Upgrading: Installing IBM Guardium Key Lifecycle Manager silently

You can choose to migrate data during the installation of IBM Guardium Key Lifecycle Manager V 5.0 (target) or migrate the data as a separate step.

Before you begin

  • Read the license terms for the product. To locate the license term files, in the root directory where the installation package is located, navigate to the disk1/im/license subdirectory. The /license subdirectory has the license files in text format.
  • Select the appropriate sample response file to create the response file to be used for the installation.

    IBM Guardium Key Lifecycle Manager includes platform-specific sample response files that you can use as a template for creating your own response file. A separate response file is available depending on the operating system of the host system and the data migration approach.

    Table 1. Response files
    Approach Sample response file name Example: Install target version on a host system that is running Linux® with existing (source) version as 4.1
    Recommended: Install IBM Guardium Key Lifecycle Manager target version with inline data migration. SKLM_Silent_platform_Mig_version_Resp.xml
    SKLM_Silent_Linux_Mig_41_Resp.xml
    Note: The response file must contain the keyword Mig. For example, SKLM_Silent_Linux_Mig_41_Resp.xml
    Install IBM Guardium Key Lifecycle Manager target version without data migration.
    Note: After installation, you must run the additional step to migrate data. For instructions, see Migrating data from an earlier version of IBM Guardium Key Lifecycle Manager.
    		 SKLM_Silent_platform_Resp.xml SKLM_Silent_Linux_Resp.xml
    Where,
    • platform is the operating system that is running on the host system.
    • version is the existing (source) version of IBM Guardium Key Lifecycle Manager or Encryption Key Manager.

    The response files are available in the root directory of the installation image files.

  • If you are upgrading from Encryption Key Manager, use the SKLM_Silent_platform_Resp.xml response file.
  • Obtain the encrypted values of the passwords for following administrators of the source version: IBM Guardium Key Lifecycle Manager, WebSphere Application Server Liberty, and database.

    Also, create an encrypted password for the database administrator of the target version.

    These passwords are used in the silent inline migration procedure.

    To create the encrypted password, use the IBM® Installation Manager utility. For more information, see Encrypted password for response file elements.

  • Ensure that the correct administrator password is specified in the response file.

Procedure

  1. Open the sample response file in edit mode and update the following parameters:
    repository location
    Specify the full path to the directory in which the installation package is located.
    Note: If you enter an invalid value for this parameter, the installation program exits without an error message. Also, the error is not logged.
    The file has two instances of this parameter and both must be updated. Specify the values as shown here: 
    <repository location='myRepositoryLocation\im'/>
<repository location='myRepositoryLocation\'/>

    where myRepositoryLocation is the full path to the installation package directory.

    For example, if the installation package exists in the C:\ directory, update this parameter as follows:
    <repository location='/gklm50/disk1/im'/>
<repository location='/gklm50/disk1/'/>
    user.DB2_ADMIN_ID,com.ibm.gklm50.db2.platform.ofng
    Specify the user name for the database administrator of the target version.
    For example: 
    <data key='user.DB2_ADMIN_ID,com.ibm.gklm50.db2.linux.ofng' value='sklmdbuser'/>
    If an Active Directory or domain user is used as the database administrator, then specify the value with the domain name, as follows: domainname\db2adminuserid. For example, XYZ\sklmdbuser.
    user.DB2_ADMIN_PWD,com.ibm.gklm50.db2.platform.ofng
    Specify the encrypted password for the database administrator of the target version.
    For example: 
    <data key='user.DB2_ADMIN_PWD,com.ibm.gklm50.db2.linux.ofng' value='QTh/0AiFacssjhs9gnOYkGA=='/>
    user.CONFIRM_PASSWORD,com.ibm.gklm50.db2.platform.ofng
    Specify the same password that you provided in the user.DB2_ADMIN_PWD,com.ibm.gklm50.db2.platform.ofng parameter.
    For example: 
    <data key='user.CONFIRM_PASSWORD,com.ibm.gklm50.db2.linux.ofng' value='QTh/0AiFacssjhs9gnOYkGA=='/>
    user.SKLM_ADMIN_USER,com.ibm.gklm50.platform
    Specify the user ID for the IBM Guardium Key Lifecycle Manager administrator of the target version.
    For example: 
    <data key='user.SKLM_ADMIN_USER,com.ibm.gklm50.linux' value='sklmadmin'/>
    user.SKLM_ADMIN_PASSWORD,com.ibm.gklm50.platform
    Specify the encrypted password for the IBM Guardium Key Lifecycle Manager administrator of the source version. This password applies to the IBM Guardium Key Lifecycle Manager administrator of the target version.
    For example:
    <data key='user.SKLM_ADMIN_PASSWORD,com.ibm.gklm50.linux' value='9YTRJMRIydDSdfhaHPs1mn=='/>
    Note: If LDAP was configured on the earlier version, specify credentials for an LDAP user for the application administrator user (SKLM_ADMIN_USER and SKLM_ADMIN_PASSWORD.
    user.SKLM_ADMIN_CONF_PWD,com.ibm.gklm50.platform
    Specify the same password that you provided in the user.SKLM_ADMIN_PASSWORD,com.ibm.gklm50.platform parameter.
    For example:
    <data key='user.SKLM_ADMIN_CONF_PWD,com.ibm.gklm50.linux' value='9YTRJMRIydDSdfhaHPs1mn=='/>
    user.TKLM_VERSION,com.ibm.gklm50.platform
    Specify the source IBM Guardium Key Lifecycle Manager version.
    For example, if you are upgrading from version 3.0 on a server that is running on Linux, update this parameter as follows:
    <data key='user.TKLM_VERSION,com.ibm.gklm50.linux' value='3.0.0.0'/>
    user.TKLM_TIP_HOME,com.ibm.gklm50.platform
    For IBM Guardium Key Lifecycle Manager 2.5 and later, specify the WAS_HOME directory path for the WebSphere Application Server Liberty of the source version. For the definition of WAS_HOME, see Definitions for HOME and other directory variables.
    For example:
    <data key='user.TKLM_TIP_HOME,com.ibm.gklm50.linux' value='/opt/IBM/WebSphere/AppServer'/>
    user.TKLM_INSTALLED,com.ibm.gklm50.platform
    Ensure that the value is true, which indicates that an earlier version of IBM Guardium Key Lifecycle Manager is already installed on the server.
    For example:
    <data key='user.TKLM_INSTALLED,com.ibm.gklm50.linux' value='true'/>
    user.TKLM_DB_PWD,com.ibm.gklm50.platform
    Specify the encrypted password for the database of the source version.
    For example:
    <data key='user.TKLM_DB_PWD,com.ibm.gklm50.linux' value='SwIhGBTDHcJok80Ux4Sb3g=='/>
    user.SKLM_APP_PORT,com.ibm.gklm50.platform
    Specify the port number that the IBM Guardium Key Lifecycle Manager server of the target version listens on for HTTPS requests.
    For example:
    <data key='user.SKLM_APP_PORT,com.ibm.gklm50.linux' value='8443'/>
  2. Only when upgrading from Encryption Key Manager with inline migration: Set the following properties in the response file.
    user.EKM_PROPFILE,@OFFERINGIDPREFIX@.linux
    Specify the properties file name.
    For example: 
    <data key='user.EKM_PROPFILE,@OFFERINGIDPREFIX@.linux' value='/opt/IBM/KeyManagerConfig.properties'/>
    user.EKM_MIGRATION,@OFFERINGIDPREFIX@.linux
    Specify false to indicate that data is to be migrated inline.
    For example:
    <data key='user.EKM_MIGRATION,@OFFERINGIDPREFIX@.linux' value='false'/>
  3. Save the response file and close it.
  4. Check whether the Db2 JAR file db2jcc4.jar exists in the installation directory. If not, copy the file from the installation package into the installation directory.

    For example, copy the file from disk1/im/jre_7.0.9040.20160504_1613/jre/lib/ext into /opt/IBM/InstallationManager/eclipse/jre_7.0.9040.20160504_1613/jre/lib/ext.

    You need to run this step only when you upgrade IBM Installation Manager independently. During the upgrade process, the Db2 JAR file is deleted from the JRE folder.

  5. Open the command line and run the silent installation command as follows: 
    ./silent_install.sh myResponseFile -acceptLicense

    Where myResponseFile is the response file that you want to use. For example, SKLM_Silent_Linux_30_Resp.xml.

    By specifying the -acceptLicense parameter, you agree to and accept the license terms for this product.

  6. Verify that the installation was successful by reviewing the log files. You can view the IBM Installation Manager logs at the following locations.
    Windows
    drive:\<IM_DATA_DIR>\logs\native.

    For example, C:\ProgramData\IBM\Installation Manager\logs\native.

    drive:\<IM_DATA_DIR>\logs\sklmLogs\.

    For example, C:\ProgramData\IBM\Installation Manager\logs\sklmLogs\.

    Linux
    /<IM_DATA_DIR>/logs/native.

    For example, /var/ibm/installationmanager/logs/native.

    /<IM_DATA_DIR>/logs/sklmLogs/.

    For example, /var/ibm/InstallationManager/logs/sklmLogs/.

    For the definition of <IM_DATA_DIR>, see Definitions for HOME and other directory variables.
    Table 2. Topic change log
    Date Change description
    14 Oct 2021 Corrected the description of two properties. Removed a property.
    10 Sept 2021 Initial version.

What to do next

Depending on the version that you are upgrading from, go to the next step from the topic: