Install a single patch or multiple patches as a background process.
About this task
Use this topic to provide visibility and control over patch installation, status and
history.
See Central Management for more information.
This how-to topic uses a combination of commands from the CLI and choices from the GUI to help you install the
latest Guardium patch. The Guardium system must be rebooted after installing a patch.
Important: Patches downloaded in ZIP format must be unzipped outside the Guardium system before
uploading and installing. Observe the following restrictions for any patch with database structure
changes:
- Perform or schedule the patch installation during quiet time on the Guardium system to avoid conflicts with
long-running processes such as heavy reports, audit processes, backups, and imports.
- The exact time required for patch installation depends on database utilization, data
distribution, and other considerations.
- Install patches in a top-down manner, first patching a central manager before patching
aggregators and finally collectors.
In the procedure below, you will follow these steps from the Guardium system that is designated
and configured as the Central Manager:
- Back up the system profile, using the CLI command store backup profile.
- Enter the CLI command store system patch install to install a single patch or
multiple patches to the Central Manager from a network location.
- Click to move patches from the CM to managed units.
Procedure
Back up the system profile
- Using an SSH client, log in to the IBM Security Guardium
Central Manager as the CLI user.
- Enter the following command: store backup profile
- The following dialog will appear:
Do you want to setup for automatic recovery? (Y/n)
Enter the patch backup destination host:
Enter the patch backup destination directory:
Enter the patch backup destination user:
Enter the patch backup destination port if you have a special port for SCP operation, or press ENTER to use the default port:
Enter the patch backup destination password:
- Use the following CLI command if the patch installation failed, the patch revert failed, and
the automatic restore failed or is disabled. The command gets the pre-patch backup file and
restores it on the system. If the pre-patch backup file is currently located on the system, enter the
file name. Otherwise, the pre-patch backup profile information is used to get the file.
CLI>show backup profile
patch backup flag is 1
patch backup automatic recovery flag is 1
patch backup dest host is
patch backup dest dir is
patch backup dest user is
patch backup dest port is
patch backup dest pass is
CLI>restore pre-patch backup
Install the patch(es) to the Central Manager
Note: A compressed patch file may
contain multiple patches, but only one patch can be installed at a time. To install more than one
patch, choose all the patches that need to be installed, separated by commas. Internally the CLI
submits requests for each patch on the list (in the order specified by the user) with the first
patch taking the request time provided by the user and each subsequent patch three minutes after the
previous one. In addition, CLI will check to see if the specified patch(es) are already requested
and will not allow duplicate requests.
- Enter the following command:
store system patch install <type> <date> <time>
where <type> is sys, ftp, scp, or cd and <date> and <time> are the patch installation
request date and time formatted as YYYY-mm-dd and hh:mm:ss. If date and time are not entered
or if now is entered, the installation request time is NOW.
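For planning a maintenance window, the following added example (not IBM code) validates the command arguments described above and models the request times described in the Note: first patch at the requested time, each later patch three minutes after the previous one, duplicates rejected. The function names and the sample selection are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

VALID_TYPES = ("sys", "ftp", "scp", "cd")   # install types listed on this page
SPACING = timedelta(minutes=3)              # gap between requests, per the Note


def parse_request_time(date_str, time_str):
    """Validate <date> <time> in the YYYY-mm-dd / hh:mm:ss form the command expects."""
    stamp = f"{date_str} {time_str}"
    # strptime alone tolerates unpadded fields, so check the exact shape first.
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}", stamp):
        raise ValueError(f"expected YYYY-mm-dd hh:mm:ss, got {stamp!r}")
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")


def build_install_command(install_type, when=None):
    """Return the CLI line to type; `when` is a datetime, or None for `now`."""
    if install_type not in VALID_TYPES:
        raise ValueError(f"type must be one of {VALID_TYPES}, got {install_type!r}")
    if when is None:
        return f"store system patch install {install_type} now"
    return f"store system patch install {install_type} {when:%Y-%m-%d %H:%M:%S}"


def plan_requests(selection, first_request, already_requested=()):
    """Model request times for a comma-separated selection, in the order given."""
    seen = set(already_requested)
    plan = []
    for item in (s.strip() for s in selection.split(",")):
        if not item:
            continue
        if item in seen:
            raise ValueError(f"patch {item!r} is already requested")
        seen.add(item)
        plan.append((item, first_request + SPACING * len(plan)))
    return plan


if __name__ == "__main__":
    # Constructed sample: three list items chosen at the CLI prompt as "2,1,3".
    start = parse_request_time("2024-03-10", "02:00:00")
    print(build_install_command("scp", start))
    for item, when in plan_requests("2,1,3", start):
        print(f"item {item}: requested for {when:%Y-%m-%d %H:%M:%S}")
```

The last request time only marks when the final patch is submitted; the installation time itself and the required reboot still have to fit inside the quiet period.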
Table 1. Patch install type descriptions and parameters
Name |
Description |
sys |
The sys option is for use when installing a second or subsequent patch from a
compressed file that has been copied to the Guardium system by using this command previously. Use
this option to apply a second or subsequent patch from a patch file that has been copied to the IBM®
Guardium® system by a previous store system patch
execution.
Install from /var/log/guard/patches
|
ftp or scp |
The ftp and scp options copy a compressed patch file from a
network location to the Guardium system. To install a
patch from a compressed patch file located somewhere on the network, use the ftp or
scp option, and respond to the prompts as shown below.
Please enter the following information for file transfer:
Host to import patch from:
User on (host name):
Full path to the patch, including name (file name may use wildcard *):
(LDAP password)Password:
Enter the scp/ftp port if you need to use a special port, else just press Enter key to continue:
The file transfer process can take a while to complete.
Leave the terminal open and do not answer any questions until the transfer is complete.
Starting transfer, please wait.
The file transfer is complete.
The backup profile is not set for saving the backup file when patch installation failed.
If you want to save the backup file, please answer NO to the question and run CLI command store backup profile to set up the parameters.
Do you want to continue (yes or no)? yes
List the files in the patches directory:
1. (name of file)
Please choose patches to install (1-1, or multiple numbers separated by ",", or q to quit): 1
Install item 1
Patch has been submitted, and will be installed according to the request time, please check installed patches report or CLI (show system patch installed).
Please don't forget to remove your media if necessary.
|
cd |
The cd option is for use in installing the patch from a DVD disk. To display a
complete list of applied patches, see the Installed Patches report on the Guardium Monitor tab of the administrator portal. There is also an
Available Patches report on this same Guardium Monitor
tab. To install a patch from a DVD, insert the DVD into the IBM
Guardium DVD ROM drive before executing this command. A
list of patches contained on the DVD will be displayed.
|
Use the UI to move the patch(es) from Central Manager to managed units
- Click .
The Patch Distribution button opens a new screen that displays the list of available
patches with their dependencies and lets you select a patch and install it on all
selected units. The list is built by evaluating the available patches against the patches
currently installed on each of the selected units and the dependency list of the available
patches. Patches that are available but not installable (a dependent patch is missing) are
shown in the list as grayed out and cannot be selected. Patch selection is a
single selection: only one patch can be installed at a time. Once a patch is selected and the
install button is pushed, a command is sent to all selected units to install that patch; the
installation happens in the background.
- Navigate to .
- Click Patch Installation Status. For each unit, the Patch
Installation Status screen displays failed installations and
discrepancies, such as a patch that is installed on only some of the units,
whether it failed on the other units or was not installed there.
Results
The patched systems are now ready to be used; however, remember that the Guardium system must be
rebooted after installing a patch.