IBM Support

Getting Help for Guardium Data Encryption Expert

Question & Answer


Question

What can be done to expedite issue resolution for Guardium Data Encryption Expert?

Cause

Clients that provide a complete picture of their environment and current issue experience shorter resolution times. Certain "must-gather" pieces of information can be collected at the time of issue submission and attached to the Problem Management Report ("PMR").

Answer

Every environment is unique and troubleshooting product issues can be complex. Effective communication between the client and support technician facilitates transfer of the necessary knowledge and reduces the number of communication exchanges required to document an issue history.

Start With a Story


Please write a brief story about what has happened so far, beginning with a platform description and covering the overall project goals. Please include any additional details that may seem relevant and provide screen shots or command output whenever possible. In the good examples below, please note that the command that generated the error is shown, even if output has been truncated.

Example (BAD):
    Got error: “Please wait ......CLI-Daemon timeout ”

Example (GOOD):
    We are trying to install a GDE DSM. We downloaded the eAssembly from Passport Advantage and ran the program GDE_PreReq_Download_Credential.bin. We downloaded the file gde_server-2.0-r2d.tar and ran the install script install_gde_prereq. We are trying to generate the security certificate and it is failing with the error “CLI-Daemon timeout”


    # ./install_gde_prereq
    [#######-] Configuring database
    [########] Cleaning up
    Pre-req installation done.

    Run the enabler program to complete installation of Security Server.
    # su - cliadmin
    0000:vormetric$ system
    0001:system$ sec genca
    ...
    Regenerating the CA and server certificates now...
    Please wait ......CLI-Daemon timeout

Example (BAD):
    Name "gde-dsm" does not match.

    Please help.

Example (GOOD):
    We are trying to install the GDE agent and we are receiving the following error when registering the host:

    400 Security server name sent by agent, "gde-dsm" does not match the name of the security server, "gde-dsm.ibm.com"


    [root@hostname ~]# ./vee-fs-5.2.1-31-rh6-x86_64.bin
    ...
    400 Security server name sent by agent, "gde-dsm" does not match the name of the security server, "gde-dsm.ibm.com"

    Our host is connected to the same network segment as the DSM and the host is defined.

    [root@hostname ~]# ifconfig eth1
    eth1 Link encap:Ethernet HWaddr 08:00:27:17:F3:56
    inet addr:192.168.56.20 Bcast:192.168.56.255 Mask:255.255.255.0
    ...

    [root@hostname ~]# ping gde-dsm
    PING gde-dsm (192.168.56.10) 56(84) bytes of data.
    64 bytes from gde-dsm (192.168.56.10): icmp_seq=1 ttl=64 time=2.03 ms
    64 bytes from gde-dsm (192.168.56.10): icmp_seq=2 ttl=64 time=1.13 ms

    --- gde-dsm ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1000ms
    rtt min/avg/max/mdev = 1.136/1.583/2.031/0.449 ms

    # grep gde-dsm /etc/hosts
    192.168.56.10 gde-dsm.ibm.com gde-dsm


In addition to the above narrative, technicians may ask for additional information. Common requests include:
  • confirmation that the agent is installed or running
  • output from agenthealth
  • output from agentinfo
  • output from various netstat commands
  • exported security policy

How To Tell If the Product Is Installed
Linux/Unix users will find the program files in /opt/vormetric/DataSecurityExpert or in a location specified in the file /etc/vormetric/vormetric.cfg.
Windows users will find the program files in C:\Program Files\Vormetric\DataSecurityExpert.

How To Tell If the Product Is Running


Linux/Unix users will see an entry in the output from the “mount” command:
    # mount
    /opt/vormetric/DataSecurityExpert/agent/secfs/.sec on /opt/vormetric/DataSecurityExpert/agent/secfs/.sec type secfs2 (rw,dir=/opt/vormetric/DataSecurityExpert/agent/secfs/.sec)

Windows users will see a small “Vormetric” icon in the system tray. The system tray is normally located in the lower right corner of the screen.
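
The two Linux checks above (program files present, a secfs2 entry in the mount output) can be scripted so the result can be pasted into a PMR or run as a routine check that the agent is still active. This is an added example, not an IBM-supplied script; the function names are hypothetical, and it assumes the Linux mount output format shown above and mount points without spaces.

```shell
#!/bin/sh
# Added example (not part of the product): report whether the GDE agent
# appears installed and running, using the paths and the secfs2
# filesystem type documented on this page.

GDE_DEFAULT_DIR="/opt/vormetric/DataSecurityExpert"

# Read `mount`-style text on stdin and print the mount point of every
# secfs2 filesystem. Expected line format (Linux):
#   <device> on <mountpoint> type <fstype> (<options>)
secfs_mounts() {
    awk '$2 == "on" && $4 == "type" && $5 == "secfs2" { print $3 }'
}

# Usage: mount | agent_status [install_dir]
# Prints "installed=<yes|no> running=<yes|no>" and returns 0 only when
# both checks pass. install_dir defaults to the documented location; pass
# the directory named in /etc/vormetric/vormetric.cfg if it differs.
agent_status() {
    dir="${1:-$GDE_DEFAULT_DIR}"
    installed=no
    running=no

    # Installed: the program directory exists.
    [ -d "$dir" ] && installed=yes

    # Running: at least one secfs2 filesystem is mounted.
    mounts=$(secfs_mounts)
    [ -n "$mounts" ] && running=yes

    echo "installed=$installed running=$running"
    [ "$installed" = yes ] && [ "$running" = yes ]
}
```

Run it as `mount | agent_status`; a non-zero exit status means at least one of the two checks failed.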

Agent Health Check


The script for agent health is available on Linux and Unix systems. This is a basic shell script that checks the overall status of an agent.

To run the Agent Health Check:
1. As root, run the agenthealth script
      # /opt/vormetric/DataSecurityExpert/agent/vmd/bin/agenthealth

2. Send the log file to the IBM PMR as described below, “Uploading Data To a PMR”. The log file is located at /var/log/vormetric/agenthealth.log

Agent Information (agentinfo)


The Agent Information script is available on Linux, Unix and Windows systems. This is a shell script that collects configuration information and certain log files into one location.

To run the Agent Information script on Linux and Unix:
1. As root, run the agentinfo script
      # /opt/vormetric/DataSecurityExpert/agent/vmd/bin/agentinfo

2. Send the output to the IBM PMR as described below, “Uploading Data To a PMR”. The resulting file is named ai-hostname.tar.gz where hostname is the name of the host.

To run the Agent Information script on Windows:
1. As Administrator, run the agentinfo script from a command prompt.
      C:\> "\Program Files\Vormetric\DataSecurityExpert\agent\shared\bin\agentinfo"
    Older versions of the agent may be located at:
      C:\> "\Program Files\Vormetric\DataSecurityExpert\agent\vmd\bin\agentinfo"

2. Zip up the contents of the directory “C:\vmcollection”
3. Send the output to the IBM PMR as described below, “Uploading Data To a PMR”.

Policy Export


The security policy is often a critical piece in debugging customer configuration issues.

To export the security policies:
1. Log in to the Data Security Manager Management Console as a security administrator with host access. Switch into the security domain if necessary.
2. Navigate to the host in question by clicking on the “Hosts” page and clicking on the host name.
3. Under the “Guard FS” tab, gather a list of policies that are in effect on that system.
4. Log in to the Data Security Manager Management Console as a security administrator with policy access. Switch into the security domain if necessary.
5. Select the Policy pull-down and choose “Import/Export Policies”.
6. Place a check mark next to each policy listed in step 3.
7. Click on the button labeled “Export” and save the file.
8. Send the file to the PMR as described below, “Uploading Data To a PMR”.

Uploading Data To a PMR


Files under 20 MB can be transferred to a PMR via e-mail.
1. Attach the file to an e-mail message.
2. Reference the PMR number in the subject line.
3. Send the message to security_support@ecurep.ibm.com
For example, to send the agenthealth.log to PMR xxxxx.yyy.zzz:

To: security_support@ecurep.ibm.com
Subject: “PMR xxxxx.yyy.zzz”
Attachments: agenthealth.log

For larger files, consult the document “Enhanced Customer Data Repository” located at: http://www.ibm.com/support/pages/node/739283

Document Information

Modified date:
16 June 2018

UID

swg21960032