Release of Guardium Data Protection patch 11.0p560

Release Notes

Abstract

This technical note provides guidance for installing IBM Guardium Data Protection patch 11.0p560, including any new features or enhancements, resolved or known issues, or notices associated with the patch.

Content

Patch information

Patch file name: SqlGuard-11.0p560_Bundle_Feb_19_2025.tgz.enc.sig
MD5 checksum: ecc07f2c3ba73b5be757aa0152f94365

Finding the patch

Select the following options to download this patch on the IBM Fix Central website and click Continue.
- Product selector: IBM Security Guardium
- Installed version: 11.5
- Platform: All
On the "Identify fixes" page, select Browse for fixes and click Continue.
On the "Select fixes" page, select Appliance Patch (GPU and Ad-Hoc). Then, enter the patch information in the Filter fix details field to locate the patch.

For information about Guardium patch types and naming conventions, see the Understanding Guardium patch types and patch names support document.

Prerequisites

Guardium 11.0p500 (see release note)
The latest Guardium health check patch 11.0p9997
The latest Guardium patch signing certificate on your Guardium appliance. For more information, see IBM Guardium - Patch signing certificate set to expire in March 2025.

Installation

Notes:

This patch is an appliance bundle that includes fixes for version 11.5.
This patch is cumulative and includes all the fixes from previously released patches.
This patch restarts the Guardium system.
Do not reboot the appliance while the patch install is in progress. Contact IBM Support if there is an issue with patch installation.
When changing the password of CLI and guardcli users in the Guardium command line interface, a password strength warning appears even when strong passwords are not enabled. To remove the strong password checks, execute the CLI command store user strong_password disable.
If you have single sign-on enabled and are upgrading from below 11.0p530, you must re-download metadata from the upgraded central manager and apply it on the identity provider.

Overview:

Download the patch and extract the compressed package outside the Guardium system.
Be sure to check the latest version of this patch release note online just before you install this patch.
Pick a "quiet" or low-traffic time to install the patch on the Guardium system.
Apply the latest health check patch.
Install patches in a top-down manner on all Guardium systems: start with the central manager, then aggregators, then the collectors.
Apply the latest quarterly DPS patch and rapid response DPS patch even if these patches were applied before the upgrade.

For information about installing patches, see How to install patches in the Guardium documentation.

Attention

Guardium appliance bundle upgrade time extended due to MySQL tables conversion

Following MySQL support requirements, most tables are converted from MyISAM to InnoDB starting with Guardium appliance bundle versions 11.0p550 and later, and versions 12.0p25 and later. Due to the large size of some tables, which are mostly static tables, the conversion might consume more time than usual during an appliance bundle upgrade. Note: Do not cancel the patch installation process. If you have any concerns, contact IBM Support.

For more information, see Guardium appliance bundle upgrade time extended due to MySQL tables conversion.

Guardium sniffer certification expires on 3 March 2025
The current sniffer default certificate will expire on 3 March 2025 and you must install a Guardium appliance patch to renew the certificate. For Guardium 11.5 systems, appliance bundle patch 11.0p545 or later provides an updated certificate. For more information, see IBM Guardium sniffer certification expires March 2025.

Guardium patch signing certificate expires on 29 March 2025

The current patch signing certificate for Guardium appliance patches will expire on 29 March 2025. Guardium appliance patches are signed by an internal certificate to validate that the patch is created by Guardium. Unsigned patch files cannot be installed.

This patch, 11.0p560, is signed by the new patch signing certificate. Therefore, to install this patch, the patch signing certificate on your Guardium appliance must first be updated by installing ad hoc patch 11.0p1057 (see release note), appliance bundle 11.0p550 (see release note), or appliance bundle 11.0p555 (see release note).

For Guardium 11.5 systems, appliance bundle patch 11.0p550 or later provides an updated certificate. For more information, see IBM Guardium - Patch signing certificate set to expire in March 2025.

IBM Db2 for z/OS JDBC driver update
In 11.0p560, the IBM Db2 for z/OS JDBC driver in Guardium Vulnerability Assessment is updated to support IBM Db2 13 for z/OS, which enables TLS 1.3 and other advantages. You might need to update your IBM Db2 JDBC license. If so, test your connection in a staging environment and contact the IBM Db2 Support team if licensing issues arise. For assistance, open a case at ibm.com/mysupport.

SHA256 GIM client certificates
After applying patch 11.0p530 or later, Guardium supports SHA256 Guardium Installation Manager (GIM) certificates. This has the following implications:

The default certificates could be either SHA256 or SHA128, depending on the GIM server certificate setup. Custom certificates that use SHA256 are more secure and are recommended for GIM connections. Note that GIM connectivity is not interrupted after applying this patch.
GIM only verifies bundles signed with SHA256 and requires installation of a transitional GIM bundle to support the GIM client change from SHA128 to SHA256.

For more information, see Updating Guardium Data Protection GIM clients with SHA256 certificates.

Microsoft certificates expired on 20 May 2024
Microsoft certificates (microsoftca1-4) expired on 20 May 2024. The following Guardium patches provide updated certificates:

11.3 systems that use patch 11.0p392 or later
11.4 systems that use patch 11.0p485 or later
11.5 systems that use patch 11.0p535 or later
12.0 systems that use patch 12.0p5 or later

Install the correct patch for your Guardium systems to use the updated certificates. For more information, see https://www.ibm.com/support/pages/node/7080145

Enhancements

This patch includes the following enhancements.

Issue key	Summary
GRD-80045	Configured time interval for healthy/unhealthy universal connector S-TAP host status duration
GRD-87883	IBM Db2 for z/OS JDBC driver update
GRD-88704	[Microsoft SQL Server] Record database offline and permission errors in classification process log
GRD-88790	Teradata gdmmonitor clarification for Guardium 11.4 and later
GRD-90552	Updated CLI command show certificate summary to list new patch signing certificates

Resolved issues

This patch resolves the following issues.

Patch	Issue key	Summary	Known issue (APAR)
11.0p555		See release note for patch 11.0p555	--
11.0p560	GRD-78772	Venafi: Guardium GUI certificate renewal error: "guardium Venafi retrieve script error 80333" trying to import Venafi certificate	DT389660
	GRD-80164	"show remotelog test" configured with facility.priority='all.all' only tests using facility.priority='daemon.info'	DT419678
	GRD-84662	When changing the password for the cli user after it has expired, the Guardium appliance forces to change the password twice instead of once	DT419649
	GRD-85772	Enterprise Load Balancer not relocating S-TAPs when collector database is getting full	DT419735
	GRD-86996	CLI: Unable to set Alerter SNMP traphost by using hostname	DT397016
	GRD-87121	SMTP subject/issuer verification failed	DT422295
	GRD-87129	High CPU usage on collector	DT420527
	GRD-87282	EMEA - GUI Showing version 2 SNMP But CLI and traffic in SNMPv3	DT400637
	GRD-87491	Error 'ORA-00942: table or view does not exist.' from Assessment Test ID 2374 'No Authorization To CREATE ANY LIBRARY Privilege'	DT419661
	GRD-87529	Add TUPLE_PARAMETERS table to translation	N/A
	GRD-87718	GUI certificate size still running in 1024 bites in central manager	DT422234
	GRD-87931	GRD- cannot overwrite snmp contact information	DT397399
	GRD-88120	Aggregator: Import/Export/Archive failing after bundle patch 545 with "Another aggregation process is currently running"	DT417651
	GRD-88259	reset-managed-cli command fails to reset the CLI password on all managed units	DT419826
	GRD-89153	Schedule job exception: PEStatusJob trigger: siGroup.PEStatusJobError caught executing job due to some runtime exception	DT419637
	GRD-89290	support reset_managed_cli command does not set chage for CLI user	DT409177
	GRD-89310	GUI login hangs in AWS cloud environment with central manager and managed units	DT419827
	GRD-89678	Guard Sender is correctly truncating records at 64k. Guard Sender now truncates syslog messages at sizes greater than 10k per the CLI command store remotelog max_message_size <1\|2\|3\|4\|5\|6> , where the numeric argument maps as follows: 1: 5k 2: 10k 3: 15k 4: 20k 5: 32k 6: 64k In instances where the syslog MaxMessageSize is greater than 10k, User Datagram Protocol (UDP) forwarders drop messages as limited by UDP frame size. Instead, you should configure Transmission Control Protocol (TCP) forwarders, which transfer large syslog messages as multiple packets. Regardless, the local syslog will successfully receive messages up to the maximum message size of 64k.	DT422048
	GRD-89693	Change how rsyslogd is started	N/A
	GRD-89881	Guardium FAM policy 'add another action' cannot be saved	DT419254
	GRD-90211	Unable to add new catalog archive entry on collector	DT421878
	GRD-90257	Some GUI operations, such as editing a report in Query-Report Builder, take several minutes to respond	DT418120
	GRD-90571	HealthAnalyzeJobError	DT421933
	GRD-90942	Scheduled Job Exception 'IP Alias creation: An error occurred java.util.IllegalFormatConversionException: d != java.lang.String' after version 12.1 upgrade	DT419702
	GRD-92308	Primary central manager failover policy installation verification change	DT421946
	GRD-93189	Multifactor authentication with Cisco Duo errors during configuration in Guardium GUI and CLI	DT422702

Security fixes

This patch contains the following security fixes.

Patch	Issue key	Summary	CVE
11.0p555		See release note for patch 11.0p555	--
11.0p560	GRD-83255	PSIRT: PVR0532570 - Java upgrade - Resolve issue with upgrade to Java 8.0-8.20	--
	GRD-88395	PSIRT: PVR0546593, PVR0533719, PVR0546701 - Multiple Spring vulnerabilities	CVE-2024-38808, CVE-2024-38809, CVE-2024-38816
	GRD-90223	RHEL7 - Red Hat update for linux-firmware (RHSA-2023:7513 RHSA-2024:0753)	CVE-2022-46329, CVE-2022-38076, CVE-2022-40964, CVE-2022-27635, CVE-2022-36351, CVE-2023-20593, CVE-2023-20569, CVE-2023-20592

Known issues

This patch contains the following known limitations.

Issue key	Summary
GRD-93195	If universal connector (UC) is started when the timeserver is in the process of being configured, the UC connections stop working. Workaround: After setting up a timeserver on your Guardium appliance, UC should be restarted.

[{"Type":"MASTER","Line of Business":{"code":"LOB76","label":"Data Platform"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSMPHH","label":"IBM Security Guardium"},"ARM Category":[{"code":"a8m3p000000PCTuAAO","label":"Platform\/Installation\/Deployment"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"11.5.0"}]

Tips

Release of Guardium Data Protection patch 11.0p560

Release Notes

Abstract

Content

Was this topic helpful?

Document Information

UID

Share your feedback

Need support?