
http://publib.boulder.ibm.com/infocenter/igsec/v1/index.jsp?topic=%2Fcom.ibm.guardium.software.app.install.doc%2Ftopics%2Fsoftware_appliance_installation_guide.html

IBM InfoSphere Guardium Software Appliance Installation Guide

This document details the steps necessary to install and configure the Software Appliance solution from IBM® InfoSphere® Guardium®. This document also provides information on how to customize the partitioning on the appliance and how to install on a remote drive (SAN).

The steps are:

  Assemble configuration information and the hardware required before you begin.
  Set up the physical appliance or the virtual appliance.
  Install the IBM InfoSphere Guardium image.
  Set up initial and basic configurations.
  Verify successful installation.

The IBM InfoSphere Guardium solution is available as:

  Hardware offering - a fully configured software solution delivered on physical appliances provided by IBM.
  Software offering - the solution delivered as software images to be deployed by the customers on their own hardware either directly or as virtual appliances.

The scope of this document is the Software Offering, and the requirements listed in this document apply to the installation of both the physical appliance and the virtual appliance unless specified otherwise.

Product overview
  IBM® InfoSphere® Guardium® provides a unified, cross-platform solution that both protects databases in real time and automates the entire compliance auditing process. The solution supports all major database platforms, enterprise applications, and operating systems (UNIX, Linux, Windows, and z/OS®).

Step 1. Assemble the following before you begin
  This section details the minimum hardware resources required and what configuration information is necessary to obtain before installation can proceed.

Step 2. Setup the physical or virtual appliance
  The setup instructions in this section are different when installing to a physical appliance or a virtual appliance.

Step 3. Install the IBM InfoSphere Guardium image
  This section details how to install the image and partition the disk.

Step 4. Setup Initial and Basic Configuration
  The initial step should be the network configuration and must be done locally through the Command Line Interface (CLI) accessible through the serial port or the system console.

Step 5. What to do next
  This section details the steps of verifying the installation by logging on to the appliance; setting unit type, installing license keys, and other installations - patches, S-TAPs, Inspection Engines, CAS.

Appendix A: Detailed Hardware Specifications
  The table below lists the recommended platforms for InfoSphere Guardium; these platforms were tested by IBM and approved as suitable for running the InfoSphere Guardium solution.

Appendix B: How to Create the Virtual Image
  Use this section to install the virtual image.

Appendix C: Custom Partitioning
  This appendix illustrates the choices available to the user who wants to customize the partitioning of the hard drive (locally or on a SAN disk).

Appendix D: How to partition with an encrypted LVM
  If an encrypted disk is desired, follow the instructions in this appendix on how to create an encrypted LVM volume containing the / and /var logical volumes.

Appendix E: Example of SAN Configuration
  This appendix details the steps involved in moving to a command prompt in order to pre-partition a hard drive (as is needed for SAN installation).

More Information
  For more information, go to the following online resources:

============================
Step 2. Setup the physical or virtual appliance

The setup instructions in this section are different when installing to a physical appliance or a virtual appliance.

Physical Appliance
  Once the appliance has been loaded into the customer's rack, connect the appliance to the network in the following manner:

How to identify eth0 and other network ports
  Use the following CLI commands to map the network ports.

Virtual appliance
  The IBM InfoSphere Guardium Virtual Machine (VM) is a software-only solution licensed and installed on a guest virtual machine such as VMware ESX Server.

----------------
Physical Appliance

Once the appliance has been loaded into the customer's rack, connect the appliance to the network in the following manner:

  Find the power connections. Plug the appropriate power cord(s) into these connections.
  Connect the network cable to the eth0 network port. Connect any optional secondary network cables.
  Connect a Keyboard, Video and Mouse directly or through a KVM connection (either serial or through the USB port) to the appliance.
  Power up the system.

The following discusses how to connect the appliance for network-based database activity monitoring. For network-based database activity monitoring (as opposed to S-TAP-based), the appliance captures the database traffic directly through the network. In this mode, the appliance should be connected through one of the secondary network cards (in addition to the eth0 connection) to a Switch or network Tap Device through which the monitored database traffic flows (the nearer that device is to the monitored database server or to a monitored application the better).
------------------
How to identify eth0 and other network ports

Use the following CLI commands to map the network ports.

show network interface inventory
  Use this CLI command to display the port names and MAC addresses of all installed network interfaces.

    show network interface inventory
    eth0 00:13:72:50:CF:40
    eth1 00:13:72:50:CF:41
    eth2 00:04:23:CB:11:84
    eth3 00:04:23:CB:11:85
    eth4 00:04:23:CB:11:96
    eth5 00:04:23:CB:11:97

show network interface port
  Use this CLI command to locate a physical connector on the back of the appliance. After using the show network interface inventory command (above) to display all port names, use this command to blink the light on the physical port specified by n (the digit following eth in the above command - eth0, eth1, eth2, eth3, etc.), 20 times.

    show network interface port 1

  The orange light on port eth1 will now blink 20 times.

Install the software appliance directly on dedicated computer
  When installing the software appliance directly to disk on a dedicated computer, use the Physical appliance instructions.

----------------------
Virtual appliance

The IBM® InfoSphere® Guardium® Virtual Machine (VM) is a software-only solution licensed and installed on a guest virtual machine such as VMware ESX Server.

To install the IBM InfoSphere Guardium VM, follow the steps in Appendix B - How to Create the Virtual Image. A summary of the steps in the appendix:

  Verify system compatibility
  Install VMware ESX Server
  Connect network cables
  Configure the VM Management Portal
  Create a new Virtual Machine
  Install the IBM InfoSphere Guardium virtual appliance

After installing the VM, return to Step 4, Setup Initial and Basic Configuration, for further instructions on how to configure the IBM InfoSphere Guardium system.

=========================
Step 3. Install the IBM InfoSphere Guardium image

This section details how to install the image and partition the disk.

Make sure your BIOS boot sequence settings are set to attempt startup from the removable media (the CD/DVD drive) before using the hard drive.

Note: Installation can take place from DVD or CD. If needed, get the BIOS password from Technical Support.

Load the IBM® InfoSphere® Guardium® image from the installation DVD. The following two options will appear:

  Standard Installation - default partitioning. Choose this option if unsure of how to partition the disk.
  Custom Partition Installation - allows more customization of the partitions (locally or on a SAN disk). There are two custom partitioning options, one that starts the installer in a graphical mode that allows for more advanced partitioning options. See Appendix C for further information on how to implement this option.

Note: The Standard Installation will wipe the disk, repartition and reformat the disk, and install a new operating system.

On the first boot after installation, the user will be asked to accept a Licensing Agreement. They can use PgDwn to read through the agreement or Q to skip to the end. To accept the terms of the agreement, enter q to exit and then type yes. The user MUST enter "yes" to the agreement or the machine will not boot up.

The system will boot up from DVD. It takes about 12 minutes for this installation. The CD image version uses two separate CDs. To insert the second CD, log in as guardinstall and use the password guardium.

(a) The system asks for the CLI Password (will be set to guardium automatically after 10 seconds if no input is provided). The command line interface (CLI) is an administrative tool that allows for configuration, troubleshooting, and management of the InfoSphere Guardium system.

(b) Choose and enter the password for the GUI Admin user. Repeat this password a second time to confirm it. The admin (or system administration) user configures and manages the InfoSphere Guardium system.

(c) Choose and enter the password for the Access Manager user. Repeat this password a second time to confirm it. Access Management (accessmgr) is separate from system administration duties. Access Management consists of four tasks: account administration, maintenance, monitoring, and revocation. CLI and GUI passwords will need to be changed again on first login.

Note (for steps a, b, c): There is no visible output when entering the passwords.

(d) The installation process will now ask you to choose a collector or aggregator (will be set to Collector automatically after 10 seconds if no input is provided). See the Product Overview for an explanation of Collector and Aggregator. If you wanted to choose aggregator and you did not choose it within 10 seconds, you must reinstall in order to get back to this point where you have a choice of aggregator. Pay attention to the wording of the on-screen question:

  For Collector - answer YES.
  For Aggregator - answer NO.

The system will automatically reboot at this point to complete the installation. The first login after a reboot will require a change of passwords.

========================
Step 4. Setup Initial and Basic Configuration

The initial step should be the network configuration and must be done locally through the Command Line Interface (CLI) accessible through the serial port or the system console.

Enter the temporary cli password you supplied previously.
In the following steps, you will supply various network parameters to integrate the IBM® InfoSphere® Guardium® into your environment, using cli commands.

In the cli syntax, variables are indicated by angled brackets, for example: <ip_address>

Replace each variable with the appropriate value for your network and installation (but do not include any brackets).

Note: Do not change the hostname and the time zone in the same CLI session.

Set the primary System IP Address
  The primary IP address is for the ETH0 connection, and is defined using the following two commands:

Set the Default Router IP Address
  Use the following CLI command:

Set DNS Server IP Address
  Set the IP address of one or more DNS servers to be used by the appliance to resolve host names and IP addresses. The first resolver is required, the others are optional.

SMTP Server
  An SMTP server is required to send system alerts. Enter the following commands to set your SMTP server IP address, set a return address for messages, and enable SMTP alerts on startup.

Set Host and Domain Names
  Configure the hostname and domain name of the appliance. This name should match the hostname registered for the appliance in the DNS server.

Set the Time Zone, Date and Time
  There are two options for setting the date and time for the appliance. Do one of the following:

Set the Initial Unit Type
  An appliance can be a standalone unit, a manager or a managed unit. In addition, an appliance can be set to capture database activity via network inspection or STAP or both. The standard configuration would be for a standalone appliance (for all appliances), and the most common setting would use STAP capturing (only for collectors).

Reset Root Password
  Reset your root password on the appliance using your own private passkey by executing the following CLI command (requires access key: "t0Tach"):

Validate All Settings
  Before logging out of CLI and progressing to the next configuration step, it is recommended to validate the configured settings using the following commands:

Reboot the System
  Reboot the system to complete the basic configuration.

------------
Set the primary System IP Address

The primary IP address is for the ETH0 connection, and is defined using the following two commands:

    store network interface ip <ip_address>
    store network interface mask <subnet_masks>

Optionally, a secondary IP address can be assigned, but this can only be done from the GUI after the initial configuration has been performed. The remaining network interface cards on the appliance may be used to monitor database traffic, and do not have an assigned IP address.
--------------
Set the Default Router IP Address

Use the following CLI command:

    store network routes def <default_router_ip>

----------------
Set DNS Server IP Address

Set the IP address of one or more DNS servers to be used by the appliance to resolve host names and IP addresses. The first resolver is required, the others are optional.

    store network resolver 1 <resolver_1_ip>
    store network resolver 2 <resolver_2_ip>
    store network resolver 3 <resolver_3_ip>

----------------

SMTP Server

An SMTP server is required to send system alerts. Enter the following commands to set your SMTP server IP address, set a return address for messages, and enable SMTP alerts on startup.

    store alerter smtp relay <smtp_server_ip>
    store alerter smtp returnaddr <first.last@company.com>
    store alerter state startup on

Note: Configuring the SMTP server can also be done via the InfoSphere® Guardium® GUI (Admin Console > Configuration > Alerter)

---------------
Set Host and Domain Names

Configure the hostname and domain name of the appliance. This name should match the hostname registered for the appliance in the DNS server.

    store system hostname <host_name>
    store system domain <domain_name>

Note: During basic configuration of the appliance, do NOT change the hostname and the time zone in the same CLI session. Change hostname, reboot, login and then change the time zone.

-------------
Set the Time Zone, Date and Time

There are two options for setting the date and time for the appliance. Do one of the following:

Date/Time Option 1: Network Time Protocol

Provide the details of an accessible NTP server and enable its use.

    store system ntp server <ntpserver_name>
    store system ntp state on

Date/Time Option 2: Set the time zone, date and time

Use the following command to display a list of valid time zones:

    store system clock timezone list

Choose the appropriate time zone from the list and use the same command to set it.

    store system clock timezone <selected time zone>

Note: When setting up a new timezone, internal services will restart and data monitoring will be disabled for a few minutes during this restart.

Store the date and time, in the format: YYYY-mm-dd hh:mm:ss

    store system clock datetime <date_time>

Note: Do not change the hostname and the time zone in the same CLI session.
---------------
Set the Initial Unit Type

An appliance can be a standalone unit, a manager or a managed unit. In addition, an appliance can be set to capture database activity via network inspection or STAP or both. The standard configuration would be for a standalone appliance (for all appliances), and the most common setting would use STAP capturing (only for collectors).

    store unit type standalone    - use this command for all appliances
    store unit type stap          - use this command for collectors

Unit type standalone and unit type stap are set by default. Unit type manager (if needed) must be specified.

Note: Unit type settings can be done at a later stage, when the appliance is fully operational.

-----------------
Reset Root Password

Reset your root password on the appliance using your own private passkey by executing the following CLI command (requires access key: "t0Tach"):

    support reset-password root <N>|random

Save the passkey used in your documentation to allow future Technical Support root accessibility.

To see the current pass key use the following CLI command:

    support show passkey root

-----------------
Validate All Settings

Before logging out of CLI and progressing to the next configuration step, it is recommended to validate the configured settings using the following commands:

    show network interface all
    show network routes defaultroute
    show network resolver all
    show system hostname
    show system domain
    show system clock timezone
    show system clock datetime
    show system ntp all
    show unit type
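
As an added example, not part of the IBM guide: the Python below checks the Step 4 values offline and emits the store commands in the order the guide allows, splitting them into two CLI sessions when the time zone is set by hand, because hostname and time zone must not change in the same session. The config keys, sample values and function names are assumptions; the commands are the ones shown on this page.

```python
import ipaddress
import re
from datetime import datetime

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed sample values (RFC 5737 documentation addresses, made-up names).
SAMPLE_CONFIG = {
    "ip": "192.0.2.10", "mask": "255.255.255.0", "router": "192.0.2.1",
    "resolvers": ["192.0.2.53"],
    "hostname": "guard-col01", "domain": "example.com",
    "timezone": "America/New_York",      # placeholder; pick from the CLI's list
    "datetime": "2024-05-01 09:30:00",   # YYYY-mm-dd hh:mm:ss
}


def check_mask(mask):
    """Accept only a contiguous dotted-quad netmask (rejects '24' and host masks)."""
    net = ipaddress.IPv4Network(f"0.0.0.0/{mask}")
    if str(net.netmask) != mask:
        raise ValueError(f"not a dotted-quad netmask: {mask!r}")
    return mask


def build_sessions(cfg):
    """Return CLI sessions (lists of commands); a reboot separates sessions."""
    ip = ipaddress.IPv4Address(cfg["ip"])
    mask = check_mask(cfg["mask"])
    router = ipaddress.IPv4Address(cfg["router"])
    subnet = ipaddress.IPv4Interface(f"{ip}/{mask}").network
    if router not in subnet:
        raise ValueError(f"default router {router} is outside {subnet}")
    resolvers = [ipaddress.IPv4Address(r) for r in cfg["resolvers"]]
    if not 1 <= len(resolvers) <= 3:
        raise ValueError("resolver 1 is required; at most three are accepted")
    if not HOSTNAME_RE.match(cfg["hostname"]):
        raise ValueError(f"invalid hostname: {cfg['hostname']!r}")

    first = [
        f"store network interface ip {ip}",
        f"store network interface mask {mask}",
        f"store network routes def {router}",
    ]
    first += [f"store network resolver {n} {r}" for n, r in enumerate(resolvers, 1)]
    first += [
        f"store system hostname {cfg['hostname']}",
        f"store system domain {cfg['domain']}",
    ]
    if cfg.get("ntp_server"):
        # Date/Time option 1 (NTP): no time zone command, so one session suffices.
        first += [f"store system ntp server {cfg['ntp_server']}",
                  "store system ntp state on", "restart system"]
        return [first]

    # Date/Time option 2: hostname and time zone must not change in the same
    # CLI session, so reboot after the hostname and set the clock afterwards.
    stamp = datetime.strptime(cfg["datetime"], "%Y-%m-%d %H:%M:%S")
    second = [
        f"store system clock timezone {cfg['timezone']}",
        f"store system clock datetime {stamp:%Y-%m-%d %H:%M:%S}",
        "restart system",
    ]
    return [first + ["restart system"], second]


if __name__ == "__main__":
    for number, session in enumerate(build_sessions(SAMPLE_CONFIG), 1):
        print(f"--- CLI session {number} ---")
        print("\n".join(session))
```

A default router outside the primary subnet, a non-contiguous mask or a malformed date raises ValueError before anything is typed at the console.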

-----------------
Reboot the System

Reboot the system to complete the basic configuration.

If the system is not in its final location, now is a good time to shut the system down, place it in its final network location, and start it up again. Remove the installation DVD before rebooting the system.

To reboot the system, enter the following command in CLI:

    restart system

The system will shut down and reboot immediately after the command is entered. Upon startup, the system should be accessible (via CLI and GUI) through the network, using the provided IP address and hostname.

=========================
Step 5. What to do next

This section details the steps of verifying the installation by logging on to the appliance; setting unit type, installing license keys, and other installations - patches, S-TAPs, Inspection Engines, CAS.

Verify Successful Installation
  Verify the installation by following these steps:

Set Unit Type
  To set up a federated environment, configure one of the appliances as the Central Manager and all the other appliances should be set to be managed by the management unit.

Install License Keys
  See System Configuration in the Guardium Administration help book.

Install maintenance patches (if available)
  Patches can be installed through CLI (see store system patch command) or through the GUI.

Additional Steps (optional)
  The following sections discuss changing the baseline English to another language, installing S-TAP agents, defining Inspection Engines and installing CAS agents.

-----------------
Verify Successful Installation

Verify the installation by following these steps:

  Login to CLI - ssh cli@<ip of appliance>
  Login to GUI - https://<ip of appliance>:8443 (use admin userid)

The first login after a reboot will require a change of passwords.

Log in to the IBM® InfoSphere® Guardium® web-based interface and go to the embedded online help for more information on any of the following tasks.

-----------------
Set Unit Type

To set up a federated environment, configure one of the appliances as the Central Manager and all the other appliances should be set to be managed by the management unit.

See store unit type command in the Appendices help book, under the CLI topic.

-----------------
Install License Keys

See System Configuration in the Guardium® Administration help book.

Note: In federated environments, license keys are installed only on the Central Manager.

Specific product keys, which are based on the customer's entitlements, must be installed through CLI or the GUI as described below.

From the GUI:

  Log in as admin to the IBM® InfoSphere® Guardium console.
  Navigate to Administration Console > Configuration > System
  Enter the License Key(s) in the System Configuration panel.
  Click Apply.

From the CLI:

  Log in to the CLI.
  Issue the store license console CLI command to store a new license.

      store license console

  Copy and paste the new license at the cursor location. Make sure to type an equal sign (=) at end of license code.
  Press Enter and then CTRL-D.

-------------------
Install maintenance patches (if available)

Patches can be installed through CLI (see store system patch command) or through the GUI.

See the Central Patch Management topic in Aggregation and Central Management help book.

Note: In federated environments, maintenance patches can be applied to all of the appliances from the Central Manager.

There may not be any maintenance patches included with the installation materials. If any are included, apply them as described below:

1. Log in to the IBM® InfoSphere® Guardium® console, as the cli user, using the temporary cli password you defined in the previous installation procedure. You can do this by using an ssh client.

2. Do one of the following:

   If installing from a patch CD, insert the CD into the IBM InfoSphere Guardium CD drive, enter the following command, and skip ahead to step 3:

       store system patch install cd

   If installing from a network location, enter the following command (selecting either ftp or scp):

       store system patch install [ftp | scp]

   And respond to the following prompts (be sure to supply the full path name to the patch file):

       Host to import patch from:
       User on <hostname>
       Full path to patch, including name:
       Password:

   If installing using the fileserver function, enter the following command:

       store system patch install sys

   You will be prompted to select the patch to apply. Use wildcards in the pathname to get multiple patches. Also separate patch names by commas.

3. To install additional patches, repeat step 2.

4. To see if patches have been installed successfully, use the CLI command:

       show system patch installed

   Patches install via a background process that may take a few minutes to complete.

-----------------
Additional Steps (optional)

The following sections discuss changing the baseline English to another language, installing S-TAP agents, defining Inspection Engines and installing CAS agents.
Use CLI command store language

Use the CLI command store language to change from the baseline English and convert the database to the desired language. Installation of InfoSphere® Guardium® is always in English. An InfoSphere Guardium system can only be changed to Japanese or Chinese (Traditional or Simplified) after an installation. The "store language" command is considered a setup of the appliance and is intended to be run during the initial setup of the appliance. Running this CLI command after deployment of the appliance in a specific language can change the information already captured, stored, customized, archived or exported. For example, the psmls (the panes and portlets you have created) will be deleted, since they need to be recreated in the new language.

Install S-TAP agents

Install S-TAP agents on the database servers and define their inspection engines. S-TAP is a lightweight software agent installed on the database server that monitors local and network database traffic and sends the relevant information to the IBM® InfoSphere Guardium appliance (the collector) for further analysis, reporting and alerting. To install an S-TAP, refer to the S-TAP help book included in the product manuals.

To verify that the S-TAPs have been installed and are connected to the IBM InfoSphere Guardium appliance:

  Log in to the IBM InfoSphere Guardium administrator portal.
  Do one of the following:
    Navigate to the Tap Monitor > S-TAP tab, and click S-TAP Status from the menu. All active S-TAPs display with a green background. A red background indicates that the S-TAP is not active.
    Navigate to Administration Console > Local Taps > S-TAP Control, and confirm that there is a green status light for this S-TAP.

Define Inspection Engines

Define Inspection Engines for network-based activity monitoring.

Install CAS agents

Install Configuration Auditing System (CAS) agents on the database server.

---------------------
