Obtain the IP address of the database server or domain controller on which you are installing S-TAP. If virtual IPs are used, note all of those as well.
Obtain the IP address of the Guardium appliance that will control this S-TAP.
If there is a firewall between the Guardium appliance and the database server, verify that the ports used for connections between those components are not being blocked. See Guardium Port Requirements, in the S-TAP Installation Overview.
Check the S-TAP Prerequisites topic in the S-TAP Installation Overview to see if any additional software components must be installed or configured in a particular way for S-TAP.
Decide if you want to install the CAS (Change Audit System) agent, so that you can respond appropriately when running the installation wizard. If you are uncertain, you can install CAS later without having to re-install S-TAP.
If you will be monitoring an MS SQL Server 2005 database, or any prior version of SQL Server that uses encrypted authentication or Kerberos ticketing, see MS SQL Server Encryption and Kerberos, below.
We strongly recommend that you take the defaults for all other options suggested by the wizard. All of those items can be configured more easily later, from the Guardium administrator portal.
If installing S-TAP on a single system from a CD, proceed to Install Windows S-TAP, below.
If installing S-TAP on one or more Windows systems from the command line, proceed to Install Windows S-TAP from the Command Line, below.
Log on to the database server system using a system administrator account.
Insert the S-TAP installation disk in the CD drive and follow the installation instructions provided by the wizard.
If you are installing S-TAP on a Domain Controller to capture Kerberos traffic, choose Custom Installation, and clear the checkboxes for all drivers except for the Kerberos driver, which is the only S-TAP driver you should install on a Domain Controller.
If this S-TAP will monitor MS SQL Server encrypted traffic, or Oracle encrypted traffic, the S-TAP service must be started after the appropriate encryption service: Mssql Monitor Service or Oracle Monitor Service, but prior to the database service. In these cases, dependencies should be defined such that the components start in the following order:
Monitor (encryption service)
S-TAP
Database service
You must reboot all instances of the databases to be monitored on the database server, before any local traffic will be captured.
Complete the S-TAP configuration from the administrator portal. See Configure S-TAPs from the GUI.
This feature is intended for users who are familiar with S-TAP. The same procedure also handles upgrades of Windows S-TAP from 6.1 to 7.0.
Log on to a Windows system from which the database server can be accessed.
Change to the directory containing the S-TAP setup program.
Run the setup program (see Windows setup Program, immediately below).
If this S-TAP will monitor MS SQL Server encrypted traffic, or Oracle encrypted traffic, the S-TAP service must be started after the appropriate encryption service: Mssql Monitor Service or Oracle Monitor Service. In these cases, dependencies should be defined such that:
The encryption service starts only if the database service has started.
S-TAP starts only if the encryption service has started.
Perform this step only if upgrading S-TAP. Perform a full machine restart of the database server.
Verify that the S-TAP is online, and complete the S-TAP configuration from the administrator portal of the Guardium appliance to which this S-TAP reports. See Configure S-TAPs from the GUI.
Use the setup command to install Windows S-TAP from the command line. The syntax is:
setup /s /z"<key>;<install_dir>;<install_table_file>;<options>"
Where:
"..." - The complete set of /z arguments is enclosed in double-quote characters.
; (semi-colon) - Each argument is separated from the next by a semi-colon character.
key - A string value used to identify a line in the install_table_file described below. (There will be one line for each S-TAP.)
install_dir - Identifies the program directory into which the S-TAP agent will be installed.
install_table_file - Full network path name of the install table file, which must be accessible from all database server machines on which S-TAP will be installed (from the command line). This must be a text file, with fields separated by spaces, and it must have Unix-format line separator characters (\n).
Each line of the install table file contains a key, and relates a database server to a Guardium appliance. Each line must have the format:
<key> <server ip | hostname> <guard ip | hostname>
key - Identifies a line in the file (used by the setup command - see above).
server ip or hostname - The IP address or host name of the database server on which S-TAP will be installed.
guard ip or hostname - The IP address or host name of the Guardium appliance to which this S-TAP will report.
options - Each option is separated from the next by one or more spaces. Each option is in the form keyword=value, where the value can be 1 (TRUE), or 0 (FALSE). All keywords are optional, with defaults as indicated in the table below.
Keyword             Default   Description
MSSQLSharedMemory   TRUE      Install the MS SQL Server shared memory driver to monitor MS SQL Server traffic via shared memory.
DB2SharedMemory     FALSE     Install the DB2 shared memory driver to monitor DB2 traffic via shared memory.
TLS                 FALSE     Use a secure (encrypted) connection for all communication with the Guardium appliance.
failoverTLS         FALSE     Applies only if TLS (above) is true. If no TLS connection can be made, attempt to connect over a non-secure connection. Note that this silently downgrades the agent-to-appliance link to cleartext whenever the TLS connection fails.
CAS                 TRUE      Install the CAS agent. (It can be installed later, without having to uninstall or re-install S-TAP.)
NamedPipes          TRUE      Install the Named Pipes driver to monitor local traffic over named pipes.
Lhmon               TRUE      Install the LHmon driver to monitor local TCP traffic.
LhmonForNetwork     FALSE     Use LHmon to monitor network TCP traffic.
NoStap              FALSE     Do not install S-TAP. Set this to true if installing CAS at a later date (after S-TAP has been installed).
START               TRUE      Start the S-TAP and/or CAS service after installation.
Assume that the following configuration table file:
\\192.168.1.201\shareFolder\stap_configuration
Contains the following two entries:
robin 192.168.1.201 guardBox1
eagle 192.168.2.22 guardBox2
The following command installs S-TAP on the server with IP address 192.168.2.22. The Guardium appliance it will attempt to connect with is named guardBox2. An encrypted TLS connection will be used (TLS enabled), and all other options will use the default settings. The actual command contains no line breaks:
setup /s /z"eagle;c:\program files\guardium\guardium_stap;\\192.168.1.201\shareFolder\stap_configuration TLS=1"
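The command-line install described above, worked through as an added example (illustrative Python written for this page, not Guardium's own tooling): it parses an install table file, checks the constraints the page states (Unix line separators, exactly three space-separated fields per line, one line per key), validates keyword=value options against the table of defaults, and assembles the setup command. It follows the documented syntax, joining the options to the install table path with a semicolon; the page's own example uses a space there, so confirm which form your setup program accepts before relying on the generated line. The sample table contents are the robin/eagle entries from the example above; the rejection of failoverTLS=1 without TLS=1 is an added sanity check, not a setup rule.

```python
"""Added example (not Guardium code): build and sanity-check a Windows S-TAP
command-line install from an install table file and keyword=value options."""
from typing import Dict, Tuple

# Option keywords and defaults as listed in the options table on this page;
# 1 means TRUE and 0 means FALSE.
OPTION_DEFAULTS: Dict[str, int] = {
    "MSSQLSharedMemory": 1, "DB2SharedMemory": 0, "TLS": 0, "failoverTLS": 0,
    "CAS": 1, "NamedPipes": 1, "Lhmon": 1, "LhmonForNetwork": 0,
    "NoStap": 0, "START": 1,
}

# Constructed copy of the two-line install table from the page's example.
SAMPLE_TABLE = "robin 192.168.1.201 guardBox1\neagle 192.168.2.22 guardBox2\n"


def to_unix_newlines(text: str) -> str:
    """Convert CRLF (what most Windows editors write) to the LF separators
    the install table file requires. Run this before copying it to the share."""
    return text.replace("\r\n", "\n").replace("\r", "\n")


def parse_install_table(text: str) -> Dict[str, Tuple[str, str]]:
    """Parse install table contents into {key: (server, guard)}.

    Rejects carriage returns (the file must use \\n separators), lines without
    exactly three space-separated fields, and duplicate keys, because setup
    selects a line by key and a duplicate makes that selection ambiguous."""
    if "\r" in text:
        raise ValueError("install table must use Unix (\\n) line separators")
    table: Dict[str, Tuple[str, str]] = {}
    for lineno, line in enumerate(text.split("\n"), start=1):
        if not line.strip():
            continue  # tolerate a trailing newline or a blank line
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected '<key> <server> <guard>', got {line!r}")
        key, server, guard = fields
        if key in table:
            raise ValueError(f"line {lineno}: duplicate key {key!r}")
        table[key] = (server, guard)
    return table


def effective_options(**options: int) -> Dict[str, int]:
    """Merge explicit options over the documented defaults.

    Rejects unknown keywords and values other than 0/1. Also rejects
    failoverTLS=1 without TLS=1 (an added sanity check: the page says
    failoverTLS applies only when TLS is true, so the combination is almost
    certainly a mistake)."""
    merged = dict(OPTION_DEFAULTS)
    for keyword, value in options.items():
        if keyword not in OPTION_DEFAULTS:
            raise ValueError(f"unknown option keyword {keyword!r}")
        if value not in (0, 1):
            raise ValueError(f"{keyword}: value must be 1 (TRUE) or 0 (FALSE), got {value!r}")
        merged[keyword] = value
    if merged["failoverTLS"] == 1 and merged["TLS"] == 0:
        raise ValueError("failoverTLS=1 has no effect unless TLS=1")
    return merged


def build_setup_command(key: str, install_dir: str, table_path: str,
                        table_text: str, **options: int) -> str:
    """Return the setup command line for one S-TAP install.

    The key is checked against the table contents here, before anything runs
    on the database server. Only explicitly given options are emitted, so all
    others keep their defaults. Arguments inside /z"..." are joined with
    semicolons, as the documented syntax states."""
    table = parse_install_table(table_text)
    if key not in table:
        raise KeyError(f"key {key!r} not found in install table {table_path}")
    effective_options(**options)  # validate; emit only what the caller set
    parts = [key, install_dir, table_path]
    if options:
        parts.append(" ".join(f"{k}={v}" for k, v in options.items()))
    return 'setup /s /z"' + ";".join(parts) + '"'


if __name__ == "__main__":
    server, guard = parse_install_table(SAMPLE_TABLE)["eagle"]
    print(f"eagle: S-TAP on {server}, reporting to {guard}")
    print(build_setup_command(
        "eagle",
        r"c:\program files\guardium\guardium_stap",
        r"\\192.168.1.201\shareFolder\stap_configuration",
        SAMPLE_TABLE,
        TLS=1,
    ))
```

Generate the table and command on the administrative workstation, run the checks, and only then copy the table to the network share and execute the setup line on the database server; a CRLF table or a mistyped key is caught here rather than after a silent install.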
After version 7.0 of Windows S-TAP has been installed, an upgrade can be performed using the setup program, as follows:
Log on to the database server system using a system administrator account.
Change to the directory containing the S-TAP setup program.
Run the setup program with the following options:
setup /s /z"UPGRADE"
A full machine restart is required if the upgrade updates driver files.
If a full restart is not required, restart the S-TAP service.
This procedure removes the installed S-TAP product while making sure the configuration file is saved for future use. If you simply want to uninstall the product and do not need the configuration file, skip the step that copies guard_tap.ini.
Log on to the database server system using a system administrator account.
Copy the current S-TAP configuration file to a safe location (a “non-Guardium” directory). It is located in the \Windows\System32 directory, and is named guard_tap.ini.
From the Services control panel, stop the GUARDIUM_STAP and GUARDIUM_TEE services if they are running. (Typically, the GUARDIUM_TEE service will not be running.)
From the Add/Remove Programs control panel, remove GUARDIUM_STAP.
Reboot the database server. (Do not skip this step.)
There are several methods for dealing with encryption and Kerberos. All of them can be configured after installing the S-TAP agent, but one method (not the preferred one) requires that an S-TAP agent be installed on the domain controller, so be aware of which method will be used before installing S-TAP agents.
MS SQL Server encryption and Kerberos authentication are widely used in the MS SQL Server environment. In some cases, one or both options (encryption and/or Kerberos authentication) may be used by default, and most users will be unaware of that fact.
If you are missing MS SQL Server traffic, it may be encrypted, and without decrypting that traffic, Guardium will not recognize sessions.
If you are seeing MS SQL Server traffic, but where you expect to see database usernames you are seeing strings of hexadecimal characters, Kerberos authentication is being used.
For the sake of simplicity, we will refer to the hexadecimal character strings that appear in the username field as Kerberos names. These are not permanent substitutions for database usernames, so it is not a simple matter of creating a one-time mapping; Guardium needs to maintain a dynamic mapping of Kerberos names to actual database usernames by constantly monitoring Kerberos. There are two general methods for doing this, as described below.
The preferred method for handling Kerberos names is new with version 7.0 of Guardium: on a Windows MS SQL Server database server, configure S-TAP to automatically replace Kerberos names with real database usernames in the traffic, before forwarding that traffic to the Guardium appliance.
Under normal conditions, the Kerberos names will never be seen on the Guardium appliance. In heavy volume situations, if names have not yet been resolved by the time messages must be sent to the appliance, traffic with Kerberos names can either be sent as is (with the Kerberos names), or dropped (your choice).
This configuration option is performed from the Administration Console, after installing the S-TAP agent on the Windows server. For detailed instructions, see Map Kerberos Names at the S-TAP, below.
You can also obtain Kerberos information by configuring an inspection engine to monitor Kerberos traffic (as opposed to database access traffic) on the network. Mappings will be captured and transmitted to all Guardium appliances, where the translation will take place. To select the correct location for the Kerberos inspection engine for your environment, you will need to know where the Kerberos authentication occurs (i.e., on which domain controllers), and from where on the network the traffic between those domain controllers and the database clients of interest can be seen.
To map the names this way, you can define a Kerberos inspection engine in either of two locations:
On a Guardium appliance. See Monitor Kerberos Traffic on a Guardium Appliance, below.
On an S-TAP installed on a Domain Controller. See Monitor Kerberos Traffic on a Domain Controller, below.
This is the preferred method of mapping real database usernames to Kerberos names. For information about alternative methods, see MS SQL Server Encryption and Kerberos, above. Perform this step from the Administrator GUI after installing the S-TAP agent on the database server system.
Log on to the administrator portal of the active Guardium host for the S-TAP just installed. (The active host is the only host from which you can modify an S-TAP configuration.)
Click S-TAP Control in the Local Taps section of the Administration Console, to open the S-TAP Control panel.
Locate the database server on which the S-TAP was installed, in the S-TAP Host column, and click (Edit S-TAP Configuration) to open the S-TAP Configuration panel.
Expand the S-TAP Control Details pane.
Select the appropriate SQL Server TAP Decrypted radio button, to control the type of automatic decryption applied to the traffic seen by S-TAP:
SSL Only Automatically decrypt SSL traffic. Use this option if all traffic of interest is SSL traffic. In this situation, even if Kerberos authentication is also used, it is of no consequence, because S-TAP obtains all of the information it needs from the clear SSL traffic (before encryption, and before Kerberos replaces the real database username).
Kerberos and SSL Automatically decrypt SSL traffic and map Kerberos names. Use this option if some traffic of interest uses Kerberos, but does not also use SSL. If both Kerberos and SSL are used for all traffic of interest, use the SSL Only option, above.
None No automatic decryption. All SQL in SSL traffic will be ignored. All SQL in Kerberos traffic will be seen, but the database username will be replaced by a string of hexadecimal characters.
When Kerberos and SSL is selected above, select the appropriate Kerberos Credentials Mapping radio button, below. When Kerberos authentication is used, this option controls how S-TAP obtains the database user names. If either of the two Sync options (below) is selected, S-TAP will not forward messages to the Guardium appliance until it resolves the real database username, so in high-message-volume situations some messages may be lost. When the Async option is used, all messages are forwarded to the Guardium appliance, but initial sessions for users just authenticated by Kerberos may have strings of hexadecimal characters in the database username field if S-TAP has not yet resolved the actual database username.
At Startup, Sync During startup processing, S-TAP obtains all authenticated users from the domain controller. This can be time consuming. After all users have been obtained and tabled, S-TAP starts sending data to the Guardium appliance. When it encounters a message from a user it does not recognize, it obtains that database user name as described for On Demand, Sync, below.
On Demand, Sync When S-TAP encounters a Kerberos message for an unrecognized user, S-TAP fetches the user name from the domain controller. It does not forward any traffic from that user to the Guardium appliance until it has the actual database user name.
On Demand, Async Like the above option, except that messages are not held while waiting to obtain the database user name.
Click the Apply button to save changes to the Details pane.
If you have not already done so, define an MS SQL Server inspection engine on this S-TAP, as described in the following steps. Otherwise, skip the remainder of the procedure.
In the S-TAP Configuration panel, click the Add Inspection Engine to expand the S-TAP Control Inspection Engines pane. (For detailed information, see Configure S-TAPs from the GUI.)
Select MSSQL from the Protocol list.
Enter 1433 and 1434 in the Port Range boxes.
Enter SQLSERVR.EXE in the Process Names box.
Enter MSSQLSERVER in the Instance Name box. When you select MSSQL as the Protocol, this name appears by default – you will only need to change it if your server does not use the default instance name.
Define one or more Client IP/Mask sets, and click Add.
Note: To monitor all clients, enter 1.1.1.1 and 0.0.0.0 in the Client IP and Mask boxes.
Click Apply to save the inspection engine definition.
This is one of several methods for resolving database usernames from Kerberos names, and it is not the preferred method. See MS SQL Server Encryption and Kerberos, above.
Verify with a network administrator that all traffic from and to the Windows domain controllers on which Kerberos ticket-granting authorities are running will be seen by the Guardium appliance. This may require the re-configuration of a SPAN port or network TAP from which the Guardium appliance monitors traffic.
From an SSH client window, log in to the Guardium appliance CLI, as the cli user.
Enter the following four commands:
store local-stap on
store unit type stap
restart inspection-core
restart inspection-engines
Enter the quit command, give the inspection core a minute to restart, and then log on to the administrator portal of the Guardium appliance.
On the System View tab, the STAP Status Monitor report will list an S-TAP Host entry for IP address 127.0.0.1 (the Guardium appliance itself), with a DB Server Type of Kerberos. (Do not edit this Inspection Engine from S-TAP Control Panel.)
This is one of several methods for resolving database usernames from Kerberos names, and it is not the preferred method. See MS SQL Server Encryption and Kerberos, above.
For this approach, you must install S-TAP on the domain controller.
Install the S-TAP agent on the domain controller.
Log on to the administrator portal of the active Guardium host for the S-TAP just installed on the domain controller. (The active host is the only host from which you can modify an S-TAP configuration.)
Click S-TAP Control in the Local Taps section of the Administration Console, to open the S-TAP Control panel.
Locate the domain controller in the S-TAP Host column, and click (Edit S-TAP Configuration) to open the S-TAP Configuration panel.
In the S-TAP Configuration panel, click the button beside Add Inspection Engine to expand the S-TAP Control Inspection Engines pane. (For detailed information, see Configure S-TAPs from the GUI.)
Select Kerberos from the Protocol list.
Enter 88 in both Port Range boxes.
Define one or more Client IP/Mask sets, and click Add.
Note: To monitor all clients, enter 1.1.1.1 and 0.0.0.0 in the Client IP and Mask boxes.
Click Apply.
After stopping Windows S-TAP, restart it as follows:
Log on to the database server system using a system administrator account.
From the Services control panel, start the GUARDIUM_STAP service.
You may also notice the GUARDIUM_TEE service. DO NOT start that service. It is a rarely used component of Guardium, and if needed, it will be started by the GUARDIUM_STAP service.
Log in to the administrator portal of the Guardium appliance to which this S-TAP reports, and verify that the Status light in the S-TAP Control panel is green.
Log on to the database server system using a system administrator account.
From the Services control panel:
Stop the GUARDIUM_STAP service.
If it is running, stop the optional GUARDIUM_TEE service (typically, it will not be running).
Log in to the administrator portal of the Guardium appliance to which this S-TAP was reporting, and verify that the Status light in the S-TAP Control panel is now red.
In most cases the installation program finds the JAVA_HOME value itself and writes it to the CAS configuration file. If you later need to change it (for example, because you installed a new Java version after installing Guardium CAS), use the following procedure.
Locate and open the CAS configuration file for editing. Its full path name is:
<installation directory>/cas/conf/wrapper.conf
Locate the following entry:
wrapper.java.command=<value>
Replace value with the new Java location. Before editing, note the form of the existing value: in Java Service Wrapper configuration files, wrapper.java.command conventionally names the java executable itself (for example <JAVA_HOME>\bin\java.exe) rather than the JAVA_HOME directory, so keep whatever form the installer wrote and only change the path.
Save the file.