IBM Support

Release of Guardium Data Protection health check 12.0p9997

Release Notes


Abstract

This technical note provides guidance for installing IBM Security Guardium Data Protection health check patch 12.0p9997. It includes overview and description of all checks.

Content

Patch information
  • Patch file name: SqlGuard-12.0p9997.tgz.enc.sig
  • Patch date: Feb 06 2026
  • MD5 checksum: de27af692f57b738e50c829a4f1d6800
 
Finding the patch 
Make the following selections to locate this patch for download on the IBM Fix Central website:
 
  • Product selector: IBM Security Guardium
  • Installed version: 12.0
  • Platform: All
  • Click "Continue," select "Browse for fixes," and click "Continue" again.
  • Enter the patch information in the "Filter fix details" field to locate the patch
For information about Guardium patch types and naming conventions, see the Understanding Guardium patch types and patch names support document.
 
Prerequisite 
Guardium version 12.0
 
Overview

 

  • The purpose of the patch is to perform preliminary checks on the Guardium appliance before GPU or bundle installation to prevent issues during installation.
  • This patch can be installed more than once.
  • The health check generates a log file named health_check.<time_stamp>.log.
  • To view the log file:
    • View in GUI - "Health Check Log" report
      • Right click on the last installed health check and select "Health Check Log - Details" to see the details of each check
    • View in fileserver:
      • Type fileserver command in cli
      • Open the fileserver in web browser
      • Go to opt-ibm-guardium-log ->diag->current folder and open the most recent log file 
  • The log file will contain a status of each validation. 
    • In case any one of these validations has failed:
      • The status of the failed validation will start with an “ERROR:” prefix and the following message will appear at the end of the log file: Please send this log file and <file_name> file to support team.
      • Installed patch report will show the patch with status: ERROR: Patch Installation Failed
        • Review the details in this document to determine how to proceed. Guardium support can assist with any questions.
    • In case validation is completed with a warning:
      • The status of the failed validation will start with “WARNING:”, and the following message will appear at the end of the log file: Please send this log file and <file_name> file to support team. 
      • Installed patch report will show the patch with status: WARNING: Review health check log file.
        • Review the details in this document to determine how to proceed. Guardium support can assist with any questions.
    • If no problem was found:
      • The following message appears at the end of the log file: Appliance is ready for GPU installation/upgrade.
      • Installed patch report will show the patch with status: DONE: Patch installation Succeeded.
 
  • The list of checks will expand and is subject to change in future versions of health check. Always download the latest from fix central
 
Details of each check
 

Appliance Configuration Check

In case there is no issue with DB (used DB space is less than 80%) or disk space, the following messages appear in the output file:

  • There is NO issue with DB size
  • There is NO issue with disk space
In case DB used space is greater than 80%, the following message appears in the output file:

  • ERROR:DB is more than 80% full. Please reduce size of your DB and run Health Check again.

     

In case DB used space is between 50% and 80%, the following message appears in the output file:

  • WARNING:DB is more than 50% full. Please reduce size of your DB and run Health Check again.

     

In this case we do not fail the patch, but strongly recommend asking support to investigate the issue before GPU installation.
 
In case /var partition has less than 30G of free space, the following message appears in the output file:
  • ERROR:/var partition has less than 30G of free space.
In case / partition has less than 2.5G of free space, the following message appear in the output file:
  • ERROR: root partition has less than 2.5G of free space
In case there are old files in /boot partition that can be moved, the health check does it automatically and the following message appears in the output file:
  • Old initramfs files moved from /boot to /var/tmp/p9997_initramfs_files

 

 

 

 

 

After automatically moving files, in case /boot partition does not have enough space to start the upgrade, the following message appears in the output file:

 

  • ERROR: Not enough space in /boot. Contact Guardium support and attach support must_gather patch_install_issues and system_db_info.

 

Custom Query Check

In case customer has custom queries with the same name that are going to be added by GPU, the following message will appear in log file:
  • ERROR: Duplicate query names found.
In case no custom queries found with the same name that are going to be added by upgrade, the following message will appear in log file:
  • No duplicate queries found.
 

 

Drop obsolete columns

 

 

In order to prevent failure during insertion of analytic data collected from collector, an obsolete column AVG_EXECUTION_TIME should be dropped from the AGG_ANALYTIC_INPUT table in DATAMART DB.

 

 

In case the column is found, the following message will appear in log file:

 

 

  • Obsolete column DATAMART.AGG_ANALYTIC_INPUT.AVG_EXECUTION_TIME has been dropped.

     

In case the column was not found, the following message will appear in log file:

 

 

  • Obsolete column DATAMART.AGG_ANALYTIC_INPUT.AVG_EXECUTION_TIME was not found.
 

MySQL Table Corruption Check

In case there are any crashed tables found in the main databases, the following message will appear in the log file:

  • ERROR: Crashed tables have been found.

     

    • Guardium support should investigate the issue before GPU installation.

 

In case no crashed tables are found, the following message will appear in the log file:
  • No crashed tables found.
 

 

Check Hardware Version

 

 

To prevent failure of upgrade because of firmware version, we want to verify that current version of it will not cause upgrade issues.

 

 

In case when hardware is not 3550 M4 or 3550 M5 or SR630 (M6), patch will NOT fail and the following message will appear in the log file:
  • Hardware is not a recognized type. Skipping version check
In case hardware version need to be checked and the check passes, the patch will NOT fail and the following message will appear in the log:
  • <Hardware version info>. Hardware version check passed.
For each of the supported models/types, the health check verifies the following:
  • x3550 M5 – Type 8869/5463
    • DSA: >= 10.5
    • IMM2: >= 5.40
    • UEFI:  >= 3.11
  • SR630 (M6) – Type 7X02:
    • BMC/XCC: >= 4.20
    • LXPM: >= 1.90

    • UEFI:  >= 2.61

       

In case hardware version does not pass the verification, the patch will fail and the following message will appear in the log file:
  • ERROR: Hardware version check failed. Please apply the latest firmware patch from IBM Fix Central
 

Check Network Role

 

 

In order to prevent failure of upgrade because of wrong network configuration, the patch will verify rolemap file content

 

 

  • In case the appliance is built on cloud, this check is obsolete and the following message will appear in the log file: “No need to check rolemap for cloud appliance”

     

  • In case configuration is correct, the following message will appear in the log file: “No need to rebuild rolemap”

     

  • In case configuration is wrong but can be fixed by the patch, the following message will appear in the log file: "Rolemap was successfully rebuilt"

     

  • In case configuration is wrong and the patch can not fix it, the patch will fail and the following message will appear in the log file: "ERROR: Please escalate the issue to Guardium support for fixing network configurations" and the patch will fail to prevent GPU installation failure

     

 

Check for existing TURBINE_USER_GROUP_ROLE table

 

 

TURBINE_USER_GROUP_ROLE table may be missing due to previous database crash problems.

 

 

  • In case this table is missing, the following message will appear in the log file: “ERROR: TURBINE_USER_GROUP_ROLE table does not exist or is corrupted”. Guardium support should be contacted to correctly rebuild this table.

     

  • In case the table exists, no message will be written to the log file.
 
 

Check for Windows S-TAP and Enterprise Load Balancer compatibility

 

 

Enterprise Load Balancer (ELB) on v12.0 Central Manager (CM) is not compatible with Windows S-TAPS with versions:

 

 

  • v10.6, v11.0, v11.1, v11.2 – All versions

     

  • v11.4 – Before 11.4.0.267

  • v11.3 – Before 11.3.0.321

     

Windows S-TAP versions 11.3.0.321, 11.4.0.267 and all 11.5 and above are not affected. All other S-TAP types are not affected. Windows S-TAPs should be upgraded to the latest versions before upgrading CM.

 

 

In case ELB is active with Windows S-TAPS on affected versions, the following message will appear in log file on the CM only:

 

 

  • WARNING: Windows S-TAP versions not compatible with Enterprise Load Balancer found. Upgrade S-TAPs before upgrading appliances. Problem S-TAPs, versions and collector they report to can be found in elb_windows_stap_check.log.

     

In case ELB is not active, or Windows S-TAPs on affected versions not found, the following message will appear in log file on the CM only:

 

 

  • No issue with Windows S-TAP ELB compatibility.

     

If affected S-TAPs are found, elb_windows_stap_check.log is available from fileserver Sqlguard logs->diag->current folder. The log file lists all affected S-TAPs, their version and collector they report to.

 

Check for old guard parameter name

 

 

Guard parameter with name ‘cm_of_cms_hostname’ is no longer valid as it has been renamed.

 

 

In case the old parameter name is found on the appliance, it is removed and the following message will appear in the log file:

 

 

  • Old guard_parameter removed.

     

In case the old parameter was not found, no action is taken and no message appears in the log file.

 

 

 

 

 

Check for GIM certificates

 

 

It is not possible to push new GIM bundles in v12 if the GIM is using SHA1 certificates. The default certificate on v11 appliances was SHA1. It is possible to upgrade to v12 with SHA1 certificate, but after upgrade it must be updated to use custom SHA256.

 

 

In case no GIM clients are connected to this appliance, no action is needed, the following message will appear in log file:

 

 

  • No issue with GIM certificates - No GIM clients connected to this appliance.

     

In case GIM clients are connected but there is no issue with the certificates, the following message will appear in log file:

 

 

  • No issue with GIM certificates.

     

In case GIM clients are connected and GIM certificates using SHA1 are found, the following message will appear in log file:

 

 

  • WARNING: Non SHA256 GIM certificates found. To resolve install new SHA256 GIM certificates from cli.

     

To install custom GIM certificates see - https://www.ibm.com/docs/en/guardium/11.5?topic=management-creating-managing-custom-gim-certificates

 

 

For more information on SHA256 certifcate updates see - https://www.ibm.com/support/pages/updating-guardium-data-protection-gim-clients-sha256-certificates

 

Check for MySQL TMM or TMD files

 

 

In some cases MySQL temporary TMM or TMD files remain on the system unexpectedly. They can cause corrupted tables during patch installation. If they exist, health check p9997 moves them to a temporary location, which resolves the problem.

 

 

In case no TMM or TMD files exist, the following message will appear in the log file:

 

 

  • No issue with TMM or TMD files.

     

In case TMM or TMD files exist and are successfully cleaned up, the following message will appear in the log file, followed by a list of files moved:

 

 

  • TMM or TMD files moved to temporary location (/var/tmp/hc_tm_files). Files:

     

In case TMM or TMD files exist but there was a problem moving them, the following message will appear in the log file, followed by a list of files moved:

 

 

  • ERROR: TMM or TMD files found, but could not be moved. Contact Guardium support to resolve. Files:

     

In this case, further investigation will be required by Guardium support.

 

 

 

Check for cloud other than AWS appliance

 

 

Patch p15 will be blocked on cloud appliance other than AWS.
In case Health check identify the appliance as a cloud one but not AWS, it will end up with a WARNING status and the following message in the log file:

 

 

  • INFORMATION: Patch v12.0p15 will be blocked in a Cloud Environment other than AWS.

 

Check for old empty partitions

 

 

Cloud appliances can contain old empty database partitions between the template creation and current date. Old partitions might affect patch installations or aggregation processes performance. If Health check find such partitions 100 days older than retention period, it will fail with the following message in the log:

 

 

  • ERROR: Old empty partitions where found that will affect patches installation performance.

     

Installation of support ad hoc patch SqlGuard-12.0p1107.tgz.enc.sig provided by Guardium support team should drop these old partitions. Support can check the internal section of this technote for patch location.

 

Check for wrong rule action parameter ids
 
There might be wrong ids in RULE_ACTION_PARAMETER caused by not properly set AUTO_INCREMENT value, which might cause duplicate errors during patch installation.
In case auto increment values is wrong, the patch will update auto increment to a proper value and the following message appears in the log:
 
  • AUTO_INCREMENT was altered for RULE_ACTION_PARAMETER table
In case wrong ids found in the table, the patch will perform the required update and the following message appears in the log:
 
  • RULE_ACTION_PARAMETER_IDs have been updated
In case auto increment and id values are correct, the following message appears in the log:
 
  • No Issue with RULE_ACTION_PARAMETER_ID found.
In any of the above scenarios no additional actions are required by the user.

 

 

 

 

Check for GUI pages availability when installing bundle p20 or higher on CM

Installing bundle 12.0p20 and above on CM will cause many pages in the MUs GUI to be inaccessible if the MU is below p20. Action is required before installing bundle on the CM to ensure all GUI pages are accessible on MU without interruption.

Ad-hoc patch 12.0p1008 should be installed on all units before installing p20 or higher on the CM. If MUs are on p20 or higher, no action is required. For more details see: https://www.ibm.com/support/pages/node/7169627 

In case appliance is below p20 and does not have p1008 installed, the following message appears in the log:

  • WARNING: After installing bundle 12.0p20 or higher on the CM, some MU GUI pages will not be accessible. To resolve, install 12.0p1008 on all appliances before installing bundle p20 or higher on CM.

Otherwise, the following message appears in the log:

  • No issue with MU GUI pages availability

 

Check for incompatible bind rpm issue

12.0p25 and above install an rpm that is not compatible with 12.0p100. To install 12.0p100, 12.0p9981 must be installed first to resolve the rpm issue. p9981 is available on fix central.

In case the incompatible rpm is found, the following message appears in the log:

  • ERROR for p100: Incompatible bind rpm found. Install 12.0p9981 to resolve
12.0p100 install will be blocked, but future 12.0 bundles will not.
 
In case the incompatible rpm is not found, the following message appears in the log:
 
  • No issue with incompatible bind rpm
  •  
Check for patch certificate overwriting by older bundle
If older patch signing certificate update e.g. 12.0p1005 was installed, action is required before installing bundles before p25. Older bundles will overwrite the new patch certificate unless 12.0p1012 is installed first.
It is recommended to always install the latest bundles, however in some cases old bundle installation might be required.
If bundle p25 or later will be installed, no action is required from this check.
In case old bundle installation will overwrite new patch certs, the following message appears in the log:
  •  ERROR for bundles below 12.0p25: Install 12.0p1012 so patch certificate is updated after installing older bundle
In case old bundle installation will not overwrite new patch certs, the following message appears in the log:
  • No issue with patch certificate after old bundle install
Check for new patch signing certificate
Patch signing certificates for Guardium Data Protection appliances expire March 29th 2025 18.00 GMT. Action is required to ensure patch installation is not affected by the changes. Bundles starting with 12.0p35 are signed by the new certificate. To install p35 or higher, action is required, see the technote link below for how to resolve.
In case the patch signing certificate is not updated, the following message appears in the log:
  • ERROR for p35 and future bundles: New patch signing certificate is not found. See health check release notes for more information.
In case the patch signing certificate is updated, the following message appears in the log:
  • No issue with patch certificate
 
Check if FIPS mode is enabled
 
In case FIPS mode is enabled, the following message appears in the log:
  • WARNING: Some keys and certificates generated during install of 12.2 may not be FIPS 140-3 compliant
Check if there are any custom ANALYTIC CASE/SYMPTOM records
 
Some custom defined records might be deleted by GPU or Bundle lower than p200.
New check checks if such records exist and sore them aside on appliance. The following warning message will appear in Health Check Log report:
  • WARNING: $count records created by customer might be deleted by the next patch installation.
 
The following recommendation will appear in Health Check Log - Details report:
  • In order to restore deleted custom records, please ask Support to provide you patch SqlGuard-12.0p1129.tgz.enc.sig and install it AFTER GPU/Bundle installation.
Patch SqlGuard-12.0p1129.tgz.enc.sig will be supplied to customer per request by Guardium Support team.
The issue is not relevant after p200 or higher is installed.
 
 

Check for incompatible rpms issue

12.0p45 and above install an rpm that is not compatible with 12.0p100. To install 12.0p100, 12.0p9981 must be installed first to resolve the rpm issue. p9981 is available on fix central.

In case the incompatible rpms are found, the following message appears in the log:

  • ERROR for p100: Incompatible rpms found. Install 12.0p9981 to resolve
12.0p100 install will be blocked, but future 12.0 bundles will not.
 
In case the incompatible rpms are not found, the following message appears in the log:
 
  • No issue with incompatible rpms

Check for failed dependencies issue

12.0p15, 12.0p115 and above install dependencies required for 12.0p200.  

In case the failed dependencies are found, the following message appears in the log:

  • ERROR for p200: Bundle 15 or higher required for 12.0.
  • ERROR for p200: Bundle 115 or higher required for 12.1.
12.0p200 install will be blocked, but future 12.0 bundles will not.
 
 

Check for incompatible grub2 EFI rpms issue

In the case of  incompatible grub2 EFI RPMs, 12.0p7125 must be installed instead of 12.0p125. p7125 is available on fix central.

In case the incompatible grub2 EFI RPMs are found, the following message appears in the log:

  • ERROR for 12.0p125: Please install 12.0p7125 instead.
 

Check for snif patch, v12.0 bundle issue for GPU 200

 

In the case old guardium-rds package is found, the following message appears in the log:

  • ERROR for p200: You need to reinstall the current snif patch or install a newer one.
12.0p200 install will be blocked, but future 12.0 bundles will not.
 

[{"Type":"MASTER","Line of Business":{"code":"LOB76","label":"Data Platform"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSMPHH","label":"IBM Security Guardium"},"ARM Category":[{"code":"a8m0z000000Gp0NAAS","label":"INSTALL UPGRADE MIGRATION"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"12.0.0"}]

Document Information

Modified date:
06 March 2026

UID

ibm17160183

Page Feedback