Installing the GIM client on a UNIX server

Learn how to install the GIM client on Unix database servers.

Before you begin

Disk Space requirements
  • Perl 5.8 (and up)
  • 1GB of space to accommodate all GIM modules (including maintaining a copy of the previous and current installed versions). Without FAM, 300MB.
Port requirements
  • 8445: GIM client listener, both directions. Any GIM server on either the central manager or the collector can communicate with the GIM client.
  • 8443: (discovery) on the DB server to allow communication from the DB server to the Guardium appliance, and for uploading features.
  • 8446: Used between the GIM client and the GIM server (on the central manager or collector) for authenticated TLS, both directions, custom kernel upload, MustGather loggers upload. If GIM_USE_SSL is enabled (default), then the GIM client attempts to communicate its certificate by using port 8446. If port 8446 is not open, then it defaults to 8444, but no certificate is passed (that is, TLS without verification).
  • 8081: Used between the GIM client and the GIM server (on the central manager or collector) for non-TLS (but with message signing verification), both directions, custom kernel upload, MustGather loggers upload. In this scenario, the parameter GIM_USE_SSL must be disabled (=0).
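
The fallback rule for ports 8446, 8444 and 8081 described above, as an added pre-flight check run from the database server (example code added here, not IBM's; it models the rule as stated on this page, not the client's own logic). Assumptions: bash with /dev/tcp and the coreutils timeout command are available, only the client-to-appliance direction is probed, and the names probe_tcp, PROBE and gim_channel are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not IBM code): which channel will the GIM client end up on?

# TCP connect test via bash's /dev/tcp; assumes coreutils `timeout` is installed.
probe_tcp() {
    timeout 3 bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$1" "$2" 2>/dev/null
}
# Name of the probe function; replaceable so the logic can be exercised offline.
PROBE=${PROBE:-probe_tcp}

# gim_channel HOST GIM_USE_SSL
# Prints "<port> <channel>" and returns:
#   0 = authenticated TLS, 1 = reachable but weaker channel, 2 = nothing reachable
gim_channel() {
    local host=$1 use_ssl=${2:-1}
    if [ "$use_ssl" = "0" ]; then
        # GIM_USE_SSL=0: only the non-TLS, message-signed channel applies.
        if "$PROBE" "$host" 8081; then
            echo "8081 non-TLS with message signing"; return 1
        fi
        echo "none port 8081 unreachable"; return 2
    fi
    # GIM_USE_SSL enabled (default): 8446 first, then the 8444 fallback.
    if "$PROBE" "$host" 8446; then
        echo "8446 authenticated TLS"; return 0
    fi
    if "$PROBE" "$host" 8444; then
        echo "8444 TLS without certificate verification"; return 1
    fi
    echo "none ports 8446 and 8444 unreachable"; return 2
}

# Direct use: ./gim_preflight.sh <guardium-host> [GIM_USE_SSL]
if [ "$#" -ge 1 ]; then
    gim_channel "$1" "${2:-1}"
fi
```

A return code of 1 with GIM_USE_SSL enabled means a firewall rule for 8446 is missing and the client would silently use the unverified channel on 8444.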

About this task

You can install and use the GIM client in a Solaris slave zone or an AIX workload partition (WPAR). This enables you to use the GIM client to install an S-TAP® in a slave zone or WPAR. When you install an S-TAP in a slave zone or WPAR, the K-TAP is disabled, regardless of the setting of the ktap_enabled parameter. You can also use the GIM client to install the Configuration Auditing System (CAS) agent in a slave zone or WPAR. You cannot install the discovery bundle in a slave zone or WPAR; the discovery agent running on the global zone can collect information from other zones. The process for installing the GIM client in a Solaris slave zone or an AIX workload partition is the same as the process for installing in the master zone. The installation can take a few seconds longer than installing in the master zone. If you install the GIM client on a Solaris system with master and slave zones, you must install the client in the same location on the master and slave zones. This location cannot be a shared directory.

On Solaris, the GIM client and supervisor in each slave zone are controlled by the GIM supervisor process that runs in the master zone. If the supervisor process on the master zone is shut down, all GIM processes on the slave zones are shut down as well.

Table 1. Installation parameters
Parameter Description
dir Target directory of the GIM client installation.
tapip The IP address or FQDN of the database server or node on which the GIM client is being installed.
sqlguardip The collector IP address/hostname that the GIM client connects to. If it is not specified, the GIM client installs in "Listener mode".
no_ssl Use SSL to encrypt traffic between the GIM client and the Guardium appliance.
  • 0: no
  • 1: Use SSL to encrypt traffic between the agent and the Guardium system. This adds ~15% of CPU usage to the GIM client.
Guardium® recommends encrypting network traffic between the GIM client and the collector whenever possible: only in cases where the performance is a higher priority than security should this be disabled.
perl Path to perl script, for example: /usr/bin/
ca_file Full file name path to the Certificate Authority PEM file.
key_file Full file name path to the private key PEM file.
cert_file Full file name path to the certificate PEM file.
listener_port Listener port for registration with appliance. Default = 8445.
shared_secret Set the shared secret to verify collectors.
no_listener Disables "Listener mode" even if sqlguardip is not specified.
install_customed_bundles Allow GIM clients to install custom bundles.
  • 0: no
  • 1: yes
failover_sqlguardip The IP address/hostname of the secondary collector with which this GIM client communicates.
allow_ip_hostname_combo Enables GIM client uniqueness across database servers with "common" hostname.
  • 0: no
  • 1: yes
    • If GIM_CLIENT_IP is an IP address, the GIM client hostname is a combination of the <hostname>_<GIM_CLIENT_IP>.
    • If GIM_CLIENT_IP is set with an IP address and the GIM_ALLOW_IP_HOST_COMBO is enabled, GIM's hostname is a combination of the <hostname>_<GIM_CLIENT_IP>. This allows GIM clients uniqueness across database servers with "common" hostname.
You can NOT set GIM_CLIENT_IP with a "common" hostname. This is considered as an attempt to register with a duplicate identifier.
auto_set_gim_tapip When value set to 1, a local IP is automatically assigned. Do not specify both auto_set_gim_tapip and tapip when installing the GIM client.
  • 0: no
  • 1: yes
Default value is 0.
Note: Install the GIM client first on the master zone, then on the local.

Procedure

  1. Place the GIM client installer on the database server in any folder.
  2. Run the installer: ./<installer_name> [-- --dir <install_dir> [--sqlguardip <g-machine ip>] --tapip <db server ip address> --perl <perl dir> -q]
    The installer name has the syntax: guard-bundle-GIM-<release build>-<DB>-<OS>_<bit>.gim.sh, for example:
    guard-bundle-GIM-10.5.0_r103224_v10_5_1-rhel-6-linux-x86_64.gim.sh
    Attention:
    • Omit the --sqlguardip parameter to install the client in GIM listener mode. Listener mode makes the GIM client available for remote registration from a Guardium system. For more information, see GIM remote activation and Creating a GIM auto-discovery process.
    • When cloning database servers and establishing large deployments, use --auto_set_gim_tapip to allocate a random IP address from one of the valid IP addresses of a database server. Do not specify both auto_set_gim_tapip and tapip when installing the GIM client. Update the GIM_AUTO_SET_CLIENT_IP parameter after GIM client installation by using Manage > Module Installation > Set up by Client.
  3. On Red Hat Linux, version 6 or later, run these commands to verify that the files have been added:
    ls -la /etc/init/gim*
    ls -la /etc/gsvr*
    On Solaris, version 10 or later, run this command:
    ls /lib/svc/method/guard_g*
    On all other platforms, verify that the following new entries were added to /etc/inittab:
    gim:2345:respawn:<perl dir>/perl <modules install dir>/GIM/<ver>/gim_client.pl
    gsvr:2345:respawn:<modules install dir>/perl <modules install dir>/SUPERVISOR/<ver>/guard_supervisor
    Where modules install dir is the directory where all GIM modules are installed, for example, /usr/local/guardium/modules.
  4. Enter this command to verify that the GIM client, SUPERVISOR process, and modules are running:
    ps -afe | grep modules
  5. Log in to the Guardium system and check the Process Monitoring status.