News
Abstract
Default Self signed Guardium GIM SSL certificates are due to expire in May of 2024. This article describes steps Guardium administrators need to take in order to avoid potential communication issues between GIM clients and GIM servers.
Content
GIM SHA1 Certificates are set to expire May 2024. If the certificates are not renewed by expiration date, the GIM client-server communication will be affected.
NOTE: Data activity monitoring will not be affected
How to confirm when GIM Certificates are expiring
Option 1 - Check directly on one appliance
- In cli run - show certificate summary
- Check the lines with Alias Name gim
- There are two certificates with Alias Name gim. Only one of them expires in May 2024.
- If the Valid To date of one of the certificates is May/26/2024 or May/27/2024 then the problem is present and action is required
- The date might be different depending on the time zone of the appliance
- Example line with a problem:
-
Alias Name Valid From Valid To Subject File Name
------------------ ----------- ----------- ------------------------------------------------------ ----------------------------
gim May/29/2014 May/26/2024 xxxx CN=GIM, OU=xxx, O="xxx", L=xxx, ST=xxx, C=xxx .keystore
-
Option 2 - Use ad-hoc patches to check CM environment
Customers can install the following adhoc patches. These patches produce a report that will show status of GIM Certificates across the environment.
For details on how to install and use these patches see:
| Appliance version | Ad-hoc patch number |
| V12 (all bundles) | p1101 |
| V11 (all bundles) | p1266 |
| V10 (all bundles) | p1243 |
Environments affected
Appliances on the following versions will have GIM certificate that will expire in May 2024:
- All v10.6
- All v11.3
- All v11.4, except case when first GIM client installed after appliance was on p475
- All v11.5, except case when first GIM client installed after appliance was on p530
- v12 appliances upgraded from v11.5, where v12.0p10 not installed
- v12.0p10 resolves the issue
Remediation
Generic patches (no prerequisites)
"Generic" ad-hoc patches with no prerequisite bundles are recommended to resolve the issue. The following patches renew GIM certificate expiration on both GIM server (appliance) and GIM clients (Database server agent):
| Appliance version | Patch number | Prerequisite bundle | Patch Link | Notes |
| V12 | p1003 | None | SqlGuard_12.0p1003_GIM-Certificates-Fix | V12.0p1003 is a generic ad-hoc that can be applied on all V12 bundles. Includes updated certificate for any May 2024 expiry |
| V11 | p1042 | None | SqlGuard_11.0p1042_GIM-Certificates-Fix |
V11.0p1042 is a generic ad-hoc that can be applied on all V11 bundles and GPUs. Includes updated certificate for any May 2024 expiry.
Note : p1042 is replacing p1040 due to an issue found.
|
| V10.6 | p1037 | None (v10.6 is required) | SqlGuard_10.0p1037_GIM-Certificates-Fix |
V10.0p1037 is a generic ad-hoc that can be applied on all bundles on v10.6 only. Includes updated certificate for any May 2024 expiry.
After Patch installation, distribute the new set of GIM certificates to GIM clients via upgrading bundle GIM to the following or later versions :
For Unix OS: v10_6-r116142
For Windows OS: V10.6.0.437
|
Note : If you are using custom certificates for Sniffer component install the above "Generic" ad-hoc patches
Other patches
Ad-hoc patches with prerequisite bundles on some versions will be released.
The following patches renew GIM certificate expiration on both GIM server (appliance) and GIM clients (Database server agent):
| Appliance version | Patch number | Prerequisite bundle | Patch Link | Notes |
| V11.5 | p538 | p535 | SqlGuard_11.0p538_GIM-Certifcates-Fix | Includes updated certificate for May 26th expiry only |
| V11.4 | p488 | p485 | SqlGuard_11.0p488_GIM-Certifcates-Fix | Includes updated certificate for May 26th expiry only |
| V11.4 | p489 | p485 | Includes updated certificate for any May 2024 expiry | |
| V11.4 | p479 | p470 | SqlGuard_11.0p479_GIM-Certifcates-Fix | Includes updated certificate for any May 2024 expiry |
| V10.6 | p1034 | None | SqlGuard_10.0p1034_GIM-Certifcates-Fix |
Includes updated certificate for May 26th expiry only
After Patch installation, distribute the new set of GIM certificates to GIM clients via upgrading bundle GIM to the following or later versions :
For Unix OS: v10_6-r116142
For Windows OS: V10.6.0.437
|
| V10.6 | p1036 | None | SqlGuard_10.0p1036_GIM-Certifcates-Fix |
Includes updated certificate for any May 2024 expiry
After Patch installation, distribute the new set of GIM certificates to GIM clients via upgrading bundle GIM to the following or later versions :
For Unix OS: v10_6-r116142
For Windows OS: V10.6.0.437
|
| V11.3 | p395 | p300 | SqlGuard_11.0p395_Bundle | Full patch bundle |
| V11.4 | p490 | p400 | SqlGuard_11.0p490_Bundle | Full patch bundle |
| V11.5 | p540 | p500 | SqlGuard_11.0p540_Bundle | Full patch bundle |
Steps to resolve
- If not using recommended generic ad-hocs, install the prerequisite bundle listed in the table for your appliance version
- For bundles p530, p475 and higher, GIM certificates are updated to SHA256. These bundles require additional actions to manage the transition. Follow steps in - Updating Guardium Data Protection GIM clients with SHA256 certificates
- If appliance is below p530 or p475, use the generic ad-hocs to avoid extra actions for SHA256 transition
- Install the patch listed in the table, for your appliance version
- After Patch installation, give couple hours for automatic distribution of renewing GIM certificates on agent side to execute. Status can be checked through the report “GIM Certificate Deployment Status”
- If system configuration backup is scheduled on the appliance, run the backup after the certificates are updated
- If backup is required for disaster recovery, use system configuration backups taken after the GIM certificates are updated
- If new GIM client is installed with old certificates and pointed to the environment where certificates are already updated, to renew certificate for this new GIM client
- In GIM GUI enable parameter - 'gim_auto_certificate_distribution' to 1
- In cli run - store certificate gim client auto-generate - select the client that you need to renew certificate for.
How to resolve after certificate expiry date
If the certificates were not renewed and the expiry date passed additional actions are required on the GIM client side.
GIM bundle installer with updated certificates will be released including updated certificate.
To resolve after certificate expired:
- Install the correct appliance patch as outlined in the remediation section listed above for your appliance version.
- Upgrade GIM bundle (using transitional bundle GIM if not being used prior, otherwise use standard bundle GIM) with the updated certificate directly on database server. In case of fresh installation, use regular bundle GIM. The versions for the GIM bundles are :
For Unix OS: v11.4_r117207, v11.5_r117180 , v12.0_r117209
For Windows OS: v11.4.0.413, v11.5.0.338, v12.0.0.183
Troubleshooting
Use case:
After installing patches listed above to remediate GIM client and server certificate expiration, the certificate was not renewed on GIM client side and as a result the GIM clients are unable to communicate with GIM server. Some of those GIM clients will show in output of Cli command “show certificate gim client" : "STATUS: PENDING - Certificate is waiting to be distributed."
Recovery steps:
- For v11.4 or v11.5 Guardium versions, apply the below adhoc patches 11.0p1284 ; for v12.0, apply adhoc patch 12.0p1109. And, then monitor GIM process monitor via GIM console and GIM certificate deployment report closely.
Guardium version Patch zip file Patch md5sum 11.0 SqlGuard-11.0p1284.tgz.enc_.sig__0.zip 9b0d483f2f80e9a5d88deda19404f189 12.0 SqlGuard-12.0p1109.tgz.enc_.sig__0.zip 56e9105d23f638ca049d112694ec083e Download the zip file from this technote and unzip to get the patch, or contact Guardium support to provide - Above patch will disable certificate validation between GIM server and clients for communication via port 8446. You should observe GIM clients showing up in GIM process monitor gradually. Also, in GIM certificate deployment report, the deployment status moves from PENDING to PROCESSING to ACTIVE gradually for GIM clients.
- If there still PENDING GIM clients remaining in GIM console. Assess if these GIM clients are removed or repurposed. If 'pending' GIM clients no longer exist and not needed, via GIM console, 'reset connection' via GIM 'Setup by client' feature to remove them from DB. If 'pending' is due to machine/GIM client down, fix them first. If they are still stuck in pending, use CLI 'store certificate gim client auto-generate' to fix them individually or via range. Finally, if CLI 'auto-generate' is not helpful, upgrade GIM clients on DB server (for Unix OS using the bundle GIM *.gim.sh installer) to the latest GIM installers uploaded to Fix Central: For Unix OS: v11.4_r117207, v11.5_r117180 , v12.0_r117209 For Windows OS: v11.4.0.413, v11.5.0.338, v12.0.0.183
- After confirming all GIM clients are with green status in "GIM Processes Monitor" , in v11 install adhoc patch 11.0p1285; in v12.0 install adhoc patch 12.0p1110 to restore original parameter value in server.xml, which enables GIM server and client communication via certificate.
Guardium version Patch zip file Patch md5sum 11.0 SqlGuard-11.0p1285.tgz.enc_.sig__0.zip 2c036ea2173a1565cbbe49690d9c6a2d 12.0 SqlGuard-12.0p1110.tgz.enc_.sig__0.zip 44d4597f522577c8b139eb16a8f992bc Download the zip file from this technote and unzip to get the patch, or contact Guardium support to provide
[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSMPHH","label":"IBM Security Guardium"},"ARM Category":[{"code":"a8m0z000000Gp0TAAS","label":"GIM"}],"Platform":[{"code":"PF004","label":"Appliance"}],"Version":"All Versions"}]
Was this topic helpful?
Document Information
Modified date:
21 June 2024
UID
ibm17115129