
IBM InfoSphere Guardium

Version 8.0 Upgrade Guide, 7.0 to 8.0


This document includes step-by-step procedures for upgrading S-TAPs and the IBM InfoSphere Guardium appliance. It covers the upgrade of stand-alone appliances versus managed units, and the upgrade of collectors versus aggregators.

Product Overview
IBM InfoSphere Guardium provides the simplest, most robust solution for safeguarding your entire application and database infrastructure, including:
- Real-time database activity monitoring (DAM) for proactively identifying unauthorized or suspicious activities, preventing attacks and blocking unauthorized access by privileged users.
- Auditing and compliance solutions for automating and simplifying validation activities related to data integrity, data privacy, and various regulations and standards such as PCI DSS and SOX.
- Change control solutions for preventing unauthorized changes to databases, privileges, and configurations.
- Vulnerability management solutions for identifying and resolving database vulnerabilities such as missing patches, misconfigured privileges, and default accounts.
- Fraud prevention solutions with application layer monitoring for identifying unauthorized activities by application users (SAP, PeopleSoft, Oracle EBS, Cognos, etc.).
- Database leak prevention for locating sensitive data and preventing data center breaches.

About this document


This document describes how to upgrade IBM InfoSphere Guardium to version 8.0 from version 7.0. The 8.0 upgrade is only applicable for a fully patched version 7.0 (all patches up to and including patch 706) system. If you have an earlier version of the IBM InfoSphere Guardium appliance, you must upgrade to 7.0 (patch 706) before upgrading to 8.0. To upgrade to version 8.0 from any version other than 7.0, contact Technical Support to obtain the correct documentation and software. For a detailed description of the new features in this release, see the version 8.0 Release Notes and the version 8.0 online help manuals.
IBM InfoSphere Guardium Upgrade Guide - 1

Contents
Upgrade Guide, 7.0 to 8.0
Product Overview
About this document
Before You Begin
Minimum Requirements
Before Upgrading Any Unit
Health Check before upgrade
High-Availability System Upgrades
Upgrade Sequence for Aggregation Environment
Upgrade Sequence for Central Manager Environment
GIM Installation
Email addresses
Need to Decide, Version 8.0 or Version 7.0 GUI Layout
Set a Shared Secret
Estimated Down Time
Make sure CAS data is ready for upgrade
Upgrade Procedure
Step 1: S-TAP reporting
Step 1a (Optional): Reassign Primary Host for an S-TAP
Step 2: Upgrade IBM InfoSphere Guardium Appliance
Step 2a: Back Up the Pre-Upgrade System
Step 2b: Pre-Upgrade Patches
Step 2c: Apply the Upgrade Patch
Step 2d: Apply Maintenance Patches (Optional)
Step 3: Upgrade S-TAPs
(S-TAP) Version 7.0 Uninstall process
Un-installing Version 7.0 S-TAP before un-installing GIM
On-line help for S-TAPs
Known Limitations Version 8.0 managing Version 7.0
Reconfiguration Activities Required after Upgrade
Version 7.0 Managed units/Collectors and Version 8.0 Central Manager/Aggregator
Installation Steps
Pre-upgrade Patch Issues
Additions to Pre-upgrade patch
Non-managed Collectors
Upgrade using Non-managed Aggregator
Appendix A Health Check patch
Appendix B Upgrade from version 7.0 backup via CLI
Upgrade from the version 7.0 backup via CLI.
Appendix C IBM InfoSphere Guardium Installation Manager
GIM server
GIM Client
GIM User Interface
Installing GIM for the first time
Installing GIM on the Database Server (UNIX)
Installing GIM on the Database Server (Windows)
Install Perl for GIM on Windows
Appendix D - GIM Rollback Procedure
Appendix E Vulnerability Assessment Tests
Where to go from here


Before You Begin


Before beginning the upgrade process, be sure to read through all of the topics in this section.

Minimum Requirements
Dell models: 1950, R610
InfoSphere Guardium Patch Level: Version 7.0, patch 706
Memory: 4 GB
Disk space: No minimum

If your hardware is older than the minimum listing here, discuss how to upgrade your equipment with Technical Support.

Before Upgrading Any Unit


Customers must discuss the upgrade with Technical Support prior to performing any upgrade. Always perform a full system backup from the CLI before starting the upgrade procedure, regardless of the unit type (collector, aggregator, or Central Manager). The duration of the upgrade procedure depends on the amount of data on the appliance, so it is suggested that you purge all unnecessary data before upgrading, as that will make the upgrade process run faster.
Health Check before upgrade

Run the Health Check patch before the upgrade to Version 8.0. It performs preliminary checks on the InfoSphere Guardium appliance in order to prevent potential issues during the upgrade. See Appendix A for details on this patch and what it does.
High-Availability System Upgrades

If your unit is configured for high-availability, that functionality must be turned off via the CLI, and the unit must be rebooted before performing the upgrade. After the upgrade completes, the high-availability functionality can be turned on again via the CLI.
Upgrade Sequence for Aggregation Environment

Upgrade the aggregator before upgrading any of the units that export data to it. An upgraded aggregator can aggregate data from older releases, but an older aggregator cannot aggregate data from newer releases. See the later section in this document on pre-upgrade patches for information that applies to the Aggregation Environment. At least one day before updating the aggregator, from the admin account, stop the aggregation process (the Export Data schedule) on all collectors that export data to that aggregator. Do not restart the Export Data schedules on the collectors until after the aggregator has been upgraded.

Upgrade Sequence for Central Manager Environment

Upgrade the Central Manager to the new release before upgrading the managed units, taking care to upgrade an aggregator before upgrading any of the units that export data to it (see above). Although an 8.0 Central Manager can manage a 7.0 unit, not all functionality will be available on the 7.0 unit. To minimize the discrepancies, install the mandatory pre-upgrade patch on each 7.0 managed unit. The pre-upgrade patch is detailed later in the document. Complete 8.0 functionality will not be available on a managed unit until that unit has been upgraded to 8.0. There are further instructions on upgrade issues with managed units/collectors (running IBM InfoSphere Guardium 7.0) and a Central Manager/ Aggregator (running IBM InfoSphere Guardium 8.0) in this document. These further instructions appear in the Pre-upgrade patch section of this document.
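The ordering rules from the two Upgrade Sequence sections above, together with the patch 706 prerequisite and the pre-upgrade patch names given later in this guide, written as a dependency check over a unit inventory. This is an added example, not IBM code; the Unit fields, role names and sample inventory are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

REQUIRED = ("7.0", 706)  # the 8.0 upgrade applies only to 7.0 at patch 706
P7999 = "SqlGuard-7.0p7999_PreUpgrade.tgz.enc"
P7998 = "SqlGuard-7.0p7998_PreUpgrade_NonManagedCollectors.tgz.enc"


@dataclass
class Unit:  # hypothetical inventory record, not a Guardium data structure
    name: str
    role: str  # "central_manager", "aggregator" or "collector"
    version: str
    patch: int
    managed_by: Optional[str] = None  # Central Manager managing this unit
    exports_to: Optional[str] = None  # aggregator receiving its Export Data


def rank(unit):
    """Tie-break in the guide's order: CM, aggregator, collector, managed unit."""
    if unit.role == "central_manager":
        return 0
    if unit.role == "aggregator":
        return 1
    return 3 if unit.managed_by else 2


def pre_upgrade_patch(unit):
    """Pre-upgrade patch a 7.0 unit needs while it coexists with 8.0 units."""
    if unit.managed_by:
        return P7999  # managed by a Central Manager that goes to 8.0 first
    if unit.role == "collector" and unit.exports_to:
        return P7998  # non-managed collector exporting to an 8.0 aggregator
    return None


def plan_upgrade(units):
    """Return (order, problems): a valid upgrade order and blocking findings."""
    by_name = {u.name: u for u in units}
    problems = []
    deps = {u.name: set() for u in units}  # unit -> units upgraded before it
    for u in units:
        if (u.version, u.patch) != REQUIRED:
            problems.append(f"{u.name}: at {u.version} patch {u.patch}; "
                            f"needs {REQUIRED[0]} patch {REQUIRED[1]} first")
        for label, ref in (("managed_by", u.managed_by),
                           ("exports_to", u.exports_to)):
            if ref is None:
                continue
            if ref not in by_name:
                problems.append(f"{u.name}: {label} names unknown unit {ref}")
            else:
                deps[u.name].add(ref)
    order, done, pending = [], set(), set(deps)
    while pending:
        ready = [n for n in pending if deps[n] <= done]
        if not ready:  # every remaining unit waits on another remaining unit
            problems.append("dependency cycle: " + ", ".join(sorted(pending)))
            break
        nxt = min(ready, key=lambda n: (rank(by_name[n]), n))
        order.append(nxt)
        done.add(nxt)
        pending.remove(nxt)
    return order, problems


def checklist(units):
    """Pre-upgrade patches first, then Export Data stops, then the upgrades."""
    order, problems = plan_upgrade(units)
    steps = []
    for u in units:
        patch = pre_upgrade_patch(u)
        if patch:
            steps.append(f"install {patch} on {u.name}")
    for u in units:
        if u.exports_to:
            steps.append(f"stop Export Data schedule on {u.name} at least "
                         f"one day before upgrading {u.exports_to}")
    steps += [f"upgrade {name}" for name in order]
    return steps, problems


# Constructed sample inventory: col3 is one patch short of the prerequisite.
SAMPLE_UNITS = [
    Unit("cm1", "central_manager", "7.0", 706),
    Unit("agg1", "aggregator", "7.0", 706, managed_by="cm1"),
    Unit("col1", "collector", "7.0", 706, managed_by="cm1", exports_to="agg1"),
    Unit("col2", "collector", "7.0", 706, exports_to="agg1"),
    Unit("col3", "collector", "7.0", 705),
]

if __name__ == "__main__":
    steps, problems = checklist(SAMPLE_UNITS)
    for problem in problems:
        print("BLOCKED:", problem)
    for number, step in enumerate(steps, 1):
        print(f"{number:2}. {step}")
```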
GIM Installation

The purpose of IBM InfoSphere Guardium Installation Manager (GIM) is to simplify the task of managing the IBM InfoSphere Guardium remote modules such as S-TAP, K-TAP and CAS. With GIM, the customer can install and update the agents on the database server (S-TAP and CAS) directly from the GUI without a need to login as root to the database server. Installing GIM first simplifies the upgrade of the agents (S-TAP, CAS). For detailed instructions on how to install GIM, see the GIM online help book available on all IBM InfoSphere Guardium 8.0 appliances. You can download a PDF version of that document from the GIM help book in the IBM InfoSphere Guardium Help Contents. See also Appendix B of this document for GIM installation instructions.
Email addresses

Set the email address for all users (especially admin) to a real email address prior to upgrade. The email addresses of all pre-defined users (for example, the admin user) in IBM InfoSphere Guardium 8.0 are ** (no email address). If the email address of the admin user is not set to a real email address, a Scheduled Job Exception message will be generated every 30 minutes, announcing "No Valid Email address for Recipient and/or User Admin".
Need to Decide, Version 8.0 or Version 7.0 GUI Layout

By default, the upgrade process will apply the Version 8.0 look and feel. IBM InfoSphere Guardium customers are encouraged to follow the default upgrade and use the Version 8.0 layout as it provides better access to various Version 8.0 enhancements and new features. IBM InfoSphere Guardium customers, who have made many panel customizations in their Version 7.0 UI and wish to retain their Version 7.0 GUI layout, can do so in one of the following ways:

Option #1: Install the update-7.0p7990_SetKeepPanelsForUpgrade.tgz.enc patch *BEFORE* the upgrade. If choosing to retain the Version 7.0 GUI layout, this option is recommended.

Option #2: There is a CLI command available to upgrade from a version 7.0 backup. This CLI command can be used ONLY if the user performed a full system backup of IBM InfoSphere Guardium 7.0, patch 706 before the upgrade (both CONFIG backup and DATA backup are recommended, DATA backup is required). See Appendix A of this document for more information.

Notes, Version 8.0 or Version 7.0 GUI layout:
- At any point, the IBM InfoSphere Guardium customer may reset the Version 8.0 UI to its default layout through the GUI: Edit Account --> select Layout --> Reset.
- Reports that were defined by the customer in Version 7.0 will be placed under the "V7 Reports" pane in the upgraded Version 8.0 portal.
Set a Shared Secret

The System Shared Secret that was not required for Aggregation in previous versions must now be set and be the same for Aggregator and all aggregated collectors for Aggregation to work.
Estimated Down Time

Plan at least two hours of down time for the upgrade. As mentioned above, the duration of the upgrade procedure depends on the amount of data on the appliance (it is suggested that you purge all unnecessary data before upgrading).
Make sure CAS data is ready for upgrade

Install patch-9271 on any Version 7 appliance that is licensed for CAS; patch-9271 will look for a specific condition with CAS data that could lead to failing the entire v7-to-v8 upgrade process. If patch p9271 fails to install, it means that the Version 7.0 appliance is NOT ready for an upgrade, and the customer should contact IBM InfoSphere Guardium Technical Support for assistance BEFORE proceeding with the upgrade. If patch p9271 installs successfully, it means that CAS data is ready for upgrade.

Patch Name: SqlGuard-7.0p9271_checkCasData.tgz.enc
Patch MD5SUM: d4a1188093f6731b86417b53fe559aae
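One way to check staged patch files against the digests printed in this guide before running "store system patch install", reporting separately any patch the guide names without a digest value (the auto-detect patch SqlGuard-8.0p1.tgz.enc, mentioned later, is printed with "(md5sum)" only). This is an added example, not IBM code; the staging directory, function names and status strings are assumptions, and a matching MD5 shows the file arrived intact, not who produced it.

```python
import hashlib
import tempfile
from pathlib import Path

# Digests exactly as printed in this guide. None means the guide names the
# patch but prints no digest value, so it cannot be verified from the guide.
PUBLISHED_MD5 = {
    "SqlGuard-7.0p9271_checkCasData.tgz.enc": "d4a1188093f6731b86417b53fe559aae",
    "SqlGuard-8.0p1.tgz.enc": None,
}


def md5_of(path, chunk_size=1 << 20):
    """Stream the file so large patch archives are not loaded into memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_patches(staging_dir, published=PUBLISHED_MD5):
    """Map each expected patch name to ok / mismatch / missing / no-digest."""
    results = {}
    for name, expected in published.items():
        path = Path(staging_dir) / name
        if not path.is_file():
            results[name] = "missing"
        elif expected is None:
            results[name] = "no-digest"  # obtain the digest from the vendor
        elif md5_of(path) == expected.strip().lower():
            results[name] = "ok"
        else:
            results[name] = "mismatch"   # corrupted or altered in transit
    return results


def safe_to_install(results):
    """Only files whose digest matched are candidates for installation."""
    return [name for name, status in results.items() if status == "ok"]


if __name__ == "__main__":
    # Constructed demo: a stand-in file whose bytes are not the real patch,
    # so the check reports a mismatch for it and "missing" for the other.
    with tempfile.TemporaryDirectory() as staging:
        fake = Path(staging) / "SqlGuard-7.0p9271_checkCasData.tgz.enc"
        fake.write_bytes(b"constructed bytes, not the real patch")
        outcome = check_patches(staging)
        for name, status in outcome.items():
            print(f"{status:10} {name}")
        print("install candidates:", safe_to_install(outcome))
```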


Upgrade Procedure
Upgrade IBM InfoSphere Guardium products in this order: (1) Central Manager; (2) Aggregator; (3) Collector; (4) Managed Units; (5) S-TAP agents. Follow the steps in the upgrade procedure:

Step 1: S-TAP reporting


IBM InfoSphere Guardium 8.0 appliances can service 7.0 S-TAPs, but it is recommended that you upgrade all 7.0 S-TAPs to version 8.0 as soon as possible, to take advantage of all new features and enhancements. The easiest way to upgrade S-TAPs is by using the IBM InfoSphere Guardium Installation Manager (GIM) to provide an automatic installation capability for IBM InfoSphere Guardium modules such as S-TAP and KTAP. See the GIM client installation instructions in Appendix B of this document.

If you have multiple IBM InfoSphere Guardium appliances, and you want to minimize S-TAP down-time, you can temporarily reset the primary IBM InfoSphere Guardium host for each S-TAP serviced by the appliance to be upgraded. Then, after the appliance has been upgraded, you can restore the primary host assignments for those S-TAPs. Follow the optional procedure described below (Step 1a) to reassign the primary host for an S-TAP.

Step 1a (Optional): Reassign Primary Host for an S-TAP


To reassign the primary host for an S-TAP, log on to the administrator portal of the primary host for that S-TAP and open the S-TAP Control panel (select S-TAP Control from the Local Taps section of the Administration Console). For each S-TAP for which this appliance is the active host:

1. Click the (Edit) button to open the S-TAP Configuration panel. If the Edit button is not active, this appliance is not currently servicing this S-TAP (the S-TAP may be offline, or another IBM InfoSphere Guardium appliance may be servicing it).
2. In the S-TAP Configuration panel, click the Plus button to expand the Hosts pane. One or more IBM InfoSphere Guardium hosts will be listed, with a check-mark beside the name of this IBM InfoSphere Guardium appliance, indicating that it is the active host for the S-TAP.
3. To designate one of the listed IBM InfoSphere Guardium appliances as the primary host for this S-TAP, click (Set Primary) in the right-most column for that appliance. This will move that appliance to the top of the list of appliances (making it the primary host). If the appliance you want to service this S-TAP is not listed, enter its IP address in the text box and click Add, and then click the (Set Primary) button for that appliance.
4. When you are done, click the Apply button at the bottom of the S-TAP Configuration panel.
5. For a Windows server only, restart the GUARD_STAP service.

Step 2: Upgrade IBM InfoSphere Guardium Appliance


Follow this procedure to upgrade each IBM InfoSphere Guardium Appliance. These steps are performed from the CLI, so you will need to have the IBM InfoSphere Guardium CLI user password for the unit being upgraded.

Step 2a: Back Up the Pre-Upgrade System


Before running this step, archive and purge all data that you will not need to access on your upgraded system. The less data on your system, the more quickly the upgrade procedures will run. For instructions on how to archive and purge data, see the IBM InfoSphere Guardium Administration Guide.

This step is performed while logged in as the CLI user on the IBM InfoSphere Guardium appliance:

1. Using an SSH client, log in to the IBM InfoSphere Guardium unit as the CLI user.
2. Enter the following command to back up the IBM InfoSphere Guardium system:

    backup system

   You will be prompted to supply host, directory and password information for the system to which the backup data will be sent. Respond appropriately, and a series of messages will inform you that various processes or services are being stopped. Ultimately, you will be informed of the result of the backup operation with a message like the one illustrated below:

    Backup done.
    Keep the file /<xxx>/<host_name.domain_name-yyyy-mm-dd>.sqlguard.bak in a safe place.
    [Press Enter to continue]

3. Press Enter to complete the operation. A series of messages will display to confirm the backup.
4. Log in to the backup host and verify that the backup file has been copied there.

Step 2b: Pre-Upgrade Patches


Note: Install the pre-upgrade patches from the Version 7.0 Central Manager BEFORE upgrading the Central Manager or Aggregator. This permits the distribution of these patches from manager to managed units (which cannot be done after the upgrade).


The two pre-upgrade patches are required on Version 7.0 appliances if these Version 7.0 appliances are communicating with any Version 8.0 appliances (Central Manager; Aggregator; Collectors; Managed Units), in an environment where both versions are installed. You can install the pre-upgrade patches directly from a CD, or copy them over SCP/FTP from a remote host on the network.

1. Using an SSH client, log in to the IBM InfoSphere Guardium unit as the CLI user.
2. Do one of the following:
   If installing from the CD, insert the patch CD in the IBM InfoSphere Guardium CD drive, enter the following command, and skip ahead to step 3:

    store system patch install cd

   If installing from the network, enter the following command:

    store system patch install [ftp | scp]

   And respond to the following prompts:

    Host to import patch from:
    User on <hostname>:
    Full path to patch, including name:
    <user@host> password:

3. You will be prompted to select the patch to apply:

    Please choose one patch to apply (1-n, q to quit):

   Type the number that identifies the pre-upgrade patch, and then press Enter.

SqlGuard-7.0p7999_PreUpgrade.tgz.enc
This pre-upgrade patch is required for Version 7.0 managed units that will be managed by a Version 8.0 Central Manager.

SqlGuard-7.0p7998_PreUpgrade_NonManagedCollectors.tgz.enc
This pre-upgrade patch is required for Version 7.0 non-managed collectors in a Version 8.0 environment (Version 8.0 Aggregator).

The following KeepPanels patch must be installed before the upgrade (if retaining Version 7.0 GUI layout, see wording on Version 7.0 portlets and panels in the Before You Begin section).

SqlGuard-7.0p7990_SetKeepPanelsforUpgrade.tgz.enc
Customers who have made many panel customizations in their Version 7.0 UI and wish to retain their Version 7.0 GUI layout should install this patch prior to installing the upgrade patch. See the earlier wording on Version 7.0 portlets and panels in the Before You Begin section.


Step 2c: Apply the Upgrade Patch


You can install the upgrade patch directly from a CD, or copy it over SCP/FTP from a remote host on the network.

1. Using an SSH client, log in to the IBM InfoSphere Guardium unit as the CLI user.
2. Do one of the following:
   If installing from the CD, insert the patch CD in the IBM InfoSphere Guardium CD drive, enter the following command, and skip ahead to step 3:

    store system patch install cd

   If installing from the network, enter the following command:

    store system patch install [ftp | scp]

   And respond to the following prompts:

    Host to import patch from:
    User on <hostname>:
    Full path to patch, including name:
    <user@host> password:

3. You will be prompted to select the patch to apply:

    Please choose one patch to apply (1-n, q to quit):

   Type the number that identifies the upgrade patch, and then press Enter.

    SqlGuard-7.0p8000.tgz.enc    Version 7.0 to 8.0 upgrade patch

4. During the upgrade process, the IBM InfoSphere Guardium unit will restart/reboot a few times. That is expected and does not require any action.

Step 2d: Apply Maintenance Patches (Optional)


After restarting the system, apply any maintenance patches that you have received for the new release. Initially, there will be no maintenance patches to apply. Patches are distributed as compressed archive files, either on CD or on your IBM InfoSphere Guardium FTP account. There may be more than one patch on a CD. You can install patches directly from the CD, or remotely using SCP/FTP.

1. Log in to the IBM InfoSphere Guardium unit as the CLI user.
2. For each patch you apply, do one of the following:
   If installing from the CD, insert the patch CD in the IBM InfoSphere Guardium CD drive, enter the following command, and skip ahead to step 3:

    store system patch install cd

   If installing from the network, enter the store system patch command. Note that the syntax of this command changed subsequent to release 5.1; the new syntax is shown below. Enter either ftp or scp as the last keyword of the command, to indicate which file transfer method you will use:

    store system patch install [ftp | scp]

   And respond to the following prompts:

    Host to import patch from:
    User on <hostname>:
    Full path to patch, including name:
    Password:

3. You will be prompted to select the patch to apply:

    Please choose one patch to apply (1-n, q to quit):

   Type the number of the patch to apply, and then press Enter.

Step 3: Upgrade S-TAPs


As mentioned earlier, 7.0 S-TAPs can be serviced by 8.0 IBM InfoSphere Guardium appliances, but it is recommended that you upgrade the S-TAPs as soon as possible, to take advantage of all new features and enhancements. If you reassigned the primary host for one or more S-TAPs before upgrading an appliance, you can restore the management of each such S-TAP to the upgraded appliance by logging in to the IBM InfoSphere Guardium appliance currently managing that S-TAP, and changing its primary host as described earlier (see optional Step 1a).
(S-TAP) Version 7.0 Uninstall process

Problem: The uninstall of ATAP leaves leftover files on the server.

Solution: When transitioning from Version 7.0 to Version 8.0 and activating ATAP through enabling encryption in the GUI, make sure that there are no $ORACLE_HOME/lib/libguard-* leftovers. Use the following deactivate command:

    /usr/local/guardium/bin/guardctl db-instance=any dbhome=/home/oracle10/product/10.2.0/db_1 db-type=oracle deactivate

When to use this command: after upgrading from Version 7.0 to Version 8.0, and for every Oracle installation in which ATAP was active under a Version 7.0 install.


Un-installing Version 7.0 S-TAP before un-installing GIM

System configuration/setup:
- Version 7.0 STAP or (non-GIM) Version 8.0 S-TAP installed.
- GIM client is installed and GIM S-TAP is pending installation.

An attempt to un-install Version 7.0/(non-GIM) Version 8.0 S-TAP and then un-install GIM will generate the following message: "GIM installation is corrupted. IBM InfoSphere Guardium's modules will be removed ungracefully." The message doesn't require any specific steps. An attempt to remove GIM will cause GIM to try and understand the nature of the loaded KTAP, but the lack of software associated with this module (due to the un-installation of the non-GIM S-TAP) makes the un-install script dump this message. The un-install process, however, completes successfully after a system reboot.
On-line help for S-TAPs

For detailed instructions on how to upgrade or install new S-TAPs, see the S-TAP online help book available on all IBM InfoSphere Guardium 8.0 appliances. You can download a PDF version of that document from the S-TAP help book in the IBM InfoSphere Guardium Help Contents.


Known Limitations Version 8.0 managing Version 7.0


The upgrade process cannot be done simultaneously on all appliances (Central Manager, Aggregator, Collector, Managed Units) and all S-TAPs. During the upgrade transition, the customer will have a hybrid Version 7.0 and Version 8.0 InfoSphere Guardium solution. While this "hybrid mode" is supported by InfoSphere Guardium, many functions are limited until all components are at the same version. While in the hybrid mode, avoid making any configuration changes. Therefore, it is strongly recommended to complete the upgrade in a timely manner and have all InfoSphere Guardium components at the same version and the same patch level.

Data collection, data assessment, and policies (with some restrictions) will continue to work while in the hybrid mode. Functions with new or enhanced capabilities in Version 8.0 will not work in a mixed Version 7.0/Version 8.0 environment. The list below details the major functions that will be disabled or limited while in this hybrid mode:

1. For an upgrade from Version 7.0 to Version 8.0, it is mandatory that the latest patch level, patch 706, be on all IBM InfoSphere Guardium 7.0 appliances. None of the upgrade/pre-upgrade patches will work unless the Version 7.0 appliance is at the latest patch level, patch 706.
2. A remote policy installation on an IBM InfoSphere Guardium 7.0 unit from an IBM InfoSphere Guardium 8.0 manager is not permitted. Until the IBM InfoSphere Guardium 7.0 unit is upgraded to 8.0, policies can only be installed locally on units managed by the central manager.
3. There are a few IBM InfoSphere Guardium 8.0 rule actions that are not supported in IBM InfoSphere Guardium Version 7.0. If such rule actions are present, they will not work on the managed unit. IBM InfoSphere Guardium Version 8.0 supports multiple policies and multiple actions, thus an IBM InfoSphere Guardium Version 7.0 managed unit will apply ONLY the first action, and only one policy can be installed. Use multiple policies and multiple actions per rule only after all the systems are upgraded.
4. On a Version 7.0 managed node, managed by a Version 8.0 Central Manager, audit processes cannot be modified. A user can only run or view an audit process.
5. Version 8.0 adds support for creating reports with no count field. While in hybrid mode (Version 7.0/Version 8.0), the user should avoid creating reports with no count field on the Central Manager, since these reports are instantly shared by all managed units and will not function when the Version 8.0 Central Manager is managing a Version 7.0 appliance.
6. Java error, Unable to locate DLL: During upgrade of Windows S-TAPs, for Java 1.6.0, an error may be generated by the JVM indicating that it is unable to locate a DLL: "The dynamic link library MSVCR71.dll could not be found in the specified path." This error can be remedied by implementing one of the two workarounds: (1) use a different (another release) JVM (if one is available on the system) or (2) download the DLL from Microsoft and place it in the Windows system directory.


Reconfiguration Activities Required after Upgrade


1. The new patch mechanism on the GUI side now provides a way to configure a profile that sets where database backups are stored. This is set up on the Central Manager and can then be pushed down to the managed nodes. The destination field (where the database backups are stored) is meant to point to a host where the backup will be stored. This is not a pointer to the local machine.

2. After upgrade from Version 7.0 to Version 8.0, customers need to reload open source database drivers (if used). Data Direct drivers in Version 7.0 will be available in Version 8.0.

3. The upgrade will disable the auto-detect (DB Discovery) functionality. To reinstall the gautodetect component, install a separate patch and enable this feature. The name of this separate gauto-detect installation is SqlGuard-8.0p1.tgz.enc (md5sum).

4. Log Full Details with Values / Log Full Details with Values per Session - These log actions use more system resources as they log the specific values of the relevant commands. Use this log action only when you need to generate reports with specific conditions on these values. Activation of this log action choice is not available without consulting Technical Services (Query Hint). These log actions are locked in IBM InfoSphere Guardium 8 unless there is an existing rule in IBM InfoSphere Guardium 7 with either one of these actions. In this case, these log actions are unlocked.

5. Queries with aggregated conditions (sum, max, avg, etc.) created in Version 7.0 cannot be saved or cloned after upgrade to Version 8.0. The queries will keep working with no problem. If a modification is needed, users must remove all conditions, save the query, and then add the conditions back in the Version 8.0 standard.

6. New datasources created from CAS instance data during the upgrade are now created with admin as the owner and allowed to all roles. Users should review these datasources after upgrade.

7. During the CAS upgrade, datasources are generated for all the Version 7.0 CAS instances. These datasources are not set as Shared. This means that if you want to use them in Security Assessments, you have to go to them individually and set them as Shared.

8. Matching a CAS instance with a datasource is handled differently in version 8.0 after an upgrade - When a user creates more than one CAS instance in version 7.0 using the same database connectivity configuration, and the CAS server is upgraded to version 8.0, datasources will be created from these CAS instance configurations in order to match the CAS instance with a datasource the way it is done in version 8.0. In the course of creating these datasources, the version 7.0-to-version-8.0 upgrade will look for identical configuration information among the CAS instances, and will create only one datasource for all those instances. It will name this one datasource after one of those CAS instances. As a result, when looking at the CAS status screen after the version 7.0-to-version-8.0 upgrade, a user will see the CAS instances that they created in version 7.0, along with the name of a datasource that is associated with each one, and that datasource name may reference the name of another CAS instance (the one that the datasource was created from) because it uses the same datasource connectivity configuration as that other CAS instance. Therefore, the CAS instance name referenced in the datasource in the first column of the status screen does not reflect the CAS instance, but the second column of the screen does reflect the CAS instance, and this second column should be used by a user to identify the CAS instance.

9. The Classifier Cls/Asmt Description is stored differently in Version 8.0. Rerun the completed Version 7.0 Classifier process in Version 8.0 in order to get the proper Cls/Asmt Description name. Use the "invoke..." command from the Classifier/Assessment Job Queue report to execute a given Classifier process. In Version 8.0, attempting to run the GuardAPI command "execute_cls_process" for a completed Version 7.0 classifier process will not work because both the Classifier process and the Classifier policy names in Version 7.0 are stored in the Cls/Asmt Description. In Version 8.0, the Cls/Asmt Description is stored with just the Classifier process name.

   Examples:

   In Version 7.0:
   grdapi execute_cls_process processName="AA for new Oracle driver patch 7 - aaaa" api_target_host=< >

   In Version 8.0:
   grdapi execute_cls_process processName="AA for new Oracle driver patch 7" api_target_host=< >

   During the restore db-from-v7 process, the name with both the Classifier process and Classifier policy is carried over to Version 8.0 after the "restore db-from-v7" process is complete. Executing a NEW Classifier process, after the restore is complete, works fine because Version 8.0 stores just the Classifier process name.

10. During the upgrade, the default purging period of internal components in the system is set to the schedule previously set in Version 7.0. Users can override these defaults through the CLI using the store purge object CLI command.


Version 7.0 Managed units/Collectors and Version 8.0 Central Manager/Aggregator


This section lists upgrade issues with managed units/collectors (running IBM Guardium 7.0) and a Central Manager/Aggregator (running IBM InfoSphere Guardium 8.0).

It is recommended to have your Central Manager and managed units on the same version. Having a Central Manager on a different version than its managed units should be temporary, and it is highly recommended to upgrade all managed units to the same version as the Central Manager.

Run Sync (Refresh) on all managed nodes after upgrading, so that these managed nodes recognize their proper software version.

Install the Pre-upgrade patch before the Central Manager is upgraded. The reason for this is as follows: the management patch installer in IBM InfoSphere Guardium Version 8.0 is not compatible with IBM InfoSphere Guardium Version 7.0 patches (with the Upgrade patch being the one exception). So, before the upgrade, remotely install the Pre-upgrade patch on all the managed units from the Central Manager's GUI. After the upgrade, the only way to install the Pre-upgrade patch is by going to the CLI of each individual unit and installing it there (which is more work).

To install the Pre-upgrade patch from the Central Manager to the managed units running IBM InfoSphere Guardium Version 7.0, first copy the patch to the Central Manager via fileserver.

Installation Steps
1. Copy the Pre-upgrade patch to the Central Manager via fileserver.
2. Remotely install the Pre-upgrade patch on all the managed units from the Central Manager's GUI.
3. Install the Upgrade patch on the Central Manager.

Pre-upgrade Patch Issues


1. The Pre-upgrade patch currently depends on IBM InfoSphere Guardium Version 7.0 with patch 706 being on the system. The Pre-upgrade patch will ONLY run on a managed unit. It will not run on a Central Manager or standalone. Upgrade the Central Manager or standalone units with an upgrade patch (different from the pre-upgrade patch).

2. The managed units with Pre-upgrade patch will give user errors before the Central Manager is upgraded.

3. The Policy Builder will not be accessible on a pre-upgrade system until the upgrade is performed.

4. On a managed system running IBM InfoSphere Guardium Version 7.0 (with the pre-upgrade patch), policies cannot be modified and the installed policy cannot be viewed. However, the policy installed in a managed system can be reviewed and modified in the Central Manager (running IBM InfoSphere Guardium Version 8.0), and changes will take effect after the policy is re-installed in the managed units (running IBM InfoSphere Guardium Version 7.0). The managed units can be either managed collectors or managed aggregators.

Additions to Pre-upgrade patch


There are two Pre-upgrade patches:
1. For all managed machines.
2. Only for non-managed (standalone) collectors exporting to an upgraded aggregator.

Non-managed Collectors
There is a second pre-upgrade patch for NON-managed collectors. The NON-managed collector must be a standalone collector, and have patch 706 as a pre-requisite.

Upgrade using Non-managed Aggregator


1. Upgrade aggregator.
2. Apply non-managed pre-upgrade patch to all collectors pointing to this aggregator.
3. When ready, upgrade all collectors.


Appendix A Health Check patch


IBM InfoSphere Guardium Health Check Patch for V7.0 to V8.0 Upgrade

Package name: SqlGuard-7.0p997.tgz.enc
Dependencies: Patch 706

The purpose of this patch is to perform preliminary checks on the InfoSphere Guardium appliance before the upgrade to Version 8 in order to prevent potential issues during the upgrade.

The following will be checked by the patch:
- There are no discrepancies between DB structures on the appliance and the template of DB structure for V8.
- There are no Ad Hoc scripts that are going to be deleted by the upgrade.
- There are no duplicates in CAS entities.
- There are no duplicates in SECURE PARAMETERS entity.
- There are no duplicates in GROUP MEMBER entity.
- The appliance is not supported DELL machine for V8.
- There are no users with space in their login name.
- There are no custom entries in ALERT PARAMETERS entity.
- There is no issue with DB size (used DB space is less than 50%).

Note: This list is subject to change/expand with later versions of the Health Check patch to include additional checks, if required.

The health check generates a log file named health_check.<time_stamp>.log. In order to view the log file, perform the following actions:
1. Type the CLI command, fileserver.
2. Open the fileserver in a web browser.
3. Go to Sqlguard logs->diag->current folder and open the log file.

The log file will contain the status of each validation. If any one of these validations fails, the status of the failed validation will start with the ERROR: prefix and the following message will appear at the end of the log file:
Please send <file_name> file to support team

If no problem was found, the following message appears at the end of the log file:
Appliance is ready for upgrade
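The log format described above can be turned into a go/no-go gate for the upgrade window. The following is an added example, not part of the IBM guide or the patch: it assumes each validation status sits on its own line, and the sample logs are constructed (only the ERROR: prefix and the two closing messages come from this appendix).

```python
"""Triage a Guardium health_check.<time_stamp>.log before scheduling the upgrade."""
import re
from dataclasses import dataclass, field

READY_MSG = "Appliance is ready for upgrade"
# Closing line written when any validation failed; <file_name> varies per run.
SUPPORT_RE = re.compile(r"^Please send (?P<name>\S+) file to support team$")


@dataclass
class HealthCheckResult:
    verdict: str                              # "ready", "failed" or "incomplete"
    failures: list = field(default_factory=list)
    support_file: str = ""


def triage(log_text):
    """Classify one health check log from its ERROR: lines and closing message."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    failures = [ln for ln in lines if ln.startswith("ERROR:")]
    last = lines[-1] if lines else ""
    support = SUPPORT_RE.match(last)

    # Fail closed: any ERROR: line or the support message blocks the upgrade,
    # even if a "ready" line is also present.
    if failures or support:
        name = support.group("name") if support else ""
        return HealthCheckResult("failed", failures, name)
    if last == READY_MSG:
        return HealthCheckResult("ready")
    # Neither closing message: the log is empty, truncated or still being written.
    return HealthCheckResult("incomplete")


# Constructed sample logs. The wording of the individual status lines and the
# time stamp in the file name are made up for this example.
SAMPLE_READY = """\
OK: no duplicates in GROUP MEMBER entity
OK: used DB space is less than 50%
Appliance is ready for upgrade
"""

SAMPLE_FAILED = """\
OK: no duplicates in GROUP MEMBER entity
ERROR: users with space in their login name found
ERROR: used DB space is not less than 50%
Please send health_check.20110706.log file to support team
"""

SAMPLE_TRUNCATED = """\
OK: no duplicates in GROUP MEMBER entity
"""

if __name__ == "__main__":
    for label, text in [("ready", SAMPLE_READY), ("failed", SAMPLE_FAILED),
                        ("truncated", SAMPLE_TRUNCATED)]:
        result = triage(text)
        print(label, "->", result.verdict, result.failures, result.support_file)
```

Treating a log with neither closing message as "incomplete" keeps a half-written or truncated file from being read as a pass.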


Appendix B Upgrade from version 7.0 backup via CLI


There is a new Version 8.0 CLI command available if the upgrade fails and attempts to repair the problem also fail. This CLI command can be used ONLY if the user performed a full system backup of IBM InfoSphere Guardium 7.0, patch 706 before the upgrade (both CONFIG backup and DATA backup are recommended, DATA backup is required). Make sure that the InfoSphere Guardium system is in the same state it was in IBM InfoSphere Guardium 7.0 before restoring the IBM InfoSphere Guardium 7.0 backup. Contact Technical Support for assistance in using this specific CLI command. To be used as directed by Technical Support.

Upgrade from the version 7.0 backup via CLI.


Follow these steps:
1. Backup config in Version 7.0
2. Backup data in Version 7.0 (mandatory)
3. Reinstall as Version 8.0
4. Install Version 8.0 license
5. Restore config in Version 8.0
6. Restore data in Version 8.0 (optional)

The following CLI command description is available from the Appendices help book (.pdf).

CLI Command

restore db-for-V7

Use this command only under direction from Technical Support, as this command takes a V7 backup (backup data must be provided, configuration backup is optional) and performs a restore on a V8 system. It includes upgrading the data, portlets, etc.

It is recommended that users perform a full backup prior to upgrading their system to V8. If for some reason the upgrade fails and leaves the machine in a state that cannot be used, instead of trying to fix and re-run the upgrade, it is recommended that users rebuild the machine as a V8 system, setting up this V8 system with only the basic network information (IP, resolver, route, system hostname and domain). Then run the CLI command, upgrade-db-from-V7

The result will be a V8 system with the data and customization (if a configuration file is provided) from the previous V7 system.

First, try a regular upgrade from V7 to V8. If this is not successful, then use the backup as an alternative way to upgrade from V7 to V8.

Note: Older data being restored to an aggregator (not to investigation center), and outside the merge period, will not be visible until the merge period is changed and the merge process rerun.

Syntax

restore db-from-v7

   This procedure will restore and upgrade a v7 backup on a newly-installed v8 system. If the v7 files are currently located on a remote system, use the "import file" CLI command to transfer them locally prior to running this procedure. The imported files will be put in the /var/dump/ directory.
   Continue (y/n)?

Note: Answering Y (yes) to the following questions during the execution of the "restore db-from-V7" CLI command will result in all non-canned/customized reports and panes being compressed into one pane with the name of "v.7.0 Custom Reports".

Note: Answering N (no) to the same questions will result in all panes being restored to what they were in V7.

   Update portal layout (panes and menus structure) to the new v8 default (current instances of custom reports will be copied to the new layout, as well as parameter changes on predefined reports) for the user admin? (y/n) n
   Update portal layout (panes and menus structure) to the new v8 default (current instances of custom reports will be copied to the new layout, as well as parameter changes on predefined reports) for all other users? (y/n)


Appendix C IBM InfoSphere Guardium Installation Manager


The information below is also available, in greater depth, from the InfoSphere Guardium Installation Management (GIM) help book in the online help on the appliance. The purpose of IBM InfoSphere Guardium Installation Manager (GIM) is to simplify the task of managing the IBM InfoSphere Guardium remote modules such as S-TAP, K-TAP and CAS.

GIM server
GIM server is installed as part of an IBM InfoSphere Guardium appliance or Central Management installation and performs such duties as registering GIM clients, providing a list of available updates that are ready to be downloaded and installed on client servers, transferring software updates to the client server, and updating the installation status of clients.

GIM Client
In order to work with GIM, the GIM client application must be installed manually for the first time on all the database server systems. The GIM client performs duties such as registering to the GIM server, initiating a request to check for software updates, installing the new software, updating module parameters, and uninstalling modules.

GIM User Interface


GIM's UI gives the user the ability to install, uninstall, and upgrade IBM InfoSphere Guardium bundles and modules, and provides feedback about database servers, installed modules, and statuses. A user may interact with GIM through GIM CLI commands or the GIM GUI.

Installing GIM for the first time


GIM consists of two main modules: GIM client and GIM server. GIM client is a set of perl scripts running on each DB server. GIM server is a Java servlet installed as part of the IBM InfoSphere Guardium appliance installation (for example, it does not require any special installation procedure).

- Installing GIM on the Database Server (UNIX)
- Installing GIM on the Database Server (Windows)

Installing GIM on the Database Server (UNIX)


In order to install the GIM client (on the database server), the following steps must be followed:

1. Place the GIM client installer on the database server (any directory). The installer is a file in the following format:
   guard-bundle-module-version_name_sw_revision-os-os_version-os_vendor-processor.gim.sh
   For example:
   guard-bundle-GIM-doberman_r2841_1-aix-5.3-aix-powerpc.gim.sh

2. Run the installer as follows:
   ./guard-bundle-GIM-doberman_r2841_1-aix-5.3-aix-powerpc.gim.sh -- --dir <install_dir> --sqlguardip <g-machine ip> --tapip <db server ip address> [--perl <perl dir>]

3. The installation can be verified by:
   a. Checking that the following new entries were added to /etc/inittab:
      gim:2345:respawn:'perl dir'/perl 'install dir'/GIM/'gim version'/gim_client.pl
      gsvr:2345:respawn:'perl dir'/perl 'install dir'/SUPERVISOR/'supervisor_version'/guard_supervisor
   b. Issuing the following UNIX process report to validate that the GIM client and SUPERVISOR processes are running:
      ps -afe | grep gim
   c. Logging in to the IBM InfoSphere Guardium appliance and checking the Process Monitoring status. Navigate to the Process Monitoring; select Administration Console > Module Installation.

Note: To roll back the procedure above, do the following steps:
- Remove from inittab the two entries mentioned in step 3a (and execute 'init q').
- Remove the installation directory (for example, 'rm -rf /usr/local/guardium/modules').
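The inittab check from the verification step, and the entry removal from the rollback note, can be scripted. This is an added example, not IBM's tooling: the function names are hypothetical, the sample inittab text is constructed, and VERSION and /usr/bin/perl stand in for the real version directories and perl path.

```python
"""Check inittab text for the two entries the GIM client installer adds."""
from typing import NamedTuple

# inittab id -> program the entry must launch (from the verification step above)
EXPECTED = {"gim": "gim_client.pl", "gsvr": "guard_supervisor"}


class Entry(NamedTuple):
    ident: str
    runlevels: str
    action: str
    process: str


def parse_inittab(text):
    """Yield id:runlevels:action:process entries, skipping comments and blanks."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#:":      # '#', or a leading ':' as used on AIX
            continue
        parts = line.split(":", 3)
        if len(parts) == 4:
            yield Entry(*parts)


def verify_gim_entries(text):
    """Return a list of problems; an empty list means both entries look right."""
    found = {e.ident: e for e in parse_inittab(text) if e.ident in EXPECTED}
    problems = []
    for ident, program in EXPECTED.items():
        entry = found.get(ident)
        if entry is None:
            problems.append(f"{ident}: entry missing")
            continue
        if entry.runlevels != "2345":
            problems.append(f"{ident}: runlevels are {entry.runlevels!r}, not '2345'")
        if entry.action != "respawn":
            problems.append(f"{ident}: action is {entry.action!r}, not 'respawn'")
        argv = entry.process.split()
        if len(argv) < 2 or not argv[0].endswith("/perl") \
                or not argv[-1].endswith("/" + program):
            problems.append(f"{ident}: does not run perl on {program}")
    return problems


def strip_gim_entries(text):
    """Rollback helper: return the inittab text without the gim and gsvr lines."""
    kept = [ln for ln in text.splitlines()
            if ln.strip().split(":", 1)[0] not in EXPECTED]
    return "\n".join(kept) + "\n"


# Constructed sample. The install directory is the guide's example path; the
# perl path and the VERSION directories are placeholders.
GOOD = """\
init:2:initdefault:
: commented-out entry in AIX style
gim:2345:respawn:/usr/bin/perl /usr/local/guardium/modules/GIM/VERSION/gim_client.pl
gsvr:2345:respawn:/usr/bin/perl /usr/local/guardium/modules/SUPERVISOR/VERSION/guard_supervisor
"""

# Same file after a partial edit: gsvr is gone and gim no longer respawns.
BROKEN = """\
init:2:initdefault:
gim:2345:once:/usr/bin/perl /usr/local/guardium/modules/GIM/VERSION/gim_client.pl
"""

if __name__ == "__main__":
    print(verify_gim_entries(GOOD))
    print(verify_gim_entries(BROKEN))
```

strip_gim_entries only returns the edited text; writing it back to /etc/inittab and running 'init q' remain manual steps, as in the note above.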

Installing GIM on the Database Server (Windows)


In order to install the GIM client (on the database server), the following steps must be followed:
1. Install Perl for GIM on Windows.
2. Place the GIM client installer on the database server (any directory).
3. Run the setup.exe file to begin the wizard install of the GIM client (it will be located in the gim_client directory).
4. Follow and answer the questions in the installation wizard.

Install Perl for GIM on Windows


The GIM client requires perl version 5.8.x or 5.10.x to be installed. Ensure the following packages are installed:
- IPC-Run3
- Win32-DriveInfo


Appendix D - GIM Rollback Procedure


The main purpose of the GIM rollback mechanism is to handle errors during installation and attempt to recover IBM InfoSphere Guardium's modules to prior states. A few enhancements were added to the rollback mechanism in order to eliminate the need for a system reboot as part of the recovery process. See the Special Recovery Scenario for installing/upgrading STAPs.

The GIM Rollback mechanism will support the following scenarios:

(1) Live Upgrade Recovery

(a) In BUNDLE context (for example, when bundles are installed rather than standalone modules), recovery will roll back ONLY the modules within the failed module's bundle.

For example, assume the following bundles:
BUNDLE-CAS: containing BUNDLE-CAS, CAS
BUNDLE-DISCOVERY: containing BUNDLE-DISCOVERY, DISCOVERY

If installing BUNDLE-CAS and BUNDLE-DISCOVERY (for example, the modules will be installed in the following order: BUNDLE-CAS, CAS, BUNDLE-DISCOVERY, DISCOVERY), and the module DISCOVERY fails to install, only the modules BUNDLE-DISCOVERY and DISCOVERY will be rolled back (for example, removed in case of a scratch install, or rolled back to the previous version in case of an upgrade).

(b) An exception to the rule above would be modules that are marked as NO_ROLLBACK (in the form of a read-only parameter _NO_ROLLBACK=1). If the rollback mechanism identifies such a module, it halts the whole rollback process. Right now STAP/KTAP are marked as modules that, once loaded/started successfully, will not be rolled back in the event of a failure of another module.

For example, assume the following bundle:
BUNDLE-STAP: containing BUNDLE-STAP, ATAP, KTAP, STAP, TEE

Assume module STAP is marked as a NO_ROLLBACK module. If installing BUNDLE-STAP and the module TEE fails to install, only the module TEE will be rolled back (for example, removed in case of a scratch installation, or rolled back to the previous version in case of an upgrade).

In this scenario, all the user has to do is reinstall the failed bundle, once figuring out the nature of the failure.

(c) In NON-BUNDLE context (for example, installation of standalone modules), the behavior is identical, as each module belongs to a bundle (even if not installed as part of one).

(d) In this scenario, all the user has to do is reinstall the failed bundle, once figuring out the nature of the failure.

(2) Boot time installation Recovery

When installation is happening as part of a system boot, a second reboot will be needed in order for complete recovery (user will still see the status IP-PR after reboot, and a GIM_EVENT entry will indicate a second reboot is needed to complete recovery. After a second reboot, the module/bundle state will move to FAILED).

(3) Special recovery scenario

In case of upgrading from a non-GIM Version 8 installation to a GIM BUNDLE-STAP that includes a KTAP module from the SAME build, failure in upgrading the KTAP will cause the recovery process to halt and leave the new KTAP software on the file system, so manual recovery can be performed. This scenario will leave the system with a non-working STAP, but with a loaded KTAP. The GUI will indicate that BUNDLE-STAP has failed (specifically: BUNDLE-STAP, TEE, STAP and KTAP); other modules which were installed as part of the bundle will show INSTALLED. A GIM_EVENT entry will indicate (ERROR CODE: ERR1) to distinguish this failure from other KTAP failures.

Manual recovery will include:
- Restoring KTAP functionality (attempting to run guard_ktap_loader install. Failure in this step requires R&D intervention).
- Establishing a current link to point to the KTAP directory.
- Resetting the client on the GIM GUI (for example, letting the GIM client push its latest condition after the manual work).
- Reinstalling BUNDLE-STAP (to complete the installation of the bundle: STAP and TEE).
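To see which modules stay on the database server after a failed live install, the rules in (1)(a) and (1)(b) can be modelled as below. This is an added illustration, not GIM's code: it assumes the rollback walks the failed bundle in reverse install order and always removes the failed module itself, which reproduces both examples in this appendix; scenarios (2) and (3) are not modelled.

```python
"""Model of the live-upgrade rollback rules (1)(a) and (1)(b) described above."""
from dataclasses import dataclass


@dataclass
class RollbackPlan:
    rolled_back: list      # newest first: the order the rollback visits them
    left_in_place: list    # installed before the failure and not touched


def plan_rollback(bundles, failed, no_rollback=frozenset()):
    """bundles: {bundle name: [modules in install order]}, listed in install order."""
    install_order = [m for members in bundles.values() for m in members]
    owner = next((b for b, members in bundles.items() if failed in members), None)
    if owner is None:
        raise ValueError(f"{failed} is not part of any bundle being installed")

    members = bundles[owner]
    rolled_back = [failed]          # assumption: the failed module is always undone
    # Rule (a): only modules of the failed module's bundle are candidates.
    for module in reversed(members[:members.index(failed)]):
        if module in no_rollback:   # rule (b): _NO_ROLLBACK=1 halts the rollback
            break
        rolled_back.append(module)

    done = install_order[:install_order.index(failed)]
    left = [m for m in done if m not in rolled_back]
    return RollbackPlan(rolled_back, left)


# The guide's two examples.
CAS_AND_DISCOVERY = {
    "BUNDLE-CAS": ["BUNDLE-CAS", "CAS"],
    "BUNDLE-DISCOVERY": ["BUNDLE-DISCOVERY", "DISCOVERY"],
}
STAP_BUNDLE = {"BUNDLE-STAP": ["BUNDLE-STAP", "ATAP", "KTAP", "STAP", "TEE"]}

if __name__ == "__main__":
    print(plan_rollback(CAS_AND_DISCOVERY, "DISCOVERY"))
    print(plan_rollback(STAP_BUNDLE, "TEE", no_rollback={"STAP"}))
```

In the second case the bundle entry and the ATAP, KTAP and STAP modules stay in place while TEE is gone, which is why the guide's remedy is to reinstall the failed bundle.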


Appendix E Vulnerability Assessment Tests


This appendix outlines the Vulnerability Assessment (VA) tests that existed in V7 and have been removed or changed in V8. Customers need to be aware of these changes and upgrade their Vulnerability Assessment accordingly.

Description changed

Previous Version: No Select Privileges On System Tables In Application Databases
Now: No Select Privileges On System Tables/Views In Application Databases

Previous Version: Only DBA Standard Roles Authorizations
Now: Only Administrators have privileges on predefined roles

Previous Version: Only DBA Access To SYS.AUD$
Now: Only Administrator Access To SYS.AUD$

Previous Version: Only DBA Access To any V$ View
Now: Only Administrator Access to any V$ View

Tests deleted without replacement

- db2start Setuid Bit Is Not Set
- No Public Bind Package Access
- No Public Implicit Schema Creation
- No Public NonFenced Procedure Execution
- db2stop Setuid Bit Is Not Set
- db2govd Setuid Bit Is Not Set
- Only DBA Access To Any X$ table


Where to go from here


The upgraded system is now ready to use. Version 8.0 supports Version 7.0 licenses and all Version 7.0 entitled functions will still be enabled in the upgraded Version 8.0. New product keys will be provided upon purchase of new functions.

========

July 6, 2011

IBM InfoSphere Guardium 8.0 Licensed Materials Property of IBM. Copyright IBM Corp. 2011. All Rights Reserved. U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. IBM, the IBM logo, and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at www.ibm.com/legal/copytrade.shtml. The following terms are trademarks or registered trademarks of other companies: Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both. UNIX is a registered trademark of The Open Group in the United States and other countries. Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both. Other company, product or service names may be trademarks or service marks of others.
