This document provides a reference to the contents of this patch. If applicable, the detailed description of each fix and instructions for applying this patch are contained within the download package. The actual package is available for downloading from the IBM Fix Central website at http://www.ibm.com/support/fixcentral/

Make the following selections on Fix Central:
Product selector:           IBM Security Guardium
Installed Version:          11.0
Platform:                          Windows

Click "Continue", then select "Browse for fixes" and click "Continue" again.

• Fresh install of v11.5, no reboot required.
• The NmpProxy driver requires a reboot in order to complete the upgrade. If there are no issues with your current NmpProxy functionality, you can delay the reboot until the next maintenance cycle. No fixes will be applied to the NmpProxy driver until a server reboot is completed.
• Guardium strongly recommends that you do not use the following builds as they contain instabilities that can lead to system failure: 
  11.4.0.168 through 11.4.0.204
  11.3.0.257 through 11.3.0.287
  Best practice is to uninstall these builds and reboot before you install S-TAP v11.5. For all other builds, you can upgrade as usual.

SHA256 GIM client certificates
After applying patch 11.0p530 or newer, Guardium supports SHA256 GIM certificates. This has the following implications:

Deprecated support and functionality

S-TAP status monitoring
S-TAP status monitoring allows you to monitor the DB server environment. Initially introduced in v11.4 for protocol 7 S-TAPs, this functionality is now available for protocol 8 S-TAPs.
For more information, see Configuring S-TAP in the S-TAP Control page.

Automatically correct a local IP
If the local IP is misconfigured or missing, S-TAP attempts to automatically select an appropriate IP from a list provided by the operating system. In the case of multiple available IPs, a Windows API selects the best option for creating a stable connection with the appliance.

S-TAP configuration utility
S-TAP now includes an easy-to-use command line-based utility, guard-config-update.exe, that you can use to modify the S-TAP configuration file. This utility lends itself to automating configuration processes.
For more information see Windows: Configuring S-TAP with guard-config-update.

Must Gather v3.1
As with previous versions, Must Gather continues to aid customers and support teams in troubleshooting issues by gathering and uploading debugging information. V3.1 adds a parsing option delivered by a new PowerShell script that aggregates important information from many files into a simple summary. For more information, see Must gather for Windows S-TAP and other Windows agents.

Mute logs for improved performance
When increased S-TAP performance is required due to significant traffic loads, you can mute the driver debug logs from either the installer or GIM. This provides a significant performance boost but can impact the ability to troubleshoot should problems arise.

To mute the driver logs using CLI, set the value to ON. Any other value sets the parameters to OFF. When using GIM, set the value to 1 to mute or 0 to unmute. The new parameters are:        
 

​​​​​For more information see Protocol 7 Debug parameters and Protocol 8 Debug parameters.

Db2 Exit with auto-discovery
You can now use auto-discovery to configure a Db2 Exit-specific inspection engine instead of the default Db2 inspection engine. Auto-discovery will supply the default Db2 inspection engine when DB2_EXIT_DRIVER_INSTALLED=0 and will replace it with a Db2 Exit inspection engine when DB2_EXIT_DRIVER_INSTALLED=1. For more information on Db2 Exit, see Windows: Configuring the Db2 Exit Library.

Db2 Exit Configuration Utility
S-TAP includes a new Guardium utility for configuring Db2, db2configure.exe:

Note: Restart of the database is required to finish installing or uninstalling the configuration for Db2 Exit 

Enterprise load balancing configuration
S-TAP now supports managed user (MU) group and S-TAP group configuration through GIM as well as guard_tap.ini. Use of these groups is now strictly enforced when using the S-TAP installation wizard as well as GIM so that an MU group cannot be configured without an S-TAP group configuration

For more information, see Associating S-TAP group with a managed unit group for enterprise load balancing.

Extended Session Key
The new randomly generated 32-bit Extended Session Key (ESK) has been added to S-TAP’s v7 protocol for unique identification of each database session to address proper session carry-overs during failover events. GlobalSessionKey configuration parameter has been added to signal Guardium Appliance to enable or disable the usage of ESKs.

     New parameter details
     Guard_tap.ini: GLOBAL_SESSION_KEY
     GIM: WINSTAP_GLOBAL_SESSION_KEY
     Default value: 0
     Description: This parameter toggles the use of extended session keys for unique session identification. 0=disabled, 1=enabled.

Improved failover functionality
S-TAP now comes with significant improvements in failover performance, ensuring that data integrity is preserved when data fails over to another configured collector. 

Dropped packet count
S-TAP can handle large loads of database traffic but is not immune to buffer overflows. When data packets are dropped, S-TAP keeps a count of these to better inform customers of the state of their Guardium environment.

For more information, see Windows: S-TAP statistics

Issue Key	Description
GRD-68904	For more information, see GRD-68904 in the “Resolved issues” section of these release notes.
GRD-64080	Guardium 11.5 does not support some versions of Windows S-TAP when it's used with the enterprise load balancing feature. Using incompatible versions can lead to a loss of communication with S-TAPs. Workaround: Before you upgrade your Guardium system to 11.5, you must upgrade your Windows S-TAPs to a version that is equal or higher than the following:  version 11.3 revision 11.3.0.321  version 11.4 revision 11.4.0.267 version 11.5 revision 11.5.0.143. For more information, refer to: https://www.ibm.com/support/pages/node/6839291
GRD-54373	When upgrading, S-TAP stops capturing traffic for open sessions. Data for these sessions may be lost.  Best Practice: Schedule upgrades during low-traffic hours.
GRD-52552	Redact policies that use REGEX can only scrub data types that are null-terminated.  Workaround: Fast scrub policies can improve scrubbing functionality for data that is not null-terminated.
GRD-44569	Injected DLLs have been updated to allow easy loading and unloading from the system. This change does mean that the following configuration steps are required when upgrading from any 11.3 version or older. Db2 Exit configuration has changed and will not work as previously configured. Best Practice: Following upgrade to 11.5 from any 11.3 version or older, Db2 Exit should be reconfigured as described in https://www.ibm.com/docs/en/guardium/11.5?topic=tap-windows-configuring-db2-exit-library. Injected DLLs for Db2 have been updated in 11.4 and traffic will not be captured for Db2 after upgrade without a Db2 service restart. Best Practice: To capture Db2 traffic following upgrade to 11.5 from any release prior to 11.4, the Db2 service must be restarted following upgrade to S-TAP v11.5. Subsequent upgrades will not require a Db2 service restart.
GRD-68347	The default value for the QUERY_REWRITE_FAIL_CLOSE parameter is 8 for S-TAP 11.1 and earlier versions. If you upgrade from an earlier version (either directly or indirectly) and are using the v7 protocol, this value might be retained in the new S-TAP. For QUERY_REWRITE_FAIL_CLOSE, 8 is no longer a valid value.  Workaround: Replace the invalid value with the new default value, 0, following an upgrade from versions 11.1 and earlier. For more information about QUERY_REWRITE_FAIL_CLOSE, see Protocols 7 and 8 Query rewrite parameters.