Product Overview
IBM InfoSphere Guardium provides the simplest, most robust solution for safeguarding your entire application and database infrastructure, including:
- Real-time database activity monitoring (DAM) for proactively identifying unauthorized or suspicious activities, preventing attacks and blocking unauthorized access by privileged users.
- Auditing and compliance solutions for automating and simplifying validation activities related to data integrity, data privacy, and various regulations and standards such as PCI DSS and SOX.
- Change control solutions for preventing unauthorized changes to database, privileges, and configurations.
- Vulnerability management solutions for identifying and resolving database vulnerabilities such as missing patches, misconfigured privileges, and default accounts.
- Fraud prevention solutions with application layer monitoring for identifying unauthorized activities by application users (SAP, PeopleSoft, Oracle EBS, Cognos, etc.).
- Database leak prevention for locating sensitive data and preventing data center breaches.
Contents
Upgrade Guide, 7.0 to 8.0
Product Overview
About this document
Before You Begin
Minimum Requirements
Before Upgrading Any Unit
Health Check before upgrade
High-Availability System Upgrades
Upgrade Sequence for Aggregation Environment
Upgrade Sequence for Central Manager Environment
GIM Installation
Email addresses
Need to Decide, Version 8.0 or Version 7.0 GUI Layout
Set a Shared Secret
Estimated Down Time
Make sure CAS data is ready for upgrade
Upgrade Procedure
Step 1: S-TAP reporting
Step 1a (Optional): Reassign Primary Host for an S-TAP
Step 2: Upgrade IBM InfoSphere Guardium Appliance
Step 2a: Back Up the Pre-Upgrade System
Step 2b: Pre-Upgrade Patches
Step 2c: Apply the Upgrade Patch
Step 2d: Apply Maintenance Patches (Optional)
Step 3: Upgrade S-TAPs
(S-TAP) Version 7.0 Uninstall process
Un-installing Version 7.0 S-TAP before un-installing GIM
On-line help for S-TAPs
Known Limitations Version 8.0 managing Version 7.0
Reconfiguration Activities Required after Upgrade
Version 7.0 Managed units/Collectors and Version 8.0 Central Manager/Aggregator
Installation Steps
Pre-upgrade Patch Issues
Additions to Pre-upgrade patch
Non-managed Collectors
Upgrade using Non-managed Aggregator
Appendix A Health Check patch
Appendix B Upgrade from version 7.0 backup via CLI
Upgrade from the version 7.0 backup via CLI.
Appendix C IBM InfoSphere Guardium Installation Manager
GIM server
GIM Client
GIM User Interface
Installing GIM for the first time
Installing GIM on the Database Server (UNIX)
Installing GIM on the Database Server (Windows)
Install Perl for GIM on Windows
Appendix D - GIM Rollback Procedure
Appendix E Vulnerability Assessment Tests
Where to go from here
Minimum Requirements
Dell models: 1950, R610
InfoSphere Guardium Patch Level: Version 7.0, patch 706
Memory: 4 GB
Disk space: No minimum
If your hardware is older than the minimum listing here, discuss how to upgrade your equipment with Technical Support.
Run the Health Check patch, before the upgrade to Version 8.0, to perform preliminary checks on the InfoSphere Guardium appliance, in order to prevent potential issues during the upgrade. See Appendix A on this patch and what it does.
High-Availability System Upgrades
If your unit is configured for high-availability, that functionality must be turned off via the CLI, and the unit must be rebooted before performing the upgrade. After the upgrade completes, the high-availability functionality can be turned on again via the CLI.
Upgrade Sequence for Aggregation Environment
Upgrade the aggregator before upgrading any of the units that export data to it. An upgraded aggregator can aggregate data from older releases, but an older aggregator cannot aggregate data from newer releases. See the later section in this document on pre-upgrade patches for information that applies to the Aggregation Environment. At least one day before updating the aggregator, from the admin account, stop the aggregation process (the Export Data schedule) on all collectors that export data to that aggregator. Do not restart the Export Data schedules on the collectors until after the aggregator has been upgraded.
Upgrade the Central Manager to the new release before upgrading the managed units, taking care to upgrade an aggregator before upgrading any of the units that export data to it (see above). Although an 8.0 Central Manager can manage a 7.0 unit, not all functionality will be available on the 7.0 unit. To minimize the discrepancies, install the mandatory pre-upgrade patch on each 7.0 managed unit. The pre-upgrade patch is detailed later in the document. Complete 8.0 functionality will not be available on a managed unit until that unit has been upgraded to 8.0. There are further instructions on upgrade issues with managed units/collectors (running IBM InfoSphere Guardium 7.0) and a Central Manager/ Aggregator (running IBM InfoSphere Guardium 8.0) in this document. These further instructions appear in the Pre-upgrade patch section of this document.
GIM Installation
The purpose of IBM InfoSphere Guardium Installation Manager (GIM) is to simplify the task of managing the IBM InfoSphere Guardium remote modules such as S-TAP, K-TAP and CAS. With GIM, the customer can install and update the agents on the database server (S-TAP and CAS) directly from the GUI without a need to login as root to the database server. Installing GIM first simplifies the upgrade of the agents (S-TAP, CAS). For detailed instructions on how to install GIM, see the GIM online help book available on all IBM InfoSphere Guardium 8.0 appliances. You can download a PDF version of that document from the GIM help book in the IBM InfoSphere Guardium Help Contents. See also Appendix B of this document for GIM installation instructions.
Email addresses
Set the email address of all users (especially admin) to a real email address prior to upgrade. The email addresses of all pre-defined users (for example, the admin user) in IBM InfoSphere Guardium 8.0 are ** (no email address). If the email address of the admin user is not set to a real email address, a Scheduled Job Exception message will be generated every 30 minutes, announcing "No Valid Email address for Recipient and/or User Admin".
Need to Decide, Version 8.0 or Version 7.0 GUI Layout
By default, the upgrade process will apply the Version 8.0 look and feel. IBM InfoSphere Guardium customers are encouraged to follow the default upgrade and use the Version 8.0 layout as it provides better access to various Version 8.0 enhancements and new features. IBM InfoSphere Guardium customers, who have made many panel customizations in their Version 7.0 UI and wish to retain their Version 7.0 GUI layout, can do so in one of the following ways:
Option #1: Install the update-7.0p7990_SetKeepPanelsForUpgrade.tgz.enc patch *BEFORE* the upgrade. If choosing to retain the Version 7.0 GUI layout, this option is recommended.

Option #2: There is a CLI command available to upgrade from a version 7.0 backup. This CLI command can be used ONLY if the user performed a full system backup of IBM InfoSphere Guardium 7.0, patch 706 before the upgrade (both CONFIG backup and DATA backup are recommended, DATA backup is required). See Appendix A of this document for more information.

Notes, Version 8.0 or Version 7.0 GUI layout:
- At any point, the IBM InfoSphere Guardium customer may reset the Version 8.0 UI to its default layout through the GUI: Edit Account --> select Layout --> Reset
- Reports that were defined by the customer in Version 7.0 will be placed under the "V7 Reports" pane in the upgraded Version 8.0 portal.
Set a Shared Secret
The System Shared Secret, which was not required for Aggregation in previous versions, must now be set, and must be the same on the Aggregator and all aggregated collectors, for Aggregation to work.
Estimated Down Time
Plan at least two hours of down time for the upgrade. As mentioned above, the duration of the upgrade procedure depends on the amount of data on the appliance (it is suggested that you purge all unnecessary data before upgrading).
Make sure CAS data is ready for upgrade
Install patch-9271 on any Version 7 appliance that is licensed for CAS; patch-9271 will look for a specific condition with CAS data that could lead to failing the entire v7-to-v8 upgrade process. If patch p9271 fails to install, it means that the Version 7.0 appliance is NOT ready for an upgrade, and the customer should contact IBM InfoSphere Guardium Technical Support for assistance BEFORE proceeding with the upgrade. If patch p9271 installs successfully, it means that CAS data is ready for upgrade.
Upgrade Procedure
Upgrade IBM InfoSphere Guardium products in this order: (1) Central Manager; (2) Aggregator; (3) Collector; (4) Managed Units; (5) S-TAP agents. Follow the steps in the upgrade procedure:
The two pre-upgrade patches are required on Version 7.0 appliances if these Version 7.0 appliances are communicating with any Version 8.0 appliances (Central Manager; Aggregator; Collectors; Managed Units), in an environment where both versions are installed. You can install the pre-upgrade patches directly from a CD, or copy them over SCP/FTP from a remote host on the network.

1. Using an SSH client, log in to the IBM InfoSphere Guardium unit as the CLI user.
2. Do one of the following:
   If installing from the CD, insert the patch CD in the IBM InfoSphere Guardium CD drive, enter the following command, and skip ahead to step 3:
      store system patch install cd
   If installing from the network, enter the following command:
      store system patch install [ftp | scp]
   And respond to the following prompts:
      Host to import patch from:
      User on <hostname>:
      Full path to patch, including name:
      <user@host> password:
3. You will be prompted to select the patch to apply:
      Please choose one patch to apply (1-n, q to quit):
   Type the number that identifies the pre-upgrade patch, and then press Enter.

SqlGuard-7.0p7999_PreUpgrade.tgz.enc
This pre-upgrade patch is required for Version 7.0 managed units that will be managed by a Version 8.0 Central Manager.

SqlGuard-7.0p7998_PreUpgrade_NonManagedCollectors.tgz.enc
This pre-upgrade patch is required for Version 7.0 non-managed collectors in a Version 8.0 environment (Version 8.0 Aggregator).

The following KeepPanels patch must be installed before the upgrade (if retaining the Version 7.0 GUI layout; see the wording on Version 7.0 portlets and panels in the Before You Begin section).

SqlGuard-7.0p7990_SetKeepPanelsforUpgrade.tgz.enc
Customers who have made many panel customizations in their Version 7.0 UI and wish to retain their Version 7.0 GUI layout should install this patch prior to installing the upgrade patch. See the earlier wording on Version 7.0 portlets and panels in the Before You Begin section.
      store system patch install cd
   If installing from the network, enter the store system patch command. Note that the syntax of this command changed subsequent to release 5.1; the new syntax is shown below. Enter either ftp or scp as the last keyword of the command, to indicate which file transfer method you will use:
      store system patch install [ftp | scp]
   And respond to the following prompts:
      Host to import patch from:
      User on <hostname>:
      Full path to patch, including name:
      Password:
3. You will be prompted to select the patch to apply:
      Please choose one patch to apply (1-n, q to quit):
   Type the number of the patch to apply, and then press Enter.
Problem: The uninstall of ATAP leaves leftover files on the server.

Solution: When transitioning from Version 7.0 to Version 8.0 and activating ATAP through enabling encryption in the GUI, make sure that there are no $ORACLE_HOME/lib/libguard-* leftovers. Use the following deactivate command:

   /usr/local/guardium/bin/guardctl db-instance=any dbhome=/home/oracle10/product/10.2.0/db_1 db-type=oracle deactivate

When to use this command: after upgrading from Version 7.0 to Version 8.0, and for every Oracle installation where ATAP was active under a Version 7.0 install.
System configuration/setup: Version 7.0 STAP or (non-GIM) Version 8.0 S-TAP installed. GIM client is installed and GIM S-TAP is pending installation. An attempt to un-install Version 7.0/ (non-GIM) Version 8.0 S-TAP and then un-install GIM will generate the following message, "GIM installation is corrupted. IBM InfoSphere Guardium's modules will be removed ungracefully." The message doesn't require any specific steps. An attempt to remove GIM will cause GIM to try and understand the nature of the loaded KTAP, but the lack of software associated with this module (due to the un-installation of the non-GIM S-TAP), makes the un-install script dump this message. The un-install process however completes successfully, after a system reboot.
On-line help for S-TAPs
For detailed instructions on how to upgrade or install new S-TAPs, see the S-TAP online help book available on all IBM InfoSphere Guardium 8.0 appliances. You can download a PDF version of that document from the S-TAP help book in the IBM InfoSphere Guardium Help Contents.
remedied by implementing one of the two workarounds: (1) use a different (another release) JVM (if one is available on the system) or (2) download the DLL from Microsoft and place it in the Windows system directory.
name of another CAS instance (the one that the datasource was created from) because it uses the same datasource connectivity configuration as that other CAS instance. Therefore, the CAS instance name referenced in the datasource in the first column of the status screen does not reflect the CAS instance, but the second column of the screen does reflect the CAS instance, and this second column should be used by a user to identify the CAS instance.

9. The Classifier Cls/Asmt Description is stored differently in Version 8.0. Rerun the completed Version 7.0 Classifier process in Version 8.0 in order to get the proper Cls/Asmt Description name. Use the "invoke..." command from the Classifier/Assessment Job Queue report to execute a given Classifier process. In Version 8.0, attempting to run the GuardAPI command "execute_cls_process" for a completed Version 7.0 classifier process will not work because both the Classifier process and the Classifier policy names in Version 7.0 are stored in the Cls/Asmt Description. In Version 8.0, the Cls/Asmt Description is stored with just the Classifier process name.

   Examples:
   In Version 7.0:
      grdapi execute_cls_process processName="AA for new Oracle driver patch 7 - aaaa" api_target_host=< >
   In Version 8.0:
      grdapi execute_cls_process processName="AA for new Oracle driver patch 7" api_target_host=< >

   During the restore db-from-v7 process, the name with both the Classifier process and Classifier policy is carried over to Version 8.0 after the "restore db-from-v7" process is complete. Executing a NEW Classifier process, after the restore is complete, works fine because Version 8.0 stores just the Classifier process name.

10. During the upgrade, the default purging period of internal components in the system is set to the schedule previously set in Version 7.0. Users can override these defaults through the CLI using the store purge object CLI command.
Installation Steps
1. Copy the Pre-upgrade patch to the Central Manager via fileserver.
2. Remotely install the Pre-upgrade patch on all the managed units from the Central Manager's GUI.
3. Install the Upgrade patch on the Central Manager.
4. On a managed system running IBM InfoSphere Guardium Version 7.0 (with the pre-upgrade patch), policies cannot be modified and the installed policy cannot be viewed. However, the policy installed in a managed system can be reviewed and modified in the Central Manager (running IBM InfoSphere Guardium Version 8.0), and changes will take effect after the policy is re-installed in the managed units (running IBM InfoSphere Guardium Version 7.0). The managed units can be either managed collectors or managed aggregators.
Non-managed Collectors
There is a second pre-upgrade patch for NON-managed collectors. The NON-managed collector must be a standalone collector, and have patch 706 as a pre-requisite.
Note: This list is subject to change/expand with later versions of the Health Check patch to include additional checks, if required.

The health check generates a log file named health_check.<time_stamp>.log. To view the log file, perform the following actions:
1. Type the CLI command, fileserver.
2. Open the fileserver in a web browser.
3. Go to the Sqlguard logs->diag->current folder and open the log file.

The log file will contain the status of each validation. If any one of these validations fails, the status of the failed validation will start with the ERROR: prefix and the following message will appear at the end of the log file:
   Please send <file_name> file to support team
If no problem was found, the following message appears at the end of the log file:
   Appliance is ready for upgrade
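The log check described above can be scripted so that an upgrade is gated on the result across many appliances. This is an added example, not part of the IBM guide or the Health Check patch; it assumes a failed validation is any line containing "ERROR:", and the sample log lines and check names are constructed.

```shell
#!/bin/sh
# Added example (not IBM code): decide from a Health Check log whether an
# appliance may be upgraded. Assumption: a failed validation is any line
# containing "ERROR:"; the closing messages are matched as quoted in the guide.

# Print the text that follows "ERROR:" for every failed validation.
failed_validations() {
    grep 'ERROR:' "$1" | sed 's/^.*ERROR:[[:space:]]*//'
}

# Print one verdict. Exit status: 0 = ready, 1 = failed, 2 = inconclusive.
check_health_log() {
    log=$1
    if [ ! -r "$log" ]; then
        echo "INCONCLUSIVE: cannot read $log"
        return 2
    fi
    # grep -c exits non-zero on a zero count, so neutralise its status.
    errors=$(grep -c 'ERROR:' "$log" || true)
    if [ "$errors" -gt 0 ] || grep -q 'Please send .* file to support team' "$log"; then
        echo "FAILED: $errors validation(s) reported ERROR"
        failed_validations "$log" | sed 's/^/  - /'
        return 1
    fi
    if grep -q 'Appliance is ready for upgrade' "$log"; then
        echo "READY: no ERROR lines and the ready message is present"
        return 0
    fi
    # Neither closing message: the log is truncated or the check never finished.
    echo "INCONCLUSIVE: no closing message in $log"
    return 2
}

# Constructed sample logs (check names are placeholders, not real validations).
write_sample_logs() {
    cat > "$1/ok.log" <<'EOF'
check-1: OK
check-2: OK
Appliance is ready for upgrade
EOF
    cat > "$1/fail.log" <<'EOF'
check-1: OK
ERROR: check-2 did not pass
Please send health_check.SAMPLE.log file to support team
EOF
    cat > "$1/truncated.log" <<'EOF'
check-1: OK
EOF
}

# Demonstration on the constructed samples.
demo_dir=$(mktemp -d)
write_sample_logs "$demo_dir"
for name in ok fail truncated; do
    check_health_log "$demo_dir/$name.log" || true
done
rm -rf "$demo_dir"
```

Treating a log with no closing message as inconclusive rather than ready keeps a truncated download from being read as a pass.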
Note: Older data being restored to an aggregator (not to investigation center), and outside the merge period, will not be visible until the merge period is changed and the merge process rerun.

Syntax
   restore db-from-v7

The command displays the following prompt:
   This procedure will restore and upgrade a v7 backup on a newly-installed v8 system. If the v7 files are currently located on a remote system, use the "import file" CLI command to transfer them locally prior to running this procedure. The imported files will be put in the /var/dump/ directory. Continue (y/n)?

Note: Answering Y (yes) to the following questions during the execution of the "restore db-from-v7" CLI command will result in all non-canned/customized reports and panes being compressed into one pane with the name of "v.7.0 Custom Reports".
Note: Answering N (no) to the same questions will result in all panes being restored to what they were in V7.

   Update portal layout (panes and menus structure) to the new v8 default (current instances of custom reports will be copied to the new layout, as well as parameter changes on predefined reports) for the user admin? (y/n) n
   Update portal layout (panes and menus structure) to the new v8 default (current instances of custom reports will be copied to the new layout, as well as parameter changes on predefined reports) for all other users? (y/n)
GIM server
GIM server is installed as part of an IBM InfoSphere Guardium appliance or Central Management installation and performs such duties as registering GIM clients, providing a list of available updates that are ready for download and installation on client servers, transferring software updates to the client server, and updating the installation status of clients.
GIM Client
In order to work with GIM, the GIM client application must be installed manually for the first time on all the database server systems. The GIM client performs duties such as registering to the GIM server, initiating requests to check for software updates, installing the new software, updating module parameters, and uninstalling modules.
   ./guard-bundle-GIM-doberman_r2841_1-aix-5.3-aix-powerpc.gim.sh -- --dir <install_dir> --sqlguardip <g-machine ip> --tapip <db server ip address> [--perl <perl dir>]

3. The installation can be verified by:
   a. Checking that the following new entries were added to /etc/inittab:
      gim:2345:respawn:'perl dir'/perl 'install dir'/GIM/'gim version'/gim_client.pl
      gsvr:2345:respawn:'perl dir'/perl 'install dir'/SUPERVISOR/'supervisor_version'/guard_supervisor
   b. Issuing the following UNIX process report to validate that the GIM client and SUPERVISOR processes are running:
      ps -afe | grep gim
   c. Logging in to the IBM InfoSphere Guardium appliance and checking the Process Monitoring status. Navigate to the Process Monitoring; select Administration Console > Module Installation.

Note: To roll back the procedure above, do the following steps:
- Remove from inittab the two entries mentioned in bullet item 5 (and execute 'init q').
- Remove the installation directory (for example, 'rm -rf /usr/local/guardium/modules').
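The inittab check in step 3a, and its inverse after a rollback, can be automated. The following is an added example, not part of the IBM guide or of GIM; the function names are hypothetical, and the sample inittab contents (including the /usr/bin/perl path and the VERSION directory) are constructed placeholders.

```shell
#!/bin/sh
# Added example (not IBM code). inittab fields are id:runlevels:action:process.
# Expected values come from the guide: ids "gim" and "gsvr", runlevels 2345,
# action respawn, processes ending in gim_client.pl and guard_supervisor.

# Succeed when file $1 has an uncommented entry with id $2 that uses
# runlevels 2345, action respawn, and a process field mentioning $3.
inittab_entry_ok() {
    awk -F: -v id="$2" -v want="$3" '
        /^[ \t]*#/ { next }                      # ignore commented-out entries
        $1 == id {
            proc = $4                            # rejoin a process field that
            for (i = 5; i <= NF; i++) proc = proc ":" $i   # itself contains ":"
            if ($2 == "2345" && $3 == "respawn" && index(proc, want) > 0) ok = 1
        }
        END { exit !ok }
    ' "$1"
}

# Print "installed" (both entries correct), "absent" (neither id present,
# the expected state after rollback) or "incomplete" (anything else).
gim_inittab_state() {
    tab=$1
    n=0
    inittab_entry_ok "$tab" gim gim_client.pl && n=$((n + 1))
    inittab_entry_ok "$tab" gsvr guard_supervisor && n=$((n + 1))
    if [ "$n" -eq 2 ]; then
        echo installed
    elif [ "$n" -eq 0 ] && ! grep -Eq '^(gim|gsvr):' "$tab"; then
        echo absent
    else
        echo incomplete
    fi
}

# Constructed sample files; paths and VERSION are placeholders.
write_sample_inittabs() {
    cat > "$1/installed" <<'EOF'
init:2:initdefault:
gim:2345:respawn:/usr/bin/perl /usr/local/guardium/modules/GIM/VERSION/gim_client.pl
gsvr:2345:respawn:/usr/bin/perl /usr/local/guardium/modules/SUPERVISOR/VERSION/guard_supervisor
EOF
    cat > "$1/rolled_back" <<'EOF'
init:2:initdefault:
#gim:2345:respawn:/usr/bin/perl /usr/local/guardium/modules/GIM/VERSION/gim_client.pl
EOF
    cat > "$1/half" <<'EOF'
init:2:initdefault:
gim:2345:respawn:/usr/bin/perl /usr/local/guardium/modules/GIM/VERSION/gim_client.pl
gsvr:2345:once:/usr/bin/perl /usr/local/guardium/modules/SUPERVISOR/VERSION/guard_supervisor
EOF
}

# Demonstration on the constructed samples.
demo_dir=$(mktemp -d)
write_sample_inittabs "$demo_dir"
for name in installed rolled_back half; do
    echo "$name: $(gim_inittab_state "$demo_dir/$name")"
done
rm -rf "$demo_dir"
```

On a database server, pass /etc/inittab to gim_inittab_state; the process check from step 3b still has to be run separately.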
(c) In NON-BUNDLE context (for example, installation of standalone modules), the behavior is identical, as each module belongs to a bundle (even if not installed as part of one).
(d) In this scenario, all the user has to do is reinstall the failed bundle, once the nature of the failure has been figured out.

(2) Boot time installation recovery
When installation is happening as part of a system boot, a second reboot will be needed for complete recovery (the user will still see the status IP-PR after reboot, and a GIM_EVENT entry will indicate a second reboot is needed to complete recovery). After a second reboot, the module/bundle state will move to FAILED.

(3) Special recovery scenario
When upgrading from a non-GIM Version 8 installation to a GIM BUNDLE-STAP that includes a KTAP module from the SAME build, a failure in upgrading the KTAP will cause the recovery process to halt and leave the new KTAP software on the file system, so manual recovery can be performed. This scenario will leave the system with a non-working STAP, but with a loaded KTAP. The GUI will indicate that BUNDLE-STAP has failed (specifically: BUNDLE-STAP, TEE, STAP and KTAP); other modules which were installed as part of the bundle will show INSTALLED. A GIM_EVENT entry will indicate (ERROR CODE: ERR1) to distinguish this failure from other KTAP failures.

Manual recovery will include:
- Restoring KTAP functionality (attempting to run guard_ktap_loader install; failure in this step requires R&D intervention).
- Establishing a current link to point to the KTAP directory.
- Resetting the client on the GIM GUI (for example, letting the GIM client push its latest condition after the manual work).
- Reinstalling BUNDLE-STAP (to complete the installation of the bundle: STAP and TEE).
Tests deleted without replacement
- db2start Setuid Bit Is Not Set
- No Public Bind Package Access
- No Public Implicit Schema Creation
- No Public NonFenced Procedure Execution
- db2stop Setuid Bit Is Not Set
- db2govd Setuid Bit Is Not Set
- Only DBA Access To Any X$ table
========
July 6, 2011
IBM InfoSphere Guardium 8.0 Licensed Materials Property of IBM. Copyright IBM Corp. 2011. All Rights Reserved. U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. IBM, the IBM logo, and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at www.ibm.com/legal/copytrade.shtml. The following terms are trademarks or registered trademarks of other companies: Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both. UNIX is a registered trademark of The Open Group in the United States and other countries. Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both. Other company, product or service names may be trademarks or service marks of others.