Guardium Administration
Copyright, IBM Corp. 2011
Table of Contents
Guardium Administration Guide ................................................................................... 1
Guardium Administration Help Book ........................................................................... 1
Guardium Administration .......................................................................................... 1
Administration Overview ........................................................................................ 1
admin Role Privileges ............................................................................................ 1
admin User Privileges ............................................................................................ 2
Access Management and the Administrator .............................................................. 2
Installation ............................................................................................................. 3
Installation Overview ............................................................................................ 3
Step 1. Assemble the following before you begin ..................................................... 3
Step 2. Setup the physical appliance or the virtual appliance..................................... 5
Step 3. Install the IBM InfoSphere Guardium image ................................................. 7
Step 4. Setup Initial and Basic Configuration ........................................................... 8
Step 5. What to do next ..................................................................................... 10
Physical Connectivity........................................................................................... 13
Install a Server Certificate (Optional) .................................................................... 17
Appliance Overview............................................................................................. 20
System Configuration............................................................................................. 24
System Configuration Overview ............................................................................ 24
About the System Shared Secret .......................................................................... 24
Modify the System Configuration .......................................................................... 25
System Configuration Panel Reference .................................................................. 25
Inspection Engine Configuration .............................................................................. 29
Inspection Engine Configuration Overview ............................................................. 29
Configure Settings that Apply to All Inspection Engines ........................................... 30
Settings that Apply to All Inspection Engines .......................................................... 30
Create an Inspection Engine ................................................................................ 32
Start or Stop an Inspection Engine ....................................................................... 34
Remove an Inspection Engine .............................................................................. 34
Portal Configuration ............................................................................................... 34
Configure Authentication ........................................................................................ 35
Authentication Overview ...................................................................................... 35
Configure Guardium Authentication ....................................................................... 35
Configure RADIUS Authentication ......................................................................... 35
Configure LDAP Authentication ............................................................................. 36
Global Profile ........................................................................................................ 37
Global Profile Overview........................................................................................ 37
Override the Default Aliases Setting ...................................................................... 37
Customize the PDF Page Footer ............................................................................ 37
Edit the Alert Message Template ........................................................................... 38
Alert Message Template Variables ......................................................................... 38
Disable accordion menus ..................................................................................... 40
Named Template ................................................................................................ 40
CSV Separator ................................................................................................... 40
Add other HTML content to the Guardium Window .................................................. 40
Add or Disable a Login Message ............................................................................ 40
Enable or Disable Concurrent Same-user Logins ..................................................... 41
Enable Data Level Security at the Observed Data Level ........................................... 41
Default Filtering .................................................................................................. 41
Escalate result to all users ................................................................................... 42
SCP and FTP files via different ports ...................................................................... 42
Add a Logo to the Guardium Window .................................................................... 42
Alerter Configuration.............................................................................................. 42
Alerter Overview................................................................................................. 42
Automatically activate the Alerter on startup .......................................................... 43
Set the frequency that the Alerter checks for and sends messages ........................... 43
Configure the Alerter to send SMTP (email) messages ............................................. 43
Configure the Alerter to send SNMP traps .............................................................. 44
Anomaly Detection ................................................................................................ 44
Anomaly Detection Overview ................................................................................ 44
Automatically activate Anomaly Detection on startup .............................................. 45
Set the frequency that Anomaly Detection checks for appliance issues ...................... 45
Enable or Disable Active Alerts ............................................................................. 45
Stop or Restart Anomaly Detection ....................................................................... 45
Session Inference .................................................................................................. 46
IP-to-Hostname Aliasing ......................................................................................... 46
Upload Key File ..................................................................................................... 47
Query Hint ............................................................................................................ 47
Customer Uploads ................................................................................................. 48
Archive, Purge and Restore ..................................................................................... 49
Archive, Purge and Restore .................................................................................. 49
Configure Data Archive and Purge......................................................................... 51
Configure SCP or FTP Archive or Backup ................................................................ 52
Configure EMC Centera Archive or Backup ............................................................. 53
Configure TSM Archive or Backup ......................................................................... 54
Configure Results Archive .................................................................................... 54
Restore Data ...................................................................................................... 55
Catalog Archive .................................................................................................. 56
Catalog Export ................................................................................................... 57
Catalog Import ................................................................................................... 57
Results Export (CSV, CEF, PDF) ............................................................................... 58
System Backup ..................................................................................................... 59
SCP and FTP files via different ports ...................................................................... 60
Export/Import Definitions ....................................................................................... 60
Export/Import Definitions Overview ...................................................................... 60
Definition Types for Exporting (Table) ................................................................... 63
Export Definitions ............................................................................................... 64
Import Definitions............................................................................................... 64
Distributed Interface .............................................................................................. 65
Configure Distributed Interface ............................................................................. 65
Capture Replay ..................................................................................................... 69
How to use this feature ....................................................................................... 69
Configure Replay ................................................................................................ 70
Stage the data ................................................................................................... 71
Replay the Configuration ..................................................................................... 71
Data Staging ...................................................................................................... 72
Capture/Replay Comparison Listings ..................................................................... 72
Workload Comparison ......................................................................................... 74
Transaction Status .............................................................................................. 76
Compare (invoke APIs to compare jobs) ................................................................ 76
Modify Replay Configuration ................................................................................. 76
Remove Replay Configuration............................................................................... 76
Purge Replay Results........................................................................................... 77
Stop Replay after it starts .................................................................................... 77
S-TAP Certification................................................................................................. 77
Approve STAPs ................................................................................................... 77
Custom Alerting Class Administration ....................................................................... 78
Configure Permission to Socket Connection ............................................................... 78
Manage Custom Classes ......................................................................................... 78
Custom Class Management Overview .................................................................... 78
Upload a Custom Class ........................................................................................ 79
Update a Custom Class........................................................................................ 79
Delete a Custom Class ........................................................................................ 79
SSH Public Keys .................................................................................................... 79
Running Query Monitor .......................................................................................... 80
Legal Notices ........................................................................................................ 81
Trademarks ....................................................................................................... 83
Guardium Administration
Administration Overview
admin Role Privileges
admin User Privileges
Access Management and the Administrator
Administration Overview
Guardium administrators perform various administration and maintenance tasks from the
administrator portal, called Administration Console. Any user assigned the admin role is
referred to as a Guardium administrator. This is distinct from the admin user account,
which is described in detail below.
Refer to the Contents panel to the left for a list of tasks usually performed by Guardium
administrators.
admin Role Privileges
The Guardium admin role (that is, any user account that has been assigned the role admin) has
privileges that are not explicitly assigned to that role. For example, when a user with the
admin role displays a list of privacy set definitions, all privacy sets defined on the Guardium
system are displayed, and the user with the admin role can view, modify, or delete any of those
definitions.
When a user without the admin role accesses the list of privacy sets, that user will see only
those privacy sets that he or she owns (i.e. created), and all privacy sets that have been
assigned a security role that is also assigned to that user.
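The visibility rule just described, written out as an added example (not Guardium code): a user with the admin role sees every definition, while any other user sees only definitions they own or that carry a security role the user also holds. The user and privacy-set names are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


@dataclass(frozen=True)
class PrivacySet:
    name: str
    owner: str                      # the user who created the definition
    roles: frozenset = frozenset()  # security roles assigned to the definition


def can_view(user: User, pset: PrivacySet) -> bool:
    """Apply the visibility rule described above.

    The admin role sees every definition; other users see a definition only
    if they own it or hold one of the security roles assigned to it.
    """
    if "admin" in user.roles:
        return True
    if pset.owner == user.name:
        return True
    return bool(user.roles & pset.roles)


def visible_sets(user: User, all_sets) -> list:
    """Names of the definitions the list screen would show to `user`, sorted."""
    return sorted(p.name for p in all_sets if can_view(user, p))


# Constructed sample data (hypothetical names, not from the product).
SAMPLE_SETS = [
    PrivacySet("pii-columns", owner="alice", roles=frozenset({"dba"})),
    PrivacySet("hr-tables", owner="bob"),
    PrivacySet("finance", owner="carol", roles=frozenset({"auditor"})),
]
ADMIN = User("gadmin", frozenset({"admin"}))
ALICE = User("alice", frozenset({"user"}))
BOB = User("bob", frozenset({"dba"}))

if __name__ == "__main__":
    for u in (ADMIN, ALICE, BOB):
        print(u.name, visible_sets(u, SAMPLE_SETS))
```

Note that `can_view` grants the admin role everything before any ownership or role check runs, which is exactly why membership of that role should be kept small and reviewed.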
CLI diag Command Access
Use of the diag cli command requires an additional password, which can be the password of
any user with the admin role.
If automatic account lockout is enabled (a feature that locks a user account after a specified
number of login failures), the admin user account may become locked after a number of
failed login attempts. If that happens, use the unlock admin CLI command to unlock it.
Note: Account lockout can also be cleared by the accessmgr. Go to the User Browser, choose
Edit under the Actions heading for the locked account, and uncheck the box next to Disabled.
admin User Privileges
The admin user has additional privileges that are not granted to the admin role, as follows:
The admin and accessmgr roles cannot be assigned to the same user. A user may hold both
roles as a legacy situation or as the result of an upgrade, but current use does not allow
the two roles to be assigned to the same user.
In the past, when an appliance was upgraded using the upgrade patch, the accessmgr
role was assigned to the admin user, and the accessmgr user was disabled. In this
upgrade situation, to configure the accessmgr and admin users on a new appliance,
it was necessary to first log in as admin and enable the accessmgr user, then log in
Installation
Installation Overview
The appliances are shipped with the Guardium solution software and with an initial factory
configuration (default roles, default passwords, etc.), specific product keys based on the
customer's entitlements, and other unique settings that may be defined in the purchase
process.
This topic is organized as a series of installation steps that allow an administrator to
completely configure the appliance.
The initial configuration steps are performed using a local connection to the unit, via KVM or
direct keyboard and console connection. The remaining configuration steps can be done
over a network connection through the Command Line Interface (CLI) or the web-based
Graphical User Interface (GUI).
To complete the required installation and configuration, the appliance should be connected
to the network through an eth0 network card (or a virtual definition of one) and should have
a valid interface IP Address.
Before installing an appliance, read through this overview and then follow the complete set
of steps:
Step 1. Assemble the following before you begin
Step 2. Setup the physical appliance or the virtual appliance
Step 3. Install the IBM InfoSphere Guardium image
Step 4. Setup Initial and Basic Configuration
Step 5. What to do next
Supplemental information
Physical Connectivity
Install a Server Certificate (Optional)
Appliance Front and Back Views
Step 1. Assemble the following before you begin
This section details the minimum hardware resources required and what configuration
information is necessary to obtain before installation can proceed.
1.1 Hardware Requirements
The following hardware requirements are necessary for the IBM InfoSphere Guardium
solution to work properly. Unless specified otherwise, the requirements are for both the
physical installation and the virtual installation.
1.1.1 Installation on Physical Appliances
The InfoSphere Guardium solution will work only on Intel-based platforms with Xeon
processors. Only platforms and hardware that are officially supported by RedHat Linux 5.5
are expected to work properly. However, not all officially supported platforms are
guaranteed. Platforms that require additional drivers or specialized post-install configuration
are not supported at this time (see note below).
Note: If a customer has an appliance they know will require additional configuration beyond
the standard RedHat 5.5 installation, then that customer should install RedHat 5.5 and
record all the installation time choices and any post-install configuration steps. Send this
information to Guardium Technical Support for analysis and, based on the analysis, they
may be able to provide a software update to support this platform.
Any deviation from the instructions outlined in this document may result in failure to install
the solution. In such cases, the appliance might not be accessible over the network, and IBM
InfoSphere Guardium Technical Support engineers will not be able to assist in
troubleshooting and remediation.
See the latest Software Appliance Technical Requirements document (not part of help
information) for specific platforms tested and approved by IBM.
1.1.2 Installation on Virtual Appliances
While IBM InfoSphere Guardium can be installed on any VMware product, the VMware ESX
server is the recommended platform for a virtual solution.
Notes:
1. Hardware requirements for the virtual solution are restricted to the platforms
supported by VMware.
2. When using the virtual solution, Database Activity Monitoring must be done via S-TAP
agents. Over-the-network inspection through a SPAN port or Tap device is not
supported for the virtual offering.
3. Due to VMware's performance limitations, it is not recommended to use the virtual
solution when monitoring high volumes of database activity. The virtual solution is
recommended for smaller environments and for the Privileged Users Monitoring
audit mode.
1.1.3 Recommended Resources
See the latest Software Appliance Technical Requirements document (not part of help
information) for required and recommended resources.
1.2 Sizing Recommendations
See the latest Software Appliance Technical Requirements document (not part of help
information) for sizing metrics.
1.3 Preparations
Preparing for the deployment of the appliance, the network administrator needs to supply:
IP address for the interface card (eth0), and optionally an IP address for a secondary
management interface connection.
Default router IP address.
DNS server IP addresses (up to three addresses), and add the new appliance to the
DNS server.
Hostname and domain name to assign to the system.
(optional) NTP server hostname.
(optional) SMTP configuration information (for email alerts): IP address, port, and if
authentication is used, an SMTP user name and password.
(optional) SNMP configuration information (for SNMP alerts) the IP address of the
SNMP server and the trap community name to use.
After installing the VM, go to Step 4, Setup Initial and Basic Configurations for further
instructions on how to configure the IBM InfoSphere Guardium system.
Step 3. Install the IBM InfoSphere Guardium image
This section details how to install the image and partition the disk.
1. Make sure your BIOS boot sequence settings are set to attempt startup from the
removable media (the DVD drive) before using the hard drive. Note: Installation can
take place from DVD.
2. Load the IBM InfoSphere Guardium image from the installation DVD.
3. The following two options will appear:
Standard Installation - default partitioning. Choose this option if unsure of how to
partition the disk.
Custom Partition Installation - allows more customization of the partitions (locally
or on a SAN disk). There are two custom partitioning options, one that starts the
installer in a graphical mode that allows for more advanced partitioning options. See
Appendix C for further information on how to implement this option.
Notes
Realize that the Standard Installation will wipe the disk, repartition and
reformat the disk, and install a new operating system.
On the first boot after installation, the user will be asked to accept a Licensing
Agreement. They can use PgDwn to read through the agreement or Q to skip
to the end. To accept the terms of the agreement enter q to exit and then
type yes. The user MUST enter "yes" to the agreement or the machine will
not boot up.
4. The system will boot up from DVD. It takes about 12 minutes for this installation.
The CD image version uses two separate CDs. To insert the second CD, log in as
guardinstall and use the password guardium.
(a). The system asks for the CLI Password (will be set to guardium automatically
after 10 seconds if no input is provided).
(b). Choose and enter the password for the GUI Admin user. Repeat this password a
second time to confirm it.
(c). Choose and enter the password for the Access Manager user. Repeat this
password a second time to confirm it.
CLI and GUI passwords will need to be changed again on first login.
Note (for steps a, b, c): There is no visible output when entering the passwords.
(d). The installation process will now ask you to choose a collector or aggregator (will
be set to Collector automatically after 10 seconds if no input is provided).
Pay attention to the wording of the on-screen question:
For Collector answer YES.
For Aggregator answer NO.
5. The system will automatically reboot at this point to complete the installation.
Step 4. Setup Initial and Basic Configuration
The initial step should be the network configuration and must be done locally through the
Command Line Interface (CLI) accessible through the serial port or the system console.
Enter the temporary cli password you supplied previously.
In the following steps, you will supply various network parameters to integrate the IBM
InfoSphere Guardium into your environment, using cli commands.
In the cli syntax, variables are indicated by angle brackets, for example: <ip_address>.
Replace each variable with the appropriate value for your network and installation (but do
not include the brackets).
Note: Do not change the hostname and the time zone in the same CLI session.
4.1 Set the primary System IP Address
The primary IP address is for the ETH0 connection, and is defined using the following two
commands:
store network interface ip <ip_address>
store network interface mask <subnet_mask>
Optionally, a secondary IP address can be assigned, but this can only be done from the GUI
after the initial configuration has been performed. The remaining network interface cards on
the appliance may be used to monitor database traffic, and do not have an assigned IP
address.
4.2 Set the Default Router IP Address
store network routes def <default_router_ip>
4.3 Set DNS Server IP Addresses
Set the IP address of one or more DNS servers to be used by the appliance to resolve host
names and IP addresses. The first resolver is required, the others are optional.
store network resolver 1 <resolver_1_ip>
store network resolver 2 <resolver_2_ip>
store network resolver 3 <resolver_3_ip>
4.4 SMTP Server
Unit type standalone and unit type stap are set by default. Unit type manager (if needed)
must be specified.
Note: unit type settings can be done at a later stage, when the appliance is fully
operational.
4.8 Reset Root Password
Reset your root password on the appliance using your own private passkey by executing the
following CLI command (requires access key: t0Tach):
support reset-password root <N>|random
Save the passkey used in your documentation to allow future Technical Support root
accessibility. To see the current pass key use the following CLI command:
support show passkey root
4.9 Validate All Settings
Before logging out of CLI and progressing to the next configuration step, it is recommended
to validate the configured settings using the following commands:
show network interface all
show network routes defaultroute
show network resolver all
show system hostname
show system domain
show system clock timezone
show system clock datetime
show system ntp all
show unit type
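The `show` commands above confirm what the appliance has stored, but they only run after the values have been typed in. As an added example (not part of Guardium or its CLI), the following Python check validates the planned eth0 address, subnet mask, default router, DNS resolvers and NTP setting offline, using the constraints stated in this guide (one to three resolvers, the router reachable from eth0, the NTP server given as a host name rather than an IP address), and then renders the step 4.1 to 4.3 command lines for a plan that passes. All sample values are constructed.

```python
import ipaddress


def check_network_plan(ip, mask, default_router, resolvers, ntp_server=None):
    """Return a list of problems with the planned settings (empty means OK)."""
    problems = []
    try:
        iface = ipaddress.ip_interface(f"{ip}/{mask}")  # accepts dotted masks
    except ValueError as exc:
        return [f"bad interface address/mask: {exc}"]
    net = iface.network

    # eth0 needs a usable host address inside its own subnet.
    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append("eth0 address must be a host address, not the network or broadcast address")

    # The default router must be on the eth0 subnet and not be the appliance itself.
    try:
        router = ipaddress.ip_address(default_router)
    except ValueError:
        problems.append(f"default router {default_router!r} is not an IP address")
    else:
        if router not in net:
            problems.append(f"default router {router} is outside {net}")
        elif router == iface.ip:
            problems.append("default router must not be the appliance's own address")

    # The guide allows up to three resolvers; the first one is required.
    if not 1 <= len(resolvers) <= 3:
        problems.append("between one and three DNS resolvers are required")
    for r in resolvers:
        try:
            ipaddress.ip_address(r)
        except ValueError:
            problems.append(f"resolver {r!r} is not an IP address")

    # The guide states the NTP server cannot be specified as an IP address.
    if ntp_server is not None:
        try:
            ipaddress.ip_address(ntp_server)
        except ValueError:
            pass  # a host name, as required
        else:
            problems.append("NTP server must be given as a host name, not an IP address")
    return problems


def cli_commands(ip, mask, default_router, resolvers):
    """Render the step 4.1 to 4.3 CLI lines for a plan that passed the check."""
    lines = [
        f"store network interface ip {ip}",
        f"store network interface mask {mask}",
        f"store network routes def {default_router}",
    ]
    lines += [f"store network resolver {i} {r}" for i, r in enumerate(resolvers, 1)]
    return lines


if __name__ == "__main__":
    # Constructed example plan using documentation address ranges.
    plan = dict(ip="192.0.2.10", mask="255.255.255.0", default_router="192.0.2.1",
                resolvers=["192.0.2.53", "192.0.2.54"])
    issues = check_network_plan(ntp_server="ntp.example.test", **plan)
    if issues:
        print("\n".join(issues))
    else:
        print("\n".join(cli_commands(**plan)))
```

Run the check against the values collected in section 1.3 before the console session; a router outside the eth0 subnet or an IP address in the NTP field is cheaper to catch here than after `restart system`.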
4.10 Reboot the System
Reboot the system to complete the basic configuration. If the system is not in its final
location, now is a good time to shut the system down, place it in its final network location,
and start it up again. Remove the installation DVD before rebooting the system.
To reboot the system, enter the following command in CLI:
restart system
The system will shut down and reboot immediately after the command is entered. Upon
startup, the system should be accessible (via CLI and GUI) through the network, using the
provided IP address and hostname.
Step 5. What to do next
This section details the steps of verifying the installation by logging on to the appliance;
setting unit type, installing license keys, and other installations patches, S-TAPs,
Inspection Engines, CAS.
1. Log in to the IBM InfoSphere Guardium console, as the cli user, using the temporary cli
password you defined in the previous installation procedure. You can do this by using an ssh
client.
2. Do one of the following:
If installing from a patch DVD, Insert the DVD into the IBM InfoSphere Guardium DVD drive,
enter the following command, and skip ahead to step 3:
store system patch install cd
If installing from a network location, enter the following command (selecting either ftp or
scp):
store system patch install [ftp | scp]
And respond to the following prompts (be sure to supply the full path name to the patch
file):
Host to import patch from:
User on <hostname>:
Full path to patch, including name:
Password:
3. You will be prompted to select the patch to apply:
Please choose one patch to apply (1-n,q to quit):
Type the number of the patch to apply, and then press Enter.
4. To install additional patches, repeat steps 2 and 3.
5.5 Additional Steps (optional):
CLI command store language
Use the CLI command store language to change from the baseline English and convert the
database to the desired language. Installation of Guardium is always in English. A Guardium
system can only be changed to Japanese or Chinese (Traditional or Simplified) after an
installation. The "store language" command is considered a setup of the appliance and is
intended to be run during the initial setup of the appliance. Running this CLI command after
deployment of the appliance in a specific language can change the information already
captured, stored, customized, archived or exported. For example, the psmls (the panes and
portlets you have created) will be deleted, since they need to be recreated in the new
language.
Note: After converting from English to another language, it is not possible to
revert back to English.
Install S-TAP agents on the database servers and define their inspection engines
S-TAP is a lightweight software agent installed on the database server. It monitors local and
network database traffic and sends the relevant information to the IBM InfoSphere
Guardium appliance (the collector) for further analysis, reporting and alerting.
To install an S-TAP, refer to the S-TAP help book included in the product manuals.
To verify that the S-TAPs have been installed and are connected to the IBM InfoSphere
Guardium appliance:
appliance will be connected. A network administrator will be able to perform this
configuration. Consult your switch vendor's documentation for the exact method to perform
this configuration. Some vendors call this mirroring feature Port Mirroring or Switched Port
Analyzer (SPAN).
The appliance provides administrative access from its first network interface card, whose
connector is labeled ETH0, and optionally from its last network interface card. The number
of the last interface card varies, depending on what types of cards are installed (one-, two-,
or four-port cards are available).
Database traffic is monitored either:
Using consecutive ETH connector pairs (1-2, 3-4, etc.) to monitor traffic via network
TAPs.
Provides an IP address for the ETH0 connection to the desktop LAN, and optionally
an IP address for a secondary management interface connection.
If an NTP server will be used, provides its host name (you cannot specify an IP
address for the NTP server).
Provides SMTP configuration information (for email alerts): IP address, port, and if
authentication is used, an SMTP user name and password.
If SNMP will be used for alerts, provides SNMP configuration information: the IP
address of the SNMP server and the trap community name to use.
Coordinates with the network administrator to connect the desktop LAN to ETH0, and
to the optional secondary interface (if used).
Note: If a secondary IP address is used, this must be plugged into the last/highest
port, which will be located on the top right. See System IP Address (Secondary)
under the System Configuration Panel Reference section of the System Configuration
topic.
With the network administrator, connects the SPAN port(s), or uses one or more ETH
pairs (1-2, 3-4, etc.) to monitor traffic from network TAPs.
When using the high availability feature, which provides fail-over support via IP
Teaming for the primary connection, the IP address assigned must be plugged into
ETH3. For more information about the high-availability option, see the store network
interface high-availability command in the Network Configuration CLI Commands
appendix.
Uses the Administration Console to ensure that the system and network settings are
properly configured.
Notation for Command Arguments
Some command descriptions use delimiters to indicate which command arguments are
mandatory and in which context. Each syntax description shows the dependencies between
the command arguments by using special characters:
The | (vertical bar) symbol separates alternative choices when only one can be
selected. For example: store full-bypass <on | off>
State Arguments
Commands that handle a state setting accept and use the following state arguments:
on or off
up or down
enabled or disabled
active or inactive
1 or 0
Note that there is no way to retrieve the CLI user password once it is set. If you lose this
password, contact Technical Support to have it reset.
For a complete list of the commands available through the CLI, see the CLI Appendix.
Set the appropriate unit type for this appliance
An appliance can be a standalone unit, a manager, or a managed unit. In addition, an
appliance can be set to capture database activity via network inspection, S-TAP (stap), or
both. The standard configuration is a standalone appliance, and the most common setting
uses S-TAP capturing.
store unit type standalone
store unit type stap
Optionally Enable Automatic Decoding of Kerberos-Encrypted Database User Names
Note: This is not the preferred way to decode Kerberos-Encrypted Database User Names.
See the Windows S-TAP help for more information. If you are unsure which approach will be
used for Kerberos, skip this step for now (this can be configured later).
In an MS SQL environment, database user names may be encrypted by Kerberos. These
names will appear as strings of hexadecimal characters in reports. The appliance can decode
these names automatically if it has access to the Kerberos traffic and the feature is enabled,
as described below.
To enable the automatic decoding of Kerberos-encrypted database user names, enter the
following commands:
store local-stap on
store unit type stap
Ignore any messages about restarting the inspection core or inspection engines. The correct
settings will take effect when you restart the server after all initial settings have been
configured (as described below).
Install a Server Certificate (Optional)
After you have configured the network settings and rebooted the system, you can obtain
and store a server certificate following the process outlined below:
1. Use the CLI to create a Certificate Signing Request (CSR).
2. Submit the CSR to your Certificate Authority (CA) and obtain a server certificate in
return.
3. If the server certificate returned by your CA includes the full trust path, skip ahead
to step 4. Otherwise, store the CA certificate (and, if necessary, any intermediate
certificates in the full trust path) on the appliance. This must be done before storing
the new server certificate.
4. Use the CLI to store the returned server certificate on the appliance.
Note: Guardium is NOT a Certificate Authority (CA). Users of Guardium who wish to use the
Certificate feature need to acquire or generate their own certificate.
Each step is described in detail, below. Be aware that you perform the second step outside
of the appliance, using whatever CA your company uses.
Create a CSR
Use the CLI to create a CSR (Certificate Signing Request). Be sure to enter all information
correctly and do not enter this command until after your network settings have been
configured. The generated CSR will be a PKCS7 file encoded in PEM (base64 ASCII text)
format, so you can copy and paste it easily.
To create the CSR:
1. Log in to the appliance as the cli user, as described previously
2. Enter the csr command.
3. Reply to all prompts, which will be used in generating the request. Be aware that the
common name (CN) is generated automatically from the host and domain name you
assigned when configuring the unit:
You can find very detailed information on the DSA and RSA algorithms by searching
the web.
After you respond to the last prompt, the system displays a description of the request,
followed by the request itself, and followed finally by additional instructions. For
example:
This is the generated CSR:
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=US, ST=MA, L=Waltham, O=XYZCorp, OU=Accounting, CN=g2.xyz.com
-----BEGIN NEW CERTIFICATE REQUEST-----
MIICWjCCAhcCAQAwVDELMAkGA1UEBhMCVVMxEDAOBgNVBAgTB1dhbHRoYW0xETAPBgNVBAoT
CEd1
The following prompt is displayed:
What is a one-word alias we can use to uniquely identify this
certificate?
Enter a one-word name for the certificate and press Enter. The following instructions
are displayed:
Please paste your CA certificate, in PEM format.
Include the BEGIN and END lines, then press CTRL-D.
3. Copy the certificate, paste it to the command line, and press CTRL-D. You are
informed of the success or failure of the store operation.
4. If there are intermediate certificates on the full trust path to the appliance, repeat
steps 2 and 3 above for each of those, in hierarchical order.
Store the Server Certificate
Use the CLI to store the server certificate:
1. If you are not still logged in to the appliance as the cli user, log in again as described
previously.
2. Enter the store certificate console command.
The following information and prompt is displayed:
Please paste your new server certificate, in PEM format.
Include the BEGIN and END lines, then press CTRL-D.
3. Copy the server certificate, paste it to the command line, and press CTRL-D. You are
informed of the success or failure of the store operation.
4. Enter the restart gui command to restart the GUI.
Appliance Overview
The appearance of the appliance varies slightly depending on the model number and the
options purchased.
Appliance Front View
Dell Model R610
Item - Indicator, Button or Connector - Description
Power-on indicator, power button
NMI button
USB connectors (2) - Connect USB devices to the system. The ports are USB 2.0-compliant.
Video connector
LCD menu buttons
LCD panel
System identification button
Optical drive (optional)
Optional
10 - System identification panel
Indicator Pattern
Drive failed
Drive rebuilding
Drive online
Indicator, Button or Connector - Description
iDRAC6 Enterprise port (optional)
VFlash media slot (optional)
Serial connector
PCIe slot 1
Video connector
USB connectors (2) - Connect USB devices to the system. The ports are USB 2.0-compliant.
PCIe slot 2
Ethernet connectors (4)
System status indicator connector
10 - System status indicator
11 - System identification button
12 - Power supply 1
13 - Power supply 2
System Configuration
System Configuration Overview
About the System Shared Secret
Modify the System Configuration
System Configuration Panel Reference
System Configuration Overview
Most of the information on the System Configuration panel is set via the CLI at installation
time.
If you are using Central Management and/or Aggregation, you will need to set the System
Shared Secret for all related systems to the same value.
For instructions on how to do this, or to modify any other System Configuration settings,
see Modify the System Configuration, below.
A valid license is required in order to use various functions within the appliance. If a
license is entered after the system has started, the GUI must be restarted before the new
functionality is recognized.
About the System Shared Secret
To encrypt files that are exported from the appliance by archive/export activities
The system shared secret value is null at installation time. Depending on a company's
security practices, it may be necessary to change the system shared secret on a periodic
basis. Each appliance maintains a shared secret keys file, containing a historical record of
all shared secrets defined on that appliance. The same system thus will have no problem at
a later date decrypting information that was encrypted on that system.
When information is exported or archived from one system, and imported or restored on
another, the latter must have access to the shared secret used by the former. For these
cases, there are CLI commands that can be used to export the system shared secrets from
one system, and import them on another. See the following commands in the CLI appendix:
System Configuration Panel Reference
Field or Control - Description
Unique Global Identifier - This value is used for collation and aggregation of data. The
default value is a unique value derived from the MAC address of the machine. It is strongly
recommended that you do not change this value after the system begins monitoring
operations.
System Shared Secret - Any value you enter here does not display. Each character you type
displays as an asterisk. The system shared secret is used for archive/restore operations, and
for Central Management and Aggregation operations. When used, its value must be the
same for all units that will communicate. This value is null at installation time, and can
change over time.
The system shared secret is used:
product key
Central Manager and is done by pressing the refresh icon (the yellow arrows) from the
Central Manager to each of the collectors listed.
Number of Datasources
Metered Scans Left
Expiration date
System Hostname - The resolvable host name for the Guardium appliance. This name must
match the DNS host name for the primary System IP Address (see below).
Domain
System IP Address - The primary IP address that users and S-TAP or CAS agents use to
connect to the Guardium appliance. It is assigned to the network interface labeled ETH0.
SubNet Mask
Hardware (MAC) Address
System IP Address (Secondary)
SubNet Mask (Secondary)
Default Route
Primary Resolver
Secondary Resolver
Tertiary Resolver
Test Connection
Stop
Restart - Click the Restart button to stop and then restart the system. You will be
prompted to confirm the action.
Apply - Click the Apply button to save the changes. The changes will be applied the next
time the system restarts.
For example, an IP address for your PC might be: 192.168.1.3. This address is used in the
examples below. Since these are binary numbers, the last octet (3) can be represented as:
00000011.
The mask is specified in the same format as the IP address: n.n.n.n. A zero in any bit
position of the mask serves as a wildcard. Thus, the mask 255.255.255.240 combined with
the IP address 192.168.1.3 matches all values from 0-15 in the last octet, since the value
240 in binary is 11110000. But it only matches the values 192.168.1 in the first three
octets, since 255 is all 1s in binary (in other words, no wildcards apply for the first three
octets).
Specifying binary masks can be a little confusing. However, for the sake of convenience, IP
addresses are usually grouped in a hierarchical fashion, with all of the addresses in one
category (desktop computers, for example) grouped together in one of the last two octets.
Therefore, in practice, the numbers you see most often in masks are either 255 (no
wildcard) or 0 (all).
Thus a mask 255.255.255.255 (which has no zero bits) identifies only the single address
specified by IP address (192.168.1.3 in the example above).
Alternatively, the mask 255.255.255.0, combined with the same IP address matches all IP
addresses beginning with 192.168.1.
Selecting All Addresses
The IP address 0.0.0.0, which is sometimes used to indicate all IP addresses, is not allowed
by Guardium. To select all IP addresses when using an IP address/mask combination, use
any non-zero IP address followed by a mask containing all zeroes (for example:
1.1.1.1/0.0.0.0).
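The address/mask rules described above, worked through in code. This is an added example for illustration, not code from IBM Guardium: zero mask bits act as wildcards, an all-255 mask selects a single address, 0.0.0.0 is rejected as an address, and "all addresses" is expressed as any non-zero address with an all-zero mask.

```python
"""IP address/mask matching as the Guardium documentation above describes it.

Added example for illustration; it is not code from IBM Guardium. Rules
modelled here, all from the text above: a zero bit in the mask is a wildcard,
a mask of all 255s selects exactly one address, the address 0.0.0.0 is not
accepted, and "all addresses" is written as any non-zero address with an
all-zero mask (for example 1.1.1.1/0.0.0.0).
"""
from __future__ import annotations

import ipaddress


def _to_int(dotted: str) -> int:
    """Parse a dotted-quad string into a 32-bit integer (raises ValueError if malformed)."""
    return int(ipaddress.IPv4Address(dotted))


def validate_spec(address: str, mask: str) -> tuple[int, int]:
    """Validate an address/mask pair and return it as a pair of integers.

    Rejects the address 0.0.0.0, which the documentation says Guardium does
    not allow; the all-addresses case must use a non-zero address instead.
    """
    addr = _to_int(address)
    msk = _to_int(mask)
    if addr == 0:
        raise ValueError(
            "0.0.0.0 is not allowed; use a non-zero address with mask 0.0.0.0 "
            "(e.g. 1.1.1.1/0.0.0.0) to select all addresses"
        )
    return addr, msk


def matches(address: str, mask: str, candidate: str) -> bool:
    """True if candidate matches address/mask, treating zero mask bits as wildcards.

    Only the bits where the mask is 1 are compared; with mask 0.0.0.0 every
    candidate matches, with mask 255.255.255.255 only the exact address does.
    """
    addr, msk = validate_spec(address, mask)
    return (_to_int(candidate) & msk) == (addr & msk)


def mask_octets_binary(mask: str) -> list[str]:
    """Render each mask octet as eight binary digits, e.g. 240 -> '11110000'."""
    m = _to_int(mask)
    return [format((m >> shift) & 0xFF, "08b") for shift in (24, 16, 8, 0)]


def matched_last_octet_range(address: str, mask: str) -> tuple[int, int]:
    """Inclusive range of last-octet values matched when the first three mask
    octets are 255, e.g. (0, 15) for 192.168.1.3 with mask 255.255.255.240."""
    addr, msk = validate_spec(address, mask)
    if msk >> 8 != 0xFFFFFF:
        raise ValueError("helper expects the first three mask octets to be 255")
    low_mask = msk & 0xFF
    low = (addr & 0xFF) & low_mask    # wildcard bits cleared
    high = low | (~low_mask & 0xFF)   # wildcard bits set
    return low, high


if __name__ == "__main__":
    # Constructed sample inputs built on the documentation's own example address.
    spec = ("192.168.1.3", "255.255.255.240")
    print("mask bits:", mask_octets_binary(spec[1]))            # last octet 11110000
    print("last-octet range:", matched_last_octet_range(*spec))  # (0, 15)
    for cand in ("192.168.1.15", "192.168.1.16", "192.168.2.3"):
        print(cand, matches(*spec, cand))
    print("single address:", matches("192.168.1.3", "255.255.255.255", "192.168.1.4"))
    print("all addresses:", matches("1.1.1.1", "0.0.0.0", "10.20.30.40"))
```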
Configure Settings that Apply to All Inspection Engines
1. Select Administration Console > Inspection Engines.
2. Referring to the table below, make any changes desired.
3. Click the Apply button to save the updated system configuration when you are done
making changes.
4. Optionally add comments to the Inspection Engine Configuration. See Comments.
5. Click the Restart Inspection Engines button.
Note: The applied changes do not take effect until the inspection engines are
restarted. After applying inspection engine configuration changes, click the Restart
button to stop and restart the system (using the new configuration settings).
Settings that Apply to All Inspection Engines
Control - Description
Default Capture Value
Log Sequencing
Log Records Affected
Compute Avg Response Time
Inspect Returned Data
Record Empty Sessions
Parse XML - The Inspection Engine will not normally parse XML traffic. Mark this checkbox
to parse XML traffic.
Logging Granularity
Buffer Free: n % - Display only. n is the percent of free buffer space available for the
inspection engine process. This value is updated each time the window is refreshed. There
is a single inspection engine process that drives all inspection engines. This is the buffer
used by that process.
Restart Inspection Engines - Click the Restart Inspection Engines button to stop and restart
all inspection engines.
Add Comments
Apply
Create an Inspection Engine
1. Select Administration Console > Inspection Engines.
10. Click the Add button to save the definition.
11. Optionally reposition the inspection engine in the list of inspection engines. The
filtering mechanisms defined in the inspection engines are executed in the order in which
the engines are listed. If necessary, reposition the new inspection engine configuration, or
any existing configurations, using the Up and/or Down buttons in the border of the definition.
12. Optionally click the Start button to start the inspection engine just configured. The
Start button will be replaced by a Stop button, once the engine has been started.
Start or Stop an Inspection Engine
1. Select Administration Console > Inspection Engines.
2. To start an inspection engine, click its Start button.
3. To stop an inspection engine, click its Stop button.
Note: If using Central Management, you can also start or stop inspection engines from the Central
Management control panel. See Central Management.
Remove an Inspection Engine
If you are no longer using an inspection engine, we suggest that you remove the definition,
so that it is not restarted accidentally.
1. Select Administration Console > Inspection Engines.
2. If the inspection engine to be removed has not been stopped, click the Stop button.
3. To remove an inspection engine, click its Delete button.
Portal Configuration
You can keep the Guardium appliance Web server on its default port (8443) or reset the
portal as described below. We strongly recommend that you use the default port.
1. Select Administration Console > Portal to open the Guardium Portal panel.
2. If it is not marked, mark the Active on Startup checkbox (this should never be
disabled).
3. Set the HTTPS Port to an integer value between 1025 and 65535.
4. Click the Apply button to save the value. (The Guardium security portal will not start
listening on this port until it is restarted.) Or click the Revert button to restore the
value stored by the last Apply operation.
5. Click the Restart button to restart the Guardium Web server if you have made and
saved any changes. You can now connect to the unit on the newly assigned port.
Note: To re-connect to the unit once it has restarted with the new port number, you must change the URL
used to open the Guardium Login Page on your browser.
Configure Authentication
Authentication Overview
Configure Guardium Authentication
Configure RADIUS Authentication
Configure LDAP Authentication
Authentication Overview
By default, Guardium user logins are authenticated by Guardium, independent of any other
application. For the Guardium admin user account, login is always authenticated by
Guardium alone. For all other Guardium user accounts, authentication can be configured to
use either RADIUS or LDAP. In the latter cases, additional configuration information for
connecting with the authentication server is required.
Note: FreeRadius client software is supported.
When an alternative authentication method is used, all Guardium users must still be defined
as users on the Guardium appliance. It is only the authentication that is performed by
another application.
Note that while user accounts and roles are managed by the accessmgr user, the
authentication method used is managed by the admin user. This is a standard "separation of
duties" best practice.
To configure authentication, see the appropriate topic, above.
Configure Guardium Authentication
1. Select Administration Console > Portal.
2. Select the Guardium radio button in the Authentication Configuration panel.
3. Click Apply.
Configure RADIUS Authentication
1. Select Administration Console > Portal.
2. Select the RADIUS radio button in the Authentication Configuration panel. Additional
fields will appear in the panel.
3. In the Primary Server box, enter the host name or IP address of the primary RADIUS
server.
4. Optionally enter the host name or IP address of the secondary and tertiary RADIUS
servers.
5. Enter the UDP Port used (1812 or 1645) by RADIUS.
6. Enter the RADIUS server Shared Secret, twice.
7. Enter the Timeout Seconds (the default is 120).
8. Select the Authentication Type:
9. Optionally click the Test button to verify the configuration. You will be informed of
the results of the test. The configuration will also be tested whenever you click the
Apply button to save changes (see below).
10. Click Apply. Guardium will attempt to authenticate a test user, and inform you of
the results.
Configure LDAP Authentication
1. Select Administration Console > Portal.
2. Select the LDAP radio button in the Authentication Configuration panel.
3. In the Server box, enter the host name or IP address of the LDAP server.
4. Enter the Port number (the default is 636 for LDAP over SSL).
5. Enter the User RDN Type (relative distinguished name type), which is uid by
default.
Note: This attribute identifies a user for LDAP authentication. The
Access Manager should be made aware of what attribute is used here, since
the Access Manager performs the LDAP User Import operation. Click on this
help link LDAP User Import for further information on Importing LDAP Users.
Note: If a user is using SamAccountName as the RDN value, the user must
use either "=search" or "=[domain name]" in the full name.
Examples: SamAccountName=search, SamAccountName=dom
6. Enter the User Base DN (distinguished name).
7. Mark or clear the Use SSL checkbox, as appropriate for your LDAP Server.
8. Optional. To inspect one or more trusted certificates, click Trusted Certificates and
follow the instructions in that panel.
9. Optional. To add a trusted certificate, click Add Trusted Certificates and follow the
instructions in that panel.
10. Optional. Click the Test button to verify the configuration. You will be informed of
the results of the test. The configuration will also be tested whenever you click the
Apply button to save changes (see below).
11. Click Apply. Guardium will attempt to authenticate a test user, and inform you of
the results.
Global Profile
Global Profile Overview
Override the Default Aliases Setting
Customize the PDF Page Footer
Edit the Alert Message Template
Disable accordion menus
Named Template
CSV Separator
Add or Disable a Login Message
Enable or Disable Concurrent Same-user Logins
Enable Data Level Security at the Observed Data Level
Default Filtering
Escalate result to all users
SCP and FTP files via different ports
Global Profile Overview
The Global Profile panel defines defaults that apply to all users.
Override the Default Aliases Setting
By default, for any new report, or for any report contained in a default layout, aliases are
not used.
An alias provides a synonym that substitutes for a stored value of a specific attribute type.
It is commonly used to display a meaningful or user-friendly name for a data value. For
example, Financial Server might be defined as an alias for IP address 192.168.2.18.
To display aliases for an individual report, you can open its Customize Portlet panel and
mark the Show Aliases On button.
If more often than not, you would rather see aliases by default, you can change the default
aliases setting for all reports, as follows:
1. Select Administration Console > Global Profile to open the Global Profile panel.
2. Mark the Use Aliases in Reports unless otherwise specified checkbox.
3. Click Apply.
Customize the PDF Page Footer
PDF files created by various Guardium components (audit tasks, for example) have a
standard page footer. To customize that footer:
1. Select Administration Console > Global Profile to open the Global Profile panel.
2. In the PDF Footer Text field, enter the text to be printed at the bottom of each
page.
3. Click Apply.
Edit the Alert Message Template
To customize the message template used to generate alerts:
1. Select Administration Console > Global Profile to open the Global Profile panel.
2. In the Message Template text box, edit the alert template text.
You can mark the no wrap checkbox below the Message Template text box to see
where the line breaks appear in the message.
3. Click Apply when you are done.
4. Changes will not take effect until the inspection engines are restarted. To do that
now, select Administration Console > Inspection Engines > Restart Inspection
Engines.
Alert Message Template Variables
Variable - Description
%%addBaselineConstruct - To add to baseline
%%AppUserName
%%AuthorizationCode - Authorization code
%%category
%%classification
%%clientHostname - Client hostname
%%clientIP - Client IP address
%%clientPort
%%DBProtocol - Database protocol
%%DBProtocolVersion
%%DBUser
%%lastError
%%netProtocol
%%OSUser
%%receiptTime
%%receiptTimeMills
%%requestType - Request type
%%ruleDescription
%%ruleID
%%serverHostname - Server hostname
%%serverIP - Server IP address
%%serverPort
%%serverType
%%serviceName - Service name
%%sessionStart
%%sessionStartMills
%%severity
%%SourceProgram
%%SQLNoValue
%%SQLString
%%SQLTimestamp
%%Subject[ ]
%%violationID
Management report)
Disable accordion menus
Check this box to display the Tools tab with Config and Control and Report Building in one
column and their associated functions in another column.
Named Template
Message templates are used to generate alerts.
The feature defines multiple message templates and facilitates the use of different
templates on different rules. In the past, only a single message template was available for
all rules, all receiver types, etc.
To add, modify and delete named message templates, click on the Edit button. When
creating a new named template, the starting value of the string is a copy of whatever is
currently in the Message template of the Global Profile. "R/T Alert" is the only level of
severity permitted.
Predefined message templates have been created for the SIEM solutions, ArcSight and
EnVision. The Guardium system comes preloaded with two certified (agreed upon)
templates to integrate with these two SIEM solutions.
After editing, the multiple message templates can be selected from within the Policy Builder
menu. See Policies.
CSV Separator
To define a separator to be used in the audit process:
1. Select Administration Console > Global Profile to open the Global Profile panel.
2. Choose Comma, Semicolon, Tab, or define your own in Other box to define the
CSV Separator that will be used.
3. Click Apply.
Add other HTML content to the Guardium Window
To add a company logo graphic to the upper right portion of the Guardium window, or to
add other HTML content to the bottom of the Guardium window:
1. Select Administration Console > Global Profile to open the Global Profile panel.
2. In the HTML - Left and HTML - Right text boxes, enter the HTML for the text or
any other items you want to include on the window.
3. Optionally click the Preview button.
4. Click Apply.
Add or Disable a Login Message
To add a message to display in a message box, each time a user logs in:
1. Select Administration Console > Global Profile to open the Global Profile panel.
2. In the Login Message text box, enter the text you want to display when each user
logs in.
Show-all - Permits the logged-in viewer to see all the rows in the result
regardless of who these rows belong to. When used with the Datasec-exempt
role (see Manage Roles) permits an override of the data level security
filtering.
ii. Include indirect records - Permits the logged-in viewer to see the rows
that belong to the logged-in user, but also all rows that belong to users below
the logged-in user in the user hierarchy. See Access Management, Data User
Security - Hierarchy and Associations.
Note: If data level security at the observed data level has been enabled, then audit process
escalation will only be allowed to users at a higher level in the user hierarchy. See Access
Management, Data User Security - Hierarchy and Associations.
Default Filtering
Online viewer default setting and for audit process results distribution.
Show-all - See explanation in section above, Enable Data Level Security at the Observed
Data Level, step 3. The default setting is disabled.
Include indirect records - See explanation in section above, Enable Data Level Security at
the Observed Data Level, step 3. The default setting is disabled.
Escalate result to all users
Escalate result to all users - A check mark in this check box escalates audit process
results (and PDF versions) to all users, even if data level security at the observed data level
is enabled. The default setting is enabled. If the check box is cleared (no check mark in the
check box), then audit process escalation will only be allowed to users at a higher level in
the user hierarchy and to users with the datasec-exempt role. If the check box is cleared
and there is no user hierarchy, then no escalation is permitted. See Access Management,
Data User Security - Hierarchy and Associations.
SCP and FTP files via different ports
Change the ports that can be used to send files over SCP and FTP.
For Global Profile - CSV, Export and Patch Backup can be changed. The default port for
ssh/scp/sftp is 22. The default port for ftp is 20.
Note: A zero (0) shown as the port indicates that the default port is being used and no
change is needed.
Add a Logo to the Guardium Window
To add a company logo graphic to the upper right portion of the Guardium window, or to
add other HTML content to the bottom of the Guardium window:
1. Select Administration Console > Global Profile to open the Global Profile panel.
2. In the Upload Logo Image pane (located at the bottom of the menu screen), if you
want to include a logo image in the upper-right portion of the portal window, enter
an image file name or click the Browse button to select a file to upload to the
Guardium appliance, and then click the Upload button. The image will display the
next time the window is refreshed.
Note: The uploaded logo file name cannot contain these special characters: single quote ',
double quote ", less than sign <, greater than sign >.
Alerter Configuration
Alerter Overview
Set the frequency that the Alerter checks for and sends messages
Configure the Alerter to send SMTP (e-mail) messages
Configure the Alerter to send SNMP traps
Automatically activate the Alerter on startup
Alerter Overview
7. In the Return E-mail Address box, enter the return address for e-mail sent by the
system. This address is usually an administrative account that is checked often.
8. Select Auth in the Authentication Method if your SMTP server uses authentication.
Otherwise, select None. When Auth is selected, you must specify the user name and
password to be used for authentication.
9. Click the Apply button to save the configuration.
Note: The Alerter will not begin using a new configuration until it is restarted.
10. Click Restart to restart the Alerter with the new configuration.
Configure the Alerter to send SNMP traps
1. Select Administration Console > Alerter to open the Alerter Configuration panel.
Note: All remaining items in this topic are in the SNMP section of the Alerter panel.
2. In the IP Address box, enter the IP address to which the SNMP trap will be sent.
3. Optional: Click the Test Connection hypertext link to verify the SNMP address and
port (22). This only tests that there is access to the specified host and port. It does not
verify that this is a working SNMP server. A dialog box is displayed, informing you of
the success or failure of the operation.
4. In the Trap Community box, enter the community name for the trap. Retype the
community in the Retype Community box.
5. Click the Apply button to save the configuration.
Note: The Alerter will not begin using a new configuration until it is restarted.
6. Click Restart to restart the Alerter with the new configuration.
Anomaly Detection
Anomaly Detection Overview
Automatically activate Anomaly Detection on startup
Set the frequency that Anomaly Detection checks for appliance issues
Enable or Disable Active Alerts
Stop or Restart Anomaly Detection
Anomaly Detection Overview
The Anomaly Detection process executes correlation alerts according to the schedule
defined for each alert. A correlation alert looks back over a specified period of time to
determine if a condition has been satisfied (an excessive number of failed logins, for
example). See Correlation Alerts for more information.
In a Central Manager environment, the Anomaly Detection panel is used to turn off
correlation alerts that are not appropriate for a particular appliance. Under Central
If an alert creates an email message or SNMP trap, the Alerter component must be
configured and started.
Anomaly Detection does not play a role in the production of real time alerts, which
are produced by security policies.
Session Inference
Session Inference checks for open sessions that have not been active for a specified period
of time, and marks them as closed.
To configure the Session Inference options:
1. Select Administration Console > Session Inference.
2. Mark the Active On Startup box to start Session Inference on startup of the
Guardium appliance.
3. In the Polling Interval box, enter the frequency (in minutes) with which Session
Inference will check for open sessions. The default is 120 (minutes).
4. In the Max Inactive Period box, enter the number of minutes of inactivity, after
which a session should be marked closed. The default is 720 (minutes).
5. Click the Apply button to store the values in the configuration database. Session
Inference will not begin using a new configuration until it is restarted.
6. Click Restart to restart Session Inference with the new configuration.
Stopping Session Inference
To stop Session Inference, open the Session Inference panel as described above, and click
the Stop button.
IP-to-Hostname Aliasing
The IP-to-Hostname Aliasing function accesses the Domain Name System (DNS) server
to define hostname aliases for client and server IP addresses. Note that there are two
separate sets of IP addresses - one for clients, and one for servers. When IP-to-Hostname
Aliasing is enabled, alias names will replace IPs within Guardium where appropriate.
1. Select Administration Console > IP-to-Hostname Aliasing.
2. Mark the Generate Hostname Aliases for Client and Server IPs (when
available) checkbox to enable hostname aliasing.
A second checkbox displays when the first is marked: Update existing Hostname
Aliases if rediscovered
3. Mark the "Update existing..." checkbox to update a previously defined alias that does
not match the current DNS hostname (usually indicating that the hostname for that
IP address has changed). You may not want to do this if you have assigned some
aliases manually. For example, assume that the DNS hostname for a given IP
address is dbserver204.guardium.com, but that server is commonly known as the
QA Sybase Server. If QA Sybase Server has been defined manually as an alias for
that IP address, and the "Update" checkbox is marked, that alias will be overwritten
by the DNS hostname.
4. Click the Apply button to save the IP-to-Hostname Aliasing configuration.
5. Do one of the following:
Click the Run Once Now button to generate the aliases immediately.
Click the Define Schedule button to define a schedule for running this task.
For instructions on how to use the general-purpose task scheduler, see
Scheduling.
To view the aliases defined, see View the Aliases Defined, in the Common Tools book.
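The overwrite behaviour of the "Update existing..." checkbox is easy to get wrong, so here is a small model of the aliasing rules described above, as an added example that is not part of the original manual or Guardium's own code. It assumes the alias table is a dict keyed by IP address, that DNS answers come from a caller-supplied resolver (the constructed DNS data below stands in for a real server), and that client and server IPs are kept in separate tables, so each function is called once per table. The aliases_at_risk preview lists which stored aliases an update pass would replace, which is the check to run before marking the box when some aliases were assigned by hand.

```python
"""Model of the IP-to-Hostname Aliasing rules (added example, not Guardium code).

Assumptions: alias table is a dict keyed by IP; DNS answers come from a
caller-supplied resolver; the DNS data below is constructed for the demo.
"""
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# A resolver returns the hostname for an IP, or None when DNS has no answer.
Resolver = Callable[[str], Optional[str]]


def generate_hostname_aliases(table: Dict[str, str], ips: Iterable[str],
                              resolve: Resolver, update_existing: bool) -> Dict[str, str]:
    """Return the alias table after one pass of the aliasing task.

    An IP with no alias gets its DNS hostname when DNS returns one.
    An IP that already has an alias keeps it, unless update_existing is set and
    DNS now returns a different name; then the stored alias is overwritten,
    including an alias an administrator assigned by hand.
    """
    result = dict(table)  # never mutate the caller's table
    for ip in ips:
        hostname = resolve(ip)
        if hostname is None:
            continue  # "when available": no DNS answer, nothing to change
        if ip not in result:
            result[ip] = hostname
        elif update_existing and result[ip] != hostname:
            result[ip] = hostname
    return result


def aliases_at_risk(table: Dict[str, str], resolve: Resolver) -> List[Tuple[str, str, str]]:
    """Preview before marking the Update box: (ip, stored alias, DNS hostname)
    for every stored alias that an update pass would replace."""
    at_risk = []
    for ip, alias in table.items():
        hostname = resolve(ip)
        if hostname is not None and hostname != alias:
            at_risk.append((ip, alias, hostname))
    return at_risk


# Constructed DNS data for the demonstration; 10.0.0.99 has no PTR record.
CONSTRUCTED_DNS = {
    "10.0.0.204": "dbserver204.guardium.com",
    "10.0.0.17": "app17.guardium.com",
}


def constructed_resolver(ip: str) -> Optional[str]:
    return CONSTRUCTED_DNS.get(ip)


def demo(update_existing: bool) -> Dict[str, str]:
    """Server alias table with one manually assigned alias, as in the manual's example."""
    servers = {"10.0.0.204": "QA Sybase Server"}
    seen_ips = ["10.0.0.204", "10.0.0.17", "10.0.0.99"]
    return generate_hostname_aliases(servers, seen_ips, constructed_resolver, update_existing)


if __name__ == "__main__":
    print("would be overwritten:",
          aliases_at_risk({"10.0.0.204": "QA Sybase Server"}, constructed_resolver))
    print("update off:", demo(False))
    print("update on: ", demo(True))
```

With the Update box cleared, the manual alias "QA Sybase Server" survives and only the unaliased IP gains a DNS name; with it marked, the manual alias is replaced by dbserver204.guardium.com, exactly the case the note above warns about.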
If for some reason you are not permitted to change the SQL Server TAP Decrypted
setting, use the procedure below to upload a key file from the server.
If no S-TAP has been installed, or if it has been installed but is not configured to handle
encrypted SQL Server traffic, a key file will be required to monitor SQL Server traffic under
the following conditions:
If the server in a SQL Server 2005 environment uses encrypted login sessions with
SQL Server mixed authentication.
Since a single Guardium appliance may be monitoring multiple SQL Server instances, you
may need to upload multiple key files. To upload a key file to the Guardium appliance:
1. Select Administration Console > Upload Key File.
2. Click the Browse button to locate the key file you want to upload. The key file name
must be the fully qualified domain name of the SQL Server. The key file cannot be
renamed; it must be created with that name.
3. Enter the pass phrase in both Pass Phrase boxes.
4. Click the Upload Key File button. You will be informed of the results of the
operation.
Query Hint
This feature is password protected and can be used only as directed by Technical Support.
Contact Technical Support if you require more information.
Guardium Administration
The Query Hint screen is also used to activate two policy log actions, "Log full details with
values" and "Log full details with values per session". After filling in the Query Hint
password, an additional button will appear, "Add value logging option to policies". See Log
Actions in Policies for further information. Again, contact Technical Support for instructions
on how to use this feature.
Customer Uploads
Database Activity Monitor Content Subscription (previously known as Database Protection
Subscription Service) supports the maintenance of predefined assessment tests, SQL based
tests, CVEs, APARs, and groups such as database versions and patches. DPS is provided as
a service to keep information current and within industry best practices to protect against
newly discovered vulnerabilities. Distribution of updates will be done on a quarterly basis.
Uploading Jar files is also done through this menu screen.
Note: If a custom group exists with the same name as a predefined Guardium group, the
upload process will add "Guardium - " in front of the name for the predefined group.
1. Select Administration Console > Customer Uploads
2. For DPS Upload - Enter the name of the file to be uploaded or click the Browse
button to locate and select that file.
3. Import DPS identifies what files have been uploaded.
4. For Upload DB2 z/OS License jar - Enter the name of the file to be uploaded or
click the Browse button to locate and select that file.
5. For Upload Oracle JDBC driver, or Upload MS SQL Server JDBC driver - Use
this function to upload open source drivers for Oracle and MS SQL. Oracle Data
Direct and MS SQL Data Direct drivers are pre-loaded in the Guardium appliance.
Uploaded open source drivers appear, after upload, in the Database Type drop-down
menu of the Datasources Definition menu. Upload one driver at a time.
6. Click the Upload button. You are notified when the operation completes, and the file
uploaded will be displayed. This action brings the uploaded file to Central Manager.
For the Oracle JDBC and SQL Server JDBC driver files, go to the Central Management
choice within Admin Console to manage distribution of these Jar files to the managed
units.
Note: After the file is successfully uploaded, the GUI needs to be restarted on the
Central Manager and the managed units.
Select Administration Console > Configuration > Portal > press Restart.
Select Administration Console > Central Management > Central Management and
press Distribute Uploaded Jar Files.
7. Click the Import icon to import the uploaded file, or click the Remove icon to remove it without importing.
8. You will be prompted to confirm either action.
9. Click the Done button when finished.
Note: If you will be exporting and importing definitions from one appliance to
another, be aware that subscribed groups are not exported. When exporting
definitions that reference subscribed groups, you must ensure that all referenced
Data Archive backs up the data that has been captured by the appliance, for a
given time period. When configuring Data Archive, a purge operation can also be
configured. Typically, data is archived at the end of the day on which it is captured,
which ensures that in the event of a catastrophe, only the data of that day is lost.
The purging of data depends on the application and is highly variable, depending on
business and auditing requirements. In most cases data can be kept on the machines
for more than six months.
Results Archive backs up audit tasks results (reports, assessment tests, entity
audit trail, privacy sets and classification processes) as well as the view and sign-off
trails and the accommodated comments from workflow processes. Results sets are
purged from the system according to the workflow process definition.
In an aggregation environment, data can be archived from the collector, from the
aggregator, or from both locations. Most commonly, the data is archived only once, and the
location from where it is archived varies depending on the customer's requirements.
Scheduled export operations send data from Guardium collector units to a Guardium
aggregation server. On its own schedule, the aggregation server executes an import
operation to complete the aggregation process. On either or both units, archive and purge
operations are scheduled to back up and purge data on a regular basis (both to free up
space and to speed up access operations on the internal database).
Archive files can be sent using SCP or FTP protocol, or to an EMC Centera or TSM storage
system (if configured). You can define a single archiving configuration for each Guardium
appliance.
Guardium's archive function creates signed, encrypted files that cannot be tampered with.
DO NOT change the names of the generated archive files. The archive and restore
operations depend on the file names created during the archiving process.
Archive and export activities use the system shared secret to create encrypted data files.
Before information encrypted on one system can be restored on another, the restoring
system must have the shared secret that was used on the archiving system when the file
was created.
Note: For more information about the system shared secret, see About the System Shared
Secret in the Guardium Administration Guide; and for information on how to back up and restore
shared secret files from one system to another, see the description of the aggregator backup
keys file and aggregator restore keys file commands in the CLI Reference.
Whenever archiving data, be sure to verify that the operation completes successfully. To do
this, log in as admin user, click the Guardium Monitor tab, and select the
Aggregation/Archive Log report. There should be multiple activities listed for each Archive
operation, and the status of each activity should be "Succeeded".
Backup and Restore tasks can be performed from the CLI as well as from the Guardium GUI
at the Admin Console tab. See File Handling CLI Commands for further information.
Default Purging
Aggregation - Catalog tables are aggregated, which means that the aggregator will
have the merged catalog of all of its collectors
Data Restore - Each data restore operation contains the data of the archived day,
including the catalog of that day. So, when restoring data, the catalog is also being
updated.
When catalog entries are imported from another system, those entries will point to files that
have been encrypted by that system. Before restoring or importing any such file, the
system shared secret of the system that encrypted the file must be available on the
importing system. See the description of the aggregator backup keys file and aggregator
restore keys file commands in the CLI Reference, for instructions on how to get the shared
secrets from one appliance to another.
Several commands are provided on the Administration Console for catalog maintenance:
Note: If you leave the Ignore data older than row blank, you will archive data for all days older
than the value specified in the Archive data older than row. This means that if you archive daily
and purge data older than 30 days, you will archive each day of data 30 times (before it is
purged on the 31st day).
5. Mark the Archive Values box to include values (from SQL strings) in the archived
data. If this box is cleared, values will be replaced with question mark characters on
the archive (and hence the values will not be available following a restore operation).
6. Select a storage method radio button from the list below. Depending on how the
appliance has been configured, one or more of these buttons may not be available.
For a description of how to configure the archive and backup storage methods, see
the description of the show and store storage-system commands in the CLI
Appendix.
EMC CENTERA
TSM
SCP
FTP
7. Perform the appropriate procedure (below), depending on the storage method
selected:
8. Optionally mark the Purge box to define a purge operation. When this box is
marked, additional fields display.
IMPORTANT: The Purge configuration is used by both Data Archive and Data
Export. Changes made here will apply to any executions of Data Export and
vice-versa. In the event that purging is activated and both Data Export and
Data Archive run on the same day, the first operation that runs will likely
purge any old data before the second operation's execution. For this reason,
any time that Data Export and Data Archive are both configured, the purge
age must be greater than both the age at which to export and the age at
which to archive.
9. If purging data, use the Purge data older than fields to specify a starting day for the
purge operation as a number of days, weeks, or months prior to the current day,
which is day zero. All data from the specified day and all older days will be purged,
except as noted below. Any value specified for the starting purge date must be
greater than the value specified for the Archive data older than value. In addition, if
data exporting is active, the starting purge date specified here must be greater than
the Export data older than value. See the IMPORTANT note above.
Notes: There is no warning when you purge data that has not been archived
or exported by a previous operation.
The purge operation does not purge restored data whose age is within the do not purge restored
data timeframe specified on a restore operation.
10. Click Apply to verify and save the configuration changes. The system will attempt to
verify the configuration by sending a test data file to that location.
If the operation fails, an error message will be displayed and the configuration
will not be saved.
11. To run or schedule the archive and purge operation, do one of the following:
Click the Run Once Now button to run the operation once.
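The IMPORTANT note and step 9 above place constraints on the archive, export and purge ages, and the earlier note explains why a day of data can be archived 30 times. The following is an added example, not Guardium code, that checks those constraints and simulates one day of captured data under a daily schedule. It assumes all ages are in days, that "older than N" includes day N itself ("from the specified day and all older days", as the manual puts it for purge), that the "Ignore data older than" bound is exclusive, that day zero is the capture day so the scheduled jobs first see the data at age 1, and that None means a field is blank or the operation is not configured. The order argument models which job runs first on a given day, which is the point of the IMPORTANT note.

```python
"""Archive/export/purge age checks and a one-day simulation (added example, not Guardium code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence


@dataclass
class AgeConfig:
    # Field names mirror the GUI labels; ages in days; None = blank / not configured.
    archive_older_than: Optional[int] = None         # Data Archive: "Archive data older than"
    archive_ignore_older_than: Optional[int] = None  # Data Archive: "Ignore data older than"
    export_older_than: Optional[int] = None          # Data Export: "Export data older than"
    purge_older_than: Optional[int] = None           # Purge (shared by Archive and Export)


def validate(cfg: AgeConfig) -> List[str]:
    """The two rules stated in the manual, plus the data-loss case it says gives no warning."""
    problems: List[str] = []
    purge = cfg.purge_older_than
    if purge is None:
        return problems
    if cfg.archive_older_than is not None and purge <= cfg.archive_older_than:
        problems.append("purge age must be greater than the archive age")
    if cfg.export_older_than is not None and purge <= cfg.export_older_than:
        problems.append("purge age must be greater than the export age")
    if cfg.archive_older_than is None and cfg.export_older_than is None:
        problems.append("purge is on but nothing archives or exports the data first")
    return problems


def simulate_one_day(cfg: AgeConfig,
                     order: Sequence[str] = ("archive", "export", "purge"),
                     horizon_days: int = 400) -> Dict[str, int]:
    """Count how often one day of data is archived and exported before purge removes it.

    order is the sequence in which the daily jobs run: when archive/export and
    purge fall on the same day, whichever runs first decides whether that day
    of data is still there for the other (assumed daily schedule for all jobs).
    """
    counts = {"archive": 0, "export": 0}
    for age in range(1, horizon_days + 1):
        for op in order:
            if (op == "archive" and cfg.archive_older_than is not None
                    and age >= cfg.archive_older_than
                    and (cfg.archive_ignore_older_than is None
                         or age < cfg.archive_ignore_older_than)):
                counts["archive"] += 1
            elif (op == "export" and cfg.export_older_than is not None
                    and age >= cfg.export_older_than):
                counts["export"] += 1
            elif (op == "purge" and cfg.purge_older_than is not None
                    and age >= cfg.purge_older_than):
                return counts  # the data is gone; later runs never see it
    return counts


if __name__ == "__main__":
    daily = AgeConfig(archive_older_than=1, purge_older_than=30)
    print(validate(daily), simulate_one_day(daily))                       # [] {'archive': 30, ...}
    print(simulate_one_day(daily, order=("purge", "archive", "export")))  # 29: purge ran first
    once = AgeConfig(archive_older_than=1, archive_ignore_older_than=2, purge_older_than=30)
    print(simulate_one_day(once))                                         # each day archived once
    print(validate(AgeConfig(archive_older_than=30, export_older_than=45, purge_older_than=30)))
```

The blank "Ignore data older than" configuration reproduces the manual's figure of 30 archives per day of data, and setting it to 2 brings that down to one; swapping the job order shows why the purge age has to be strictly greater than the archive and export ages rather than equal to them.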
For FTP: Specify the directory relative to the FTP account home directory.
3. Change the port that can be used to send files over SCP and FTP. The default port for
ssh/scp/sftp is 22. The default port for ftp is 20.
Note: A zero '0' shown as the port indicates that the default port is being used and
does not need to be changed.
1. In the Username box, enter the user name for logging onto the SCP or FTP server.
This user must have write/execute permissions for the directory specified in the
Directory box (above).
2. In the Password box, enter the password for the above user, then enter it again in
the Re-enter Password box.
3. Return to the archiving or backup procedure to complete the configuration.
Configure EMC Centera Archive or Backup
This backup or archiving task copies files to an EMC Centera storage system off-site. A
license is needed with user name and password from EMC. Four main actions are needed for
this task:
establish account with an EMC Centera on the network (IP addresses and a ClipID
are needed);
confirm that your files are indeed stored on the EMC Centera storage system.
CLI action
From the CLI, run the following commands:
store storage-system centera backup ON
show storage-system
GUI action
Select Administration Console > System Backup from the admin account. After selecting EMC
Centera in an archive or backup configuration panel, the following information must be
provided:
1. In the Retention box, enter the number of days to retain the data. The maximum is
24855 (68 years). If you want to save it for longer, you can restore the data later
and save it again.
2. In the Centera Pool Address box, enter the Centera Pool Connection String; for
example:
10.2.3.4,10.6.7.8?/var/centera/us1_profile1_rwe.pea
Note: These IP addresses and the .PEA file come from EMC Centera. The question mark is
required when configuring the path. The .../var/centera/... path name is important, as the backup
may fail if the path name is not followed. The .PEA file gives permissions, username and
password authentication per Centera backup request.
3. Click the Upload PEA File button to upload a Centera PEA file to be used for the
connection string. The Centera Pool Address is still needed.
Note: If the message "Cannot open the pool at this address.." appears, check the size
of the Guardium appliance host name. A timeout issue has been reported with Centera when
using host names that are less than four characters in length.
4. Click the Apply button to save the configuration. The system will attempt to verify
the Centera address by opening a pool using the connection string specified. If the
operation fails, you will be informed and the configuration will not be saved.
5. Then click Run Once Now to perform the backup using the downloaded .PEA file.
Define and export a library (this is performed with root access)
# export LD_LIBRARY_PATH=/usr/local/Centera/lib/ (set export library)
Confirm that your files have been copied to the EMC Centera. The name of the files and a
ClipID are required for this task.
Configure TSM Archive or Backup
Before archiving to a TSM server, a dsm.sys configuration file must be uploaded to the
Guardium appliance, via the CLI. See import tsm config in the CLI Reference Appendix.
After selecting TSM in an archive or backup configuration panel, the following information
must be provided:
1. In the Password box, enter the TSM password that this Guardium appliance will use
to request TSM services, and re-enter it in the Re-enter Password box.
2. Optionally enter a Server name matching a servername entry in your dsm.sys file.
3. Optionally enter an As Host name.
4. Click the Apply button to save the configuration. When you click the Apply button,
the system attempts to verify the TSM destination by sending a test file to the server
using the dsmc archive command. If the operation fails, you will be informed and the
configuration will not be saved.
5. Return to the archiving or backup procedure to complete the configuration.
Configure Results Archive
1. Select Administration Console > Results Archive.
2. In the boxes following Archive results older than, specify a starting day for the
archive operation as a number of days, weeks, or months prior to the current day,
which is day zero. These are calendar measurements, so if today is April 24, all
results created on April 23 are one day old, regardless of the time when the
EMC CENTERA
TSM
SCP
FTP
6. In the Comment box, optionally enter comments to be stored with the configuration.
7. Click Apply to verify and save the configuration changes. The system will attempt to
verify the configuration by sending a test data file to that location.
If the operation fails, an error message will be displayed and the configuration
will not be saved.
8. To run or schedule the archive and purge operation, do one of the following:
Click the Run Once Now button to run the operation once.
Before restoring from TSM, a dsm.sys configuration file must be uploaded to the
Guardium appliance, via the CLI. See import tsm config in the CLI Reference
Appendix.
Before restoring from EMC Centera, a pea file must be uploaded to the Guardium
appliance, via the Data Archive panel.
Before restoring on a Guardium collector, run the CLI command "stop inspection-core" to stop the inspection-core process. Note that data cannot be captured during
the restore process.
To restore data:
1. Select Administration Console > Data Restore.
2. Enter a date in the From box, to specify the earliest date for which you want data.
3. Enter a date in the To box, to specify the latest date for which you want data.
4. In the Host Name box, optionally enter the name of the Guardium appliance from
which the archive originated.
5. Click the Search button.
6. In the Search Results panel, mark the Select box for each archive you want to
restore.
7. In the Don't purge restored data for at least box, enter the number of days that
you want to retain the restored data on the appliance.
8. Click the Restore button.
9. Click Done when you are finished.
Catalog Archive
1. Select Administration Console >Data Management > Catalog Archive
2. Do one of the following:
To select multiple non-contiguous definitions: Hold down the Ctrl key and
click the mouse on each definition to be exported.
4. Click the Export button. Depending on your browser security settings, you may
receive a warning message asking if you want to save the file or to open it using an
editor.
5. Save the exported file in an appropriate location.
6. Click the Done button when you are finished.
Catalog Import
1. Select Administration Console > Data Management > Catalog Import
2. Enter the name of the file containing the exported catalog entries, or click the
Browse button to locate and select that file.
3. Click the Upload button. You are notified when the operation completes and the
definitions contained in the file will be displayed.
4. Optionally repeat the previous two steps to upload additional files.
5. Click the Import this set of Definitions icon to import a set of definitions, or click
the Remove this set of Definitions without Importing icon to remove the uploaded file
without importing the definitions.
6. You will be prompted to confirm either action.
7. Click the Done button when you have finished importing or removing all uploaded
files.
For FTP: Specify the directory relative to the FTP account home directory.
4. Change the port that can be used to send files over SCP and FTP. The default port for
ssh/scp/sftp is 22. The default port for ftp is 20.
5. In the Username box, enter the user name to use for logging in to the host
machine. This user must have write/execute permissions for the directory specified
in the Directory box (above).
6. In the Password box, enter the password for the above user, and enter it again in
the Re-enter Password box.
7. Click the Apply button to save the configuration. The system will attempt to verify
the configuration by sending a test data file to that location. If the operation fails, it
displays an error message. If the test file is transmitted successfully, the buttons in
the Scheduling panel will become active.
8. Do one of the following:
To export the files right now, click the Run Once Now button.
To schedule the export operation, click the Modify Schedule button. See
Scheduling in the Common Tools book if you need help using the generic task
scheduler.
System Backup
Use the System Backup function to define a backup operation that can be run on demand or
on a scheduled basis. All configuration information and data is written to a single encrypted
file and sent to the specified destination, using the transfer method configured for backups
on this appliance (see the transfer-method CLI command description in the CLI
Appendix).
To restore backed up system information, use the restore system CLI command (see the
description of that command in the CLI Appendix).
Note: System restore must be done to the same patch level of the system backup. For example,
if a customer backed up the appliance when it was on Version 7.0, Patch 7 and then wishes to
restore this backup into a newly-built appliance, then there is a need to first install Version 7.0,
Patches 1 to 7 on the appliance and only then to restore the file.
Mark the Data checkbox to back up all data. (If you are archiving data on a
regular basis, this is unnecessary.)
3. Select storage method radio button from the list below. Depending on how the
appliance has been configured, one or more of these buttons may not be available.
For a description of how to configure the archive and backup storage methods, see
the description of the show and store storage-system commands in the CLI
Appendix.
EMC CENTERA
TSM
SCP
FTP
4. Perform the appropriate procedure (below), depending on the storage method
selected:
5. Click Apply to verify and save the configuration changes. The system will attempt to
verify the configuration by sending a test data file to that location.
If the operation fails, an error message will be displayed and the configuration
will not be saved.
Click the Run Once Now button to run the operation once.
Export/Import Definitions
Export/Import Definitions Overview
Export Definitions
Import Definitions
Investigation Center
Export/Import Definitions Overview
If you have multiple systems with identical or similar requirements, and are not using
Central Management, you can define the components you need on one system and export
When exporting graphical reports, the presentation parameter settings (colors, fonts,
titles, etc.) are not exported. When imported, these reports will use the default
presentation parameter settings for the importing system.
Subscribed groups are not exported. When exporting definitions that reference
subscribed groups, the user must ensure that all referenced subscribed groups are
installed on the importing appliance (or Central Manager in a federated
environment).
The logs of Export/Import Definitions have the same retention period as the
monitored database activity logs.
Files exported from Guardium 7 cannot be imported into Guardium 8. For
example, policies exported from Guardium 7 cannot be imported into Guardium 8,
due to the enhanced capability of multi-action rules. Users need to re-export after an
upgrade. Another option is to call Guardium technical support for data migration
services.
When audit process definitions of scheduled runs (including schedule time) are
exported to another system, the ACTIVE check box in Audit Process Builder is not
checked (INACTIVE).
Schedule Start Time of an audit process defined on one appliance and exported to
another (unrelated) appliance - In the case that the original schedule start time is
defined, it is retained. In the case that the original schedule start time is not defined
(empty), then the imported schedule start time is set to the time it was imported.
When exporting a datasource with an open source driver, the open source driver will
not be included in the export. The user needs to first upload the open source driver
into the new system before importing the datasource definition that was created
using it, otherwise the data direct driver will be substituted for the open source
driver when it is imported.
Large complex imports can take a very long time and can exceed the length of the
user's session. If this happens and the session times out the import will continue to
run in the background until it completes.
When exporting the definition of classifier policies - any custom evaluation classes
associated with the policies are not exported with the definition. For the imported
policies to work custom evaluation classes must be uploaded separately.
Simplified Chinese and import that file to a Guardium system of English will not be
successful.
Importing Groups
When importing a group that already exists, members may be added, but no members will
be deleted.
Importing Aliases
When importing aliases, new aliases may be added, but no aliases will be deleted.
Ownership of Imported Definitions
When a definition is created, the user who creates it is saved as the owner of that definition.
The significance of this is that if no security roles are assigned to that definition, only the
owner and the admin user have access to it.
When a definition is imported, the owner is always changed to admin.
Roles for Imported Definitions
References to security roles are removed from exported definitions. So any imported
definitions will have no roles assigned.
Users for Imported Definitions
A reference to a user in an exported definition causes the user definition to be exported.
When definitions are imported, the referenced user definitions are imported only if they do
not already exist on the importing system. In other words, existing user definitions are
never overwritten. This has several implications, as described in the Duplicate Role and User
Implications topic, below.
In addition, imported user definitions are disabled. This means that imported users can
receive email notifications sent from the importing system, but they are not able to log into
that system, unless and until the administrator enables that account.
Duplicate Group and User Implications
As mentioned above, if a group referenced by an exported definition already exists on the
importing system, the definition of that group from the exporting system will not be
imported. This may create some confusion if the group is not used for the same purposes on
both systems.
If a user definition already exists on the importing system, it may not be for the same
person defined on the exporting system. For example, assume that on the exporting system
the user jdoe with the email address john_doe@aaa.com is a recipient of output from an
exported alert. Assume also that on the importing system, the jdoe user already exists for a
person with the email address jane_doe@zzz.com. The exported user definition is not
imported, and when the imported alert is triggered, email is sent to the jane_doe@zzz.com
address. In either case, when security roles or user definitions are not imported, check the
Access Map
Alert
Alias
Audit Process
Auto-discovery Process
CAS Hosts
CAS Template Sets
Classification Process
Access Rule
Classifier Policy
Custom Class Connection Permission
Custom Domain
Custom Table
Datasource
Event Type
Group
Named Template
Period (time period)
Policy (but not an included Baseline)
Privacy Set
Query
Replay
Report
Role
Security Assessment
User
Users database mapping
Users database permission
Users Hierarchy
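The rules in the Ownership, Roles, Users and Duplicate Group and User sections above interact, and the jdoe case shows how an import can quietly redirect alert e-mail. The following added example, which is not Guardium code, models those rules together: role references are stripped on export, the owner becomes admin on import, an existing definition is never replaced, referenced users travel with the definition but never overwrite an existing user and arrive disabled, and groups and aliases only gain entries. Record layouts are simplified to the fields the rules touch, the user and definition names are constructed, and one assumption goes beyond the text: an imported alias is not applied when an alias already exists for the same key (the manual says only that no aliases are deleted).

```python
"""Model of the Export/Import Definitions rules (added example, not Guardium code)."""
from dataclasses import dataclass, field, replace
from typing import Dict, List, Set, Tuple


@dataclass
class User:
    name: str
    email: str
    enabled: bool = True


@dataclass
class Definition:
    name: str
    kind: str                                         # e.g. "Alert"
    owner: str
    roles: Set[str] = field(default_factory=set)
    recipients: List[str] = field(default_factory=list)  # user names referenced by the definition


@dataclass
class Appliance:
    users: Dict[str, User] = field(default_factory=dict)
    groups: Dict[str, Set[str]] = field(default_factory=dict)
    aliases: Dict[str, str] = field(default_factory=dict)
    definitions: Dict[str, Definition] = field(default_factory=dict)


def export_definition(src: Appliance, name: str) -> Tuple[Definition, List[User]]:
    """Export one definition: role references are removed; referenced users come along."""
    d = src.definitions[name]
    exported = replace(d, roles=set(), recipients=list(d.recipients))
    return exported, [src.users[u] for u in d.recipients]


def import_definition(dst: Appliance, exported: Definition, users: List[User]) -> List[str]:
    """Apply the import rules; returns the notifications an administrator should read."""
    messages: List[str] = []
    for u in users:
        if u.name in dst.users:  # existing user definitions are never overwritten
            messages.append(f"user {u.name} already exists; kept {dst.users[u.name].email}")
        else:
            dst.users[u.name] = replace(u, enabled=False)  # imported users are disabled
    if exported.name in dst.definitions:  # an import never overwrites a definition
        messages.append(f"{exported.kind} '{exported.name}' was not replaced")
        return messages
    dst.definitions[exported.name] = replace(exported, owner="admin", roles=set())
    return messages


def import_groups(dst: Appliance, groups: Dict[str, Set[str]]) -> None:
    """Members may be added to an existing group; none are removed."""
    for name, members in groups.items():
        dst.groups.setdefault(name, set()).update(members)


def import_aliases(dst: Appliance, aliases: Dict[str, str]) -> None:
    """New aliases are added; an existing alias is kept (assumption: not replaced)."""
    for key, alias in aliases.items():
        dst.aliases.setdefault(key, alias)


def alert_recipients(app: Appliance, name: str) -> List[str]:
    """Where e-mail for a definition actually goes on this appliance."""
    return [app.users[u].email for u in app.definitions[name].recipients]


def demo() -> Tuple[Appliance, List[str]]:
    """The manual's jdoe scenario: same user name, different person on the importing system."""
    src = Appliance(
        users={"jdoe": User("jdoe", "john_doe@aaa.com")},
        definitions={"Failed logins": Definition("Failed logins", "Alert", "auditor1",
                                                 {"audit"}, ["jdoe"])},
    )
    dst = Appliance(users={"jdoe": User("jdoe", "jane_doe@zzz.com")})
    exported, users = export_definition(src, "Failed logins")
    messages = import_definition(dst, exported, users)
    import_groups(dst, {"Sensitive Objects": {"HR.SALARY"}})
    return dst, messages


if __name__ == "__main__":
    imported, notes = demo()
    print(notes)                                      # user jdoe already exists; kept jane_doe@zzz.com
    print(alert_recipients(imported, "Failed logins"))  # ['jane_doe@zzz.com']
```

After the import the alert is owned by admin, carries no roles, and sends to jane_doe@zzz.com; the only hint is the "already exists" notification, which is why the manual tells you to check the users and roles after any import that was not fully applied.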
Export Definitions
1. Select Administration Console > Guardium Definitions > Export.
2. From the Type list, select the single type of definition to export. The Definitions to
Export box will be populated with definitions of the selected type.
3. Select all of the definitions of this type to be exported.
To select multiple non-contiguous definitions: Hold down the Ctrl key and
click the mouse on each definition to be exported.
Note: Do not export a Policy definition whose name contains one or more quote characters. That definition
can be exported, but it cannot be imported. To export such a definition, make a clone of it, naming the
clone without using any quote characters, and export the clone.
4. Click the Export button. Depending on your browser security settings, you may
receive a warning message asking if you want to save the file or to open it using an
editor.
5. Save the exported file in an appropriate location.
6. Click the Done button when you are finished.
Import Definitions
1. Select Administration Console > Guardium Definitions > Import.
2. Enter the name of the file containing the exported definitions, or click the Browse
button to locate and select that file.
3. Click the Upload button. You are notified when the operation completes and the
definitions contained in the file will be displayed.
4. Optionally repeat the previous two steps to upload additional files.
Note: An import operation does not overwrite an existing definition. If you attempt to import a
definition with the same name as an existing definition, you are notified that the item was not
replaced. If you want to overwrite an existing definition with an imported one, you must delete
the existing definition before performing the import operation.
8. Click the Done button when you have finished importing or removing all uploaded
files.
Distributed Interface
Overview
Use this configuration screen to define the Distributed Interface and upload the Protocol
Buffer (.proto) file to the DIST_INT database. From this database, Query Domain metadata
is built automatically. After the metadata is built, the user can go to Custom Domain Builder
to modify or clone the data and build custom reports. The distributed interface data uses
protocol buffers. Protocol buffers are a flexible, efficient, and automated mechanism for
serializing structured data.
Configure Distributed Interface
1. Select Distributed Interface from Admin Console > Guardium Definitions.
2. Select an already created Distributed Interface from the Distributed Interface Finder.
Click on Modify or Delete for desired action.
3. Or click on the New button to create a new Distributed Interface.
4. In the Vendor ID box, enter the ID of the vendor (for example, 20000).
5. In the Domain Name box, enter the name of the domain that will be selectable from
Custom Domain Builder.
6. In the Include in aggregation box, a checkmark appears by default.
7. In the File Name box, enter or select via browsing a file name.
8. Click on Apply button to save this configuration.
9. Go to Custom Domain Builder (Tools > Report Building > Custom Domain Builder) to
build custom reports.
option java_package = "com.ibm.infosphere.bim.proto";
option java_outer_classname = "BimEvent";

// NOTE: AssetID and Property_type (== Property name!) are strings.
// For AssetID, it is safest to use a UUID since it provides a world-wide unique ID.
// This will be the key to the table of current metrics and property values.
// Per each asset, per each property, there will be one value (recent, or min, or max, etc.)

message EventTypeID {
  required string eventType                 // field number not present on the page
}

message AssetID {
  required string assetId = 1;
}

message InfoPropertyID {
  required string assetId = 1;
  required string propertyName = 2;
}

message MetricPropertyID {
  required string assetId = 1;
  required string propertyName = 2;
}

message AssetRelationID {
  // These are asset "native" ids
  required string sourceAssetId = 1;
  // = 2;                                   (field name not present on the page)
}

message RelationPropertyID {
  required string assetRelationId = 1;
  required string propertyName = 2;
}

message Event {
  optional InnerEvent innerEvent = 1;
}

message InnerEvent {
  // Common for all events
  optional EventTypeID eventTypeId = 1;
  optional string description = 2;
  // = 3; = 4; = 5; = 7; = 8;               (field names not present on the page)
}

message AssetInfoEvent {
  optional AssetID unique_key__ = 1;
  // = 2; = 3; = 4; = 5; = 6;               (field names not present on the page)
}

message InfoProperty {
  optional InfoPropertyID unique_key__ = 1;
  optional string value = 2;
}

message MetricPropertyEvent {
  optional AssetID assetId = 1;
  // = 2;                                   (field name not present on the page)
}

message MetricProperty {
  optional MetricPropertyID unique_key__ = 1;
  // = 2; = 3; = 4;                         (field names not present on the page)
  enum Data_type {
    DOUBLE = 1;
    LONG = 2;
    INT = 3;
    FLOAT = 4;
    DATE = 5;
    BOOLEAN                                 // value not present on the page
    // double_value                         (comment fragment on the page; the value it annotates is not recoverable)
    STRING = 7;                             // stored in string_value
  }
  optional Data_type dataType = 5;
  optional string unit = 6;                 // unit for the value
}

message AssetRelationEvent {
  optional AssetRelationID unique_key__ = 1;
  // = 2; = 3; = 4;                         (field names not present on the page)
}

message RelationshipProperty {
  optional RelationPropertyID unique_key__ = 1;
  optional string value = 2;
}

message RuleEvent {
  optional string ruleName = 1;
  optional bool enabled = 2;
}

// --- Metadata --- All unique identifiers must be defined here
message Identifier {
  optional InfoPropertyID infoPropertyId = 1;
  // = 2; = 3; = 4; = 5;                    (field names not present on the page; the message is cut off here)
Capture Replay
Use this feature for performance and capacity testing.
For performance testing, for example, take the data stream collected on one system with an
Oracle database and replay the data stream on a different system with an Oracle database.
Do this to see if one system is faster or slower in handling the data stream.
For capacity testing, take a data stream collected from one datasource and replay this data
stream on a different datasource. For example, take the data stream collected from a
system running an Oracle database and replay this data stream on a system using a DB2
database. Use this task to test the capacity of the second datasource to handle the amount
of data processed by the first datasource.
Notes:
The Replay feature works only on data captured with a Log Full Details policy.
Make sure that there are no Ignore actions in the policy. Ignore actions direct the
collector to leave out specific SQL transactions; if the SQL is not captured, it
cannot be replayed.
The source database must have active S-TAP and Inspection Engines.
Replay works on a standalone or managed unit collector.
S-TAP must be installed on any database used for Replay and must report to the same
Guardium appliance that the captured database reported to, so that the capture and the
replay can be analyzed together.
The progress of Capture/Replay jobs can be seen in the Guardium Job Queue report on
the Guardium Monitor tab or within the Capture/Replay tab.
If the captured data is not supported on the replay database, the query will fail. For
example, capturing an Oracle SELECT statement such as "select * from test.obj1"
will fail on Informix, since the '.' is not valid within Informix and Replay does not
transform the SELECT statement to "select * from test:obj1".
Bind variable capture is supported for DB2, Informix, and Oracle, and bind variables are
replayed the same as they were captured.
Configure Replay
Configuration of replay is the process of identifying which SQL stream, from a capture
policy, you are interested in. To configure capture replay, it is assumed that you have
already captured data on the Guardium appliance and that the data was captured with a
Log Full Details policy.
1. In the User view, click the Capture/Replay tab; users with the admin role instead
select Tools > Config and Control > Replay Builder.
2. Click the Configuration tab.
3. To define a new replay, click the New button to clear any pre-populated fields,
and then populate the following fields:
Parameter        Description
Name
Period Start     required - the start time of the captured data at which replay should begin
Period End       required - the end time of the captured data at which replay should end
DB Type
Server IP        optional
Client IP        optional
DB User          optional
DB Name          optional
Service Name     optional
Net protocol     optional
Source program   optional
4. When done configuring these values, click the Apply button. By default the status
of this replay configuration will be 'Not Staged', meaning that although it has been
configured there is no capture data associated with it yet. The replay configuration
can only be replayed after it has been staged.
Parameter        Description
Description
Name
Datasource Name
Speed Rate       The speed at which to run the replay, for example: 0 = no delay (as fast
                 as it can run on the second datasource), 0.1 = 10x slower, 1 = same
                 speed, 10 = 10x faster.
                 Note: The speed setting is approximate. There are many normal system
                 and data handling processes and acknowledgements that will slow the
                 speed down.
Repeat times
Commit Methods
Log box
6. When done configuring the Replay Schedule Setups, click the Apply button to
save the replay schedule.
7. To run the replay schedule setup once, click the Run Once Now button to replay a
data stream.
8. To assign a schedule to the selected replay schedule setup, click the Modify
Schedule button.
9. If a schedule has been defined, you may click the Pause button to deactivate the
schedule.
10. If a schedule has been defined but is paused, click the Resume button to
reactivate the schedule.
Note: Any comments in the original captured statements are removed during replay.
Data Staging
Staged Data - Shows, for a selected replay configuration, the staged SQL. By default the
value of the config ID is empty; the user must modify the runtime parameter through
the Customize option and enter the config ID they would like to see.
Replay Statistics - Shows some high-level replay execution statistics.
Capture-Capture List
Capture-Replay List
Replay-Replay List
SQL Workload Summary Drill Down - after invoking one of the aggregation APIs
(from the invoke icon), allows the user to compare the differences between the two
captured workloads, providing insight into how the SQL ran in each.
Capture/Replay List
A listing of all the Captures that have been configured and have a Replay associated with
them. It is used to examine the differences between the captured SQL and the replay of
that SQL on a target database system. If a capture configuration has not been replayed,
it will not appear in the list.
The Capture-Replay List may be used to examine problems and differences in database
workloads on the same, similar, or different database systems. Additional reports,
available by double-clicking on a Capture-Replay List row, include:
Compare Avg Execution Time - lists the average execution time for capture and replay
Compare Rows Retrieved - lists the number of rows retrieved for capture and replay
Compare SQL Execution - lists the execution counts for capture and replay
Compare SQL Failures - lists the failure count for capture and replay
Replay Exception From Drill Down - lists the exceptions encountered during the capture
Replay Exception To Drill Down - lists the exceptions encountered during the replay
SQL Workload Summary Drill Down - after invoking one of the aggregation APIs
(from the invoke icon), allows the user to compare the differences between the
capture and replay workloads, providing insight into how the SQL ran in each.
Replay/Replay List
A listing of all the Replays that have been performed against the same capture
configuration.
The Replay-Replay List may be used to examine problems and differences in database
workloads on the same, similar, or different database systems with the same capture
configuration. Additional reports, available by double-clicking on a Replay-Replay List
row, include:
Compare Avg Execution Time - lists the average execution time for the two replays
Compare Rows Retrieved - lists the number of rows retrieved for the two replays
Compare SQL Execution - lists the execution counts for the two replays
Compare SQL Failures - lists the failure count for the two replays
Replay Exception From Drill Down - lists the exceptions encountered during the capture
Replay Exception To Drill Down - lists the exceptions encountered during the replay
SQL Workload Summary Drill Down - after invoking one of the aggregation APIs
(from the invoke icon), allows the user to compare the differences between the two
replay workloads, providing insight into how the SQL ran in each.
Workload Comparison
The Workload Comparison tab does not exist the first time a user opens the Capture/Replay
tab; it appears only after the first workload comparison has been done. Workload
comparisons are done by double-clicking on a Capture-Capture List, Capture-Replay List,
or Replay-Replay List row detail and selecting View Workload Comparison.
The following table shows the reports available after selecting View Workload
Comparison from each of the Capture Replay Lists:
Reports available, per list (Capture-Capture List, Capture-Replay List, Replay-Replay
List; the per-list availability marks did not survive in this copy of the table):
Data Staging
Summary Comparison
    Compare Avg Execution Time
    Compare SQL Exceptions
    Compare Rows Retrieved
    Compare SQL Failures
Workload Aggregate Match
Workload Exceptions
Workload Match
Available Reports
Data Staging - shows the Full SQL, that is, the staged data that was used and executed
during replay.
Summary Comparison - provides a high-level look into the differences between the capture
and the replay, consisting of:
Compare Avg Execution Time - how the execution time differed between capture and replay
Compare SQL Exceptions - how the number of SQL exceptions differed between capture
and replay
Compare Rows Retrieved - how the number of rows returned differed between capture
and replay
Compare SQL Failures - how many SQL failures there were in the capture and in the replay
Workload Aggregate Match - after invoking queue_replay_agg_match_by_id or
queue_replay_object_agg_match_by_id from the Capture-Capture List, Capture-Replay
List, or Replay-Replay List, aggregates by SQL the statistics that allow the user to
compare the differences between the selected workloads. Which API to use depends on
whether the two selected workloads are of the same database type: for databases of the
same type use queue_replay_agg_match_by_id; for databases of differing types use
queue_replay_object_agg_match_by_id.
Note: For Workload Aggregate Match, switching between queue_replay_agg_match_by_id
and queue_replay_object_agg_match_by_id deletes the previous report results for the
selected workloads, since both APIs write to the same report (Workload Aggregate Match).
Note: The Workload Aggregate Match includes all the data that appears during the periods
selected (full hours). If you look at the SQL statements on the report you might see SQL
that was not actually replayed. To see only the specific SQL that was replayed, use the
Workload Match report.
Workload Exceptions - shows the SQL that generated exceptions during replay.
Workload Match - after invoking queue_replay_match_by_id, provides a side by side
comparison of each SQL statement and a statistical comparison between the two selected
workloads. queue_replay_match_by_id can also use defined groups to include or exclude
database objects. Two groups are predefined, Replay-Exclude from Compare and
Replay-Include in Compare; go to Group Builder to see which objects have been defined
in them or to modify these groups.
Note: For Workload Match, by default the reports show the SQL statements that appear in
both the capture and the replay. To see unmatched SQL, customize the report by changing
its runtime parameters: 1. to see the SQL that is in the replay but not in the capture,
set capturedFullSQLLike to "" and replayFullSQLLike to %; 2. to see the SQL that is in
the capture but not in the replay, set capturedFullSQLLike to % and replayFullSQLLike
to "".
Transaction Status
When viewing the SQL for a capture or replay, various reports include a status column.
This column indicates, for each transaction, the transaction status observed during
replay, using the following values:
Value   Status
0       ROLLBACK
1       COMMIT
2       NO_STATUS (this is the default)
4       AUTOCOMMIT_ON
8       AUTOCOMMIT_OFF
5       AUTOCOMMIT_ON + COMMIT
6       AUTOCOMMIT_ON + NO_STATUS
9       AUTOCOMMIT_OFF + COMMIT
10      AUTOCOMMIT_OFF + NO_STATUS
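The status values above compose by addition (5 is AUTOCOMMIT_ON + COMMIT, 10 is AUTOCOMMIT_OFF + NO_STATUS), so a report's status column can be decoded as a small set of bit flags rather than looked up one value at a time. The Python block below is an added example written for this page, not Guardium code; the bit-flag reading is inferred from the listed values, the rule that COMMIT/NO_STATUS and the two AUTOCOMMIT flags are mutually exclusive is an assumption drawn from the same list, and the sample status column is constructed.

```python
# Added example for this page (not Guardium code): decode the numeric transaction
# status shown in the capture/replay reports. The listed values compose by addition
# (5 = AUTOCOMMIT_ON 4 + COMMIT 1, 10 = AUTOCOMMIT_OFF 8 + NO_STATUS 2), so this
# decoder treats them as bit flags; that reading is inferred from the table above,
# not stated by the page.

COMMIT = 1          # transaction committed
NO_STATUS = 2       # no explicit end of transaction seen (the default)
AUTOCOMMIT_ON = 4   # session had autocommit on
AUTOCOMMIT_OFF = 8  # session had autocommit off
# 0 with no flag set is ROLLBACK

# The nine values the page documents, used to check the decoder against them.
DOCUMENTED = {
    0: "ROLLBACK",
    1: "COMMIT",
    2: "NO_STATUS",
    4: "AUTOCOMMIT_ON",
    8: "AUTOCOMMIT_OFF",
    5: "AUTOCOMMIT_ON + COMMIT",
    6: "AUTOCOMMIT_ON + NO_STATUS",
    9: "AUTOCOMMIT_OFF + COMMIT",
    10: "AUTOCOMMIT_OFF + NO_STATUS",
}


def is_valid_status(code):
    """A code is valid when it uses only the four flags and does not combine
    mutually exclusive ones (COMMIT with NO_STATUS, or both AUTOCOMMIT flags).
    Exactly the nine documented values pass this check."""
    if not isinstance(code, int) or code < 0 or code > 15:
        return False
    if code & COMMIT and code & NO_STATUS:
        return False
    if code & AUTOCOMMIT_ON and code & AUTOCOMMIT_OFF:
        return False
    return True


def decode_status(code):
    """Return the status label, e.g. 9 -> 'AUTOCOMMIT_OFF + COMMIT'."""
    if not is_valid_status(code):
        raise ValueError(f"not a recognised transaction status: {code!r}")
    parts = []
    if code & AUTOCOMMIT_ON:
        parts.append("AUTOCOMMIT_ON")
    if code & AUTOCOMMIT_OFF:
        parts.append("AUTOCOMMIT_OFF")
    if code & COMMIT:
        parts.append("COMMIT")
    elif code & NO_STATUS:
        parts.append("NO_STATUS")
    elif not parts:
        parts.append("ROLLBACK")  # only a bare 0 means rollback
    return " + ".join(parts)


def decoder_matches_documentation():
    """True when every documented value decodes to the documented label."""
    return all(decode_status(code) == label for code, label in DOCUMENTED.items())


def status_histogram(status_codes):
    """Count report rows per decoded status, a quick view of how a replay ended
    its transactions; codes outside the documented set are counted as INVALID."""
    counts = {}
    for code in status_codes:
        label = decode_status(code) if is_valid_status(code) else "INVALID"
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed status column taken from a replay report; 12 is deliberately
# invalid (AUTOCOMMIT_ON and AUTOCOMMIT_OFF at once).
SAMPLE_STATUS_COLUMN = [1, 1, 5, 5, 5, 0, 2, 10, 12]

if __name__ == "__main__":
    print("decoder agrees with the documented table:", decoder_matches_documentation())
    print(status_histogram(SAMPLE_STATUS_COLUMN))
```

Checking the decoder against the documented table once (decoder_matches_documentation) is what justifies using it on a report export; any value outside the nine documented codes is surfaced as INVALID rather than silently mapped.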
S-TAP Certification
Use this function to block unauthorized S-TAPs from connecting to the Guardium appliance.
If there is a checkmark in the S-TAP Approval Needed box, then S-TAPs cannot connect until
they are specifically approved.
If an unapproved S-TAP connects, it is immediately disconnected until someone goes to this
GUI screen and specifically authorizes the IP address of that S-TAP.
There is a pre-defined report for approved clients, "Approved TAP clients"; it is available
on the "Daily Monitor" tab.
This function can also be controlled via the CLI command stap approval ON | OFF (store
stap certification ON | OFF, show stap certification ON | OFF) and via the GuardAPI
command grdapi store_stap_approval.
The new configuration takes effect after running the "restart inspection-core" command.
Approve S-TAPs
1. Place a checkmark in the box for S-TAP Approval Needed.
2. Then specify the Approved S-TAP clients.
Note: Use the valid IP address, not the host name.
Note: Within a centrally managed environment, after adding the IPs to the approved
S-TAPs, there is a synchronization wait time that might take up to an hour. After
synchronization is complete, the status of the approved S-TAPs will appear green in the
GUI.
Custom Alerting in the Monitor & Enforce help book describes how to implement and
test a custom alerting class.
Manage Custom Classes in the Administration Guide describes how to upload, update
or remove custom classes.
To modify a key, select it from the list and click the Modify button.
To remove a key, select it from the list, click the Remove button, and confirm
the action. This completes the Remove procedure.
2. In the SSH Public Key Edit panel, for a new key, enter a Host name or IP address
(this field is required).
3. Paste the public key in the Public Key box.
4. Click the Apply button to save any changes.
5. Click the Back button to return to the SSH Public Key Management panel.
6. Click the Generate button to generate a new public key for this host.
7. Click the Cancel button to close this panel.
Set the query timeout for all reports and monitors running in a portlet. Other query
processes, such as policy simulations, audit processes, baseline generations and
internal processes, are not affected by this timeout value. The default is 60 seconds.
Kill any currently running user query. Some queries listed in this panel, audit
processes for example, may exceed the query timeout specified. That is expected,
because the Report/Monitor query timeout applies only to reports and monitors
running in a portlet.
We do not recommend setting the Query Timeout above the default setting (60 seconds) for
an extended period of time. Raising this limit increases the chances of overloading the
system with ad hoc reporting activity.
To change the timeout setting, type a number of seconds in the Report/Monitor Query
Timeout box, and click the Update button. You will be informed when the update has been
completed.
To kill a running query, mark it in the list and click the Kill button.
The query type will be one of the following: Report/Monitor, Audit Process, Policy
Simulation, Configuration, or Definitions.
Legal Notices
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in other
countries. Consult your local IBM representative for information on the products and
services currently available in your area. Any reference to an IBM product, program, or
service is not intended to state or imply that only that IBM product, program, or service
may be used. Any functionally equivalent product, program, or service that does not
infringe any IBM intellectual property right may be used instead. However, it is the user's
responsibility to evaluate and verify the operation of any non-IBM product, program, or
service.
IBM may have patents or pending patent applications covering subject matter described in
this document. The furnishing of this document does not grant you any license to these
patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.
For license inquiries regarding double-byte character set (DBCS) information, contact the
IBM Intellectual Property Department in your country or send inquiries, in writing, to:
Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan Ltd.
1623-14, Shimotsuruma, Yamato-shi
Kanagawa 242-8502 Japan
The following paragraph does not apply to the United Kingdom or any other country where
such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES
CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND,
EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR
PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain
transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are
periodically made to the information herein; these changes will be incorporated in new
editions of the publication. IBM may make improvements and/or changes in the product(s)
and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only
and do not in any manner serve as an endorsement of those Web sites. The materials at
those Web sites are not part of the materials for this IBM product and use of those Web
sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes
appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of
enabling: (i) the exchange of information between independently created programs and
other programs (including this one) and (ii) the mutual use of the information which has
been exchanged, should contact:
IBM Corporation
J46A/G4
555 Bailey Avenue
San Jose, CA 95141-1003 U.S.A.
Such information may be available, subject to appropriate terms and conditions, including in
some cases, payment of a fee.
The licensed program described in this document and all licensed material available for it
are provided by IBM under terms of the IBM Customer Agreement, IBM International
Program License Agreement or any equivalent agreement between us.
Any performance data contained herein was determined in a controlled environment.
Therefore, the results obtained in other operating environments may vary significantly.
Some measurements may have been made on development-level systems and there is no
guarantee that these measurements will be the same on generally available systems.
Furthermore, some measurements may have been estimated through extrapolation. Actual
results may vary. Users of this document should verify the applicable data for their specific
environment.
Information concerning non-IBM products was obtained from the suppliers of those
products, their published announcements or other publicly available sources. IBM has not
tested those products and cannot confirm the accuracy of performance, compatibility or any
other claims related to non-IBM products. Questions on the capabilities of non-IBM products
should be addressed to the suppliers of those products.
All statements regarding IBM's future direction or intent are subject to change or withdrawal
without notice, and represent goals and objectives only.
This information is for planning purposes only. The information herein is subject to change
before the products described become available.
This information contains examples of data and reports used in daily business operations.
To illustrate them as completely as possible, the examples include the names of individuals,
companies, brands, and products. All of these names are fictitious and any similarity to the
names and addresses used by an actual business enterprise is entirely coincidental.
This information contains sample application programs in source language, which illustrate
programming techniques on various operating platforms. You may copy, modify, and
distribute these sample programs in any form without payment to IBM, for the purposes of
developing, using, marketing or distributing application programs conforming to the
application programming interface for the operating platform for which the sample programs
are written. These examples have not been thoroughly tested under all conditions. IBM,
Trademarks
IBM, the IBM logo, ibm.com and Guardium are trademarks of International Business
Machines Corp., registered in many jurisdictions worldwide. Other product and service
names might be trademarks of IBM or other companies. A current list of IBM trademarks is
available on the Web at www.ibm.com/legal/copytrade.shtml.
The following terms are trademarks or registered trademarks of other companies:
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or
both.
Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other
countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United
States, other countries, or both.