Encryption

413    Cannot add Inspection Engine - can set instanceName only for oracles running on windows

414    Cannot add Inspection Engine - can set instanceName only for ORACLE running on windows and MSSQL

list_inspection_engines

Display the properties of all S-TAPs on the specified host, optionally for a specific database type only.

Parameters

Parameter

Description

stapHost

Required. The host name or IP address of a database server on which S-TAPs are installed (and configured to report to this Guardium appliance).

type

Optional. If used, inspection engines for the specified database type only will be listed. Type must be one of the following:

db2

informix

mssql

mssql-np

oracle

sybase

Example

g9.guardium.com> grdapi list_inspection_engines stapHost=192.168.2.33 type=oracle

ID=20162

Stap Host: 192.168.2.33 - Not Active

oracle Inspection Engines:

         name =ORACLE2

         type =ORACLE

         connect to IP=127.0.0.1

         install dir = /home/oracle10

         exec file = /home/oracle10/product/10.2.0/db_1/bin/oracle-guard

         instance name = MSSQLSERVER

         encrypted = no

         port range = 1521 - 1521

tee listen port = null, tee rel port = 1521

                 client = 127.0.0.1/255.255.255.255

                 client = 192.168.0.0/255.255.0.0

         name =ORACLE3

         type =ORACLE

         connect to IP=127.0.0.1

         install dir = /home/oracle9

         exec file = /home/oracle9/bin/oracle

         instance name = MSSQLSERVER

         encrypted = no

         port range = 1521 - 1521

ok  
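The listing above can be checked mechanically when reviewing monitoring coverage. The Python below is an added example, not Guardium code and not from the original page: it parses this output format and flags a host that is not reported as Active, port ranges wider than one port, and engines that list no client entries. The sample text is constructed from the output above; the "Active" status string and the one-port threshold are assumptions.

```python
import re

# Constructed input: the listing from the example above, cut down to the fields parsed here.
SAMPLE = """\
ID=20162
Stap Host: 192.168.2.33 - Not Active
oracle Inspection Engines:
         name =ORACLE2
         port range = 1521 - 1521
tee listen port = null, tee rel port = 1521
                 client = 127.0.0.1/255.255.255.255
                 client = 192.168.0.0/255.255.0.0
         name =ORACLE3
         port range = 1521 - 1521
ok
"""

def parse_listing(text):
    """Return (host, status, engines) parsed from list_inspection_engines output."""
    host, status, engines = None, None, []
    for line in (raw.strip() for raw in text.splitlines()):
        m = re.match(r"Stap Host:\s*(\S+)\s*-\s*(.+)$", line)
        if m:
            host, status = m.group(1), m.group(2).strip()
        elif "=" in line and not line.startswith("tee "):
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "name":  # each "name =" line starts a new engine
                engines.append({"name": value, "clients": []})
            elif engines and key == "client":
                engines[-1]["clients"].append(value)
            elif engines and key == "port range":
                engines[-1]["ports"] = tuple(int(p) for p in value.split("-"))
            elif engines:
                engines[-1][key] = value
    return host, status, engines

def audit(text, max_ports=1):
    """Findings worth a look before relying on the host's monitoring."""
    host, status, engines = parse_listing(text)
    findings = []
    if status != "Active":  # assumption: a healthy host is reported as "Active"
        findings.append(f"{host}: reported as {status}")
    for e in engines:
        lo, hi = e.get("ports", (0, 0))
        if hi - lo + 1 > max_ports:
            findings.append(f"{e['name']}: wide port range {lo}-{hi}")
        if not e["clients"]:
            findings.append(f"{e['name']}: no client entries listed")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```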

Error Codes

ERR    Description

401    Could not retrieve stap - invalid host

402    Could not retrieve stap Inspection Engines

list_staps

Display the database servers from which S-TAPs report to this Guardium appliance, optionally listing only the servers having S-TAPs for which this Guardium appliance is the active host (i.e. the one to which the S-TAP is sending data and the one from which the S-TAP configuration can be modified).

Parameters

Parameter

Description

onlyActive

Required (boolean). Enter true to only list hosts having S-TAPs for which this appliance is the active host. Enter false to list all hosts on which S-TAPs have been configured to use this Guardium appliance as either a primary or secondary host.

Example

g9.guardium.com> grdapi list_staps onlyActive=false

ID=0

staps:

stap host = FALCON

stap host = 192.168.2.33

stap host = 192.168.2.173

stap host = 192.168.2.248

stap host = jumbo

ok  

Error Codes

ERR    Description

400    Could not retrieve staps

remove_stap_inspection_engine

Remove an S-TAP inspection engine. This Guardium appliance must be the active host for the S-TAP from which the inspection engine will be removed.

Parameters

Parameter

Description

stapHost

Required. The host name or IP address of the database server on which the S-TAP is installed.

type

Required. Identifies the type of inspection engine to be removed. Type must be one of the following:

db2

informix

mssql

mssql-np

oracle

sybase

sequence

Required (integer). The sequence number of the inspection engine to be removed within the set of inspection engines of the specified type. We suggest you use the grdapi list_inspection_engines command with the type option first, to verify the sequence number of the inspection engine to be removed.

Example

grdapi remove_stap_inspection_engine stapHost=192.168.2.118 type=Oracle sequence=1  

Error Codes

ERR    Description

401    Could not retrieve stap - invalid host

403    Cannot remove Inspection Engine - Stap is not active