Deploying an external runtime database

To optimize performance or increase storage capacity for the appliance, we can deploy an external runtime database. We can configure the appliance to connect to DB2®, PostgreSQL, or Oracle database on an external server.

If Oracle is set as the external runtime database and either the local management interface or runtime server trace specification includes Oracle trace points (for example, oracle.*) the underlying Oracle JDBC jar file is changed to a debugging jar file. This might have adverse effects on performance and as such Oracle tracing should only be enabled for debugging purposes and disabled once complete. Warning: Enabling trace for Oracle components “oracle.*” might result in the Oracle database administrator password being logged in clear text.

A Security Verify Access appliance with Advanced Access Control includes an internal database to store user data such as session attributes and device fingerprints. This embedded database is suitable for small environments. In a production environment, use an external runtime database that can handle the required volume of data.

The appliance provides scripts to deploy the runtime database on an external DB2, PostgreSQL, or Oracle server. We can then configure the appliance to use the external database.

Steps

1. Use the File Downloads management page in the local management interface to access the runtime database deployment files for the environment.

   Database type	Deployment scripts
   DB2	/access_control/database/db2/runtime/isam_access_control_db2.sql
   PostgreSQL	/access_control/database/postgresql/runtime/isam_access_control_postgresql.sql
   Oracle	/access_control/database/oracle/runtime/isam_access_control_oracle.sql

2. Save the deployment script on the database server.
3. Run the DB2, PostgreSQL, or Oracle script to create the external database.

   PostgreSQL script

   Run the following command:

   psql --echo-all --variable ON_ERROR_STOP=1 --file <sql file name> 
   --username <username> --host <host> --port <port> <database name>

   Oracle script

   1. Copy the downloaded isam_access_control_oracle.sql file into the Oracle home directory. For example, ORACLE_HOME=/opt/oracle/app/oracle/product/11.2.0/dbhome_1 
   2. Log in to SQL*Plus.
   3. At the SQL prompt, run START isam_access_control_oracle.sql.

   DB2 script

   1. Create a DB2 instance to contain the runtime database. For information about creating the DB2 instance, see the DB2 documentation.
   2. Open the isam_access_control_db2.sql file in an editor on the DB2 server.
   3. Replace the following macros with the values specific to the environment:

      &DBINSTANCE

      The name of the DB2 instance.

      &DBUSER

      The name of the DB2 administrator.

      &DBPASSWORD

      The password for the DB2 administrator.

   4. Save the changes.
   5. Log in to the DB2 Command utility (Windows) or DB2 host (UNIX) as the DB2 administrator.
   6. Run the following command:

      db2 -tsvf <fully_qualified_path_to_script>

      The following example shows the fully qualified path to the script:

      db2 -tsvf /tmp/isam_access_control_db2.sql

4. Validate the tables were successfully created.
5. Ensure that no errors were returned during the creation and log in to the database to manually check the tables exist.

6. From the top menu of the local management interface, select System > Cluster Configuration to open the Cluster Configuration management page.

7. Select the Database tab.

8. We must enter the following JDBC connection information:

   Type

   The database type, which is either DB2, PostgreSQL, or Oracle.

   Address

   The IP address of the external database server.

   Port

   The port on which the external database server is listening.

   Username

   The name of the database administrator.

   Password

   The password for the database administrator.

   DB2 also requires the following information:

   Secure

   Select this check box to create a secure connection with the server. Before a secure connection can be established, we must first import the certificate the appliance uses to communicate with the server into the lmi_trust_store and rt_profile_keys key files. Use the SSL Certificates page to import the appropriate certificate.

   Database name

   The name of the database instance on the external DB2 server.

   Complete the following steps to identify and specify the DB2 database name when your DB2 database is remote to the cluster that we are configuring.

   1. Open the isam_access_control_db2.sql file that was used to create the database and tables.

   2. In the CREATE DATABASE entry, get the name specified. In the following entry, HVDB is the string that identifies the default database name:

      CREATE DATABASE HVDB ALIAS HVDB using codeset UTF-8 territory us 
      PAGESIZE 8192 WITH "HVDB Tables";

PostgreSQL also requires the following information:

Secure

Select this check box to create a secure connection with the server. Before a secure connection can be established, we must first import the certificate the appliance uses to communicate with the server into the lmi_trust_store and rt_profile_keys key files. Use the SSL Certificates page to import the appropriate certificate.

Database name

The name of the database instance on the external PostgreSQL server.

Oracle also requires the following information:

Secure

Select this check box to create a secure connection with the server. Before a secure connection can be established, we must first import the certificate the appliance uses to communicate with the server into the lmi_trust_store and also a keystore which only contains public keys that needs to be created. Use the SSL Certificates page to create this keystore and to import the appropriate certificate.

Certificate Store

Choose the keystore which contains the certificate that will be used to communicate with the server.

Service name

Specify the name of the Oracle instance on the external server. Contact your Oracle database administrator for this information.

Click Save.

Deploy the changes.

The appliance is configured to use the runtime database that is deployed on the external system.

General Information

HVDB data is language agnostic. Character support might not be an issue with regards to the installation that is chosen.

Oracle DB_BLOCK_SIZE or PAGE_SIZE can vary based on deployments but it is suggested to have at least 16384.

The suggested character set is ALUTF8.

User permissions for database must have read-write access and the ability to execute the commands in the SQL script.

Oracle:

dbca -createDatabase -templateName sampletemplate.dbc -gdbname hvdb -sid hvdb -responseFile NO_VALUE -
characterSet AL32UTF8 -memoryPercentage 20 -emConfiguration LOCAL -dbsnmpPassword mypassword -sysPassword 
mypassword -systemPassword mypassword -silent

DB2:

CREATE DATABASE HVDB ALIAS HVDB using codeset UTF-8 territory us 
PAGESIZE 8192 WITH "HVDB Tables";

What to do next

• Tune the external database by setting the configuration parameters. See Runtime database tuning parameters.

• On Oracle 12.2 check the supported login protocol is set on the DBMS. If it is not, set the value SQLNET.ALLOWED_LOGON_VERSION=11 in the sqlnet.ora file. For information, see https://docs.oracle.com/en/database/oracle/oracle-database/12.2/upgrd/required-tasks-complete-upgrading-oracle-database.html#GUID-12B920E9-B2DA-48A0-832C-3E07D172A011

Parent topic: Runtime database

Parent topic: Runtime database