IBM Support

IBM Security Guardium Key Lifecycle Manager Support Matrix

Question & Answer


Question

What is the support matrix for hardware, operating systems, browsers, hypervisors, middleware, HSMs, and KMIP across the different releases of IBM Security Guardium Key Lifecycle Manager?

Answer

Note: With V4.1, IBM Security Key Lifecycle Manager is renamed as IBM Security Guardium Key Lifecycle Manager.
Click a tab to know the supported hardware, operating systems, hypervisors, middleware, Hardware Security Modules (HSM), and Key Management Interoperability Protocol (KMIP) versions across the different releases of IBM Security Guardium Key Lifecycle Manager (SKLM/GKLM):
 

Supported hardware


IBM Security Guardium Key Lifecycle Manager V4.1.x.x traditional and earlier versions

The following hardware requirement values apply to all active versions of IBM Security Guardium Key Lifecycle Manager:

System component

Minimum values1

Recommended values2

System memory (RAM) 4 GB 8 GB
Processor speed Linux and Windows systems

1.0 GHz single processor

AIX systems
1.5 GHz (2-way)

Linux and Windows systems

3.0 GHz dual processors

AIX systems
1.5 GHz (4-way)

Disk space
Disk space free for IBM Security Guardium Key Lifecycle Manager and prerequisite products such as Db2 16 GB 30 GB
Disk space free in "/tmp" or "C:\temp" 4 GB 4 GB
Db2 disk space free in "/home" directory or system drive for Db2 7 GB 25 GB
Disk space free in /var directory for Db2 1 GB on Linux and UNIX operating systems 1 GB on Linux and UNIX operating systems
See Disk space requirements for log files.

All file systems must be writable.

1 Minimum values: These values enable a basic use of IBM Security Guardium Key Lifecycle Manager.

2 Recommended values: You must use larger values that are appropriate for your production environment. The most critical requirements are to provide adequate system memory, and free disk and swap space. Processor speed is less important.

Disk space requirements for log files

Consider the following disk space requirements for log files before you install IBM Security Guardium Key Lifecycle Manager.

Log file name Log file location Maximum number of log files Maximum size of each log file Disk space requirements
sklm_audit.log <WAS_HOME>\products\sklm\logs\audit 1 No limit -
sklm.log/debug <WAS_HOME>\products\sklm\logs 100 100 MB 10 GB
agent.log <WAS_HOME>\products\sklm\logs 30 100 MB 3 GB
replication_audit.log1 <WAS_HOME>\products\sklm\logs\replication 100 1 GB per log file -

1 Only if you have configured replication.

Note: To avoid db2diag log files overflow, back up the db2diag log files regularly or modify the level of logging. For more information, see diaglevel - Diagnostic error capture level configuration parameter.


On Linux and UNIX operating systems, you must install your Db2 product in an empty directory. If the directory that you specify as the installation path contains subdirectories or files, your Db2 installation might fail.

On Linux and UNIX operating systems, 4 GB of free space is required in the $HOME directory.

On Linux and UNIX operating systems, minimum 16 GB of free space is required in the / and /opt directory.

Installing into mapped network drives/mounted partitions is not supported.

If installation locations of more than one system component fall on the same Windows drive/UNIX partition, the cumulative space to contain all those components must be available in that drive/partition.


IBM Security Guardium Key Lifecycle Manager V4.1.x.x container

The containerized IBM Security Guardium Key Lifecycle Manager application consists of two containers:

Database - PostgreSQL container

System component Minimum values Recommended values
System memory (RAM) 4 GB 8 GB
Processor speed 2.0 GHz 8.0 GHz
Persistent Storage (Volume) 40 GB (Storage type: File) 60 GB (Storage type: File)

Database - Db2 container

System component Minimum values Recommended values
Persistent Storage (Volume) 40 GB (Storage type: File) 60 GB (Storage type: File)
For detailed Db2 hardware requirements, see Db2 Community Edition 11.5.4.0.

IBM Security Guardium Key Lifecycle Manager application container

The following hardware requirement values apply to IBM Security Guardium Key Lifecycle Manager container:

System component

Minimum values

Recommended values

System memory (RAM) 4 GB 8 GB
Processor speed

1.0 GHz

4.0 GHz
Persistent Storage (Volume) 20 GB (Storage type: File) 40 GB (Storage type: File)
 

Supported operating systems


IBM Security Guardium Key Lifecycle Manager V4.1.x.x traditional and earlier versions

 
IBM Security Guardium Key Lifecycle Manager

Platform

Operating System

V3.0

V3.0.1

V4.0 V4.1 V4.1.1
AIX
 
AIX 7.1 TL4 SP6 POWER 7, 81
YES
YES YES NO NO
AIX 7.1 TL5 POWER 7, 81
YES
YES YES NO NO
AIX 7.2 POWER 7, 81 YES YES YES YES4 YES4
AIX 7.2 POWER 9
NO
NO YES3 YES3,4 YES3,4
Linux2
 
 
 
 
 
 
 
 
 
SUSE Linux Enterprise Server (SLES) 12 x86-64
YES
YES YES YES YES
SUSE Linux Enterprise Server (SLES) 12 System z
YES
YES YES YES YES
SUSE Linux Enterprise Server (SLES) 15 x86-64 NO NO NO NO YES
SUSE Linux Enterprise Server (SLES) 15 System z NO NO NO NO YES
Red Hat Enterprise Linux (RHEL) Server 8.1 - 8.4 System z NO NO NO YES YES
Red Hat Enterprise Linux (RHEL) Server 8.1 - 8.4 x86-64 NO NO NO YES YES
Red Hat Enterprise Linux (RHEL) Server 8.1 - 8.4 (PowerPC Little Endian (LE)) NO NO NO YES YES
Red Hat Enterprise Linux (RHEL) Server 7.6 - 7.9 System z
YES
YES YES YES YES
Red Hat Enterprise Linux (RHEL) Server 7.6 - 7.9 x86-64
YES
YES YES YES YES
Red Hat Enterprise Linux (RHEL) Server 7.6 - 7.9 (PowerPC Little Endian (LE)) 64 bit1
YES
YES YES YES YES
Red Hat Enterprise Linux (RHEL) Server 6.7 - 6.10 x86-64
(EOS OS)
YES
YES YES NO NO
Ubuntu 16.04 LTS x86_64
(EOS OS)
NO YES YES YES NO
Ubuntu 18.04 LTS x86_64 NO NO NO NO YES
Windows
 
 
Windows Server 2012 Standard Edition x86-64
YES
YES YES YES YES
Windows Server 2012 R2 Standard Edition x86-64
YES
YES YES YES YES
Windows Server 2016 Standard Edition x86-64 YES YES YES YES YES
Windows Server 2019 Standard Edition x86-64 NO NO NO YES YES

1 - Supported hardware includes POWER9 in POWER8 mode.

2 - For information about the Linux packages, see Linux packages.

3 - Supports POWER9 in POWER9 mode

4 - Supported only with AIX 7.2 TL3 and later.

Notes:

  • Do not install IBM Security Guardium Key Lifecycle Manager on systems with hardened operating system. You can harden the operating system after the installation completes.

  • Before you install IBM Security Guardium Key Lifecycle Manager on a UNIX or an AIX operating system, ensure that Bash shell (bash) is installed. Also, ensure that it is the default shell.

  • Before you install IBM Security Guardium Key Lifecycle Manager on an AIX operating system, ensure that the necessary libraries that are described in this technote are installed: Required gtk libraries for IBM Installation Manager on AIX.

  • For V4.1 and earlier versions, before you install IBM Security Guardium Key Lifecycle Manager on a Linux operating system, ensure that C shell (csh) is installed. Starting V4.1.1, csh is not a requirement.

  • Access requirements: Install IBM Security Guardium Key Lifecycle Manager as an administrator (root user). You can install IBM Security Guardium Key Lifecycle Manager as a non-root user on Linux operating systems only.

Linux packages

On Linux operating systems, IBM Security Guardium Key Lifecycle Manager (GKLM) requires the compat-libstdc++ package, which contains libstdc++.so.6. It also requires the libaio package, which contains the asynchronous library that is required for Db2® database servers.

  • libstdc package
    To determine whether you have the package, run the following command:
    rpm -qa  | grep -i "libstdc"
    If the package is not installed, locate the rpm file on your original installation media and install it.
    find installation_media -name compat-libstdc++*
    rpm -ivh full_path_to_compat-libstdc++_rpm_file]
  • libaio package
    To determine whether you have the package, run the following command:
    rpm -qa  | grep -i "libaio"
    If the package is not installed, locate the rpm file on your original installation media and install it.
    find installation_media -name libaio*
    rpm -ivh full_path_to_libaio_rpm_file
Prerequisites for GKLM installation on Red Hat Enterprise Linux 64-bit systems:
  • Ensure that 64-bit libaio package is installed before running db2setup. Db2 installation requires this package.
  • For GKLM V4.1.1 and V4.1 installation in graphical mode, ensure that a VNC package (for example, tigervnc) and a terminal emulator (for example, xterm) are installed. 
  • For GKLM V4.1 silent installation, ensure that the tsch package is installed.  

Requirements for Linux on System z operating system

Before you install IBM Security Guardium Key Lifecycle Manager on Linux on System z operating system, complete the following steps:

  1. Check whether the following libraries are present on the system, which are necessary for Db2® installation.
    • libpam.so.0
    • libaio.so.1
    • libstdc++.so.6.0.8
    • libstdc++33
    • ksh93
    If the system does not contain the necessary libraries, run the following command:
    yum install <library_name>
    If a library has any issues, use the following command to remove a library:
    yum remove <library_name>
    For more information, see Db2 documentation - Additional installation considerations (Linux).
     
  2. Install the IBM XL/XL C++ runtime environment:
    1. Extract the setup.
    2. Run ./install.
    3. Run the following command if an error message is displayed about missing libraries:
      yum install <missing_lib_name>
  3. Create a link between the libraries that are installed by running the following commands:
    ln -s /opt/ibm/lib/* /usr/lib/ 
    ln -s /opt/ibm/lib64/* /usr/lib64/
  4. Set the LD_LIBRARY_PATH by using the following command:
    LD_LIBRARY_PATH=/opt/ibm/lib:/opt/ibm/lib64:/usr/lib64; 
    export LD_LIBRARY_PATH
  5. Ensure that the /tmp directory has all the permissions. To provide the permissions, run the following command.
    chmod 777 /tmp

Requirements for Linux on PowerPC operating system

Before you install IBM Security Guardium Key Lifecycle Manager on Linux on PowerPC Little Endian (LE) operating system, ensure that your system meets the requirements.

  1. Install IBM XL/XL C++ environment.
    1. Extract the setup in a directory.
      tar -xvf <setup_name>
    2. Run ./install.
  2. After you install the package, create a link between the libraries that are installed by running the following steps.
    ln -s /opt/ibm/lib/* /usr/lib/                        
    ln -s /opt/ibm/lib64/* /usr/lib64/
  3. Set the LD_LIBRARY_PATH by using the following command.
    LD_LIBRARY_PATH=/opt/ibm/lib:/opt/ibm/lib64:/usr/lib64; 
    export LD_LIBRARY_PATH
  4. Before you start the installation process, ensure that the /tmp directory has all the permissions. To provide the permissions, run the following command.
    chmod 777 /tmp

Disabling Security Enhanced Linux 

IBM Security Guardium Key Lifecycle Manager on Linux operating systems might have functional problems when the Security Enhanced Linux (SELINUX) setting is enabled.

For example, a problem might occur with the TCP/IP connections on the server ports. Follow the steps provided in the Linux documentation to disable Security Enhanced Linux.


IBM Security Guardium Key Lifecycle Manager V4.1.x.x container

IBM Security Guardium Key Lifecycle Manager V4.1.x.x container
Operating system/Architecture
  • Linux/amd64
  • Linux/s390x
Container Platform
  • OpenShift Container Platform Version 4.3 or later
    • An IBM Cloud account with Cluster Administrator permissions
  • Kubernetes Container Platform Version 1.11.0 or later
  • IBM zCX environment
Helm
  • Power: At least Version 2.12.x or later, but not Version 3.x
  • x86: At least Version 2.14.x or later, but not Version 3.x
Storage
  • NFS
  • IBM Cloud File Storage (gold storage class)
  • Portworx
  • Red Hat OpenShift Container Storage 4.3 or later
  • A hostPath PV that is a mounted clustered filesystem

Supported browsers

The following browser support applies to all active versions of IBM Security Guardium Key Lifecycle Manager:

Browser

Supported Versions
Google Chrome1  86 and later
Microsoft Edge1  44 and later
Firefox ESR  24.0 and later
Microsoft Internet Explorer
 9.0, 10.0, 11.0
 (Only supported on Windows Server 2019, Windows Server 2016, Windows Server 2012, Windows Server 2012 R2)
1 - Only supported by IBM Security Guardium Key Lifecycle Manager V4.1.x.x
Note: Supported browsers are not included with the product installation. You can access the IBM Security Guardium Key Lifecycle Manager graphical user interface by using any of the supported browsers from any system. You must enable the session cookies and Java Script in the browser to establish a session with the product.

Supported hypervisors

IBM Security Guardium Key Lifecycle Manager

Hypervisor

V3.0 - V3.0.1

V4.0 - V4.1

V4.1.1
VMware ESXi 7.x NO YES YES
VMware ESXi 5.x, 6.x YES YES YES
Red Hat KVM as delivered with Red Hat Enterprise Linux (RHEL) and its RHEV equivalent 6.7 and 7.0 YES YES YES
IBM z/VM Hypervisor 6.1 - 6.4 and 7.1 NO NO YES
IBM PowerVM Hypervisor (LPAR, DPAR, Micro-Partition) any supported version NO NO YES

Supported middleware

IBM Security Guardium Key Lifecycle Manager

Middleware

Requirements (Only for V4.1 traditional and earlier)

V3.0/V3.0.1

V4.0 V4.1 V4.1.1
For traditional For container1 For traditional For container1
Database
See the Db2 requirements section
IBM Db2 Advanced Workgroup Server Edition
  • 11.1.4.52
  • 11.1.2.23
IBM Db2 Advanced Workgroup Server Edition
  • 11.5.4.02
  • 11.1.4.6
  • 11.1.4.4 interim fix 13
IBM Db2 Standard Edition
  • 11.5.6.04
  • 11.5.5.04
  • 11.5.4.03
  • PostgreSQL 12.2 
  • IBM Db2 11.5
  • IBM Db2 for z/OS 12.0
IBM Db2 Standard Edition
  • 11.5.6.03
  • PostgreSQL 12.2 
  • IBM Db2 11.5
  • IBM Db2 for z/OS 12.0
IBM WebSphere Application Server (WAS)
See the WebSphere Application Server requirements section
9.0.0.53
  • 9.0.5.4 - 9.0.5.8
  • 9.0.5.03
WAS traditional:
  • 9.0.5.6 - 9.0.5.9
  • 9.0.5.53
WAS Liberty, 20.0.0.9
WAS Liberty,
21.0.0.63
WAS Liberty:
21.0.0.63
20.0.0.9
WebSphere SDK Java Technology Edition
 None 1.8.0_144 SR53
  • 1.8.0_211 SR5 FP37
  • 1.8.0_26 SR6 FP263
  • 1.8.0_26 SR6 FP26
  • 1.8.0_261 SR6 FP153
1.8.0_261 SR6 FP15
1.8.0_26 SR6 FP26
1.8.0_26 SR6 FP26
For more information about the Java SDK version shipped with IBM WebSphere Application Server, see Verify Java SDK version shipped with IBM WebSphere Application Server fix packs.
1 -  The database must be separately installed. It is not bundled with the product.
2 - You must first install SKLM with the default bundled IBM Db2 version, then upgrade to this version. For instructions, see the relevant topic:
Db2 11.1.4.5
Db2 11.5.4.0

3 -  This is the default installed version.
4 -  After you apply the Db2 fix pack, run the Db2 commands in the following order:
db2 connect to <databasename>
db2 bind db2schema.bnd blocking all grant public sqlerror continue
db2 terminate
db2stop
db2start

Db2 requirements

The database stores the data of IBM Security Guardium Key Lifecycle Manager. Before you install IBM Security Guardium Key Lifecycle Manager, ensure that the database requirements are met.

IBM Security Guardium Key Lifecycle Manager requires DB2® Advanced Workgroup Server Edition, Version 11.1.2.2 and the future fix packs on the same system on which the IBM Security Guardium Key Lifecycle Manager server runs.
Note
  • You must use IBM Security Guardium Key Lifecycle Manager to manage the database. To avoid data synchronization problems, do not use tools that the database application might provide.
  • For improved performance of Db2 Version 11.1.2.2 on AIX systems, ensure that you install and configure the I/O completion ports (IOCP) package that is described in the Db2 documentation - Configuring IOCP (AIX).
  • If an existing copy of Db2 Advanced Workgroup Server Edition was installed as the root user at the correct version for the operating system, you can use the existing Db2 Advanced Workgroup Server Edition. IBM Security Guardium Key Lifecycle Manager installer does not detect the presence of Db2. You must specify the Db2 installation path.

SuSE Linux Enterprise Server Version 12 (System z) systems contain the libstdc++.6.so package. But, IBM Security Guardium Key Lifecycle Manager requires the libstdc++.5.so package for Db2 installation.

For more information about Db2 prerequisites, see Db2 documentation - db2prereqcheck - Check installation prerequisites.

Db2 kernel settings

Ensure that the kernel settings are correct. 

AIX systems
None required.
Linux systems
For information about kernel settings, see Db2 documentation - Modifying kernel parameters (Linux).
Window systems
None required.

WebSphere Application Server requirements

IBM Security Guardium Key Lifecycle Manager includes and installs WebSphere Application Server. During installation, IBM Security Guardium Key Lifecycle Manager customizes WebSphere Application Server configuration and profiles to suit its operations. This customization might cause problems with products that use the same server when you uninstall IBM Security Guardium Key Lifecycle Manager. Therefore, you must consider the following aspects to avoid the issues:

  • Do not install IBM Security Guardium Key Lifecycle Manager in a WebSphere Application Server instance that another product provides.
  • Do not install another product in the instance of WebSphere Application Server that IBM Security Guardium Key Lifecycle Manager provides.

IBM Security Guardium Key Lifecycle Manager requires Java Runtime Environment. IBM Java Runtime Environment is included with WebSphere® Application Server.

Use of an independently installed development kit for Java™, from IBM® or other vendors, is not supported. For more information, see Java SE 8 in WebSphere Application Server traditional V9.

Supported HSMs/Cryptographic cards

IBM Security Guardium Key Lifecycle Manager uses the IBM PKCS11 Cryptographic Provider, and supports the cryptographic cards that the provider supports. 

For a list of the supported cryptographic cards, see IBM Java V8.0 Documentation - IBM PKCS11 Cryptographic Provider. In addition to this list, the following cards are also supported by V3.0.1 and later:

  • Entrust nShield Connect+ 12.60
  • Entrust nShield Connect XC 12.60 (Compatible with nShield as a service)

Supported KMIP versions

IBM Security Guardium Key Lifecycle Manager
V3.0 - V4.0

V4.1.x.x

Key Management Interoperability Protocol (KMIP)
2.0
1.4
1.3
1.2
1.1
1.0

2.1
2.0
1.4
1.3
1.2
1.1
1.0

For more information about the supported KMIP profiles, see Key Management Interoperability Protocol (KMIP) profiles supported by IBM Security Guardium Key Lifecycle Manager.

[{"Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSTJE47","label":"IBM Security Guardium Key Lifecycle Manager"},"ARM Category":[{"code":"a8m0z000000cvdLAAQ","label":"SKLM"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Version(s)"}]

Document Information

Modified date:
19 November 2021

UID

swg22008774