Installing the GIM client on a UNIX server

Edit online

Learn how to install the GIM client on UNIX database servers.

Before you begin

Disk space requirements
  • Perl 5.8 (and up)
  • 1 GB of space to accommodate all GIM modules (including maintaining a copy of the previous and current installed versions). Without FAM, 300 MB.
Port requirements
  • 8445: GIM client listener, both directions. Any GIM server on either the central manager or the collector can communicate with the GIM client.
  • 8443: (Discovery) Used for communication between the DB server and the Guardium appliance, and for uploading features.
  • 8446: Used between the GIM client and the GIM server (on the central manager or collector) for authenticated TLS, both directions, custom kernel upload, MustGather loggers upload. If GIM_USE_SSL is enabled (default), then the GIM client attempts to communicate its certificate by using port 8446. If port 8446 is not open, then it defaults to 8444, but no certificate is passed (for example, TLS without verification).
  • 8081: Used between the GIM client and the GIM server (on the central manager or collector) for non-TLS (but with message signing verification), both directions, custom kernel upload, MustGather loggers upload. In this scenario, the parameter GIM_USE_SSL must be disabled (=0).

About this task

You can install and use the GIM client in a Solaris secondary zone or an AIX workload partition (WPAR). This enables you to use the GIM client to install an S-TAP® in a secondary zone or WPAR. When you install an S-TAP in a secondary zone or WPAR, the K-TAP is disabled, regardless of the setting of the ktap_enabled parameter. You can also use the GIM client to install the Configuration Auditing System (CAS) agent in a secondary zone or WPAR. You cannot install the discovery bundle in a secondary zone or WPAR; the discovery agent that is running on the global zone can collect information from other zones.

The process for installing the GIM client in a Solaris secondary zone or an AIX workload partition is the same as the process for installing in the primary zone. The installation can take a few seconds longer than installing in the primary zone. If you install the GIM client on a Solaris system with primary and secondary zones, you must install the client in the same location on the primary and secondary zones. This location cannot be a shared directory.

On Solaris, the GIM supervisor process that runs in the primary zone controls the GIM client and supervisor in each secondary zone. If the supervisor process on the primary zone is shut down, all GIM processes on the secondary zones are shut down as well.

Table 1. Installation parameters
Parameter Description
dir Target directory of the GIM client installation.
tapip The IP address or FQDN of the database server or node on which the GIM client is being installed.
sqlguardip The collector IP address/hostname that the GIM client connects to. If it is not specified, the GIM client installs in “Listener mode".
perl Path to Perl script. For example: /usr/bin/
ca_file Full file name path to the Certificate Authority PEM file.
key_file Full file name path to the private key PEM file.
cert_file Full file name path to the certificate PEM file.
listener_port Listener port for registration with appliance. Default = 8445.
shared_secret Set the shared secret to verify collectors.
no_listener Disables "Listener mode" even if sqlguardip is not specified.
install_customed_bundles Allow GIM clients to install custom bundles.
  • 0: no
  • 1: yes
failover_sqlguardip The IP address/hostname of the secondary collector with which this GIM client communicates.
allow_ip_hostname_combo Enables GIM client uniqueness across database servers with "common" hostname.
  • 0: no
  • 1: yes
    • If GIM_CLIENT_IP is an IP address, the GIM client hostname is a combination of the <hostname>_<GIM_CLIENT_IP>.
    • If GIM_CLIENT_IP is set with an IP address and the GIM_ALLOW_IP_HOST_COMBO is enabled, GIM's hostname is a combination of the <hostname>_<GIM_CLIENT_IP>. This setting allows GIM clients uniqueness across database servers with "common" hostname.
You cannot set GIM_CLIENT_IP with a "common" hostname. This setting is considered as an attempt to register with a duplicate identifier.
auto_set_gim_tapip When the value is set to 1, a local IP is automatically assigned. Do not specify both auto_set_gim_tapip and tapip when you install the GIM client.
  • 0: no
  • 1: yes
The default value is 0.
Note: Install the GIM client first on the primary zone, then on the local.

Procedure

  1. Place the GIM client installer on the database server in any folder.
  2. Run the installer: ./<installer_name> [-- --dir <install_dir> <--sqlguardip> <g-machine ip> --tapip <db server ip address> --perl <perl dir> -q].
    The installer name has the syntax: guard-bundle-GIM-<release build>-<DB>-<OS>_<bit>.gim.sh. For example:
    guard-bundle-GIM-10.5.0_r103224_v10_5_1-rhel-6-linux-x86_64.gim.sh
    Attention:
    • Omit the --sqlguardip parameter to install the client in GIM listener mode. Listener mode makes the GIM client available for remote registration from a Guardium® system. For more information, see GIM remote activation and Creating a GIM auto-discovery process.
    • When cloning database servers and establishing large deployments, use --auto_set_gim_tapip to allocate a random IP address from one of the valid IP addresses of a database server. Do not specify both auto_set_gim_tapip and tapip when you install the GIM client. Update the GIM_AUTO_SET_CLIENT_IP parameter after GIM client installation by using Manage > Module Installation > Set up by Client.
  3. Verify that the files are added.
    On Red Hat Enterprise Linux 7 or later, GIM service files are managed by the systemd services and are typically located within /etc/systemd/system/. You can view their contents by running the following commands:
    systemctl cat guard_gim.service
systemctl cat guard_gsvr.service
    On Red Hat Enterprise Linux 6, GIM service files are managed by the Upstart service manager and are typically located within /etc/init/, such as /etc/init/gim* or /etc/init/gsvr*. Run the following commands to verify that the files are added:
    ls -la /etc/init/gim*
ls -la /etc/gsvr*
    On Solaris, version 10 or later, run the following command:
    ls /lib/svc/method/guard_g*
    On all other platforms, run the following commands to verify that the following new entries were added to /etc/inittab:
    gim:2345:respawn:<perl dir>/perl <modules install dir>/GIM/<ver>/gim_client.pl
gsvr:2345:respawn:<modules install dir>/perl <modules install dir>/SUPERVISOR/<ver>/guard_supervisor
    where modules install dir is the directory where all GIM modules are installed, for example, /usr/local/guardium/modules.
  4. Enter the following command to verify that the GIM client, SUPERVISOR process, and modules are running:
    ps -afe | grep modules
  5. Log in to the Guardium system and check the Process Monitoring status.