Release Notes
Abstract
This technical note provides guidance for installing IBM Guardium Data Protection Windows Agents 12.0.0.259, including any new features or enhancements, resolved or known issues, or notices associated with the patch.
Content
Patch information
| Product: | IBM Guardium |
|---|---|
| Release version: | Guardium 12.0 Windows Software TAP (S-TAP) |
| Completion date: | 15 November 2024 |
Fix IDs
Guardium_12.0.0.259_S-TAP_Windows
Finding the patch
- Select the following options to download this patch on the IBM Fix Central website and click Continue.
  - Product selector: IBM Security Guardium
  - Installed Version: 12.0
  - Platform: Windows
- On the "Identify fixes" page, select Browse for fixes and click Continue.
- On the "Select fixes" page, select Database Agent (STAP, GIM and CAS). Then, enter the patch information in the Filter fix details field to locate the patch.
When to reboot after installing or upgrading to Guardium 12.0 Windows S-TAP
- A fresh install of Guardium 12.0 does not require a reboot.
- When you upgrade between versions, you must reboot the database server to update the NmpProxy driver. If there are no issues with your current NmpProxy functionality, you can delay the reboot until the next maintenance cycle. No fixes will be applied to the NmpProxy driver until a server reboot is completed.
- IBM strongly recommends that you do not use the following builds as they contain instabilities that can lead to system failure. Uninstall these builds and reboot before you install S-TAP 12.0. For all other builds, you can upgrade as usual.
  - 11.4.0.168 through 11.4.0.204
  - 11.3.0.257 through 11.3.0.287
For more information, see Windows: When to restart or reboot the database server after installing or upgrading S-TAP.
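The reboot and uninstall rules above can be applied across an inventory of database servers before scheduling upgrades. The following is an added example, not IBM code; the function name, server names and sample versions are constructed for illustration.

```powershell
# Added example (not IBM code): classify servers by installed S-TAP build.
# Ranges are the builds these notes say to uninstall before installing 12.0.
$UnstableRanges = @(
    @{ From = [version]'11.4.0.168'; To = [version]'11.4.0.204' },
    @{ From = [version]'11.3.0.257'; To = [version]'11.3.0.287' }
)

function Get-StapUpgradeAction {
    param([string]$InstalledVersion)   # empty = S-TAP not installed

    if ([string]::IsNullOrWhiteSpace($InstalledVersion)) {
        return 'Fresh install: no reboot required'
    }
    # [version] compares each field numerically; a plain string compare
    # would wrongly sort 11.4.0.99 after 11.4.0.168.
    $v = [version]$InstalledVersion
    foreach ($r in $UnstableRanges) {
        if ($v -ge $r.From -and $v -le $r.To) {
            return 'Unstable build: uninstall and reboot before installing 12.0'
        }
    }
    return 'Upgrade as usual: reboot to update the NmpProxy driver'
}

# Constructed inventory; server names and versions are sample values.
$inventory = @(
    [pscustomobject]@{ Server = 'db01'; Version = '11.4.0.170' },
    [pscustomobject]@{ Server = 'db02'; Version = '11.4.0.99'  },
    [pscustomobject]@{ Server = 'db03'; Version = '11.3.0.287' },
    [pscustomobject]@{ Server = 'db04'; Version = ''           }
)

$inventory | Select-Object Server, Version,
    @{ Name = 'Action'; Expression = { Get-StapUpgradeAction $_.Version } }
```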
Deprecated support and functionality
Microsoft Windows Server 2012 and 2012 R2
Windows Server 2012 and 2012 R2 reached end of support by Microsoft on 10 October 2023 and no longer receive security updates. For this reason, as of 31 March 2024, Guardium no longer maintains support for these operating systems. For more information, see IBM Guardium support discontinuance notification for Microsoft Windows Server version 2012 and 2012 R2.
Microsoft SQL Server 2012
Guardium no longer supports Microsoft SQL Server 2012 as of 12 July 2022. For more information, see IBM Guardium support discontinuance notification for Microsoft SQL Server version 2008 and 2012.
New support and functionality
New database support
Oracle Database 23ai on Windows 23.4.0.24.05
New features and enhancements
Dropped packet count
S-TAP can handle large loads of database traffic but is not immune to buffer overflows. When data packets are dropped, S-TAP keeps a count of these to better inform users about the state of their Guardium environment.
For more information, see Windows: S-TAP statistics
Extended session key
A new randomly generated 32-bit Extended Session Key (ESK) has been added to the S-TAP v7 protocol to uniquely identify each database session, so that sessions carry over correctly during failover events. The GlobalSessionKey configuration parameter has been added to signal the Guardium appliance to enable or disable the use of ESKs.
New parameter details
Guard_tap.ini: GLOBAL_SESSION_KEY
GIM: WINSTAP_GLOBAL_SESSION_KEY
Default value: 0
Description: This parameter toggles the use of extended session keys for unique session identification. 0=disabled, 1=enabled.
Improved failover functionality
S-TAP now comes with significant improvements in failover performance, ensuring that data integrity is preserved when data fails over to another configured collector.
Must Gather 3.1
As with previous versions, Must Gather continues to aid customers and support teams in troubleshooting issues by gathering and uploading debugging information. Version 3.1 adds a parsing option delivered by a new PowerShell script that aggregates important information from many files into a simple summary. For more information, see Must Gather for Windows S-TAP and other Windows agents.
Known issues and workarounds
| Issue key | Description |
|---|---|
| GRD-44569 | Injected DLLs have been updated to allow easy loading and unloading from the system. This change does mean that the following configuration steps are required when upgrading from any 11.3 version or older. |
| GRD-54373 | When upgrading, S-TAP stops capturing traffic for open sessions. Data for these sessions may be lost. Best practice: Schedule upgrades during low-traffic hours. |
| GRD-73165 | You may see messages such as "AD_Mssql: <Line too big to fit in log>" displayed in Stap.ctl for Auto-Discovery when the registry path plus the main message body do not fit into the message limit. |
Resolved issues
| Issue key | Summary | Known issue (APAR) |
|---|---|---|
| GRD-68423 | Moved matching of login packets to Kerberos authenticated sessions from SQL Server into S-TAP to reduce occurrence of missing DB_USER and support TDS 7.0. New parameters are introduced in guard_tap.ini and GIM as follows:<br>SSPI_NAME_LIMIT: Default value: 10000. Value range: 500-20000. Description: The maximum number of SSPI names that the correlators can store in the S-TAP at any one time. Any names over this limit are dropped.<br>SSPI_NAME_TTL: Default value: 120. Value range: 5-300. Description: The number of seconds that an SSPI name is stored in the S-TAP. Names that linger beyond this time interval are dropped.<br>SSPI_SESSION_TTL: Default value: 60. Value range: 1-300. Description: The number of seconds that login packets wait for a Kerberos name to arrive for it. Login packets that linger beyond this time are released to the collector.<br>SSPI_SESSION_MEMORY: Default value: 40. Value range: 1-1024. Description: The amount of memory, in MB, that can be used to buffer traffic while waiting for Kerberos names to be delivered for active sessions.<br>The default value for the following parameter was NOT updated in this release and remains as follows.<br>CORRELATION_TIMEOUT: Default value: 300. Guardium recommends using a value of 120 for average use. | DT249854 |
| GRD-71840 | A new regex option for regular expressions allows you to specify the length of the database column to redact. This feature helps ensure that the correct data is scrubbed. For more information, see REDACT - Working with regex on Windows DB servers. | DT249854 |
| GRD-72932 | Replaced memcpy with memmove to avoid nonsense DB_USER values. | DT249848 |
| GRD-73574 | Fixed an issue with Guardium db2 Exit DLL freeing a pointer twice, when stopping the S-TAP service. | DT244227 |
| GRD-76256 | Fixed inconsistent raw pointer and shared pointer when failover happens using protocol 7 and PARTICIPATE_IN_LOAD_BALANCING=1. | DT249830 |
| GRD-76337 | Expanded the scope of the redact functionality to incorporate non-printable Unicode. | DT255187 |
| GRD-76964 | Fixed excessive display of Event ID 5156 "The Windows Filtering Platform has permitted a connection" in event viewer | DT256988 |
| GRD-77451 | Fixed a potential server instability caused by Correlator.sys | DT259462 |
| GRD-78380 | Fixed an issue where S-TAP service would not start when configured with V8 and IBM Common Inventory Technology (CIT) tool is installed on the server. | DT259582 |
| GRD-80188 | Restored functionality to GIM parameter WINSTAP_ENABLEGAM such that the GAM service is fully disabled when WINSTAP_ENABLEGAM=0. | DT365798 |
| GRD-80264 | Removed the deprecated parameter TCP_ALIVE_MESSAGE from guard_tap.ini | DT395103 |
| GRD-80324 | Fixed a server instability caused by the NmpProxy driver. | DT378640 |
| GRD-82128 | Added quotation marks around the uninstall path string when the path has spaces included. | DT395053 |
| GRD-83046 | Fixed a server instability caused by the NmpProxy driver. | DT396544 |
| GRD-84608 | Fixed an S-TAP instability when using protocol 8 and DB-TYPE value is specified in lowercase | DT395969 |
| GRD-85678 | Added GUARDIUM_CA_PATH and SQLGUARD_CERT_CN parameters to guard_tap.ini and GIM setup by client. | DT416618 |
| GRD-88033 | Added separate event handles to notify S-TAP when 64-bit and 32-bit database processes start | DT416655 |
| GRD-88200 | Fixed an instability in Microsoft SQL Server instance due to the Correlator Proxy dynamic-link library (DLL). You must reboot the database server to update the Correlator Proxy DLL. | DT398828 |
| GRD-89330 | Added check for out-of-bound memory violations when reading and writing the failoverinfo.dtx file, containing session failover information. | DT416535 |
| GRD-89466 | Prevent S-TAP instability by ignoring empty traffic messages. |
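After an upgrade, guard_tap.ini can be audited against the parameter ranges these notes document (GLOBAL_SESSION_KEY and the SSPI_* settings) and for the removed TCP_ALIVE_MESSAGE entry. The following is an added example, not IBM code; it assumes one KEY=VALUE pair per line, and the function name and sample file content are constructed.

```powershell
# Added example (not IBM code). Ranges are the ones documented on this page.
$Rules = @{
    GLOBAL_SESSION_KEY  = @{ Min = 0;   Max = 1 }
    SSPI_NAME_LIMIT     = @{ Min = 500; Max = 20000 }
    SSPI_NAME_TTL       = @{ Min = 5;   Max = 300 }
    SSPI_SESSION_TTL    = @{ Min = 1;   Max = 300 }
    SSPI_SESSION_MEMORY = @{ Min = 1;   Max = 1024 }
}
$Removed = @('TCP_ALIVE_MESSAGE')   # dropped from guard_tap.ini by GRD-80264

function Test-GuardTapIni {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Assumption: one KEY=VALUE per line; section headers and comments are skipped.
        if ($line -notmatch '^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$') { continue }
        $key = $Matches[1].ToUpper()
        $value = $Matches[2]
        $finding = $null
        if ($Removed -contains $key) {
            $finding = 'parameter removed in this release'
        }
        elseif ($Rules.ContainsKey($key)) {
            $rule = $Rules[$key]
            $n = 0
            if (-not [int]::TryParse($value, [ref]$n)) {
                $finding = 'not an integer'
            }
            elseif ($n -lt $rule.Min -or $n -gt $rule.Max) {
                $finding = "outside documented range $($rule.Min)-$($rule.Max)"
            }
        }
        if ($finding) {
            [pscustomobject]@{ Key = $key; Value = $value; Finding = $finding }
        }
    }
}

# Constructed sample file content, not taken from a real server.
$sample = @'
[TAP]
GLOBAL_SESSION_KEY=1
SSPI_NAME_LIMIT=25000
SSPI_NAME_TTL=120
SSPI_SESSION_TTL=0
TCP_ALIVE_MESSAGE=5
'@ -split "`r?`n"

Test-GuardTapIni -Lines $sample | Format-Table -AutoSize
```

To audit a real file, pass its lines with `Get-Content` instead of the constructed sample.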
Installers with MD5Sums
| MD5Sum | File Name |
|---|---|
| 0b863a9134c8431609d2cc1e851f2ed6 | Windows-STAP-V12.0.0.259.zip |
| 04ecb3065239d378f25b21d20a888a17 | conf.reload.WINSTAP |
| 8e1ed6162f8c619bf89ea4947f090703 | guard-WINSTAP-12.0_r120000259_1-x86_x64.gim |
| 55d1e3f07aca853a55281634db71175f | guard-WINSTAP-guardium_12.0_r120000259_1-Windows-Server-Windows-x86_x64.exe.signed |
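Downloaded installers can be compared against the published sums before they are staged for deployment. The following is an added example, not IBM code; the function name and the download directory are hypothetical, and the hash values are copied from the table above.

```powershell
# Added example (not IBM code): compare downloaded files with the MD5 sums
# published in these release notes.
$Published = @{
    'Windows-STAP-V12.0.0.259.zip'                = '0b863a9134c8431609d2cc1e851f2ed6'
    'conf.reload.WINSTAP'                         = '04ecb3065239d378f25b21d20a888a17'
    'guard-WINSTAP-12.0_r120000259_1-x86_x64.gim' = '8e1ed6162f8c619bf89ea4947f090703'
    'guard-WINSTAP-guardium_12.0_r120000259_1-Windows-Server-Windows-x86_x64.exe.signed' = '55d1e3f07aca853a55281634db71175f'
}

function Test-InstallerHashes {
    param([string]$Directory = '.')
    foreach ($name in $Published.Keys) {
        $path = Join-Path $Directory $name
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            # File was not downloaded (or was renamed); report it rather than fail.
            [pscustomobject]@{ File = $name; Status = 'Missing'; Actual = $null }
            continue
        }
        # Get-FileHash returns upper-case hex; -eq compares case-insensitively.
        $actual = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash
        $status = if ($actual -eq $Published[$name]) { 'Match' } else { 'MISMATCH' }
        [pscustomobject]@{ File = $name; Status = $status; Actual = $actual.ToLower() }
    }
}

# Hypothetical download directory; adjust to where the Fix Central files were saved.
Test-InstallerHashes -Directory 'C:\Temp\guardium-12.0.0.259' | Format-Table -AutoSize
```

Any row reported as MISMATCH should be downloaded again and rechecked before installation.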
Related Guardium updates
- Guardium Data Protection Windows CAS 12.0.0.259 (see release notes)
- Guardium Data Protection Windows FAM Monitor 12.0.0.259 (see release notes)
- Guardium Data Protection Windows GIM 12.0.0.259 (see release notes)
Document Information
Modified date: 21 July 2025
UID: ibm17175573