IBM Support

System Requirements/ Platforms supported for IBM Guardium v10.6

Detailed System Requirements


Abstract

This document summarizes the recommended hardware, supported databases, and operating system platforms for IBM Guardium v10.6.

Content

Links

Guardium v10.5 system requirements and supported platforms:   http://www.ibm.com/support/docview.wss?uid=swg27047801

Links to system requirements and supported platforms documentation for other versions of Guardium: http://www.ibm.com/support/docview.wss?uid=ibm10876538

GUARDIUM v10.6

The Guardium products related to the specifications are: Database Activity Monitor; Advanced Compliance Workflow Automation; Enterprise Integrator; Vulnerability Assessment (VA), Entitlement Reports, Data-Level Access Control; and Central Manager and Aggregator.

Cross-Platform Security

The Guardium cross-platform Database Activity Monitoring (DAM) solution is ideal for heterogeneous environments because it supports all major DBMS data sources and protocols running on all major operating systems.

Disclaimer:
Not all functionality is available in all configurations. For more information, contact an IBM Security Sales Representative at: https://www.ibm.com/connect/ibm/us/en/?lnk=fcw


This table shows all data sources and versions currently supported in v10.6.

Attention: Guardium Data Protection tries to support new versions of existing data sources as quickly as possible. Typically, new versions are supported within three (3) months of release, but support for some data sources may take longer.

Data source

Supported Versions

Notes

Oracle (including ASO/SSL)

11gR2, 12.1, 12.2, 18c, 19c, 21c

Oracle 11gR2, 12.1 ASO supported by Windows S-TAP.

Guardium does not support Oracle SSL for Windows S-TAP.

Oracle 12.1 ASO/SSL supported on AIX, Solaris, Linux, and HP-UX.

Oracle 12.2 ASO/SSL supported on AIX, Solaris, Linux, and HP-UX[only ASO].

UID chain not supported for Oracle ASO encrypted sessions from ATAP.

Query Rewrite not supported for Oracle 12.1 and later.

Guardium Client IP and Analyzed Client IP are not supported in Oracle SSL traffic.

Oracle Express (XE) is not supported

Oracle RAC (including ASO/SSL)

11gR2, 12.1, 12.2, 18c, 19c

Oracle 11gR2, 12.1 ASO supported by Windows S-TAP.

Guardium does not support Oracle SSL is not supported for Windows S-TAP.

Oracle 12.2 ASO/SSL supported on AIX, and Linux.

UID chain not supported for Oracle ASO encrypted sessions from ATAP.

Query Rewrite not supported for Oracle 12.1 and later.

Oracle Express (XE) is not supported

Oracle Exadata (including ASO/SSL)

11gR2, 12.1, 12.2

Oracle 11gR2, 12.1 ASO supported by Windows S-TAP.

Oracle SSL is not supported for Windows S-TAP.

Query Rewrite not supported for Oracle 12.1 and later.

Oracle Express (XE) is not supported

Microsoft MS-SQL Server

2012, 2014, 2016, 2017,2019, 2022

Windows Platform only

SQL Server 2019 and 2022 supported on Windows Server 2016 or greater.

"Always Encryption" in MS SQL Server 2016, 2017, 2019, and 2022 is supported, except for the Redact (scrub) function. For the Redact (scrub) function within MS-SQL Server 2016, 2017, 2019, and 2022, Guardium can parse SQL statements but the encrypted columns cannot be read.

Guardium supports Query Rewrite for all versions.

IBM DB2 (Linux, UNIX)

9.7, 10.1, 10.5, 11.1
 

The versions of DB2 required in order to use DB2 Exit are: V97FP9, V101, V105 or higher.

The versions of DB2 required in order to capture UID chain using DB2 Exit are V97FP10, V101FP4, V105FP3 or higher.

For DB2 LUW, LDAP authentication is supported from the Guardium datasource. No special setup is required on the datasource connection.

Guardium supports Query Rewrite for all versions.

IBM DB2 (Windows)

10.1, 10.5, 11

SSL Encryption only supported by using DB2 EXIT.

IBM Db2 pureScale

9.8, 10.1, 10.5, 11

SSL Encryption only supported by using DB2 EXIT

IBM PureData System for Transactions

IBM PureData System for Operational Analytics

IBM PureData Systems for Analytics

IBM DB2 for i

7.1, 7.2, 7.3

IBM Db2 for z/OS

11, 12

S-TAP Prerequisites for Db2 for z/OS V12.
-Version 10 S-TAP: PTF UI36827 (APAR PI58287).
-Version 9.1 S-TAP PTF UI36830 (APAR PI58287)

Common Collector (CQC 1.1) requires PTF UI36781 (APAR PI58175).

For more information on S-TAP and collector level compatibility, see this tech note: http://www-01.ibm.com/support/docview.wss?uid=swg21699982

IMS for z/OS

12,13, 14, 15

Version 10 S-TAP Prerequisites for IMS v15:  PTF UI44191

Version 9.1 S-TAP does not support IMS v15
 

Data sets for z/OS

2.1, 2.2, 2.3

Version 10 S-TAP Prerequisites for zOS 2.3:  PTF UI55620

Version 9.1 S-TAP Prerequisites for zOS 2.3:  PTF UI51198

IBM Informix

11.70, 12.10

Informix Exit supported with 12.10
Informix Exit supported by UNIX/Linux only

Oracle MySQL and MySQL Cluster

5.7,8.0

Shared Memory traffic is not supported by Windows S-TAP

Mysql 8.0.13 is supported in v10.6 (requires Snif patch p4042 or above) for Unix S-TAP
Guardium supports MySQL Community Server

SAP Sybase ASE

15.7, 16.0,16.1

Sybase 15.7 is supported on AIX, Linux, Solaris on SPARC and HPUX
Sybase 16 is supported on AIX, Linux, Solaris on SPARC
Sybase 16 SP03 is supported for Solaris on Intel and SPARC and Linux

SSL encryption is supported excluding HP-UX, SunOS-5.10-i386_64, and SunOS-5.11-i386_64

Guardium Client IP and Analyzed Client IP are not supported in Sybase encrypted traffic.

Windows does not support SSL for Sybase ASE

SAP Sybase IQ

16.0,16.1

Sybase IQ does not support SSL for any platform.

Guardium supports SybaseIQ only on LINUX, and AIX.
Guardium supports SybaseIQ TLS only on LINUX
Sybase IQ 16.1 DB_USER is not captured for encrypted TLS connections – known issue.


Guardium does not support Sybase IQ running on Windows

IBM Netezza

6.02, 7.0, 7.1, 7.2

PostgreSQL

9.3, 9.4, 9.5, 9.6, 10, 13.4

SSL encryption is supported (9.4 and 9.5). Windows does not support encryption for PostgreSQL
PostgreSQL bind variables supported

Teradata

15, 15.10, 16.10 and 16.20

Supported by SuSe Linux only

Teradata 16.20 with EXIT supported in s-tap version 10.6

Teradata 16.20 with ATAP supported in S-TAP version 10.6

IBM BigInsights

4.2, 4.2.5

Supported by Linux only

Cloudera

5.3, 5.8, 5.12.2

Supported by Linux only

Aster

6.2

Supported by Linux only, SSL encryption not supported

Cassandra

3.0.2, 3.5, 3.11

Supported by Linux only
Cassandra Compression supported
DataStax Cassandra 6.0.0 Support by Linux only, SSL supported
ElasticSearch 7.15 Supported by Linux only

CouchDB

2.1.1

Supported by Linux, and Windows

Greenplum DB

4.3.19, 5.7, 5.17

Supported by Linux only

Hortonworks

2.1, 2.2, 2.5, 2.6

Supported by Linux only.
Hortonworks 2.1 and 2.2 are only supported using K-TAP integration.
Hortonworks 2.5 and 2.6 are only supported using Apache Ranger integration.

MariaDB

5.5, 5.6, 10.1.12, 10.1.22, 10.1.29,10.6,10.9

Supported by Linux only

MemSQL

5.5, 6,7.8

Supported by Linux only

MongoDB

3.2, 3.4, 3.6, 4.0,4.2,4.4,5.0

Supported by Linux, and Windows

MongoDB mgo client (version 2)

3.2.1, 3.4.2, 3.6, 4.0,4.2,4.4

Supported by Linux only

MongoDB Compass client (versions 1.14, 1.15, 1.16)

3.6, 4.0

Supported by Windows
Neo4j 4.4 Supported by Linux only

SAP HANA

1.0, 2.0

Supported by Linux only

HP Vertica

7.2.3, 8.0

Supported by Linux only

FTP

Host-Based Monitoring

Unique in the industry, S-TAPs are lightweight software probes that monitor both network and local database protocols (shared memory, named pipes, etc.) at the OS level of the database server. S-TAPs minimize any effect on server performance by relaying all traffic to separate Guardium appliances for real-time analysis and reporting, rather than relying on the database itself to process and store log data. S-TAPs are often preferred because they eliminate the need for dedicated hardware appliances in remote locations or available SPAN ports in your data center.

This table shows all OS platforms and versions for which S-TAPs are currently available.

OS Type

Version

Notes

AIX

6.1, 7.1, 7.2

z/OS

2.1.x, 2.2, 2.3

For data sets S-TAP, APAR# PI84769 is required to support 2.3

HP-UX

11.11 PA-RISC
11.23 PA-RISC, 11.23 IA-64
11.31 PA-RISC, 11.31 IA-64

Red Hat Enterprise Linux (includes
Oracle Linux)

5, 6, 7

Little endian and Big endian supported on Power 8 (RHEL 7.x-7.6)

Red Hat Enterprise Linux for System z

5.4, 6.x, 7

SuSE Enterprise Linux

11 - 32-bit, 64-bit
12 - 64-bit

SLES 11 PPC64 (Big Endian system only)

SLES 12 PPC64LE (Little Endian system only)

SuSE Enterprise Linux for System z

11, 12

Solaris - SPARC

10, 11.1, 11.2, 11.3

Not supported for Solaris release 11.4 and higher

Solaris - Intel

10, 11.1, 11.2, 11.3

Not supported for Solaris release 11.4 and higher

Windows Server

2012, 2012 R2, 2016, Datacenter Edition, 2016 Essentials Edition, 2016 Standard Edition, 2019

IBM i

6.1, 7.1, 7.2, 7.3

Ubuntu

10.4 (SP3 & 4), 12.04, 14.04, 16.04,18.04

DB2, Informix, MySQL, PostgreSQL only

OpenSSL for UNIX S-TAP

OpenSSL 1.0.2k

CentOS for UNIX S-TAP

CentOS 6.x, 7.x

TLS 1.2

* Supports network activity monitoring, local activity via Enterprise Integrator

What data source is supported by what Guardium product?

Legend for Column 4 - Guardium Products

Data Protection for Databases

= DPD

Data Protection for Data Warehouses

= DPDW

Data Protection for Big Data

= DPBD

Data Protection for z/OS (DB2)

= DPz/OS (DB2)

Data Protection for z/OS (IMS)

= DPz/OS (IMS)

Data Protection for z/OS (data sets)

= DPz/OS (data sets)

Data Protection for Files

= DPF

Company

Monitored Product Name

Data Source Type

Guardium Product covering

IBM

IBM DB2

Database

DPD

IBM

IBM Db2 pureScale

Database

DPD

IBM

IBM PureFlex System

Database

DPD

IBM

IBM DB2 for i

Database

DPD

IBM

IBM Informix

Database

DPD

IBM

IBM Db2 for z/OS

Database

DPz/OS (DB2)

IBM

IBM DB2 Analytic Accelerator for z/OS

Data Warehouse

DPz/OS (DB2)

IBM

IBM DB2 Warehouse

Data Warehouse

DPDW

IBM

IBM IMS

Database

DPz/OS (IMS)

IBM

IBM z/OS data sets (VSAM, XDAP, BDAM, BSAM, QSAM, BPAM, ISAM, OAM)

File system

DPz/OS (data sets)

IBM

IBM PureData System for Transaction (PDTX)

Database

DPD

IBM

IBM PureApplication System

Database

DPD

Oracle

Oracle Database

Database

DPD

Oracle

Oracle Database RAC

Database

DPD

Oracle

Oracle Database BDA

Database

DPD

Oracle

Oracle Sun MySQL

Database

DPD

Oracle

Oracle Sun MySQL Cluster

Database

DPD

MariaDB Foundation

MariaDB

Database

DPD

SAP

SAP Sybase ASE

Database

DPD

SAP

SAP Sybase IQ

Database

DPD

Microsoft

MS SQL Server

Database

DPD

Microsoft

MS SQL Server Cluster

Database

DPD

PostgreSQL

PostgreSQL

Database

DPD

SAP

SAP HANA

In-memory Database

DPD

SAP

SAP HANA Appliance

In-memory Data Warehouse

DPDW

Microsoft

Microsoft Analytics Platform System (APS)

Data Warehouse

DPDW

Teradata

Teradata

Data Warehouse

DPDW

Oracle

Oracle Exadata

Data Warehouse

DPDW

IBM

IBM Netezza

Data Warehouse

DPDW

IBM

IBM PureData for Analytics

Data Warehouse

DPDW

IBM

IBM PureData System for Operational Analytics (PDOA)

Data Warehouse

DPDW

IBM

IBM BLU Acceleration

Data Warehouse

DPDW

EMC

GreenPlum DB

Data Warehouse

DPDW

HP

HP Vertica

Data Warehouse

DPDW

Teradata

Teradata Aster DB

Hadoop

DPBD

IBM

IBM BigInsights

Hadoop

DPBD

Cloudera

Cloudera

Hadoop

DPBD

EMC

GreenPlum HD

Hadoop

DPBD

EMC

Pivotal

Hadoop

DPBD

Hortonworks

Hortonworks

Hadoop

DPBD

MongoDB

MongoDB

NoSQL

DPBD

Apache SW

CouchDB

NoSQL

DPBD

Apache SW

Cassandra

NoSQL

DPBD

DataStax

DataStax Enterprise

NoSQL

DPBD

MemSQL Inc.

MemSQL

NoSQL

DPBD

Generic

HTTP

Application protocol

DPD

IBM

IBM InfoSphere Optim Archival

Database Tool

DPD

IBM

IBM Master Data Management

Database Tool

DPD

IBM

IBM Data Stage

Database Tool

DPD

Generic

FTP

File system Protocol

DPF

Microsoft

Windows File Share (WFS)

File system Protocol

DPF

Microsoft

MS File system

File system

DPF

Red Hat

Red Hat File system

File system

DPF

Ubuntu

Ubuntu File system

File system

DPF

Novell

SuSe File system

File system

DPF

IBM

AIX File system

File system

DPF

HP

HP-UX File system

File system

DPF

IBM

AIX GPFS

File system

DPF


Supported Data source platforms for IBM Guardium Vulnerability Assessment (VA)

Data source

Supported Versions

Oracle

11gR1, 11gR2, 12.1, 12.2, 18c.

Note: Support for Oracle 18c CVEs and patch test detection will be in a future release.

Microsoft SQL Server

2012, 2014, 2016, 2017

IBM DB2 (LUW)

9.7, 10.1, 10.5, 11.1

IBM DB2 for i

6.1, 7.1, 7.2, 7.3, 7.4

IBM Db2 for z/OS

10, 11, 12

IBM Informix

11.50, 11.70, 12.10

Oracle MySQL

5.5, 5.6, 5.7

SAP Sybase ASE

15.7, 16

SAP Sybase IQ

15.4, 16

IBM Netezza

6.0, 6.02, 7.0, 7.1, 7.2

PostgreSQL

9x

Teradata

14.10, 15, 15.10, 16

Aster

6, 6.1

MongoDB

2.6, 3.0, 3.2, 3.4

SAP HANA

1.0, 2
Cloudera Hadoop 5.x

Amazon RDS data sources

Oracle, SQL Server, MySQL, PostgreSQL


Appliance deployment on the cloud

Appliance deployment on the cloud

Guardium appliance images for on the cloud deployment

http://www.ibm.com/support/docview.wss?uid=swg27049576

Cloud Deployment Guides for: Amazon AWS EC2; IBM Softlayer; Google; Microsoft Azure, Oracle

Deploy IBM Guardium VA on Amazon RDS

http://www.ibm.com/support/docview.wss?uid=swg27050667

Additional Section or row for VA for Cloud - PaaS

Amazon RDS - Oracle

Amazon RDS – MS-SQL Server

Amazon RDS – MySQL

Amazon RDS - PostgreSQL

Client-side requirements for UNIX S-TAP and Windows S-TAP

UNIX/Linux S-TAP: https://www.ibm.com/support/knowledgecenter/SSMPHH_10.6.0/com.ibm.guardium.doc.stap/stap/choose_setup.html

Windows S-TAP: https://www.ibm.com/support/knowledgecenter/SSMPHH_10.6.0/com.ibm.guardium.doc.stap/stap/windows_choose_setup.html

Supported Data Source Platforms for Guardium External S-TAP

External S-TAP is a component of Guardium that can intercept traffic for cloud and on-premises database services without installing an inspection agent on the database server. For more information, see Guardium External S-TAP in the IBM Documentation website.

Data source

Supported Versions

Notes

Oracle (SSL enabled and non-SSL enabled)

11gR1, 11gR2, 12.1, 12.2, 18.0

Available for on-premises and for Amazon RDS cloud.

Note: Oracle ASO (native network encryption) is not supported.

SQL Data Warehouse

All Versions

Available for Microsoft Azure cloud.

Microsoft SQL Server (SSL enabled only)

 All Versions

Available for on-premises and for Microsoft Azure cloud and Amazon RDS cloud.
SSL-enabled encrypted connections are supported (including Force Protocol Encryption).
MongoDB (SSL enabled and non-SSL enabled) 4.0.5 Available for on-premises.

What Guardium features work with nonSQL databases?

Platform/Feature

Hadoop

MongoDB

Cassandra

CouchDB

DAM

Yes

Yes

Yes

Yes

Exceptions

Yes

Yes

Yes

Blocking

Yes (HIVE and IMPALA)

Yes

Yes

No

Redaction 

No

Yes

Yes

No

Discovery & Data Classification

No

No

No

No

Instance Discovery

No

Yes

No

Yes

SSL

No

Yes

No

No

Kerberos

Yes

Yes

No

No

Failed Logins

Yes (Hue only)

Yes

Yes

Yes

VA

Yes (Cloudera Only)

Yes

No

No

Encryption

Yes

Yes

No

No

Query Rewrite

No

No

No

No


End of service

Guardium supports database and operating system versions up to their End-of-Service (EOS), Premier, or Mainstream support end dates. For IBM, they are published in http://www-01.ibm.com/software/support/lifecycle/ . For other vendors, contact your vendor representative to confirm their support end dates. IBM offers optional extended service support after EOS. Contact your IBM representative for further information. Guardium will support the hardware system it is running to the End-of Marketing (EOM) date plus 5 years or end of support date, whichever is sooner.


Supported web browsers

Firefox ESR 52 and above

Chrome 70 and above

Minimum screen resolution - 1366 x 768

Flexible Deployment

Guardium is available as a hardware or software offering, ensuring that you can easily deploy the solution in a wide variety of environments. As a hardware offering, the solution is delivered with licensed software fully loaded and tested on a physical appliance provided by IBM (hardware appliance). When delivered as a software offering, the solution is delivered as software images ready to be deployed by the user on their own hardware (software appliance), either directly or as virtual appliances. While the software images can be installed on any VMware product, the VMware ESX server is the recommended platform for a virtual solution. Only VMware and Hyper-V are supported by Guardium.

The following table summarizes major hardware requirements for software appliances. The Guardium solution is designed to work on i86 Intel-based or AMD-based platforms (for example, x86_64). Only platforms and hardware that are officially supported by Red Hat Linux 6.9 (64-bit) can be used as Guardium v10.1.32 platforms (note in Guardium v10.0 hardware supported by Red Hat 6.5 is required), however, not all officially supported Red Hat Linux platforms can be used. Platforms that require extra drivers or specialized post-install configuration are not supported at this time.

Minimum and Recommended Resources per software or virtual appliance

Resource

Required Range *

Comments

Physical CPUs

Minimum: 4 cores

Recommended: 8 cores

x86 (Intel or AMD) processors required

Virtual CPUs

Minimum 4 vCPUs

Recommended: 8 vCPUs

RAM

(64-bit)

Minimum: 24 GB (min)

Maximum: motherboard max

Recommended: 32 GB

Guardium's features are memory intensive. To take full advantage of these features, it is recommended to have 32 GB of RAM and 8-core CPU.

For Central Managers in a large federated environment, the recommended memory is
64 GB.

If using Ecosystem, 34 GB required.

Ports (NICs)

1 Gbit or 10 Gbit per second card recommended

10 Gbit per second card can be used in 64-bit system with sufficient memory

1-4

Each port can be an actual NIC, or a virtual switch that can be configured to use multiple NICs, optionally with failover IP teaming.

Optional: The third port may also be configured to team with the primary interface in order to provide failover IP teaming. Alternatively, the last port on the device may be configured as a secondary management interface with a different IP, NETMASK and GW from the primary.

When using Inspection Engines to capture traffic (not
S-TAPs) on software appliances, additional ports may be required. Note that this collection method is not applicable for virtual appliances.

Multiple network interfaces are supported on: (1) a Guardium hardware appliance; (2) a customer's software appliance (the customer installs Guardium software on their hardware appliance); or (3) VMware solution with ESX Server.

Disk Size

Minimum: 300 GB

Maximum:>2 TB

Recommended:

Collectors: 300-600 GB

Aggregators: 600-1800 GB


Guardium supports smaller HD disks for integrated warehouse configurations, using data mart interfaces (10.1.3 and later).

Use of RAID is recommended.

RAID-10, RAID-0, RAID-1, RAID 0+1, RAID 1+0 are supported.

Note: Larger disks may hold more audit records for longer periods of time, but are more likely to impact performance.

At least 9 GB of free disk space on the /var partition is required.

Disk Size

>2 TB

Beginning with v10.1.2, disk partitions
>2 TB are supported.

However, certain conditions are required:

1. Configure the system into EFI/UEFI mode via the BIOS.

2. Then install v10.1.2,

(a) during which the install should auto-detect the EFI bios support and use GPT (GUID Partition Tables) that allow >2 TB partitions.

(b) Additionally the v10.1.2 install will also use EXT4 partition types by default, and thus avoid the previous EXT3 file size limitation of <2 TB.

Note: To resize the hard disk of an existing appliance, the user needs to rebuild their system.

Disk Speed

7200 RPM to 15,000 RPM

To use 7200 RPM, scale back the sizing ratio by 70%.

Example: If you are using 7200 RPM disk, which is slow, you should reduce your sizing by 70%. If your sizing calls for 10 S-TAPs to a collector, if you are running with 7200 RPM drives, drop that to 3 S-TAPs to a collector.

* Refer to IBM configuration tables for physical ranges.


Application Monitoring

Guardium identifies potential fraud by tracking activities of users who access critical tables via multitier enterprise applications rather than direct access to the database. This is especially important for applications that use connection pooling where all user traffic is aggregated within a few database connections, thereby masking the identity of users.

Guardium offers out-of-the-box support for the major off-the-shelf enterprise applications (see table below), and provides built-in tools to configure and add end-user identification for niche application and home-grown applications. Note: for most applications, some basic configuration is needed, to tailor the solution to your environment.
 

Supported Enterprise Applications

Supported Application Server Platforms
(for other enterprise & custom-developed applications)

Oracle E-Business Suite

IBM WebSphere

PeopleSoft

BEA WebLogic

Siebel

Oracle Application Server (AS)

SAP

JBoss Enterprise Application Platform

Cognos

+ Others based on customer demand

Business Objects Web Intelligence

+ Others based on customer demand

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSMPHH","label":"IBM Security Guardium"},"Component":"","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"},{"code":"PF035","label":"z\/OS"}],"Version":"10.6","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
22 December 2023

UID

ibm10719695

Page Feedback