
Release of Guardium Data Protection health check 12.0p9997

Release Notes


Abstract

This technical note provides guidance for installing IBM Security Guardium Data Protection health check patch 12.0p9997. It includes an overview and a description of all checks.

Content

Patch information
  • Patch file name: SqlGuard-12.0p9997.tgz.enc.sig
  • Patch date: Oct 10 2024
  • MD5 checksum: e38210b5942fbdb89a06157017b26018
Finding the patch 
Make the following selections to locate this patch for download on the IBM Fix Central website:
 
  • Product selector: IBM Security Guardium
  • Installed version: 12.0
  • Platform: All
  • Click "Continue," select "Browse for fixes," and click "Continue" again.
  • Enter the patch information in the "Filter fix details" field to locate the patch.
For information about Guardium patch types and naming conventions, see the Understanding Guardium patch types and patch names support document.
Prerequisite 
Guardium version 12.0
Overview
  • The purpose of the patch is to perform preliminary checks on the Guardium appliance before GPU or bundle installation to prevent issues during installation. 
  • This patch can be installed more than once. 
  • The health check generates a log file named health_check.<time_stamp>.log. 
  • To view the log file:
    • View in GUI - "Health Check Log" report
      • Right-click the last installed health check and select "Health Check Log - Details" to see the details of each check
    • View in fileserver:
      • Type the fileserver command in the CLI
      • Open the fileserver in a web browser
      • Go to the opt-ibm-guardium-log -> diag -> current folder and open the most recent log file
  • The log file contains the status of each validation.
    • If any one of these validations has failed:
      • The status of the failed validation will start with an “ERROR:” prefix and the following message will appear at the end of the log file: Please send this log file and <file_name> file to support team.
      • The Installed patch report will show the patch with status: ERROR: Patch Installation Failed
        • Review the details in this document to determine how to proceed. Guardium support can assist with any questions.
    • If a validation completed with a warning:
      • The status of that validation will start with “WARNING:”, and the following message will appear at the end of the log file: Please send this log file and <file_name> file to support team.
      • The Installed patch report will show the patch with status: WARNING: Review health check log file.
        • Review the details in this document to determine how to proceed. Guardium support can assist with any questions.
    • If no problem was found:
      • The following message appears at the end of the log file: Appliance is ready for GPU installation/upgrade.
      • The Installed patch report will show the patch with status: DONE: Patch installation Succeeded.
  • The list of checks will expand and is subject to change in future versions of the health check. Always download the latest version from IBM Fix Central.
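The status rules above (an ERROR: line fails the patch, otherwise a WARNING: line gives a warning status, otherwise the patch is DONE) can be applied to a downloaded log with a short script. The following Python is an added example, not code from IBM or from the p9997 patch; its sample log is constructed from messages quoted in this technote, and the real log layout is assumed to be one validation message per line.

```python
import re
from dataclasses import dataclass, field
# Constructed sample log, assembled from messages quoted in this technote;
# the real health_check.<time_stamp>.log layout may differ in detail.
SAMPLE_LOG = """\
There is NO issue with DB size
WARNING:DB is more than 50% full. Please reduce size of your DB and run Health Check again.
No duplicate queries found.
ERROR: Crashed tables have been found.
No issue with TMM or TMD files.
Please send this log file and <file_name> file to support team.
"""

# Status shown for the patch in the Installed patch report, per the technote.
PATCH_STATUS = {
    "ERROR": "ERROR: Patch Installation Failed",
    "WARNING": "WARNING: Review health check log file.",
    "DONE": "DONE: Patch installation Succeeded.",
}

# A validation result line starts with the prefix; the colon may or may not
# be followed by a space (both forms appear in this technote).
_PREFIX = re.compile(r"^(ERROR|WARNING):\s*(.*)$")

@dataclass
class HealthCheckSummary:
    errors: list = field(default_factory=list)
    warnings: list = field(default_factory=list)

    @property
    def status(self) -> str:
        """ERROR dominates WARNING, which dominates a clean run (DONE)."""
        if self.errors:
            return "ERROR"
        return "WARNING" if self.warnings else "DONE"

    @property
    def patch_status_text(self) -> str:
        return PATCH_STATUS[self.status]

def summarize_health_check(log_text: str) -> HealthCheckSummary:
    """Bucket each ERROR:/WARNING: validation line of a health check log."""
    summary = HealthCheckSummary()
    for line in log_text.splitlines():
        m = _PREFIX.match(line.strip())
        if m:
            level, message = m.groups()
            (summary.errors if level == "ERROR" else summary.warnings).append(message)
    return summary
```

Run it against the most recent health_check log downloaded from the fileserver to get the failing checks without scrolling the whole file.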
Details of each check

Appliance Configuration Check

In case there is no issue with DB (used DB space is less than 80%) or disk space, the following messages appear in the output file:

  • There is NO issue with DB size
  • There is NO issue with disk space
In case DB used space is greater than 80%, the following message appears in the output file:
  • ERROR:DB is more than 80% full. Please reduce size of your DB and run Health Check again.
In case DB used space is between 50% and 80%, the following message appears in the output file:
  • WARNING:DB is more than 50% full. Please reduce size of your DB and run Health Check again.
In this case we do not fail the patch, but strongly recommend asking support to investigate the issue before GPU installation.
In case /var partition has less than 30G of free space, the following message appears in the output file:
  • ERROR:/var partition has less than 30G of free space.
In case the / partition has less than 2.5G of free space, the following message appears in the output file:
  • ERROR: root partition has less than 2.5G of free space
In case there are old files in /boot partition that can be moved, the health check does it automatically and the following message appears in the output file:
  • Old initramfs files moved from /boot to /var/tmp/p9997_initramfs_files

After automatically moving files, if the /boot partition still does not have enough space to start the upgrade, the following message appears in the output file:

  • ERROR: Not enough space in /boot. Contact Guardium support and attach support must_gather patch_install_issues and system_db_info.

Custom Query Check

In case the customer has custom queries with the same names as queries that the GPU will add, the following message will appear in the log file:
  • ERROR: Duplicate query names found.
In case no custom queries with the same names as queries added by the upgrade are found, the following message will appear in the log file:
  • No duplicate queries found.

Drop obsolete columns

To prevent failures when analytic data collected from a collector is inserted, the obsolete column AVG_EXECUTION_TIME should be dropped from the AGG_ANALYTIC_INPUT table in the DATAMART DB.

In case the column is found, the following message will appear in log file:

  • Obsolete column DATAMART.AGG_ANALYTIC_INPUT.AVG_EXECUTION_TIME has been dropped.

In case the column was not found, the following message will appear in log file:

  • Obsolete column DATAMART.AGG_ANALYTIC_INPUT.AVG_EXECUTION_TIME was not found.

MySQL Table Corruption Check

In case there are any crashed tables found in the main databases, the following message will appear in the log file:
  • ERROR: Crashed tables have been found.
    • Guardium support should investigate the issue before GPU installation.
In case no crashed tables are found, the following message will appear in the log file:
  • No crashed tables found.

Check Hardware Version

To prevent upgrade failures caused by the firmware version, the health check verifies that the current firmware version will not cause upgrade issues.

If the hardware is not a 3550 M4, 3550 M5 or SR630 (M6), the patch will NOT fail and the following message will appear in the log file:
  • Hardware is not a recognized type. Skipping version check
If the hardware version needs to be checked and the check passes, the patch will NOT fail and the following message will appear in the log:
  • <Hardware version info>. Hardware version check passed.
For each of the supported models/types, the health check verifies the following:
  • x3550 M5 – Type 8869/5463
    • DSA: >= 10.5
    • IMM2: >= 5.40
    • UEFI: >= 3.11
  • SR630 (M6) – Type 7X02:
    • BMC/XCC: >= 4.20
    • LXPM: >= 1.90
    • UEFI: >= 2.61
In case hardware version does not pass the verification, the patch will fail and the following message will appear in the log file:
  • ERROR: Hardware version check failed. Please apply the latest firmware patch from IBM Fix Central

Check Network Role

To prevent upgrade failures caused by a wrong network configuration, the patch verifies the content of the rolemap file.

  • If the appliance is built on cloud, this check is obsolete and the following message will appear in the log file: “No need to check rolemap for cloud appliance”
  • If the configuration is correct, the following message will appear in the log file: “No need to rebuild rolemap”
  • If the configuration is wrong but can be fixed by the patch, the following message will appear in the log file: "Rolemap was successfully rebuilt"
  • If the configuration is wrong and the patch cannot fix it, the patch will fail, to prevent a GPU installation failure, and the following message will appear in the log file: "ERROR: Please escalate the issue to Guardium support for fixing network configurations"

Check for existing TURBINE_USER_GROUP_ROLE table

The TURBINE_USER_GROUP_ROLE table may be missing because of earlier database crash problems.

  • In case this table is missing, the following message will appear in the log file: “ERROR: TURBINE_USER_GROUP_ROLE table does not exist or is corrupted”. Guardium support should be contacted to correctly rebuild this table.
  • In case the table exists, no message will be written to the log file.

Check for Windows S-TAP and Enterprise Load Balancer compatibility

Enterprise Load Balancer (ELB) on a v12.0 Central Manager (CM) is not compatible with Windows S-TAPs with the following versions:

  • v10.6, v11.0, v11.1, v11.2 – All versions
  • v11.4 – Before 11.4.0.267
  • v11.3 – Before 11.3.0.321

Windows S-TAP versions 11.3.0.321, 11.4.0.267 and all 11.5 and above are not affected. All other S-TAP types are not affected. Windows S-TAPs should be upgraded to the latest versions before upgrading CM.
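The version rules above have two partially affected release lines (11.3 and 11.4 with a minimum build) and four fully affected ones, so a plain string comparison is not enough. The following Python is an added example, not IBM's code or the check implemented by p9997; it encodes those rules and applies them to a constructed S-TAP inventory (hostnames, versions and collector names are invented) to produce the kind of list that elb_windows_stap_check.log contains.

```python
# Constructed sample S-TAP inventory (hostname, version, collector it reports to);
# on a real CM the health check gathers this itself.
SAMPLE_STAPS = [
    ("win-db-01", "11.4.0.265", "collector-a"),
    ("win-db-02", "11.4.0.267", "collector-a"),
    ("win-db-03", "11.3.0.321", "collector-b"),
    ("win-db-04", "11.2.0.100", "collector-b"),
    ("win-db-05", "11.5.0.12", "collector-c"),
]

# Release lines named in the technote. None means every build of that line is
# affected; a tuple is the first build of that line that is compatible.
_ELB_MINIMUM_BUILD = {
    (10, 6): None,
    (11, 0): None,
    (11, 1): None,
    (11, 2): None,
    (11, 3): (11, 3, 0, 321),
    (11, 4): (11, 4, 0, 267),
}

def parse_version(version: str) -> tuple:
    """Turn '11.4.0.265' (optionally 'v11.4.0.265') into a comparable int tuple."""
    return tuple(int(p) for p in version.strip().lstrip("vV").split("."))

def is_elb_compatible(version: str) -> bool:
    """True if a Windows S-TAP at this version works with ELB on a v12.0 CM."""
    v = parse_version(version)
    if len(v) < 2:
        raise ValueError(f"version {version!r} has no minor component")
    line = v[:2]
    if line >= (11, 5):
        return True                    # 11.5 and above are not affected
    if line not in _ELB_MINIMUM_BUILD:
        # Lines older than 10.6 are not covered by the technote; refuse to guess.
        raise ValueError(f"S-TAP release line {line[0]}.{line[1]} not covered")
    minimum = _ELB_MINIMUM_BUILD[line]
    if minimum is None:
        return False
    # A shorter version such as '11.4.0' compares below (11, 4, 0, 267),
    # so an incomplete build number is conservatively treated as affected.
    return v >= minimum

def affected_staps(staps):
    """Records (hostname, version, collector) that need upgrading before the CM upgrade."""
    return [s for s in staps if not is_elb_compatible(s[1])]
```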

In case ELB is active with Windows S-TAPs on affected versions, the following message will appear in the log file on the CM only:

  • WARNING: Windows S-TAP versions not compatible with Enterprise Load Balancer found. Upgrade S-TAPs before upgrading appliances. Problem S-TAPs, versions and collector they report to can be found in elb_windows_stap_check.log.

In case ELB is not active, or no Windows S-TAPs on affected versions are found, the following message will appear in the log file on the CM only:

  • No issue with Windows S-TAP ELB compatibility.

If affected S-TAPs are found, elb_windows_stap_check.log is available from fileserver Sqlguard logs->diag->current folder. The log file lists all affected S-TAPs, their version and collector they report to.

Check for old guard parameter name

Guard parameter with name ‘cm_of_cms_hostname’ is no longer valid as it has been renamed.

In case the old parameter name is found on the appliance, it is removed and the following message will appear in the log file:

  • Old guard_parameter removed.

In case the old parameter was not found, no action is taken and no message appears in the log file.

Check for GIM certificates

It is not possible to push new GIM bundles in v12 if the GIM is using SHA1 certificates. The default certificate on v11 appliances was SHA1. It is possible to upgrade to v12 with SHA1 certificate, but after upgrade it must be updated to use custom SHA256.

In case no GIM clients are connected to this appliance, no action is needed and the following message will appear in the log file:

  • No issue with GIM certificates - No GIM clients connected to this appliance.

In case GIM clients are connected but there is no issue with the certificates, the following message will appear in log file:

  • No issue with GIM certificates.

In case GIM clients are connected and GIM certificates using SHA1 are found, the following message will appear in log file:

  • WARNING: Non SHA256 GIM certificates found. To resolve install new SHA256 GIM certificates from cli.

To install custom GIM certificates, see https://www.ibm.com/docs/en/guardium/11.5?topic=management-creating-managing-custom-gim-certificates

For more information on SHA256 certificate updates, see https://www.ibm.com/support/pages/updating-guardium-data-protection-gim-clients-sha256-certificates

Check for MySQL TMM or TMD files

In some cases MySQL temporary TMM or TMD files remain on the system unexpectedly. They can cause corrupted tables during patch installation. If they exist, health check p9997 moves them to a temporary location, which resolves the problem.

In case no TMM or TMD files exist, the following message will appear in the log file:

  • No issue with TMM or TMD files.

In case TMM or TMD files exist and are successfully cleaned up, the following message will appear in the log file, followed by a list of files moved:

  • TMM or TMD files moved to temporary location (/var/tmp/hc_tm_files). Files:

In case TMM or TMD files exist but there was a problem moving them, the following message will appear in the log file, followed by a list of files moved:

  • ERROR: TMM or TMD files found, but could not be moved. Contact Guardium support to resolve. Files:

In this case, further investigation will be required by Guardium support.

Check for cloud other than AWS appliance

Patch p15 will be blocked on cloud appliances other than AWS.
If the health check identifies the appliance as a cloud appliance other than AWS, the check ends with a WARNING status and the following message in the log file:

  • INFORMATION: Patch v12.0p15 will be blocked in a Cloud Environment other than AWS.

Check for old empty partitions

Cloud appliances can contain old empty database partitions dated between the template creation and the current date. Old partitions might affect patch installations or aggregation performance. If the health check finds such partitions 100 days older than the retention period, it fails with the following message in the log:

  • ERROR: Old empty partitions where found that will affect patches installation performance.

Installation of support ad hoc patch SqlGuard-12.0p1107.tgz.enc.sig provided by Guardium support team should drop these old partitions. Support can check the internal section of this technote for patch location.

Check for wrong rule action parameter ids
There might be wrong ids in RULE_ACTION_PARAMETER caused by an improperly set AUTO_INCREMENT value, which might cause duplicate errors during patch installation.
If the auto increment value is wrong, the patch updates the auto increment to a proper value and the following message appears in the log:
  • AUTO_INCREMENT was altered for RULE_ACTION_PARAMETER table
If wrong ids are found in the table, the patch performs the required update and the following message appears in the log:
  • RULE_ACTION_PARAMETER_IDs have been updated
If the auto increment and id values are correct, the following message appears in the log:
  • No Issue with RULE_ACTION_PARAMETER_ID found.
In any of the above scenarios no additional action is required by the user.

Check for GUI pages availability when installing bundle p20 or higher on CM

Installing bundle 12.0p20 or above on the CM will cause many pages in the MUs' GUI to be inaccessible if the MU is below p20. Action is required before installing the bundle on the CM to ensure all GUI pages remain accessible on the MUs without interruption.

Ad-hoc patch 12.0p1008 should be installed on all units before installing p20 or higher on the CM. If the MUs are on p20 or higher, no action is required. For more details see: https://www.ibm.com/support/pages/node/7169627

If the appliance is below p20 and does not have p1008 installed, the following message appears in the log:

  • WARNING: After installing bundle 12.0p20 or higher on the CM, some MU GUI pages will not be accessible. To resolve, install 12.0p1008 on all appliances before installing bundle p20 or higher on CM.

Otherwise, the following message appears in the log:

  • No issue with MU GUI pages availability

Check for incompatible bind rpm issue

12.0p25 and above install an rpm that is not compatible with 12.0p100. To install 12.0p100, 12.0p9990 must be installed first to resolve the rpm issue. p9990 is available on IBM Fix Central.

In case the incompatible rpm is found, the following message appears in the log:

  • ERROR for p100: Incompatible bind rpm found. Install 12.0p9990 to resolve
The 12.0p100 installation will be blocked, but future 12.0 bundles will not be.
If the incompatible rpm is not found, the following message appears in the log:
  • No issue with incompatible bind rpm


Document Information

Modified date:
17 October 2024

UID

ibm17160183