News
Abstract
The Guardium internal MySQL certificate expired at 23:59:59 GMT on April 2nd 2023. To ensure continued running of Guardium appliances, a patch with the updated certificate must be installed before that time. If no action was taken before the expiration date, action is required now to fix the problem.
Content
URGENT - The deadline for MySQL certificate expiration has passed. If the certificate was not updated before the deadline, you might notice some of these symptoms:
- MUs cannot connect to CM
- Patching does not work
- Reports or other GUI functionality not working as expected
- Certificate expiration alert in GUI alarm bell
Checking certificate expiry
To confirm the expiry date of the certificates on your appliance, run the following CLI command: show certificate summary
If the certificate is correctly updated, the MYSQL lines will have an expiry date of 03/31/32.
Example result for updated certificate:
Alias Name    Valid From  Valid To  Subject                                                                      File Name
------------  ----------  --------  ---------------------------------------------------------------------------  ---------------
MYSQL CA      04/03/22    03/31/32  C=US, ST=Massachusetts, L=Littleton, O=IBM, OU=Guardium, CN=IBM-Guardium-CA  cacert.pem
MYSQL Server  04/03/22    03/31/32  C=US, ST=Massachusetts, L=Littleton, O=IBM, OU=Guardium, CN=mysql_server     server-cert.pem
MYSQL Client  04/03/22    03/31/32  C=US, ST=Massachusetts, L=Littleton, O=IBM, OU=Guardium, CN=mysql_client     client-cert.pem
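When many appliances have to be checked, the saved output of show certificate summary can be parsed off the appliance. The Python below is an added example, not IBM tooling or part of the original technote; it assumes the column layout shown above, treats a certificate as valid through 23:59:59 GMT on its Valid To date, and runs on a constructed sample in which the MYSQL Server row carries an invented stale date.

```python
import re
from datetime import datetime, timedelta, timezone

UPDATED_VALID_TO = "03/31/32"  # Valid To the technote gives for updated MySQL certs

# alias, Valid From, Valid To, subject (contains spaces), file name (last token)
ROW = re.compile(
    r"^(?P<alias>\S.*?)\s+(?P<valid_from>\d{2}/\d{2}/\d{2})\s+"
    r"(?P<valid_to>\d{2}/\d{2}/\d{2})\s+(?P<subject>.+?)\s+(?P<file>\S+)$"
)

# Constructed sample: the MYSQL Server row and its dates are invented for the demo.
SAMPLE = """\
Alias Name    Valid From  Valid To  Subject  File Name
------------  ----------  --------  -------  ---------------
MYSQL CA      04/03/22    03/31/32  C=US, O=IBM, OU=Guardium, CN=IBM-Guardium-CA  cacert.pem
MYSQL Server  04/05/13    04/02/23  C=US, O=IBM, OU=Guardium, CN=mysql_server     server-cert.pem
MYSQL Client  04/03/22    03/31/32  C=US, O=IBM, OU=Guardium, CN=mysql_client     client-cert.pem
"""

def end_of_day_utc(mmddyy):
    """Assumption: a certificate stays valid through 23:59:59 GMT of its Valid To date."""
    day = datetime.strptime(mmddyy, "%m/%d/%y").replace(tzinfo=timezone.utc)
    return day + timedelta(days=1) - timedelta(seconds=1)

def check_mysql_certs(cli_output, now):
    """Return (alias, file, valid_to, status) for each MYSQL row of the summary."""
    findings = []
    for line in cli_output.splitlines():
        m = ROW.match(line.strip())
        if not m or not m["alias"].upper().startswith("MYSQL"):
            continue  # header, separator, or a non-MySQL certificate
        if now > end_of_day_utc(m["valid_to"]):
            status = "EXPIRED"
        elif m["valid_to"] != UPDATED_VALID_TO:
            status = "NOT_UPDATED"  # still valid, but not the new certificate
        else:
            status = "UPDATED"
        findings.append((m["alias"], m["file"], m["valid_to"], status))
    return findings

if __name__ == "__main__":
    for finding in check_mysql_certs(SAMPLE, datetime.now(timezone.utc)):
        print(*finding, sep="  ")
```

Any row reported as EXPIRED or NOT_UPDATED means the appliance still needs one of the patches listed in this technote.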
What to do if certificates expired
If certificates have expired, contact Guardium support. Support engineers can check the internal section of this technote for steps to resolve.
What to do after certificates are updated
To ensure the old certificates are not brought back to the appliances:
- Only install patches listed in the 'Bundle patches' and 'GPU and v11 upgrade patches' sections
- Only install updated ISOs from Passport Advantage
- Do not install patches from the 'Patches removed from Fix Central' section
Steps to resolve before certificate expiry date
- Guardium appliances must be updated to include the new certificate before 23:59:59 GMT April 2nd 2023
- Bundle and ad hoc patches with the new certificate are available to install
- Guardium v11.5 is not affected; it already has the new certificate installed
Cloud appliance images
Guardium appliance images available on cloud vendors are affected. Creation of cloud appliance images with updated certificates is in progress. If new cloud appliances before v11.5 are built, contact Guardium support to resolve certificate expiry problems on those appliances.
Bundle patches
Bundle patches are the recommended way to update appliances.
Guardium GPU version | Bundle patches with new certificate |
v11.4 | v11.0p440 and above |
v11.3 | v11.0p370 and above |
v11.2 | v11.0p277 and above |
v11.1 | v11.0p165 and above |
v11.0 | v11.0p51 and above |
v10.6 | v10.0p699 and above |
v10.5 | v10.0p555 and above |
Ad hoc patches
In case bundle patch installation is not possible, ad hoc patches are available. Ad hoc patches are only dependent on major version (v10 or v11), not GPU level.
Guardium version | Ad hoc patches with new certificate |
10.5 and 10.6 | v10.0p1015 |
11.x | v11.0p1018 |
GPU and v11 upgrade patches
Updated GPU and v11 upgrade patches with the new certificate are available for upgrade scenarios.
- These patches replace the old patches of the same number on Fix Central
- The updated patches must be used if installing after the expiry time
- The latest bundle patch for that version should be installed after installing the GPU
Updated patches on Fix Central:
Patch name on Fix Central | Extra notes |
SqlGuard_10.0p600_GPU_Nov-2018-V10.6 (MySQL Certificates updated 2023) | None |
SqlGuard_10.0p11002_Upgrade-to-Version-11.0_Apr-2021 (MySQL Certificates updated 2023) | Updated MySQL certificate (p699 or p1015) must be installed on the v10.6 appliance before upgrading with updated p11002 |
SqlGuard_11.0p300_GPU_Oct-2020-V11.3 (MySQL Certificates updated 2023) | Known issue - After installing v11.3 GPU p300 on top of v11.2 bundle p270, investigation dashboard (quick search) does not work. Installing the latest v11.3 bundle resolves the problem |
SqlGuard_11.0p400_GPU_Sep-2021-V11.4 (MySQL Certificates updated 2023) | None |
Patch downloads
All patches can be downloaded from IBM Fix Central
ISO Installation
As of December 20th 2022, all Guardium ISOs on Passport Advantage have been updated to contain the new certificate. When building a new appliance, download the latest ISO available from Passport Advantage.
After building a new appliance with the updated ISO, install only the latest bundles with the new certificate, as listed in the 'Bundle patches' section.
Patches removed from Fix Central
Some older bundle patches overwrite the current appliance MySQL certificate with the older expired one. These patches have been removed from Fix Central.
- If these patches were previously downloaded, do not install them. They will cause the appliance to go down.
- Instead, install a bundle patch with the fix listed in the 'Bundle patches' section
- Not all older bundles have been removed, only those that would overwrite the certificate
Patches removed from Fix Central:
Version | Patches |
11.0 | 11.0p50 |
11.1 | 11.0p130, 11.0p140, 11.0p150, 11.0p160 |
11.2 | 11.0p240, 11.0p250, 11.0p260, 11.0p270, 11.0p275 |
11.3 | 11.0p330, 11.0p340, 11.0p350, 11.0p360 |
11.4 | 11.0p404 |
Certificate expiry banner alert
A GUI banner 'alarm bell' alert appears when certificates are within 6 months of expiry.
- The date of expiry on the banner alert in v10 and v11 is in format d-M-YYYY
- Certificate expiry is checked for the alert each morning at 01.30. This means the banner alert still appears until the check is run, even if a patch with the updated certificate is installed.
Document Information
Modified date: 18 April 2023
UID: ibm16839175