Customer Uploads

The Database Protection Subscription Service supports the maintenance of predefined assessment tests, SQL based tests, CVEs, APARs, and groups such as database versions and patches.

Uploads are used to keep information current and within industry best practices to protect against newly discovered vulnerabilities. Updates are distributed quarterly.

Use Customer Uploads to upload the following types of files: DPS update files, Oracle JDBC drivers, MS SQL Server JDBC drivers, and DB2 for z/OS license jar files.

Note: If a custom group exists with the same name as a predefined Guardium® group, the upload process adds Guardium in front of the name for the predefined group.
  1. Open Customer Uploads by clicking Harden > Vulnerability Assessment > Customer Uploads.
  2. For DPS Upload, click Browse to locate and select the file to be uploaded.
    1. Navigate to Harden > Vulnerability Assessment > Customer Uploads.
    2. In the DPS Upload section, click Browse and choose the latest DPS update file, then click Upload.
    3. In the Import DPS section, click to import the DPS update.
    Note: The DPS file can take a long time to install. If you restart the browser, the install stops. Either keep the Customer Upload window open until you see a status message, or use the CLI command show dps to check install status. Reference the Import DPS pane to see what files have been uploaded.
  3. For Upload DB2 z/OS License jar, click Browse to locate and select the file.
  4. Use Upload Oracle JDBC driver or Upload MS SQL Server JDBC driver to upload open source drivers. After the upload finishes, you will see the databases that are added to the Select datasource window. Upload one driver at a time.
    Note: There are two instances where open source drivers are recommended over Oracle Data Direct drivers or MS SQL Data Direct drivers.
    1. To support Windows Authentication for MS SQL Server. In all other uses, the Data Direct driver pre-loaded in the Guardium appliance is sufficient.
    2. When you use the Value Change Tracking application for Oracle version 10 or higher, the open-source driver is recommended in order to support the use of streams instead of triggers.

    Use keywords to search and download open source JDBC drivers (for example: open source JDBC driver for MS SQL).

  5. Use the Central Manager to distribute the .jar file to managed units. After the file is successfully uploaded, the GUI needs to be restarted on the Central Manager and the managed units.
Note: If you will be exporting and importing definitions from one unit to another, be aware that subscribed groups are not exported. When you export definitions that reference subscribed groups, ensure that all referenced subscribed groups are installed on the importing unit (or central manager in a federated environment).

When uploading DB2® z/OS® license jar files, the license will take effect after restart of the GUI.

Note: If the DPS stops for any reason (for example, a server restart or a GUI restart), it is recommended to wait 30 minutes before starting the DPS upload process again.

Enable ASO on the Oracle server using latest Oracle DataDirect driver

Refer to the following information when you enable ASO on the Oracle server that uses the latest Oracle DataDirect driver.

SQLNET.CRYPTO_CHECKSUM_SERVER = required

SQLNET.ENCRYPTION_SERVER = required

SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, AES192, AES128)

#SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA256)

SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1)

The Oracle JDBC driver will work and does not require specifying a connection property. Download the latest Oracle JDBC driver that is compatible with your database version, then upload that driver to the system using the Guardium Customer Uploads function.

If you continue to use the Oracle DataDirect driver, you need to specify a connection property on the datasource.

Use the following when defining the Oracle DataDirect driver connection property:

DataIntegrityLevel=required;EncryptionLevel=required;DataIntegrityTypes=(MD5,SHA1)

Note: The current Oracle DataDirect driver does not support SHA-256, so SHA-1 has to be used. That is why the sqlnet.ora line #SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA256) is commented out. If a Guardium customer must connect using SHA-256, they need to use the Oracle JDBC driver instead.
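
Added example (not part of the original documentation or of Guardium): a Python check that reads the sqlnet.ora settings shown above, confirms that encryption and checksumming are required, and tests whether the DataDirect connection property shares a checksum type with the server. The constant and function names are assumptions made for this sketch.

```python
# Constructed from the sqlnet.ora lines and the property string on this page.
PAGE_SQLNET = """\
SQLNET.CRYPTO_CHECKSUM_SERVER = required
SQLNET.ENCRYPTION_SERVER = required
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, AES192, AES128)
#SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA256)
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1)
"""
PAGE_PROP = "DataIntegrityLevel=required;EncryptionLevel=required;DataIntegrityTypes=(MD5,SHA1)"


def _values(raw):
    """Split 'required' or '(A, B)' into an upper-cased list."""
    return [v.strip().upper() for v in raw.strip().strip("()").split(",") if v.strip()]


def parse_sqlnet(text):
    """Return {PARAMETER: [values]} for active (non-# comment) lines."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, raw = line.split("=", 1)
            params[key.strip().upper()] = _values(raw)
    return params


def parse_property(prop):
    """Parse the semicolon-separated DataDirect connection property."""
    pairs = (p.split("=", 1) for p in prop.split(";") if "=" in p)
    return {k.strip(): _values(v) for k, v in pairs}


def review(sqlnet_text, datadirect_prop):
    """List findings for the ASO settings and DataDirect compatibility."""
    cfg, dd = parse_sqlnet(sqlnet_text), parse_property(datadirect_prop)
    findings = []
    for name in ("SQLNET.ENCRYPTION_SERVER", "SQLNET.CRYPTO_CHECKSUM_SERVER"):
        if cfg.get(name) != ["REQUIRED"]:
            findings.append(f"{name} is not set to required")
    sums = set(cfg.get("SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER", []))
    if not sums & set(dd.get("DataIntegrityTypes", [])):
        findings.append("no checksum type shared with DataDirect; use the Oracle JDBC driver")
    if "SHA256" not in sums:
        findings.append("SHA256 not offered; integrity uses " + ",".join(sorted(sums)))
    return findings
```

Run against the settings on this page, review(PAGE_SQLNET, PAGE_PROP) reports only that SHA256 is not offered; with a SHA256-only server it reports that the DataDirect property has no checksum type in common.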

Data Direct references:

https://www.progress.com/documentation/datadirect-connectors

Download the Oracle database JDBC User's Guide PDF for a list of command references.

Use a tab-delimited file (.TXT) when creating and saving a Datasource Upload file from the Customer Upload functionality

If you choose to use a comma-delimited file structure (.CSV), it will not behave as intended if any column value contains a comma.

Follow these steps:
  1. If using Excel, save the file as a tab-delimited (.TXT) file.
  2. If using OpenOffice or LibreOffice, save a (.CSV) file with TAB delimiters.
  3. Log in as admin and open Customer Uploads by clicking Harden > Configuration Change Control (CAS Application) > Customer Uploads.
  4. For Upload CSV to Create/Update Datasources, click Browse..., and select the tab-delimited file.

Upload CSV file to create or update datasources

Follow these steps to create a tab-delimited .TXT file containing datasource information. This file can then be used with the Customer Upload function in the Guardium application to upload many datasource types.

The function to import datasources was not always compatible with each Guardium software release. This procedure enables the uploading of any datasource.

The following is a list of Header Columns that should be added to an Excel spreadsheet when creating the .TXT tab-delimited datasource upload file:

Column Values (accepted for .CSV datasource upload file)

Table 1. create_datasource
Parameter Description
application

Required. Identifies the application for which the datasource is being defined. It must be one of the following:

ChangeAuditSystem

Access_policy

MonitorValues

DatabaseAnalyzer

AuditDatabase

CustomDomain

Classifier

AuditTask

SecurityAssessment

Replay

Stap_Verification

compatibilityMode

Compatibility Mode: Choices are Default or MSSQL 2000. The processor is told what compatibility mode to use when monitoring a table.

conProperty

Optional. Use only if additional connection properties must be included on the JDBC URL to establish a JDBC connection with this datasource. The required format is property=value, where each property and value pair is separated from the next by a comma.

For a Sybase database with a default character set of Roman8, enter the following property: charSet=utf8

customURL

Optional. Connection string to the datasource; otherwise connection is made using host, port, instance, properties, etc. of the previously entered fields. As an example this is useful for creating Oracle Internet Directory (OID) connections.

dbInstanceAccount

Optional. Database Account Login Name (software owner) that will be used by CAS.

dbInstanceDirectory

Optional. Directory where database software was installed that will be used by CAS.

dbName

Optional. For a DB2 or Oracle datasource, enter the schema name. For others, enter the database name.

description

Optional. Longer description of the datasource.

host

Required. Can be the host name or the IP address.

name

Required. Provides a unique name for the datasource on the system.

owner

Required. Identifies the Guardium user account that owns the datasource.

password

Optional. Password for owner. If used, user must also be used.

port

Optional (integer). Port number.

serviceName

Required for Oracle, Informix®, DB2, and IBM® ISeries. For a DB2 datasource, enter the database name. For others, enter the service name.

severity

Optional. Severity Classification (or impact level) for the datasource.

shared

Optional (boolean). Set to true to share with other applications. To share the datasource with other users, you will have to assign roles from the GUI.

type

Required. Identifies the datasource type. For a list of supported datasource types, use the list_db_drivers API command:

grdapi list_db_drivers

For more information, see list_db_drivers.

user

Optional. User for the datasource. If used, password must also be used.

role

Optional. One or more user roles that can access the datasource. Separate roles by using a semicolon.

environmentTitle

Required for cloud database service protection. Account name.

region

Required for cloud database service protection. The AWS region.

objectLimit

Required for cloud database service protection with native audit. The maximum number of objects found in the classification process that are added automatically to the list of audited objects. See Cloud database service protection.

primaryCollector

Relevant for cloud database service protection. The collector that extracts the audit data from the cloud database.

Notes:
  1. Each of the column names must be included in the Excel spreadsheet SAVED as a tab-delimited (.TXT) file.
  2. The Created Datasource name (what is shown when looking for the datasource) is made up of both the name column and the type column.
  3. Upload file MUST be saved as a Column Tab Delimited file type.

Steps to create and upload a .txt file in Text CSV format and add datasource data

  1. Create the Excel spreadsheet file and save it as a tab-delimited .TXT file with the following headers and datasource data to support the datasource import capability.
  2. Create and save your .txt file to your PC or UNIX/Linux device for uploading into the Guardium application.
  3. Log in as admin and open Customer Uploads by clicking Harden > Configuration Change Control (CAS Application) > Customer Uploads.
  4. From Upload CSV to Create/Update Datasources, click Browse and select the .txt file containing the tab-delimited datasource information.
  5. Click Upload.

A message displays showing which values from the .txt file were uploaded:

  1. New: Per file upload, if you saved the file and added new datasource members, these members return the status of New.
  2. Update: Uploading the same datasource on which you made changes returns an Update status.
  3. Fail: Displays failed datasources or errors.
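
Added example (not part of the original documentation or of Guardium): a Python sketch that checks datasource rows against the rules in Table 1 and renders the tab-delimited upload file. The column order, the sample host, name and owner, and the type placeholder are assumptions; the conProperty value is the DataDirect string quoted on this page, and its comma is what a comma-delimited file would split on.

```python
# Column names from Table 1 on this page; the order is an assumption.
COLUMNS = ["application", "compatibilityMode", "conProperty", "customURL",
           "dbInstanceAccount", "dbInstanceDirectory", "dbName", "description",
           "host", "name", "owner", "password", "port", "serviceName",
           "severity", "shared", "type", "user", "role", "environmentTitle",
           "region", "objectLimit", "primaryCollector"]
REQUIRED = ["application", "host", "name", "owner", "type"]
APPLICATIONS = {"ChangeAuditSystem", "Access_policy", "MonitorValues",
                "DatabaseAnalyzer", "AuditDatabase", "CustomDomain",
                "Classifier", "AuditTask", "SecurityAssessment", "Replay",
                "Stap_Verification"}
# Constructed sample row. The type value is a placeholder (take the real one
# from `grdapi list_db_drivers`); conProperty is the string quoted on this page.
SAMPLE = {"application": "SecurityAssessment", "host": "db01.example.com",
          "name": "hr-prod", "owner": "admin", "port": 1521,
          "type": "TYPE_FROM_list_db_drivers",
          "conProperty": "DataIntegrityLevel=required;EncryptionLevel=required;"
                         "DataIntegrityTypes=(MD5,SHA1)"}


def validate(row):
    """Return a list of problems found in one datasource row (a dict)."""
    errs = [f"unknown column {k}" for k in row if k not in COLUMNS]
    errs += [f"missing {k}" for k in REQUIRED if not row.get(k)]
    if row.get("application") and row["application"] not in APPLICATIONS:
        errs.append("application not in the accepted list")
    if bool(row.get("user")) != bool(row.get("password")):
        errs.append("user and password must be used together")
    if row.get("port") and not str(row["port"]).isdigit():
        errs.append("port must be an integer")
    if any(c in str(v) for v in row.values() for c in "\t\r\n"):
        errs.append("tab or newline inside a value breaks the row")
    return errs


def build_upload(rows):
    """Render rows as tab-delimited text with the header line first."""
    for i, row in enumerate(rows, 1):
        errs = validate(row)
        if errs:
            raise ValueError(f"row {i}: " + "; ".join(errs))
    lines = ["\t".join(COLUMNS)]
    lines += ["\t".join(str(r.get(c, "")) for c in COLUMNS) for r in rows]
    return "\n".join(lines) + "\n"
```

When the user and password columns are filled in, the resulting file holds database credentials in clear text, so write it with owner-only permissions and delete it once the upload reports New or Update.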