IBM Support

Release of Guardium Data Protection ad hoc patch 12.0p1106

Release Notes


Abstract

This technical note provides guidance for installing IBM Security Guardium Data Protection ad hoc patch 12.0p1106, including any new features or enhancements, resolved or known issues, or notices associated with the patch.

Content

Patch information
  • Patch file name: SqlGuard-12.0p1106.tgz.enc.sig
  • MD5 checksum: b64929386669dc42e8a3706eb73369db
Finding the patch 
Make the following selections to locate this patch for download on the IBM Fix Central website:
  • Product selector: IBM Security Guardium
  • Installed version: 12.0
  • Platform: All
  • Click "Continue", select "Browse for fixes", and click "Continue" again.
  • Select "Appliance patch (GPU and ad hoc)" and enter the patch information in the "Filter fix details" field to locate the patch.
For information about Guardium patch types and naming conventions, see the Understanding Guardium patch types and patch names support document.
Prerequisites
Guardium Data Protection 12.0p15 or Guardium Data Protection 12.0p7015, but not both. For more information, see the 12.0p15 release notes or 12.0p7015 release notes.
Installation
Notes
  • This patch restarts sshd.
  • Do not reboot the appliance while the patch install is in progress. Contact Guardium support if there is an issue with patch installation.
Overview
  1. Download the patch and extract the compressed package outside the Guardium system.
  2. Be sure to check the latest version of these patch release notes online just before you install this patch.
  3. Pick a "quiet" or low-traffic time to install the patch on the Guardium system.
For information about installing Guardium Data Protection patches, see How to install patches in the Guardium documentation.
Attention
FIPS enable on 12.0p15 causes ssh connection issue
Enabling FIPS in 12.0p15 adds KEX algorithms to the sshd configuration that are disallowed in FIPS mode. If FIPS is enabled after 12.0p15 is installed, logging in to the system via ssh is impacted. If a system that already has FIPS enabled is upgraded to 12.0p15, there is no impact.
Solution
Install one of the following patches.
  • Patch: 12.0p1105
    Notes: Can be applied to any Guardium system individually.
    Log file: /opt/IBM/Guardium/log/fix_fips_ssh.log
  • Patch: 12.0p1106
    Notes: Apply to the CM and it will fix the CM and all the MUs. Cannot be applied to a non-CM.
    The managed units must have a functional root/cloudsupport passkey set. Otherwise, remotely fixing those units will not be possible. This patch will not patch managed units (MU) that are lower than 12.0p15.
    Inspect the log file after installing the patch. Managed units that were offline are skipped. If any MU was offline, install the individual system patch 12.0p1105 locally on that unit once it shows as active in the CM Central Management page.
    Log file: /opt/IBM/Guardium/log/fix_fips_ssh.log
Requirements
  • Guardium Data Protection 12.0p15 must be installed.
  • To access an affected system via ssh, use the following command to log in as cli and apply the patch:
    ssh -o KexAlgorithms=ecdh-sha2-nistp521 <host>
  • Note: It is not possible to distribute a patch from the CM to an affected managed unit.
Sample log file
----------------------------
mysystem1.example.com
Mon Jun  3 09:45:36 AM EDT 2024
Verifying that the last major patch matches 12.0p15
Last major patch detected matches 12.0p15
backing up /etc/ssh/sshd_config to /etc/ssh/sshd_config_20240603_094536
Fixing /etc/ssh/sshd_config
/etc/ssh/sshd_config is fixed
backing up /opt/IBM/Guardium/cli/subs_store.pl to /opt/IBM/Guardium/cli/subs_store.pl_20240603_094536
----------------------------
192.168.1.100 is offline:  skipping
Processing: 192.168.1.101
----------------------------
mysystem2.example.com
Mon Jun  3 09:45:38 AM EDT 2024
Verifying that the last major patch matches 12.0p15
Last major patch detected matches 12.0p15
backing up /etc/ssh/sshd_config to /etc/ssh/sshd_config_20240603_094538
Fixing /etc/ssh/sshd_config
/etc/ssh/sshd_config is fixed
backing up /opt/IBM/Guardium/cli/subs_store.pl to /opt/IBM/Guardium/cli/subs_store.pl_20240603_094538
----------------------------
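The following script is an added example, not part of IBM's release notes or the patch itself. It lists the units that the log inspection described above should flag for follow-up. It assumes the log keeps the layout of the sample log on this page; the function names and the mysystem3 block are constructed for illustration.

```shell
# Added example (not IBM code). Assumes the log keeps the sample layout above.
# Print one line per unit: "FIXED <host>", "NOT_FIXED <host>" or "OFFLINE <ip>".
summarize_fix_log() {
  awk '
    function emit(  s) { s = fixed ? "FIXED" : "NOT_FIXED"; print s, host }
    /^-----+$/      { if (host != "") emit(); host = ""; expect = 1; next }
    / is offline:/  { print "OFFLINE", $1; next }
    /^Processing: / { next }
    expect          { host = $1; fixed = 0; expect = 0; next }
    /^\/etc\/ssh\/sshd_config is fixed$/ { fixed = 1 }
    END             { if (host != "") emit() }
  ' "$@"
}

# Units to follow up: offline ones (12.0p1105 locally once active, per the
# notes above) and any block that never logged "sshd_config is fixed".
units_to_follow_up() {
  summarize_fix_log "$@" | awk '$1 != "FIXED" { print $2 }'
}

# Constructed input: based on the sample log above; mysystem3 is a made-up
# block without the "is fixed" line.
sample_log() {
  cat <<'EOF'
----------------------------
mysystem1.example.com
Mon Jun  3 09:45:36 AM EDT 2024
/etc/ssh/sshd_config is fixed
----------------------------
192.168.1.100 is offline:  skipping
Processing: 192.168.1.101
----------------------------
mysystem2.example.com
Mon Jun  3 09:45:38 AM EDT 2024
/etc/ssh/sshd_config is fixed
----------------------------
Processing: 192.168.1.102
----------------------------
mysystem3.example.com
Mon Jun  3 09:45:40 AM EDT 2024
Verifying that the last major patch matches 12.0p15
----------------------------
EOF
}

sample_log | units_to_follow_up
```

To check a real run, pass a copy of /opt/IBM/Guardium/log/fix_fips_ssh.log as the argument to units_to_follow_up instead of piping in the sample.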
Bug fix
This patch resolves the following issues.
  • Issue key: GRD-82992
    Summary: FIPS enable on 12.0p15 causes ssh connection issue.
Known limitations
This patch contains the following known limitations:
  • Issue key: GRD-83690
    Summary: Do not install this patch if you are using OCI or GCP, and have FIPS enabled. When FIPS is enabled, you are not able to connect to cloud instances of GCP and OCI.


Document Information

Modified date:
02 August 2024

UID

ibm17156620