VM Installation Overview

To install the IBM® Security Guardium® VM, follow the steps that are described here. After you install the VM, return to earlier Step 3, Install the IBM Security Guardium image, and earlier Step 4, Initial Setup and Basic Configuration.

If you are installing multiple Guardium VM systems in a VMware VirtualCenter Management Server environment, you can create a template system from the first Guardium VM that you create, and then clone that template as necessary. Then, all you need to do is set the IP address on each cloned system. For more information, see the note following Step 7.

Step 1: Verify system compatibility

  1. Verify that the host is compatible with VMware's ESX Server (ESX 4.0 Update 4 and higher is the bare minimum to run a Guardium system). See the VMware document entitled Systems Compatibility Guide for ESX Server, which is available online in PDF format.
  2. Verify that a virtual machine installed on the host will be able to provide the minimum recommended resources for a Guardium system, whether you plan to use it as a collector, central manager, or aggregator. See the Minimum/Recommended Resources in the Hardware Requirements section of this document.
  3. When you create a 64-bit VM for the first time or upgrade a 32-bit VM to 64-bit, ensure that the virtual hardware is correctly configured for 64-bit operation. In some cases, you might need to perform an Upgrade Virtual Hardware operation. For information, refer to your VMware documentation.

Step 2: Install VMware ESX Server

If it is not already installed, install VMware ESX Server. VMware provides installation instructions on their website to help with installing and configuring the VMware Infrastructure and ESX server.

Note: The ESX server is only supported on a specific set of hardware devices. For more information, see the VMware Virtual Infrastructure documentation.

Step 3: Connect network cables

Before you define any virtual switches that will be used for the Guardium VM, you must connect the appropriate NICs to the network. You cannot assign NICs to virtual networks or switches until the NICs are physically connected.

The following table describes how the Guardium VM uses network interfaces. Refer to this table to make the appropriate connections before you configure the virtual switches for use by the Guardium VM.

Table 1. IBM Security Guardium VM Network Interface Use
Interface Description
Proxy interface (the primary interface) This interface is the main gateway to the appliance, and is used for these purposes:
  • Graphical web-based User Interface (GUI) to manage, configure, and use the solution
  • Command Line Interface (CLI) for initial setup and basic configuration
  • Connections with external systems such backup systems, database servers, and LDAP server
  • Communication with other Guardium components such as other appliances (aggregator, central manager) and agents that are installed on database or file servers such as S-TAP® or CAS clients
Application server interface (the secondary interface) This interface is required if you configure your Guardium system as a transparent proxy. It connects to the application servers whose content your Guardium system is configured to mask.

Step 4: Configure the Guardium VM management portal

The default configuration for a new VMware ESX Server installation creates a single port group for use by the VMware service console and all virtual machines. For the Guardium VM, we strongly recommend that you do not share ports with the VMware console or any other virtual machine. Follow these instructions to create one or more virtual switches to be used by a Guardium VM.

VM Infrastructure client
  1. Open the VMware VI Client, and log on to either a VirtualCenter Server, or the ESX Server host on which you want to create a new virtual machine.
  2. If you are logged in to a VirtualCenter Server, click Inventory in the navigation bar, and expand the inventory as needed to display the managed host or cluster on which you plan to install a Guardium VM.
  3. In the inventory display, click the host or cluster on which you plan to install a Guardium VM.
  4. Click Configuration tab, click Networking in the Hardware box, and then click Add Networking.
    Configuration, Networking, Add Networking

    This opens the Add Network Wizard, which is used for various purposes.

    Use the Add Network Wizard to define a new virtual switch for the Guardium VM network interface. This is the connection over which you will access the Guardium VM management console, and over which the Guardium VM will communicate with other Guardium components (S-TAPs, for example, which are software agents that you will install later on one or more database servers).

  5. In the Connection Types box, click Virtual Machine and click Next.
  6. In the Network Access panel, click Create a virtual switch, and mark the unclaimed network adapter that you will use for the Guardium VM network interface.
    Create a virtual switch
  7. Optionally mark a second unclaimed network adapter if want to use the VMware IP teaming capability to provide a secondary (failover) network interface. Later, you will designate this second adapter as a Standby Adapter (and of course, you must cable both NICs appropriately).
  8. Click Next to continue to the Connection Settings page of the Add Network Wizard.
  9. In the Network Label box, enter a name for the virtual machine port group, for example: GuardETH0, and click Next.
    Virtual Switch, Vswitch
  10. In the Summary page, click Finish. The new virtual switch is displayed in the Configuration tab.
  11. Optional. If you have defined a second adapter for failover purposes: (a) Click Properties link for the virtual switch just created to open the virtual switch Properties panel. (b) Click Ports tab and select the virtual port group just created (GuardETH0 in the example), and click Edit. (c) In the virtual port group Properties panel, click NIC Teaming tab, mark the Override vSwitch Failover box, and then move the second adapter to the Standby Adapters list. (d) Click OK to close the virtual port group Properties box, and click Close to close the virtual switch Properties box.
Network Adapters
Override Switch Failover

Step 5: Create a new virtual machine

If you have not already done so, create a new virtual machine on which to install a Guardium VM.

Perform this task by using the VMware VI Client.

  1. Open the VMware VI Client, and log on to either a VirtualCenter Server, or the ESX Server host on which you want to create a new virtual machine.
  2. If you are logged in to a VirtualCenter Server, click Inventory in the navigation bar, expand the inventory as needed, and select the managed host or cluster to which you want to add the new virtual machine.
  3. From the File menu, click New – Virtual Machine to open the configuration Type panel of the New Virtual Machine wizard.
  4. Click Typical as the configuration type, and click Next to continue with the Name and Folder panel.
  5. On the Name and Folder panel:

    Enter a name for the new virtual machine in the Virtual Machine Name field. This name appears in the VI Client inventory and is also used as the name of the virtual machines files.

    To set the inventory location for the new virtual machine, select a folder or the root location of a datacenter from the list under Virtual Machine Inventory Location.

    Click Next.

  6. If your host or cluster contains resource pools, the Resource Pool panel is displayed, and you must select the resource (host, cluster, or resource pool) in which you want to run the virtual machine. Click Next.
  7. On the Datastore panel, optionally select a datastore in which to store the new virtual machine files, and click Next.
  8. In the Choose the Guest Operating System panel, choose the operating system that corresponds to the Guardium image that you are installing. Click Linux > RedHat Enterprise Linux 7, 64-bit from the Version box, and click Next.

    The operating system is not installed now, but the OS type is needed to set appropriate default values for the virtual machine.

    For VM minimum resources, refer to the Hardware Requirements in the Before you begin section.

  9. On the Virtual CPUs panel, select the number of CPUs recommended for the type of Guardium VM being installed, and click Next.
  10. On the Memory panel, select the amount of memory recommended for the type of Guardium VM being installed, and click Next. Important: the initial value must be at least 16 GB. If customers want to work outside the required range, consult with Technical Support.
  11. On the Network panel, click 1 as the number of ports that are required, and click Next.
  12. For the selected port, use the Network pull-down menu to choose a port group configured for virtual network use. (You should have defined this port group in the previous procedure.)
  13. For the selected port group, mark the Connect at Power On check box (it should be marked by default), and click Next.
  14. On the Virtual Disk Capacity panel, enter the amount of disk space to reserve for the new virtual machine in the Disk Size field.
  15. On the Ready to Complete panel, verify your settings and click Finish.

This completes the definition of the new virtual machine. The operating system has not yet been installed, so if you attempt to start the virtual machine, that activity will fail.

Step 6: Install the Guardium system

Perform this task using the VMware Virtual Infrastructure Client.

  1. Open the VMware VI Client, and log on to either a VirtualCenter Server, or the ESX Server host on which you want to create a new virtual machine.
  2. If logged into a VirtualCenter Server, click Inventory in the navigation bar, expand the inventory as needed, and select the virtual machine on which you want to install the Guardium VM.
  3. On the Summary tab, click Edit Settings.
  4. Click CD/DVD Drive 1.
  5. Select one of the following options to determine from where the virtual DVD device will read the Guardium Installation program. We strongly recommend the first option:

    Datastore ISO File – Connect to the Guardium Installation ISO file on a datastore. If you have not already done so, copy the Guardium ISO files to a datastore accessible from the ESX Server host on which the virtual machine is installed. Click Browse to select the file.

    Caution: For the remaining options, you will place the Guardium Installation DVD in a DVD drive. If you reboot any system with an Guardium Installation DVD in its DVD drive, you will install Guardium on that system, wiping out the host operating system and files.

    Client Device – Connect to a DVD device on the system on which you are running the VI Client. If you select this option, insert the Guardium DVD in the DVD drive of the system on which the VI Client is running.

    Host Device – Connect to a DVD device on the ESX Server host machine on which the virtual machine is installed. If you select this option, choose the device from a drop-down menu, and insert the Guardium DVD in the DVD drive of the ESX Server host machine.

  6. Click OK.
  7. Click Power On to start the virtual machine.
  8. If you selected Client Device as your DVD Drive option, click Virtual CD-ROM (ide0:0) in the toolbar, and select the local DVD device to connect to.
  9. Click Console tab to display the virtual machine console.
  10. When asked if building a collector or aggregator, choose the appropriate type.

    Caution: If a DVD drive was used, the DVD ejects when the installation completes. Be sure to remove the installation DVD from that drive. If the ISO file was used, be sure to remove the ISO CD ROM by changing the virtual CD/DVD back to a Client or Host Device. Otherwise, the next time it is rebooted, you will install Guardium on the host machine, wiping out the host machine operating system and all files.

    The machine will reboot automatically, and you will be prompted to log in as the CLI user.

  11. At this point, return to Step 4, Set up Initial and Basic Configurations for complete instructions on configuration of the Guardium system.

Step 7: Install Multiple VMs

(Optional) To install multiple GuardiumVMs, you can repeat the procedures for each appliance, or you can minimize your work by cloning the first Guardium VM that you created, and following these steps:

  1. Use the VMware virtual infrastructure server product to clone the first Guardium VM that you configured to a template.
  2. From the template, create a clone for each additional Guardium VM to be configured.
  3. For each clone, log in to the Guardium VM console as the cli user by using the temporary cli password and reset any of the IP configuration parameters that you set in the previous procedure. Mandatory tasks: reset the IP address, reset the GLOBAL_ID (GID), and reset the host name. The UNIQUE_ID (UID) is set automatically and does not require manual configuration. Be sure to review all of the IP configuration settings entered in the previous procedure.
    store network interface ip <ip_address> 
    store network interface mask <subnet_mask> 
    store product gid <n>
    store system hostname <host_name> 
    

    When you are done, enter the restart network command.

    restart network 
    Note: The unique ID (UID) of the appliance is recalculated every time the hostname changes in order to avoid having multiple appliances with the same unique ID.
    Note: The global ID (GID) can be any number so long as it is unique and less than 9223372036854775808. During the cloning process this unique number is necessary. Please obtain the global IDs from your other appliances and use a number that is unique for this clone.