IBM Guardium - Patch signing certificate set to expire in March 2025

Content

• Guardium appliance patches are signed by an internal certificate to validate that the patch is created by Guardium
• The certificate is validated when the patch is uploaded to a unit

• The current patch signing certificate will expire on March 29th 2025 18.00 GMT
• Appliance patches released starting in Q1 2025 will be signed by a new updated certificate

• Action is required on version 10.6, 11.x and 12.0 appliances before installing a patch signed by the new updated certificate
  • Appliances on 12.1 are not affected, no actions are required
    • See "Additional note for 12.1" section below
• Appliances must be prepared to install patches signed by the new certificate by installing an ad-hoc or bundle patch with the fix
  • The fix allows patches signed by old or new certificate to be installed
• Ad-hoc patches
  • Ad-hoc patches are dependent on the appliance major version and can be installed on any bundle or GPU

  • Major version	Patch number	Patch file
    v12	12.0p1012	Fix central link
    v11	11.0p1057	Fix central link
    v10.6	10.0p1044	Fix central link

  • Previous ad-hoc patches 12.0p1005 or 11.0p1050 apply the fix, but it is overwritten if a bundle older than those listed in "Bundle patches" section is installed after that ad-hoc.
    • If 12.0p1005 or 11.0p1050 are already installed on the system:
      • If an older bundle will not be installed - No action required
      • If an older bundle will be installed - Install current ad-hoc 12.0p1012 or 11.0p1057 before or after installing the older bundle and before March 29th 2025
      • If current ad-hoc 12.0p1012 or 11.0p1057 is installed - No action required
      • "Older bundle" is a bundle with number lower than those listed in "Bundle patches" section
• Bundle patches
  • Patches listed in the table are the first bundle with the fix, all future bundles also contain the fix.

  • Appliance version	Bundle number	Patch file
    12.0	12.0p25	Fix central link
    11.5	11.0p550	Fix central link
    11.4	11.0p492	Fix central link

    • After installing the bundle patch with the fix, the ad-hoc patch for that version is added to the installed patches list. For example after installing 11.0p550, 11.0p1050 is also listed:

      • appliance.ibm.com> show system patch installed
        P#      Who       Description                     Request Time         Status
        500     CLI       Guardium Patch Update (GPU) for 2024-09-13 15:58:21  DONE: Patch installation Succeeded.
        9997    CLI       Health Check for GPU installati 2024-09-13 17:42:05  DONE: Patch installation Succeeded. 
        1050    CLI       Patch Signing Update            2024-09-17 06:35:55  DONE: Installation Successful.
        550     CLI       Update Bundle for GPU 500 (Sep  2024-09-17 06:35:55  DONE: Patch installation Succeeded.

• If the ad-hoc patch number with the fix is successfully installed, that validates the certificate was updated
  • Reminder - If bundle with the fix was installed, it also adds the ad-hoc number in the patch list
• The patch signing certificate does not appear in output of cli 'show certificate summary'
• Additional validation is not required, but is possible
• Additional validation steps if needed:
  1. Download the patch zip for the required Guardium version (Download from this technote, the patches are not on fix central):

     • Appliance version	Patch number	Patch file name	Patch zip file	Patch file md5sum
       v10	10.0p1245	SqlGuard-10.0p1245.tgz.enc.sig	SqlGuard-10.0p1245_0.zip	fcb744d45ba3337f373a8b2e2c366f83
       v11	11.0p1307	SqlGuard-11.0p1307.tgz.enc.sig	SqlGuard-11.0p1307.zip	c28aff689dfd2ad5bf9835ee09e809be
       v12	12.0p1121	SqlGuard-12.0p1121.tgz.enc.sig	SqlGuard-12.0p1121.zip	23d19e6e3df2ead6116f00e762c76295
  2. Extract the patch file from the zip file
  3. Install on appliances to validate
     • The patches do not make any change, they check the existing patch signing certificate on the appliance where they are installed
     • The expiry date of the certificate is shown in the validation patch description
     • If the certificate is updated, the patch status is successful
     • If the certificate is not updated, the patch status is WARNING
     • Expected result on appliance with updated certificate

       • appliance2.ibm.com> show system patch installed
         P#    Who    Description                   Request Time        Status
         1307  CLI    Expiry - Aug 6 20:52:20 2034  2024-11-21 15:53:01 DONE: Patch installation Succeeded.

     • Expected result on appliance without updated certificated

       • appliance3.ibm.com> show system patch installed
         P#    Who     Description                    Request Time        Status
         1307  CLI     Expiry - Mar 29 18:00:22 2025  2024-11-21 15:55:35 WARNING: Patch certificate not updated

         • For v10 appliances below 10.0p699 without updated certificate, patch status will show ERROR: Patch Installation Failed
  4. On any appliance where the validation patch is in warning or failed state:
     • Confirm whether the ad-hoc with the fix is successfully installed
       • If no, re-install ad-hoc with the fix on that unit, then re-install the validation patch
       • If yes, collect support must_gather patch_install issues from that unit and contact Guardium support

• Guardium system backup and restore
  • Restoring a backup taken before expiry date on appliance after expiry date - The patch certificate on current appliance will not be overwritten
• OVA images and VM snapshots 
  • It is recommended to apply fix and create new snapshots/OVAs before expiry date
  • If appliances are built from old OVAs or snapshots that do not contain the fix, patch install will not work after the expiry date
    • In this scenario, to allow patch install follow steps in "What to do after March 29th 2025"

• ISOs and cloud appliance images will be re-released with the fix
  • ISOs on passport advantage with the fix end in "REV2". For example - Security_Guardium_Product_Image_V12.0_DVD_REV2.iso
• GPUs and upgrade patches will be re-released, signed by the updated certificate and containing the fix
  • GPUs were re-released on 3/28/2025: 11.0p400, 11.0p500, 12.0p100
  • Upgrade patches were re-released on 3/28/2025: 10.0p11002, 11.0p12001
• Critical ad-hoc patches will be re-released, signed by the updated certificate
• This technote will be updated with details of new images and patches

•  If the fix was already applied, no further action is required
• If the fix was not applied, it will not be possible to install patches on the system until further action is taken
  • No other functionality will be affected, only patch installation
• To resolve the issue:
  1. On the central manager (CM) or standalone unit, stop GUI
     • Cli - stop gui
     • Cli - stop inspection-core (Command to be executed on MU or standalone appliance)
  2. Disable any ntp or time server that would prevent setting system clock back
     • v11 cli - store system ntp state off 
     • v12 cli - store system time_server state off
  3. Set the system clock back to before the expiry date, for example:
     • Cli - store system clock datetime 2025-03-28 12:00:00
  4. Upload and install ad-hoc patch on the CM (or standalone appliance):

     • Appliance Version	Patch number	Patch file name	Patch zip file	Patch file md5sum
       v12	12.0p1112	SqlGuard-12.0p1112.tgz.enc.sig	SqlGuard-12.0p1112.zip	9ec1e7473c6054eb3e4bc9bb3a5e8b8f
       v11	11.0p1299	SqlGuard-11.0p1299.tgz.enc.sig	SqlGuard-11.0p1299.zip	b24e31332ad69b9570675c92d694e7a5
     • The ad-hoc patch applies the fix on the CM, then connects to online managed units (MU) to apply the fix there
     • After installing on CM, the installed patches list on the CM and MUs will contain 11.0p1057 or 12.0p1012 if the fix was successfully applied
  5. Reset the system clock and ntp or time server on the CM (or standalone appliance)
  6. Cli - restart gui
  7. Cli - start inspection-core (Command to be executed on MU or standalone appliance)
• If an MU is offline when the patch is installed on the CM, 11.0p1057 or 12.0p1012 will not appear in its list of patches. In this case, follow above steps directly on that MU or push 12.0p1112 or 11.0p1299 from CM to the MU when it is back online
• If an appliance is standalone. In this case, follow above steps directly on that appliance.
• Contact Guardium support if there are questions or problems with this method