Patching Guardium Data Security Center

Apply a patch to Guardium Data Security Center to go to the next minor version.

Before you begin

Prepare to patch or upgrade Guardium Data Security Center and read the latest patch release notes. For more information, see Guardium Data Security Center overview and release notes.

Your environment must meet these prerequisites before you can patch Guardium Data Security Center:

In the following instructions, <current_version> refers to the version of Guardium Data Security Center that is installed on your system, and <new_version> refers to the version of Guardium Data Security Center that you are upgrading to.

Procedure

  1. Download the catalog and operator from the CASE files to your local directory.
    export ICS_USER=<ICS Admin User>
    export ICS_PASS=<ICS PASS>
    export NAMESPACE=<Namespace where GI is installed>
    export CP_REPO_USER=cp
    export CP_REPO_PASS=<cp key for ER>
    export CASE_NAME=ibm-guardium-data-security-center
    export CASE_VERSION=<CASE_VERSION>
    export LOCAL_CASE_DIR=$HOME/.ibm-pak/data/cases/$CASE_NAME/$CASE_VERSION
    
    oc ibm-pak get $CASE_NAME \
    --version $CASE_VERSION \
    --skip-verify
    
    Specify the CASE_VERSION for the version of Guardium Data Security Center you are deploying.
  2. Verify that you are logged in to the IBM Cloud® Private command-line interface (CLI). Logging in to this CLI also authenticates your account to use the OpenShift CLI. To log in, run the following command:
    oc login -u <openshift_username> -p <openshift_password> --server=https://<ICP_hostname>:6443
    • <ICP_hostname> is your Cloud Private server, for example https://cp-console.apps.myserver.com
    • <openshift_username> is your OpenShift username.
    • <openshift_password> is your OpenShift password.
  3. Verify that Guardium Data Security Center is reconciled to the previous version by running the following command:
    oc get guardiumdatasecuritycenter

    The expected results are similar to the following example:

    NAME      TYPE    STATUS   REASON      MESSAGE                    DESIRED_VERSION   INSTALLED_VERSION
    staging   Ready   True     Completed   Completed Reconciliation   3.6.0             3.6.0
  4. Run this command to determine the version of IBM Cloud Pak® foundational services that is installed on your system:
    oc get csv -n ibm-common-services | grep foundational

    Note the version number (<version_number>) in the output:

    ibm-common-service-operator.<version_number> IBM Cloud Pak foundational services <version_number> ibm-common-service-operator.<version_number> Succeeded

    Guardium Data Security Center requires IBM Cloud Pak foundational services 4.6.x.

  5. If you are using an OpenShift Data Foundation (ODF) storage class, run the Guardium Data Security Center preinstall script:
    oc ibm-pak launch $CASE_NAME \
      --version $CASE_VERSION \
      --namespace ${NAMESPACE} \
      --inventory install \
      --action preInstall \
      --tolerance 1 \
      --args "-n ${NAMESPACE} -h <DB_worker_host> -l true"
    <DB_worker_host> is the worker node name on which you want to host Db2®.
    Important: When you run the preinstall script during a Guardium Data Security Center patch, the Db2 worker node (<DB_worker_host>) must match the same set of nodes that were set during installation. If there is more than one, provide them in a comma-separated list.
  6. Install the IBM® Certificate Manager and IBM Common Services.
    1. Create a namespace ibm-cert-manager for the IBM Certificate Manager.
      oc create namespace ibm-cert-manager
    2. Set the environment variable for the --inventory parameter.
      export CERT_MANAGER_INVENTORY_SETUP=ibmCertManagerOperatorSetup
    3. Install the IBM Certificate Manager catalog.
      oc ibm-pak launch $CASE_NAME \
      --version $CASE_VERSION \
      --action install-catalog \
      --inventory $CERT_MANAGER_INVENTORY_SETUP \
      --namespace openshift-marketplace \
      --args "--inputDir ${LOCAL_CASE_DIR}"
  7. Install IBM Common Services in the same namespace as your Guardium Data Security Center installation.
    export NAMESPACE=<GDSC-NAMESPACE>
  8. Set the environment variable for the --inventory parameter.
    export ICS_INVENTORY_SETUP=ibmCommonServiceOperatorSetup
  9. Install the IBM Common Services catalog.
    oc ibm-pak launch $CASE_NAME \
    --version $CASE_VERSION \
    --action install-catalog \
    --inventory $ICS_INVENTORY_SETUP \
    --namespace ${NAMESPACE} \
    --args "--registry icr.io --recursive \
    --inputDir ${LOCAL_CASE_DIR}" 
  10. Uninstall IBM Common Services version 3.x.x by using the following script.
    ./uninstall_tenant.sh --operator-namespace ibm-common-services
  11. Install the catalog.
    oc ibm-pak launch $CASE_NAME \
      --version $CASE_VERSION \
      --namespace openshift-marketplace \
      --inventory install \
      --action install-catalog \
      --args "--inputDir ${LOCAL_CASE_DIR}" --tolerance 1
  12. Install the operator.
    oc ibm-pak launch $CASE_NAME \
      --version $CASE_VERSION \
      --namespace ${NAMESPACE} \
      --inventory install \
      --action install-operator \
      --tolerance 1 \
      --args "--registry cp.icr.io --user ${CP_REPO_USER} --pass ${CP_REPO_PASS} --secret ibm-entitlement-key --inputDir ${LOCAL_CASE_DIR}"
  13. Upgrade the custom resource (CR) file to the new version:
    1. Put guardiumdatasecuritycenter into edit mode:
      oc edit guardiumdatasecuritycenter
    2. Locate the Version value:
      Version: <current_version>
    3. Change the version to the new version:
      Version: <new_version>
    4. Save and exit the file. The expected message is similar to the following example:
      guardiumdatasecuritycenter.gi.ds.isc.ibm.com/staging edited
  14. To verify that your environment was upgraded:
    1. Log in to check the version of Guardium Data Security Center.
    2. Run oc get guardiumdatasecuritycenter to verify the system reconciliation status.

      When the upgrade is complete, the output is similar to the following example:

      NAME      TYPE    STATUS   REASON      MESSAGE                    DESIRED_VERSION   INSTALLED_VERSION
      staging   Ready   True     Completed   Completed Reconciliation   3.6.0             3.6.0
    3. Run oc get pods to verify that pods are running or completed.
  15. An unused mount point in the Guardium Data Security Center user interface services might cause stability problems. Remove it by using one of these methods (use substep 1 or substep 2, but not both):
    1. Run this command:
      oc edit deployment <gi_installation_name>-insights

      When you edit the file, locate and delete these fields:

      - mountPath: /node_app/src/static/insights_exports
        name: db2-scratch-mount
        subPath: scratch/insights-exports

      Save the file after you remove the fields.

    2. To remap the extra mount to an unused location, run the following command:
      oc get deployment -oyaml <gi_installation_name>-insights | sed 's#/node_app/src/static/insights_exports#/tmp/ignore#g' | oc replace -f -
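
The checks in steps 3, 4, and 14 can be scripted so that a patch run stops when the custom resource is not reconciled or foundational services is not at 4.6.x. The following shell functions are an added example, not part of the IBM procedure; the function names, the sample rows, and the v prefix in the operator name are assumptions.

```shell
# Added example (not IBM code): checks for the oc output in steps 3, 4 and 14.

# gdsc_reconciled <expected_version>
# Reads `oc get guardiumdatasecuritycenter` output on stdin. Succeeds only if
# every instance is Ready/True/Completed and DESIRED_VERSION and
# INSTALLED_VERSION both equal <expected_version>.
gdsc_reconciled() {
  awk -v want="$1" '
    NR == 1 && $1 == "NAME" { next }   # header row
    NF == 0 { next }                   # blank line
    {
      rows++
      # MESSAGE contains spaces, so take the version columns from the right.
      desired = $(NF-1); installed = $NF
      # Appending "" forces string comparison, so 3.6 never equals 3.60.
      if ($2 != "Ready" || $3 != "True" || $4 != "Completed" ||
          (desired "") != (want "") || (installed "") != (want "")) {
        printf "not reconciled: %s desired=%s installed=%s\n", $1, desired, installed > "/dev/stderr"
        bad++
      }
    }
    END { exit !(rows > 0 && bad == 0) }'
}

# cpfs_version_ok
# Reads `oc get csv -n ibm-common-services | grep foundational` output on
# stdin. Succeeds only if the operator is version 4.6.x and phase Succeeded.
cpfs_version_ok() {
  awk '
    $1 ~ /^ibm-common-service-operator\./ {
      ver = $1
      sub(/^ibm-common-service-operator\.v?/, "", ver)   # v prefix: assumption
      if (ver ~ /^4\.6\.[0-9]+$/ && $NF == "Succeeded") ok = 1
    }
    END { exit !ok }'
}

# Constructed sample output (not captured from a real cluster).
SAMPLE_CR='NAME      TYPE    STATUS   REASON      MESSAGE                    DESIRED_VERSION   INSTALLED_VERSION
staging   Ready   True     Completed   Completed Reconciliation   3.6.0             3.6.0'
SAMPLE_CSV='ibm-common-service-operator.v4.6.5   IBM Cloud Pak foundational services   4.6.5   ibm-common-service-operator.v4.6.4   Succeeded'

printf '%s\n' "$SAMPLE_CR"  | gdsc_reconciled 3.6.0 && echo "CR reconciled at 3.6.0"
printf '%s\n' "$SAMPLE_CSV" | cpfs_version_ok       && echo "foundational services 4.6.x OK"
```

Against a live cluster, pipe the real command output into the function, for example oc get guardiumdatasecuritycenter | gdsc_reconciled <new_version> after step 13.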