This post is to summarize how to upgrade IBM Guardium Components and how to patch system
Download a server / agent Patch from IBM Fix Central
Install Patch for Aggregator from CLI
This method usually is for Central Manager (Aggregator). Once you logged into Web GUI, the notification icon will show a red number to notify you there is a patch available. You can download it from IBM Fix Center by clicking download.
Once the patch is downloaded, the patch will need to upload to the Guardium manager / aggreator. Based on the environment, the patch should either be uploaded to either the Central Manager or the individual collector. It always start from top (Manager / Aggregator) to bottom (Collector).
Note: It is strongly suggested to have a complete system backup prior to installing a patch.
- Login to the applicance as ‘cli’
- Type the command ‘fileserver <<ip_address>> <<duration>> ‘. This will enable a web server
- Once the fileserver command is executed, from the web browser, connect to the appliance https://<<appliance_name_or_ip>>:8445
cm01.51sec.org> fileserver 10.10.10.2 1200 Starting the file server... The file server is ready at https://cm01.51sec.org:8445 The timeout has been set to 1200 seconds and it may timeout during the uploading. The upload will only be accessible from the IP you are logged in from: 10.10.136.2 Press ENTER to stop the file server.
Stopping process Register patch files in the directory: SqlGuard-11.0p100_GPU_Nov_2019_V11.1.tgz.enc.sig Register succeeded ok cm01.51sec.org>
- Browse the local filesystem to find the downloaded patch file (already unzipped)
- Click the upload button to upload the patch file (*.sig ) to the appliance
- Once the patch is uploaded, close the ‘fileserver’ by simply hitting ‘enter’
- In the cli window, use the patch installation commands to install the patch
- Show system patch available : shows the available patches that can be installed (You might see some error message because of some old wrong package uploaded)
- Store system patch install sys now
- This will start the wizard to install the available patches.
itprosec-tor-igcm01.51sec.org> store system patch install sys List the files in the patches directory: 1. SqlGuard-10.0p11000_Upgrade_to_Version_11.0_Jun_2019.tgz.enc.sig 2. SqlGuard-10.0p620_Bundle_Apr_25_2019.tgz.enc.sig 3. SqlGuard-10.0p9997.tgz.enc.sig 4. SqlGuard-11.0p12_Bundle_Nov_05_2019.tgz.enc.sig 5. SqlGuard-11.0p4003_Snif_Oct_24_2019.tgz.enc.sig Please choose patches to install (1-5, or multiple numbers separated by ",", or q to quit): 5 Install item 5 Patch has been submitted, and will be installed according to the request time, please check installed patches report or CLI (show system patch installed). Please don't forget to remove your media if necessary. ok
itprosec-tor-igcm01.51sec.org> show system patch installed P# Who Description Request Time Status 11000 CLI Upgrade to Version 11.0 (Jun 07 2019-08-30 11:14:11 Phase 5: Migration completed 4003 CLI Snif Update (Oct 24 2019) 2019-12-04 17:18:45 STEP: Executing Post Install Actions 12 CLI SqlGuard-11.0p12_Bundle_Nov_05_ 2019-12-04 17:21:01 Preparing to install patch. ok
Note: Your installation might be failed because of missing dependency, just as show below:
cm01.51sec.org> store system patch install sys List the files in the patches directory: 1. SqlGuard-10.0p11000_Upgrade_to_Version_11.0_Jun_2019.tgz.enc.sig 2. SqlGuard-10.0p620_Bundle_Apr_25_2019.tgz.enc.sig 3. SqlGuard-10.0p9997.tgz.enc.sig 4. SqlGuard-11.0p100_GPU_Nov_2019_V11.1.tgz.enc.sig 5. SqlGuard-11.0p12_Bundle_Nov_05_2019.tgz.enc.sig 6. SqlGuard-11.0p4003_Snif_Oct_24_2019.tgz.enc.sig Please choose patches to install (1-6, or multiple numbers separated by ",", or q to quit): 4 Install item 4 Dependent patches not installed successfully or not available: 9997 Please don't forget to remove your media if necessary. ok
In above example, latest health_check patch was not installed first. You will need to go to fix center to download this latest health_check patch.
Installing latest health check patch is same as installing other patch:
a. Upload extracted .sig healtch_check patch through fileserver command
b. store system patch install sys : choose the one you just uploaded
c. show system patch installed : checking installation process
Note: For a sniff patch, it usually takes 10 minutes to get it done. But for a bundle package, it will take 30 – 60 minutes to get it done. Sometimes, the installed packages will not remove from the list after the installation. When make selection, you have to clearly know which one you have installed, and which one will need to be installed now.
Install Patch from Web GUI for Databases
Push STAP out from Central Manager (Aggregator)
For GIM, you will need to uncheck some filters to show it.
Distribute a patch / Install Patch from Central Manager to Collector
To distribute a patch from a central manager to managed units, one of the following must have taken place:
The patch is installed on the central manager
Monitor and verify patch installation
You can monitor and verify the installation of patches in the following ways:
Install DPS Update
You will need to update the Guardium DPS file after upgrade or restore procedures. Download the latest DPS file, then use the tool to upload and import the new DPS file.
Click green check mark to import uploaded DPS file.
Delete Stuck Patch Installation
Patch installation might be stuck at certain stage. In my this case, it has been stuck at “Preparing to install patch” for a couple of hours.
guardium-v11.yourcompany.com> show system patch install P# Who Description Request Time Status 200 CLI Guardium Patch Update (GPU) for 2020-08-16 10:25:16 DONE: Patch installation Succeeded. 4009 CLI SqlGuard-11.0p4009_Snif_Jul_09_ 2020-08-18 09:14:58 Preparing to install patch. ok guardium-v11.yourcompany.com> guardium-v11.yourcompany.com> delete scheduled-patch P# Who Description Request Time Status 200 CLI Guardium Patch Update (GPU) for 2020-08-16 10:25:16 DONE: Patch installation Succeeded. 4009 CLI SqlGuard-11.0p4009_Snif_Jul_09_ 2020-08-18 08:17:40 Preparing to install patch. Please enter patch number (or q to quit): 4009 Remove the patch number 4009 to install ok guardium-v11.yourcompany.com> show system patch inst P# Who Description Request Time Status 200 CLI Guardium Patch Update (GPU) for 2020-08-16 10:25:16 DONE: Patch installation Succeeded. ok guardium-v11.yourcompany.com> store system patch install sys List the files in the patches directory: 1. SqlGuard-11.0p4009_Snif_Jul_09_2020.tgz.enc.sig Please choose patches to install (1-1, or multiple numbers separated by ",", or q to quit): 1 Install item 1 Patch has been submitted, and will be installed according to the request time, please check installed patches report or CLI (show system patch installed). Please don't forget to remove your media if necessary. ok guardium-v11.yourcompany.com>
Generate support log for patch installation issue:
guardium-v11.yourcompany.com> support must_gather patch_install_issues This operation may take several minutes to complete. 11.2.0_r108847_v11_2_1-el76-20200529_1309 BUILD_ID_APPLIANCE="appliance-v11_2-20200529_1309" Please check notes in /var/IBM/Guardium/log/must_gather/patch_install_logs/ANALYZE_RESULTS.txt file. Created file /var/IBM/Guardium/log/must_gather/patch_install_logs/patch_install.20200818092518.tgz. ok guardium-v11.yourcompany.com>fileserver 192.168.2.70 3600