IBM Support

Release of Guardium Data Protection pre-upgrade health check 11.0p9998

Release Notes


Abstract

This technical note provides guidance for installing IBM Security Guardium Data Protection pre-upgrade health check patch 11.0p9998. It includes overview and description of all checks.

Content

Patch information
  • Patch file name: SqlGuard-11.0p9998.tgz.enc.sig
  • Patch date: Oct 27 2025
  • MD5 checksum: db24d1ef5e7adfd8812c5ade2d371607
 
Finding the patch 
Make the following selections to locate this patch for download on the IBM Fix Central website:
 
  • Product selector: IBM Security Guardium
  • Installed version: 11.0
  • Platform: All
  • Click "Continue," select "Browse for fixes," and click "Continue" again.
  • Enter the patch information in the "Filter fix details" field to locate the patch
For information about Guardium patch types and naming conventions, see the Understanding Guardium patch types and patch names support document.
 
Prerequisite 
Guardium version 11.0
 
Overview
  • The purpose of the patch is to perform preliminary checks on the Guardium appliance before v12 upgrade to prevent potential issues during the upgrade.
  • This patch can be installed more than once.
  • The health check generates a log file named health_check_9998.<time_stamp>.log.
  • To view the log file:
    • View in GUI - "Health Check Log" report
      • Right click on the last installed health check and select "Health Check Log - Details" to see the details of each check
    • View in fileserver:
      • Type fileserver command in cli
      • Open the fileserver in web browser
      • Go to opt-ibm-guardium-log ->diag->current folder and open the most recent log file 
  • The log file will contain a status of each validation. 
    • In case any one of these validations has failed, the status of the failed validation will start with an “ERROR:” prefix and the following message will appear at the end of the log file: Please send this log file and <file_name> file to support team. 
      • Review the details in this document to determine how to proceed. Guardium support can assist with any questions.
    • In case validation is completed with a warning the status of the failed validation will start with “WARNING:”, and the following message will appear at the end of the log file: Please send this log file and <file_name> file to support team. 
      • Review the details in this document to determine how to proceed. Guardium support can assist with any questions.
    • If no problem was found, the following message appears at the end of the log file: Appliance is ready for GPU installation/upgrade.
  • The list of checks will expand and is subject to change in future versions of health check. Always download the latest from fix central
 
Details of each check
 
p12001 check
 
Health check will block installation of the old upgrade patch 11.0p12000, you must upgrade with current upgrade 11.0p12001.
If health check succeeds, the following will be seen in 'show system patch installed':
 
  • WARNING: Succeeded for p12001 only

If any other warning or error status is shown, check the health check logs for details.

 
Appliance Configuration Check

 Check there is NO issue with DB size (used DB space is less than 80%). 
 In case DB used space is greater than 80%, the following message appears in the output file: 
 
  •  ERROR: DB is more than 80% full. Please reduce size of your DB and run Health Check again. 
 
 In case DB used space is between 20% and 80%, the following message appears in the output file:
 
  •  WARNING: DB is more than 20% full. Consider reducing size of your DB and run Health Check again. 
 
 In this case we do not fail the patch, but recommend to consider reducing database used space as much as possible before upgrade. Reduce space by decreasing the purge age. Reducing space used in the appliance database reduces time to complete the upgrade.
 Check there is no issue with disk space.
 
 In case there are old files in /boot partition that can be moved, the health check does it automatically and the following message appears in the output file:
  •  Old initramfs files moved from /boot to /var/tmp/p9998_initramfs_files
 
 After automatically moving files, in case /boot partition does not have enough space to start the upgrade, the following message appears in the output file:
  • ERROR: Not enough space in /boot for upgrade. Contact Guardium support and attach support must_gather patch_install_issues and system_db_info.
 
 In case /var partition does not have enough space to start the upgrade, the following message appears in the output file:
  • ERROR: Not enough space in /var for upgrade. Estimated space required - xMB. Actual space available – yMB
 
 In case /var partition is more than 45% used, the following message appears in the output file:
  • WARNING: /var disk usage is over 45%. Consider reducing /var disk usage before upgrade.
Reducing space used on the appliance /var partition reduces time to complete the upgrade. It is recommended to reduce space by purging as much data as possible.
 
 Note: Health Check will delete unnecessary metadata files from root partition

 
 
Cloud appliance check
 
Guardium appliances built on cloud platforms (AWS, Azure, IBM Cloud, Google Cloud, Oracle cloud) are not supported for upgrade patch. Upgrade these appliances using rebuild and restore method.
In case the appliance is built on cloud platform, the following message will appear in the log file:
  • ERROR: V12 upgrade patch is not allowed for cloud appliances.
 
In case the appliance is not built on cloud platform, the following message will appear in the log file:
  • No issue with appliance type
 
 
Check Custom Partitions

Appliance with custom partitions cannot be upgraded and should be rebuilt.

In case /boot partition is missing, the following message will appear in the log file:
  • ERROR: FOR UPGRADE TO v12 APPLIANCE SHOULD BE REBUILT - no boot partition.
 
In case / partition is missing, the following message will appear in the log file:
  • ERROR: FOR UPGRADE TO v12 APPLIANCE SHOULD BE REBUILT - no root partition.
 
In case /var partition is missing, the following message will appear in the log file:
  • ERROR: FOR UPGRADE TO v12 APPLIANCE SHOULD BE REBUILT - no var partition.
 
In case any non-standard partition is found, the following message will appear in the log file:
  • ERROR: FOR UPGRADE TO v12 APPLIANCE SHOULD BE REBUILT - non-standard partition
 
In case multi-disk installation is found, the following message will appear in the log file:
  • ERROR: FOR UPGRADE TO v12 APPLIANCE SHOULD BE REBUILT - multi-disk installation is not supported
 
In case any other kind of custom partition setting is found, the following message will appear in the log file:
  • ERROR: FOR UPGRADE TO v12 APPLIANCE SHOULD BE REBUILT - Custom partitions flag found.
 
In case no custom partitions are found, the following message will appear:
  • No custom partitions found
 
 
Check for MUs rebuild requirement from CM
 
When run on CM, all MUs are checked for known limitations where rebuild is required to upgrade. The limitations are – Custom partitions and cloud appliances. Root passkey must be set on the MU to get this information. This information can be used in planning upgrade strategy for the environment.
In case CM or MU has known limitation where rebuild is required for upgrade, the following will appear in the log file:
  • WARNING: At least one MU has to be rebuilt. Please check <csv_file> file.
 
Csv_file can be checked from CM fileserver opt-ibm-guardium-log/diag/current.
Example csv file:
Host NameCustom partitionedCloud applianceRebuild required
CMNoNoNo
MU1YesNoYes
MU2No YesYes
MU3YesYesYes
MU4Not foundNot foundCheck local appliance
 
 
Not found means the CM could not connect to that appliance. It can be checked directly by running health check there. 
This check does not remove requirement to install health check on all MUs.
 
Custom Query Check
 
In case customer has custom queries with the same name that are going to be added by upgrade, the following message will appear in log file: 
  • ERROR: Duplicate query names found.
 
In case no custom queries found with the same name that are going to be added by upgrade, the following message will appear in log file: 
  • No duplicate queries found.
 
 
MySQL Table Corruption Check

In case there are any crashed tables found in the main databases, the following message will appear in the log file: 
  • ERROR: Crashed tables have been found.
 
In case no crashed tables are found, the following message will appear in the log file: 
  • No crashed tables found. 
 
Check Hardware Version

To prevent failure of upgrade because of firmware version, verify that the version of firmware will not cause upgrade issues.
In case when hardware is not 3550 M4 or 3550 M5 or SR630 (M6), patch will NOT fail and the following message will appear in the log file: 
  • Hardware is not a recognized type. Skipping version check.
 
In case hardware version is M4, the patch will fail and the following message will appear in the log:
  • ERROR: M4 hardware is not supported by v12
 
In case hardware version need to be checked and the check passes, the patch will NOT fail and the following message will appear in the log: 
  • <Hardware version info>. Hardware version check passed.
 
For each of the supported models/types, the health check verifies the following:
  • x3550 M5 – Type 8869/5463
    • DSA: >= 10.5
    • IMM2: >= 5.40
    • UEFI:  >= 3.11
  • SR630 (M6) – Type 7X02:
    • BMC/XCC: >= 4.20
    • LXPM: >= 1.90
    • UEFI:  >= 2.61
In case hardware version does not pass the verification, the patch will fail and the following message will appear in the log file:
  • ERROR: Hardware version check failed. Please apply the latest firmware patch from IBM Fix Central
 
Check latest GPU

In case the highest GPU installed on the appliance is 11.4 or lower, the Health Check fails, and the following message will appear in log file:   
  • ERROR: The latest installed GPU is <number of the highest installed GPU>. Please upgrade to at least 500.
 
Check backup configured

V12 upgrade requires an external SCP or SFTP location to send data to. The GUI system backup configuration is used for this. In case system backup is not configured with SCP or SFTP options, the following message will appear in log file:
  • ERROR: System backup is not configured correctly. It must be set in GUI System Backup page using SCP or SFTP options.
 
In case system backup is configured, but a test file failed to send to the location, the following message will appear in log file:
  • ERROR: System backup is configured correctly but test connection failed. Confirm system backup settings in GUI.
 
In case system backup is configured and test connection works, the following message will appear in log file:
  • System backup is configured correctly and test connection succeeded.
 
Check TLS version

V12 does not support TLS version below v1.2. In case TLS v1.2 is not available on the appliance, the following message will appear in log file:
  • ERROR: TLS version is not correct for v12 upgrade.
 
In case TLS v1.2 is available, the following message will appear in log file:
  • TLS version 1.2 is available
 
 
 
Check Network Role 

To prevent failure of upgrade because of wrong network configuration, the patch will verify rolemap file content.
In case configuration is correct, the following message will appear in the log file:
  • No need to rebuild rolemap
 
In case configuration is wrong but can be fixed by the patch, the following message will appear in the log file: 
  • Rolemap was successfully rebuit
 
In case configuration is wrong and the patch cannot fix it, the patch will fail and the following message will appear in the log file: 
  • ERROR: Please escalate the issue to Guardium support for fixing network configurations 
 
Check for existing TURBINE_USER_GROUP_ROLE table

TURBINE_USER_GROUP_ROLE table may be missing due to previous database crash problems. In case this table is missing, the following message will appear in the log file: 
  • ERROR: TURBINE_USER_GROUP_ROLE table does not exist or is corrupted
 
Guardium support should be contacted to correctly rebuild this table. In case the table exists, no message will be written to the log file.
 
Check for old partitions

In case partitions older than purge age plus 60 days exist, the following message will appear in the log file:
  • WARNING: Old partitions found. The oldest partition is <date> while expected oldest date is <date>. Please run support must_gather patch_install_issues and contact support to clean up old partitions
Old partitions have multiple causes. The correct course of action to clean them up should be determined in consultation with Guardium support. Old partitions diagnostic file from patch must gather diag/current directory will help to determine the next steps. For more information check https://www.ibm.com/support/pages/node/6564421 
 
 
Check for old data 

In case data older than purge age plus 60 days exists in the oldest partition, the following message will appear in the log file:
  • WARNING: Data older than purge period + 60 days found in oldest partition. Please run support must_gather patch_install_issues and contact support to clean up old data.
 
If old data is existing on the appliance oldest partition, upgrade to v12 will recreate partitions based on this data, causing old partitions problems after upgrade. The correct course of action to clean them up should be determined in consultation with Guardium support. For more information check https://www.ibm.com/support/pages/node/6564421
 
Check whether any 10.5 or earlier version STAP are used by the appliance

Because v10.5 and earlier Unix and Windows S-TAPs are not supported in v12, if Health Check finds any of those, for each one the following message will appear in log file.
  • ERROR: <tap type> on <tap host> should be upgrade to version 10.6 or higher.
 
10.6 is the minimum allowed version, but it is recommended to upgrade to v11.5
 
 
Check for duplicate alias entries

Due to a previous defect, duplicates might exist in ALIAS table. The defect is resolved in latest bundles, but the leftover alias entries might remain.
In case duplicate alias entries found, the following message will appear in log file:
  • ERROR: There are duplicates in ALIAS table. Check p9998 release notes for steps to resolve.
 
In case no duplicate alias entries are found, the following message will appear in log file:
  • No duplicates in ALIAS table found.
 
For steps to resolve the problem see – https://www.ibm.com/support/pages/node/7008419
 
Check for bad uploaded jar files

Jar files for some functionality can be uploaded from GUI customer uploads page. If these files are not valid jar files they can cause upgrade to fail.
In case bad jar files are found, the following message will appear in log file, followed by a list of files:
  • ERROR: Bad jar files found in customer uploads directory. Contact Guardium support to resolve. Bad jar files:
 
In case bad jar files are not found, the following message will appear in log file:
  • No bad jar files found.
 
To resolve the problem, contact Guardium support. If the files are not needed, they can be removed by support. The files would have to be inspected on a case-by-case basis.
 

Check for GIM certificates

It is not possible to push new GIM bundles in v12.0 before 12.0p10 if the GIM certificates are using SHA1 certificates, including the default certificate on appliances. The GIM certificate must be updated to use custom SHA256. This limitation is removed in v12.0p10 and above.

In case GIM certificates using SHA1 are found, the following message will appear in log file:

  • WARNING: Non SHA256 GIM certificates found. To resolve install new SHA256 GIM certificates from cli.

In case there is no issue with the certificates, the following message will appear in log file:

  • No issue with GIM certificates.

To install custom GIM certificates see - https://www.ibm.com/docs/en/guardium/11.5?topic=management-creating-managing-custom-gim-certificates

Check for aggregator flag

In case the unit type is aggregator, but an internal aggregator flag was missing, the flag will be created and the following message will appear in the log file:

  • Missing aggregator flag automatically recreated.

In case flag already existed, the following will appear in log file:

  • No issue with missing aggregator flag.
 

Check for import file sizes on Aggregator

Time taken for v12 import jobs might be longer than versions before v11.5 due to underlying MySQL database changes. The time taken is dependent on the number of rows in import files. Longer time to run aggregation jobs is only a problem if it causes impact other scheduled jobs. For example, audit processes on aggregator might start before import is finished, resulting in missing data in the reports.

When installed on a central manager, p9998 runs checks on all managed aggregators to collect aggregation and schedule information for later analysis. The root passkey must be set on the managed aggregators to run the remote checks. There is also a local check on each aggregator or central manager p9998 is installed on.

In case there are days where total imported rows exceed 100 million, this is a strong indictor the schedule will need to be updated. The patch will show warning status in installed patch report. The following message will appear in log file:

  • WARNING: Import of large number of rows found locally on this unit. Impact on aggregation job duration is likely. See health check release notes for more information and Fileserver->Sqlguard logs->diag->current->agg_schedule_check_results_<datetime>.tgz for details of scheduled jobs.

When patch is run on the CM, in case there are days where total imported rows exceed 100 million on any managed aggregator. Message like above appears with list of logs for managed aggregators that exceeded threshold.

In case there are no days where total imported rows exceed 100 million, there is still a chance the schedule will need to be updated. The following message will appear in log file:

  • INFORMATION: Impact on aggregation job duration is possible. See health check release notes for more information.

A set of log files is created in Sqlguard logs->diag->current->agg_schedule_check_results_<dateime>.tgz. On the central manager this contains results from all managed aggregators.

If p9998 shows a warning for this check, follow this technote to resolve potential problems. The technote refers to v11.5, but the same applies on v12 - https://www.ibm.com/support/pages/node/6612043

 

Check for expired cli password

If cli user’s password is expired, or the password is set to never expire, upgrade can fail. In case cli user password is set to never expire, the following message will appear in the log file:

  • ERROR: Password for user cli never expires. The expiration must be set to a valid number of days and password reset

To resolve, the cli password expiry must be set to a valid number of days (1-60) using cli “store password expiration cli”. The cli password must then be changed using cli “store user password”, because it may be older than the number of days just set. The password and expiry can be propagated from CM to all MUs using cli “support reset-managed-cli”.

In case cli user password is expired, the following message will appear in the log file:

  • ERROR: Password has expired for user cli

To resolve, the cli password must be changed using cli “store user password”, or when prompted on cli login. The password can be propagated from CM to all MUs using cli “support reset-managed-cli”.

In case cli user password is not expired, the following message will appear in the log file:

  • Password has not expired for user cli

Check for p12001 file in migration directory

If p12001 was previously installed and failed, the patch file is no longer available in the patches directory. P9998 health check will recover the p12001 patch file if it exists, so p12001 can be re-installed after resolving the cause of the failure. This means p12001 does not need to be re-uploaded to the appliance. If p9998 detects p12001 file to recover, the following message will appear in the log file:

  • Patch restored from previous p12001 upgrade failure.

Otherwise, no message will appear in the log file.

Check for active threat analytics (ATA) cases

After upgrade to v12, existing ATA cases will appear with an incorrect Period End date. New ATA cases will not be visible. To resolve the problem after upgrade, install ad-hoc patch v12.0p4. In case ATA cases exist, the following message will appear in the log file:

  • WARNING: Appliance might be using Active Threat Analytics (ATA). After upgrade to v12, existing ATA cases will appear with an incorrect Period End date, and new ATA cases will not be visible. To correct that, install ad-hoc patch 12.0p4.

It is possible to receive this warning, even if ATA is not actively used. If ATA is not used in the environment, v12.0p4 is not required after upgrade.

Check for old host key algorithm on backup server

In v12, ssh communication with ssh-rsa host key algorithm is not allowed for security reasons. This is due to the underlying Redhat 9 OS in v12. Communication with backup servers with older OS e.g. Redhat 6 will fail. During upgrade, backup to an older server will succeed on v11 but upgrade patch will fail when v12 appliance restores from that server.

In case incompatible host key algorithm is found on the backup server, the following message will appear in the log file:

  • ERROR: Backup server host key algorithm is not compatible with Redhat 9

In case the backup server algorithm is ok, the following message will appear in log file:

  • No issue with backup server host key algorithm

To resolve, use a backup server OS that can communicate with Redhat 9 via ssh.

 

Check for secure boot

Secure boot is not supported for upgrade to v12 due to usage of an intermediate unsigned kernel. It is supported in v11.5 and v12.0

In case secure boot is detected on the system, the following message will appear in log file:

  • ERROR: V12 upgrade patch is not allowed for appliances with secure boot enabled. Disable secure boot from the VM before upgrading
In case secure boot is not detected on the system, the following message will appear in log file:
 
  • No issue with secure boot setting
If secure boot is enabled, disabled it at the VM or hardware level and restart the appliance. It can be enabled after upgrade to v12.
 
Check for active swap
 
A swap partition that is actively used as swap memory is required for upgrade. 
In case no active swap partition is found, the following message will appear in log file:
  • ERROR: No active swap partition found. Contact Guardium support to investigate.
 
Otherwise, the following message will appear in log file: 
  • No issue with active swap partition
Contact Guardium support to investigate why swap is not active in v11.5 and activate it.
 
 
Check for tables not recognized by MySQL
 
In rare cases, some table files for partitioned tables in 11.5 can be missing. If upgrade takes place in this state it will fail.
In case missing table files are detected, the following message will appear in log file for each table with missing files:
  • ERROR: Table <table> is not recognized by MySQL
Otherwise, the following message will appear in log file: 
  • No issue with tables not recognized by MySQL
Contact Guardium support to investigate the issue.
 
 
Check for ntp service enabled
 
If ntp service is not enabled in 11.5 appliance, the time of the appliance is set incorrectly after upgrade. 
In case ntp service is not enabled, the following message will appear in log file: 
  • ERROR: Ntpd service must be enabled to upgrade. Run cli - store system ntp state on
If ntp service is enabled, the following message will appear in log file: 
  • No issue with ntpd service
To enable the service in 11.5, run cli - store system ntp state on.
To disable in 12.0, run cli - store system time_server state off.
 
If the number of affected appliances is too large to run cli commands on each one, or no ntp server is available in the environment, contact Guardium support.
 
 
Check for secondary network interface where resolver can not be connected
 
If the appliance has a secondary network interface and the network resolver can not be contacted on both interfaces, upgrade will not work as expected. The appliance will be on v12, but network restart at the end of the upgrade will hang.
To resolve, use cli - store network resolvers to add resolvers that can be contacted on both network interfaces. Or remove the secondary interface before upgrade.
In case network resolver can not be contacted by all interfaces, the following message will appear in log file: 
  • WARNING: Could not resolve hostname from ip <appliance ip> using resolver <resolver ip>. Both interfaces should be able to connect to a network resolver. Result: <dig result>
In case network resolver can be contacted by all interfaces, the following message will appear in log file: 
  • No issue with resolver and secondary interface
Check ifcfg files
 
Depending on the previous network configuration of the appliance and upgrade history, internal network configuration files might be incompatible with v12 upgrade.
 
In case a problem is found, one or more of the following messages will appear in log file:
 
  • ERROR: Problem with IPADDR0 line in ifcfg-eth0. Contact Guardium support
  • ERROR: Ifcfg-eth0-1 file exists. Contact Guardium support
  • ERROR: Problem with NM_CONTROLLED line in ifcfg-eth0. Contact Guardium support
In case no problem is found, all of the following messages will appear in log file:
 
  • No issue with IPADDR0
  • No issue with ifcfg-eth0-1 file
  • No issue with NM_CONTROLLED
If any of these errors are seen, the appliance should be investigated directly by Guardium support to determine the next steps. Collect support must_gather network_issues and contact support. Support can check the internal section of this technote for more information.
 
 
Check for password string
 
For v12 upgrade, system backup must be set in the GUI to send the "upgrade backup" file to remote location. For some specific passwords, the encrypted password string can not later be used when copying the upgrade backup file back to the appliance in v12. 
 
If the current system backup password has this problem, the following message will appear in log file:
  • ERROR: System backup password could not be decrypted. Install 11.0p1064 before upgrading to resolve.
If the current system backup password is good, the following message will appear in log file:
  • No issue with system backup password
To resolve the problem, ad-hoc patch 11.0p1064 should be installed, then re-install health check to confirm the error is resolved.
 
 
Check for M5 hardware 
 
On M5 hardware the following message will appear in log file:
  • WARNING: M5 hardware detected.  Guardium v12 is RHEL 9 based which is not tested or supported on M5 hardware.  Proceed at your own risk.
Check for unsupported partition layout 
 
If /var is in /dev/sda2 and swap is in /dev/sda5 and swap size is lass than 11G
then the following message will appear in log file:
  • ERROR: This partition layout is not supported for upgrade. You can restore a v11.5 backup on a v12.0 deployment.

Check if there are any custom ANALYTIC CASE/SYMPTOM records 

Some custom defined records might be deleted by GPU or Bundle lower than p200.
New check checks if such records exist and sore them aside on appliance. The following warning message will appear in Health Check Log report:
  • WARNING: $count records created by customer might be deleted by the next patch installation.
 
The following recommendation will appear in Health Check Log - Details report:
  • In order to restore deleted custom records, please ask Support to provide you patch SqlGuard-12.0p1129.tgz.enc.sig and install it AFTER GPU/Bundle installation.
Patch SqlGuard-12.0p1129.tgz.enc.sig will be supplied to customer per request by Guardium Support team.
The issue is not relevant after p200 or higher is installed.
 
Report disk space required by backup for upgrade 
 
Disk space required by backup for upgrade will appear in log file:

    Disk space required by backup for upgrade is 49G.

[{"Type":"MASTER","Line of Business":{"code":"LOB76","label":"Data Platform"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSMPHH","label":"IBM Security Guardium"},"ARM Category":[{"code":"a8m3p000000PCTuAAO","label":"Platform\/Installation\/Deployment"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Document Information

Modified date:
25 November 2025

UID

ibm17157115

Page Feedback