Installing patches

Provides visibility and control over patch installation, status, and history.

1. Install one or more patches to the central manager by using the following command:
   Remember: A compressed patch file may contain multiple patches, but only one patch can be installed at a time. To install more than one patch, choose all the patches that need to be installed, separated by commas. Internally the CLI submits requests for each patch on the list, in the order that is specified by the user. The first patch takes the request time that is provided by the user and each subsequent patch three minutes after the previous one. In addition, CLI checks to see whether one or more specified patches are already requested and will not allow duplicate requests.

   store system patch install <type> <date> <time>

   where <type> is sys, ftp, scp, or cd and <date> and <time> are the patch installation request date and time formatted as YYYY-mm-dd and hh:mm:ss. If date and time are not entered or if now is entered, the installation request time is NOW.

   Table 1. Patch installation type descriptions and parameters

   Name	Description
   sys	The sys option is for use when you install a second or subsequent patch from a compressed file that has been copied to the Guardium system by using this command previously. Use this option to apply a second or subsequent patch from a patch file that has been copied to the IBM® Guardium system by a previous store system patch execution. Install from /var/log/guard/patches
   ftp or scp	The ftp and scp options copy a compressed patch file from a network location to the Guardium system. To install a patch from a compressed patch file located somewhere on the network, use the ftp or scp option, and respond to the prompts shown as follows: Important: Patches downloaded in ZIP format must be unzipped outside the Guardium system before uploading and installing. Observe the following restrictions for any patch with database structure changes: Perform or schedule the patch installation during quiet time on the Guardium system to avoid conflicts with long-running processes such as heavy reports, audit processes, backups, and imports. The exact time required for patch installation depends on database utilization, data distribution, and other considerations. Install patches in a top-down manner, first patching a central manager before patching aggregators and finally collectors. Please enter the following information for file transfer: Host to import patch from: User on (host name): Full path to the patch, including name (file name may use wildcard *): (LDAP password)Password: Enter the scp/ftp port if you need to use a special port, else just press Enter key to continue: The file transfer process can take a while to complete. Leave the terminal open and do not answer any questions until the transfer is complete. Starting transfer, please wait. The file transfer is complete. Do you want to continue (yes or no)? yes List the files in the patches directory: 1. (name of file) Please choose patches to install (1-1, or multiple numbers separated by ",", or q to quit): 1 Install item 1 Patch has been submitted, and will be installed according to the request time, please check installed patches report or CLI (show system patch installed). Please don't forget to remove your media if necessary.
   cd	The cd option is for use in installing the patch from a DVD disk. To display a complete list of applied patches, see the Installed Patches report on the Guardium Monitor tab of the administrator portal. There is also an Available Patches report on this same Guardium Monitor tab. To install a patch from a DVD, insert the DVD into the IBM Guardium DVD ROM drive before you run this command. A list of patches that are contained on the DVD is displayed.

   • To delete a patch install request, use the CLI command delete scheduled-patch
     Important: Patches remain after installation only on the central manager. Standalone or managed unit patch files are deleted after installation.
   • To display the available patches: show system patch available
   • To display the already installed patches and patches scheduled to be installed—showing date/time and the install status: show system patch installed.
   • Use the fileserver command to start an HTTPS-based file server that is running on the Guardium appliance. This facility is intended to ease the task of uploading patches to the unit, or downloading debugging information from the unit. Each time this facility starts, it deletes any files in the directory to which it uploads patches.
     Note: Any operation that generates a file, that the fileserver accesses, must finish before the fileserver is started (so that the file is available for the fileserver).
     1. To start the file, enter the fileserver command: fileserver
     2. Starting the file server. You can find it at https://(name of unit)
     3. Press Enter to stop the file server.
     4. Open the fileserver in a browser window, and do one of the following tasks:
        • To upload a patch, click Upload a patch and follow the directions.
        • To download log data, click Sqlguard logs, go to the file you want, right-click on it, and download as the file.
     5. When you are done, return to the CLI session and press Enter to terminate the session.
2. Use the UI to move one or more patches from central manager to managed units.
   1. Click Manage > Central Management > Central Management.
   2. From the Central Management page, select managed units to receive the patch and click Patch Distribution.
   3. From the Patch Distribution page, select the patches to distribute.

      The Patch Distribution page displays an available patch list with dependencies. On the page, you can select a patch and install it to all selected units. The list of available patches is generated by retrieving all available patches, evaluating the currently installed patches on each selected unit, and considering the dependency list of available patches. Patches available but not installable (a dependent patch is missing) are shown in the list as not available for selection. The selection of patch to install is a single selection: only one patch can be installed at a time.

   4. 
      
   5. Click Install Patch Now to install the patch immediately.If you want to schedule patch installation for the future, click Schedule Patch.
      Remember: After clicking Install Patch Now, a command is sent to all selected units to install that patch. The process of installing patches happens in the background.
   6. Click Central Management > Central Management > Patch Distribution.
   7. Click Patch Installation Status. The Patch Installation Status screen displays failed installations and discrepancies for each unit. The discrepancies include cases where a patch is installed on only some units, whether it failed on others or was not installed.