IBM Security Guardium


Guardium ELB Configuration

  • 1.  Guardium ELB Configuration

    Posted Thu March 05, 2020 06:47 AM
    Hello

    I have a Guardium configuration with 1 CM - Aggregator and 2 Collectors. I have enabled Enterprise Load Balancing for all S-TAPs. The CM is the Load Balancer.

    I see that at the CM (Aggregator) I am receiving traffic from the same database from both Collectors, which confirms that the load balancing is working properly (not just failover).

    The problem I have is with the S-TAP status monitor. The inspection engine status is green only on one collector, which is declared as primary. But since I'm in load balancing, why have a primary and a secondary? Normally, on both collectors and on the S-TAP status monitor, the S-TAP should be green.

    No problem with the S-TAP control, everything is green on both collectors.

    Is this normal behavior, or did I miss something in the S-TAP configuration?

    Thank you for your feedback

    Regards

    ------------------------------
    Mohamed AFEILAL
    ------------------------------


  • 2.  RE: Guardium ELB Configuration

    IBM Champion
    Posted Thu March 05, 2020 07:40 AM
    Hi Mohamed,

    The behavior depends on what you have set for STAP_LOAD_BALANCER_NUM_MUS, and also on the version of the S-TAP you are running.

    My experience running v10.5 appliance and STAPs:

    STAP_LOAD_BALANCER_NUM_MUS = 1: the CM will assign one collector as the primary. If the collector goes down, the CM will assign another collector. If the primary collector goes down and the CM isn't available, the S-TAP will stop.

    STAP_LOAD_BALANCER_NUM_MUS = 2: the CM will assign a primary and a secondary; only the primary should log session data. My experience has been that the S-TAP will show green on both collectors. The main reason you would want to use 2 is to safeguard against the CM not being available to assign another collector: if the primary collector were to go down, the S-TAP would fail over to the secondary.

    STAP_LOAD_BALANCER_NUM_MUS = 3 or greater: I haven't tested this functionality because, according to support, it doesn't work until v10.6, but I understand that it will allow the S-TAP to send sessions to multiple collectors. I don't understand it to be duplication, but rather that in the event the S-TAP gets overloaded it will divide its load.

    ------------------------------
    WendyZ
    ------------------------------



  • 3.  RE: Guardium ELB Configuration

    Posted Thu March 05, 2020 07:59 AM
    Hello Wendy

    I'm on version 11.1.

    I tried everything, NUM_MUS = 2 and 3.

    I just switched one S-TAP to 3. Below are the messages I got:

    LOG_NOTICE MSG(203) MODULE(1) SEV(2) COUNT(1) Secondary TLS main connection established with: Collector1_IP 2020-03-05 13:53:18.0
    LOG_DEBUG MSG(248) MODULE(1) SEV(0) COUNT(1023) Pour failover info from file client_ip=a02175a, server_ip=a02280c, sport=63130, dport=14342 2020-03-05 13:53:18.0
    LOG_ERR FIPS 140-2 mode not available 2020-03-05 13:48:19.0
    LOG_NOTICE MSG(297) MODULE(1) SEV(2) COUNT(1) Got managed unit(s) "Collector2_IP;Collector1_IP" from load balancer CM-IP 2020-03-05 13:48:19.0
    LOG_WARNING MSG(298) MODULE(1) SEV(3) COUNT(1) Received 2 MUs while 3 were requested. Stap will have reduced functionality 2020-03-05 13:48:19.0
    LOG_NOTICE MSG(510) MODULE(1) SEV(2) COUNT(1) FAM is disabled in guard_tap.ini 2020-03-05 13:48:19.0
    LOG_NOTICE MSG(511) MODULE(1) SEV(2) COUNT(1) FAM is disabled in guard_tap.ini 2020-03-05 13:48:19.0
    LOG_NOTICE MSG(347) MODULE(1) SEV(2) COUNT(1) Guardium TAP starting 2020-03-05 13:48:19.0
    LOG_DEBUG MSG(248) MODULE(1) SEV(0) COUNT(1) Pour failover info from file client_ip=a022810, server_ip=a02280c, sport=63398, dport=14342 2020-03-05 13:48:19.0
    LOG_NOTICE MSG(203) MODULE(1) SEV(2) COUNT(1) Primary TLS main connection established with: collector2_IP 2020-03-05 13:48:19.0
    LOG_WARNING MSG(238) MODULE(1) SEV(3) COUNT(1) Connected to Primary Server Collector2_IP 2020-03-05 13:48:19.0
    LOG_NOTICE UTAP 'DataBase_IP' configuration changed, differences: Section 'TAP' parameter 'load_balancer_num_mus' changed from '2' to '3' 2020-03-05 13:48:18.0
    LOG_ALERT MSG(365) MODULE(1) SEV(5) COUNT(1) Got new configuration 2020-03-05 13:48:03.0

    No change in the S-TAP status monitor. Green only on one collector.

    ------------------------------
    Mohamed AFEILAL
    ------------------------------
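    As an added example (not code from this thread or from IBM Guardium), the following Python script parses S-TAP log lines in the layout quoted above, collects the ELB facts from messages 297 (managed units received), 298 (MUs received versus requested) and 203 (primary/secondary TLS connections) plus the configuration-change line, and flags the case the warning describes: the load balancer returned fewer managed units than load_balancer_num_mus requested. The sample log, IP addresses and host name are constructed placeholders; only the message numbers and line format follow the quoted log, and the paste is newest-first, so the parser sorts by timestamp before building the summary.

```python
"""Summarise Guardium S-TAP Enterprise Load Balancing (ELB) state from log lines.

Added example, not code from the thread or from IBM. The message numbers and
line layout follow the log quoted in the thread; everything else is assumed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the quoted S-TAP log. Addresses and host
# name are placeholders (RFC 5737 test range). Newest line first, as pasted.
SAMPLE_LOG = """\
LOG_NOTICE MSG(203) MODULE(1) SEV(2) COUNT(1) Secondary TLS main connection established with: 192.0.2.11 2020-03-05 13:53:18.0
LOG_NOTICE MSG(297) MODULE(1) SEV(2) COUNT(1) Got managed unit(s) "192.0.2.12;192.0.2.11" from load balancer 192.0.2.1 2020-03-05 13:48:19.0
LOG_WARNING MSG(298) MODULE(1) SEV(3) COUNT(1) Received 2 MUs while 3 were requested. Stap will have reduced functionality 2020-03-05 13:48:19.0
LOG_NOTICE MSG(203) MODULE(1) SEV(2) COUNT(1) Primary TLS main connection established with: 192.0.2.12 2020-03-05 13:48:19.0
LOG_NOTICE UTAP 'db01' configuration changed, differences: Section 'TAP' parameter 'load_balancer_num_mus' changed from '2' to '3' 2020-03-05 13:48:18.0
LOG_ALERT MSG(365) MODULE(1) SEV(5) COUNT(1) Got new configuration 2020-03-05 13:48:03.0
"""

TS = r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d)"
# Level, optional "MSG(n) MODULE(n) SEV(n) COUNT(n)" prefix, free-text body, trailing timestamp.
LINE_RE = re.compile(
    r"^(LOG_\w+)\s+(?:MSG\((\d+)\)\s+MODULE\(\d+\)\s+SEV\(\d+\)\s+COUNT\(\d+\)\s+)?(.*?)\s+" + TS + r"$"
)
MUS_RE = re.compile(r'Got managed unit\(s\) "([^"]*)" from load balancer (\S+)')
COUNT_RE = re.compile(r"Received (\d+) MUs while (\d+) were requested")
CONN_RE = re.compile(r"(Primary|Secondary) TLS main connection established with: (\S+)")
CHANGE_RE = re.compile(r"parameter '(\w+)' changed from '([^']*)' to '([^']*)'")


@dataclass
class ElbState:
    load_balancer: Optional[str] = None
    managed_units: List[str] = field(default_factory=list)
    requested: Optional[int] = None
    received: Optional[int] = None
    primary: Optional[str] = None
    secondaries: List[str] = field(default_factory=list)
    changes: Dict[str, Tuple[str, str]] = field(default_factory=dict)
    findings: List[str] = field(default_factory=list)


def parse_lines(text: str) -> List[Tuple[str, str, Optional[int], str]]:
    """Return (timestamp, level, msg_id, body) tuples, oldest first."""
    rows = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            level, msg_id, body, ts = m.groups()
            rows.append((ts, level, int(msg_id) if msg_id else None, body))
    # The paste is newest-first; reverse, then stable-sort by timestamp so
    # lines sharing a timestamp keep their original relative order.
    return sorted(reversed(rows), key=lambda r: r[0])


def summarise(text: str) -> ElbState:
    """Build the ELB picture the log describes and attach consistency findings."""
    st = ElbState()
    for _ts, _level, msg_id, body in parse_lines(text):
        m = None
        if msg_id == 297 and (m := MUS_RE.search(body)):
            st.managed_units = [ip for ip in m.group(1).split(";") if ip]
            st.load_balancer = m.group(2)
        elif msg_id == 298 and (m := COUNT_RE.search(body)):
            st.received, st.requested = int(m.group(1)), int(m.group(2))
        elif msg_id == 203 and (m := CONN_RE.search(body)):
            role, ip = m.groups()
            if role == "Primary":
                st.primary = ip
            elif ip not in st.secondaries:
                st.secondaries.append(ip)
        elif m := CHANGE_RE.search(body):
            st.changes[m.group(1)] = (m.group(2), m.group(3))

    # Finding 1: fewer MUs than load_balancer_num_mus asked for (the thread's MSG 298).
    if st.requested is not None and st.received is not None and st.received < st.requested:
        st.findings.append(
            f"load balancer returned {st.received} MU(s) but load_balancer_num_mus={st.requested}; "
            "S-TAP runs with reduced functionality (add collectors to the MU group or lower the setting)"
        )
    # Finding 2: the primary the S-TAP connected to is not in the list the CM handed out.
    if st.managed_units and st.primary and st.primary not in st.managed_units:
        st.findings.append(f"primary {st.primary} is not among managed units {st.managed_units}")
    # Finding 3: the MU list and the reported count disagree (corrupted or partial log).
    if st.managed_units and st.received is not None and len(st.managed_units) != st.received:
        st.findings.append(f"MU list has {len(st.managed_units)} entries but MSG 298 reports {st.received}")
    return st


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    print(f"load balancer : {s.load_balancer}")
    print(f"managed units : {s.managed_units}")
    print(f"primary       : {s.primary}   secondaries: {s.secondaries}")
    print(f"requested/received MUs: {s.requested}/{s.received}")
    print(f"config changes: {s.changes}")
    for f in s.findings:
        print("FINDING:", f)
```

    Pointing the script at a real S-TAP log (the same regular expressions apply line by line) gives a quick answer to the question raised in this thread: which collector the CM actually designated as primary, which ones it returned as managed units, and whether the S-TAP is silently running with fewer MUs than configured.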



  • 4.  RE: Guardium ELB Configuration

    Posted Thu March 05, 2020 08:17 AM
    For more information:

    During S-TAP installation 'Set up by client' I set the parameter STAP_SQLGUARD_IP to collector1_IP and STAP_ADDITIONAL_SQLGUARD_IPS to NULL.

    After installation I see that STAP_SQLGUARD_IP takes the value collector2_IP and STAP_ADDITIONAL_SQLGUARD_IPS takes the value collector1_IP.

    Why did Guardium choose collector2_IP as its main one? The installation was made from collector1_IP.

    Regards

    ------------------------------
    Mohamed AFEILAL
    ------------------------------



  • 5.  RE: Guardium ELB Configuration

    IBM Champion
    Posted Thu March 05, 2020 08:32 AM
    When you enable Enterprise Load Balancing by setting STAP_PARTICIPATE_IN_LOAD_BALANCING = 0, you no longer set STAP_SQLGUARD_IP. Instead you set STAP_LOAD_BALANCER_IP to your CM. The CM will determine what is populated in the STAP_SQLGUARD_IP parameter when it designates the primary collector. Additionally, if you set STAP_SQLGUARD_IP, it will get overridden. That is functioning as intended.

    I assume that you've set up S-TAP and Managed unit groups and associated them? It may not be necessary since you only have a CM, AGG and two collectors, but if you expand it will be necessary. It is how the CM determines which collectors to assign an S-TAP to. When an S-TAP has been missing from my S-TAP group I've had many issues.
    https://www.ibm.com/support/knowledgecenter/en/SSMPHH_11.1.0/com.ibm.guardium.doc.admin/aggregate_cm/load_balancing_associating_staps_mus.html



    ------------------------------
    Wendy Zemba
    ------------------------------



  • 6.  RE: Guardium ELB Configuration

    Posted Thu March 05, 2020 08:51 AM
    Yes, I have created a group containing all the S-TAPs and assigned it to a group containing both collectors.

    I think it's like this.

    The problem of checking the Inspection Engine still persists. The control is OK only from one collector (STAP_SQLGUARD_IP): the 'main'.

    ------------------------------
    Mohamed AFEILAL
    ------------------------------



  • 7.  RE: Guardium ELB Configuration

    Posted Fri March 06, 2020 08:41 AM
    "The problem of checking the Inspection Engine still persists. The control is OK only from one collector (STAP_SQLGUARD_IP): the 'main'"

    Regarding this point, is the S-TAP installed on a Linux cluster? If so, try adding the following parameter to the S-TAP config on the CM:
    STAP_WAIT_FOR_DB_EXEC = 1 (or greater)

    More info can be found in the following link:
    https://www.ibm.com/support/knowledgecenter/SSMPHH_11.1.0/com.ibm.guardium.doc.stap/stap/r_stapparmsu_tap1.html


    ------------------------------
    MARAT WOLFSON
    ------------------------------



  • 8.  RE: Guardium ELB Configuration

    Posted Fri March 06, 2020 08:42 AM
    Hi Mohamed,

    Regarding this point: "The problem of checking the Inspection Engine still persists. The control is OK only from one collector (STAP_SQLGUARD_IP): the 'main'"

    Is the S-TAP installed on a Linux cluster? If so, please add the following parameter to the S-TAP config on the CM:
    STAP_WAIT_FOR_DB_EXEC = 1 (or higher)

    More info can be found in the following link:
    https://www.ibm.com/support/knowledgecenter/SSMPHH_11.1.0/com.ibm.guardium.doc.stap/stap/r_stapparmsu_tap1.html


    ------------------------------
    MARAT WOLFSON
    ------------------------------



  • 9.  RE: Guardium ELB Configuration

    Posted Mon March 09, 2020 09:25 AM
    Hi Marat

    All S-TAPs are under AIX 6.1.

    Regards

    ------------------------------
    Mohamed AFEILAL
    ------------------------------



  • 10.  RE: Guardium ELB Configuration

    Posted Thu March 05, 2020 09:19 AM
    Hi Wendy

    I re-installed the S-TAP without specifying the following parameters:

    STAP_ADDITIO..._SQLGUARD_IPS
    STAP_SQLGUARD_IP

    The installation ends with failure.

    But when I set them, the installation ends normally.

    In my opinion, it is necessary to specify these two mandatory parameters.

    ------------------------------
    Mohamed AFEILAL
    ------------------------------



  • 11.  RE: Guardium ELB Configuration

    Posted Wed June 17, 2020 12:21 PM
    Hi Wendy,

    I have recently set up load balancing. I created each managed group with 3 collectors in it. I have configured the parameters STAP_PARTICIPATE_IN_LOAD_BALANCING=4 and STAP_LOAD_BALANCER_NUM_MUS = 3, and I have also created an S-TAP group of 12 S-TAPs. I configured the STAP_SQLGUARD_IP parameter as collector 1 for 4 S-TAPs, collector 2 for another 4 S-TAPs and collector 3 for the remaining 4 S-TAPs. But after I installed all the changes, I can see in the IE on collectors 1, 2 and 3 that for all the S-TAPs the Guardium primary host shows up as collector 2, while collector 1 and collector 3 show as secondary hosts. We are having an issue with high memory utilization and high CPU utilization on collector 2.

    Why are all the S-TAPs pointing to collector 2 when I have set up a different collector for each 4 S-TAPs? Every time I change STAP_SQLGUARD_IP to a different collector, it still shows up on collector 2.

    Please let me know what I am doing wrong, or whether there is a bug with Load Balance.

    thanks,
    farah
    ------------------------------
    farah zabe
    ------------------------------



  • 12.  RE: Guardium ELB Configuration

    Posted Thu March 05, 2020 08:54 AM
    For this small configuration you should consider manually setting up a primary and a failover collector for each S-TAP.

    ------------------------------
    Zbigniew (Zibi) Szmigiero
    IBM
    Warsaw
    ------------------------------



  • 13.  RE: Guardium ELB Configuration

    Posted Thu March 05, 2020 09:21 AM
    Hello Zibi

    Can you please be more explicit? What do you mean by manual install first?

    Regards

    ------------------------------
    Mohamed AFEILAL
    ------------------------------



  • 14.  RE: Guardium ELB Configuration

    Posted Thu March 05, 2020 09:54 AM

    I suggest not using ELB for your configuration.

    BTW, why do you reinstall the S-TAPs to change parameters?

    S-TAP reinstallation can fail if you forgot to restart the OS.



    ------------------------------
    Zbigniew (Zibi) Szmigiero
    IBM
    Warsaw
    ------------------------------



  • 15.  RE: Guardium ELB Configuration

    Posted Thu March 05, 2020 10:16 AM
    Hello

    I installed ELB following a customer requirement. He wants to have load balancing between the collectors. Is there any special reason not to install ELB?

    I don't reinstall the S-TAP on the database server; it's done from the collector. As soon as I change the value of an S-TAP parameter in 'Install by client', Guardium reinstalls the affected module.

    I know that installing the S-TAP directly on the database server is a bit special.

    Regards

    ------------------------------
    Mohamed AFEILAL
    ------------------------------



  • 16.  RE: Guardium ELB Configuration

    Posted Thu March 05, 2020 10:48 AM

    "I installed ELB following a customer requirement. He wants to have load balancing between the collectors. Is there any special reason not to install ELB?"

    It is not clear: would you like to spread traffic using a round-robin approach, or use ELB to manage HA?
    Still, in both situations, with two collectors I do not see a reason to use ELB.
    The ELB functionality to move an S-TAP to another collector based on collector performance does not make sense for 2 collectors.
    How many S-TAPs do you have?

    "I don't reinstall the S-TAP on the database server; it's done from the collector. As soon as I change the value of an S-TAP parameter in 'Install by client', Guardium reinstalls the affected module."

    Affected modules are not reinstalled in this case, only reconfigured.



    ------------------------------
    Zbigniew (Zibi) Szmigiero
    IBM
    Warsaw
    ------------------------------



  • 17.  RE: Guardium ELB Configuration

    Posted Thu March 05, 2020 11:04 AM
    In fact, we are trying to cover both cases: HA and disaster recovery. The load balancing is a benefit that I find interesting, unless otherwise indicated.

    In a second phase of the project, we are going to install a CM and a collector in the disaster site (standby site).

    The collector of the backup site will be in the same group as the current collectors. The backup CM will be the mirror of the current CM. This is to ensure the sharing of configurations between the main site collectors and the backup site collector. In the event of a switchover, the entire configuration (policy, ...) must be reopened on the backup site automatically, without any manual intervention.

    We currently have 10 S-TAPs and we plan to go to 15 very soon.

    ------------------------------
    Mohamed AFEILAL
    ------------------------------