Release Notes
Abstract
This technical note provides guidance for installing IBM Guardium Data Protection 12.2.1, including any new features or enhancements, resolved or known issues, or associated notices.
Content
On Passport Advantage, you can find the Guardium Product Image - ISO file, licenses, product keys, and manuals. You can download only the products that your site is entitled to. If you need assistance to find or download a product from the Passport Advantage site, contact the Passport Advantage team at 800-978-2246 (8:00 AM - 8:00 PM ET) or by email at paonline@us.ibm.com.
On Fix Central, you can find upgrades, Guardium Patch Update (GPU) files, individual patches, and the current versions of database agents, such as Software TAP (S-TAP) and Guardium Installation Manager (GIM). If you need assistance to find a product on Fix Central, contact IBM Support.
Install Guardium 12.2.1
Guardium 12.2.1 is available as an ISO product image on Passport Advantage. If the downloaded package is in .zip format, extract it outside of the Guardium appliance before you upload or install it. Review the latest version of these release notes just before you install. Install Guardium across all the appliances, such as the central manager, aggregators, and collectors. For detailed steps, see Installing your Guardium Data Protection system.
Before you upgrade, confirm that your appliance meets the minimum requirements. Upgrade your firmware to the latest versions provided by your vendor. If you use a Guardium appliance, check Fix Central for the latest firmware.
You can upgrade to Guardium 12.2.1 (GPU 12.0p210) from Guardium systems that are running on version 12.2.0 (GPU 12.0p200, see release note). The best approach for upgrading Guardium depends on the version you are upgrading from, the hardware of your system, and any special partitioning requirements you might have. See Identifying the correct upgrade path to review upgrade scenarios and identify the correct upgrade path for your Guardium systems. Review the latest version of these release notes just before you install.
Note: The Guardium system will restart during the upgrade process for all of the patch installations, so schedule the upgrades in batches during low database traffic times to minimize audit gaps. Do not reboot the appliance while the patch installations are in progress. Contact IBM Support if there is an issue with patch installation.
- Guardium Data Protection 12.2.0 (GPU 12.0p200, see release note)
- The latest Guardium Data Protection health check patch 12.0p9997
Feature licenses process
Guardium now uses a single-stream release model with quarterly feature updates. Previously, the Fix Central website provided only fixes, while Passport Advantage delivered new features. Going forward, updates are delivered both through Passport Advantage and Fix Central websites.
Features downloaded through Passport Advantage are automatically unlocked. However, any new feature downloaded from Fix Central must be unlocked. Regardless of where they are downloaded from, all features controlled by feature flags must be explicitly enabled in your environment before you can use them. This can be done by using the GuardAPI command enable_disable_feature_flag on the central manager.
This enhancement provides flexibility to organizations that want to apply fixes without automatically enabling new functionality.
To unlock a feature in a bundle downloaded from Fix Central, obtain the version-specific unlock file from Passport Advantage and apply the file on the central manager by using the GuardAPI command unlock_feature_flags.
You can see the list of features that are behind feature flags by using the GuardAPI command list_feature_flags.
In 12.2.1, the following features are behind feature flags: Edge Gateway, vulnerability management, and IBM Knowledge Catalog (IKC) integration to import group members.
For more information, see Applying feature flags.
Single stream agent releases
Starting with 12.2.1, most of the Linux-UNIX and Windows agents for Guardium Data Protection versions 12.0 and later are now released in a "single stream". Previously, each Guardium 12.x release (12.0, 12.1, and 12.2) had its own separate agent installers and patch packages. With the move to single-stream packaging, the agent binaries are unified into one continuous release line, so the same installation and upgrade package applies across multiple Guardium 12.x versions. This simplifies maintenance, reduces version divergence, and ensures consistent feature and fix availability across all supported 12.x environments.
File names starting with 12.x are now applicable to all current Guardium 12.x versions (12.0, 12.1, and 12.2), and future releases within the Guardium 12.x family. The single-stream packaging currently applies to the following agents:
- Guardium Configuration Auditing System (CAS)
- Guardium File Activity Monitor (FAM) for Windows
- Guardium Installation Manager (GIM)
- Guardium Software TAP (S-TAP)
With this change, customers no longer need to locate version-specific agent packages for each 12.x release. Installing the latest 12.x agent package will be supported across all 12.x collector and aggregator versions that meet the documented compatibility requirements.
Note: The single-stream packaging does not currently apply to External S-TAP agents.
Aggregator performance improvements
The Guardium aggregator now offers an optional application-level parallel processing framework to speed up report generation and reduce latency during concurrent workloads. It uses partition-aware routing and temporary staging tables to minimize data scans and optimize memory at runtime. No infrastructure changes are required, so your existing workflows remain uninterrupted.
Edge Gateway
Modernize your data collection with a new Kubernetes-based monitoring pipeline. The Edge Gateway is built for high performance and scalability, making it easy to monitor both on-premises and cloud environments while reducing appliance management. With seamless integration into existing Guardium aggregators, GDSC SaaS, and the new long-term retention feature, the Edge Gateway offers a modern alternative to Guardium collectors.
Long-term data retention
Store multiple years of audit data with our new user-managed option for long-term retention and reporting. Meet compliance requirements and control costs by using your own S3-compatible object storage. Easily manage and monitor storage with data lake and datamart extraction reports.
SOX ticket reconciliation
Maintain SOX compliance with greater efficiency and accuracy by using AI-powered automation to compare user activity logs with change tickets from systems like ServiceNow. Save thousands of annual compliance hours by reducing the need for manual, repetitive, and error-prone daily checks.
Vulnerability management hub
A new vulnerability management UI provides an alternative, vulnerability-centric focus and a more interactive experience for users. It takes the information contained in the View Results report and turns it into a unified, fluid experience, with progressive disclosure.
Certificates for Guardium Cryptography Manager (GCM)
A new Guardium API (get_certificates) is added that allows you to retrieve a list of certificates for your Guardium systems. You can also use the API to retrieve the certificates for all managed units, all units plus the central manager, individual units, or for the local host.
Change tracker certificate management
Two new CLI commands are added to enhance the change tracker certificate management functionality.
- show certificate stored: Lists certificate stores that are distributed by Guardium, displaying data from the CERTIFICATE_STORAGE_OBJECT_INFO table.
- show certificate exceptions: Lists certificates that are exempted from expiry by change-tracker, displaying data from the CERTIFICATE_MONITORING_EXCEPTION table.
CLI user management
The GuardAPI command change_cli_password is enhanced to support password updates for all CLI users, including the admin cli account and guardcli (guardcli1,...,guardcli9) accounts. You must have accessmgr privileges to access this command.
DHCP support for Virtual Machines
You can now enable Dynamic Host Configuration Protocol (DHCP) on virtual machines using the store network dhcp <on|off> CLI command for automated IP address assignment, simplified network management, and enhanced flexibility in virtual machine reconfiguration or redeployment.
Storage support for backup and restore
Support is added for backup and restore from S3-compatible storage. The previously supported ECS protocol now supports S3, and it has been renamed to S3 Compatible in Guardium user interfaces.
Universal connector
Universal connector (UC) fixes are now delivered in cumulative patches separate from Guardium Data Protection appliance bundle patches. When you install Guardium 12.2.1 (GPU 12.0p210), your UC will upgrade to what is included in the GPU only if the UC on the system where you are installing GPU 12.0p210 is older than the UC that is included in GPU 12.0p210.
- Preinstalled UC plug-ins for AlloyDB, Milvus, Singlestore, and Sybase.
- Additional UC plug-ins for configuration through the central manager workflow for AlloyDB, Dynamo over S3SQS, Dynamo over SQS, Microsoft SQL Server on prem over JDBC, Milvus, Oracle over pipe, SingleStore, and Snowflake over JDBC.
- CloudWatch-based Kafka connectors for Aurora PostgreSQL over Cloudwatch Logs and AWS PostgreSQL over Cloudwatch Logs.
- Java Database Connectivity (JDBC)-based Kafka connectors for Microsoft SQL Server on AWS, Microsoft SQL Server on Azure, SAP HANA, Sybase, and Teradata.
- AWS CloudWatch Kafka source connector.
Additional enhancements include API for bulk CSV upload, SSL connection with sniffer, mini_snif load balancing, and error handling for Logstash-based universal connectors to handle critical log errors.
For more information about new features and enhancements to the Configuration Auditing System (CAS), Guardium Installation Manager (GIM), File Activity Monitor (FAM) for Windows (FamMonitor), and Software TAP (S-TAP) agents, see their corresponding release notes:
- Linux-UNIX CAS 12.2.1.0 r122289
- Linux-UNIX GIM 12.2.1.0 r122289
- Linux-UNIX S-TAP 12.2.1.1 r123268
- Windows CAS 12.2.1.205
- Windows FamMonitor 12.2.1.205
- Windows GIM 12.2.1.205
- Windows S-TAP 12.2.1.205
The latest sniffer patch that is included in Guardium 12.2.1 is version 12.0p4015 (see release notes). Sniffer patches are cumulative; they contain all previous sniffer patches for that major version.
Operating systems
- Red Hat 10 x86_64
Activity Monitoring (DAM)
- MarkLogic 11.2.0 and v11.3.2
- HyperSQL 2.7.4
Linux-UNIX S-TAP
- MongoDB 8.2
- EDB Postgres 17.5
- Postgres 18.0
- Yugabyte 2025.1.0.1
- MariaDB 12.0.2
- Redis 7.22
Windows S-TAP
- PostgreSQL 18
- EDB Postgres 17.6
- MariaDB 12.0
- Mongo 8.2
Vulnerability Assessment
- Teradata 20
- Azure PostgreSQL Flexible Server / PaaS (All versions Azure Services)
- Azure MySQL Flexible Server / PaaS (All versions Azure Services)
Most supported platforms information is available in the Guardium Supported Datasources matrix. For all other supported platforms and system requirements information, including Vulnerability Assessment, platforms that are supported by External S-TAP, information about IBM i, and hardware or virtual machine requirements, see System Requirements for Guardium 12.2.1.
| Version | Issue key | Summary | APAR |
|---|---|---|---|
| 12.2 | | | |
| 12.2.1 | GRD-85637 | enable_disable_ip_restriction created ERR=2252 \|\| Unknown error | DT455249 |
| | GRD-95241 | Guardium STAP does not collect traffic for Oracle database configured with Oracle Unified Audit (OUA) | DT448770 |
| | GRD-101013 | Added support for kernel 6.4.0-150600.23.33-default.ppc64le | DT454880 |
| | GRD-101834 | Latest 12 bundles reinstall GIM and CAS default certs after the adhoc patch 12.1103 removes them. | DT443072 |
| | GRD-104989 | Fixed an issue where MongoDBv7.0.15 with ATAP enabled is not generating extrusion alerts | DT448174 |
| | GRD-105345 | Fixed a connection issue when balancing is in FAILOVER mode | DT448659 |
| | GRD-106406 | IBM Storage Protect Client installed on Guardium appliance contains libxmlutil library that is vulnerable to several CVEs | DT448724 |
| | GRD-106484 | Error "Unable to connect to UI Server. Verify that server is operational and try again" on the GUI screen attempting to update several datasources in bulk | DT448683 |
| | GRD-106974 | Consolidated Installer forces K-TAP install even when K-TAP is not required | DT450539 |
| | GRD-108319 | SMTP does not send email alert | DT454949 |
| | GRD-108524 | Option to configure rsyslogd to bypass writing to syslog | DT455404 |
| | GRD-109007 | Fixed an issue in S-TAP Named Pipes proxy driver potentially causing Remote Procedure Calls failures. For more information see Guardium Windows S-TAP 12.1.19.195, 12.0.1.295, 11.5.10.478 might cause Windows OS server unavailability with RDP access. | DT454370 |
| | GRD-109234 | System backup failed due to mysqldump: Error 1412: Table definition has changed, please retry transaction when dumping table 'MY_TEMP_SESSIONS' at row: 0 | DT452530 |
| | GRD-109472 | Update FAM_PROTECT_PRIVILEGED parameter | DT454289 |
| | GRD-110182 | Error "You do not have privileges to run this application" after importing classification policy | DT453176 |
| | GRD-110688 | Removed vulnerable OpenSSL binaries from GIM installation subject to CVE-2022-1292, CVE-2022-2068, CVE-2022-4450, CVE-2023-0215, CVE-2023-0286, CVE-2023-0464, CVE-2023-4807, CVE-2023-5363, CVE-2024-4741, CVE-2024-5535, and CVE-2024-6119 | DT454221 |
| | GRD-110754 | Solaris server becomes unstable when PARTICIPATE_IN_LOAD_BALANCING changed from 0 to 4 | DT455613 |
| | GRD-111136 | Investigation if WIN FAM causing file corruption | DT454079 |
| | GRD-111470 | PSIRT: PVR0679977 - Issue with Azure Marketplace image | N/A |
| | GRD-111904 | Utilities to manage certificates monitored for distribution | |
| | GRD-112239 | Removed vulnerable OpenSSL ssleay32.dll binary to address CVE-2024-5535 and CVE-2023-0464 | DT454210 |
| | GRD-113244 | Query performance improvement | DT455071 |
| | GRD-113649 | CVE-2025-9230 - Openssl in GAM directory | |
| Component | Issue key | Summary |
|---|---|---|
| Backup and archive | GRD-114741 | Backup and archive operations fail on MinIO or ECS when a custom bucket is configured. Workaround: For MinIO, create a new bucket name by updating the user policy to include the s3:CreateBucket permission. For ECS, if the backup/archive fails on the initial attempt, retry the action immediately. |
| Backup and restore | GRD-115916 | After you back up and restore to a 12.2.1 environment, opening a custom dashboard can trigger an error that prevents the dashboard from loading. Workaround: Open the affected dashboard in Edit mode and then save the dashboard. If it's still unsuccessful, go to Query-Report builder and fix the query definition. |
| Backup central manager | GRD-113662 | After switching to the backup central manager (CM) in version 12.2.1, the Kafka Cluster status turns red, indicating connection failures to Kafka brokers. Workaround: After switching to the backup CM, manually restart the Kafka Cluster and Kafka Cruise Control using the Kafka Cluster Management UI to restore the Kafka Cluster to a healthy state. |
| Datamarts | GRD-116115 | Guardium collectors currently do not support the creation of datamarts once and exporting them twice. This limitation means that Long-term retention (LTR) and the Guardium Data Security Center (GDSC) cannot be supported at the same time. |
| Datamarts | GRD-116101 | If the central manager is running version 12.2.1, all managed units must be patched to the same version. V6 datamarts cannot extract data from managed units that are not on the same patch level, and Guardium Data Security Center (GDSC) may not receive data from these datamarts. Workaround: Upgrade all managed units to match the central manager’s patch level to ensure v6 datamarts are supported. |
| Dynamic Host Configuration Protocol (DHCP) | GRD-115528 | Enabling DHCP does not automatically set the hostname and domain as expected. Workaround: Manually set host and domain names by using the following commands: store system hostname <host_name> and store system domain <domain_name> |
| Edge Gateway (New feature in 12.2.1) | GRD-115974 | When custom certificates are generated without a Subject Alternative Name (SAN), Edge cannot transmit health metrics to the central manager and its status is displayed as RED. Starting with Go 1.15, certificates require at least one SAN entry. Workaround: Regenerate TLS certificates used by Edge Gateway to include a SAN that matches the Edge hostname(s). |
| Edge Gateway (New feature in 12.2.1) | GRD-113025 | When you register an Edge Gateway, you might encounter issues with configuring ports if you select HAProxy options when you have Traefik with K3s installed. Configure Traefik manually after Edge installation is complete. Workaround: Traefik could be disabled during K3s setup by using this option: INSTALL_K3S_EXEC="--disable=traefik" If you want to use Traefik and Gateway API for TCPROUTE, you must enable experimentalChannel support. When K3s multi nodes cluster is used to deploy edge, the control-plane/master nodes need to be configured NoSchedule using command: kubectl taint nodes ${node-name} key=value:NoSchedule To use control-plane/master node as worker node, the control-plane/master node must match the minimum resource requirements. |
| Edge Gateway (New feature in 12.2.1) | GRD-116057 | The grdapi registerEdge command does not validate cpuLimits, memoryLimits, and storageRequests inputs, allowing invalid values to register an edge without error. This results in UI issues when attempting to update the Edge Gateway due to incorrect or negative resource specifications. Workaround: Manually validate values in 00-edge-namespace-resourcequota-optional.yaml in the edge bundle. A fix is available in an upcoming release. |
| Edge Gateway (New feature in 12.2.1) | GRD-116350 | When multiple aggregators are selected for data export, the system processes them based on selection priority. However, the user interface does not indicate the order in which aggregators are processed. A fix is available in an upcoming release. |
| GenAI app nodes (New feature in 12.2.1) | GRD-112283 | The UUID to register or unregister an app is not available from the Guardium UI or through a Guardium API. Workaround: UUIDs are available in the following folder: /var/IBM/Guardium/applications/ You can use the API list_applications to list all installed applications on a specific app-node. A fix to enhance the API to display app names is available in an upcoming release. |
| GenAI app nodes (New feature in 12.2.1) | GRD-115835 | GenAI application nodes are included in long-term retention (LTR) configuration even if they are not long-term retention nodes. These GenAI application nodes will not be affected by LTR setup and logs about the GenAI nodes in LTR setup can be ignored. |
| Install | GRD-117398 | Unable to extract Guardium 12.2.1 package .zip files that were downloaded on Windows. Workaround: Extract the files on a non-Windows machine, such as macOS or UNIX, or use the following command within PowerShell: Expand-Archive -Path .\<file> |
| Long-term retention (New feature in 12.2.1) | GRD-115834 | LTR configuration fails if certificate distribution was not successful. Workaround: Before configuring LTR, check that the datalake-gui certificate was distributed successfully on the application node where LTR is being configured. |
| Long-term retention (New feature in 12.2.1) | GRD-115356 | If the bucket used to house LTR data is not empty, or is reused, on startup, errors can occur due to a duplicate database, table, or view name. Workaround: After clearing the bucket, rerun the cold storage configuration command. If you want to attempt to use a non-empty bucket, try using a unique resultSchema and coldCatalogSchema. |
| Long-term retention (New feature in 12.2.1) | GRD-114558 | Long term retention reports are only available in the UTC time zone. |
| Long-term retention (New feature in 12.2.1) | GRD-114299 | When configuring long-term retention, you may receive the following message after installing the unit type application on the AIO node: "The new configuration will be effective once you execute the "restart inspection-core" command." This message can safely be ignored. |
| Long-term retention (New feature in 12.2.1) | GRD-115143 | The report execution status and results are not logged in ‘Report activity’ table for datalake reports on the backup central manager (CM). Workaround: After switching to the backup CM in version 12.2.1, you must create the datalake runtime environment and distribute certificates by using the following two CLI commands: |
| Long-term retention (New feature in 12.2.1) | GRD-116438 | After restoring collectors with long-term retention (LTR) datamarts from backup, you must reconfigure each datamart to reconnect to LTR by running the datamart_update_copy_file_info GrdAPI command on the central manager (CM). Workaround: 1. Access target CM and list cold storages to get the cold storage information with the command: grdapi list_cold_storages 2. Run the command grdapi datamart_update_copy_file_info Update the v6 Datamart with the cold storage name, data bucket, and catalog endpoint names from the output in step 1. |
| Long-term retention (New feature in 12.2.1) | GRD-116433 | When you restore long-term retention (LTR) app node from backup, the app node must be restored to a machine with the same name. |
| Long-term retention (New feature in 12.2.1) | GRD-115165, GRD-115880 | The orphan collection (data that is not ingested) runs automatically after a central manager (CM) failover, but it does not run following a CM restore from backup. Workaround: After failover, manually run the orphan collection by using the following GuardAPI command: grdapi ingest_orphaned_files cold_storage_id=<cold_storage_id> |
| Reports | GRD-115258 | After upgrading from Guardium 12.2 to 12.2.1, compliance measure or metric reports may not display the data correctly due to missing column descriptions. Workaround: Open the affected report in the Query Report Builder and click Save on that report to regenerate the column descriptions. |
| SOX ticket reconciliation (New feature in 12.2.1) | GRD-114294 | Automatic ticket mapping via GenAI fails for custom tables created prior to GenAI configuration. Ticket mapping only works if a new custom table is created after GenAI setup. Workaround: Create a new custom table post-GenAI configuration. |
| S-TAP | GRD-115954 | In MarkLogic database version 11.3.2, a discrepancy has been observed where the Session Key and Session ID are generated uniquely for each query from the Query console, even when multiple queries originate from the same session. This unexpected behavior may cause confusion for users relying on consistent session identifiers. A fix is available in an upcoming release. |
| S-TAP | GRD-114880 | When the shared-memory segment size for the priority packets or failover information hash table is changed during an upgrade from a previous release or by modifying the tap_failover_session_size parameter, restarting Unix S-TAP will result in the loss of previously saved priority packet data. A fix is available in an upcoming release. |
| S-TAP | GRD-114405, GRD-115382 | In the modernized GUI for S-TAP Control, you cannot set a new G-host as primary. This is a regression; the function worked in earlier releases. You also cannot control the sequence to configure failover order. Workaround: After adding the G-host, save and reopen the edit panel to manually edit the S-TAP configuration and designate the desired primary host. For UNIX S-TAPs, you can also edit the guard_tap.ini file manually to update the failover order for each G-host. |
| S-TAP | GRD-114064 | After upgrading ATAP to version 12.2.1, failover events lose existing database‑session attributes ( db_user, client_ip, db_name, source_program ) due to a change in shared‑memory segment sizing between 12.2.0 and 12.2.1. A fix is available in an upcoming release. |
| S-TAP | GRD-115920 | The "Run Diagnostics" function from the STAP Control screen is not working correctly. Workaround: DNS resolver is required for STAP diagnostics upload to work correctly. You must also manually specify the gim_server value in the tap ini file. |
| Universal connector on Edge Gateway (New feature in 12.2.1) | GRD-113414 | In Guardium edge cluster version 12.2.1, universal connector (UC) traffic is not displayed on the Quick Search (QS) report, even if UC profiles are correctly installed. This issue is specific to the edge cluster and does not occur on managed units (MUs). |
| Universal connector on Edge Gateway (New feature in 12.2.1) | GRD-116555 | Universal connector (UC) profile installation fails on OCP edge cluster. Workaround: When deploying Edge Gateway in OpenShift or Amazon EKS clusters, an additional load balancer is required to forward traffic. Configure the ports in the load balancer to match the ports that are used by the sniffer in GDP. Then configure UC or STAP to use the load balancer's hostname/IP address and the opened ports instead of the cluster's hostname. You may need assistance from your cloud administrator to configure certain load balancer products. |
| Universal connector | GRD-112476 | After upgrading from Guardium version 12.2 to 12.2.1, universal connector (UC) Kafka plugins (OUA, EDB Postgres) stopped functioning correctly, leading to failure in capturing traffic for these plugins. Workaround: After upgrading Guardium Data Protection from version 12.2 to 12.2.1: |
| Universal connector | GRD-112146 | After installing 12.2.1 on a central manager, the Kafka Dashboard and Kafka Alerts stop functioning correctly. The issue was traced to the Kafka Cruise Control not receiving new certificates promptly, causing authentication failures. Workaround: After installing 12.2.1, manually restart the Kafka cluster from the Kafka cluster management page. |
| Universal connector | GRD-114417 | If you encounter a "No suitable driver found" error after applying the patch, edit the profile configuration, re-upload the driver JAR file, save your changes, and reinstall. |
Document Information
Modified date:
01 April 2026
UID
ibm17251403