VM Installation Overview

After you install the IBM® Guardium® VM, install the IBM Guardium image and set up the initial and basic configuration.

If you are installing multiple Guardium VM systems in a VMware VirtualCenter Management Server environment, you can create a template system from the first Guardium VM that you create, and then clone that template as necessary. Then, set the IP address on each cloned system. For more information, see the information about unique ID and global ID.

Step 1: Verify system compatibility

  1. Verify that the host is compatible with VMware's ESX Server (ESX 4.0 Update 4 and higher is the bare minimum to run a Guardium system). See the VMware document entitled Systems Compatibility Guide for ESX Server.
  2. Verify that a virtual machine installed on the host is able to provide the minimum recommended resources for a Guardium system, whether you plan to use it as a collector, central manager, or an aggregator. For more information, see Hardware requirements.
  3. When you create a 64-bit VM for the first time or upgrade a 32-bit VM to 64-bit, make sure that the virtual hardware is configured for 64-bit operation. Sometimes, you might need to upgrade the virtual hardware. For information, see the VMware documentation.

Step 2: Install VMware ESX Server

Install VMware ESX Server if it is not already installed. For information on how to install and configure the VMware Infrastructure and ESX server, see the VMware vSphere documentation.

Restriction: The ESX server is supported only on a specific set of hardware devices. For more information, see the VMware Virtual Infrastructure documentation.

Step 3: Connect network cables

Before you define any virtual switches that are used for the Guardium VM, you must connect the appropriate NICs to the network. You cannot assign NICs to virtual networks or switches until the NICs are physically connected.

The following table describes how the Guardium VM uses network interfaces. Refer to this table to make the appropriate connections before you configure the virtual switches for use by the Guardium VM.

Table 1. IBM Guardium VM Network Interface Use
Interface: Proxy interface (the primary interface)
Description: This interface is the main gateway to the appliance, and is used for these purposes:
  • Graphical web-based User Interface (GUI) to manage, configure, and use the solution
  • Command Line Interface (CLI) for initial setup and basic configuration
  • Connections with external systems such as backup systems, database servers, and LDAP server
  • Communication with other Guardium components such as other appliances (aggregator, central manager) and agents that are installed on database or file servers such as S-TAP or CAS clients

Interface: Application server interface (the secondary interface)
Description: This interface is necessary if you configure your Guardium system as a transparent proxy. It connects to the application servers whose content your Guardium system is configured to mask.

Step 4: Configure the Guardium VM management portal

The default configuration for a new VMware ESX Server installation creates a single port group for use by the VMware service console and all virtual machines.
Remember: For the Guardium VM, do not share ports with the VMware console or any other virtual machine.
To create one or more virtual switches to be used by a Guardium VM, complete the following tasks:
  1. Open the VMware VI Client, and log in to either a VirtualCenter Server or the ESX Server host where you want to create a new virtual machine.
  2. If you are logged in to a VirtualCenter Server, from the menu bar, select Inventory. Then, expand the inventory as needed to display the managed host or cluster where you plan to install a Guardium VM.
  3. From the list of inventories, click the host or cluster where you plan to install a Guardium VM.
  4. Click the Configuration tab, and under Hardware, click Networking, and then click Add Networking.

    In the Add Network wizard, define a new virtual switch for the Guardium VM network interface. Using this connection, you can access the Guardium VM management console. This connection also enables communication between the Guardium VM and other Guardium components such as S-TAPs, which are software agents that you can install later on one or more database servers.

  5. Under Connection Types, click Virtual Machine and click Next.
  6. Under Network Access, click Create a virtual switch, and select the unclaimed network adapter to use for the Guardium VM network interface.

    Use the VMXNET3 network adapter type and avoid the Flexible network adapter.

  7. Select a second unclaimed network adapter if you want to use the VMware IP teaming capability to provide a secondary (failover) network interface. Later, you can designate this second adapter as a Standby Adapter and you must cable both NICs.
  8. Click Next to continue to the Connection Settings page of the Add Network wizard.
  9. In the Network Label field, enter a name for the virtual machine port group, for example: GuardETH0, and click Next.
  10. On the Summary page, click Finish. The new virtual switch is displayed in the Configuration tab.
  11. If you defined a second adapter for failover purposes:
    1. Click the Properties link for the virtual switch that you created to open the Virtual Switch Properties pane.
    2. Click the Ports tab and select the virtual port group that you created, for example, GuardETH0, and click Edit.
    3. In the Virtual Port Group Properties pane, click the NIC Teaming tab, select Override vSwitch Failover, and then move the second adapter to the Standby Adapters list.
    4. Click OK to close the virtual port group Properties box, and click Close to close the virtual switch Properties box.

Step 5: Create a new virtual machine

Create a new virtual machine on which to install a Guardium VM, if it is not already created.

Perform this task by using the VMware VI Client.

  1. Open the VMware VI Client, and log on to either a VirtualCenter Server, or the ESX Server host on which you want to create a new virtual machine.
  2. If you are logged in to a VirtualCenter Server, click Inventory in the navigation bar, expand the inventory as needed, and select the managed host or cluster to which you want to add the new virtual machine.
  3. From the File menu, click New – Virtual Machine to open the Configuration Type panel of the New Virtual Machine wizard.
  4. Click Typical as the configuration type, and click Next to continue with the Name and Folder pane.
  5. In the Name and Folder panel, enter a name for the new virtual machine in the Virtual Machine Name field. This name appears in the VI Client inventory and is also used as the name of the virtual machine's files.

    To set the inventory location for the new virtual machine, select a folder or the root location of a datacenter from the list under Virtual Machine Inventory Location.

    Click Next.

  6. If your host or cluster contains resource pools, the Resource Pool pane is displayed. Select the resource (host, cluster, or resource pool) in which you want to run the virtual machine and click Next.
  7. In the Datastore pane, select a datastore where you want to store the new virtual machine files, and click Next.
  8. In the Choose the Guest Operating System pane, choose the operating system that corresponds to the Guardium image that you are installing. Click Linux > RedHat Enterprise Linux 7, 64-bit from the Version box, and click Next.

    The operating system is not installed now, but the OS type is needed to set appropriate default values for the virtual machine.

    For VM minimum resources, refer to the Hardware Requirements in the Before you begin section.

  9. In the Virtual CPUs pane, select the number of CPUs recommended for the type of Guardium VM being installed, and click Next.
  10. In the Memory panel, select the amount of memory that is recommended for the type of Guardium VM being installed, and click Next. Important: the initial value must be at least 16 GB. If customers want to work outside the required range, consult with Technical Support.
  11. In the Network panel, click 1 as the number of ports that are required, and click Next.
  12. For the selected port, from the Network menu, choose a port group that is configured for virtual network use, which you defined in Step 4.
  13. For the selected port group, the Connect at Power On checkbox is selected by default. Click Next.
  14. In the Virtual Disk Capacity panel, enter the amount of disk space to reserve for the new virtual machine in the Disk Size field.
  15. In the Ready to Complete panel, verify your settings and click Finish.

The definition of the new virtual machine is complete. The operating system has not yet been installed, so if you attempt to start the virtual machine, that activity fails.

Step 6: Install the Guardium system

Perform this task by using the VMware Virtual Infrastructure Client.

  1. Open the VMware VI Client, and log on to either a VirtualCenter Server, or the ESX Server host on which you want to create a new virtual machine.
  2. If logged in to a VirtualCenter Server, click Inventory in the navigation bar, expand the inventory as needed, and select the virtual machine on which you want to install the Guardium VM.
  3. On the Summary tab, click Edit Settings.
  4. Click CD/DVD Drive 1.
  5. Select one of the following options to determine from where the virtual DVD device reads the Guardium Installation program.

    Datastore ISO File – Connect to the Guardium Installation ISO file on a datastore. If you did not already do so, copy the Guardium ISO files to a datastore accessible from the ESX Server host on which the virtual machine is installed. Click Browse to select the file.

    Caution: For the remaining options, you need to place the Guardium Installation DVD in a DVD drive. If you reboot any system with a Guardium Installation DVD in its DVD drive, Guardium is installed on that system, wiping out the host operating system and files.

    Client Device – Connect to a DVD device on the system on which you are running the VI Client. If you select this option, insert the Guardium DVD in the DVD drive of the system on which the VI Client is running.

    Host Device – Connect to a DVD device on the ESX Server host machine on which the virtual machine is installed. If you select this option, choose the device from the list, and insert the Guardium DVD in the DVD drive of the ESX Server host machine.

  6. Click OK.
  7. Click Power On to start the virtual machine.
  8. If you selected Client Device as your DVD Drive option, click Virtual CD-ROM (ide0:0) in the toolbar, and select the local DVD device to connect to.
  9. Click the Console tab to display the virtual machine console.
  10. When prompted, select a collector or an aggregator.

    Caution: If a DVD drive was used, the DVD ejects when the installation completes. Make sure that you remove the installation DVD from that drive. If the ISO file was used, be sure to remove the ISO CD ROM by changing the virtual CD/DVD back to a Client or Host Device. Otherwise, the next time it is rebooted, you will install Guardium on the host machine, wiping out the host machine operating system and all files.

    The machine reboots automatically, and you are prompted to log in as the CLI user.

  11. Now, configure the Guardium system as described in Step 4. Set up initial and basic configuration.

Step 7: Install Multiple VMs

To install multiple Guardium VMs, you can repeat the procedures for each appliance, or you can minimize your work by cloning the first Guardium VM that you created, and following these steps:

  1. Use the VMware virtual infrastructure server product to clone the first Guardium VM that you configured to a template.
  2. From the template, create a clone for each additional Guardium VM to be configured.
  3. For each clone, log in to the Guardium VM console as the cli user by using the temporary cli password and reset the IP configuration parameters: IP address, GLOBAL_ID (GID), hostname. The UNIQUE_ID (UID) is set automatically and does not require manual configuration. Make sure that you review all the IP configuration settings that you entered in the previous procedure.
    store network interface ip <ip_address> 
    store network interface mask <subnet_mask> 
    store product gid <n>
    store system hostname <host_name> 
    

    When you are done, enter the restart network command.

    restart network

    Important: The unique ID (UID) of the appliance is recalculated every time that the hostname changes to avoid having multiple appliances with the same unique ID.

    The global ID (GID) can be any number if it is unique and less than 9223372036854775808. This unique number is necessary during the cloning process. Obtain the global IDs from your other appliances and use a number that is unique for this clone.
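
The following is an added example, not part of the IBM documentation: a pre-flight check for the cloning procedure in Step 7 that rejects duplicate or out-of-range values before emitting the CLI commands shown above for each clone. The inventory values, the function names, and the lower bound of 0 for the GID are assumptions made for illustration.

```python
import ipaddress

GID_LIMIT = 9223372036854775808  # from the page: GID must be unique and below this
# Constructed sample data: GIDs already used by other appliances, and the clones.
EXISTING_GIDS = [1001]
CLONES = [
    {"hostname": "gcol02", "ip": "192.0.2.12", "mask": "255.255.255.0", "gid": 1002},
    {"hostname": "gcol03", "ip": "192.0.2.13", "mask": "255.255.255.0", "gid": 1003},
]

def validate_clones(clones, existing_gids=()):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    seen = {"ip": {}, "hostname": {}, "gid": dict.fromkeys(existing_gids, "an existing appliance")}
    for c in clones:
        name = c["hostname"]
        try:
            ipaddress.IPv4Interface(f"{c['ip']}/{c['mask']}")
        except ValueError as exc:
            problems.append(f"{name}: invalid ip/mask ({exc})")
        # Assumption: the GID is a non-negative integer (the page gives only the upper bound).
        if not (isinstance(c["gid"], int) and 0 <= c["gid"] < GID_LIMIT):
            problems.append(f"{name}: gid {c['gid']} is not in 0..{GID_LIMIT - 1}")
        for field, owners in seen.items():
            key = c[field].lower() if field == "hostname" else c[field]
            if key in owners:
                problems.append(f"{name}: {field} {c[field]} already used by {owners[key]}")
            else:
                owners[key] = name
    return problems

def cli_commands(clone):
    return [  # commands from the page, in the order the page lists them
        f"store network interface ip {clone['ip']}",
        f"store network interface mask {clone['mask']}",
        f"store product gid {clone['gid']}",
        f"store system hostname {clone['hostname']}",
        "restart network",
    ]

def plan(clones, existing_gids=()):
    problems = validate_clones(clones, existing_gids)
    if problems:
        raise ValueError("; ".join(problems))
    return {c["hostname"]: cli_commands(c) for c in clones}

if __name__ == "__main__":
    for host, commands in plan(CLONES, EXISTING_GIDS).items():
        print(f"# {host}\n" + "\n".join(commands))
```

The whole inventory is validated before any command list is produced, so a clone is never configured with a GID or IP address that a later entry would collide with.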