After a Guardium v9 upgrade, customer trusted certificates and Custom Attributes are lost
Upgrading to Guardium v9 overwrites customer trusted certificates with standard Guardium certificates.
IBM Guardium bug 35679 - Certificate seems to be lost / unusable after an upgrade.
Values of calculated fields (Custom Attributes) are also overwritten.
An issue has been identified where trusted (GUI) certificates are overwritten after upgrading to Guardium v9.
- The GUI site may appear as not trusted
- S-TAPs may appear in red in the System View
- Custom Attributes are no longer available
The problem is introduced when upgrading to v9. The trusted certificate (keystore file) gets overwritten and replaced by the initial configuration certificates and keys.
The Custom Attributes in the Guardium internal MySQL table are also overwritten.
The trusted certificate (keystore file) and the values of calculated fields (Custom Attributes) must be preserved during patching and/or upgrading, just as other local customizations are preserved.
- The following steps should be undertaken when performing a v9 upgrade.
- For customers who have already upgraded to v9
1- Run the latest Health Check for your version - this will preserve the current trusted certificate (keystore file) and Custom Attributes.
For customers currently on v8.2
InfoSphere_Guardium_Health_Check_8.2_to_9.0_Upgrade_2013_10_09 Oct 10, 2013 (or later)
( v8.2 to 9.0 Health Check Document )
For customers currently on v9
InfoSphere_Guardium_Health_Check_9.0_2013_09_20 Sep 20, 2013 (or later)
The latest Health Checks for both v8.2 and v9 include a Release Notes document explaining that the custom trusted (GUI) certificates and Custom Attributes will be backed up automatically.
2- Perform the v9 upgrade to the latest GPU - for example, at the time of writing:
InfoSphere_Guardium_V8.2_to_V9.0p50_Upgrade_Bundle Jul 3, 2013
3- Restore the saved trusted certificate (keystore file) and Custom Attributes after the upgrade using this specific patch: v9p1010.
This patch has no dependency and can be applied after any GPU level.
For example, customers who upgrade using GPU 9.0p02 or bundle 8.2-9.0p02 can also apply this patch to restore the data right after the upgrade to v9.0p02, as long as they use the latest Health Check patch as per step 1 above, with the backup procedure included.
Note - For any later GPU after v9p50 there will be no need to perform step 3 during the upgrade process, since the later GPUs will have the restore of the trusted certificate (keystore file) and Custom Attributes built in.
If no backup of the trusted certificate exists, the following CLI commands should be used to re-upload the certificates:
store trusted certificate
Custom Attributes could be re-added manually.
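
A check that can be run around the upgrade steps above, given as an added example (not IBM's or this page's own tooling): it records the SHA-256 fingerprint of the certificate the GUI presents before the upgrade and reports afterwards whether that certificate was replaced. The GUI port 8443, the host name, the baseline file and all function names are assumptions.

```python
import hashlib, json, socket, ssl, sys, tempfile
from pathlib import Path

def fetch_der(host, port=8443):
    """DER bytes of the certificate the GUI presents (port 8443 is an assumption).
    Validation is off on purpose: a replaced certificate is the untrusted one."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def fingerprint(der):
    return hashlib.sha256(der).hexdigest()

def _load(path):
    path = Path(path)
    return json.loads(path.read_text()) if path.exists() else {}

def save_baseline(path, host, der):
    """Record the pre-upgrade fingerprint for one appliance."""
    data = _load(path)
    data[host] = fingerprint(der)
    Path(path).write_text(json.dumps(data, indent=2))

def check(path, host, der):
    """Return 'unchanged', 'replaced' or 'no-baseline' for this appliance."""
    data = _load(path)
    if host not in data:
        return "no-baseline"
    return "unchanged" if data[host] == fingerprint(der) else "replaced"

if __name__ == "__main__":
    if len(sys.argv) == 4:  # usage: save|check <host> <baseline.json>
        mode, host, path = sys.argv[1:]
        der = fetch_der(host)
        if mode == "save":
            save_baseline(path, host, der)
        else:
            result = check(path, host, der)
            print(host, result)
            sys.exit(0 if result == "unchanged" else 1)
    else:  # offline demo: constructed bytes stand in for DER certificates
        with tempfile.TemporaryDirectory() as d:
            p = Path(d) / "baseline.json"
            save_baseline(p, "collector1.example", b"constructed-customer-cert")
            print(check(p, "collector1.example", b"constructed-default-cert"))
```

Run it in `save` mode before step 1 and in `check` mode after step 3; a `replaced` result means the customer keystore was not restored.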