All about GIM Part I: GIM Agent Installation
Guardium L2 Technical Support
2 IBM Security © 2017 – IBM CORPORATION
Upcoming Open Mics and Tech Talks
August 22
Guardium Tech Talk: Get GDPR Compliant with Guardium Analyzer
ibm.biz/TechTalkAug
September 20
All about GIM, Part 2: GIM Usage
October 18
Tips and Tricks to Keep Windows STAP Healthy
November 15
Guardium Appliance Patching
ibm.biz/GuardiumOpenMic
Agenda
• What is GIM?
  - Glossary of GIM-Related Terms
  - GIM Overview
• GIM Agent Installation Planning
  - GIM Client Deployment Planning
  - System & Firewall Requirements
  - Installation Modes
• GIM Agent Installation
  - GIM Agent Installer (UNIX & Windows)
  - GIM Installation Modes Walk-Through (UNIX & Windows)
  - Validating Installation (UNIX & Windows)
• GIM Agent Installation Troubleshooting
  - Useful Logs
  - Services & Daemons
  - Validating Connectivity
  - Must Gather Information When Engaging Support
• What’s Next?
  - Useful Resources
  - All About GIM Part II: Usage & Deployment Methods
What is GIM?
Glossary of GIM-Related Terms
• Agent – Collection of Perl scripts run on each managed server, allowing for centralized management
• GIM Server – Guardium appliance used for deployment of GIM bundles and modules
• Bundle – A package of software that can be deployed with GIM. File extension .gim.
• Module – Components of a bundle. A .gim file containing one or more modules or sub-modules. Examples: CAS, S-TAP, FAM, UTILS, ATAP, SUPERVISOR.
• Listener Mode – GIM Agent not yet associated with a GIM Server
• Standard Mode – GIM Agent associated with a GIM Server
• Dynamic Updating – Fail-over Mode
What is GIM?
• GIM stands for Guardium Installation Manager
• Client/Server architecture:
  - GIM Server is the appliance
  - GIM Client is the agent
• Allows for the centralized deployment of STAP modules/bundles on DB servers
• Allows for centralized updating of STAP parameters
• Allows for updating/upgrading of STAP software
• Can be used via either CLI or GUI
• Restart STAPs and gather STAP diags remotely
• Deploy STAPs in groups
• If planned properly, very easy to use
[Diagram: GIM Server with UNIX Servers and Windows Servers]
GIM Agent Installation Planning
GIM Deployment Planning
• Designate a Guardium Server
• Common Deployment Models:
  - Central Manager can act as GIM Server
  - Designate an appliance as the “GIM Server”
  - Up to 4000 clients can be managed from a single server
• Fail-over Mode
  - If the GIM Server cannot be reached, the client will automatically connect to the fail-over server
  - When the original GIM server is available, the client will switch back
• Installation Modes
  - Standard
  - Listener
Tip: Any Guardium appliance can be designated as a GIM Server
Common GIM Deployment Models
• Central Manager acting as GIM Server
  - Centralizes deployment and management of GIM modules and bundles
  - Allows Collectors to focus on data collection
  - Useful in federated environments
• Aggregator acting as GIM Server
  - Centralizes deployment and management of GIM modules and bundles at the aggregator level
  - Allows Collectors to focus on data collection
  - Allows Central Manager to focus on core functions
  - Allows more flexibility (group GIM management by datacenter, region, database type, etc.)
  - If you have many Aggregators, it may become cumbersome to manage
• Collector acting as GIM Server
  - Centralizes deployment and management of GIM modules and bundles at the collector level
  - Can become cumbersome if designating many Collectors
  - A portion of the Collector's resources is diverted to non-data-collection tasks
  - Suitable for small standalone environments with moderate levels of activity
• Dedicated appliance(s) as GIM Server
  - Allows you to offload GIM Server functions that would otherwise compete with core functions of your Guardium appliances
  - Useful for large environments with high levels of activity
[Diagrams: one per model (Central Manager, Aggregator, Collector, Dedicated Appliance), each labelled “Normal traffic collection” and “GIM Traffic”]
GIM Dynamic Updating (AKA Fail-Over)
• At installation, add parameter: --failover_sqlguardip <ip>
• The fail-over GIM Server does not show in the Process Monitoring list
• The GIM client checks for updates from the GIM server at regular intervals
• Each GIM client sends an "alive" message to its GIM server regularly to check whether any updates are ready to be processed
• In the event that a GIM client fails to connect to its GIM server after five consecutive attempts:
  - the GIM client automatically connects to a failover server if one is specified
  - the GIM client resumes connecting to its original GIM server when that server becomes available
• The GIM server and failover server are configured using the GIM_URL and GIM_FAILOVER_URL parameters respectively
• Dynamic updating is controlled by the GIM Server/Guardium Appliance via global GIM parameters, which will be discussed in further detail in Part II of the series
[Diagram: Primary GIM Server and Secondary GIM Server]
TIP: Increase Reliability, Availability, Serviceability (RAS) with dual GIM Servers!
GIM Agent Requirements
• The GIM Agent must be installed directly on the DB server
• The GIM Agent is a set of Perl scripts that run on each DB server
• General System Requirements:
  - 300 MB minimum of disk space, or 700 MB if the FAM module is also being installed
  - Perl version 5.8.x or 5.10.x (on Windows, Perl is installed as part of the GIM Agent installation if not already installed)
• Firewall Requirements:
  - 8445 - GIM client listener, both directions, TCP
  - 8446 - GIM authenticated TLS, both directions. If GIM_USE_SSL is NOT disabled, the gim_client attempts to communicate its certificate via port 8446. If port 8446 is NOT open, it defaults to 8444, but no certificate is passed (for example, TLS without verification).
  - 8081 - To use 8081 for the GIM client to connect to the GIM server, the GIM_USE_SSL parameter, which is ON by default, must be disabled. If GIM_USE_SSL is NOT disabled, the gim_client attempts port 8446 and falls back to 8444 without a certificate, as described for port 8446.
GIM Installation Modes
• The GIM Agent can be installed in one of two modes:
Listener mode
• GIM Agent is not associated with any GIM server
• Makes the GIM client available for remote registration from a Guardium appliance (aka GIM Auto-Discovery)
• Useful when you don’t yet know which Guardium appliance will be your GIM server
Standard mode
• GIM Agent is registered to the GIM server and can be managed immediately
• GIM Agent must be able to communicate with the GIM server or the install will fail
[Diagram: Listener mode, port 8445: GIM Agent not connected to any GIM Server, only listening. Standard mode, port 8446: GIM Agent explicitly associated with GIM server.]
TIP: GIM Server can be any Guardium Appliance
GIM Agent Installation
GIM Agent Installer (UNIX & Windows)
• GIM Agent code can be obtained via Fix Central: https://www-945.ibm.com/support/fixcentral
• GIM Agent installer examples for UNIX:
  guard-bundle-GIM-10.5.0_r103224_v10_5_1-rhel-7-linux-x86_64.gim.sh
  guard-bundle-GIM-10.5.0_r103912_v10_5_1-aix-7.2-aix-powerpc.gim.sh
  guard-bundle-GIM-10.5.0_r103912_v10_5_1-sunos-5.11-solaris-i386_64.gim.sh
  guard-bundle-GIM-10.5.0_r103912_v10_5_1-suse-11-linux-i686.gim.sh
• GIM Agent installer for Windows:
  Setup.exe
GIM Installation modes walk through (Windows)
• Windows GIM Agent GUI install
GUI-based wizard install steps:
1. Place the GIM client installer on the database server, in any folder.
2. Run the setup.exe file to start the wizard that installs the GIM client. The setup.exe file is located in the GIM-Installer-* folder.
3. Follow and answer the questions in the installation wizard.
GIM Installation modes walk through (Windows) cont.
• Windows GIM Agent CLI install
CLI silent install steps:
1. Place the GIM client installer on the database server, in any folder.
2. Open a command prompt and navigate to the GIM_Installer* folder (the installer directory) under the folder where you placed the installer.
3. Enter one of these commands, with no line break, based on the install method desired:
Listener Mode:
setup.exe -UNATTENDED -LOCALIP 10.0.100.195
Standard Mode:
setup.exe -UNATTENDED -LOCALIP 10.0.100.195 -APPLIANCE 10.0.100.201
c:\Program Files (x86)\Guardium Installation Manager is the default installation directory
Validating Windows GIM Agent Installation
• You can view the results of the installation in the log file at c:\IBM Windows GIM.ctl
• Confirm that the Guardium Installation Manager service Status is Running and that its Startup Type is set to Automatic
• If the GIM Agent was deployed in standard mode, verify that the GIM server can see it
[Screenshots: GIM modules as shown for a Windows client and for a UNIX client]
- Windows only has one GIM module, while UNIX systems use two
- The GIM service will attempt to restart itself if it fails
Validating Windows GIM Agent Installation Cont.
• You can also verify that the GIM server can see the registered agent via command line:
[Screenshots: listing of all GIM grdapi CLI commands]
GIM Installation modes walk through (UNIX)
• UNIX GIM Agent install
UNIX GIM Agent install steps:
1. Place the GIM client installer on the database server, in any folder.
2. Confirm key prerequisites:
   - 300 MBs for GIM
   - Perl path
   - Perl 5.10/5.11
3. Run the installer:
Standard Mode:
./<installer_name> -- --dir <install_dir> --sqlguardip <g-machine ip> --tapip <db server ip address> --perl <perl dir> -q
The ‘-q’ parameter allows for a silent install.
For a Listener Mode install, omit sqlguardip.
Example:
[root@osprey tmp]# ./guard-bundle-GIM-10.5.0_r103912_v10_5_1-rhel-6-linux-x86_64.sh \
> -- --dir /usr/local/guardium/modules/GIM --tapip 10.0.100.197 --sqlguardip 10.0.100.201 \
> --perl /usr/bin
Verifying archive integrity… All good.
Uncompressing Guard Bundle-GIM Installer….
This product is subject the license terms associated with the IBM Security Guardium Product purchased.
Installing modules …
Installation completed successfully
[root@osprey tmp]#
GIM Installation modes walk through (UNIX) cont.: Validating installation
3. Based on your flavor of UNIX, run these commands to verify that the files have been added:
   RHEL 6 or later:
   ls -la /etc/init/gim*
   ls -la /etc/init/gsvr*
   Solaris:
   ls /lib/svc/method/guard_g*
   On all other platforms, verify that the following new entries were added to /etc/inittab:
   gim:2345:respawn:<perl dir>/perl <modules install dir>/GIM/<ver>/gim_client.pl
   gsvr:2345:respawn:<modules install dir>/perl <modules install dir>/SUPERVISOR/<ver>/guard_supervisor
4. Ensure that the GIM client and Supervisor processes are running:
   For our demo install on RHEL 6:
   ps -ef | grep modules
GIM Installation modes walk through (UNIX) cont.: Validating installation
5. Log in to the Guardium system and check the Process Monitoring status, or confirm via the Guardium System CLI.
[Screenshots: Process Monitoring in the GUI and the equivalent CLI output]
- Filter by status or server name/IP
- GIM client process: used for standard GIM operations
- SUPERVISOR process: monitors the GIM client, makes sure it is running, and restarts it if it fails
TIP: GUI recommended because you can get the status of processes on the same screen
GIM Uninstall: UNIX Systems
The GIM agent can be uninstalled in one of two ways:
• Locally, directly on the DB Server
• Via the GIM Server/Guardium Appliance (Covered in Part II)
To uninstall the GIM agent locally:
1. From a directory that is not within the Guardium installation directory, run:
   <gim install dir>/GIM/current/uninstall.pl
   If STAP is installed, you will be prompted to reboot before any future installations can take place.
2. Based on your flavor of UNIX, run these commands to verify that the files have been removed:
   RHEL 6 or later:
   ls -la /etc/init/gim*
   ls -la /etc/init/gsvr*
   Solaris:
   ls /lib/svc/method/guard_g*
GIM Uninstall: UNIX Systems cont.
On all other platforms, verify that the following entries were removed from /etc/inittab:
gim:2345:respawn:<perl dir>/perl <modules install dir>/GIM/<ver>/gim_client.pl
gsvr:2345:respawn:<modules install dir>/perl <modules install dir>/SUPERVISOR/<ver>/guard_supervisor
3. Verify GIM modules are not running:
   ps -ef | grep modules
4. Verify that the GIM client is no longer registered on the GIM server/Guardium appliance:
   [Screenshots: GUI and CLI views]
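The /etc/inittab and process checks used to validate both the UNIX install and the UNIX uninstall can be scripted as one test. This is an added example, not part of the original presentation; `gim_unix_state` is a hypothetical helper, the sample lines are constructed, and it only covers platforms where the entries live in /etc/inittab.

```shell
#!/bin/sh
# Added example (not from the presentation). gim_unix_state is a
# hypothetical helper name, not a Guardium tool.
# Usage: ps -ef > /tmp/ps.out; gim_unix_state /etc/inittab /tmp/ps.out
gim_unix_state() {
    # Count the two respawn entries the installer adds (gim and gsvr).
    entries=$(awk -F: '
        /^[ \t]*#/ { next }   # commented-out entries do not count
        $1 == "gim"  && $3 == "respawn" && /gim_client\.pl/   { g = 1 }
        $1 == "gsvr" && $3 == "respawn" && /guard_supervisor/ { s = 1 }
        END { print g + s }' "$1")
    # Count the two daemons in saved `ps -ef` output.
    procs=$(awk '
        /gim_client\.pl/   && !/awk|grep/ { g = 1 }
        /guard_supervisor/ && !/awk|grep/ { s = 1 }
        END { print g + s }' "$2")
    case "$entries/$procs" in
        2/2) echo "installed-running" ;;
        2/*) echo "installed-not-running" ;;
        0/0) echo "removed" ;;
        *)   echo "inconsistent" ;;   # leftovers after uninstall, or a partial install
    esac
}

# Constructed sample data; paths assume the default
# /usr/local/guardium/modules install directory.
sample_inittab() {
cat <<'EOF'
gim:2345:respawn:/usr/bin/perl /usr/local/guardium/modules/GIM/current/gim_client.pl
gsvr:2345:respawn:/usr/bin/perl /usr/local/guardium/modules/SUPERVISOR/current/guard_supervisor
EOF
}
sample_ps() {
cat <<'EOF'
root  2314     1  0 10:02 ?      00:00:01 /usr/bin/perl /usr/local/guardium/modules/GIM/current/gim_client.pl
root  2320     1  0 10:02 ?      00:00:00 /usr/bin/perl /usr/local/guardium/modules/SUPERVISOR/current/guard_supervisor
root  2551  2400  0 10:05 pts/0  00:00:00 grep modules
EOF
}

tmp=$(mktemp -d)
sample_inittab > "$tmp/inittab"
sample_ps > "$tmp/ps"
gim_unix_state "$tmp/inittab" "$tmp/ps"
rm -rf "$tmp"
```

After an uninstall the expected result is `removed`; `inconsistent` means entries or processes were left behind.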
GIM Uninstall: Windows Systems
The GIM agent can be uninstalled in one of two ways:
• Locally, directly on the DB Server
• Via the GIM Server/Guardium Appliance (Covered in Part II)
To uninstall the GIM agent locally:
1. Control Panel > Programs > Programs and Features > Uninstall or Change Program
TIP: Recommended method to uninstall is via Control Panel
GIM Uninstall: Windows Systems Validating Uninstall
1. Check that the Guardium Installation Manager service has been removed (services.msc)
2. Check that the Guardium Installation Manager directory has been removed
[Screenshot: services list with the GIM service removed]
TIP: Default installation directory is:
C:\Program Files (x86)\Guardium\Guardium Installation Manager
GIM Uninstall: Windows Systems Validating Uninstall cont.
1. On the GIM server/Guardium appliance, confirm that the GIM client agent shows a status of “Down”:
   GUI: Select the checkbox and the minus circle to remove the client from the GIM server
   CLI:
   grdapi gim_reset_client clientIP=<CLIENT_IP>
   grdapi gim_list_registered_clients
[Screenshot callout: Windows GIM agent successfully unregistered]
GIM Agent Installation Troubleshooting
Useful logs for both Windows & UNIX
• For GIM Agent installation, refer to the following logs:
  - C:\IBM Windows GIM.ctl
  - /<INSTALL_DIR>/GIM/<GIM_AGENT_VERSION>/GIM.log
    Example: /usr/local/guardium/modules/GIM/10.1.4_r102728_1-1516139022/GIM.log
  - /<INSTALL_DIR>/modules/central_logger.log
    Example: /usr/local/guardium/modules/central_logger.log
TIP: Paths to these log files can vary based on the version installed and the installation directory chosen during install
Validating Connectivity
• Ping: from client to server and from server to client
  - Available in CLI: ping <host>, where host is a valid IP address or hostname.
• telnet (if installed)
• netstat (check that port 8445 is listening if running in Listener mode, or that there is an established connection on 8446 if running in Standard mode)
• If applicable, check whether the required ports are open on the firewall
• GIM process status red: Was there a fail-over, or is registration incomplete? Or was this registered elsewhere? Delete the process in the GUI.
TIP: GIM.log and central_logger.log can help narrow down what the issue is
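The netstat check above and the port behaviour listed under Firewall Requirements can be combined into one test that also catches the fallback to 8444, where no certificate is passed. This is an added example, not part of the original presentation; `gim_conn_state` is a hypothetical helper, the netstat lines are constructed, and the IPs reuse the demo addresses from the install slides.

```shell
#!/bin/sh
# Added example (not from the presentation). gim_conn_state is a
# hypothetical helper name, not a Guardium command.
# Port meanings follow the firewall requirements in this deck:
#   8445 GIM client listener          8446 authenticated TLS
#   8444 TLS, no certificate passed   8081 GIM_USE_SSL disabled

# Usage: netstat -an | gim_conn_state <GIM server IP>
gim_conn_state() {
    awk -v srv="$1" '
        function port(a) { sub(/^.*[:.]/, "", a); return a }
        function host(a) { sub(/[:.][0-9*]+$/, "", a); return a }
        {
            # Linux and AIX rows start with the protocol name; Solaris
            # rows start with the local address.
            if ($1 ~ /^tcp/) { laddr = $4; faddr = $5 } else { laddr = $1; faddr = $2 }
            if ($NF == "LISTEN" && port(laddr) == "8445") listening = 1
            if ($NF == "ESTABLISHED" && host(faddr) == srv) seen[port(faddr)] = 1
        }
        END {
            # Report the weakest channel in use first.
            if (seen["8081"])      print "ssl-disabled"
            else if (seen["8444"]) print "tls-no-cert"
            else if (seen["8446"]) print "authenticated-tls"
            else if (listening)    print "listener-only"
            else                   print "none"
        }'
}

# Constructed sample (not captured from a real host): port 8446 was
# blocked, so the client fell back to 8444 and passed no certificate.
sample_fallback() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:8445            0.0.0.0:*               LISTEN
tcp        0      0 10.0.100.197:45012      10.0.100.201:8444       ESTABLISHED
EOF
}

sample_fallback | gim_conn_state 10.0.100.201
```

A Standard-mode client that reports anything other than `authenticated-tls` is a reason to check the firewall rule for 8446 and the GIM_USE_SSL setting.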
GIM Service and Daemons
• Are they running?
  For UNIX: ps -ef | grep modules
  For Windows: services.msc
• For UNIX, the GIM Agent daemon can be restarted with ‘kill’ on the pid of gim_client.pl. If the daemon is killed or crashes, it will attempt to respawn.
• For Windows, the GIM Agent service can be started/restarted by selecting the “IBM Security Guardium Installation Manager” service and selecting Restart or Start. If the service crashes, it will attempt to restart.
Must gather information when engaging support
• Perl environment (for UNIX systems):
  perl -V
  which perl
  uname -a
  cat /etc/*release*
• Logs:
  central_logger.log
  GIM.log
• In cases where additional logging is needed for troubleshooting, navigate to the GIM current directory, then edit the conf file to turn on GIM debug by setting gim_debug=1. This adds extra logging in central_logger.log.
• On the appliance side: gimserver.log (available with fileserver). Start fileserver, then navigate to logs > opt-ibm-guardium-log and download the log.
• Manage Maintenance GIM Logs:
  - GIM Events List
  - GIM Client Status
TIP: In general the paths in UNIX are:
<GIM installation dir>/modules/GIM/current/GIM.log
<GIM Installation dir>/modules/central_logger.log
TIP: In general the installation paths are:
Windows: C:\Program Files (x86)\Guardium\Guardium Installation Manager
Linux: /usr/local/guardium/modules/
AIX: /usr/local/guardium/modules/
What’s Next?
Useful Resources
• Knowledge Center is your best resource for up-to-date information on all things GIM:
  - Getting Started with Guardium Installation Manager: https://www.ibm.com/support/knowledgecenter/SSMPHH_10.5.0/com.ibm.guardium.doc/getstart/getting_started-installation_manager.html
  - Installing the GIM client on a UNIX server: https://www.ibm.com/support/knowledgecenter/SSMPHH_10.5.0/com.ibm.guardium.doc.stap/gim/t_gim_client_install_unix.html
  - Installing the GIM client on a Windows server: https://www.ibm.com/support/knowledgecenter/SSMPHH_10.5.0/com.ibm.guardium.doc.stap/gim/t_gim_client_install_win.html
• DeveloperWorks Guardium Community: https://www.ibm.com/developerworks/community/groups/service/html/communityview?communityUuid=432a9382-b250-4e55-98d7-8e9ee6cbf90e
  - 266 members and growing!
All about GIM Part II: Usage and Deployment Methods
ibm.biz/GuardiumOpenMic
• How to distribute GIM bundles to MUs
  - Download Bundle
  - Upload Modules to GIM Server
  - Distribute/Deploy Modules (install and upgrade)
  - Create client groups
  - Bundle Distribution
  - Rollback
• GUI Reports
• GIM Command Line Interface
• GIM Auto-Discovery
  - Registration
  - GIM Authentication
• Miscellaneous Tasks
  - Deploy Custom Built KTAP Modules
  - Auto-install on OS upgrade
  - Remove Unused Bundles
  - Bringing STAP under GIM Management
  - Moving GIM Agent to different GIM Server
  - GIM Global Parameters
• Troubleshooting
[Diagram: GIM Server with UNIX STAP and WIN STAP; labels: GIM Management, Reporting, GUI/CLI Operations & Much More!]
Questions for the panel
To ask a question after this presentation:
You are encouraged to participate in the dW Answers forum:
https://developer.ibm.com/answers/topics/guardium.html
Question and Answer
• Thank you for the privilege of your time
• Be on the lookout for Part II in September!
© Copyright IBM Corporation 2017. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind,
express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products
and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service
marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your
enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others.
No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems,
products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products
or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.