Common GIM Deployment Models:
1. Central Manager acting as GIM server
2. Aggregator acting as GIM Server
3. Collector acting as GIM server
4. Dedicated appliance as GIM server.
- Download GIM to Assigned Database servers from https://www-945.ibm.com/support/fixcentral/
- Select
the current/correct Fix Pack.
implementation is Guardium v11 GIM, S-TAP, GIM AIX & S-TAP AIX
For Example: Guardium_11.0.1.46_S-TAP_Windows_v11.0.1.46.zip (429.42 MB)
Guardium_11.0.1.46_GIM_Windows_v11.0.1.46.zip (905.7 MB)
|
|
GIM & S-Tap Installation on Windows
Requirements:
1. GIM Agent must be installed directly on DB server
2. GIM agent is a set of Perl scripts that run on each DB server
3. 300 MB minimum free space. Perl version 5.8.x or 5.10.x ( Windows Perl is installed as part of GIM agent installtion)
4. Firewall Requirements
– 8445 – GIM client listener, both direction TCP
– 8446 – GIM authenticated TLS, both directions. TCP
– 8081 – To use 8081 for the GIM client to connect to the GIM server, there is a need to disable the GIM_USE_SSL parameter.
References:
Installing the GIM client on a Windows server
Windows: Install, Upgrade, and Uninstall the S-TAP agent
For GIM:
Procedure
- Place the GIM client installer on the database server, in any folder.
- Run the setup.exe file to start the wizard that installs the GIM client. The setup.exe file is located in the GIM-Installer-<version> folder.
- Follow and answer the questions in the installation wizard.
For S-TAP:
After installing a GIM client on the database server, installation of the S-TAP for Windows is scheduled from the Guardium system. The only required parameter is WINSTAP_INSTALL_DIR. It cannot be modified after the installation. All other parameters can be modified after installation.
Procedure
1. Upload the Windows S-TAP module for installation.
- On the Guardium system, navigate to .
- Click Choose File and select the S-TAP module you want to install.
- Click Upload to upload the module to the Guardium system. After uploading, the module is listed in the Import Uploaded Modules table.
- In the Import Uploaded Modules table, click the check box next to the S-TAP module you want to install. The module is imported and made available for installation. After the module is imported, the Upload Modules page is reset and the Import Uploaded Modules table is empty.
2. Follow the GIM instructions in Set up by Client and refer to Windows: S-TAP GIM installation parameters.
- While the default parameters are acceptable for most installations, you are required to provide a WINSTAP_INSTALL_DIR value. The default value is C:/Program Files/IBM/Windows S-TAP. This is the only required parameter.
- If WINSTAP_TAP_IP (equivalent to the -taphost command line parameter) is not specified, the GIM_CLIENT_IP value is used.
- If WINSTAP_SQLGUARD_IP (equivalent to the -appliance command line parameter) is not specified, the GIM_URL value is used.
- Optionally enable enterprise load balancing. See the parameter description in Windows: S-TAP GIM installation parameters.
- To enable auto_discovery of database instances, set WINSTAP_NOAUTODISCOVERY to 0.
to refresh the results. If an install/upgrade has a failed status, click Uninstall if you see the button, otherwise, click Reset connection.You can also view the status of the module installation by reviewing the report at .YouTube Videos Part1:
Youtube Videos Part 2:
GIM/S-TAP Installation on *NIX
Install
only GIM Client on database server (.sh)
Log onto LPAR
Sudo to Root
Upload
guard-bundle-GIM-9.0.0_r73521_v90_1-aix-6.1-aix-powerpc.gim.sh to temp dir
chmod +x guard-bundle-GIM-9.0.0_r73521_v90_1-aix-6.1-aix-powerpc.gim.sh
Install script using following command,
./guard-bundle-GIM-9.0.0_r73521_v90_1-aix-6.1-aix-powerpc.gim.sh — –dir
/usr/local/guardium –-tapip <IP
Address of LPAR being installed on> –sqlguardip CollecterIP
Once
install script complete run following command ps -ef| grep module
Check
to see if GIM client is running: ps -ef
| grep gim
Check
to see if GIM is connected to Guardium appliance
log
into Guardium appliance
Go
to the Admin Console -> Module installation -> process monitoring
Upload
GIM and STAP server and Discovery agent (gim)
Locate
the current/correct gim/stap from fix central and download (See Item 2)
Log
into Central Manager.
Go
to the Admin Console -> Module installation -> upload -> browse
(select .gim files) for STAP, GIM and Discovery
Check
and click upload
8)
Distribute
GIM modules to all collectors
Log
into Central Manager.
Go
to Admin Console -> Central Management ->
Central Management -> select all collectors
Click
on ‘Distribute GIM Bundles
Install
S-Tap from GIM (push down to database server)
Log
into Collector
Go
to the Admin console -> module installation – > Setup by Client ->
Search -> select the database you want to install STAP -> choose Next
Select
‘BUNDLE_STAP_xxxxx’, Select STAP
Click
Next
Apply
the following parameters
ktap_enabled
= 1,
KTAP_ALLOW_MODULE_COMBOS = Y,
KTAP_LIVE_UPDATE
= Y,
STAP_TAP_IP
= database ip,
STAP_SQLGUARD_IP
= collector ip
Click
“Apply to Clients”
Click
“Install/Update”
Type “Now”
Click
“apply’ & Install
Verify
if S-TAP is installed on database
Click
“Refresh” and status to be “Installed”.
19).
Go to “Tap Monitor”->STAP
Events
Note: This will be on Collector, not Aggregator.
Instance
Discovery install:
Go
to the Admin console -> module installation – > Setup by Client ->
Search -> select the database you want to install Discovery-> choose Next
Select
“Bunder-Discovery_xxxxx” and click “next”
Apply
the following parameters:
DISCOVERY_JAVA_DIR is set to Database java path(example
/usr/java6_64/jre)
DISCOVERY_TAP_IP is set to Database IP (example 10.49.235.89)
DISCOVERY_SQLGUARD_IP is set to Collector IP (example:
10.49.136.11)
Click “Apply to Clients” and Click “Install/Update”.
Enter
“now” and click “apply”
Check
the install status as mentioned below by clicking the information box
Instilation Status information Box
Installation of the
Discovery Agent on Guardium appliances
Add
“Inspection engine” from database instance discovery
Go
to “Daily Monitor” and select “Discovered instances”
Double
click on the discovered instances for each row and select “Invoke”
“Create_stap_inspection_engine”
Click
“Invoke now”
Click
“Close”
Verify
successful inspection installation from the instance discovery on the STAPS
Go
to “administration console”->Local Taps->S-TAP Control
Select
each installed S-TAP and click + on the Inspection Engines
Login
as admin and set the following:
to Guardium with admin role
Admin Console tab select Portal
GIM Update
IBM Security Guardium V10 – How to upgrade GIM (Guardium Installation Manager) Client from GUI ?
1. Download new GIM bundle and unzip (.gim format)
2. Central Manager – Manage – Module Installation – Upload Modules
Donot forgot to import module use that small green check mark button.
3. Update Old GIM version to new GIM. Manage – Module Installation – Set up by client
Choose clients – Choose bundle (stap and GIM) – choose parameters (just next) – configure clients – click Install button
YouTube Video: