GIM Server Allocation
Remotely connect to a pre-installed and inactive (not connected to any collector) GIM agent and make it connect to some collector without the need to access the database server.
Overview
The following process (also called GIM Auto-Discovery) allows you to remotely connect to a pre-installed and inactive GIM agent and make it connect to a collector without accessing the database server.
- An inactive GIM client runs in listener mode and waits for a connection from any collector.
- From the collector's graphic user interface (GUI) or the GuardAPI, you can send the IP address of any collector to the inactive GIM client.
- The inactive GIM client accepts the collector's IP address and connects to it.
If GIM is installed without specifying a collector's IP address (--sqlguardip), it runs in server mode. When the GIM agent is running in server mode, it accepts messages only from verified collectors over SSL, using certificate authentication and shared secret verification. If there are 30 or more consecutive authentication failures, the GIM agent stops listening for requests (it keeps running in server mode). This behavior prevents denial of service (DoS) attacks.
You can define your own certificates, shared secret, and port number. To use your own certificates, specify the full path to the key and certificate files in the installation parameters --key_file and --cert_file. Load the certificates into the collector key store with the GuardAPI command store certificate gim.
To set a shared secret other than the default one, use the GuardAPI command grdapi gim_set_global_param paramName=gim_listener_default_shared_secret paramValue=<password>. The value is a string. The shared secret must be identical on the database server and the collector.
To use a port other than the default one, specify the port in the installation parameter --listener_port. Set the GIM global parameter gim_listener_default_port with the new port in the GIM Global Parameters.
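The acceptance rule described above (certificate authentication plus shared secret verification, with the listener stopping after 30 consecutive failures, and leaving listener mode once a collector is accepted) as an added model in Python. This is illustrative code, not Guardium's implementation: the GimListener class, its method names and the sample IP addresses are assumptions, and the TLS certificate check is represented by a boolean supplied by the caller.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

# Threshold stated on the page: 30 or more consecutive authentication failures
# stop the listener (DoS protection).
MAX_CONSECUTIVE_FAILURES = 30


@dataclass
class GimListener:
    """Model (assumption, not Guardium code) of a GIM agent in listener mode."""
    shared_secret: str            # the unencrypted value given at install time
    consecutive_failures: int = 0
    listening: bool = True
    connected_collector: Optional[str] = None

    def handle_request(self, cert_verified: bool, presented_secret: str,
                       collector_ip: str) -> str:
        """Process one allocation request from a collector.

        cert_verified: result of the TLS layer validating the collector's
        certificate against the CA given with --ca_file (assumed, passed in).
        Returns "connected", "rejected", "locked" or "ignored".
        """
        if not self.listening:
            return "ignored"  # already allocated, or stopped after failures

        # Both factors must pass; the secret is compared in constant time so
        # that timing does not leak how much of it matched.
        secret_ok = hmac.compare_digest(self.shared_secret.encode(),
                                        presented_secret.encode())
        if cert_verified and secret_ok:
            self.consecutive_failures = 0
            self.connected_collector = collector_ip
            self.listening = False  # a successfully associated client leaves listener mode
            return "connected"

        self.consecutive_failures += 1
        if self.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
            self.listening = False  # stop listening; the agent keeps running
            return "locked"
        return "rejected"
```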
Parameters
The following list describes the GIM installation parameters:
- --sqlguardip - Sets the collector IP address/hostname that the GIM client connects to. If it is not specified, the GIM client runs in "Listener mode".
- --ca_file - Full file name path to the Certificate Authority PEM file.
- --key_file - Full file name path to the private key PEM file.
- --cert_file - Full file name path to the certificate PEM file.
- --shared_secret - Specifies a shared secret used to verify collectors.
- --listener_port - Specifies a port number that is different from the default.
- --no_listener - Prevents GIM from running in "Listener mode" even if --sqlguardip is not specified.
Directly on the database server you can also:
- update parameters
- install modules
- uninstall GIM
The certificate parameters are also listed as:
- ca_file
- key_file
- cert_file
Additional command line parameter
GIM and Consolidated Installers for GIM have an additional command line parameter:
--allow_ip_hostname_combo <0|1>
Parameter name: GIM_ALLOW_IP_HOST_COMBO
Parameter values: 1 - Enabled, 0 - Disabled
Parameter default value: 0
Parameter description: If enabled, and GIM_CLIENT_IP is different from the database server's hostname, GIM_CLIENTS.GIM_CLIENT_NAME is set to the combination <hostname>_<GIM_CLIENT_IP>.
If GIM_CLIENT_IP is set to an IP address and GIM_ALLOW_IP_HOST_COMBO is enabled, GIM's hostname is the combination <hostname>_<GIM_CLIENT_IP>. This keeps GIM client names unique across database servers that share a "common" hostname.
LIMITATION: You can NOT set GIM_CLIENT_IP to a "common" hostname. This is treated as an attempt to register with a duplicate identifier.
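The naming rule and its limitation, as an added Python model that is not part of the Guardium documentation or product: gim_client_name and register_clients are assumed helper names, and the hostnames and IP addresses are constructed sample data. register_clients goes slightly beyond the text by simulating several database servers registering against one collector and reporting which names would collide.

```python
from typing import Dict, List, Tuple


def gim_client_name(hostname: str, gim_client_ip: str,
                    allow_ip_host_combo: int = 0) -> str:
    """Return the GIM_CLIENT_NAME the collector would record (model, assumption).

    Rule from the page: with GIM_ALLOW_IP_HOST_COMBO = 1 and GIM_CLIENT_IP
    different from the server's hostname, the name is <hostname>_<GIM_CLIENT_IP>;
    otherwise it is the plain hostname.
    """
    if allow_ip_host_combo == 1 and gim_client_ip and gim_client_ip != hostname:
        return f"{hostname}_{gim_client_ip}"
    return hostname


def register_clients(servers: List[Tuple[str, str]],
                     allow_ip_host_combo: int) -> Tuple[Dict[str, List[str]], List[str]]:
    """Simulate several database servers registering with one collector.

    servers: (hostname, GIM_CLIENT_IP) pairs (constructed sample input).
    Returns the names recorded (name -> list of client IPs) and the list of
    names that would have been registered as duplicates.
    """
    recorded: Dict[str, List[str]] = {}
    duplicates: List[str] = []
    for hostname, client_ip in servers:
        name = gim_client_name(hostname, client_ip, allow_ip_host_combo)
        if name in recorded:
            duplicates.append(name)  # second registration with the same identifier
        recorded.setdefault(name, []).append(client_ip)
    return recorded, duplicates


# Two servers cloned from one image share the hostname "dbhost" (constructed).
SAMPLE_SERVERS = [("dbhost", "10.0.0.1"), ("dbhost", "10.0.0.2")]
# The limitation: GIM_CLIENT_IP set to the common hostname instead of an IP.
SAMPLE_BAD_SERVERS = [("dbhost", "dbhost"), ("dbhost", "dbhost")]
```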
Setting GIM in Server Mode Global Parameters
You can set up the server mode GIM parameters by using the following GuardAPI command:
grdapi gim_set_global_param paramName=gim_listener_default_shared_secret paramValue=<password>
This value is encrypted and stored in the database. It must be identical to the unencrypted shared secret that you specify when you install the GIM agent on the database server.
To set up a new default server mode GIM port, use the following GuardAPI command:
grdapi gim_set_global_param paramName=gim_listener_default_port paramValue=<port number>
This value must be identical to the port that you specify (--listener_port) when you install the GIM agent on the database server.
GIM Remote Activation
Use GIM Remote Activation to remotely connect to a pre-installed GIM agent and connect it to a collector without accessing the database server.
- Click .
- Type the IP address or host name where GIM is running in listener mode in the IP / hostname field. Alternatively, select a server group from the list.
- Type a numerical value in the GIM Listener Port field if it is different from the GIM Global setting. The default value is 8445.
- Enter the shared secret in the GIM Listener Password field if it is different from the GIM Global setting.
- Click Submit to process the information or Reset to clear the information.
Create a GIM Auto-discovery Process
- Navigate to .
- Create a new GIM auto-discovery process by clicking the icon.
- Name the process using the Process name field and then click Apply.
- Define hosts to scan for GIM clients that were installed in listener mode using the Add hosts and ports to process section.
- Identify a host or subnet to scan using the Host(s) field. Wildcard characters are enabled. For example, to select all addresses beginning with 192.168.2, use 192.168.2.*.
- Add the host or subnet to the GIM auto-discovery process by clicking Add scan.
- Repeat the previous steps to define multiple hosts or subnets to include in the GIM auto-discovery process.
Note: If you have a dual-stack configuration, define scans for both the IPv4 and the IPv6 addresses.
- Modify existing host or subnet scans by typing over the existing value and clicking Apply to save the changes.
- Remove scans by clicking the icon. If a task has scan results dependent upon it, the scan cannot be deleted.
- Run the GIM auto-discovery process by clicking Run Once Now or define a schedule for running the process by clicking Modify Schedule. See Scheduling for information about defining a schedule.
- After the process has completed, click View Results to see a list of discovered GIM clients and associate those clients with Guardium systems.
- Select the GIM clients to associate.
- Click Associate to assign the clients to the current Guardium system or click Assign Collector to assign the clients to another Guardium system in your environment.
- Use the Results dialog to review the status of the client association. After successful association, GIM clients are no longer in listener mode and are not shown in the GIM auto-discovery results window.
- Click Close to close the results window.
GIM Global Parameters
Define your own shared secret or GIM listener port through the user interface.
- To open the GIM Global Parameters, click .
- Select gim_listener_default_shared_secret to set the shared secret or gim_listener_default_port to set the port.
- Click the icon to edit the selected parameter.
- Change the value and click Save to change the parameter or Close to return to the page.