IBM InfoSphere Guardium V7-To-V8 Upgrade Guide_2011!07!06

IBM InfoSphere Guardium Upgrade Guide - 1

IBM InfoSphere Guardium

Version 8.0

Upgrade Guide, 7.0 to 8.0

This document includes step-by-step procedures for upgrading S-TAPs and the IBM® InfoSphere™ Guardium® appliance, and covers upgrading stand-alone appliances versus managed units and collectors versus aggregators.

Product Overview

IBM InfoSphere Guardium provides the simplest, most robust solution for safeguarding your entire application and database infrastructure, including:

- Real-time database activity monitoring (DAM) for proactively identifying unauthorized or suspicious activities, preventing attacks and blocking unauthorized access by privileged users.

- Auditing and compliance solutions for automating and simplifying validation activities related to data integrity, data privacy, and various regulations and standards such as PCI-DSS and SOX.

- Change control solutions for preventing unauthorized changes to database, privileges, and configurations.

- Vulnerability management solutions for identifying and resolving database vulnerabilities such as missing patches, misconfigured privileges, and default accounts.

- Fraud prevention solutions with application layer monitoring for identifying unauthorized activities by application users (SAP, PeopleSoft, Oracle EBS, Cognos, etc.).

- Database leak prevention for locating sensitive data and preventing data center breaches.

About this document

This document describes how to upgrade IBM InfoSphere Guardium to version 8.0 from version

7.0.

The 8.0 upgrade is only applicable for a fully patched version 7.0 (all patches up to and including

patch 706) system. If you have an earlier version of the IBM InfoSphere Guardium appliance,

you must upgrade to 7.0 (patch 706) before upgrading to 8.0.

To upgrade to version 8.0 from any version other than 7.0, contact Technical Support to obtain

the correct documentation and software.

For a detailed description of the new features in this release, see the version 8.0 Release Notes

and the version 8.0 online help manuals.

Contents

Upgrade Guide, 7.0 to 8.0
  Product Overview
  About this document
Before You Begin
  Minimum Requirements
  Before Upgrading Any Unit
    Health Check before upgrade
    High-Availability System Upgrades
    Upgrade Sequence for Aggregation Environment
    Upgrade Sequence for Central Manager Environment
    GIM Installation
    Email addresses
    Need to Decide, Version 8.0 or Version 7.0 GUI Layout
    Set a Shared Secret
    Estimated Down Time
    Make sure CAS data is ready for upgrade
Upgrade Procedure
  Step 1: S-TAP reporting
  Step 1a (Optional): Reassign Primary Host for an S-TAP
  Step 2: Upgrade IBM InfoSphere Guardium Appliance
  Step 2a: Back Up the Pre-Upgrade System
  Step 2b: Pre-Upgrade Patches
  Step 2c: Apply the Upgrade Patch
  Step 2d: Apply Maintenance Patches (Optional)
  Step 3: Upgrade S-TAPs
    (S-TAP) Version 7.0 Uninstall process
    Un-installing Version 7.0 S-TAP before un-installing GIM
    On-line help for S-TAPs
Known Limitations – Version 8.0 managing Version 7.0
Reconfiguration Activities Required after Upgrade
Version 7.0 Managed units/Collectors and Version 8.0 Central Manager/Aggregator
  Installation Steps
  Pre-upgrade Patch Issues
  Additions to Pre-upgrade patch
  Non-managed Collectors
  Upgrade using Non-managed Aggregator
Appendix A – Health Check patch
Appendix B – Upgrade from version 7.0 backup via CLI
  Upgrade from the version 7.0 backup via CLI.
Appendix C – IBM InfoSphere Guardium Installation Manager
  GIM server
  GIM Client
  GIM User Interface
  Installing GIM for the first time
  Installing GIM on the Database Server (UNIX)
  Installing GIM on the Database Server (Windows)
  Install Perl for GIM on Windows
Appendix D - GIM Rollback Procedure
Appendix E – Vulnerability Assessment Tests
Where to go from here

Before You Begin

Before beginning the upgrade process, be sure to read through all of the topics in this section.

Minimum Requirements

Dell models: 1950, R610

InfoSphere Guardium Patch Level: Version 7.0, patch 706

Memory: 4 GB

Disk space: No minimum

If your hardware is older than the minimum listing here, discuss how to upgrade your equipment

with Technical Support.

Before Upgrading Any Unit

Customers must discuss the upgrade with Technical Support prior to performing any upgrade.

Always perform a full system backup from the CLI before starting the upgrade procedure,

regardless of the unit type (collector, aggregator, or Central Manager). The duration of the

upgrade procedure depends on the amount of data on the appliance, so it is suggested that you

purge all unnecessary data before upgrading, as that will make the upgrade process run faster.

Health Check before upgrade

Run the Health Check patch before the upgrade to Version 8.0 to perform preliminary checks on the InfoSphere Guardium appliance and prevent potential issues during the upgrade. See Appendix A for details on this patch and what it does.

High-Availability System Upgrades

If your unit is configured for high-availability, that functionality must be turned off via the CLI,

and the unit must be rebooted before performing the upgrade. After the upgrade completes, the

high-availability functionality can be turned on again via the CLI.

Upgrade Sequence for Aggregation Environment

Upgrade the aggregator before upgrading any of the units that export data to it. An upgraded

aggregator can aggregate data from older releases, but an older aggregator cannot aggregate data

from newer releases.

See the later section in this document on “pre-upgrade patches” for information that applies to

the Aggregation Environment.

At least one day before updating the aggregator, from the admin account, stop the aggregation

process (the Export Data schedule) on all collectors that export data to that aggregator. Do not

restart the Export Data schedules on the collectors until after the aggregator has been upgraded.

Upgrade Sequence for Central Manager Environment

Upgrade the Central Manager to the new release before upgrading the managed units, taking care

to upgrade an aggregator before upgrading any of the units that export data to it (see above).

Although an 8.0 Central Manager can manage a 7.0 unit, not all functionality will be available on

the 7.0 unit. To minimize the discrepancies, install the mandatory pre-upgrade patch on each 7.0

managed unit. The pre-upgrade patch is detailed later in the document. Complete 8.0

functionality will not be available on a managed unit until that unit has been upgraded to 8.0.

There are further instructions on upgrade issues with managed units/collectors (running IBM

InfoSphere Guardium 7.0) and a Central Manager/ Aggregator (running IBM InfoSphere

Guardium 8.0) in this document. These further instructions appear in the Pre-upgrade patch

section of this document.

GIM Installation

The purpose of IBM InfoSphere Guardium Installation Manager (GIM) is to simplify the task of

managing the IBM InfoSphere Guardium remote modules such as S-TAP, K-TAP and CAS.

With GIM, the customer can install and update the agents on the database server (S-TAP and

CAS) directly from the GUI without a need to login as root to the database server. Installing

GIM first simplifies the upgrade of the agents (S-TAP, CAS).

For detailed instructions on how to install GIM, see the GIM online help book available on all

IBM InfoSphere Guardium 8.0 appliances. You can download a PDF version of that document

from the GIM help book in the IBM InfoSphere Guardium Help Contents. See also Appendix B

of this document for GIM installation instructions.

Email addresses

Set the email address for all users (especially admin) to a real email address prior to upgrade. The email addresses of all pre-defined users (for example, the admin user) in IBM InfoSphere Guardium 8.0 are ** (no email address). If the email address of the admin user is not set to a real email address, a Scheduled Job Exception message will be generated every 30 minutes, announcing "No Valid Email address for Recipient and/or User Admin".

Need to Decide, Version 8.0 or Version 7.0 GUI Layout

By default, the upgrade process will apply the Version 8.0 look and feel.

IBM InfoSphere Guardium customers are encouraged to follow the default upgrade and use the

Version 8.0 layout as it provides better access to various Version 8.0 enhancements and new

features.

IBM InfoSphere Guardium customers, who have made many panel customizations in their

Version 7.0 UI and wish to retain their Version 7.0 GUI layout, can do so in one of the following

ways:

Option #1:

Install the “update-7.0p7990_SetKeepPanelsForUpgrade.tgz.enc” patch *BEFORE* the

upgrade.

If choosing to retain the Version 7.0 GUI layout, this option is recommended.

Option #2:

There is a CLI command available to upgrade from a version 7.0 backup. This CLI

command can be used ONLY if the user performed a full system backup of IBM

InfoSphere Guardium 7.0, patch 706 before the upgrade (both CONFIG backup and

DATA backup are recommended, DATA backup is required). See Appendix A of this

document for more information.

Notes, Version 8.0 or Version 7.0 GUI layout:

At any point, the IBM InfoSphere Guardium customer may reset the Version 8.0 UI to its default layout through the GUI: Edit Account --> select Layout --> Reset

Reports that were defined by the customer in Version 7.0 will be placed under the "V7 Reports"

pane in the upgraded Version 8.0 portal.

Set a Shared Secret

The System Shared Secret, which was not required for Aggregation in previous versions, must now be set, and it must be the same on the Aggregator and on all aggregated collectors, for Aggregation to work.

Estimated Down Time

Plan at least two hours of down time for the upgrade. As mentioned above, the duration of the

upgrade procedure depends on the amount of data on the appliance (it is suggested that you

purge all unnecessary data before upgrading).

Make sure CAS data is ready for upgrade

Install patch-9271 on any Version 7 appliance that is licensed for CAS; patch-9271 looks for a specific condition with CAS data that could cause the entire v7-to-v8 upgrade process to fail.

- If patch p9271 fails to install, the Version 7.0 appliance is NOT ready for an upgrade, and the customer should contact IBM InfoSphere Guardium Technical Support for assistance BEFORE proceeding with the upgrade.

- If patch p9271 installs successfully, CAS data is ready for upgrade.

Patch Name: SqlGuard-7.0p9271_checkCasData.tgz.enc

Patch MD5SUM: d4a1188093f6731b86417b53fe559aae

Upgrade Procedure

Upgrade IBM InfoSphere Guardium products in this order: (1) Central Manager; (2) Aggregator;

(3) Collector; (4) Managed Units; (5) S-TAP agents.
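
The order above, together with the "Before You Begin" checks, written as a pre-flight planner for a change window. This is an added example, not IBM code and not part of the original guide; the inventory fields, role names and sample units are hypothetical, and nothing here reads data from a Guardium appliance.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Upgrade order stated in the guide; S-TAP agents come last.
ROLE_ORDER = {"central_manager": 1, "aggregator": 2, "collector": 3,
              "managed_unit": 4, "stap": 5}
REQUIRED_PATCH = 706   # 7.0 must be patched up to and including patch 706
MIN_MEMORY_GB = 4
NO_EMAIL = "**"        # what pre-defined users carry when no address is set


@dataclass
class Unit:
    """One inventory row. Field names are hypothetical, not a Guardium schema."""
    name: str
    role: str
    version: str = "7.0"
    patch_level: int = 0
    memory_gb: int = 4
    ha_enabled: bool = False
    full_backup_done: bool = False
    admin_email: str = NO_EMAIL
    secret_label: Optional[str] = None  # label of the shared secret in use, never the secret
    cas_licensed: bool = False
    cas_check_passed: bool = False      # patch 9271 installed successfully
    exports_to: Optional[str] = None    # aggregator this unit exports data to
    export_stopped_days: float = 0.0    # days since its Export Data schedule was stopped


def preflight(unit: Unit, fleet: Dict[str, Unit]) -> List[str]:
    """Return the findings that should block upgrading this appliance to 8.0."""
    if unit.role == "stap":             # appliance checks do not apply to agents
        return []
    findings = []
    if unit.version != "7.0" or unit.patch_level < REQUIRED_PATCH:
        findings.append("not at 7.0 patch 706")
    if unit.memory_gb < MIN_MEMORY_GB:
        findings.append("less than 4 GB memory")
    if not unit.full_backup_done:
        findings.append("no full system backup")
    if unit.ha_enabled:
        findings.append("high availability still enabled")
    if "@" not in unit.admin_email:
        findings.append("admin has no real email address")
    if unit.cas_licensed and not unit.cas_check_passed:
        findings.append("CAS data check (patch 9271) not passed")
    if unit.role == "aggregator":       # checks on the units exporting to it
        for other in fleet.values():
            if other.exports_to != unit.name:
                continue
            if other.export_stopped_days < 1:
                findings.append(f"{other.name}: Export Data schedule not stopped for a day")
            if unit.secret_label is None or other.secret_label != unit.secret_label:
                findings.append(f"{other.name}: shared secret missing or different")
    return findings


def plan(fleet: Dict[str, Unit]) -> List[Tuple[str, List[str]]]:
    """Order the units still to upgrade by the guide's sequence, with findings."""
    todo = [u for u in fleet.values() if u.version != "8.0"]
    todo.sort(key=lambda u: (ROLE_ORDER[u.role], u.name))
    return [(u.name, preflight(u, fleet)) for u in todo]


def sequence_violations(sequence: List[str], fleet: Dict[str, Unit]) -> List[str]:
    """Check a proposed upgrade sequence against the ordering rules."""
    problems = []
    done = {n for n, u in fleet.items() if u.version == "8.0"}
    highest = 0
    for name in sequence:
        unit = fleet[name]
        rank = ROLE_ORDER[unit.role]
        if rank < highest:
            problems.append(f"{name}: {unit.role} scheduled after a later-stage unit")
        highest = max(highest, rank)
        if unit.exports_to and unit.exports_to not in done:
            problems.append(f"{name}: upgraded before its aggregator {unit.exports_to}")
        done.add(name)
    return problems


# Constructed sample inventory; every name and value is made up.
SAMPLE = {u.name: u for u in [
    Unit("cm1", "central_manager", patch_level=706, full_backup_done=True,
         admin_email="dba-team@example.com"),
    Unit("agg1", "aggregator", patch_level=706, full_backup_done=True,
         admin_email="dba-team@example.com", secret_label="2011-rotation"),
    Unit("col1", "collector", patch_level=706, full_backup_done=True,
         admin_email="dba-team@example.com", secret_label="2011-rotation",
         exports_to="agg1", export_stopped_days=2),
    Unit("col2", "collector", patch_level=705, ha_enabled=True,
         cas_licensed=True, exports_to="agg1", export_stopped_days=0.5),
    Unit("stap-db1", "stap"),
]}

if __name__ == "__main__":
    for name, findings in plan(SAMPLE):
        print(name, "READY" if not findings else "BLOCKED: " + "; ".join(findings))
```
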

Follow the steps in the upgrade procedure:

Step 1: S-TAP reporting

IBM InfoSphere Guardium 8.0 appliances can service 7.0 S-TAPs, but it is recommended that you upgrade all 7.0 S-TAPs to version 8.0 as soon as possible, to take advantage of all new features and enhancements.

The easiest way to upgrade S-TAPs is by using the IBM InfoSphere Guardium Installation

Manager (GIM) to provide an automatic installation capability for IBM InfoSphere Guardium

modules such as S-TAP and KTAP. See the GIM client installation instructions in Appendix B

of this document.

If you have multiple IBM InfoSphere Guardium appliances, and you want to minimize S-TAP down-time, you can temporarily reset the primary IBM InfoSphere Guardium host for each S-TAP serviced by the appliance to be upgraded. Then, after the appliance has been upgraded, you can restore the primary host assignments for those S-TAPs.

Follow the optional procedure described below (Step 1a) to reassign the primary host for an

S-TAP.

Step 1a (Optional): Reassign Primary Host for an S-TAP

To reassign the primary host for an S-TAP, log on to the administrator portal of the primary host for that S-TAP and open the S-TAP Control panel (select S-TAP Control from the Local Taps section of the Administration Console). For each S-TAP for which this appliance is the active host:

1. Click the (Edit) button to open the S-TAP Configuration panel. If the Edit button is not

active, this appliance is not currently servicing this S-TAP (the S-TAP may be offline, or

another IBM InfoSphere Guardium appliance may be servicing it).

2. In the S-TAP Configuration panel, click the Plus button to expand the Hosts pane. One or

more IBM InfoSphere Guardium hosts will be listed, with a check-mark beside the name of

this IBM InfoSphere Guardium appliance, indicating that it is the active host for the S-TAP.

3. To designate one of the listed IBM InfoSphere Guardium appliances as the primary host for this S-TAP, click (Set Primary) in the right-most column for that appliance. This will move that appliance to the top of the list of appliances (making it the primary host). If the appliance you want to service this S-TAP is not listed, enter its IP address in the text box and click Add, and then click the (Set Primary) button for that appliance.

4. When you are done, click the Apply button at the bottom of the S-TAP Configuration panel.

5. For a Windows server only, restart the GUARD_STAP service.

Step 2: Upgrade IBM InfoSphere Guardium Appliance

Follow this procedure to upgrade each IBM InfoSphere Guardium Appliance. These steps are

performed from the CLI, so you will need to have the IBM InfoSphere Guardium CLI user

password for the unit being upgraded.

Step 2a: Back Up the Pre-Upgrade System

Before running this step, archive and purge all data that you will not need to access on your

upgraded system. The less data on your system, the more quickly the upgrade procedures will

run. For instructions on how to archive and purge data, see the IBM InfoSphere Guardium

Administration Guide.

This step is performed while logged in as the CLI user on the IBM InfoSphere Guardium

appliance:

1. Using an SSH client, log in to the IBM InfoSphere Guardium unit as the CLI user.

2. Enter the following command to back up the IBM InfoSphere Guardium system:

backup system

You will be prompted to supply host, directory and password information for the system to

which the backup data will be sent. Respond appropriately, and a series of messages will

inform you that various processes or services are being stopped. Ultimately, you will be

informed of the result of the backup operation with a message like the one illustrated below:

Backup done.

Keep the file /<xxx>/<host_name.domain_name-yyyy-mm-dd>.sqlguard.bak in a safe

place.

[Press Enter to continue]

3. Press Enter to complete the operation. A series of messages will display to confirm the

backup.

4. Log in to the backup host and verify that the backup file has been copied there.

Step 2b: Pre-Upgrade Patches

Note: Install the pre-upgrade patches from the Version 7.0 Central Manager BEFORE upgrading

the Central Manager or Aggregator.

This permits the distribution of these patches from manager to managed units (which cannot be

done after the upgrade).

The two pre-upgrade patches are required on Version 7.0 appliances if these Version 7.0

appliances are communicating with any Version 8.0 appliances (Central Manager; Aggregator;

Collectors; Managed Units), in an environment where both versions are installed.

You can install the pre-upgrade patches directly from a CD, or copy them over SCP/FTP from a

remote host on the network.

1. Using an SSH client, log in to the IBM InfoSphere Guardium unit as the CLI user.

2. Do one of the following:

If installing from the CD, insert the patch CD in the IBM InfoSphere Guardium CD drive,

enter the following command, and skip ahead to step 3:

store system patch install cd

If installing from the network, enter the following command:

store system patch install [ftp | scp]

And respond to the following prompts:

Host to import patch from:

User on <hostname>:

Full path to patch, including name:

<user@host> password:

3. You will be prompted to select the patch to apply:

Please choose one patch to apply (1-n, q to quit):

Type the number that identifies the pre-upgrade patch, and then press Enter.

SqlGuard-7.0p7999_PreUpgrade.tgz.enc

This pre-upgrade patch is required for Version 7.0 managed units that will be managed

by a Version 8.0 Central Manager.

SqlGuard-7.0p7998_PreUpgrade_NonManagedCollectors.tgz.enc

This pre-upgrade patch is required for Version 7.0 non-managed collectors in a Version

8.0 environment (Version 8.0 Aggregator).

The following KeepPanels patch must be installed before the upgrade (if retaining Version 7.0 GUI layout – see wording on Version 7.0 portlets and panels in the “Before You Begin” section).

SqlGuard-7.0p7990_SetKeepPanelsforUpgrade.tgz.enc

Customers who have made many panel customizations in their Version 7.0 UI and wish to retain

their Version 7.0 GUI layout should install this patch prior to installing the upgrade patch. See

the earlier wording on Version 7.0 portlets and panels in the “Before You Begin” section.

Step 2c: Apply the Upgrade Patch

You can install the upgrade patch directly from a CD, or copy it over SCP/FTP from a remote

host on the network.

1. Using an SSH client, log in to the IBM InfoSphere Guardium unit as the CLI user.

2. Do one of the following:

If installing from the CD, insert the patch CD in the IBM InfoSphere Guardium CD drive, enter the following command, and skip ahead to step 3:

store system patch install cd

If installing from the network, enter the following command:

store system patch install [ftp | scp]

And respond to the following prompts:

Host to import patch from:

User on <hostname>:

Full path to patch, including name:

<user@host> password:

3. You will be prompted to select the patch to apply:

Please choose one patch to apply (1-n, q to quit):

Type the number that identifies the upgrade patch, and then press Enter.

SqlGuard-7.0p8000.tgz.enc

Version 7.0 to 8.0 upgrade patch

4. During the upgrade process, the IBM InfoSphere Guardium unit will restart/reboot a few times. That is expected and does not require any action.

Step 2d: Apply Maintenance Patches (Optional)

After restarting the system, apply any maintenance patches that you have received for the new

release. Initially, there will be no maintenance patches to apply. Patches are distributed as

compressed archive files, either on CD or on your IBM InfoSphere Guardium FTP account.

There may be more than one patch on a CD. You can install patches directly from the CD, or

remotely using SCP/FTP.

1. Log in to the IBM InfoSphere Guardium unit as the CLI user.

2. For each patch you apply, do one of the following:

If installing from the CD, insert the patch CD in the IBM InfoSphere Guardium CD drive, enter the following command, and skip ahead to step 3:

store system patch install cd

If installing from the network, enter the store system patch command. Note that the syntax of

this command changed subsequent to release 5.1 – the new syntax is shown below. Enter

either ftp or scp as the last keyword of the command, to indicate which file transfer method

you will use:

store system patch install [ftp | scp]

And respond to the following prompts:

Host to import patch from:

User on <hostname>:

Full path to patch, including name:

Password:

3. You will be prompted to select the patch to apply:

Please choose one patch to apply (1-n, q to quit):

Type the number of the patch to apply, and then press Enter.

Step 3: Upgrade S-TAPs

As mentioned earlier, 7.0 S-TAPs can be serviced by 8.0 IBM InfoSphere Guardium appliances,

but it is recommended that you upgrade the S-TAPs as soon as possible, to take advantage of all

new features and enhancements.

If you reassigned the primary host for one or more S-TAPs before upgrading an appliance, you

can restore the management of each such S-TAP to the upgraded appliance by logging in to the

IBM InfoSphere Guardium appliance currently managing that S-TAP, and changing its primary

host as described earlier (see optional Step 1a).

(S-TAP) Version 7.0 Uninstall process

Problem: The uninstall of ATAP leaves leftover files on the server.

Solution: When transitioning from Version 7.0 to Version 8.0 and activating ATAP through enabling encryption in the GUI, make sure that there are no $ORACLE_HOME/lib/libguard-* leftovers.

Use the following “deactivate” command:

/usr/local/guardium/bin/guardctl db-instance=any db-home=/home/oracle10/product/10.2.0/db_1 db-type=oracle deactivate

When to use this command: After upgrading from Version 7.0 to Version 8.0, and for every Oracle installation in which ATAP was active under a Version 7.0 install.

Un-installing Version 7.0 S-TAP before un-installing GIM

System configuration/setup:

- Version 7.0 S-TAP or (non-GIM) Version 8.0 S-TAP installed.

- GIM client is installed and GIM S-TAP is pending installation.

An attempt to un-install the Version 7.0 or (non-GIM) Version 8.0 S-TAP and then un-install GIM will generate the following message: "GIM installation is corrupted. IBM InfoSphere Guardium's modules will be removed ungracefully."

The message doesn't require any specific steps. An attempt to remove GIM will cause GIM to try

and understand the nature of the loaded KTAP, but the lack of software associated with this

module (due to the un-installation of the non-GIM S-TAP), makes the un-install script dump this

message. The un-install process however completes successfully, after a system reboot.

On-line help for S-TAPs

For detailed instructions on how to upgrade or install new S-TAPs, see the S-TAP online help

book available on all IBM InfoSphere Guardium 8.0 appliances. You can download a PDF

version of that document from the S-TAP help book in the IBM InfoSphere Guardium Help

Contents.

Known Limitations – Version 8.0 managing Version 7.0

The upgrade process cannot be performed simultaneously on all appliances (Central Manager, Aggregator, Collector, Managed Units) and all S-TAPs. During the upgrade transition, the customer will have a hybrid Version 7.0 and Version 8.0 InfoSphere Guardium solution.

While this "hybrid mode" is supported by InfoSphere Guardium, many functions are limited until

all components are at the same version. While in the “hybrid mode”, avoid making any

configuration changes. Therefore, it is strongly recommended to complete the upgrade in a

timely manner and have all InfoSphere Guardium components at the same version and the same

patch level.

Data collection, data assessment, policies (with some restrictions) will continue to work while in

the “hybrid mode”. Functions with new or enhanced capabilities in Version 8.0 will not work in

a mixed Version 7.0/Version 8.0 environment.

The list below details the major functions that will be disabled or limited while in this hybrid

mode:

1. For an Upgrade from Version 7.0 to Version 8.0, it is mandatory that the latest patch level,

patch 706, be on all IBM InfoSphere Guardium 7.0 appliances. None of the upgrade/pre-

upgrade patches will work unless the Version 7.0 appliance is at the latest patch level, patch

706.

2. A remote policy installation on an IBM InfoSphere Guardium 7.0 unit from an IBM InfoSphere

Guardium 8.0 manager is not permitted. Until the IBM InfoSphere Guardium 7.0 unit is

upgraded to 8.0, policies can only be installed locally on units managed by the central

manager.

3. There are a few IBM InfoSphere Guardium 8.0 rule actions that are not supported in IBM

InfoSphere Guardium Version 7.0. If such rule actions are present, they will not work on the

managed unit. IBM InfoSphere Guardium Version 8.0 supports multiple policies and

multiple actions, thus an IBM InfoSphere Guardium Version 7.0 managed unit will apply

ONLY the first action, and only one policy can be installed. Use multiple policies and

multiple actions per rule only after all the systems are upgraded.

4. On a Version 7.0 managed node, managed by a Version 8.0 Central Manager, audit processes

cannot be modified. A user can only run or view an audit process.

5. Version 8.0 adds support for creating reports with no count field. While in hybrid mode

(Version 7.0/Version 8.0), the user should avoid creating reports with no count field on the

Central Manager, since these reports are instantly shared by all managed units and will not

function when the Version 8.0 Central Manager is managing a Version 7.0 appliance.

6. Java error, "Unable To Locate DLL" - During upgrade of Windows S-TAPs with Java 1.6.0, the

JVM may generate an "Unable To Locate DLL" error stating that the dynamic

link library MSVCR71.dll could not be found in the specified path. This error can be

remedied by implementing one of the two workarounds: (1) use a different (another release)

JVM (if one is available on the system) or (2) download the DLL from Microsoft and place it

in the Windows system directory.

Reconfiguration Activities Required after Upgrade

1. The new patch mechanism in the GUI provides a way to configure a profile that

sets where database backups are stored. This is set up on the Central Manager and can then

be pushed down to the managed nodes. The destination field (where the database backups are

stored) is meant to point to a host where the backup will be stored. This is not a pointer to the

local machine.

2. After upgrade from Version 7.0 to Version 8.0, customers need to reload Open source

database drivers (if used). Data Direct drivers in Version 7.0 will be available in Version 8.0.

3. The upgrade will disable the auto-detect (DB Discovery) functionality. To reinstall the gauto-

detect component, install a separate patch and enable this feature. The name of this separate

gauto-detect installation is SqlGuard-8.0p1.tgz.enc (md5sum).

4. Log Full Details with Values/ Log Full Details with values per session - These log actions

use more system resources as they log the specific values of the relevant commands. Use this

log action only when you need to generate reports with specific conditions on these values.

Activation of this log action choice is not available without consulting Technical Services

(Query Hint). These log actions are locked in IBM InfoSphere Guardium 8 unless there is an

existing rule in IBM InfoSphere Guardium 7 with either one of these actions. In this case,

these log actions are unlocked.

5. Queries with aggregated conditions (sum, max, avg, etc.) created in Version 7.0 cannot be

saved or cloned after upgrade to Version 8.0. The queries will keep working with no

problem. If a modification is needed, users must remove all conditions, save the query, and

then add the conditions back in the Version 8.0 standard.

6. New datasources created from CAS instance data during the upgrade are created now with

admin as the owner and allowed to all roles. Users should review these datasources after

upgrade.

7. During the CAS Upgrade, datasources are generated for all the Version 7.0 CAS Instances.

These datasources are not set as Shared. This means that, to use them in Security

Assessments, you must go to them individually and set them as Shared.

8. Matching CAS instance with a datasource is handled differently in version 8.0 after an

upgrade - When a user creates more than one CAS instance in version 7.0 using the same

database connectivity configuration, and the CAS server is upgraded to version 8.0,

datasources will be created from these CAS instance configurations in order to match the

CAS instance with a datasource the way it is done in version 8.0.

In the course of creating these datasources, the version 7.0-to-version-8.0 upgrade will look

for identical configuration information among the CAS instances, and will create only one

datasource for all those instances. It will name this one datasource after one of those CAS

instances.

As a result, when looking at the CAS status screen after the version 7.0-to-version-8.0

upgrade, a user will see the CAS instances that they created in version 7.0, along with the

name of a datasource that is associated with it, and that datasource name may reference the

name of another CAS instance (the one that the datasource was created from) because it uses

the same datasource connectivity configuration as that other CAS instance.

Therefore, the CAS instance name referenced in the datasource in the first column of the

status screen does not reflect the CAS instance, but the second column of the screen does

reflect the CAS instance, and this second column should be used by a user to identify the

CAS instance.

9. The Classifier Cls/Asmt Description is stored differently in Version 8.0.

Rerun the completed Version 7.0 Classifier process in Version 8.0 in order to get the proper

Cls/Asmt Description name.

Use the "invoke..." command from the Classifier/Assessment Job Queue report to execute a

given Classifier process.

In Version 8.0, attempting to run the GuardAPI command "execute_cls_process" for a

completed Version 7.0 classifier process will not work because both the Classifier process

and the Classifier policy names in Version 7.0 are stored in the Cls/Asmt Description. In

Version 8.0, the Cls/Asmt Description is stored with just the Classifier process name.

Examples:

In Version 7.0, grdapi execute_cls_process processName="AA for new Oracle driver

patch 7 - aaaa" api_target_host=< >

In Version 8.0, grdapi execute_cls_process processName="AA for new Oracle driver

patch 7" api_target_host=< >

During the restore db-from-v7 process, the name with both the Classifier process and

Classifier policy is carried over to the Version 8.0 after the "restore db-from-v7" process is

complete.

Executing a NEW Classifier process, after the restore is complete, works fine because

Version 8.0 stores just the Classifier Process name.

10. During the upgrade, the default purging period of internal components in the system is set to

the schedule previously set in Version 7.0. Users can override these defaults through the CLI

using the “store purge object” CLI command.

Version 7.0 Managed units/Collectors and Version 8.0 Central

Manager/Aggregator

This section lists upgrade issues with managed units/collectors (running IBM Guardium 7.0) and

a Central Manager/Aggregator (running IBM InfoSphere Guardium 8.0).

It is recommended to have your Central Manager and managed units on the same version.

Having a Central Manager at a different version than its managed units should be a temporary

state, and it is highly recommended to upgrade all managed units to the same version as the

Central Manager.

Run Sync (Refresh) on all managed nodes after upgrading, so that these managed nodes

recognize the software version that they are running.

Install the Pre-upgrade patch before the Central Manager is upgraded.

The reason for this is as follows: The management patch installer in IBM InfoSphere Guardium

Version 8.0 is not compatible with IBM InfoSphere Guardium Version 7.0 patches (with the

Upgrade patch being the one exception). So, before the upgrade, remotely install the Pre-upgrade

patch on all the managed units from the Central Manager's GUI. After the upgrade, the only way

to install the Pre-upgrade patch is by going to the CLI of each individual unit and installing there

(which is more work).

To install the Pre-upgrade patch from the Central Manager to the Managed units running IBM

InfoSphere Guardium Version 7.0, first copy the patch to the Central Manager via fileserver.

Installation Steps

1. Copy the Pre-upgrade patch to the Central Manager via fileserver.

2. Remotely install the Pre-upgrade patch on all the managed units from the Central Manager's

GUI.

3. Install the Upgrade patch on the Central Manager.

Pre-upgrade Patch Issues

1. The Pre-upgrade patch currently depends on IBM InfoSphere Guardium Version 7.0 with

patch 706 being on the system. The Pre-upgrade patch will ONLY run on a managed unit. It

will not run on a Central Manager or standalone. Upgrade the Central Manager or standalone

units with an upgrade patch (different from the pre-upgrade patch).

2. The managed units with Pre-upgrade patch will give user errors before the Central Manager

is upgraded.

3. The Policy Builder will not be accessible on a pre-upgrade system until the upgrade is

performed.

4. On a managed system running IBM InfoSphere Guardium Version 7.0 (with the pre-upgrade

patch), policies cannot be modified and the installed policy cannot be viewed. However the

policy installed in a managed system can be reviewed and modified in the Central Manager

(running IBM InfoSphere Guardium Version 8.0), and changes will take effect after the

policy is re-installed in the managed units (running IBM InfoSphere Guardium Version 7.0).

The managed units can be either managed collectors or managed aggregators.

Additions to Pre-upgrade patch

Two pre-Upgrade patches:

1 – For all managed machines.

2 – Only for non-managed (stand alone) collectors exporting to an upgraded aggregator.

Non-managed Collectors

There is a second pre-upgrade patch for NON-managed collectors. The NON-managed collector

must be a standalone collector, and have patch 706 as a pre-requisite.

Upgrade using Non-managed Aggregator

1. Upgrade aggregator.

2. Apply non-managed pre-upgrade patch to all collectors pointing to this aggregator.

3. When ready, upgrade all collectors.

Appendix A – Health Check patch

IBM InfoSphere Guardium Health Check Patch for V7.0 to V8.0 Upgrade

Package name: SqlGuard-7.0p997.tgz.enc

Dependencies: Patch 706

The purpose of this patch is to perform preliminary checks on the InfoSphere Guardium

appliance before the upgrade to Version 8 in order to prevent potential issues during the upgrade.

The following will be checked by the patch:

There are no discrepancies between DB structures on the appliance and the template of

DB structure for V8.

There are no Ad Hoc scripts that are going to be deleted by the upgrade.

There are no duplicates in CAS entities.

There are no duplicates in SECURE PARAMETERS entity.

There are no duplicates in GROUP MEMBER entity.

The appliance is not supported DELL machine for V8.

There are no users with space in their login name.

There are no custom entries in ALERT PARAMETERS entity.

There is no issue with DB size (used DB space is less than 50%).

Note: This list is subject to change/expand with later versions of the Health Check patch to

include additional checks, if required.

The health check generates a log file named health_check.<time_stamp>.log.

In order to view the log file, perform the following actions:

1. Type the CLI command, fileserver.

2. Open the fileserver in a web browser.

3. Go to Sqlguard logs->diag->current folder and open the log file.

The log file will contain status of each validation.

If any one of these validations fails, the status of the failed validation will start with the

“ERROR:” prefix and the following message will appear at the end of the log file:

Please send <file_name> file to support team

If no problem was found, the following message appears at the end of the log file:

Appliance is ready for upgrade
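
A scripted reading of the log described above, as an added example that is not part of the IBM guide: it fails closed when the closing message is missing or contradicts the per-validation statuses. Only the "ERROR:" prefix and the two closing messages come from this document; the sample log lines, the time stamp format and the function names are constructed for illustration.

```python
import re
import sys

READY_TRAILER = "Appliance is ready for upgrade"
# "Please send <file_name> file to support team", with the file name filled in.
SUPPORT_TRAILER = re.compile(r"^Please send (\S+) file to support team$")
ERROR_PREFIX = "ERROR:"


def evaluate_health_check(log_text):
    """Classify a health check log as ready / blocked / incomplete / inconsistent.

    Returns (verdict, failed), where failed lists the text of every
    validation status that starts with the ERROR: prefix.
    """
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    failed = [ln[len(ERROR_PREFIX):].strip()
              for ln in lines if ln.startswith(ERROR_PREFIX)]
    last = lines[-1] if lines else ""

    if last == READY_TRAILER:
        # A ready message after ERROR: statuses must not be trusted.
        return ("inconsistent" if failed else "ready", failed)
    if SUPPORT_TRAILER.match(last):
        return ("blocked", failed)
    # No closing message: the log is truncated or the check is still running.
    return ("blocked" if failed else "incomplete", failed)


def may_upgrade(log_text):
    """Fail closed: only an unambiguous 'ready' verdict allows the upgrade."""
    return evaluate_health_check(log_text)[0] == "ready"


# Constructed sample logs; the wording of the status lines is an assumption.
SAMPLE_PASS = """\
OK: no duplicates in CAS entities
OK: no users with space in their login name
OK: used DB space is less than 50%
Appliance is ready for upgrade
"""

SAMPLE_FAIL = """\
OK: no duplicates in CAS entities
ERROR: users with space in their login name found
ERROR: used DB space is above 50%
Please send health_check.20110706.log file to support team
"""

SAMPLE_TRUNCATED = """\
OK: no duplicates in CAS entities
"""

if __name__ == "__main__":
    # Usage: python health_gate.py health_check.<time_stamp>.log
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FAIL
    verdict, failed = evaluate_health_check(text)
    print(verdict)
    for item in failed:
        print("  failed validation:", item)
    sys.exit(0 if verdict == "ready" else 1)
```

Run it against the log downloaded from the fileserver; a non-zero exit status means the appliance should not be upgraded yet.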

Appendix B – Upgrade from version 7.0 backup via CLI

There is a new Version 8.0 CLI command available if the upgrade fails and attempts to repair the

problem also fail. This CLI command can be used ONLY if the user performed a full system

backup of IBM InfoSphere Guardium 7.0, patch 706 before the upgrade (both CONFIG backup

and DATA backup are recommended, DATA backup is required). Make sure that the InfoSphere

Guardium system is in the same state it was in IBM InfoSphere Guardium 7.0 before restoring

the IBM InfoSphere Guardium 7.0 backup. Contact Technical Support for assistance in using

this specific CLI command.

To be used as directed by Technical Support.

Upgrade from the version 7.0 backup via CLI.

Follow these steps:

1. Backup config in Version 7.0

2. Backup data in Version 7.0 (mandatory)

3. Reinstall as Version 8.0

4. Install Version 8.0 license

5. Restore config in Version 8.0

6. Restore data in Version 8.0 (optional)

The following CLI command is available from Appendices help book .pdf

CLI Command

restore db-from-v7

Use this command only under direction from Technical Support as this command takes a V7

back-up (backup data must be provided, configuration backup is optional) and performs a restore

on a V8 system. It includes upgrading the data, portlets, etc.

It is recommended that users perform a full backup prior to upgrading their system to V8. If for

some reason the upgrade fails and leaves the machine in a state that cannot be used, instead of

trying to fix and re-run the upgrade, it is recommended that users rebuild the machine as a V8

system, setting up this V8 system with only the basic network information (IP, resolver, route,

system hostname and domain). Then run the CLI command, upgrade-db-from-V7

The result will be a V8 system with the data and customization (if configuration file is provided)

from the previous V7 system.

First, try a regular upgrade from V7 to V8. If this is not successful, then use the backup as an

alternative way to upgrade from V7 to V8.

Note: Older data being restored to an aggregator (not to investigation center), and outside the

merge period, will not be visible until the merge period is changed and the merge process rerun.

Syntax

restore db-from-v7

This procedure will restore and upgrade a v7 backup on a newly-installed v8 system.

If the v7 files are currently located on a remote system, use the "import file" CLI command to

transfer them locally prior to running this procedure.

The imported files will be put in the /var/dump/ directory.

Continue (y/n)?

Note: Answering Y (yes) to the following questions during the execution of the "restore db-from-V7"

CLI command will result in all non-canned/customized reports and panes being compressed

into one pane with the name of "v.7.0 Custom Reports".

Note: Answering N (no) to the same questions will result in all panes being restored to what they

were in V7.

Update portal layout (panes and menus structure) to the new v8 default (current instances of

custom reports will be copied to the new layout, as well as parameter changes on predefined

reports) for the user admin? (y/n) n

Update portal layout (panes and menus structure) to the new v8 default (current instances of

custom reports will be copied to the new layout, as well as parameter changes on predefined

reports) for all other users? (y/n)

Appendix C – IBM InfoSphere Guardium Installation Manager

The information below is also available, in greater depth, from the InfoSphere Guardium

Installation Management (GIM) help book in the online help on the appliance.

The purpose of IBM InfoSphere Guardium Installation Manager (GIM) is to simplify the task of

managing the IBM InfoSphere Guardium remote modules such as S-TAP, K-TAP and CAS.

GIM server

GIM server is installed as part of an IBM InfoSphere Guardium appliance or Central

Management installation and performs such duties as registering GIM clients, providing a list of

available updates that are ready to be downloaded and installed on client servers, transferring

software updates to the client server, and updating the installation status of clients.

GIM Client

In order to work with GIM, the GIM client application must be installed manually for the first

time on all the database server systems. The GIM client performs duties such as registering to the

GIM server, initiating a request to check for software updates, installing the new software,

updating module parameters, and uninstalling modules.

GIM User Interface

GIM's UI provides the user the ability to install, uninstall, and upgrade IBM InfoSphere Guardium

bundles and modules, and provides feedback about database servers, installed modules, and

statuses. A user may interact with GIM through GIM CLI commands or the GIM GUI.

Installing GIM for the first time

GIM consists of two main modules: GIM client and GIM server. GIM Client is a set of Perl

scripts running on each DB Server. GIM server is a Java servlet installed as part of the IBM

InfoSphere Guardium appliance installation (for example, it does not require any special

installation procedure).

Installing GIM on the Database Server (UNIX)

Installing GIM on the Database Server (Windows)

Installing GIM on the Database Server (UNIX)

In order to install GIM client (on the database server) the following steps must be followed:

1. Place GIM client installer on the database server (any directory). The installer is a file in

the following format: guard-bundle-module-version_name_sw_revision-os-os_version-os_vendor-processor.gim.sh.

For example: guard-bundle-GIM-doberman_r2841_1-aix-5.3-aix-powerpc.gim.sh

2. Run the installer as follows:

./guard-bundle-GIM-doberman_r2841_1-aix-5.3-aix-powerpc.gim.sh -- --dir <install_dir> --sqlguardip <g-machine ip> --tapip <db server ip address> [--perl <perl dir>]

3. The Installation can be verified by:

a. Checking that the following new entries were added to /etc/inittab

gim:2345:respawn:'perl dir'/perl 'install dir'/GIM/'gim version'/gim_client.pl

gsvr:2345:respawn:'perl dir'/perl 'install dir'/SUPERVISOR/'supervisor_version'/guard_supervisor

b. Issue the following UNIX process report to validate the GIM client and

SUPERVISOR process are running

ps -afe | grep gim

c. Login to the IBM InfoSphere Guardium appliance and check the Process

Monitoring status

Navigate to the Process Monitoring; select Administration Console > Module

Installation.

Note: To roll back the procedure above, do the following steps:

Remove from inittab the two entries added in step 3a (and execute 'init q').

Remove the installation directory (for example, 'rm -rf /usr/local/guardium/modules').
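
The inittab check from step 3a and the rollback note, as an added example that is not part of the IBM guide: it confirms that both respawn entries exist, are active, and point under the chosen install directory, and that none remain after a rollback. The sample inittab contents, the version directory name and the function names are constructed for illustration.

```python
EXPECTED_ENTRIES = {
    # inittab id -> (module directory under the install dir, program name)
    "gim": ("GIM", "gim_client.pl"),
    "gsvr": ("SUPERVISOR", "guard_supervisor"),
}


def parse_inittab(text):
    """Map id -> (runlevels, action, command) for active entries only."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blank lines and entries disabled with a leading '#' or ':'.
        if not line or line[0] in "#:":
            continue
        fields = line.split(":", 3)
        if len(fields) == 4:
            entries[fields[0]] = tuple(fields[1:])
    return entries


def check_gim_inittab(text, install_dir):
    """Return a list of problems; an empty list means both entries are in place."""
    problems = []
    entries = parse_inittab(text)
    root = install_dir.rstrip("/")
    for ident, (subdir, program) in EXPECTED_ENTRIES.items():
        if ident not in entries:
            problems.append(f"{ident}: entry missing")
            continue
        runlevels, action, command = entries[ident]
        if runlevels != "2345":
            problems.append(f"{ident}: runlevels {runlevels!r}, expected '2345'")
        if action != "respawn":
            problems.append(f"{ident}: action {action!r}, expected 'respawn'")
        # The program must live under <install dir>/<module>/<version>/.
        runs_program = any(
            word.startswith(f"{root}/{subdir}/") and word.endswith(f"/{program}")
            for word in command.split()
        )
        if not runs_program:
            problems.append(f"{ident}: command does not run {program} under {root}/{subdir}/")
    return problems


def rollback_complete(text):
    """True when neither GIM entry remains active in inittab."""
    return not (set(EXPECTED_ENTRIES) & set(parse_inittab(text)))


INSTALL_DIR = "/usr/local/guardium/modules"

# Constructed inittab after a successful install ("8.0_example" is a made-up version).
SAMPLE_OK = """\
init:2:initdefault:
cron:23456789:respawn:/usr/sbin/cron
gim:2345:respawn:/usr/bin/perl /usr/local/guardium/modules/GIM/8.0_example/gim_client.pl
gsvr:2345:respawn:/usr/bin/perl /usr/local/guardium/modules/SUPERVISOR/8.0_example/guard_supervisor
"""

# Constructed inittab with a wrong action and a disabled supervisor entry.
SAMPLE_BROKEN = """\
init:2:initdefault:
gim:2345:once:/usr/bin/perl /usr/local/guardium/modules/GIM/8.0_example/gim_client.pl
:gsvr:2345:respawn:/usr/bin/perl /usr/local/guardium/modules/SUPERVISOR/8.0_example/guard_supervisor
"""

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("broken", SAMPLE_BROKEN)):
        print(name, check_gim_inittab(sample, INSTALL_DIR) or "both entries in place")
```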

Installing GIM on the Database Server (Windows)

In order to install GIM client (on the database server) the following steps must be followed:

1. Install Perl for GIM on Windows.

2. Place GIM client installer on the database server (any directory).

3. Run the setup.exe file (located in the gim_client directory) to start the GIM client

installation wizard.

4. Follow and answer the questions in the installation wizard.

Install Perl for GIM on Windows

The GIM client requires Perl version 5.8.x or 5.10.x to be installed.

Ensure the following packages are installed.

IPC-Run3

Win32-DriveInfo

Appendix D - GIM Rollback Procedure

The main purpose of the GIM rollback mechanism is to handle errors during installation and

attempt to recover IBM InfoSphere Guardium's modules to prior states. A few enhancements were

added to the rollback mechanism in order to eliminate the need for a system reboot as part of the

recovery process.

See the Special Recovery Scenario for installing/upgrading STAPs.

The GIM Rollback mechanism will support the following scenarios:

(1) Live Upgrade Recovery

(a) In BUNDLE context (for example, when bundles are installed rather than standalone

modules), recovery will rollback ONLY the modules within the failed module bundle.

For example:

Assume the following bundles

BUNDLE-CAS: containing BUNDLE-CAS, CAS

BUNDLE-DISCOVERY: containing BUNDLE-DISCOVERY, DISCOVERY

If installing BUNDLE-CAS and BUNDLE-DISCOVERY (for example, the modules will be

installed in the following order: BUNDLE-CAS, CAS, BUNDLE-DISCOVERY,

DISCOVERY), and the module DISCOVERY fails to install, only the modules

BUNDLE-DISCOVERY and DISCOVERY will be rolled back (for example, removed in case of a scratch

install, or rolled back to the previous version in case of an upgrade).

(b) An exception to the rule above is modules that are marked as “NO_ROLLBACK”

(in the form of a read-only parameter _NO_ROLLBACK=1). If the rollback mechanism

identifies such a module, it halts the whole rollback process.

Right now STAP/KTAP are marked as modules that, once loaded/started successfully, will not

be rolled back in the event of a failure of another module.

For example:

Assume the following bundle:

BUNDLE-STAP: containing BUNDLE-STAP, ATAP, KTAP, STAP, TEE

Assume module STAP is marked as “NO_ROLLBACK” module.

If installing BUNDLE-STAP and the module TEE fails to install, only the module TEE will be

rolled back (for example, removed in case of a scratch installation, or rolled back to the previous

version in case of an upgrade).

In this scenario, all the user has to do is reinstall the failed bundle, after determining the nature of

the failure.

(c) In NON-BUNDLE context (for example, installation of standalone modules), the behavior is

identical as each module belongs to a bundle (even if not installed as part of one).

(d) In this scenario, all the user has to do is reinstall the failed bundle, after determining the

nature of the failure.

(2) Boot time installation Recovery

When installation is happening as part of a system boot, a second reboot will be needed in order

for complete recovery (user will still see the status “IP-PR” after reboot, and a GIM_EVENT

entry will indicate a second reboot is needed to complete recovery. After a second reboot, the

module/bundle state will move to “FAILED”).

(3) Special recovery scenario

In case of upgrading from a non-GIM Version 8 installation to a GIM BUNDLE-STAP, that

includes a KTAP module from the SAME build, failure in upgrading the KTAP, will cause the

recovery process to halt and leave the new KTAP software on the file system, so manual

recovery can be performed.

This scenario will leave the system with a non-working STAP, but with a loaded KTAP. The

GUI will indicate that BUNDLE-STAP has failed (specifically : BUNDLE-STAP,TEE, STAP

and KTAP), other modules which were installed as part of the bundle will show “INSTALLED”.

A GIM_EVENT entry will indicate (“ERROR CODE: ERR1”) to distinguish this failure from

other KTAP failures.

Manual recovery will include:

• Restoring KTAP functionality (attempting to run “guard_ktap_loader install”. Failure in this

step requires R&D intervention).

• Establishing a “current” link to point to the KTAP directory.

• Resetting the client on the GIM GUI (for example, letting the GIM client “push” its latest

condition after the manual work)

• Reinstalling BUNDLE-STAP (to complete the installation of the bundle: STAP and TEE)
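
The Live Upgrade Recovery rules in (1)(a) to (1)(c), modelled as an added example that is not IBM's code. It assumes rollback walks the failed bundle in reverse installation order and stops at the first NO_ROLLBACK module, which is the simplest reading that reproduces both examples given in this appendix; the function and field names are hypothetical.

```python
def plan_rollback(install_order, bundles, failed, no_rollback=frozenset()):
    """Model which modules are rolled back when `failed` fails to install.

    install_order: module names in the order they are installed
    bundles:       bundle name -> modules it contains (the bundle module included)
    no_rollback:   modules carrying the read-only parameter _NO_ROLLBACK=1
    """
    owner = next((b for b, members in bundles.items() if failed in members), None)
    if owner is None or failed not in install_order:
        raise ValueError(f"{failed} is not part of this installation")
    if failed in no_rollback:
        # The appendix only describes marked modules that already started
        # successfully; a marked module failing itself is outside this model.
        raise ValueError(f"{failed} is marked NO_ROLLBACK; not covered by this model")

    attempted = install_order[: install_order.index(failed) + 1]
    members = set(bundles[owner])
    rolled_back, halted_at = [], None
    for module in reversed(attempted):
        if module not in members:
            continue  # rule (a): modules of other bundles are never touched
        if module in no_rollback:
            halted_at = module  # rule (b): the whole rollback process halts here
            break
        rolled_back.append(module)

    kept = [m for m in attempted if m not in rolled_back]
    return {"bundle": owner, "rolled_back": rolled_back,
            "kept": kept, "halted_at": halted_at}


# First example of the appendix: DISCOVERY fails after BUNDLE-CAS installed cleanly.
CAS_DISCOVERY_BUNDLES = {
    "BUNDLE-CAS": ["BUNDLE-CAS", "CAS"],
    "BUNDLE-DISCOVERY": ["BUNDLE-DISCOVERY", "DISCOVERY"],
}
CAS_DISCOVERY_ORDER = ["BUNDLE-CAS", "CAS", "BUNDLE-DISCOVERY", "DISCOVERY"]

# Second example: TEE fails while STAP is marked NO_ROLLBACK.
STAP_BUNDLES = {"BUNDLE-STAP": ["BUNDLE-STAP", "ATAP", "KTAP", "STAP", "TEE"]}
STAP_ORDER = ["BUNDLE-STAP", "ATAP", "KTAP", "STAP", "TEE"]

if __name__ == "__main__":
    print(plan_rollback(CAS_DISCOVERY_ORDER, CAS_DISCOVERY_BUNDLES, "DISCOVERY"))
    print(plan_rollback(STAP_ORDER, STAP_BUNDLES, "TEE", no_rollback={"STAP"}))
```

In the second case the model keeps BUNDLE-STAP, ATAP and KTAP installed because the walk never gets past STAP, which is why reinstalling the failed bundle is the only follow-up step.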

Appendix E – Vulnerability Assessment Tests

This appendix outlines the Vulnerability Assessment (VA) tests that existed in V7 and have been

removed or changed in V8. Customers need to be aware of these changes and upgrade their

Vulnerability Assessment accordingly.

Description changed

Previous Version: No Select Privileges On System Tables In Application Databases

Now: No Select Privileges On System Tables/Views In Application Databases

Previous Version: Only DBA Standard Roles Authorizations

Now: Only Administrators have privileges on predefined roles

Previous Version: Only DBA Access To SYS.AUD$

Now: Only Administrator Access To SYS.AUD$

Previous Version: Only DBA Access To any V$ View

Now: Only Administrator Access to any V$ View

Tests deleted without replacement

db2start Setuid Bit Is Not Set

No Public Bind Package Access

No Public Implicit Schema Creation

No Public NonFenced Procedure Execution

db2stop Setuid Bit Is Not Set

db2govd Setuid Bit Is Not Set

Only DBA Access To Any X$ table

Where to go from here

The upgraded system is now ready to use.

Version 8.0 supports Version 7.0 licenses and all Version 7.0 entitled functions will still be

enabled in the upgraded Version 8.0.

New product keys will be provided upon purchase of new functions.

July 6, 2011

IBM InfoSphere Guardium 8.0 Licensed Materials – Property of IBM. © Copyright IBM Corp. 2011. All Rights Reserved. U.S. Government Users Restricted Rights - Use,

duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
