IBM Support

Release of Guardium Data Protection Windows S-TAP 11.4.0.447

Release Notes


Abstract

This technical note provides guidance for installing IBM Security Guardium Data Protection Windows Agents 11.4.0.447, including any new features or enhancements, resolved or known issues, or notices associated with the patch.

Content

Patch information

Product: IBM Security Guardium
Release version: Guardium 11.4 Windows S-TAP
Completion date: 30 July 2024

Fix IDs

Guardium_11.4.0.447_S-TAP_Windows

Finding the patch

This document provides a reference to the contents of this patch. If applicable, the detailed description of each fix and instructions for applying this patch are contained within the download package. The actual package is available for downloading from the IBM Fix Central website at http://www.ibm.com/support/fixcentral/

Make the following selections on Fix Central:
Product selector: IBM Security Guardium
Installed Version: 11.0
Platform: Windows

Click "Continue", then select "Browse for fixes" and click "Continue" again.

When to reboot after installing or upgrading to Guardium 11.4 Windows S-TAP

  • Fresh install of Guardium 11.4, no reboot required.
  • The NmpProxy driver requires a reboot in order to complete the upgrade. If there are no issues with your current NmpProxy functionality, you can delay the reboot until the next maintenance cycle. No fixes will be applied to the NmpProxy driver until a server reboot is completed.
  • Guardium strongly recommends that you do not use the following builds as they contain instabilities that can lead to system failure: 
    11.4.0.168 through 11.4.0.204
    11.3.0.257 through 11.3.0.287
    Best practice is to uninstall these builds and reboot before you install this S-TAP v11.4.
  • For all other builds, you can upgrade as usual. For more information, see the Windows: When to restart or reboot the database server after installing or upgrading S-TAP support document.

Attention

SHA256 GIM client certificates
This patch provides SHA256 GIM client certificates. To avoid connectivity issues or other disruptions to the GIM service, review Updating Guardium Data Protection GIM clients with SHA256 certificates before applying this patch.

Deprecated support and functionality

Windows Server 2012 and 2012 R2
Windows Server 2012 and 2012 R2 reached end of support by Microsoft on October 10, 2023 and will no longer receive security updates. For this reason, as of March 31, 2024, Guardium can no longer maintain support for these operating systems. For more information, see IBM Security Guardium support discontinuance notification for Microsoft Windows Server version 2012 and 2012 R2.

Microsoft SQL Server 2012
IBM Security Guardium no longer supports Microsoft SQL Server 2012 as of July 12, 2022. For more information, see IBM Security Guardium support discontinuance notification for Microsoft SQL Server version 2008 and 2012.

New features and enhancements

Must Gather v3.1
As with previous versions, Must Gather continues to aid customers and support teams in troubleshooting issues by gathering and uploading debugging information. V3.1 adds a parsing option delivered by a new PowerShell script that aggregates important information from many files into a simple summary. For more information, see Must gather for Windows S-TAP and other Windows agents.

S-TAP status monitoring
S-TAP status monitoring allows you to monitor the DB server environment. Initially introduced in v11.4 for protocol 7 S-TAPs, this functionality is now available for protocol 8 S-TAPs.
For more information, see Configuring S-TAP in the S-TAP Control page.

New support for Db2 SSL and Informix SSL
S-TAP now supports Db2 SSL and Informix SSL.
To configure Db2 SSL, set the following parameters in the guard_tap.ini file and then restart the Db2 service.

DB2_SSL_DRIVER_INSTALLED=1
DB2_EXIT_DRIVER_INSTALLED=0
DB2_TAP_INSTALLED=0

To configure Informix SSL, set INFX_SSL_DRIVER_INSTALLED=1 in the guard_tap.ini file.
 
Mute logs for improved performance
When increased S-TAP performance is required due to significant traffic loads, you can mute the driver debug logs from either the installer or GIM. This provides a significant performance boost but can impact the ability to troubleshoot should problems arise.

To mute the driver logs using CLI, set the value to ON. Any other value sets the parameters to OFF. When using GIM, set the value to 1 to mute or 0 to unmute. The new parameters are:

CLI              GIM                    Description
-LOG-STAP-MUTE   WINSTAP_LOG_STAP_MUTE  Mute the stap.ctl log
-LOG-NMP-MUTE    WINSTAP_LOG_NMP_MUTE   Mute the NmpMonitor.ctl log
-LOG-WFP-MUTE    WINSTAP_LOG_WFP_MUTE   Mute the WfpMonitor.ctl log

For more information, see Protocol 7 Debug parameters and Protocol 8 Debug parameters.

Db2 Exit with auto-discovery
You can now use auto-discovery to configure a Db2 Exit-specific inspection engine instead of the default Db2 inspection engine. Auto-discovery will supply the default Db2 inspection engine when DB2_EXIT_DRIVER_INSTALLED=0 and will replace it with a Db2 Exit inspection engine when DB2_EXIT_DRIVER_INSTALLED=1. For more information on Db2 Exit, see Windows: Configuring the Db2 Exit Library.

Db2 Exit Configuration Utility
S-TAP includes a new Guardium utility for configuring Db2, db2configure.exe:
  • Run db2configure.exe from an administrative command prompt with no parameters to configure the Db2 database and inspection engine to capture traffic using Db2 Exit.
  • Run db2configure.exe from an administrative command prompt with the UNINSTALL parameter to remove the database configuration.
Note: A restart of the database is required to finish installing or uninstalling the configuration for Db2 Exit.

Extended session key
A new, randomly generated 32-bit Extended Session Key (ESK) has been added to the S-TAP v7 protocol to uniquely identify each database session, so that sessions carry over properly during failover events. The GlobalSessionKey configuration parameter has been added to signal the Guardium appliance to enable or disable the use of ESKs.

     New parameter details
     Guard_tap.ini: GLOBAL_SESSION_KEY
     GIM: WINSTAP_GLOBAL_SESSION_KEY
     Default value: 0
     Description: This parameter toggles the use of extended session keys for unique session identification. 0=disabled, 1=enabled.

Resolved issues

Guardium Windows S-TAP 11.4.0.447
Each entry gives the issue key, the known issue (APAR) in parentheses, and the summary.

Patch 11.4.0.316: Link to 11.4.0.316 on Fix Central
Patch 11.4.0.363: Link to 11.4.0.363 on Fix Central
Patch 11.4.0.447:

  • GRD-68423 (APAR DT249847): Moved matching of login packets to Kerberos authenticated sessions from SQL Server into S-TAP to reduce occurrence of missing DB_USER and support TDS 7.0. New parameters are introduced in guard_tap.ini and GIM as follows:

    SSPI_NAME_LIMIT
    Default value: 10000
    Value range: 500-20000
    Description: The maximum number of SSPI names that the correlators can store in the S-TAP at any one time. Any names over this limit are dropped.

    SSPI_NAME_TTL
    Default value: 120
    Value range: 5-300
    Description: The number of seconds that an SSPI name is stored in the S-TAP. Names that linger beyond this time interval are dropped.

    SSPI_SESSION_TTL
    Default value: 60
    Value range: 1-300
    Description: The number of seconds that login packets wait for a Kerberos name to arrive for them. Login packets that linger beyond this time are released to the collector.

    SSPI_SESSION_MEMORY
    Default value: 40
    Value range: 1-1024
    Description: The amount of memory, in MB, that can be used to buffer traffic while waiting for Kerberos names to be delivered for active sessions.

    The default value for the following parameter was NOT updated in this release and remains as follows.

    CORRELATION_TIMEOUT
    Default value: 300
    Guardium recommends using a value of 120 for average use.

  • GRD-69634 (APAR GA18431): Fixed a race condition in the correlator driver that led to missing DB_USER information for encrypted Microsoft SQL Server traffic.
  • GRD-70198 (APAR DT244172): Improved performance of S-TAP firewall-related functionality.
  • GRD-72932 (APAR DT249848): Replaced memcpy with memmove to avoid nonsense DB_USER values.
  • GRD-73574 (APAR DT244227): Fixed an issue with Guardium Db2 Exit DLL freeing a pointer twice, when stopping the S-TAP service.
  • GRD-76256 (APAR DT249830): Fixed inconsistent raw pointer and shared pointer when failover happens using protocol 7 and PARTICIPATE_IN_LOAD_BALANCING=1.
  • GRD-76964 (APAR DT256988): Fixed excessive display of Event ID 5156 "The Windows Filtering Platform has permitted a connection" in event viewer when enabling success auditing for Windows Filtering Platform connections.
  • GRD-77451 (APAR DT259462): Fixed a potential server instability caused by Correlator.sys.
  • GRD-78380 (APAR DT259582): Fixed an issue where S-TAP service would not start when configured with V8 and IBM Common Inventory Technology (CIT) tool is installed on the server.
  • GRD-80188 (APAR DT365798): Restored functionality to GIM parameter WINSTAP_ENABLEGAM such that the GAM service is fully disabled when WINSTAP_ENABLEGAM=0.
  • GRD-80264 (APAR --): Removed the deprecated parameter TCP_ALIVE_MESSAGE from guard_tap.ini.
  • GRD-80324 (APAR DT378640): Improved the installer such that failure on a non-essential step does not abort the installation.
  • GRD-82128 (APAR --): Added quotation marks around the uninstall path string when the path has spaces included.
  • GRD-83046 (APAR --): Fixed a server instability caused by the NmpProxy driver.
  • GRD-85373: Win-STAP (v7 protocol) may stop sending traffic to collector when PARTICIPATE_IN_LOAD_BALANCING=1
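
The following is an added example, not IBM code: a small Python audit of guard_tap.ini text against the values these notes document (the SSPI value ranges, GLOBAL_SESSION_KEY being 0 or 1, the removed TCP_ALIVE_MESSAGE parameter, and the Db2 SSL settings). The sample file, its [TAP] section name, case-insensitive key matching, and the helper names parse_ini and audit are assumptions made for illustration.

```python
import re

# Value ranges for the new SSPI parameters, copied from the notes above.
RANGES = {"SSPI_NAME_LIMIT": (500, 20000), "SSPI_NAME_TTL": (5, 300),
          "SSPI_SESSION_TTL": (1, 300), "SSPI_SESSION_MEMORY": (1, 1024)}

# Constructed sample; the [TAP] section name and layout are assumptions.
SAMPLE = """\
; constructed sample, not a real guard_tap.ini
[TAP]
SSPI_NAME_LIMIT=25000
SSPI_NAME_TTL=120
SSPI_SESSION_TTL=0
TCP_ALIVE_MESSAGE=1
GLOBAL_SESSION_KEY=2
DB2_SSL_DRIVER_INSTALLED=1
DB2_EXIT_DRIVER_INSTALLED=1
"""

def parse_ini(text):
    """Map upper-cased KEY -> [(line_no, value)]; comments and [section] lines never match."""
    found = {}
    for no, line in enumerate(text.splitlines(), 1):
        m = re.match(r"\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$", line)
        if m:
            found.setdefault(m.group(1).upper(), []).append((no, m.group(2)))
    return found

def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    cfg, issues = parse_ini(text), []
    for key, (lo, hi) in RANGES.items():
        for no, val in cfg.get(key, []):
            if not (val.isdecimal() and lo <= int(val) <= hi):
                issues.append(f"line {no}: {key}={val} is outside {lo}-{hi}")
    for no, val in cfg.get("GLOBAL_SESSION_KEY", []):
        if val not in ("0", "1"):
            issues.append(f"line {no}: GLOBAL_SESSION_KEY={val} is not 0 or 1")
    for no, _ in cfg.get("TCP_ALIVE_MESSAGE", []):
        issues.append(f"line {no}: TCP_ALIVE_MESSAGE is deprecated")
    # Db2 SSL: the notes set the SSL driver to 1 and the other two drivers to 0.
    if any(v == "1" for _, v in cfg.get("DB2_SSL_DRIVER_INSTALLED", [])):
        for key in ("DB2_EXIT_DRIVER_INSTALLED", "DB2_TAP_INSTALLED"):
            if {v for _, v in cfg.get(key, [])} != {"0"}:
                issues.append(f"{key} is not set to 0 while Db2 SSL is enabled")
    return issues

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```

A missing DB2_EXIT_DRIVER_INSTALLED or DB2_TAP_INSTALLED line is reported as well, because the notes say to set all three parameters explicitly.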

Installers with MD5Sums

MD5Sum File Name
2dfef49e61ad636c6ffeecfbf509fcad conf.reload.WINSTAP
ec27a848712e3e6aa7427b42ca20717e guard-WINSTAP-11.4_r110400447_1-x86_x64.gim
9a3a0e0b29e233f39868ee67b379743e guard-WINSTAP-guardium_11.4_r110400447_1-Windows-Server-Windows-x86_x64.exe.signed
0f7ba64e82462d8531a88889f36b4efa Windows-STAP-V11.4.0.447.zip


Document Information

Modified date:
07 August 2024

UID

ibm17158761