How to install patches

Install a single patch or multiple patches as a background process.

About this task

Use this topic to provide visibility and control over patch installation, status and history.

See Central Management for more information.

This how-to topic uses a combination of commands from the CLI and choices from the GUI to help you install the latest Guardium patch. The Guardium system must be rebooted after installing a patch.

Important: Patches downloaded in ZIP format must be unzipped outside the Guardium system before uploading and installing. Observe the following restrictions for any patch with database structure changes:
  • Perform or schedule the patch installation during quiet time on the Guardium system to avoid conflicts with long-running processes such as heavy reports, audit processes, backups, and imports.
  • The exact time required for patch installation depends on database utilization, data distribution, and other considerations.
  • Install patches in a top-down manner, first patching a central manager before patching aggregators and finally collectors.
In the procedure below, you will follow these steps from the Guardium system that is designated and configured as the Central Manager:
  1. Back up the system profile, using the CLI command store backup profile.
  2. Enter the CLI command store system patch install to install a single patch or multiple patches to the Central Manager from a network location.
  3. Click Setup > Tools and Views > Patch Distribution to move patches from the CM to managed units.

Procedure

Back up the system profile

  1. Using an SSH client, log in to the IBM Security Guardium Central Manager as the CLI user.
  2. Enter the following command: store backup profile
  3. The following dialog will appear:
    Do you want to setup for automatic recovery? (Y/n) 
    Enter the patch backup destination host:
    Enter the patch backup destination directory:
    Enter the patch backup destination user:
    Enter the patch backup destination port if you have a special port for SCP operation, or press ENTER to use the default port:
    Enter the patch backup destination password:
  4. Use the following CLI command if the patch installation failed, the patch revert failed, and the automatic restore failed or is disabled. The command gets the pre-patch backup file and restores it on the system. If the pre-patch backup file is currently located on the system, enter the file name. Otherwise, the pre-patch backup profile information is used to get the file.
    CLI>show backup profile
    patch backup flag is 1
    patch backup automatic recovery flag is 1
    patch backup dest host is
    patch backup dest dir is
    patch backup dest user is
    patch backup dest port is
    patch backup dest pass is
    CLI>restore pre-patch backup

Install the patch(es) to the Central Manager

Note: A compressed patch file may contain multiple patches, but only one patch can be installed at a time. To install more than one patch, choose all the patches that need to be installed, separated by commas. Internally the CLI submits requests for each patch on the list (in the order specified by the user) with the first patch taking the request time provided by the user and each subsequent patch three minutes after the previous one. In addition, CLI will check to see if the specified patch(es) are already requested and will not allow duplicate requests.

  1. Enter the following command:
    store system patch install <type> <date> <time>

    where <type> is sys, ftp, scp, or cd and <date> and <time> are the patch installation request date and time formatted as YYYY-mm-dd and hh:mm:ss. If date and time are not entered or if now is entered, the installation request time is NOW.

    Table 1. Patch install type descriptions and parameters
    Name Description
    sys

    Use the sys option to apply a second or subsequent patch from a compressed patch file that has already been copied to the IBM® Guardium® system by a previous store system patch execution.

    Install from /var/log/guard/patches

    ftp or scp
    The ftp and scp options copy a compressed patch file from a network location to the Guardium system. To install a patch from a compressed patch file located somewhere on the network, use the ftp or scp option, and respond to the prompts as shown below.
    Important: Patches downloaded in ZIP format must be unzipped outside the Guardium system before uploading and installing. Observe the following restrictions for any patch with database structure changes:
    • Perform or schedule the patch installation during quiet time on the Guardium system to avoid conflicts with long-running processes such as heavy reports, audit processes, backups, and imports.
    • The exact time required for patch installation depends on database utilization, data distribution, and other considerations.
    • Install patches in a top-down manner, first patching a central manager before patching aggregators and finally collectors.
    Please enter the following information for file transfer: 
    Host to import patch from:
    User on (host name):
    Full path to the patch, including name (file name may use wildcard *): 
    (LDAP password)Password: 
    Enter the scp/ftp port if you need to use a special port, else just press Enter key to continue: 
    The file transfer process can take a while to complete. 
    Leave the terminal open and do not answer any questions until the transfer is complete. 
    Starting transfer, please wait. 
    The file transfer is complete. 
    The backup profile is not set for saving the backup file when patch installation failed. 
    If you want to save the backup file, please answer NO to the question and run CLI command store backup profile to set up the parameters. 
    Do you want to continue (yes or no)? yes 
    List the files in the patches directory: 
    1. (name of file)
    Please choose patches to install (1-1, or multiple numbers separated by ",", or q to quit): 1
    Install item 1 
    Patch has been submitted, and will be installed according to the request time, please check installed patches report or CLI (show system patch installed). 
    Please don't forget to remove your media if necessary. 
    cd

    The cd option installs the patch from a DVD. Insert the DVD into the IBM Guardium DVD-ROM drive before executing this command; a list of patches contained on the DVD is displayed. To display a complete list of applied patches, see the Installed Patches report on the Guardium Monitor tab of the administrator portal. There is also an Available Patches report on this same Guardium Monitor tab.

    • To delete a patch install request, use the CLI command delete scheduled-patch
    • Patches remain after installation only on the Central Manager. Standalone or managed unit patch files ARE deleted after installation.
    • To display the available patches: show system patch available
    • To display the already installed patches and patches scheduled to be installed—showing date/time and the install status: show system patch installed
    • Use the fileserver command to start an HTTPS-based file server running on the Guardium appliance. This facility is intended to ease the task of uploading patches to the unit, or downloading debugging information from the unit. Each time this facility starts, it deletes any files in the directory to which it uploads patches.
      Note: Any operation that generates a file, that the fileserver will access, should finish before the fileserver is started (so that the file is available for the fileserver).
      1. To start the file server, enter the fileserver command: fileserver
      2. Starting the file server. You can find it at https://(name of unit)
      3. Press ENTER to stop the file server.
      4. Open the fileserver in a browser window, and do one of the following:
        • To upload a patch, click Upload a patch and follow the directions.
        • To download log data, click Sqlguard logs, go to the file you want, right-click on it, and download as you would any other file.
      5. When you are done, return to the CLI session and press Enter to terminate the session.
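
The request timing described in the Note at the start of this section, worked through as an added example (this is a planning model written for this page, not Guardium code). It builds the store system patch install line and shows the request time each selected patch would receive, so you can check that the whole sequence fits inside the quiet window. The patch names and function names are constructed for illustration.

```python
from datetime import datetime, timedelta

INSTALL_TYPES = {"sys", "ftp", "scp", "cd"}  # <type> values listed on this page
STAGGER = timedelta(minutes=3)               # gap between queued requests, per the Note
STAMP = "%Y-%m-%d %H:%M:%S"                  # YYYY-mm-dd hh:mm:ss


def install_command(install_type, when="now"):
    """Build the CLI line; omitting the time (or 'now') requests installation NOW."""
    if install_type not in INSTALL_TYPES:
        raise ValueError(f"unknown install type: {install_type!r}")
    if when in (None, "now"):
        return f"store system patch install {install_type}"
    datetime.strptime(when, STAMP)           # raises ValueError on a malformed date/time
    return f"store system patch install {install_type} {when}"


def request_timeline(selected, when="now", already_requested=(), clock=datetime.now):
    """Model the request time each selected patch receives, in selection order.

    The first patch takes the requested time, each later one is queued three
    minutes after the previous one, and a patch that is already requested
    (or listed twice) is refused.
    """
    start = clock() if when in (None, "now") else datetime.strptime(when, STAMP)
    seen = set(already_requested)
    timeline = []
    for patch in selected:
        if patch in seen:
            raise ValueError(f"duplicate request refused: {patch}")
        seen.add(patch)
        stamp = (start + STAGGER * len(timeline)).strftime(STAMP)
        timeline.append((patch, stamp))
    return timeline


if __name__ == "__main__":
    # Constructed patch names, not real Guardium patch files.
    picks = ["example-patch-1", "example-patch-2", "example-patch-3"]
    print(install_command("scp", "2030-01-31 23:56:00"))
    for name, stamp in request_timeline(picks, "2030-01-31 23:56:00"):
        print(stamp, name)   # the third request rolls over to the next day
```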

Use the UI to move the patch(es) from Central Manager to managed units

  1. Click Setup > Tools and Views > Patch Distribution.

    The Patch Distribution button opens a new screen that displays the list of available patches with their dependencies and lets you select a patch and install it on all selected units. The list is built by evaluating the available patches against the patches currently installed on each of the selected units and the dependency list of the available patches. Patches that are available but not installable (a dependent patch is missing) are shown grayed out and cannot be selected. Patch selection is a single selection: only one patch can be installed at a time. Once a patch is selected and the install button is pushed, a command is sent to all selected units to install that patch; the installation happens in the background.

  2. Navigate to Central Management > Central Management > Patch Distribution.
  3. Click Patch Installation Status. For each unit, the Patch Installation Status screen displays failed installations and discrepancies, such as a patch that is installed on only some of the units, regardless of whether it failed on the other units or was not installed.

Results

The patched systems are now ready to be used; however, remember that the Guardium system must be rebooted after installing a patch.